Lead your team forward
OCT 24 / 9AM ET Register nowHow to Generate JWT Keys
Applies to self-managed deployments. |
You can use this guide to generate JWT tokens when introducing a new service during the upgrade procedure or in case you need to update the existing keys for some modules.
In this guide, we are using the open-source generator mkjwk to create the tokens. If you prefer to generate the tokens locally, the same tool is available as a command-line utility or a library.
You can also choose any other generator provided that it uses the P256 elliptic curve for asymmetric encryption.
The example shows how to establish communication between Data Processing Module (DPM) and Data Processing Engine (DPE) modules. The same procedure needs to be repeated for any other pair of communicating modules. For more information about the specific use cases, refer to the Upgrade Guide.
Prerequisites
Make sure the services for which you’re generating the keys are not running before you start editing the configuration.
Generate a token
Start by generating a token for one of the modules (in our case, DPM).
-
Go to mkjwk.org/.
-
Switch to the EC tab.
-
Provide the following arguments:
-
Curve: P-256.
-
Key Use: Signature.
-
Algorithm: ES256 (ECDSA using P-256 and SHA-256).
-
Key ID: SHA-256.
-
Show X509: No.
-
-
Select Generate.
-
Copy the generated Public and Private Keypair and save it to a dedicated text file.
Alternatively, keep the browser tab open until you are finished with step 3.
Supply the JWT key to DPM
-
Open the file containing the Public and Private Keypair (created in step Generate a token).
Keep the file open as the information stored in it is reused in step Provide the DPM deployment information to DPE. -
Copy the keypair and base64 encode it.
-
Open the
dpm/etc/application.properties
configuration file and configure the following property using the base64 encoded value for Public and Private Keypair (obtained in the previous step).dpm/etc/application.properties
ataccama.authentication.internal.jwt.generator.key=<generated_key>
Provide the DPM deployment information to DPE
-
In the
dpe/etc/application.properties
configuration file, configure the following properties:-
ataccama.one.platform.deployments.<deployment_name>.module
: The module type, in this casedpm
. -
ataccama.one.platform.deployments.<deployment_name>.environment
: The name of the environment, for example,dev
. -
ataccama.one.platform.deployments.<deployment_name>.security.jwt-keys.key.fingerprint
: Copy the key identifier (kid
) value from the file containing the Public and Private Keypair. -
ataccama.one.platform.deployments.<deployment_name>.security.jwt-keys.key.content
: Copy the Public and Private Keypair from the file used in the previous step and removed
anduse
parameters. The value must use JSON syntax and be provided on a single line. -
ataccama.one.platform.deployments.<deployment_name>.security.jwt-keys.key.is-revoked
: Set tofalse
. -
ataccama.one.platform.deployments.<deployment_name>.security.roles[0]
: The user role (as defined in Keycloak) used to create the service identity during authentication. Set toIMPERSONATION
.Use one name per deployment and make sure that this name is consistent across all modules, for example, dpm-dev
. You can set the value of<deployment_name>
to any string consisting of alphanumeric characters and dashes.dpe/etc/application.properties
ataccama.one.platform.deployments.dpm-dev.module=dpm ataccama.one.platform.deployments.dpm-dev.environment=dev ataccama.one.platform.deployments.dpm-dev.security.jwt-keys.key.fingerprint=vcjAli5Xm_pvtE8ItBkd3aT_FWi_23WieMf5f-lppBI ataccama.one.platform.deployments.dpm-dev.security.jwt-keys.key.content={kty":"EC",crv":"P-256","kid":"vcjAli5Xm_pvtE8ItBkd3aT_FWi_23WieMf5f-lppBI","x":"Hbs53V5zC-1DjNf5RtJ1bNHlxvzM5jST7J1ADVePV9g","y":"4pVfzrF7FMHt_Xx2FgLauvLZuJqbpL9crdOxvTXWb64","alg":"ES256"} ataccama.one.platform.deployments.dpm-dev.security.jwt-keys.key.is-revoked=false ataccama.one.platform.deployments.dpm-dev.security.roles[0]=IMPERSONATION
-
Generate a second token
Generate a token for the second module (in our case, DPE). For details, see Generate a token.
Supply the JWT key to DPE
-
Open the file containing the Public and Private Keypair (created in Generate a second token).
