
ECDSA algorithm for JWT validation and creation in Policy Server


Article ID: 134038


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER

Issue/Introduction

 

How can CA SiteMinder be made to sign JWT tokens with the ECDSA algorithm, given that the CA API Gateway only uses the ECDSA algorithm for signatures? Is this possible?

 

Resolution

 

At first glance, in the latest version, SiteMinder 12.8SP6a, ECDSA is not implemented for cookie and token encryption (1). The JWT signature algorithm must be one of RS256, RS384, or RS512 (2).

Further, as a prerequisite for the JWT authentication scheme, ensure that the JWT is RSA-based (3).
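As an added illustration (not code from this article, from CA/Broadcom, or from the Policy Server), the following stdlib-only Python pre-check parses a compact JWS header and applies the constraint described above: RS256/RS384/RS512 tokens pass to signature verification, while an ES256 token such as the API Gateway would issue is rejected up front. The make_unsigned_sample helper and its dummy signature bytes are constructed for demonstration only.

```python
import base64
import json
from typing import Tuple

# Signature algorithms the Policy Server accepts for JWT validation (RS256/RS384/RS512).
ALLOWED_ALGS = {"RS256", "RS384", "RS512"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_jwt_alg(token: str) -> Tuple[bool, str]:
    """Report whether a compact JWS uses an algorithm the Policy Server can validate.

    Returns (accepted, reason). No signature is verified here; this is the
    policy check that precedes cryptographic verification against the CDS certificate.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS (expected header.payload.signature)"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return False, "header is not valid base64url/JSON"
    if not isinstance(header, dict):
        return False, "header is not a JSON object"
    alg = header.get("alg")
    if not isinstance(alg, str):
        return False, "header has no string alg"
    if alg in ALLOWED_ALGS:
        return True, f"{alg} is RSA-based and supported"
    if alg.startswith("ES"):
        return False, f"{alg} is ECDSA, which the Policy Server does not support for JWT signatures"
    return False, f"{alg} is not one of {sorted(ALLOWED_ALGS)}"


def make_unsigned_sample(alg: str) -> str:
    """Build a constructed sample token with the given alg and a dummy signature."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": "user1"}).encode())
    return f"{header}.{payload}.{_b64url_encode(b'constructed-signature')}"
```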

 

Additional Information

 

(1)

    Encryption and Decryption Algorithms

(2)

    8. Provide the Certificate Alias List details to be used for JWT signature validation.

       JWTs can accept the following RSA-based algorithms for certificate validation:

         RS256 - RSA signature with SHA-256
         RS384 - RSA signature with SHA-384
         RS512 - RSA signature with SHA-512

(3)

    Configure JWT Authentication Scheme

      Import the User Public Certificate for JWS or import the private key for JWE into Policy Server Certificate Database (CDS) to validate a JWT for RSA algorithms.