12.2. Intelligent Process Server Authentication through RH-SSO
The Red Hat JBoss BPM Suite Intelligent Process Server provides a REST API for third-party clients. You can integrate the Intelligent Process Server with RH-SSO to delegate the third-party clients' identity management to the RH-SSO server.
Once you have created a realm client for Business Central and set up the RH-SSO client adapter for EAP, you can repeat the same steps to integrate the Intelligent Process Server with RH-SSO.
12.2.1. Creating Client for Intelligent Process Server on RH-SSO
To create a new client in the realm that you already created in the RH-SSO admin console:
Procedure: Creating a Client for the Intelligent Process Server
- On the RH-SSO admin console, open the security realm that you created.
- Click the Client tab from the main menu and click Create. The Add Client page opens.
- On the Add Client page, provide the required information to create a new client for your realm. For example:
  - Client ID: kie-execution-server
  - Root URL: http://localhost:8080/kie-server
  - Client protocol: openid-connect
- Navigate to the Credentials tab, copy the secret key, and paste it on the kie-execution-server client configuration screen.
- Click Save to save your changes.

Once you create a new client, its access value is public by default. Change it to confidential.
12.2.2. Installing and Setting Up Intelligent Process Server with Client Adapter
To consume the Intelligent Process Server remote service endpoints, you must first create and assign the kie-server role in the RH-SSO admin console.
Procedure: Setting Up the Intelligent Process Server
- Navigate to EAP_HOME/standalone/configuration in your EAP installation and edit standalone.xml to add the RH-SSO subsystem configuration. For example:

  <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="kie-server.war">
      <realm>demo</realm>
      <realm-public-key>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</realm-public-key>
      <auth-server-url>http://localhost:8180/auth</auth-server-url>
      <ssl-required>external</ssl-required>
      <resource>kie-execution-server</resource>
      <enable-basic-auth>true</enable-basic-auth>
      <credential name="secret">03c2b267-7f64-4647-8566-572be673f5fa</credential>
      <principal-attribute>preferred_username</principal-attribute>
    </secure-deployment>
  </subsystem>
  <system-properties>
    <property name="org.kie.server.sync.deploy" value="false"/>
  </system-properties>

  Here,
  - secure-deployment name: Name of your application WAR file.
  - realm: Name of the realm that you created for the applications to use.
  - realm-public-key: The public key of the realm you created. You can find it in the Keys tab in the Realm settings page of the realm you created in the RH-SSO admin console. If you do not provide a value for this public key, the server retrieves it automatically.
  - auth-server-url: The URL for the RH-SSO authentication server.
  - resource: The name for the server client that you created.
  - enable-basic-auth: The setting to enable basic authentication mechanism, so that the clients can use both token-based and basic authentication approaches to perform the requests.
  - credential name: The secret key of the server client you created. You can find it in the Credentials tab on the Clients page of the RH-SSO admin console.
  - principal-attribute: The login name of the user. If you do not provide this value, your User Id is displayed in the application instead of your user name.
- Save your configuration changes in standalone.xml. Use the following command to restart the EAP server and run the Intelligent Process Server.
EXEC_SERVER_HOME/bin/standalone.sh -Dorg.kie.server.id=<ID> -Dorg.kie.server.user=<USER> -Dorg.kie.server.pwd=<PWD> -Dorg.kie.server.location=<LOCATION_URL> -Dorg.kie.server.controller=<CONTROLLER_URL> -Dorg.kie.server.controller.user=<CONTROLLER_USER> -Dorg.kie.server.controller.pwd=<CONTROLLER_PASSWORD>
Here is an example:
EXEC_SERVER_HOME/bin/standalone.sh -Dorg.kie.server.id=kieserver1 -Dorg.kie.server.user=kieserver -Dorg.kie.server.pwd=password -Dorg.kie.server.location=http://localhost:8080/kie-server/services/rest/server -Dorg.kie.server.controller=http://localhost:8080/business-central/rest/controller -Dorg.kie.server.controller.user=kiecontroller -Dorg.kie.server.controller.pwd=password
Once the Intelligent Process Server is running, you can check the server status using the following command:
curl http://kieserver:password@localhost:8080/kie-server/services/rest/server/
Token-based authorization is also supported for communication between Business Central and the Intelligent Process Server. Additionally, you can use the complete token as a system property (instead of a user name and password) for your applications. However, you must ensure that the token does not expire during the period of interaction between the applications, because it is not automatically refreshed.
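The expiry caveat above can be checked on the client side before each call. The following is an added example, not part of the Red Hat documentation: it requests a token from the realm's token endpoint and refuses to call the server with a token that is about to expire. The default URLs, realm and client ID come from the sample configuration on this page; CLIENT_SECRET, KIE_USER and KIE_PASSWORD are hypothetical environment variable names, and the password grant is assumed to be enabled for the client.

```bash
#!/usr/bin/env bash
# Added example. Defaults mirror the page's sample standalone.xml; override via environment.
SSO_URL="${SSO_URL:-http://localhost:8180/auth}"   # auth-server-url
REALM="${REALM:-demo}"                              # realm
CLIENT_ID="${CLIENT_ID:-kie-execution-server}"      # resource
KIE_URL="${KIE_URL:-http://localhost:8080/kie-server/services/rest/server}"

# Print the decoded payload (second segment) of a JWT: base64url -> base64, re-pad, decode.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# Print the numeric "exp" claim (seconds since the epoch).
jwt_exp() {
  jwt_payload "$1" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Succeed only if the token stays valid for at least $2 more seconds.
# $3 overrides "now" so the check can be exercised with a fixed clock.
token_usable() {
  local exp now
  exp=$(jwt_exp "$1")
  [ -n "$exp" ] || return 1
  now="${3:-$(date +%s)}"
  [ $(( exp - now )) -ge "$2" ]
}

# Request an access token (password grant, assumed enabled for the client).
# Secrets (hypothetical variable names) are read from the environment and reach
# curl on stdin via "-K -", so they do not appear in the process list.
get_token() {
  curl -sS -K - <<EOF | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
url = "$SSO_URL/realms/$REALM/protocol/openid-connect/token"
data-urlencode = "grant_type=password"
data-urlencode = "client_id=$CLIENT_ID"
data-urlencode = "client_secret=$CLIENT_SECRET"
data-urlencode = "username=$KIE_USER"
data-urlencode = "password=$KIE_PASSWORD"
EOF
}

# Query the server status with a bearer token; refuse one expiring within 60 seconds.
kie_status() {
  token_usable "$1" 60 || { echo "token expired or about to expire" >&2; return 1; }
  printf 'header = "Authorization: Bearer %s"\nurl = "%s"\n' "$1" "$KIE_URL" | curl -sS -K -
}
```

Source the file, export the three secrets, then run `kie_status "$(get_token)"`; a long-running client calls `token_usable` before each request and fetches a new token when it fails.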
