Merge pull request #19 from HCL-TECH-SOFTWARE/version

FEB-2616 publish

9.3.7/create_postgresql_db.md

@@ -8,9 +8,13 @@ In a production environment, you must create a PostgreSQL database before you in
 
 Create an empty PostgreSQL database following standard naming conventions. There are two methods:
 
-    -   Use PGAdmin.
-    -   Run psql.exe and execute the command create database mydbname;.
-    **Note:** The default page size will be 8KB.
+-   Use PGAdmin tooling
+-   Use the `psql` command 
+
+Default database settings are adequate; however, it is required that the user that is used for Leap's datasource has full permissions on the database. For example:   
+```
+GRANT ALL PRIVILEGES ON DATABASE leap_db TO leap_db_user
+```
 
 
 **Parent topic: **[Create a Database](in_create_db.md)

9.3.7/helm_changing_log_level.md

@@ -7,8 +7,13 @@ Below is an example of how to change the log level.
 ```yaml
 logging:
   leap:
-    level: Leap:*=detail:com.ibm.form.nitro.*=finest
+    level: Leap:*=detail,Leap:com.ibm.form.nitro.*=finest
 ```
+The general format is `Leap:[packageName1].*=[level1],Leap:[packageName2].*=[level2],...`
 
-**Parent topic:** [Preparation](helm_preparation.md)
+The default log configuration is `*=info`.
+
+See [logging levels](https://openliberty.io/docs/latest/log-trace-configuration.html#logging_levels) for more details.
+
+**Parent topic: **[Preparation](helm_preparation.md)
 

