CDD Authentication
JWT authentication for the Due Diligence microservices, as of release version 202010, happens in the microservice layer and is driven by environment variable configuration. The token is validated in-house, which removes the extra HTTP hop between IRF and the microservices.
Authentication using MS - JWT
The JWT signature is used to verify that the token was signed by the sender and has not been altered in any way. The signature is created from the header and payload segments, a signing algorithm, and a secret or public key.
To enable JWT authorisation, set ms.security.tokencheck.enabled to Y in the ENV.env file. The table below describes the JWT authentication properties.
| Property | Description |
|---|---|
| JWT_TOKEN_ISSUER | Identifies the issuer of the authentication token. |
| JWT_TOKEN_PUBLIC_KEY | Base64 encoded public key content that can be directly loaded as a public key certificate. |
| JWT_TOKEN_PRINCIPAL_CLAIM | The claim in which the user principal is provided. |
| ID_TOKEN_SIGNED | Enables JWT signature validation along with the header and payload. |
JWT authorization is disabled by default in the Azure, AWS and K8 stacks.
Enabling Authentication for Azure
For Azure deployment, set the following JWT configuration properties in both install.sh/install-postgresql.sh and install.bat/install-postgresql.bat.

```
#--- JWT Configuration ---
ms_security_tokencheck_enabled='Y'
JWT_TOKEN_PRINCIPAL_CLAIM="sub"
JWT_TOKEN_ISSUER="Fabric"
ID_TOKEN_SIGNED="true"
JWT_TOKEN_PUBLIC_KEY="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"
```
Enabling Authentication for AWS
For AWS deployment, set the following JWT configuration properties in install-aws.sh and install-aws-postgresql.sh.

```
#--- JWT Configuration ---
ms_security_tokencheck_enabled='Y'
JWT_TOKEN_PRINCIPAL_CLAIM="sub"
JWT_TOKEN_ISSUER="Fabric"
ID_TOKEN_SIGNED="true"
JWT_TOKEN_PUBLIC_KEY="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"
```
Enabling Authentication for K8
For K8, navigate to the path \duediligence\ms-duediligence-package\ms-duediligence-package-docker\src\docker\k8\on-premise\svc\templates\svc\ and set the JWT configuration properties below as environment variables in the API container of duediligence-configmap.yaml. The configmap in turn refers to the start scripts (start-duediligence-mongo.bat/start-duediligence-mongo.sh/start-duediligence-postgresql.bat/start-duediligence-postgresql.sh) for the value of each JWT configuration property.

```
#--- JWT configurations ---
ms.security.tokencheck.enabled: {{ .Values.jwtauth.enabled | quote }}
JWT_TOKEN_PRINCIPAL_CLAIM: {{ .Values.jwtauth.JWT_TOKEN_PRINCIPAL_CLAIM | quote }}
JWT_TOKEN_ISSUER: {{ .Values.jwtauth.JWT_TOKEN_ISSUER | quote }}
ID_TOKEN_SIGNED: {{ .Values.jwtauth.ID_TOKEN_SIGNED | quote }}
JWT_TOKEN_PUBLIC_KEY: {{ .Values.jwtauth.JWT_TOKEN_PUBLIC_KEY | quote }}
```

The start scripts set the values as follows:

```
SET jwtauth_enabled=Y
SET JWT_TOKEN_PRINCIPAL_CLAIM=sub
SET JWT_TOKEN_ISSUER=Fabric
SET ID_TOKEN_SIGNED=true
SET JWT_TOKEN_PUBLIC_KEY=TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFzYjJubnNMMzkycjNpd1JmYUdaUzFsVXRkYitFeXZ2OUZmZlhNR2NSNHJmTm5ITHkvRUlHbFFvNWh0NUNwUG91ODYwZkhnREpHZHk1ckVKWEJXVVdEUGI5OGkxMitQMkJGY1FyVnhmM3BWODM0ME10U0NEY3RwYmY2R2x3SkZZRHBjSVZSYWttWWpva0R2VEljanAxWnd2MHQvV2k5SjhHeERXWWhpNmhyd3VGY0c5SUdBSEJQWk8vY2dMR2pmYW9oYUY5OFhFOUtYTGMvV0NxQ1QycUIraEZjeWNlQTVMWU4vdURkRnZHbW5DOHUycWRIWDRoRW96bU8wTmpUaFBhRndiSm9NSXhENEtQa1VGN0Q1VXRkSWRYNUdIcXFOd1RSWnU4S0NEWWJUT1RvN2s3a2syeTB6SytkMllXQWdhWWw4djRTeEtCbVZzMVliZGRwUk1TVFFJREFRQUI=
```
If a value for a property has not been set in the start scripts, the respective JWT configuration property's value is taken from values.yaml.

```
#--- JWT configurations ---
enabled: Y
JWT_TOKEN_PRINCIPAL_CLAIM: sub
JWT_TOKEN_ISSUER: Fabric
ID_TOKEN_SIGNED: true
JWT_TOKEN_PUBLIC_KEY: 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
```