To protect the payload of the JSON Web Token (JWT), configure PAS for OpenEdge to encrypt the payloads using JSON Web Encryption (JWE).
Note: The OpenEdge Advanced Security add-on is required to use JWE tokens.
JWE uses asymmetric public key encryption to secure the payload. The PAS for OpenEdge Security Administrator must create the keystore containing a public key and private key pair. You must share the public key with the authentication server so that it can use the public key to encrypt the payload. When PAS for OpenEdge receives the encrypted payload, PAS for OpenEdge uses a corresponding private key to decrypt the payload.
The steps to configure payload encryption include the following:
  1. Create a keystore containing a public and private key pair.
  2. Provide the public key certificate to the authentication server to encrypt the message.
  3. Configure PAS for OpenEdge to locate the private key to decrypt the message.

For more information on asymmetric public key encryption, see Asymmetric public key cryptography.

Create a keystore containing a public and private key pair

This example uses the default keystore included with PAS for OpenEdge. Production systems must generate a secure keystore based on your company-specific certificates.

For more general information on creating a keystore, see Use the keytool utility.

Provide the public key certificate to the authentication provider to encrypt the message

To provide the certificate needed to encrypt the payload, you have two options:
  • Provide the URL of the keystore to the authentication server

  • Use the tools of the authentication server to locate the public key certificate

Provide the URL of the keystore to the authentication server

You can share a URL to the keystore containing the public key certificate for development and test systems. Configure PAS for OpenEdge to share the default URL:

publicKeys.keystore.path=${catalina.base}/ablapps/${oeabl.ablapp.name}/conf/${oeabl.ablapp.name}.p12
publicKeys.keystore.pwd=oeph0::76E5F6C162276768465F02E4D2D1DDCD
publicKeys.keystore.aliases=defaultkey
publicKeys.filter.url=/oauth2/keys

The authentication server uses the following URL to retrieve the keys:

http://hostname:port/oauth2/keys

Note: The hostname and port identify the machine and port of the PAS for OpenEdge instance.

Use the tools of the authentication server to locate the public key certificate

For production systems, it is more secure to limit access to the public key certificate by sharing it directly with the vendor. Typical steps include:
  1. Export the key certificate using the KEYTOOL utility.
    proenv>keytool -exportcert -keystore C:\OpenEdge\WRK\oepas1\ablapps\oepas1\conf\oepas1.p12 -storepass password -alias defaultkey -file myCertificate.crt
    Note: This example uses the default keystore, alias, and password.
  2. Locate the certificate using the API, user interface, or tools of the authentication server.

Configure PAS for OpenEdge to locate the private key to decrypt the message

To decrypt the payload, configure PAS for OpenEdge to use the keystore containing the private key by configuring the following:
  1. Set the related JWE properties in the relevant oeablSecurity.properties file.
     ## "jwe": JWT Encryption
     jwtToken.keystore.jwe.key.selector=pkcs12EncKeySelector
     jwtToken.keystore.jwe.path=keystorePath
     jwtToken.keystore.jwe.pwd=keystorePassword
     jwtToken.keystore.jwe.alias=keystoreAlias
     jwtToken.keystore.jwe.cache=true
    Note: The keystorePath, keystorePassword, and keystoreAlias are unique to your system.
    Table 1. JWE properties
    jwtToken.keystore.jwe.key.selector
      Identifies the key selector. The valid values are:
      • noJWEKeySelector
      • pkcs12EncKeySelector
    jwtToken.keystore.jwe.path
      Path to the local keystore with private keys. The default value is [ ].
    jwtToken.keystore.jwe.pwd
      Encrypted keystore password (in the same form as jwtToken.keystore.pwd) used to access the keystore defined by jwtToken.keystore.jwe.path. The default value is [ ].
    jwtToken.keystore.jwe.alias
      List of private key aliases in the JWE keystore. The default value is [ ].
    jwtToken.keystore.jwe.cache
      Defines whether to cache JWE private keys or extract them from the keystore every time. The default value is true.
    Note: This example uses a pkcs12EncKeySelector available with PingFederate.
  2. Save the file.
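As an added example (not Progress code) of checking the JWE block before saving the file, the following Python script parses the jwtToken.keystore.jwe.* properties and reports a selector outside the values in Table 1, an empty path or alias, and a password that is not in the encrypted oeph0:: form shown for publicKeys.keystore.pwd above. The keystore path and the clear-text "password" in the sample are constructed, and treating a value without the oeph0:: prefix as clear text is an assumption.

```python
import re

# Added example, not part of PAS for OpenEdge. Rules follow Table 1 above; the
# "oeph0::" prefix is the encrypted-password form shown for
# publicKeys.keystore.pwd (assumption: a value without it is clear text).
VALID_SELECTORS = {"noJWEKeySelector", "pkcs12EncKeySelector"}
ENCRYPTED_PWD = re.compile(r"^oeph0::[0-9A-Fa-f]+$")
PREFIX = "jwtToken.keystore.jwe."

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_jwe_config(text):
    """Return findings for the JWE block; an empty list means it looks sound."""
    props = parse_properties(text)
    selector = props.get(PREFIX + "key.selector", "")
    if selector not in VALID_SELECTORS:
        return [f"key.selector '{selector}' is not a valid selector"]
    if selector == "noJWEKeySelector":
        return ["key.selector is noJWEKeySelector: encrypted payloads are not decrypted"]
    findings = []  # remaining properties matter only for a keystore-backed selector
    if not props.get(PREFIX + "path"):
        findings.append("path is empty: no keystore holding the private key")
    if not props.get(PREFIX + "alias"):
        findings.append("alias is empty: no private key alias to select")
    if not ENCRYPTED_PWD.match(props.get(PREFIX + "pwd", "")):
        findings.append("pwd is empty or not in the encrypted oeph0:: form")
    return findings

# Constructed sample: a weak block (clear-text password, empty alias) and the
# same block corrected with the page's default alias and encrypted password.
WEAK = """## "jwe": JWT Encryption
jwtToken.keystore.jwe.key.selector=pkcs12EncKeySelector
jwtToken.keystore.jwe.path=C:/OpenEdge/WRK/oepas1/ablapps/oepas1/conf/oepas1.p12
jwtToken.keystore.jwe.pwd=password
jwtToken.keystore.jwe.alias=
"""
FIXED = WEAK.replace("pwd=password", "pwd=oeph0::76E5F6C162276768465F02E4D2D1DDCD")
FIXED = FIXED.replace("jwe.alias=", "jwe.alias=defaultkey")
```

Running check_jwe_config on WEAK reports the empty alias and the clear-text password; on FIXED it returns no findings.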