How to Generate JWT Keys
Applies to self-managed deployments.
You can use this guide to generate JWT tokens when introducing a new service during the upgrade procedure or in case you need to update the existing keys for some modules.
In this guide, we are using the open-source generator mkjwk to create the tokens. If you prefer to generate the tokens locally, the same tool is available as a command-line utility or a library.
You can also choose any other generator, provided that it produces asymmetric signing keys on the P-256 elliptic curve (ES256).
The example shows how to establish communication between Data Processing Module (DPM) and Data Processing Engine (DPE) modules. The same procedure needs to be repeated for any other pair of communicating modules. For more information about the specific use cases, refer to the Upgrade Guide.
Prerequisites
Make sure the services for which you’re generating the keys are not running before you start editing the configuration.
Generate a token
Start by generating a token for one of the modules (in our case, DPM).
1. Go to mkjwk.org/.
2. Switch to the EC tab.
3. Provide the following arguments:
   - Curve: P-256.
   - Key Use: Signature.
   - Algorithm: ES256 (ECDSA using P-256 and SHA-256).
   - Key ID: SHA-256.
   - Show X509: No.
4. Select Generate.
5. Copy the generated Public and Private Keypair and save it to a dedicated text file.
   Alternatively, keep the browser tab open until you are finished with step 3.
Supply the JWT key to DPM
1. Open the file containing the Public and Private Keypair (created in step Generate a token).
   Keep the file open as the information stored in it is reused in step Provide the DPM deployment information to DPE.
2. Copy the keypair and base64 encode it.
3. Open the dpm/etc/application.properties configuration file and configure the following property using the base64 encoded value for the Public and Private Keypair (obtained in the previous step).

dpm/etc/application.properties
ataccama.authentication.internal.jwt.generator.key=<generated_key>
Provide the DPM deployment information to DPE
1. In the dpe/etc/application.properties configuration file, configure the following properties:
   - ataccama.one.platform.deployments.<deployment_name>.module: The module type, in this case dpm.
   - ataccama.one.platform.deployments.<deployment_name>.environment: The name of the environment, for example, dev.
   - ataccama.one.platform.deployments.<deployment_name>.security.jwt-keys.key.fingerprint: Copy the key identifier (kid) value from the file containing the Public and Private Keypair.
   - ataccama.one.platform.deployments.<deployment_name>.security.jwt-keys.key.content: Copy the Public and Private Keypair from the file used in the previous step and remove the d and use parameters. The value must use JSON syntax and be provided on a single line.
   - ataccama.one.platform.deployments.<deployment_name>.security.jwt-keys.key.is-revoked: Set to false.
   - ataccama.one.platform.deployments.<deployment_name>.security.roles[0]: The user role (as defined in Keycloak) used to create the service identity during authentication. Set to IMPERSONATION.

   Use one name per deployment and make sure that this name is consistent across all modules, for example, dpm-dev. You can set the value of <deployment_name> to any string consisting of alphanumeric characters and dashes.

dpe/etc/application.properties
ataccama.one.platform.deployments.dpm-dev.module=dpm
ataccama.one.platform.deployments.dpm-dev.environment=dev
ataccama.one.platform.deployments.dpm-dev.security.jwt-keys.key.fingerprint=vcjAli5Xm_pvtE8ItBkd3aT_FWi_23WieMf5f-lppBI
ataccama.one.platform.deployments.dpm-dev.security.jwt-keys.key.content={"kty":"EC","crv":"P-256","kid":"vcjAli5Xm_pvtE8ItBkd3aT_FWi_23WieMf5f-lppBI","x":"Hbs53V5zC-1DjNf5RtJ1bNHlxvzM5jST7J1ADVePV9g","y":"4pVfzrF7FMHt_Xx2FgLauvLZuJqbpL9crdOxvTXWb64","alg":"ES256"}
ataccama.one.platform.deployments.dpm-dev.security.jwt-keys.key.is-revoked=false
ataccama.one.platform.deployments.dpm-dev.security.roles[0]=IMPERSONATION
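The two preceding sections derive three values from one mkjwk keypair: the base64-encoded generator key that stays in DPM's own configuration (it contains the private d parameter), the public JWK with d and use removed that is handed to DPE, and the kid that DPE records as the fingerprint. The Python script below is an added example showing that derivation; it is not part of this page or of the Ataccama product. It reuses the x, y and kid values from the example above with a constructed placeholder in place of the private d, assumes standard (not URL-safe) base64 for the generator key, and assumes that mkjwk's "Key ID: SHA-256" option fills kid with the RFC 7638 JWK thumbprint.

```python
import base64
import hashlib
import json

# Constructed sample in the shape mkjwk produces for an EC P-256 signing key.
# x, y and kid are the example values shown on this page; "d" is a placeholder
# string and NOT a real private scalar for that point (constructed for illustration).
SAMPLE_KEYPAIR = {
    "kty": "EC",
    "d": "CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_PRIVATE_SCALAR",
    "use": "sig",
    "crv": "P-256",
    "kid": "vcjAli5Xm_pvtE8ItBkd3aT_FWi_23WieMf5f-lppBI",
    "x": "Hbs53V5zC-1DjNf5RtJ1bNHlxvzM5jST7J1ADVePV9g",
    "y": "4pVfzrF7FMHt_Xx2FgLauvLZuJqbpL9crdOxvTXWb64",
    "alg": "ES256",
}

PRIVATE_OR_LOCAL_ONLY = ("d", "use")  # never copied into a peer's configuration


def _b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def rfc7638_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638) of an EC key: hash of the canonical JSON
    of the required public members only (crv, kty, x, y), sorted, no whitespace.
    Assumption: this is what mkjwk's "Key ID: SHA-256" option fills into kid."""
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return _b64url_nopad(hashlib.sha256(canonical.encode("utf-8")).digest())


def generator_key_value(keypair: dict) -> str:
    """Value for ataccama.authentication.internal.jwt.generator.key in the module's
    own application.properties: the complete keypair JSON, private d included,
    base64-encoded (assumed standard alphabet for the page's "base64 encode it" step)."""
    compact = json.dumps(keypair, separators=(",", ":"))
    return base64.b64encode(compact.encode("utf-8")).decode("ascii")


def decode_generator_key(value: str) -> dict:
    """Inverse of generator_key_value, used to confirm the encoding round-trips."""
    return json.loads(base64.b64decode(value).decode("utf-8"))


def public_jwk(keypair: dict) -> dict:
    """The part that goes to the peer: the keypair with d and use removed."""
    return {k: v for k, v in keypair.items() if k not in PRIVATE_OR_LOCAL_ONLY}


def peer_deployment_properties(keypair: dict, deployment_name: str,
                               module: str, environment: str) -> str:
    """Render the deployments.<name>.* block the peer module needs, using kid as
    the fingerprint and the single-line public JWK as the content."""
    pub = public_jwk(keypair)
    prefix = f"ataccama.one.platform.deployments.{deployment_name}"
    lines = [
        f"{prefix}.module={module}",
        f"{prefix}.environment={environment}",
        f"{prefix}.security.jwt-keys.key.fingerprint={pub['kid']}",
        f"{prefix}.security.jwt-keys.key.content={json.dumps(pub, separators=(',', ':'))}",
        f"{prefix}.security.jwt-keys.key.is-revoked=false",
        f"{prefix}.security.roles[0]=IMPERSONATION",
    ]
    return "\n".join(lines)


def kid_is_thumbprint(jwk: dict) -> bool:
    """True when kid equals the RFC 7638 thumbprint of the key's public part."""
    return jwk.get("kid") == rfc7638_thumbprint(jwk)


if __name__ == "__main__":
    print("ataccama.authentication.internal.jwt.generator.key="
          + generator_key_value(SAMPLE_KEYPAIR))
    print(peer_deployment_properties(SAMPLE_KEYPAIR, "dpm-dev", "dpm", "dev"))
    print("kid matches thumbprint:", kid_is_thumbprint(SAMPLE_KEYPAIR))
```

Run it with a real mkjwk keypair pasted into SAMPLE_KEYPAIR: the first printed line is the value for DPM's own generator.key, the remaining lines are the block for DPE's properties file, and the last line reports whether the kid really is the thumbprint of the public part (the assumption above; if it prints False, keep copying kid as the page instructs and ignore the thumbprint).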
Generate a second token
Generate a token for the second module (in our case, DPE). For details, see Generate a token.
Supply the JWT key to DPE
1. Open the file containing the Public and Private Keypair (created in Generate a second token).
   Keep the file open as the information stored in it is reused in step Provide the DPE deployment information to DPM.
2. Copy the keypair and base64 encode it.
3. Open the dpe/etc/application.properties configuration file and configure the following property using the base64 encoded value for the Public and Private Keypair (obtained in the previous step).

dpe/etc/application.properties
ataccama.authentication.internal.jwt.generator.key=<generated_key>
Provide the DPE deployment information to DPM
1. In the dpm/etc/application.properties configuration file, configure the following properties. For a description of the properties and their values, see Provide the DPM deployment information to DPE.

dpm/etc/application.properties
ataccama.one.platform.deployments.dpe-dev.module=dpe
ataccama.one.platform.deployments.dpe-dev.environment=dev
ataccama.one.platform.deployments.dpe-dev.security.jwt-keys.key1.fingerprint=kHSzWkPiZKfSKAgdIkCdXfAAKs7x23jszQLkTOzQTEM
ataccama.one.platform.deployments.dpe-dev.security.jwt-keys.key1.content={"kty":"EC","crv":"P-256","kid":"KBv0lrEO88ISAnmwXn6Y5jYjG9TvemuZA0yQlq7QpG0","x":"KsJKpmDA03Js3o8JWWiH5tyUfv80kaJy60_7BOrwmKo","y":"7kfcrUzl95MQEZnCjhWA0dIIhzK-jvdaAtGRAuBzZbk","alg":"ES256"}
ataccama.one.platform.deployments.dpe-dev.security.jwt-keys.key1.is-revoked=false
ataccama.one.platform.deployments.dpe-dev.security.roles[0]=IMPERSONATION
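Because every peer entry in these properties files is hand-copied, a check run before starting the modules catches the two mistakes that matter most: a d member (the private key) copied into a peer's key content, and a fingerprint that does not equal the kid inside the key it describes, which the page requires (note that in the DPE example above the fingerprint value differs from the kid in its key.content). The checker below is an added example, not code from this page or from the product. The properties fragment it runs over is constructed, the property naming follows the scheme documented on this page, and the thumbprint check relies on the assumption that kid was produced with mkjwk's SHA-256 Key ID option (RFC 7638).

```python
import base64
import hashlib
import json
import re

# Property names follow the scheme documented on this page:
# ataccama.one.platform.deployments.<deployment>.security.jwt-keys.<key>.<field>
_JWT_KEY_RE = re.compile(
    r"^ataccama\.one\.platform\.deployments\.([A-Za-z0-9-]+)"
    r"\.security\.jwt-keys\.([^.=\s]+)\.(fingerprint|content|is-revoked)=(.*)$"
)

# Public coordinates taken from the page's DPM example (used as sample input).
PAGE_X = "Hbs53V5zC-1DjNf5RtJ1bNHlxvzM5jST7J1ADVePV9g"
PAGE_Y = "4pVfzrF7FMHt_Xx2FgLauvLZuJqbpL9crdOxvTXWb64"


def _thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint over the canonical {crv,kty,x,y} members."""
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def parse_jwt_key_entries(properties_text: str) -> dict:
    """Group the fingerprint / content / is-revoked lines per (deployment, key)."""
    entries = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or .properties comment
        m = _JWT_KEY_RE.match(line)
        if m:
            deployment, key, field, value = m.groups()
            entries.setdefault((deployment, key), {})[field] = value.strip()
    return entries


def check_peer_keys(properties_text: str) -> list:
    """Return (deployment, key, problem) triples; an empty list means all checks passed."""
    findings = []
    for (dep, key), fields in parse_jwt_key_entries(properties_text).items():
        content = fields.get("content")
        if content is None:
            findings.append((dep, key, "missing content property"))
            continue
        try:
            jwk = json.loads(content)
        except json.JSONDecodeError as exc:
            findings.append((dep, key, f"content is not valid single-line JSON: {exc.msg}"))
            continue
        # The peer only needs the public key; a d member means the private key was copied.
        if "d" in jwk:
            findings.append((dep, key, "private scalar d present in peer key content"))
        if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256" or not all(k in jwk for k in ("x", "y")):
            findings.append((dep, key, "content is not an EC P-256 public key"))
            continue
        if jwk.get("alg", "ES256") != "ES256":
            findings.append((dep, key, f"unexpected alg {jwk['alg']!r}, expected ES256"))
        # The page's rule: fingerprint must equal the kid copied from the keypair file.
        if fields.get("fingerprint") != jwk.get("kid"):
            findings.append((dep, key, "fingerprint does not match kid in content"))
        # Assumption: kid was produced with mkjwk's "Key ID: SHA-256", i.e. RFC 7638.
        if jwk.get("kid") != _thumbprint(jwk):
            findings.append((dep, key, "kid is not the RFC 7638 thumbprint of the key"))
        if fields.get("is-revoked") not in ("true", "false"):
            findings.append((dep, key, "is-revoked must be true or false"))
    return findings


def sample_properties() -> str:
    """Constructed dpm/etc/application.properties fragment with three DPE peers:
    dpe-dev is correct, dpe-leak carries the private key, dpe-stale has a
    fingerprint that does not match the key it lists."""
    good = {"kty": "EC", "crv": "P-256", "x": PAGE_X, "y": PAGE_Y, "alg": "ES256"}
    good["kid"] = _thumbprint(good)
    leaked = dict(good, d="CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_PRIVATE_SCALAR")

    def block(name: str, jwk: dict, fingerprint: str) -> str:
        p = f"ataccama.one.platform.deployments.{name}"
        return "\n".join([
            f"{p}.module=dpe",
            f"{p}.environment=dev",
            f"{p}.security.jwt-keys.key1.fingerprint={fingerprint}",
            f"{p}.security.jwt-keys.key1.content={json.dumps(jwk, separators=(',', ':'))}",
            f"{p}.security.jwt-keys.key1.is-revoked=false",
            f"{p}.security.roles[0]=IMPERSONATION",
        ])

    return "\n\n".join([
        block("dpe-dev", good, good["kid"]),
        block("dpe-leak", leaked, good["kid"]),
        block("dpe-stale", good, "CONSTRUCTED-STALE-FINGERPRINT"),
    ])


if __name__ == "__main__":
    for dep, key, problem in check_peer_keys(sample_properties()):
        print(f"{dep}/{key}: {problem}")
```

To use it on a real file, read dpm/etc/application.properties (or dpe/etc/application.properties) into a string and pass it to check_peer_keys; an empty result means every peer entry carries only public material and its fingerprint agrees with the key it describes.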
Start the modules
Start the modules in the following order: DPM, DPE. DPE can now register with DPM and the following messages are shown:
dpm/log/spring-boot-logger.json.log
{"@timestamp":"2021-04-14T11:26:03.234+02:00","@version":"1","message":"eventId=registerEngine engineId=0031debd-6130-4b4a-8eaf-7a834555cf33, engine=EngineAddress(hostname=user-VirtualBox, port=8532), engineConstraints=(requirements: {} capabilities: { ... } priorities: []), message=New engine registered.","logger_name":"com.ataccama.dpm.registry.EngineRegistryServiceImpl","thread_name":"grpc-default-executor-0","severity":"INFO","level_value":20000,"authenticatedUser":"ServiceIdentity(module=dpe, id=dpe-dev, roles=[IMPERSONATION])","correlationId":"0031debd-6130-4b4a-8eaf-7a834555cf33","eventId":"registerEngine","engineId":"0031debd-6130-4b4a-8eaf-7a834555cf33","engine":"EngineAddress(hostname=user-VirtualBox, port=8532)","engineConstraints":"(requirements: {} capabilities: { ... } priorities: [])","message":"New engine registered.","application":"oneApplication"}
{"@timestamp":"2021-04-14T11:26:03.804+02:00","@version":"1","message":"eventId=setEngineStatus engine=Engine(id=0031debd-6130-4b4a-8eaf-7a834555cf33, address=EngineAddress(hostname=user-VirtualBox, port=8532)), oldStatus=NEW, newStatus=READY","logger_name":"com.ataccama.dpm.registry.EngineRegistryServiceImpl","thread_name":"scheduling-1","severity":"INFO","level_value":20000,"correlationId":"0031debd-6130-4b4a-8eaf-7a834555cf33","eventId":"setEngineStatus","engine":"Engine(id=0031debd-6130-4b4a-8eaf-7a834555cf33, address=EngineAddress(hostname=user-VirtualBox, port=8532))","oldStatus":"NEW","newStatus":"READY","application":"oneApplication"}
dpe/log/spring-boot-logger.json.log
{"@timestamp":"2021-04-14T11:14:37.280+02:00","@version":"1","message":"eventId=register dpmUrl=localhost:8531, message=Engine registered.","logger_name":"com.ataccama.dpe.service.StatusChecker","thread_name":"scheduling-1","severity":"INFO","level_value":20000,"correlationId":"7b87a034-536b-4650-979b-62a27c575430","eventId":"register","dpmUrl":"localhost:8531","message":"Engine registered.","application":"oneApplication"}