Auth Service
The Auth Service is the user authentication and authorization service for CENM. It stores and controls secure user-access to network services, such as:
- Identity manager.
- Zone Service.
- Signing Service.
- Network map (and associated network configurations and node info).
Whenever you use the User admin tool to create new users, groups or roles, the Auth Service is updated to authenticate those users and their permissions. If you use the CENM Command Line Interface, the Auth Service verifies your security clearance to operate on the required context of the service.
When you use any front end interface for CENM, the Auth Service is activated and updated via a front-end gateway, called the Gateway service.
You do not need to interact directly with the Auth Service once it has been installed and configured. To protect the integrity of this secure service, there is no direct API contact with the Auth Service - all front-end communications go via the Gateway service.
Install the Auth Service
You can install the Auth Service by either:
- Installing the
accounts-application.jar
. - Installing the Docker image.
Install using the docker image
The docker image contains the application jar itself setup to run with the Initial user
commands.
To install from the docker, ensure that the config file and other required files are mounted as a shared volume when running the container.
/opt/authsvc/plugins
. When creating a new image from this one, you only need to copy the application specific baseline into this folder, and it will be picked up automatically.Environment variables:
- INITIAL_ADMIN_USERNAME
- Initial user name, defaults to
admin
- Initial user name, defaults to
- INITIAL_ADMIN_PASSWORD
- Initial user password, defaults to
password
- Initial user password, defaults to
- CONFIG_FILE_LOCATION
- Location of the configuration file, defaults to
/usr/auth/auth.conf
- To use the default setting the config file should be mounted under
/usr/auth
- Location of the configuration file, defaults to
- ADDITIONAL_ARGUMENTS
- Additional command line args passed to the service
- Defaults to “–verbose”
Install using the JAR file
- Add the file
accounts-application.jar
to your CENM working directory. - Configure the Auth Service using the command line.
Prepare for configuration
Before you can configure the Auth Service, you need to prepare SSL certificates, create signing keys and add your baseline permissions JAR file so that new permissions can be added to the Auth Service.
To do this:
Create a SSL certificate in a
.jks
file using the CENM PKI tool.Generate a
jwt
signing key (RSA keypair) in a jks file with the following command line command:keytool -genkeypair -alias mytest -keyalg RSA -keypass mypass -keystore mytest.jks -storepass mypass
.Ensure you have a baseline JAR file that contains the set of permissions available in the deployment and optionally predefined roles. This is shipped as part of CENM via Artifcatory. For example, the file for CENM 1.4 is called
accounts-baseline-cenm-1.4.0.jar
. You can also copy this into a folder inside the working directory calledplugins
to avoid having to specify it in the config file.
Configure the Auth Service
To deploy the Auth Service, you need to create a configuration file.
When you create your config file, you establish its connection to your Gateway Service. Make sure you know:
- Your Gateway service ID.
- Your Gateway service secret.
In the sample below, you can see the initial configuration process:
Database configuration. Add the name, address and login credentials for the SQL database that supports the Auth Service.
JSON Web Key configuration. Set the username, password, and location of the RSA keypair store for signing. The location must be the absolute path.
Configure the connection to the Gateway service. Add the ID, secret, and scope of services that you use when setting up the Gateway service.
Configure the web server.
Set optional password policy settings.
Set optional permission baselines for roles.
