Access Manager Console returns JSON Web Key set defined is invalid while trying to save a JWK

  • 7025244
  • 13-Aug-2021
  • 13-Aug-2021

Environment

  • Access Manager 4.5.x
  • Access Manager 5.0.x

Situation

  • Trying to store a JSON Web Key from within iManager => Identity Servers => OAuth & OpenID Connect => Resource Servers => Access Token Encryption => Encrypt using Resource Server Key fails with the error "JSON Web Key set defined is invalid"

Resolution

  • Use a JSON Web Key Set (JWKS), not a single JSON Web Key (JWK): the key object must be wrapped in a {"keys": [ ... ]} set
  • An online tool that generates such a key set (as an example) is available at: https://mkjwk.org/

Additional Information

  • Access Manager requires a "JSON Web Key Set" (RFC 7517 section 5): a JSON object whose "keys" member is an array of JWKs, not a single JWK. The "keys" array is required even when the set holds only one key.
  • As defined by RFC 7517, JSON Web Key (JWK), Abstract:

    A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.

  • Example:

    {
        "keys": [
            {
                "p": "9EA3slYhY88NL3P-Vc1dHQRqwNsBmEZQIEG3v7UYXPJ5ZNgVwhwxpDfdHj-EXF37qvsGbUtE7d8haKcxd0qmrB6CebApjRCWgYLf2-b5xQo7bf1l_vmhKcsZ8U6F6MXJTmxKwM2Fd6ywEKsUEtXEXPsPDOUd-IWpqW6Hy1OHGbU",
                "kty": "RSA",
                "q": "x__OGqo6mLTiv2coIcRKlVYgs7L5JkSZIwg_CXGbx7yiqcTHFQkey0MBzB_WxThOxnjU9oIhYnjmZYwoIPQDslt_Xs4QDXRyJLjeGLqrTD1Vjn8kP9xc-hZCKo9RN1LgsPqnxGL-dgrFrTgVwKT_xbV_ZzPsjM3FqxkRL98G5kc",
                "d": "rl0YT3ngCsztuMhjF2C10V8LwSjtDNwS-qDRH0F0-1j39FH0ll96ewIq0_wIRHkGr51t4ADPDDdV2XbK4RgjKi40iIujUKBNJFlbL7LtBpy50elxaY7Se5NwTK7gHxIUHTeQq_SuZ_qI8jdQD137WfqewOJseJMogfcCxKTWv_us7o_i57rmVHH6ascnG7KvyWWZ8sP31XG-UF67hILf0-6rIGn77ERRhuGKNsfUI3OORp4Z-UHHPrFnc_Q2Vs4craX2wVrI1jJiD0LwQWR7V6vc5k-LO5ndn393oqw1CnYGonbYdEXNA8aiWL_XghRQmObP5D9OS7p3uHnfcSH-2Q",
                "e": "AQAB",
                "use": "enc",
                "kid": "enc-1628843924",
                "qi": "5zokSNSYbac4NpjzPJBWxIZXWeO9DI3AoEhjpZgzMT5VaLz8WxWAKtBuT77n7GFFbICtMzMzztH6jeva_uwTe6qJemvmOhvmee6tdeT3Cxlbc2GVCjldVq2RLQfV9nQi2VHHU2e9dpaH2Q24PEqtUU3YySIA59LhVuGNU5dDkss",
                "dp": "Rv53ce2ZDPK8yWM0tOnZO7rx8JZ3szQUzBtt9loD99g-srIgOOiLAUl_ivA5X8Oth_go2RG8uktV4Z5fQWZAZd0EXax3l1oP9Rr-SGOti7k6pvC1edRDJOu04a_KOmtq5NGTNNFIDw3xqxae4g6iYchTipL6ECeBtg67h70CktU",
                "alg": "RSA1_5",
                "dq": "FlqMEcTnCbxl_5irDqMe5vQacZtWZ6WRLC42xXpyO-_kim8ZBUvgqj1SDRud6KszetF0lBzVWGlE7yKsNYqwgxXg9Zq4hph2TY5wHHl4veu5DVU-mvipV7Z3LMSaAkH8JSvO5o9d-5mWoJa9L6wBfnqbw9A050P0jPwfRKd74O8",
                "n": "vtH76DlZdn--XND0YlrqDre_Man5PquD52A9Jd1q2oN3UAVOATkPabc9vhF32Q2Rr4oAzR6IATloSeOxfvjS2JQtohCg7Ijwm-gB624K0my2J45wkeS3z-hRFgiLa4jzQO3yYNTUaX2PlTtxb7KwHZLHy9oLh3-n_nWAfx2VbmgoB2SPMIcRlVdtQzuTai4c-kScCNWV4_WAMGaJ5anSKmLH1qjD-EViUqLVMAmpGwlmZx2AyqzusfwgjqsJTD14E-RgY1Er9XjbYq1sMkd_i8OaYiqA9K6wRcW6d__qNL7y_FsTD08vxASZe_pE9awBvodIn2wTT69QXrg50M6_Mw"
            }
        ]
    }

  • Note: using a Resource Server Encryption key allows the client application to decrypt the JWT itself, without needing to call the TokenInfo endpoint
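The following is an added pre-check script, not Access Manager code and not from the article's author: before pasting into the console field, it classifies the JSON as a JWK Set, a bare JWK or invalid, checks the members RFC 7517/7518 require for each key type, and wraps a bare JWK into the {"keys": [...]} set the console expects. Only the public members of the page's sample key are reproduced (the identity server needs only the public key to encrypt; the private members d, p, q, dp, dq, qi belong on the resource server that decrypts, and a published sample key must never be used in a real deployment). The 2048-bit minimum and the advisory on alg RSA1_5 (RSAES-PKCS1-v1_5, listed only as Recommended- in RFC 7518 and subject to padding-oracle attacks; RSA-OAEP is preferred where the resource server supports it) are this script's own review policy, not checks the console is documented to perform.

```python
"""Pre-check for the "JSON Web Key set defined is invalid" error.

Added example (not Access Manager code): classify pasted JSON as a JWK Set,
a bare JWK or invalid; validate per-key required members; wrap a bare JWK
into the {"keys": [...]} set the console expects. Standard library only.
"""
import base64
import json

# Public members of the page's sample key. Private members (d, p, q, dp, dq,
# qi) are deliberately omitted; the IDP only needs the public key to encrypt.
PAGE_SAMPLE_PUBLIC_JWK = {
    "kty": "RSA",
    "use": "enc",
    "kid": "enc-1628843924",
    "alg": "RSA1_5",
    "e": "AQAB",
    "n": "vtH76DlZdn--XND0YlrqDre_Man5PquD52A9Jd1q2oN3UAVOATkPabc9vhF32Q2Rr4oAzR6IATloSeOxfvjS2JQtohCg7Ijwm-gB624K0my2J45wkeS3z-hRFgiLa4jzQO3yYNTUaX2PlTtxb7KwHZLHy9oLh3-n_nWAfx2VbmgoB2SPMIcRlVdtQzuTai4c-kScCNWV4_WAMGaJ5anSKmLH1qjD-EViUqLVMAmpGwlmZx2AyqzusfwgjqsJTD14E-RgY1Er9XjbYq1sMkd_i8OaYiqA9K6wRcW6d__qNL7y_FsTD08vxASZe_pE9awBvodIn2wTT69QXrg50M6_Mw",
}

# What a user typically pastes into the console: the bare JWK, not a set.
PASTED_TEXT = json.dumps(PAGE_SAMPLE_PUBLIC_JWK)

# Required members per key type (RFC 7518 section 6).
REQUIRED_MEMBERS = {"RSA": ("n", "e"), "EC": ("crv", "x", "y"), "oct": ("k",)}


def b64url_to_int(s: str) -> int:
    """Decode an unpadded base64url (RFC 7515 appendix C) big-endian integer."""
    if not s:
        raise ValueError("empty value")
    padded = s + "=" * (-len(s) % 4)
    raw = base64.urlsafe_b64decode(padded)  # raises binascii.Error (a ValueError)
    return int.from_bytes(raw, "big")


def validate_jwk(jwk: dict) -> list:
    """Return the reasons a single JWK is unusable; [] means it looks well-formed."""
    errors = []
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        return [f"unsupported or missing kty: {kty!r}"]
    for member in REQUIRED_MEMBERS[kty]:
        if member not in jwk:
            errors.append(f"{kty} key is missing required member {member!r}")
    if kty == "RSA" and not errors:
        try:
            n = b64url_to_int(jwk["n"])
            e = b64url_to_int(jwk["e"])
        except ValueError as exc:
            return [f"n/e are not valid base64url: {exc}"]
        if n.bit_length() < 2048:  # policy of this script, not of the console
            errors.append(f"RSA modulus is only {n.bit_length()} bits")
        if e < 3 or e % 2 == 0:
            errors.append("RSA public exponent must be an odd integer > 1")
    return errors


def advisories(jwk: dict) -> list:
    """Non-fatal warnings a reviewer would raise about an otherwise valid key."""
    notes = []
    if jwk.get("alg") == "RSA1_5":
        notes.append("alg RSA1_5 (RSAES-PKCS1-v1_5) is only Recommended- in RFC 7518 "
                     "and is exposed to padding-oracle attacks; prefer RSA-OAEP")
    if any(m in jwk for m in ("d", "p", "q", "dp", "dq", "qi")):
        notes.append("private members present: share only with the party that decrypts")
    return notes


def classify(text: str) -> str:
    """'jwks', 'jwk' or 'invalid' for the raw text pasted into the console field."""
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        return "invalid"
    if not isinstance(obj, dict):
        return "invalid"
    if isinstance(obj.get("keys"), list):
        return "jwks"
    if "kty" in obj:
        return "jwk"
    return "invalid"


def to_jwks(text: str) -> dict:
    """Wrap a bare JWK into a JWK Set (a set passes through unchanged).
    Raises ValueError with the first structural problem found."""
    kind = classify(text)
    if kind == "invalid":
        raise ValueError("not a JWK or JWK Set")
    obj = json.loads(text)
    keys = obj["keys"] if kind == "jwks" else [obj]
    for key in keys:
        if not isinstance(key, dict):
            raise ValueError("every entry of 'keys' must be a JSON object")
        errors = validate_jwk(key)
        if errors:
            raise ValueError("; ".join(errors))
    return {"keys": keys}


if __name__ == "__main__":
    print("pasted object is a:", classify(PASTED_TEXT))  # "jwk": the console rejects this
    print("paste this instead:")
    print(json.dumps(to_jwks(PASTED_TEXT), indent=2))
    for note in advisories(PAGE_SAMPLE_PUBLIC_JWK):
        print("warning:", note)
```

Run it as-is to see the bare key rewrapped; to check your own key, replace PASTED_TEXT with the exact text you intend to paste and look at what classify and to_jwks say about it before touching the console.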