Command-line Shell

The CAS command-line shell provides the ability to query the CAS server for help on available settings/modules and various other utility functions.

To invoke and work with the utility, execute:

1
java -jar /path/to/cas-server-support-shell-$casVersion.jar

…where $casVersion needless to say is the CAS version that is deployed.

The interface that is next presented will guide you through with available parameters and methods of querying. You will learn how to launch into the interactive shell and query the CAS engine dynamically.

:information_source: JCE Requirement

Make sure you have the proper JCE bundle installed in your Java environment that is used by CAS, specially if you need to use specific signing/encryption algorithms and methods. Be sure to pick the right version of the JCE for your Java version. Java versions can be detected via the java -version command.

Note that the WAR Overlay deployment strategy should already be equipped with this functionality. You should not have to do anything special and extra to interact with the shell. See the relevant overlay documentation for more info on how to invoke and work with the shell.

Shell Commands

The following commands are available and exposed by the CAS command-line shell.

generate-key

Generate signing/encryption crypto keys for CAS settings

Name Description Default
key-size,--key-size Key size 256

cipher-text,encode-text

Sign and encrypt text data using keys

Name Description Default
value,--value Value to put through the cipher __NULL__
encryption-key,--encryption-key Encryption key __NULL__
encryption-alg,--encryption-alg Encryption alg A256CBC-HS512
signing-key,--signing-key Signing key __NULL__
encryption-key-size,--encryption-key-size Encryption key size 512
signing-key-size,--signing-key-size Signing key size 512
enable-encryption,--enable-encryption Whether value should be encrypted true
enable-signing,--enable-signing Whether value should be signed true

decipher-text,decode-text

Decrypt and verify text data using keys

Name Description Default
value,--value Value to put through the cipher __NULL__
encryption-key,--encryption-key Encryption key __NULL__
encryption-alg,--encryption-alg Encryption alg A256CBC-HS512
signing-key,--signing-key Signing key __NULL__
encryption-key-size,--encryption-key-size Encryption key size 512
signing-key-size,--signing-key-size Signing key size 512
enable-encryption,--enable-encryption Whether value should be encrypted true
enable-signing,--enable-signing Whether value should be signed true

generate-ddl

Generate database DDL scripts

Name Description Default
file,--file DDL file to contain to generated script /etc/cas/config/cas-db-schema.sql
dialect,--dialect Database dialect class HSQL
url,--url JDBC database connection URL jdbc:hsqldb:mem:cas
delimiter,--delimiter Delimiter to use for separation of statements when generating SQL ;
pretty,--pretty Format DDL scripts and pretty-print the output false
dropSchema,--dropSchema Generate DROP SQL statements in the DDL false
createSchema,--createSchema Generate DROP SQL statements in the DDL false
haltOnError,--haltOnError Halt if an error occurs during the generation process false

decrypt-value

Decrypt a CAS property value/setting via Jasypt

Name Description Default
value,--value Value to decrypt __NONE__
alg,--alg Algorithm to use to decrypt __NULL__
provider,--provider Security provider to use to decrypt __NULL__
password,--password Password (encryption key) to decrypt __NONE__
initvector,--initvector,iv,--iv Use initialization vector to encrypt false
iterations,--iterations Key obtention iterations to decrypt, default 1000 __NULL__

encrypt-value

Encrypt a CAS property value/setting via Jasypt

Name Description Default
value,--value Value to encrypt __NULL__
file,--file File to encrypt __NULL__
alg,--alg Algorithm to use to encrypt __NULL__
provider,--provider Security provider to use to encrypt __NULL__
password,--password Password (encryption key) to encrypt __NONE__
initvector,--initvector,iv,--iv Use initialization vector to encrypt false
iterations,--iterations Key obtention iterations to encrypt, default 1000 __NULL__

jasypt-list-algorithms

List alogrithms you can use with Jasypt for property encryption

Name Description Default
includeBC,--includeBC Include Bouncy Castle provider false

jasypt-list-providers

List encryption providers with PBE Ciphers you can use with Jasypt

Name Description Default
includeBC,--includeBC Include Bouncy Castle provider false

jasypt-test-algorithms

Test encryption algorithms you can use with Jasypt to make sure encryption and decryption both work

Name Description Default

generate-full-jwt

Generate JWT and sign it using a given keystore

Name Description Default
jwks,--jwks Path to the JWKS file used to sign the token
iss,--iss Issuer https://localhost:8443/cas/oidc
claims,--claims JWT claims as JSON {}
aud,--aud Audience CAS
exp,--exp Expiration in seconds 300
sub,--sub Subject __NONE__

generate-jwt

Generate a JWT with given size and algorithm for signing and encryption.

