App Connect

 View Only

How to use Keycloak to provide authentication and authorization for App Connect Dashboard and Designer Authoring

By Shanna Xu posted Wed December 13, 2023 07:05 AM

  

Introduction

Prior to App Connect Dashboard and Designer Authoring operand version 12.0.10.0-r2 (which is first available in IBM® App Connect Operator version 11), you can use the Identity and Access Management (IAM) service provided by IBM® Cloud Pak foundational services version 3 to configure a user's authority to use the App Connect Dashboard and Designer Authoring. 

App Connect Operator version 11 continues to use foundational services to provide IAM, but requires version 4.3. With this version of foundational services a major change was introduced in how IAM was implemented, where Keycloak became the default authentication and authorization provider.  Thus, for App Connect version 11 customers, you now use Keycloak to configure authentication and authorization for Dashboard and Designer Authoring.

This article contains a tutorial on how to install the App Connect Dashboard and Designer Authoring resources, and use Keycloak to configure a user's authority to access those resources. The tutorial requires a cluster on Red Hat® OpenShift® Container Platform (OCP) version 4.12 or 4.14.

Two scenarios are described in this tutorial, to cover variations in installations and license uses. The first scenario covers a cluster-wide installation of the App Connect Operator, including the Dashboard and Designer Authoring resources with an App Connect license and using Keycloak. The second scenario describes the installation of the same resources in a namespace-scoped installation with a Cloud Pak for Integration license.  For simplicity, the second scenario is abbreviated and only outlines the differences from the first scenario.  You will learn how to create a user in Keycloak to log into the resources in both scenarios.

Article index

Scenario 1: Cluster-wide installation with AppConnectEnterpriseProduction license

Scenario 2: Namespaced-scoped installation with CloudPakForIntegrationProduction license

Additional information on Keycloak:

Note: In this article, resource names are highlighted in dark red.  Keywords that are displayed on a UI are highlighted in bold.  The keywords project and namespace are used interchangeably.

Scenario 1: Cluster-wide installation with AppConnectEnterpriseProduction license

Before you start, you can use the following Prerequisites to configure your cluster environment.

Prerequisites

    1. You must install block storage on the cluster and set a default storage class. To set a storage class as default, you need to add the following annotation to the CR of the storage class.
      metadata:
		  annotations:
			storageclass.kubernetes.io/is-default-class: 'true'
    2. Add the catalog sources for the following operators:
      • For Linux on IBM Z / Linux on Power®: IBM® Cert Manager (version 4.0 and later), which is required by IBM® Cloud Pak foundational services version 4.3.  (See note)
      • IBM® Cloud Pak foundational services operator version 4.3 (See note)
      • IBM® Cloud Pak for Integration operator version 2023.4.1
      • IBM® App Connect operator version 11

      Follow this documentation to do so: https://www.ibm.com/docs/en/cloud-paks/cp-integration/2023.4?topic=images-adding-catalog-sources-cluster

      Note: A cert manager is no longer required from IBM® Cloud Pak foundational services operator version 4.4.

    3. Install the operators in the following order:
      • Install the cert manager operator: 
      • Install IBM® Cloud Pak foundational services operator version 4.3 cluster-wide, in the openshift-operators namespace. This will create a CommonService instance in the ibm-common-services namespace, and install the Operand Deployment Lifecycle Manager (ODLM) cluster-wide. You must verify that the CommonService instance is in a Succeeded status.  If it is in a Failed status, you must make sure the ibm-common-services namespace is created.  You can manually create one if it does not exist.
      • Install IBM® Cloud Pak for Integration operator version 2023.4.1 cluster-wide, in the openshift-operators namespace.
      • Install IBM® App Connect operator version 11 cluster-wide, in the openshift-operators namespace.

