Chapter 4. Authenticating Decision Central through RH-SSO
This chapter describes how to authenticate Decision Central through RH-SSO. It includes the following sections:
- Section 4.1, “Creating the Decision Central client for RH-SSO”
- Section 4.2, “Installing the RH-SSO client adapter for Decision Central”
- Section 4.3, “Securing Decision Central remote service using RH-SSO”
- Section 4.4, “Securing Decision Central file system services using RH-SSO”
- Section 4.5, “Enabling user and group management for RH-SSO”
- Decision Central is installed in a Red Hat JBoss EAP 7.2 server, as described in Installing and configuring Red Hat Decision Manager on Red Hat JBoss EAP.
- RH-SSO is installed as described in Chapter 2, Installing and configuring RH-SSO.
- Decision Central users have been added to RH-SSO as described in Chapter 3, Adding Red Hat Decision Manager users.
4.1. Creating the Decision Central client for RH-SSO
After the RH-SSO server starts, open http://localhost:8180/auth/admin in a web browser and log in using the admin credentials that you created while installing RH-SSO. When you login for the first time, you can set up the initial user on the new user registration form.
- In the RH-SSO Admin Console, click the Realm Settings menu item.
On the Realm Settings page, click Add Realm.
The Add realm page opens.
- On the Add realm page, provide a name for the realm and click Create.
Click the Clients menu item and click Create.
The Add Client page opens.
On the Add Client page, provide the required information to create a new client for your realm. For example:
- Client ID: kie
- Client protocol: openid-connect
Click Save to save your changes.
After you create a new client, its Access Type is set to
publicby default. Change it to
The RH-SSO server is now configured with a realm with a client for Decision Central applications and running and listening for HTTP connections at
localhost:8180. This realm provides different users, roles, and sessions for Decision Central applications.
4.2. Installing the RH-SSO client adapter for Decision Central
After you install RH-SSO, you must install the RH-SSO client adapter for Red Hat JBoss EAP and configure it for Decision Central.
- Decision Central is installed in a Red Hat JBoss EAP 7.2 instance, as described in as described in Installing and configuring Red Hat Decision Manager on Red Hat JBoss EAP.
- RH-SSO is installed as described in Chapter 2, Installing and configuring RH-SSO.
A user with the
adminrole has been added to RH-SSO as described in Chapter 3, Adding Red Hat Decision Manager users.
Navigate to the Software Downloads page in the Red Hat Customer Portal (login required), and select the product and version from the drop-down options:
- Product: Red Hat Single Sign-On
- Version: 7.2
Download Red Hat Single Sign-on 7.2.0 Client Adapter for JBoss EAP 7 (
Unzip and install
rh-sso-7.2.0-eap7-adapter.zip. For installation instructions, see the "JBoss EAP Adapter" section of the Red Hat Single Sign On Securing Applications and Services Guide.
EAP_HOME/standalone/configurationand open the
<single-sign-on/>element from both of the files.
Navigate to the
EAP_HOME/standalone/configurationdirectory in your Red Hat JBoss EAP installation and edit the
standalone-full.xmlfiles to add the RH-SSO subsystem configuration. For example:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"> <secure-deployment name="decision-central.war"> <realm>demo</realm> <realm-public-key>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</realm-public-key> <auth-server-url>http://localhost:8180/auth</auth-server-url> <ssl-required>external</ssl-required> <enable-basic-auth>true</enable-basic-auth> <resource>kie</resource> <credential name="secret">759514d0-dbb1-46ba-b7e7-ff76e63c6891</credential> <principal-attribute>preferred_username</principal-attribute> </secure-deployment> </subsystem>
In this example:
secure-deployment nameis the name of your application’s WAR file.
realmis the name of the realm that you created for the applications to use.
realm-public-keyis the public key of the realm you created. You can find the key in the Keys tab in the Realm settings page of the realm you created in the RH-SSO Admin Console. If you do not provide a value for
realm-public-key, the server retrieves it automatically.
auth-server-urlis the URL for the RH-SSO authentication server.
enable-basic-authis the setting to enable basic authentication mechanism, so that the clients can use both token-based and basic authentication approaches to perform the requests.
resourceis the name for the client that you created.
credential nameis the secret key for the client you created. You can find the key in the Credentials tab on the Clients page of the RH-SSO Admin Console.
principal-attributeis the login name of the user. If you do not provide this value, your User Id is displayed in the application instead of your user name.Note
The RH-SSO server converts the user names to lower case. Therefore, after integration with RH-SSO, your user name will appear in lower case in Red Hat Decision Manager. If you have user names in upper case hard coded in business processes, the application might not be able to identify the upper case user.
