Configure JWT Security with LDAP
You can configure the gm-jwt-security service to search an LDAP server for user payloads. To use LDAP as a backend service, refer to the following configuration options.
To enable, USE_LDAP must be set to true.
LDAP configuration (variable, type, default value, description):

USE_LDAP
    type bool, default false
    true to configure and search an LDAP server for user payloads
LDAP_ADDR
    type string, default "ldap.example.com"
    the LDAP server address
LDAP_PORT
    type uint, default 389
    the LDAP server port
LDAP_TLS
    type bool, default false
    true to encrypt the LDAP connection
LDAP_BASE_DN
    type string, default dc=example,dc=com
    base userDN for LDAP search requests
LDAP_USER
    type string, default "cn=read-only-admin,dc=example,dc=com"
    user to associate with the LDAP session
LDAP_USER_PASSWORD
    type base64, default: echo "password" | base64 -> cGFzc3dvcmQK
    password to associate with the LDAP session user
LDAP_TEST_DN
    type string, default "cn=admin,dc=example,dc=com"
    test user payload for LDAP
Configuration details for the Grey Matter JWT Security service.
You can deploy the Grey Matter JSON Web Token (JWT) Service in many ways, including the following:
The preferred approach is to deploy it as a Docker container running inside an OpenShift or Kubernetes Pod.
The service is also packaged as a TAR file containing an executable binary that you can deploy to a server.
Follow the configuration requirements below to set up the Grey Matter JWT Security service.
Three pieces of information are required to configure and run the service:
Set JWT_API_KEY as an environment variable.
Set PRIVATE_KEY and USERS_JSON either as base64 encoded strings or as volume mounts (recommended).
If both are provided, the volume mount supersedes the set variable.
JWT_API_KEY is the base64 encoding of a comma separated list of API keys. For example, for the key list 123,my-special-key,super-secret-key,pub-key, JWT_API_KEY is set to the base64 encoding of that list (the echo command shown after the users.json example below).
Any service that provides the header api-key with a value matching one of the following will then have access:
123
my-special-key
super-secret-key
pub-key
The users.json file should have a users field that contains an array of user payloads; see the example below.
The gm-jwt-security service creates JWT tokens and writes them to a Redis server. A Redis server reachable through the following environment variables is therefore required to generate and store tokens.
The following environment variables specify the host, ports, and logging level of the gm-jwt-security service. To set an expiration time for generated tokens, set TOKEN_EXP_TIME.
The gm-jwt-security service supports LDAP as a backend server to search for user payloads (see Configure JWT Security with LDAP above).
TLS can be configured on the gm-jwt-security service using the ENABLE_TLS, SERVER_CERT, SERVER_KEY and SERVER_TRUST settings described below.
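An added Go example, not the service's own code, of consuming JWT_API_KEY the way the page defines it (base64 of a comma separated list) and checking an api-key header against the decoded keys; ParseAPIKeys and Authorized are names chosen for this example. It uses the encoded value from this page and shows that the trailing newline added by echo does not leak into the last key.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// ParseAPIKeys decodes JWT_API_KEY as described on the page: a base64 encoding
// of a comma separated list. Whitespace around each key is dropped, so the
// newline that "echo ... | base64" appends does not become part of the last
// key. Empty entries are rejected instead of becoming an empty "valid" key.
func ParseAPIKeys(encoded string) ([]string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(encoded))
	if err != nil {
		return nil, fmt.Errorf("JWT_API_KEY is not valid base64: %w", err)
	}
	var keys []string
	for _, k := range strings.Split(string(raw), ",") {
		k = strings.TrimSpace(k)
		if k == "" {
			return nil, fmt.Errorf("JWT_API_KEY contains an empty key")
		}
		keys = append(keys, k)
	}
	return keys, nil
}

// Authorized reports whether the api-key header value matches a configured key.
// Equal-length comparisons run in constant time, and the loop does not stop at
// the first hit, so response timing does not reveal which key matched.
func Authorized(header string, keys []string) bool {
	ok := false
	for _, k := range keys {
		if subtle.ConstantTimeCompare([]byte(header), []byte(k)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// Value from this page: base64 of "123,my-special-key,super-secret-key,pub-key\n".
	keys, err := ParseAPIKeys("MTIzLG15LXNwZWNpYWwta2V5LHN1cGVyLXNlY3JldC1rZXkscHViLWtleQo=")
	fmt.Println(keys, err, Authorized("pub-key", keys), Authorized("pub-key\n", keys))
}
```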
Required configuration (variable, mount location, type, default value, description):

JWT_API_KEY
    mount location -, type base64, default ""
    base64 encoded string of comma separated api keys
PRIVATE_KEY
    mount location /gm-jwt-security/certs/jwtES512.key, type base64, default ""
    base64 encoded private key file
USERS_JSON
    mount location /gm-jwt-security/etc/users.json, type base64, default ""
    base64 encoded users.json file

Redis configuration (variable, type, default value, description):

REDIS_HOST
    type string, default "0.0.0.0"
    host name of Redis server
REDIS_PORT
    type string, default "6379"
    port number of Redis server
REDIS_DB
    type uint, default 0
    Redis database to be selected after connecting to the server
REDIS_PASS
    type string, default "123"
    password for Redis server

Server configuration (variable, type, default value, description):

BIND_ADDRESS
    type string, default "0.0.0.0"
    bind address for the gm-jwt-security server
HTTP_PORT
    type uint, default 8080
    http port for the server
HTTPS_PORT
    type uint, default 9443
    https port for the server
ZEROLOG_LEVEL
    type string, default "WARN"
    logging level: INFO, DEBUG, WARN, ERR
TOKEN_EXP_TIME
    type uint, default 28800
    token expiration time in seconds
DEFAULT_PATH
    type string, default "/services/"
    default path to apply to cookies generated by the /policies endpoint

Example users.json:
{
"users": [
{
"label": "CN=localuser,OU=Engineering,O=Decipher Technology Studios,=Alexandria,=Virginia,C=US",
"values": {
"email": [
"localuser@deciphernow.com"
],
"org": [
"www.deciphernow.com"
]
}
},
{
"label": "cn=chris.holmes, dc=deciphernow, dc=com",
"values": {
"email": [
"chris.holmes@deciphernow.com"
],
"org": [
"www.deciphernow.com"
],
"privilege": [
"root"
]
}
}
]
}

The JWT_API_KEY value for the API key list above is produced with:
echo "123,my-special-key,super-secret-key,pub-key" | base64
MTIzLG15LXNwZWNpYWwta2V5LHN1cGVyLXNlY3JldC1rZXkscHViLWtleQo=

To enable TLS support for the service, perform the following steps:
Set ENABLE_TLS to true.
Specify cert, trust, and key either through a volume mount (recommended) or through the following environment variables.
If both a volume mount and environment variables are provided, the volume-mounted files take precedence over the environment variables.

TLS configuration (variable, mount location, type, default value, description):

ENABLE_TLS
    mount location -, type bool, default false
    true to enable TLS support
SERVER_CERT
    mount location /gm-jwt-security/certs/server.cert.pem, type base64, default ""
    base64 encoded server certificate
SERVER_KEY
    mount location /gm-jwt-security/certs/server.key.pem, type base64, default ""
    base64 encoded server key
SERVER_TRUST
    mount location /gm-jwt-security/certs/server.trust.pem, type base64, default ""
    base64 encoded server trust store