      To install the IBM® Cloud Pak foundational services, IBM® Cloud Pak for Integration and IBM® App Connect operators, you can follow this documentation: https://www.ibm.com/docs/en/cloud-paks/cp-integration/2023.4?topic=installing-operators

    Install a Dashboard with AppConnectEnterpriseProduction license

    On your OCP cluster, you can use the following steps to install a Dashboard resource.
    1. Create a project named ace-keycloakOn the navigation pane, select Operators -> Installed Operators to show operators installed for project ace-keycloak. You should see the operators, specified in the Prerequisites list (except cert-manager, which is managed by its own namespace), are successfully installed. Next, click Dashboard, which is one of the Provided APIs from the IBM App Connect operator.
    2. Click Create Dashboard to configure a Dashboard resource.
    3. Set license to AppConnectEnterpriseProduction and select the accept checkbox.
    4. From the Storage class drop-down list, select a file storage.
    5. Expand the Advanced configuration section. You can see Authentication and Authorization are switched on by default to enable IAM with Keycloak.
      For more information about how to configure IAM for the Dashboard,  see the How to enable and disable IAM section.
    6. Finally, click Create. This starts the creation for a Dashboard resource, with a default name of db-01-quickstart, and with IAM enabled.
      • Go to the Behind the scenes section to understand how a Keycloak instance is provisioned on the cluster.
      • When the Dashboard resource becomes Ready, you can use the Admin UI link to access the Dashboard UI.

      Note: From Dashboard operand version 12.0.11.1-r1 (which is first available in IBM® App Connect Operator version 11), the Admin UI is renamed to Dashboard UI.

    7. Use the new user, ace-keycloak-test1, to log in to your Dashboard UI. You can verify that you only have permission to view resources in the Dashboard.
    8. (optional) Now add a dashboard-admin role to ace-keycloak-test1 in the Keycloak Administration Console, and verify you can create resources on the Dashboard.

    Install a Designer Authoring with AppConnectEnterpriseProduction license

    On your OCP cluster, you can use the following steps to install a Designer Authoring resource.
    1. If you have not already done so, create a project named ace-keycloak.
    2. On the navigation pane, select Operators -> Installed Operators to show operators installed for project ace-keycloak. You should see the operators, specified in the Prerequisites list (except cert-manager, which is managed by its own namespace), are successfully installed. Next, click Designer Authoring, which is one of the Provided APIs from the IBM App Connect operator.
    3. Click Create DesignerAuthoring to configure a Designer Authoring resource.
    4. Set license to AppConnectEnterpriseProduction and select the accept checkbox.
    5. From the Storage class drop-down list, select a file storage.

    6. Expand the Advanced configuration section. You can see Authentication and Authorization are switched on by default to enable IAM with Keycloak.

      For more information about how to configure IAM for the Designer Authoring,  see the How to enable and disable IAM section.
    7. Finally, click Create. This starts the creation for a Designer Authoring resource named des-01-quickstart-ma with IAM enabled.
      • Go to the Behind the scenes section to understand how a Keycloak instance is provisioned.
      • When the Designer Authoring resource becomes Ready, you can use the UI URL link to access the Designer Authoring resource.

      Note: From Designer Authoring operand version 12.0.11.1-r1 (which is first available in IBM® App Connect Operator version 11), the UI URL is renamed to Designer UI.

    8. Use the new user, ace-keycloak-test1, to log in to your Designer Authoring UI.  You can verify that you have permission to perform administrative tasks in the Designer Authoring.

    Scenario 2: Namespaced-scoped installation with CloudPakForIntegrationProduction license

    Before you start, you should use the following Prerequisites to configure your cluster environment.

    Prerequisites

      1. Create a namespace named ace-keycloak.  Note that if you have already completed scenario 1, you must uninstall the cluster-wide installations of IBM® Cloud Pak foundational services, IBM® Cloud Pak for Integration and IBM® App Connect operators.
      2. Follow the Prerequisites of scenario 1 to install the IBM® Cloud Pak foundational services, IBM® Cloud Pak for Integration and IBM® App Connect operators.  For steps 3, you must install the IBM® Cloud Pak foundational services, IBM® Cloud Pak for Integration and IBM® App Connect operators in the ace-keycloak namespace. The foundational services operator will create a CommonService instance and install the ODLM in the ace-keycloak namespace. You must verify that the CommonService instance is in a Succeeded status.  If it is in a Failed status, you must make sure the ibm-common-services namespace is created.  You can manually create one if it does not exist.