EAP_HOME/bin/and enter the following command to start the Red Hat JBoss EAP server:
./standalone.sh -c standalone-full.xml
You can also configure the RH-SSO adapter for Decision Central by updating your application’s WAR file to use the RH-SSO security subsystem. However, Red Hat recommends that you configure the adapter through the RH-SSO subsystem. Doing this updates the Red Hat JBoss EAP configuration instead of applying the configuration on each WAR file.
4.3. Securing Decision Central remote service using RH-SSO
Decision Central provides different remote service endpoints that can be consumed by third-party clients using a remote API. To authenticate those services through RH-SSO, you must disable the
Open the Decision Central application deployment descriptor file (
WEB-INF/web.xml) and apply the following changes to it:
Remove the following lines to remove the servlet filter and its mapping for class
<filter> <filter-name>HTTP Basic Auth Filter</filter-name> <filter-class>org.uberfire.ext.security.server.BasicAuthSecurityFilter</filter-class> <init-param> <param-name>realmName</param-name> <param-value>KIE Workbench Realm</param-value> </init-param> </filter> <filter-mapping> <filter-name>HTTP Basic Auth Filter</filter-name> <url-pattern>/rest/*</url-pattern> <url-pattern>/maven2/*</url-pattern> <url-pattern>/ws/*</url-pattern> </filter-mapping>
Add the following lines to add the
security-constraintparameter for the url-patterns that you have removed from the filter mapping:
<security-constraint> <web-resource-collection> <web-resource-name>remote-services</web-resource-name> <url-pattern>/rest/*</url-pattern> <url-pattern>/maven2/*</url-pattern> <url-pattern>/ws/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>rest-all</role-name> <role-name>rest-project</role-name> <role-name>rest-deployment</role-name> <role-name>rest-process</role-name> <role-name>rest-process-read-only</role-name> <role-name>rest-task</role-name> <role-name>rest-task-read-only</role-name> <role-name>rest-query</role-name> <role-name>rest-client</role-name> </auth-constraint> </security-constraint>
- Save your changes.
4.4. Securing Decision Central file system services using RH-SSO
To consume other remote services such as file systems (for example, a remote GIT service), you must specify the correct RH-SSO login module.
Generate a JSON configuration file:
- Navigate to the RH-SSO Admin Console located at http://localhost:8180/auth/admin.
- Click Clients.
Create a new client with the following settings:
Set Client ID as
Set Access Type as
- Disable the Standard Flow Enabled option.
- Enable the Direct Access Grants Enabled option.
- Set Client ID as
- Click Save.
- Click the Installation tab at the top of the client configuration screen and choose Keycloak OIDC JSON as a Format Option.
- Click Download.
- Move the downloaded JSON file to an accessible directory in the server’s file system or add it to the application class path.
Specify the correct RH-SSO login module in the
standalone-full.xmlfiles. By default, the security domain in Red Hat Decision Manager is set to
other. Replace the default values of the
login-modulein this security domain with the values in the following example:
<security-domain name="other" cache-type="default"> <authentication> <login-module code="org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule" flag="required"> <module-option name="keycloak-config-file" value="$EAP_HOME/kie-git.json"/> </login-module> </authentication> </security-domain>
The JSON file specified in the
module-optionelement contains a client used for securing the remote services. Replace the
$EAP_HOME/kie-git.jsonvalue of the
module-optionelement with the absolute path or the class path (
classpath:/EXAMPLE_PATH/kie-git.json) to this JSON configuration file.
At this point, all users authenticated through the RH-SSO server can clone internal GIT repositories. In the following command, change
USER_NAMEto a RH-SSO user, for example
git clone ssh://USER_NAME@localhost:8001/system
4.5. Enabling user and group management for RH-SSO
This section describes how you can configure Decision Central to manage users and groups stored in RH-SSO.
Ensure that the following libraries are in the
uberfire-security-management-api-<latest_artifact_version>.jar uberfire-security-management-backend-<latest_artifact_version>.jar uberfire-security-management-keycloak-<latest_artifact_version>.jar keycloak-core-<latest_artifact_version>.jar keycloak-common-<latest_artifact_version>.jar
Remove third-party security JAR files, for example:
Replace the entire contents of the
WEB-INF/classes/security-management.propertiesfile with the following content:
WEB-INF/classes/security-management.propertiesfile does not exist, create it.
Edit the following dependencies and exclusions in the
<dependencies> <module name="org.jboss.resteasy.resteasy-jackson-provider" services="import"/> </dependencies> <exclusions> <module name="org.jboss.resteasy.resteasy-jackson2-provider"/> </exclusions>