66 lines
3 KiB
Text
66 lines
3 KiB
Text
|
|
[[_fuse7_hawtio]]
|
|
===== Securing the Hawtio Administration Console
|
|
|
|
To secure the Hawtio Administration Console with {project_name}, complete the following steps:
|
|
|
|
. Create a client in the {project_name} administration console in your realm. For example, in the {project_name} `demo` realm, create a client `hawtio-client`, specify `public` as the Access Type, and specify a redirect URI pointing to Hawtio: \http://localhost:8181/hawtio/*. Configure corresponding Web Origin (in this case, \http://localhost:8181). Setup client scope mapping to include _view-profile_ client role of _account_ client in _Scope_ tab in `hawtio-client` client detail.
|
|
|
|
. Create the `keycloak-hawtio-client.json` file in the `$FUSE_HOME/etc` directory using content similar to that shown in the example below. Change the `realm`, `resource`, and `auth-server-url` properties according to your {project_name} environment. The `resource` property must point to the client created in the previous step. This file is used by the client (Hawtio JavaScript application) side.
|
|
+
|
|
[source,json]
|
|
----
|
|
{
|
|
"realm" : "demo",
|
|
"clientId" : "hawtio-client",
|
|
"url" : "http://localhost:8080/auth",
|
|
"ssl-required" : "external",
|
|
"public-client" : true
|
|
}
|
|
----
|
|
|
|
. Create the `keycloak-direct-access.json` file in the `$FUSE_HOME/etc` directory using content similar to that shown in the example below. Change the `realm` and `url` properties according to your {project_name} environment. This file is used by JavaScript client.
|
|
+
|
|
[source,json]
|
|
----
|
|
{
|
|
"realm" : "demo",
|
|
"resource" : "ssh-jmx-admin-client",
|
|
"auth-server-url" : "http://localhost:8080/auth",
|
|
"ssl-required" : "external",
|
|
"credentials": {
|
|
"secret": "password"
|
|
}
|
|
}
|
|
----
|
|
|
|
. Create the `keycloak-hawtio.json` file in the `$FUSE_HOME/etc` dicrectory using content similar to that shown in the example below. Change the `realm` and `auth-server-url` properties according to your {project_name} environment. This file is used by the adapters on the server (JAAS Login module) side.
|
|
+
|
|
[source,json]
|
|
----
|
|
{
|
|
"realm" : "demo",
|
|
"resource" : "jaas",
|
|
"bearer-only" : true,
|
|
"auth-server-url" : "http://localhost:8080/auth",
|
|
"ssl-required" : "external",
|
|
"use-resource-role-mappings": false,
|
|
"principal-attribute": "preferred_username"
|
|
}
|
|
----
|
|
|
|
. Start {fuse7Version}, <<_fuse7_install_feature,install the Keycloak feature>>. Then type in the Karaf terminal:
|
|
+
|
|
[source,subs="attributes"]
|
|
----
|
|
system:property -p hawtio.keycloakEnabled true
|
|
system:property -p hawtio.realm keycloak
|
|
system:property -p hawtio.keycloakClientConfig file://\${karaf.base}/etc/keycloak-hawtio-client.json
|
|
system:property -p hawtio.rolePrincipalClasses org.keycloak.adapters.jaas.RolePrincipal,org.apache.karaf.jaas.boot.principal.RolePrincipal
|
|
restart io.hawt.hawtio-war
|
|
----
|
|
|
|
. Go to http://localhost:8181/hawtio and log in as a user from your {project_name} realm.
|
|
+
|
|
Note that the user needs to have the proper realm role to successfully authenticate to Hawtio. The available roles are configured in the `$FUSE_HOME/etc/system.properties` file in `hawtio.roles`.
|
|
|