...

JS7 supports the following authentication methods with Keycloak:

  • Username Account & Password
  • LDAP
    • It is not required to use Keycloak to connect to an LDAP Directory Service as there is a built-in JS7 - LDAP Identity Service for this purpose.
    • This authentication method can be used with the KEYCLOAK Identity Service Type only.

...

Keycloak Server Configuration

The following objects have to be in place with Keycloak to enable authentication from JOC Cockpit:

  • a realm configuration,
  • a client configuration,
  • user accounts,
  • roles, depending on the Identity Service Type:
    • Roles are used with the Identity Service Type KEYCLOAK.
    • Roles are not required when using the Identity Service Type KEYCLOAK-JOC.

...

Realm

If no Keycloak Realm is present then it can be added using the "Add Realm" button in Keycloak. The default settings are sufficient.


Client

If no Keycloak Client is present then it can be added in Keycloak from the Configure/Client panel; existing clients can be configured from the same panel.

Roles

...

When the KEYCLOAK Identity Service Type is used then the names of roles in Keycloak have to match the roles in JOC Cockpit.

When the KEYCLOAK-JOC Identity Service Type is used then roles in Keycloak are not considered. Instead roles are assigned to accounts in JOC Cockpit.

TODO: What has to be configured on the Keycloak side?

Authentication Methods

...

Having added a Keycloak Identity Service it is necessary to add settings for the Keycloak integration from the Identity Service's Manage Settings action menu item.

For use of the Keycloak® Identity Service:

  • the Keycloak product has to be installed and has to be accessible for JOC Cockpit and
  • the following settings have to be specified:

...

  • Keycloak URL: the base URL for which the Keycloak REST API is available.
  • Keycloak Administration Account: A Keycloak Account with the admin role. This account is used to retrieve the roles of a Keycloak account.
  • Keycloak Administration Password: The password for the Keycloak Administration Account.
  • Keycloak Truststore Path:  Should the Keycloak Server be configured for HTTPS connections then the indicated truststore has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication.
    • The truststore can include a self-signed certificate or a CA signed certificate. Typically the Root CA certificate is used as otherwise the complete certificate chain involved in signing the Server Authentication Certificate has to be available with the truststore.
    • If the Keycloak Server is operated for HTTPS connections and this setting is not specified then the JOC Cockpit will use the truststore that is configured with the JETTY_BASE/resources/joc/joc.properties configuration file. This includes use of settings for the truststore password and truststore type.
    • The path to the truststore is specified relative to the JETTY_BASE/resources/joc directory. If the truststore is located in this directory then only the file name is specified, typically with a .p12 extension. Other relative locations can be specified using, for example, ../../joc-truststore.p12 if the truststore is located in the JETTY_BASE directory. An absolute path cannot be specified and a path cannot be specified that lies before the JETTY_BASE directory in the file system hierarchy.
  • Keycloak Truststore Password: If the Keycloak Server is configured for HTTPS connections and the indicated truststore is protected by a password then the password has to be specified.
  • Keycloak Truststore Type: If the Keycloak Server is configured for HTTPS connections then the type of the truststore has to be specified being either PKCS12 or JKS (deprecated).
  • Keycloak Client ID: Clients are entities that can request Keycloak to authenticate a user. For example, an application such as JOC Cockpit or a service acts as a Client to the Keycloak server in order to secure itself. Clients use Keycloak to authenticate and to provide a single sign-on solution. An example for a client is "JOC-COCKPIT".
  • Keycloak Client Secret: The Client has a secret which has to be known to both the Keycloak server and JOC Cockpit. The Keycloak Client ID and the Keycloak Client Secret are used in the requests for
    • requesting a valid token
      • for user authentication,
      • for an admin access token,
    • validating an existing token,
    • renewing an existing valid token.
  • Keycloak Realm: A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from each other and can only manage and authenticate the user accounts that they control.
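The settings above map onto a handful of Keycloak HTTP endpoints. The following Python script is an added example and is not part of the JS7 documentation or of the JOC Cockpit code: it builds the token, introspection and admin role-mapping requests that a client such as "JOC-COCKPIT" would send with the Client ID and Client Secret, inspects the realm roles carried in a constructed, unsigned access token so that they can be compared with JOC Cockpit role names (the exact-match rule of the KEYCLOAK Identity Service Type), and checks a Keycloak Truststore Path setting against the rule that the path is relative to JETTY_BASE/resources/joc and must neither be absolute nor leave JETTY_BASE. The server URL, realm name, secret, user name and JOC Cockpit role names are assumed example values; the endpoint paths are Keycloak's standard OpenID Connect and Admin REST API paths (Keycloak versions before 17 prefixed them with /auth).

```python
"""Added example (not JS7 or JOC Cockpit code): the requests a Keycloak client
sends, unverified inspection of token roles, and the truststore path rule."""
import base64
import json
import posixpath
from urllib.parse import urlencode

# Assumed example settings; replace with the values of your installation.
KEYCLOAK_URL = "https://keycloak.example.com:8443"   # "Keycloak URL"
REALM = "js7"                                         # "Keycloak Realm"
CLIENT_ID = "JOC-COCKPIT"                             # "Keycloak Client ID"
CLIENT_SECRET = "replace-with-the-client-secret"      # "Keycloak Client Secret"


def token_endpoint(base_url: str = KEYCLOAK_URL, realm: str = REALM) -> str:
    """Standard OIDC token endpoint of a realm (Keycloak < 17: add /auth to the base URL)."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def password_grant(username: str, password: str) -> tuple:
    """Request a token for user authentication; returns (url, form-encoded body)."""
    body = {"grant_type": "password", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "username": username, "password": password}
    return token_endpoint(), urlencode(body)


def refresh_grant(refresh_token: str) -> tuple:
    """Renew an existing valid token."""
    body = {"grant_type": "refresh_token", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "refresh_token": refresh_token}
    return token_endpoint(), urlencode(body)


def introspect(token: str) -> tuple:
    """Validate an existing token server-side; the reliable way to check a token."""
    body = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "token": token}
    return token_endpoint() + "/introspect", urlencode(body)


def admin_realm_roles_url(user_id: str) -> str:
    """Admin REST API path listing a user's realm roles; a request to it needs an
    admin access token, which is what the Administration Account is for."""
    return f"{KEYCLOAK_URL}/admin/realms/{REALM}/users/{user_id}/role-mappings/realm"


def unverified_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT checking the signature. Good for looking at a
    token, never for authorization: verify against the realm's JWKS or use
    introspect() before trusting any claim."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def realm_roles(claims: dict) -> list:
    return list(claims.get("realm_access", {}).get("roles", []))


def matching_roles(keycloak_roles, joc_roles) -> list:
    """KEYCLOAK Identity Service Type: only role names that match exactly carry over."""
    return sorted(set(keycloak_roles) & set(joc_roles))


def truststore_path(jetty_base: str, setting: str) -> str:
    """Resolve a 'Keycloak Truststore Path' setting relative to JETTY_BASE/resources/joc.
    Absolute paths and paths that climb above JETTY_BASE are rejected."""
    if posixpath.isabs(setting):
        raise ValueError("absolute truststore paths are not allowed")
    base = posixpath.normpath(jetty_base)
    resolved = posixpath.normpath(posixpath.join(base, "resources", "joc", setting))
    if not resolved.startswith(base + "/"):
        raise ValueError("truststore path lies outside JETTY_BASE")
    return resolved


def truststore_path_ok(jetty_base: str, setting: str) -> bool:
    try:
        truststore_path(jetty_base, setting)
        return True
    except ValueError:
        return False


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample token: realistic Keycloak claim shape, bogus signature.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT", "kid": "example-key"}),
    _b64url({"iss": f"{KEYCLOAK_URL}/realms/{REALM}", "azp": CLIENT_ID,
             "preferred_username": "alice",
             "realm_access": {"roles": ["all", "offline_access", "uma_authorization"]}}),
    "not-a-real-signature",
])

if __name__ == "__main__":
    url, body = password_grant("alice", "example-password")
    print(url, body, sep="\n")
    claims = unverified_claims(SAMPLE_TOKEN)
    # Hypothetical JOC Cockpit role names used for the comparison.
    print(matching_roles(realm_roles(claims), ["all", "administrator"]))
    print(truststore_path("/opt/js7/joc/jetty_base", "../../joc-truststore.p12"))
```

Two points worth keeping in mind when running this against a real server: the Client Secret and the Administration Password are credentials that let anyone holding them mint and validate tokens for the realm, so they belong in the same protection class as the JOC Cockpit database credentials; and `unverified_claims()` exists only to show which roles a token carries, while a role decision in production has to rest on a signature-verified token or on the introspection response.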

Logging

...