9.3.7/helm_configure_db.md

@@ -14,18 +14,18 @@ configuration:
     configOverrideFiles: 
       . . .
       db2Override: |  
-        <server description="leapServer"> 
-          <!-- Adds the jdbc library to the Leap application classpath -->
-          <application autoStart="true" type="ear" id="leap" name="HCL Leap" location="leap.ear">
-            <classloader id="leapClassloader" delegation="parentLast" commonLibraryRef="jdbcDB2"/>
-          </application>          
+        <server> 
           <!-- Disable the hard-coded derby datasource -->
-          <dataSource id="leapDerbyDatasource" jndiName="disabled" statementCacheSize="10" />
-          <authData id="db2AuthAlias" user="${DB_USERNAME}" password="${DB_PASSWORD}" /> 
+          <dataSource id="leapDerbyDatasource" jndiName="disabled" />
+          <!-- Adds the DB2 JDBC library to the Leap application classpath -->
           <library id="jdbcDB2" > 
-            <fileset dir ="${server.config.dir}/lib" includes="db2jcc4.jar db2jcc_license_cu.jar" /> 
+            <fileset dir ="${server.config.dir}/lib" includes="db2jcc4.jar" /> 
           </library> 
-          <dataSource id="febDataSource" jndiName="jdbc/BuilderDataSource" statementCacheSize="30" containerAuthDataRef="db2AuthAlias"> 
+          <application id="leap">
+            <classloader id="leapClassloader" commonLibraryRef="jdbcDB2"/>
+          </application>          
+          <authData id="db2AuthAlias" user="${DB_USERNAME}" password="${DB_PASSWORD}" /> 
+          <dataSource id="leapDB2DataSource" jndiName="jdbc/BuilderDataSource" statementCacheSize="30" containerAuthDataRef="db2AuthAlias"> 
             <properties.db2.jcc  
                 databaseName="LEAPDB"  
                 driverType="4" 
@@ -69,25 +69,25 @@ configuration:
     configOverrideFiles: 
       . . .
       oracleOverride: | 
-        <server description="leapServer"> 
-            <!-- Adds the jdbc library to the Leap application classpath -->
-            <application autoStart="true" type="ear" id="leap" name="HCL Leap" location="leap.ear">
-                <classloader id="leapClassloader" delegation="parentLast" commonLibraryRef="jdbcOracle"/>
-          </application>            
+        <server> 
             <!-- Disable the hard-coded derby datasource -->
-            <dataSource id="leapDerbyDatasource" jndiName="disabled" statementCacheSize="10" />
+            <dataSource id="leapDerbyDatasource" jndiName="disabled" />
+            <!-- Adds the jdbc library to the Leap application classpath -->
             <library id="jdbcOracle" >
                 <fileset dir="${server.config.dir}/lib" includes='ojdbc8.jar' />
             </library>
-            <dataSource id="leapDataSource" jndiName="jdbc/BuilderDataSource" containerAuthDataRef="oracleAuthAlias"> 
+            <application id="leap">
+                <classloader id="leapClassloader" commonLibraryRef="jdbcOracle"/>
+            </application>            
+            <authData id="oracleAuthAlias" user="${DB_USERNAME}" password="${DB_PASSWORD}" /> 
+            <dataSource id="leapOracleDataSource" jndiName="jdbc/BuilderDataSource" containerAuthDataRef="oracleAuthAlias"> 
                 <jdbcDriver libraryRef="jdbcOracle"/> 
                 <properties.oracle URL="jdbc:oracle:thin:@leap-oracle-db.example.com:1521/orclpdb1"/> 
                 <connectionManager  
                     minPoolSize="0" maxPoolSize="10" maxIdleTime="10m" 
                     purgePolicy="ValidateAllConnections" 
                 /> 
             </dataSource> 
-            <authData id="oracleAuthAlias" user="${DB_USERNAME}" password="${DB_PASSWORD}" /> 
         </server>
 ```
 
@@ -102,23 +102,23 @@ configuration:
     configOverrideFiles: 
       . . .
       postgreSQLOverride: |  
-        <server description="leapServer"> 
-          <!-- Adds the jdbc library to the Leap application classpath -->        
-          <application autoStart="true" type="ear" id="leap" name="HCL Leap" location="leap.ear">
-            <classloader id="leapClassloader" delegation="parentLast" commonLibraryRef="jdbcPostgreSQL"/>
-          </application>        
+        <server> 
           <!-- Disable the hard-coded derby datasource -->
-          <dataSource id="leapDerbyDatasource" jndiName="disabled" statementCacheSize="10" />
+          <dataSource id="leapDerbyDatasource" jndiName="disabled" />
+          <!-- Adds the jdbc library to the Leap application classpath -->        
           <library id="jdbcPostgreSQL" > 
             <fileset dir ="${server.config.dir}/lib" includes="postgresql.jar" /> 
           </library> 
-          <dataSource id="febDataSource" jndiName="jdbc/BuilderDataSource" containerAuthDataRef="postgresAuthAlias"> 
+          <application id="leap">
+            <classloader id="leapClassloader" commonLibraryRef="jdbcPostgreSQL"/>
+          </application>        
+          <authData id="postgresAuthAlias" user="${DB_USERNAME}" password="${DB_PASSWORD}" />  
+          <dataSource id="leapPostgresDataSource" jndiName="jdbc/BuilderDataSource" containerAuthDataRef="postgresAuthAlias"> 
             <properties.postgresql  
                 serverName="postgresql.acme.com"  
                 databaseName="leapDB"
                 portNumber="5432"
             />
-            <authData id="postgresAuthAlias" user="${DB_USERNAME}" password="${DB_PASSWORD}" />  
             <jdbcDriver libraryRef="jdbcPostgreSQL"/> 
             <connectionManager connectionTimeout="180" maxPoolSize="100" minPoolSize="1" numConnectionsPerThreadLocal="1" /> 
           </dataSource> 

9.3.7/helm_oidc_config.md

@@ -66,23 +66,27 @@ configOverrideFiles:
         mapIdentityToRegistryUser="false"
         httpsRequired="true"
         scope="openid"
-        <!-- Defines a simple name that can be used to refer to this OIDC config -->
         realmName="LeapOidc"
-        <!-- The property of the token that contains the user's group assignments -->
         groupIdentifier="group_membership"
         userIdentityToCreateSubject="preferred_username"
         discoveryEndpointUrl="https://myoidcserver:8443/realms/Leapdev/.well-known/openid-configuration">
       </openidConnectClient>
       <authFilter id="interceptedAuthFilter">
-        <requestUrl id="authRequestUrl" matchType="contains" urlPattern="/apps/secure|/apps/secured"/>
+        <requestUrl id="authRequestUrl" matchType="contains" urlPattern="/apps/secure"/>
       </authFilter>
-      <httpEndpoint id="defaultHttpEndpoint"
-          host="*"
-          httpPort="9080"
-          httpsPort="9443">
-          <samesite none="*" />
     </server> 
 ```
+General Notes:  
+
+- `realmName`: Defines a qualify that can be used to refer to users and groups from this OIDC config
+- `groupIdentifier`: The property of the token that contains the user's group assignments
+
+Microsoft Azure AD Notes:  
+
+- `scope`: A value of `"openid profile"` is required to get the `preferred_username` claim, which is a reasonable claim to use for `userIdentityToCreateSubject`. The application registration in Azure AD is required to have the "openid" and "profile" permissions.
+- `groupIdentifier`: Recommended value is `"groups"`; however, this might depend on the Azure AD environment
+- `discoveryEndpointUrl`: Is likely to be `https://login.microsoftonline.com/[tenant id]/v2.0/.well-known/openid-configuration`
+
 
