Configuration Of EAP 7.4.7 With Web Application Using Spring Security - redhat

We are moving to JDK 17 and it is now supported by Red Hat in EAP 7.4.7. In EAP 7.4.7, Red Hat has disabled the legacy security approach in favour of Elytron. I have migrated my configurations to 7.4.7 with the supplied Elytron migration scripts and the server starts without problems.
Access to parts of the web application is managed by Spring Security and HTTP basic authentication. If I disable Spring Security, the application can be accessed and works as expected. However, when I enable Spring Security I see the browser dialog for user id and password. The validation of the user id and password appears to be intercepted by Elytron, because I see this in the logs and my breakpoint in our password validation does not get called:
2022-11-09 09:10:47,202 DEBUG [org.wildfly.security.http.password] (default task-2) Username authentication. Realm: [null], Username: [admin].
2022-11-09 09:10:47,202 DEBUG [org.wildfly.security.http.basic] (default task-2) User admin authentication failed.
The identical war file deploys and works as expected with WildFly 26.12. I have tried to make the configurations match as closely as possible, with no differences. So there must be some difference in the EAP 7.4.7 configuration that is causing the problem.
Any suggestions?

Related

Why are my BizTalk SSO settings not showing in SSO Administrator or the SSO Client Utility?

I have installed several applications on a BizTalk 2020 server using BTDF 5.8, where I used the application settings in the deployment to update any config for the BizTalk applications.
My own account is part of the SSO admin group, and I use the in-proc host account to install the apps into the BizTalk server. The in-proc host account is also part of the SSO admin group.
When I view the SSO using the admin or client utility, no apps are shown. I also downloaded and ran the BizTalk-Server-SSO-Application-Configuration-Tool. The tool also showed no currently installed applications, but was able to add an application with its config.
But ideally I would like to view and edit the current config, as I am currently getting an error on a server with an incorrect value.
Is there another tool to view and edit settings, or am I missing something that must be enabled?

Authentication of REST services not working with jBPM (KIE Server and Business Central) and Keycloak

I am studying jBPM (KIE Server and Business Central) and Keycloak. In isolation, I managed to run all this software successfully. However, when I try to integrate them, the authentication of users on the website works (Keycloak login page to access the Business Central site), but it seems that the authentication of the REST service calls, both from the KIE Server and from Business Central, stops working (unauthorized), and the KIE Server is unable to synchronize with its Controller (Business Central).
Below are more details on the subject.
I have been searching for a few days for a solution to the problem but without success.
Although I have already consulted this excellent site, this is my first question and I do not have much reference on which file is recommended to attach to the question. If you need a specific file, please say so and I will attach it.
I appreciate any help.
Notes (useful information) about the environment and problems encountered:
Only 1 Wildfly 20.0.1 environment (server) hosting KIE Server 7.43.1.Final, Business Central 7.43.1.Final and Keycloak 11.0.2, with the Keycloak adapter installed, on Windows 10.
In Keycloak, Realm was created with the name VHLLEmpresaRealm and 2 clients (applications):
VHLLEmpresaKIEServer: with public access.
VHLLEmpresaBusinessCentral: with confidential access.
In the Keycloak, the user kieserver with password kieserver1! was created and assigned to various roles (both Realm and Clients), among them: admin, rest-all, kie-server, kiemgmt and user.
Authentication with the kieserver user and its password on the Business Central website works properly, integrated with Keycloak (Keycloak login page). Authentication with Google (social login) works properly.
Business Central configured to show and manage the users registered in the Keycloak.
Problems observed:
When starting the Wildfly server, the KIE Server is unable to synchronize with the Controller Business Central (see the Startup Log - Doc 06). The attempt below is repeated several times at startup without success, followed by a NullPointerException with the lines copied below:
17:13:30,057 INFO [org.kie.server.controller.websocket.client.WebSocketKieServerControllerImpl] (KieServer-ControllerConnect) Kie Server points to non Web Socket controller 'http://localhost:8080/business-central/rest/controller', using default REST mechanism
17:13:30,214 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-6) Uncaught server error: java.lang.NullPointerException
at org.keycloak.storage.StorageId.isLocalStorage(StorageId.java:77)
at org.keycloak.credential.UserCredentialStoreManager.getStoreForUser(UserCredentialStoreManager.java:54)
...
17:13:30,214 WARN [org.kie.server.services.impl.controller.DefaultRestControllerImpl] (KieServer-ControllerConnect) Exception encountered while syncing with controller at http://localhost:8080/business-central/rest/controller/server/wildfly-kieserver error Error while sending PUT request to http://localhost:8080/business-central/rest/controller/server/wildfly-kieserver response code 401
Link to complete file:
https://drive.google.com/file/d/1kr47ap9frsCQB8oyQE2dEm2gfl7__s0G/view?usp=sharing
On the Business Central website, on the Deployments page (which shows the Servers too), the KIE Server server does not appear as available (see Doc 07).
Link to complete file:
https://drive.google.com/file/d/1lKiCZdOp7yRvHibfgJ8ZOE_dZIAnkE6U/view?usp=sharing
In the cURL command to access the Business Central REST services, even if the kieserver user and password are passed, the response is Unauthorized (see Doc 08).
COMMAND: curl -X GET http://kieserver:kieserver1!#localhost:8080/business-central/rest/repositories -v
RESPONSE: ErrorUnauthorized
Link to complete file:
https://drive.google.com/file/d/1V_CH_hiTkhLh-AtgRvP0YkZ3afwBc4tZ/view?usp=sharing
Other Files:
Wildfly Settings - STANDALONE-FULL.XML
https://drive.google.com/file/d/1f0xvRDPiId1RymZkMGIUaIMB_EuGpbud/view?usp=sharing
I'm not sure if this is the correct way to solve the problem, but after continuing my studies and research for a few more days, using the cURL command below to call a Business Central service, I obtained the access token, and through the website jwt.io I noticed in the content of this token that the audience (aud) field was not filled in with the Keycloak client ID that requested the token.
curl -d "grant_type=password" -d "client_id=VHLLEmpresaBusinessCentral" -d "client_secret=020c8841-50ee-437e-af16-XXXXXXXX" -d "username=kieserver" -d "password=kieserverXXXXX" -d "scope=VHLLEmpresaEscopo" http://localhost:8180/auth/realms/VHLLEmpresaRealm/protocol/openid-connect/token
So, I created a Client Scope, created a Mapper for the Audience to add the Client's own ID, and associated this Client Scope with the corresponding Client.
The second change that was necessary was to override the Direct Grant Flow with the "direct grant" value for each Client involved.
With the two changes above, the synchronization between KIE Server and Business Central works again.
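The missing audience described above is exactly what a resource server's token validation rejects: if `aud` does not name the client presenting the token, the call is unauthorized even though the signature is fine. The following added example (not code from the post or from Keycloak/jBPM) decodes a JWT offline, the way jwt.io shows it, and then runs the audience, expiry and signature checks a resource server applies. It assumes HS256 with a constructed shared key purely so it runs stand-alone; Keycloak signs its tokens with RS256 by default, so a real validator would verify against the realm's public key instead. The client ID `VHLLEmpresaBusinessCentral` and realm URL are the ones from the post; the tokens and key are constructed.

```python
"""Added example: decode a JWT and validate its ``aud`` claim against the
expected Keycloak client. HS256 and the key below are a stand-alone
substitute for Keycloak's RS256 signing (assumption for the demo)."""
import base64
import hashlib
import hmac
import json
import time

EXPECTED_CLIENT_ID = "VHLLEmpresaBusinessCentral"   # client id from the post
ISSUER = "http://localhost:8180/auth/realms/VHLLEmpresaRealm"  # realm URL from the post
DEMO_KEY = b"constructed-demo-hmac-key"             # constructed; not a real key


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256-signed compact JWS carrying ``claims`` (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying anything (what jwt.io displays)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(claims: dict, client_id: str) -> bool:
    """RFC 7519 allows ``aud`` to be a single string or a list of strings."""
    aud = claims.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        return aud == client_id
    return client_id in aud


def verify_token(token: str, client_id: str, key: bytes = DEMO_KEY, now=None) -> str:
    """Check signature, expiry and audience; return 'ok' or the first failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":          # never trust the token's own alg choice
        return "unexpected alg"
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return "bad signature"
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return "expired"
    if not audience_matches(claims, client_id):
        return "audience mismatch"
    return "ok"


# Constructed tokens: the first mirrors the post's problem (no ``aud`` at all),
# the second is what the audience mapper produces (client id plus 'account').
NOW = 1_600_000_000
TOKEN_WITHOUT_AUD = make_demo_token(
    {"iss": ISSUER, "sub": "kieserver", "exp": NOW + 300})
TOKEN_WITH_AUD = make_demo_token(
    {"iss": ISSUER, "sub": "kieserver", "aud": [EXPECTED_CLIENT_ID, "account"], "exp": NOW + 300})

if __name__ == "__main__":
    for label, tok in (("no aud", TOKEN_WITHOUT_AUD), ("with aud", TOKEN_WITH_AUD)):
        print(label, "->", decode_claims(tok).get("aud"),
              verify_token(tok, EXPECTED_CLIENT_ID, now=NOW))
```

Running the block prints `audience mismatch` for the first token and `ok` for the second, which is the before/after of the Client Scope change. The `audience_matches` helper handles both the string and list forms of `aud` because Keycloak emits a list as soon as more than one audience mapper applies.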

Using Elytron to secure credentials in a WildFly datasource configuration

I'm switching over from the legacy security subsystem to Elytron in WildFly 14.
A particular data source is using a legacy security domain with a custom login module. The custom login module is invoked with a username and an encoded password. The custom login module implements "org.picketbox.datasource.security.AbstractPasswordCredentialLoginModule" where decoded credentials are "returned" to the framework in the overridden commit method.
Since the legacy security subsystem is deprecated, I'd like to switch over to using Elytron and would like to implement similar credential handling. I searched around and found some discussions about creating an Elytron security domain that points to a custom security realm in which a class in a custom module would implement "org.wildfly.security.auth.server.SecurityRealm". I have yet to find any working examples and have been unable to figure this out.
Any ideas?

WebSphere redirect on login drops the domain/host name. WASReqURL missing domain/host name

I am running a WebSphere 8.5.5.3 installation with WebSphere HTTP server in a cluster environment on AIX. I am having a problem of incorrect redirects upon login e.g.:
User is trying to access http://domain_name/app_name/resource_name
User is redirected to the login page at http://domain_name/Login.html
User enters valid credentials
User is redirected to the incorrect URL at http:///app_name/resource_name
If the user logs in a second time then everything works fine
What am I doing wrong? Have I misconfigured something?
Thanks to https://www.ibm.com/developerworks/community/forums/html/topic?id=8deb461e-d3fe-41e5-9402-52be4ec4dba9 here is the answer:
http://www-01.ibm.com/support/docview.wss?rs=203&ca=portall2&uid=swg21259747
Summary:
Create a custom property for WebSphere Global Security:
Name: com.ibm.websphere.security.util.fullyQualifiedURL
Value: true
I was able to restart the WebSphere application server... but you may need to restart all of WebSphere if restarting just the app server app is not enough.

Bug in WildFly http-remoting

When I access remote EJB, the login credentials are passed into the custom security domain that is set for all EJBs. Here password is received in my custom login module as org.jboss.as.security.remoting.RemotingConnectionCredential#35ddbd0f.
But when login from browser, password is received as entered. What's wrong with remote calls?
Here is my jndi.properties
java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory
java.naming.provider.url=http-remoting://localhost:8080
java.naming.security.principal=xxxx
java.naming.security.credentials=xxxx
jboss.naming.client.ejb.context=true
I checked with the latest stable version, 8.2.0.