      Install a Dashboard with CloudPakForIntegrationProduction license

      On your OCP cluster, you can use the following steps to install a Dashboard resource.
      1. On the navigation pane, select Operators -> Installed Operators to show operators installed for project ace-keycloak. You should see the operators, specified in the Prerequisites list (except cert-manager, which is managed by its own namespace), are successfully installed. Next, click Platform UI, which is one of the Provided APIs from the IBM Cloud Pak for Integration operator.
      2. Click Create PlatformNavigator to configure a PlatformNavigator resource.
      3. Accept license, by setting spec.license.accept to true in the YAML view. Click Create.
      4. When the Platform UI instance becomes Ready, follow the Install a Dashboard with AppConnectEnterpriseProduction license section to create a Dashboard and log in. You must set license to CloudPakForIntegrationProduction.

      Install a Designer Authoring with CloudPakForIntegrationProduction license

      On your OCP cluster, you can use the following steps to install a Designer Authoring resource.
      1. If a Platform UI is not yet created, follow the Install a Dashboard with CloudPakForIntegrationProduction license section, steps 1 - 3 to create an instance in your namespace ace-keycloak.
      2. When the Platform UI instance becomes Ready, follow the Install a Designer Authoring with AppConnectEnterpriseProduction license section to create a Designer Authoring and log in. You must set license to CloudPakForIntegrationProduction.

      Behind the scenes

      Behind the scenes, the App Connect Dashboard or Designer Authoring triggers the App Connect Operator to create a Cp4iServicesBinding resource to provision a Keycloak instance for the cluster. The Cp4iServicesBinding resource instructs the IBM® Cloud Pak for Integration operator that IAM must be enabled for this Dashboard or Designer Authoring instance. The IBM® Cloud Pak for Integration operator then forwards the request to the IBM® Cloud Pak foundational services operator to fulfil IAM.

      When the Cp4iServicesBinding resource reaches the Cloud Pak for Integration operator, the operator uses the foundational services operator to create a couple of OperandRequest resources, which triggers the following actions:
      1. Install a Keycloak operator.
      2. Install an EDB Keycloak, which is a database to store Keycloak roles.
      As a result, the ibm-common-services namespace (for cluster-wide installation) or the namespace where the App Connect operator is installed (for namespace-scoped installation) should contain the following resources:
      • A Keycloak instance is provisioned.
      • A Keycloak realm, which is like a namespace in Keycloak, is created named cloudpak.
      • A database is configured to store Keycloak resources, such as users and roles.
      At the end, the Cloud Pak for Integration operator creates a generic IntegrationKeycloakClient resource, whose name is specified in the Cp4iServicesBinding CR in status.metadata.integrationKeycloak.clientName for the Keycloak realm cloudpak.

      When we create our own IntegrationKeycloakClient resources for App Connect Dashboard or Designer Authoring, they will be in the same realm (cloudpak).

      How to enable and disable IAM

      This section explains how to enable and disable IAM for App Connect Dashboard and Designer Authoring.

      It is important to understand that IAM is enabled by default. As a result, when you create a Dashboard or Designer Authoring resource, both Authentication and Authorization are switched on by default, as shown in the Form view of the creation UI.

      From the YAML view, IAM is enabled (by the fields from line 100 and 105 in the yaml file) as follows:
      To disable IAM, you can either untick both selections from the Form view, or set both spec.authentication.integrationKeycloak.enabled and spec.authorization.integrationKeycloak.enabled to false from the YAML view.

      Note that you can not disable IAM by removing the authentication and authorization fields from the YAML view; in this case, IAM is assumed enabled.

      In addition, note that IAM was previously configured for Dashboard and Designer Authoring by setting the useCommonServices field from the YAML view. This field is now deprecated.

      Create a user and configure user roles in Keycloak

      For IBM® App Connect Operator version 11.0.0, 11.0.1 or 11.1.0, you must follow steps 1 to 3.  For IBM® App Connect Operator version 11.2.0 and later, you can skip steps 1 and 2.  This is because the URIs to the Keycloak UI are now displayed on the Dashboard and Designer Authoring UIs.

