Difference between revisions of "AUTH/Current/AuthPEGuide/Configure"

From Genesys Documentation
Revision comparison (line 42): the other revision in this comparison contains the section below, which is not present in the revision rendered further down this page.

Prepare your environment

To prepare your environment for the deployment, first confirm the cluster is running:

oc get clusterversion

Create a new namespace (also called a project) for Genesys Authentication:

oc new-project gauth

Finally, grant the genesys-restricted security context constraint (SCC) to the default service account in that project. This assumes the genesys-restricted SCC already exists in the cluster (confirm with oc get scc genesys-restricted); note that every pod in the project that runs under the default service account can then use this SCC:

oc adm policy add-scc-to-user genesys-restricted -z default -n gauth

Revision as of 14:12, July 21, 2021

This topic is part of the manual Genesys Authentication Private Edition Guide for version Current of Genesys Authentication.

Learn how to configure Genesys Authentication.

Complete the steps on this page to configure your Genesys Authentication deployment.

Add Java KeyStore support (optional)

Complete the steps in this section to set up a Java KeyStore (JKS) if you need to configure Genesys Authentication to use JSON Web Token (JWT) authentication. This method of authentication is currently used for WebRTC. The keystore holds the RSA key pair that Genesys Authentication uses for JWT authentication, so treat the file and its passwords as secrets.

Create a keystore file:

keytool -keystore idp_keystore.jks -genkey -alias gws-auth-key -storepass <password> -keypass <password> -keyalg RSA

With JDK 9 or later, keytool creates a PKCS12 store by default regardless of the .jks file extension; add -storetype JKS if a JKS-format file is required. Passwords given as -storepass and -keypass arguments are visible in the process list and in your shell history.

Get the Base64-encoded keystore as a single line (GNU base64 wraps its output at 76 columns unless you pass -w 0; on other systems pipe the output through tr -d '\n' instead):

base64 -w 0 idp_keystore.jks

Make note of the following values - you need them to configure JKS support in the Helm chart:

  • Keystore filename (idp_keystore.jks)
  • Keystore password (the -storepass value)
  • Key alias (gws-auth-key)
  • Key password (the -keypass value)
  • Base64-encoded keystore (the output of the previous command)

Configure a secret to access JFrog

If you haven't done so already, create a secret for accessing the JFrog registry in the project where Genesys Authentication will be deployed:

oc create secret docker-registry <credential-name> --docker-server=<docker repo> --docker-username=<username> --docker-password=<password> --docker-email=<emailid>

Now link the secret to the default service account so that it is used for image pulls. Use the same <credential-name> as in the previous command:

oc secrets link default <credential-name> --for=pull

Note that a password passed with --docker-password is visible in the process list and is recorded in your shell history.
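As an added example (not Genesys code and not part of the original guide), the script below builds the pull secret's .dockerconfigjson locally and creates the secret from that file, so the registry password is never an oc command-line argument. The variable names REGISTRY_USER and REGISTRY_PASS, the secret name jfrog-pull, and the registry host jfrog.example.com are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example for the Genesys Authentication guide, not Genesys code.
# Builds the registry pull secret's .dockerconfigjson offline and creates it
# with --from-file, so the JFrog password never appears on an oc command line.
# Assumed/hypothetical: REGISTRY_USER / REGISTRY_PASS, the secret name
# "jfrog-pull" and the registry host "jfrog.example.com".
set -eu

# Write a Docker config for one registry. The "auth" field is base64("user:pass"),
# which is what image pulls actually use. Values containing '"' or '\' would need
# JSON escaping, which this plain printf does not perform.
make_dockerconfig() {
  local server="$1" email="$2" out="$3"
  : "${REGISTRY_USER:?set REGISTRY_USER}" "${REGISTRY_PASS:?set REGISTRY_PASS}"
  local auth
  auth=$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_PASS" | base64 | tr -d '\n')
  # Subshell so the restrictive umask applies only to this file.
  (umask 077; printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}\n' \
    "$server" "$REGISTRY_USER" "$REGISTRY_PASS" "$email" "$auth" > "$out")
}

# Decode the "auth" field back to "user:pass" to confirm the file before uploading it.
dockerconfig_auth() {
  sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' "$1" | base64 -d
}

# Create the secret from the file and link it to the default service account for
# pulls. One variable carries the name, so the link step cannot drift from the
# create step the way a hard-coded "mycred" can.
create_pull_secret() {
  local name="$1" ns="$2" cfg="$3"
  oc -n "$ns" create secret generic "$name" \
    --type=kubernetes.io/dockerconfigjson \
    --from-file=.dockerconfigjson="$cfg"
  oc -n "$ns" secrets link default "$name" --for=pull
}

# Run against a cluster only when invoked as: ./make_pull_secret.sh run
if [ "${1:-}" = "run" ]; then
  cfg=$(mktemp)
  make_dockerconfig "jfrog.example.com" "ops@example.com" "$cfg"   # hypothetical registry
  create_pull_secret "jfrog-pull" "gauth" "$cfg"
  rm -f "$cfg"
fi
```

Usage: REGISTRY_USER=... REGISTRY_PASS=... ./make_pull_secret.sh run. Delete the local config file once the secret exists; it contains the password in clear text as well as in the "auth" field.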

Override Helm chart values

You can specify parameters for the deployment by overriding Helm chart values in the values_gauth.yaml file. See the Parameters table for a full list of overridable values.

For more information about how to override Helm chart values, see Overriding Helm chart values.

Parameters

Parameter                        | Description                                                                                   | Required | Default
image.registry                   | Docker image registry name.                                                                   |          |
postgres.deploy                  |                                                                                               |          | false
postgres.secret.name_override    |                                                                                               |          |
postgres.secret.create           |                                                                                               |          | false
postgres.configmap.name_override |                                                                                               |          |
postgres.configmap.create        |                                                                                               |          | false
postgres.username                | The username to access Genesys Authentication's PostgreSQL database.                          | Yes      |
postgres.password                | The password to access Genesys Authentication's PostgreSQL database.                          | Yes      |
postgres.db                      | The name of Genesys Authentication's PostgreSQL database.                                     | Yes      |
postgres.host                    | The host of the PostgreSQL instance.                                                           | Yes      |
postgres.port                    | The port of the PostgreSQL instance.                                                           | Yes      |
services.replicas                | The number of Genesys Authentication pod replicas. Genesys recommends n+1.                    |          | 3
services.location                |                                                                                               |          | /
services.secret.name_override    |                                                                                               |          |
services.secret.create           |                                                                                               |          | true
services.secret.admin_username   |                                                                                               | Yes      |
services.secret.admin_password   |                                                                                               | Yes      |
services.secret.client_id        |                                                                                               | Yes      |
services.secret.client_secret    |                                                                                               | Yes      |
auth.jks.enabled                 | Specifies whether Genesys Authentication uses a Java KeyStore. See Add Java KeyStore support. |          | false
auth.jks.sso.enabled             | Enables single sign-on (SSO) support.                                                         |          | false
auth.jks.secret.create           |                                                                                               |          | true
auth.jks.secret.name             | The name of the secret.                                                                       |          |
auth.jks.keyStore                | The keystore filename from Add Java KeyStore support.                                         |          |
auth.jks.keyStoreFileData        | The Base64-encoded keystore from Add Java KeyStore support.                                   |          |
auth.jks.keyStorePassword        | The keystore password from Add Java KeyStore support.                                         |          |
auth.jks.keyAlias                | The key alias from Add Java KeyStore support.                                                 |          |
auth.jks.keyPassword             | The key password from Add Java KeyStore support.                                              |          |

Configure Kubernetes

The sections below provide more information about configuring Kubernetes.

ConfigMaps

Genesys Authentication includes separate ConfigMaps for PostgreSQL and Redis configuration.

PostgreSQL - configmap-pg.yaml

This ConfigMap is rendered only when postgres.configmap.create or postgres.deploy is true (both default to false). The host and port fall back to the chart's own PostgreSQL service when postgres.host and postgres.port are not set, even though the Parameters table marks them as required; postgres.db has no fallback and the render fails without it.

{{- /* Rendered only when the chart deploys PostgreSQL or is asked to create the ConfigMap */}}
{{- if or .Values.postgres.configmap.create .Values.postgres.deploy }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "configmap.postgres" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "gauth.labels" . | nindent 4 }}
    gauth: postgres
data:
  {{- /* postgres.db has no default; the error message names the parameter actually being checked */}}
  db: {{ required "Missing required parameter 'postgres.db'" .Values.postgres.db | quote }}
  host: {{ default (include "name.postgres" .) .Values.postgres.host | quote }}
  port: {{ default (include "port.postgres.service" .) .Values.postgres.port | quote }}
{{- end }}

Redis - configmap-redis.yaml

This template reads redis.configmap.create, redis.deploy and redis.cluster_nodes, which the Parameters table above does not list. When redis.cluster_nodes is not set, cluster_nodes falls back to the chart's own Redis service.

{{- /* Rendered only when the chart deploys Redis or is asked to create the ConfigMap */}}
{{- if or .Values.redis.configmap.create .Values.redis.deploy }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "configmap.redis" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "gauth.labels" . | nindent 4 }}
    gauth: redis
data:
  cluster_nodes: {{ default (include "service.redis" .) .Values.redis.cluster_nodes | quote }}
{{- end }}

Secrets

The following Genesys Authentication artifacts are stored as Kubernetes Secrets:

  • Administrator user credentials for the Authentication API and Environment API services.
  • OAuth 2.0 client IDs and client secrets for the Authentication API and Environment API services.
  • PostgreSQL database credentials for the Environment API service.
  • PostgreSQL database credentials for the Authentication API service.
  • Java keystore password for the Authentication API service.
  • Credentials (access key) for a password-protected Redis, used by the Authentication API service.

Configure security

Content coming soon