2018-06-07 12:12:56 +00:00
== Introduction
2018-12-13 17:57:05 +00:00
=== What Is {openshift_name}?
{openshift_name} is an integrated sign-on solution available as a Red Hat JBoss Middleware for OpenShift containerized image. The {project_openshift_product_name} image provides an authentication server for users to centrally log in, log out, register, and manage user accounts for web applications, mobile applications, and RESTful web services.
2018-03-19 19:04:57 +00:00
[[sso-templates]]
2018-10-12 18:18:28 +00:00
Red Hat offers multiple OpenShift application templates utilizing the {project_openshift_product_name} image version number {project_version}. These define the resources needed to develop {project_name} {project_version} server based deployment and can be split into the following two categories:
2018-03-19 19:04:57 +00:00
[KEYCLOAK-6650] [KEYCLOAK-6648] Make documentation changes for these JIRAs (#368)
* [KEYCLOAK-6650] Substitute:
* 'redhat-sso72-openshift:1.0' with 'redhat-sso72-openshift:1.1',
* 'ose-v1.4.9' tag with (upcoming) 'ose-v1.4.11' tag
Also update the command to install the updated templates
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Mention the newly introduced RH-SSO 7.2 x509
application templates on appropriate places
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Move "Binary Builds" tutorial out of
Getting Started section to Tutorials section
Also rename it to:
"Example Workflow: Create OpenShift Application that Authenticates
Using Red Hat Single Sing-On from Existing Maven Binaries"
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Rename 'Get Started' section to 'Advanced Concepts'
(we will introduce a new, refactored 'Getting Started' section soon)
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Bring the refactored 'Getting Started' section
back to the docs
Make it contain the most simplistic example, how to deploy RH-SSO
server
Refactor the 'Advanced Concepts' section to guide:
* How to generate keystores, truststore, and secrets for passthroug
TLS RH-SSO application templates,
* Also provide example, how the passthrough TLS template can be
deployed once keystores and secrets are created
Remove the necessary sections from former 'tutorials' content,
that have been used:
* Either in the new 'Getting Started' section, or
* In the new 'Advanced Concepts' section
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Address issues pointed out by Matthew during PR
review. Thanks for them, Matthew!
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6648] Align the definition of HTTPS, JGroups keystores,
and the truststore for the RH-SSO server in the application templates
with their definition in the documentation
Also provide example how to obtain certificate names from keystores
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Clarify in the Introduction section, that
for the x509 re-encrypt templates the JGroups keystore isn't
generated, and AUTH protocol is used for cluster traffic
authentication
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
2018-04-23 18:03:12 +00:00
[[passthrough-templates]]
2018-12-13 17:57:05 +00:00
* Templates using HTTPS and JGroups keystores and a truststore for the {project_name} server, all prepared beforehand. These secure the TLS communication using link:https://docs.openshift.com/container-platform/latest/architecture/networking/routes.html#passthrough-termination[passthrough TLS termination]:
2018-03-19 19:04:57 +00:00
2018-12-13 17:57:05 +00:00
** *_{project_templates_version}-https_*: {project_name} {project_version} backed by internal H2 database on the same pod.
** *_{project_templates_version}-mysql_*: {project_name} {project_version} backed by ephemeral MySQL database on a separate pod.
** *_{project_templates_version}-mysql-persistent_*: {project_name} {project_version} backed by persistent MySQL database on a separate pod.
** *_{project_templates_version}-postgresql_*: {project_name} {project_version} backed by ephemeral PostgreSQL database on a separate pod.
** *_{project_templates_version}-postgresql-persistent_*: {project_name} {project_version} backed by persistent PostgreSQL database on a separate pod.
[KEYCLOAK-6650] [KEYCLOAK-6648] Make documentation changes for these JIRAs (#368)
* [KEYCLOAK-6650] Substitute:
* 'redhat-sso72-openshift:1.0' with 'redhat-sso72-openshift:1.1',
* 'ose-v1.4.9' tag with (upcoming) 'ose-v1.4.11' tag
Also update the command to install the updated templates
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Mention the newly introduced RH-SSO 7.2 x509
application templates on appropriate places
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Move "Binary Builds" tutorial out of
Getting Started section to Tutorials section
Also rename it to:
"Example Workflow: Create OpenShift Application that Authenticates
Using Red Hat Single Sing-On from Existing Maven Binaries"
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Rename 'Get Started' section to 'Advanced Concepts'
(we will introduce a new, refactored 'Getting Started' section soon)
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Bring the refactored 'Getting Started' section
back to the docs
Make it contain the most simplistic example, how to deploy RH-SSO
server
Refactor the 'Advanced Concepts' section to guide:
* How to generate keystores, truststore, and secrets for passthroug
TLS RH-SSO application templates,
* Also provide example, how the passthrough TLS template can be
deployed once keystores and secrets are created
Remove the necessary sections from former 'tutorials' content,
that have been used:
* Either in the new 'Getting Started' section, or
* In the new 'Advanced Concepts' section
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Address issues pointed out by Matthew during PR
review. Thanks for them, Matthew!
