The EKM will periodically push batch updates of public keys to the WKD. This mechanism takes more work to set up, but allows for greater flexibility and scalability, because the WKD can serve public keys independently, and doesn’t need to access the EKM.
The EKM will authenticate using a self-issued JSON Web Token (JWT) when pushing public keys to the WKD.
1. First, generate a JSON Web Key (JWK) using the command below:

   ```shell
   java -jar flowcrypt-email-key-manager.jar --gen-jwk
   ```

   This prints a set of properties to copy into the WKD and EKM properties files.
2. Set the following properties on the WKD:

| Property | Description |
|---|---|
| `wkd.push.readonly` | Optional. Set to `true` to run a read-only WKD instance. Default: `false`. Example: `true` |
| `wkd.push.source.ips` | A comma-separated list of internal IP addresses that may use the Push Sync endpoint. Empty means all IPs are allowed. Example: `10.0.1.30,10.0.1.31` |
| `auth.service.pushsync.verification.key` | Retrieve using the `--gen-jwk` flag and set the corresponding signing key in the EKM. Example: `ey...` |
3. Set the following properties on the EKM to allow Push Sync:

| Property | Description |
|---|---|
| `wkd.url` | An internal URL where the WKD may be reached from the EKM. Example: `https://wkd.yourorg.com` |
| `wkd.push.rate` (optional) | How often (in seconds) updated keys are synchronized with the WKD server. Example: `30` |
| `wkd.push.delay` (optional) | How long (in seconds) after start-up the first EKM-to-WKD synchronization job runs. Example: `10` |
| `wkd.push.batch.size` (optional) | The maximum number of keys pushed to the WKD in one request. Example: `1000` |
| `auth.service.pushsync.signing.key` | The key the EKM uses to sign the JWT for Push Sync requests. Retrieve using `--gen-jwk` and set the corresponding verification key in the WKD. Example: `ey3Pj4...` |
| `truststore.file` (optional) | Java trust store holding the public certificates/keys used to validate the WKD's certificate when it is issued by an internal CA. Example: `truststore.p12` |
| `truststore.password` (optional) | Password for the trust store file. Example: `password` |
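The two tables above configure one mechanism: the EKM signs a JWT with its private signing key, and the WKD verifies it with the matching public verification key before accepting a key batch. The example below, written for this page and not FlowCrypt's own code, shows both halves of that exchange with Go's standard library. Everything not stated on the page is assumed: that the JWK is a P-256 EC key and the JWT is ES256, the layout of the public JWK, the claim names (`iss`, `aud`, `iat`, `exp`, `batch_size`) and the 60-second token lifetime. `GenerateKeyPair` stands in for what `--gen-jwk` produces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding // JWS uses base64url without padding (RFC 7515)

// PublicJWK is the WKD-side verification key as a standard EC JWK. The exact
// text --gen-jwk prints is not on the page; this layout is an assumption.
type PublicJWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// GenerateKeyPair stands in for --gen-jwk: private key for the EKM (signing key),
// public JWK for the WKD (verification key).
func GenerateKeyPair() (*ecdsa.PrivateKey, PublicJWK, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, PublicJWK{}, err
	}
	pad := func(n *big.Int) string { return enc.EncodeToString(n.FillBytes(make([]byte, 32))) }
	return priv, PublicJWK{Kty: "EC", Crv: "P-256", X: pad(priv.PublicKey.X), Y: pad(priv.PublicKey.Y)}, nil
}

// SignPushJWT is the EKM side: a short-lived ES256 JWT. Claim names are constructed for this example.
func SignPushJWT(priv *ecdsa.PrivateKey, batchSize int, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": "ekm", "aud": "wkd", "iat": now.Unix(),
		"exp": now.Add(60 * time.Second).Unix(), "batch_size": batchSize,
	})
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// ES256 signatures are r || s, each left-padded to 32 bytes (RFC 7518 §3.4), not DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyPushJWT is the WKD side: pin the algorithm, check the signature with the
// configured verification key, then enforce exp. Claims are returned only once trusted.
func VerifyPushJWT(token string, jwk PublicJWK, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("header rejected") // the token never gets to choose the algorithm
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	toInt := func(s string) *big.Int { b, _ := enc.DecodeString(s); return new(big.Int).SetBytes(b) }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: toInt(jwk.X), Y: toInt(jwk.Y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]interface{}
	if cb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(cb, &claims) != nil {
		return nil, errors.New("unreadable claims")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	priv, pub, _ := GenerateKeyPair()
	tok, _ := SignPushJWT(priv, 1000, time.Now())
	_, err := VerifyPushJWT(tok, pub, time.Now())
	fmt.Println("push JWT accepted by WKD:", err == nil)
}
```

The verifier deliberately rejects any header whose `alg` is not the one the deployment expects and checks the signature before it reads a single claim; the `wkd.push.source.ips` allowlist is a second, independent layer in front of this check, not a replacement for it.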