Deployment checklist
These are the minimum required steps to set up a Connect2id server for use in production:
- Set the Java system property env to prod (-Denv=prod), which will trigger several extra configuration security checks when the server starts up.
- Generate an AES key to encrypt sensitive material in the Connect2id server key store (since v17.0). Deployments that choose to use the static key store mode must manually generate a new server JWK set with the provided tool.
- Set the URL which identifies the Connect2id server as an OpenID provider and OAuth 2.0 authorisation server.
- Set the URL of the login page for the Connect2id server.
- Set the URL of the logout page, if one is required.
- Generate master tokens for the Connect2id server web APIs and save their SHA-256 hashes in the configuration. Each token must consist of at least 32 random characters. On Linux you can generate a token with pwgen 32 and compute its hash with sha256sum.
  - Master token for the tenants endpoint (multitenant Connect2id server edition only).
  Script to generate a 32 character token and compute its SHA-256 hash in hex:

    #! /bin/sh
    # Generate one token of 32 random characters
    TOKEN=`pwgen 32 1`
    echo "Access token: $TOKEN"
    # Hash the token without a trailing newline; cut drops the " -" that sha256sum appends after the digest
    TOKEN_SHA256=`printf '%s' "$TOKEN" | sha256sum | cut -d' ' -f1`
    echo "Access token SHA-256: $TOKEN_SHA256"

- Set the maximum expected length of the local user IDs, required for the computation of pairwise subject IDs.
- Set up a database for the Connect2id server to persist its own data, such as client registrations and authorisations.
- Connect one or more OpenID claims sources, required for the UserInfo endpoint. The Connect2id server comes with ready connectors for sourcing user attributes from an LDAP directory, an HTTP endpoint (web hook) or the user session object. To use a different source create your own connector.
- Deploy to a DMZ if the client applications are going to access the Connect2id server from the Internet (recommended).
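The master token step above, as an added example that is not part of the Connect2id documentation or software: it generates a token from /dev/urandom (an assumed alternative for hosts without pwgen), enforces the 32 character minimum, produces the bare hex SHA-256 digest that goes into the configuration, and lets an operator confirm that a configured hash really matches the token that was handed out. It assumes GNU sha256sum is installed.

```shell
#!/bin/sh
# Added example (not Connect2id code). Assumes sha256sum from GNU coreutils.

# gen_token N: print N random alphanumeric characters read from
# /dev/urandom. Assumed replacement for "pwgen N 1".
gen_token() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# token_hash TOKEN: hex SHA-256 of the token exactly as the server will
# see it: no trailing newline (printf, not echo) and without the " -"
# filename suffix that sha256sum prints after the digest.
token_hash() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# check_length TOKEN: succeed only if the token meets the checklist's
# minimum of 32 characters.
check_length() {
    [ "${#1}" -ge 32 ]
}

# verify_token TOKEN CONFIGURED_HASH: operator-side sanity check that the
# hash written into the configuration belongs to this token.
verify_token() {
    [ "$(token_hash "$1")" = "$2" ]
}

# Typical use: mint a token, refuse it if too short, print the pair.
main() {
    token=$(gen_token 32)
    check_length "$token" || { echo "token too short" >&2; return 1; }
    echo "Access token: $token"
    echo "Access token SHA-256: $(token_hash "$token")"
}
```

Run the script as-is to mint a token, or source it and call verify_token with a token and the hash copied from the configuration.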
To support a FAPI security profile a few additional configurations are needed.