Setting up Liberator to work with KeyMaster

This page describes how to configure Liberator to work with KeyMaster.

Requirements

To configure Liberator to accept KeyMaster authentication tokens, you require the following:

  • A Liberator auth module that supports KeyMaster tokens. Caplin examples include PermissioningService and TokenPermissioning.

  • The public key of the KeyMaster servlet that issues authentication tokens to users. For more information on deploying the KeyMaster servlet, see Deploying KeyMaster.

Configuring Liberator

On all hosts where Liberator is deployed, follow the steps below:

  1. Copy KeyMaster’s DER public key to the Deployment Framework’s global_config/ssl directory.

  2. Activate a Liberator auth module that supports KeyMaster authentication tokens (for example, PermissioningService or TokenPermissioning):

    $ ./dfw deactivate OpenPermissioning
    $ ./dfw activate PermissioningService

  3. In the Deployment Framework configuration override file for the auth module, add an add-sigkey block if it is not already present:

    Example (from global_config/overrides/PermissioningService/Liberator/etc/rttpd.conf):

    add-sigkey
       key-id               Caplin
       timeout              600 (1)
       keyfile              "${SSLCERT_PATH}/keymaster_public.der" (2)
       hashing-algorithm    sha256
    end-sigkey

    (1) The timeout option is set to 600 seconds. Liberator rejects login attempts that use tokens older than 600 seconds (10 minutes).
    (2) The keyfile option specifies the path to KeyMaster’s public key. The default value of the configuration variable SSLCERT_PATH is global_config/ssl.
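As an added example covering the three steps above (this is not Caplin's code), the Python below lints an add-sigkey block before deployment: it parses the block out of an rttpd.conf override, expands ${SSLCERT_PATH} using the default noted for the keyfile option, flags a missing option, a token timeout longer than the page's 600 seconds or a hashing-algorithm other than sha256, and sanity-checks that the copied key file is DER rather than a PEM export. It assumes that '#' begins a comment in rttpd.conf and that values may be double-quoted as in the example; the sample override is constructed.

```python
import re

DEFAULT_VARS = {"SSLCERT_PATH": "global_config/ssl"}   # default stated on the page
SAMPLE_CONF = """\
# constructed sample mirroring the page's PermissioningService override
add-sigkey
   key-id               Caplin
   timeout              600
   keyfile              "${SSLCERT_PATH}/keymaster_public.der"
   hashing-algorithm    sha256
end-sigkey
"""

def parse_sigkey_blocks(conf_text):
    """Return one {option: value} dict per add-sigkey ... end-sigkey block."""
    blocks = []
    for body in re.findall(r"^[ \t]*add-sigkey[ \t]*$(.*?)^[ \t]*end-sigkey[ \t]*$", conf_text, re.S | re.M):
        opts = {}
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split(None, 1)    # assumption: '#' starts a comment
            if parts:
                opts[parts[0]] = parts[1].strip().strip('"') if len(parts) > 1 else ""
        blocks.append(opts)
    return blocks

def expand_vars(value, variables=DEFAULT_VARS):
    """Expand ${NAME} references, as the Deployment Framework does for SSLCERT_PATH."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), m.group(0)), value)

def looks_like_der(data):
    """True if data is one DER SEQUENCE whose encoded length equals the data length (DER, not PEM)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                                # short-form length
        return 2 + data[1] == len(data)
    n = data[1] & 0x7F                                # long form: n length bytes follow
    return 0 < n <= len(data) - 2 and 2 + n + int.from_bytes(data[2:2 + n], "big") == len(data)

def lint_sigkey(block, max_timeout=600, variables=DEFAULT_VARS):
    """Return (expanded keyfile path, list of problems) for one parsed block."""
    problems = [f"missing {opt}" for opt in ("key-id", "keyfile", "timeout", "hashing-algorithm") if opt not in block]
    timeout = block.get("timeout", "")
    if timeout and not timeout.isdigit():
        problems.append(f"timeout is not a whole number of seconds: {timeout!r}")
    elif timeout and int(timeout) > max_timeout:
        problems.append(f"timeout {timeout}s exceeds {max_timeout}s, widening the replay window of a captured token")
    if "hashing-algorithm" in block and block["hashing-algorithm"] != "sha256":
        problems.append(f"hashing-algorithm {block['hashing-algorithm']!r} is not the expected sha256")
    return expand_vars(block.get("keyfile", ""), variables), problems
```

Feed looks_like_der the bytes of the file at the expanded path to confirm the key under global_config/ssl is the DER copy from step 1.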

See also: