security.json

HTTP and JWT

  • security.json (doesn't exist by default)
  • Environment parameters

security.json

Here is a JSON representation of the resource:

{
  "LocalMode": false,
  "JwtSecret": "This gets overwritten by an ENV parameter",
  "JwtPublicKey": "The public key of JWT issuer if JwtUseCert = true",
  "JwtIssuer": "The Demo Wizzard",
  "JwtDuration": 60,
  "maxJwtDuration": 360,
  "JwtUseCert": false,
  "TLSFile": "null",
  "TLSPassword": "null",
  "PEMCert": "Path to PEM Cert file",
  "TLSType": "pfx",
  "cipher": {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": true,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": true,
    "TLS_RSA_WITH_AES_256_GCM_SHA384": true
  },
  "enabledProtocols": {
    "TLSv1.3": false,
    "TLSv1.2": true
  },
  "removeInsecureProtocols": {
    "TLSv1": true,
    "TLSv1.1": true,
    "SSLv2Hello": true
  },
  "jwt": {
    "SomeQualifier1": {
      "active": false,
      "algorithm": "RS256",
      "key": "Somekey"
    },
    "SomeQualifier2": {
      "active": false,
      "algorithm": "ES512",
      "key": "Somekey"
    }
  }
}

Properties

These properties are case-sensitive.

| Property | Type | Description |
| --- | --- | --- |
| ADMINPORT | int (0 to 65353) | HTTP port for the Admin listener; should not be reachable from outside. |
| cipher | Boolean | Parameter for TLS ciphers and whether or not they are allowed. |
| CORS | String | Parameter for sites or sub-sites from which CORS requests will be accepted. |
| DEBUG | Boolean | Set to true if debug level logging is enabled. Creates more console output. |
| DisableEventBusSocket | Boolean | When true, disables the websocket interface that allows for watching the eventBus. |
| disableDominoLogin | Boolean (default false) | When true, Domino does not issue JWT tokens in exchange for user credentials. Authentication then requires a configured external JWT provider. |
| disableJwtExpiryCheck | Boolean | When true, disables checks against expired JWT tokens. Good for testing. Do not use in production. Defaults to false. |
| enabledProtocols | Boolean | Parameter for TLS protocols and whether they are enabled. There are problems using TLSv1.3 with Java8. |
| jwt | jwtParameters | Parameter for JWT providers. Algorithm format to be used (e.g. "RS256") and key or keyfile. |
| JwtIssuer | String | Parameter for the issuer name for the JWT tokens generated by Domino REST API. |
| JwtDuration | int | Lifetime in minutes for the internal JWT provider; default 60min. |
| JwtMaxDuration | int | Maximum lifetime in minutes for which JWT tokens are accepted. |
| JwtPublicKey | String | The public key of the JWT issuer. |
| LocalMode | Boolean | Set to true to use "localhost" as the server name. |
| TLSFile | String | Parameter for the TLS file with key for jks, pem or pfx. This value is hashed out (masked) in the "/config" endpoint. |
| TLSPassword | String | Parameter for the password for the jks or pfx key file. This value is hashed out (masked) in the "/config" endpoint. |
| TLSType | String | Parameter for the format of the TLSFile: "jks", "pem" or "pfx". |
| PEMCert | String | If your TLS material is in PEM format (e.g. LetsEncrypt), path to the certificate file. |
| PORT | int (0 to 65353) | HTTP(S) port for the Domino REST API service. |
| removeInsecureProtocols | Boolean | Whether insecure protocols should be removed. |

jwt Parameters

Here is a JSON representation of the resource:

{
  "jwt": {
    "SomeQualifier1": {
      "active": false,
      "algorithm": "RS256",
      "key": "Somekey"
    }
  }
}

The jwt (in lowercase) parameters include one or more named entries, each containing a set of these properties:

| Property | Type | Description |
| --- | --- | --- |
| active | Boolean | (Required) true if this jwt qualifier is active. |
| providerUrl | String | Base URL of an OIDC-compatible provider or the URL to a .well-known/openid-configuration endpoint. |
| algorithm | String | JWT algorithm. |
| key | String | JWT key. |
| keyFile | String | Path relative to keepconfig.d to a file containing the PEM-format JWT public key. |
| iss | String | The expected issuer URL for incoming JWTs. |
| kid | String | The expected "kid" value for incoming JWTs. |
| userIdentifier | String | The property in the JWT payload containing the user's distinguished name, if not "sub" or "CN". This may be a property name or a JSON Pointer. |
| userIdentifierInLdapFormat | Boolean | true if the value in the user identifier property is expected to be in LDAP format (e.g. "cn=Joe Schmoe,o=Org"); false if it is in Domino format. |

An accepted JWT can be configured either by specifying the "providerUrl" property or by specifying "algorithm", "iss", "kid", and one of "key" or "keyFile".

Overwriting the values

All values can be overwritten by entries in the config.d directory. The structure needs to be the same as in the default file, but it only needs to contain the entries you want to change.
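As an added example (not part of the Domino REST API documentation or code), the script below shows what an override fragment in config.d looks like, applies it to a trimmed copy of the default security.json, and then lints the effective configuration. Two things in it are assumptions rather than documented behaviour: that the overlay is a recursive key-wise merge (nested objects merge, scalar values replace), and the lint rules themselves, which simply encode the warnings on this page (disableJwtExpiryCheck only for testing, insecure protocols should be removed) and the rule that an accepted JWT qualifier needs either providerUrl or algorithm, iss, kid and one of key/keyFile. The qualifier name corp-oidc, the URLs and the kid value are constructed sample data.

```python
"""Overlay a config.d fragment on the default security.json and lint the result.

The recursive merge rule and the lint checks are this example's assumptions
about the documented behaviour, not Domino REST API's own implementation.
"""
import copy
import json

# Constructed default, trimmed to the keys the checks below look at.
DEFAULT_SECURITY_JSON = json.loads("""
{
  "LocalMode": false,
  "JwtIssuer": "The Demo Wizzard",
  "JwtDuration": 60,
  "disableJwtExpiryCheck": false,
  "enabledProtocols": {"TLSv1.3": false, "TLSv1.2": true},
  "removeInsecureProtocols": {"TLSv1": true, "TLSv1.1": true, "SSLv2Hello": true},
  "jwt": {
    "SomeQualifier1": {"active": false, "algorithm": "RS256", "key": "Somekey"}
  }
}
""")

# Constructed config.d fragment: same shape as the default, only the entries to change.
# The qualifier name "corp-oidc" and both URLs are sample values.
OVERRIDE_FRAGMENT = json.loads("""
{
  "disableJwtExpiryCheck": true,
  "removeInsecureProtocols": {"TLSv1": false},
  "jwt": {
    "SomeQualifier1": {"active": true, "iss": "https://issuer.example/", "kid": "key-1"},
    "corp-oidc": {"active": true,
                  "providerUrl": "https://idp.example/.well-known/openid-configuration"}
  }
}
""")


def overlay(base, fragment):
    """Assumed merge rule: nested objects merge key-wise, any other value replaces.

    Returns a new dict; neither argument is modified."""
    merged = copy.deepcopy(base)
    for key, value in fragment.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = overlay(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def jwt_entry_problems(name, entry):
    """Check one jwt qualifier against the documented rule:
    providerUrl, or algorithm + iss + kid + exactly one of key/keyFile."""
    problems = []
    if not entry.get("active", False):
        return problems  # inactive qualifiers are never used, so they are not checked
    if "providerUrl" in entry:
        return problems  # OIDC discovery supplies issuer, keys and algorithm
    for required in ("algorithm", "iss", "kid"):
        if required not in entry:
            problems.append(f"jwt.{name}: missing {required}")
    if ("key" in entry) == ("keyFile" in entry):
        problems.append(f"jwt.{name}: need exactly one of key or keyFile")
    return problems


def lint(config):
    """Return the findings a reviewer would raise before deploying this configuration."""
    findings = []
    if config.get("disableJwtExpiryCheck"):
        findings.append("disableJwtExpiryCheck is true: expired JWTs are accepted (testing only)")
    for proto, removed in config.get("removeInsecureProtocols", {}).items():
        if not removed:
            findings.append(f"removeInsecureProtocols.{proto} is false: insecure protocol left enabled")
    if not any(config.get("enabledProtocols", {}).values()):
        findings.append("enabledProtocols: no TLS protocol version is enabled")
    for name, entry in config.get("jwt", {}).items():
        findings.extend(jwt_entry_problems(name, entry))
    return findings


def effective_config():
    """The configuration Domino REST API would see after applying the override fragment."""
    return overlay(DEFAULT_SECURITY_JSON, OVERRIDE_FRAGMENT)


if __name__ == "__main__":
    cfg = effective_config()
    print(json.dumps(cfg, indent=2))
    for finding in lint(cfg):
        print("FINDING:", finding)
```

Run as a script it prints the merged configuration followed by two findings: the override switched on disableJwtExpiryCheck and re-enabled TLSv1, both of which are exactly the kind of change that is easy to miss when a fragment only lists the keys it touches. The two jwt qualifiers pass because SomeQualifier1 still inherits algorithm and key from the default while the fragment supplies iss and kid, and corp-oidc is configured through providerUrl.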