# Security

## HTTP and JWT

- security.json (doesn't exist by default)
- Environment parameters

## security.json
Here is a JSON representation of the resource:
```json
{
  "LocalMode": false,
  "GodMode": true,
  "JwtSecret": "This gets overwritten by an ENV parameter",
  "JwtPublicKey": "The public key of JWT issuer if JwtUseCert = true",
  "JwtIssuer": "The Demo Wizzard",
  "JwtDuration": 60,
  "maxJwtDuration": 360,
  "JwtUseCert": false,
  "TLSFile": "null",
  "TLSPassword": "null",
  "PEMCert": "Path to PEM Cert file",
  "TLSType": "pfx",
  "cipher": {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": true,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": true,
    "TLS_RSA_WITH_AES_256_GCM_SHA384": true
  },
  "enabledProtocols": {
    "TLSv1.3": false,
    "TLSv1.2": true
  },
  "removeInsecureProtocols": {
    "TLSv1": true,
    "TLSv1.1": true,
    "SSLv2Hello": true
  },
  "jwt": {
    "SomeQualifier1": {
      "active": false,
      "algorithm": "RS256",
      "key": "Somekey"
    },
    "SomeQualifier2": {
      "active": false,
      "algorithm": "ES512",
      "key": "Somekey"
    }
  }
}
```
## Properties
These properties are case-sensitive.
Property | Type | Description |
---|---|---|
ADMINPORT | int (0 to 65353) | HTTP Port for the Admin listener, should not be reachable from outside. |
cipher | Boolean | Parameter for TLS ciphers and whether or not they are allowed. |
CORS | String | Parameter for sites or sub-sites from which CORS requests will be accepted. |
DEBUG | Boolean | Set to true to enable debug level logging. Creates more console output. |
DisableEventBusSocket | Boolean | When true disables the websocket interface that allows for watching the eventBus. |
disableDominoLogin | Boolean | (default false) When true, Domino does not issue JWT tokens in exchange for user credentials. Authentication then requires a configured external JWT provider. |
disableJwtExpiryCheck | Boolean | When true disables checks against expired JWT tokens. Good for testing. Do not use in production. Defaults to false. |
enabledProtocols | Boolean | Parameter for TLS protocols and whether they are enabled. There are problems using TLSv1.3 with Java8. |
GodMode | Boolean | true to allow Local Users defined in the KeepConfig database. |
jwt | jwtParameters | Parameter for JWT providers. Algorithm format to be used (e.g. “RS256”) and key or keyfile. |
JwtIssuer | String | Parameter for the issuer name for the JWT tokens generated by KEEP. |
JwtDuration | int | Lifetime in minutes for the internal JWT provider - default 60min. |
JwtMaxDuration | int | Maximum lifetime in minutes JWT tokens are accepted. |
JwtPublicKey | String | TODO |
LocalMode | Boolean | true to use “localhost” as the server name. |
TLSFile | String | Parameter for TLS file with key for jks, pem or pfx. This is hashed out in the “/config” endpoint. |
TLSPassword | String | Parameter for password for jks and pfx key file. This is hashed out in the “/config” endpoint. |
TLSType | String | Parameter for format for the TLSFile - “jks”, “pem” or “pfx”. |
PEMCert | String | If your TLS is PEM format (e.g. LetsEncrypt) path to certificate file. |
PORT | int (0 to 65353) | HTTP(S) port for the KEEP service. |
removeInsecureProtocols | Boolean | Whether insecure protocols should be removed. |
## jwt Parameters
Here is a JSON representation of the resource:
```json
{
  "jwt": {
    "SomeQualifier1": {
      "active": false,
      "algorithm": "RS256",
      "key": "Somekey"
    }
  }
}
```
The jwt (in lowercase) parameters include one or more named entries with three properties:
Property | Type | Description |
---|---|---|
active | Boolean | true if this jwt qualifier is active |
algorithm | String | JWT algorithm |
key | String | JWT key |
## Remarks

### Overwriting the values

All values can be overwritten by entries in the config.d directory. The structure needs to be the same as in the default file, but only needs the entries you want to change.
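As an added example (not part of KEEP itself), the script below applies a config.d-style fragment over a constructed security.json in the shape shown above, nested object by nested object, and then lists the settings in the effective configuration that a reviewer would question before production: GodMode, disableJwtExpiryCheck, insecure protocols left in place, and enabled ciphers without forward secrecy. The sample documents and the checks are assumptions for illustration; KEEP's own merge and validation logic is not shown on this page.

```python
import json

# Constructed sample in the shape of the security.json shown above (not the real file).
DEFAULT_SECURITY = json.loads("""{
  "GodMode": true,
  "disableJwtExpiryCheck": false,
  "removeInsecureProtocols": {"TLSv1": true, "TLSv1.1": true, "SSLv2Hello": true},
  "cipher": {"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": true,
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": true,
             "TLS_RSA_WITH_AES_256_GCM_SHA384": true},
  "jwt": {"SomeQualifier1": {"active": false, "algorithm": "RS256", "key": "Somekey"}}
}""")

# Constructed config.d fragment: same structure, only the entries being changed.
OVERRIDE_FRAGMENT = json.loads("""{
  "GodMode": false,
  "removeInsecureProtocols": {"TLSv1.1": false},
  "jwt": {"SomeQualifier1": {"active": true}}
}""")


def merge(base: dict, override: dict) -> dict:
    """Copy of base with override applied; nested objects merge recursively, so a
    fragment only needs the keys it changes (as described for config.d above)."""
    out = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], value)
        else:
            out[key] = value
    return out


def lint(cfg: dict) -> list:
    """Settings in an effective config that a reviewer would question in production."""
    findings = []
    if cfg.get("GodMode"):
        findings.append("GodMode is true: local users from KeepConfig can authenticate")
    if cfg.get("disableJwtExpiryCheck"):
        findings.append("disableJwtExpiryCheck is true: expired JWTs are accepted")
    for proto, removed in cfg.get("removeInsecureProtocols", {}).items():
        if not removed:
            findings.append(f"insecure protocol {proto} is not removed")
    for suite, enabled in cfg.get("cipher", {}).items():
        # Static-RSA suites have no forward secrecy; only ECDHE suites pass.
        if enabled and not suite.startswith("TLS_ECDHE_"):
            findings.append(f"enabled cipher {suite} lacks forward secrecy")
    return findings
```

Running `lint(merge(DEFAULT_SECURITY, OVERRIDE_FRAGMENT))` reports the re-enabled TLSv1.1 and the static-RSA cipher, while the GodMode finding disappears because the fragment turned it off.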
[TODO] ADD DETAILS ABOUT-
- HTTPS
- Authentication & JWT
- CORS
- Proxy Configuration