FAQ: CoreCloudGateway - CGW

We recommend using CGW version >= 3.1.22

This version includes several improvements and also prevents a sporadically 401 error in Webclient.

CGW Change of Logout Parameter

Since CGW 3.1.20 there is new property in the CGW config which replaces the previous property:

cg.censhareLogoutUrls:
- http://${CENSHARE_SERVER_1:PORT}/forward/rest/service/webserver/rest/csLogout
- http://${CENSHARE_SERVER_2:PORT}/forward/rest/service/webserver/rest/csLogout
- ....

The previous value was a single-value property cg.censhareLogoutUrl
The new implementation uses cg.censhareLogoutUrls and must contain an array of all necessary censhare logout URLs. Use IP addresses if necessary.

If cloud-gateway is running on the same server as the censhare server then localhost and port 9000 should be used:

cg.censhareLogoutUrls:
- http://localhost:9000/forward/rest/service/webserver/rest/csLogout

CGW Direct Keycloak URIs

By default all Keycloak URIs use the external Keycloak URL, which is necessary so that a user is able to connect to the Keycloak server. For three URIs a direct connection can be used, when the Keycloak server is in the same network. This improves speed and security, as the communication wont leave the internal network. Please use the correct port, usually Keycloak listens to 8080.

Note: http protocol is used, as the proxy does the SSL termination in this example. Please see Truststore certificate validation below in case https is needed

spring.security.oauth2.client.provider.keycloak.token-uri: http://${INTERNAL_KEYCLOAK_SERVER:PORT}/auth/realms/censhare/protocol/openid-connect/token
spring.security.oauth2.client.provider.keycloak.jwk-set-uri: http://${INTERNAL_KEYCLOAK_SERVER:PORT}/auth/realms/censhare/protocol/openid-connect/certs
spring.security.oauth2.client.provider.keycloak.user-info-uri: http://${INTERNAL_KEYCLOAK_SERVER:PORT}/auth/realms/censhare/protocol/openid-connect/userinfo

Example: when Keycloak runs on the application server:

spring.security.oauth2.client.provider.keycloak.token-uri: http://localhost:8080/auth/realms/censhare/protocol/openid-connect/token
spring.security.oauth2.client.provider.keycloak.jwk-set-uri: http://localhost:8080/auth/realms/censhare/protocol/openid-connect/certs
spring.security.oauth2.client.provider.keycloak.user-info-uri: http://localhost:8080/auth/realms/censhare/protocol/openid-connect/userinfo

CGW Cookie handling in proxy

CGW > 3.1.15 introduced a new cookie CGW_SESSION for session handling with CGW. This needs to be handled in the proxy configuration. For example with haproxy this could be done like this:

backend cloud-gateway
    cookie CGW_SESSION prefix nocache

CGW and SRS: Remove error message

On none- cloud systems there might be an error message flooding the logs:

core-cloud-gateway[1154]: {"timestamp":"2025-03-04 03:40:53.799","level":"ERROR","thread":"OkHttp http://localhost:4318/...","logger":"io.opentelemetry.exporter.internal.okhttp.OkHttpExporter","message":"Failed to export spans. The request could not be executed. Full error message: Failed to connect to localhost/127.0.0.1:4318","context":"default"}

To stop this from happening add the following line:

management.tracing.enabled: false

This parameter can also be added to the Static-Resource-Server (SRS) configuration.

CGW and SRS cannot validate certificate of encrypted http URLs

In case CGW and/or SRS have to connect to encrypted http URLs both services have to be adjusted to use a valid truststore.
Java offers parameters -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword to add this capability.

Please see example below that is adding default truststore of REDHAT Linux to CGW.

ExecStart=/usr/bin/java -Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit -jar /opt/censer/core-cloud-gateway/core-cloud-gateway.jar

For adjusting startup parameters of both services modify startup files /usr/lib/systemd/system/censhare.core-cloud-gateway.service

/usr/lib/systemd/system/censhare.static-resource-server.service

Background:

A customer running a dedicated hosted keycloak instance reported an issue stating that CGW and SRS do face certificate validation errors while connecting to keycloak.

It turned out that the dedicated hosted keycloak instance was running https, encrypted http.

Example application.yaml of CGW of customer:

KEYCLOAK_DOMAIN: keycloakservice.example.com:8884

AUTH_OPENID_URL: https://${KEYCLOAK_DOMAIN}/auth/realms/censhare/protocol/openid-connect

Example application.yaml of SRS of customer:

spring.security.oauth2.resourceserver.jwt.jwk-set-uri: https://keycloakservice.example.com:8884/auth/realms/censhare/protocol/openid-connect/certs

The root cause of this issue is that CGW and SRS by default do not support encrypted http connections.

To add support for encrypted http CGW and SRS config files had to be adjusted

After adjusting CGW and SRS to use a valid truststore CGW and SRS were able to connect, issue was solved.

Example ExecStart parms of CGW and SARS after adjustment:

ExecStart=/usr/bin/java -Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit -jar /opt/censer/core-cloud-gateway/core-cloud-gateway.jar

ExecStart=/usr/bin/java -Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit -jar /opt/censer/static-resource-server/static-resource-server.jar