Digital Developer Conference: Cloud Security 2021 – Build the skills to secure your cloud and data Register free

Secure your Java microservices application

Learning objectives

In this workshop, learn how to get started with application security from two perspectives:

Follow along with the example application in this workshop to learn how to:

  • Secure external access to a Kubernetes cluster with TLS
  • Secure communication between microservices with Istio and mTLS
  • Implement authorization and authentication with the Open Source Identity and Access Management system Keycloak and JSON Web Tokens (JWT)

Note: The scope of this workshop is not to explain every aspect of application security.


In order to run this workshop, you will need to create an IBM Cloud account (or log in to your existing account).

To run the platform security exercises, you will use:

To run the authorization and authentication exercises, ensure that you have installed the following tools on your local machine and that you can run them in your terminal sessions:

Estimated time

It should take about 1 hour to complete this workshop.



Set up the IBM Cloud environment

Follow the steps in the “Set up IBM Cloud” > “Overview” section of this workshop to:

  • Register for IBM Cloud (or log in to your existing account)
  • Access the Kubernetes cluster
  • Access IBM Cloud Shell, which is a cloud-based shell that you can access through your browser, and is preconfigured with the full IBM Cloud CLI and other third-party CLIs

Set up Istio and Keycloak

Once you have the initial environment set up, you will need:

  • Keycloak for authentication and authorization
  • Istio to secure access to your services

Complete the steps in the “Set up Istio and Keycloak” > “Overview” section of the workshop to:

  • Install Istio on the IBM Cloud Kubernetes Service (IKS)
  • Use the Istio Ingress gateway to gain access to the sample application and externally to Keycloak with a DNS entry
  • Secure the Istio Ingress gateway with HTTPS using a certificate that is automatically generated
  • Install Keycloak within the Istio Service Mesh

Platform security with mTLS

Complete the labs in this section to gain an understanding of application security provided by the platform.

  • Deploy microservices to Kubernetes
  • Secure communication between microservices with Istio using mutual authentication with Transport Layer Security (mTLS)
  • (Optional) Apply authorization policies to further secure communication within the service mesh, workload to workload, using Istio

Authorization and authentication with Keycloak and Quarkus

In this section, learn more about end-user to workload authentication.

  • (Optional) Locally set up the web application and microservices
  • Use Keycloak for authentication on the web front endpoint
  • Use Keycloak for authorization in Quarkus applications for specific microservices in the back end
    • Develop protected endpoints
    • Invoke protected endpoints


After you complete this workshop, you’ll understand the following topics related to application security:

  • Application security provided by the platform
  • Application security with Keycloak and Quarkus