WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
Command-line Shell
The CAS command-line shell provides the ability to query the CAS server for help on available settings/modules and various other utility functions.
To invoke and work with the utility, execute:
1
java -jar /path/to/cas-server-support-shell-$casVersion.jar
…where $casVersion needless to say is the CAS version that is deployed.
The interface that is next presented will guide you through with available parameters and methods of querying. You will learn how to launch into the interactive shell and query the CAS engine dynamically.
JCE RequirementMake sure you have the proper JCE bundle installed in your
Java environment that is used by CAS, specially if you need to use specific signing/encryption algorithms and methods.
Be sure to pick the right version of the JCE for your Java version. Java versions can be detected via the java -version command.
Note that the WAR Overlay deployment strategy should already be equipped with this functionality. You should not have to do anything special and extra to interact with the shell. See the relevant overlay documentation for more info on how to invoke and work with the shell.
Shell Commands
The following commands are available and exposed by the CAS command-line shell.
generate-key
Generate signing/encryption crypto keys for CAS settings
| Name | Description | Default |
|---|---|---|
key-size,--key-size
|
Key size
|
256
|
cipher-text,encode-text
Sign and encrypt text data using keys
| Name | Description | Default |
|---|---|---|
value,--value
|
Value to put through the cipher
|
__NULL__
|
encryption-key,--encryption-key
|
Encryption key
|
__NULL__
|
signing-key,--signing-key
|
Signing key
|
__NULL__
|
encryption-key-size,--encryption-key-size
|
Encryption key size
|
256
|
signing-key-size,--signing-key-size
|
Signing key size
|
512
|
enable-encryption,--enable-encryption
|
Whether value should be encrypted
|
true
|
enable-signing,--enable-signing
|
Whether value should be signed
|
true
|
decipher-text,decode-text
Decrypt and verify text data using keys
| Name | Description | Default |
|---|---|---|
value,--value
|
Value to put through the cipher
|
__NULL__
|
encryption-key,--encryption-key
|
Encryption key
|
__NULL__
|
signing-key,--signing-key
|
Signing key
|
__NULL__
|
encryption-key-size,--encryption-key-size
|
Encryption key size
|
256
|
signing-key-size,--signing-key-size
|
Signing key size
|
512
|
enable-encryption,--enable-encryption
|
Whether value should be encrypted
|
true
|
enable-signing,--enable-signing
|
Whether value should be signed
|
true
|
generate-ddl
Generate database DDL scripts
| Name | Description | Default |
|---|---|---|
file,--file
|
DDL file to contain to generated script
|
/etc/cas/config/cas-db-schema.sql
|
dialect,--dialect
|
Database dialect class
|
HSQL
|
url,--url
|
JDBC database connection URL
|
jdbc:hsqldb:mem:cas
|
delimiter,--delimiter
|
Delimiter to use for separation of statements when generating SQL
|
;
|
pretty,--pretty
|
Format DDL scripts and pretty-print the output
|
false
|
dropSchema,--dropSchema
|
Generate DROP SQL statements in the DDL
|
false
|
createSchema,--createSchema
|
Generate DROP SQL statements in the DDL
|
false
|
haltOnError,--haltOnError
|
Halt if an error occurs during the generation process
|
false
|
decrypt-value
Decrypt a CAS property value/setting via Jasypt
| Name | Description | Default |
|---|---|---|
value,--value
|
Value to decrypt
|
__NONE__
|
alg,--alg
|
Algorithm to use to decrypt
|
__NULL__
|
provider,--provider
|
Security provider to use to decrypt
|
__NULL__
|
password,--password
|
Password (encryption key) to decrypt
|
__NONE__
|
initvector,--initvector,iv,--iv
|
Use initialization vector to encrypt
|
false
|
iterations,--iterations
|
Key obtention iterations to decrypt, default 1000
|
__NULL__
|
encrypt-value
Encrypt a CAS property value/setting via Jasypt
| Name | Description | Default |
|---|---|---|
value,--value
|
Value to encrypt
|
__NULL__
|
file,--file
|
File to encrypt
|
__NULL__
|
alg,--alg
|
Algorithm to use to encrypt
|
__NULL__
|
provider,--provider
|
Security provider to use to encrypt
|
__NULL__
|
password,--password
|
Password (encryption key) to encrypt
|
__NONE__
|
initvector,--initvector,iv,--iv
|
Use initialization vector to encrypt
|
false
|
iterations,--iterations
|
Key obtention iterations to encrypt, default 1000
|
__NULL__
|
jasypt-list-algorithms
List alogrithms you can use with Jasypt for property encryption
| Name | Description | Default |
|---|---|---|
includeBC,--includeBC
|
Include Bouncy Castle provider
|
false
|
jasypt-list-providers
List encryption providers with PBE Ciphers you can use with Jasypt
| Name | Description | Default |
|---|---|---|
includeBC,--includeBC
|
Include Bouncy Castle provider
|
false
|
jasypt-test-algorithms
Test encryption algorithms you can use with Jasypt to make sure encryption and decryption both work
| Name | Description | Default |
|---|
generate-full-jwt
Generate JWT and sign it using a given keystore
| Name | Description | Default |
|---|---|---|
jwks,--jwks
|
Path to the JWKS file used to sign the token
|
|
iss,--iss
|
Issuer
|
https://localhost:8443/cas/oidc
|
claims,--claims
|
JWT claims as JSON
|
{}
|
aud,--aud
|
Audience
|
CAS
|
exp,--exp
|
Expiration in seconds
|
300
|
sub,--sub
|
Subject
|
__NONE__
|
generate-jwt
Generate a JWT with given size and algorithm for signing and encryption.