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6648] Align the definition of HTTPS, JGroups keystores,
and the truststore for the RH-SSO server in the application templates
with their definition in the documentation
Also provide example how to obtain certificate names from keystores
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Clarify in the Introduction section, that
for the x509 re-encrypt templates the JGroups keystore isn't
generated, and AUTH protocol is used for cluster traffic
authentication
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
2018-04-23 18:03:12 +00:00
[[reencrypt-templates]]
2018-12-13 17:57:05 +00:00
* Templates using OpenShift's internal link:https://docs.openshift.com/container-platform/latest/dev_guide/secrets.html#service-serving-certificate-secrets[service serving x509 certificate secrets] to automatically create the HTTPS keystore used for serving secure content. The JGroups cluster traffic is authenticated using the `AUTH` protocol and encrypted using the `ASYM_ENCRYPT` protocol. The {project_name} server truststore is also created automatically, containing the */var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt* CA certificate file, which is used to sign the certificate for HTTPS keystore. Moreover, the truststore for the {project_name} server is pre-populated with the all known, trusted CA certificate files found in the Java system path. These templates secure the TLS communication using link:https://docs.openshift.com/container-platform/latest/architecture/networking/routes.html#re-encryption-termination[re-encryption TLS termination]:
[KEYCLOAK-6650] [KEYCLOAK-6648] Make documentation changes for these JIRAs (#368)
* [KEYCLOAK-6650] Substitute:
* 'redhat-sso72-openshift:1.0' with 'redhat-sso72-openshift:1.1',
* 'ose-v1.4.9' tag with (upcoming) 'ose-v1.4.11' tag
Also update the command to install the updated templates
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Mention the newly introduced RH-SSO 7.2 x509
application templates on appropriate places
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Move "Binary Builds" tutorial out of
Getting Started section to Tutorials section
Also rename it to:
"Example Workflow: Create OpenShift Application that Authenticates
Using Red Hat Single Sing-On from Existing Maven Binaries"
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Rename 'Get Started' section to 'Advanced Concepts'
(we will introduce a new, refactored 'Getting Started' section soon)
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Bring the refactored 'Getting Started' section
back to the docs
Make it contain the most simplistic example, how to deploy RH-SSO
server
Refactor the 'Advanced Concepts' section to guide:
* How to generate keystores, truststore, and secrets for passthroug
TLS RH-SSO application templates,
* Also provide example, how the passthrough TLS template can be
deployed once keystores and secrets are created
Remove the necessary sections from former 'tutorials' content,
that have been used:
* Either in the new 'Getting Started' section, or
* In the new 'Advanced Concepts' section
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Address issues pointed out by Matthew during PR
review. Thanks for them, Matthew!
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6648] Align the definition of HTTPS, JGroups keystores,
and the truststore for the RH-SSO server in the application templates
with their definition in the documentation
Also provide example how to obtain certificate names from keystores
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Clarify in the Introduction section, that
for the x509 re-encrypt templates the JGroups keystore isn't
generated, and AUTH protocol is used for cluster traffic
authentication
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
2018-04-23 18:03:12 +00:00
2018-12-13 17:57:05 +00:00
** *_{project_templates_version}-x509-https_*: {project_name} {project_version} with auto-generated HTTPS keystore and {project_name} truststore, backed by internal H2 database. The `ASYM_ENCRYPT` JGroups protocol is used for encryption of cluster traffic.
** *_{project_templates_version}-x509-mysql-persistent_*: {project_name} {project_version} with auto-generated HTTPS keystore and {project_name} truststore, backed by persistent MySQL database. The `ASYM_ENCRYPT` JGroups protocol is used for encryption of cluster traffic.
** *_{project_templates_version}-x509-postgresql-persistent_*: {project_name} {project_version} with auto-generated HTTPS keystore and {project_name} truststore, backed by persistent PostgreSQL database. The `ASYM_ENCRYPT` JGroups protocol is used for encryption of cluster traffic.
2018-03-19 19:04:57 +00:00
2018-12-13 17:57:05 +00:00
Other templates that integrate with {project_name} are also available:
2018-03-19 19:04:57 +00:00
2018-12-13 17:57:05 +00:00
* *_eap64-sso-s2i_*: {project_name}-enabled Red Hat JBoss Enterprise Application Platform 6.4.
* *_eap71-sso-s2i_*: {project_name}-enabled Red Hat JBoss Enterprise Application Platform 7.1.
* *_datavirt63-secure-s2i_*: {project_name}-enabled Red Hat JBoss Data Virtualization 6.3.
2018-03-19 19:04:57 +00:00
2018-12-13 17:57:05 +00:00
These templates contain environment variables specific to {project_name} that enable automatic {project_name} client registration when deployed.
2018-03-19 19:04:57 +00:00
2018-12-13 17:57:05 +00:00
See xref:Auto-Man-Client-Reg[Automatic and Manual {project_name} Client Registration Methods] for more information.
