FAQ: CoreCloudGateway - CGW

We recommend using CGW version >= 3.1.22

This version included several improvements and also prevents a sporadically 401 error in Webclient.

Change of Logout Parameter

Since CGW 3.1.20 there is new property in the CGW config which replaces the previous property:

cg.censhareLogoutUrls:
- http://${CENSHARE_SERVER_1:PORT}/forward/rest/service/webserver/rest/csLogout
- http://${CENSHARE_SERVER_2:PORT}/forward/rest/service/webserver/rest/csLogout
- ....

The previous value was a single-value property cg.censhareLogoutUrl
The new implementation uses cg.censhareLogoutUrls and must contain an array of all necessary censhare logout URLs. Use IP addresses if necessary.

If cloud-gateway is running on the same server as the censhare server then localhost and port 9000 should be used:

cg.censhareLogoutUrls:
- http://localhost:9000/forward/rest/service/webserver/rest/csLogout

Direct Keycloak URIs

By default all Keycloak URIs use the external Keycloak URL, which is necessary so that a user is able to connect to the Keycloak server. For three URIs a direct connection can be used, when the Keycloak server is in the same network. This improves speed and security, as the communication wont leave the internal network. Please use the correct port, usually Keycloak listens to 8080.

Note: http protocol is used, as the proxy does the SSL termination in this example. Please see Truststore certificate validation below in case https is needed

spring.security.oauth2.client.provider.keycloak.token-uri: http://${INTERNAL_KEYCLOAK_SERVER:PORT}/auth/realms/censhare/protocol/openid-connect/token
spring.security.oauth2.client.provider.keycloak.jwk-set-uri: http://${INTERNAL_KEYCLOAK_SERVER:PORT}/auth/realms/censhare/protocol/openid-connect/certs
spring.security.oauth2.client.provider.keycloak.user-info-uri: http://${INTERNAL_KEYCLOAK_SERVER:PORT}/auth/realms/censhare/protocol/openid-connect/userinfo

Example: when Keycloak runs on the application server:

spring.security.oauth2.client.provider.keycloak.token-uri: http://localhost:8080/auth/realms/censhare/protocol/openid-connect/token
spring.security.oauth2.client.provider.keycloak.jwk-set-uri: http://localhost:8080/auth/realms/censhare/protocol/openid-connect/certs
spring.security.oauth2.client.provider.keycloak.user-info-uri: http://localhost:8080/auth/realms/censhare/protocol/openid-connect/userinfo

Cookie handling in proxy

CGW > 3.1.15 introduced a new cookie CGW_SESSION for session handling with CGW. This needs to be handled in the proxy configuration. For example with haproxy this could be done like this:

backend cloud-gateway
    cookie CGW_SESSION prefix nocache

Remove error message

On none- cloud systems there might be an error message flooding the logs:

core-cloud-gateway[1154]: {"timestamp":"2025-03-04 03:40:53.799","level":"ERROR","thread":"OkHttp http://localhost:4318/...","logger":"io.opentelemetry.exporter.internal.okhttp.OkHttpExporter","message":"Failed to export spans. The request could not be executed. Full error message: Failed to connect to localhost/127.0.0.1:4318","context":"default"}

To stop this from happening add the following line:

management.tracing.enabled: false

Truststore certificate validation

Optional in case certificates from company CA are used.

Add the following parameter to CGW and SRS startup. In this case the java truststore is used.

-Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts 
-Djavax.net.ssl.trustStorePassword=changeit