| Name | Description | Default |
|---|---|---|
signingSecretSize,--signingSecretSize
|
Size of the signing secret
|
256
|
encryptionSecretSize,--encryptionSecretSize
|
Size of the encryption secret
|
48
|
signingAlgorithm,--signingAlgorithm
|
Algorithm to use for signing
|
HS256
|
encryptionAlgorithm,--encryptionAlgorithm
|
Algorithm to use for encryption
|
dir
|
encryptionMethod,--encryptionMethod
|
Method to use for encryption
|
A192CBC-HS384
|
subject,--subject
|
Subject to use for the JWT
|
__NONE__
|
generate-oidc-jwks
Generate OIDC JSON Web Keystore
| Name | Description | Default |
|---|---|---|
jwksFile,--jwksFile
|
Location of the JSON web keystore file.
|
/etc/cas/config/keystore.jwks
|
jwksKeyId,--jwksKeyId
|
The key identifier to set for the generated key in the keystore.
|
cas
|
jwksKeySize,--jwksKeySize
|
The key size (an algorithm-specific) for the generated jwks.
|
2048
|
jwksKeyType,--jwksKeyType
|
The type of the JWKS used to handle signing/encryption of authentication tokens.
|
RSA
|
add-properties
Add properties associated with a CAS group/module to a Properties/Yaml configuration file.
| Name | Description | Default |
|---|---|---|
file,--file
|
Path to the CAS configuration file
|
/etc/cas/config/cas.properties
|
group,--group
|
Group/module whose associated settings should be added to the CAS configuration file
|
__NONE__
|
convert-props
Convert CAS properties to YAML file at the same location.
| Name | Description | Default |
|---|---|---|
properties,--properties
|
Path to a properties file that contains CAS settings
|
/etc/cas/config/cas.properties
|
export-props
Export CAS properties and settings from configuration metadata.
| Name | Description | Default |
|---|---|---|
dir,--dir
|
Path to a directory where reference configuration files would be exported.
|
./etc/cas/config
|
find
Look up properties associated with a CAS group/module.
| Name | Description | Default |
|---|---|---|
name,--name
|
Property name regex pattern
|
.+
|
strict-match,--strict-match
|
Whether pattern should be done in strict-mode which means the matching engine tries to match the entire region for the query.
|
__NONE__
|
summary,--summary
|
Whether results should be presented in summarized mode
|
__NONE__
|
generate-idp-metadata
Generate SAML2 IdP Metadata
| Name | Description | Default |
|---|---|---|
metadataLocation,--metadataLocation
|
Directory location to hold metadata and relevant keys/certificates
|
/etc/cas/saml
|
entityId,--entityId
|
Entity ID to use for the generated metadata
|
cas.example.org
|
hostName,--hostName
|
CAS server prefix to be used at the IdP host name when generating metadata
|
https://cas.example.org/cas
|
scope,--scope
|
Scope to use when generating metadata
|
example.org
|
force,--force
|
Force metadata generation (XML only, not certs), overwriting anything at the specified location
|
__NONE__
|
subjectAltNames,--subjectAltNames
|
Comma separated list of other subject alternative names for the certificate (besides entityId)
|
|
generate-anonymous-user
Generate an anonymous (persistent) username identifier
| Name | Description | Default |
|---|---|---|
username,--username
|
Authenticated username
|
__NONE__
|
service,--service
|
Service application URL for which CAS may generate the identifier
|
__NONE__
|
salt,--salt
|
Salt used to generate and encode the anonymous identifier
|
__NONE__
|
generate-yaml
Generate a YAML registered service definition
| Name | Description | Default |
|---|---|---|
file,--file
|
Path to the JSON service definition file
|
__NONE__
|
destination,--destination
|
Path to the destination YAML service definition file
|
__NONE__
|
validate-service
Validate a given JSON/YAML service definition by path or directory
| Name | Description | Default |
|---|---|---|
file,--file
|
Path to the JSON/YAML service definition file
|
|
directory,--directory
|
Path to the JSON/YAML service definitions directory
|
|
validate-endpoint
Test connections to an endpoint to verify connectivity, SSL, etc
| Name | Description | Default |
|---|---|---|
url,--url
|
Endpoint URL to test
|
__NONE__
|
proxy,--proxy
|
Proxy address to use when testing the endpoint url
|
|
timeout,--timeout
|
Timeout to use in milliseconds when testing the url
|
5000
|
validate-ldap
Test connections to an LDAP server to verify connectivity, SSL, etc
| Name | Description | Default |
|---|---|---|
url,--url
|
LDAP URL to test, comma-separated.
|
__NONE__
|
bindDn,--bindDn
|
bindDn to use when testing the LDAP server
|
__NONE__
|
bindCredential,--bindCredential
|
bindCredential to use when testing the LDAP server
|
__NONE__
|
baseDn,--baseDn
|
baseDn to use when testing the LDAP server, searching for accounts (i.e. OU=some,DC=org,DC=edu)
|
__NONE__
|
searchFilter,--searchFilter
|
Filter to use when searching for accounts (i.e. (&(objectClass=*) (sAMAccountName=user)))
|
|
userPassword,--userPassword
|
Password for the user found in the search result, to attempt authentication
|
|
userAttributes,--userAttributes
|
User attributes, comma-separated, to fetch for the user found in the search result
|
|