The most recent patch for this version is 2.2.3.

Version: 2.2

ASM and ADS integration

To integrate Access Decision Service (ADS) with Axiomatics Services Manager (ASM), you must configure ADS to retrieve its authorization domain configuration file from ASM. This is achieved by first preparing ASM to provide the domain and then updating your ADS deployment configuration.

Preparation

Follow the steps below to perform the required actions within ASM:

  1. Configure an authorization domain in an ASM project

    Learn how to manage authorization domain configurations in the Domain management section of the ASM documentation.

  2. Configure Keycloak

    Set up the Keycloak client to provide authentication access to ADS, following the instructions provided in the Configure Keycloak for ADS section of the ASM documentation.

Deployment configuration

Update your deployment.yaml file to point to the remote HTTP/HTTPS endpoint and configure the appropriate authentication as follows:

  1. Set the domain path

    Set the path under the domain section to the HTTP/HTTPS URL of your ASM endpoint.

    Note

    Spaces in domain names should be URL-encoded as %20. For example, Project 1 becomes Project%201 to ensure proper interpretation by the server.

    path: https://<hostname>/adm/api/namespaces/Project%201/names/mydomain/domain.yaml

    Domain path example with URL encoding

  2. Configure authentication

    ADS requires client credentials to request the domain configuration from ASM. Under the domain.authentication section, configure OAuth2 authentication:

    1. Specify an oauth2ClientId under domain.authentication.

    2. Add the corresponding OAuth2 properties (client-id, client-secret, scope, authorization-grant-type, and token-uri) under the spring.security.oauth2.client section.

      Tip

      Axiomatics recommends using environment variables to protect sensitive information like your client secret.

  3. Configure TLS

    Secure communications between ADS and your chosen service by incorporating Transport Layer Security (TLS):

    1. Define a tlsConfigurationId (for example, admBundle) in the domain.authentication section.

    2. Provide the secure connection settings by adding the keystore (location, password, type) and truststore (location, password, type) properties under spring.ssl.bundle.jks.

      ADS supports both basic TLS with a KeyStore for client authentication and TLS with client certificates.

deployment.yaml
# ADS configuration for integration with ASM

license: file:<path_to_file>/axiomatics_ADS.license

domain:
  # For ASM integration, set this to the ASM HTTP/HTTPS URL described under "Set the domain path".
  path: file:<path_to_file>/domain.yaml
  authentication:
    oauth2ClientId: adm-client       # Must match the registration id below
    tlsConfigurationId: admBundle    # Must match the bundle name under spring.ssl.bundle.jks

spring:
  security:
    oauth2:
      client:
        registration:
          adm-client:
            client-id: <your_client_id>
            client-secret: ${OAUTH_CLIENT_SECRET}
            scope: openid # Defines the scope of access requested by the client.
            authorization-grant-type: <your_grant_type>
            provider: adm-client
        provider:
          adm-client:
            token-uri: https://<asm-hostname>/auth/realms/asm/protocol/openid-connect/token
  ssl:
    bundle:
      jks:
        admBundle:
          keystore:
            location: file:<path_to_keystore.jks> # Or .p12 for PKCS12
            password: ${KEYSTORE_PASSWORD}
            type: JKS # Replace with PKCS12 depending on the keystore type used
          truststore:
            location: file:<path_to_truststore.jks>
            password: ${TRUSTSTORE_PASSWORD}
            type: JKS # Replace with PKCS12 depending on the keystore type used

Important

Replace the placeholders with your values.
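
A pre-deployment check for the settings described above, as an added example (not Axiomatics code): it builds the URL-encoded domain path and verifies that oauth2ClientId and tlsConfigurationId resolve to entries under spring.security.oauth2.client and spring.ssl.bundle.jks, and that secrets are environment variable references. It assumes deployment.yaml has already been parsed into a dict; the function names, the sample values and the https-only rule are this example's own choices.

```python
import re
from urllib.parse import quote, urlsplit

ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")  # e.g. ${OAUTH_CLIENT_SECRET}
CLIENT = ("spring", "security", "oauth2", "client")
JKS = ("spring", "ssl", "bundle", "jks")

def asm_domain_path(host, project, domain):
    """Build domain.path, percent-encoding names (Project 1 -> Project%201)."""
    enc = lambda s: quote(s, safe="")
    return f"https://{host}/adm/api/namespaces/{enc(project)}/names/{enc(domain)}/domain.yaml"

def dig(node, *keys):
    """Walk nested dicts; return None when any level is missing."""
    for key in keys:
        node = node.get(key) if isinstance(node, dict) else None
    return node

def lint_deployment(cfg):
    """Return findings for a deployment.yaml already parsed into a dict."""
    out = []
    path = str(dig(cfg, "domain", "path") or "")
    if urlsplit(path).scheme != "https":  # stricter than the page, which also allows http
        out.append("domain.path is not https")
    if " " in path:
        out.append("domain.path has an unencoded space")
    reg = dig(cfg, *CLIENT, "registration", dig(cfg, "domain", "authentication", "oauth2ClientId"))
    if not isinstance(reg, dict):
        out.append("oauth2ClientId has no matching registration")
    elif not ENV_REF.match(str(reg.get("client-secret"))):
        out.append("client-secret is not an environment variable reference")
    token_uri = str(dig(cfg, *CLIENT, "provider", dig(reg, "provider"), "token-uri") or "")
    if urlsplit(token_uri).scheme != "https":
        out.append("token-uri is not https")
    bundle = dig(cfg, *JKS, dig(cfg, "domain", "authentication", "tlsConfigurationId"))
    if not isinstance(bundle, dict):
        out.append("tlsConfigurationId has no matching spring.ssl.bundle.jks entry")
    for store in ("keystore", "truststore"):
        password = dig(bundle, store, "password")
        if password is not None and not ENV_REF.match(str(password)):
            out.append(f"{store} password is not an environment variable reference")
    return out

# Constructed sample: local file path, literal secret, http token-uri, no admBundle defined
SAMPLE = {"domain": {"path": "file:/opt/ads/domain.yaml", "authentication": {
              "oauth2ClientId": "adm-client", "tlsConfigurationId": "admBundle"}},
          "spring": {"security": {"oauth2": {"client": {
              "registration": {"adm-client": {"client-secret": "s3cret", "provider": "asm"}},
              "provider": {"asm": {"token-uri": "http://asm.example.com/token"}}}}}}}
```

Calling lint_deployment(SAMPLE) returns four findings; a configuration shaped like the deployment.yaml above, with an https domain path, returns an empty list.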