
This article explains how to authenticate SnapLogic Pipelines that interact with the Box application using the JSON Web Token (JWT) open standard.

Scenario: Authenticating your Box Application with the JSON Web Token Open Standard.

You can use the JWT Snap Pack to authenticate the Pipeline's access to the Box application. When you create a custom Box application with JWT Authentication, the JWT is digitally signed using a Public and Private Key pair. The JWT Account requires a KeyStore, which contains the Private Key. The JWT Snap Pack uses the Private Key to sign the payload of the JWT.

In this tutorial, we describe the tasks required for accomplishing the following two objectives:

  1. How to create a KeyStore file (in PKCS12 format). This part of the tutorial describes the basic tasks and options for doing so with the open source OpenSSL tool.
  2. How to generate the token for a Box Account. This part of the tutorial describes how to combine the JWT, JSON Generator, and Mapper Snaps to do so.

For this scenario, the following Snaps are used:


How to Create a KeyStore File (PKCS12 Format)

PKCS12 (Public-Key Cryptography Standards #12) defines an archive file format that stores a Private Key together with its certificate (and any intermediate certificates) in a single, password-protected file. To generate a KeyStore file in PKCS12 format, you need a Private Key and a Certificate (self-signed or signed by a CA).

Info: The tasks described in this section can be used for any application that uses the JWT open standard.


Creating the Private Key for the KeyStore

You can create a Private Key by choosing one of the following three options:

Option 1: Create a new Private Key with Box

  1. You can generate a new key pair, as described in Box documentation.
  2. Download the resulting xxxx_config.json file. 

    Example: config.json file
    {
      "boxAppSettings": {
        "clientID": "6l7jykica0k4xrok1zz0ouhvpkg9pbvause clientid from Box json file",
        "clientSecret": "OQ1ozMTv1TrXpN1Fj8MJuswLi0QjM1qGuse clientSecret from Box json file",
        "appAuth": {
          "publicKeyID": "4m5tzcagfs91jjuk",
          "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIeTIJixIoNWACAggA\nMBQGCCqGSIb3DQMHBAi9Vw8IK1CB5ASCBMifA4XXpk/apW9mBwwpbMFw859+UaDS\np8v9FLs4KbqWhrArHwP51wFuEuLGW1zpmLNIgxFqeDH1FDn+iyUZoJYYK/CUGX8z\n2EHHKt85pRTbG7JMzAHXlHI63spxNx/eOdy7vgq0gOTEu4X4BtQ+gyqh95ZDyaJQ\nFxtI/u/x1E8t5VaiTdKcRgh0JNAZwgW/7MsO33kKETANzI8ns83nF9v0DbrKpGii\n6l9qV5ChqsHfYodaP5Ew6GaEedDOOh4zLwbKNb0s8GCsjC0GzA2rOdY6aZ0nyCMw\nxvd2/OcVfFrtV/8ZGPwocaiJ283hV8s5MGQ+RqaUZTZw+u5nNK4InUA5pBQKS/13\n76LBRUH+hiTEhME9q2MjlfF/0hph0Egtshx/F1wlUzFySAzJQc6LiNsjDR3vIwzh\nIa2hmyZDS8uSyLrct6cAWZgSYo3/8HgM9Njg8vWyzj6dbnvCAOIlFyBCKs4nzC65\nWqBfYZWDDqA4RY290deND/KZ0OoA5DYNp4GF1+dPUQgHLAZXb+g5XlOLZVhf5vaG\nkABdCSkl0QXtOjzBMiCBjDhXIkxEfbWIeV4/yVD4laTpY6yRW7Ms1scNqp3Mi6fS\nnJm0v+RSoCGOZmeahieRcc4SaHn2rG3WQTVwgOyQWpA9DZe7hE52N5ZfyRO+K7gM\nG3C2j7X5pe0oYn0ucJFYdjvrQJA12ugOQHfw6ZB3TY7B3CU6GvwUFPxqkXipElDb\nEr7dyT688QLfhO7JEFIkohw3CY4Bi1Ecv4iTFxz8GGE9TdxY50U9kA3YmxSkI/XC\nEeTTv7HcaKtIzT0uaRPx8xbqPKhVJwtpgWDC0txL2Q+Nc34y3mM/pB704ETAxEKd\nM/l0/+ME9NrSuOjOAxAN9fU61laVlnuDEDUzXfN2nZuUq3T2GIVrsYPsUnaeL+94\n06hIznxYoOyOn0f+tXMUnN2TevATpAdqJEiwx2j4Ck9bZ5BUZfBw8rjyVh0GcAiy\nXJHtdx2ciMExg6sAuvwXb+ZuTGqiMQf+WLQaT6CjtZlVKIHA5JOZq5RPBc9X07lq\nuGLt1Ry9FraVFaUEpkSwRDwoZSaUHoV7bUWRtF16gaGGpOUmWG6wtHxtlKtUA4kl\nFNEtS81UdSEgXXk5DFeCqB9Zpx8LgwyoKa4CIS5pLJJ/Wx6XaK4QmHnurhjF8pnz\n9pRIVQTgYI2hzvrtVcS9p7XArepNFGMFD/RB6BUcCUOBUTR28jbDr2sPFIMwTuxm\na0cyLM/dL908ny3VwnqzP3oglbz4E3MDuyciw/AEGNbRBpl/GOGY4Tsp1YGTHhOY\nr9e2h2PrdbZoGyasrSclwLAn1olLhRKE+jJthq4ue9Y2GmwH0htQckCDsVChHbpd\nm76BAIWfarU4bzKxhQ9ZYsTGsJlvBXbtFraqvyUFjQNG3d2PGuS9PNBofJu2dqr/\nQEU8SwnDgo219IB94KXsj+h5Kp9HshDbg85FOiCsaVP+DzWXmJQHEMgrvtWAWcq6\nazgMfL7x8JJ1oWvp+6sQ5YmqeOnBWvksmIN7G1BjfDhnZXzV1/r4/Iuzf2HbsBOi\nQr3CjCslH1bUBRhAF3tWaqqhybtp0lD4ZLjwSoMd+P8QlJQYst9VRGX9I9qrVBpP\nkxw=\n-----END ENCRYPTED PRIVATE KEY-----\nuse privatekey from Box json file",
          "passphrase": "8b0fbf261ad0a775a5d63cf1e0bfbe4ause passphrase from Box json file"
        }
      },
      "enterpriseID": "301393628545865"
    }


  3. Save the Private Key (the "privateKey" value in the previous step) in the box-private-with-passphrase.key file. The value is a JSON string, so each literal \n must become a real line break in the file; otherwise OpenSSL cannot parse the PEM.

  4. Remove the passphrase from the Private Key (decrypt it) by running the following command:

    openssl rsa -in box-private-with-passphrase.key -out box-private.key


  5. When prompted to enter the passphrase, enter the passphrase from the xxx_config.json file.

  6. Verify the key size of the box-private.key file by running the following SSL command:

    openssl rsa -in box-private.key -text -noout

    The first line of the command output looks like the following:

    Private-Key: (2048 bit)

    This indicates a 2048-bit key.



Option 2: Create a new Private Key with OpenSSL

Create a new Private Key with the OpenSSL tool by running the following command:

openssl genrsa -out box-private.key 2048


Option 3: Use an existing Public and Private Key Pair

If you already have an existing Public and Private key pair, you can use it for the KeyStore.


Creating the Certificate for KeyStore

Now that you have the Private Key, you can create the certificate for the KeyStore using one of the following two options:

Option 1: Use a Self-signed Certificate

  1. Use OpenSSL to run the following command for generating a CSR (Certificate Signing Request) file:

    openssl req -new -key box-private.key -out box.csr



  2. Generate a self-signed certificate using the box.csr output file from the previous step by running the following command:

    openssl x509 -req -days 365 -in box.csr -signkey box-private.key -out box.crt


Option 2: Use a CA-signed Certificate

If you already have a CA-signed Certificate, you can use it. (In this document, the certificate file is named box.crt.)

Generating the KeyStore using the Private Key and Certificate

Now that you have created the Private Key and the Certificate, you can generate the KeyStore following these steps:

  1. Create a PEM file with the Private Key and Certificate by running the following commands:

    cat box-private.key > box-private.pem
    cat box.crt >> box-private.pem


  2. Generate the KeyStore file in PKCS12 format.

    1. Run the following OpenSSL command:

      openssl pkcs12 -export -in box-private.pem -out box-keystore.p12 -name 4m5tzcag 

      Where 4m5tzcag is the <Alias_Name> in this example. If the Private Key was generated by Box, the <Alias_Name> is the Public Key ID from the xxx_config.json file that you download from Box.

    2. When the Set Password prompt appears, enter the Export password. This is the password for the KeyStore, and you must provide it when creating the JWT Account.


  3. You can obtain the Public Certificate associated with box-private.key from the KeyStore by running the following OpenSSL command:

    openssl pkcs12 -in box-keystore.p12 -nokeys -out box-public.crt
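The following script is an added example and is not part of the SnapLogic documentation or the Box project. It runs the KeyStore procedure above end to end without interactive prompts (the -passin and -passout options supply the passphrases that the text asks you to type), starting from a passphrase-protected PKCS#8 key to mimic the key Box delivers, and then performs the checks a practitioner wants before handing the file to the JWT Account: that the key is 2048-bit, that the certificate inside the .p12 actually belongs to the private key, and that the entry carries the expected alias. The file names, the alias 4m5tzcag, and the passphrases are assumptions and constructed values.

```shell
#!/bin/sh
# Added example (not from the SnapLogic page): non-interactive KeyStore build
# plus post-build checks. All names, alias and passwords are constructed.
set -eu

# Build a PKCS12 KeyStore in work directory $1 with alias $2 and KeyStore
# password $3, following Option 1 (encrypted key) and a self-signed certificate.
build_keystore() {
    dir=$1; ks_alias=$2; kspass=$3
    # Stand-in for the "privateKey" value in Box's config.json: a
    # passphrase-protected PKCS#8 key (constructed here, not a real Box key).
    openssl genrsa -out "$dir/raw.key" 2048 2>/dev/null
    openssl pkcs8 -topk8 -in "$dir/raw.key" -passout pass:boxpassphrase \
        -out "$dir/box-private-with-passphrase.key"
    # Step 4 of the text: strip the passphrase from the key.
    openssl rsa -in "$dir/box-private-with-passphrase.key" \
        -passin pass:boxpassphrase -out "$dir/box-private.key" 2>/dev/null
    # Certificate, Option 1: CSR, then a self-signed certificate.
    openssl req -new -key "$dir/box-private.key" -subj "/CN=box-jwt-example" \
        -out "$dir/box.csr"
    openssl x509 -req -days 365 -in "$dir/box.csr" \
        -signkey "$dir/box-private.key" -out "$dir/box.crt" 2>/dev/null
    # PEM bundle and PKCS12 export; -passout replaces the Set Password prompt.
    cat "$dir/box-private.key" "$dir/box.crt" > "$dir/box-private.pem"
    openssl pkcs12 -export -in "$dir/box-private.pem" \
        -out "$dir/box-keystore.p12" -name "$ks_alias" -passout "pass:$kspass"
}

# Print the size in bits of RSA private key $1 (the check in step 6).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n '1s/.*(\([0-9]*\) bit.*/\1/p'
}

# Print "match" if the certificate in KeyStore $1 (password $2) carries the
# public key of private key $3, otherwise "mismatch". Compares RSA moduli.
keystore_matches_key() {
    cert_mod=$(openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -modulus)
    key_mod=$(openssl rsa -in "$3" -noout -modulus 2>/dev/null)
    if [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Print the alias (friendlyName) of the entry in KeyStore $1 with password $2;
# this is the <Alias_Name> you enter in the JWT Account.
keystore_alias() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

work=$(mktemp -d)
build_keystore "$work" 4m5tzcag export-password
echo "key size:     $(key_bits "$work/box-private.key") bit"
echo "alias:        $(keystore_alias "$work/box-keystore.p12" export-password)"
echo "keystore/key: $(keystore_matches_key "$work/box-keystore.p12" export-password "$work/box-private.key")"
```

The modulus comparison is the check that catches the most common mistake in this procedure: bundling a certificate that was issued for a different key, which produces a KeyStore that exports cleanly but whose signatures Box will reject.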


Create the JWT

Now that you have generated the KeyStore file, you can create the JWT for use in your SnapLogic Pipelines by doing the following:

  1. Make the KeyStore file available to SnapLogic by one of the following three methods:

    • Upload the box-keystore.p12 file to the SnapLogic file system in Manager.

    • Download the box-keystore.p12 file to the machine hosting the JCC Nodes in the Groundplex.

    • Store the box-keystore.p12 file in a web location that can be accessed by SnapLogic.

  2. Create a JWT Account as described in Configuring JWT Accounts. You must specify the KeyStore passphrase that you used when generating the box-keystore.p12 KeyStore file.

You can now proceed to the second part of this tutorial, where we describe how to generate the JWT Token using the JWT Generate Snap in a Pipeline.


How to Generate the Token for a Box Account

This tutorial focuses on creating the Pipeline Pattern used to generate the token for the Box Account that accesses the Box application. We assume that you have completed the tasks outlined in How to Create a KeyStore File (PKCS12 Format).

The following Pipeline demonstrates how to use the JWT Snap Pack to generate the token to access a Box.com account. In this scenario, we focus only on the first branch of the Pipeline, which contains four Snaps:

Info: After you download the sample pipeline, ensure that you add a valid clientID, clientSecret, publicKeyID, privateKey, and passphrase to run the pipeline successfully.

When we configure the JWT Generate Snap with a JWT account as follows, the JWT Generate Snap signs the JWT claims payload as expected by the Box application.

In the JSON Generator Snap, we create the config.json file that contains the Public and Private Keys.


In the Mapper Snap, we configure the JWT authentication settings for the Box account. The Mapping Table displays how the JWT keys are mapped for the JWT Generate Snap.


In the JWT Generate Snap, tokens are generated for the keys specified in the Mapper Snap. The JWT Generate Snap has explicit Audience and Subject fields.


The JWT Validate Snap authenticates the keys from the JWT Generate Snap.


To validate the signature at jwt.io, extract the Public Key from the Private Key by running the following command and paste the contents of box-public.pem into the Verify Signature field:

openssl pkey -in box-private.pem -out box-public.pem -pubout


The following image is an example reference of a verified signature:


Once you complete both parts of this tutorial, you can use this authentication method inside the Pipeline that delivers its payload to the Box application. The token generated by the JWT Generate Snap can be decoded at jwt.io by pasting the Public Key obtained above into the Verify Signature section (top box).

 


Attachments
patterns*.slp