FAQ: CoreCloudGateway - CGW
We recommend using CGW version >= 3.1.22
This version includes several improvements and also prevents a sporadic 401 error in the Webclient.
CGW Change of Logout Parameter
Since CGW 3.1.20 there is a new property in the CGW config which replaces the previous property:
cg.censhareLogoutUrls:
- http://${CENSHARE_SERVER_1:PORT}/forward/rest/service/webserver/rest/csLogout
- http://${CENSHARE_SERVER_2:PORT}/forward/rest/service/webserver/rest/csLogout
- ....
The previous value was the single-value property cg.censhareLogoutUrl.
The new implementation uses cg.censhareLogoutUrls, which must contain an array of all necessary censhare logout URLs. Use IP addresses if necessary.
If cloud-gateway is running on the same server as the censhare server, then localhost and port 9000 should be used:
cg.censhareLogoutUrls:
- http://localhost:9000/forward/rest/service/webserver/rest/csLogout
CGW Direct Keycloak URIs
By default, all Keycloak URIs use the external Keycloak URL, which is necessary so that a user is able to connect to the Keycloak server. For three URIs a direct connection can be used when the Keycloak server is in the same network. This improves speed and security, as the communication won't leave the internal network. Please use the correct port; Keycloak usually listens on 8080.
Note: The http protocol is used, as the proxy does the SSL termination in this example. Please see the truststore certificate validation section below in case https is needed.
spring.security.oauth2.client.provider.keycloak.token-uri: http://${INTERNAL_KEYCLOAK_SERVER:PORT}/auth/realms/censhare/protocol/openid-connect/token
spring.security.oauth2.client.provider.keycloak.jwk-set-uri: http://${INTERNAL_KEYCLOAK_SERVER:PORT}/auth/realms/censhare/protocol/openid-connect/certs
spring.security.oauth2.client.provider.keycloak.user-info-uri: http://${INTERNAL_KEYCLOAK_SERVER:PORT}/auth/realms/censhare/protocol/openid-connect/userinfo
Example: when Keycloak runs on the application server:
spring.security.oauth2.client.provider.keycloak.token-uri: http://localhost:8080/auth/realms/censhare/protocol/openid-connect/token
spring.security.oauth2.client.provider.keycloak.jwk-set-uri: http://localhost:8080/auth/realms/censhare/protocol/openid-connect/certs
spring.security.oauth2.client.provider.keycloak.user-info-uri: http://localhost:8080/auth/realms/censhare/protocol/openid-connect/userinfo
CGW Cookie handling in proxy
CGW > 3.1.15 introduced a new cookie, CGW_SESSION, for session handling with CGW. This needs to be handled in the proxy configuration. For example, with haproxy this could be done like this:
backend cloud-gateway
cookie CGW_SESSION prefix nocache
CGW and SRS: Remove error message
On non-cloud systems there might be an error message flooding the logs:
core-cloud-gateway[1154]: {"timestamp":"2025-03-04 03:40:53.799","level":"ERROR","thread":"OkHttp http://localhost:4318/...","logger":"io.opentelemetry.exporter.internal.okhttp.OkHttpExporter","message":"Failed to export spans. The request could not be executed. Full error message: Failed to connect to localhost/127.0.0.1:4318","context":"default"}
To stop this from happening, add the following line:
management.tracing.enabled: false
This parameter can also be added to the Static-Resource-Server (SRS) configuration.
CGW and SRS cannot validate certificate of encrypted http URLs
In case CGW and/or SRS have to connect to encrypted http (https) URLs, both services have to be adjusted to use a valid truststore.
Java offers the parameters -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword to add this capability.
The example below adds the default truststore of Red Hat Linux to CGW.
ExecStart=/usr/bin/java -Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit -jar /opt/censer/core-cloud-gateway/core-cloud-gateway.jar
To adjust the startup parameters of both services, modify the startup files:
/usr/lib/systemd/system/censhare.core-cloud-gateway.service
/usr/lib/systemd/system/censhare.static-resource-server.service
Background:
A customer running a dedicated hosted Keycloak instance reported that CGW and SRS faced certificate validation errors while connecting to Keycloak.
It turned out that the dedicated hosted Keycloak instance was running https (encrypted http).
Example application.yaml of the customer's CGW:
KEYCLOAK_DOMAIN: keycloakservice.example.com:8884
AUTH_OPENID_URL: https://${KEYCLOAK_DOMAIN}/auth/realms/censhare/protocol/openid-connect
Example application.yaml of the customer's SRS:
spring.security.oauth2.resourceserver.jwt.jwk-set-uri: https://keycloakservice.example.com:8884/auth/realms/censhare/protocol/openid-connect/certs
The root cause of this issue is that CGW and SRS by default do not support encrypted http connections.
To add support for encrypted http, the CGW and SRS config files had to be adjusted.
After CGW and SRS were adjusted to use a valid truststore, they were able to connect and the issue was solved.
Example ExecStart parameters of CGW and SRS after adjustment:
ExecStart=/usr/bin/java -Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit -jar /opt/censer/core-cloud-gateway/core-cloud-gateway.jar
ExecStart=/usr/bin/java -Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit -jar /opt/censer/static-resource-server/static-resource-server.jar
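A pre-restart configuration check covering three points from this page: the replaced logout property, plain-http URIs that should only point at internal hosts, and https URIs that need the truststore flag in ExecStart. This is an added example, not censhare code. The finding names, the sample inputs and the rule that only localhost and loopback/private IP literals count as internal are assumptions of this example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample inputs for illustration, not taken from a real system.
SAMPLE_CONFIG = """\
cg.censhareLogoutUrl: http://10.0.0.5:9000/forward/rest/service/webserver/rest/csLogout
spring.security.oauth2.client.provider.keycloak.token-uri: http://sso.example.com:8080/auth/realms/censhare/protocol/openid-connect/token
spring.security.oauth2.client.provider.keycloak.jwk-set-uri: https://keycloakservice.example.com:8884/auth/realms/censhare/protocol/openid-connect/certs
"""
SAMPLE_UNIT = "ExecStart=/usr/bin/java -jar /opt/censer/core-cloud-gateway/core-cloud-gateway.jar\n"

URL_RE = re.compile(r"https?://[^\s'\"]+")


def is_internal(host):
    """Assumption: only localhost and loopback/private IP literals count as
    internal. Hostnames are not resolved, so they are reported for review."""
    if host == "localhost":
        return True
    try:
        ip = ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private


def audit(config_text, unit_text):
    """Return a list of finding strings (the names are hypothetical)."""
    findings, uses_https = [], False
    for line in map(str.strip, config_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        # Single-value property replaced by cg.censhareLogoutUrls in 3.1.20.
        if re.match(r"cg\.censhareLogoutUrl\s*:", line):
            findings.append("deprecated-logout-property")
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            host = parts.hostname or ""
            if parts.scheme == "https":
                uses_https = True
            elif "$" not in host and not is_internal(host):
                # Plain http is only appropriate on the hop behind the TLS proxy.
                findings.append(f"cleartext-http:{host}")
    # https endpoints need the JVM truststore flag in ExecStart.
    if uses_https and "-Djavax.net.ssl.trustStore=" not in unit_text:
        findings.append("https-without-truststore")
    return findings
```

Calling `audit(SAMPLE_CONFIG, SAMPLE_UNIT)` reports all three findings; URIs that still contain `${...}` placeholders are skipped for the host check because their target is unknown until the variables are resolved.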