Skip to content

Configure the PLOSSYS 5 Server

Configure a Shared Replica Set

In MongoDB, a shared replica set has to be configured as of PLOSSYS 5.2.1:

  1. Open the MongoDB configuration file:

    C:\ProgramData\SEAL Systems\config\mongod.conf

  2. Change the following line:

    bindIp: 127.0.0.1

    to

    bindIp: 0.0.0.0

  3. Add the following lines:

    replication:
  oplogSizeMB: 2048
  replSetName: p5

    Hint - oplogSizeMB

    We recommend setting oplogSizeMB to 5 % of the disk space available for MongoDB.

  4. Restart the following service:

    • seal-mongodb

Initialize the Database (Only for Single Server Mode)

In the single server mode, you have to initialize the database after configuring the shared replica set. For the steps required for the cluster mode, refer to Configure MongoDB in a Cluster.

  1. Initialize the database:

    & "C:\Program Files\MongoDB\Server\3.6\bin\mongo.exe" --ssl --sslAllowInvalidCertificates --sslAllowInvalidHostnames --eval "rs.initiate()"

Configure the OIDC Identity Provider in PLOSSYS 5

In the configuration for all services, specify the following key:

Example - setting key via PLOSSYS CLI

plossys config set ID_PROVIDER_NAME https://<id_provider_server>:32769/auth/realms/SEAL --service any --insecure

Hint - FQDN and lower case letters

Use the fully-qualified domain name (FQDN) of the OIDC identity provider server in lower case letters!

Example - setting key via PLOSSYS CLI

plossys config set AUTH_ISSUER_URL https://<id_provider_server>:32769/auth/realms/SEAL --service any --insecure

Caution - AUTH_ISSUER_URL and ID_PROVIDER_NAME

AUTH_ISSUER_URL and ID_PROVIDER_NAME have to be set to the same value.

Map the Permissions to the Roles Specified in the OIDC Identity Provider

In the configuration of the seal-rest service, you map the permissions for printers and jobs to the roles specified in the OIDC identity provider. The specific permissions depend on the OIDC client. The following OIDC clients are available in connection with PLOSSYS 5:

  • seal-plossysadmin for PLOSSYS Administrator

  • seal-plossyscli for PLOSSYS CLI

  • seal-easyprima for easyPRIMA

  • seal-mobile_print for PLOSSYS DocPrint

In the OIDC identity provider, roles are configured to which the users will be assigned. For example, in the preconfigured Keycloak from SEAL Systems, admin is available as role and used in the example below.

The mapping of the permissions and the roles is specified with the following key:

Example - admin role with full access in PLOSSYS Administrator and all permissions for importing printers from easyPRIMA to PLOSSYS 5)

{
  "seal-plossysadmin": {
    "roles": {
      "admin": {
        "areas": {
          "jobs": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          },
          "printers": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          }
        }
      }
    }
  },
  "seal-easyprima": {
    "roles": {
      "admin": {
        "areas": {
          "printers": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          }
        }
      }
    }
  }
}

Example - read-only role which may view all jobs but is not allowed to manage them

{
  "seal-plossysadmin": {
    "roles": {
      "read-only": {
        "areas": {
          "jobs": {
            "set-view-all": {
              "permissions": [],
              "views": ["ALL"]
            }
          }
        }
      }
    }
  }
}

Example - subbadruggarolle role which may only view and manage printers starting with roe

{
  "seal-plossysadmin": {
    "roles": {
      "subbadruggarolle": {
        "areas": {
          "jobs": {},
          "printers": {
            "set-roe-printers": {
              "views": [
                {
                   "struct": "config.printer",
                   "value": "roe*",
                   "operator": "wildcard"
                }
              ],
              "permissions": [ "ALL" ]
            }
          }
        }
      }
    }
  }
}

Example - blosmeiglumbrolle role which may only view and manage own jobs but does not see any printer

{
  "seal-plossysadmin": {
    "roles": {
      "blosmeiglumbrolle": {
        "areas": {
          "jobs": {
            "set-own-jobs": {
              "views": [
                {
                  "struct": "current.userName",
                  "value": "%CURRENT_USER%",
                  "operator": "eq"
                }
              ],
              "permissions": [ "ALL" ]
            }
          },
          "printers": {}
        }
      }
    }
  }
}

Hint - complex JSON object

Due to the value of ALLOWED_OIDC_CLIENTS is a complex JSON object, it is reasonable to read it from a file via PLOSSYS CLI. Additionally, the value of ALLOWED_OIDC_CLIENTS is then checked for JSON conformity. You can also generate a template for the JSON object via PLOSSYS CLI.

Configure the Logging

If you have installed PLOSSYS 5 with a separate management server, the IP address of the management server has to be set for the logging:

  1. Edit the following file on the PLOSSYS 5 server:

    C:\ProgramData\SEAL Systems\config\filebeat.yml

  2. With elasticsearch, replace localhost by the hostname or IP address of the management server:

    output:
  elasticsearch:
    hosts:
    - http://<admin_server>:9200

  3. Save the file.

  4. Specify the following key for the seal-rest service:

    Example - setting key via PLOSSYS CLI

    plossys config set ELASTICSEARCH_REST_URL "http://<admin_server>:9200" --service rest --insecure

  5. Restart the PLOSSYS 5 system.

Configure the PLOSSYS Administrator Environment

In the configuration of the seal-plossysadmin service, specify the following keys:

  • AUTH_CLIENT_ID: Client name configured in the OIDC identity provider for the seal-plossyadmin client, by default seal-plossysadmin

  • AUTH_CLIENT_SECRET: Client secret generated in the OIDC identity provider for the seal-plossysadmin client

Example - setting keys via PLOSSYS CLI

plossys config set AUTH_CLIENT_ID seal-plossysadmin --service plossysadmin --insecure

plossys config set AUTH_CLIENT_SECRET <client_secret_plossysadmin> --service plossysadmin --insecure

Hint - FQDN and lower case letters

Use the fully-qualified domain name (FQDN) of the OIDC identity provider server in lower case letters!

If self-signed certificates are used with PLOSSYS 5, the following key has to be set to 0 for the seal-plossysadmin service:

Example - setting key via PLOSSYS CLI

plossys config set NODE_TLS_REJECT_UNAUTHORIZED 0 --service plossysadmin --insecure

Configure the PLOSSYS CLI Environment

When using an OIDC identity provider for user authentication, the following environment variables have to be set in Windows for calling PLOSSYS CLI:

  • AUTH_CLIENT_ID: Client name configured in the OIDC identity provider for the seal-plossycli client, by default seal-plossyscli

  • AUTH_CLIENT_SECRET: Client secret generated in the OIDC identity provider for the seal-plossycli client.

  • CONSUL_URL: URL of the Consul server (required if PLOSSYS CLI is executed on a server different to the PLOSSYS 5 server for managing the jobs and printers)

Example - environment variables for PLOSSYS CLI

AUTH_CLIENT_ID=seal-plossyscli

AUTH_CLIENT_SECRET=<client_secret_plossyscli>

CONSUL_URL=https://p5_server:8500

Literature - keys

For further information about the keys, refer to the description of the Service Keys.

Caution - validity

The environment variables set globally in Windows are valid for other services as well, seal-plossysadmin for example. Make sure that the settings for seal-plossysadmin are specified explicitly in the configuration, refer to Configure the PLOSSYS Administrator Environment.

Back to top