Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Dat Thanh Diep (DatThanhDiep)
CIBC

CIBC
CA
DatThanhDiep Member since 2016 19 posts
CIBC
Posted: Sep 6, 2021
Last activity: Sep 7, 2021
Posted: 6 Sep 2021 18:51 EDT
Last activity: 7 Sep 2021 5:11 EDT
Closed

Are Keystore rules for pxProcessJWT and pxGenerateJWT must be the same?

Hi Team,

I am learning how Pega process JWT token. In my test app, I have only 1 keystore.jks. I create 2 keystore instances (Keystore_A and Keystore_B) which use the same keystore.jks. I create 2 Token Profile: A with Generation Type and B with Processing Type. TokenProfile_A uses Keystore_A, TokenProfile_B uses Keystore_B. So technically, both of them use the same keystore.jks.

Then the token generated by TokenProfile_A are not processed by TokenProfile_B. Logs:

Show More

Hi Team,

I am learning how Pega process JWT token. In my test app, I have only 1 keystore.jks. I create 2 keystore instances (Keystore_A and Keystore_B) which use the same keystore.jks. I create 2 Token Profile: A with Generation Type and B with Processing Type. TokenProfile_A uses Keystore_A, TokenProfile_B uses Keystore_B. So technically, both of them use the same keystore.jks.

Then the token generated by TokenProfile_A are not processed by TokenProfile_B. Logs:

2021-09-06 18:11:00,734 [http-nio-8080-exec-2] [  STANDARD] [                    ] [    TestApp:01.01.01] (ta_Admin_Security_Token.Action) ERROR localhost| Proprietary information hidden diepd - Unable to process the Json Web Token 
com.pega.pegarules.pub.PRRuntimeException: Unable to retrieve JWK public key 
	at com.pega.platform.securitycore.internal.jwt.JWTSignatureVerifier.getJWSKeySelectorFromPubKey(JWTSignatureVerifier.java:280) ~[security-core.jar:?] 
	at com.pega.platform.securitycore.internal.jwt.JWTSignatureVerifier.getJWSKeySelector(JWTSignatureVerifier.java:211) ~[security-core.jar:?] 
	at com.pega.platform.securitycore.internal.jwt.JWTSignatureVerifier.validateSignature(JWTSignatureVerifier.java:191) ~[security-core.jar:?] 
	at com.pega.platform.securitycore.internal.jwt.JWTProcessorImpl.processGeneratedJsonWebToken(JWTProcessorImpl.java:172) ~[security-core.jar:?] 
	at com.pega.pegarules.integration.engine.internal.security.jwt.JWTUtilsImpl.processJSONWebToken(JWTUtilsImpl.java:244) ~[printegrint.jar:?] 
	at com.pegarules.generated.activity.ra_action_pxprocessjwt_99e447b231b02066bcf63faa704cca68.step3_circum0(ra_action_pxprocessjwt_99e447b231b02066bcf63faa704cca68.java:378) ~[?:?] 
	at com.pegarules.generated.activity.ra_action_pxprocessjwt_99e447b231b02066bcf63faa704cca68.perform(ra_action_pxprocessjwt_99e447b231b02066bcf63faa704cca68.java:114) ~[?:?] 

Then I change the TokenProfile_A and TokenProfile_B to use the same Keystore_A. Everything works fine. I do another test, I change both token profile to use Keystore_B, they still work fine.

The error only happens why TokenProfile_A and TokenProfile_B use different Keystore instances. It does not make any sense to me because both Keystore_A and Keystore_B use the same keystore.jks.

Could someone let me know what I am missing here? Is it a Pega bug?

ps: I attached my keystore in case someone want to take a look. pass is "dattest"

Best,

Dat

 

Show Less
***Edited by Moderator: Pooja Gadige to add platform capability tag***
To see attachments, please log in.
Pega Platform 8.5.1
Security

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice