Identity and access management for App Connect Designer and App Connect Dashboard instances on Red Hat OpenShift
To manage security and access for your App Connect Designer and App Connect Dashboard instances, enable identity and access management (IAM) for the instances and then configure user access. IAM is implemented by using Keycloak, which provides a single sign-on solution for web applications and RESTful web services.
Creating App Connect Designer or App Connect Dashboard instances with IAM enabled
You enable IAM for an App Connect Designer or App Connect Dashboard instance when you create the instance.
Before you begin
- Ensure that you have cluster administrator authority with cluster-admin permissions.
- Ensure that your IBM App Connect Operator is installed as part of an IBM Cloud Pak for Integration deployment that also includes the IBM Cloud Pak foundational services and certificate manager Operators. For more information, see Installing IBM App Connect with identity and access management on Red Hat OpenShift.
- If you are using an online cluster with access to public registries, and do not already have an entitlement key, obtain an entitlement key, which will enable you to pull the software images for your product components from the IBM Entitled Registry. You supply this key as a Kubernetes pull secret. To obtain and apply your entitlement key, see Finding and applying your entitlement key (online installation) in the Cloud Pak for Integration documentation.
- If you are licensed to use the IBM Cloud Pak Platform UI and intend to use it to create App Connect Designer or App Connect Dashboard instances, ensure that a Platform UI instance is deployed. For more information, see Deploying the Platform UI.
- Ensure that the required storage is set up for the App Connect Designer or App Connect Dashboard instances that you want to create.
Storage requirements for IAM:
The Keycloak deployment that is used to configure IAM for your App Connect Designer or App Connect Dashboard instances requires block storage and a storage class that is set as the default class. Therefore, you must set up this storage before you try to create any instances. For more information, see Storage options for Keycloak in the Cloud Pak for Integration documentation.
To set the storage class as the default class, add the storageclass.kubernetes.io/is-default-class annotation to the metadata block of the StorageClass custom resource (CR), as shown in the following example. Only one storage class in the cluster should carry this annotation with the value 'true'.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rook-ceph-block
  annotations:
    storageclass.kubernetes.io/is-default-class: 'true'
...
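The following Python script is an added example, not part of the IBM documentation, that checks the default-class condition described above before you create any instances. A cluster with no default class, or with two classes both annotated as the default, is a common reason why Keycloak persistent volume claims are not bound. The script parses the output of oc get storageclass -o json and builds the oc patch command that sets or clears the annotation; the two storage classes in SAMPLE are constructed for illustration. It does not verify that the class provides block storage, which you still confirm against Storage options for Keycloak.

```python
"""Check that exactly one StorageClass is marked as the cluster default.

Added example, not part of the IBM App Connect documentation. Pipe in the
output of `oc get storageclass -o json`; with no piped input it checks the
constructed SAMPLE list below.
"""
import json
import shlex
import sys

# Kubernetes honours the GA annotation and, for older manifests, the beta one.
DEFAULT_ANNOTATIONS = (
    "storageclass.kubernetes.io/is-default-class",
    "storageclass.beta.kubernetes.io/is-default-class",
)


def default_storage_classes(storage_class_list):
    """Return the names of every StorageClass whose default annotation is exactly "true"."""
    defaults = []
    for item in storage_class_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if any(annotations.get(key) == "true" for key in DEFAULT_ANNOTATIONS):
            defaults.append(meta["name"])
    return defaults


def check_default(storage_class_list):
    """Return (ok, message); ok is True only when exactly one default class exists."""
    defaults = default_storage_classes(storage_class_list)
    if not defaults:
        return False, "no default StorageClass is set"
    if len(defaults) > 1:
        return False, "multiple default StorageClasses: " + ", ".join(sorted(defaults))
    return True, "default StorageClass is " + defaults[0]


def patch_command(name, default=True):
    """Build the oc patch argv that sets (or clears) the default annotation on `name`."""
    patch = {"metadata": {"annotations": {
        DEFAULT_ANNOTATIONS[0]: "true" if default else "false"}}}
    return ["oc", "patch", "storageclass", name, "-p", json.dumps(patch)]


# Constructed sample list: one block class marked as default, one file class that is not.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "rook-ceph-block",
                      "annotations": {"storageclass.kubernetes.io/is-default-class": "true"}},
         "provisioner": "rook-ceph.rbd.csi.ceph.com"},
        {"metadata": {"name": "ocs-storagecluster-cephfs",
                      "annotations": {"storageclass.kubernetes.io/is-default-class": "false"}},
         "provisioner": "openshift-storage.cephfs.csi.ceph.com"},
    ],
}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    ok, message = check_default(data)
    print(message)
    if not ok:
        defaults = default_storage_classes(data)
        if defaults:
            # More than one default: print a command to clear each so the admin keeps only one.
            for name in defaults:
                print("to clear:", " ".join(shlex.quote(a) for a in patch_command(name, default=False)))
        else:
            print("to set:", " ".join(shlex.quote(a) for a in patch_command("<block-storage-class>")))
    sys.exit(0 if ok else 1)
```

Run it as oc get storageclass -o json | python3 check_default_sc.py (file name is yours to choose); a non-zero exit code means the Keycloak storage prerequisite is not met.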
About this task
- In a cluster-scoped Cloud Pak for Integration environment, the IBM Cloud Pak for Integration, IBM App Connect, IBM Cloud Pak foundational services, and Operand Deployment Lifecycle Manager Operators are all installed in the openshift-operators namespace. However, the certificate manager Operator is installed in the cert-manager-operator namespace, and the Keycloak Operator is installed in the ibm-common-services namespace.
- In a namespace-scoped Cloud Pak for Integration environment, the IBM Cloud Pak for Integration, IBM App Connect, IBM Cloud Pak foundational services, Operand Deployment Lifecycle Manager, and Keycloak Operators are all installed in the same (specific) namespace. However, the cert-manager Operator is installed in the cert-manager-operator namespace.
Procedure
To create an IAM-enabled App Connect Designer or App Connect Dashboard instance, complete the relevant step:
Results
After you click Create or run oc apply to create the Designer or Dashboard instance, the following sequence of events occurs:
- The IBM App Connect Operator automatically deploys a Cp4iServicesBinding resource for the Designer or Dashboard instance.
- The Cp4iServicesBinding resource requests an IntegrationKeycloakClient resource for the instance from the IBM Cloud Pak for Integration Operator (to enable IAM).
- The IBM Cloud Pak for Integration Operator passes the request to the IBM Cloud Pak foundational services Operator to provision a Keycloak instance if one is not yet available.
Note: The very first time that you create an App Connect Designer or App Connect Dashboard instance that has Keycloak enabled for IAM, the IBM Cloud Pak foundational services Operator automatically installs the Keycloak Operator if it is not yet installed in your cluster-scoped or namespace-scoped deployment. This Keycloak Operator is used to provision the Keycloak instance.
The status messages for the Designer or Dashboard instance reflect this process.
What to do next
- When the status of a Designer or Dashboard instance is shown as Ready, you can view the Keycloak artifacts that are created.
- Locate the URL for your Keycloak instance. You need this URL to access the Keycloak Administration Console so that you can set up user access to the Designer or Dashboard instance.
Viewing the Keycloak artifacts
If you want to obtain an overall view of the Keycloak deployment, you can examine the Keycloak artifacts that are automatically deployed by Operators in your cluster.
Procedure
From the Red Hat® OpenShift® web console, you can view the Keycloak artifacts as follows:
Locating the URL for your Keycloak instance
To access your Keycloak instance, you need to first locate its URL. These instructions describe how to find this URL from your Designer or Dashboard instance, or from the Cp4iServicesBinding resource for the Designer or Dashboard instance. The URL is also available from the Keycloak instance named cs-keycloak, as described in Viewing the Keycloak artifacts.
Before you begin
Ensure that you have cluster administrator authority with cluster-admin permissions.
Procedure
To locate the URL for your Keycloak instance, complete either of the following steps:
What to do next
Locate the credentials that you can use to access the Keycloak Administration Console.
Locating the credentials for the Keycloak Administration Console
To log in to the Keycloak Admin Console, you need to first obtain the login credentials, which are stored as a secret in your cluster. The name and location of this secret depends on the installation mode of the IBM App Connect Operator and the type of license that you specified when you created the Designer or Dashboard instance.
Procedure
To obtain the admin login credentials for the Keycloak Admin Console, complete the following steps:
What to do next
Log in to the Keycloak Admin Console.
Logging in to the Keycloak Administration Console
Use the URL of the Keycloak instance and the credentials for the Keycloak Admin Console to access the Admin Console.
Procedure
To log in to the Keycloak Admin Console, complete the following steps:
What to do next
Use the Keycloak Admin Console to manage user access to the Designer or Dashboard instance that you created.
Managing user access in the Keycloak Administration Console
After you log in to the Keycloak Admin Console, you can view information about your Designer and Dashboard instances, and set up users with assigned roles to access these instances. You must be in the cloudpak realm that was created earlier.
About this task
In the Keycloak Admin Console, your Designer and Dashboard instances (which require user authentication) are represented as clients. Each client is identified by its IntegrationKeycloakClient resource name.
App Connect provides predefined roles that determine what type of access permissions a user has to a Designer or Dashboard instance. You can view the roles for each Designer or Dashboard instance in the Keycloak Admin Console, and then choose which roles to assign to a user.
Complete the following procedure if you are using App Connect and IAM with an AppConnectEnterprise license that permits installation of the Operators that are required to enable Keycloak, but prohibits access to the Platform UI and other product capabilities. The instructions provide a simple sequence for quickly setting up users with App Connect roles, but it is possible to configure Keycloak further as described in the Server Administration Guide for the Red Hat build of Keycloak.
If you are using App Connect and IAM with a Cloud Pak for Integration license that entitles you to use the Platform UI and other product capabilities, see Identity and access management for information about adding users, details about the supplied roles and permissions, and details about Keycloak configuration options.
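The same client, user and role-mapping steps that you perform in the Admin Console can also be driven through the Keycloak Admin REST API, which is useful when you onboard many users or want user creation to be repeatable. The Python script below is an added example, not code from the IBM documentation or from the product: it obtains an admin token from the master realm with the credentials stored in the cluster secret, looks up the client by its client ID (the IntegrationKeycloakClient resource name) in the cloudpak realm, creates a user with a temporary password, and grants that user one of the client's roles. The Keycloak host, the client ID designer-demo-ikc, the role name example-role and the passwords are placeholders that you replace with the values from the previous sections, and the API paths assume the Red Hat build of Keycloak, which serves the API without the older /auth prefix. So that it runs offline, FakeKeycloak stands in for the server and records every call; omit the transport argument to talk to a real instance, and pass the cluster CA bundle as cafile rather than turning off TLS verification.

```python
"""Create a Keycloak user in the cloudpak realm and grant it a client role.

Added example, not from the IBM App Connect documentation. Hostname, client ID,
role name and credentials are placeholders; API paths assume the Red Hat build
of Keycloak (no /auth prefix).
"""
import json
import ssl
import urllib.parse
import urllib.request


class KeycloakAdmin:
    """Minimal Keycloak Admin REST API client backed by urllib."""

    def __init__(self, base_url, realm, transport=None, cafile=None):
        self.base = base_url.rstrip("/")
        self.realm = realm
        self.token = None
        # transport(method, url, body, headers) -> (status, Location header, body bytes)
        self._send = transport or self._https
        # Verify the server certificate; supply the cluster CA bundle instead of disabling checks.
        self._ctx = ssl.create_default_context(cafile=cafile)

    def _https(self, method, url, body, headers):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, context=self._ctx) as resp:
            return resp.status, resp.headers.get("Location", ""), resp.read()

    def login(self, username, password):
        """Get an admin access token from the master realm via the admin-cli public client."""
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": username, "password": password}).encode()
        status, _, raw = self._send("POST", f"{self.base}/realms/master/protocol/openid-connect/token",
                                    form, {"Content-Type": "application/x-www-form-urlencoded"})
        if status != 200:
            raise RuntimeError(f"admin login failed with HTTP {status}")
        self.token = json.loads(raw)["access_token"]

    def _call(self, method, path, payload=None):
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        status, location, raw = self._send(method, f"{self.base}/admin/realms/{self.realm}{path}",
                                           body, headers)
        if status >= 300:
            raise RuntimeError(f"{method} {path} returned HTTP {status}: {raw[:200]!r}")
        return location, (json.loads(raw) if raw else None)

    def client_uuid(self, client_id):
        """Map the client ID shown in the Admin Console to Keycloak's internal UUID."""
        _, clients = self._call("GET", "/clients?clientId=" + urllib.parse.quote(client_id, safe=""))
        if len(clients) != 1:
            raise LookupError(f"expected one client with clientId {client_id!r}, found {len(clients)}")
        return clients[0]["id"]

    def create_user(self, username, email, temp_password):
        """Create an enabled user whose temporary password must be changed at first login."""
        payload = {"username": username, "email": email, "enabled": True,
                   "credentials": [{"type": "password", "value": temp_password, "temporary": True}]}
        location, _ = self._call("POST", "/users", payload)
        return location.rstrip("/").rsplit("/", 1)[-1]  # the new user's UUID is the last path segment

    def grant_client_role(self, user_id, client_id, role_name):
        """Assign one of the client's own roles to the user; returns the role UUID."""
        cid = self.client_uuid(client_id)
        _, roles = self._call("GET", f"/clients/{cid}/roles")
        wanted = [r for r in roles if r["name"] == role_name]
        if not wanted:
            raise LookupError(f"client {client_id!r} has no role {role_name!r}; check its Roles tab")
        self._call("POST", f"/users/{user_id}/role-mappings/clients/{cid}",
                   [{"id": wanted[0]["id"], "name": role_name}])
        return wanted[0]["id"]


class FakeKeycloak:
    """Constructed stand-in for the server so the example runs offline; records every call."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, body, headers):
        self.calls.append((method, url, body))
        path = urllib.parse.urlsplit(url).path
        if path.endswith("/protocol/openid-connect/token"):
            return 200, "", json.dumps({"access_token": "fake-token"}).encode()
        if path.endswith("/clients"):
            return 200, "", json.dumps([{"id": "c-1", "clientId": "designer-demo-ikc"}]).encode()
        if path.endswith("/users") and method == "POST":
            return 201, url + "/u-1", b""
        if path.endswith("/clients/c-1/roles"):
            return 200, "", json.dumps([{"id": "r-1", "name": "example-role"}]).encode()
        if "/role-mappings/clients/" in path:
            return 204, "", b""
        return 404, "", b"not found"


def onboard(kc, username, email, temp_password, client_id, role_name):
    """Create the user and grant the role; returns (user UUID, role UUID)."""
    user_id = kc.create_user(username, email, temp_password)
    return user_id, kc.grant_client_role(user_id, client_id, role_name)


def demo():
    """Run the onboarding against the fake server; drop transport= to use a real one."""
    fake = FakeKeycloak()
    kc = KeycloakAdmin("https://keycloak.example.invalid", "cloudpak", transport=fake)
    kc.login("admin", "replace-with-password-from-secret")
    ids = onboard(kc, "jdoe", "jdoe@example.com", "Temp-Password-1", "designer-demo-ikc", "example-role")
    return ids, fake.calls


if __name__ == "__main__":
    (user, role), calls = demo()
    print(f"user {user} granted role {role} after {len(calls)} API calls")
```

The user is created with temporary: true so that Keycloak forces a password change at first login, which is the safer default when you hand out credentials as described in the next section.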
Procedure
To view clients, create users, and assign roles, complete the following steps:
What to do next
Provide login details to the user that you created.
Supplying the user with login URLs and credentials
Provide the URL of the Designer or Dashboard instance to the user, and supply the configured authentication credentials that they can use to log in.
If you want to enable the user to manage the Keycloak user account that you created for them, also provide the URL of the Keycloak Account Console. For example, users can configure their profiles, update their password, configure two-factor authentication, or view device activity. For more information, see Account Console in the Server Administration Guide for the Red Hat build of Keycloak.
Procedure
To supply login details to the user, complete the following steps.
Tutorial
The following tutorial provides scenarios for cluster-scoped and namespace-scoped deployments of IBM App Connect, and describes how to secure access to App Connect Designer and App Connect Dashboard instances within these deployments.
Follow this worked example to obtain an end-to-end view of how to install the Operators that are required for IAM, create your Designer and Dashboard instances with different license entitlements, enable and disable IAM, and configure user access for the instances: How to use Keycloak to provide authentication and authorization for App Connect Dashboard and Designer Authoring.