Thomas Südbröcker

Get started with securing your cloud-native Java microservices applications

Implement a defense-in-depth strategy for your Java microservices. This lab shows how to secure your app and platform with Keycloak and Istio.

#1 about 5 minutes

Introduction to the cloud-native security workshop

An overview of the workshop's goals, the final application architecture, and the open source technologies used, such as Keycloak and Quarkus.

#2 about 19 minutes

Implementing authentication with Keycloak, Quarkus, and JWT

A walkthrough of the authentication and authorization flow using Keycloak for identity management, Quarkus with MicroProfile for the backend, and JSON Web Tokens (JWT) for secure communication.

#3 about 13 minutes

Securing the platform with an Istio service mesh

An explanation of Istio's core concepts, including the sidecar proxy model for traffic management, securing external access with TLS, and enabling internal security with mutual TLS (mTLS).

#4 about 18 minutes

Setting up the IBM Cloud and Kubernetes cluster

A step-by-step guide to requesting a pre-configured Kubernetes cluster on IBM Cloud and accessing it using the integrated Cloud Shell.

#5 about 21 minutes

Configuring the Istio ingress gateway with TLS

This lab demonstrates how to install Istio, expose its ingress gateway with a public DNS name, and secure it with a TLS certificate from Let's Encrypt.

#6 about 6 minutes

Deploying and configuring Keycloak for identity management

Learn how to deploy Keycloak to Kubernetes and automate the creation of a security realm, users, and roles using a script and the Keycloak API.

#7 about 7 minutes

Deploying the Java microservices to Kubernetes

This section covers deploying the web frontend, web API, and articles microservices to the cluster and configuring the Keycloak client with the correct redirect URI.

#8 about 6 minutes

Enforcing strict mutual TLS for internal traffic

Discover how to apply an Istio policy to enforce strict mutual TLS (mTLS), preventing unauthorized internal services from directly accessing protected endpoints.

#9 about 9 minutes

Implementing service-level authorization policies in Istio

Go beyond mTLS by creating Kubernetes ServiceAccounts and applying Istio AuthorizationPolicies to control which specific services are allowed to communicate with each other.

#10 about 4 minutes

Visualizing traffic with Kiali and workshop summary

Use the Kiali dashboard to visualize the secured service mesh traffic and review the key application and platform security concepts covered in the workshop.
