2018-12-13 17:57:05 +00:00
[KEYCLOAK-6650] [KEYCLOAK-6648] Make documentation changes for these JIRAs (#368)
* [KEYCLOAK-6650] Substitute:
* 'redhat-sso72-openshift:1.0' with 'redhat-sso72-openshift:1.1',
* 'ose-v1.4.9' tag with (upcoming) 'ose-v1.4.11' tag
Also update the command to install the updated templates
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Mention the newly introduced RH-SSO 7.2 x509
application templates on appropriate places
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Move "Binary Builds" tutorial out of
Getting Started section to Tutorials section
Also rename it to:
"Example Workflow: Create OpenShift Application that Authenticates
Using Red Hat Single Sign-On from Existing Maven Binaries"
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Rename 'Get Started' section to 'Advanced Concepts'
(we will introduce a new, refactored 'Getting Started' section soon)
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Bring the refactored 'Getting Started' section
back to the docs
Make it contain the most simplistic example, how to deploy RH-SSO
server
Refactor the 'Advanced Concepts' section to guide:
* How to generate keystores, truststore, and secrets for passthrough
TLS RH-SSO application templates,
* Also provide example, how the passthrough TLS template can be
deployed once keystores and secrets are created
Remove the necessary sections from former 'tutorials' content,
that have been used:
* Either in the new 'Getting Started' section, or
* In the new 'Advanced Concepts' section
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Address issues pointed out by Matthew during PR
review. Thanks for them, Matthew!
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6648] Align the definition of HTTPS, JGroups keystores,
and the truststore for the RH-SSO server in the application templates
with their definition in the documentation
Also provide example how to obtain certificate names from keystores
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
* [KEYCLOAK-6650] Clarify in the Introduction section, that
for the x509 re-encrypt templates the JGroups keystore isn't
generated, and AUTH protocol is used for cluster traffic
authentication
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>

[[{project_name}-Binary-Builds-Tutorial]]
=== Example Workflow: Creating OpenShift Application from Existing Maven Binaries and Securing it Using Red Hat Single Sign-On
== Tutorials
[[Example-Deploying-SSO]]
=== Example Workflow: Preparing and Deploying the {project_openshift_product_name} image
[[Preparing-SSO-Authentication-for-OpenShift-Deployment]]
==== Preparing {project_name} Authentication for OpenShift Deployment
Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
To deploy existing applications on OpenShift, you can use the link:https://docs.openshift.com/container-platform/latest/dev_guide/builds/build_inputs.html#binary-source[binary source] capability.
==== Deploy Binary Build of EAP 6.4 / 7.1 JSP Service Invocation Application and Secure it Using Red Hat Single Sign-On
The following example uses both the link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-jee-jsp[app-jee-jsp] and link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-jee-jaxrs[service-jee-jaxrs] quickstarts to deploy an EAP 6.4 / 7.1 JSP service application that authenticates using Red Hat Single Sign-On.
*Prerequisite:*
[IMPORTANT]
====
This guide assumes the {project_openshift_product_name} image has been previously link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_single_sign-on_for_openshift/index#Example-Deploying-SSO[deployed using one of the following templates:]
* *_{project_templates_version}-mysql_*
* *_{project_templates_version}-mysql-persistent_*
* *_{project_templates_version}-postgresql_*
* *_{project_templates_version}-postgresql-persistent_*
* *_{project_templates_version}-x509-mysql-persistent_*
* *_{project_templates_version}-x509-postgresql-persistent_*
====
===== Create {project_name} Realm, Roles, and User for the EAP 6.4 / 7.1 JSP Application
The EAP 6.4 / 7.1 JSP service application requires a dedicated {project_name} realm, username, and password to be able to authenticate using Red Hat Single Sign-On. Perform the following steps after the {project_openshift_product_name} image has been deployed:
*Create the {project_name} Realm*
. Log in to the administration console of the {project_name} server.
+
*\https://secure-sso-sso-app-demo.openshift.example.com/auth/admin*
+
Use the xref:sso-administrator-setup[credentials of the {project_name} administrator user].
. Hover your cursor over the realm namespace (default is *Master*) at the top of the sidebar and click *Add Realm*.
. Enter a realm name (this example uses `demo`) and click *Create*.
[[upgrading-sso-db-from-previous-to-{project_version}]]
=== Example Workflow: Updating Existing Database when Migrating {project_openshift_product_name} Image to a new version
[IMPORTANT]
====
* Rolling updates from previous versions of {project_openshift_product_name} to version {project_version} are not supported, as databases and caches are not backward compatible.
* Stop all instances running any previous version of {project_openshift_product_name} before upgrading. They cannot run concurrently against the same database.
* Pre-generated scripts are not available; they are generated dynamically depending on the database.
====
{project_name} {project_version} can xref:automatic-db-migration[automatically migrate the database schema], or you can choose to do it xref:manual-db-migration[manually].
[NOTE]
====
By default the database is automatically migrated when you start {project_name} {project_version} for the first time.
====
[[automatic-db-migration]]
==== Automatic Database Migration
This process assumes that you are link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_single_sign-on_for_openshift/index#Example-Deploying-SSO[running] a previous version of the {project_openshift_product_name} image, backed by a MySQL or PostgreSQL database (deployed in ephemeral or persistent mode) running in a separate pod.
[IMPORTANT]
====
Stop all pods running the previous version of the {project_openshift_product_name} image before upgrading to {project_name} {project_version}, as they cannot run concurrently against the same database.
====
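As an added example (not part of the product documentation), a pre-flight check that enforces the rule above before the image change trigger is updated: it refuses to proceed while any RH-SSO server deployment config labelled `application=sso` still has replicas. The `application=sso` selector and the `sso` / `sso-postgresql` names come from the documented `oc get dc` output; excluding database deployment configs by the `*-postgresql` / `*-mysql` name suffix and the `DC_STATUS` override used for offline testing are assumptions of this example.

```shell
#!/usr/bin/env bash
# Pre-upgrade guard for the RH-SSO database migration on OpenShift.
# Added example, not part of the product documentation. Assumes the deployment
# configs are labelled application=sso (as in the documented `oc get dc` output)
# and that database deployment configs are named *-postgresql or *-mysql.

# Print "NAME REPLICAS" for each deployment config labelled application=sso.
# If DC_STATUS is set, use it instead of querying the cluster (offline testing).
list_sso_dcs() {
  if [ -n "${DC_STATUS:-}" ]; then
    printf '%s\n' "$DC_STATUS"
  else
    oc get dc --selector=application=sso --no-headers \
      -o custom-columns=NAME:.metadata.name,REPLICAS:.spec.replicas
  fi
}

# Succeed (return 0) only when every RH-SSO server dc is scaled to zero.
# Database dcs may keep running: the migration needs the database up.
# Prints the names of server dcs that still have replicas, one per line.
check_sso_scaled_down() {
  still_running=""
  while read -r name replicas; do
    [ -n "$name" ] || continue
    case "$name" in
      *-postgresql|*-mysql) continue ;;   # database dc, allowed to run
    esac
    if [ "${replicas:-0}" -ne 0 ] 2>/dev/null; then
      still_running="$still_running $name"
    fi
  done <<EOF
$(list_sso_dcs)
EOF
  if [ -n "$still_running" ]; then
    for n in $still_running; do echo "$n"; done
    return 1
  fi
  return 0
}

# Stand-alone use (./check.sh --check): refuse to proceed with the image
# trigger update while old server pods still run against the shared database.
if [ "${1:-}" = "--check" ]; then
  if check_sso_scaled_down; then
    echo "all RH-SSO server deployment configs are at 0 replicas; safe to update the image trigger"
  else
    echo "scale the listed deployment configs to 0 first (oc scale --replicas=0 dc/<name>)" >&2
    exit 1
  fi
fi
```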
Use the following steps to automatically migrate the database schema:
. Identify the deployment config used to deploy the containers running the previous version of the {project_openshift_product_name} image.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc get dc -o name --selector=application=sso
deploymentconfig/sso
deploymentconfig/sso-postgresql
----
. Stop all pods running the previous version of the {project_openshift_product_name} image in the current namespace.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc scale --replicas=0 dc/sso
deploymentconfig "sso" scaled
----
. Update the image change trigger in the existing deployment config to reference the {project_name} {project_version} image.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "redhat-{project_templates_version}-openshift:{project_latest_image_tag}"}]'
"sso" patched
----
. Start the rollout of the new {project_name} {project_version} images based on the latest image defined in the image change triggers.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc rollout latest dc/sso
deploymentconfig "sso" rolled out
----
. Deploy {project_name} {project_version} containers using the modified deployment config.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc scale --replicas=1 dc/sso
deploymentconfig "sso" scaled
----
. (Optional) Verify that the database has been successfully updated.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc get pods --selector=application=sso
NAME                     READY     STATUS    RESTARTS   AGE
sso-4-vg21r              1/1       Running   0          1h
sso-postgresql-1-t871r   1/1       Running   0          2h
----
+
[source,bash,subs="attributes+,macros+"]
----
$ oc logs sso-4-vg21r | grep 'Updating'
11:23:45,160 INFO  [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 58) Updating database. Using changelog META-INF/jpa-changelog-master.xml
----
[[manual-db-migration]]
==== Manual Database Migration

[IMPORTANT]
====
Pre-generated scripts are not available. They are generated dynamically depending on the database. With {project_name} {project_version} one can generate and export these to an SQL file that can be manually applied to the database afterwards. To dynamically generate the SQL migration file for the database:

. Configure {project_name} {project_version} with the correct datasource,
. Set the following configuration options in the `standalone-openshift.xml` file:
.. `initializeEmpty=false`,
.. `migrationStrategy=manual`, and
.. `migrationExport` to the location on the file system of the pod where the output SQL migration file should be stored (e.g. `migrationExport="${jboss.home.dir}/keycloak-database-update.sql"`).

See link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html/server_installation_and_configuration_guide/database-1#database_configuration[database configuration of {project_name} {project_version}] for further details.

The database migration process handles the data schema update and performs manipulation of the data; therefore, stop all pods running the previous version of the {project_openshift_product_name} image before dynamically generating the SQL migration file.
====

This process assumes that you are link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_single_sign-on_for_openshift/index#Example-Deploying-SSO[running] some previous version of the {project_openshift_product_name} image, backed by a MySQL or PostgreSQL database (deployed in ephemeral or persistent mode) running on a separate pod.

Perform the following steps to generate and retrieve the SQL migration file for the database:
. Prepare a template of an OpenShift link:https://docs.openshift.com/container-platform/latest/dev_guide/jobs.html[database migration job] to generate the SQL file.
+
[source,yaml,subs="verbatim,macros,attributes"]
----
$ cat job-to-migrate-db-to-{project_templates_version}.yaml.orig
apiVersion: batch/v1
kind: Job
metadata:
  name: job-to-migrate-db-to-{project_templates_version}
spec:
  autoSelector: true
  parallelism: 0
  completions: 1
  template:
    metadata:
      name: job-to-migrate-db-to-{project_templates_version}
    spec:
      containers:
      - env:
        - name: DB_SERVICE_PREFIX_MAPPING
          value: pass:[<<DB_SERVICE_PREFIX_MAPPING_VALUE>>]
        - name: pass:[<<PREFIX>>]_JNDI
          value: pass:[<<PREFIX_JNDI_VALUE>>]
        - name: pass:[<<PREFIX>>]_USERNAME
          value: pass:[<<PREFIX_USERNAME_VALUE>>]
        - name: pass:[<<PREFIX>>]_PASSWORD
          value: pass:[<<PREFIX_PASSWORD_VALUE>>]
        - name: pass:[<<PREFIX>>]_DATABASE
          value: pass:[<<PREFIX_DATABASE_VALUE>>]
        - name: TX_DATABASE_PREFIX_MAPPING
          value: pass:[<<TX_DATABASE_PREFIX_MAPPING_VALUE>>]
        - name: pass:[<<SERVICE_HOST>>]
          value: pass:[<<SERVICE_HOST_VALUE>>]
        - name: pass:[<<SERVICE_PORT>>]
          value: pass:[<<SERVICE_PORT_VALUE>>]
        image: pass:[<<SSO_IMAGE_VALUE>>]
        imagePullPolicy: Always
        name: job-to-migrate-db-to-{project_templates_version}
        # Keep the pod running after the SQL migration
        # file was generated, so we can retrieve it
        command:
        - "/bin/bash"
        - "-c"
        - "/opt/eap/bin/openshift-launch.sh || sleep 600"
      restartPolicy: Never
----
+
[source,bash,subs="attributes+,macros+"]
----
$ cp job-to-migrate-db-to-{project_templates_version}.yaml.orig \
     job-to-migrate-db-to-{project_templates_version}.yaml
----
. From the deployment config used to run the previous version of the {project_openshift_product_name} image, copy the datasource definition and database access credentials to the appropriate places of the template of the database migration job.
+
Use the following script to copy the `DB_SERVICE_PREFIX_MAPPING` and `TX_DATABASE_PREFIX_MAPPING` variable values, together with the values of the environment variables specific to the particular datasource (`<PREFIX>_JNDI`, `<PREFIX>_USERNAME`, `<PREFIX>_PASSWORD`, and `<PREFIX>_DATABASE`), from the deployment config named `sso` to the database migration job template named `job-to-migrate-db-to-{project_templates_version}.yaml`.
+
[NOTE]
====
Although the `DB_SERVICE_PREFIX_MAPPING` environment variable allows a link:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/red_hat_jboss_enterprise_application_platform_for_openshift/#datasources[comma-separated list of *<name>-<database_type>=<PREFIX>* triplets] as its value, this example script accepts only one datasource triplet definition for demonstration purposes. You can modify the script for handling multiple datasource definition triplets.
====
+
[source,bash,subs="verbatim,macros,attributes"]
----
$ cat mirror_sso_dc_db_vars.sh
#!/bin/bash
# IMPORTANT:
#
# If the name of the SSO deployment config differs from 'sso'
# or if the file name of the YAML definition of the migration
# job is different, update the following two variables
SSO_DC_NAME="sso"
JOB_MIGRATION_YAML="job-to-migrate-db-to-{project_templates_version}.yaml"

# Get existing variables of the $SSO_DC_NAME deployment config
# in an array
declare -a SSO_DC_VARS=( \
  $(oc set env dc/${SSO_DC_NAME} --list \
  | sed '/^#/d') \
)

# Get the PREFIX used in the names of environment variables
PREFIX=$( \
  grep -oP 'DB_SERVICE_PREFIX_MAPPING=[^ ]+' \
  <<< "${SSO_DC_VARS[@]}" \
)
PREFIX=${PREFIX##*=}

# Substitute:
# * <<PREFIX>> with actual $PREFIX value and
# * <<PREFIX with "<<$PREFIX" value
# The order in which these replacements are made is important!
sed -i "s#<<PREFIX>>#${PREFIX}#g" ${JOB_MIGRATION_YAML}
sed -i "s#<<PREFIX#<<${PREFIX}#g" ${JOB_MIGRATION_YAML}

# Construct the array of environment variables
# specific to the datasource
declare -a DB_VARS=(JNDI USERNAME PASSWORD DATABASE)
# Prepend $PREFIX to each item of the datasource array
DB_VARS=( "${DB_VARS[@]/#/${PREFIX}_}" )

# Add DB_SERVICE_PREFIX_MAPPING and TX_DATABASE_PREFIX_MAPPING
# variables to datasource array
DB_VARS=( \
  "${DB_VARS[@]}" \
  DB_SERVICE_PREFIX_MAPPING \
  TX_DATABASE_PREFIX_MAPPING \
)

# Construct the SERVICE from DB_SERVICE_PREFIX_MAPPING
SERVICE=$( \
  grep -oP 'DB_SERVICE_PREFIX_MAPPING=[^ ]+' \
  <<< "${SSO_DC_VARS[@]}" \
)
SERVICE=${SERVICE#*=}
SERVICE=${SERVICE%=*}
SERVICE=${SERVICE^^}
SERVICE=${SERVICE//-/_}

# If the deployment config contains pass:[<<SERVICE>>]_SERVICE_HOST
# and pass:[<<SERVICE>>]_SERVICE_PORT variables, add them to the
# datasource array. Their values also need to be propagated into
# yaml definition of the migration job.
HOST_PATTERN="${SERVICE}_SERVICE_HOST=[^ ]+"
PORT_PATTERN="${SERVICE}_SERVICE_PORT=[^ ]+"
if
  grep -Pq "${HOST_PATTERN}" <<< "${SSO_DC_VARS[@]}" &&
  grep -Pq "${PORT_PATTERN}" <<< "${SSO_DC_VARS[@]}"
then
  DB_VARS=( \
    "${DB_VARS[@]}" \
    "${SERVICE}_SERVICE_HOST" \
    "${SERVICE}_SERVICE_PORT" \
  )
# If they are not defined, delete their placeholder rows in
# yaml definition file (since if not defined they are not
# expanded which makes the yaml definition invalid).
else
  for KEY in "HOST" "PORT"
  do
    sed -i "/SERVICE_${KEY}/d" ${JOB_MIGRATION_YAML}
  done
fi

# Substitute:
# * pass:[<<SERVICE_HOST>>] with ${SERVICE}_SERVICE_HOST and
# * pass:[<<SERVICE_HOST_VALUE>>] with pass:[<<${SERVICE}_SERVICE_HOST_VALUE>>]
# The order in which replacements are made is important!
# Do this for both "HOST" and "PORT"
for KEY in "HOST" "PORT"
do
  PATTERN_1=pass:["<<SERVICE_${KEY}>>"]
  REPL_1="${SERVICE}_SERVICE_${KEY}"
  sed -i "s#${PATTERN_1}#${REPL_1}#g" ${JOB_MIGRATION_YAML}
  PATTERN_2=pass:["<<SERVICE_${KEY}_VALUE>>"]
  REPL_2="<<${SERVICE}_SERVICE_${KEY}_VALUE>>"
  sed -i "s#${PATTERN_2}#${REPL_2}#g" ${JOB_MIGRATION_YAML}
done

# Propagate the values of the datasource array items into
# yaml definition of the migration job
for VAR in "${SSO_DC_VARS[@]}"
do
  # Split on the first '=' only, so values containing '=' stay intact
  IFS=$'=' read KEY VALUE <<< "$VAR"
  if grep -q $KEY <<< ${DB_VARS[@]}
  then
    KEY+="_VALUE"
    # Enwrap integer port value with double quotes
    if [[ ${KEY} =~ ${SERVICE}_SERVICE_PORT_VALUE ]]
    then
      sed -i "s#<<${KEY}>>#\"${VALUE}\"#g" ${JOB_MIGRATION_YAML}
    # Character values do not need quotes
    else
      sed -i "s#<<${KEY}>>#${VALUE}#g" ${JOB_MIGRATION_YAML}
    fi
    # Verify that the value has been successfully propagated
    # (-E: the alternation needs extended regular expressions).
    if
      grep -qE '(JNDI|USERNAME|PASSWORD|DATABASE)' <<< "${KEY}" &&
      pass:[grep -q "<<PREFIX${KEY#${PREFIX}}"] ${JOB_MIGRATION_YAML} ||
      grep -q "<<${KEY}>>" ${JOB_MIGRATION_YAML}
    then
      echo "Failed to update value of ${KEY%_VALUE}! Aborting."
      exit 1
    else
      printf '%-60s%-40s\n' \
        "Successfully updated ${KEY%_VALUE} to:" \
        "$VALUE"
    fi
  fi
done
----
+
[[get-db-credentials]]
Run the script.
+
[source,bash,subs="attributes+,macros+"]
----
$ chmod +x ./mirror_sso_dc_db_vars.sh
$ ./mirror_sso_dc_db_vars.sh
Successfully updated DB_SERVICE_PREFIX_MAPPING to:            sso-postgresql=DB
Successfully updated DB_JNDI to:                              java:jboss/datasources/KeycloakDS
Successfully updated DB_USERNAME to:                          userxOp
Successfully updated DB_PASSWORD to:                          tsWNhQHK
Successfully updated DB_DATABASE to:                          root
Successfully updated TX_DATABASE_PREFIX_MAPPING to:           sso-postgresql=DB
----
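+
The `mirror_sso_dc_db_vars.sh` script above handles a single `<name>-<database_type>=<PREFIX>` triplet and shells out to `oc`. The following is an added example, not part of this documentation or of that script, that goes one step further than the page: it derives the same variable names for a comma-separated list of triplets and runs offline against a constructed stand-in for the `oc set env dc/sso --list` output. The listing in `SAMPLE_DC_VARS` (including the second `sso-mysql=AUDIT` datasource and every credential value in it) is made up for the example, and the helper names `dc_var`, `service_env_name`, `datasource_vars` and `render_job_env` are this example's own.
+
```shell
#!/bin/bash
# Added example, not part of the RH-SSO documentation or of
# mirror_sso_dc_db_vars.sh: derive, for every
# <name>-<database_type>=<PREFIX> triplet in DB_SERVICE_PREFIX_MAPPING,
# the environment variables the migration job has to carry. The page's
# script handles one triplet; this handles the comma-separated list.

# Constructed stand-in for `oc set env dc/sso --list` output (assumption:
# two datasources, only the first one backed by a Service that exposes
# *_SERVICE_HOST / *_SERVICE_PORT variables). All values are made up.
SAMPLE_DC_VARS='# deploymentconfigs/sso, container sso
DB_SERVICE_PREFIX_MAPPING=sso-postgresql=DB,sso-mysql=AUDIT
TX_DATABASE_PREFIX_MAPPING=sso-postgresql=DB
DB_JNDI=java:jboss/datasources/KeycloakDS
DB_USERNAME=userxOp
DB_PASSWORD=tsWNhQHK
DB_DATABASE=root
AUDIT_JNDI=java:jboss/datasources/AuditDS
AUDIT_USERNAME=auditor
AUDIT_PASSWORD=s3cr3t-example
AUDIT_DATABASE=audit
SSO_POSTGRESQL_SERVICE_HOST=172.30.1.10
SSO_POSTGRESQL_SERVICE_PORT=5432'

# Value of one variable from the listing. Comment lines are skipped and
# only the first '=' separates name from value, so mapping values that
# themselves contain '=' (sso-postgresql=DB) survive intact.
dc_var() {
  printf '%s\n' "$SAMPLE_DC_VARS" | sed '/^#/d' | grep "^$1=" | head -n 1 | cut -d= -f2-
}

# sso-postgresql -> SSO_POSTGRESQL, the same transformation the page's
# script applies to build the *_SERVICE_HOST / *_SERVICE_PORT names.
service_env_name() {
  printf '%s' "$1" | tr 'a-z-' 'A-Z_'
}

# One line per triplet: "<PREFIX> <SERVICE> <variables to propagate>".
# The SERVICE_HOST/PORT pair is included only when both are defined,
# mirroring the page's script, which otherwise deletes their placeholders.
datasource_vars() {
  local triplet service prefix vars
  dc_var DB_SERVICE_PREFIX_MAPPING | tr ',' '\n' | while read -r triplet; do
    service=$(service_env_name "${triplet%=*}")
    prefix=${triplet##*=}
    vars="${prefix}_JNDI ${prefix}_USERNAME ${prefix}_PASSWORD ${prefix}_DATABASE"
    if [ -n "$(dc_var "${service}_SERVICE_HOST")" ] \
       && [ -n "$(dc_var "${service}_SERVICE_PORT")" ]; then
      vars="$vars ${service}_SERVICE_HOST ${service}_SERVICE_PORT"
    fi
    printf '%s %s %s\n' "$prefix" "$service" "$vars"
  done
}

# Render the env: entries for the job's container from the listing.
# The port is double-quoted so YAML keeps it a string, as the page's
# script does for the *_SERVICE_PORT value.
render_job_env() {
  local prefix service vars var value
  datasource_vars | while read -r prefix service vars; do
    for var in $vars; do
      value=$(dc_var "$var")
      case "$var" in
        *_SERVICE_PORT) value="\"$value\"" ;;
      esac
      printf '        - name: %s\n          value: %s\n' "$var" "$value"
    done
  done
}

# Standalone run: print what would be written into the job template.
render_job_env
```
+
To use it against a cluster, replace the contents of `SAMPLE_DC_VARS` with the real `oc set env dc/sso --list` output; everything else derives from that listing in the same way the page's script does, only once per triplet rather than once.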
. Build the {project_name} {project_version} database migration image using the link:https://github.com/iankko/openshift-examples/tree/KEYCLOAK-8500/sso-manual-db-migration[pre-configured source] and wait for the build to finish.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc get is -n openshift | grep {project_templates_version} | cut -d ' ' -f1
redhat-{project_templates_version}-openshift
----
+
[source,bash,subs="attributes+,macros+"]
----
$ oc new-build redhat-{project_templates_version}-openshift:{project_latest_image_tag}~https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500 \
  --context-dir=sso-manual-db-migration \
  --name={project_templates_version}-db-migration-image
--> Found image bf45ac2 (7 days old) in image stream "openshift/redhat-{project_templates_version}-openshift" under tag "{project_latest_image_tag}" for "redhat-{project_templates_version}-openshift:{project_latest_image_tag}"

    Red Hat SSO {project_version}
    ---------------
    Platform for running Red Hat SSO

    Tags: sso, sso7, keycloak

    * A source build using source code from \https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500 will be created
      * The resulting image will be pushed to image stream "{project_templates_version}-db-migration-image:latest"
      * Use 'start-build' to trigger a new build

--> Creating resources with label build={project_templates_version}-db-migration-image ...
    imagestream "{project_templates_version}-db-migration-image" created
    buildconfig "{project_templates_version}-db-migration-image" created
--> Success
    Build configuration "{project_templates_version}-db-migration-image" created and build triggered.
    Run 'oc logs -f bc/{project_templates_version}-db-migration-image' to stream the build progress.
----
+
[source,bash,subs="attributes+,macros+"]
----
$ oc logs -f bc/{project_templates_version}-db-migration-image --follow
Cloning "https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500" ...
...
Push successful
----
. Update the template of the database migration job (`job-to-migrate-db-to-{project_templates_version}.yaml`) with a reference to the built `{project_templates_version}-db-migration-image` image.
.. Get the docker pull reference for the image.
+
[source,bash,subs="attributes+,macros+"]
----
$ PULL_REF=$(oc get istag -n $(oc project -q) --no-headers | grep {project_templates_version}-db-migration-image | tr -s ' ' | cut -d ' ' -f 2)
----
.. Replace the pass:[<<SSO_IMAGE_VALUE>>] field in the job template with the pull specification.
+
[source,bash,subs="attributes+,macros+"]
----
$ sed -i "s#pass:[<<SSO_IMAGE_VALUE>>]#$PULL_REF#g" job-to-migrate-db-to-{project_templates_version}.yaml
----
.. Verify that the field is updated.
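+
An added example, not part of this documentation, of how that verification can be scripted: it scans the job file for any `<<...>>` placeholder that is still unresolved, applies the same `sed` substitution as the previous sub-step, and reads back the `image:` field and selected `env` values afterwards. The job file it writes, the pull reference `docker-registry.example.local/myproject/db-migration-image:latest`, and the helper names `write_sample_job`, `unresolved_placeholders`, `set_image`, `image_ref` and `env_value` are all constructed for the example.
+
```shell
#!/bin/bash
# Added example, not part of the RH-SSO documentation: check the migration
# job definition for unresolved <<PLACEHOLDER>> fields before it is handed
# to `oc create -f`, then read back the image reference and env values
# that the earlier steps substituted. File contents and values are constructed.

# Constructed stand-in for job-to-migrate-db-to-<version>.yaml after the
# variable-mirroring script ran but before <<SSO_IMAGE_VALUE>> was replaced
# (assumption: same layout as the job template shown earlier, trimmed).
write_sample_job() {
  cat > "$1" <<'EOF'
apiVersion: batch/v1
kind: Job
spec:
  template:
    spec:
      containers:
      - env:
        - name: DB_SERVICE_PREFIX_MAPPING
          value: sso-postgresql=DB
        - name: DB_JNDI
          value: java:jboss/datasources/KeycloakDS
        - name: SSO_POSTGRESQL_SERVICE_PORT
          value: "5432"
        image: <<SSO_IMAGE_VALUE>>
        imagePullPolicy: Always
      restartPolicy: Never
EOF
}

# Print every unresolved <<NAME>> token (one per line, deduplicated) and
# return 1 when any remain, so a caller can stop before creating the job.
unresolved_placeholders() {
  local found
  found=$(grep -oE '<<[A-Z_]+>>' "$1" | sort -u)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Same substitution as the page's sed command, with the pull reference
# passed as the second argument instead of read from $PULL_REF.
set_image() {
  sed -i "s#<<SSO_IMAGE_VALUE>>#$2#g" "$1"
}

# Value of the container's image: field.
image_ref() {
  awk '$1 == "image:" { print $2; exit }' "$1"
}

# Value of the env entry named $2 (the value: line following its name: line).
env_value() {
  awk -v want="$2" '
    $1 == "-" && $2 == "name:" { current = $3; next }
    $1 == "value:" && current == want {
      sub(/^[ \t]*value:[ \t]*/, ""); print; exit
    }' "$1"
}

# Standalone run over the constructed file.
JOB_FILE=$(mktemp)
write_sample_job "$JOB_FILE"
if unresolved_placeholders "$JOB_FILE"; then
  echo "no placeholders left"
else
  echo "the placeholders above still need a value"
fi
# Constructed pull reference; the real one comes from `oc get istag`.
set_image "$JOB_FILE" "docker-registry.example.local/myproject/db-migration-image:latest"
unresolved_placeholders "$JOB_FILE" && echo "image set to $(image_ref "$JOB_FILE")"
rm -f "$JOB_FILE"
```
+
To run it against the real file, skip `write_sample_job` and pass the path of `job-to-migrate-db-to-{project_templates_version}.yaml` together with the `$PULL_REF` value from the previous sub-step to `set_image`; a non-zero return from `unresolved_placeholders` is the signal to stop before `oc create -f`.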
. Instantiate the database migration job from the job template.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc create -f job-to-migrate-db-to-{project_templates_version}.yaml
job "job-to-migrate-db-to-{project_templates_version}" created
----
+
[IMPORTANT]
====
The database migration process handles the data schema update and performs manipulation of the data; therefore, stop all pods running the previous version of the {project_openshift_product_name} image before dynamically generating the SQL migration file.
====
. Identify the deployment config used to deploy the containers running the previous version of the {project_openshift_product_name} image.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc get dc -o name --selector=application=sso
deploymentconfig/sso
deploymentconfig/sso-postgresql
----
. Stop all pods running the previous version of the {project_openshift_product_name} image in the current namespace.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc scale --replicas=0 dc/sso
deploymentconfig "sso" scaled
----
. Run the database migration job and wait for the pod to be running correctly.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc get jobs
NAME                                               DESIRED   SUCCESSFUL   AGE
job-to-migrate-db-to-{project_templates_version}   1         0            3m
----
+
[source,bash,subs="attributes+,macros+"]
----
$ oc scale --replicas=1 job/job-to-migrate-db-to-{project_templates_version}
job "job-to-migrate-db-to-{project_templates_version}" scaled
----
+
[source,bash,subs="attributes+,macros+"]
----
$ oc get pods
NAME                                                      READY     STATUS      RESTARTS   AGE
sso-postgresql-1-n5p16                                    1/1       Running     1          19h
job-to-migrate-db-to-{project_templates_version}-b87bb    1/1       Running     0          1m
{project_templates_version}-db-migration-image-1-build    0/1       Completed   0          27m
----
+
[NOTE]
====
By default, the database migration job terminates automatically `600` seconds after the migration file is generated. You can adjust this time period.
====
. Get the dynamically generated SQL database migration file from the pod.
+
[source,bash,subs="attributes+,macros+"]
----
$ mkdir -p ./db-update
$ oc rsync job-to-migrate-db-to-{project_templates_version}-b87bb:/opt/eap/keycloak-database-update.sql ./db-update
receiving incremental file list
keycloak-database-update.sql
sent 30 bytes received 29,726 bytes 59,512.00 bytes/sec
total size is 29,621 speedup is 1.00
----
. Inspect the `keycloak-database-update.sql` file to review the changes that the manual database update to {project_name} {project_version} will perform.
. Apply the database update manually.
* Run the following commands if a previous version of the {project_openshift_product_name} image is running, backed by a PostgreSQL database deployed in ephemeral or persistent mode on a separate pod:
... Copy the generated SQL migration file to the PostgreSQL pod.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc rsync --no-perms=true ./db-update/ sso-postgresql-1-n5p16:/tmp
sending incremental file list
sent 77 bytes received 11 bytes 176.00 bytes/sec
total size is 26,333 speedup is 299.24
----
... Start a shell session to the PostgreSQL pod.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc rsh sso-postgresql-1-n5p16
sh-4.2$
----
... Use the `psql` tool to apply the database update manually.
+
[source,bash,subs="attributes+,macros+"]
----
sh-4.2$ alias psql="/opt/rh/rh-postgresql95/root/bin/psql"
sh-4.2$ psql --version
psql (PostgreSQL) 9.5.4
sh-4.2$ psql -U <PREFIX>_USERNAME -d <PREFIX>_DATABASE -W -f /tmp/keycloak-database-update.sql
Password for user <PREFIX>_USERNAME:
INSERT 0 1
INSERT 0 1
...
----
+
[IMPORTANT]
====
Replace `<PREFIX>_USERNAME` and `<PREFIX>_DATABASE` with the actual database credentials retrieved xref:get-db-credentials[in the previous section]. When prompted for the database password, use the value of `<PREFIX>_PASSWORD`.
====
... Close the shell session to the PostgreSQL pod. Continue with xref:image-change-trigger-update-step[updating image change trigger step].
* Run the following commands if a previous version of the {project_openshift_product_name} image is running, backed by a MySQL database deployed in ephemeral or persistent mode on a separate pod:
... Given a pod situation similar to the following:
+
[source,bash,subs="attributes+,macros+"]
----
$ oc get pods
NAME READY STATUS RESTARTS AGE
sso-mysql-1-zvhk3 1/1 Running 0 1h
job-to-migrate-db-to-{project_templates_version}-m202t 1/1 Running 0 11m
{project_templates_version}-db-migration-image-1-build 0/1 Completed 0 13m
----
... Copy the generated SQL migration file to the MySQL pod.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc rsync --no-perms=true ./db-update/ sso-mysql-1-zvhk3:/tmp
sending incremental file list
keycloak-database-update.sql
sent 24,718 bytes received 34 bytes 49,504.00 bytes/sec
total size is 24,594 speedup is 0.99
----
... Start a shell session to the MySQL pod.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc rsh sso-mysql-1-zvhk3
sh-4.2$
----
... Use the `mysql` tool to apply the database update manually.
+
[source,bash,subs="attributes+,macros+"]
----
sh-4.2$ alias mysql="/opt/rh/rh-mysql57/root/bin/mysql"
sh-4.2$ mysql --version
/opt/rh/rh-mysql57/root/bin/mysql Ver 14.14 Distrib 5.7.16, for Linux (x86_64) using EditLine wrapper
sh-4.2$ mysql -D <PREFIX>_DATABASE -u <PREFIX>_USERNAME -p < /tmp/keycloak-database-update.sql
Enter password:
sh-4.2$ echo $?
0
----
+
[IMPORTANT]
====
Replace `<PREFIX>_USERNAME` and `<PREFIX>_DATABASE` with the actual database credentials retrieved xref:get-db-credentials[in the previous section]. When prompted for the database password, use the value of `<PREFIX>_PASSWORD`.
====
... Close the shell session to the MySQL pod. Continue with xref:image-change-trigger-update-step[updating image change trigger step].
[[image-change-trigger-update-step]]
[start=12]
. Update the image change trigger in the existing deployment config to reference the {project_name} {project_version} image.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "redhat-{project_templates_version}-openshift:{project_latest_image_tag}"}]'
"sso" patched
----
. Start rollout of the new {project_name} {project_version} images based on the latest image defined in the image change triggers.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc rollout latest dc/sso
deploymentconfig "sso" rolled out
----
. Deploy the {project_name} {project_version} containers using the modified deployment config.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc scale --replicas=1 dc/sso
deploymentconfig "sso" scaled
----
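The step that inspects `keycloak-database-update.sql` before it is applied by hand is easy to rush. The following Python script is an added example, not part of the {project_openshift_product_name} image or of this guide: it splits a generated migration file into statements, classifies them, and flags statements that drop schema or delete data, so those get a deliberate look (and a fresh database backup) before the file is fed to `psql` or `mysql`. The embedded SQL is a constructed sample in the Liquibase style the migration job produces; the script assumes one statement per line, `;` terminators, `--` comment lines and no `;` inside string literals.

```python
"""Review a generated keycloak-database-update.sql before applying it by hand.

Added example (not part of the RH-SSO images or documentation). Assumes the
Liquibase-style output shown in this guide: one statement per line, ';'
terminated, '--' comment lines, no string literals containing ';'.
"""
import re
import sys
from collections import Counter

# Constructed sample in the style of a Liquibase update script; the table
# and changeset names are illustrative only, not real migration output.
SAMPLE_SQL = """\
-- *********************************************************************
-- Update Database Script
-- *********************************************************************
-- Lock Database
UPDATE DATABASECHANGELOGLOCK SET LOCKED = TRUE WHERE ID = 1;

-- Changeset META-INF/jpa-changelog-example.xml::example-1::constructed
CREATE TABLE CLIENT_AUTH_FLOW_BINDINGS (CLIENT_ID VARCHAR(36) NOT NULL, FLOW_ID VARCHAR(36), BINDING_NAME VARCHAR(255) NOT NULL, CONSTRAINT C_CLI_FLOW_BIND PRIMARY KEY (CLIENT_ID, BINDING_NAME));

INSERT INTO DATABASECHANGELOG (ID, AUTHOR, FILENAME) VALUES ('example-1', 'constructed', 'META-INF/jpa-changelog-example.xml');

ALTER TABLE CLIENT ADD COLUMN STANDARD_FLOW_ENABLED BOOLEAN DEFAULT TRUE NOT NULL;

DROP TABLE CLIENT_TEMPLATE_ATTRIBUTES;

DELETE FROM CLIENT_TEMPLATE;

-- Release Database Lock
UPDATE DATABASECHANGELOGLOCK SET LOCKED = FALSE WHERE ID = 1;
"""

# Statements that remove schema or data; these deserve a human look (and a
# database backup) before the file is applied with psql or mysql.
DESTRUCTIVE_RE = re.compile(
    r"^(?:DROP\s+(?:TABLE|COLUMN|INDEX)|ALTER\s+TABLE\s+\S+\s+DROP|DELETE\s+FROM|TRUNCATE)\b",
    re.IGNORECASE,
)
# Table name following the usual keywords; adequate for Liquibase output.
TABLE_RE = re.compile(r"\b(?:TABLE|INTO|FROM|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def split_statements(sql):
    """Drop '--' comment lines and split the remainder on ';'."""
    body = "\n".join(
        line for line in sql.splitlines() if not line.lstrip().startswith("--")
    )
    return [s.strip() for s in body.split(";") if s.strip()]


def classify(stmt):
    """Bucket a statement as destructive, ddl, dml or other."""
    if DESTRUCTIVE_RE.match(stmt):
        return "destructive"
    verb = stmt.split(None, 1)[0].upper()
    if verb in ("CREATE", "ALTER"):
        return "ddl"
    if verb in ("INSERT", "UPDATE"):
        return "dml"
    return "other"


def review(sql):
    """Summarise the migration: counts per class, flagged statements, tables touched."""
    stmts = split_statements(sql)
    return {
        "total": len(stmts),
        "counts": dict(Counter(classify(s) for s in stmts)),
        "destructive": [s for s in stmts if classify(s) == "destructive"],
        "tables": sorted({t.upper() for s in stmts for t in TABLE_RE.findall(s)}),
    }


def main(argv):
    """Usage: review_migration.py [./db-update/keycloak-database-update.sql]"""
    sql = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SQL
    report = review(sql)
    print(f"{report['total']} statements: {report['counts']}")
    print("tables touched:", ", ".join(report["tables"]))
    for stmt in report["destructive"]:
        print("REVIEW:", stmt.splitlines()[0])
    # Non-zero exit when anything destructive is present, so a wrapper script stops.
    return 1 if report["destructive"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```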
=== Example Workflow: Migrating Entire {project_name} Server Database Across The Environments
This tutorial focuses on migrating the Red Hat Single Sign-On server database from one environment to another, or to a different database. It assumes that the steps described in xref:Preparing-SSO-Authentication-for-OpenShift-Deployment[Preparing {project_name} Authentication for OpenShift Deployment] have already been performed.
==== Deploying the {project_name} MySQL Application Template
. Log in to the OpenShift web console and select the _sso-app-demo_ project space.
. Click *Add to project* to list the default image streams and templates.
. Use the *Filter by keyword* search bar to limit the list to those that match _sso_. You may need to click *See all* to show the desired application template.
. Select the *_{project_templates_version}-mysql_* {project_name} application template. When deploying the template, ensure that you *keep the _SSO_REALM_ variable unset* (its default value).
+
[IMPORTANT]
====
Export and import of the {project_name} {project_version} database link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html-single/server_administration_guide/#export_import[is triggered at {project_name} server boot time and its parameters are passed in via Java system properties.] This means that during one {project_name} server boot only one of the possible migration actions (either *_export_* or *_import_*) can be performed.
====
+
[WARNING]
====
When the *_SSO_REALM_* configuration variable is set on the {project_openshift_product_name} image, a database import is performed in order to create the {project_name} server realm requested in the variable. For the database export to be performed correctly, the *_SSO_REALM_* configuration variable must therefore not be defined on that image at the same time.
====
+
. Click *Create* to deploy the application template and start pod deployment. This may take a couple of minutes.
+
Then access the {project_name} web console at *$$https://secure-sso-$$_<sso-app-demo>_._<openshift32.example.com>_/auth/admin* using the xref:sso-administrator-setup[administrator account].
+
[NOTE]
====
This example workflow uses a self-generated CA to provide an end-to-end workflow for demonstration purposes. Accessing the {project_name} web console will prompt an insecure connection warning. +
For production environments, Red Hat recommends that you use an SSL certificate purchased from a verified Certificate Authority.
====
==== (Optional) Creating additional {project_name} link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html-single/server_administration_guide/#core_concepts_and_terms[realm and users] to be also exported
When performing a link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html-single/server_administration_guide/#export_import[{project_name} {project_version} server database export], only the {project_name} realms and users currently present in the database are exported. If the exported JSON file should also include additional {project_name} realms and users, these need to be created first:
. link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html-single/server_administration_guide/#create-realm[Create a new realm]
. link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html-single/server_administration_guide/#create-new-user[Create new users]
Upon their creation xref:sso-export-the-database[the database can be exported.]
[[sso-export-the-database]]
==== Export the {project_name} database as a JSON file on the OpenShift pod
. Get the {project_name} deployment config and scale it down to zero.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc get dc -o name
deploymentconfig/sso
deploymentconfig/sso-mysql
$ oc scale --replicas=0 dc sso
deploymentconfig "sso" scaled
----
. Instruct the {project_name} {project_version} server deployed on the {project_openshift_product_name} image to perform a database export at {project_name} server boot time.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc set env dc/sso \
-e "JAVA_OPTS_APPEND= \
-Dkeycloak.migration.action=export \
-Dkeycloak.migration.provider=singleFile \
-Dkeycloak.migration.file=/tmp/demorealm-export.json"
----
. Scale the {project_name} deployment config back up. This will start the {project_name} server and export its database.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc scale --replicas=1 dc sso
deploymentconfig "sso" scaled
----
. (Optional) Verify that the export was successful.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc get pods
NAME READY STATUS RESTARTS AGE
sso-4-ejr0k 1/1 Running 0 27m
sso-mysql-1-ozzl0 1/1 Running 0 4h
$ oc logs sso-4-ejr0k | grep 'Export'
09:24:59,503 INFO [org.keycloak.exportimport.singlefile.SingleFileExportProvider] (ServerService Thread Pool -- 57) Exporting model into file /tmp/demorealm-export.json
09:24:59,998 INFO [org.keycloak.services] (ServerService Thread Pool -- 57) KC-SERVICES0035: Export finished successfully
----
==== Retrieve and import the exported JSON file
. Retrieve the JSON file of the {project_name} database from the pod.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc get pods
NAME READY STATUS RESTARTS AGE
sso-4-ejr0k 1/1 Running 0 2m
sso-mysql-1-ozzl0 1/1 Running 0 4h
$ oc rsync sso-4-ejr0k:/tmp/demorealm-export.json .
----
. (Optional) Import the JSON file of the {project_name} database into an {project_name} server running in another environment.
+
[NOTE]
====
For importing into an {project_name} server not running on OpenShift, see the link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html/server_administration_guide/export_import[Export and Import section] of the RH SSO Server Administration Guide.
====
+
When the {project_name} server is running as a {project_name} {project_version} container on OpenShift, use the link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html-single/server_administration_guide/#admin_console_export_import[administration console] of the {project_name} server to import the resources from the previously exported JSON file into the {project_name} server's database:
.. Log into the `master` realm's administration console of the {project_name} server using the credentials used to create the administrator user. In the browser, navigate to *\http://sso-<project-name>.<hostname>/auth/admin* for the {project_name} web server, or to *\https://secure-sso-<project-name>.<hostname>/auth/admin* for the encrypted {project_name} web server.
.. At the top of the sidebar, choose the name of the {project_name} realm into which the users, clients, realm roles, and client roles should be imported. This example uses the `master` realm.
.. Click the *Import* link under *Manage* section at the bottom of the sidebar.
.. In the page that opens, click *Select file* and then specify the location of the exported `demorealm-export.json` JSON file on the local file system.
.. From the *Import from realm* drop-down menu, select the name of the {project_name} realm from which the data should be imported. This example uses the `master` realm.
.. Choose which of users, clients, realm roles, and client roles should be imported (all of them are imported by default).
.. Choose the strategy to apply when a resource already exists (one of *Fail*, *Skip*, or *Overwrite*).
+
[NOTE]
====
The attempt to import an object (user, client, realm role, or client role) fails if an object with the same identifier already exists in the current database. Use the *Skip* strategy to import the objects that are present in the `demorealm-export.json` file but do not exist in the current database.
====
.. Click *Import* to perform the import.
+
[NOTE]
====
When importing objects from a non-master realm to the `master` realm or vice versa, after clicking the *Import* button you may sometimes encounter an error like the following:
[[realm-import-error-message]]
[.text-center]
image:images/import_realm_error.png[Example of Possible Error Message when Performing Partial Import from Previously Exported JSON File]
In such cases, first create the missing clients with the *Access Type* set to *bearer-only*. Create them by manually copying their settings from the source {project_name} server, on which the export JSON file was created, to the target {project_name} server, into which the JSON file is imported. After creating the necessary clients, click the *Import* button again.
To resolve the xref:realm-import-error-message[above] error message, create the missing `realm-management` client with the *bearer-only* *Access Type*, and click the *Import* button again.
====
+
[NOTE]
====
For the *Skip* import strategy, the newly added objects are marked as *ADDED* and the objects that were skipped are marked as *SKIPPED* in the *Action* column on the import result page.
====
+
[IMPORTANT]
====
The administration console import allows you to *overwrite* resources if you choose (*Overwrite* strategy). On a production system use this feature with caution.
====
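Before carrying `demorealm-export.json` to another environment, it pays to know what it contains: a singleFile export carries client secrets and hashed user credentials, so the file should be handled as a secret, and the realm-import error described in the note above is easier to avoid when the clients the file refers to are listed in advance. The following Python script is an added example, not part of {project_name} or of this guide; it assumes the singleFile layout (a JSON array of realm representations with `clients`, `users` and `roles` keys) and uses a constructed sample export.

```python
"""Inspect a singleFile realm export before moving it to another environment.

Added example (not RH-SSO's own tooling). Assumes the export format produced
by keycloak.migration.provider=singleFile: a JSON array of realm
representations with "clients", "users" and "roles" keys.
"""
import copy
import json
import sys

# Constructed sample in that shape; every value is illustrative, not real data.
SAMPLE_EXPORT = json.dumps([{
    "realm": "OpenShift",
    "enabled": True,
    "roles": {
        "realm": [{"name": "offline_access"}],
        "client": {
            "realm-management": [{"name": "view-users"}],
            "account": [{"name": "manage-account"}],
        },
    },
    "clients": [
        {"clientId": "openshift-demo", "publicClient": False, "bearerOnly": False,
         "secret": "constructed-client-secret",
         "redirectUris": ["https://openshift.example.com:8443/*"]},
        {"clientId": "realm-management", "publicClient": False, "bearerOnly": True},
    ],
    "users": [
        {"username": "testuser", "enabled": True,
         "credentials": [{"type": "password", "algorithm": "pbkdf2-sha256",
                          "hashedSaltedValue": "constructed-hash"}],
         "clientRoles": {"realm-management": ["view-users"],
                         "account": ["manage-account"]}},
    ],
}])


def load_export(text):
    """singleFile writes a JSON array of realms; accept a lone object too."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def referenced_clients(rep):
    """Client IDs that client roles (realm-level or per user) point at."""
    refs = set(rep.get("roles", {}).get("client", {}))
    for user in rep.get("users", []):
        refs.update(user.get("clientRoles", {}))
    return refs


def summarize_realm(rep):
    clients = rep.get("clients", [])
    users = rep.get("users", [])
    ids = [c["clientId"] for c in clients]
    return {
        "realm": rep["realm"],
        "clients": ids,
        "bearer_only": [c["clientId"] for c in clients if c.get("bearerOnly")],
        # Confidential clients whose secret travels inside the export file.
        "with_secret": [c["clientId"] for c in clients if c.get("secret")],
        "users": len(users),
        "users_with_credentials": sum(1 for u in users if u.get("credentials")),
        # Clients that roles refer to but that this file does not define: the
        # target realm must already contain them (for example as bearer-only
        # clients) or the partial import may fail, as the note above describes.
        "missing_referenced": sorted(referenced_clients(rep) - set(ids)),
    }


def redact(rep):
    """Copy of the realm with client secrets and user credentials removed,
    suitable for review or ticketing outside the pod."""
    safe = copy.deepcopy(rep)
    for client in safe.get("clients", []):
        if "secret" in client:
            client["secret"] = "<redacted>"
    for user in safe.get("users", []):
        if "credentials" in user:
            user["credentials"] = "<redacted>"
    return safe


def main(argv):
    """Usage: review_export.py [demorealm-export.json]"""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_EXPORT
    for rep in load_export(text):
        summary = summarize_realm(rep)
        print(json.dumps(summary, indent=2))
        if summary["missing_referenced"]:
            print("create these clients on the target first:",
                  ", ".join(summary["missing_referenced"]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```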
[[OSE-SSO-AUTH-TUTE]]
=== Example Workflow: Configuring OpenShift to use {project_name} for Authentication
Configure OpenShift to use the {project_name} deployment as the authorization gateway for OpenShift. This follows on from xref:Example-Deploying-SSO[Example Workflow: Preparing and Deploying the {project_openshift_product_name} image], in which {project_name} was deployed on OpenShift.
This example adds {project_name} as an authentication method alongside the HTPasswd method configured in the https://access.redhat.com/documentation/en/red-hat-xpaas/0/single/openshift-primer/#understand_roles_and_authentication[OpenShift Primer]. Once configured, both methods will be available for user login to your OpenShift web console.
==== Configuring {project_name} Credentials
Log in to the encrypted {project_name} web server at *$$https://secure-sso-$$_sso-app-demo_._openshift32.example.com_/auth/admin* using the xref:sso-administrator-setup[administrator account] created during the {project_name} deployment.
*Create a Realm*
. Hover your cursor over the realm namespace (default is *Master*) at the top of the sidebar and click *Add Realm*.
. Enter a realm name (this example uses _OpenShift_) and click *Create*.
*Create a User*
Create a test user that can be used to demonstrate the {project_name}-enabled OpenShift login:
. Click *Users* in the *Manage* sidebar to view the user information for the realm.
. Click *Add User*.
. Enter a valid *Username* (this example uses _testuser_) and any additional optional information and click *Save*.
. Edit the user configuration:
.. Click the *Credentials* tab in the user space and enter a password for the user.
.. Ensure the *Temporary Password* option is set to *Off* so that it does not prompt for a password change later on, and click *Reset Password* to set the user password. A pop-up window prompts for additional confirmation.
*Create and Configure an OpenID-Connect Client*
See the link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html-single/server_administration_guide/#clients[Managing Clients] chapter of the Red Hat Single Sign-On Server Administration Guide for more information.
. Click *Clients* in the *Manage* sidebar and click *Create*.
. Enter the *Client ID*. This example uses _openshift-demo_.
. Select a *Client Protocol* from the drop-down menu (this example uses *openid-connect*) and click *Save*. You will be taken to the configuration *Settings* page of the _openshift-demo_ client.
. From the *Access Type* drop-down menu, select *confidential*. This is the access type for server-side applications.
. In the *Valid Redirect URIs* dialog, enter the URI for the OpenShift web console, which is _$$https://openshift$$.example.com:8443/*_ in this example.
The client *Secret* is needed to configure OpenID-Connect on the OpenShift master in the next section. You can copy it now from under the *Credentials* tab. The secret is <pass:quotes[_7b0384a2-b832-16c5-9d73-2957842e89h7_]> for this example.
==== Configuring OpenShift Master for Red Hat Single Sign-On Authentication
Log in to the OpenShift master CLI. You must have the required permissions to edit the */etc/origin/master/master-config.yaml* file.
. Edit the */etc/origin/master/master-config.yaml* file and find the *identityProviders*. The OpenShift master, which was deployed using the OpenShift Primer, is configured with HTPasswd and shows the following:
+
[source,bash,subs="attributes+,macros+"]
----
identityProviders:
- challenge: true
  login: true
  name: htpasswd_auth
  provider:
    apiVersion: v1
    file: /etc/origin/openshift-passwd
    kind: HTPasswdPasswordIdentityProvider
----
+
Add {project_name} as a secondary identity provider with content similar to the following snippet:
+
[source,bash,subs="attributes+,macros+"]
----
- name: rh_sso
  challenge: false
  login: true
  mappingMethod: add
  provider:
    apiVersion: v1
    kind: OpenIDIdentityProvider
    clientID: pass:quotes[_openshift-demo_]
    clientSecret: pass:quotes[_7b0384a2-b832-16c5-9d73-2957842e89h7_]
    pass:quotes[_ca: xpaas.crt_]
    urls:
      authorize: pass:quotes[_https://secure-sso-sso-app-demo.openshift32.example.com/auth/realms/OpenShift/protocol/openid-connect/auth_]
      token: pass:quotes[_https://secure-sso-sso-app-demo.openshift32.example.com/auth/realms/OpenShift/protocol/openid-connect/token_]
      userInfo: pass:quotes[_https://secure-sso-sso-app-demo.openshift32.example.com/auth/realms/OpenShift/protocol/openid-connect/userinfo_]
    claims:
      id:
      - sub
      preferredUsername:
      - preferred_username
      name:
      - name
      email:
      - email
----
.. The {project_name} *Secret* hash for the *clientSecret* can be found in the {project_name} web console: *Clients* -> *_openshift-demo_* -> *Credentials*
.. The endpoints for the *urls* can be found by making a request with the {project_name} application. For example:
+
[source,bash,subs="attributes+,macros+"]
----
<pass:quotes[_curl -k https://secure-sso-sso-app-demo.openshift32.example.com/auth/realms/OpenShift/.well-known/openid-configuration | python -m json.tool_]>
----
+
The response includes the *authorization_endpoint*, *token_endpoint*, and *userinfo_endpoint*.
+
.. This example workflow uses a self-generated CA to provide an end-to-end workflow for demonstration purposes. For this reason, the *ca* is provided as <pass:quotes[_ca: xpaas.crt_]>. This CA certificate must also be copied into the */etc/origin/master* folder. This is not necessary if using a certificate purchased from a verified Certificate Authority.
. Save the configuration and restart the OpenShift master:
+
[source,bash,subs="attributes+,macros+"]
----
$ systemctl restart atomic-openshift-master
----
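As an added example, not from the original documentation, the following Python script builds the *rh_sso* entry above from the realm's discovery document (the JSON returned by the `curl` command), refusing any endpoint that is not served over HTTPS or that lies outside the realm issuer before the entry is written out. The discovery JSON and the client secret placeholder are constructed for this example, and the function names are this example's own.

```python
# Added example, not part of the original documentation; function names and samples are assumptions.
import json
from urllib.parse import urlparse

REALM = "https://secure-sso-sso-app-demo.openshift32.example.com/auth/realms/OpenShift"

# Constructed sample: the fields of <realm>/.well-known/openid-configuration
# that the master-config.yaml entry needs (see the curl command above).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": REALM,
    "authorization_endpoint": REALM + "/protocol/openid-connect/auth",
    "token_endpoint": REALM + "/protocol/openid-connect/token",
    "userinfo_endpoint": REALM + "/protocol/openid-connect/userinfo",
})
# Constructed failure case: the token endpoint downgraded to plain HTTP, which
# would expose the client secret and tokens in transit.
BAD_DISCOVERY = SAMPLE_DISCOVERY.replace('"token_endpoint": "https://', '"token_endpoint": "http://')

# OpenShift identity field -> OIDC claim(s), as in the snippet above.
CLAIMS = {"id": ["sub"], "preferredUsername": ["preferred_username"],
          "name": ["name"], "email": ["email"]}
# master-config.yaml urls key -> discovery document field.
URL_FIELDS = {"authorize": "authorization_endpoint", "token": "token_endpoint",
              "userInfo": "userinfo_endpoint"}


def extract_endpoints(discovery_json):
    """Return the urls mapping, rejecting a missing endpoint, a non-HTTPS endpoint,
    or one outside the realm issuer (wrong realm or tampered document)."""
    doc = json.loads(discovery_json)
    issuer = doc["issuer"].rstrip("/")
    urls = {}
    for key, field in URL_FIELDS.items():
        url = doc.get(field)
        if not url:
            raise ValueError("discovery document lacks " + field)
        if urlparse(url).scheme != "https":
            raise ValueError(field + " is not served over https: " + url)
        if not url.startswith(issuer + "/"):
            raise ValueError(field + " lies outside the issuer " + issuer)
        urls[key] = url
    return urls


def endpoints_are_valid(discovery_json):
    try:
        extract_endpoints(discovery_json)
        return True
    except (ValueError, KeyError):
        return False


def build_identity_provider(discovery_json, client_id, client_secret, ca_file, name="rh_sso"):
    # Assemble the identityProviders list entry used on this page.
    return {
        "name": name,
        "challenge": False,   # browser login only, no WWW-Authenticate challenge
        "login": True,
        "mappingMethod": "add",
        "provider": {
            "apiVersion": "v1",
            "kind": "OpenIDIdentityProvider",
            "clientID": client_id,
            "clientSecret": client_secret,
            "ca": ca_file,    # CA that signed the RH-SSO route certificate
            "urls": extract_endpoints(discovery_json),
            "claims": {field: list(names) for field, names in CLAIMS.items()},
        },
    }


def _scalar(value):
    return ("true" if value else "false") if isinstance(value, bool) else str(value)


def to_yaml(value, indent=0):
    """Tiny YAML emitter, enough for this entry (nested dicts and lists of strings)."""
    pad = "  " * indent
    if isinstance(value, list):
        return "\n".join(pad + "- " + _scalar(item) for item in value)
    lines = []
    for key, item in value.items():
        if isinstance(item, (dict, list)):
            lines.append(pad + key + ":")
            lines.append(to_yaml(item, indent + 1))
        else:
            lines.append(pad + key + ": " + _scalar(item))
    return "\n".join(lines)


def render_identity_provider(entry):
    # Render the entry as one item of the identityProviders list.
    lines = to_yaml(entry).splitlines()
    return "\n".join(["- " + lines[0]] + ["  " + line for line in lines[1:]])


if __name__ == "__main__":
    # The placeholder stands in for the secret copied from the client's Credentials tab.
    entry = build_identity_provider(SAMPLE_DISCOVERY, "openshift-demo",
                                    "CLIENT-SECRET-PLACEHOLDER", "xpaas.crt")
    print(render_identity_provider(entry))
```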
==== Logging in to OpenShift
Navigate to the OpenShift web console, which in this example is _https://openshift.example.com:8443/console_. The OpenShift login page now has the option to use either *htpasswd_auth* or *rh_sso*. The former is still available because it is present in the */etc/origin/master/master-config.yaml*.
Select *rh_sso* and log in to OpenShift with the _testuser_ user created earlier in {project_name}. No projects are visible to _testuser_ until they are added in the OpenShift CLI. This is the only way to provide user privileges in OpenShift because it currently does not accept external role mapping.
To provide _testuser_ `view` privileges for the _sso-app-demo_, use the OpenShift CLI:
[source,bash,subs="attributes+,macros+"]
----
$ oc adm policy add-role-to-user view testuser -n sso-app-demo
----
[[Example-EAP-Auto]]
=== Example Workflow: Automatically Registering EAP Application in {project_name} with OpenID-Connect Client
This follows on from xref:Example-Deploying-SSO[Example Workflow: Preparing and Deploying the {project_openshift_product_name} image], in which {project_name} was deployed on OpenShift. This example prepares the {project_name} realm, role, and user credentials for an EAP project using an OpenID-Connect client adapter. These credentials are then provided in the EAP for OpenShift template for automatic {project_name} client registration. Once deployed, the {project_name} user can be used to authenticate and access JBoss EAP.
[NOTE]
====
This example uses an OpenID-Connect client, but a SAML client could also be used. See xref:../advanced_concepts/advanced_concepts.adoc#SSO-Clients[{project_name} Clients] and xref:../advanced_concepts/advanced_concepts.adoc#Auto-Man-Client-Reg[Automatic and Manual {project_name} Client Registration Methods] for more information on the differences between OpenID-Connect and SAML clients.
====
==== Preparing {project_name} Authentication for OpenShift Deployment
Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
. Create a new project:
+
[source,bash,subs="attributes+,macros+"]
----
$ oc new-project eap-app-demo
----
//. Create a service account to be used for the {project_name} deployment:
//+
//[source,bash,subs="attributes+,macros+"]
//----
//$ oc create serviceaccount eap-service-account
//----
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
----
. The EAP template requires an xref:Configuring-Keystores[SSL keystore and a JGroups keystore]. +
This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores. The following commands will prompt for passwords. +
.. Generate a secure key for the SSL keystore:
+
[source,bash,subs="attributes+,macros+"]
----
$ keytool -genkeypair -alias https -storetype JKS -keystore eapkeystore.jks
----
.. Generate a secure key for the JGroups keystore:
+
[source,bash,subs="attributes+,macros+"]
----
$ keytool -genseckey -alias jgroups -storetype JCEKS -keystore eapjgroups.jceks
----
. Generate the EAP for OpenShift secrets with the SSL and JGroups keystore files:
+
[source,bash,subs="attributes+,macros+"]
----
$ oc secret new eap-ssl-secret eapkeystore.jks
$ oc secret new eap-jgroup-secret eapjgroups.jceks
----
. Add the EAP secrets to the `default` service account:
+
[source,bash,subs="attributes+,macros+"]
----
$ oc secrets link default eap-ssl-secret eap-jgroup-secret
----
==== Preparing the {project_name} Credentials
Log in to the encrypted {project_name} web server at *$$https://secure-sso-$$_<project-name>_._<hostname>_/auth/admin* using the xref:sso-administrator-setup[administrator account] created during the {project_name} deployment.
*Create a Realm*
. Hover your cursor over the realm namespace at the top of the sidebar and click *Add Realm*.
. Enter a realm name (this example uses _eap-demo_) and click *Create*.
*Copy the Public Key*
In the newly created _eap-demo_ realm, click the *Keys* tab and copy the generated public key. This example uses the variable _<realm-public-key>_ for brevity. This is used later to deploy the {project_name}-enabled JBoss EAP image.
*Create a Role*
Create a role in {project_name} with a name that corresponds to the JEE role defined in the *web.xml* of the example EAP application. This role is assigned to an {project_name} _application user_ to authenticate access to user applications.
. Click *Roles* in the *Configure* sidebar to list the roles for this realm. This is a new realm, so there should only be the default _offline_access_ role.
. Click *Add Role*.
. Enter the role name (this example uses the role _eap-user-role_) and click *Save*.
*Create Users and Assign Roles*
Create two users:
- Assign the _realm management user_ the *realm-management* roles to handle automatic {project_name} client registration in the {project_name} server.
- Assign the _application user_ the JEE role, created in the previous step, to authenticate access to user applications.
Create the _realm management user_:
. Click *Users* in the *Manage* sidebar to view the user information for the realm.
. Click *Add User*.
. Enter a valid *Username* (this example uses the user _eap-mgmt-user_) and click *Save*.
. Edit the user configuration. Click the *Credentials* tab in the user space and enter a password for the user. After the password has been confirmed you can click *Reset Password* to set the user password. A pop-up window prompts for additional confirmation.
. Click *Role Mappings* to list the realm and client role configuration. In the *Client Roles* drop-down menu, select *realm-management* and add all of the available roles to the user. This provides the user {project_name} server rights that can be used by the JBoss EAP image to create clients.
Create the _application user_:
. Click *Users* in the *Manage* sidebar to view the user information for the realm.
. Click *Add User*.
. Enter a valid *Username* and any additional optional information for the _application user_ and click *Save*.
. Edit the user configuration. Click the *Credentials* tab in the user space and enter a password for the user. After the password has been confirmed you can click *Reset Password* to set the user password. A pop-up window prompts for additional confirmation.
. Click *Role Mappings* to list the realm and client role configuration. In *Available Roles*, add the role created earlier.
==== Deploy the {project_name}-enabled JBoss EAP Image
. Return to the OpenShift web console and click *Add to project* to list the default image streams and templates.
. Use the *Filter by keyword* search bar to limit the list to those that match _sso_. You may need to click *See all* to show the desired application template.
. Select the *_eap71-sso-s2i_* image to list all of the deployment parameters. Include the following {project_name} parameters to configure the {project_name} credentials during the EAP build:
+
[cols="2*", options="header"]
|===
|Variable
|Example Value
|*_APPLICATION_NAME_*
|_sso_
|*_HOSTNAME_HTTPS_*
|_secure-sample-jsp.eap-app-demo.openshift32.example.com_
|*_HOSTNAME_HTTP_*
|_sample-jsp.eap-app-demo.openshift32.example.com_
|*_SOURCE_REPOSITORY_URL_*
|_$$https://repository-example.com/developer/application$$_
|*_SSO_URL_*
|_$$https://secure-sso-sso-app-demo.openshift32.example.com/auth$$_
|*_SSO_REALM_*
|_eap-demo_
|*_SSO_USERNAME_*
|_eap-mgmt-user_
|*_SSO_PASSWORD_*
|_password_
|*_SSO_PUBLIC_KEY_*
|_<realm-public-key>_
|*_HTTPS_KEYSTORE_*
|_eapkeystore.jks_
|*_HTTPS_PASSWORD_*
|_password_
|*_HTTPS_SECRET_*
|_eap-ssl-secret_
|*_JGROUPS_ENCRYPT_KEYSTORE_*
|_eapjgroups.jceks_
|*_JGROUPS_ENCRYPT_PASSWORD_*
|_password_
|*_JGROUPS_ENCRYPT_SECRET_*
|_eap-jgroup-secret_
|===
. Click *Create* to deploy the JBoss EAP image.
It may take several minutes for the JBoss EAP image to deploy.
==== Log in to the JBoss EAP Server Using {project_name}
. Access the JBoss EAP application server and click *Login*. You are redirected to the {project_name} login.
. Log in using the {project_name} user created in the example. You are authenticated against the {project_name} server and returned to the JBoss EAP application server.
[[Example-EAP-Manual]]
=== Example Workflow: Manually Registering EAP Application in {project_name} with SAML Client
This follows on from xref:Example-Deploying-SSO[Example Workflow: Preparing and Deploying the {project_openshift_product_name} image], in which {project_name} was deployed on OpenShift.
This example prepares the {project_name} realm, role, and user credentials for an EAP project and configures an EAP for OpenShift deployment. Once deployed, the {project_name} user can be used to authenticate and access JBoss EAP.
[NOTE]
====
This example uses a SAML client but an OpenID-Connect client could also be used. See xref:../advanced_concepts/advanced_concepts.adoc#SSO-Clients[{project_name} Clients] and xref:../advanced_concepts/advanced_concepts.adoc#Auto-Man-Client-Reg[Automatic and Manual {project_name} Client Registration Methods] for more information on the differences between SAML and OpenID-Connect clients.
====
==== Preparing the {project_name} Credentials
Log in to the encrypted {project_name} web server at *$$https://secure-sso-$$_<project-name>_._<hostname>_/auth/admin* using the xref:sso-administrator-setup[administrator account] created during the {project_name} deployment.
*Create a Realm*
. Hover your cursor over the realm namespace (default is *Master*) at the top of the sidebar and click *Add Realm*.
. Enter a realm name (this example uses _saml-demo_) and click *Create*.
*Copy the Public Key*
In the newly created _saml-demo_ realm, click the *Keys* tab and copy the generated public key. This example uses the variable _realm-public-key_ for brevity. This is needed later to deploy the {project_name}-enabled JBoss EAP image.
*Create a Role*
Create a role in {project_name} with a name that corresponds to the JEE role defined in the *web.xml* of the example EAP application. This role will be assigned to an {project_name} _application user_ to authenticate access to user applications.
. Click *Roles* in the *Configure* sidebar to list the roles for this realm. This is a new realm, so there should only be the default _offline_access_ role.
. Click *Add Role*.
. Enter the role name (this example uses the role _saml-user-role_) and click *Save*.
*Create Users and Assign Roles*
Create two users:
- Assign the _realm management user_ the *realm-management* roles to handle automatic {project_name} client registration in the {project_name} server.
- Assign the _application user_ the JEE role, created in the previous step, to authenticate access to user applications.
Create the _realm management user_:
. Click *Users* in the *Manage* sidebar to view the user information for the realm.
. Click *Add User*.
. Enter a valid *Username* (this example uses the user _app-mgmt-user_) and click *Save*.
. Edit the user configuration. Click the *Credentials* tab in the user space and enter a password for the user. After the password has been confirmed you can click *Reset Password* to set the user password. A pop-up window prompts for additional confirmation.
////
Need for the SAML?
. Click *Role Mappings* to list the realm and client role configuration. In the *Client Roles* drop-down menu, select *realm-management* and add all of the available roles to the user. This provides the user {project_name} server rights that can be used by the JBoss EAP image to create clients.
////
Create the _application user_:
. Click *Users* in the *Manage* sidebar to view the user information for the realm.
. Click *Add User*.
. Enter a valid *Username* and any additional optional information for the _application user_ and click *Save*.
. Edit the user configuration. Click the *Credentials* tab in the user space and enter a password for the user. After the password has been confirmed you can click *Reset Password* to set the user password. A pop-up window prompts for additional confirmation.
. Click *Role Mappings* to list the realm and client role configuration. In *Available Roles*, add the role created earlier.
*Create and Configure a SAML Client*:
Clients are {project_name} entities that request user authentication. This example configures a SAML client to handle authentication for the EAP application. This section saves two files, *keystore-saml.jks* and *keycloak-saml-subsystem.xml*, that are needed later in the procedure.
Create the SAML Client:
. Click *Clients* in the *Configure* sidebar to list the clients in the realm. Click *Create*.
. Enter a valid *Client ID*. This example uses _sso-saml-demo_.
. In the *Client Protocol* drop-down menu, select *saml*.
. Enter the *Root URL* for the application. This example uses _$$https://demoapp-eap-app-demo.openshift32.example.com$$_.
. Click *Save*.
Configure the SAML Client:
In the *Settings* tab, set the *Root URL* and the *Valid Redirect URLs* for the new *_sso-saml-demo_* client:
. For the *Root URL*, enter the same address used when creating the client. This example uses _$$https://demoapp-eap-app-demo.openshift32.example.com$$_.
. For the *Valid Redirect URLs*, enter an address for users to be redirected to when they log in or out. This example uses a redirect address relative to the root, _$$https://demoapp-eap-app-demo.openshift32.example.com/*$$_.
Export the SAML Keys:
. Click the *SAML Keys* tab in the _sso-saml-demo_ client space and click *Export*.
. For this example, leave the *Archive Format* as *JKS*. This example uses the default *Key Alias* of _sso-saml-demo_ and default *Realm Certificate Alias* of _saml-demo_.
. Enter the *Key Password* and the *Store Password*. This example uses _password_ for both.
. Click *Download* and save the *keystore-saml.jks* file for use later.
. Click the *_sso-saml-demo_* client to return to the client space ready for the next step.
Download the Client Adapter:
. Click *Installation*.
. Use the *Format Option* drop-down menu to select a format. This example uses *Keycloak SAML Wildfly/JBoss Subsystem*.
. Click *Download* and save the file *keycloak-saml-subsystem.xml*.
The *keystore-saml.jks* will be used with the other EAP keystores in the next section to create an OpenShift secret for the EAP application project. Copy the *keystore-saml.jks* file to an OpenShift node. +
The *keycloak-saml-subsystem.xml* will be modified and used in the application deployment. Copy it into the */configuration* folder of the application as *secure-saml-deployments*.
==== Preparing {project_name} Authentication for OpenShift Deployment
Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
. Create a new project:
+
[source,bash,subs="attributes+,macros+"]
----
$ oc new-project eap-app-demo
----
//. Create a service account to be used for the SSO deployment:
//+
//[source,bash,subs="attributes+,macros+"]
//----
//$ oc create serviceaccount app-service-account
//----
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster.
+
[source,bash,subs="attributes+,macros+"]
----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
----
+
. The EAP template requires an xref:Configuring-Keystores[SSL keystore and a JGroups keystore]. +
This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores. The following commands will prompt for passwords. +
.. Generate a secure key for the SSL keystore:
+
[source,bash,subs="attributes+,macros+"]
----
$ keytool -genkeypair -alias https -storetype JKS -keystore eapkeystore.jks
----
.. Generate a secure key for the JGroups keystore:
+
[source,bash,subs="attributes+,macros+"]
----
$ keytool -genseckey -alias jgroups -storetype JCEKS -keystore eapjgroups.jceks
----
. Generate the EAP for OpenShift secrets with the SSL and JGroups keystore files:
+
[source,bash,subs="attributes+,macros+"]
----
$ oc secret new eap-ssl-secret eapkeystore.jks
$ oc secret new eap-jgroup-secret eapjgroups.jceks
----
. Add the EAP application secrets to the `default` service account:
+
[source,bash,subs="attributes+,macros+"]
----
$ oc secrets link default eap-ssl-secret eap-jgroup-secret
----
[[modified-saml-xml]]
==== Modifying the *secure-saml-deployments* File
The *keycloak-saml-subsystem.xml*, exported from the {project_name} client in a previous section, should have been copied into the */configuration* folder of the application and renamed *secure-saml-deployments*. When the image starts, its launch script looks for this file and inserts its contents into the {project_name} SAML adapter subsystem of *standalone-openshift.xml*.
. Open the */configuration/secure-saml-deployments* file in a text editor.
. Replace the *YOUR-WAR.war* value of the *name* attribute of the *<secure-deployment>* element with the name of the application *.war* file. This example uses _sso-saml-demo.war_.
. Replace the *SPECIFY YOUR LOGOUT PAGE!* value of the *logoutPage* attribute of the *<SP>* element with the URL to which users are redirected when they log out of the application. This example uses */index.jsp*.
. Under the *<Keys>* element of *<SP>*, delete the *<PrivateKeyPem>* and *<CertificatePem>* elements together with the key material they embed, and replace them with a reference to the keystore:
+
[source,xml,subs="attributes+,macros+"]
----
...
<Keys>
    <Key signing="true">
        <KeyStore file="/etc/eap-secret-volume/keystore-saml.jks" password="password">
            <PrivateKey alias="sso-saml-demo" password="password"/>
            <Certificate alias="sso-saml-demo"/>
        </KeyStore>
    </Key>
</Keys>
...
----
+
The mount path of the *keystore-saml.jks* (in this example *_/etc/eap-secret-volume/keystore-saml.jks_*) can be specified in the application template with the parameter *EAP_HTTPS_KEYSTORE_DIR*. +
The aliases and passwords for the *PrivateKey* and the *Certificate* were configured when the SAML keys were exported from the {project_name} client: the *password* attribute of *<KeyStore>* is the store password chosen there, and the one on *<PrivateKey>* is the key password. Because this file is packaged with the application, use passwords dedicated to this keystore rather than ones shared with other systems.
. Delete the second *<CertificatePem>* element, the one under the *<Keys>* element of *<IDP>*, together with the certificate it embeds, and replace it with a reference to the realm certificate in the same keystore:
+
[source,xml,subs="attributes+,macros+"]
----
...
<Keys>
    <Key signing="true">
        <KeyStore file="/etc/eap-secret-volume/keystore-saml.jks" password="password">
            <Certificate alias="saml-demo"/>
        </KeyStore>
    </Key>
</Keys>
...
----
+
The realm certificate alias (here _saml-demo_) and the keystore password were set when the SAML keys were exported from the {project_name} client. No *<PrivateKey>* is listed under the *<IDP>* key: the adapter only needs the realm certificate to verify the signatures on the responses and assertions it receives.
. Save and close the */configuration/secure-saml-deployments* file.
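The edits above, applied programmatically to the exported file. This is an added example, not code from the {project_name} documentation or images: it uses Python's standard *xml.etree.ElementTree*, a constructed sample export with placeholder PEM bodies and made-up hostnames, and the default *EAP_HTTPS_KEYSTORE_DIR* mount path used in this section. Beyond the manual steps it also counts any *<PrivateKeyPem>* or *<CertificatePem>* left behind, because a PEM private key that survives in this file is packaged into the application image instead of being mounted from the secret.

```python
"""Rewrite an exported keycloak-saml-subsystem.xml into the form used as
configuration/secure-saml-deployments. Added example, not code from the
RH-SSO/Keycloak documentation or images; the sample export is constructed
and its PEM bodies are placeholders, not key material."""
import xml.etree.ElementTree as ET

PEM_TAGS = ("PrivateKeyPem", "CertificatePem")

# Constructed sample with the shape of the admin console export.
SAMPLE_EXPORT = """\
<secure-deployment name="YOUR-WAR.war">
  <SP entityID="https://sso-saml-demo.example.test/sso-saml-demo" sslPolicy="EXTERNAL" logoutPage="SPECIFY YOUR LOGOUT PAGE!">
    <Keys>
      <Key signing="true">
        <PrivateKeyPem>MIIEv...placeholder...</PrivateKeyPem>
        <CertificatePem>MIIDd...placeholder...</CertificatePem>
      </Key>
    </Keys>
    <IDP entityID="idp" signatureAlgorithm="RSA_SHA256">
      <SingleSignOnService signRequest="true" validateResponseSignature="true" requestBinding="POST" bindingUrl="https://sso.example.test/auth/realms/saml-demo/protocol/saml"/>
      <Keys>
        <Key signing="true">
          <CertificatePem>MIIDa...placeholder...</CertificatePem>
        </Key>
      </Keys>
    </IDP>
  </SP>
</secure-deployment>
"""


def _keystore_reference(key_el, keystore_file, keystore_password, alias, key_password=None):
    """Replace a <Key>'s embedded PEM children (and any earlier <KeyStore>)
    with a <KeyStore> reference. With key_password a <PrivateKey> entry is
    written (SP signing key); without it only a <Certificate> (realm cert)."""
    for child in list(key_el):
        if child.tag in PEM_TAGS or child.tag == "KeyStore":
            key_el.remove(child)
    ks = ET.SubElement(key_el, "KeyStore", file=keystore_file, password=keystore_password)
    if key_password is not None:
        ET.SubElement(ks, "PrivateKey", alias=alias, password=key_password)
    ET.SubElement(ks, "Certificate", alias=alias)
    return ks


def rewrite_saml_deployment(xml_text, war_name, logout_page, keystore_file,
                            keystore_password, sp_alias, sp_key_password, realm_alias):
    """Apply steps 2 to 5 of the procedure and return the new file content."""
    root = ET.fromstring(xml_text)
    if root.tag != "secure-deployment":
        raise ValueError("expected <secure-deployment> root, got <%s>" % root.tag)
    sp, idp = root.find("SP"), root.find("SP/IDP")
    if sp is None or idp is None:
        raise ValueError("export is missing <SP> or <IDP>")
    sp_key = sp.find("Keys/Key[@signing='true']")
    idp_key = idp.find("Keys/Key[@signing='true']")
    if sp_key is None or idp_key is None:
        raise ValueError("expected a signing <Key> under both <SP> and <IDP>")

    root.set("name", war_name)          # the application .war
    sp.set("logoutPage", logout_page)   # post-logout redirect
    # SP signing key and certificate come from the keystore mounted from the secret
    _keystore_reference(sp_key, keystore_file, keystore_password, sp_alias, sp_key_password)
    # realm certificate: certificate only, the adapter never holds the IDP key
    _keystore_reference(idp_key, keystore_file, keystore_password, realm_alias)

    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def embedded_pem_count(xml_text):
    """PEM elements still present; must be 0, or the private key ships inside the image."""
    root = ET.fromstring(xml_text)
    return sum(1 for tag in PEM_TAGS for _ in root.iter(tag))


def _attr(root, path, name):
    el = root.find(path)
    return None if el is None else el.get(name)


def describe(xml_text):
    """The settings a reviewer checks before packaging, as a plain dict."""
    root = ET.fromstring(xml_text)
    return {
        "war": root.get("name"),
        "logout_page": _attr(root, "SP", "logoutPage"),
        "keystore": _attr(root, "SP/Keys/Key/KeyStore", "file"),
        "sp_private_key_alias": _attr(root, "SP/Keys/Key/KeyStore/PrivateKey", "alias"),
        "sp_certificate_alias": _attr(root, "SP/Keys/Key/KeyStore/Certificate", "alias"),
        "realm_certificate_alias": _attr(root, "SP/IDP/Keys/Key/KeyStore/Certificate", "alias"),
        "idp_has_private_key": root.find("SP/IDP/Keys/Key/KeyStore/PrivateKey") is not None,
        "sp_keystore_count": len(root.findall("SP/Keys/Key/KeyStore")),
    }


if __name__ == "__main__":
    rewritten = rewrite_saml_deployment(
        SAMPLE_EXPORT, "sso-saml-demo.war", "/index.jsp",
        "/etc/eap-secret-volume/keystore-saml.jks", "password",
        sp_alias="sso-saml-demo", sp_key_password="password", realm_alias="saml-demo")
    print(rewritten)
    print("embedded PEM blocks left:", embedded_pem_count(rewritten))
```

The rewrite is safe to run twice: an existing *<KeyStore>* under a key is replaced rather than duplicated, so re-running it after changing a password or alias does not leave two references behind. Running it on a file without a *<secure-deployment>* root, or without a signing key under both *<SP>* and *<IDP>*, raises instead of producing a half-edited file.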
==== Configuring SAML Client Registration in the Application *web.xml*
The adapter type must also be selected with the *<auth-method>* element in the application *web.xml*; the image reads this file at deployment. Note that *<auth-method>* on its own secures nothing: which URL patterns require authentication, and which roles may reach them, are declared in the same file with *<security-constraint>* and *<security-role>* elements.
Open the application *web.xml* file and ensure it includes the following:
[source,xml,subs="attributes+,macros+"]
----
...
<login-config>
<auth-method>KEYCLOAK-SAML</auth-method>
</login-config>
...
----
==== Deploying the Application
You do not need to pass any {project_name} configuration to the image, because the SAML client configuration travels with the application itself (*secure-saml-deployments* and *web.xml*). Navigating to the application login page redirects you to the {project_name} login. Log in to the application through {project_name} using the _application user_ created earlier.