The KeyProviderServer demonstrates how your app can enforce access control to a cloud storage solution. It provides a RESTful interface that your client app can use to export and import security keys. The KeyProviderServer demonstrates the following functions:
- Provides database access to only authenticated users by validating the JWT access token that's passed by the client app.
- Allows only the user to read or write their private key data.
- Allows only the user to write their public key data.
- Allows all authenticated users to read public key data.
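The four rules above, together with the applicationIds, tenantIds and userIdRegex settings from the configuration section, as one authorization decision. This is an added example, not the KeyProviderServer sample's own code; it assumes the JWT signature has already been verified upstream and that the claims follow Azure AD conventions (`tid` for tenant, `aud` for application, `oid` for user, `exp` for expiry), and the GUIDs in it are constructed.

```javascript
// Added example, not the KeyProviderServer sample's own code: the access
// rules from the README as one authorization decision. Assumes the JWT's
// signature has already been verified upstream and that its claims follow
// Azure AD conventions: tid (tenant), aud (application), oid (user), exp.

// Constructed sample config mirroring the README's config.js keys.
const config = {
  applicationIds: ['11111111-1111-1111-1111-111111111111'], // constructed
  tenantIds: '22222222-2222-2222-2222-222222222222',        // constructed
  userIdRegex: /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/,
};

// config.js allows a single GUID or an array; treat both uniformly.
const asList = (v) => (Array.isArray(v) ? v : [v]);

// Authentication: returns the caller's user ID, or null if the token was not
// issued for one of our tenants/applications, is expired, or names a user ID
// that does not match userIdRegex.
function authenticate(claims, cfg = config, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!claims || typeof claims.oid !== 'string') return null;
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return null;
  if (!asList(cfg.tenantIds).includes(claims.tid)) return null;
  if (!asList(cfg.applicationIds).includes(claims.aud)) return null;
  if (!cfg.userIdRegex.test(claims.oid)) return null;
  return claims.oid;
}

// Authorization for a key request { method: 'GET'|'PUT', keyType: 'private'|'public', userId }:
//   private keys: only the owner may read or write;
//   public keys:  only the owner may write, any authenticated user may read.
// Returns the HTTP status the server should answer with (200 = allowed).
function authorize(claims, request, cfg = config, nowSeconds) {
  const callerId = authenticate(claims, cfg, nowSeconds);
  if (callerId === null) return 401;
  if (typeof request.userId !== 'string' || !cfg.userIdRegex.test(request.userId)) return 400;
  if (request.method !== 'GET' && request.method !== 'PUT') return 405;
  const isOwner = callerId.toLowerCase() === request.userId.toLowerCase();
  if (request.keyType === 'private') return isOwner ? 200 : 403;
  if (request.keyType === 'public') return (request.method === 'GET' || isOwner) ? 200 : 403;
  return 404; // unknown key type
}
```

Note that the request's `userId` is validated against the same regex as the token's subject, so malformed path parameters are rejected before any database lookup.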
You can use this server with popular cloud storage solutions like Azure Cosmos DB. To learn more about setting up Azure Cosmos DB to store the BlackBerry Secure Spark security keys, follow the steps provided here.
These samples require the Spark SDK which you can find along with related resources at the location below.
- Getting started with the Spark SDK
- Development Guide
- API Reference
Getting started video
The cryptographic keys used by Spark to protect your communications are stored and distributed in a cloud storage system that you choose. Some cloud storage solutions like Firebase satisfy all the requirements to securely store and distribute keys to authenticated users. However, you may choose a different cloud storage solution that would require you to enforce access control on your application server.
Modify the config.js file in the KeyProviderServer example as follows:
- Set the applicationIds value to the GUID assigned to the application that will be using the KeyProviderServer. This may be set to an array of application ID GUIDs if you have multiple applications that will access the same KeyProviderServer instance.
  ```js
  applicationIds: 'YOUR APPLICATION ID',
  ```
- Set the tenantIds value to the GUID identifying the tenant whose users will be accessing the applications previously identified. This may be set to the GUID for a single-tenant environment or to an array of GUIDs for a multi-tenant environment.
  ```js
  tenantIds: 'YOUR TENANT ID',
  ```
- Set the collectionName to be the table name in your instance of Azure Cosmos DB.
  ```js
  collectionName: 'YOUR TABLE NAME',
  ```
- Set the connectionString value to be the connection string of your instance of Azure Cosmos DB.
  ```js
  connectionString: 'YOUR CONNECTION STRING',
  ```
- Set your application's URI as the value of accessControlAllowOrigin.
  ```js
  accessControlAllowOrigin: 'https://myApplication.com',
  ```
  Alternatively, you can set it to a wildcard. Refer to CORS on ExpressJS for details.
- Set the full path to your private key and public certificate.
  ```js
  keyPath: `${__dirname}/privateKey.pem`,
  certPath: `${__dirname}/publicCert.pem`,
  ```
- Set the passphrase for your private key.
  ```js
  keyPassphrase: 'myPassphrase',
  ```
- Optionally, configure the server port or turn off SSL. By default, the KeyProviderServer is configured to run over HTTPS (SSL), and the default server port in this configuration is 3000.
  ```js
  useSsl: true,
  serverPort: 3000,
  ```
- Optionally, provide a regular expression to validate the user ID. By default, KeyProviderServer is configured to work with Azure AD user IDs. This is enforced by the regular expression under userIdRegex:
  ```js
  userIdRegex: /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
  ```
Execute the following commands in the KeyProviderServer directory:
- Set up the NPM packages.
  ```sh
  yarn install
  ```
- Start the server.
  ```sh
  node app.js
  ```
These samples are released as Open Source and licensed under the Apache 2.0 License.
If you find an issue in one of the samples or have a feature request, simply file an issue.