In many scenarios the MHK server application fails to obtain a valid
admin token to access the Kleio server. This can happen after
complicated transitions in which the admin tokens stored by MHK fall
out of sync with the Kleio server token database.
In previous versions an admin token was shared in the config files
of the Kleio server and MHK, and those files were part of the install
process. That was a security concern: a long-lived admin credential
was distributed with the installation files.
A better approach is to generate a fresh bootstrap token every time
the Kleio server starts, with the single privilege "generate_token" and
a life span of five minutes. This token is written to a file in the
Kleio server configuration directory.
Any client running on the same machine with read access to the
Kleio server configuration directory can obtain the bootstrap token and
use it to generate a private admin token. For extra security the client
can then invalidate the bootstrap token. Whether or not it is
invalidated, the bootstrap token expires five minutes after it was
issued. The protection therefore rests on the file permissions of that
directory: any local process that can read the file can obtain admin
rights for as long as the bootstrap token is valid.
In a typical situation this means that a client such as MHK Server can
obtain an admin token if it is started within five minutes of the
Kleio server. This requires that clients be coded to use this facility.
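The exchange described above, modelled end to end as an added example. This is not Kleio server or MHK code: the file name, the token table, the "admin" privilege name and the API shape are assumptions, and the clock is injectable so the five-minute expiry can be exercised without waiting.

```python
"""Model of the start-up bootstrap token flow (added illustration, not the
Kleio/MHK implementation). Assumed: file name, "admin" privilege, API shape."""
import os
import secrets
import tempfile
import time

BOOTSTRAP_TTL_SECONDS = 5 * 60                   # life span stated in the text
BOOTSTRAP_FILENAME = "bootstrap_token"           # assumed; the text only says "a file"
ADMIN_PRIVILEGES = {"generate_token", "admin"}   # assumed privilege set for an admin token


class TokenServer:
    """Server side: an in-memory token table keyed by token value (assumption)."""

    def __init__(self, config_dir, now=time.time):
        self.config_dir = config_dir
        self.now = now          # injectable clock so expiry can be tested deterministically
        self.tokens = {}        # token -> {"privileges": set, "expires": float | None}

    def start(self):
        """Each start mints a fresh bootstrap token with the single privilege
        "generate_token" and a five-minute life, written into the config dir."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"privileges": {"generate_token"},
                              "expires": self.now() + BOOTSTRAP_TTL_SECONDS}
        path = os.path.join(self.config_dir, BOOTSTRAP_FILENAME)
        # 0600: only a process running as the directory owner should be able to read it.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(token)
        return token

    def _require(self, token, privilege):
        entry = self.tokens.get(token)
        if entry is None:
            raise PermissionError("unknown or invalidated token")
        if entry["expires"] is not None and self.now() >= entry["expires"]:
            del self.tokens[token]   # expiry applies whether or not it was invalidated
            raise PermissionError("token expired")
        if privilege not in entry["privileges"]:
            raise PermissionError("token lacks privilege " + privilege)

    def generate_token(self, auth_token, privileges):
        """Mint a long-lived token; the caller must hold "generate_token"."""
        self._require(auth_token, "generate_token")
        new = secrets.token_urlsafe(32)
        self.tokens[new] = {"privileges": set(privileges), "expires": None}
        return new

    def invalidate(self, token):
        """Drop a token; presenting it is the only credential needed."""
        self.tokens.pop(token, None)

    def admin_action(self, auth_token):
        """Stand-in for any privileged server call."""
        self._require(auth_token, "admin")
        return "ok"


def bootstrap_admin_token(server, config_dir):
    """Client side (what MHK would do): read the bootstrap token from the
    config dir, mint a private admin token, then invalidate the bootstrap."""
    with open(os.path.join(config_dir, BOOTSTRAP_FILENAME)) as f:
        bootstrap = f.read().strip()
    admin = server.generate_token(bootstrap, ADMIN_PRIVILEGES)
    server.invalidate(bootstrap)   # "for extra security": burn it once used
    return admin


class FakeClock:
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def _error(fn, *args):
    """Run fn and return the PermissionError message, or None on success."""
    try:
        fn(*args)
        return None
    except PermissionError as e:
        return str(e)


def run_demo():
    """Happy path plus three failure modes; returns the outcomes by name."""
    clock, out = FakeClock(), {}
    with tempfile.TemporaryDirectory() as config_dir:
        server = TokenServer(config_dir, now=clock)
        bootstrap = server.start()
        out["bootstrap_admin"] = _error(server.admin_action, bootstrap)   # single privilege only
        clock.advance(60)                                                 # client starts in time
        admin = bootstrap_admin_token(server, config_dir)
        out["admin_ok"] = server.admin_action(admin)
        out["bootstrap_reused"] = _error(server.generate_token, bootstrap, ADMIN_PRIVILEGES)
        late_server = TokenServer(config_dir, now=clock)                  # second server start
        late_bootstrap = late_server.start()
        clock.advance(BOOTSTRAP_TTL_SECONDS)                              # client arrives too late
        out["late_client"] = _error(bootstrap_admin_token, late_server, config_dir)
        out["late_bootstrap_gone"] = late_bootstrap not in late_server.tokens
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", result)
```

The demo shows the four properties the text relies on: the bootstrap token alone cannot perform admin work, a client that reads it within the window gets a private admin token, the invalidated bootstrap cannot be reused by a second reader, and a client that starts after five minutes is refused even though nothing invalidated the token.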