# database configuration
database {
driverClassName = "org.h2.Driver"
url = "jdbc:h2:file:/usr/auth/auth-persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=0;AUTO_SERVER_PORT=0"
user = "testuser"
password = "password"
runMigration = true
}
# JSON Web Key configration for JWT signing
jwk {
# Location of the RSA keypair store for singing (MUST BE absolute path)
location = "/usr/auth/jwt-store.jks"
# Password for the keystore
password = "password"
# Key alias for the RSA keypair, default value is 'cordaauthjwk'
keyAlias = "oauth-test-jwt"
}
# Client configuration, this should contain credentials and config for Gateway service instances
clientConfig = {
clients = [
{
# Client id, must be the same as configured for Gateway
clientId = "gateway1"
# Client secret, must be the same as configured for Gateway
clientSecret = "secret1"
# Available scopes for this Gateway service instance, can be any of the below:
# - accounts:admin
# - indicates access to user management from the Gateway service
# - accounts:user
# - indicates zone access from the Gateway service
# default value is 'accounts:user'
scopes = [
"accounts:admin"
]
# This is a list of services that will accept the token generated through
# this Gateway instance, possible values (it is case sensitive):
# - zone (Zone Service)
# - identity-manager (doorman service)
# - signer (signer service)
# - network-map (network-map service)
audience = [
"zone"
]
# access token validity
# Should be short, default is 1 hour
accessTokenValidity = 300
# refresh token validity
# should be in sync with company 'stay logged in' policy
# default value is 7 days
refreshTokenValidity = 6000
}
],
# Issuer value for the JWTs, must match with whatever is configured for CENM services
# Default is 'accounts-service'
issuer = "http://test"
}
# Configuration for the web server
server {
# listening port
port = 8081
# SSL data
ssl = {
keyStore = {
# MUST BE absolute path
location = "/usr/auth/corda-ssl-network-map-keys.jks"
password = "password"
# Defaults to 'cordasslauthservice' if not set
keyAlias = "cordasslnetworkmap"
}
trustStore = {
# MUST BE absolute path
location = "/usr/auth/corda-ssl-trust-store.jks"
password = "trustpass"
}
}
}
# Optional password policy settings
passwordPolicy = {
# Enables password expiration
# Disabled by default
expiration = {
enabled = true
passwordMaxAge = 1
}
# Enables automatic user lockout after a certain number of failed login attempts
# Disabled by default
lock = {
enabled = true
loginAttempts = 1
}
}
# Configuration of the permissions and role baselines
# This is not mandatory if the plugin is placed into the /plugins folder in the application
# working directory it will be picked up automatically
baseline {
permission = {
baselineClass = "com.r3.appeng.accounts.cenm.PermissionBaselineImpl"
baselinePackage = "/usr/auth/accounts-baseline-cenm.jar"
}
role = {
baselineClass = "com.r3.appeng.accounts.cenm.RoleBaselineImpl"
baselinePackage = "/usr/auth/accounts-baseline-cenm.jar"
}
}
Manage your configuration
You can manage the Auth Service configuration using the command line.
Command line arguments:
[-f, --config-file]
Path of the service config file.[-o, --obfuscated]
Indicates an obfuscated config.[--seed]
Optional seed for config deobfuscation.[-v, --verbose]
Redirect all log output to the console. Also sets logging level to INFO.[--logging-level]
Sets logging level. Accepts Log4j Levels.
Initial user initializer: This command group allows configuration of the initial admin user. Both options are required when any of them is in use.
[--initial-user-name]
Sets the name of the user.[--initial-user-password]
Sets the password of the user.[--restore-admin-capability]
()initializer) If all admin users are locked out, for example because of password policy, this option unlocks them.
Reset user (initializer): Use this command group to reset, re-enable, and unlock a user. You can also sets a user’s password or force the user to become an administrator. Administrators can create and edit other users, but cannot access CENM services directly.
[--reset-user-username]
Username to be reset.[--reset-user-password]
New password for the user being reset.[--reset-user-admin]
Flag to enable forcing the user to be admin.[--keep-running]
Enables the application to keep running after any of the initializer arguments have been supplied.
Was this page helpful?
Thanks for your feedback!
Chat with us
Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.
Propose documentation improvements directly
Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.
We're sorry this page wasn't helpful. Let us know how we can make it better!
Chat with us
Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.
Create an issue
Create a new GitHub issue in this repository - submit technical feedback, draw attention to a potential documentation bug, or share ideas for improvement and general feedback.
Propose documentation improvements directly
Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.