JWS Key Management, Configuration, and Rotation

Q: How does digiRunner store and manage the Private Key used for JWS signing?

(Keywords: JWS, Private Key, KeyStore, JKS, digiRunner Configuration, Token Signing)

A: digiRunner manages its JWS (JSON Web Signature) private key using a flexible, properties-based configuration system. The private key, which is used for both JWS signing and token generation, is secured within a KeyStore file (typically in JKS format).

This architecture allows administrators to configure or update keys via startup parameters without modifying any source code. You can define these settings in the digiRunner Token Keypair Setting section of your properties file using the following parameters:

  • digiRunner.token.key-store.path: The directory path containing the KeyStore file (Default: keys).

  • digiRunner.token.key-store.name: The specific filename of the KeyStore (Default: opendgr-token.jks).

  • digiRunner.token.key-store-password: The password required to access the KeyStore.

  • digiRunner.token.keyAlias: The alias for the specific private key inside the KeyStore (Default: opendgr-token).

  • digiRunner.token.keyStoreType: The format type of the KeyStore (Default: JKS).

Q: What is the process for rotating or updating the JWS Private Key?

(Keywords: Key Rotation, Update Private Key, KeyStore Update, Restart Instance)

A: To safely update or rotate the JWS private key, follow these three steps:

  1. Prepare the New KeyStore: Generate a new public/private key pair and save it into a new KeyStore file (e.g., new-token.jks).

  2. Update Properties: Place the new KeyStore file into the configured directory (e.g., keys/) and update the corresponding properties (filename, password, and alias) to match the new file.

  3. Restart digiRunner: Because these are startup-level configurations, you must restart the digiRunner instance for the new key settings to take effect.
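The following Java program is an added example, not digiRunner's own code, that ties the five digiRunner.token.* parameters from the first answer to the rotation procedure above. It opens the KeyStore exactly as those parameters describe, confirms that the alias resolves to a private-key entry whose certificate is still valid, and signs a sample JWS with it. Running it against new-token.jks before step 3 catches a wrong password, a mistyped alias, or an expired certificate before the restart does. Assumptions: the KeyStore file already exists (for example, produced with keytool), the key entry uses the same password as the store (the page exposes only one password property), the key is RSA and the JWS algorithm is RS256; the property values in main() are constructed for the example.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Properties;

/** Pre-restart check and sample signing for a digiRunner token KeyStore (illustrative, not digiRunner code). */
public class TokenKeyStoreCheck {

    /** Opens the KeyStore named by the digiRunner.token.* properties and returns the entry for keyAlias. */
    static KeyStore.PrivateKeyEntry loadEntry(Properties p) throws Exception {
        String path  = p.getProperty("digiRunner.token.key-store.path", "keys");
        String name  = p.getProperty("digiRunner.token.key-store.name", "opendgr-token.jks");
        String type  = p.getProperty("digiRunner.token.keyStoreType", "JKS");
        String alias = p.getProperty("digiRunner.token.keyAlias", "opendgr-token");
        char[] pw    = p.getProperty("digiRunner.token.key-store-password", "").toCharArray();

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(path, name))) {
            ks.load(in, pw);  // wrong password fails here, before any restart
        }
        // Assumption: the key entry is protected by the store password (only one password property exists).
        KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(pw));
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            throw new IllegalStateException("alias '" + alias + "' is not a private-key entry in " + name);
        }
        return (KeyStore.PrivateKeyEntry) entry;
    }

    /** Produces a compact JWS (header.payload.signature) with RS256; the algorithm is an assumption of this example. */
    static String signRs256(PrivateKey key, String payloadJson) throws Exception {
        if (!"RSA".equals(key.getAlgorithm())) {
            throw new IllegalStateException("RS256 needs an RSA key, found " + key.getAlgorithm());
        }
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String header  = b64.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = b64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + b64.encodeToString(sig.sign());
    }

    public static void main(String[] args) throws Exception {
        // Constructed values mirroring the digiRunner Token Keypair Setting section
        // for the rotated KeyStore; the password is a placeholder, not a real value.
        Properties p = new Properties();
        p.setProperty("digiRunner.token.key-store.path", "keys");
        p.setProperty("digiRunner.token.key-store.name", "new-token.jks");
        p.setProperty("digiRunner.token.key-store-password", "CHANGE-ME");
        p.setProperty("digiRunner.token.keyAlias", "opendgr-token");
        p.setProperty("digiRunner.token.keyStoreType", "JKS");

        KeyStore.PrivateKeyEntry entry = loadEntry(p);
        Certificate cert = entry.getCertificate();
        if (cert instanceof X509Certificate) {
            X509Certificate x509 = (X509Certificate) cert;
            x509.checkValidity();  // throws if the certificate is expired or not yet valid
            System.out.println("certificate valid until " + x509.getNotAfter());
        }
        System.out.println("key algorithm: " + entry.getPrivateKey().getAlgorithm());
        String jws = signRs256(entry.getPrivateKey(), "{\"sub\":\"demo\",\"iss\":\"digiRunner\"}");
        System.out.println("sample JWS: " + jws);
    }
}
```

A clean run prints the certificate expiry, the key algorithm and a sample token; any exception means the properties and the file do not agree and the restart in step 3 would fail to start the instance with the new key.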

Q: How can clients retrieve the Public Key for JWS signature verification?

(Keywords: Public Key, Signature Verification, JWS Validation, /ssotoken/enccert)

A: Clients require the corresponding public key to verify the authenticity of tokens or JWS signatures issued by digiRunner.

Client applications can retrieve the currently active public key dynamically by calling the /ssotoken/enccert API endpoint.

This endpoint returns the necessary public key information, ensuring that clients can reliably validate the signatures on responses received from the server.
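The client side of that exchange, as an added example that is not part of digiRunner or this page's code: a small verifier that fetches the public key from the /ssotoken/enccert endpoint, caches it, pins the expected algorithm before checking the signature, and refetches the key once when verification fails so that a key rotation on the server does not leave the client rejecting every token until it is restarted. Assumptions: the base URL is a placeholder, the endpoint answers a GET with either a PEM X.509 certificate or a Base64 DER public key (the page does not state the response format, so adjust parsePublicKey to what the server actually returns), and tokens are signed with RS256.

```java
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/** Rotation-aware JWS verifier for a digiRunner client (illustrative, not digiRunner code). */
public class JwsVerifierClient {
    private final HttpClient http = HttpClient.newHttpClient();
    private final URI certEndpoint;
    private volatile PublicKey cachedKey;

    JwsVerifierClient(String digiRunnerBaseUrl) {
        this.certEndpoint = URI.create(digiRunnerBaseUrl + "/ssotoken/enccert");
    }

    /** GETs the current public key from digiRunner. */
    PublicKey fetchPublicKey() throws Exception {
        HttpRequest req = HttpRequest.newBuilder(certEndpoint).GET().build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            throw new IllegalStateException("public key endpoint returned HTTP " + resp.statusCode());
        }
        return parsePublicKey(resp.body());
    }

    /** Assumed response formats: PEM certificate or Base64 DER SubjectPublicKeyInfo. */
    static PublicKey parsePublicKey(String body) throws Exception {
        String b64 = body.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        if (body.contains("CERTIFICATE")) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der));
            cert.checkValidity();  // reject a key whose certificate has already expired
            return cert.getPublicKey();
        }
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /** Verifies a compact JWS with RS256 only; the token is never allowed to choose the algorithm. */
    static boolean verifyRs256(String compactJws, PublicKey key) throws Exception {
        String[] parts = compactJws.split("\\.", -1);
        if (parts.length != 3) return false;
        Base64.Decoder b64 = Base64.getUrlDecoder();
        String header = new String(b64.decode(parts[0]), StandardCharsets.UTF_8);
        // Minimal header check for the example; production code should parse the JSON properly.
        if (!header.replace(" ", "").contains("\"alg\":\"RS256\"")) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(b64.decode(parts[2]));
    }

    /** Uses the cached key, and refetches it once if verification fails (the server may have rotated). */
    boolean verify(String compactJws) throws Exception {
        if (cachedKey == null) cachedKey = fetchPublicKey();
        if (verifyRs256(compactJws, cachedKey)) return true;
        cachedKey = fetchPublicKey();
        return verifyRs256(compactJws, cachedKey);
    }

    public static void main(String[] args) throws Exception {
        String baseUrl = args.length > 0 ? args[0] : "https://digirunner.example.invalid";  // placeholder
        String token   = args.length > 1 ? args[1] : "";
        boolean ok = new JwsVerifierClient(baseUrl).verify(token);
        System.out.println(ok ? "signature OK" : "signature INVALID");
    }
}
```

Two consequences of the rotation procedure follow from this code: tokens signed before the restart will not verify against the new public key, so clients must expect re-issued tokens after a rotation; and because every failed verification triggers at most one refetch, a flood of bad tokens cannot turn the endpoint into a hot loop, but a deployment with many clients should still rate-limit refetches.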
