Configure the PLOSSYS 5 Server
Configure the OIDC Identity Provider in PLOSSYS 5
In the configuration for all services, specify the following key:
- ID_PROVIDER_NAME: Server name of the OIDC identity provider
Example - setting key via PLOSSYS CLI
plossys config set ID_PROVIDER_NAME https://<id_provider_server>:32769/auth/realms/SEAL --service any --insecure
Hint - FQDN and lower case letters
Use the fully-qualified domain name (FQDN) of the OIDC identity provider server in lower case letters!
- AUTH_ISSUER_URL: Server name of the OIDC identity provider
Example - setting key via PLOSSYS CLI
plossys config set AUTH_ISSUER_URL https://<id_provider_server>:32769/auth/realms/SEAL --service any --insecure
Caution - AUTH_ISSUER_URL and ID_PROVIDER_NAME
AUTH_ISSUER_URL and ID_PROVIDER_NAME have to be set to the same value.
Map the Permissions to the Roles Specified in the OIDC Identity Provider
In the configuration of the seal-rest service, you map the permissions for printers and jobs to the roles specified in the OIDC identity provider. The specific permissions depend on the OIDC client. The following OIDC clients are available in connection with PLOSSYS 5:
- seal-plossysadmin for PLOSSYS Administrator
- seal-plossyscli for PLOSSYS CLI
- seal-easyprima for easyPRIMA
- seal-mobile_print for PLOSSYS DocPrint
Roles are configured in the OIDC identity provider, and users are assigned to them. For example, the preconfigured Keycloak from SEAL Systems provides the role admin, which is used in the example below.
The mapping of the permissions and the roles is specified with the following key:
- ALLOWED_OIDC_CLIENTS: Mapping of permissions to roles specified in the OIDC identity provider
Example - admin role with full access in PLOSSYS Administrator and all permissions for importing printers from easyPRIMA to PLOSSYS 5
{
  "seal-plossysadmin": {
    "roles": {
      "admin": {
        "areas": {
          "jobs": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          },
          "printers": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          }
        }
      }
    }
  },
  "seal-easyprima": {
    "roles": {
      "admin": {
        "areas": {
          "printers": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          }
        }
      }
    }
  }
}
Example - read-only role which may view all jobs but is not allowed to manage them
{
  "seal-plossysadmin": {
    "roles": {
      "read-only": {
        "areas": {
          "jobs": {
            "set-view-all": {
              "permissions": [],
              "views": ["ALL"]
            }
          }
        }
      }
    }
  }
}
Example - subbadruggarolle role which may only view and manage printers starting with roe
{
  "seal-plossysadmin": {
    "roles": {
      "subbadruggarolle": {
        "areas": {
          "jobs": {},
          "printers": {
            "set-roe-printers": {
              "views": [
                {
                   "struct": "config.printer",
                   "value": "roe*",
                   "operator": "wildcard"
                }
              ],
              "permissions": [ "ALL" ]
            }
          }
        }
      }
    }
  }
}
Example - blosmeiglumbrolle role which may only view and manage own jobs but does not see any printer
{
  "seal-plossysadmin": {
    "roles": {
      "blosmeiglumbrolle": {
        "areas": {
          "jobs": {
            "set-own-jobs": {
              "views": [
                {
                  "struct": "current.userName",
                  "value": "%CURRENT_USER%",
                  "operator": "eq"
                }
              ],
              "permissions": [ "ALL" ]
            }
          },
          "printers": {}
        }
      }
    }
  }
}
Hint - complex JSON object
Because the value of ALLOWED_OIDC_CLIENTS is a complex JSON object, it makes sense to write it to or read it from a file via PLOSSYS CLI. The value of ALLOWED_OIDC_CLIENTS is then also checked for JSON conformity. You can also generate a template for the JSON object via PLOSSYS CLI.
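A JSON conformity check does not show whether the mapping grants what was intended. The following Python script is an added example, not part of PLOSSYS 5 or PLOSSYS CLI: it checks a parsed ALLOWED_OIDC_CLIENTS value against the structure used in the examples above and lists what each role is granted. The function names, the scope/rights labels and the sample input are assumptions made for this example; the client names are the four listed on this page.

```python
import json

# Client names listed on this page; any other top-level key is reported.
KNOWN_CLIENTS = {"seal-plossysadmin", "seal-plossyscli",
                 "seal-easyprima", "seal-mobile_print"}
FILTER_KEYS = {"struct", "value", "operator"}  # keys of the page's view filters

def child(obj, key):
    """Return obj[key] if it is a JSON object, else None."""
    value = obj.get(key) if isinstance(obj, dict) else None
    return value if isinstance(value, dict) else None

def audit(mapping):
    """Return (problems, grants) for a parsed ALLOWED_OIDC_CLIENTS value."""
    problems, grants = [], []
    for client, cdef in mapping.items():
        if client not in KNOWN_CLIENTS:
            problems.append(f"{client}: unknown OIDC client name")
        roles = child(cdef, "roles")
        if roles is None:
            problems.append(f"{client}: missing 'roles' object")
            continue
        for role, rdef in roles.items():
            areas = child(rdef, "areas")
            if areas is None:
                problems.append(f"{client}/{role}: missing 'areas' object")
                continue
            for area, sets in areas.items():
                for name, s in (sets.items() if isinstance(sets, dict) else []):
                    where = f"{client}/{role}/{area}/{name}"
                    views, perms = (s.get("views"), s.get("permissions")) if isinstance(s, dict) else (None, None)
                    if not isinstance(views, list) or not isinstance(perms, list):
                        problems.append(f"{where}: 'views' and 'permissions' must be lists")
                        continue
                    for v in views:
                        if v != "ALL" and not (isinstance(v, dict) and FILTER_KEYS.issubset(v)):
                            problems.append(f"{where}: malformed view filter")
                    scope = "all" if "ALL" in views else "filtered" if views else "none"
                    rights = "all" if "ALL" in perms else "some" if perms else "none"
                    grants.append((client, role, area, name, scope, rights))
    return problems, grants

# Constructed sample: the page's read-only role plus a misspelled client name.
SAMPLE = json.loads("""{
  "seal-plossysadmin": {"roles": {"read-only": {"areas": {"jobs": {
    "set-view-all": {"permissions": [], "views": ["ALL"]}}}}}},
  "seal-plossyadmin": {"roles": {"admin": {"areas": {"printers": {
    "set-a": {"views": ["ALL"], "permissions": ["ALL"]}}}}}}}""")

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Rows with scope "all" and rights "all" are the ones to review against the role assignments in the identity provider.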
Configure the Logging
If you have installed PLOSSYS 5 with a separate management server, the IP address of the management server has to be set for the logging:
- Edit the following file on the PLOSSYS 5 server: C:\ProgramData\SEAL Systems\config\filebeat.yml
- With elasticsearch, replace localhost by the hostname or IP address of the management server:
  output:
    elasticsearch:
      hosts:
        - https://<admin_server>:9200
- Save the file.
- Specify the following key for the seal-rest service:
  - ELASTICSEARCH_REST_URL: URL of the Elasticsearch server
  Example - setting key via PLOSSYS CLI
  plossys config set ELASTICSEARCH_REST_URL "http://<admin_server>:9200" --service rest --insecure
Configure the PLOSSYS Administrator Environment
In the configuration of the seal-plossysadmin service, specify the following keys:
- AUTH_CLIENT_ID: Client name configured in the OIDC identity provider for the seal-plossysadmin client, by default seal-plossysadmin
- AUTH_CLIENT_SECRET: Client secret generated in the OIDC identity provider for the seal-plossysadmin client
Example - setting keys via PLOSSYS CLI
plossys config set AUTH_CLIENT_ID seal-plossysadmin --service plossysadmin --insecure
plossys config set AUTH_CLIENT_SECRET <client_secret_plossysadmin> --service plossysadmin --insecure
Hint - FQDN and lower case letters
Use the fully-qualified domain name (FQDN) of the OIDC identity provider server in lower case letters!
If self-signed certificates are used with PLOSSYS 5, the following key has to be set to 0 for the seal-plossysadmin service:
- NODE_TLS_REJECT_UNAUTHORIZED: Flag if self-signed certificates are allowed
Example - setting key via PLOSSYS CLI
plossys config set NODE_TLS_REJECT_UNAUTHORIZED 0 --service plossysadmin --insecure
Configure the PLOSSYS CLI Environment
When using an OIDC identity provider for user authentication, the following environment variables have to be set in Windows for calling PLOSSYS CLI:
- AUTH_CLIENT_ID: Client name configured in the OIDC identity provider for the seal-plossyscli client, by default seal-plossyscli
- AUTH_CLIENT_SECRET: Client secret generated in the OIDC identity provider for the seal-plossyscli client
- CONSUL_URL: URL of the Consul server (required if PLOSSYS CLI is executed on a server different from the PLOSSYS 5 server for managing the jobs and printers)
Example - environment variables for PLOSSYS CLI
AUTH_CLIENT_ID=seal-plossyscli
AUTH_CLIENT_SECRET=<client_secret_plossyscli>
CONSUL_URL=https://p5_server:8500
Literature - keys
For further information about the keys, refer to the description of the Service Keys.
Caution - validity
Environment variables set globally in Windows are valid for other services as well, for example seal-plossysadmin. Make sure that the settings for seal-plossysadmin are specified explicitly in the configuration, refer to Configure the PLOSSYS Administrator Environment.