KeyMaster configuration

These DataSource configuration items allow a DataSource application to work with KeyMaster.

Use these configuration items to set up Liberator, Transformer and C-based Integration Adapters so they can work with KeyMaster. KeyMaster is used to authenticate user logins to Liberator via a single sign-on facility. It can also be used to authenticate monitoring connections to Liberator, Transformer and C-based Integration Adapters.

KeyMaster can’t be used in Java-based DataSource applications, so these configuration items don’t apply to them.


add-sigkey specifies the properties of a signature key.

Use in: C


Syntax:

   add-sigkey
      key-id               [string]
      hashing-algorithm    [integer/string]
      keyfile              [string]
      timeout              [float]
   end-sigkey

The options for add-sigkey are:

hashing-algorithm

Type: integer or string

The algorithm to use for validating the digital signature in user credentials tokens provided by KeyMaster.

The hashing algorithms that DataSource applications can use are:

  • md5 or 0: MD5 algorithm
  • sha256 or 1: SHA256withRSA algorithm
  • sha384 or 2: SHA384 algorithm
  • sha512 or 3: SHA512 algorithm
  • sha1 or 4: SHA1 algorithm
  • ripemd160 or 5: RIPEMD160 algorithm

Pick the setting that corresponds to the algorithm used by your KeyMaster Signature Generator.

key-id

Type: string

A name identifying the signature key.

If you’re setting up KeyMaster for Liberator, and the Liberator is using the XMLauth authentication module, the key-id must correspond to a sigkey-id attribute in the XMLauth users.xml configuration file.

(For more about XMLauth, see Liberator user authentication and permissioning.)

keyfile

Type: string

The filename and path of the DER (binary) format public key file.

The directory path can contain the parameter %r, which is replaced at run time by the root directory under which this DataSource application runs.

timeout

Type: float

The length of time in seconds for which a user credentials token is valid.

This overrides the signature-validtime configuration item.

Example of add-sigkey:

   add-sigkey
      key-id               testkey
      keyfile              %r/etc/publickey.der
      hashing-algorithm    sha256
      timeout              300
   end-sigkey


signature-hashsize specifies the size in buckets of the hash table for storing signature keys.

Use this configuration item to tune the Liberator’s performance when authorizing users; set it to twice the number of user credentials tokens that are likely to be created within the configured timeout period (as defined by the configuration item signature-validtime and the timeout option of add-sigkey).

Use in: C

Syntax: signature-hashsize <hash-table-size-in-buckets>

Type: integer

Default value: 8192

Values accepted:

  • Minimum: 1024


signature-validtime specifies the length of time in seconds for which a user credentials token is valid. This value applies to any user credentials token for which no specific timeout is defined in the timeout option of an add-sigkey item.

Use in: C

Syntax: signature-validtime <time-in-seconds>

Type: float

Default value: 600.0 (= 10 minutes)
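
The following is an added example, not part of the product documentation: a small audit of the settings described on this page. It maps numeric hashing-algorithm codes to their names, flags MD5 and SHA-1 (digests with practical collision attacks), and resolves each key's effective token lifetime, with timeout overriding signature-validtime. It assumes one configuration item per line and add-sigkey blocks closed by end-sigkey; SAMPLE, parse and audit are illustrative names.

```python
# Index = numeric code from the hashing-algorithm table on this page.
ALGS = ["md5", "sha256", "sha384", "sha512", "sha1", "ripemd160"]
WEAK = {"md5", "sha1"}       # digests with practical collision attacks
DEFAULT_VALIDTIME = 600.0    # documented default of signature-validtime

# Constructed sample configuration (not from a real deployment).
SAMPLE = """\
signature-validtime 900
add-sigkey
   key-id               testkey
   keyfile              %r/etc/publickey.der
   hashing-algorithm    sha256
   timeout              300
end-sigkey
add-sigkey
   key-id               legacykey
   keyfile              %r/etc/legacy.der
   hashing-algorithm    4
end-sigkey
"""

def parse(text):
    """Return (global signature-validtime, list of add-sigkey option dicts)."""
    validtime, keys, cur = DEFAULT_VALIDTIME, [], None
    for parts in (l.split(None, 1) for l in text.splitlines() if l.strip()):
        name, value = parts[0], parts[1].strip() if len(parts) > 1 else ""
        if name == "add-sigkey":
            cur = {}                      # start collecting one key's options
        elif name == "end-sigkey" and cur is not None:
            keys.append(cur)
            cur = None
        elif cur is not None:
            cur[name] = value             # option inside an add-sigkey block
        elif name == "signature-validtime":
            validtime = float(value)      # global fallback lifetime
    return validtime, keys

def audit(text):
    """Resolve each key's algorithm name and effective token lifetime."""
    validtime, keys = parse(text)
    report = []
    for k in keys:
        raw = k.get("hashing-algorithm", "").lower()
        alg = ALGS[int(raw)] if raw.isdigit() and int(raw) < len(ALGS) else raw
        report.append({"key-id": k.get("key-id"), "algorithm": alg,
                       "weak": alg in WEAK,
                       "lifetime": float(k.get("timeout", validtime))})
    return report
```

Calling audit(SAMPLE) reports testkey as sha256 with a 300-second lifetime and legacykey as sha1 (flagged weak) with the global 900-second lifetime.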
