Chapter 19. Authenticating KIE Server through RH-SSO

Procedure

1. In the RH-SSO Admin Console, open the security realm that you created in Chapter 16, Installing and configuring RH-SSO.

2. Click Clients and click Create.

   The Add Client page opens.

3. On the Add Client page, provide the required information to create a KIE Server client for your realm, then click Save. For example:

   • Client ID: kie-execution-server
   • Root URL: http://localhost:8080/kie-server

   • Client protocol: openid-connect

     Note

     If you are configuring RH-SSO with Red Hat OpenShift Container Platform, enter the URL that is exposed by the KIE Server routes. Your OpenShift administrator can provide this URL if necessary.

4. The new client Access Type is set to public by default. Change it to confidential and click Save again.
5. Navigate to the Credentials tab and copy the secret key. The secret key is required to configure the kie-execution-server client.

Procedure

1. Navigate to the Software Downloads page in the Red Hat Customer Portal (login required), and select the product and version from the drop-down options:

   • Product: Red Hat Single Sign-On
   • Version: 7.4
2. Download Red Hat Single Sign-on 7.4 Client Adapter for JBoss EAP 7 (rh-sso-7.4.6-eap7-adapter.zip or the latest version).
3. Extract and install the adapter zip file. For installation instructions, see the "JBoss EAP Adapter" section of the Red Hat Single Sign On Securing Applications and Services Guide.
4. Go to EAP_HOME/standalone/configuration and open the standalone-full.xml file.
5. Delete the <single-sign-on/> element from both of the files.
6. Navigate to EAP_HOME/standalone/configuration directory in your Red Hat JBoss EAP installation and edit the standalone-full.xml file to add the RH-SSO subsystem configuration. For example:

7. Navigate to EAP_HOME/standalone/configuration in your Red Hat JBoss EAP installation and edit the standalone-full.xml file to add the RH-SSO subsystem configuration. For example:

   <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
     <secure-deployment name="kie-server.war">
        <realm>demo</realm>
        <realm-public-key>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</realm-public-key>
        <auth-server-url>http://localhost:8180/auth</auth-server-url>
        <ssl-required>external</ssl-required>
        <resource>kie-execution-server</resource>
        <enable-basic-auth>true</enable-basic-auth>
        <credential name="secret">03c2b267-7f64-4647-8566-572be673f5fa</credential>
        <principal-attribute>preferred_username</principal-attribute>
     </secure-deployment>
   </subsystem>
   
   <system-properties>
     <property name="org.kie.server.sync.deploy" value="false"/>
   </system-properties>

   Copy to Clipboard Toggle word wrap

   In this example:

   • secure-deployment name is the name of your application WAR file.
   • realm is the name of the realm that you created for the applications to use.
   • realm-public-key is the public key of the realm you created. You can find the key in the Keys tab in the Realm settings page of the realm you created in the RH-SSO Admin Console. If you do not provide a value for this public key, the server retrieves it automatically.
   • auth-server-url is the URL for the RH-SSO authentication server.
   • resource is the name for the server client that you created.
   • enable-basic-auth is the setting to enable basic authentication mechanism, so that the clients can use both token-based and basic authentication approaches to perform the requests.
   • credential name is the secret key of the server client you created. You can find the key in the Credentials tab on the Clients page of the RH-SSO Admin Console.
   • principal-attribute is the login name of the user. If you do not provide this value, your User Id is displayed in the application instead of your user name.
8. Save your configuration changes.

9. Use the following command to restart the Red Hat JBoss EAP server and run KIE Server.

   EXEC_SERVER_HOME/bin/standalone.sh -c standalone-full.xml -Dorg.kie.server.id=<ID> -Dorg.kie.server.user=<USER> -Dorg.kie.server.pwd=<PWD> -Dorg.kie.server.location=<LOCATION_URL> -Dorg.kie.server.controller=<CONTROLLER_URL> -Dorg.kie.server.controller.user=<CONTROLLER_USER> -Dorg.kie.server.controller.pwd=<CONTOLLER_PASSWORD>

   Copy to Clipboard Toggle word wrap

   For example:

   EXEC_SERVER_HOME/bin/standalone.sh -c standalone-full.xml -Dorg.kie.server.id=kieserver1 -Dorg.kie.server.user=kieserver -Dorg.kie.server.pwd=password -Dorg.kie.server.location=http://localhost:8080/kie-server/services/rest/server -Dorg.kie.server.controller=http://localhost:8080/business-central/rest/controller -Dorg.kie.server.controller.user=kiecontroller -Dorg.kie.server.controller.pwd=password

   Copy to Clipboard Toggle word wrap

10. When KIE Server is running, enter the following command to check the server status, where <KIE_SERVER_USER> is a user with the kie-server role and <PASSWORD> is the password for that user:

    curl http://<KIE_SERVER_USER>:<PASSWORD>@localhost:8080/kie-server/services/rest/server/

    Copy to Clipboard Toggle word wrap

Procedure

1. To configure Business Central to manage KIE Server using tokens:

   1. Set the org.kie.server.token property.

   2. Make sure that the org.kie.server.user and org.kie.server.pwd properties are not set.

      Red Hat Process Automation Manager will then use the Authorization: Bearer $TOKEN authentication method.

2. To use the REST API using the token-based authentication:

   1. Set the org.kie.server.controller.token property.
   2. Make sure that the org.kie.server.controller.user and org.kie.server.controller.pwd properties are not set.