Configuring API Gateway to use Trusted Issuers
Pre-requisites:
You must have the Manage security configurations functional privilege assigned to perform this task.
As an alternative to having API Gateway issue JSON Web Tokens (JWTs), you can use a third-party identity provider to issue JWTs. To authenticate an application using a JWT issued by a third-party provider, you must configure that provider as a trusted JWT issuer of API Gateway. This allows API Gateway to also accept and process JWTs from third-party issuers.
Trusted JWT issuers are issuers whose public certificate is used for JWT verification.
API Gateway performs the JWT verification in one of the following ways:
* Using the JWKS URI of the issuer.
* Using the trusted issuer's certificate stored in the API Gateway truststore.
API Gateway maintains a list of trusted issuers. Using API Gateway you can add trusted issuers. You can also edit or delete an existing trusted issuer.
To configure API Gateway to use a trusted JWT issuer:
1. Select Username > Administration.
2. Select Security > JWT.
3. Click Add issuer.
4. In the Configure issuer section, provide the following information:
| Field | Description |
| --- | --- |
| Issuer | Mandatory. Name of the JWT issuer. Note: The Issuer name is case-sensitive. |
| Description | A description for the issuer. |
| JWKS URI | Endpoint URI of the JSON Web Key Set (JWKS) through which API Gateway fetches the JSON Web Key (JWK) to verify and validate the signature of the JWT. API Gateway fetches a JWK whenever the API Gateway instance is started or the JWKS URI field is updated. Note: If you do not specify a value for this field, you must specify values for the Truststore alias and Certificate alias fields. |
| Truststore alias | Alias of the truststore that contains the certificates of the signing authorities associated with the issuer. The truststore alias can be used to verify the signature of a JWT when the JSON Web Key endpoint is not specified. The Truststore alias field contains a list of the public certificates that are trusted by API Gateway. |
| Certificate alias | Alias of the certificate associated with the truststore alias. The Certificate alias field contains a list of the available certificate aliases in the selected truststore. |
| Audience | The intended recipient of the JWT. An aud (audience) claim in the JWT identifies the recipient that the token is intended for. The value you specify in the Audience field must match the aud claim present in the incoming JWT. You can specify one or more values for the Audience field. The application that receives a JWT verifies the audience value in the incoming token for an exact match with any one of the configured audience values. |
5. Click Save.
The newly added trusted issuer is listed in a table.
You can edit the issuer as required. You can delete the issuer by clicking the icon.
Note: JWT trusted issuers configured in Integration Server prior to version 10.2 are migrated to API Gateway's External JWT configuration.
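The field rules described above can be checked offline when troubleshooting why a token is not accepted. The following Python sketch is an added example, not API Gateway code: the function names, the entry layout and the sample issuer and audience values are hypothetical, and the handling of an array-valued aud claim and the requirement that an entry has at least one audience configured are assumptions. It reads claims without verifying the signature, which API Gateway does separately with the key from the JWKS URI or the truststore.

```python
import base64
import json

# Constructed trusted-issuer entry mirroring the fields in the table above.
# All values are hypothetical placeholders, not API Gateway defaults.
TRUSTED_ISSUERS = [
    {"issuer": "https://idp.example.com", "jwks_uri": "https://idp.example.com/jwks",
     "truststore_alias": None, "certificate_alias": None,
     "audience": ["orders-api", "billing-api"]},
]

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def config_errors(entry):
    """Check an entry against the field rules stated on this page."""
    errors = []
    if not entry.get("issuer"):
        errors.append("Issuer is mandatory")
    if not entry.get("jwks_uri") and not (
            entry.get("truststore_alias") and entry.get("certificate_alias")):
        errors.append("set JWKS URI, or both Truststore alias and Certificate alias")
    return errors

def claim_mismatches(token, issuers=TRUSTED_ISSUERS):
    """Return reasons the token's iss/aud claims match no configured entry.
    Claims are read WITHOUT verifying the signature: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    claims = _b64url_json(parts[1])
    entry = next((e for e in issuers if e["issuer"] == claims.get("iss")), None)
    if entry is None:  # == on str is case-sensitive, like the Issuer field
        return ["iss %r is not a trusted issuer (name is case-sensitive)" % claims.get("iss")]
    aud = claims.get("aud")
    token_auds = [aud] if isinstance(aud, str) else list(aud or [])
    # Exact string match against any one configured audience value.
    if not any(a in entry["audience"] for a in token_auds):
        return ["aud %r matches none of %r" % (aud, entry["audience"])]
    return []

def make_unsigned_token(claims):
    """Build a constructed sample token with a dummy signature segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])
```

An empty list from `claim_mismatches` only means the iss and aud claims line up with a configured entry; the token is still rejected if its signature does not verify.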

Copyright © 2015-2018 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.