Security

HTTP and JWT

  • security.json (doesn’t exist by default)
  • Environment parameters

security.json

{
    "LocalMode": false,
    "GodMode": true,
    "JwtSecret": "This gets overwritten by an ENV parameter",
    "JwtPublicKey": "The public key of JWT issuer if JwtUseCert = true",
    "JwtIssuer": "The Demo Wizzard",
    "JwtDuration": 60,
    "maxJwtDuration": 360,
    "JwtUseCert": false,
    "TLSFile": "null",
    "TLSPassword": "null",
    "PEMCert": "Path to PEM Cert file",
    "TLSType": "pfx",
    "cipher": {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": true,
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": true,
        "TLS_RSA_WITH_AES_256_GCM_SHA384": true
    },
    "enabledProtocols": {
        "TLSv1.3": false,
        "TLSv1.2": true
    },
    "removeInsecureProtocols": {
        "TLSv1": true,
        "TLSv1.1": true,
        "SSLv2Hello": true
    },
    "jwt": {
        "SomeQualifier1": {
            "active": false,
            "algorithm": "RS256",
            "key": "Somekey"
        },
        "SomeQualifier2": {
            "active": false,
            "algorithm": "ES512",
            "key": "Somekey"
        }
    },
    "jwtAlgorythms": [
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512"
    ]
}

Environment

Parameter names are case sensitive.

  • PORT : HTTP(S) port for the KEEP service
  • ADMINPORT : HTTP port for the Admin listener; it should not be reachable from outside
  • GodMode: true/false -> whether users defined in KeepConfig are recognized
  • JwtDuration: lifetime in minutes for tokens issued by the internal JWT provider (default 60 min)
  • JwtMaxDuration: maximum lifetime in minutes for which JWT tokens are accepted
  • DEBUG: true/false -> debug mode, produces more console output
  • PEMCert: path to the certificate file if your TLS material is in PEM format (e.g. LetsEncrypt)
  • TLSFile: TLS file containing the key, in jks, pem or pfx format
  • TLSPassword: password for the jks or pfx key file
  • shutdownkey: passphrase that must be posted to http://localhost:adminport/shutdown to shut down KEEP

Overwriting the values

All values can be overwritten by entries in the config.d directory. A file there must follow the same structure as the default file, but it only needs to contain the entries you want to change.
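As an added illustration (this is not KEEP's own loader), the following Python models the layering described on this page: the default security.json, partial fragments from config.d merged key by key, and case-sensitive environment parameters applied last. It assumes fragments are applied in sorted filename order, that a key absent from the default structure is an error, and that the environment wins over the file; all sample data is constructed.

```python
import json
from pathlib import Path

# Constructed sample: a trimmed copy of the default security.json shown above.
DEFAULT_SECURITY = {
    "GodMode": True,
    "JwtSecret": "This gets overwritten by an ENV parameter",
    "JwtDuration": 60,
    "maxJwtDuration": 360,
    "enabledProtocols": {"TLSv1.3": False, "TLSv1.2": True},
    "removeInsecureProtocols": {"TLSv1": True, "TLSv1.1": True, "SSLv2Hello": True},
}

# Environment parameters that overwrite security.json values; names are case sensitive.
ENV_OVERRIDES = {"JwtSecret": str, "JwtDuration": int}


def deep_merge(base: dict, override: dict, path: str = "") -> dict:
    """Overlay one config.d fragment onto a copy of `base`. Nested objects are merged
    key by key, so a fragment only needs the entries it changes. A key that is not in
    the default structure is rejected (assumed strictness, not documented behaviour)."""
    merged = dict(base)
    for key, value in override.items():
        full = f"{path}{key}"
        if key not in base:
            raise KeyError(f"{full}: not part of the default security.json structure")
        if isinstance(base[key], dict) != isinstance(value, dict):
            raise TypeError(f"{full}: fragment and default must have the same shape")
        merged[key] = deep_merge(base[key], value, full + ".") if isinstance(value, dict) else value
    return merged


def read_config_d(config_dir: Path) -> list[dict]:
    """Read every *.json fragment from config.d in sorted name order (assumed order)."""
    return [json.loads(p.read_text()) for p in sorted(config_dir.glob("*.json"))]


def effective_config(default: dict, fragments: list[dict], env: dict[str, str]) -> dict:
    """Precedence: default file < config.d fragments (in order) < environment parameters."""
    cfg = dict(default)
    for fragment in fragments:
        cfg = deep_merge(cfg, fragment)
    for name, cast in ENV_OVERRIDES.items():
        if name in env:  # exact match only: a lower-case "jwtduration" is ignored
            cfg[name] = cast(env[name])
    return cfg


if __name__ == "__main__":
    # Constructed fragment: enable TLS 1.3 and shorten the token lifetime, nothing else.
    fragment = {"enabledProtocols": {"TLSv1.3": True}, "JwtDuration": 30}
    print(json.dumps(effective_config(DEFAULT_SECURITY, [fragment], {"JwtSecret": "from-env"}), indent=2))
```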