      1. Find the Cp4iServicesBinding resources managed by your Dashboard and Designer Authoring in the ace-keycloak namespace, which provides the URI to the Keycloak UI. On the navigation pane, select API Explorer, and type Cp4iServicesBinding in the search box. Click the Cp4iServicesBinding Kind.
      2. Under Instances, you can find the Cp4iServicesBinding resources created by your Dashboard and Designer Authoring. Make sure you are viewing the instances in the ace-keycloak project.
        • For Dashboard, click into the resource named <dashboard-name>-dash.  In this tutorial, this is db-01-quickstart-dash.
        • For Designer Authoring, click into the resource named <designerauthoring-name>-designer. In this tutorial, this is des-01-quickstart-ma-designer
        Switch to the YAML view to browse the Cp4iServicesBinding CR. You can find the URI to the Keycloak UI in the Cp4iServicesBinding CR. It is in the status.endpoints section, with a name of keycloak and type of ui. For example, in the status as follows, the Keycloak UI is at https://keycloak-ibm-common-services.apps.<cluster URL>.
        status:
		  endpoints:
			- name: keycloak
			  type: ui
			  uri: >-
				https://keycloak-ibm-common-services.apps.<cluster URL>
        Note: From Dashboard and Designer Authoring operand version 12.0.11.1-r1 (which is first available in IBM® App Connect Operator version 11), the Keycloak UI are available in the Dashboard and Designer Authoring CRs.
      3. Open the Keycloak UI on a browser and click Administration Console.
      4. You are now at the Keycloak Administration Console.
      5. To log in, you need to retrieve credentials from your cluster. There are a couple of approaches, depending on the license you used to create your App Connect resources.
          • With an App Connect license, you can use a Secret resource named cs-keycloak-initial-admin.
          • With a Cloud Pak for Integration license, you can, in addition, use a Secret resource named integration-admin-initial-temporary-credentials.

        For namespace-scoped installations, you can locate those secrets in the namespace, where the App Connect resources are installed. For cluster-wide installations, the secrets are in the ibm-common-services namespace.

        Both secrets can be revealed by clicking Reveal values, where you can retrieve the values of username and password. The following screenshot shows an example using the cs-keycloak-initial-admin secret.

      6. Enter the credentials in the Keycloak Administration Console. Once logged in, you must change Realm on the navigation pane to cloudpak.
         
      7. Click Clients on the navigation pane to view the IntegrationKeycloakClient resources that were created in the ace-keycloak namespace by your Dashboard and Designer Authoring resources.
      8. Click Users on the navigation pane, and then click Add user to add a new user. You need to provide a username, such as ace-keycloak-test1, and click Create.
      9. Assign roles to the user by clicking Role mapping, and then Assign role. You need to use the correct filter, by selecting Filter by clients.
        • Assigning roles for a Dashboard user
          There are two roles available for App Connect Dashboard, which are dashboard-viewer and dashboard-admin. The former gives you a view-only access to the Dashboard, which means you can only view resources. The latter enables you to perform administrative tasks, such as creating an IntegrationRuntime and uploading a BAR file. Click to select dashboard-viewer for your IntegrationKeycloakClient resource and click Assign to complete.  It is important to note that if both dashboard-viewer and dashboard-admin roles are selected, the role with a higher authority takes precedence. This means, when both roles are selected, a user becomes an admin on the Dashboard.
        • Assigning a role for a Designer Authoring user
          There is one role available for App Connect Designer Authoring, which is designerauthoring-admin. The role enables you to perform administrative tasks, such as creating and importing a flow. Click to select designerauthoring-admin for your IntegrationKeycloakClient resource and click Assign to complete.
      10. Finally you need to set a password for the user.  Select Credentials, click Set password, and then set a password. You can toggle off Temporary for this tutorial (otherwise the user will be prompted to change the password on the first log in).
      1 comment
      75 views

      Permalink

      Comments

      Sudhir Mohith
      Wed December 20, 2023 12:52 PM

      Great asset. Would like to see this referenced from the App Connect documentation.