Setting up Liberator to work with KeyMaster
This page describes how to configure Liberator to work with KeyMaster.
Requirements
To configure Liberator to accept KeyMaster authentication tokens, you require the following:
- A Liberator auth module that supports KeyMaster tokens. Caplin examples include PermissioningService and TokenPermissioning.
- The public key of the KeyMaster servlet that issues authentication tokens to users. For more information on deploying the KeyMaster servlet, see Deploying KeyMaster.
Configuring Liberator
On all hosts where Liberator is deployed, follow the steps below:
- Copy KeyMaster’s DER public key to the Deployment Framework’s global_config/ssl directory.
- Activate a Liberator auth module that supports KeyMaster authentication tokens (for example, PermissioningService or TokenPermissioning):

    $ ./dfw deactivate OpenPermissioning
    $ ./dfw activate PermissioningService

- In the Deployment Framework configuration override file for the auth module, add an add-sigkey block if it is not already present:

  Example (from global_config/overrides/PermissioningService/Liberator/etc/rttpd.conf)

    add-sigkey
        key-id Caplin
        timeout 600 (1)
        keyfile "${SSLCERT_PATH}/keymaster_public.der" (2)
        hashing-algorithm sha256
    end-sigkey

  (1) The timeout option has been set to 600 seconds. Liberator will reject attempts to log in with tokens older than 600 seconds (10 minutes).
  (2) The keyfile option specifies the path to KeyMaster’s public key. The default value of the configuration variable SSLCERT_PATH is global_config/ssl.
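A pre-deployment check for the add-sigkey block described above, as an added example that is not part of Caplin's documentation or tooling. The function names, the limits MAX_TIMEOUT and WEAK_HASHES, and the sample text are assumptions of this example; the parser reads only the options shown on this page and expects the callout markers (1) and (2) to be absent from the file.

```python
import os

MAX_TIMEOUT = 600              # seconds; the value used in the page's example
WEAK_HASHES = {"md5", "sha1"}  # assumption: names this check treats as weak

SAMPLE_CONF = """
add-sigkey
    key-id Caplin
    timeout 600
    keyfile "${SSLCERT_PATH}/keymaster_public.der"
    hashing-algorithm sha256
end-sigkey
"""  # constructed sample, modelled on the page's rttpd.conf override

def parse_sigkeys(conf_text):
    """Return one dict of options per add-sigkey ... end-sigkey block."""
    blocks, current = [], None
    for raw in conf_text.splitlines():
        parts = raw.split(None, 1) or [""]   # blank lines match nothing below
        if parts[0] == "add-sigkey":
            current = {}
        elif parts[0] == "end-sigkey" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None and len(parts) == 2:
            current[parts[0]] = parts[1].strip().strip('"')
    return blocks

def check_sigkey(block, sslcert_path):
    """Return a list of findings for one block; an empty list means it passed."""
    findings = []
    timeout = block.get("timeout", "")
    if not timeout.isdigit():
        findings.append("timeout is not set to a number of seconds")
    elif int(timeout) > MAX_TIMEOUT:
        findings.append(f"timeout {timeout}s accepts tokens older than {MAX_TIMEOUT}s")
    algo = block.get("hashing-algorithm", "").lower()
    if not algo or algo in WEAK_HASHES:
        findings.append(f"hashing-algorithm is {algo or 'not set'}")
    path = block.get("keyfile", "").replace("${SSLCERT_PATH}", sslcert_path)
    if not os.path.isfile(path):
        findings.append(f"keyfile not found: {path}")
    else:
        with open(path, "rb") as fh:
            if fh.read(1) != b"\x30":   # a DER public key begins with a SEQUENCE tag
                findings.append("keyfile is not DER (PEM or another format?)")
        if os.stat(path).st_mode & 0o022:   # group or other write bit set
            findings.append("keyfile is group- or world-writable")
    return findings
```

The write-permission check matters because anyone who can replace the public key file controls which tokens Liberator accepts.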