[4.3.2] Generate new JWT Signing key


Giacomo Petillo

Sep 24, 2018, 6:06:47 AM
to dotCMS User Group
Hi all,
is there a "how to" for generating a new JWT signing key?

I guess I must add a "json.web.token.hash.signing.key" key in dotmarketing-config.properties, right?

Another question: how can I generate a new signing key? "ssh-keygen -t rsa -b 2048 -f jwtRS256.key"?

Thx

Giacomo Petillo

Sep 24, 2018, 11:37:53 AM
to dotCMS User Group
No one?

Falzone, Chris

Sep 24, 2018, 12:02:43 PM
to dot...@googlegroups.com
The JWT Signing Key is just a random string. You don't need to generate a keypair because it does not use asymmetric encryption. So use your favorite method to generate a sufficiently long secure password and use that. The docs are just saying that you should probably not use the default because that string is publicly available in both the dotCMS documentation and the public GitHub repository.

As for where to adjust the property, I would do this in a static configuration plugin:

As to which properties file this specific setting is changed in, the documentation is not clear, actually. I assume based on the code that this is changed in dotmarketing-config.properties though:
Which seems strange, as security for login has historically been configured in portal.properties. Maybe dotCMS can get the documentation clearer there?

Hope that helps!

--

Christopher Falzone

Interactive Developer


A Q U E N T

Digital, Creative, and Marketing Talent


aquent.com

cfal...@aquent.com
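
Added example, not part of the thread and not dotCMS code: one way to generate the random string described above and to see why a keypair is unnecessary. It assumes HS256-style HMAC signing (the thread only says the scheme is not asymmetric); the function names and the stand-in default key are constructed for illustration.

```python
# Added example; not dotCMS code. Assumes HS256-style HMAC signing.
import base64
import hashlib
import hmac
import json
import secrets

PROPERTY = "json.web.token.hash.signing.key"  # property name quoted in the question

def new_signing_key(nbytes: int = 48) -> str:
    """Secret from the OS CSPRNG. token_urlsafe emits only A-Z a-z 0-9 _ -,
    so the value needs no escaping on a Java .properties line."""
    if nbytes < 32:
        raise ValueError("use at least 32 random bytes for HMAC-SHA256")
    return secrets.token_urlsafe(nbytes)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(signing_input: str, key: str) -> str:
    return _b64(hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest())

def sign(claims: dict, key: str) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_mac(header + '.' + body, key)}"

def verify(token: str, key: str) -> bool:
    parts = token.split(".")
    if len(parts) != 3:
        return False
    expected = _mac(parts[0] + "." + parts[1], key)
    return hmac.compare_digest(expected.encode(), parts[2].encode())  # constant time

def rotation_demo() -> dict:
    old_key = "constructed-stand-in-for-the-published-default"  # not the real value
    new_key = new_signing_key()
    old_token = sign({"sub": "constructed-user"}, old_key)
    return {
        "property_line": f"{PROPERTY}={new_key}",
        "new_key_round_trip": verify(sign({"sub": "constructed-user"}, new_key), new_key),
        "old_token_still_valid": verify(old_token, new_key),  # False after rotation
    }

if __name__ == "__main__":
    for name, value in rotation_demo().items():
        print(f"{name}: {value}")
```

Because the same secret both signs and verifies, changing it invalidates every token issued under the previous key, so clients have to obtain new tokens after the change.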

jonathan...@dotcms.com

Sep 24, 2018, 2:28:27 PM
to dotCMS User Group
As Chris described, basically dotCMS takes this string and creates the SecretKey based on it for the JWT.
However, on 5.x it has changed in order to include a different mechanism; I think it is now using keys. You can create your own and point to them by configuration; otherwise dotCMS is going to generate new random keys for you automatically if they do not already exist, so that no installations will share the same keys from 5.x.

Thanks,
J

Giacomo Petillo

Sep 25, 2018, 5:26:38 AM
to dotCMS User Group
Thank you all,

G.