 For more details on defining a server customization, see [Open Liberty server customizations](helm_open_liberty_custom.md).
 
@@ -94,6 +98,7 @@ The following properties must be set to complete the OIDC configuration:
 -   userLookups - By setting this to false it will disable user lookups, which is not available when configured with OIDC.
 -   userGroups - By setting this to false it will disable group lookups, which is not available when configured with OIDC.
 -   postLogoutRedirectURL - This is the URL to which Leap will redirect the browser after a user chooses to log out. This is necessary to complete the loop with the OIDC IDP.
+-   reauthOnFailedRequest, reauthInNewWindow - When the user's session expires, these settings enable the user to reauthenticate in a pop-up window and not lose any unsaved work
 
 ```yaml
 configuration:
@@ -102,24 +107,38 @@ configuration:
     leapProperties: |
       ibm.nitro.NitroConfig.userLookup=false
       ibm.nitro.NitroConfig.userGroups=false 
+      ibm.nitro.NitroConfig.reauthOnFailedRequest=true 
+      ibm.nitro.NitroConfig.reauthInNewWindow=true 
       ibm.nitro.LogoutServlet.postLogoutRedirectURL=https://myoidcServer.com/realms/Leap/protocol/openid-connect/logout?client_id=hcl-leap-oidc-client&post_logout_redirect_uri=https://myLeapServer.com/apps/secure/org/ide/manager.html
 ```
 
 For more details on setting Leap properties, see [Leap properties](helm_leap_properties.md).
 
 ## Referencing Users and Groups in Security Role Mapping 
-To assign a user or group from OIDC to one of the Leap roles (AdministrativeUsers, EditApplicationUsers, UseApplicationUsers) you must use their access id.  The access id is made up of the realmName (defined in the 'openidConnectClient' definition) and the user/group name.  
+To assign a user or group from OIDC to one of the Leap roles (AdministrativeUsers, EditApplicationUsers, UseApplicationUsers) you must use their access id.  The access id is made up of the realmName (defined in the 'openidConnectClient' definition) and the user or group name.  
 
 To assign a user from OIDC to a Leap security role you would use {realmName}/{userName}:
 ```yaml
-MappedUsersAccessIDs:
- - LeapOidc/john.oidc
+configuration:
+  leap:
+    ...
+    roleMapping:
+      ...
+      EditApplicationsUsers:
+        MappedUsersAccessIDs:
+        - LeapOidc/john.oidc
 ```
 
 To assign a group from OIDC to a Leap security role you would use {realmName}/{groupName}:
 ```yaml
-MappedGroupsAccessIDs:
- - LeapOidc//Group1
+configuration:
+  leap:
+    ...
+    roleMapping:
+      ...
+      EditApplicationsUsers:
+        MappedGroupsAccessIDs:
+        - LeapOidc//Group1
 ```
 Note: there is an extra slash in the group name because that is part of the definition in the IDP used for this example. Other IDPs may differ in how they define the group name, if in doubt leverage the logging trace string to identify the correct value.