diff --git a/docker/example-security/README.tex b/docker/example-security/README.tex
new file mode 100644
index 0000000000000000000000000000000000000000..8352fe1208d9b48fa581a1efdf33eeffa4cd0cc1
--- /dev/null
+++ b/docker/example-security/README.tex
@@ -0,0 +1,31 @@
+
+# notes on security:
+# set volume mapping in compose.yaml: security/ -> /etc/pki/tls/
+# configure port/SSL connector: (path is relative to the dir where compose.yaml is
+# * server-connector.xml : set tomcat connector with certificates
+#    -- ia2 needs SECTIGO
+#    -- iam needs self-signed keystore.jks
+# * keep right jjwt*.jar libs (ia2 authlib needs v0.11, iam needs v0.12)
+# FIXME implement *.properties and server-connector.xml by paramters
+
+
+
+#### Security
+# SSL-certificates are site-dependent and must be regularly updated:
+# vlkb-cutout expects them in /etc/pki/tls
+#
+# map volume: ./security:/etc/pki/tls:z,ro
+#
+# ia2token: 
+#  auth.propeties
+#  authpolicy.properties
+#  server-connector.xml
+#  SECTIGO/*
+#
+# iamtoken:
+#  iamtoken.properties
+#  server-connector.xml
+#  keystore.jks
+#
+
+
diff --git a/docker/example-security/garrtoken/keystore.jks b/docker/example-security/garrtoken/keystore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..57c469584925bdc3de5f6919123d67c5a3189560
Binary files /dev/null and b/docker/example-security/garrtoken/keystore.jks differ
diff --git a/docker/example-security/garrtoken/neatoken.properties b/docker/example-security/garrtoken/neatoken.properties
new file mode 100644
index 0000000000000000000000000000000000000000..839e15d714346acd080d3bc7474dc164e97a4af8
--- /dev/null
+++ b/docker/example-security/garrtoken/neatoken.properties
@@ -0,0 +1,10 @@
+
+# certificates endpoint
+jwks_url=
+
+# account created for the service
+resource_id=
+
+# username for non-authenticated requests
+non_authn_username=anonymous
+
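Review bot: The file lives under garrtoken/ but is named neatoken.properties, and README.tex in this same commit documents only the ia2token and iamtoken layouts, so a reader cannot tell which validator reads this file or what `jwks_url` must point to. A two-line header would settle it, e.g. `# Read by the <token-validator-name> token validator (see README.tex)` and `# jwks_url: HTTPS URL of the issuer's JSON Web Key Set; tokens cannot be verified while this is empty` — hedged, since the loader's behaviour on an empty `jwks_url` is not visible here. The README should also list the garrtoken/ directory next to the other two.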
diff --git a/docker/example-security/garrtoken/server-connector-8443.xml-self-signed-keystore-jks b/docker/example-security/garrtoken/server-connector-8443.xml-self-signed-keystore-jks
new file mode 100644
index 0000000000000000000000000000000000000000..02ca4500189bcdf839f61eb03958e8284c4c9205
--- /dev/null
+++ b/docker/example-security/garrtoken/server-connector-8443.xml-self-signed-keystore-jks
@@ -0,0 +1,11 @@
+   <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
+               maxThreads="150" SSLEnabled="true" >
+        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
+        <SSLHostConfig>
+            <Certificate certificateKeyAlias="tomcat"
+                         certificateKeystoreFile="/etc/pki/tls/keystore.jks"
+                         certificateKeystorePassword="tomcatskassl"
+                         type="RSA" />
+        </SSLHostConfig>
+   </Connector>
+
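Review bot: `certificateKeystorePassword="tomcatskassl"` on the seventh line is a cleartext keystore password committed together with the keystore it protects (garrtoken/keystore.jks and iamtoken/keystore.jks are the same blob, index 57c4695…), so the private key in that example keystore has to be treated as public and must never be reused on a reachable host. Even for an example it is better to take the value from a system property, `certificateKeystorePassword="${keystore.password}"`, supplied via `catalina.properties` or `CATALINA_OPTS`, which also removes the duplication with ssl/Makefile; a comment on the Certificate element saying "example key only, regenerate with ssl/Makefile before deployment" would make the intent explicit. `Http11AprProtocol` requires the tomcat-native library in the image and the connector will not start without it, so the tested Tomcat/native version is worth stating in a comment. The same notes apply to iamtoken/server-connector-8443.xml-self-signed-keystore-jks, which is byte-identical (index 02ca450…).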
diff --git a/docker/example-security/ia2token/auth.properties b/docker/example-security/ia2token/auth.properties
new file mode 100644
index 0000000000000000000000000000000000000000..c9c8aee27f0017b03a10a17896236eae4a93a018
--- /dev/null
+++ b/docker/example-security/ia2token/auth.properties
@@ -0,0 +1,10 @@
+rap_uri=https://sso.ia2.inaf.it/rap-ia2
+gms_uri=https://sso.ia2.inaf.it/gms
+client_id=vospace_ui_demo
+client_secret=VOSpaceDemo123
+
+groups_autoload=true
+store_state_on_login_endpoint=true
+scope=openid email profile read:rap
+
+allow_anonymous_access=true
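Review bot: `client_secret=VOSpaceDemo123` on the fourth line commits a literal OAuth client secret, paired with `client_id=vospace_ui_demo`, which looks like a demo client copied from another application rather than a placeholder for this service; even if the credential is a throw-away demo value, an example file teaches readers to keep real secrets here. Replace both with obvious placeholders, `client_id=<your-client-id>` and `client_secret=<your-client-secret>`, and add a comment that the file must be owned by the service user with mode 0600. `allow_anonymous_access=true` is a security-relevant default for an example; a one-line comment stating its effect and why it is on would help whoever copies this file.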
diff --git a/docker/example-security/ia2token/authpolicy.properties b/docker/example-security/ia2token/authpolicy.properties
new file mode 100644
index 0000000000000000000000000000000000000000..d1d5756218a28b49df6e1f92a8828c9f62c24cac
--- /dev/null
+++ b/docker/example-security/ia2token/authpolicy.properties
@@ -0,0 +1,7 @@
+# database for table with permissions
+db_uri=
+db_schema=
+db_user_name=
+db_password=
+
+
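Review bot: `db_uri=`, `db_schema=`, `db_user_name=` and `db_password=` carry no hint of the expected format (JDBC URL or host:port for `db_uri`) or of whether any may stay empty; a comment per key such as `# db_uri: JDBC URL of the permissions database (required)` would make the template usable without reading the loader. Since README.tex in this commit mounts the whole security/ tree read-only at /etc/pki/tls, the database credentials ride along in the TLS volume; keeping them in a separate mount with their own ownership and mode would be cleaner, and is worth a note in the comment.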
diff --git a/docker/example-security/ia2token/server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it b/docker/example-security/ia2token/server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it
new file mode 100644
index 0000000000000000000000000000000000000000..1ad61476dbe60e77851fa636d3c40009af30232e
--- /dev/null
+++ b/docker/example-security/ia2token/server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it
@@ -0,0 +1,11 @@
+  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+        sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
+               maxThreads="150" SSLEnabled="true">
+         <SSLHostConfig>
+            <Certificate certificateKeyFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.key"
+                         certificateFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.crt"
+                         certificateChainFile="/etc/pki/tls/SECTIGO/CA.crt"
+                         type="RSA" />
+        </SSLHostConfig>
+    </Connector>
+
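Review bot: `certificateKeyFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.key"` is given without `certificateKeyPassword`, so the private key is expected unencrypted on disk; that is acceptable only if the mounted ./security/SECTIGO directory is owned by the container's tomcat user with mode 0600 on the key, which nothing in this commit states — a comment on the Certificate element, `<!-- key must be unencrypted; keep it 0600, owned by the tomcat user -->`, would record the requirement. `certificateChainFile="/etc/pki/tls/SECTIGO/CA.crt"` should contain the intermediate chain, not the root certificate; naming which bundle it is in a comment avoids a common misconfiguration. As a style point, the indentation of the Connector and SSLHostConfig lines is inconsistent, and the `UpgradeProtocol` element present in the self-signed variants is absent here — presumably intentional, confirm.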
diff --git a/docker/example-security/iamtoken/iamtoken.properties b/docker/example-security/iamtoken/iamtoken.properties
new file mode 100644
index 0000000000000000000000000000000000000000..d275d68bee277ed3450eee1349d4a3a2c48210dc
--- /dev/null
+++ b/docker/example-security/iamtoken/iamtoken.properties
@@ -0,0 +1,13 @@
+
+# certificates endpoint
+#jwks_url=
+introspect=
+client_name=
+client_password=
+
+# account created for the service
+resource_id=
+
+# username for non-authenticated requests
+non_authn_username=anonymous
+
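Review bot: `#jwks_url=` on the third line is commented out while `introspect=`, `client_name=` and `client_password=` are left empty, so the file does not say whether tokens are validated locally against a JWKS or remotely through an introspection endpoint, nor that `client_password` is a secret. Suggest a header comment along the lines of `# Token validation: set jwks_url for local signature checks, or introspect + client_name/client_password for remote introspection; client_password is a secret, keep this file mode 0600` — hedged, since which combinations the loader accepts is not visible here. Mirroring the comment into garrtoken/neatoken.properties, which has the same `jwks_url`/`resource_id` keys, keeps the two templates consistent.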
diff --git a/docker/example-security/iamtoken/keystore.jks b/docker/example-security/iamtoken/keystore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..57c469584925bdc3de5f6919123d67c5a3189560
Binary files /dev/null and b/docker/example-security/iamtoken/keystore.jks differ
diff --git a/docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks b/docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks
new file mode 100644
index 0000000000000000000000000000000000000000..02ca4500189bcdf839f61eb03958e8284c4c9205
--- /dev/null
+++ b/docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks
@@ -0,0 +1,11 @@
+   <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
+               maxThreads="150" SSLEnabled="true" >
+        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
+        <SSLHostConfig>
+            <Certificate certificateKeyAlias="tomcat"
+                         certificateKeystoreFile="/etc/pki/tls/keystore.jks"
+                         certificateKeystorePassword="tomcatskassl"
+                         type="RSA" />
+        </SSLHostConfig>
+   </Connector>
+
diff --git a/docker/example-security/ssl/How to generate a self-signed SSL certificate using OpenSSL - Stack Overflow.pdf b/docker/example-security/ssl/How to generate a self-signed SSL certificate using OpenSSL - Stack Overflow.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..2d7b3fd09bb0a24f3f7a1f04af33ee0ec8269d5e
Binary files /dev/null and b/docker/example-security/ssl/How to generate a self-signed SSL certificate using OpenSSL - Stack Overflow.pdf differ
diff --git a/docker/example-security/ssl/How to use OpenSSL and the Internet PKI on Linux systems Enable Sysadmin.pdf b/docker/example-security/ssl/How to use OpenSSL and the Internet PKI on Linux systems Enable Sysadmin.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..c2e26bc3bcf6a7aadf1b8ab23fab0434464168ba
Binary files /dev/null and b/docker/example-security/ssl/How to use OpenSSL and the Internet PKI on Linux systems Enable Sysadmin.pdf differ
diff --git a/docker/example-security/ssl/Makefile b/docker/example-security/ssl/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..cdc5c8deb2b2141a315d28b58e362d658237b0f7
--- /dev/null
+++ b/docker/example-security/ssl/Makefile
@@ -0,0 +1,10 @@
+
+
+
+keystore.jks:
+	keytool -genkey -keyalg RSA -noprompt -alias tomcat -dname "CN=localhost, OU=NA, O=NA, L=NA, S=NA, C=NA" -keystore keystore.jks -validity 9999 -storepass tomcatskassl -keypass tomcatskassl
+
+
+showxml:
+	xmlstarlet c14n server.xml
+
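Review bot: The keystore recipe passes `-storepass tomcatskassl -keypass tomcatskassl` on the keytool command line, so the password is echoed by make, ends up in shell history, and is visible to any local user through the process list while keytool runs; keytool accepts `-storepass:env VAR` and `-keypass:env VAR`, and an `export`ed Make variable reaches the recipe shell without appearing on the echoed line. The recipe also spells out `keystore.jks` instead of `$@`, `showxml` is not declared `.PHONY`, and `-genkey` is the legacy spelling of `-genkeypair`. The default password has to stay equal to `certificateKeystorePassword` in the two server-connector files of this commit, which is why it is kept as an overridable `?=` default below rather than removed. `-validity 9999` (about 27 years) is fine for a localhost self-signed key; a comment saying so stops it being copied into a real issuance.
```make
.PHONY: showxml

# Must match certificateKeystorePassword in the server-connector file; override with
# `make KEYSTORE_PASS=...`. Exported so keytool reads it from the environment rather
# than from the (echoed) command line.
KEYSTORE_PASS ?= tomcatskassl
export KEYSTORE_PASS

# Self-signed localhost key for development only; long validity is deliberate here.
keystore.jks:
	keytool -genkeypair -keyalg RSA -noprompt -alias tomcat \
	  -dname "CN=localhost, OU=NA, O=NA, L=NA, S=NA, C=NA" \
	  -keystore $@ -validity 9999 -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS

# … unchanged: showxml recipe …
```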