Configuring Security

In Clara, user authentication is managed by Keycloak.

In Keycloak, each application has its own Realm with different users and authorization settings. Clara authorization settings are stored in a Realm named Clara.

For details about Keycloak, see Keycloak documentation.

The steps to configure the security for your Clara installation, including the generation of a new secret, and the customization of SSL certificates, are run automatically by the installation script.

The installation script generates two Clara users:

1. 1. • userid solutions, password Hclsolutions00, with user role

      • userid admin, password Hclsolutions00, with administrator role

To add additional users, roles, or to change the default passwords, see the steps in Creating a new user below.

Creating a new user

The installation process generates a Keycloak default realm named Clara and a default client named Clara.

For additional information about Keycloak realms and clients, see Keycloak documentation.

Use the Keycloak administration console to define new users, new roles, or change user passwords.

For example, to create a new Clara user with administrator role, run the following steps:

1. Access Keycloak administration console https://<IP:PORT>/keycloak/auth/admin by using the following credentials:

• userid=admin

• password=Hclsolutions00

2.  If you want, you can change Keycloak default password:

1. From Keycloak administrator console, in the upper right corner, click Admin:

2. Select Manage account -> password

3. Under Clients -> Clara -> roles tab, click the Add role button

4. Provide the role name admin and click save

5. Under users, click the add user button

6. Provide a user name and click save

7. Under Credentials, provide a password for the user, turn the temporary field to off,  click the Reset Password button and confirm

8. Under Role Mappings, in the Client Roles dropdown, select Clara. Some boxes appear on the right

9. Under  Available Roles, select admin and click the Add Selected button. The admin role appears in the Assigned Roles box

10. On the left navigation bar, select the Realm Settings page and go to the Themes tab

11. In the Login Theme parameter, select the Keycloak theme, then click save

Customizing SSL certificates

To install your own SSL certificates, run the following procedure:

1. In the  <install_path>/clara/nginx/cert folder replace the .key and .crt default certificate files with your own files (do not change the default names).

2. Complete the installation procedure, or run the following commands from the <install_path> directory to update a pre-existing installation:

 docker stop clara-nginx

 docker start clara-nginx

Configuring Clara to use TLS

By default, Clara external port is configured to use TLS 1.2 and TLS 1.3.

To modify this setting, you can proceed in one of the following ways::

• Before launching Clara, build a tailored version of the clara-nginx image.
  After extracting clara-img.tar.gz file (see installation instructions), go in the folder clara-img/nginx and edit the file nginxAuth.conf.
  Configure the key “ssl_protocols” to the desired value (see nginx official documentation for more details).

• On a running Clara, run the bash in the running container clara-nginx:
   docker exec -ti clara-nginx bash
  edit /etc/nginx/conf.d/default.conf file and configure the key “ssl_protocols” to the desired value (see nginx official documentation for more details).
  Restart the container:
          docker restart clara-nginx

How to set a custom client secret

1. From the Keycloak administration console, in the left side navigation bar, select Clients->Clara.

2. From the tab Credentials, click Regenerate Secret.

3. Copy the content of the field Secret.

4. In the .env file you find in <BUILD_DIR>/clara/.env, paste the content you copied from the field Secret into the CLIENT_SECRET parameter, overriding the default value.

5. From the <BUILD_DIR> directory, run the commands ./clara.sh --up --nc.