Configuring the Management Interface
The management interface serves the management endpoints from a separate HTTP server, distinct from the primary one.
This makes it possible to keep endpoints like /metrics or /health away from the outside world and, therefore, hardens the deployment.
The most significant advantage is seen in Kubernetes environments, where the management port can simply be left unexposed.
Management interface configuration
The management interface is turned on when something is exposed on it.
Management endpoints such as /metrics and /health are exposed on the default management port 9000 when metrics and health are enabled.
The management interface provides a set of options and is fully configurable.
If management interface properties are not explicitly set, their values are automatically inherited from the default HTTP server.
Port
In order to change the port for the management interface, you can use the NQRust-Identity option http-management-port.
Relative path
You can change the relative path of the management interface, because the prefix path for the management endpoints may differ from that of the main server.
You can achieve it via the NQRust-Identity option http-management-relative-path.
For instance, if you set the CLI option --http-management-relative-path=/management, the metrics and health endpoints are accessed on the /management/metrics and /management/health paths.
When a relative path is specified, the user is automatically redirected to the path where NQRust-Identity is hosted.
That is, when the relative path is set to /management and the user accesses localhost:9000/, the page is redirected to localhost:9000/management.
If you do not explicitly set the value for it, the value from the http-relative-path property is used. For instance,
if you set the CLI option --http-relative-path=/auth, these endpoints are accessible on the /auth/metrics and /auth/health paths.
TLS support
When TLS is configured for the default NQRust-Identity server, the management interface is by default accessible through HTTPS as well. Unlike the main server, the management interface can run only on either HTTP or HTTPS, not on both.
If you do not want the management interface to use HTTPS, you may set the http-management-scheme option to http.
Dedicated NQRust-Identity management interface options with the prefix https-management-* are provided for setting different TLS parameters for the management HTTP server. Their function is the same as that of their counterparts for the main HTTP server; for details see Configuring TLS.
When these options are not explicitly set, the TLS parameters are inherited from the default HTTP server.
Disable Management interface
The management interface is automatically turned off when nothing is exposed on it.
Currently, only health checks and metrics are exposed on the management interface.
If you want to stop exposing them on the management interface, set the NQRust-Identity property legacy-observability-interface to true.
Exposing the health and metrics endpoints on the default server is not recommended for security reasons; you should always use the management interface.
Note that the legacy-observability-interface option is deprecated and will be removed in future releases.
It exists only to give you more time for the migration.
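The following script is an added example and not part of the NQRust-Identity project. It shows, for the port, relative path, TLS and legacy settings described in the sections above, where the health and metrics endpoints actually end up: it resolves their URLs from the KC_* environment variables listed on this page, applying the inheritance rules (management relative path falls back to http-relative-path, the scheme follows the main server's TLS unless http-management-scheme is http, and legacy-observability-interface moves the endpoints back to the main server). Assumed rather than taken from the page: KC_HTTP_RELATIVE_PATH as the environment form of http-relative-path, the main server ports 8080/8443 and the host name localhost, all of which are placeholders; the optional probe requires curl.

```shell
#!/bin/sh
# Added example (not code from the NQRust-Identity project): resolves the effective
# URLs of /health and /metrics from the KC_* variables on this page, following the
# documented inheritance rules. Placeholders assumed here: KC_HTTP_RELATIVE_PATH as the
# env form of http-relative-path, main ports 8080/8443, host "localhost".

# Effective relative path of the management interface:
# http-management-relative-path, else http-relative-path, else "/".
mgmt_relative_path() {
  p="${KC_HTTP_MANAGEMENT_RELATIVE_PATH:-${KC_HTTP_RELATIVE_PATH:-/}}"
  case "$p" in /*) ;; *) p="/$p" ;; esac   # the path must start with a "/"
  printf '%s' "${p%/}"                     # drop a trailing "/" so joins do not double it
}

# Effective scheme of the management interface.
# $1: "true" when the main server has TLS configured, "false" otherwise.
mgmt_scheme() {
  case "${KC_HTTP_MANAGEMENT_SCHEME:-inherited}" in
    http) printf 'http' ;;
    inherited) [ "$1" = "true" ] && printf 'https' || printf 'http' ;;
    *) echo "unknown http-management-scheme: $KC_HTTP_MANAGEMENT_SCHEME" >&2; return 1 ;;
  esac
}

# Base URL under which /health and /metrics are served.
# $1: main server TLS ("true"/"false"), $2: host (default: localhost, a placeholder).
observability_base_url() {
  host="${2:-localhost}"
  if [ "${KC_LEGACY_OBSERVABILITY_INTERFACE:-false}" = "true" ]; then
    # Deprecated mode: the management interface is disabled and the endpoints
    # sit on the main server under its own relative path.
    main_path="${KC_HTTP_RELATIVE_PATH:-/}"
    main_path="${main_path%/}"
    if [ "$1" = "true" ]; then
      printf 'https://%s:%s%s' "$host" "${KC_HTTPS_PORT:-8443}" "$main_path"
    else
      printf 'http://%s:%s%s' "$host" "${KC_HTTP_PORT:-8080}" "$main_path"
    fi
    return 0
  fi
  scheme=$(mgmt_scheme "$1") || return 1
  printf '%s://%s:%s%s' "$scheme" "$host" "${KC_HTTP_MANAGEMENT_PORT:-9000}" "$(mgmt_relative_path)"
}

# $1: main server TLS ("true"/"false"), $2: "health" or "metrics".
endpoint_url() {
  printf '%s/%s' "$(observability_base_url "$1")" "$2"
}

# Optional live check: print the HTTP status of each endpoint at its resolved URL,
# so that a misconfigured (unexpectedly exposed or missing) endpoint is visible.
probe() {
  for ep in health metrics; do
    url=$(endpoint_url "$1" "$ep")
    code=$(curl -sk -o /dev/null -w '%{http_code}' "$url" || echo "000")
    echo "$url -> $code"
  done
}

# Run as:  sh resolve-mgmt.sh probe true     (second argument: main server TLS?)
if [ "${1:-}" = "probe" ]; then
  probe "${2:-false}"
fi
```

With no KC_* variables set, the resolved URL is http://localhost:9000/metrics; setting KC_HTTP_RELATIVE_PATH=/auth alone moves it to /auth/metrics on the management port, and KC_HTTP_MANAGEMENT_RELATIVE_PATH=/management overrides that. The probe is the check a defender wants after a change: the endpoints should answer only at the resolved URL, not on the main server's port.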
Relevant options
| Option | Type or Values | Default |
|---|---|---|
| http-management-health-enabled<br>If health endpoints should be exposed on the management interface. If false, health endpoints will be exposed on the main interface.<br>CLI: --http-management-health-enabled<br>Env: KC_HTTP_MANAGEMENT_HEALTH_ENABLED | true, false | true |
| http-management-port<br>Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details.<br>CLI: --http-management-port<br>Env: KC_HTTP_MANAGEMENT_PORT | Integer | 9000 |
| http-management-relative-path<br>Set the path relative to / for serving resources from the management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details.<br>CLI: --http-management-relative-path<br>Env: KC_HTTP_MANAGEMENT_RELATIVE_PATH | String | / |
| http-management-scheme<br>Configures the management interface scheme. If inherited, the management interface will inherit the HTTPS settings of the main interface. If http, the management interface will be accessible via HTTP - it will not inherit HTTPS settings and cannot be configured for HTTPS.<br>CLI: --http-management-scheme<br>Env: KC_HTTP_MANAGEMENT_SCHEME | http, inherited | inherited |
| https-management-certificate-file<br>The file path to a server certificate or certificate chain in PEM format for the management server. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details.<br>CLI: --https-management-certificate-file<br>Env: KC_HTTPS_MANAGEMENT_CERTIFICATE_FILE | File | |
| https-management-certificate-key-file<br>The file path to a private key in PEM format for the management server. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details.<br>CLI: --https-management-certificate-key-file<br>Env: KC_HTTPS_MANAGEMENT_CERTIFICATE_KEY_FILE | File | |
| https-management-certificates-reload-period<br>Interval on which to reload the key store, trust store, and certificate files referenced by https-management-* options for the management server. May be an ISO 8601 duration value, an integer number of seconds, or an integer followed by one of [ms, h, m, s, d]. Must be greater than 30 seconds. Use -1 to disable. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details.<br>CLI: --https-management-certificates-reload-period<br>Env: KC_HTTPS_MANAGEMENT_CERTIFICATES_RELOAD_PERIOD | String | 1h |
| https-management-client-auth<br>Configures the management interface to require/request client authentication. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details.<br>CLI: --https-management-client-auth<br>Env: KC_HTTPS_MANAGEMENT_CLIENT_AUTH | none, request, required | none |
| https-management-key-store-file<br>The key store which holds the certificate information instead of specifying separate files for the management server. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details.<br>CLI: --https-management-key-store-file<br>Env: KC_HTTPS_MANAGEMENT_KEY_STORE_FILE | File | |
| https-management-key-store-password<br>The password of the key store file for the management server. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details.<br>CLI: --https-management-key-store-password<br>Env: KC_HTTPS_MANAGEMENT_KEY_STORE_PASSWORD | String | password |
| legacy-observability-interface<br>If metrics/health endpoints should be exposed on the main HTTP server (not recommended). If set to true, the management interface is disabled.<br>CLI: --legacy-observability-interface<br>Env: KC_LEGACY_OBSERVABILITY_INTERFACE | true, false | false |