Configure the PLOSSYS 5 Server¶
Configure a Shared Replica Set¶
In MongoDB, a shared replica set has to be configured as of PLOSSYS 5.2.1:
-
Open the MongoDB configuration file:
C:\ProgramData\SEAL Systems\config\mongod.conf
-
Change the following line:
bindIp: 127.0.0.1
to
bindIp: 0.0.0.0
-
Add the following lines:
replication: oplogSizeMB: 2048 replSetName: p5
Hint -
oplogSizeMB
We recommend setting
oplogSizeMB
to 5 % of the disk space available for MongoDB. -
Restart the following service:
seal-mongodb
Initialize the Database (Only for Single Server Mode)¶
In the single server mode, you have to initialize the database after configuring the shared replica set. For the steps required for the cluster mode, refer to Configure MongoDB in a Cluster.
-
Initialize the database:
& "C:\Program Files\MongoDB\Server\3.6\bin\mongo.exe" --ssl --sslAllowInvalidCertificates --sslAllowInvalidHostnames --eval "rs.initiate()"
Configure the OIDC Identity Provider in PLOSSYS 5¶
In the configuration for all services, specify the following key:
ID_PROVIDER_NAME
: Server name of the OIDC identity provider
Example - setting key via PLOSSYS CLI
plossys config set ID_PROVIDER_NAME https://<id_provider_server>:32769/auth/realms/SEAL --service any --insecure
Hint - FQDN and lower case letters
Use the fully-qualified domain name (FQDN) of the OIDC identity provider server in lower case letters!
AUTH_ISSUER_URL
: Server name of the OIDC identity provider
Example - setting key via PLOSSYS CLI
plossys config set AUTH_ISSUER_URL https://<id_provider_server>:32769/auth/realms/SEAL --service any --insecure
Caution - AUTH_ISSUER_URL
and ID_PROVIDER_NAME
AUTH_ISSUER_URL
and ID_PROVIDER_NAME
have to be set to the same value.
Map the Permissions to the Roles Specified in the OIDC Identity Provider¶
In the configuration of the seal-rest
service, you map the permissions for printers and jobs to the roles specified in the OIDC identity provider. The specific permissions depend on the OIDC client. The following OIDC clients are available in connection with PLOSSYS 5:
-
seal-plossysadmin
for PLOSSYS Administrator -
seal-plossyscli
for PLOSSYS CLI -
seal-easyprima
for easyPRIMA -
seal-mobile_print
for PLOSSYS DocPrint
In the OIDC identity provider, roles are configured to which the users will be assigned. For example, in the preconfigured Keycloak from SEAL Systems, admin
is available as role and used in the example below.
The mapping of the permissions and the roles is specified with the following key:
ALLOWED_OIDC_CLIENTS
: Mapping of permissions to roles specified in the OIDC identity provider
Example - admin
role with full access in PLOSSYS Administrator and all permissions for importing printers from easyPRIMA to PLOSSYS 5)
{
"seal-plossysadmin": {
"roles": {
"admin": {
"areas": {
"jobs": {
"set-a": {
"views": ["ALL"],
"permissions": ["ALL"]
}
},
"printers": {
"set-a": {
"views": ["ALL"],
"permissions": ["ALL"]
}
}
}
}
}
},
"seal-easyprima": {
"roles": {
"admin": {
"areas": {
"printers": {
"set-a": {
"views": ["ALL"],
"permissions": ["ALL"]
}
}
}
}
}
}
}
Example - read-only
role which may view all jobs but is not allowed to manage them
{
"seal-plossysadmin": {
"roles": {
"read-only": {
"areas": {
"jobs": {
"set-view-all": {
"permissions": [],
"views": ["ALL"]
}
}
}
}
}
}
}
Example - subbadruggarolle
role which may only view and manage printers starting with roe
{
"seal-plossysadmin": {
"roles": {
"subbadruggarolle": {
"areas": {
"jobs": {},
"printers": {
"set-roe-printers": {
"views": [
{
"struct": "config.printer",
"value": "roe*",
"operator": "wildcard"
}
],
"permissions": [ "ALL" ]
}
}
}
}
}
}
}
Example - blosmeiglumbrolle
role which may only view and manage own jobs but does not see any printer
{
"seal-plossysadmin": {
"roles": {
"blosmeiglumbrolle": {
"areas": {
"jobs": {
"set-own-jobs": {
"views": [
{
"struct": "current.userName",
"value": "%CURRENT_USER%",
"operator": "eq"
}
],
"permissions": [ "ALL" ]
}
},
"printers": {}
}
}
}
}
}
Hint - complex JSON object
Due to the value of ALLOWED_OIDC_CLIENTS
is a complex JSON object, it is reasonable to read it from a file via PLOSSYS CLI. Additionally, the value of ALLOWED_OIDC_CLIENTS
is then checked for JSON conformity. You can also generate a template for the JSON object via PLOSSYS CLI.
