This document discusses securing microservices with JSON Web Tokens (JWT) using IBM Datapower. It provides an overview of the deployment topology used, including Datapower, Docker containers for MQ Server and Datapower, and SOAPUI for testing. It then describes setting up Datapower policies for creating and validating JWTs with signing and encryption. Testing is done by sending requests to Datapower to generate and validate tokens.

1. An Architects Hands-on Experience in
Securing Microservices with JSON Web
Token using IBM Datapower
Sandip Gupta
Senior Client Architect
Cloud & Cognitive BU, IBM India
5th April 2020

2. Laptop
Deployment Topology
2
Datapower Container
Multiprotocol Gateway
Front Side
Handler
(Client)
Policy
(Client-to-Server
Backend
(Server)
https://mqserver:8000/crt/test
https://mqserver:9090/dp/login
Host: mqserver
Client Key
Client Certificate
Server Key
Server Certificate
Physical Layout of the components used and their interactions
https://mqserver:8000/vrf/test
Create JWT Token
Verify JWT Token
SoapUI

3. 3
Setup Details

4. 4
Topology Setup – Commands used
Component Versions Commands – First time Commands - Repeated
Operating
System
Macos Mojave
10.14.5
Add an entry in /etc/hosts
<laptop_ip> mqserver
#mkdir $HOME/mq
#mkdir $HOME/dp
IP Address of the laptop
#ifconfig | grep inet4
#ping mqserver
Laptop’s IP address needs to be used
instead of localhost or 127.0.0.1
between DP & MQ containers
Docker
Community
Edition
Docker CE
2.1.0.2
Kitematic 0.17.9
#docker ps
#docker images
# Start Docker Engine
Openssl 2.6.5 #mkdir $HOME/mq/certs
#cd $HOME/mq/certs
#openssl genrsa -out server.key 2048
#openssl req -new -x509 -key server.key -out
server.cert –days 365
#openssl genrsa -out client.key 2048
#openssl req -new -x509 -key client.key -out
client.cert –days 365
<Server Key>
Private key and Public Cert of
Datapower Server
<Client Key>
Private key and Public Cert of MQ
Server
SOAP UI 5.5.0

5. 5
Topology Setup – Contd…
Component Versions Commands – First time Commands - Repeated
Datapower
Developer
Edition
2018.1.10 #docker pull ibmcom/datapower:latest
#cd $HOME/dp
#git clone https://github.com/ibm-
datapower/datapower-tutorials.git
#cd $HOME/dp/datapower-tutorials/getting-
started
# docker run -it
-v $PWD/config:/drouter/config
-v $PWD/local:/drouter/local
-e DATAPOWER_ACCEPT_LICENSE=true
-e DATAPOWER_INTERACTIVE=true
-p 9090:9090
-p 9022:22
-p 5554:5554
-p 8000-8010:8000-8010
--name idg
ibmcom/datapower
configure; web-mgmt 0 9090 9090;
Exit the container
Start IDG container using Kitematic
#docker run –it idg
#docker ps
#docker inspect <dp_container> | grep
IPAddress
<WebConsole>
URL: https://mqserver:9090/dp/login
User: admin:admin

6. 6
JWT Structure

7. 7
IBM Datapower

8. 8
Crypto in Datapower
Two Keys – One named as Client Key & another one as Server Key. Each has their own public certificates.
Client Key & Certificate Server Key & Certificate

9. 9
Multi-Protocol Gateway Services in Datapower
Created two multi-protocol gateway services
rest_mpgw: Multi-protocol gateway service to secure microservice using JWT
token with digital signing and/or encryption

10. 10
Multi-protocol Security Policy in Datapower - 1

11. 11
Multi-protocol Security Policy in Datapower - 2

12. 12
Front Side Handler in Datapower
Acts as a Client to Datapower which is always the server!!

13. 13
JSON Web Token
using IBM Datapower

14. 14
JWT Create Policy in Datapower

15. 15
Matching Rules in Datapower

16. 16
Result Rule in Datapower

17. 17
JWT Create AAA Policy in Datapower - 1

18. 18
JWT Create AAA Policy in Datapower - 2
Select JSON Web Token policy

19. 19
JWT with Signing Policy in Datapower
Server Private Key used for Signing
Encryption Algorithms
Additional Claims
Issuer & Expiry

20. 20
JWT with Encryption Policy in Datapower
Encryption Algorithms
Issuer & Expiry
Server Private Key used for Signing
Client Public Certificate used for Encryption

21. 21
JWT Validate Policy in Datapower

22. 22
JWT Validate AAA Policy in Datapower - 1
Select the JWT validation policy

23. 23
JWT Validate AAA Policy in Datapower - 2

24. 24
JWT with Signing Validation Policy in Datapower
Server Certificate used for Sign Validation
Issuer

25. 25
JWT with Encryption Validation Policy in Datapower
Issuer
Server Certificate used for Sign Verification
Client Public Key used for Decryption

