Question
CIBC
CA
Last activity: 7 Sep 2021 5:11 EDT
Must the Keystore rules for pxProcessJWT and pxGenerateJWT be the same?
Hi Team,
I am learning how Pega processes JWT tokens. In my test app, I have only 1 keystore.jks. I created 2 keystore instances (Keystore_A and Keystore_B) which use the same keystore.jks. I created 2 Token Profiles: A with Generation Type and B with Processing Type. TokenProfile_A uses Keystore_A, TokenProfile_B uses Keystore_B. So technically, both of them use the same keystore.jks.
Then the tokens generated by TokenProfile_A are not processed by TokenProfile_B. Logs:
2021-09-06 18:11:00,734 [http-nio-8080-exec-2] [ STANDARD] [ ] [ TestApp:01.01.01] (ta_Admin_Security_Token.Action) ERROR localhost| Proprietary information hidden diepd - Unable to process the Json Web Token
com.pega.pegarules.pub.PRRuntimeException: Unable to retrieve JWK public key
    at com.pega.platform.securitycore.internal.jwt.JWTSignatureVerifier.getJWSKeySelectorFromPubKey(JWTSignatureVerifier.java:280) ~[security-core.jar:?]
    at com.pega.platform.securitycore.internal.jwt.JWTSignatureVerifier.getJWSKeySelector(JWTSignatureVerifier.java:211) ~[security-core.jar:?]
    at com.pega.platform.securitycore.internal.jwt.JWTSignatureVerifier.validateSignature(JWTSignatureVerifier.java:191) ~[security-core.jar:?]
    at com.pega.platform.securitycore.internal.jwt.JWTProcessorImpl.processGeneratedJsonWebToken(JWTProcessorImpl.java:172) ~[security-core.jar:?]
    at com.pega.pegarules.integration.engine.internal.security.jwt.JWTUtilsImpl.processJSONWebToken(JWTUtilsImpl.java:244) ~[printegrint.jar:?]
    at com.pegarules.generated.activity.ra_action_pxprocessjwt_99e447b231b02066bcf63faa704cca68.step3_circum0(ra_action_pxprocessjwt_99e447b231b02066bcf63faa704cca68.java:378) ~[?:?]
    at com.pegarules.generated.activity.ra_action_pxprocessjwt_99e447b231b02066bcf63faa704cca68.perform(ra_action_pxprocessjwt_99e447b231b02066bcf63faa704cca68.java:114) ~[?:?]
Then I changed TokenProfile_A and TokenProfile_B to use the same Keystore_A. Everything works fine. In another test, I changed both token profiles to use Keystore_B; they still work fine.
The error only happens when TokenProfile_A and TokenProfile_B use different Keystore instances. It does not make any sense to me because both Keystore_A and Keystore_B use the same keystore.jks.
Could someone let me know what I am missing here? Is it a Pega bug?
PS: I attached my keystore in case someone wants to take a look. The password is "dattest".
Best,
Dat
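The failure above is reported at the key-selection step ("Unable to retrieve JWK public key"), i.e. before any signature is compared: the processing side could not find a verification key for the token it was handed. The following is an added illustration of that mechanism, not Pega's code and not a diagnosis of this particular configuration. It models a generation profile and a processing profile as two key maps that each resolve keys by the token's `kid` header, and uses HS256 with the standard library so it runs offline; Pega's profiles use asymmetric keys from a JKS and JWK public keys, which this does not reproduce. All key material, aliases and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyNotFound(Exception):
    """The processing side has no key matching the token's kid header."""


# Constructed stand-ins for two keystore instances. Both hold the same
# secret bytes, but expose them under different aliases (kid values).
KEYSTORE_A = {"signing-key": b"constructed-secret-material"}
KEYSTORE_B = {"other-alias": b"constructed-secret-material"}


def generate_jwt(claims: dict, keystore: dict, kid: str) -> str:
    """Generation profile: sign claims with the key stored under `kid`
    and record that kid in the protected header."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(keystore[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def process_jwt(token: str, keystore: dict) -> dict:
    """Processing profile: resolve the key named by kid, then verify.
    Key lookup happens first, so a missing kid fails before any
    signature check, mirroring the 'unable to retrieve key' class of error."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated parts")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    kid = header.get("kid")
    if kid not in keystore:
        raise KeyNotFound(f"Unable to retrieve key for kid={kid!r}")
    expected = hmac.new(
        keystore[kid], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    """Run the three cases a practitioner would check: same keystore on
    both sides, a keystore that lacks the token's kid, and a token whose
    payload was altered after signing."""
    token = generate_jwt({"sub": "dat", "iss": "TestApp"}, KEYSTORE_A, "signing-key")
    results = {"same_keystore": process_jwt(token, KEYSTORE_A)["sub"]}

    try:
        process_jwt(token, KEYSTORE_B)
        results["different_alias"] = "accepted"
    except KeyNotFound as exc:
        results["different_alias"] = str(exc)

    header_b64, _, sig_b64 = token.split(".")
    forged_payload = b64url_encode(json.dumps({"sub": "someone-else"}).encode())
    try:
        process_jwt(f"{header_b64}.{forged_payload}.{sig_b64}", KEYSTORE_A)
        results["tampered_payload"] = "accepted"
    except ValueError as exc:
        results["tampered_payload"] = str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the second case is that identical key material is not enough: the processing side has to be able to locate the key under the identifier the generation side wrote into the token. When comparing two keystore instances that reference the same JKS file, the aliases each instance exposes and the alias each token profile is configured to use are the first things worth checking.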