apm oauth jwk-config
apm oauth jwk-config(1) BIG-IP TMSH Manual apm oauth jwk-config(1)
NAME
jwk-config - Manages JSON Web Keys to be used with Authorization Server/Client/Resource Server
MODULE
apm oauth
SYNTAX
Configure the jwk-config component within the oauth module using the following syntax.
CREATE/MODIFY
create jwk-config [name]
modify jwk-config [name]
options:
alg-type [none | HS256 | HS384 | HS512 | RS256 | RS384 | RS512 | ES256 | ES384]
app-service [[string] | none]
auto-generated [enabled | disabled]
cert [certificate-name | none]
cert-chain [chain-name | none]
cert-key [key-name | none]
cert-thumbprint-sha1 [[string] | none]
cert-thumbprint-sha256 [[string] | none]
curve [[string] | none]
include-x5c [enabled | disabled]
key-id [[string] | none]
key-type [rsa | octet | elliptic-curve]
key-use [signing]
modulus [[string] | none]
passphrase [[string] | none]
public-exponent [[string] | none]
shared-secret [[string] | none]
use-client-secret [true | false]
x-coordinate [[string] | none]
y-coordinate [[string] | none]
edit jwk-config [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
DISPLAY
list jwk-config
list jwk-config [ [ [name] | [glob] | [regex] ] ... ]
show running-config jwk-config
show running-config jwk-config [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
DELETE
delete jwk-config [name]
DESCRIPTION
You can use the jwk-config component to configure a cryptographic JSON Web Key. This key may be used by the
Authorization server to sign JSON Web Tokens or by the Client/Resource Server to verify the JSON Web Token
signature.
EXAMPLES
create jwk-config myJwk {
alg-type RS256
key-id b2719f31c6ba1e5fe664fbb1bf0f7c05b3d3a0a1
modulus ovtSwEWv9Q97JbB5Knfq4iAn8gl-ONzsFoxEasbh9-l4CgeTImIXH31cOxu5tjVjAxeFifPW9w8EdEa-o8kUSJ40Fp2qMRN9wFAHmu5pmS70Vlm4brg4Rc2jk8XMahNKoZ6AY1sIs_6e_JsiLMvEP8btu1iOpZri5fS9MjbWC9IOW1Vpy9MB8hp7IUZ4nwWBcWmT4NIUmR1QF9-fDmWsF0JUXfjAm1__cAJN7K3EcMOhLwWkVvrr1U0bpeRLprTUKpRNER-nq-pA0b2t5U56rFAAws-5ydNw4coa2dS3AJrmnaCSS4BZubpRYGh8ScTBxQlZm74f1Sty8H7gUeysFw
public-exponent AQAB
}
Creates a JSON Web Key named myJwk that uses algorithm RS256.
create jwk-config myJwk {
alg-type RS256
key-id b2719f31c6ba1e5fe664fbb1bf0f7c05b3d3a0a1
cert myCrt.crt
cert-key myKey.key
}
Creates a JSON Web Key named myJwk that will automatically generate other fields based on the values in
'cert' and 'cert-key'. This JSON Web Key uses algorithm RS256 and can be used by the Authorization server
to sign JSON Web Tokens.
list jwk-config
Displays a list of registered JSON Web Keys.
delete jwk-config myJwk
Deletes the JSON Web Key myJwk.
OPTIONS
alg-type
Specifies which cryptographic algorithm is used by this JSON Web Key. The default value is none.
app-service
Specifies the name of the application service to which the object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
auto-generated
Specifies whether this key was created manually or generated through OpenID Connect metadata discovery.
The default value is false.
cert
Specifies the certificate this JSON Web Key uses to verify the JWT. Values derived from this field are a
part of the JWKS endpoint response.
cert-chain
Specifies the certificate chain this JSON Web Key uses to validate the certificate in the cert field.
Values derived from this field are a part of the JWKS endpoint response.
cert-key
Specifies the certificate key this JSON Web Key uses to sign the JWT.
cert-thumbprint-sha1
Specifies the base64url-encoded SHA-1 thumbprint of the DER encoding of the X.509 certificate. If the 'cert'
field is present, this value is auto-generated.
cert-thumbprint-sha256
Specifies the base64url-encoded SHA-256 thumbprint of the DER encoding of the X.509 certificate. If the
'cert' field is present, this value is auto-generated.
curve
Specifies the curve used by the Elliptic Curve JSON Web Key. If the 'cert' field is present, this value
is auto-generated.
include-x5c
Specifies whether the JWKS endpoint response contains a chain of one or more PKIX certificates. The
default value is false.
key-id
Specifies the parameter to identify a specific JSON Web Key.
key-type
Specifies the cryptographic algorithm family used by the JSON Web Key. This setting is required. The
default value is rsa.
key-use
Specifies whether the JSON Web Key is used for signature generation and verification. At this time, the
only supported value is signing.
modulus
Specifies the modulus value for the RSA public key in base64url-encoded format. If the 'cert' field is
present, this value is auto-generated.
partition
Displays the partition within which the component resides.
passphrase
Specifies the passphrase used to encrypt the certificate key provided in 'cert-key' field.
public-exponent
Specifies the exponent value for the RSA public key in base64url-encoded format. If the 'cert' field is
present, this value is auto-generated.
shared-secret
Specifies the shared secret for the symmetric JSON Web Key when 'key-type' is set to octet.
use-client-secret
Specifies that this JSON Web Key uses client-secret instead of shared-secret. This field is relevant only
when key-type is set to octet. The default value is false.
x5c
Specifies a chain of one or more PKIX certificates represented as a JSON array of certificate value
strings. The JSON array is generated using 'cert' and 'cert-chain' field values.
x-coordinate
Specifies the x coordinate for the Elliptic Curve point in base64url-encoded format. If the 'cert' field
is present, this value is auto-generated.
y-coordinate
Specifies the y coordinate for the Elliptic Curve point in base64url-encoded format. If the 'cert' field
is present, this value is auto-generated.
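The following is an added example, not part of the F5 manual: a Python helper that recomputes the cert-thumbprint-sha1 and cert-thumbprint-sha256 values from a PEM certificate and sanity-checks the modulus, public-exponent, alg-type and key-type of an RSA key before it is entered with create jwk-config. It assumes unpadded base64url as defined in RFC 7515; the function names, the 2048-bit threshold and the sample values are constructed for illustration.

```python
import base64
import hashlib

def b64url_decode(s):
    # Assumption: values are unpadded base64url (RFC 7515), so restore the padding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def cert_thumbprints(pem):
    # Strip the PEM armor, recover the DER bytes, hash them, base64url-encode.
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    der = base64.b64decode("".join(body))
    return (b64url_encode(hashlib.sha1(der).digest()),
            b64url_encode(hashlib.sha256(der).digest()))

# Algorithm prefix -> key-type family, using the values listed under SYNTAX.
FAMILY = {"RS": "rsa", "HS": "octet", "ES": "elliptic-curve"}

def check_rsa_jwk(cfg, min_bits=2048):
    # cfg maps jwk-config option names to values; returns a list of findings.
    findings = []
    alg = cfg.get("alg-type", "none")   # documented default
    kt = cfg.get("key-type", "rsa")     # documented default
    if FAMILY.get(alg[:2]) != kt:
        findings.append(f"alg-type {alg} does not match key-type {kt}")
    n = int.from_bytes(b64url_decode(cfg["modulus"]), "big")
    e = int.from_bytes(b64url_decode(cfg["public-exponent"]), "big")
    if n.bit_length() < min_bits:
        findings.append(f"modulus is only {n.bit_length()} bits")
    if e != 65537:
        findings.append(f"unusual public exponent {e}")
    return findings

# Constructed sample inputs: placeholder bytes in PEM armor (not a real
# certificate) and size-only moduli (not real RSA keys).
DER_SAMPLE = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(DER_SAMPLE).decode()
              + "\n-----END CERTIFICATE-----\n")

def sample_modulus(bits):
    return b64url_encode(((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))

WEAK = {"alg-type": "RS256", "key-type": "rsa",
        "modulus": sample_modulus(1024), "public-exponent": "AQAB"}

if __name__ == "__main__":
    print(cert_thumbprints(SAMPLE_PEM))
    print(check_rsa_jwk(WEAK))
```

Comparing the recomputed thumbprints with the auto-generated values shown by list jwk-config confirms that the key object refers to the intended certificate.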
SEE ALSO
apm oauth jwt-config
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2015-2016, 2017. All rights reserved.
BIG-IP 2017-10-18 apm oauth jwk-config(1)