Postinstallation steps to enable JWT security and disable mTLS between subsystems.
About this task

JWT security is an alternative to using mTLS to secure inter-subsystem communication. For more information on JWT security and when to use it, see: Enable JWT security instead of mTLS.

If you disable mTLS then you must enable JWT.

Note: It is not possible to use JWT on the V5 compatible gateway to analytics message flow. This flow is secured by mTLS, which cannot be disabled.
Procedure

1. Describe the apiconnectcluster CR to get the JWKS URL:

       oc describe apiconnectcluster -n <namespace>

   The jwksUrl entry in the status section of the output is the URL to use:

       status:
       - name: jwksUrl
         secretName: api-endpoint
         type: API
         uri: https://api.apic.acme.com/api/cloud/oauth2/certs
2. For each portal, gateway, and analytics subsystem where you want to use JWT security, edit the section of the top-level CR corresponding to that subsystem, and add the following:

       spec:
         <subsystem>:
           mtlsValidateClient: false
           jwksUrl: <JWKS URL>

   where
   - <subsystem> is either portal, analytics, or gateway, depending on which subsystem you want to use JWT security with. If this subsystem section does not already exist in the top-level CR, then add it as shown above.
   - <JWKS URL> is the URL identified in step 1.
3. v10.0.5.4 and later: Enable JWT on the gateway to analytics communications flow. Enable the Use JWT switch for the registered gateway in the Topology page of the Cloud Manager UI.

   DataPower version 10.5.0.4 only: To enable JWT on the gateway to analytics communications flow, you also must add a dataPowerOverride section to the gateway CR:

       spec:
         jwksUrl: <JWKS URL>
         dataPowerOverride:
           image: customregistry.com/custom-image-datapower:10.5.0.5
           version: 10.5.0.5
           license: X-XXXX-XXXXXX
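After steps 1 and 2 it is worth confirming that no subsystem ended up with mTLS disabled but no jwksUrl, since that combination leaves the inter-subsystem traffic without either form of authentication. The following checker is an added example, not IBM's code; it reads the CR as a JSON dictionary (as produced by `oc get apiconnectcluster -n <namespace> -o json`), the sample CR is constructed, and the "endpoints" key in its status section is a placeholder because the page does not show which list holds the jwksUrl entry.

```python
# Added example, not IBM's code: check the JWT/mTLS settings in an apiconnectcluster
# CR exported as JSON (e.g. `oc get apiconnectcluster -n <namespace> -o json`). The
# status section is searched for the entry named jwksUrl; its list key is not assumed.
from urllib.parse import urlparse

SUBSYSTEMS = ("portal", "analytics", "gateway")


def jwks_url_from_status(cr):
    """Return the uri of the status entry named jwksUrl, or None if absent."""
    for value in cr.get("status", {}).values():
        if not isinstance(value, list):
            continue
        for entry in value:
            if isinstance(entry, dict) and entry.get("name") == "jwksUrl":
                return entry.get("uri")
    return None


def check_jwt_config(cr):
    """Return (subsystem, finding) pairs for settings that weaken security."""
    findings = []
    expected = jwks_url_from_status(cr)
    for name in SUBSYSTEMS:
        section = cr.get("spec", {}).get(name)
        if section is None:
            continue  # subsystem section not present in this CR
        mtls = section.get("mtlsValidateClient", True)  # assumed default: mTLS on
        jwks = section.get("jwksUrl")
        if not mtls and not jwks:
            findings.append((name, "mTLS disabled but no jwksUrl: traffic is not validated"))
        if jwks:
            if urlparse(jwks).scheme != "https":
                findings.append((name, "jwksUrl must use https so the key set cannot be tampered with"))
            if expected and jwks != expected:
                findings.append((name, "jwksUrl differs from the jwksUrl published in status"))
    return findings


# Constructed CR: portal is correct, analytics disables mTLS without JWT, and
# gateway points at a plain-HTTP JWKS endpoint. "endpoints" is a placeholder key.
JWKS = "https://api.apic.acme.com/api/cloud/oauth2/certs"
SAMPLE_CR = {
    "spec": {
        "portal": {"mtlsValidateClient": False, "jwksUrl": JWKS},
        "analytics": {"mtlsValidateClient": False},
        "gateway": {"mtlsValidateClient": False, "jwksUrl": JWKS.replace("https", "http", 1)},
    },
    "status": {"endpoints": [{"name": "jwksUrl", "secretName": "api-endpoint", "type": "API", "uri": JWKS}]},
}

FINDINGS = check_jwt_config(SAMPLE_CR)  # analytics: no jwksUrl; gateway: http scheme and mismatch
```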