Secure your Java microservices application

Learning objectives

In this workshop, learn how to get started with application security from two perspectives:

• Application security provided by the platform:
  • Transport Layer Security (TLS)/Hypertext Transfer Protocol Secure (HTTPS)
  • Mutual authentication with Transport Layer Security (mTLS)
• Application security with Keycloak and Quarkus:
  • Authentication with Keycloak on the web front end
  • Authorization in Quarkus for specific microservices in the back end

Follow along with the example application in this workshop to learn how to:

• Secure external access to a Kubernetes cluster with TLS
• Secure communication between microservices with Istio and mTLS
• Implement authorization and authentication with the Open Source Identity and Access Management system Keycloak and JSON Web Tokens (JWT)

Note: The scope of this workshop is not to explain every aspect of application security.

Prerequisites

In order to run this workshop, you will need to create an IBM Cloud account (or log in to your existing account).

To run the platform security exercises, you will use:

• IBM Cloud Kubernetes Service (pre-provisioned for the workshop or a paid cluster)
• IBM Cloud Shell

To run the authorization and authentication exercises, ensure that you have installed the following tools on your local machine and that you can run them in your terminal sessions:

• git
• yarn
• Node.js
• Apache Maven
• Docker (running Keycloak locally)
• Java

Estimated time

It should take about 1 hour to complete this workshop.

Steps

Follow the steps in the “Set up IBM Cloud” > “Overview” section of this workshop to:

• Register for IBM Cloud (or log in to your existing account)
• Access the Kubernetes cluster
• Access IBM Cloud Shell, which is a cloud-based shell that you can access through your browser, and is preconfigured with the full IBM Cloud CLI and other third-party CLIs

Once you have the initial environment set up, you will need:

• Keycloak for authentication and authorization
• Istio to secure access to your services

Complete the steps in the “Set up Istio and Keycloak” > “Overview” section of the workshop to:

• Install Istio on the IBM Cloud Kubernetes Service (IKS)
• Use the Istio Ingress gateway to gain access to the sample application and externally to Keycloak with a DNS entry
• Secure the Istio Ingress gateway with HTTPS using a certificate that is automatically generated
• Install Keycloak within the Istio Service Mesh

Complete the labs in this section to gain an understanding of application security provided by the platform.

• Deploy microservices to Kubernetes
• Secure communication between microservices with Istio using mutual authentication with Transport Layer Security (mTLS)
• (Optional) Apply authorization policies to further secure communication within the service mesh, workload to workload, using Istio

In this section, learn more about end-user to workload authentication.

• (Optional) Locally set up the web application and microservices
• Use Keycloak for authentication on the web front endpoint
• Use Keycloak for authorization in Quarkus applications for specific microservices in the back end
  • Develop protected endpoints
  • Invoke protected endpoints

Summary

After you complete this workshop, you’ll understand the following topics related to application security:

• Application security provided by the platform
• Application security with Keycloak and Quarkus