oxAuth Key Rotation
Overview#
The role of the KeyRotation container is to regenerate oxauth-keys.jks
. After keys have been regenerated, these keys will be saved into the secrets backend. The oxAuth container runs a periodic task to pull new oxauth-keys.jks
(if any) from the secrets backend.
Deploying the container#
Below is an example of docker-compose.yml
to deploy the KeyRotation container:
services:
key-rotation:
image: gluufederation/key-rotation:3.1.6_03
environment:
- GLUU_CONFIG_CONSUL_HOST=consul
- GLUU_SECRET_VAULT_HOST=vault
- GLUU_LDAP_URL=ldap:1636
# when will next key rotation occurs (in hours)
- GLUU_KEY_ROTATION_INTERVAL=48
# checks if oxAuth keys need to be rotated (in seconds)
- GLUU_KEY_ROTATION_CHECK=3600
container_name: key-rotation
volumes:
- /path/to/vault_role_id.txt:/etc/certs/vault_role_id
- /path/to/vault_secret_id.txt:/etc/certs/vault_secret_id
restart: unless-stopped
labels:
- "SERVICE_IGNORE=yes"