Enable JWT security and disable mTLS between subsystems

Postinstallation steps to enable JWT security and disable mTLS between subsystems.

About this task

JWT security is an alternative to using mTLS to secure inter-subsystem communication. For more information on JWT security and when to use it, see: Enable JWT security instead of mTLS.

If you disable mTLS then you must enable JWT.
Note: It is not possible to use JWT on the V5 compatible gateway to analytics message flow. This flow is secured by mTLS, which cannot be disabled.

Procedure

  1. Describe the apiconnectcluster CR to get the JWKS URL:
    oc describe apiconnectcluster -n <namespace>
    status:
      - name: jwksUrl
        secretName: api-endpoint
        type: API
        uri: https://api.apic.acme.com/api/cloud/oauth2/certs
  2. For each portal, gateway, and analytics subsystem where you want to use JWT security, edit the section of the top-level CR corresponding to that subsystem, and add the following:
    spec:
      <subsystem>
        mtlsValidateClient: false
        jwksUrl: <JWKS URL>
    where
    • <subsystem> is either portal, analytics, or gateway, depending on which subsystem you want to use JWT security with. If this subsystem section does not already exist in the top-level CR, then add it as shown above.
    • <JWKS URL> is the URL identified in step 1.
  3. v10.0.5.4 and later: Enable JWT on the gateway to analytics communications flow. Enable the Use JWT switch for the registered gateway in the Topology page of the Cloud Manager UI.
    Datapower version 10.5.0.4 only: To enable JWT on the gateway to analytics communications flow, you also must add a dataPowerOverride section to the gateway CR:
       
    spec:
      jwksUrl: <JWKS URL>
      dataPowerOverride:
         image: customregistry.com/custom-image-datapower:10.5.0.5
         version: 10.5.0.5
         license: X-XXXX-XXXXXX