26. 26
Testing of the Policy

27. 27
Base64 Encoding of User:Password for Basic HTTP Authentication
dG9ueWY6dG9ueWY=
User present in AAAInfo.xml
tonyf:tonyf

28. 28
First Request sent to Datapower to generate the token after user
authentication
JWT returned in Authorization header
Base64 of Password
(User is in AAA file)
eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJpZGciLCJzdWIiOiJ0b255ZiIsImV4cCI6MTU
4NDg5MzI5OX0.ih6we3urbUDNo6Mkq1UBujUWXYK_ZInaEfH6ht_P3pT0LHjNa
ah6cUWBheWeARJ9ltHYW5HcYh8GzkQA5hL6cl_goXjnNlIWokfJAAYszJVGnmX
MrO0BHIFp2CaDdIFOf24ssdvigY51R9rhBOBTJNcsKlOhlZ_RUcohPCTYtCvFCza
gnMCc0rSTWUspEWtEt6UUzslnbO_dzdfut5NGh9nxYCd6E6CssdEb3sCJMXh38
D4xHEZD5bzA3guEjl9xXYSntF9jdtf4t81HoCWF9hQrESPzmpAWuCh4OpKD_Fqq
LmLbrfppex7fEPpUOja-ss3EdeLjA747MTTELKEwaw

29. 29
JWT Validation in Datapower
Testing of the sample token in jwt.io external website

30. 30
Request sent to Datapower for Validation of the Generated Token
JWT Sent in Authorization Header

31. 31
First Request sent to Datapower to generate encrypted JWT Token
JWT with Encryption returned in Authorization header
Base64 of Password
(User is in AAA file)
eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBMV81IiwiY3R5IjoiSldUIn0.BaoEctr
BCPrwA5eHppZMN8-X0eP2m2KTsTin-SVPEaJko8upuBRBReFyjOJ9vdb-
uLmDdQWzdqEoa-6rV1N-AIbFn-
fubQnmJQAqSWrF9QvaARN1OatJhYOpo_NHBKzUa0VYeJ1IsBBP3wo5r7x2SaYb3kBDYi
RqzUzmVAThmuTcyRoASzmyjXw35IqHxqBMcUWrPALIgCySQdkTASK0iCMAXNdiBwm0j
2b1WlU7_UxjTqaYW85XpK0RY0aQ8IxZKe_0R5qt8kij3ghXVtEOQOxNRVOz4gXYdcTb60
9265tgFEssLc8TIwc70JIu9THLR38hz10CR7XGXVQrfLmZzw.nRAF3ZAHdUqM1Mq3CXx
3yA.1nl86tTcvk8sHWIyXzHhnVLC_4Uj4cUJTQHqun9mx-
rXP1h7v5Q8CkthT8Hly1eVEROtTJ4MnQWjYM8uQsZ6R5PJT4TBIWnh9DXWwWGizqJ9U
n6rK2ynOMzigMVIjpRkAvnfZ42EiOZaKoZ5OlsyHKoFuJqJqydcCDMsvmsK3Rf7T-
cChfSxnmuuBLff5X_3_0nVAAIUIhh2idfScM410JDJIel6ELChBzmpeYxQfRrczlbKk2-
RVS4ubQ8t-
HG8WnF4xadgmGmAssDb4TOdXm4G2l3r91aybhg7OlMeiWpuc2Ygkz0Nx4K6WDMnArQ
GoVQnXqbLtwBX0Xs6cNoAlVUagKTWHaN8Api1AFjN7MfJ-
_4kzgq28jT4upUTg00U9i5hqtf1sfLnI52R2P-v7POY2amNoDmzZYS-
TA0gEelX1ywpFdeErKIMxtIf3sAocekMyblkY0z5l6WXhUFXR_zWfZPjKAvjwloaeCXrsBli9
WmP3onFhtvIacqy0qic50QkLJlEsYQbhqrOchnmFUht4_Gvi74yjD9Ov6YMBZT6Gt0AfHZ
DkcKKdGzznbyD.NK-7Cz2YCIIcStUfc5SpVw

32. 32
References
• Datapower Hello-World: https://developer.ibm.com/datapower/config/
• MQ: https://hub.docker.com/r/ibmcom/mq/
• MQ: https://github.com/ibm-messaging/mq-container
• MQ Admin Tool: https://sourceforge.net/projects/mqadmintool/
• ACE: https://github.com/ot4i/ace-docker
• JWT with X5C: https://github.com/pglezen/dpx5cjwt
• OAuth on DP: https://www.ibm.com/developerworks/websphere/library/techarticles/1208_rasmussen/1208_rasmussen.html
• OAuth on DP Git: https://github.com/pglezen/dp-article-oauth-clients
• SSKEY: http://rcbj.net/blog01/2012/03/17/generating-and-uploading-a-shared-key-symmetric-key-to-datapower-appliances/
• JOSE: https://jose.readthedocs.io/en/latest/
• Base64: https://www.base64encode.org/