[KEYCLOAK-8234] Address multiple issues:

* Whitelist .../templates/${resource} link for both RH-SSO 7.3 TP CD & RH-SSO 7.3 products,
* Replace '[subs="verbatim,macros,attributes"]' with '[source,bash,subs="attributes+,macros+"]'

  The 'macros+' field is needed so that constructs like 'pass:quotes[_user-name_]' also get
  expanded correctly,

* Replace deprecated 'oc env' command with its new "oc set env" equivalent,
* Replace deprecated 'oadm' command with its new "oc adm" equivalent,
* Escape selected https:// links, so they wouldn't end up rendered as <link xlink=...>

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
Jan Lieskovsky 2018-12-14 13:19:38 +01:00 committed by Stian Thorgersen
parent fa081f55fb
commit dd445d5c2a
5 changed files with 166 additions and 158 deletions

View file

@ -9,13 +9,13 @@ Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
. Create a new project: . Create a new project:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc new-project sso-app-demo $ oc new-project sso-app-demo
---- ----
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the sso-app-demo namespace, which is necessary for managing the cluster. . Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the sso-app-demo namespace, which is necessary for managing the cluster.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default $ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
---- ----
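Review bot: the new `[source,bash,subs="attributes+,macros+"]` header keeps the listing's default `verbatim` substitution (the trailing `+` appends to the defaults instead of replacing them), so `<`, `>` and `&` in commands still render literally; the behavioural change is that every `{name}` inside these blocks is now resolved as an AsciiDoc attribute reference and every bare URL becomes a link macro. In this hunk neither `oc new-project sso-app-demo` nor `oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default` contains braces or URLs, so the rendered text is unchanged, but that check is worth repeating on every block this commit relabels.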
@ -51,19 +51,19 @@ See the https://access.redhat.com/documentation/en-us/jboss_enterprise_applicati
[[generate-ca-certificate]] [[generate-ca-certificate]]
.. Generate a CA certificate. Pick and remember the password. Provide identical password, when xref:signing-csr-with-ca-certificate[signing the certificate sign request with the CA certificate] below: .. Generate a CA certificate. Pick and remember the password. Provide identical password, when xref:signing-csr-with-ca-certificate[signing the certificate sign request with the CA certificate] below:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ openssl req -new -newkey rsa:4096 -x509 -keyout xpaas.key -out xpaas.crt -days 365 -subj "/CN=xpaas-sso-demo.ca" $ openssl req -new -newkey rsa:4096 -x509 -keyout xpaas.key -out xpaas.crt -days 365 -subj "/CN=xpaas-sso-demo.ca"
---- ----
.. Generate a CA certificate for the HTTPS keystore. Provide `mykeystorepass` as the keystore password: .. Generate a CA certificate for the HTTPS keystore. Provide `mykeystorepass` as the keystore password:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -genkeypair -keyalg RSA -keysize 2048 -dname "CN=secure-sso-sso-app-demo.openshift.example.com" -alias jboss -keystore keystore.jks $ keytool -genkeypair -keyalg RSA -keysize 2048 -dname "CN=secure-sso-sso-app-demo.openshift.example.com" -alias jboss -keystore keystore.jks
---- ----
.. Generate a certificate sign request for the HTTPS keystore. Provide `mykeystorepass` as the keystore password: .. Generate a certificate sign request for the HTTPS keystore. Provide `mykeystorepass` as the keystore password:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -certreq -keyalg rsa -alias jboss -keystore keystore.jks -file sso.csr $ keytool -certreq -keyalg rsa -alias jboss -keystore keystore.jks -file sso.csr
---- ----
@ -72,19 +72,19 @@ $ keytool -certreq -keyalg rsa -alias jboss -keystore keystore.jks -file sso.csr
[start=4] [start=4]
.. Sign the certificate sign request with the CA certificate. Provide the same password that was used to xref:generate-ca-certificate[generate the CA certificate]: .. Sign the certificate sign request with the CA certificate. Provide the same password that was used to xref:generate-ca-certificate[generate the CA certificate]:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ openssl x509 -req -CA xpaas.crt -CAkey xpaas.key -in sso.csr -out sso.crt -days 365 -CAcreateserial $ openssl x509 -req -CA xpaas.crt -CAkey xpaas.key -in sso.csr -out sso.crt -days 365 -CAcreateserial
---- ----
.. Import the CA certificate into the HTTPS keystore. Provide `mykeystorepass` as the keystore password. Reply `yes` to `Trust this certificate? [no]:` question: .. Import the CA certificate into the HTTPS keystore. Provide `mykeystorepass` as the keystore password. Reply `yes` to `Trust this certificate? [no]:` question:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -import -file xpaas.crt -alias xpaas.ca -keystore keystore.jks $ keytool -import -file xpaas.crt -alias xpaas.ca -keystore keystore.jks
---- ----
.. Import the signed certificate sign request into the HTTPS keystore. Provide `mykeystorepass` as the keystore password: .. Import the signed certificate sign request into the HTTPS keystore. Provide `mykeystorepass` as the keystore password:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -import -file sso.crt -alias jboss -keystore keystore.jks $ keytool -import -file sso.crt -alias jboss -keystore keystore.jks
---- ----
@ -94,7 +94,7 @@ $ keytool -import -file sso.crt -alias jboss -keystore keystore.jks
Provide `password` as the keystore password: Provide `password` as the keystore password:
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -genseckey -alias secret-key -storetype JCEKS -keystore jgroups.jceks $ keytool -genseckey -alias secret-key -storetype JCEKS -keystore jgroups.jceks
---- ----
@ -104,7 +104,7 @@ $ keytool -genseckey -alias secret-key -storetype JCEKS -keystore jgroups.jceks
Provide `mykeystorepass` as the truststore password. Reply `yes` to `Trust this certificate? [no]:` question: Provide `mykeystorepass` as the truststore password. Reply `yes` to `Trust this certificate? [no]:` question:
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -import -file xpaas.crt -alias xpaas.ca -keystore truststore.jks $ keytool -import -file xpaas.crt -alias xpaas.ca -keystore truststore.jks
---- ----
@ -116,13 +116,13 @@ OpenShift uses objects called link:https://docs.openshift.com/container-platform
. Create the secrets for the HTTPS and JGroups keystores, and {project_name} server truststore, generated in the xref:Configuring-Keystores[previous section]. . Create the secrets for the HTTPS and JGroups keystores, and {project_name} server truststore, generated in the xref:Configuring-Keystores[previous section].
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc secret new sso-app-secret keystore.jks jgroups.jceks truststore.jks $ oc secret new sso-app-secret keystore.jks jgroups.jceks truststore.jks
---- ----
. Link these secrets to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[default] service account, which is used to run {project_name} pods. . Link these secrets to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[default] service account, which is used to run {project_name} pods.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc secrets link default sso-app-secret $ oc secrets link default sso-app-secret
---- ----
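Review bot: this hunk only swaps the block header, but the command it wraps, `oc secret new sso-app-secret keystore.jks jgroups.jceks truststore.jks`, is itself a deprecated form, in the same way as the `oc env` and `oadm` forms this commit retires elsewhere. The supported equivalent is `oc create secret generic sso-app-secret --from-file=keystore.jks --from-file=jgroups.jceks --from-file=truststore.jks` (keys are still named after the file basenames, so `oc secrets link default sso-app-secret` and the template's `HTTPS_SECRET`/`JGROUPS_ENCRYPT_SECRET` references are unaffected). Since the stated aim of the commit is to drop deprecated CLI forms, consider updating this block and the other `oc secret new` blocks in the same change.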
@ -144,7 +144,7 @@ Be aware that *the passwords provided when provisioning the template need to mat
==== ====
The following commands using the *_keytool_*, a package *included with the Java Development Kit*, can be used to determine the names associated with the certificate: The following commands using the *_keytool_*, a package *included with the Java Development Kit*, can be used to determine the names associated with the certificate:
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -v -list -keystore keystore.jks | grep Alias $ keytool -v -list -keystore keystore.jks | grep Alias
Enter keystore password: mykeystorepass Enter keystore password: mykeystorepass
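Review bot: tagging this block as `bash` applies shell highlighting to lines that are not shell input: `Enter keystore password: mykeystorepass` is an interactive prompt (keytool masks the password, so showing it inline after the prompt is a rendering convention, not what the reader will see) and the `Alias name:` lines are output. For mixed command/output transcripts a plain listing without `source`, or a `console`-style language if the configured highlighter provides one, is a better fit than `bash`. The `subs` change itself is harmless here since none of the lines contain `{}` or URLs.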
@ -152,7 +152,7 @@ Alias name: xpaas.ca
Alias name: jboss Alias name: jboss
---- ----
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -v -list -keystore jgroups.jceks -storetype jceks | grep Alias $ keytool -v -list -keystore jgroups.jceks -storetype jceks | grep Alias
Enter keystore password: password Enter keystore password: password
@ -163,7 +163,7 @@ Finally, the *_SSO_ADMIN_USERNAME_*, *_SSO_ADMIN_PASSWORD_*, and the *_SSO_REALM
==== ====
[[advanced-topics-deploy-{project_templates_version}-https-template]] [[advanced-topics-deploy-{project_templates_version}-https-template]]
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc new-app --template={project_templates_version}-https \ $ oc new-app --template={project_templates_version}-https \
-p HTTPS_SECRET="sso-app-secret" \ -p HTTPS_SECRET="sso-app-secret" \
@ -184,7 +184,7 @@ $ oc new-app --template={project_templates_version}-https \
{project_name} {project_version} (Ephemeral with passthrough TLS) {project_name} {project_version} (Ephemeral with passthrough TLS)
--------- ---------
An example {project_name} 7 application. For more information about using this template, see https://github.com/jboss-openshift/application-templates. An example {project_name} 7 application. For more information about using this template, see \https://github.com/jboss-openshift/application-templates.
A new {project_name} service has been created in your project. The admin username/password for accessing the master realm via the {project_name} console is admin/redhat. Please be sure to create the following secrets: "sso-app-secret" containing the keystore.jks file used for serving secure content; "sso-app-secret" containing the jgroups.jceks file used for securing JGroups communications; "sso-app-secret" containing the truststore.jks file used for securing {project_name} requests. A new {project_name} service has been created in your project. The admin username/password for accessing the master realm via the {project_name} console is admin/redhat. Please be sure to create the following secrets: "sso-app-secret" containing the keystore.jks file used for serving secure content; "sso-app-secret" containing the jgroups.jceks file used for securing JGroups communications; "sso-app-secret" containing the truststore.jks file used for securing {project_name} requests.
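Review bot: the `\` before `https://github.com/jboss-openshift/application-templates` is needed only because this commit turns on `macros+` for the block; inside `oc new-app` output the URL must stay plain text, so the escape is correct. Note, though, that `macros+` was added to every relabelled block to make `pass:quotes[...]` expand, while only the few blocks that actually contain a `pass:` macro need it; enabling it just on those blocks would remove the need to escape URLs by hand (this commit catches three: this one, the raw.githubusercontent.com templates URL in the update loop, and the `git clone` URL). As written, any URL added later to one of these listings will be auto-linked unless the author remembers the backslash.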
@ -231,7 +231,7 @@ $ oc new-app --template={project_templates_version}-https \
After the template got deployed, identify the available routes: After the template got deployed, identify the available routes:
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get routes $ oc get routes
---- ----
@ -365,7 +365,7 @@ Run the following commands to prepare the previously created deployment config o
. Identify the deployment config of the {project_name} application. . Identify the deployment config of the {project_name} application.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get dc -o name $ oc get dc -o name
deploymentconfig/sso deploymentconfig/sso
@ -373,9 +373,11 @@ deploymentconfig/sso-mysql
---- ----
. Clear the *_SSO_ADMIN_USERNAME_* and *_SSO_ADMIN_PASSWORD_* variables setting. . Clear the *_SSO_ADMIN_USERNAME_* and *_SSO_ADMIN_PASSWORD_* variables setting.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc env dc/sso -e SSO_ADMIN_USERNAME="" SSO_ADMIN_PASSWORD="" $ oc set env dc/sso \
-e SSO_ADMIN_USERNAME="" \
-e SSO_ADMIN_PASSWORD=""
---- ----
==== ====
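Review bot: `oc set env dc/sso -e SSO_ADMIN_USERNAME="" -e SSO_ADMIN_PASSWORD=""` is the right replacement for the deprecated `oc env`, and giving each variable its own `-e` is clearer than the old line, where `SSO_ADMIN_PASSWORD=""` was passed as a bare positional pair. One thing the step text ("Clear the ... variables setting") does not say: this sets both variables to empty strings rather than removing them; `oc set env` can unset a variable outright with the `NAME-` form (`oc set env dc/sso SSO_ADMIN_USERNAME- SSO_ADMIN_PASSWORD-`), which is the more precise way to make sure no admin credential is injected into the pod. Either form modifies the deployment config and will typically trigger a new rollout of `sso`, which is worth stating before the pod-identification step that follows.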
@ -386,7 +388,7 @@ Run following commands to create an administrator account for the `master` realm
. Identify the {project_name} application pod. . Identify the {project_name} application pod.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get pods $ oc get pods
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
@ -395,14 +397,14 @@ sso-mysql-6-d97pf 1/1 Running 0 2m
---- ----
. Open a remote shell session to the {project_openshift_product_name} container. . Open a remote shell session to the {project_openshift_product_name} container.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc rsh sso-12-pt93n $ oc rsh sso-12-pt93n
sh-4.2$ sh-4.2$
---- ----
. Create the {project_name} server administrator account for the `master` realm at the command line with the `add-user-keycloak.sh` script. . Create the {project_name} server administrator account for the `master` realm at the command line with the `add-user-keycloak.sh` script.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
sh-4.2$ cd /opt/eap/bin/ sh-4.2$ cd /opt/eap/bin/
sh-4.2$ ./add-user-keycloak.sh -r master -u sso_admin -p sso_password sh-4.2$ ./add-user-keycloak.sh -r master -u sso_admin -p sso_password
@ -415,7 +417,7 @@ The `sso_admin`/`sso_password` credentials in the example above are for demonstr
==== ====
. Restart the underlying JBoss EAP server instance to load the newly added user account. Wait for the server to restart properly. . Restart the underlying JBoss EAP server instance to load the newly added user account. Wait for the server to restart properly.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
sh-4.2$ ./jboss-cli.sh --connect ':reload' sh-4.2$ ./jboss-cli.sh --connect ':reload'
{ {
@ -460,7 +462,7 @@ It is required to specify the client type in the *<auth-method>* key of the appl
The following is an example snippet for the application *web.xml* to configure an OIDC client: The following is an example snippet for the application *web.xml* to configure an OIDC client:
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
... ...
<login-config> <login-config>
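Review bot: the language tag is wrong for this block: its content is the `<login-config>` fragment of the application `web.xml`, so it should be `[source,xml,subs="attributes+,macros+"]` rather than `bash`. A bash lexer will mis-colour the XML; rendering is otherwise unaffected because the default `verbatim` sub still escapes `<` and `>`.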
@ -552,10 +554,10 @@ There are two methods for passing the {project_name} adapter configuration to th
See xref:Example-EAP-Manual[Example Workflow: Manually Configure an Application to Use {project_name} Authentication, Using SAML Client] for an end-to-end example of the manual {project_name} client registration method using a SAML client. See xref:Example-EAP-Manual[Example Workflow: Manually Configure an Application to Use {project_name} Authentication, Using SAML Client] for an end-to-end example of the manual {project_name} client registration method using a SAML client.
=== Limitations === Limitations
OpenShift does not currently accept OpenShift role mapping from external providers. If {project_name} is used as an authentication gateway for OpenShift, users created in {project_name} must have the roles added using the OpenShift Administrator `oadm policy` command. OpenShift does not currently accept OpenShift role mapping from external providers. If {project_name} is used as an authentication gateway for OpenShift, users created in {project_name} must have the roles added using the OpenShift Administrator `oc adm policy` command.
For example, to allow an {project_name}-created user to view a project namespace in OpenShift: For example, to allow an {project_name}-created user to view a project namespace in OpenShift:
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
oadm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]> $ oc adm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]>
---- ----
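Review bot: `oc adm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]>` is the right successor of `oadm policy`, the prose on the preceding line was updated to match, and the added `$ ` prompt makes the block consistent with the other listings. The `pass:quotes[...]` placeholders render as italic only because `macros+` is now enabled, and the surrounding `<`/`>` stay literal through the default `verbatim` sub, so the placeholder form is preserved. Keep the `-n` scoping as shown: the `view` role granted here is bound in a single project, which matches the limitation described above (role mapping cannot be delegated to the external provider).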

View file

@ -24,13 +24,13 @@ To update to the latest {project_openshift_product_name} images, run the followi
. On your master host(s), ensure that you are logged in as a cluster administrator or a user with project administrator access to the global `openshift` project. . On your master host(s), ensure that you are logged in as a cluster administrator or a user with project administrator access to the global `openshift` project.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc login -u system:admin $ oc login -u system:admin
---- ----
. Run the following commands to update the core set of {project_name} {project_version} resources for OpenShift in the `openshift` project: . Run the following commands to update the core set of {project_name} {project_version} resources for OpenShift in the `openshift` project:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ for resource in {project_templates_version}-image-stream.json \ $ for resource in {project_templates_version}-image-stream.json \
{project_templates_version}-https.json \ {project_templates_version}-https.json \
@ -43,12 +43,12 @@ $ for resource in {project_templates_version}-image-stream.json \
{project_templates_version}-x509-postgresql-persistent.json {project_templates_version}-x509-postgresql-persistent.json
do do
oc replace -n openshift --force -f \ oc replace -n openshift --force -f \
https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/{project_templates_version}-dev/templates/${resource} \https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/{project_templates_version}-dev/templates/${resource}
done done
---- ----
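Review bot: with `attributes+` now active on this block, `${resource}` in the escaped raw.githubusercontent.com URL contains `{resource}`, which Asciidoctor will try to resolve as a document attribute; under the default `attribute-missing=skip` it is left untouched, but a build that sets `attribute-missing=drop-line` would silently drop this line from the rendered loop. Confirm that no `resource` attribute is defined in the doc build (the commit message whitelists this link, presumably because a link checker already tripped on it). Separately, the loop still fetches templates from the `{project_templates_version}-dev` branch and applies them with `oc replace --force`, which deletes and recreates each object in the `openshift` project; a sentence telling the reader to pin the branch or tag they have actually reviewed before running this would be useful here.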
. Run the following command to install the {project_name} {project_version} OpenShift image streams in the `openshift` project: . Run the following command to install the {project_name} {project_version} OpenShift image streams in the `openshift` project:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc -n openshift import-image redhat-{project_templates_version}-openshift:{project_latest_image_tag} $ oc -n openshift import-image redhat-{project_templates_version}-openshift:{project_latest_image_tag}
---- ----
@ -76,7 +76,7 @@ OpenShift uses objects called `Secrets` to hold sensitive information, such as p
The {project_openshift_product_name} image requires one or more secrets that hold the two keystores described earlier. This provides the necessary authorization to applications in the project. The {project_openshift_product_name} image requires one or more secrets that hold the two keystores described earlier. This provides the necessary authorization to applications in the project.
Use the SSL and JGroups keystore files to create secrets for the project: Use the SSL and JGroups keystore files to create secrets for the project:
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc secret new <pass:quotes[_sso-ssl-secret_]> <pass:quotes[_ssl.jks_]> $ oc secret new <pass:quotes[_sso-ssl-secret_]> <pass:quotes[_ssl.jks_]>
$ oc secret new <pass:quotes[_sso-jgroups-secret_]> <pass:quotes[_jgroups.jceks_]> $ oc secret new <pass:quotes[_sso-jgroups-secret_]> <pass:quotes[_jgroups.jceks_]>
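Review bot: like the `oc secret new` commands in the first file, `oc secret new <pass:quotes[_sso-ssl-secret_]> <pass:quotes[_ssl.jks_]>` and the JGroups line are deprecated forms; the supported equivalent is `oc create secret generic <pass:quotes[_sso-ssl-secret_]> --from-file=<pass:quotes[_ssl.jks_]>` (the `pass:quotes` placeholders carry over unchanged and still expand under `macros+`). Worth folding into this commit, since it already retires `oc env` and `oadm`.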
@ -91,19 +91,19 @@ The service account that you create must be configured with the correct permissi
. Create a service account to be used for the SSO deployment: . Create a service account to be used for the SSO deployment:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc create serviceaccount <pass:quotes[_service-account-name_]> $ oc create serviceaccount <pass:quotes[_service-account-name_]>
---- ----
. Add the *view* role to the service account. This enables the service account to view all the resources in the application namespace in OpenShift, which is necessary for managing the cluster. . Add the *view* role to the service account. This enables the service account to view all the resources in the application namespace in OpenShift, which is necessary for managing the cluster.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc policy add-role-to-user view system:serviceaccount:<pass:quotes[_project-name_]>:<pass:quotes[_service-account-name_]> -n <pass:quotes[_project-name_]> $ oc policy add-role-to-user view system:serviceaccount:<pass:quotes[_project-name_]>:<pass:quotes[_service-account-name_]> -n <pass:quotes[_project-name_]>
---- ----
. Link the secrets created for the project to the service account: . Link the secrets created for the project to the service account:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc secrets link <pass:quotes[_service-account-name_]> <pass:quotes[_sso-ssl-secret_]> <pass:quotes[_sso-jgroups-secret_]> $ oc secrets link <pass:quotes[_service-account-name_]> <pass:quotes[_sso-ssl-secret_]> <pass:quotes[_sso-jgroups-secret_]>
---- ----
@ -156,7 +156,7 @@ Run the following commands to prepare the previously created deployment config o
. Identify the deployment config of the {project_name} application. . Identify the deployment config of the {project_name} application.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get dc -o name $ oc get dc -o name
deploymentconfig/sso deploymentconfig/sso
@ -164,9 +164,11 @@ deploymentconfig/sso-mysql
---- ----
. Clear the *_SSO_ADMIN_USERNAME_* and *_SSO_ADMIN_PASSWORD_* variables setting. . Clear the *_SSO_ADMIN_USERNAME_* and *_SSO_ADMIN_PASSWORD_* variables setting.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc env dc/sso -e SSO_ADMIN_USERNAME="" SSO_ADMIN_PASSWORD="" $ oc set env dc/sso \
-e SSO_ADMIN_USERNAME="" \
-e SSO_ADMIN_PASSWORD=""
---- ----
==== ====
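Review bot: same change as the deployment-config step in the first file: the new `oc set env dc/sso -e SSO_ADMIN_USERNAME="" -e SSO_ADMIN_PASSWORD=""` sets both variables to empty strings. If the intent of "Clear the ... variables setting" is to drop them from the container spec, `oc set env dc/sso SSO_ADMIN_USERNAME- SSO_ADMIN_PASSWORD-` removes them instead of leaving empty values behind. The two pages are otherwise identical here, so keep them in sync whichever form is chosen.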
@ -177,7 +179,7 @@ Run following commands to create administrator account for the `master` realm of
. Identify the {project_name} application pod. . Identify the {project_name} application pod.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get pods $ oc get pods
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
@ -186,14 +188,14 @@ sso-mysql-6-d97pf 1/1 Running 0 2m
---- ----
. Open a remote shell session to {project_openshift_product_name} container. . Open a remote shell session to {project_openshift_product_name} container.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc rsh sso-12-pt93n $ oc rsh sso-12-pt93n
sh-4.2$ sh-4.2$
---- ----
. Create the {project_name} server administrator account for the `master` realm at the command line with the `add-user-keycloak.sh` script. . Create the {project_name} server administrator account for the `master` realm at the command line with the `add-user-keycloak.sh` script.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
sh-4.2$ cd /opt/eap/bin/ sh-4.2$ cd /opt/eap/bin/
sh-4.2$ ./add-user-keycloak.sh -r master -u sso_admin -p sso_password sh-4.2$ ./add-user-keycloak.sh -r master -u sso_admin -p sso_password
@ -206,7 +208,7 @@ The `sso_admin`/`sso_password` credentials in the example above are for demonstr
==== ====
. Restart the underlying JBoss EAP server instance to load the newly added user account. Wait for the server to restart properly. . Restart the underlying JBoss EAP server instance to load the newly added user account. Wait for the server to restart properly.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
sh-4.2$ ./jboss-cli.sh --connect ':reload' sh-4.2$ ./jboss-cli.sh --connect ':reload'
{ {
@ -317,7 +319,7 @@ It is required to specify the client type in the *<auth-method>* key of the appl
The following is an example snippet for the application *web.xml* to configure an OIDC client: The following is an example snippet for the application *web.xml* to configure an OIDC client:
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
... ...
<login-config> <login-config>
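Review bot: as in the first file, this block holds the `<login-config>` fragment of `web.xml`, so the header should read `[source,xml,subs="attributes+,macros+"]`, not `bash`; the `verbatim` default still escapes `<`/`>`, so only the highlighting is affected.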
@ -409,12 +411,12 @@ There are two methods for passing the {project_name} adapter configuration to th
See xref:Example-EAP-Manual[Example Workflow: Manually Configure an Application to Use {project_name} Authentication, Using SAML Client] for an end-to-end example of the manual {project_name} client registration method using a SAML client. See xref:Example-EAP-Manual[Example Workflow: Manually Configure an Application to Use {project_name} Authentication, Using SAML Client] for an end-to-end example of the manual {project_name} client registration method using a SAML client.
==== Limitations ==== Limitations
OpenShift does not currently accept OpenShift role mapping from external providers. If {project_name} is used as an authentication gateway for OpenShift, users created in {project_name} must have the roles added using the OpenShift Administrator `oadm policy` command. OpenShift does not currently accept OpenShift role mapping from external providers. If {project_name} is used as an authentication gateway for OpenShift, users created in {project_name} must have the roles added using the OpenShift Administrator `oc adm policy` command.
For example, to allow an {project_name}-created user to view a project namespace in OpenShift: For example, to allow an {project_name}-created user to view a project namespace in OpenShift:
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
oadm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]> $ oc adm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]>
---- ----
=== Binary Builds === Binary Builds
@ -515,20 +517,20 @@ You can select multiple items at once by holding the *Ctrl* key and simultaneous
. Create a new project for the EAP 6.4 / 7.1 JSP application. . Create a new project for the EAP 6.4 / 7.1 JSP application.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc new-project eap-app-demo $ oc new-project eap-app-demo
---- ----
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster. . Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default $ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
---- ----
. The EAP template requires an link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_single_sign-on_for_openshift/index#Configuring-Keystores[SSL keystore and a JGroups keystore]. This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores. . The EAP template requires an link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_single_sign-on_for_openshift/index#Configuring-Keystores[SSL keystore and a JGroups keystore]. This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores.
.. Generate a secure key for the SSL keystore (this example uses `password` as password for the keystore). .. Generate a secure key for the SSL keystore (this example uses `password` as password for the keystore).
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -genkeypair \ $ keytool -genkeypair \
-dname "CN=secure-eap-app-eap-app-demo.openshift.example.com" \ -dname "CN=secure-eap-app-eap-app-demo.openshift.example.com" \
@ -538,7 +540,7 @@ $ keytool -genkeypair \
---- ----
.. Generate a secure key for the JGroups keystore (this example uses `password` as password for the keystore). .. Generate a secure key for the JGroups keystore (this example uses `password` as password for the keystore).
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -genseckey \ $ keytool -genseckey \
-alias jgroups \ -alias jgroups \
@ -547,18 +549,18 @@ $ keytool -genseckey \
---- ----
.. Generate the EAP 6.4 / 7.1 for OpenShift secrets with the SSL and JGroup keystore files. .. Generate the EAP 6.4 / 7.1 for OpenShift secrets with the SSL and JGroup keystore files.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc secret new eap-ssl-secret eapkeystore.jks $ oc secret new eap-ssl-secret eapkeystore.jks
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc secret new eap-jgroup-secret eapjgroups.jceks $ oc secret new eap-jgroup-secret eapjgroups.jceks
---- ----
.. Add the EAP application secret to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. .. Add the EAP application secret to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc secrets link default eap-ssl-secret eap-jgroup-secret $ oc secrets link default eap-ssl-secret eap-jgroup-secret
---- ----
@ -567,20 +569,20 @@ $ oc secrets link default eap-ssl-secret eap-jgroup-secret
. Clone the source code. . Clone the source code.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ git clone https://github.com/keycloak/keycloak-quickstarts.git $ git clone \https://github.com/keycloak/keycloak-quickstarts.git
---- ----
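Review bot: escaping `\https://github.com/keycloak/keycloak-quickstarts.git` stops the newly enabled `macros+` sub from turning the clone target into a rendered link (which would also have pulled the `.git` suffix into the link text). Because the line is meant to be copied into a shell, confirm in the rendered page that Asciidoctor has consumed the backslash and no literal `\` survives in front of the URL; a copied `git clone \https://...` would fail.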
. link:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/development_guide/#use_the_maven_repository[Configure] the link:https://access.redhat.com/maven-repository[Red Hat JBoss Middleware Maven repository]. . link:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/development_guide/#use_the_maven_repository[Configure] the link:https://access.redhat.com/maven-repository[Red Hat JBoss Middleware Maven repository].
. Build both the link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-jee-jaxrs[service-jee-jaxrs] and link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-jee-jsp[app-jee-jsp] applications. . Build both the link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-jee-jaxrs[service-jee-jaxrs] and link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-jee-jsp[app-jee-jsp] applications.
.. Build the `service-jee-jaxrs` application. .. Build the `service-jee-jaxrs` application.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ cd keycloak-quickstarts/service-jee-jaxrs/ $ cd keycloak-quickstarts/service-jee-jaxrs/
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ mvn clean package -DskipTests $ mvn clean package -DskipTests
[INFO] Scanning for projects... [INFO] Scanning for projects...
@ -599,22 +601,22 @@ $ mvn clean package -DskipTests
---- ----
.. *Comment out* the `app-jee-jsp/config/keycloak.json` requirement of the `maven-enforcer-plugin` plugin and build the `app-jee-jsp` application. .. *Comment out* the `app-jee-jsp/config/keycloak.json` requirement of the `maven-enforcer-plugin` plugin and build the `app-jee-jsp` application.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
service-jee-jaxrs]$ cd ../app-jee-jsp/ service-jee-jaxrs]$ cd ../app-jee-jsp/
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
app-jee-jsp]$ sed -i /\<executions\>/s/^/\<\!--/ pom.xml app-jee-jsp]$ sed -i /\<executions\>/s/^/\<\!--/ pom.xml
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
app-jee-jsp]$ sed -i '/\(<\/executions>\)/a\-->' pom.xml app-jee-jsp]$ sed -i '/\(<\/executions>\)/a\-->' pom.xml
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
app-jee-jsp]$ mvn clean package -DskipTests app-jee-jsp]$ mvn clean package -DskipTests
[INFO] Scanning for projects... [INFO] Scanning for projects...
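Review bot: the first `sed -i /\<executions\>/s/^/\<\!--/ pom.xml` line is unquoted, so bash, not sed, interprets `\<`, `\>` and `\!` before sed sees the expression (the `\!` is only there to survive interactive history expansion), and a reader who pastes it into a different shell may get a different script. Single-quoting the expression makes it portable and easier to read, e.g. `sed -i '/<executions>/s/^/<!--/' pom.xml`, matching the already-quoted second command `sed -i '/\(<\/executions>\)/a\-->' pom.xml`. Both commands also rely on GNU `sed -i` semantics, which is worth a one-line note since the docs are not Linux-only.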
@ -646,28 +648,28 @@ Application archives in the *deployments/* subdirectory of the main binary build
+ +
Create main directory for the binary build on the local file system and *deployments/* subdirectory within it. Copy the previously built WAR archives of both the *service-jee-jaxrs* and *app-jee-jsp* quickstarts to the *deployments/* subdirectory: Create main directory for the binary build on the local file system and *deployments/* subdirectory within it. Copy the previously built WAR archives of both the *service-jee-jaxrs* and *app-jee-jsp* quickstarts to the *deployments/* subdirectory:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
app-jee-jsp]$ ls app-jee-jsp]$ ls
config pom.xml README.md src target config pom.xml README.md src target
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
app-jee-jsp]$ mkdir -p sso-eap7-bin-demo/deployments app-jee-jsp]$ mkdir -p sso-eap7-bin-demo/deployments
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
app-jee-jsp]$ cp target/app-jsp.war sso-eap7-bin-demo/deployments/ app-jee-jsp]$ cp target/app-jsp.war sso-eap7-bin-demo/deployments/
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
app-jee-jsp]$ cp ../service-jee-jaxrs/target/service.war sso-eap7-bin-demo/deployments/ app-jee-jsp]$ cp ../service-jee-jaxrs/target/service.war sso-eap7-bin-demo/deployments/
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
app-jee-jsp]$ tree sso-eap7-bin-demo/ app-jee-jsp]$ tree sso-eap7-bin-demo/
sso-eap7-bin-demo/ sso-eap7-bin-demo/
@ -699,7 +701,7 @@ Location of the standard deployments directory depends on the underlying base im
==== ====
. Identify the image stream for EAP 6.4 / 7.1 image. . Identify the image stream for EAP 6.4 / 7.1 image.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get is -n openshift | grep eap | cut -d ' ' -f 1 $ oc get is -n openshift | grep eap | cut -d ' ' -f 1
jboss-eap64-openshift jboss-eap64-openshift
@ -715,7 +717,7 @@ jboss-eap71-openshift
Replace `--image-stream=jboss-eap71-openshift` parameter with the `--image-stream=jboss-eap64-openshift` one in the following oc command to deploy the JSP application on top of JBoss EAP 6.4 for OpenShift image. Replace `--image-stream=jboss-eap71-openshift` parameter with the `--image-stream=jboss-eap64-openshift` one in the following oc command to deploy the JSP application on top of JBoss EAP 6.4 for OpenShift image.
==== ====
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc new-build --binary=true \ $ oc new-build --binary=true \
--image-stream=jboss-eap71-openshift \ --image-stream=jboss-eap71-openshift \
@ -739,7 +741,7 @@ $ oc new-build --binary=true \
---- ----
. Start the binary build. Instruct `oc` executable to use main directory of the binary build we created xref:directory-structure-binary-builds[in previous step] as the directory containing binary input for the OpenShift build. In the working directory of *app-jee-jsp* issue the following command. . Start the binary build. Instruct `oc` executable to use main directory of the binary build we created xref:directory-structure-binary-builds[in previous step] as the directory containing binary input for the OpenShift build. In the working directory of *app-jee-jsp* issue the following command.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
app-jee-jsp]$ oc start-build eap-app \ app-jee-jsp]$ oc start-build eap-app \
--from-dir=./sso-eap7-bin-demo/ \ --from-dir=./sso-eap7-bin-demo/ \
@ -764,7 +766,7 @@ Push successful
---- ----
. Create a new OpenShift application based on the build. . Create a new OpenShift application based on the build.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc new-app eap-app $ oc new-app eap-app
--> Found image 6b13d36 (2 minutes old) in image stream "eap-app-demo/eap-app" under tag "latest" for "eap-app" --> Found image 6b13d36 (2 minutes old) in image stream "eap-app-demo/eap-app" under tag "latest" for "eap-app"
@ -787,13 +789,13 @@ $ oc new-app eap-app
---- ----
. Stop all running containers of the EAP 6.4 / 7.1 JSP application in the current namespace. . Stop all running containers of the EAP 6.4 / 7.1 JSP application in the current namespace.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get dc -o name $ oc get dc -o name
deploymentconfig/eap-app deploymentconfig/eap-app
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc scale dc/eap-app --replicas=0 $ oc scale dc/eap-app --replicas=0
deploymentconfig "eap-app" scaled deploymentconfig "eap-app" scaled
@ -807,7 +809,7 @@ deploymentconfig "eap-app" scaled
Ensure to replace the value of *_SSO_PUBLIC_KEY_* variable below with the actual content of the RSA public key for the `demo` realm, that has been xref:copy-rsa-public-key[copied]. Ensure to replace the value of *_SSO_PUBLIC_KEY_* variable below with the actual content of the RSA public key for the `demo` realm, that has been xref:copy-rsa-public-key[copied].
==== ====
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc set env dc/eap-app \ $ oc set env dc/eap-app \
-e HOSTNAME_HTTP="eap-app-eap-app-demo.openshift.example.com" \ -e HOSTNAME_HTTP="eap-app-eap-app-demo.openshift.example.com" \
@ -823,7 +825,7 @@ deploymentconfig "eap-app" updated
---- ----
.. Configure the application with details about both the SSL and JGroups keystore. .. Configure the application with details about both the SSL and JGroups keystore.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc set env dc/eap-app \ $ oc set env dc/eap-app \
-e HTTPS_KEYSTORE_DIR="/etc/eap-secret-volume" \ -e HTTPS_KEYSTORE_DIR="/etc/eap-secret-volume" \
@ -837,7 +839,7 @@ deploymentconfig "eap-app" updated
---- ----
.. Define OpenShift volumes for both the SSL and JGroups secrets created earlier. .. Define OpenShift volumes for both the SSL and JGroups secrets created earlier.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc volume dc/eap-app --add \ $ oc volume dc/eap-app --add \
--name="eap-keystore-volume" \ --name="eap-keystore-volume" \
@ -847,7 +849,7 @@ $ oc volume dc/eap-app --add \
deploymentconfig "eap-app" updated deploymentconfig "eap-app" updated
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc volume dc/eap-app --add \ $ oc volume dc/eap-app --add \
--name="eap-jgroups-keystore-volume" \ --name="eap-jgroups-keystore-volume" \
@ -858,7 +860,7 @@ deploymentconfig "eap-app" updated
---- ----
.. Configure the deployment config of the application to run application pods under the `default` OpenShift service account (default setting). .. Configure the deployment config of the application to run application pods under the `default` OpenShift service account (default setting).
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc patch dc/eap-app --type=json \ $ oc patch dc/eap-app --type=json \
-p '[{"op": "add", "path": "/spec/template/spec/serviceAccountName", "value": "default"}]' -p '[{"op": "add", "path": "/spec/template/spec/serviceAccountName", "value": "default"}]'
@ -866,32 +868,32 @@ $ oc patch dc/eap-app --type=json \
---- ----
. Deploy container of the EAP 6.4 / 7.1 JSP application using the modified deployment config. . Deploy container of the EAP 6.4 / 7.1 JSP application using the modified deployment config.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc scale dc/eap-app --replicas=1 $ oc scale dc/eap-app --replicas=1
deploymentconfig "eap-app" scaled deploymentconfig "eap-app" scaled
---- ----
. Expose the service as route. . Expose the service as route.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get svc -o name $ oc get svc -o name
service/eap-app service/eap-app
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get route $ oc get route
No resources found. No resources found.
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc expose svc/eap-app $ oc expose svc/eap-app
route "eap-app" exposed route "eap-app" exposed
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get route $ oc get route
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
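Review bot: `oc expose svc/eap-app` creates a route with no TLS termination, so clients reach the JSP application over plain HTTP, although the earlier hunk in this file configures the application with an HTTPS keystore (`HTTPS_KEYSTORE_DIR="/etc/eap-secret-volume"`) and mounts the `eap-keystore-volume` for it. Either document `oc create route passthrough --service=eap-app` so the EAP keystore actually terminates TLS for the route, or state explicitly that a plain HTTP route is acceptable for this demo only.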

@ -30,23 +30,24 @@ build configuration of the application as follows:
. Identify the name of the build configuration to apply `MAVEN_MIRROR_URL` . Identify the name of the build configuration to apply `MAVEN_MIRROR_URL`
variable against: variable against:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get bc -o name $ oc get bc -o name
buildconfig/sso buildconfig/sso
---- ----
. Update build configuration of `sso` with a `MAVEN_MIRROR_URL` environment variable . Update build configuration of `sso` with a `MAVEN_MIRROR_URL` environment variable
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc env bc/sso MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/" $ oc set env bc/sso \
-e MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"
buildconfig "sso" updated buildconfig "sso" updated
---- ----
. Verify the setting . Verify the setting
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc env bc/sso --list $ oc set env bc/sso --list
# buildconfigs sso # buildconfigs sso
MAVEN_MIRROR_URL=http://10.0.0.1:8080/repository/internal/ MAVEN_MIRROR_URL=http://10.0.0.1:8080/repository/internal/
---- ----
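Review bot: the `MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"` example points the whole `sso` build at a plaintext HTTP mirror, and the text below says the mirror replaces the default public repositories for every dependency retrieved during the build. The `.sha1` checksums Maven fetches come from that same mirror, so they give no protection against a tampering mirror or an on-path modification; the docs should say the mirror must be reachable only over a trusted network or served over HTTPS, ideally with the example URL itself changed to `https://`.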
@ -83,23 +84,24 @@ build configuration of the application as follows:
. Identify the name of the build configuration to apply `MAVEN_MIRROR_URL` . Identify the name of the build configuration to apply `MAVEN_MIRROR_URL`
variable against: variable against:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get bc -o name $ oc get bc -o name
buildconfig/sso buildconfig/sso
---- ----
. Update build configuration of `sso` with a `MAVEN_MIRROR_URL` environment variable . Update build configuration of `sso` with a `MAVEN_MIRROR_URL` environment variable
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc env bc/sso MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/" $ oc set env bc/sso \
-e MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"
buildconfig "sso" updated buildconfig "sso" updated
---- ----
. Verify the setting . Verify the setting
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc env bc/sso --list $ oc set env bc/sso --list
# buildconfigs sso # buildconfigs sso
MAVEN_MIRROR_URL=http://10.0.0.1:8080/repository/internal/ MAVEN_MIRROR_URL=http://10.0.0.1:8080/repository/internal/
---- ----
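Review bot: this hunk is a verbatim copy of the `oc get bc -o name` / `oc set env bc/sso` / `oc set env bc/sso --list` sequence from the hunk at line 30 of the same file, and both had to be touched identically in this commit. Factoring the three blocks into one included snippet (or a single attribute-driven section) would avoid the two copies drifting apart the next time a command is deprecated.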
@ -110,10 +112,6 @@ pulled from the repository manager, instead of the default public repositories.
Also, after the build is finished, you will see that the mirror is filled with Also, after the build is finished, you will see that the mirror is filled with
all the dependencies that were retrieved and used during the build. all the dependencies that were retrieved and used during the build.
[[env_vars]] [[env_vars]]
=== Environment Variables === Environment Variables

@ -74,7 +74,7 @@ Use the following steps to automatically migrate the database schema:
. Identify the deployment config used to deploy the containers, running previous version of the {project_openshift_product_name} image. . Identify the deployment config used to deploy the containers, running previous version of the {project_openshift_product_name} image.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get dc -o name --selector=application=sso $ oc get dc -o name --selector=application=sso
deploymentconfig/sso deploymentconfig/sso
@ -82,35 +82,35 @@ deploymentconfig/sso-postgresql
---- ----
. Stop all pods running the previous version of the {project_openshift_product_name} image in the current namespace. . Stop all pods running the previous version of the {project_openshift_product_name} image in the current namespace.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc scale --replicas=0 dc/sso $ oc scale --replicas=0 dc/sso
deploymentconfig "sso" scaled deploymentconfig "sso" scaled
---- ----
. Update the image change trigger in the existing deployment config to reference the {project_name} {project_version} image. . Update the image change trigger in the existing deployment config to reference the {project_name} {project_version} image.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "redhat-{project_templates_version}-openshift:{project_latest_image_tag}"}]' $ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "redhat-{project_templates_version}-openshift:{project_latest_image_tag}"}]'
"sso" patched "sso" patched
---- ----
. Start rollout of the new {project_name} {project_version} images based on the latest image defined in the image change triggers. . Start rollout of the new {project_name} {project_version} images based on the latest image defined in the image change triggers.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc rollout latest dc/sso $ oc rollout latest dc/sso
deploymentconfig "sso" rolled out deploymentconfig "sso" rolled out
---- ----
. Deploy {project_name} {project_version} containers using the modified deployment config. . Deploy {project_name} {project_version} containers using the modified deployment config.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc scale --replicas=1 dc/sso $ oc scale --replicas=1 dc/sso
deploymentconfig "sso" scaled deploymentconfig "sso" scaled
---- ----
. (Optional) Verify the database has been successfully updated. . (Optional) Verify the database has been successfully updated.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get pods --selector=application=sso $ oc get pods --selector=application=sso
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
@ -118,7 +118,7 @@ sso-4-vg21r 1/1 Running 0 1h
sso-postgresql-1-t871r 1/1 Running 0 2h sso-postgresql-1-t871r 1/1 Running 0 2h
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc logs sso-4-vg21r | grep 'Updating' $ oc logs sso-4-vg21r | grep 'Updating'
11:23:45,160 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 58) Updating database. Using changelog META-INF/jpa-changelog-master.xml 11:23:45,160 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 58) Updating database. Using changelog META-INF/jpa-changelog-master.xml
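Review bot: the `oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", ...}]'` command hard-codes index `0` of `spec.triggers`; if the deployment config's first trigger is the `ConfigChange` trigger rather than the `ImageChange` one, the JSON patch fails because `imageChangeParams` does not exist at that path, and with two image change triggers it edits the wrong one. Suggest a preceding check such as `oc get dc/sso -o jsonpath='{.spec.triggers[*].type}'` and a sentence telling the reader to adjust the index accordingly. The same patch recurs in the `[start=12]` hunk further down this file.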
@ -193,7 +193,7 @@ spec:
restartPolicy: Never restartPolicy: Never
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ cp job-to-migrate-db-to-{project_templates_version}.yaml.orig \ $ cp job-to-migrate-db-to-{project_templates_version}.yaml.orig \
job-to-migrate-db-to-{project_templates_version}.yaml job-to-migrate-db-to-{project_templates_version}.yaml
@ -342,7 +342,7 @@ done
[[get-db-credentials]] [[get-db-credentials]]
Run the script. Run the script.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ chmod +x ./mirror_sso_dc_db_vars.sh $ chmod +x ./mirror_sso_dc_db_vars.sh
$ ./mirror_sso_dc_db_vars.sh $ ./mirror_sso_dc_db_vars.sh
@ -355,13 +355,13 @@ Successfully updated TX_DATABASE_PREFIX_MAPPING to: sso-postgresql=DB
---- ----
. Build the {project_name} {project_version} database migration image using the link:https://github.com/iankko/openshift-examples/tree/KEYCLOAK-8500/sso-manual-db-migration[pre-configured source] and wait for the build to finish. . Build the {project_name} {project_version} database migration image using the link:https://github.com/iankko/openshift-examples/tree/KEYCLOAK-8500/sso-manual-db-migration[pre-configured source] and wait for the build to finish.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get is -n openshift | grep {project_templates_version} | cut -d ' ' -f1 $ oc get is -n openshift | grep {project_templates_version} | cut -d ' ' -f1
redhat-{project_templates_version}-openshift redhat-{project_templates_version}-openshift
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc new-build redhat-{project_templates_version}-openshift:{project_latest_image_tag}~https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500 \ $ oc new-build redhat-{project_templates_version}-openshift:{project_latest_image_tag}~https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500 \
--context-dir=sso-manual-db-migration \ --context-dir=sso-manual-db-migration \
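Review bot: the `~https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500` source in the `oc new-build` line is not backslash-escaped the way `git clone \https://github.com/keycloak/keycloak-quickstarts.git` was in the quickstarts hunk, so with `macros+` now enabled on this block it will be rendered as a link; the `Cloning "https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500"` output line in the next hunk has the same issue. Separately, the migration image that later receives the database credentials is built from a mutable branch of a personal fork; pinning the reference to a commit (or moving the source under the project organization) would make the build reproducible and easier to audit.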
@ -386,7 +386,7 @@ $ oc new-build redhat-{project_templates_version}-openshift:{project_latest_imag
Run 'oc logs -f bc/{project_templates_version}-db-migration-image' to stream the build progress. Run 'oc logs -f bc/{project_templates_version}-db-migration-image' to stream the build progress.
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc logs -f bc/{project_templates_version}-db-migration-image --follow $ oc logs -f bc/{project_templates_version}-db-migration-image --follow
Cloning "https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500" ... Cloning "https://github.com/iankko/openshift-examples.git#KEYCLOAK-8500" ...
@ -396,20 +396,20 @@ Push successful
. Update the template of the database migration job (`job-to-migrate-db-to-{project_templates_version}.yaml`) with reference to the built `{project_templates_version}-db-migration-image` image. . Update the template of the database migration job (`job-to-migrate-db-to-{project_templates_version}.yaml`) with reference to the built `{project_templates_version}-db-migration-image` image.
.. Get the docker pull reference for the image. .. Get the docker pull reference for the image.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ PULL_REF=$(oc get istag -n $(oc project -q) --no-headers | grep {project_templates_version}-db-migration-image | tr -s ' ' | cut -d ' ' -f 2) $ PULL_REF=$(oc get istag -n $(oc project -q) --no-headers | grep {project_templates_version}-db-migration-image | tr -s ' ' | cut -d ' ' -f 2)
---- ----
.. Replace the pass:[&lt;&lt;SSO_IMAGE_VALUE&gt;&gt;] field in the job template with the pull specification. .. Replace the pass:[&lt;&lt;SSO_IMAGE_VALUE&gt;&gt;] field in the job template with the pull specification.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ sed -i "s#pass:[&lt;&lt;SSO_IMAGE_VALUE&gt;&gt;]#$PULL_REF#g" job-to-migrate-db-to-{project_templates_version}.yaml $ sed -i "s#pass:[&lt;&lt;SSO_IMAGE_VALUE&gt;&gt;]#$PULL_REF#g" job-to-migrate-db-to-{project_templates_version}.yaml
---- ----
.. Verify that the field is updated. .. Verify that the field is updated.
. Instantiate database migration job from the job template. . Instantiate database migration job from the job template.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc create -f job-to-migrate-db-to-{project_templates_version}.yaml $ oc create -f job-to-migrate-db-to-{project_templates_version}.yaml
job "job-to-migrate-db-to-{project_templates_version}" created job "job-to-migrate-db-to-{project_templates_version}" created
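Review bot: the `.. Verify that the field is updated.` step has no command while every other step in this hunk does; `grep -n "image:" job-to-migrate-db-to-{project_templates_version}.yaml` would let the reader confirm `<<SSO_IMAGE_VALUE>>` was replaced. Also, `PULL_REF=$(oc get istag ... | grep {project_templates_version}-db-migration-image | ... | cut -d ' ' -f 2)` yields several lines if more than one tag of that image stream exists, which then breaks the `sed "s#...#$PULL_REF#g"` substitution; `oc get istag {project_templates_version}-db-migration-image:latest -o jsonpath='{.image.dockerImageReference}'` returns exactly one reference.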
@ -422,7 +422,7 @@ The database migration process handles the data schema update and performs manip
+ +
. Identify the deployment config used to deploy the containers, running previous version of the {project_openshift_product_name} image. . Identify the deployment config used to deploy the containers, running previous version of the {project_openshift_product_name} image.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get dc -o name --selector=application=sso $ oc get dc -o name --selector=application=sso
deploymentconfig/sso deploymentconfig/sso
@ -430,27 +430,27 @@ deploymentconfig/sso-postgresql
---- ----
. Stop all pods running the previous version of the {project_openshift_product_name} image in the current namespace. . Stop all pods running the previous version of the {project_openshift_product_name} image in the current namespace.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc scale --replicas=0 dc/sso $ oc scale --replicas=0 dc/sso
deploymentconfig "sso" scaled deploymentconfig "sso" scaled
---- ----
. Run the database migration job and wait for the pod to be running correctly. . Run the database migration job and wait for the pod to be running correctly.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get jobs $ oc get jobs
NAME DESIRED SUCCESSFUL AGE NAME DESIRED SUCCESSFUL AGE
job-to-migrate-db-to-{project_templates_version} 1 0 3m job-to-migrate-db-to-{project_templates_version} 1 0 3m
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc scale --replicas=1 job/job-to-migrate-db-to-{project_templates_version} $ oc scale --replicas=1 job/job-to-migrate-db-to-{project_templates_version}
job "job-to-migrate-db-to-{project_templates_version}" scaled job "job-to-migrate-db-to-{project_templates_version}" scaled
---- ----
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get pods $ oc get pods
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
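Review bot: `oc scale --replicas=1 job/job-to-migrate-db-to-{project_templates_version}` depends on Jobs being a scalable resource, which newer OpenShift/Kubernetes releases no longer support; given that this commit is already replacing deprecated `oc env` and `oadm` invocations, consider documenting the equivalent `oc patch job/job-to-migrate-db-to-{project_templates_version} -p '{"spec":{"parallelism":1}}'` alongside it, which is what the scale command effectively does here.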
@ -465,7 +465,7 @@ By default, the database migration job terminates automatically after `600 secon
==== ====
. Get the dynamically generated SQL database migration file from the pod. . Get the dynamically generated SQL database migration file from the pod.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ mkdir -p ./db-update $ mkdir -p ./db-update
$ oc rsync job-to-migrate-db-to-{project_templates_version}-b87bb:/opt/eap/keycloak-database-update.sql ./db-update $ oc rsync job-to-migrate-db-to-{project_templates_version}-b87bb:/opt/eap/keycloak-database-update.sql ./db-update
@ -480,7 +480,7 @@ total size is 29,621 speedup is 1.00
* Run the following commands if running some previous version of the {project_openshift_product_name} image, backed by the PostgreSQL database deployed in ephemeral or persistent mode, running on a separate pod: * Run the following commands if running some previous version of the {project_openshift_product_name} image, backed by the PostgreSQL database deployed in ephemeral or persistent mode, running on a separate pod:
... Copy the generated SQL migration file to the PostgreSQL pod. ... Copy the generated SQL migration file to the PostgreSQL pod.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc rsync --no-perms=true ./db-update/ sso-postgresql-1-n5p16:/tmp $ oc rsync --no-perms=true ./db-update/ sso-postgresql-1-n5p16:/tmp
sending incremental file list sending incremental file list
@ -490,14 +490,14 @@ total size is 26,333 speedup is 299.24
---- ----
... Start a shell session to the PostgreSQL pod. ... Start a shell session to the PostgreSQL pod.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc rsh sso-postgresql-1-n5p16 $ oc rsh sso-postgresql-1-n5p16
sh-4.2$ sh-4.2$
---- ----
... Use the `psql` tool to apply database update manually. ... Use the `psql` tool to apply database update manually.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
sh-4.2$ alias psql="/opt/rh/rh-postgresql95/root/bin/psql" sh-4.2$ alias psql="/opt/rh/rh-postgresql95/root/bin/psql"
sh-4.2$ psql --version sh-4.2$ psql --version
@ -517,7 +517,7 @@ Replace `<PREFIX>_USERNAME` and `<PREFIX>_DATABASE` with the actual database cre
* Run the following commands if running some previous version of the {project_openshift_product_name} image, backed by the MySQL database deployed in ephemeral or persistent mode, running on a separate pod: * Run the following commands if running some previous version of the {project_openshift_product_name} image, backed by the MySQL database deployed in ephemeral or persistent mode, running on a separate pod:
... Given the pod situation similar to the following: ... Given the pod situation similar to the following:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get pods $ oc get pods
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
@ -527,7 +527,7 @@ job-to-migrate-db-to-{project_templates_version}-m202t 1/1 Running 0
---- ----
... Copy the generated SQL migration file to the MySQL pod. ... Copy the generated SQL migration file to the MySQL pod.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc rsync --no-perms=true ./db-update/ sso-mysql-1-zvhk3:/tmp $ oc rsync --no-perms=true ./db-update/ sso-mysql-1-zvhk3:/tmp
sending incremental file list sending incremental file list
@ -538,14 +538,14 @@ total size is 24,594 speedup is 0.99
---- ----
... Start a shell session to the MySQL pod. ... Start a shell session to the MySQL pod.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc rsh sso-mysql-1-zvhk3 $ oc rsh sso-mysql-1-zvhk3
sh-4.2$ sh-4.2$
---- ----
... Use the `mysql` tool to apply database update manually. ... Use the `mysql` tool to apply database update manually.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
sh-4.2$ alias mysql="/opt/rh/rh-mysql57/root/bin/mysql" sh-4.2$ alias mysql="/opt/rh/rh-mysql57/root/bin/mysql"
sh-4.2$ mysql --version sh-4.2$ mysql --version
@ -566,21 +566,21 @@ Replace `<PREFIX>_USERNAME` and `<PREFIX>_DATABASE` with the actual database cre
[start=12] [start=12]
. Update the image change trigger in the existing deployment config to reference the {project_name} {project_version} image. . Update the image change trigger in the existing deployment config to reference the {project_name} {project_version} image.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "redhat-{project_templates_version}-openshift:{project_latest_image_tag}"}]' $ oc patch dc/sso --type=json -p '[{"op": "replace", "path": "/spec/triggers/0/imageChangeParams/from/name", "value": "redhat-{project_templates_version}-openshift:{project_latest_image_tag}"}]'
"sso" patched "sso" patched
---- ----
. Start rollout of the new {project_name} {project_version} images based on the latest image defined in the image change triggers. . Start rollout of the new {project_name} {project_version} images based on the latest image defined in the image change triggers.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc rollout latest dc/sso $ oc rollout latest dc/sso
deploymentconfig "sso" rolled out deploymentconfig "sso" rolled out
---- ----
. Deploy the {project_name} {project_version} containers using the modified deployment config. . Deploy the {project_name} {project_version} containers using the modified deployment config.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc scale --replicas=1 dc/sso $ oc scale --replicas=1 dc/sso
deploymentconfig "sso" scaled deploymentconfig "sso" scaled
@ -630,7 +630,7 @@ Upon their creation xref:sso-export-the-database[the database can be exported.]
. Get the {project_name} deployment config and scale it down to zero. . Get the {project_name} deployment config and scale it down to zero.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get dc -o name $ oc get dc -o name
deploymentconfig/sso deploymentconfig/sso
@ -641,20 +641,24 @@ deploymentconfig "sso" scaled
---- ----
. Instruct the {project_name} {project_version} server deployed on {project_openshift_product_name} image to perform database export at {project_name} server boot time. . Instruct the {project_name} {project_version} server deployed on {project_openshift_product_name} image to perform database export at {project_name} server boot time.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
oc env dc/sso -e "JAVA_OPTS_APPEND=-Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/tmp/demorealm-export.json" $ oc set env dc/sso \
-e "JAVA_OPTS_APPEND= \
-Dkeycloak.migration.action=export \
-Dkeycloak.migration.provider=singleFile \
-Dkeycloak.migration.file=/tmp/demorealm-export.json"
---- ----
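Review bot: in the reflowed `oc set env dc/sso -e "JAVA_OPTS_APPEND= \` command the line continuations now sit inside a double-quoted string; bash removes the backslash-newline pairs but keeps the indentation of the following lines, so the resulting value contains runs of spaces between the `-D` options (harmless for the JVM, but surprising when the variable is inspected with `oc set env dc/sso --list`). Closing the quote on each line, e.g. `-e JAVA_OPTS_APPEND="-Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/tmp/demorealm-export.json"`, avoids that. The docs should also state that `/tmp/demorealm-export.json` holds the full realm export, including client secrets and user credential data, and must be handled as sensitive once retrieved in the later step.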
. Scale the {project_name} deployment config back up. This will start the {project_name} server and export its database. . Scale the {project_name} deployment config back up. This will start the {project_name} server and export its database.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc scale --replicas=1 dc sso $ oc scale --replicas=1 dc sso
deploymentconfig "sso" scaled deploymentconfig "sso" scaled
---- ----
. (Optional) Verify that the export was successful. . (Optional) Verify that the export was successful.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get pods $ oc get pods
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
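Review bot: the rewrapped `oc set env` command leaves a stray leading space in the value: `"JAVA_OPTS_APPEND= \` followed by a continuation line becomes `JAVA_OPTS_APPEND= -Dkeycloak.migration.action=export ...` once bash joins the lines (backslash-newline inside double quotes is removed, but the space before it and any indentation on the continuation lines are kept). JAVA_OPTS_APPEND is word-split when appended, so this is harmless, but writing `-e "JAVA_OPTS_APPEND=\` and putting the first `-D` option directly on the next line avoids the question. Also, this hunk uses `oc scale --replicas=1 dc sso` while the earlier hunk uses `dc/sso`; both forms are accepted, but one form throughout reads better.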
@ -670,7 +674,7 @@ $ oc logs sso-4-ejr0k | grep 'Export'
. Retrieve the JSON file of the {project_name} database from the pod. . Retrieve the JSON file of the {project_name} database from the pod.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc get pods $ oc get pods
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
@ -768,7 +772,7 @@ Log in to the OpenShift master CLI. You must have the required permissions to ed
. Edit the */etc/origin/master/master-config.yaml* file and find the *identityProviders*. The OpenShift master, which was deployed using the OpenShift Primer, is configured with HTPassword and shows the following: . Edit the */etc/origin/master/master-config.yaml* file and find the *identityProviders*. The OpenShift master, which was deployed using the OpenShift Primer, is configured with HTPassword and shows the following:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
identityProviders: identityProviders:
- challenge: true - challenge: true
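Review bot: `[source,bash,...]` is the wrong language tag for this block: the content starting at `identityProviders:` is the YAML of master-config.yaml, not a shell session, so `[source,yaml,subs="attributes+,macros+"]` is what gives correct highlighting. The same applies to the `- name: rh_sso` snippet in the next hunk. While touching this step, the provider named in the context line is `HTPasswd`, not `HTPassword`.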
@ -782,7 +786,7 @@ identityProviders:
+ +
Add {project_name} as a secondary identity provider with content similar to the following snippet: Add {project_name} as a secondary identity provider with content similar to the following snippet:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
- name: rh_sso - name: rh_sso
challenge: false challenge: false
@ -811,7 +815,7 @@ Add {project_name} as a secondary identity provider with content similar to the
.. The {project_name} *Secret* hash for the *clientSecret* can be found in the {project_name} web console: *Clients* -> *_openshift-demo_* -> *Credentials* .. The {project_name} *Secret* hash for the *clientSecret* can be found in the {project_name} web console: *Clients* -> *_openshift-demo_* -> *Credentials*
.. The endpoints for the *urls* can be found by making a request with the {project_name} application. For example: .. The endpoints for the *urls* can be found by making a request with the {project_name} application. For example:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
<pass:quotes[_curl -k https://secure-sso-sso-app-demo.openshift32.example.com/auth/realms/OpenShift/.well-known/openid-configuration | python -m json.tool_]> <pass:quotes[_curl -k https://secure-sso-sso-app-demo.openshift32.example.com/auth/realms/OpenShift/.well-known/openid-configuration | python -m json.tool_]>
---- ----
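Review bot: the example discovery request uses `curl -k`, which disables TLS certificate verification, so the OpenID configuration (and therefore the `authorization_endpoint` and `token_endpoint` values that end up in master-config.yaml) is fetched without authenticating the {project_name} server. Since this workflow already distributes its own CA (`ca: xpaas.crt` in the following hunk), `curl --cacert xpaas.crt https://secure-sso-sso-app-demo.openshift32.example.com/auth/realms/OpenShift/.well-known/openid-configuration | python -m json.tool` validates the endpoint instead; with `-k` kept, at least state that it is only acceptable for a throwaway demo.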
@ -821,7 +825,7 @@ The response includes the *authorization_endpoint*, *token_endpoint*, and *useri
.. This example workflow uses a self-generated CA to provide an end-to-end workflow for demonstration purposes. For this reason, the *ca* is provided as <pass:quotes[_ca: xpaas.crt_]>. This CA certificate must also be copied into the */etc/origin/master* folder. This is not necessary if using a certificate purchased from a verified Certificate Authority. .. This example workflow uses a self-generated CA to provide an end-to-end workflow for demonstration purposes. For this reason, the *ca* is provided as <pass:quotes[_ca: xpaas.crt_]>. This CA certificate must also be copied into the */etc/origin/master* folder. This is not necessary if using a certificate purchased from a verified Certificate Authority.
. Save the configuration and restart the OpenShift master: . Save the configuration and restart the OpenShift master:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ systemctl restart atomic-openshift-master $ systemctl restart atomic-openshift-master
---- ----
@ -833,9 +837,9 @@ Navigate to the OpenShift web console, which in this example is _https://openshi
Select *rh-sso* and log in to OpenShift with the _testuser_ user created earlier in {project_name}. No projects are visible to _testuser_ until they are added in the OpenShift CLI. This is the only way to provide user privileges in OpenShift because it currently does not accept external role mapping. Select *rh-sso* and log in to OpenShift with the _testuser_ user created earlier in {project_name}. No projects are visible to _testuser_ until they are added in the OpenShift CLI. This is the only way to provide user privileges in OpenShift because it currently does not accept external role mapping.
To provide _testuser_ `view` privileges for the _sso-app-demo_, use the OpenShift CLI: To provide _testuser_ `view` privileges for the _sso-app-demo_, use the OpenShift CLI:
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oadm policy add-role-to-user view testuser -n sso-app-demo $ oc adm policy add-role-to-user view testuser -n sso-app-demo
---- ----
[[Example-EAP-Auto]] [[Example-EAP-Auto]]
@ -852,19 +856,19 @@ Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
. Create a new project: . Create a new project:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc new-project eap-app-demo $ oc new-project eap-app-demo
---- ----
//. Create a service account to be used for the {project_name} deployment: //. Create a service account to be used for the {project_name} deployment:
//+ //+
//[subs="verbatim,macros,attributes"] //[source,bash,subs="attributes+,macros+"]
//---- //----
//$ oc create serviceaccount eap-service-account //$ oc create serviceaccount eap-service-account
//---- //----
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster. . Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default $ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
---- ----
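Review bot: the `//`-commented steps in this hunk (`//. Create a service account to be used for the {project_name} deployment:` and the `//[source,bash,...]` block) are dead content that is now being maintained alongside the live text. The workflow below binds the role and secrets to the `default` service account, so either delete the commented block or restore it as a real step; updating its attributes on every sweep only adds noise. The same commented block recurs in the -1100 hunk.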
@ -872,26 +876,26 @@ $ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores. The following commands will prompt for passwords. + This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores. The following commands will prompt for passwords. +
.. Generate a secure key for the SSL keystore: .. Generate a secure key for the SSL keystore:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -genkeypair -alias https -storetype JKS -keystore eapkeystore.jks $ keytool -genkeypair -alias https -storetype JKS -keystore eapkeystore.jks
---- ----
.. Generate a secure key for the JGroups keystore: .. Generate a secure key for the JGroups keystore:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -genseckey -alias jgroups -storetype JCEKS -keystore eapjgroups.jceks $ keytool -genseckey -alias jgroups -storetype JCEKS -keystore eapjgroups.jceks
---- ----
. Generate the EAP for OpenShift secrets with the SSL and JGroup keystore files: . Generate the EAP for OpenShift secrets with the SSL and JGroup keystore files:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc secret new eap-ssl-secret eapkeystore.jks $ oc secret new eap-ssl-secret eapkeystore.jks
$ oc secret new eap-jgroup-secret eapjgroups.jceks $ oc secret new eap-jgroup-secret eapjgroups.jceks
---- ----
. Add the EAP secret to the `default` service account: . Add the EAP secret to the `default` service account:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc secrets link default eap-ssl-secret eap-jgroup-secret $ oc secrets link default eap-ssl-secret eap-jgroup-secret
---- ----
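Review bot: `oc secret new eap-ssl-secret eapkeystore.jks` and `oc secret new eap-jgroup-secret eapjgroups.jceks` are deprecated in the same way as the `oc env` and `oadm` forms replaced elsewhere in this change; `oc create secret generic eap-ssl-secret --from-file=eapkeystore.jks` (and likewise for eap-jgroup-secret) is the supported equivalent and should be swapped in while the blocks are being touched. Separately, `keytool -genkeypair -alias https -storetype JKS -keystore eapkeystore.jks` passes no `-keyalg`, so on JDK 8 it produces a 1024-bit DSA key; add `-keyalg RSA -keysize 2048` (and a `-validity`) so the self-signed HTTPS certificate is usable with current TLS stacks. The -1121 hunk repeats both commands.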
@ -1100,19 +1104,19 @@ Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
. Create a new project: . Create a new project:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc new-project eap-app-demo $ oc new-project eap-app-demo
---- ----
//. Create a service account to be used for the SSO deployment: //. Create a service account to be used for the SSO deployment:
//+ //+
//[subs="verbatim,macros,attributes"] //[source,bash,subs="attributes+,macros+"]
//---- //----
//$ oc create serviceaccount app-service-account //$ oc create serviceaccount app-service-account
//---- //----
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster. . Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster.
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default $ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
---- ----
@ -1121,26 +1125,26 @@ $ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores. The following commands will prompt for passwords. + This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores. The following commands will prompt for passwords. +
.. Generate a secure key for the SSL keystore: .. Generate a secure key for the SSL keystore:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -genkeypair -alias https -storetype JKS -keystore eapkeystore.jks $ keytool -genkeypair -alias https -storetype JKS -keystore eapkeystore.jks
---- ----
.. Generate a secure key for the JGroups keystore: .. Generate a secure key for the JGroups keystore:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ keytool -genseckey -alias jgroups -storetype JCEKS -keystore eapjgroups.jceks $ keytool -genseckey -alias jgroups -storetype JCEKS -keystore eapjgroups.jceks
---- ----
. Generate the EAP for OpenShift secrets with the SSL and JGroup keystore files: . Generate the EAP for OpenShift secrets with the SSL and JGroup keystore files:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc secret new eap-ssl-secret eapkeystore.jks $ oc secret new eap-ssl-secret eapkeystore.jks
$ oc secret new eap-jgroup-secret eapjgroups.jceks $ oc secret new eap-jgroup-secret eapjgroups.jceks
---- ----
. Add the EAP application secret to the EAP service account created earlier: . Add the EAP application secret to the EAP service account created earlier:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
$ oc secrets link default eap-ssl-secret eap-jgroup-secret $ oc secrets link default eap-ssl-secret eap-jgroup-secret
---- ----
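Review bot: the step text "Add the EAP application secret to the EAP service account created earlier" no longer matches the command beneath it, which links the secrets to `default` (`oc secrets link default eap-ssl-secret eap-jgroup-secret`), and the step that would have created an EAP service account is commented out in the -1100 hunk. Align the wording with the earlier section ("Add the EAP secret to the `default` service account") so readers do not go looking for a service account that is never created.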
@ -1155,7 +1159,7 @@ The *keycloak-saml-subsystem.xml*, exported from the {project_name} client in a
. Replace the *SPECIFY YOUR LOGOUT PAGE!* value of the *logout page* tag with the url to redirect users when they log out of the application. This example uses */index.jsp*. . Replace the *SPECIFY YOUR LOGOUT PAGE!* value of the *logout page* tag with the url to redirect users when they log out of the application. This example uses */index.jsp*.
. Delete the *<PrivateKeyPem>* and *<CertificatePem>* tags and keys and replace it with keystore information: . Delete the *<PrivateKeyPem>* and *<CertificatePem>* tags and keys and replace it with keystore information:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
... ...
<Keys> <Keys>
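Review bot: `[source,bash,...]` is the wrong language tag here: the block starting at `<Keys>` is XML from keycloak-saml-subsystem.xml, so `[source,xml,subs="attributes+,macros+"]` is the correct tag. The same applies to the second `<Keys>` snippet in the next hunk and to the web.xml `<login-config>` block in the -1193 hunk.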
@ -1172,7 +1176,7 @@ The mount path of the *keystore-saml.jks* (in this example *_/etc/eap-secret-vol
The aliases and passwords for the *PrivateKey* and the *Certificate* were configured when the SAML Keys were exported from the {project_name} client. The aliases and passwords for the *PrivateKey* and the *Certificate* were configured when the SAML Keys were exported from the {project_name} client.
. Delete the second *<CertificatePem>* tag and key and replace it with the the realm certificate information: . Delete the second *<CertificatePem>* tag and key and replace it with the the realm certificate information:
+ +
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
... ...
<Keys> <Keys>
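Review bot: typo in the step text of this hunk: "replace it with the the realm certificate information" has a doubled "the". As with the previous hunk, the `<Keys>` block is XML and should be tagged `[source,xml,...]` rather than `[source,bash,...]`.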
@ -1193,7 +1197,7 @@ The certificate alias and password were configured when the SAML Keys were expor
The client type must also be specified by the *<auth-method>* key in the application *web.xml*. This file is read by the image at deployment. The client type must also be specified by the *<auth-method>* key in the application *web.xml*. This file is read by the image at deployment.
Open the application *web.xml* file and ensure it includes the following: Open the application *web.xml* file and ensure it includes the following:
[subs="verbatim,macros,attributes"] [source,bash,subs="attributes+,macros+"]
---- ----
... ...
<login-config> <login-config>

View file

@ -25,4 +25,6 @@ https://accounts.google.com/o/oauth2/revoke
https://keycloak.example.com/auth/realms/REALM_NAME/protocol/openid-connect/logout https://keycloak.example.com/auth/realms/REALM_NAME/protocol/openid-connect/logout
http://127.0.0.1:3000/oauth/callback http://127.0.0.1:3000/oauth/callback
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/* https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/*
https://api.linkedin.com/v2/me https://api.linkedin.com/v2/me
https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso-cd-dev/templates/${resource}
https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso73-dev/templates/${resource}
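Review bot: the two new whitelist entries point at development branches (`sso-cd-dev` and `sso73-dev`) of the redhat-sso-7-openshift-image repository and keep the literal `${resource}` placeholder, so the pattern matches the unexpanded link text rather than any concrete template file. That is presumably the intent, but it means broken template links will not be detected by the link check and the existence of the referenced templates on those branches has to be verified by hand; it is worth recording that in the entry or keeping it narrow rather than widening it to a `/*` wildcard like the access.redhat.com line above.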