In Clara, user authentication is managed by Keycloak.
In Keycloak, each application has its own Realm with different users and authorization settings. Clara authorization settings are stored in a Realm named Clara.
For details about Keycloak, see Keycloak documentation.
The steps to configure the security of your Clara installation, including the generation of a new secret, and the customization of SSL certificates, are run automatically by the installation script.
The installation script generates two Clara users:
userid solutions, password Hclsolutions00, with user role.
userid admin, password Hclsolutions00, with administrator role.
To add additional users, roles, or to change the default passwords, see the steps in Creating a new user below.
The installation process generates a Keycloak default realm named Clara and a default client named Clara.
For additional information about Keycloak realms and clients, see Keycloak documentation.
Use the Keycloak administration console to define new users, new roles, or change user passwords.
For example, to create a new Clara user with administrator role, run the following steps:
Access Keycloak administration console https://<IP:PORT>/keycloak/auth/admin by using the following credentials:
userid=admin
password=Hclsolutions00
You can also reach the Keycloak administration console from Clara Control Panel, by clicking Manage roles in the Account icon drop-down menu on the Control Panel header.
If you want, you can change Keycloak default password:
From Keycloak administrator console, in the upper right corner, click Admin:
Select Manage account -> password
Under Clients -> Clara -> roles tab, click the Add role button.
Provide the role name admin and click save.
Under users, click the add user button.
Provide a user name and click save.
Under Credentials, provide a password for the user, turn the temporary field to off, click the Reset Password button and confirm.
Under Role Mappings, in the Client Roles dropdown, select Clara. Some boxes appear on the right.
Under Available Roles, select admin and click the Add Selected button. The admin role appears in the Assigned Roles box.
On the left navigation bar, select the Realm Settings page and go to the Themes tab.
In the Login Theme parameter, select the Keycloak theme, then click save.
To install your own SSL certificates, run the following procedure:
In the <install_path>/clara/nginx/cert folder replace the .key and .crt default certificate files with your own files (do not change the default names).
Complete the installation procedure, or run the following commands from the <install_path> directory to update a pre-existing installation:
docker stop clara-nginx
docker start clara-nginx
By default, Clara external port is configured to use TLS 1.2 and TLS 1.3.
To modify this setting, you can proceed in one of the following ways:
Before launching Clara, build a tailored version of the clara-nginx image.
After extracting clara-img.tar.gz file (see installation instructions), go in the folder clara-img/nginx and edit the file nginxAuth.conf.
Configure the key “ssl_protocols” to the desired value (see nginx official documentation for more details).
On a running Clara, run the bash in the running container clara-nginx:
docker exec -ti clara-nginx bash
edit /etc/nginx/conf.d/default.conf file and configure the key “ssl_protocols” to the desired value (see nginx official documentation for more details).
Restart the container:
docker restart clara-nginx
With Clara, to prevent HTTP Host Header attacks, run the following procedure: