Early Access
Bugs expected

Securing KEEP endpoints

KEEP uses three endpoints:

Keep Endpoints

Only one of them must be reachable by users (humans or servers). Configure your firewall accordingly and consider placing a proxy in front of it.

To deploy KEEP securely and efficiently into a production environment, you must understand how KEEP configuration works. See the configuration section for a deeper dive.

The KEEP configuration includes the KEEP binary directory, config.d, and environment variables.

The call hierarchy

Examples of the default security settings are in security.json, and the default configuration settings are in config.json. Whenever you perform a new KEEP install, these two files and the projectkeep.jar file are overwritten.

We recommend that you keep your configuration changes in the config.d directory so that they persist when you reinstall or update your KEEP version.

Areas of security to assess and implement

  • Which ports to open and close:

    • You must secure the admin port (8889) and the metrics port (8890) from the outside world.
  • How to handle HTTPS (via proxy or let KEEP handle it):

    • For configuring HTTPS via proxy, see the example under HTTPS via Proxy.
    • KEEP supports three different types of certificates: PEM, JKS, and PKS.
  • How to handle JWT authentication token:

    • Single server built-in, where each server issues and uses its own JWT token.
    • Multi-server built-in, where all servers in a multi-server environment accept the same JWT token.
    • External identity provider, for example Active Directory or Keycloak.
  • KEEP can access encrypted resources when Domino's ID vault is deployed and the KEEP SAML configuration is set up correctly.

    • Details of how to do this are still being worked out. This page will be updated as soon as a solution is available.
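As an added example (not part of the KEEP documentation), the following POSIX shell check audits which local addresses the admin (8889) and metrics (8890) listeners named above are bound to, so you can confirm that anything not on loopback is actually covered by your firewall or proxy rules. The `ss -ltnH` output it parses is a constructed sample; in practice pipe the real command into the function.

```shell
#!/bin/sh
# Added example: report KEEP admin/metrics ports bound to non-loopback addresses.
# Input format is that of `ss -ltnH` (no header): State Recv-Q Send-Q Local Peer [Process]

# Constructed sample output: a proxy on 443, admin port on loopback only,
# metrics port on all IPv6 interfaces (the one that should be flagged).
SAMPLE_SS_OUTPUT='LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8889 0.0.0.0:*
LISTEN 0 4096 [::]:8890 [::]:*'

# keep_exposed_ports: read `ss -ltnH` lines on stdin; print "<port> bound to <addr>"
# for every KEEP admin (8889) or metrics (8890) listener that is not loopback-only.
keep_exposed_ports() {
  awk '
    {
      laddr = $4
      # Split off the port: works for "a.b.c.d:port", "[::]:port" and "*:port".
      n = split(laddr, parts, ":")
      port = parts[n]
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      if (port != "8889" && port != "8890") next
      if (addr == "127.0.0.1" || addr == "[::1]" || addr == "localhost") next
      print port " bound to " addr
    }'
}

# Stand-alone run against the constructed sample; replace with: ss -ltnH | keep_exposed_ports
printf '%s\n' "$SAMPLE_SS_OUTPUT" | keep_exposed_ports
```

An empty result means both ports are reachable only from the host itself; any line printed names a port that must be blocked at the firewall before the server faces users.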