You can configure the JSON Web Token (JWT) producer settings when Unified Access Gateway wants to create and sign the JWT to exchange control information for SaaS environments like Horizon Cloud Service.

The following procedure describes the JSON web token producer settings configuration:


  1. In the admin UI Configure Manually section, click Select.
  2. Under Advanced Settings, select the JWT Settings gearbox icon.
  3. In the JWT Settings window, click Add JWT Producer.
  4. In the JWT Producer Settings window, enter the following information:
    Option Default and Description
    Name A JWT producer name to identify this setting for validation.
    Issuer Enter the case-sensitive JWT issuer value to be specified in the produced JWT's issuer claim that is to be sent to recipient.

    By default, the value of this field is set to the Name field.

    JWT Signing Certificate Type

    Select the valid certificate types for JWT signing from the drop-down menu. The options are:

    • PEM:
      • Private Key: Click Select and browse to the private key file for the certificate in PEM format.
      • Certificate Chain: Click Select and browse to the certificate chain file in PEM format.
    • PFX:
      • Upload PFX: Click Select and browse to the JWT signing certificate in PFX format.
      • Password: Enter the password of PFX certificate.
      • Alias: Enter the alias of PFX certificate if there are multiple certificates present in the certificate store.

    JWT Signing Private Key

    Click Select and browse to the private key for the certificate in PEM format used for JWT signing.

    JWT Signing Certificate Chain

    Click Select and browse to the certificate chain in PEM format used for JWT signing.
    Configure Encryption Public Key Settings

    The encryption key (static or dynamic) is used to encrypt the JWT produced by Unified Access Gateway.

    Turn on this toggle to configure encryption public key URL for fetching the public key dynamically from the URL.

    Turn off this toggle to upload static encryption public keys.

    Dynamic Public key URL

    Enter the URL for dynamically fetching the public key.

    A public key can either be a single public key or a JSON Web Key Set (JWKS) format.

    With the JWKS format, multiple JSON Web Key (JWK) format public keys can be obtained for validating the JWT.

    Each JWK has a unique identifier (kid) and this identifier is present in the JWT provided to Unified Access Gateway. Using this identifier, Unified Access Gateway identifies the public key to be used.

    Public key URL thumbprints Enter the list of public key URL thumbprints. If you do not provide a list of thumbprints, ensure that the server certificates are issued by a trusted CA. Enter the hexadecimal thumbprint digits. For example, sha1= C2 88 A3 19 DC 7A 47 2C 84 1C 81 EC 5E 8F 6A 3C 33 F2 95 C5.
    Trusted Certificates
    • To select a certificate in the PEM format and add to the trust store, click +.
    • To remove a certificate from the trust store, click -.
    • To provide a different name, edit the alias text box.

      By default, the alias name is the filename of the PEM certificate. You can add a maximum of 64 trusted certificate files.

    Public key refresh interval

    The time interval in seconds at which the public key is fetched from the URL periodically.

    The default value is 3600 (1 hour).

    If this is set to 0, the public key(s) is fetched from the URL exactly once.

    Static Public Keys Click + to select and add a public key to use for JWT encryption.

    The file must be in PEM format.

    Note: If a dynamic public key URL is not available, set a static public key.
  5. Click Save.