Keep the file open as the information stored in it is reused in step Provide the DPE deployment information to DPM. -
Copy the keypair and base64 encode it.
-
Open the
dpe/etc/application.properties
configuration file and configure the following property using the base64 encoded value for Public and Private Keypair (obtained in the previous step).dpe/etc/application.properties
ataccama.authentication.internal.jwt.generator.key=<generated_key>
Provide the DPE deployment information to DPM
-
In the
dpm/etc/application.properties
configuration file, configure the following properties.For a description of the properties and their values, see Provide the DPM deployment information to DPE.
dpm/etc/application.properties
ataccama.one.platform.deployments.dpe-dev.module=dpe ataccama.one.platform.deployments.dpe-dev.environment=dev ataccama.one.platform.deployments.dpe-dev.security.jwt-keys.key1.fingerprint=kHSzWkPiZKfSKAgdIkCdXfAAKs7x23jszQLkTOzQTEM ataccama.one.platform.deployments.dpe-dev.security.jwt-keys.key1.content={"kty":"EC","crv":"P-256","kid":"KBv0lrEO88ISAnmwXn6Y5jYjG9TvemuZA0yQlq7QpG0","x":"KsJKpmDA03Js3o8JWWiH5tyUfv80kaJy60_7BOrwmKo","y":"7kfcrUzl95MQEZnCjhWA0dIIhzK-jvdaAtGRAuBzZbk","alg":"ES256"} ataccama.one.platform.deployments.dpe-dev.security.jwt-keys.key1.is-revoked=false ataccama.one.platform.deployments.dpe-dev.security.roles[0]=IMPERSONATION
Start the modules
Start the modules in the following order: DPM, DPE. DPE can now register with DPM and the following messages are shown:
dpm/log/spring-boot-logger.json.log
{"@timestamp":"2021-04-14T11:26:03.234+02:00","@version":"1","message":"eventId=registerEngine engineId=0031debd-6130-4b4a-8eaf-7a834555cf33, engine=EngineAddress(hostname=user-VirtualBox, port=8532), engineConstraints=(requirements: {} capabilities: { ... } priorities: []), message=New engine registered.","logger_name":"com.ataccama.dpm.registry.EngineRegistryServiceImpl","thread_name":"grpc-default-executor-0","severity":"INFO","level_value":20000,"authenticatedUser":"ServiceIdentity(module=dpe, id=dpe-dev, roles=[IMPERSONATION])","correlationId":"0031debd-6130-4b4a-8eaf-7a834555cf33","eventId":"registerEngine","engineId":"0031debd-6130-4b4a-8eaf-7a834555cf33","engine":"EngineAddress(hostname=user-VirtualBox, port=8532)","engineConstraints":"(requirements: {} capabilities: { ... } priorities: [])","message":"New engine registered.","application":"oneApplication"}
{"@timestamp":"2021-04-14T11:26:03.804+02:00","@version":"1","message":"eventId=setEngineStatus engine=Engine(id=0031debd-6130-4b4a-8eaf-7a834555cf33, address=EngineAddress(hostname=user-VirtualBox, port=8532)), oldStatus=NEW, newStatus=READY","logger_name":"com.ataccama.dpm.registry.EngineRegistryServiceImpl","thread_name":"scheduling-1","severity":"INFO","level_value":20000,"correlationId":"0031debd-6130-4b4a-8eaf-7a834555cf33","eventId":"setEngineStatus","engine":"Engine(id=0031debd-6130-4b4a-8eaf-7a834555cf33, address=EngineAddress(hostname=user-VirtualBox, port=8532))","oldStatus":"NEW","newStatus":"READY","application":"oneApplication"}
dem/log/spring-boot-logger.json.log
{"@timestamp":"2021-04-14T11:14:37.280+02:00","@version":"1","message":"eventId=register dpmUrl=localhost:8531, message=Engine registered.","logger_name":"com.ataccama.dpe.service.StatusChecker","thread_name":"scheduling-1","severity":"INFO","level_value":20000,"correlationId":"7b87a034-536b-4650-979b-62a27c575430","eventId":"register","dpmUrl":"localhost:8531","message":"Engine registered.","application":"oneApplication"}
Was this page useful?