This article explains how to authenticate SnapLogic Pipelines that interact with the Box application using the JSON Web Token (JWT) open standard.
Scenario: Authenticating your Box Application with the JSON Web Token Open Standard
You can use the JWT Snap Pack to authenticate the Pipeline's access to the Box application. When you create a custom Box application with JWT authentication, the JWT can be digitally signed using a public and private key pair. The JWT Account requires a KeyStore, which contains the Private Key; the JWT Snap Pack uses that Private Key to sign the JWT payload.
In this tutorial, we describe the tasks required for accomplishing the following two objectives:
- How to create a KeyStore file (in PKCS12 format). This part of the tutorial describes the basic tasks and options for doing so with the open source OpenSSL tool.
- How to generate the token for a Box Account. This part of the tutorial describes how to combine the JWT, JSON Generator, and Mapper Snaps to do so.
For this scenario, the following Snaps are used:
How to Create a KeyStore File (PKCS12 Format)
PKCS #12 (one of the Public-Key Cryptography Standards) defines an archive file format for storing a Private Key together with its server certificate and intermediate certificate (if any) in a single file that can be password-protected. To generate a KeyStore file in PKCS12 format, you need a Private Key and a Certificate (self-signed or signed by a CA).
Info: The tasks described in this section can be used for any application that uses the JWT open standard.
Creating the Private Key for the KeyStore
You can create a Private Key by choosing one of the following three options:
- Option 1: Create a new Private Key with Box
- Option 2: Create a new Private Key with OpenSSL
- Option 3: Use an existing Public and Private Key Pair
Option 1: Create a new Private Key with Box
- Generate a new key pair, as described in the Box documentation, and download the resulting xxxx_config.json file.
Example: config.json file
```json
{
  "boxAppSettings": {
    "clientID": "6l7jykica0k4xrok1zz0ouhvpkg9pbvause clientid from Box json file",
    "clientSecret": "OQ1ozMTv1TrXpN1Fj8MJuswLi0QjM1qGuse clientSecret from Box json file",
    "appAuth": {
      "publicKeyID": "4m5tzcagfs91jjuk",
      "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIeTIJixIoNWACAggA\nMBQGCCqGSIb3DQMHBAi9Vw8IK1CB5ASCBMifA4XXpk/apW9mBwwpbMFw859+UaDS\np8v9FLs4KbqWhrArHwP51wFuEuLGW1zpmLNIgxFqeDH1FDn+iyUZoJYYK/CUGX8z\n2EHHKt85pRTbG7JMzAHXlHI63spxNx/eOdy7vgq0gOTEu4X4BtQ+gyqh95ZDyaJQ\nFxtI/u/x1E8t5VaiTdKcRgh0JNAZwgW/7MsO33kKETANzI8ns83nF9v0DbrKpGii\n6l9qV5ChqsHfYodaP5Ew6GaEedDOOh4zLwbKNb0s8GCsjC0GzA2rOdY6aZ0nyCMw\nxvd2/OcVfFrtV/8ZGPwocaiJ283hV8s5MGQ+RqaUZTZw+u5nNK4InUA5pBQKS/13\n76LBRUH+hiTEhME9q2MjlfF/0hph0Egtshx/F1wlUzFySAzJQc6LiNsjDR3vIwzh\nIa2hmyZDS8uSyLrct6cAWZgSYo3/8HgM9Njg8vWyzj6dbnvCAOIlFyBCKs4nzC65\nWqBfYZWDDqA4RY290deND/KZ0OoA5DYNp4GF1+dPUQgHLAZXb+g5XlOLZVhf5vaG\nkABdCSkl0QXtOjzBMiCBjDhXIkxEfbWIeV4/yVD4laTpY6yRW7Ms1scNqp3Mi6fS\nnJm0v+RSoCGOZmeahieRcc4SaHn2rG3WQTVwgOyQWpA9DZe7hE52N5ZfyRO+K7gM\nG3C2j7X5pe0oYn0ucJFYdjvrQJA12ugOQHfw6ZB3TY7B3CU6GvwUFPxqkXipElDb\nEr7dyT688QLfhO7JEFIkohw3CY4Bi1Ecv4iTFxz8GGE9TdxY50U9kA3YmxSkI/XC\nEeTTv7HcaKtIzT0uaRPx8xbqPKhVJwtpgWDC0txL2Q+Nc34y3mM/pB704ETAxEKd\nM/l0/+ME9NrSuOjOAxAN9fU61laVlnuDEDUzXfN2nZuUq3T2GIVrsYPsUnaeL+94\n06hIznxYoOyOn0f+tXMUnN2TevATpAdqJEiwx2j4Ck9bZ5BUZfBw8rjyVh0GcAiy\nXJHtdx2ciMExg6sAuvwXb+ZuTGqiMQf+WLQaT6CjtZlVKIHA5JOZq5RPBc9X07lq\nuGLt1Ry9FraVFaUEpkSwRDwoZSaUHoV7bUWRtF16gaGGpOUmWG6wtHxtlKtUA4kl\nFNEtS81UdSEgXXk5DFeCqB9Zpx8LgwyoKa4CIS5pLJJ/Wx6XaK4QmHnurhjF8pnz\n9pRIVQTgYI2hzvrtVcS9p7XArepNFGMFD/RB6BUcCUOBUTR28jbDr2sPFIMwTuxm\na0cyLM/dL908ny3VwnqzP3oglbz4E3MDuyciw/AEGNbRBpl/GOGY4Tsp1YGTHhOY\nr9e2h2PrdbZoGyasrSclwLAn1olLhRKE+jJthq4ue9Y2GmwH0htQckCDsVChHbpd\nm76BAIWfarU4bzKxhQ9ZYsTGsJlvBXbtFraqvyUFjQNG3d2PGuS9PNBofJu2dqr/\nQEU8SwnDgo219IB94KXsj+h5Kp9HshDbg85FOiCsaVP+DzWXmJQHEMgrvtWAWcq6\nazgMfL7x8JJ1oWvp+6sQ5YmqeOnBWvksmIN7G1BjfDhnZXzV1/r4/Iuzf2HbsBOi\nQr3CjCslH1bUBRhAF3tWaqqhybtp0lD4ZLjwSoMd+P8QlJQYst9VRGX9I9qrVBpP\nkxw=\n-----END ENCRYPTED PRIVATE KEY-----\nuse privatekey from Box json file",
      "passphrase": "8b0fbf261ad0a775a5d63cf1e0bfbe4ause passphrase from Box json file"
    }
  },
  "enterpriseID": "301393628545865"
}
```
- Save the Private Key (the "privateKey" value shown in the previous step) in the box-private-with-passphrase.key file, then remove the passphrase from the key by running the following command:
```shell
openssl rsa -in box-private-with-passphrase.key -out box-private.key
```
When prompted for the passphrase, enter the "passphrase" value from the xxx_config.json file.
- Verify the key size of the box-private.key file by running the following OpenSSL command:
```shell
openssl rsa -in box-private.key -text -noout
```
The first line of the command output should look like the following example, indicating a 2048-bit key:
```
Private-Key: (2048 bit)
```
Option 2: Create a new Private Key with OpenSSL
Create a new Private Key with the OpenSSL tool by running the following command:
```shell
openssl genrsa -out box-private.key 2048
```
Option 3: Use an existing Public and Private Key Pair
If you already have an existing Public and Private key pair, you can use it for the KeyStore.
Creating the Certificate for KeyStore
Now that you have the Private Key, you can create the certificate for the KeyStore using one of the following two options:
Option 1: Use a Self-signed Certificate
Use OpenSSL to generate a CSR (Certificate Signing Request) file by running the following command:
```shell
openssl req -new -key box-private.key -out box.csr
```
Generate a self-signed certificate from the box.csr output file of the previous step by running the following command:
```shell
openssl x509 -req -days 365 -in box.csr -signkey box-private.key -out box.crt
```
Option 2: Use a CA-signed Certificate
If you have a CA-signed Certificate, you can use that instead. (In this document, we use the name box.crt.)
Generating the KeyStore using the Private Key and Certificate
Now that you have created the Private Key and the Certificate, you can generate the KeyStore following these steps:
- Create a PEM file containing the Private Key followed by the Certificate by running the following commands:
```shell
cat box-private.key > box-private.pem
cat box.crt >> box-private.pem
```
- Generate the KeyStore file in PKCS12 format by running the following OpenSSL command:
```shell
openssl pkcs12 -export -in box-private.pem -out box-keystore.p12 -name 4m5tzcag
```
Here 4m5tzcag is the <Alias_Name> in this example. If the Private Key was generated by Box, the <Alias_Name> is the Public Key ID from the xxx_config.json file that you downloaded from Box.
- When the Set Password prompt appears, enter the Export password. This is the password for the KeyStore, and you need to provide it when creating the JWT Account.
You can obtain the Public Certificate associated with box-private.key from the KeyStore by running the following OpenSSL command:
```shell
openssl pkcs12 -in box-keystore.p12 -nokeys -out box-public.crt
```
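The KeyStore procedure of this section, scripted end to end as an added shell example (this is not SnapLogic's or Box's own tooling): it runs the OpenSSL steps above in a temporary directory and then performs the checks a practitioner wants before uploading the KeyStore: that the key really is 2048 bits, that the KeyStore carries the expected alias, and that the certificate extracted from the KeyStore belongs to the private key it was bundled with. The alias 4m5tzcag is the page's example value; the export password, the certificate subject and the function names (build_keystore, key_bits, keystore_alias, cert_matches_key) are constructed here.

```shell
#!/bin/sh
# Added example: the KeyStore procedure from this section, scripted with OpenSSL
# and followed by sanity checks. Function names, the export password and the
# certificate subject are constructed; the alias 4m5tzcag is the page's example.
set -e

# build_keystore <dir> <export-password> <alias>
# Creates box-private.key, box.csr, box.crt, box-private.pem, box-keystore.p12
# and box-public.crt inside <dir>, following the steps of this section.
build_keystore() {
  dir=$1; pass=$2; alias=$3
  # Option 2: a fresh 2048-bit RSA private key
  openssl genrsa -out "$dir/box-private.key" 2048 2>/dev/null
  # Certificate option 1: CSR, then a self-signed certificate valid for one year
  openssl req -new -key "$dir/box-private.key" -subj "/CN=box-jwt-example" \
    -out "$dir/box.csr"
  openssl x509 -req -days 365 -in "$dir/box.csr" \
    -signkey "$dir/box-private.key" -out "$dir/box.crt" 2>/dev/null
  # PEM bundle: private key followed by the certificate
  cat "$dir/box-private.key" "$dir/box.crt" > "$dir/box-private.pem"
  # PKCS12 KeyStore; -passout replaces the interactive "Set Password" prompt
  openssl pkcs12 -export -in "$dir/box-private.pem" \
    -out "$dir/box-keystore.p12" -name "$alias" -passout "pass:$pass"
  # Public certificate back out of the KeyStore (-nokeys: no private material)
  openssl pkcs12 -in "$dir/box-keystore.p12" -nokeys \
    -out "$dir/box-public.crt" -passin "pass:$pass" 2>/dev/null
}

# key_bits <private-key> -> prints the modulus size, e.g. 2048
key_bits() {
  openssl rsa -in "$1" -text -noout 2>/dev/null \
    | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# keystore_alias <keystore.p12> <password> -> prints the certificate's friendlyName
keystore_alias() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# cert_matches_key <cert> <private-key> -> exit 0 when both carry the same public key
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -pubkey -noout)
  key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

demo() {
  d=$(mktemp -d)
  build_keystore "$d" "constructed-export-password" 4m5tzcag
  echo "key size: $(key_bits "$d/box-private.key") bit"
  echo "alias:    $(keystore_alias "$d/box-keystore.p12" constructed-export-password)"
  if cert_matches_key "$d/box-public.crt" "$d/box-private.key"; then
    echo "certificate in KeyStore matches box-private.key"
  else
    echo "MISMATCH: certificate in KeyStore does not belong to box-private.key" >&2
  fi
  rm -rf "$d"
}

demo
```

The last check matters when a CA-signed certificate (certificate option 2) is used: a KeyStore built from a certificate issued for a different key imports without error but produces JWTs whose signature the Box side cannot verify, and comparing the two public keys catches that before the JWT Account is configured.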
Create the JWT
Now that you have generated the KeyStore file, you can create the JWT for use in your SnapLogic Pipelines by doing the following:
- Make the KeyStore file available to SnapLogic by one of the following three methods:
  - Upload the box-keystore.p12 file to the SnapLogic file system in Manager.
  - Download the box-keystore.p12 file to the machine hosting the JCC nodes in the Groundplex.
  - Store the box-keystore.p12 file in a web location that SnapLogic can access.
- Create a JWT Account as described in Configuring JWT Accounts. You must specify the KeyStore passphrase that you used when generating the box-keystore.p12 KeyStore file.
You can now proceed to the second part of this tutorial, where we describe how to generate the JWT Token using the JWT Generate Snap in a Pipeline.
How to Generate the Token for a Box Account
This tutorial focuses on creating the Pipeline Pattern used to generate the token for the Box Account that accesses the Box application. We assume that you have completed the tasks outlined in How to Create a KeyStore File (PKCS12 Format).
The following Pipeline demonstrates how to use the JWT Snap Pack to generate the token to access a Box.com account. In this scenario, we focus only on the first branch of the Pipeline, which contains four Snaps:
Info: After you download the sample Pipeline, ensure that you add a valid clientID, clientSecret, publicKeyID, privateKey, and passphrase to run the Pipeline successfully.
When we configure the JWT Generate Snap with a JWT account as follows, the JWT Generate Snap signs the JWT claims payload as expected by the Box application.
In the JSON Generator Snap, we create the config.json file that contains the Public and Private Keys.
In the Mapper Snap, we configure the JWT authentication settings for the Box account. The Mapping Table displays how the JWT keys are mapped for the JWT Generate Snap.
In the JWT Generate Snap, tokens are generated for the keys specified in the Mapper Snap. The Generate Snap has explicit Audience and Subject fields.
The JWT Validate Snap authenticates the keys from the JWT Generate Snap.
To validate the signature at jwt.io, extract the Public Key by running the following command and paste the contents of box-public.pem into the Verify Signature field:
```shell
openssl pkey -in box-private.pem -out box-public.pem -pubout
```
The following image is an example reference of a verified signature:
Once you complete both parts of this tutorial, you can use this authentication method inside a Pipeline to obtain access to the Box application. The token generated by the JWT Generate Snap can be decoded at jwt.io by pasting the Public Certificate that was obtained in the Verify Signature section (top box).
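To make concrete what the JWT Generate Snap signs with the KeyStore's Private Key, and what jwt.io checks when you paste box-public.pem into Verify Signature, here is an added shell example (not SnapLogic's Snaps or Box's SDK) that signs an RS256 JWT with OpenSSL and verifies it with the public key, including the case where the payload was changed after signing. The claim names (iss, sub, box_sub_type, aud, jti, exp) follow Box's JWT authentication documentation rather than this page; the client ID placeholder, the enterprise ID 301393628545865 and the kid value 4m5tzcag are the page's example values or constructed ones, and the function names (b64url_enc, b64url_dec, jwt_sign, jwt_payload, jwt_verify) are assumptions.

```shell
#!/bin/sh
# Added example: sign a Box-style JWT with RS256 using OpenSSL, then verify it with
# the public key, which is the check jwt.io performs on a pasted public key.
# Claim names follow Box's JWT authentication docs; all values are constructed.
set -e

# base64url (RFC 7515): standard base64 with URL-safe alphabet and no padding
b64url_enc() { openssl base64 -A | sed 's/+/-/g; s,/,_,g; s/=*$//'; }
b64url_dec() {
  s=$(sed 's/-/+/g; s,_,/,g')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done   # restore padding
  printf %s "$s" | openssl base64 -d -A
}

# jwt_sign <private-key.pem> <claims-json> -> prints header.payload.signature
jwt_sign() {
  # kid carries the Box Public Key ID, the same value used as the KeyStore alias
  header='{"alg":"RS256","typ":"JWT","kid":"4m5tzcag"}'
  input="$(printf %s "$header" | b64url_enc).$(printf %s "$2" | b64url_enc)"
  sig=$(printf %s "$input" | openssl dgst -sha256 -sign "$1" -binary | b64url_enc)
  printf '%s.%s\n' "$input" "$sig"
}

# jwt_payload <token> -> prints the decoded claims (decoding is not verification)
jwt_payload() {
  p=${1#*.}; p=${p%.*}
  printf %s "$p" | b64url_dec
}

# jwt_verify <public-key.pem> <token> -> exit 0 only if the RS256 signature is valid
jwt_verify() {
  input=${2%.*}
  sigfile=$(mktemp)
  printf %s "${2##*.}" | b64url_dec > "$sigfile"
  if printf %s "$input" | openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$sigfile"
  return $rc
}

demo() {
  d=$(mktemp -d)
  openssl genrsa -out "$d/box-private.key" 2048 2>/dev/null
  # Same command the page uses to obtain the key for the Verify Signature field
  openssl pkey -in "$d/box-private.key" -out "$d/box-public.pem" -pubout
  exp=$(( $(date +%s) + 45 ))   # short lifetime, as Box's JWT docs require
  claims="{\"iss\":\"CLIENT_ID_PLACEHOLDER\",\"sub\":\"301393628545865\",\"box_sub_type\":\"enterprise\",\"aud\":\"https://api.box.com/oauth2/token\",\"jti\":\"$(openssl rand -hex 16)\",\"exp\":$exp}"
  token=$(jwt_sign "$d/box-private.key" "$claims")
  echo "token:  $token"
  echo "claims: $(jwt_payload "$token")"
  if jwt_verify "$d/box-public.pem" "$token"; then echo "signature: valid"; fi
  # Change one claim without re-signing: the signature no longer verifies, which
  # is what jwt.io reports as "Invalid Signature"
  edited="${token%%.*}.$(printf %s '{"sub":"0"}' | b64url_enc).${token##*.}"
  if jwt_verify "$d/box-public.pem" "$edited"; then
    echo "edited payload: signature still valid (unexpected)"
  else
    echo "edited payload: signature invalid"
  fi
  rm -rf "$d"
}

demo
```

Note that jwt_payload only decodes: anyone can read the claims of a JWT, so the Mapper Snap must not place secrets such as the clientSecret into the claims, and only a successful jwt_verify (or the JWT Validate Snap) establishes that the token was produced by the holder of the KeyStore's Private Key.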