Command-line Shell

The CAS command-line shell provides the ability to query the CAS server for help on available settings/modules and various other utility functions.

To invoke and work with the utility, execute:

java -jar /path/to/cas-server-support-shell-$casVersion.jar

…where $casVersion needless to say is the CAS version that is deployed.

The interface that is next presented will guide you through with available parameters and methods of querying. You will learn how to launch into the interactive shell and query the CAS engine dynamically.

JCE Requirement

Make sure you have the proper JCE bundle installed in your Java environment that is used by CAS, specially if you need to use specific signing/encryption algorithms and methods. Be sure to pick the right version of the JCE for your Java version. Java versions can be detected via the java -version command.

Note that the WAR Overlay deployment strategy should already be equipped with this functionality. You should not have to do anything special and extra to interact with the shell. See the relevant overlay documentation for more info on how to invoke and work with the shell.

Shell Commands

The following commands are available and exposed by the CAS command-line shell.

generate-key

Generate signing/encryption crypto keys for CAS settings

Name	Description	Default
`key-size,--key-size`	`Key size`	`256`

cipher-text,encode-text

Sign and encrypt text data using keys

Name	Description	Default
`value,--value`	`Value to put through the cipher`	`__NULL__`
`encryption-key,--encryption-key`	`Encryption key`	`__NULL__`
`encryption-alg,--encryption-alg`	`Encryption alg`	`A256CBC-HS512`
`signing-key,--signing-key`	`Signing key`	`__NULL__`
`encryption-key-size,--encryption-key-size`	`Encryption key size`	`512`
`signing-key-size,--signing-key-size`	`Signing key size`	`512`
`enable-encryption,--enable-encryption`	`Whether value should be encrypted`	`true`
`enable-signing,--enable-signing`	`Whether value should be signed`	`true`

decipher-text,decode-text

Decrypt and verify text data using keys

Name	Description	Default
`value,--value`	`Value to put through the cipher`	`__NULL__`
`encryption-key,--encryption-key`	`Encryption key`	`__NULL__`
`encryption-alg,--encryption-alg`	`Encryption alg`	`A256CBC-HS512`
`signing-key,--signing-key`	`Signing key`	`__NULL__`
`encryption-key-size,--encryption-key-size`	`Encryption key size`	`512`
`signing-key-size,--signing-key-size`	`Signing key size`	`512`
`enable-encryption,--enable-encryption`	`Whether value should be encrypted`	`true`
`enable-signing,--enable-signing`	`Whether value should be signed`	`true`

generate-ddl

Generate database DDL scripts

Name	Description	Default
`file,--file`	`DDL file to contain to generated script`	`/etc/cas/config/cas-db-schema.sql`
`dialect,--dialect`	`Database dialect class`	`HSQL`
`url,--url`	`JDBC database connection URL`	`jdbc:hsqldb:mem:cas`
`delimiter,--delimiter`	`Delimiter to use for separation of statements when generating SQL`	`;`
`pretty,--pretty`	`Format DDL scripts and pretty-print the output`	`false`
`dropSchema,--dropSchema`	`Generate DROP SQL statements in the DDL`	`false`
`createSchema,--createSchema`	`Generate DROP SQL statements in the DDL`	`false`
`haltOnError,--haltOnError`	`Halt if an error occurs during the generation process`	`false`

decrypt-value

Decrypt a CAS property value/setting via Jasypt

Name	Description	Default
`value,--value`	`Value to decrypt`	`__NONE__`
`alg,--alg`	`Algorithm to use to decrypt`	`__NULL__`
`provider,--provider`	`Security provider to use to decrypt`	`__NULL__`
`password,--password`	`Password (encryption key) to decrypt`	`__NONE__`
`initvector,--initvector,iv,--iv`	`Use initialization vector to encrypt`	`false`
`iterations,--iterations`	`Key obtention iterations to decrypt, default 1000`	`__NULL__`

encrypt-value

Encrypt a CAS property value/setting via Jasypt

Name	Description	Default
`value,--value`	`Value to encrypt`	`__NULL__`
`file,--file`	`File to encrypt`	`__NULL__`
`alg,--alg`	`Algorithm to use to encrypt`	`__NULL__`
`provider,--provider`	`Security provider to use to encrypt`	`__NULL__`
`password,--password`	`Password (encryption key) to encrypt`	`__NONE__`
`initvector,--initvector,iv,--iv`	`Use initialization vector to encrypt`	`false`
`iterations,--iterations`	`Key obtention iterations to encrypt, default 1000`	`__NULL__`

jasypt-list-algorithms

List alogrithms you can use with Jasypt for property encryption

Name	Description	Default
`includeBC,--includeBC`	`Include Bouncy Castle provider`	`false`

jasypt-list-providers

List encryption providers with PBE Ciphers you can use with Jasypt

Name	Description	Default
`includeBC,--includeBC`	`Include Bouncy Castle provider`	`false`

jasypt-test-algorithms

Test encryption algorithms you can use with Jasypt to make sure encryption and decryption both work

Name	Description	Default

generate-full-jwt

Generate JWT and sign it using a given keystore

Name	Description	Default
`jwks,--jwks`	`Path to the JWKS file used to sign the token`
`iss,--iss`	`Issuer`	`https://localhost:8443/cas/oidc`
`claims,--claims`	`JWT claims as JSON`	`{}`
`aud,--aud`	`Audience`	`CAS`
`exp,--exp`	`Expiration in seconds`	`300`
`sub,--sub`	`Subject`	`__NONE__`

generate-jwt

Generate a JWT with given size and algorithm for signing and encryption.

