Chapter 5. Authenticating KIE Server through RH-SSO
KIE Server provides a REST API for third-party clients. If you integrate KIE Server with RH-SSO, you can delegate third-party client identity management to the RH-SSO server.
After you create a realm client for Red Hat Process Automation Manager and set up the RH-SSO client adapter for Red Hat JBoss EAP, you can set up RH-SSO authentication for KIE Server.
Prerequisites
- RH-SSO is installed as described in Chapter 2, Installing and configuring RH-SSO.
-
At least one user with the
kie-server
role has been added to RH-SSO as described in Section 3.1, “Adding Red Hat Process Automation Manager users”. - KIE Server is installed in a Red Hat JBoss EAP 7.3 instance, as described in Installing and configuring Red Hat Process Automation Manager on Red Hat JBoss EAP 7.3.
This chapter contains the following sections:
Except for Section 5.1, “Creating the KIE Server client on RH-SSO”, this section is intended for standalone installations. If you are integrating RH-SSO and Red Hat Process Automation Manager on Red Hat OpenShift Container Platform, complete the steps in Section 5.1, “Creating the KIE Server client on RH-SSO” and then deploy the Red Hat Process Automation Manager environment on Red Hat OpenShift Container Platform. For information about deploying Red Hat Process Automation Manager on Red Hat OpenShift Container Platform, see the relevant document on the Red Hat Customer Portal.
5.1. Creating the KIE Server client on RH-SSO
Use the RH-SSO Admin Console to create a KIE Server client in an existing realm.
Prerequisites
- KIE Server is installed in a Red Hat JBoss EAP 7.3 server, as described in Installing and configuring Red Hat Process Automation Manager on Red Hat JBoss EAP 7.3.
- RH-SSO is installed as described in Chapter 2, Installing and configuring RH-SSO.
-
At least one user with the
kie-server
role has been added to RH-SSO as described in Section 3.1, “Adding Red Hat Process Automation Manager users”.
Procedure
- In the RH-SSO Admin Console, open the security realm that you created in Chapter 2, Installing and configuring RH-SSO.
Click Clients and click Create.
The Add Client page opens.
On the Add Client page, provide the required information to create a KIE Server client for your realm, then click Save. For example:
-
Client ID:
kie-execution-server
-
Root URL:
http://localhost:8080/kie-server
Client protocol:
openid-connect
NoteIf you are configuring RH-SSO with Red Hat OpenShift Container Platform, enter the URL that is exposed by the KIE Server routes. Your OpenShift administrator can provide this URL if necessary.
-
Client ID:
-
The new client Access Type is set to
public
by default. Change it toconfidential
and click Save again. -
Navigate to the Credentials tab and copy the secret key. The secret key is required to configure the
kie-execution-server
client.
5.2. Installing and configuring KIE Server with the client adapter
After you install RH-SSO, you must install the RH-SSO client adapter for Red Hat JBoss EAP and configure it for KIE Server.
Prerequisites
- KIE Server is installed in a Red Hat JBoss EAP 7.3 server, as described in Installing and configuring Red Hat Process Automation Manager on Red Hat JBoss EAP 7.3.
- RH-SSO is installed as described in Chapter 2, Installing and configuring RH-SSO.
-
At least one user with the
kie-server
role has been added to RH-SSO as described in Section 3.1, “Adding Red Hat Process Automation Manager users”.
If you deployed KIE Server to a different application server than Business Central, install and configure RH-SSO on your second server as well.
Procedure
Navigate to the Software Downloads page in the Red Hat Customer Portal (login required), and select the product and version from the drop-down options:
- Product: Red Hat Single Sign-On
- Version: 7.4
-
Download Red Hat Single Sign-on 7.4 Client Adapter for JBoss EAP 7 (
rh-sso-7.4.0-eap7-adapter.zip
or the latest version). - Extract and install the adapter zip file. For installation instructions, see the "JBoss EAP Adapter" section of the Red Hat Single Sign On Securing Applications and Services Guide.
