Setup ZTS (authoriZation Token System)
- Getting Software
- Athenz CA X.509 Certificate Issuing
- Start/Stop ZTS Server
The following tools are required to be installed on hosts configured to run ZTS server.
ZTS Server is written in Java and using embedded Jetty.
While ZTS has been developed and tested with Oracle Java Platform JDK 8 it should run successfully with OpenJDK 8 as well.
Download latest ZTS binary release from Bintray - click on the
choose the latest version directory and then download the
$ tar xvfz athenz-zts-X.Y-bin.tar.gz $ cd athenz-zts-X.Y
To run ZTS Server, the system administrator must generate the keys,
certificates and make necessary changes to the configuration settings.
Since ZMS Server is running with a self-signed certificate, we need to
generate a truststore for the java http client to use when communicating
with the ZMS Server. For our configuration script we need the ZMS server
hostname and a copy of the server certificate file. From your ZMS Server
installation, copy the
zms_cert.pem file from the
athenz-zms-X.Y/var/zms_server/certs directory to a local directory on the
host that will be running the ZTS Server. For the
argument below pass the full path of the zms_cert.pem.
$ cd athenz-zms-X.Y $ bin/setup_dev_zts.sh <zms-hostname> <zms-public-cert-path>
Running this setup script completes the following tasks:
- Generate a unique private key that ZTS Server will use to sign any ZTokens it issues
- Generate a self-signed X509 certificate for ZTS Server HTTPS support
- Generate a truststore for secure communication with the ZMS Server
- Registers the zts service in Athenz sys.auth domain
- Generates an Athenz configuration file
Athenz CA X.509 Certificate Issuing
For authenticating services using X509 certificates, ZTS Servers expect
the configured cert signer factory class names in its
athenz.zts.cert_signer_factory_class system property.
Self Cert Signer com.yahoo.athenz.zts.cert.impl.SelfCertSignerFactory
is a sample implementation of cert Signer we have for development environment.
You can use SelfCertSigner or have your implementation of Cert Signer.
Refer Certificate Signer for full details how to implement your cert signer.
Start/Stop ZTS Server
Start the ZTS Server by executing:
$ cd athenz-zts-X.Y $ bin/zts start
Based on the sample configuration file provided, ZTS Server will be listening on port 8443.
Stop the ZTS Server by executing:
$ cd athenz-zts-X.Y $ bin/zts stop