Setting up Liberator to work with KeyMaster

This page describes how to configure Liberator to work with KeyMaster.

Contents:

Requirements
Configuring Liberator

Requirements

To configure Liberator to accept KeyMaster authentication tokens, you require the following:

A Liberator auth module that supports KeyMaster tokens. Caplin examples include PermissioningService and TokenPermissioning.
The public key of the KeyMaster servlet that issues authentication tokens to users. For more information on deploying the KeyMaster servlet, see Deploying KeyMaster

Configuring Liberator

On all hosts where Liberator is deployed, follow the steps below:

Copy KeyMaster’s DER public key to the Deployment Framework’s global_config/ssl directory.
Activate a Liberator auth module that supports KeyMaster authentication tokens (for example, PermissioningService or TokenPermissioning):
```
$ ./dfw deactivate OpenPermissioning
$ ./dfw activate PermissioningService
```

In the Deployment Framework configuration override file for the auth module, add a add-sigkey block if it is not already present:

Example (from global_config/overrides/PermissioningService/Liberator/etc/rttpd.conf)

add-sigkey
   key-id               Caplin
   timeout              600 (1)
   keyfile              "${SSLCERT_PATH}/keymaster_public.der" (2)
   hashing-algorithm    sha256
end-sigkey

1	The `timeout` option has been set to 600 seconds. Liberator will reject attempts to login with tokens older than 600 seconds (10 minutes).
2	The `keyfile` option specifies the path to KeyMaster’s public key. The default value of the configuration variable `SSLCERT_PATH` is `global_config/ssl`.

See also: