This section describes the different properties that are used in the Authorization Server. These properties are divided into several blocks, with each block corresponding to a particular element of the Authorization Server.

The following is an example of parameters that have been configured according to the requirements.

Authorization Server template.conf:

jwt {
    key-id=jwt
    key-password="DR_DEFAULT_KEY-25FB75239B53E487605912194E971790"
    keystore-location="/path/to/keystore"
    keystore-password="DR_DEFAULT_KEY-25FB75239B53E487605912194E971790"
    # Only RS256, RS384 and RS512 are supported
    signature-algorithm=RS256
}
management-api {
    # Management Web API Base URI
    base-uri="/api"
    enable-basic-auth=false
    # HTTP Basic Authentication Password
    password="DR_DEFAULT_KEY-1D2E6A059AF8120841E62C87CFDB3FF4"
    # HTTP Basic Authentication Username
    username=mzadmin
}
sc=sc1
server {
    # Validity period in seconds for access token generated
    access-token-expiry=1800
    # Endpoint to request for access token
    access-token-uri="/token"
    host=localhost
    port=10000
}
storage {
    database {
        enabled=true
        # Only used when storage type is "database". PostgreSQL or Oracle DB only
        profile-name="<Path.DBProfileName>"
        poolsize=8
    }
    file-based {
        # Only used when storage type is "file-based"
        storage-location="/path/to/file/storage"
    }
    # The storage type can be either "file-based" or "database"
    type=file-based
}
tls {
    enable-tls=false
    enable-two-way-authentication=false
    # Configure keystore if using TLS
    keystore-location="/path/to/keystore"
    keystore-password="DR_DEFAULT_KEY-25FB75239B53E487605912194E971790"
    # Configure truststore if using TLS 2-way authentication
    truststore-location="/path/to/truststore"
    truststore-password="DR_DEFAULT_KEY-25FB75239B53E487605912194E971790"
}
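The following Python script is an added example, not DigitalRoute's own tooling, that reads a template.conf in the brace-nested layout shown above and checks the settings this page calls out: enable-basic-auth and enable-tls should be true, signature-algorithm must be RS256, RS384 or RS512, storage.type must be a supported value with a real profile name when it is "database", access-token-expiry must be a positive number of seconds, and every password must be the output of "mzsh encryptpassword". The "DR" prefix used to recognise encrypted values and the "<...>" placeholder convention are assumptions taken from the sample values on this page; the embedded TEMPLATE is a constructed copy of the template.

```python
"""Static lint of an Authorization Server template.conf (added example, not the
product's own tooling). Assumptions: the brace-nested key=value layout of the
template, "mzsh encryptpassword" output starting with "DR" as the page's sample
values do, and "<...>" marking an unfilled placeholder."""
import re

SUPPORTED_ALGS = {"RS256", "RS384", "RS512"}   # per the jwt block comment
STORAGE_TYPES = {"file-based", "database"}
ENCRYPTED_RE = re.compile(r"^DR[_-]")          # assumed encryptpassword prefix

# Constructed copy of the page's template (comments and some keys dropped).
TEMPLATE = """\
jwt {
    key-password="DR_DEFAULT_KEY-25FB75239B53E487605912194E971790"
    keystore-location="/path/to/keystore"
    keystore-password="DR_DEFAULT_KEY-25FB75239B53E487605912194E971790"
    signature-algorithm=RS256
}
management-api {
    base-uri="/api"
    enable-basic-auth=false
    password="DR_DEFAULT_KEY-1D2E6A059AF8120841E62C87CFDB3FF4"
    username=mzadmin
}
sc=sc1
server {
    access-token-expiry=1800
    access-token-uri="/token"
}
storage {
    database {
        profile-name="<Path.DBProfileName>"
    }
    file-based {
        storage-location="/path/to/file/storage"
    }
    type=file-based
}
tls {
    enable-tls=false
    keystore-location="/path/to/keystore"
    keystore-password="DR_DEFAULT_KEY-25FB75239B53E487605912194E971790"
}
"""

def parse_conf(text):
    """Flatten the nested blocks into dotted keys, e.g. 'tls.enable-tls'."""
    conf, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            if not path:
                raise ValueError("unbalanced '}'")
            path.pop()
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            conf[".".join(path + [key.strip()])] = value.strip().strip('"')
    if path:
        raise ValueError("unclosed block: " + ".".join(path))
    return conf

def lint(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if conf.get("management-api.enable-basic-auth") != "true":
        findings.append("management-api.enable-basic-auth is not true: client and scope lists are readable without credentials")
    if conf.get("tls.enable-tls") != "true":
        findings.append("tls.enable-tls is not true: tokens and Management API credentials travel over plain HTTP")
    alg = conf.get("jwt.signature-algorithm")
    if alg not in SUPPORTED_ALGS:
        findings.append(f"jwt.signature-algorithm={alg!r} is not one of {sorted(SUPPORTED_ALGS)}")
    stype = conf.get("storage.type")
    if stype not in STORAGE_TYPES:
        findings.append(f"storage.type={stype!r} must be 'file-based' or 'database'")
    elif stype == "database" and conf.get("storage.database.profile-name", "<").startswith("<"):
        findings.append("storage.database.profile-name is unset or still a placeholder")
    expiry = conf.get("server.access-token-expiry", "")
    if not expiry.isdigit() or int(expiry) <= 0:
        findings.append("server.access-token-expiry must be a positive number of seconds")
    for key, value in conf.items():
        if key.endswith("password") and not ENCRYPTED_RE.match(value):
            findings.append(f"{key} does not look like mzsh encryptpassword output")
    return findings

def lint_text(text):
    return lint(parse_conf(text))

if __name__ == "__main__":
    for finding in lint_text(TEMPLATE):
        print("-", finding)
```

Run against the template as shipped, the script reports exactly the two settings the page recommends changing (Basic Authentication and TLS both disabled); it is a static check only and says nothing about whether the keystores or the database profile actually exist.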

JWT

The Authorization Server generates JSON Web Token (JWT) based access tokens and requires the JWT to be digitally signed. Currently, only the RSA private/public key pair signing method is supported.

The JWT block is used to configure the keystore and the RSA private/public key pair details. Its parameters are:

  • keystore-location
  • keystore-password
  • key-id
  • key-password
  • signature-algorithm

Management API

The Management API is used to provision scopes and register clients via HTTP. Clients need to be registered before any access token can be requested.

The Management API configuration is used to configure the base endpoint in the Authorization Server that will be used to host the Management API.

For more information on the function of the Management API, refer to Management API.

The management-api block parameters are:

  • base-uri
  • enable-basic-auth
  • username
  • password

Info

It is recommended to have enable-basic-auth set to true. This is so the list of clients and scopes will not be accessible to anyone without the proper credentials configured in username and password.

SC

The Authorization Server will be hosted in a Service Context (SC) and the name of the SC needs to be specified in the sc parameter.

Server

The server configuration for the OAuth2 Service determines where the access token endpoint is hosted and the access token expiry. The server block parameters are:

  • host
  • port
  • access-token-uri
  • access-token-expiry

Each parameter is described in detail in the sections that follow.
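As an added example (not part of the original page or of the product), the following Python shows what a resource server should check on an incoming access token before trusting it, using the two values from the JWT and Server blocks above: the header alg must equal the configured signature-algorithm (so a token claiming "none" or an HMAC algorithm is rejected outright rather than matched against an allowlist), and the exp/iat lifetime must not exceed access-token-expiry. The tokens and the NOW timestamp are constructed; the third segment is a placeholder rather than a real RSA signature, and verifying the RSA signature with the public key from the keystore (typically with a JWT library) is a separate step this code deliberately does not perform.

```python
"""Pre-check of a JWT access token against jwt.signature-algorithm and
server.access-token-expiry (added example, not the product's own code).
The RSA signature must still be verified separately with the public key
from the keystore; this code does not do that."""
import base64
import json

SUPPORTED_ALGS = {"RS256", "RS384", "RS512"}   # the only algorithms the server supports

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_token(header, claims):
    """Constructed token for the example; the third segment is a placeholder,
    not a real RSA signature."""
    return ".".join([b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
                     b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
                     b64url_encode(b"placeholder-signature")])

def precheck_access_token(token, configured_alg, access_token_expiry, now):
    """Return (accepted, reason). Rejects any token whose alg or lifetime could
    not have been produced by a server with this configuration."""
    if configured_alg not in SUPPORTED_ALGS:
        return False, f"server misconfigured: {configured_alg!r} is not a supported signature-algorithm"
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return False, "token is not a three-segment JWS compact serialization"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:                  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "header or payload is not base64url-encoded JSON"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "header and payload must be JSON objects"
    # Bind alg to the configured value: "none" or an HMAC alg is never accepted
    if header.get("alg") != configured_alg:
        return False, f"alg {header.get('alg')!r} does not match configured {configured_alg}"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not (isinstance(exp, int) and isinstance(iat, int)):
        return False, "exp and iat claims are required"
    if exp - iat > access_token_expiry:
        return False, f"lifetime {exp - iat}s exceeds access-token-expiry={access_token_expiry}"
    if now >= exp:
        return False, "token has expired"
    return True, "alg and lifetime are consistent with the server configuration"

# Constructed samples: a 1800-second token issued one minute ago, a token with
# alg "none", and a token whose lifetime exceeds access-token-expiry
NOW = 1_700_000_000
GOOD = make_token({"alg": "RS256", "typ": "JWT", "kid": "jwt"},
                  {"sub": "client-1", "scope": "read", "iat": NOW - 60, "exp": NOW - 60 + 1800})
NONE_ALG = make_token({"alg": "none", "typ": "JWT"},
                      {"sub": "client-1", "iat": NOW, "exp": NOW + 600})
TOO_LONG = make_token({"alg": "RS256", "typ": "JWT"},
                      {"sub": "client-1", "iat": NOW, "exp": NOW + 86400})

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("none-alg", NONE_ALG), ("too-long", TOO_LONG)]:
        print(name, precheck_access_token(tok, "RS256", 1800, NOW))
```

The alg comparison is deliberately an equality against the configured value rather than membership in SUPPORTED_ALGS: a resource server that knows the Authorization Server signs with RS256 has no reason to accept RS384 tokens, and a lifetime longer than access-token-expiry can only come from a forged or misconfigured issuer.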

Storage

The OAuth2 Service stores provisioned scopes and registered clients in memory or in persistent storage.

The storage configuration determines where the data is stored. For database storage, refer to Authorization Server Storage Database Schema for details on creating the tables for the Authorization Server.

Parameter Name

Description

type

Type of storage to be used. The value can be one of the following:

  • file-based (Default) - The data will be stored in a file-based storage.

  • database - The data will be stored in a database.

Info

Only PostgreSQL and Oracle databases are currently supported.

file-based.storage-location

Location of the file-based storage. It will be created if not found. Only used when storage type is set to "file-based".

Note

For fresh installs, the last path in the location should be non-existent as the Authorization Server will create it automatically.

database.profile-name

The Database Profile Name in MZ to be used. Only used when storage type is set to "database". The value of the profile name should include the directory name as shown in the desktop UI.

Example:

storage {
    database {
        profile-name="REST.PRF_DB"
    }
    type="database"
}

database.poolsize

The size of the connection pool, representing the number of database connections that are kept open and ready for use. Only used when storage type is set to "database".

Server

The server configuration for the OAuth2 Service determines where the access token endpoint is hosted and the access token expiry.

Parameter Name

Description

host

Host on which the access token endpoint is hosted.

port

Port on which the access token endpoint is hosted.

access-token-uri

Endpoint to request for access token.

access-token-expiry

Validity period in seconds for access token generated.

Management API

The Management API is used to provision scopes and register clients via HTTP. Clients need to be registered before any access token can be requested.

The Management API configuration is used to configure the base endpoint in the Authorization Server that will be used to host the Management API.

For more information on the function of the Management API, refer to Management API.

Parameter Name

Description

base-uri

Management Web API base URI.

enable-basic-auth

Enables HTTP Basic Authentication for the Management API.

Info

It is recommended to have enable-basic-auth set to true. This is so the list of clients and scopes will not be accessible to anyone without the proper credentials mentioned below.

username

Username for HTTP Basic Authentication (if enabled).

password

Password for HTTP Basic Authentication (if enabled). Must be encrypted using the "mzsh encryptpassword" command.

JWT

The Authorization Server generates the JSON Web Token (JWT) and requires the JWT to be digitally signed. Currently, only the RSA private/public key pair signing method is supported.

The JWT block is used to configure the keystore and the RSA private/public key pair details.

Parameter Name

Description

keystore-location

Path to the keystore where the RSA private/public key pair used for the JWT is stored. Only Java KeyStore (JKS) format is supported.

keystore-password

Password of the keystore. Must be encrypted using the "mzsh encryptpassword" command.

key-id

Alias of the RSA private/public key pair used for the JWT.

key-password

Password of the RSA private/public key pair used for the JWT. Must be encrypted using the "mzsh encryptpassword" command.

signature-algorithm

Signature algorithm to be used for JWT signing. Only RS256, RS384 and RS512 are supported.

TLS

The Authorization Server runs on the HTTP protocol and it is highly recommended that the HTTP protocol is secured using TLS.

Parameter Name

Description

enable-tls

Enable TLS for the HTTP protocol (HTTPS).

keystore-location

Path to the keystore used for TLS. Only used when enable-tls is set to true.

keystore-password

Password of the TLS keystore. Must be encrypted using the "mzsh encryptpassword" command.

enable-two-way-authentication

Enable TLS 2-way (mutual) authentication.

truststore-location

Path to the truststore where the client certificates are stored. Only Java KeyStore (JKS) format is supported. Only used when enable-two-way-authentication is set to true.

truststore-password

Password of the truststore. Must be encrypted using the "mzsh encryptpassword" command.