Name Description Default
signingSecretSize,--signingSecretSize Size of the signing secret 256
encryptionSecretSize,--encryptionSecretSize Size of the encryption secret 48
signingAlgorithm,--signingAlgorithm Algorithm to use for signing HS256
encryptionAlgorithm,--encryptionAlgorithm Algorithm to use for encryption dir
encryptionMethod,--encryptionMethod Method to use for encryption A192CBC-HS384
subject,--subject Subject to use for the JWT __NONE__

generate-oidc-jwks

Generate OIDC JSON Web Keystore

Name Description Default
jwksFile,--jwksFile Location of the JSON web keystore file. /etc/cas/config/keystore.jwks
jwksKeyId,--jwksKeyId The key identifier to set for the generated key in the keystore. cas
jwksKeySize,--jwksKeySize The key size (an algorithm-specific) for the generated jwks. 2048
jwksKeyType,--jwksKeyType The type of the JWKS used to handle signing/encryption of authentication tokens. RSA

add-properties

Add properties associated with a CAS group/module to a Properties/Yaml configuration file.

Name Description Default
file,--file Path to the CAS configuration file /etc/cas/config/cas.properties
group,--group Group/module whose associated settings should be added to the CAS configuration file __NONE__

convert-props

Convert CAS properties to YAML file at the same location.

Name Description Default
properties,--properties Path to a properties file that contains CAS settings /etc/cas/config/cas.properties

export-props

Export CAS properties and settings from configuration metadata.

Name Description Default
dir,--dir Path to a directory where reference configuration files would be exported. ./etc/cas/config

find

Look up properties associated with a CAS group/module.

Name Description Default
name,--name Property name regex pattern .+
strict-match,--strict-match Whether pattern should be done in strict-mode which means the matching engine tries to match the entire region for the query. __NONE__
summary,--summary Whether results should be presented in summarized mode __NONE__

generate-idp-metadata

Generate SAML2 IdP Metadata

Name Description Default
metadataLocation,--metadataLocation Directory location to hold metadata and relevant keys/certificates /etc/cas/saml
entityId,--entityId Entity ID to use for the generated metadata cas.example.org
hostName,--hostName CAS server prefix to be used at the IdP host name when generating metadata https://cas.example.org/cas
scope,--scope Scope to use when generating metadata example.org
force,--force Force metadata generation (XML only, not certs), overwriting anything at the specified location __NONE__
subjectAltNames,--subjectAltNames Comma separated list of other subject alternative names for the certificate (besides entityId)

generate-anonymous-user

Generate an anonymous (persistent) username identifier

Name Description Default
username,--username Authenticated username __NONE__
service,--service Service application URL for which CAS may generate the identifier __NONE__
salt,--salt Salt used to generate and encode the anonymous identifier __NONE__

generate-yaml

Generate a YAML registered service definition

Name Description Default
file,--file Path to the JSON service definition file __NONE__
destination,--destination Path to the destination YAML service definition file __NONE__

validate-service

Validate a given JSON/YAML service definition by path or directory

Name Description Default
file,--file Path to the JSON/YAML service definition file
directory,--directory Path to the JSON/YAML service definitions directory

validate-endpoint

Test connections to an endpoint to verify connectivity, SSL, etc

Name Description Default
url,--url Endpoint URL to test __NONE__
proxy,--proxy Proxy address to use when testing the endpoint url
timeout,--timeout Timeout to use in milliseconds when testing the url 5000

validate-ldap

Test connections to an LDAP server to verify connectivity, SSL, etc

Name Description Default
url,--url LDAP URL to test, comma-separated. __NONE__
bindDn,--bindDn bindDn to use when testing the LDAP server __NONE__
bindCredential,--bindCredential bindCredential to use when testing the LDAP server __NONE__
baseDn,--baseDn baseDn to use when testing the LDAP server, searching for accounts (i.e. OU=some,DC=org,DC=edu) __NONE__
searchFilter,--searchFilter Filter to use when searching for accounts (i.e. (&(objectClass=*) (sAMAccountName=user)))
userPassword,--userPassword Password for the user found in the search result, to attempt authentication
userAttributes,--userAttributes User attributes, comma-separated, to fetch for the user found in the search result