Configure the PLOSSYS 5 Server
Configure the OIDC Identity Provider in PLOSSYS 5
In the configuration of all services, specify the following keys:

ID_PROVIDER_NAME: Server name of the OIDC identity provider

Example - setting key via PLOSSYS CLI
plossys config set ID_PROVIDER_NAME https://<id_provider_server>:32769/auth/realms/SEAL --service any --insecure

Hint - FQDN and lower case letters
Use the fully-qualified domain name (FQDN) of the OIDC identity provider server in lower case letters!

AUTH_ISSUER_URL: Server name of the OIDC identity provider

Example - setting key via PLOSSYS CLI
plossys config set AUTH_ISSUER_URL https://<id_provider_server>:32769/auth/realms/SEAL --service any --insecure

Caution - AUTH_ISSUER_URL and ID_PROVIDER_NAME
AUTH_ISSUER_URL and ID_PROVIDER_NAME have to be set to the same value.
Map the Permissions to the Roles Specified in the OIDC Identity Provider
In the configuration of the seal-rest service, you map the permissions for printers and jobs to the roles specified in the OIDC identity provider. The specific permissions depend on the OIDC client. The following OIDC clients are available in connection with PLOSSYS 5:

- seal-plossysadmin for PLOSSYS Administrator
- seal-plossyscli for PLOSSYS CLI
- seal-easyprima for easyPRIMA
- seal-mobile_print for PLOSSYS DocPrint

In the OIDC identity provider, roles are configured to which the users will be assigned. For example, in the preconfigured Keycloak from SEAL Systems, admin is available as a role and is used in the example below.

The mapping of the permissions and the roles is specified with the following key:

ALLOWED_OIDC_CLIENTS: Mapping of permissions to roles specified in the OIDC identity provider

Example - admin role with full access in PLOSSYS Administrator and all permissions for importing printers from easyPRIMA to PLOSSYS 5
{
  "seal-plossysadmin": {
    "roles": {
      "admin": {
        "areas": {
          "jobs": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          },
          "printers": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          }
        }
      }
    }
  },
  "seal-easyprima": {
    "roles": {
      "admin": {
        "areas": {
          "printers": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          }
        }
      }
    }
  }
}
Example - read-only role which may view all jobs but is not allowed to manage them
{
  "seal-plossysadmin": {
    "roles": {
      "read-only": {
        "areas": {
          "jobs": {
            "set-view-all": {
              "permissions": [],
              "views": ["ALL"]
            }
          }
        }
      }
    }
  }
}

Example - subbadruggarolle role which may only view and manage printers starting with roe
{
  "seal-plossysadmin": {
    "roles": {
      "subbadruggarolle": {
        "areas": {
          "jobs": {},
          "printers": {
            "set-roe-printers": {
              "views": [
                {
                  "struct": "config.printer",
                  "value": "roe*",
                  "operator": "wildcard"
                }
              ],
              "permissions": ["ALL"]
            }
          }
        }
      }
    }
  }
}

Example - blosmeiglumbrolle role which may only view and manage own jobs but does not see any printer
{
  "seal-plossysadmin": {
    "roles": {
      "blosmeiglumbrolle": {
        "areas": {
          "jobs": {
            "set-own-jobs": {
              "views": [
                {
                  "struct": "current.userName",
                  "value": "%CURRENT_USER%",
                  "operator": "eq"
                }
              ],
              "permissions": ["ALL"]
            }
          },
          "printers": {}
        }
      }
    }
  }
}
Hint - complex JSON object
Since the value of ALLOWED_OIDC_CLIENTS is a complex JSON object, it makes sense to read it from or write it to a file via PLOSSYS CLI. The value of ALLOWED_OIDC_CLIENTS is then also checked for JSON conformity. You can also generate a template for the JSON object via PLOSSYS CLI.
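The hint above mentions that the value of ALLOWED_OIDC_CLIENTS is checked for JSON conformity before it is set. The following added example (illustrative Python, not part of PLOSSYS 5 or the seal-rest service) goes one step further: it verifies the nesting client -> roles -> areas -> sets with views and permissions, and then evaluates the four roles from the examples above against sample printer and job records, so the effect of a views filter can be seen before the mapping is rolled out. The matching semantics of the filters (shell-style wildcard, exact eq comparison, substitution of %CURRENT_USER%), the shape of the records and all function names are assumptions made for this example; the role definitions are taken from the examples on this page.

```python
"""Illustrative evaluator for an ALLOWED_OIDC_CLIENTS mapping; added example, not PLOSSYS code.

Assumed semantics, inferred from the role descriptions on this page: "views": ["ALL"]
shows every record of an area, while [] or an area given as {} shows nothing; a view
filter is matched against the record field named by "struct" ("wildcard" = shell-style
pattern, "eq" = exact comparison, %CURRENT_USER% = the calling user); "permissions":
["ALL"] allows any action and [] allows viewing only. Records are nested dicts shaped
like the "struct" paths, e.g. {"config": {"printer": "roe01"}}.
"""
import fnmatch
import json

# Constructed mapping combining the four roles shown on this page.
ALLOWED_OIDC_CLIENTS_JSON = r'''
{"seal-plossysadmin": {"roles": {
  "admin": {"areas": {
    "jobs": {"set-a": {"views": ["ALL"], "permissions": ["ALL"]}},
    "printers": {"set-a": {"views": ["ALL"], "permissions": ["ALL"]}}}},
  "read-only": {"areas": {
    "jobs": {"set-view-all": {"permissions": [], "views": ["ALL"]}}}},
  "subbadruggarolle": {"areas": {
    "jobs": {},
    "printers": {"set-roe-printers": {
      "views": [{"struct": "config.printer", "value": "roe*", "operator": "wildcard"}],
      "permissions": ["ALL"]}}}},
  "blosmeiglumbrolle": {"areas": {
    "jobs": {"set-own-jobs": {
      "views": [{"struct": "current.userName", "value": "%CURRENT_USER%", "operator": "eq"}],
      "permissions": ["ALL"]}},
    "printers": {}}}
}}}
'''

def _obj(parent, key, path):
    child = parent.get(key) if isinstance(parent, dict) else None
    if not isinstance(child, dict):
        raise ValueError(f"{path}: missing '{key}' object")
    return child

def load_mapping(text):
    """Parse the JSON and verify client -> roles -> areas -> sets -> views/permissions.

    Raises ValueError naming the offending path: the structural check worth running
    on the file before handing it to 'plossys config set'.
    """
    mapping = json.loads(text)
    if not isinstance(mapping, dict):
        raise ValueError("top level must be an object keyed by OIDC client")
    for client, cdef in mapping.items():
        for role, rdef in _obj(cdef, "roles", client).items():
            rpath = f"{client}.roles.{role}"
            for area, sets in _obj(rdef, "areas", rpath).items():
                if not isinstance(sets, dict):
                    raise ValueError(f"{rpath}.areas.{area}: must be an object")
                for name, sdef in sets.items():
                    for field in ("views", "permissions"):
                        if not isinstance(sdef, dict) or not isinstance(sdef.get(field), list):
                            raise ValueError(f"{rpath}.areas.{area}.{name}: '{field}' must be a list")
    return mapping

def _field(record, struct):
    """Resolve a dotted path such as 'config.printer' inside a nested dict."""
    for part in struct.split("."):
        if not isinstance(record, dict) or part not in record:
            return None
        record = record[part]
    return record

def _view_matches(view, record, current_user):
    if view == "ALL":
        return True
    actual = _field(record, view["struct"])
    expected = view["value"].replace("%CURRENT_USER%", current_user)
    if view["operator"] == "wildcard":
        return actual is not None and fnmatch.fnmatchcase(str(actual), expected)
    if view["operator"] == "eq":
        return actual == expected
    raise ValueError(f"unknown operator {view['operator']!r}")

def matching_sets(mapping, client, role, area, record, current_user):
    """Sets under client/role/area whose views admit the record, as {name: permissions}."""
    areas = mapping.get(client, {}).get("roles", {}).get(role, {}).get("areas", {})
    return {name: sdef["permissions"] for name, sdef in areas.get(area, {}).items()
            if any(_view_matches(v, record, current_user) for v in sdef["views"])}

def can_view(mapping, client, role, area, record, current_user):
    return bool(matching_sets(mapping, client, role, area, record, current_user))

def can_do(mapping, client, role, area, record, current_user, permission):
    """True if some set admitting the record grants the permission (or 'ALL')."""
    return any("ALL" in perms or permission in perms
               for perms in matching_sets(mapping, client, role, area, record, current_user).values())

MAPPING = load_mapping(ALLOWED_OIDC_CLIENTS_JSON)

if __name__ == "__main__":
    roe = {"config": {"printer": "roe01"}}
    own = {"current": {"userName": "alice"}}
    for role in MAPPING["seal-plossysadmin"]["roles"]:
        print(role, can_view(MAPPING, "seal-plossysadmin", role, "printers", roe, "alice"),
              can_do(MAPPING, "seal-plossysadmin", role, "jobs", own, "alice", "delete"))
```

Running the script prints, per role, whether printer roe01 is visible and whether the user's own job may be deleted. Replacing the constructed mapping with the content of the file you intend to pass to the CLI gives a quick check that a role such as read-only really ends up without management permissions, and that an empty area ({}) hides everything rather than exposing it.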
Adjust the Operating System Settings
Adjust some operating system settings in the following system file:

/etc/sysctl.conf

For high-volume systems, set the following parameters:

net.ipv4.ip_local_port_range = 1024 65535
fs.file-max = 1058576

For working with Elasticsearch, set the following parameter:

vm.max_map_count = 262144
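As an added example (not part of PLOSSYS 5 or its installer), the following Python script checks a sysctl.conf file against the three parameters listed above and reports every parameter that is missing or set lower than required, which makes a useful pre-flight check before the services are started. The sample file content is constructed, and the function names are the example's own.

```python
"""Pre-flight check of /etc/sysctl.conf against the values required on this page.

Added example, not part of PLOSSYS 5. It parses sysctl.conf syntax
("key = value", '#' comments) and reports every parameter that is missing or
weaker than required. The sample file content below is constructed.
"""

# Values required on this page: the port range is compared bound by bound,
# the two counters are treated as minimums.
REQUIRED_PORT_RANGE = (1024, 65535)
REQUIRED_MINIMUMS = {
    "fs.file-max": 1058576,       # high-volume systems
    "vm.max_map_count": 262144,   # Elasticsearch
}

# Constructed sample: fs.file-max too small, vm.max_map_count absent.
SAMPLE_SYSCTL_CONF = """\
# /etc/sysctl.conf (constructed sample)
net.ipv4.ip_local_port_range = 1024 65535
fs.file-max = 65536
"""


def parse_sysctl_conf(text):
    """Return {key: value} for every 'key = value' line; comments and blanks are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_sysctl(settings):
    """Return a list of findings; an empty list means the file meets the requirements."""
    findings = []
    key = "net.ipv4.ip_local_port_range"
    low_req, high_req = REQUIRED_PORT_RANGE
    if key not in settings:
        findings.append(f"{key} missing, set to {low_req} {high_req}")
    else:
        try:
            low, high = (int(v) for v in settings[key].split())
        except ValueError:          # not exactly two integers
            low = high = None
        if low is None or low > low_req or high < high_req:
            findings.append(f"{key} is {settings[key]!r}, expected {low_req} {high_req}")
    for key, minimum in REQUIRED_MINIMUMS.items():
        if key not in settings:
            findings.append(f"{key} missing, set to {minimum}")
        elif not settings[key].isdigit() or int(settings[key]) < minimum:
            findings.append(f"{key} is {settings[key]!r}, expected at least {minimum}")
    return findings


if __name__ == "__main__":
    for finding in check_sysctl(parse_sysctl_conf(SAMPLE_SYSCTL_CONF)):
        print(finding)
```

To check a real server, read /etc/sysctl.conf instead of SAMPLE_SYSCTL_CONF; note that the file only shows what is applied at boot, so the running values (sysctl -n <key>) should be compared as well after a change.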
Configure the Logging
If you have installed PLOSSYS 5 with a separate management server, the IP address of the management server has to be set for the logging:

- Edit the following file on the PLOSSYS 5 server:
  /opt/seal/etc/filebeat.yml
- In the elasticsearch output section, replace localhost by the hostname or IP address of the management server:
  output:
    elasticsearch:
      hosts:
        - https://<admin_server>:9200
- Save the file.
- Specify the following key for the seal-rest service:
  ELASTICSEARCH_REST_URL: URL of the Elasticsearch server

Example - setting key via PLOSSYS CLI
plossys config set ELASTICSEARCH_REST_URL "http://<admin_server>:9200" --service rest --insecure
Configure the PLOSSYS Administrator Environment
In the configuration of the seal-plossysadmin service, specify the following keys:

- AUTH_CLIENT_ID: Client name configured in the OIDC identity provider for the seal-plossysadmin client, by default seal-plossysadmin
- AUTH_CLIENT_SECRET: Client secret generated in the OIDC identity provider for the seal-plossysadmin client

Example - setting keys via PLOSSYS CLI
plossys config set AUTH_CLIENT_ID seal-plossysadmin --service plossysadmin --insecure
plossys config set AUTH_CLIENT_SECRET <client_secret_plossysadmin> --service plossysadmin --insecure

Hint - FQDN and lower case letters
Use the fully-qualified domain name (FQDN) of the OIDC identity provider server in lower case letters!

If self-signed certificates are used with PLOSSYS 5, the following key has to be set to 0 for the seal-plossysadmin service:

NODE_TLS_REJECT_UNAUTHORIZED: Flag if self-signed certificates are allowed

Example - setting key via PLOSSYS CLI
plossys config set NODE_TLS_REJECT_UNAUTHORIZED 0 --service plossysadmin --insecure
Configure the PLOSSYS CLI Environment
When using an OIDC identity provider for user authentication, the following environment variables have to be set in Linux for calling PLOSSYS CLI:

- AUTH_CLIENT_ID: Client name configured in the OIDC identity provider for the seal-plossyscli client, by default seal-plossyscli
- AUTH_CLIENT_SECRET: Client secret generated in the OIDC identity provider for the seal-plossyscli client
- CONSUL_URL: URL of the Consul server (required if PLOSSYS CLI is executed on a server different from the PLOSSYS 5 server for managing the jobs and printers)

Example - environment variables for PLOSSYS CLI
AUTH_CLIENT_ID=seal-plossyscli
AUTH_CLIENT_SECRET=<client_secret_plossyscli>
CONSUL_URL=https://p5_server:8500

Literature - keys
For further information about the keys, refer to the description of the Service Keys.

Caution - validity
Environment variables set globally in Linux are valid for other services as well, seal-plossysadmin for example. Make sure that the settings for seal-plossysadmin are specified explicitly in the configuration, refer to Configure the PLOSSYS Administrator Environment.