Versions Compared

Key

  • [+text+]: This text was added.
  • [-text-]: This text was removed.
  • Formatting was changed.

...

The remaining input fields for the popup window look like this:

(Screenshot of the remaining input fields of the popup window; the image was replaced between the compared versions and is not reproduced here.)

Explanation:

  • The Identity Service Name is a unique identifier that can be freely chosen.
  • The Identity Service Type can be selected as available from the above matrix.
  • The Ordering specifies the sequence in which a login is performed with available Identity Services.
  • The Required attribute specifies whether login with the respective Identity Service has to succeed, for example when a number of Identity Services are triggered on login of a user account.
  • The Identity Service Authentication Scheme allows selection of
    • single-factor authentication: user account and password are specified for login with the Identity Service.
    • two-factor authentication: in addition to user account and password, a Client Authentication Certificate is required - see the JS7 - Certificate based Authentication article for more information.

...

Having added a Keycloak Identity Service, it is necessary to add settings for the Keycloak integration from the Identity Service's Manage Settings action menu item:

For use of the [-HashiCorp-][+Keycloak+]® Vault Identity Service:

  • the [-Vault-][+Keycloak+] product has to be installed and has to be accessible for JOC Cockpit and
  • the following settings have to be specified:

(Screenshot of the Manage Settings dialog; the image was replaced between the compared versions and is not reproduced here.)

Explanation:

  • [-Vault-][+Keycloak+] URL: the base URL for which the Vault REST API is available.
  • Vault Authentication Method Path: the path specifies the Vault Authentication Method to be used, see the Authentication Methods section above.
  • Vault Truststore Path: Should the Vault Server be configured for HTTPS connections then the indicated truststore has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication.
    • The truststore can include a self-signed certificate or a CA signed certificate. Typically the Root CA certificate is used, as otherwise the complete certificate chain involved in signing the Server Authentication Certificate has to be available with the truststore.
    • If the Vault Server is operated for HTTPS connections and this setting is not specified then JOC Cockpit will use the truststore that is configured with the JETTY_BASE/resources/joc/joc.properties configuration file. This includes use of the settings for the truststore password and truststore type.
    • The path to the truststore is specified relative to the JETTY_BASE/resources/joc directory. If the truststore is located in this directory then only the file name is specified, typically with a .p12 extension. Other relative locations can be specified using, for example, ../../joc-truststore.p12 if the truststore is located in the JETTY_BASE directory. An absolute path cannot be specified, and a path cannot be specified that lies before the JETTY_BASE directory in the file system hierarchy.
  • Vault Truststore Password: If the Vault Server is configured for HTTPS connections and the indicated truststore is protected by a password then the password has to be specified.
  • Vault Truststore Type: If the Vault Server is configured for HTTPS connections then the type of the truststore has to be specified, which is either PKCS12 or JKS (deprecated).
  • Vault Application Token: The application token setting is available only if the VAULT-JOC-ACTIVE Identity Service Type is used.
    • JOC Cockpit requires this token in order to manage users with Vault. This token has to be created with Vault, see the Application Role section above. This token allows JOC Cockpit to access the Vault REST API to manage user accounts.
    • This token is not used for login of users.
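The truststore rules above (path relative to JETTY_BASE/resources/joc, no absolute path, no path climbing above JETTY_BASE, fallback to joc.properties for HTTPS, PKCS12 or deprecated JKS) are easy to get wrong when preparing a configuration. The following Python script is an added example, not code from the JS7 product or the page, that checks a planned Identity Service setting against those rules before it is entered in the dialog. The JETTY_BASE location, the sample joc.properties content and the property names truststore_path, truststore_password and truststore_type used for the fallback are assumptions for illustration; the actual property names in joc.properties must be taken from the JS7 documentation.

```python
"""Added example: validate Vault truststore settings against the rules in the text.

Assumptions (not from the page): JETTY_BASE location, the sample joc.properties
below, and the property names truststore_path / truststore_password /
truststore_type used for the joc.properties fallback.
"""
import re
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed sample location of JETTY_BASE (assumption; any directory works).
JETTY_BASE = PurePosixPath("/opt/js7/jetty_base")
ALLOWED_TYPES = ("PKCS12", "JKS")          # JKS is deprecated

# Constructed sample of JETTY_BASE/resources/joc/joc.properties (property names assumed).
SAMPLE_JOC_PROPERTIES = """\
# truststore used by JOC Cockpit when an Identity Service specifies none
truststore_path = ../../resources/joc/https-truststore.p12
truststore_password = changeit
truststore_type = PKCS12
"""


def resolve_truststore_path(setting, jetty_base=JETTY_BASE):
    """Resolve a Vault Truststore Path setting.

    Rules from the documentation: the path is relative to JETTY_BASE/resources/joc,
    an absolute path is rejected, and a path that ends up above JETTY_BASE is
    rejected. Returns the resolved path or raises ValueError.
    """
    p = PurePosixPath(setting)
    if not setting or p.is_absolute():
        raise ValueError(f"truststore path must be relative: {setting!r}")
    parts = list((jetty_base / "resources" / "joc").parts)
    for part in p.parts:                   # lexical normalisation of '.' and '..'
        if part == "..":
            if len(parts) > 1:             # never pop the root '/'
                parts.pop()
        elif part != ".":
            parts.append(part)
    resolved = PurePosixPath(*parts)
    try:
        resolved.relative_to(jetty_base)   # must stay inside JETTY_BASE
    except ValueError:
        raise ValueError(f"truststore path {setting!r} lies outside JETTY_BASE") from None
    return resolved


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, key=value or key: value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def effective_truststore(vault_url, service_settings, joc_properties_text):
    """Return the truststore JOC Cockpit would use for the Vault connection, or None.

    service_settings carries the Identity Service's own Truststore Path/Password/Type.
    Per the documentation the Identity Service setting wins; when it is empty and the
    Vault URL is HTTPS, the joc.properties truststore (with its password and type) is
    used. The joc.properties path is returned as configured, without the
    JETTY_BASE rule, which the text states only for the Identity Service setting.
    """
    if urlparse(vault_url).scheme != "https":
        return None                        # plain HTTP: no truststore is consulted
    if service_settings.get("path"):
        chosen = {"path": str(resolve_truststore_path(service_settings["path"])),
                  "password": service_settings.get("password"),
                  "type": (service_settings.get("type") or "PKCS12").upper(),
                  "source": "identity-service"}
    else:
        props = parse_properties(joc_properties_text)
        chosen = {"path": props["truststore_path"],
                  "password": props.get("truststore_password"),
                  "type": (props.get("truststore_type") or "PKCS12").upper(),
                  "source": "joc.properties"}
    if chosen["type"] not in ALLOWED_TYPES:
        raise ValueError(f"unsupported truststore type {chosen['type']!r}")
    chosen["warning"] = "JKS is deprecated, migrate to PKCS12" if chosen["type"] == "JKS" else None
    return chosen


if __name__ == "__main__":
    print(effective_truststore("https://vault.example.internal:8200",
                               {"path": "../../joc-truststore.p12", "password": "secret"},
                               SAMPLE_JOC_PROPERTIES))
```

Running the script with an absolute path such as /etc/ssl/truststore.p12, or with ../../../truststore.p12 (which would climb above JETTY_BASE), raises ValueError, mirroring the two cases the documentation says cannot be configured.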

...