Chapter 3. Admin Console

The bulk of your administrative tasks will be done through the Red Hat Single Sign-On Admin Console. You can go to the console URL directly at http://localhost:8080/auth/admin/.

Login Page


Enter the username and password you created on the Welcome Page or with the add-user-keycloak script. This will bring you to the Red Hat Single Sign-On Admin Console.

Admin Console


The left drop down menu allows you to pick a realm you want to manage or to create a new one. The right drop down menu allows you to view your user account or log out. If you are curious about a certain feature, button, or field within the Admin Console, simply hover your mouse over any question mark ? icon. This will pop up tooltip text to describe the area of the console you are interested in. The image above shows the tooltip in action.

3.1. The Master Realm

When you boot Red Hat Single Sign-On for the first time, a pre-defined realm is created for you. This initial realm is called the master realm and is the king of all realms. Admins in this realm have permissions to view and manage any other realm created on the server instance. When you define your initial admin account, you are creating an account in the master realm. Your initial login to the Admin Console will also be through the master realm.

It is recommended that you do not use the master realm to manage the users and applications in your organization. Keep the master realm as a place for super admins to create and manage the realms in your system. This keeps things clean and organized.

It is possible to disable the master realm and define admin accounts at each individual new realm you create. Each realm has its own dedicated Admin Console that you can log into with local accounts. This guide talks more about this in the Dedicated Realm Admin Consoles chapter.

3.2. Create a New Realm

Creating a new realm is very simple. Mouse over the drop down menu in the top left corner that is titled Master. If you are logged in to the master realm, this drop down menu lists all the realms created. The last entry of this drop down menu is always Add Realm. Click this to add a realm.

Add Realm Menu


This menu option will bring you to the Add Realm page. Specify the realm name you want to define and click the Create button. Alternatively you can import a JSON document that defines your new realm. We’ll go over this in more detail in the Export and Import chapter.

Create Realm


After creating the realm you are brought back to the main Admin Console page. The current realm will now be set to the realm you just created. You can switch between managing different realms by mousing over the drop down menu in the top left corner.

3.3. SSL Mode

Each realm has an SSL Mode associated with it. The SSL Mode defines the SSL/HTTPS requirements for interacting with the realm. Browsers and applications that interact with the realm must honor the SSL/HTTPS requirements defined by the SSL Mode or they will not be allowed to interact with the server.

Warning

Red Hat Single Sign-On is not set up by default to handle SSL/HTTPS. It is highly recommended that you either enable SSL on the Red Hat Single Sign-On server itself or on a reverse proxy in front of the Red Hat Single Sign-On server.

To configure the SSL Mode of your realm, you need to click on the Realm Settings left menu item and go to the Login tab.

Login Tab


The Require SSL option allows you to pick the SSL Mode you want. Here is an explanation of each mode:

external requests
Users can interact with Red Hat Single Sign-On without SSL so long as they stick to private IP addresses like localhost, 127.0.0.1, 10.0.x.x, 192.168.x.x, and 172.16.x.x. If you try to access Red Hat Single Sign-On without SSL from a non-private IP address you will get an error.
none
Red Hat Single Sign-On does not require SSL. This should really only be used in development when you are playing around with things and don’t want to bother configuring SSL on your server.
all
Red Hat Single Sign-On requires SSL for all IP addresses.
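The three modes can be read as a decision over the request scheme and the client address. The following is an added example, not Red Hat Single Sign-On's own code; the function names are hypothetical, and it assumes "private" means loopback plus the RFC 1918 ranges that the addresses listed above belong to.

```python
import ipaddress

# Assumption: "private" means loopback plus the RFC 1918 ranges that the
# page's examples (10.0.x.x, 172.16.x.x, 192.168.x.x) fall in.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(client_addr):
    """True for localhost or an address inside one of PRIVATE_NETS."""
    if client_addr == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(client_addr)
    except ValueError:
        return False  # unparseable address: treat as external
    return any(ip in net for net in PRIVATE_NETS)

def request_allowed(ssl_mode, scheme, client_addr):
    """Decide one request under a Require SSL mode from the Login tab."""
    if ssl_mode not in ("external requests", "none", "all"):
        raise ValueError("unknown SSL mode: %r" % (ssl_mode,))
    if scheme == "https" or ssl_mode == "none":
        return True          # HTTPS satisfies every mode; "none" never asks
    if ssl_mode == "all":
        return False         # plain HTTP refused for every address
    return is_private(client_addr)   # "external requests"

# Constructed sample requests, not taken from a real server log.
SAMPLES = [
    ("external requests", "http", "192.168.1.20"),
    ("external requests", "http", "172.32.0.1"),    # just outside 172.16.0.0/12
    ("external requests", "http", "203.0.113.7"),
    ("external requests", "https", "203.0.113.7"),
    ("all", "http", "127.0.0.1"),
    ("none", "http", "203.0.113.7"),
]

if __name__ == "__main__":
    for mode, scheme, addr in SAMPLES:
        verdict = "allowed" if request_allowed(mode, scheme, addr) else "rejected"
        print(f"{mode:17} {scheme:5} {addr:13} {verdict}")
```

The address that matters is the one the server sees as the client. When a reverse proxy sits in front of the server, check that this is the real client address and not the proxy's own private address.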

3.4. Realm Key Pairs

The authentication protocols that are used by Red Hat Single Sign-On require cryptographic signatures and sometimes even encryption. Red Hat Single Sign-On uses an asymmetric key pair, a private and a public key, to accomplish this. When a realm is created, a key pair is automatically generated. It is recommended that you cycle this key pair occasionally. How often you do this depends on your organizational needs and security requirements, as you have to make sure every application that needs the public key or certificate of your realm gets the updated one. This can be a lot of work!

To cycle a key pair click on the Realm Settings left menu item, go to the Keys tab, and push the Generate new keys button.

Keys tab


This will create a brand new key pair for your realm.

3.5. Clearing Server Caches

Red Hat Single Sign-On will cache everything it can in memory within the limits of your JVM and/or the limits you’ve configured it for. If the Red Hat Single Sign-On database is modified by a third party (e.g. a DBA) outside the scope of the server’s REST APIs or Admin Console, there’s a chance parts of the in-memory cache may be stale. You can clear the realm and user caches from the Admin Console by going to the Realm Settings left menu item and the Cache tab.

Cache tab

Just click the clear button on the cache you want to evict.

3.6. Email Settings

Red Hat Single Sign-On sends emails to users to verify their email address, when they forget their passwords, or when an admin needs to receive notifications about a server event. To enable Red Hat Single Sign-On to send emails you need to provide Red Hat Single Sign-On with your SMTP server settings. This is configured per realm. Go to the Realm Settings left menu item and click the Email tab.

Email Tab


As emails are used for recovering usernames and passwords it’s recommended to use SSL or TLS, especially if the SMTP server is on an external network. To enable SSL click on Enable SSL or to enable TLS click on Enable TLS. You will most likely also need to change the Port (the default port for SSL/TLS is 465).

If your SMTP server requires authentication click on Enable Authentication and insert the Username and Password.
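The SSL Mode from section 3.3 and the SMTP settings above can both be checked offline in a realm's JSON document. The following is an added example, not part of the product; it assumes the realm JSON carries the SSL Mode as `sslRequired` and the email settings as string values under `smtpServer`, and the finding codes and function names are hypothetical.

```python
import json

# Constructed sample in the shape of a realm export (not from a real server).
SAMPLE_EXPORT = """
[
  {"realm": "dev-sandbox", "sslRequired": "none",
   "smtpServer": {"host": "mail.example.test", "port": "25",
                  "auth": "true", "user": "sso-mailer"}},
  {"realm": "customers", "sslRequired": "all",
   "smtpServer": {"host": "mail.example.test", "port": "465",
                  "ssl": "true", "auth": "true", "user": "sso-mailer"}}
]
"""

def _on(value):
    """SMTP flags are assumed to be stored as strings; accept booleans too."""
    return str(value).strip().lower() == "true"

def audit_realm(realm):
    """Return a list of (code, message) findings for one realm dict."""
    findings = []
    mode = realm.get("sslRequired")
    if mode is None:
        findings.append(("SSL_MODE_UNSET", "sslRequired missing from the document"))
    elif str(mode).lower() == "none":
        findings.append(("SSL_MODE_NONE", "plain HTTP accepted from any address"))
    elif str(mode).lower() == "external":
        findings.append(("SSL_MODE_EXTERNAL", "plain HTTP accepted from private addresses"))
    smtp = realm.get("smtpServer") or {}
    if smtp.get("host"):  # email is only configured when a host is set
        if not (_on(smtp.get("ssl")) or _on(smtp.get("starttls"))):
            findings.append(("SMTP_PLAINTEXT", "neither Enable SSL nor Enable TLS is set"))
            if _on(smtp.get("auth")):
                findings.append(("SMTP_AUTH_PLAINTEXT", "SMTP credentials sent without SSL/TLS"))
    return findings

def audit_export(text):
    """Accept one realm object or a list of realms; map realm name to findings."""
    data = json.loads(text)
    realms = data if isinstance(data, list) else [data]
    return {r.get("realm", "<unnamed>"): audit_realm(r) for r in realms}

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        for code, msg in findings or [("OK", "no findings")]:
            print(f"{name}: {code}: {msg}")
```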

3.7. Themes and Internationalization

Themes allow you to change the look and feel of any UI in Red Hat Single Sign-On. Themes are configured per realm. To change a theme go to the Realm Settings left menu item and click on the Themes tab.

Themes Tab


Pick the theme you want for each UI category and click Save.

Login Theme
Username password entry, OTP entry, new user registration, and other similar screens related to login.
Account Theme
Each user has a User Account Management UI.
Admin Console Theme
The skin of the Red Hat Single Sign-On Admin Console.
Email Theme
Whenever Red Hat Single Sign-On has to send out an email, it uses templates defined in this theme to craft the email.

The Server Developer Guide goes into how to create new themes or modify existing ones.

3.7.1. Internationalization

Every UI screen is internationalized in Red Hat Single Sign-On. The default language is English, but if you turn on the Internationalization switch on the Themes tab you can choose which locales you want to support and what the default locale will be. The next time a user logs in, they will be able to choose a language on the login page to use for the login screens, User Account Management UI, and Admin Console. The Server Developer Guide explains how you can offer additional languages.