unnecessary steps since adding ssl trustDefaultCerts="true" #220

Open: wants to merge 5 commits into base: vnext-release
Changes from 3 commits
27 changes: 3 additions & 24 deletions authentication/AzureAD/README_WITH_CLIENT_SECRET.md
Expand Up @@ -246,26 +246,7 @@

### Create secrets to configure ODM with Microsoft Entra ID

1. Create a secret with the Microsoft Entra ID Server certificate.

To allow ODM services to access the Microsoft Entra ID Server, it is mandatory to provide the Microsoft Entra ID Server certificate.
You can create the secret as follows:

```shell
keytool -printcert -sslserver login.microsoftonline.com -rfc > microsoft.crt
kubectl create secret generic ms-secret --from-file=tls.crt=microsoft.crt
```

Introspecting the Microsoft Entra ID login.microsoftonline.com certificate, you can see it has been signed by the Digicert Root CA authorithy.

So we will also add the DigiCert Global Root CA from [this page](https://www.digicert.com/kb/digicert-root-certificates.htm):

```shell
curl --silent --remote-name https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
kubectl create secret generic digicert-secret --from-file=tls.crt=DigiCertGlobalRootCA.crt.pem
```

2. Generate the ODM configuration file for Microsoft Entra ID.
1. Generate the ODM configuration file for Microsoft Entra ID.

If you have not yet done so, download the [azuread-odm-script.zip](azuread-odm-script.zip) file to your machine. This archive contains the [script](generateTemplate.sh) and the content of the [templates](templates) directory.

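Review bot: the deleted step was the only place this README explained why the Entra ID TLS chain had to be trusted, so a one-line replacement is needed where it stood: state that the Liberty ssl `trustDefaultCerts="true"` setting named in the PR title makes the JVM default truststore (which already contains the DigiCert Global Root CA that signs login.microsoftonline.com) cover the connection, and from which chart release that holds, otherwise a reader on an older release who follows the new text will hit a TLS handshake failure with no pointer to the cause. The trust model also widens: `ms-secret`/`digicert-secret` pinned one endpoint certificate and one root, while the default store accepts every CA in the JVM bundle; that is the normal choice for a public identity provider, but readers who reach Entra ID through a TLS-intercepting proxy previously had a documented way to add its CA via `customization.trustedCertificateList`, so say whether that option is still supported for them.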
Expand Down Expand Up @@ -293,7 +274,7 @@
- openIdParameters.properties configures several features like allowed domains, logout, and some internal ODM OpenId features
- OdmOidcProviders.json configures the client-credentials OpenId provider used by the Decision Center server configuration to connect Decision Center to the Decision Server console and Decision Center to Decision Runner

3. Create the Microsoft Entra ID authentication secret.
2. Create the Microsoft Entra ID authentication secret.

```shell
kubectl create secret generic azuread-auth-secret \
Expand All @@ -303,7 +284,7 @@
--from-file=webSecurity.xml=./output/webSecurity.xml
```

4. Create the secret allowing to synchronize Decision Center Users and Groups with Entra ID.
3. Create the secret allowing to synchronize Decision Center Users and Groups with Entra ID.

This section is optional.

Expand Down Expand Up @@ -364,7 +345,6 @@ You can now install the product. We will use the PostgreSQL internal database an
--set oidc.enabled=true \
--set license=true \
--set internalDatabase.persistence.enabled=false \
--set customization.trustedCertificateList='{ms-secret,digicert-secret}' \
--set customization.authSecretRef=azuread-auth-secret \
--set internalDatabase.runAsUser='' --set customization.runAsUser='' --set service.enableRoute=true
```
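Review bot: the `\` continuation chain is intact after dropping `--set customization.trustedCertificateList='{ms-secret,digicert-secret}' \`, since `--set internalDatabase.persistence.enabled=false \` now flows into `--set customization.authSecretRef=azuread-auth-secret \`; the follow-up is a repository-wide search for the `ms-secret` and `digicert-secret` names, because this PR deletes the step that created them and any page still naming them will send readers to secrets that no longer exist.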
Expand All @@ -389,7 +369,6 @@ You can now install the product. We will use the PostgreSQL internal database an
--set oidc.enabled=true \
--set license=true \
--set internalDatabase.persistence.enabled=false \
--set customization.trustedCertificateList='{ms-secret,digicert-secret}' \
--set customization.authSecretRef=azuread-auth-secret \
--set service.ingress.enabled=true \
--set service.ingress.annotations={"kubernetes.io/ingress.class: nginx"\,"nginx.ingress.kubernetes.io/backend-protocol: HTTPS"}
27 changes: 3 additions & 24 deletions authentication/AzureAD/README_WITH_PRIVATE_KEY_JWT.md
Expand Up @@ -164,34 +164,15 @@ For additional information regarding the implement in Liberty, please refer to t

### Create secrets to configure ODM with Microsoft Entra ID

1. Create a secret with the Microsoft Entra ID Server certificate.

To allow ODM services to access the Microsoft Entra ID Server, it is mandatory to provide the Microsoft Entra ID Server certificate.
You can create the secret as follows:

```shell
keytool -printcert -sslserver login.microsoftonline.com -rfc > microsoft.crt
kubectl create secret generic ms-secret --from-file=tls.crt=microsoft.crt
```

Introspecting the Microsoft Entra ID login.microsoftonline.com certificate, you can see it has been signed by the Digicert Root CA authorithy.

So we will also add the DigiCert Global Root CA from [this page](https://www.digicert.com/kb/digicert-root-certificates.htm):

```shell
curl --silent --remote-name https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
kubectl create secret generic digicert-secret --from-file=tls.crt=DigiCertGlobalRootCA.crt.pem
```

2. Create a secret to provide the private and public certificate to manage the private_key_jwt authentication
1. Create a secret to provide the private and public certificate to manage the private_key_jwt authentication

To allow ODM containers to generate a client_assertion, you have to provide them the private and public certificates with the following **myodmcompany** secret. Don't change this name with this tutorial as this name is linked to the openidConnectClient **keyAliasName="myodmcompany"** parameter of the private_key_jwt liberty configuration.

```shell
kubectl create secret generic myodmcompany --from-file=tls.key=myodmcompany.key --from-file=tls.crt=myodmcompany.crt
```

3. Generate the ODM configuration file for Microsoft Entra ID.
1. Generate the ODM configuration file for Microsoft Entra ID.

If you have not yet done so, download the [azuread-odm-script.zip](azuread-odm-script.zip) file to your machine. This archive contains the [script](generateTemplateForPrivateKeyJWT.sh) and the content of the [templates_for_privatekeyjwt](templates_for_privatekeyjwt) directory.

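Review bot: the renumbering is inconsistent: `1. Create a secret to provide the private and public certificate to manage the private_key_jwt authentication` and `1. Generate the ODM configuration file for Microsoft Entra ID.` (and the authentication-secret step further down) all carry the marker `1.`, whereas README_WITH_CLIENT_SECRET.md in this same PR renumbers explicitly as 1, 2, 3. Markdown only auto-increments repeated `1.` markers when every intervening paragraph and code fence is indented under its list item; as rendered here the explanatory paragraph and the `kubectl create secret generic myodmcompany ...` fence sit at column 0, so each step risks rendering as "1.". Number them explicitly as in the other README, or check the rendered output. The same remark as for README_WITH_CLIENT_SECRET.md applies to the removed certificate step: one sentence should say that `trustDefaultCerts="true"` now covers the Entra ID endpoint.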
Expand All @@ -218,7 +199,7 @@ For additional information regarding the implement in Liberty, please refer to t
- openIdParameters.properties configures several features like allowed domains, logout, and some internal ODM OpenId features
- OdmOidcProviders.json configures the client-credentials OpenId provider used by the Decision Center server configuration to connect Decision Center to the Decision Server console and Decision Center to the Decision Runner

4. Create the Microsoft Entra ID authentication secret.
1. Create the Microsoft Entra ID authentication secret.

```shell
kubectl create secret generic azuread-auth-secret \
Expand Down Expand Up @@ -259,7 +240,6 @@ You can now install the product. We will use the PostgreSQL internal database an
--set oidc.enabled=true \
--set license=true \
--set internalDatabase.persistence.enabled=false \
--set customization.trustedCertificateList='{ms-secret,digicert-secret}' \
--set customization.privateCertificateList='{myodmcompany}' \
--set customization.authSecretRef=azuread-auth-secret \
--set internalDatabase.runAsUser='' --set customization.runAsUser='' --set service.enableRoute=true
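Review bot: keep `--set customization.privateCertificateList='{myodmcompany}' \` as done here; `trustDefaultCerts` only replaces the server-side trust anchors (`ms-secret`, `digicert-secret`), while the private_key_jwt flow still needs the client's own key pair from the `myodmcompany` secret to sign the client_assertion, as the `keyAliasName="myodmcompany"` note in the step above states. Worth a sentence in the text so readers do not remove both lists by analogy.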
Expand All @@ -280,7 +260,6 @@ You can now install the product. We will use the PostgreSQL internal database an
--set oidc.enabled=true \
--set license=true \
--set internalDatabase.persistence.enabled=false \
--set customization.trustedCertificateList='{ms-secret,digicert-secret}' \
--set customization.privateCertificateList='{myodmcompany}' \
--set customization.authSecretRef=azuread-auth-secret \
--set service.ingress.enabled=true \
2 changes: 1 addition & 1 deletion authentication/README.md
Expand Up @@ -132,7 +132,7 @@ com.ibm.ws.authentication.internal.assertion=true,
com.ibm.wssi.security.oidc.client.credential.storing.utc.time.milliseconds=1669040483111,
id_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJVMVZadVY1S18zbWNGclprVnJFSGFnQWxDaWV2S0ZjOTNoLWVMQ2lMR2hrIn0.eyJleHAiOjE2NjkwNDA3ODMsImlhdCI6MTY2OTA0MDQ4MywiYXV0aF90aW1lIjoxNjY5MDQwNDgyLCJqdGkiOiI0YjQ5ZTkxZC1lODBkLTQyYTAtYTUxYi04YzY4Nzc5MDI1ZTIiLCJpc3MiOiJodHRwczovL2tleWNsb2FrLW1hdHRlc3QuYXBwcy5vY3AtcHNpdC1hZG8uY3AuZnlyZS5pYm0uY29tL3JlYWxtcy9vZG0iLCJhdWQiOiJvZG0iLCJzdWIiOiIxNDE4ZmY0OS04MjU4LTQzZjItODM5Yi01ZjJlMTEzNTc4MjciLCJ0eXAiOiJJRCIsImF6cCI6Im9kbSIsInNlc3Npb25fc3RhdGUiOiJkMDYyNTA5NC1iNDQ5LTQxYWItYWUwMy0zYWY4MDBjNjU2NGEiLCJhdF9oYXNoIjoieWdMM0xOQnNoVWEybVhsOWxqS3hZUSIsImFjciI6IjEiLCJzaWQiOiJkMDYyNTA5NC1iNDQ5LTQxYWItYWUwMy0zYWY4MDBjNjU2NGEiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6IkpvaG4gRG9lIiwiZ3JvdXBzIjpbInJ0c0NvbmZpZ01hbmFnZXJzIiwicmVzQWRtaW5pc3RyYXRvcnMiLCJyZXNNb25pdG9ycyIsInJ0c0FkbWluaXN0cmF0b3JzIiwicnRzSW5zdGFsbGVycyIsInJlc0RlcGxveWVycyIsInJ0c1VzZXJzIiwicmVzRXhlY3V0b3JzIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImpvaG5kb2VAbXljb21wYW55LmNvbSIsImdpdmVuX25hbWUiOiJKb2huIiwiZmFtaWx5X25hbWUiOiJEb2UiLCJlbWFpbCI6ImpvaG5kb2VAbXljb21wYW55LmNvbSJ9.NBbZPp6Mymve3mLVyE0zKgW-yN1VZvZ5FnmpP93ImMDtMc2yYRw9wxZzQ_eZLsAulyR-SlkxIWhMESKcoIKW8Scm23rJembUgyfJ82btGBGAOIXAQDtN7rnGq4_6U6gUaUA7OIswErii4zG3GmXSLu3COBsAIYRaIPtGc_X1OM-bfc9jeGI8H2yK8y9MnlsvTTRaNT6YRNja-yuQKcVe3dukDb7hL5FvBCAWjWnZ0bocQobeYuXp3xV8I8j4z3hC-HAPmvSrgHOEJhokPNKlBfnACE4-1TFzu5fJQztbb8MfzCwVzvpLTmkTdTe3NMk7UDnrUYLfGtiGarGuOOAUYw, ...
```

<!-- markdown-link-check-disable-next-line -->
Introspecting the **id_token** with [https://jwt.io](https://jwt.io), you should get:
Collaborator (review comment on the line above):
It's probably not your text (I didn't check the history) but I'd recommend against putting any specific site or even tool to inspect JWT. Imagine this site is hacked somehow, we would trustfully redirect customers to some devil site. I'd rephrase just with: Introspecting the **id_token**, you should get:

Contributor Author:
Good thinking!
Since we have a replacement, let's suggest using the DevToys app instead
https://devtoys.app/

Collaborator:
Mmmh, I'd say no, for the same reason (if somebody hacks devtoys.app)... Or at least just mention the name of the tool without providing any URL. It will be up to the user to determine whether s·he wants to use it or any other tool:
Introspecting the **id_token** (for instance with DevToys), you should get:

Contributor Author (@fredmerci, Mar 18, 2025):
Do you have an opinion @lgrateau?

Contributor Author:
I removed the reference/suggestion to use DevToys

```json
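Review bot: the thread's conclusion (no hosted decoder named) is the right one, and the replacement wording can go one step further: say the token can be decoded locally, since a JWT payload is only base64url-encoded and any offline base64url decoder shows the claims. Pasting a live **id_token** into a third-party web page hands that party both the identity claims it carries and, until `exp`, a token some relying parties will accept; the `<!-- markdown-link-check-disable-next-line -->` marker becomes unnecessary once no URL remains on the following line.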