OpenText Analytics Database 26.2.x – Configuring OAuth authentication

Security-and-Authentication: Configure Keycloak

Mon, 01 Jan 0001 00:00:00 +0000

The following procedure configures a Keycloak 18.0.0 server on 203.0.113.1 for integration with Vertica. For details, see Configuring OAuth authentication.

The goals of this procedure are to configure Keycloak and obtain the following information:

Client ID: The ID used to identify the Vertica database. This is configured by the user and set to vertica in the example procedure.
Client secret: A Keycloak-generated string used to refresh the OAuth token when it expires.
Discovery endpoint: The endpoint that serves information for all other endpoints as a JSON string. The endpoint for a Keycloak server on 203.0.113.1 is one of the following:
- https://203.0.113.1:8443/realms/myrealm/.well-known/openid-configuration (if TLS is configured)
- http://203.0.113.1:8443/realms/myrealm/.well-known/openid-configuration

Configure TLS (optional)

If you want to use TLS, you must obtain a certificate and key for Keycloak signed by a trusted CA. This example uses a self-signed CA for convenience. The following example creates a certificate and key in Vertica:

Generate the CA certificate:

=> CREATE KEY SSCA_key TYPE 'RSA' LENGTH 2048;
CREATE KEY

=> CREATE CA CERTIFICATE SSCA_cert
SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Micro Focus/OU=Vertica/C N=Vertica Root CA'
VALID FOR 3650
EXTENSIONS 'nsComment' = 'Self-signed root CA cert'
KEY SSCA_key;
CREATE CERTIFICATE

Generate a server key and certificate, signed by your CA, setting the subjectAltName of the certificate to the DNS server and/or IP address of your Keycloak server:

=> CREATE KEY keycloak_key TYPE 'RSA' LENGTH 2048;
CREATE KEY

=> CREATE CERTIFICATE keycloak_cert
SUBJECT '/C=US/ST=Massachussets/L=Cambridge/O=Micro Focus/OU=Vertica/CN=Vertica Server'
SIGNED BY SSCA_cert
EXTENSIONS 'nsComment' = 'Keycloak CA', 'extendedKeyUsage' = 'serverAuth', 'subjectAltName' = 'DNS.1:dnsserver,IP:203.0.113.1'
KEY keycloak_key;
CREATE CERTIFICATE

Create the file keycloak_directory/conf/keyfile.pem with the content from the key column for the generated key:
```
=> SELECT key FROM cryptographic_keys WHERE name = 'keycloak_key';
```
Create the file keycloak_directory/conf/certfile.pem with the content from the certificate_text column for the generated certificate:
```
=> SELECT certificate_text FROM certificates WHERE name = 'keycloak_cert';
```
Append to your system's CA bundle the content from the certificate_text column for the generated CA certificate. The default CA bundle path and format varies between distributions; for details, see SystemCABundlePath:
```
=> SELECT certificate_text FROM certificates WHERE name = 'SSCA_cert';
```

Set the SystemCABundlePath configuration parameter:

=> ALTER DATABASE DEFAULT SET SystemCABundlePath = 'path/to/ca_bundle';

Start Keycloak

Enter the following commands for a minimal configuration to create the Keycloak admin and to start Keycloak in start-dev mode:

$ KEYCLOAK_ADMIN=kcadmin
$ export KEYCLOAK_ADMIN
$ KEYCLOAK_ADMIN_PASSWORD=password
$ export KEYCLOAK_ADMIN_PASSWORD
$ cd keycloak_directory/bin/
$ ./kc.sh start-dev --hostname 203.0.113.1 --https-certificate-file ../conf/certfile.pem --https-certificate-key-file=../conf/keyfile.pem

Open the Keycloak console with your browser (these examples use the default ports):
- For HTTP: http://203.0.113.1:8080
- For HTTPS: http://203.0.113.1:8443
Sign in as the admin.
Go to Client scopes > Client scope details > Mapper details, and toggle Full group path to Off. Vertica does not support subgroups.
(Optional) To make testing OAuth more convenient, go to Realm Settings > Tokens and increase Access Token Lifespan to a greater value (the default is 5 minutes).

Create the Vertica client

Go to Clients and select on Create. The Add Client page appears.
In Client ID, enter vertica.
Select Save. The client configuration page appears.
On the Settings tab, use the Access Type dropdown to select confidential.
On the Credentials tab, copy the Secret. This is the client secret used to refresh the token when it expires.

Create a Keycloak user

Keycloak users map to Vertica users with the same name. This example creates a the Keycloak user oauth_user.

On the Users tab, select Add user. The Add user page appears.
In Username, enter oauth_user.
On the Credentials tab, enter a password.

Security-and-Authentication: Configure Okta

Mon, 01 Jan 0001 00:00:00 +0000

The following procedure configures Okta for integration with Vertica and requires administrator privileges. For details, see Configuring OAuth authentication.

The goals of this procedure are to configure Okta and obtain the following information:

Client ID: The ID used to identify the Vertica database. This is generated by Okta.
Client secret: An Okta-generated string used to refresh the OAuth token when it expires.
Token endpoint: Used by the client to retrieve the OAuth token.
Introspection endpoint: Used by Vertica to validate the OAuth token.

These values are used to create the oauth authentication record in Vertica and act as instructions for Vertica to communicate with Okta when a user attempts to authenticate.

Create an OIDC application

From the Okta dashboard, go to Applications > Applications and select Create App Integration. The Create a new app integration dialog box appears.
For the Sign-in method, select OIDC - OpenID Connect. The Application type section appears.
For the Application type, select Native Application.
Select Next. The New Native App Integration window opens.
In the App integration name, enter a name for your application. This example uses Demo_Vertica.
For the Grant Type, select Authorization Code, Refresh Token, and Resource Owner Password.
For Controlled access, select the option applicable to your organization. This example uses Allow everyone in your organization to access.
Select Save to save your application.

Retrieve the client ID and client secret

From the Okta dashboard, go to Applications > Applications and select the name of your OIDC application.
In the General tab in the Client Credentials section, select Edit.
For Client authentication, select Client secret and select Save. This generates a new client secret.
Copy the client ID and client secret.

Set the authentication policy

From the Okta dashboard, go to Applications > Applications and select the name of your OIDC application.
In the Sign On tab in the User authentication section, select Edit.
Select Password only.
Select Save to save the new policy.

Retrieve Okta endpoints

From the Okta dashboard, go to Security > API.
In the Authorization Servers tab, select the name of your authorization server. By default, the name of this server is default.
Select the Metadata URI to get a list of all endpoints for your authorization server as a json string.
Copy the values for the token_endpoint and introspection_endpoint.

Test the configuration

Verify that you can retrieve an OAuth token from the token endpoint. If successful, Okta respond with an access_token and refresh_token:

$ curl --insecure -d "client_id=client_id" -d "client_secret=client_secret" -d "username=okta_username" -d "password=okta_password" -d "grant_type=password" -d "scope=offline_access%20openid" token_endpoint

Verify that the tokens are valid with the introspection endpoint. If successful, Okta responds with a json string containing "active":true:

To verify the access token:
```
$ curl --insecure -d "client_id=client_id" -d "client_secret=client_secret" -d "token=access_token" introspection_endpoint
```
Similarly, to verify the refresh token:
```
$ curl --insecure -d "client_id=client_id" -d "client_secret=client_secret" -d "token=refresh_token" introspection_endpoint
```
The access_token and refresh_token can then be used for the oauthaccesstoken and oauthrefreshtoken parameters. For details, see JDBC connection properties and ODBC DSN connection properties.