Enable JWT security and disable mTLS between subsystems

Postinstallation steps to enable JWT security and disable mTLS between subsystems.

About this task

JWT security is an alternative to using mTLS to secure inter-subsystem communication. For more information on JWT security and when to use it, see: Enable JWT security instead of mTLS.

If you disable mTLS then you must enable JWT.
Note: It is not possible to use JWT on the V5 compatible gateway to analytics message flow. This flow is secured by mTLS, which cannot be disabled.

Procedure

  1. Describe the management CR to get the JWKS URL:
    oc describe mgmt
    
    Status:
      Endpoints:
        - name: jwksUrl
          secretName: api-endpoint
          type: API
          uri: https://api.apic.acme.com/api/cloud/oauth2/certs
  2. For each portal, gateway, and analytics subsystem where you want to use JWT security, update that subsystem's CR: set spec.mtlsValidateClient to false and set spec.jwksUrl to the JWKS URL you identified in step 1.
    spec:
    ...
      mtlsValidateClient: false
      jwksUrl: <JWKS URL>
    Note: If you are using the OpenShift® top-level CR deployment, edit your APIConnectCluster CR instead. Make the updates in the appropriate spec.<subsystem name> section.
  3. Enable JWT on the gateway to analytics communications flow. Enable the Use JWT switch for the registered gateway in the Topology page of the Cloud Manager UI.
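The following script is an added example, not part of the IBM API Connect documentation: it extracts the jwksUrl endpoint from a constructed copy of the `oc describe mgmt` output (step 1) and builds the JSON merge patch for step 2, refusing to disable mTLS without a JWKS URL. The CR short names ptl/gw/a7s, the top-level section names gateway/portal/analytics, and the angle-bracket placeholders are assumptions, not values from the page.

```shell
# Added example, not from the IBM API Connect docs: finds the jwksUrl entry in
# `oc describe mgmt` output (step 1) and builds the step 2 patch. Assumed, not
# on the page: CR short names ptl/gw/a7s, sections gateway/portal/analytics.

# Constructed sample of the Status.Endpoints part of `oc describe mgmt`.
SAMPLE_DESCRIBE='Status:
  Endpoints:
    - name: platformApi
      secretName: api-endpoint
      type: API
      uri: https://api.apic.acme.com/api
    - name: jwksUrl
      secretName: api-endpoint
      type: API
      uri: https://api.apic.acme.com/api/cloud/oauth2/certs'

# Print the uri of the endpoint named jwksUrl; return 1 if there is none.
jwks_url_from_describe() {
  printf '%s\n' "$1" | awk '
    /- name:/      { want = ($3 == "jwksUrl") }
    want && /uri:/ { print $2; found = 1; exit }
    END            { exit found ? 0 : 1 }'
}

# JSON merge patch for one CR: fields at spec.* for an individual subsystem CR,
# or under spec.<section>.* when a section is given (top-level APIConnectCluster
# CR). Refuses an empty URL: with mtlsValidateClient false, JWT must be enabled.
build_patch() {  # build_patch <jwks-url> [<top-level section>]
  url=$1; section=$2
  if [ -z "$url" ]; then
    echo 'refusing: mtlsValidateClient=false requires a jwksUrl' >&2
    return 1
  fi
  fields="{\"mtlsValidateClient\":false,\"jwksUrl\":\"$url\"}"
  if [ -n "$section" ]; then
    printf '{"spec":{"%s":%s}}' "$section" "$fields"
  else
    printf '{"spec":%s}' "$fields"
  fi
}

# Step 2 for an individual-CR deployment: prints the oc patch commands for
# review; <...> are placeholders for your CR names and namespace.
step2_commands() {
  url=$(jwks_url_from_describe "$SAMPLE_DESCRIBE") || return 1
  for target in 'ptl/<portal-name>' 'gw/<gateway-name>' 'a7s/<analytics-name>'; do
    printf "oc patch %s -n <namespace> --type merge -p '%s'\n" \
      "$target" "$(build_patch "$url")"
  done
}
```

For a top-level deployment, call build_patch with the section name (for example `build_patch "$url" gateway`) and patch the APIConnectCluster CR once instead of each subsystem CR.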