...

  • It is not necessary to use Keycloak to connect to an LDAP Directory Service, as the built-in JS7 - LDAP Identity Service is available for this purpose.
  • The authentication method has to be added to Keycloak.
    • Authentication with an LDAP authentication service in Keycloak is possible using the LDAP user federation provider in Keycloak.
    • The path of the Authentication Method has to be added to the Identity Service configuration in JOC Cockpit.
  • The KEYCLOAK Identity Service Type has to be used, meaning that:
    • user accounts are managed with Keycloak.
    • user accounts are added to the JOC Cockpit to allow assignment of roles:
      • user accounts in Keycloak and in the JOC Cockpit have to match as otherwise the user account is not assigned a role.
      • no passwords are managed by the JOC Cockpit.

...

  • the Keycloak product has to be installed and has to be accessible to JOC Cockpit and
  • the following settings have to be specified:


Explanation:

TODO: The settings need to be explained.

  • Keycloak URL: the base URL at which the Keycloak REST API is available.
  • Keycloak Administration Account: a Keycloak account with the admin role. This account is used to retrieve the roles of a Keycloak account.
  • Keycloak Administration Password: the password for the Keycloak Administration Account.
  • Keycloak Truststore Path:  Should the Keycloak Server be configured for HTTPS connections then the indicated truststore has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication.
    • The truststore can include a self-signed certificate or a CA signed certificate. Typically the Root CA certificate is used as otherwise the complete certificate chain involved in signing the Server Authentication Certificate has to be available with the truststore.
    • If the Keycloak Server is operated for HTTPS connections and this setting is not specified then the JOC Cockpit will use the truststore that is configured with the JETTY_BASE/resources/joc/joc.properties configuration file. This includes use of settings for the truststore password and truststore type.
    • The path to the truststore is specified relative to the JETTY_BASE/resources/joc directory. If the truststore is located in this directory then only the file name is specified, typically with a .p12 extension. Other relative locations can be specified using, for example, ../../joc-truststore.p12 if the truststore is located in the JETTY_BASE directory. An absolute path cannot be specified and a path cannot be specified that lies before the JETTY_BASE directory in the file system hierarchy.
  • Keycloak Truststore Password: If the Keycloak Server is configured for HTTPS connections and the indicated truststore is protected by a password then the password has to be specified.
  • Keycloak Truststore Type: If the Keycloak Server is configured for HTTPS connections then the type of the truststore has to be specified being either PKCS12 or JKS (deprecated).
  • Keycloak Client ID: Clients are entities that can request Keycloak to authenticate a user. E.g. a client can be an application or a service that wants to use Keycloak to secure itself and to provide a single sign-on solution. An example for a client is "JOC-COCKPIT".
  • Keycloak Client Secret: The client has a secret, which needs to be known to both the application and the Keycloak server.
    • The Keycloak Client ID and the Keycloak Client Secret are used in the POST request for
      • requesting a valid token for
        • user authentication
        • the admin access token
      • validating an existing token
      • renewing an existing valid token
  • Keycloak Realm: A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control.
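As an added illustration (not part of the JS7 documentation or product code), the following Python functions encode the rules stated above for the Keycloak Truststore Path and Keycloak Truststore Type settings: the path is taken relative to JETTY_BASE/resources/joc, an absolute path is rejected, an empty value means the joc.properties truststore is used, and the path must not leave JETTY_BASE. The JETTY_BASE value used in the comments is a constructed placeholder, and the choice to check the "leaves JETTY_BASE" rule after every `..` step is an assumption of this example.

```python
from pathlib import PurePosixPath
from typing import Optional

# Truststore types named by the setting; JKS is deprecated according to the docs.
TRUSTSTORE_TYPES = {"PKCS12", "JKS"}


def resolve_truststore_path(jetty_base: str, configured: str) -> Optional[PurePosixPath]:
    """Resolve the 'Keycloak Truststore Path' setting.

    Returns None for an empty value (JOC Cockpit then falls back to the
    truststore configured in joc.properties). Raises ValueError for an
    absolute path or for a path that leaves JETTY_BASE. The traversal check
    runs after every '..' (assumption of this example), so a value cannot
    dodge the rule by leaving JETTY_BASE and re-entering it.
    Example: jetty_base="/opt/js7/jetty_base" (constructed placeholder).
    """
    if not configured.strip():
        return None
    base = PurePosixPath(jetty_base)
    if not base.is_absolute():
        raise ValueError("JETTY_BASE must be an absolute path")
    candidate = PurePosixPath(configured.strip())
    if candidate.is_absolute():
        raise ValueError("absolute truststore paths are not allowed: %s" % configured)
    # Normalise lexically, starting at JETTY_BASE/resources/joc, so the check
    # does not depend on the filesystem (no symlink or existence lookups).
    parts = list(base.parts) + ["resources", "joc"]
    for part in candidate.parts:
        if part == "..":
            parts.pop()
            if len(parts) < len(base.parts):
                raise ValueError("truststore path leaves JETTY_BASE: %s" % configured)
        elif part not in ("", "."):
            parts.append(part)
    return PurePosixPath(*parts)


def check_truststore_type(truststore_type: str) -> str:
    """Accept only the truststore types named in the docs (case-insensitive)."""
    normalised = truststore_type.strip().upper()
    if normalised not in TRUSTSTORE_TYPES:
        raise ValueError("unsupported truststore type: %s" % truststore_type)
    return normalised
```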

Logging

  • Log Files
    • Standard Log Files
      • Identity Services log output to the JETTY_BASE/logs/joc.log file. This includes reporting success or failure of authentication.
      • Successful and failed authentication attempts, including the user accounts involved, are logged to the JETTY_BASE/logs/audit.log file.
    • Debug Log Files
      • For problem analysis during setup of an Identity Service, increase the log level as explained with JS7 - Log Levels and Debug Options.
      • The JETTY_BASE/logs/joc-debug.log file includes general debug output of JOC Cockpit.
      • The JETTY_BASE/logs/authentication-debug.log file includes debug output related to authentication and authorization.
      • The JETTY_BASE/logs/jetty.log file includes debug output of attempts to establish SSL connections.

...