Setting up Liberator to work with KeyMaster

Note: Before you follow the steps below, ensure you have followed the steps to generate the encryption keys. These are detailed under Installing KeyMaster.

Once the encryption keys have been generated, you need to configure Liberator so that it can work with KeyMaster.

Contents:

  1. make the public key file available to Liberator 
  2. modify the Liberator configuration file
  3. configure java auth module

Making the public key file available to Liberator

Copy the DER public key file in <Your_KeyMaster_dir> to Caplin Liberator. The name of this file ends in .der, for example publickey.der.

Put the file in the <deployment framework>/global_config/ssl directory of the Liberator installation.

Note: If you copy the file using FTP (because the KeyMaster and Liberator are on different machines), make sure you use binary mode, as the DER file contains binary data.

Modifying the Liberator configuration file

Edit the Liberator's configuration file <deployment framework>/global_config/overrides/servers/Liberator/etc/rttpd.conf to set up the configuration items that will allow it to work with KeyMaster - see the KeyMaster configuration reference page. The most important configuration item is add-sigkey. The add-sigkey ... end- sigkey configuration item group defines a public key and its properties. Liberator uses this key when it authenticates a user by verifying the digital signature in the user credentials token.

Example of add-sigkey:

## AUTH ##########################################################
#
#

add-sigkey
   key-id               testkey
   keyfile              %r/etc/publickey.der
   hashing-algorithm    sha256
   timeout              300
end-sigkey
  • The keyfile option must point to the DER public key file that was generated using KeyMaster. The %r in the file path means the root directory of the Liberator installation.
  • The timeout value has been set to 300 seconds in the example. This means that, when a user credentials token has been created, the Liberator will consider it to be invalid after 5 minutes. An end-user must therefore connect to the Liberator within 5 minutes of KeyMaster granting the token; after this time the Liberator will reject attempts to log in using the token.

Authentication

The Caplin Permissioning Integration API provides classes and interfaces that allow you to create Permissioning Adapter. Further information can be found in the Permissioning documentation here.

Note: You need to be licensed to use the auth modules

The auth modules in the Liberator license file are as follows:

  • module openauth auth
  • module javaauth auth

Configure Java Auth Module

If you're using Caplin Trader, you've most likely implemented the user authentication with the javaauth API (see the JavaAuth API documentation)

It is possible to write your own java auth module; however, this is rarely done. It is likely however that you would write a permissioning adapter. To create a Permissioning Adapter, you write and compile a Java application that uses the Caplin Permissioning Integration API. Details of how to do this are here.


See also: