Karaf as identity provider

Apache Karaf comes with a simple authentication service, which is also used to access the Karaf console.

When the BPC is started for the first time (or at any later start if it does not yet exist), a Backend Connection for the Karaf IdP is created automatically. It has the module name Karaf (default) and the ID idp_karaf.

Access to the Karaf console always goes through the Karaf Identity Provider (IdP), regardless of how the BPC is configured. Consequently, only Karaf's own users.properties and keys.properties configuration is relevant for authentication on the Karaf console.

Configuration

A new Backend Connection of the type identity_provider is created. The following values must be set there:

Setting (Key)                        Group    Value       Description
Module_Name (module_name)            module   idp-karaf   Assign a descriptive and unique name
IdentityProvider (identityProvider)  config   karaf       Set Karaf as the identity provider

Data source (JAAS file)

Authentication and administration of users for access to the Karaf console is carried out via Java Authentication and Authorization Service (JAAS) files. These files, in particular users.properties and keys.properties, define the users and specify their access authorizations. Authentication can be configured using password hashes as well as public/private key procedures.

Using users.properties for Karaf access

The users are controlled via the KARAF_HOME/etc/users.properties file.
The passwords are stored in the file as hashes in the format {CRYPT}password-hash{CRYPT}. The plain text password cannot be reconstructed from the password hash.

To change a password, replace the entire {CRYPT}password-hash{CRYPT} string with the new plain text password, making sure that both {CRYPT} markers are removed as well (see the examples below). The new password takes effect as soon as the file is saved and is then automatically replaced by a hash.

users.properties file with password hashes:

bpcadmin = {CRYPT}XYZ{CRYPT},bpcadmin
virtimo = {CRYPT}XYZ{CRYPT},_g_:admingroup,bpcNoFrontend
_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh

users.properties file with plain text passwords:

bpcadmin = einSehrSicheresPasswort123,bpcadmin
virtimo = einAnderesSehrSicheresPasswort123,_g_:admingroup,bpcNoFrontend
_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh

If the syntax of the file is not followed, authentication is not possible and fails with an IDENTITY_PROVIDER_NOT_FOUND error.
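The syntax slips described above (a stray {CRYPT} marker left behind when a password is replaced, or a user referring to a group that is not defined) can be caught before they lock you out of the console. The following Python check is an added example and not part of the BPC or Karaf documentation; the file content it parses is a constructed sample, and the rule that a password field is either plain text or exactly {CRYPT}hash{CRYPT} is taken from the format described above.

```python
# Constructed sample in the users.properties syntax shown above; the users
# "broken" and "orphan" are deliberately malformed to exercise the checks.
SAMPLE_USERS_PROPERTIES = """\
bpcadmin = {CRYPT}XYZ{CRYPT},bpcadmin
virtimo = einAnderesSehrSicheresPasswort123,_g_:admingroup,bpcNoFrontend
broken = {CRYPT}XYZ,viewer
orphan = secret,_g_:missinggroup
_g_\\:admingroup = group,admin,manager,viewer,systembundles,ssh
"""

CRYPT = "{CRYPT}"
GROUP_DEF = "_g_\\:"   # group definition key (colon escaped in a properties key)
GROUP_REF = "_g_:"     # group reference inside a user's role list


def classify_password(field: str) -> str:
    """'hashed' for {CRYPT}...{CRYPT}, 'plaintext' for no marker, else 'malformed'."""
    n = field.count(CRYPT)
    if n == 2 and field.startswith(CRYPT) and field.endswith(CRYPT) \
            and len(field) > 2 * len(CRYPT):
        return "hashed"
    if n == 0 and field:
        return "plaintext"   # Karaf will replace it with a hash after the file is saved
    return "malformed"       # e.g. only one {CRYPT} marker left, or empty field


def audit_users_properties(text: str) -> dict:
    """Return, per user: password state, effective roles (groups expanded), problems."""
    groups, users = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        fields = [f.strip() for f in value.split(",")]
        if key.startswith(GROUP_DEF):      # "_g_\:name = group,role1,role2,..."
            groups[key[len(GROUP_DEF):]] = [r for r in fields[1:] if r]
        else:                              # "user = password,role-or-group,..."
            users[key] = fields
    report = {}
    for name, fields in users.items():
        state = classify_password(fields[0])
        problems, roles = [], []
        if state == "malformed":
            problems.append("password must be plain text or {CRYPT}hash{CRYPT}")
        for entry in fields[1:]:
            if entry.startswith(GROUP_REF):
                gname = entry[len(GROUP_REF):]
                if gname in groups:
                    roles.extend(groups[gname])
                else:
                    problems.append(f"group {gname} is not defined")
            elif entry:
                roles.append(entry)
        report[name] = {"password": state, "roles": roles, "problems": problems}
    return report
```

Running the audit over a real KARAF_HOME/etc/users.properties before restarting the container shows which users still carry a plain text password and which lines Karaf will not be able to parse.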

Use of keys.properties for Karaf access

In addition to users.properties, keys.properties can be used to authenticate users with SSH keys. It defines which users may log in via SSH key, which avoids password-based logins on the console and thereby provides additional security.
See Karaf SSH access.
