Important Changes
Version 23.0.0
This version upgrade comes with changes that affect other SEAL Systems products and services.
Java Version
Caution - Java 17 or later
Keycloak 23.0 requires Java 17 or later.
Keycloak version 23.x requires Java 17 or later. Because Keycloak 21.x also runs with Java 17, we recommend starting the update from 21.x to 23.x by updating the Java version first and then the Keycloak version.
Double Backslash Under Windows
In the keycloak.conf configuration file, double backslashes (\\) are no longer allowed. You have to use single slashes (/) instead.
The update provides a corrected file, which is automatically installed.
If you need to reconfigure paths from the keycloak.conf.install-bak backup file, you have to change them manually.
Version 21.0.1
This version upgrade comes with changes that affect other SEAL Systems products and services.
... on the Client
Keycloak includes the following important changes:
- Hint - HTTPS only
  SEAL port 32769 supports HTTPS only; HTTP is no longer supported!
- In your clients, e.g. PLOSSYS 5, SEAL Operator/SEAL Print Client, adjust the following environment keys by removing the auth directory from the URL:
  - AUTH_ISSUER_URL: The OIDC identity provider's auth issuer URL. This parameter is mandatory.
    Example - AUTH_ISSUER_URL
    - old value: AUTH_ISSUER_URL=https://mgmt_server:32769/auth/realms/SEAL
    - new value: AUTH_ISSUER_URL=https://mgmt_server:32769/realms/SEAL
  - ID_PROVIDER_NAME: The name of the OIDC identity provider. This parameter is required for some identity providers.
    Example - ID_PROVIDER_NAME
    - old value: ID_PROVIDER_NAME=https://mgmt_server:32769/auth/realms/SEAL
    - new value: ID_PROVIDER_NAME=https://mgmt_server:32769/realms/SEAL
  - KC_ADMIN_BASE_URL: The admin base URL, if you use Keycloak as OIDC provider for Web Portal, and if AUTH_PROVIDER is set to keycloak.
    Example - KC_ADMIN_BASE_URL
    - old value: KC_ADMIN_BASE_URL=https://localhost:32769/auth
    - new value: KC_ADMIN_BASE_URL=https://localhost:32769
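The URL change listed above, applied to KEY=VALUE settings, as an added example that is not part of the SEAL Systems documentation or tooling: it removes the leading auth directory from the three listed keys only and reports any value that does not use HTTPS. The KEY=VALUE file layout, the function names and the sample values (including UNRELATED_URL and the http:// line) are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# The three keys the 21.0.1 notes list; their URLs lose the leading "auth" directory.
URL_KEYS = {"AUTH_ISSUER_URL", "ID_PROVIDER_NAME", "KC_ADMIN_BASE_URL"}
LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample input (not a real SEAL file); the http:// line is deliberate.
SAMPLE = """\
# client environment (constructed)
AUTH_ISSUER_URL=https://mgmt_server:32769/auth/realms/SEAL
ID_PROVIDER_NAME=https://mgmt_server:32769/auth/realms/SEAL
KC_ADMIN_BASE_URL=http://localhost:32769/auth
UNRELATED_URL=https://example.invalid/auth/keep
"""

def migrate_url(url):
    """Return (url without a leading /auth path segment, list of warnings)."""
    parts = urlsplit(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append("scheme %r: the port accepts HTTPS only" % parts.scheme)
    # Whole-segment match, so "/authority" or "/realms/auth" are left alone.
    if parts.path == "/auth" or parts.path.startswith("/auth/"):
        url = urlunsplit(parts._replace(path=parts.path[len("/auth"):]))
    return url, warnings

def migrate_env(text):
    """Rewrite only URL_KEYS in KEY=VALUE text; return (new_text, report)."""
    out, report = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m.group(1) not in URL_KEYS:
            out.append(line)  # comments, blanks and other keys pass through
            continue
        key, old = m.groups()
        new, warnings = migrate_url(old)
        if new != old:
            report.append((lineno, key, "removed /auth"))
            line = "%s=%s" % (key, new)
        report.extend((lineno, key, w) for w in warnings)
        out.append(line)
    return "\n".join(out) + "\n", report

if __name__ == "__main__":
    new_text, report = migrate_env(SAMPLE)
    print(new_text, end="")
    for lineno, key, message in report:
        print("line %d %s: %s" % (lineno, key, message))
```

The scheme is only reported, not rewritten, so that a value still pointing at HTTP is reviewed by hand before the client is restarted.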
... in Keycloak
The client configuration has been changed. The previous configuration has been extended by a new optional, internal seal-webportal client for the communication between Web Portal and other SEAL Operator connectors.
The client is preconfigured as follows:
- Client Credential Flow is activated.
- The client-secret is active.
Getting a Token
You can get a token by making test calls like the following (the -k option makes curl skip TLS certificate verification):
- easyPRIMA:
  curl -k -d "client_id=seal-easyprima" -d "username=<user_name>" -d "password=<password>" -d "grant_type=password" -d "client_secret=<client_secret>" "https://%HOSTNAME%:32769/realms/SEAL/protocol/openid-connect/token" -v
- SEAL OP-CLI:
  curl -k -d "client_id=seal-opcli" -d "username=<user_name>" -d "password=<password>" -d "grant_type=password" -d "client_secret=<client_secret>" "https://%HOSTNAME%:32769/realms/SEAL/protocol/openid-connect/token" -v
- PLOSSYS CLI:
  curl -k -d "client_id=seal-plossyscli" -d "username=<user_name>" -d "password=<password>" -d "grant_type=password" -d "client_secret=<client_secret>" "https://%HOSTNAME%:32769/realms/SEAL/protocol/openid-connect/token" -v
Hint - adding new clients manually
You have to add new clients manually to prevent the existing configuration from being destroyed.
If you are allowed to overwrite the existing configuration, see Configuring an External Keycloak.