Configure the Logging¶
If you have installed PLOSSYS 5 with a separate management server, the IP address of the management server has to be set for the logging:
-
Edit the following file on the PLOSSYS 5 server:
C:\ProgramData\SEAL Systems\config\filebeat.yml
-
With
elasticsearch
, replacelocalhost
by the hostname or IP address of the management server:output: elasticsearch: hosts: - http://<admin_server>:9200
-
Save the file.
-
Specify the following key for the
seal-rest
service:ELASTICSEARCH_REST_URL
: URL of the Elasticsearch server
Example - setting key via PLOSSYS CLI
plossys config set ELASTICSEARCH_REST_URL "http://<admin_server>:9200" --service rest --insecure
Configure the PLOSSYS Administrator Environment¶
In the configuration of the seal-plossysadmin
service, specify the following keys:
-
AUTH_CLIENT_ID
: Client name configured in the OIDC identity provider for theseal-plossyadmin
client, by defaultseal-plossysadmin
-
AUTH_CLIENT_SECRET
: Client secret generated in the OIDC identity provider for theseal-plossysadmin
client
Example - setting keys via PLOSSYS CLI
plossys config set AUTH_CLIENT_ID seal-plossysadmin --service plossysadmin --insecure
plossys config set AUTH_CLIENT_SECRET <client_secret_plossysadmin> --service plossysadmin --insecure
Hint - FQDN and lower case letters
Use the fully-qualified domain name (FQDN) of the OIDC identity provider server in lower case letters!
If self-signed certificates are used with PLOSSYS 5, the following key has to be set to 0
for the seal-plossysadmin
service:
NODE_TLS_REJECT_UNAUTHORIZED
: Flag if self-signed certificates are allowed
Example - setting key via PLOSSYS CLI
plossys config set NODE_TLS_REJECT_UNAUTHORIZED 0 --service plossysadmin --insecure
Configure the PLOSSYS CLI Environment¶
When using an OIDC identity provider for user authentication, the following environment variables have to be set in Windows for calling PLOSSYS CLI:
-
AUTH_CLIENT_ID
: Client name configured in the OIDC identity provider for theseal-plossycli
client, by defaultseal-plossyscli
-
AUTH_CLIENT_SECRET
: Client secret generated in the OIDC identity provider for theseal-plossycli
client. -
CONSUL_URL
: URL of the Consul server (required if PLOSSYS CLI is executed on a server different to the PLOSSYS 5 server for managing the jobs and printers)
Example - environment variables for PLOSSYS CLI
AUTH_CLIENT_ID=seal-plossyscli
AUTH_CLIENT_SECRET=<client_secret_plossyscli>
CONSUL_URL=https://p5_server:8500
Literature - keys
For further information about the keys, refer to the description of the Service Keys.
Caution - validity
The environment variables set globally in Windows are valid for other services as well, seal-plossysadmin
for example. Make sure that the settings for seal-plossysadmin
are specified explicitly in the configuration, refer to Configure the PLOSSYS Administrator Environment
.