Change the JWT Signing Key

Important: After changing the password for the idmTransportUser, you should also change the JWT signing key. To accomplish this, you must update all of the following four properties with identical encrypted values.

JWT Signing Key - Update Locations

  1. The AUTHENTICATION.secretKey JSON property in the
    /opt/hp/propel/sx/WEB-INF/classes/config/infrastructure.json file.
  2. The security.encryptedSigningKey property in the
    /opt/hp/propel/sx/WEB-INF/sx.properties file.
  3. The idm.encryptedSigningKey property in the
    /opt/hp/propel/idm-service/idm-service.war/WEB-INF/spring/applicationContext.properties file.
  4. The securityEncryptedSigningKey property in the
    /opt/hp/propel/jboss-as/standalone/deployments/consumption.war/WEB-INF/classes/csa.properties file.

The first two locations (items 1 and 2) are under the sx.war directory; their values are encrypted automatically, provided both properties are given an unencrypted value. For the last two locations (items 3 and 4) you must encrypt the value manually (see Encrypt a Password - Service Portal User Accounts for instructions on how to encrypt these values).
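After editing the four files, the practical check is to read the four properties back and confirm they hold the identical encrypted string. The following is an added example, not part of the guide or the product: the paths and property names are the ones listed above, while the parsers, the function names and the sample file contents (including the ENC(...) placeholder ciphertexts) are constructed for illustration.

```python
import json
import re

# The four locations the guide lists: file path -> (format, property holding the key).
LOCATIONS = {
    "/opt/hp/propel/sx/WEB-INF/classes/config/infrastructure.json": ("json", "AUTHENTICATION.secretKey"),
    "/opt/hp/propel/sx/WEB-INF/sx.properties": ("properties", "security.encryptedSigningKey"),
    "/opt/hp/propel/idm-service/idm-service.war/WEB-INF/spring/applicationContext.properties": ("properties", "idm.encryptedSigningKey"),
    "/opt/hp/propel/jboss-as/standalone/deployments/consumption.war/WEB-INF/classes/csa.properties": ("properties", "securityEncryptedSigningKey"),
}

def read_property(text, key):
    """Value of `key` in Java .properties text (key=value or key: value); None if absent."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m and m.group(1) == key:
            return m.group(2).strip()
    return None

def read_json_path(text, dotted):
    """Value at a dotted JSON path such as AUTHENTICATION.secretKey; None if absent."""
    node = json.loads(text)
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def collect_keys(contents):
    """contents maps path -> file text. Returns path -> stored key value (None if missing)."""
    readers = {"json": read_json_path, "properties": read_property}
    return {p: readers[kind](contents[p], key) if p in contents else None
            for p, (kind, key) in LOCATIONS.items()}

def signing_keys_consistent(contents):
    """True only when all four locations hold the same non-empty value."""
    values = set(collect_keys(contents).values())
    return len(values) == 1 and not values & {None, ""}

# Constructed sample contents (ciphertexts are placeholders, not real Propel values):
# csa.properties still carries the old key, so the check must report a mismatch.
NEW, OLD = "ENC(new-key-ciphertext)", "ENC(old-key-ciphertext)"
PATHS = list(LOCATIONS)
SAMPLE = {
    PATHS[0]: json.dumps({"AUTHENTICATION": {"secretKey": NEW}}),
    PATHS[1]: "# sx.properties\nsecurity.encryptedSigningKey=" + NEW,
    PATHS[2]: "idm.encryptedSigningKey = " + NEW,
    PATHS[3]: "securityEncryptedSigningKey=" + OLD,
}
```

On the Service Portal host, build `contents` with `{p: open(p).read() for p in LOCATIONS}` instead of SAMPLE; the check only compares the stored strings and never decrypts them.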

Note: It is highly recommended that the signing key assigned by the Service Portal Administrator is strong and long enough to withstand brute-force attacks. Any user with an IDM token (even an expired one) and knowledge of the authentication method can use it to brute-force the secret signing key without any rate limits. For example, a strong, long key is composed of 25 characters (including letters, digits, and some symbols) and contains no dictionary words.

After making these changes, you must restart Service Portal for them to take effect. (See Restart Service Portal for instructions.)

Restart Service Portal

To restart services on the Service Portal host, do the following:

  1. Log in to the Service Portal host as root, and navigate to the $PROPEL_HOME/bin directory.
  2. Run the following commands:

    # propel stop

    # propel start