Overview
In Apache Knox v1.6.0 the team added two new UIs that are directly accessible from the Knox Home page:
- Token Generation
- Token Management
By default, the homepage topology comes with the KNOXTOKEN service enabled with the following attributes:
- token TTL is set to 7 days
- token service is enabled (default to keystore-based token state service)
- the admin user is allowed to renew/revoke tokens
In the homepage topology, two new applications were added in order to display the above-listed UIs:
- tokengen: this is an old-style JSP UI with relatively simple JS code included. The source is located in the gateway-applications Maven sub-module.
- token-management: this is an Angular UI. The source is located in its own knox-token-management-ui Maven sub-module.
On the Knox Home page, you will see a new row in the General Proxy Information table.
However, the Integration Token links are disabled by default, because token integration requires a gateway-level alias, called knox.token.hash.key, to be created; without that alias, it does not make sense to show those links.
Creating the token hash key
As explained, if you would like to use Knox's token generation features, you will have to create a gateway-level alias with a 256, 384, or 512-bit length JWK. You can do this in at least two different ways:
- You generate your own key (using this online tool for instance) and save it as an alias using Knox CLI.
- You do it running the following Knox CLI command:
generate-jwk --saveAlias knox.token.hash.key
The second option involves a newly created Knox CLI command called generate-jwk:
```
Generates a JSON Web Key using the supplied algorithm name and prints the generated key value on the screen.
As an alternative to displaying this possibly sensitive information on the screen you may want to save it as an alias.
Options are as follows:
--jwkAlg (optional) defines the name of the desired JSON Web Signature algorithm name; defaults to HS256. Other accepted values are HS384 and HS512
--saveAlias (optional) if this is set, the given alias name is used to save the generated JWK instead of printing it on the screen
--topology (optional) the name of the topology (aka. cluster) to be used when saving the JWK as an alias. If none specified, the alias is going to be saved for the Gateway
```
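For the first option, the key can also be generated on the gateway host itself and checked for length before it is stored. The shell functions below are an added example, not part of the Knox documentation or code base; the function names are hypothetical, `GATEWAY_HOME` is assumed to point at the Knox install, and the alias value is assumed to be the base64url-encoded key material (the `k` member of an octet JWK), so compare it with what generate-jwk prints on your version before relying on it.

```shell
#!/bin/sh
# Added example: create the HMAC key for knox.token.hash.key locally.
# Function names are hypothetical; the alias value format is an assumption.

# Print a random key of 256, 384 or 512 bits, base64url-encoded without padding.
gen_hash_key() {
  case "$1" in
    256|384|512) ;;
    *) echo "key length must be 256, 384 or 512 bits" >&2; return 1 ;;
  esac
  head -c $(( $1 / 8 )) /dev/urandom | base64 | tr -d '=\n' | tr '/+' '_-'
}

# Print the decoded length, in bits, of a base64url string.
key_bits() {
  k=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#k} % 4 )) in
    1) return 1 ;;            # never a valid base64 length
    2) k="$k==" ;;            # restore the padding stripped by base64url
    3) k="$k=" ;;
  esac
  n=$(printf '%s' "$k" | base64 -d 2>/dev/null | wc -c)
  echo $(( n * 8 ))
}

# Succeed only if the string decodes to one of the accepted key lengths.
is_valid_hash_key() {
  case "$(key_bits "$1")" in
    256|384|512) return 0 ;;
    *) return 1 ;;
  esac
}

# Save the key as the gateway-level alias (assumes GATEWAY_HOME is the Knox install).
# --value places the secret in the process arguments, so run this on the
# gateway host only and keep it out of shell history.
save_hash_key() {
  is_valid_hash_key "$1" || { echo "refusing to store a malformed key" >&2; return 1; }
  "$GATEWAY_HOME/bin/knoxcli.sh" create-alias knox.token.hash.key --value "$1"
}

# Typical use: save_hash_key "$(gen_hash_key 256)"
```

Running create-alias without `--value` makes Knox CLI prompt for the value instead, which keeps the key out of the process list.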
...