-
Go to
EAP_HOME/standalone/configuration
and open thestandalone-full.xml
file. -
Delete the
<single-sign-on/>
element from both of the files. -
Navigate to
EAP_HOME/standalone/configuration
directory in your Red Hat JBoss EAP installation and edit thestandalone-full.xml
file to add the RH-SSO subsystem configuration. For example: Navigate to
EAP_HOME/standalone/configuration
in your Red Hat JBoss EAP installation and edit thestandalone-full.xml
file to add the RH-SSO subsystem configuration. For example:<subsystem xmlns="urn:jboss:domain:keycloak:1.1"> <secure-deployment name="kie-server.war"> <realm>demo</realm> <realm-public-key>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</realm-public-key> <auth-server-url>http://localhost:8180/auth</auth-server-url> <ssl-required>external</ssl-required> <resource>kie-execution-server</resource> <enable-basic-auth>true</enable-basic-auth> <credential name="secret">03c2b267-7f64-4647-8566-572be673f5fa</credential> <principal-attribute>preferred_username</principal-attribute> </secure-deployment> </subsystem> <system-properties> <property name="org.kie.server.sync.deploy" value="false"/> </system-properties>
In this example:
-
secure-deployment name
is the name of your application WAR file. -
realm
is the name of the realm that you created for the applications to use. -
realm-public-key
is the public key of the realm you created. You can find the key in the Keys tab in the Realm settings page of the realm you created in the RH-SSO Admin Console. If you do not provide a value for this public key, the server retrieves it automatically. -
auth-server-url
is the URL for the RH-SSO authentication server. -
resource
is the name for the server client that you created. -
enable-basic-auth
is the setting to enable basic authentication mechanism, so that the clients can use both token-based and basic authentication approaches to perform the requests. -
credential name
is the secret key of the server client you created. You can find the key in the Credentials tab on the Clients page of the RH-SSO Admin Console. -
principal-attribute
is the login name of the user. If you do not provide this value, your User Id is displayed in the application instead of your user name.
-
- Save your configuration changes.
Use the following command to restart the Red Hat JBoss EAP server and run KIE Server.
EXEC_SERVER_HOME/bin/standalone.sh -c standalone-full.xml -Dorg.kie.server.id=<ID> -Dorg.kie.server.user=<USER> -Dorg.kie.server.pwd=<PWD> -Dorg.kie.server.location=<LOCATION_URL> -Dorg.kie.server.controller=<CONTROLLER_URL> -Dorg.kie.server.controller.user=<CONTROLLER_USER> -Dorg.kie.server.controller.pwd=<CONTOLLER_PASSWORD>
For example:
EXEC_SERVER_HOME/bin/standalone.sh -c standalone-full.xml -Dorg.kie.server.id=kieserver1 -Dorg.kie.server.user=kieserver -Dorg.kie.server.pwd=password -Dorg.kie.server.location=http://localhost:8080/kie-server/services/rest/server -Dorg.kie.server.controller=http://localhost:8080/business-central/rest/controller -Dorg.kie.server.controller.user=kiecontroller -Dorg.kie.server.controller.pwd=password
When KIE Server is running, enter the following command to check the server status, where
<KIE_SERVER_USER>
is a user with thekie-server
role and<PASSWORD>
is the password for that user:curl http://<KIE_SERVER_USER>:<PASSWORD>@localhost:8080/kie-server/services/rest/server/
5.3. KIE Server token-based authentication
You can also use token-based authentication for communication between Red Hat Process Automation Manager and KIE Server. You can use the complete token as a system property of your application server, instead of the user name and password, for your applications. However, you must ensure that the token will not expire while the applications are interacting because the token is not automatically refreshed. To get the token, see Section 6.2, “Token-based authentication”.
Procedure
To configure Business Central to manage KIE Server using tokens:
-
Set the
org.kie.server.token
property. Make sure that the
org.kie.server.user
andorg.kie.server.pwd
properties are not set.Red Hat Process Automation Manager will then use the
Authorization: Bearer $TOKEN
authentication method.
-
Set the
To use the REST API using the token-based authentication:
-
Set the
org.kie.server.controller.token
property. -
Make sure that the
org.kie.server.controller.user
andorg.kie.server.controller.pwd
properties are not set.
-
Set the
Because KIE Server is unable to refresh the token, use a high-lifespan token. A token’s lifespan must not exceed January 19 2038. Check with your security best practices to see whether this is a suitable solution for your environment.