Admin Guide

Maria Paola Ferri edited this page Oct 27, 2025 · 4 revisions

Admin-Specific Configuration

This section covers additional optional configurations for system administrators, including SGE manual setup, Keycloak integration, and HashiCorp Vault setup. These steps are not required for a standard deployment but are useful for fine-tuning authentication, permissions, and secure secret management.


5.1 Apply Manual SGE Configuration

5.1.1 sgecore username

Before initializing the SGE configuration to recognize jobs sent from the front-end, retrieve the front-end Docker hostname if uncertain:

docker inspect front_end | grep -i Hostname

Change the minimal UID in the SGE master configuration so that jobs submitted by the web application user are accepted:

docker exec -it sgecore /bin/bash
qconf -as ${FRONT_END_HOSTNAME}   # register the front-end host as a submit host
qconf -mconf   # change min_uid from 1000 to 33 (the web application user)

5.1.2 sgecore Docker usage permissions

groupmod -g 120 docker    # or adjust to match your system's Docker group GID
usermod -aG docker application

chown root:docker /var/run/docker.sock
chmod 660 /var/run/docker.sock

Members of the docker group can drive the Docker daemon, which is equivalent to root on the host, so limit the group to the application account that actually needs it.

5.2 Keycloak Configuration

Ensure the user and secret in Keycloak match your .env file configuration. Some systems may require allowing Keycloak access through iptables:

sudo iptables -I INPUT -s {keycloak internal IP} -p tcp --dport 8080 -j ACCEPT

Retrieve Client ID and Secret from the Keycloak admin console at:

http(s)://{$FQDN_HOST}/auth/admin

Update the .env with the credentials to enable VRE access.

5.3 HashiCorp Vault Configuration

5.3.1 Keycloak Integration for Vault

This guide explains how to configure a Keycloak client to enable interaction between HashiCorp Vault and Keycloak for authentication and authorization using JWT tokens.

Configure Your Keycloak Client

  1. Log in to the Keycloak admin console through http://localhost:9099/auth and navigate to your realm.

  2. Locate your existing client; in this case it is the open-vre one.

  3. In the client settings, configure the following:

    • Root URL:

      https://$FQDN_HOST/

      Replace $FQDN_HOST with your fully qualified domain name (e.g., vre.disc4all.eu).

    • Valid Redirect URIs:

      https://$FQDN_HOST/*

      Additionally:

      http://$FQDN_HOST/ui/vault/auth/oidc/oidc/callback

      Ensure $FQDN_HOST is replaced with the correct host name for your deployment (e.g., vre.disc4all.eu).

  4. Save the changes to the client configuration to ensure the URIs are authorized by Keycloak.

Create a New Client for Vault

To enable Vault to authenticate and authorize users via Keycloak, create a new dedicated Keycloak client for Vault.

  1. Go to the Clients section in the Keycloak admin console.

  2. Click on the "Create" button (on the right side of the clients table) to create a new client.

  3. Set the Client ID to open-vre-vault, with the same Root URL as the open-vre client.

  4. Configure the following for the new client:

    • Root URL:

      https://$FQDN_HOST/

    • Valid Redirect URIs:

      https://$FQDN_HOST/*

      Additionally:

      http://$FQDN_HOST/ui/vault/auth/oidc/oidc/callback

      Replace $FQDN_HOST with your domain (e.g., vre.domain.eu).

  5. Save the new client configuration.

With the above configuration, Vault will be able to interact with Keycloak for OpenID Connect (OIDC) authentication once it has been configured manually on the Vault side. Before interacting with the Vault Server container, the next configuration step requires the public key that validates the JWTs, retrieved directly from the Keycloak realm's JWKS endpoint through these steps:

  1. Retrieve the realm's JWKS document from Keycloak with this command:

curl http://$FQDN_HOST/auth/realms/open-vre/protocol/openid-connect/certs

  2. Copy the n and e values from the keys array in the response;

  3. Change into the vault/ directory;

  4. Substitute the values you saved into the pem.py script;

  5. Launch the pem.py script:

python3 pem.py >> public-key.pem
mv public-key.pem config/

  6. Make sure that the key was saved in the vault/config/ directory.
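As an added example (not the project's pem.py), the conversion those steps describe, written with the Python standard library only: the n and e fields of the realm's signing key are turned into the "BEGIN PUBLIC KEY" PEM that Vault expects. The JWKS document below is constructed with toy moduli; it also reproduces the fact that Keycloak publishes an encryption key (use "enc") next to the signing key (use "sig"), and only the signing key can validate tokens, so the script selects by use rather than taking the first entry.

```python
import base64
import json

# Constructed sample in the shape Keycloak serves at
# /auth/realms/<realm>/protocol/openid-connect/certs; the moduli are toy
# values for readability, a real signing key is 2048 bits.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kid": "enc-1", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc", "n": "oKI", "e": "AQAB"},
    {"kid": "sig-1", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "oKE", "e": "AQAB"},
]})

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

def b64url_to_int(value: str) -> int:
    """Decode an unpadded base64url JWK field ("n" or "e") to an integer."""
    return int.from_bytes(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)), "big")

def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder; the long length form covers 2048-bit keys."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def der_int(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a modulus whose top bit is set positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return der_tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)

def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for (n, e): the structure a "BEGIN PUBLIC KEY" PEM carries."""
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL params
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_public_key))

def rsa_public_key_pem(n: int, e: int) -> str:
    b64 = base64.b64encode(rsa_spki_der(n, e)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def jwks_signing_key_pem(jwks_json: str) -> str:
    """Select the RSA signing key (use == "sig"); the "enc" key cannot validate tokens."""
    for key in json.loads(jwks_json)["keys"]:
        if key.get("kty") == "RSA" and key.get("use", "sig") == "sig":
            return rsa_public_key_pem(b64url_to_int(key["n"]), b64url_to_int(key["e"]))
    raise ValueError("no RSA signing key in JWKS")
```

Writing the returned string to config/public-key.pem gives the same artifact the steps above produce, and the PEM can be checked with openssl rsa -pubin -in public-key.pem -noout -text.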

5.3.2 Vault GUI unseal

The first time Vault is up, you can access and explore it through the UI.

Connect to it at http://hostname:8200/ui/vault/. There you can set the number of unseal key shares to generate and how many of them are required to unseal the Vault.

Save the keys!

Once you have gone through the unseal process and the Status of the Vault turns green, some configuration can be done from the Admin page, for example setting up policies.

Click on the Policies section. Here, with the Create ACL Policy button, add two policies, one for the JWT auth method and one for OIDC, so that Vault can communicate with the local Keycloak server.

The first policy is named jwt-role-demo:

path "auth/jwt/role/demo" {
  capabilities = ["create", "read", "update", "delete"]
}

path "secret/*" {
  capabilities = ["create", "read", "update", "delete"]
}

path "auth/token/lookup-self" {
  capabilities = ["read"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
path "auth/token/revoke-self" {
  capabilities = ["update"]
}

and oidc-role-myrole:

path "auth/oidc/role/myrole" {
  capabilities = ["create", "read", "update", "delete"]
}

path "secret/mysecret" {
  capabilities = ["create", "read", "update", "delete"]
}

The rest of the configuration can be done manually, as described in 5.3.4.

5.3.3 Vault manual unseal

The first time Vault is up, access the container in interactive mode to run the init, and save the generated 'Unseal keys' somewhere outside the container:

docker exec -ti vault-server vault operator init

On every Vault restart, unseal the vault with 3 of the 5 Unseal Keys generated during the init:

docker exec -ti vault-server vault operator unseal SECRET_KEY1
docker exec -ti vault-server vault operator unseal SECRET_KEY2
docker exec -ti vault-server vault operator unseal SECRET_KEY3

5.3.4 Vault manual setup

When an external JWT authorization token service is used as an intermediate identity layer for accessing the Vault and its secrets, it has to be registered properly. These are the commands to run to set up a JWT authorization service for Keycloak:

docker exec -ti vault-server /bin/sh
vault login   # with ${Initial Root Token}

vault auth enable jwt
vault auth enable oidc

# Policies, if not created through the UI
cd vault/config
vault policy write jwt-role-demo jwt-role-demo.hcl
vault policy write oidc-role-myrole oidc-role-myrole-policy.hcl

# Roles ($HOSTNAME can coincide with $FQDN_HOST)
vault write auth/oidc/role/myrole allowed_redirect_uris="http://$HOSTNAME/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" user_claim="sub"
vault write auth/jwt/role/demo bound_audiences="account" allowed_redirect_uris="http://localhost:8250/oidc/callback" user_claim="sub" policies=jwt-role-demo role_type=jwt ttl=1h
vault write auth/jwt/role/demo role_type="jwt"
#vault write auth/jwt/role/demo bound_audiences="account"

# Configuration
# The public key is the realm's JWKS signing key, saved as config/public-key.pem in 5.3.1
vault write auth/jwt/config default_role=demo bound_issuer="https://$KEYCLOAK_REALM" jwt_validation_pubkeys=@public-key.pem bound_audiences="account"

#Secrets
vault secrets enable -path=secret/mysecret kv-v2

