Chapter 18. Authenticating Business Central through RH-SSO

This chapter describes how to authenticate Business Central through RH-SSO. It includes the following sections:

Prerequisites

Note

Except for Section 18.1, “Creating the Business Central client for RH-SSO”, this section is intended for standalone installations. If you are integrating RH-SSO and Red Hat Process Automation Manager on Red Hat OpenShift Container Platform, complete only the steps in Section 18.1, “Creating the Business Central client for RH-SSO” and then deploy the Red Hat Process Automation Manager environment on Red Hat OpenShift Container Platform. For information about deploying Red Hat Process Automation Manager on Red Hat OpenShift Container Platform, see Deploying Red Hat Process Automation Manager on Red Hat OpenShift Container Platform.

18.1. Creating the Business Central client for RH-SSO

After the RH-SSO server starts, use the RH-SSO Admin Console to create the Business Central client for RH-SSO.

Procedure

  1. Enter http://localhost:8180/auth/admin in a web browser to open the RH-SSO Admin Console and log in using the admin credentials that you created while installing RH-SSO.

    Note

    If you are configuring RH-SSO with Red Hat OpenShift Container Platform, enter the URL that is exposed by the RH-SSO routes. Your OpenShift administrator can provide this URL if necessary.

    When you login for the first time, you can set up the initial user on the new user registration form.

  2. In the RH-SSO Admin Console, click the Realm Settings menu item.
  3. On the Realm Settings page, click Add Realm.

    The Add realm page opens.

  4. On the Add realm page, provide a name for the realm and click Create.
  5. Click the Clients menu item and click Create.

    The Add Client page opens.

  6. On the Add Client page, provide the required information to create a new client for your realm. For example:

    • Client ID: kie
    • Client protocol: openid-connect
    • Root URL: http://localhost:8080/business-central

      Note

      If you are configuring RH-SSO with Red Hat OpenShift Container Platform, enter the URL that is exposed by the KIE Server routes. Your OpenShift administrator can provide this URL if necessary.

  7. Click Save to save your changes.

    After you create a new client, its Access Type is set to public by default. Change it to confidential.

    The RH-SSO server is now configured with a realm with a client for Business Central applications and running and listening for HTTP connections at localhost:8180. This realm provides different users, roles, and sessions for Business Central applications.

18.2. Installing the RH-SSO client adapter for Business Central

After you install RH-SSO, you must install the RH-SSO client adapter for Red Hat JBoss EAP and configure it for Business Central.

Prerequisites

Procedure

  1. Navigate to the Software Downloads page in the Red Hat Customer Portal (login required), and select the product and version from the drop-down options:

    • Product: Red Hat Single Sign-On
    • Version: 7.4
  2. Select the Patches tab.
  3. Download Red Hat Single Sign-on 7.4 Client Adapter for EAP 7 (rh-sso-7.4.6-eap7-adapter.zip or the latest version).
  4. Extract and install the adapter zip file. For installation instructions, see the "JBoss EAP Adapter" section of the Red Hat Single Sign On Securing Applications and Services Guide.

    Note

    Install the adapter with the -Dserver.config=standalone-full.xml property.

  5. Navigate to the EAP_HOME/standalone/configuration directory in your Red Hat JBoss EAP installation and open the standalone-full.xml file in a text editor.
  6. Add the system properties listed in the following example to <system-properties>:

    <system-properties>
      <property name="org.jbpm.workbench.kie_server.keycloak" value="true"/>
      <property name="org.uberfire.ext.security.management.api.userManagementServices" value="KCAdapterUserManagementService"/>
      <property name="org.uberfire.ext.security.management.keycloak.authServer" value="http://localhost:8180/auth"/>
    </system-properties>
  7. Optional: If you want to use client roles, add the following system property:

      <property name="org.uberfire.ext.security.management.keycloak.use-resource-role-mappings" value="true"/>

    By default, the client resource name is kie. The client resource name must be the same as the client name that you used to configure the client in RH-SSO. If you want to use a custom client resource name, add the following system property:

      <property name="org.uberfire.ext.security.management.keycloak.resource" value="customClient"/>

    Replace customClient with the client resource name.

  8. Add the RH-SSO subsystem configuration. For example:

    <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
     <secure-deployment name="business-central.war">
       <realm>demo</realm>
       <realm-public-key>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</realm-public-key>
       <auth-server-url>http://localhost:8180/auth</auth-server-url>
       <ssl-required>external</ssl-required>
       <enable-basic-auth>true</enable-basic-auth>
       <resource>kie</resource>
       <credential name="secret">759514d0-dbb1-46ba-b7e7-ff76e63c6891</credential>
       <principal-attribute>preferred_username</principal-attribute>
     </secure-deployment>
    </subsystem>

    In this example:

    • secure-deployment name is the name of your application’s WAR file.
    • realm is the name of the realm that you created for the applications to use.
    • realm-public-key is the public key of the realm you created. You can find the key in the Keys tab in the Realm settings page of the realm you created in the RH-SSO Admin Console. If you do not provide a value for realm-public-key, the server retrieves it automatically.
    • auth-server-url is the URL for the RH-SSO authentication server.
    • enable-basic-auth is the setting to enable basic authentication mechanism, so that the clients can use both token-based and basic authentication approaches to perform the requests.
    • resource is the name for the client that you created. To use client roles, set the client resource name that you used when configuring the client in RH-SSO.
    • credential name is the secret key for the client you created. You can find the key in the Credentials tab on the Clients page of the RH-SSO Admin Console.
    • principal-attribute is the login name of the user. If you do not provide this value, your User Id is displayed in the application instead of your user name.

