4.2. Installing the RH-SSO client adapter for Business Central

Procedure

1. Navigate to the Software Downloads page in the Red Hat Customer Portal (login required), and select the product and version from the drop-down options:

   • Product: Red Hat Single Sign-On
   • Version: 7.4
2. Download Red Hat Single Sign-on 7.4 Client Adapter for JBoss EAP 7 (rh-sso-7.4.0-eap7-adapter.zip or the latest version).

3. Extract and install the adapter zip file. For installation instructions, see the "JBoss EAP Adapter" section of the Red Hat Single Sign On Securing Applications and Services Guide.

   注記

   Install the adapter with the -Dserver.config=standalone-full.xml property.

4. Navigate to the EAP_HOME/standalone/configuration directory in your Red Hat JBoss EAP installation and open the standalone-full.xml file in a text editor.

5. Add the system properties listed in the following example to <system-properties>:

   <system-properties>
     <property name="org.jbpm.workbench.kie_server.keycloak" value="true"/>
     <property name="org.uberfire.ext.security.management.api.userManagementServices" value="KCAdapterUserManagementService"/>
     <property name="org.uberfire.ext.security.management.keycloak.authServer" value="http://localhost:8180/auth"/>
   </system-properties>

   Copy to Clipboard Toggle word wrap

6. Add the RH-SSO subsystem configuration. For example:

   <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="decision-central.war">
      <realm>demo</realm>
      <realm-public-key>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</realm-public-key>
      <auth-server-url>http://localhost:8180/auth</auth-server-url>
      <ssl-required>external</ssl-required>
      <enable-basic-auth>true</enable-basic-auth>
      <resource>kie</resource>
      <credential name="secret">759514d0-dbb1-46ba-b7e7-ff76e63c6891</credential>
      <principal-attribute>preferred_username</principal-attribute>
    </secure-deployment>
   </subsystem>

   Copy to Clipboard Toggle word wrap

   In this example:

   • secure-deployment name is the name of your application’s WAR file.
   • realm is the name of the realm that you created for the applications to use.
   • realm-public-key is the public key of the realm you created. You can find the key in the Keys tab in the Realm settings page of the realm you created in the RH-SSO Admin Console. If you do not provide a value for realm-public-key, the server retrieves it automatically.
   • auth-server-url is the URL for the RH-SSO authentication server.
   • enable-basic-auth is the setting to enable basic authentication mechanism, so that the clients can use both token-based and basic authentication approaches to perform the requests.
   • resource is the name for the client that you created.
   • credential name is the secret key for the client you created. You can find the key in the Credentials tab on the Clients page of the RH-SSO Admin Console.

   • principal-attribute is the login name of the user. If you do not provide this value, your User Id is displayed in the application instead of your user name.

     注記

     The RH-SSO server converts the user names to lower case. Therefore, after integration with RH-SSO, your user name will appear in lower case in Red Hat Decision Manager. If you have user names in upper case hard coded in business processes, the application might not be able to identify the upper case user.

7. The Elytron subsystem provides a built-in policy provider based on JACC specification. To enable the JACC manually in the standalone.xml or in the file where Elytron is installed, do any of the following tasks:

   • To create the policy provider, enter the following commands in the management command-line interface (CLI) of Red Hat JBoss EAP:

     /subsystem=elytron/policy=jacc:add(jacc-policy={})
     /subsystem=undertow/application-security-domain=other:remove
     /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=keycloak-http-authentication,enable-jacc=true)

     Copy to Clipboard Toggle word wrap

     For more information about management CLI of Red Hat JBoss EAP, see the Management CLI Guide.

   • Navigate to the EAP_HOME/standalone/configuration directory in your Red Hat JBoss EAP installation. Locate the Elytron and undertow subsystem configurations in the standalone.xml and standalone-full.xml files and enable JACC. For example:

     <subsystem xmlns="urn:wildfly:elytron:4.0" ...>
     ......
      <policy name="jacc"><jacc-policy/></policy>
     </subsystem>

     Copy to Clipboard Toggle word wrap

     <subsystem xmlns="urn:jboss:domain:undertow:7.0" ...>
     ......
      <application-security-domains>
         <application-security-domain name="other" http-authentication-factory="keycloak-http-authentication" enable-jacc="true"/>
      </application-security-domains>
     </subsystem>

     Copy to Clipboard Toggle word wrap

8. Navigate to EAP_HOME/bin/ and enter the following command to start the Red Hat JBoss EAP server:

   ./standalone.sh -c standalone-full.xml

   Copy to Clipboard Toggle word wrap