Google Pub/Sub JWT Authentication in webMethods CloudStreams


This article describes the step-by-step process of generating JWT Authentication for the webMethods CloudStreams provider.


  • User needs to have a working Google account to log into the google cloud console. Sometimes it requires paid tenant depending on the charges applicable on the API.
  • Access permission for the Google API, in our case its Google Pub/Sub.


  • Generation of Google Pub/Sub JWT Authentication.


Any coding or configuration examples provided in this document are only examples and are not intended for use in a productive system without verification. The example is only done to better explain and visualize the possibilities.


    1. Log in to the Google cloud console( ), with the Google credentials. It will look like below.

    2. Users can create a new project or existing projects can be used. In this case, the existing project has been used.

    3. Now enable the Google pub/sub API for the newly created project or in an existing project. So, click on Hamburger icon -> APIs & Services -> Dashboard.

    4. The dashboard will appear for APIs & Services. Now click on the “ENABLE APIS AND SERVICES”.

    5. It will take the user to the “API Library”. A search bar will appear, users need to search for the particular API’s, that he needs to activate for this project.

    6. Search for the Google pub/sub APIs. select and enable It.

    7. Once the APIs are enabled successfully, It looks like the below screenshot.

    8. Now the Google pub/sub APIs are enabled successfully for the selected project. Now we will proceed for Obtaining the JWT token for the Pub/Sub.

    9. To generate the JWT Token for any Google APIs, the User also needs to create the service account as well in the Google Cloud Console.

    10. To generate the Service Account, click on Hamburger icon-> APIs & Services -> Credentials.

    11. Now click on the “Create Service Account”.

    12. A page will open, asking the details for the service account. Users need to fill these details and click on “Create”.

    13. On the next page, it will ask for the “Service account permissions”. In the “Select role” tab choose for the Pub/Sub and then select the permission for the “Publisher” & “Subscriber”. Users can choose other permissions too based on their needs and click on the continue.

    14. Now, the next section asks for the “create Key”, click on this option and choose the JSON file to download and click on create.

    15. Once the JSON file gets downloaded. Store the file safely, as it contains account-related information and maybe not reproducible. The downloaded JSON file looks like below.

    16. This JSON file contains the “private key” and client_x509_cert_url gives you the link for the “certificate”.

    17. Reassemble your certificate(in between the certificate string there will be "\n") we need to remove those and the string starting from "\n" should come in the next line.

    18. Take an empty text file, arrange your certificate as( removed "\n" )

    19. Keep the certificate(rearranged) and private key files together in a text file.

    20. As we can't get the .jks file directly from the certificate and private key we need to get a .p12 file first and then this p.12 file has to be exported as .jks file.

    21. Install OpenSSL-Win64 --> open the installation directory OpenSSL-Win64\bin --> run the below command and store the generated certificate.

    openssl pkcs12 -export -in [path to certificate] -inkey [path to private key] -certfile [path to certificate ] -out testkeystore.p12

    keytool -importkeystore -srckeystore <p12 file name.p12> -srcstoretype pkcs12 -destkeystore <jks file name.jks> -deststoretype JKS

    22. Now we need to add the generated .jks file in the webMethods Integration Server. Start the IS 10.4 and above (this feature is supported on IS version 10.4 onwards). Login to the IS admin page and navigate to the “Keystore” under the security and click on the “create Keystore alias”.

    23. A page will appear asking the details for the “Keystore properties”. Provide the details for “alias”, “Location” of the .jks file and give the password & re-type password as “password” only and click on the “submit” button.

    24. In the next part, it will again ask for the “key alias password”. Provide the password as “password” only in both the sections and click on the “save changes” button.

    25. Now the “Keystore” is configured successfully. Now we will create the JWT Connection.

    26. Navigate to the “cloud streams provider” section and choose the “Google” and choose the “configure the new connection” option.

    27. Now while creating the new connection, choose the Connection type as “OAuth v2.0(JWT Flow)” also provide the folder name, connection name, server URL, issuer & subject then click on the “Generate Access_token”.

         Issuer: <client_id> or identifier (or,name) of the server or system issuing the Token.

         Subject: Identifier(or, name) of the user this token represents.

    28. OAuth 2.0 JWT Flow window will appear, the user needs to fill the details for the “private key Id”, which is present in the JSON file, that we downloaded while creating the google service account. Under the “Keystore & Proxy” section, choose the “Keystore name” from the drop-down and click on the “Get Token” button.

    29. Now, after clicking the “Get Token” button, it will generate the Access_token automatically. Because the Cloudstreams engine supports JWT authentication and Cloudstreams provider for Google Pub/Sub is configured accordingly.