      Note

      The RH-SSO server converts the user names to lower case. Therefore, after integration with RH-SSO, your user name will appear in lower case in Red Hat Process Automation Manager. If you have user names in upper case hard coded in business processes, the application might not be able to identify the upper case user.

      If you want to use client roles, also add the following setting under <secure-deployment>:

      <use-resource-role-mappings>true</use-resource-role-mappings>
  9. The Elytron subsystem provides a built-in policy provider based on JACC specification. To enable the JACC manually in the standalone.xml or in the file where Elytron is installed, do any of the following tasks:

    • To create the policy provider, enter the following commands in the management command-line interface (CLI) of Red Hat JBoss EAP:

      /subsystem=elytron/policy=jacc:add(jacc-policy={})
      /subsystem=undertow/application-security-domain=other:remove
      /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=keycloak-http-authentication,enable-jacc=true)

      For more information about the Red Hat JBoss EAP management CLI, see the Management CLI Guide for Red Hat JBoss EAP.

    • Navigate to the EAP_HOME/standalone/configuration directory in your Red Hat JBoss EAP installation. Locate the Elytron and undertow subsystem configurations in the standalone.xml and standalone-full.xml files and enable JACC. For example:

      <subsystem xmlns="urn:wildfly:elytron:4.0" ...>
      ......
       <policy name="jacc"><jacc-policy/></policy>
      </subsystem>
      <subsystem xmlns="urn:jboss:domain:undertow:7.0" ...>
      ......
       <application-security-domains>
          <application-security-domain name="other" http-authentication-factory="keycloak-http-authentication" enable-jacc="true"/>
       </application-security-domains>
      </subsystem>
      Note

      To use the Elytron subsystem, you must disable JACC in the legacy security subsystem. To disable JACC in the legacy subsystem, enter the following command in the Red Hat JBoss EAP management CLI:

      /subsystem=security:write-attribute(name=initialize-jacc, value=false)

      For more information about disabling JACC in the legacy security subsystem, see the Development Guide for Red Hat JBoss EAP.

  10. Navigate to EAP_HOME/bin/ and enter the following command to start the Red Hat JBoss EAP server:

    ./standalone.sh -c standalone-full.xml
Note

You can also configure the RH-SSO adapter for Business Central by updating your application’s WAR file to use the RH-SSO security subsystem. However, Red Hat recommends that you configure the adapter through the RH-SSO subsystem. Doing this updates the Red Hat JBoss EAP configuration instead of applying the configuration on each WAR file.

18.3. Securing Business Central file system services using RH-SSO

To consume other remote services such as file systems (for example, a remote GIT service), you must specify the correct RH-SSO login module.

Procedure

  1. Generate a JSON configuration file:

    1. Navigate to the RH-SSO Admin Console located at http://localhost:8180/auth/admin.
    2. Click Clients.
    3. Create a new client with the following settings:

      • Set Client ID as kie-git.
      • Set Access Type as confidential.
      • Disable the Standard Flow Enabled option.
      • Enable the Direct Access Grants Enabled option.
      kie git client settings
    4. Click Save.
    5. Click the Installation tab at the top of the client configuration screen and choose Keycloak OIDC JSON as a Format Option.
    6. Click Download.
  2. Move the downloaded JSON file to an accessible directory in the server’s file system or add it to the application class path.
  3. Specify the correct RH-SSO login module in the EAP_HOME/standalone/configuration/standalone-full.xml file. By default, the security domain in Red Hat Process Automation Manager is set to other. Replace the default values of the login-module in this security domain with the values in the following example:

    <security-domain name="other" cache-type="default">
      <authentication>
        <login-module code="org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule" flag="required">
          <module-option name="keycloak-config-file" value="$EAP_HOME/kie-git.json"/>
        </login-module>
      </authentication>
    </security-domain>
  4. The JSON file specified in the module-option element contains a client used for securing the remote services. Replace the $EAP_HOME/kie-git.json value of the module-option element with the absolute path or the class path (classpath:/EXAMPLE_PATH/kie-git.json) to this JSON configuration file.

    At this point, all users authenticated through the RH-SSO server can clone internal GIT repositories. In the following command, change USER_NAME to a RH-SSO user, for example admin:

    git clone ssh://USER_NAME@localhost:8001/system