Lab 10 - Configure JWT

By default, the Domino REST API uses a random symmetric JWT signing key that’s changed each time the API service restarts. This approach works fine for testing and single-server use. However, it's not suitable for multi-server operation or for IdP use.

What you will learn

  • How Domino REST API configuration works.
  • Which additional endpoints exist besides port 8880.
  • How to use the Management console.

Before you begin

Your Domino server must be running.

Procedure

  1. Access http://localhost:8889.

    Management console

  2. Enter a name in the Certificate Name field, and click Create IdP Certificate.

    Note

    The entered name should have no spaces or special characters.

  3. Restart Domino REST API.

How to verify

  • Check the keepconfig.d directory. You should see new files matching the entered certificate name.

    For example, if you entered KeepLabIdP as your certificate name, you should see the following files in keepconfig.d:

    • KeepLabIdP.json
    • KeepLabIdP.cert.pem
    • KeepLabIdP.private.key.pem
    • KeepLabIdP.public.key.pem
  • After restarting Domino REST API, the JWT provider changes. For more information, see Log in to the REST API.

When you copy these files to another server, the JWT issued by the first server will be recognized and accepted by the second server as well. This extends to the Domino HTTP task if the core Domino is configured for JWT.
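As an added example (not part of the lab or of Domino REST API itself), the following Python script checks one server's keepconfig.d for the four files listed above and compares them by SHA-256 with the copy on a second server. The private-key permission check is an added assumption based on POSIX file modes, and the directories and file contents in `demo()` are constructed placeholders.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Suffixes the lab lists for a certificate named <name> in keepconfig.d.
SUFFIXES = (".json", ".cert.pem", ".private.key.pem", ".public.key.pem")


def check_idp_files(config_dir, name):
    """Return problems with one server's IdP files: missing or exposed key."""
    problems = []
    for suffix in SUFFIXES:
        path = Path(config_dir) / (name + suffix)
        if not path.is_file():
            problems.append(f"missing: {path.name}")
        elif suffix == ".private.key.pem" and stat.S_IMODE(path.stat().st_mode) & 0o077:
            # Assumption (POSIX mode bits only): group/other can access the signing key.
            problems.append(f"too permissive: {path.name}")
    return problems


def mismatched(dir_a, dir_b, name):
    """Names of files that are absent or differ between two servers' copies."""
    def digest(directory, suffix):
        path = Path(directory) / (name + suffix)
        return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None

    return [name + s for s in SUFFIXES
            if digest(dir_a, s) is None or digest(dir_a, s) != digest(dir_b, s)]


def demo():
    """Constructed sample: server B got an incomplete, loosely protected copy."""
    root = Path(tempfile.mkdtemp())
    a, b = root / "serverA", root / "serverB"
    for d in (a, b):
        d.mkdir()
    for s in SUFFIXES:
        (a / ("KeepLabIdP" + s)).write_text("constructed placeholder " + s)
    (a / "KeepLabIdP.private.key.pem").chmod(0o600)
    # Server B: private key copied with open permissions, other files forgotten.
    (b / "KeepLabIdP.private.key.pem").write_text("constructed placeholder .private.key.pem")
    (b / "KeepLabIdP.private.key.pem").chmod(0o644)
    return check_idp_files(a, "KeepLabIdP"), check_idp_files(b, "KeepLabIdP"), mismatched(a, b, "KeepLabIdP")


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To use it on real servers, call `check_idp_files` and `mismatched` with the actual keepconfig.d paths and the certificate name you entered in the Management console.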

Check http://localhost:8880/.well-known/openid-configuration.

OpenID config

Things to explore

Next step

Proceed to Lab 11 - Domino REST API Configuration.