
Security

HTTPS

To switch IAD Server to HTTPS, set the SERVER_SSL_ENABLED environment variable to true. This changes the default port from 8080 to 8443:

docker run \
    --env SERVER_SSL_ENABLED=true \
    -p 8443:8443 \
    ...

By default the Server uses a self-signed certificate. You can replace it by mounting your own certificate as a volume and passing its path inside the container via the SERVER_SSL_KEY_STORE environment variable:

docker run \
    --env SERVER_SSL_ENABLED=true \
    --env SERVER_SSL_KEY_STORE=/tls/bundle.pem \
    --volume /etc/idlivedoc/bundle.pem:/tls/bundle.pem \
    ...

The PEM file should contain both the certificate and the private key. If they are in separate files, put their paths in a config file:

config.properties
source.key=/tls/fullchain.key
source.cert=/tls/privkey.pem

Then select the config-file mode by setting the SERVER_SSL_KEY_STORE_TYPE environment variable to PEMCFG.MOD and pointing SERVER_SSL_KEY_STORE at the config file:

docker run \
    --env SERVER_SSL_ENABLED=true                       \
    --env SERVER_SSL_KEY_STORE=/tls/config.properties   \
    --env SERVER_SSL_KEY_STORE_TYPE=PEMCFG.MOD          \
    --volume /etc/idlivedoc/tls:/tls                   \
    ...
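Before starting the container it is worth checking that the TLS material matches the mode you selected: a single bundle must carry both a CERTIFICATE and a PRIVATE KEY block, and in PEMCFG.MOD mode each path in the config file must exist and hold the block type its key implies (a swapped source.key/source.cert pair is the typical mistake). The following pre-flight checker is an added example, not code from IAD Server; the PEM content it writes is a constructed placeholder, and the config-file parser assumes plain key=value lines as shown above.

```python
import os
import re
import tempfile

# Constructed placeholder bundle: the block bodies are not real key material.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBsampleCERTIFICATEbodyPLACEHOLDER==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEsamplePRIVATEKEYbodyPLACEHOLDER==
-----END PRIVATE KEY-----
"""

# One PEM block: BEGIN label, body, END with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----", re.S)


def pem_block_types(text):
    """Return the set of PEM block labels in `text`, e.g. {'CERTIFICATE', 'PRIVATE KEY'}."""
    return {m.group(1) for m in PEM_BLOCK.finditer(text)}


def check_bundle(path):
    """Bundle mode: the single file named by SERVER_SSL_KEY_STORE needs a cert and a key."""
    with open(path) as f:
        types = pem_block_types(f.read())
    has_cert = "CERTIFICATE" in types
    has_key = any(t.endswith("PRIVATE KEY") for t in types)  # also matches RSA/EC PRIVATE KEY
    return has_cert and has_key


def parse_pemcfg(path):
    """PEMCFG.MOD mode: parse the key=value config file (assumed format, as in the page)."""
    entries = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def check_pemcfg(path):
    """Return a list of problems: missing entries, missing files, or wrong block type."""
    cfg = parse_pemcfg(path)
    problems = []
    for name, wanted in (("source.key", "PRIVATE KEY"), ("source.cert", "CERTIFICATE")):
        target = cfg.get(name)
        if target is None:
            problems.append(f"{name} missing")
            continue
        if not os.path.isfile(target):
            problems.append(f"{name} -> {target} not found")
            continue
        with open(target) as f:
            types = pem_block_types(f.read())
        if not any(t.endswith(wanted) for t in types):
            problems.append(f"{name} -> {target} has no {wanted} block")
    return problems


def env_for(mode, keystore):
    """Environment variables to pass to docker run for the chosen mode."""
    env = {"SERVER_SSL_ENABLED": "true", "SERVER_SSL_KEY_STORE": keystore}
    if mode == "pemcfg":
        env["SERVER_SSL_KEY_STORE_TYPE"] = "PEMCFG.MOD"
    return env


def demo():
    """Write constructed files to a temp dir and run both checks.
    Returns (bundle_ok, problems_for_correct_config, problems_for_swapped_config)."""
    with tempfile.TemporaryDirectory() as d:
        bundle = os.path.join(d, "bundle.pem")
        with open(bundle, "w") as f:
            f.write(SAMPLE_BUNDLE)
        # Split the bundle into separate cert and key files for the PEMCFG.MOD case.
        cert_part, key_part = SAMPLE_BUNDLE.split("-----END CERTIFICATE-----\n")
        cert, key = os.path.join(d, "fullchain.pem"), os.path.join(d, "privkey.pem")
        with open(cert, "w") as f:
            f.write(cert_part + "-----END CERTIFICATE-----\n")
        with open(key, "w") as f:
            f.write(key_part)
        good = os.path.join(d, "config.properties")
        with open(good, "w") as f:
            f.write(f"source.key={key}\nsource.cert={cert}\n")
        swapped = os.path.join(d, "swapped.properties")  # key and cert paths exchanged
        with open(swapped, "w") as f:
            f.write(f"source.key={cert}\nsource.cert={key}\n")
        return check_bundle(bundle), check_pemcfg(good), check_pemcfg(swapped)


if __name__ == "__main__":
    print(demo())
```

Run the checks against the host paths you are about to mount (for example /etc/idlivedoc/bundle.pem or the files named in /etc/idlivedoc/tls/config.properties); the paths inside the config file must be the container-side paths under /tls, so run the checker from a view where those resolve, or rewrite the prefix before checking.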

JWT

IAD Server supports JWT-based authentication. To enable it, set the IAD_SERVER_AUTHENTICATION environment variable to jwt and specify the configuration endpoint (issuer URI) of the authorization server:

docker run \
    --env IAD_SERVER_AUTHENTICATION=jwt \
    --env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=https://example.com/realms/test \
    ...

If your authorization server doesn't expose a configuration endpoint, the JWK Set endpoint can be specified instead:

docker run \
    --env IAD_SERVER_AUTHENTICATION=jwt \
    --env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=https://example.com/realms/test/protocol/openid-connect/certs \
    ...

Additionally, you can specify the audiences (the aud claim) that the JWT should contain:

docker run \
    --env SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_AUDIENCES=idlivedoc \
    ...
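The three variables above map onto the checks a resource server performs on every request: the signature must verify against the issuer's keys, iss must equal the configured issuer URI, aud must include one of the configured audiences, and exp must be in the future. The following verifier is an added example illustrating those checks, not IAD Server's implementation: to stay self-contained it signs and verifies with HS256 and a constructed shared secret, whereas the server fetches the issuer's JWK Set (directly or via the configuration endpoint) and verifies asymmetric signatures. The issuer URI and audience are the values from the docker run examples; the clock value and secret are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Values taken from the docker run examples above.
ISSUER_URI = "https://example.com/realms/test"
AUDIENCES = ["idlivedoc"]
# Constructed shared secret for the HS256 demo (the real server uses the issuer's JWK Set).
DEMO_SECRET = b"constructed-demo-secret"
# Fixed clock so the example is deterministic.
NOW = 1_700_000_000


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()


def make_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 token to feed the verifier (test input only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = b64url_encode(_hs256(f"{header}.{payload}", secret))
    return f"{header}.{payload}.{signature}"


def verify_token(token, secret, issuer_uri, audiences, now=None):
    """Return the reasons a resource server would reject `token` ([] means accepted).
    Order matters: the claims are untrusted until the signature has been checked."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed token"]
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm we expect instead of trusting the token's own 'alg'.
    if header.get("alg") != "HS256":
        return ["unexpected alg"]
    expected = _hs256(f"{header_b64}.{payload_b64}", secret)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return ["bad signature"]
    claims = json.loads(b64url_decode(payload_b64))
    problems = []
    # iss must equal SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI.
    if claims.get("iss") != issuer_uri:
        problems.append("issuer mismatch")
    # aud may be a string or a list; one configured audience must be present.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if audiences and not set(aud) & set(audiences):
        problems.append("audience mismatch")
    # exp is a Unix timestamp and must lie in the future.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired")
    return problems


def requires_auth(path: str) -> bool:
    """With IAD_SERVER_AUTHENTICATION=jwt every endpoint needs a token except /api_version."""
    return path != "/api_version"


if __name__ == "__main__":
    token = make_token({"iss": ISSUER_URI, "aud": "idlivedoc", "exp": NOW + 300}, DEMO_SECRET)
    print(verify_token(token, DEMO_SECRET, ISSUER_URI, AUDIENCES, now=NOW))
```

When debugging a 401 from the server, reproducing these checks on the token you sent (issuer string identical to the configured URI including scheme and trailing path, audience present, exp not in the past after clock skew) usually pinpoints which of the three variables is misconfigured.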

Note that the /api_version endpoint never requires authentication.