kcm-guacamole-auth-json needs to be installed. This package is an authentication extension for Apache Guacamole which authenticates users using JSON which has been signed using HMAC/SHA-256 and encrypted with AES-128 CBC. As this JSON contains all information describing the user being authenticated, including any connections they have access to, this extension can provide a simple means of integrating Keeper Connection Manager with external applications.
/etc/guacamole/guacamole.properties, must be modified to specify the secret key which the Guacamole server should use to decrypt and verify received JSON. Systems generating this JSON will also use this same key to encrypt and sign the JSON they generate.
guacamole.properties during the startup process. To apply the configuration changes, Guacamole must be restarted:
TIMESTAMP is a standard UNIX epoch timestamp with millisecond resolution (the number of milliseconds since midnight of January 1, 1970 UTC) and
PROTOCOL is the internal name of any of Guacamole's supported protocols, such as
json-secret-key property) with HMAC/SHA-256. Prepend the binary result of the signing process to the plaintext JSON that was signed.
/api/tokens REST endpoint as the value of an HTTP parameter named
data (or include it in the URL of any Guacamole page as a query parameter named
BASE64_RESULT is the result of the above process, the equivalent run of the "curl" utility would be:
/opt/keeper/share/guacamole-auth-json/doc/encrypt-json.sh, which uses the OpenSSL command-line utility to encrypt and sign JSON in the manner that guacamole-auth-json requires. It is thoroughly commented and should work well as a reference implementation, for testing, and as a point of comparison for development. The script is run as:
auth.json containing the following:
kcm-guacamole-auth-json package as it's not inherently required by the actual Guacamole extension. If you do not already have the OpenSSL utility installed, you will need to install it before running the
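
The sign, encrypt and base64 steps described above, followed by the receiving side's decrypt-and-verify, as an added example using the OpenSSL command-line utility (it is not the shipped encrypt-json.sh and not code from this page). The all-zero IV is an assumption taken from the upstream guacamole-auth-json format; the key, the JSON payload and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the shipped encrypt-json.sh. Key and JSON are constructed.
NULL_IV=00000000000000000000000000000000   # assumption: all-zero IV (upstream format)
DEMO_KEY=4c0b569e4c96df157eee1b65dd0e4d41  # constructed 128-bit key, 32 hex digits
# Constructed payload; "expires" is a UNIX timestamp in milliseconds.
DEMO_JSON='{"username":"demo","expires":1767225600000,"connections":{"Demo RDP":{"protocol":"rdp","parameters":{"hostname":"rdp.example.internal"}}}}'

# hmac_hex KEY_HEX: HMAC/SHA-256 of stdin, printed as lowercase hex.
hmac_hex() {
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" -binary | od -An -v -tx1 | tr -d ' \n'
}

# kcm_encode KEY_HEX JSON: base64( AES-128-CBC( HMAC(JSON) || JSON ) ) on one line.
kcm_encode() {
    {
        printf '%s' "$2" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" -binary
        printf '%s' "$2"
    } | openssl enc -aes-128-cbc -K "$1" -iv "$NULL_IV" -nosalt -a -A
}

# kcm_decode KEY_HEX BASE64: the receiving side. Prints the JSON and returns 0
# only when decryption succeeds and the 32-byte HMAC prefix matches the rest.
kcm_decode() {
    _tmp=$(mktemp) || return 2
    _rc=1
    if printf '%s' "$2" | openssl enc -d -aes-128-cbc -K "$1" -iv "$NULL_IV" \
            -nosalt -a -A >"$_tmp" 2>/dev/null; then
        _got=$(head -c 32 "$_tmp" | od -An -v -tx1 | tr -d ' \n')
        _want=$(tail -c +33 "$_tmp" | hmac_hex "$1")
        # A string compare is enough for a local check; a server should
        # compare MACs in constant time.
        if [ ${#_got} -eq 64 ] && [ "$_got" = "$_want" ]; then
            tail -c +33 "$_tmp"
            _rc=0
        fi
    fi
    rm -f "$_tmp"
    return $_rc
}

token=$(kcm_encode "$DEMO_KEY" "$DEMO_JSON")
kcm_decode "$DEMO_KEY" "$token" >/dev/null && echo "round trip verified"
```

With a fixed IV the output is deterministic for identical JSON, so the expires timestamp is what bounds how long a captured value stays usable; the shared key in guacamole.properties should be readable only by the Guacamole service account.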