DevTest - IAM configuration with reduced DB permissions

Document ID : KB000122253
Last Modified Date : 04/12/2018
Introduction:
By far the easiest way to configure IAM to use an external database is the DevTest_Home/IdentityAccessManager/bin/DataSourceUpdater executable.

Note: In order to use this application, the DB User must have DBA privileges. 
Once the Data Source has been updated, the privileges can be reduced if needed.
However, in some environments, DBA privileges are forbidden and the changes must be made by hand.
 
Environment:
DevTest 10.4.0
Instructions:
There are four supported databases: Oracle, MySql, MSSQL and DB2.
These instructions have been tested with Oracle and MySql; the other two should be similar.
Note: Some steps are DB vendor specific and are given in an Oracle and a MySql variant.


1. cd DevTest_Home/IdentityAccessManager
2. Copy the standalone directory to standalone-original. This allows reverting to the original setup if needed.
3. cd standalone/configuration
4. Copy standalone.xml to standalone-orig.xml
5. Edit standalone.xml
6. Search for "KeycloakDS" - the datasource definition should be around line 137

***************
For Oracle:
***************
7 (Oracle). Change the next line from:
<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
to (edit as needed)
<connection-url>jdbc:oracle:thin:@<db host>:<db port>:<DB></connection-url>

where 
<db host>= database host name or IP address
<db port>= database port
<DB>= Oracle Database name

8 (Oracle). Change the next line from:
<driver>h2</driver>
to 
<driver>oracle</driver>

***************
For MySql:
***************
7 (MySql). Change the next line from:
<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
to (edit as needed)
<connection-url>jdbc:mysql://<db host>:<db port>/<DB>?useSSL=false</connection-url>

where
<db host>= database host name or IP address
<db port>= database port
<DB>= MySql Database Name
Note: useSSL=false disables TLS between IAM and MySql; remove it (or set useSSL=true) when the database requires encrypted connections.

8 (MySql). Change the next line from:
<driver>h2</driver>
to 
<driver>mysql</driver>

***************
For All:
***************
9. Skip two lines and replace these lines:
<user-name>sa</user-name>
<password>sa</password>
with
<security-domain>EncryptDBPassword</security-domain>

***************
For Oracle:
***************
10 (Oracle). Skip 4 or 5 lines; below this section:
<driver name="h2" module="com.h2database.h2">
     <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
add this section (do not replace the h2 driver):
<driver name="oracle" module="oracle.jdbc.driver.oracledriver">
     <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
</driver>

***************
For MySql:
***************
10 (MySql). Skip 4 or 5 lines; below this section:
<driver name="h2" module="com.h2database.h2">
     <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
add this section (do not replace the h2 driver):
<driver name="mysql" module="com.mysql.jdbc.driver">
     <driver-class>com.mysql.jdbc.Driver</driver-class>
</driver>

***************
For All:
***************
12. Search for "<auth-module code="Dummy"/>"
13. Skip two lines and, between these lines:
      </security-domain>
</security-domains>
insert this section:
<security-domain name="EncryptDBPassword" cache-type="default">
     <authentication>
          <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
               <module-option name="username" value="<user>"/>
               <module-option name="password" value="<encrypted password>"/>
               <module-option name="managedConnectionFactoryName" value="SecuredKeycloakDS"/>
          </login-module>
     </authentication>
</security-domain>

where:
<user>= DB username
<encrypted password>= encrypted DB password (see "How to encrypt the DB password" below)

14. Save standalone.xml

***************
For Oracle:
***************
15 (Oracle). Create this directory path:
DevTest_Home/IdentityAccessManager/modules/oracle/jdbc/driver/oracledriver/main
16 (Oracle). Copy the Oracle driver jar into this directory.
17 (Oracle). In the same directory, create a file named module.xml
18 (Oracle). Copy these contents into module.xml:
<?xml version='1.0' encoding='UTF-8'?>

<module xmlns="urn:jboss:module:1.1" name="oracle.jdbc.driver.oracledriver">

    <resources>
        <resource-root path="<Oracle Driver jar>"/>
    </resources>

    <dependencies>
        <module name="javax.api"/>
        <module name="javax.transaction.api"/>
        <module name="javax.xml.bind.api"/>
    </dependencies>
</module>

where:
<Oracle Driver jar>=name of the file from step #16.

***************
For MySql:
***************
15 (MySql). Create this directory path:
DevTest_Home/IdentityAccessManager/modules/com/mysql/jdbc/driver/main
16 (MySql). Copy the MySql driver jar into this directory.
17 (MySql). In the same directory, create a file named module.xml
18 (MySql). Copy these contents into module.xml:
<?xml version='1.0' encoding='UTF-8'?>

<module xmlns="urn:jboss:module:1.1" name="com.mysql.jdbc.driver">

    <resources>
        <resource-root path="<MySql Driver jar>"/>
    </resources>

    <dependencies>
        <module name="javax.api"/>
        <module name="javax.transaction.api"/>
        <module name="javax.xml.bind.api"/>
    </dependencies>
</module>

where:
<MySql Driver jar>=name of the file from step #16.

***************
For All:
***************
19. Start IAM
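
To confirm that steps 6 through 13 were applied consistently before starting IAM, the following checker is an added example (it is not part of this article and not a DevTest or Keycloak tool). It assumes the WildFly subsystem namespaces urn:jboss:domain:datasources:4.0 and urn:jboss:domain:security:1.2 (adjust them to the versions declared at the top of your standalone.xml); the embedded before/after files are constructed minimal samples, and the host, port and SID in the "after" sample are placeholders.

```python
import xml.etree.ElementTree as ET

DS = "{urn:jboss:domain:datasources:4.0}"  # datasources subsystem namespace (assumed)
SEC = "{urn:jboss:domain:security:1.2}"    # security subsystem namespace (assumed)

def check_keycloak_ds(xml_text, pool_name="KeycloakDS"):
    """Return findings for the named datasource; an empty list means steps 7-13 are consistent."""
    root = ET.fromstring(xml_text)
    ds = next((d for d in root.iter(DS + "datasource") if d.get("pool-name") == pool_name), None)
    if ds is None:
        return ["datasource %s not found" % pool_name]
    findings = []
    url = ds.findtext(DS + "connection-url", "")
    if url.startswith("jdbc:h2:"):
        findings.append("connection-url still points at the embedded H2 database")
    if "useSSL=false" in url:
        findings.append("connection-url disables TLS to the database (useSSL=false)")
    if next(ds.iter(DS + "password"), None) is not None:  # step 9: plaintext password removed?
        findings.append("plaintext <password> still present in the datasource")
    driver = ds.findtext(DS + "driver", "")
    defined = {d.get("name") for d in root.iter(DS + "driver") if d.get("name")}  # step 10 entries
    if driver not in defined:
        findings.append("driver '%s' has no <driver name=...> definition" % driver)
    domain = ds.findtext(DS + "security/" + DS + "security-domain")  # step 9 reference
    if domain is None:
        findings.append("datasource has no <security-domain> reference")
    elif domain not in {s.get("name") for s in root.iter(SEC + "security-domain")}:  # step 13
        findings.append("security-domain '%s' is not defined" % domain)
    return findings

# Constructed minimal standalone.xml in the state the article starts from (embedded H2, sa/sa).
BEFORE = """<server xmlns="urn:jboss:domain:4.0"><profile>
<subsystem xmlns="urn:jboss:domain:datasources:4.0"><datasources>
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true">
<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
<driver>h2</driver><security><user-name>sa</user-name><password>sa</password></security>
</datasource><drivers><driver name="h2" module="com.h2database.h2"/></drivers></datasources></subsystem>
<subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
<security-domain name="other" cache-type="default"/></security-domains></subsystem></profile></server>"""

# The same file after the Oracle variant of steps 7-13 (dbhost/1521/ORCL are placeholder values).
AFTER = (BEFORE
    .replace("jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE", "jdbc:oracle:thin:@dbhost:1521:ORCL")
    .replace("<driver>h2</driver>", "<driver>oracle</driver>")
    .replace("<user-name>sa</user-name><password>sa</password>", "<security-domain>EncryptDBPassword</security-domain>")
    .replace("</drivers>", '<driver name="oracle" module="oracle.jdbc.driver.oracledriver">'
             "<driver-class>oracle.jdbc.driver.OracleDriver</driver-class></driver></drivers>")
    .replace("</security-domains>", '<security-domain name="EncryptDBPassword" cache-type="default"/></security-domains>'))
```

Run check_keycloak_ds on the text of your edited standalone.xml; any finding names the step to revisit.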

***************************************
How to encrypt the DB password
***************************************
1. cd DevTest_Home
2. Run:
java -cp IdentityAccessManager/modules/system/layers/base/org/picketbox/main/picketbox-5.0.2.Final.jar org.picketbox.datasource.security.SecureIdentityLoginModule <password>

where <password>= plain-text DB password
The command prints the encoded value; use it as <encrypted password> in step 13.
Note: SecureIdentityLoginModule encodes the password with a fixed key built into the PicketBox jar, so the value stored in standalone.xml is obfuscated rather than strongly encrypted. Restrict read access to standalone.xml to the account that runs IAM.



 
Additional Information:
Not Applicable.