Setting up Liberator to work with KeyMaster

This page describes how to configure Liberator to work with KeyMaster.

Before you follow the steps below, ensure you have followed the steps in Installing KeyMaster.

Making the KeyMaster public key available to Liberator

Follow the steps below:

  1. Install KeyMaster on your Java web application server. See Installing KeyMaster or Installing KeyMaster pre-6.2.0.

    By default, KeyMaster is included in the WAR files of Caplin FX Suite web applications. If you have deployed KeyMaster as part of an FX Suite deployment, you can skip the servlet installation step in Installing KeyMaster or Installing KeyMaster pre-6.2.0.
  2. On all hosts where Liberator is deployed, follow the steps below:

    1. Copy KeyMaster’s DER public key to the Deployment Framework’s global_config/ssl directory.

      If you copy the DER public key using FTP, make sure you use binary mode, because the DER file contains binary data.
    2. Activate a Liberator auth module designed to work with KeyMaster (PermissioningService, XMLPermissioning, or TokenPermissioning):

      $ ./dfw deactivate OpenPermissioning
      $ ./dfw activate PermissioningService
    3. In the Deployment Framework configuration override file for the auth module that you activated above, add a add-sigkey block if it is not already present:

      Example (from global_config/overrides/PermissioningService/Liberator/etc/rttpd.conf)
         key-id               Caplin
         timeout              600 (1)
         keyfile              "${SSLCERT_PATH}/keymaster_public.der" (2)
         hashing-algorithm    sha256
      1 The timeout value has been set to 600 seconds. Liberator will reject attempts to login with tokens older than 600 seconds (10 minutes).
      2 The keyfile option specifies the path to KeyMaster’s public key. By default, the configuration variable SSLCERT_PATH has the value global_config/ssl.


The Caplin Permissioning Integration API provides classes and interfaces that allow you to create Permissioning Adapter. Further information can be found in the Permissioning documentation here.

You need to be licensed to use the auth modules

The auth modules in the Liberator license file are as follows:

  • module openauth auth

  • module javaauth auth

Configure Java Auth Module

If you’re using Caplin Trader, you’ve most likely implemented the user authentication with the javaauth API (see the JavaAuth API documentation)

It is possible to write your own java auth module; however, this is rarely done. It is likely however that you would write a permissioning adapter. To create a Permissioning Adapter, you write and compile a Java application that uses the Caplin Permissioning Integration API. Details of how to do this are here.

See also: