HERO user authentication is managed by Keycloak.
In Keycloak, each application has its own Realm with different users and authorization settings. HERO authorization settings are stored in a Realm named HERO.
In the HERO Realm, the nginx client uses Keycloak to authenticate users to the remote machines, providing a single sign-on solution.
For details about Keycloak, see the Keycloak documentation.
The steps to configure the security for your HERO installation, including the generation of a new secret, and the customization of SSL certificates, are run automatically by the installation script.
The installation script generates two HERO users:
- userid test, password test, with the user role
- userid admin, password admin, with the administrator role
To add users or roles, or to change the default passwords, see the steps in Creating a new user below.
To customize Keycloak for your environment, run the following steps:
1. In the <BUILD_DIR> directory, find the .tomcat.env file.
2. In the .tomcat.env file, find the variables:
   - CLIENT_SECRET
   - KEYCLOAK_URL
3. In the KEYCLOAK_URL value {"realm": "hero","url": "https://hero.hcltech.com/keycloak/auth","clientId": "nginx"}, replace hero.hcltech.com with the <IP>:<PORT> of the host machine.
   If the port used in the docker-compose.yml file is the default one (443), add only the <IP> value.
4. In the <BUILD_DIR>\CONFIGURATION\HERO\ui.properties configuration file (see Installing and Configuring), set the keycloak variable to the same value assigned to KEYCLOAK_URL in step 3.
5. After running the docker-compose up -d command, the user test, with password test, is automatically created and authorized to access the HERO dashboard at https://<your_host_machine_address:port>/Dashboard.
To create a user with administrator role, see the steps in Creating a new user below.
The installation process generates a Keycloak default realm named HERO and a default client named nginx.
For additional information about Keycloak realms and clients, see Keycloak documentation.
Use the Keycloak administration console to define new users, new roles, or change user passwords.
For example, to create a new HERO user with administrator role, run the following steps:
1. Access the Keycloak administration console at https://<IP:PORT>/keycloak/auth/admin using the following credentials:
   - userid=admin
   - password=password
   If you want, you can change the Keycloak default password:
   - From the Keycloak administration console, in the upper right corner, click Admin.
   - Select Manage account -> Password.
2. Under Clients -> nginx -> Roles tab, click the Add Role button.
3. Provide the role name admin and click Save.
4. Under Users, click the Add user button.
5. Provide a user name and click Save.
6. Under Credentials, provide a password for the user, set the Temporary field to OFF, click the Reset Password button and confirm.
7. Under Role Mappings, in the Client Roles dropdown, select nginx. Some boxes appear on the right.
8. Under Available Roles, select admin and click the Add selected button. The admin role appears in the Assigned Roles box.
9. On the left navigation bar, select the Realm Settings page and go to the Themes tab.
10. In the Login Theme parameter, select the keycloak theme, then click Save.
For security reasons, it is recommended to generate a new client secret in place of the default one. To generate a new client secret and customize HERO accordingly, run the following steps:
1. From the Keycloak administration console, in the left side navigation bar, select Clients -> nginx.
2. From the Credentials tab, click Regenerate Secret.
3. Copy the content of the Secret field.
4. From the <BUILD_DIR> directory, run the commands:
   docker-compose down
   docker volume rm <BUILD_DIR>_hero-home (to remove the configuration volume)
5. In the <BUILD_DIR>\CONFIGURATION\HERO directory, find the .tomcat.env file.
6. Paste the content you copied from the Secret field into the CLIENT_SECRET parameter.
7. In the <BUILD_DIR>\CONFIGURATION\HERO\ui.properties configuration file, paste the same content into the clientSecret parameter.
8. From the <BUILD_DIR> directory, run the command docker-compose up --build
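As an added example (not part of HERO or of this documentation), the following Python helper applies the host and port rule from the Keycloak customization steps and a regenerated client secret to both configuration files, then checks that .tomcat.env and ui.properties agree before docker-compose up. The file contents, host, port and secret are constructed sample values; the real files may contain other keys and comments.

```python
import json
import re

# Constructed sample contents standing in for .tomcat.env and ui.properties (not the real HERO files).
TOMCAT_ENV = """\
CLIENT_SECRET=11111111-default-EXAMPLE
KEYCLOAK_URL={"realm": "hero","url": "https://hero.hcltech.com/keycloak/auth","clientId": "nginx"}
"""
UI_PROPERTIES = """\
keycloak={"realm": "hero","url": "https://hero.hcltech.com/keycloak/auth","clientId": "nginx"}
clientSecret=11111111-default-EXAMPLE
"""

def _get(text, key):
    """Value of the first KEY=value line in dotenv/properties text, or None."""
    m = re.search(rf"^{re.escape(key)}=(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def _set(text, key, value):
    # Replace the value of the first KEY=value line in place (lambda avoids backslash escapes).
    return re.sub(rf"^{re.escape(key)}=.*$", lambda _: f"{key}={value}",
                  text, count=1, flags=re.MULTILINE)

def keycloak_config(host, port=443):
    """KEYCLOAK_URL value for this host; the port is omitted when it is the default 443."""
    authority = host if port == 443 else f"{host}:{port}"
    cfg = {"realm": "hero", "url": f"https://{authority}/keycloak/auth", "clientId": "nginx"}
    return json.dumps(cfg, separators=(",", ": "))

def apply_settings(env_text, props_text, host, port=443, client_secret=None):
    """Write the same Keycloak config (and optionally the regenerated secret) into both files."""
    cfg = keycloak_config(host, port)
    env_text, props_text = _set(env_text, "KEYCLOAK_URL", cfg), _set(props_text, "keycloak", cfg)
    if client_secret is not None:
        env_text = _set(env_text, "CLIENT_SECRET", client_secret)
        props_text = _set(props_text, "clientSecret", client_secret)
    return env_text, props_text

def find_mismatches(env_text, props_text):
    """Problems to fix before docker-compose up: inconsistent files or the placeholder host."""
    problems = []
    try:
        env_cfg = json.loads(_get(env_text, "KEYCLOAK_URL"))
        if env_cfg != json.loads(_get(props_text, "keycloak")):
            problems.append("KEYCLOAK_URL and ui.properties keycloak differ")
        elif "hero.hcltech.com" in env_cfg["url"]:
            problems.append("KEYCLOAK_URL still points at the placeholder host hero.hcltech.com")
    except (TypeError, ValueError, KeyError):
        problems.append("KEYCLOAK_URL or keycloak is missing or not valid JSON")
    if _get(env_text, "CLIENT_SECRET") != _get(props_text, "clientSecret"):
        problems.append("CLIENT_SECRET and clientSecret differ")
    return problems
```

Run find_mismatches on the real file contents after editing them; an empty list means the two files are consistent and no longer reference the placeholder host.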
To install your own SSL certificates, run the following procedure:
1. In the <BUILD_DIR>\config folder, replace the default hero.key and hero.crt certificate files with your own files (do not change the default names).
2. Complete the installation procedure, or run the following command from the <BUILD_DIR> directory to update a pre-existing installation:
   docker-compose up -d --build
In the Keycloak administration console, under Clients -> nginx, the Redirect URIs parameter has the default value "*", which allows the login to be redirected to any URI. AppScan reports this as an issue; to resolve it, set the Redirect URIs parameter to only the URIs that HERO requires:
- HOSTNAME\Dashboard
- HOSTNAME\tomcat
- HOSTNAME\keycloak
- HOSTNAME\elasticsearch
- HOSTNAME\kibana
- HOSTNAME\prediction
where HOSTNAME is the hostname of the machine where HERO is installed. Keycloak rejects a login whose redirect_uri does not match an entry in this list, so each entry must match the URI HERO actually redirects to.