Name	Description	Default
`signingSecretSize,--signingSecretSize`	`Size of the signing secret`	`256`
`encryptionSecretSize,--encryptionSecretSize`	`Size of the encryption secret`	`48`
`signingAlgorithm,--signingAlgorithm`	`Algorithm to use for signing`	`HS256`
`encryptionAlgorithm,--encryptionAlgorithm`	`Algorithm to use for encryption`	`dir`
`encryptionMethod,--encryptionMethod`	`Method to use for encryption`	`A192CBC-HS384`
`subject,--subject`	`Subject to use for the JWT`	`__NONE__`

generate-oidc-jwks

Generate OIDC JSON Web Keystore

Name	Description	Default
`jwksFile,--jwksFile`	`Location of the JSON web keystore file.`	`/etc/cas/config/keystore.jwks`
`jwksKeyId,--jwksKeyId`	`The key identifier to set for the generated key in the keystore.`	`cas`
`jwksKeySize,--jwksKeySize`	`The key size (an algorithm-specific) for the generated jwks.`	`2048`
`jwksKeyType,--jwksKeyType`	`The type of the JWKS used to handle signing/encryption of authentication tokens.`	`RSA`

add-properties

Add properties associated with a CAS group/module to a Properties/Yaml configuration file.

Name	Description	Default
`file,--file`	`Path to the CAS configuration file`	`/etc/cas/config/cas.properties`
`group,--group`	`Group/module whose associated settings should be added to the CAS configuration file`	`__NONE__`

convert-props

Convert CAS properties to YAML file at the same location.

Name	Description	Default
`properties,--properties`	`Path to a properties file that contains CAS settings`	`/etc/cas/config/cas.properties`

export-props

Export CAS properties and settings from configuration metadata.

Name	Description	Default
`dir,--dir`	`Path to a directory where reference configuration files would be exported.`	`./etc/cas/config`

find

Look up properties associated with a CAS group/module.

Name	Description	Default
`name,--name`	`Property name regex pattern`	`.+`
`strict-match,--strict-match`	`Whether pattern should be done in strict-mode which means the matching engine tries to match the entire region for the query.`	`__NONE__`
`summary,--summary`	`Whether results should be presented in summarized mode`	`__NONE__`

generate-idp-metadata

Generate SAML2 IdP Metadata

Name	Description	Default
`metadataLocation,--metadataLocation`	`Directory location to hold metadata and relevant keys/certificates`	`/etc/cas/saml`
`entityId,--entityId`	`Entity ID to use for the generated metadata`	`cas.example.org`
`hostName,--hostName`	`CAS server prefix to be used at the IdP host name when generating metadata`	`https://cas.example.org/cas`
`scope,--scope`	`Scope to use when generating metadata`	`example.org`
`force,--force`	`Force metadata generation (XML only, not certs), overwriting anything at the specified location`	`__NONE__`
`subjectAltNames,--subjectAltNames`	`Comma separated list of other subject alternative names for the certificate (besides entityId)`

generate-anonymous-user

Generate an anonymous (persistent) username identifier

Name	Description	Default
`username,--username`	`Authenticated username`	`__NONE__`
`service,--service`	`Service application URL for which CAS may generate the identifier`	`__NONE__`
`salt,--salt`	`Salt used to generate and encode the anonymous identifier`	`__NONE__`

generate-yaml

Generate a YAML registered service definition

Name	Description	Default
`file,--file`	`Path to the JSON service definition file`	`__NONE__`
`destination,--destination`	`Path to the destination YAML service definition file`	`__NONE__`

validate-service

Validate a given JSON/YAML service definition by path or directory

Name	Description	Default
`file,--file`	`Path to the JSON/YAML service definition file`
`directory,--directory`	`Path to the JSON/YAML service definitions directory`

validate-endpoint

Test connections to an endpoint to verify connectivity, SSL, etc

Name	Description	Default
`url,--url`	`Endpoint URL to test`	`__NONE__`
`proxy,--proxy`	`Proxy address to use when testing the endpoint url`
`timeout,--timeout`	`Timeout to use in milliseconds when testing the url`	`5000`

validate-ldap

Test connections to an LDAP server to verify connectivity, SSL, etc

Name	Description	Default
`url,--url`	`LDAP URL to test, comma-separated.`	`__NONE__`
`bindDn,--bindDn`	`bindDn to use when testing the LDAP server`	`__NONE__`
`bindCredential,--bindCredential`	`bindCredential to use when testing the LDAP server`	`__NONE__`
`baseDn,--baseDn`	`baseDn to use when testing the LDAP server, searching for accounts (i.e. OU=some,DC=org,DC=edu)`	`__NONE__`
`searchFilter,--searchFilter`	`Filter to use when searching for accounts (i.e. (&(objectClass=*) (sAMAccountName=user)))`
`userPassword,--userPassword`	`Password for the user found in the search result, to attempt authentication`
`userAttributes,--userAttributes`	`User attributes, comma-separated, to fetch for the user found in the search result`