Chapter 8. Integrating Red Hat JBoss BRMS with Red Hat Single Sign-On
Red Hat Single Sign-On (RH-SSO) is a Single Sign-On solution that you can use for securing your browser applications and your REST web services. This chapter describes how you can integrate RH-SSO with Red Hat JBoss BRMS and leverage its features.
Integrating with RH-SSO brings an integrated SSO and IDM (Identity Management) environment for Red Hat JBoss BRMS. The session management feature of RH-SSO allows you to use different Red Hat JBoss BRMS environments on the web by authenticating only once.
For more information on RH-SSO, see the RH-SSO documentation.
Red Hat Single Sign On Integration Points
You can integrate RH-SSO with Realtime Decision Servers using the following integration points:
Business Central authentication through an RH-SSO server
Authenticating Red Hat JBoss BRMS Business Central through RH-SSO involves securing both the Business Central web client and its remote services through RH-SSO. This integration enables you to connect to Business Central through RH-SSO using either the web interface or a remote service consumer.
Realtime Decision Server authentication through an RH-SSO server
Authenticating Red Hat JBoss BRMS Realtime Decision Server through RH-SSO involves securing the remote services provided by the Realtime Decision Server as it does not provide a web interface for server authentication. This enables any remote Red Hat JBoss BRMS service consumer (user or a service) to authenticate through RH-SSO.
Third-party client authentication through an RH-SSO server
Authenticating a third-party client through an RH-SSO server involves third-party clients authenticating themselves with RH-SSO in order to consume the remote service endpoints provided by Business Central and the Realtime Decision Server.
The following sections describe how to achieve RH-SSO integration through these integration points:
8.1. Business Central Authentication through RH-SSO
To authenticate Business Central through RH-SSO:
- Set up and run an RH-SSO server with a realm client for Business Central.
- Install and set up the RH-SSO client adapter for EAP.
- Secure Business Central Remote Service using RH-SSO.
8.1.1. Setting Up RH-SSO with Realm Client for Business Central
Security realms are used to restrict access to the resources of different applications. It is advised to create a new realm whether your RH-SSO instance is private or shared with other products. You can keep the master realm as a place for super administrators to create and manage the realms in your system. If you are integrating with an RH-SSO instance that is shared with other product installations to achieve Single Sign-On with those applications, all those applications must use the same realm.
Here is how you can install an RH-SSO server and create a security realm for Business Central:
Procedure: Setting Up RH-SSO with Realm Client
- Install and configure a basic RH-SSO standalone server. To do this, follow the instructions in the RH-SSO Installation Guide.
  Note: If you want to run both RH-SSO and Red Hat JBoss BRMS servers on the same machine, ensure that you avoid port conflicts. To do so, do one of the following:
  - Update the RHSSO_HOME/standalone/configuration/standalone.xml file and set a port offset to 100. For example:
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:100}">
  - Use an environment variable to run the server:
    bin/standalone.sh -Djboss.socket.binding.port-offset=100
- Start the RH-SSO server using the following command from RHSSO_HOME/bin:
  ./standalone.sh
- Once the RH-SSO server starts, open http://localhost:8180/auth/admin in a web browser and log in using the admin credentials that you created while installing RH-SSO. When you log in for the first time, you can set up the initial user using the new user registration form.
- On the RH-SSO admin console, click the Realm Settings tab.
- On the Realm Settings page, click Add Realm. The Add realm page opens.
- On the Add realm page, provide a name for the realm and click Create.
- Click the Client tab from the main admin console menu and click Create. The Add Client page opens.
- On the Add Client page, provide the required information to create a new client for your realm. For example:
  - Client ID: kie
  - Client protocol: openid-connect
  - Root URL: http://localhost:8080/business-central
- Click Save to save your changes.
At this point, the RH-SSO server is configured with a realm and a client for Red Hat JBoss BRMS applications (Business Central, in this example), and is running and listening for HTTP connections at localhost:8180. This realm provides the users, roles, and sessions for the Red Hat JBoss BRMS applications.
8.1.2. Setting Up RH-SSO Client Adapter for EAP
To set up the RH-SSO client adapter for EAP:
- Install the RH-SSO adapter for EAP.
- Configure the Red Hat JBoss BRMS application and the RH-SSO client adapter.
Procedure: Installing the RH-SSO Adapter for EAP
- Install EAP 6.4.X. See Chapter 2. Installation Instructions from the Red Hat JBoss Enterprise Application Platform Installation Guide.
- Install Red Hat JBoss BRMS in the freshly installed JBoss EAP. This step is important because if you configure the RH-SSO adapter by making changes in standalone.xml and then unzip Red Hat JBoss BRMS, you may overwrite and lose the RH-SSO adapter configuration.
- Download the EAP adapter from the Red Hat Customer Portal.
- Unzip and install the adapter. For installation instructions, see Installing Adapters for Red Hat Single Sign-On in the RH-SSO Installation Guide.
Procedure: Configuring the RH-SSO Adapter
- Navigate to EAP_HOME/standalone/configuration in your EAP installation and edit standalone.xml to add the RH-SSO subsystem configuration. For example:
  <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="business-central.war">
      <realm>demo</realm>
      <realm-public-key>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</realm-public-key>
      <auth-server-url>http://localhost:8180/auth</auth-server-url>
      <ssl-required>external</ssl-required>
      <enable-basic-auth>true</enable-basic-auth>
      <resource>kie</resource>
      <credential name="secret">759514d0-dbb1-46ba-b7e7-ff76e63c6891</credential>
      <principal-attribute>preferred_username</principal-attribute>
    </secure-deployment>
  </subsystem>
  Here,
  - secure-deployment name: Name of your application's WAR file.
  - realm: Name of the realm that you created for the applications to use.
  - realm-public-key: The public key of the realm you created. You can find it in the Keys tab on the Realm Settings page of the realm you created in the RH-SSO admin console. If you do not provide a value for realm-public-key, the server retrieves it automatically.
  - auth-server-url: The URL of the RH-SSO authentication server.
  - enable-basic-auth: The setting that enables the basic authentication mechanism, so that clients can use both token-based and basic authentication to perform requests.
  - resource: The name of the client that you created.
  - credential name: The secret key of the client you created. You can find it in the Credentials tab on the Clients page of the RH-SSO admin console.
  - principal-attribute: The login name of the user. If you do not provide this value, your user ID is displayed in the application instead of your user name.
  Note: The RH-SSO server converts user names to lowercase. Therefore, after integration with RH-SSO, your user name appears in lowercase in Business Central. If you have user names in upper-case letters hard coded in business processes, the application may not be able to identify the upper-case user.
- Add the following subelement under the <extensions> section of standalone.xml:
  <extension module="org.keycloak.keycloak-adapter-subsystem"/>
  This secures the application using the urn:jboss:domain:keycloak subsystem in standalone.xml, as opposed to securing it through the web.xml file inside each WAR.
- Navigate to EAP_HOME/bin/ and start the EAP server using the following command:
  ./standalone.sh
Once the server is running, you can log in to your Red Hat JBoss BRMS application (in this example, Business Central) using the RH-SSO admin user credentials.
You can also configure the RH-SSO adapter for EAP by updating your application's WAR file to use the RH-SSO security subsystem. However, the recommended approach is to configure the adapter through the RH-SSO subsystem, which means that you update the EAP configuration instead of applying the configuration to each WAR file.
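The secure-deployment element above carries the settings that decide how safely the adapter talks to RH-SSO: ssl-required governs whether tokens and, with enable-basic-auth, passwords cross the wire in the clear; realm-public-key is what the adapter uses to verify token signatures; credential holds the client secret. As an added example, not code from the Red Hat documentation or the RH-SSO project, the following Python script parses such a fragment and reports those points the way a reviewer would check them before rollout. The XML is the chapter's sample embedded as a constructed string, the hardened variant and MIN_RSA_BITS are the example's own assumptions, and the severities are the example's labels; the chapter's sample realm key decodes to a 1024-bit RSA modulus, which the check flags. Only the standard library is used, so it runs offline.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the secure-deployment from this chapter, with the realm public key
# and client secret exactly as they appear in the documentation example.
SAMPLE_SUBSYSTEM = """<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="business-central.war">
    <realm>demo</realm>
    <realm-public-key>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</realm-public-key>
    <auth-server-url>http://localhost:8180/auth</auth-server-url>
    <ssl-required>external</ssl-required>
    <enable-basic-auth>true</enable-basic-auth>
    <resource>kie</resource>
    <credential name="secret">759514d0-dbb1-46ba-b7e7-ff76e63c6891</credential>
    <principal-attribute>preferred_username</principal-attribute>
  </secure-deployment>
</subsystem>
"""

# Constructed hardened variant: same deployment with ssl-required tightened to "all".
HARDENED_SUBSYSTEM = SAMPLE_SUBSYSTEM.replace(
    "<ssl-required>external</ssl-required>", "<ssl-required>all</ssl-required>")

MIN_RSA_BITS = 2048   # assumption: the reviewer's minimum acceptable realm key size


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _der_tlv(buf, i):
    """Decode the DER tag and length at offset i; return (tag, value_start, value_end)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, i, i + length


def rsa_key_info(b64_spki):
    """Parse a base64 SubjectPublicKeyInfo (the realm-public-key format) and return the
    RSA modulus size in bits and the public exponent. Raises ValueError on malformed input."""
    der = base64.b64decode(b64_spki, validate=True)
    try:
        tag, i, end = _der_tlv(der, 0)             # SubjectPublicKeyInfo ::= SEQUENCE
        if tag != 0x30 or end != len(der):
            raise ValueError("not a DER SubjectPublicKeyInfo")
        _, _, alg_end = _der_tlv(der, i)           # AlgorithmIdentifier (rsaEncryption, NULL)
        tag, i, _ = _der_tlv(der, alg_end)         # BIT STRING wrapping RSAPublicKey
        if tag != 0x03:
            raise ValueError("expected BIT STRING")
        _, i, _ = _der_tlv(der, i + 1)             # skip the unused-bits byte, enter RSAPublicKey SEQUENCE
        tag, n_start, n_end = _der_tlv(der, i)     # INTEGER modulus
        if tag != 0x02:
            raise ValueError("expected INTEGER modulus")
        modulus = int.from_bytes(der[n_start:n_end], "big")
        _, e_start, e_end = _der_tlv(der, n_end)   # INTEGER publicExponent
    except IndexError:
        raise ValueError("truncated DER")
    return {"modulus_bits": modulus.bit_length(),
            "exponent": int.from_bytes(der[e_start:e_end], "big")}


def audit_secure_deployment(subsystem_xml):
    """Return (severity, message) findings for each secure-deployment in a keycloak
    subsystem fragment: transport settings, realm key sanity, and secret handling."""
    findings = []
    for dep in ET.fromstring(subsystem_xml):
        if _local(dep.tag) != "secure-deployment":
            continue
        name = dep.get("name", "?")
        cfg = {_local(c.tag): (c.text or "").strip() for c in dep}
        ssl = cfg.get("ssl-required", "external").lower()   # adapter default when omitted
        basic = cfg.get("enable-basic-auth", "false").lower() == "true"
        if ssl == "none":
            findings.append(("high", f"{name}: ssl-required=none lets tokens and credentials travel over plaintext HTTP"))
        elif ssl == "external" and basic:
            findings.append(("medium", f"{name}: enable-basic-auth=true with ssl-required=external sends passwords "
                                       "in the clear from clients on private addresses; prefer ssl-required=all"))
        key = cfg.get("realm-public-key")
        if not key:
            findings.append(("info", f"{name}: no realm-public-key; the adapter fetches it from auth-server-url, so that URL must be trusted"))
        else:
            try:
                bits = rsa_key_info(key)["modulus_bits"]
            except ValueError as exc:
                findings.append(("high", f"{name}: realm-public-key is not a valid SubjectPublicKeyInfo ({exc})"))
            else:
                if bits < MIN_RSA_BITS:
                    findings.append(("medium", f"{name}: realm RSA key is {bits} bits; regenerate realm keys at {MIN_RSA_BITS} bits or more"))
        if any(_local(c.tag) == "credential" for c in dep):
            findings.append(("info", f"{name}: client secret is stored in standalone.xml; restrict file permissions and keep it out of version control"))
        if "principal-attribute" not in cfg:
            findings.append(("info", f"{name}: principal-attribute unset; Business Central shows the user id instead of the user name"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_secure_deployment(SAMPLE_SUBSYSTEM):
        print(f"[{severity}] {message}")
```

Run it against your own standalone.xml by passing the extracted subsystem element to audit_secure_deployment; the DER walk is deliberately minimal (it trusts the AlgorithmIdentifier to be rsaEncryption) because its job is to catch a pasted key that is truncated or from the wrong realm, not to replace the adapter's signature verification.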
8.1.3. Adding a New User
To add new users and assign them a role to access Business Central:
- Log in to the RH-SSO Admin console and open the realm you wish to add a user to.
- Click Users under the Manage section in the left menu bar. An empty user list page called Users opens.
- Click the Add User button on the empty user list to start creating your new user. An Add user page opens.
- Provide user information on the Add user page and click Save.
- Set a new password under the Credentials tab.
- Assign the new user one of the roles that allow access to Business Central (for example, the admin or analyst role for Red Hat JBoss BRMS and the admin or developer role for Red Hat JBoss BPM Suite). Define the roles as realm roles on the Roles page under the Configure section.
- Click the Role Mappings tab on the Users page to assign roles.
8.1.4. Securing Business Central Remote Service using RH-SSO
Business Central provides different remote service endpoints that third-party clients can consume through the remote API. To authenticate those services through RH-SSO, you must disable a security filter called BasicAuthSecurityFilter. To do this, follow these steps:
Procedure: Disabling BasicAuthSecurityFilter
- Open your application deployment descriptor file (WEB-INF/web.xml) and apply the following changes to it:
  - Remove the following lines to remove the servlet filter and its mapping for the class org.uberfire.ext.security.server.BasicAuthSecurityFilter:
    <filter>
      <filter-name>HTTP Basic Auth Filter</filter-name>
      <filter-class>org.uberfire.ext.security.server.BasicAuthSecurityFilter</filter-class>
      <init-param>
        <param-name>realmName</param-name>
        <param-value>KIE Workbench Realm</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>HTTP Basic Auth Filter</filter-name>
      <url-pattern>/rest/*</url-pattern>
      <url-pattern>/maven2/*</url-pattern>
      <url-pattern>/ws/*</url-pattern>
    </filter-mapping>
  - Add the following lines to add the security-constraint for the url-patterns that you have removed from the filter mapping:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>remote-services</web-resource-name>
        <url-pattern>/rest/*</url-pattern>
        <url-pattern>/maven2/*</url-pattern>
        <url-pattern>/ws/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>rest-all</role-name>
      </auth-constraint>
    </security-constraint>
- Save your changes.
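The web.xml edit above is easy to get half right: removing the filter mapping without adding the security-constraint leaves /rest/*, /maven2/* and /ws/* reachable with no authentication at all, and a security-constraint that lost its auth-constraint does the same. As an added example, not part of the Red Hat documentation, the following Python check parses a web.xml and verifies that no url-pattern is still mapped to BasicAuthSecurityFilter and that each remote-service pattern is covered by a security-constraint whose auth-constraint names at least one role. The before and after fragments are constructed from the chapter's snippets; REMOTE_PATTERNS and the severity labels are the example's own assumptions.

```python
import xml.etree.ElementTree as ET

BASIC_AUTH_FILTER = "org.uberfire.ext.security.server.BasicAuthSecurityFilter"
REMOTE_PATTERNS = ("/rest/*", "/maven2/*", "/ws/*")   # assumption: the patterns the chapter moves to RH-SSO

# Constructed web.xml fragments: "before" still carries the filter shown in the chapter,
# "after" replaces it with the security-constraint the chapter adds.
WEB_XML_BEFORE = """<web-app>
  <filter>
    <filter-name>HTTP Basic Auth Filter</filter-name>
    <filter-class>org.uberfire.ext.security.server.BasicAuthSecurityFilter</filter-class>
    <init-param>
      <param-name>realmName</param-name>
      <param-value>KIE Workbench Realm</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>HTTP Basic Auth Filter</filter-name>
    <url-pattern>/rest/*</url-pattern>
    <url-pattern>/maven2/*</url-pattern>
    <url-pattern>/ws/*</url-pattern>
  </filter-mapping>
</web-app>
"""

WEB_XML_AFTER = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>remote-services</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
      <url-pattern>/maven2/*</url-pattern>
      <url-pattern>/ws/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>rest-all</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace prefix (real web.xml files declare the Java EE namespace)."""
    return tag.rsplit("}", 1)[-1]


def _child_texts(el, name):
    """Text of every direct child of el whose local tag name is `name`."""
    return [(c.text or "").strip() for c in el if _local(c.tag) == name]


def filtered_patterns(root):
    """URL patterns still routed through BasicAuthSecurityFilter via a filter-mapping."""
    names = set()
    for f in root.iter():
        if _local(f.tag) == "filter" and BASIC_AUTH_FILTER in _child_texts(f, "filter-class"):
            names.update(_child_texts(f, "filter-name"))
    patterns = set()
    for fm in root.iter():
        if _local(fm.tag) == "filter-mapping" and names & set(_child_texts(fm, "filter-name")):
            patterns.update(_child_texts(fm, "url-pattern"))
    return patterns


def constrained_patterns(root):
    """Map url-pattern -> set of role names required by its security-constraint.
    None means the constraint has no auth-constraint (the container grants access without
    authentication); an empty set means an empty auth-constraint (every request denied)."""
    covered = {}
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        roles = None
        for ac in sc:
            if _local(ac.tag) == "auth-constraint":
                roles = set(_child_texts(ac, "role-name"))
        for wrc in sc:
            if _local(wrc.tag) == "web-resource-collection":
                for pattern in _child_texts(wrc, "url-pattern"):
                    covered[pattern] = roles
    return covered


def audit_web_xml(web_xml):
    """Return (severity, message) findings for the remote-service url-patterns."""
    root = ET.fromstring(web_xml)
    still_filtered = filtered_patterns(root)
    covered = constrained_patterns(root)
    findings = []
    for pattern in REMOTE_PATTERNS:
        if pattern in still_filtered:
            findings.append(("high", f"{pattern} is still mapped to BasicAuthSecurityFilter, which must be removed for RH-SSO"))
        elif pattern not in covered:
            findings.append(("high", f"{pattern} has neither the filter nor a security-constraint: reachable without authentication"))
        elif covered[pattern] is None:
            findings.append(("high", f"{pattern} security-constraint lacks an auth-constraint: reachable without authentication"))
        elif not covered[pattern]:
            findings.append(("medium", f"{pattern} auth-constraint lists no roles, so the container denies every request"))
    return findings


if __name__ == "__main__":
    for label, doc in (("before", WEB_XML_BEFORE), ("after", WEB_XML_AFTER)):
        print(label, audit_web_xml(doc) or "ok")
```

Point audit_web_xml at the deployed WEB-INF/web.xml after each upgrade as well as after the first edit, since redeploying the Business Central WAR restores the original descriptor and with it the filter.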
