TAFJ-Secure Authentication using

Keycloak
R22

Information in this document is subject to change without notice.
No part of this document may be reproduced or transmitted in any form or by any means, for any
purpose, without the express written permission of TEMENOS HEADQUARTERS SA.
© 2022 Temenos Headquarters SA - all rights reserved.

Document History

Revision  Date              Amended Name  Description
1         31st March 2021   Riswana       Secure TAFJ Entry Points using KeyCloak
2         6th January 2023  Riswana       Update Websphere Liberty Configurations

2 Temenos Application Framework Java – (TAFJ)



Copyright

Copyright © Temenos Headquarters SA 2009-2022.


All rights reserved.
This document contains proprietary information that is protected by copyright. No part of this
document may be reproduced, transmitted, or made available directly or indirectly to a third party
without the express written agreement of TEMENOS UK Limited. Receipt of this material directly
from TEMENOS UK Limited constitutes its express permission to copy. Permission to use or copy this
document expressly excludes modifying it for any purpose, or using it to create a derivative
therefrom.

Errata and Comments


If you have any comments regarding this manual or wish to report any errors in the
documentation, please document them and send them to the address below:
Technology Department
Temenos Headquarters SA
2 Rue de l’Ecole-de-Chimie,
CH - 1205 Geneva,
Switzerland

Tel SB: +41 (0) 22 708 1150
Fax: +41 (0) 22 708 1160

Please include your name, company, address, and telephone and fax numbers, and email
address if applicable. [email protected]


Table of Contents

Document History                                  2
Copyright                                         3
Errata and Comments                               3
Overview                                          5
KeyCloak Configuration                            5
    Create Realm                                  5
    Create Client                                 6
    Create Group TAFJAdmin                        8
    Create Roles TAFJAdmin                        9
    Add Mapper for TAFJClient                    10
    Create User with Group TAFJAdmin             11
TAFJEE.ear Configuration                         12
    Jboss                                        12
        Install adapter in Jboss                 12
        Configuration                            12
    WebSphere Liberty                            13
        Configuration                            13
DBTools Authentication with Keycloak             14
    Console                                      14
    Servlet                                      14


Overview
Keycloak is an Open Source Identity and Access Management solution for modern applications
and services. This document details the Keycloak configuration used to secure access to the TAFJ
entry points.

KeyCloak Configuration
• Start the Keycloak server. The command below starts a Keycloak server using Docker:

docker run --name keycloak -p 8180:8180 \
  -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
  quay.io/keycloak/keycloak:latest start-dev --http-port 8180 --http-relative-path /auth

Create Realm
Access the Keycloak URL http://localhost:8180/auth

Create Client


Set Access Type to confidential and add the Root URL http://localhost:9089/TAFJEE/

Note: when using a HOSTNAME, provide it in lower case.

In case of WebSphere Liberty, where openidConnectClient is used, set the Root URL to the root
and the Valid Redirect URIs to "https://<IP_Address:port>/oidcclient/redirect/*"

Add role TAFJAdmin


Settings → change Access Type to Confidential and set the Direct Grant Flow to "direct grant"

Change the client's credentials in the Client Authenticator field to Client Id and Secret

Generate JWKS key for keystore for Liberty


Create Group TAFJAdmin


Create the group with the role mapping below.

Select the newly created client role (TAFJClient), then select the available role and use the Add
selected button to move it to Assigned Roles.

Then do the same for the realm-management client role: select all available roles and move
them to Assigned Roles.


Create Roles TAFJAdmin

Create a realm role for TAFJAdmin.

Edit this role and add client roles.


Add Mapper for TAFJClient

Use Evaluate on TAFJClient to check that the groupof mapper claim is being passed in the token.


Create User with Group TAFJAdmin


Log out and log in with the created user using the URL below:

http://localhost:8180/auth/admin/TAFJRealm/console/#/realms/TAFJRealm

TAFJEE.ear Configuration
Change the auth-method in web.xml to KEYCLOAK:

<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>TAFJRealm</realm-name>
</login-config>

TAFJEE Authentication using Keycloak in JBoss

Jboss
Install adapter in Jboss
Reference: https://wjw465150.gitbooks.io/keycloak-documentation/content/securing_apps/topics/oidc/java/jboss-adapter.html

• Download Keycloak from https://www.keycloak.org/downloads.html

• Refer to https://www.keycloak.org/documentation

Configuration
• Add the extension below inside <extensions> in standalone.xml:

<extension module="org.keycloak.keycloak-adapter-subsystem"/>

• From Keycloak Server → Clients → Installation tab, download/copy the configuration in the
required format.

• Either make the changes in the subsystem or make them in the war:

o Copy the installation information in subsystem format and add the subsystem to
standalone.xml as below:

<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="TAFJEE.war">
        <realm>TAFJRealm</realm>
        <auth-server-url>http://localhost:8180/auth/</auth-server-url>
        <public-client>true</public-client>
        <ssl-required>NONE</ssl-required>
        <resource>TAFJClient</resource>
        <use-resource-role-mappings>true</use-resource-role-mappings>
    </secure-deployment>
</subsystem>

o Or download the JSON from Keycloak Client → Installation and add it to the war under WEB-INF.

WebSphere Liberty
Configuration
Add the features below in server.xml:

<featureManager>
    ....
    <feature>transportSecurity-1.0</feature>
    <feature>openidConnectClient-1.0</feature>
</featureManager>

Add the keystore and OIDC client configuration below in server.xml:

<openidConnectClient id="KEYCLOAK"
    trustStoreRef="defaultKeyStore"
    trustAliasName="TAFJClient"
    realmName="TAFJRealm"
    clientId="TAFJClient"
    grantType="password"
    clientSecret="jp60QRQxDpxYJsDaGIyXpy4bJAnS1CiU"
    httpsRequired="false"
    createSession="true"
    responseType="code"
    tokenReuse="true"
    groupIdentifier="groupof"
    signatureAlgorithm="RS256"
    jwkEndpointUrl="http://<Keycloak_IP>:<Keycloak_Port>/auth/realms/TAFJRealm/protocol/openid-connect/certs"
    issuerIdentifier="http://<Keycloak_IP>:<Keycloak_Port>/auth/realms/TAFJRealm"
    authorizationEndpointUrl="http://<Keycloak_IP>:<Keycloak_Port>/auth/realms/TAFJRealm/protocol/openid-connect/auth"
    tokenEndpointUrl="http://<Keycloak_IP>:<Keycloak_Port>/auth/realms/TAFJRealm/protocol/openid-connect/token">
</openidConnectClient>
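Whether a logged-in user ends up in the TAFJAdmin group depends on the claims the Liberty configuration above names (issuerIdentifier, clientId, groupIdentifier="groupof", signatureAlgorithm) and on the groupof mapper set up under "Add Mapper for TAFJClient". The Python below is an added example, not Temenos or Keycloak code: it applies those claim checks to a constructed token so the mapper output can be verified offline. It reuses the document's placeholder Keycloak host and assumes the runtime has already verified the signature against jwkEndpointUrl.

```python
import base64
import json
import time

# Values from this document's Liberty openidConnectClient configuration; the
# Keycloak host stays the same placeholder the document uses.
ISSUER = "http://<Keycloak_IP>:<Keycloak_Port>/auth/realms/TAFJRealm"
CLIENT_ID = "TAFJClient"
GROUP_CLAIM = "groupof"       # groupIdentifier, the name of the group mapper
REQUIRED_GROUP = "TAFJAdmin"
ALLOWED_ALG = "RS256"         # signatureAlgorithm


def b64url(data):
    """Encode bytes to unpadded base64url, or decode a str from it (JWT compact form)."""
    if isinstance(data, bytes):
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def check_tafj_claims(token, now=None):
    """Claim checks mirroring the Liberty settings above; returns (ok, reason).
    Signature verification against jwkEndpointUrl is assumed to have run first."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, _signature = token.split(".")
        header, claims = json.loads(b64url(header_b64)), json.loads(b64url(payload_b64))
    except ValueError:                           # wrong part count, bad base64 or bad JSON
        return False, "malformed token"
    if header.get("alg") != ALLOWED_ALG:         # rejects alg=none or HS256 downgrades
        return False, f"unexpected alg {header.get('alg')!r}"
    if claims.get("iss") != ISSUER:
        return False, "issuer does not match issuerIdentifier"
    aud = claims.get("aud", [])
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud) and claims.get("azp") != CLIENT_ID:
        return False, "token was not issued for TAFJClient"
    if int(claims.get("exp", 0)) <= now:
        return False, "token expired"
    # Keycloak's Group Membership mapper emits full paths ("/TAFJAdmin") when
    # "Full group path" is on, so accept both spellings.
    groups = {g.lstrip("/") for g in claims.get(GROUP_CLAIM, [])}
    if REQUIRED_GROUP not in groups:
        return False, f"{GROUP_CLAIM} claim does not contain {REQUIRED_GROUP}"
    return True, "ok"


def constructed_token(claims, alg=ALLOWED_ALG):
    """Constructed, unsigned token (empty signature part) for offline testing only."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."
```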

DBTools Authentication with Keycloak
Copy the keycloak.json into TemenSecurity.jar, or set the path of keycloak.json using the Java
property -Dtemn.security.keycloak.json.path=<path/to/keycloak.json>

Console
Add -keycloak to the DBTools command to authenticate with Keycloak:
DBTools -u <username> -p <password> -keycloak

Servlet
• Add DBTools.jar to module.xml to enable DBTools in the servlet.

• Add the "org.apache.httpcomponents" dependency in the tafj module.xml:

<dependencies>
    ....
    <module name="org.apache.httpcomponents"/>
</dependencies>

• Select the checkbox "Use Keycloak for authentication".
