Configuring the OAuth protocol for single sign-on with LSF Web Services

After you have installed Keycloak and configured it for single sign-on with LSF Web Services, configure single sign-on through the OAuth 2.0 protocol for LSF Web Services. This process includes setting Keycloak access on the client so that users can sign on to LSF Web Services with the single sign-on server handling authentication.

Procedure

  1. As root, source the LSF Web Services environment.
    For example:
    • For csh or tcsh:
      # source /opt/ibm/lsfsuite/ext/cshrc.platform
    • For sh, ksh, or bash:
      # . /opt/ibm/lsfsuite/ext/profile.platform
  2. Edit the lws.conf configuration file to include the following parameters:
    # ENABLE_OAUTH="true"
    # OAuth2_ClientId="Select from Keycloak's Client list"
    # OAuth2_ClientSecret="Select from credentials"
    # OAuth2_TokenUri="http://Keycloak_HOSTNAME or IP:Port/realms/Test(Enter the name of your newly created realm)/protocol/openid-connect/token"
    # OAuth2_RedirectUri="https://LWS_HOSTNAME:8448/lsf/v1/*"
    # OAuth2_AuthScope="openid microprofile-jwt"
    # OAuth2_IntrospectUri="http://Keycloak_HOSTNAME or IP:8180/realms/Test/protocol/openid-connect/token/introspect"
    # OAuth2_UsernameAttr="preferred_username"
    For example:
    ENABLE_OAUTH="true" 
    OAuth2_ClientId="lws-oauth" 
    OAuth2_ClientSecret="ziQhZCTThd5pYkRd8EP7RI8DlthniMH2" 
    OAuth2_TokenUri="http://lwshost:8180/realms/ABCRealm/protocol/openid-connect/token" 
    OAuth2_AuthUri="http://lwshost:8180/realms/ABCRealm/protocol/openid-connect/auth" 
    OAuth2_RedirectUri="https://lwshost:8448/lsf/v1/*" 
    OAuth2_AuthScope="openid microprofile-jwt" 
    OAuth2_IntrospectUri="http://lwshost:8180/realms/ABCRealm/protocol/openid-connect/token/introspect"
    OAuth2_UsernameAttr="preferred_username"
  3. Restart the LSF Web Services service (lwsd) so that the configuration file changes take effect:
    # . /opt/ibm/lsfsuite/ext/profile.platform
    # systemctl stop lwsd
    # systemctl start lwsd
    # systemctl status lwsd
  4. Authenticate the OAuth single sign-on connection:
    1. Log on to LSF Web Services through your single sign-on realm account. Use the username and password that were created for your realm in Keycloak (for example, lsfadmin):
      # lsf cluster logon --username username --password password --url https://LWS_proxy_hostname_or_IP_address:port
      For example:
      # lsf cluster logon --username lsfadmin --password xxxxxx --url https://LWS_proxy_hostname_or_IP_address:8448
    2. List the clusters that you are logged on to.
      For example:
      # lsf cluster list
      Default   Name     Version                                            URL 
      *         lws_ha   IBM Spectrum LSF Standard 10.1.0.14, Jun 11 2023   https://lwshost.ibm.com:8448
    3. Submit jobs to the LSF cluster.
      For example:
      # lsf bsub sleep 20
      Job <364> is submitted to default queue <normal>.

      # lsf bjobs -a
      JOBID  USER     STAT  QUEUE   FROM_HOST   EXEC_HOST   JOB_NAME   SUBMIT_TIME 
      364    lsfadmin DONE  normal  lwshost     lwsexec     sleep 20   May 25 05:46 
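
The following script is an added example, not part of the IBM procedure or product. It audits the step 2 parameters in an lws.conf file and reports required parameters that are missing or commented out, Keycloak endpoints configured over http://, and a world-readable file. The function names, the finding messages, and the treatment of lines that begin with # as comments are assumptions of this example.

```shell
# Added example, not IBM's code: audit the step 2 OAuth parameters in lws.conf.
# Assumption: lines that start with "#" are comments and set nothing.

# Print parameter $2 from file $1: last uncommented assignment, blanks and quotes stripped.
lws_param() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=//p" "$1" | tail -n 1 |
        sed -e 's/^[[:space:]]*"\{0,1\}[[:space:]]*//' -e 's/[[:space:]]*"\{0,1\}[[:space:]]*$//'
}

# Print one finding per line; return 0 only when there are none.
check_lws_oauth_conf() {
    conf=$1; findings=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    [ "$(lws_param "$conf" ENABLE_OAUTH)" = "true" ] ||
        { echo "ENABLE_OAUTH is not \"true\""; findings=$((findings + 1)); }
    for p in OAuth2_ClientId OAuth2_ClientSecret OAuth2_TokenUri OAuth2_RedirectUri \
             OAuth2_AuthScope OAuth2_IntrospectUri OAuth2_UsernameAttr; do
        [ -n "$(lws_param "$conf" "$p")" ] ||
            { echo "$p is missing or empty"; findings=$((findings + 1)); }
    done
    # Client secret, user credentials and tokens are sent to these Keycloak endpoints.
    for p in OAuth2_TokenUri OAuth2_AuthUri OAuth2_IntrospectUri; do
        case "$(lws_param "$conf" "$p")" in
            http://*) echo "$p uses cleartext http://"; findings=$((findings + 1)) ;;
        esac
    done
    # The file stores OAuth2_ClientSecret; flag read access for "other".
    [ -z "$(find "$conf" -prune -perm -004)" ] ||
        { echo "$conf is world-readable"; findings=$((findings + 1)); }
    [ "$findings" -eq 0 ]
}

# Constructed sample: the page's example values, placeholder secret, one parameter commented out.
write_sample_conf() {
    cat >"$1" <<'EOF'
ENABLE_OAUTH="true"
OAuth2_ClientId="lws-oauth"
OAuth2_ClientSecret="PLACEHOLDER-NOT-A-REAL-SECRET"
OAuth2_TokenUri="http://lwshost:8180/realms/ABCRealm/protocol/openid-connect/token"
OAuth2_RedirectUri="https://lwshost:8448/lsf/v1/*"
OAuth2_AuthScope=" openid microprofile-jwt "
OAuth2_IntrospectUri=http://lwshost:8180/realms/ABCRealm/protocol/openid-connect/token/introspect
# OAuth2_UsernameAttr="preferred_username"
EOF
}

# Audit the file named in $1, or the constructed sample when none is given.
if [ "$#" -gt 0 ]; then check_lws_oauth_conf "$1"; else
    tmp=$(mktemp); write_sample_conf "$tmp"; check_lws_oauth_conf "$tmp" || true; rm -f "$tmp"
fi
```

Run it with the path to your lws.conf as the only argument; the exit status is 0 only when nothing is reported. With no argument it audits the constructed sample.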

What to do next

After you have configured the OAuth protocol for single sign-on with LSF Web Services, your next step is to integrate Keycloak with an LDAP or Active Directory service.