Security Settings
Security settings manage authentication integration, certificate management, and session policies for the SecureLink platform.
Keycloak Integration
SecureLink uses Keycloak as its identity provider for all user authentication. The platform does not store or manage passwords directly — all credential management is handled by Keycloak.
Connection Settings
| Setting | Description |
|---|---|
| Realm URL | Full URL to the Keycloak realm (e.g., https://keycloak.securelink.example.com/realms/securelink) |
| Client ID | The OAuth2 client ID registered in Keycloak for this orchestrator |
| Client Secret | The client secret for server-side token validation |
| JWKS Endpoint | The JSON Web Key Set endpoint used to verify token signatures (typically {realm_url}/protocol/openid-connect/certs) |
SecureLink uses a Token Exchange pattern:
- Users authenticate with Keycloak and receive a Keycloak JWT
- The JWT is exchanged via the `/auth/exchange` endpoint for a VSN+ session token
- The session token contains full authorization context (user type, tenant ID, roles, permissions)
- All subsequent API requests use the VSN+ session token
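The checks that should pass before a Keycloak JWT is accepted for exchange, as an added example (not SecureLink's own code): pick the signing key from the JWKS by `kid`, verify the signature, then match the claims against the connection settings. It assumes RS256 signing (Keycloak's default), that the token's `azp` claim equals the configured Client ID, and that the JWKS document has already been fetched from the JWKS endpoint; all function names are hypothetical.

```python
import base64, hashlib, json, time

SHA256_DER = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo prefix (RFC 8017)

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # JWTs drop the padding
def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def pkcs1_sha256(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte RSA modulus."""
    t = SHA256_DER + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_keycloak_jwt(token, jwks, realm_url, client_id, now=None):
    """Return the claims if the token is acceptable for exchange, else raise ValueError."""
    h64, p64, s64 = token.split(".")
    header, claims = json.loads(b64u_dec(h64)), json.loads(b64u_dec(p64))
    if header.get("alg") != "RS256":  # pin the algorithm: rejects "none" and HMAC variants
        raise ValueError("unexpected alg")
    jwk = next((j for j in jwks["keys"]
                if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("kid not in JWKS")
    n, e = (int.from_bytes(b64u_dec(jwk[f]), "big") for f in ("n", "e"))
    sig = b64u_dec(s64)
    s, k = int.from_bytes(sig, "big"), (n.bit_length() + 7) // 8
    want = pkcs1_sha256(f"{h64}.{p64}".encode(), k)
    if len(sig) != k or s >= n or pow(s, e, n).to_bytes(k, "big") != want:
        raise ValueError("bad signature")
    if claims.get("iss") != realm_url.rstrip("/"):  # issuer must be the configured realm
        raise ValueError("issuer is not the configured realm")
    if claims.get("azp") != client_id:  # assumption: token was issued to this client
        raise ValueError("token issued to another client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def constructed_sample(realm_url, client_id, exp):
    """Constructed demo input: a throwaway key from two Mersenne primes (insecure) and a token."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8
    num = lambda i: b64u_enc(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    jwks = {"keys": [{"kty": "RSA", "kid": "demo", "n": num(n), "e": num(e)}]}
    head = b64u_enc(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    body = b64u_enc(json.dumps({"iss": realm_url, "azp": client_id, "exp": exp}).encode())
    sig = pow(int.from_bytes(pkcs1_sha256(f"{head}.{body}".encode(), k), "big"), d, n)
    return jwks, f"{head}.{body}." + b64u_enc(sig.to_bytes(k, "big"))
```

The RSA arithmetic is written out only to make each verification step visible; a deployed validator would use a maintained JOSE library and enforce a minimum key size.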
SecureLink uses Keycloak for all authentication. Password policies — including minimum length, complexity requirements, and account lockout — are configured in Keycloak, not in SecureLink.
TLS Certificates
Manage the TLS certificates used for secure communication across the platform:
| Certificate | Purpose |
|---|---|
| API TLS | HTTPS certificate for the API server |
| MQTT TLS | Certificate for encrypted MQTT communication between edges and the broker |
| Edge Communication | Certificates used during edge bootstrap and ongoing configuration sync |
Certificates can be uploaded, renewed, or regenerated from this page. The system tracks certificate expiry dates and can be configured to send warnings before expiration (see Alert Configuration).
Session Timeout
Configure how long VSN+ session tokens remain valid before requiring re-authentication.
- Default: 24 hours
- Minimum: 1 hour
- Maximum: 72 hours
When a session token expires, the user is redirected to the Keycloak login page to re-authenticate.
Password Policy
All password policies are managed through Keycloak. To configure password requirements:
- Log in to the Keycloak admin console
- Navigate to the appropriate realm
- Go to Authentication > Policies > Password Policy
- Configure the desired rules (minimum length, special characters, password history, etc.)
Changes to password policy in Keycloak take effect immediately for all new password operations.