...
- It is not necessary to use Keycloak to connect to an LDAP Directory Service as there is the built-in JS7 - LDAP Identity Service for this purpose.
- The authentication method has to be added to Keycloak.
- Authentication with an LDAP authentication service in Keycloak is possible using the LDAP user federation provider in Keycloak.
- The path of the Authentication Method has to be added to the Identity Service configuration in JOC Cockpit.
- The KEYCLOAK Identity Service Type has to be used, meaning that:
  - user accounts are managed with Keycloak.
  - user accounts are added to the JOC Cockpit to allow assignment of roles:
    - user accounts in Keycloak and in the JOC Cockpit have to match as otherwise the user account is not assigned a role.
  - no passwords are managed by the JOC Cockpit.
...
- the Keycloak product has to be installed and has to be accessible for JOC Cockpit and
- the following settings have to be specified:
Explanation:
Keycloak URL
: The base URL for which the Keycloak REST API is available.

Keycloak Administration Account
: A Keycloak account with the admin role. This account is used to get the roles for a Keycloak account.

Keycloak Administration Password
: The password for the Keycloak Administration Account.

Keycloak Truststore Path
: Should the Keycloak Server be configured for HTTPS connections then the indicated truststore has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication.
- The truststore can include a self-signed certificate or a CA-signed certificate. Typically the Root CA certificate is used, as otherwise the complete certificate chain involved in signing the Server Authentication Certificate has to be available with the truststore.
- If the Keycloak Server is operated for HTTPS connections and this setting is not specified then the JOC Cockpit will use the truststore that is configured with the JETTY_BASE/resources/joc/joc.properties configuration file. This includes use of the settings for the truststore password and truststore type.
- The path to the truststore is specified relative to the JETTY_BASE/resources/joc directory. If the truststore is located in this directory then only the file name is specified, typically with a .p12 extension. Other relative locations can be specified using, for example, ../../joc-truststore.p12 if the truststore is located in the JETTY_BASE directory. An absolute path cannot be specified and a path cannot be specified that lies before the JETTY_BASE directory in the file system hierarchy.

Keycloak Truststore Password
: If the Keycloak Server is configured for HTTPS connections and the indicated truststore is protected by a password then the password has to be specified.

Keycloak Truststore Type
: If the Keycloak Server is configured for HTTPS connections then the type of the truststore has to be specified, being either PKCS12 or JKS (deprecated).

Keycloak Client ID
: Clients are entities that can request Keycloak to authenticate a user, e.g. a client can be an application or a service that wants to use Keycloak to secure itself and provide a single sign-on solution. An example for a client is "JOC-COCKPIT".

Keycloak Client Secret
: The client has a secret, which needs to be known to both the application and the Keycloak server.
- The Keycloak Client ID and the Keycloak Client Secret are used in the POST requests for
  - requesting a valid token for
    - user authentication
    - admin access token
  - validating an existing token
  - renewing an existing valid token

Keycloak Realm
: A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control.
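The rules for the Keycloak Truststore Path and Keycloak Truststore Type settings above can be checked before a configuration is applied. The following is an added example written for this page, not JS7's own code; it assumes POSIX-style paths (as in the documentation's ../../joc-truststore.p12 example) and uses a constructed JETTY_BASE value.

```python
import posixpath

# Directory that the setting is resolved against, per the documentation.
JOC_RESOURCES_DIR = "resources/joc"
# Allowed "Keycloak Truststore Type" values mapped to their deprecation status.
TRUSTSTORE_TYPES = {"PKCS12": False, "JKS": True}


def resolve_truststore_path(jetty_base: str, setting: str) -> str:
    """Return the absolute truststore path for a "Keycloak Truststore Path" value.

    Raises ValueError when the value is empty, absolute, or resolves to a location
    before JETTY_BASE in the file system hierarchy. Pure string handling only.
    """
    base = posixpath.normpath(jetty_base)
    if not posixpath.isabs(base):
        raise ValueError("JETTY_BASE must be an absolute path")
    if not setting or posixpath.isabs(setting):
        raise ValueError(f"value must be relative to {base}/{JOC_RESOURCES_DIR}: {setting!r}")
    # Collapse "." and ".." components relative to JETTY_BASE/resources/joc.
    resolved = posixpath.normpath(posixpath.join(base, JOC_RESOURCES_DIR, setting))
    # commonpath compares whole components, so a sibling such as
    # JETTY_BASE_other/ cannot pass as being inside JETTY_BASE.
    if posixpath.commonpath([base, resolved]) != base:
        raise ValueError(f"truststore path escapes JETTY_BASE: {setting!r} -> {resolved}")
    return resolved


def is_valid_truststore_path(jetty_base: str, setting: str) -> bool:
    """Boolean form of resolve_truststore_path() for configuration checks."""
    try:
        resolve_truststore_path(jetty_base, setting)
        return True
    except ValueError:
        return False


def check_truststore_type(truststore_type: str) -> tuple[str, bool]:
    """Normalise a "Keycloak Truststore Type" value; returns (type, deprecated)."""
    normalised = truststore_type.strip().upper()
    if normalised not in TRUSTSTORE_TYPES:
        raise ValueError(f"unsupported truststore type {truststore_type!r}; use PKCS12 or JKS")
    return normalised, TRUSTSTORE_TYPES[normalised]


if __name__ == "__main__":
    jetty_base = "/opt/js7/joc/jetty_base"  # constructed sample value
    for value in ("joc-truststore.p12", "../../joc-truststore.p12",
                  "../../../joc-truststore.p12", "/etc/ssl/truststore.p12"):
        try:
            print(f"{value!r:32} -> {resolve_truststore_path(jetty_base, value)}")
        except ValueError as err:
            print(f"{value!r:32} -> rejected: {err}")
```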
Logging
- Log Files
  - Standard Log Files
    - Identity Services log output to the JETTY_BASE/logs/joc.log file. This includes reporting success or failure of authentication.
    - Successful and failed authentication attempts, including the user accounts involved, are logged to the JETTY_BASE/logs/audit.log file.
  - Debug Log Files
    - For problem analysis during setup of an Identity Service increase the log level as explained with JS7 - Log Levels and Debug Options.
    - The JETTY_BASE/logs/joc-debug.log file includes general debug output of JOC Cockpit.
    - The JETTY_BASE/logs/authentication-debug.log file includes debug output related to authentication and authorization.
    - The JETTY_BASE/logs/jetty.log file includes debug output of attempts to establish SSL connections.
...