libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

KEYCLOAK-6567 configure moved openshift content to our build process (#396)

Browse source
This commit is contained in:
Stian Thorgersen 2018-06-07 14:12:56 +02:00 committed by GitHub
parent fc2baa8d51
commit f61cfad51e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
41 changed files with 1181 additions and 1767 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
openshift/build.cfg
View file

@ -1,2 +0,0 @@
pdf_mono_font: "DejaVu Sans Mono"
pdf_body_font: "DejaVu Sans"

5
openshift/common/attributes.adoc
View file

@ -1,5 +0,0 @@
:productname: Red Hat JBoss Middleware for OpenShift
:productversion: 3
:productdocsemail: xpaas-docs@redhat.com
:imagesdir: images

16
openshift/common/common_admin.adoc
View file

@ -1,16 +0,0 @@
==== Environment Variables
|===
|Variable name |Description |Example value
|`*ADMIN_USERNAME*`
|If both this and `*ADMIN_PASSWORD`* are defined,
used for the EAP management port user name.
|`eapadmin`
|`*ADMIN_PASSWORD*`
|If defined, an admin user is defined for accessing
the management port, with this value as password.
|`passw0rd`
|===

0
openshift/common/common_basic_info.adoc
View file

25
openshift/common/common_clustering.adoc
View file

@ -1,25 +0,0 @@
Clustering is achieved through one of two discovery mechanisms:
Kubernetes or DNS. This is done by configuring the JGroups protocol stack in
standalone-openshift.xml with either the `<openshift.KUBE_PING/>` or `<openshift.DNS_PING/>`
elements. Out of the box, `KUBE_PING` is the pre-configured and supported protocol.
For `KUBE_PING` to work, however, the following steps must be taken:
. The `OPENSHIFT_KUBE_PING_NAMESPACE` environment variable must be set (see table above).
If not set, the server will act as if it is a single-node cluster (a "cluster of one").
. The `OPENSHIFT_KUBE_PING_LABELS` environment variables should be set (see table above).
If not set, pods outside of your application (albeit in your namespace) will try to join.
. Authorization must be granted to the service account the pod is running under to be
allowed to access Kubernetes' REST api. This is done on the command line.
.Policy commands
====
Using the default service account in the myproject namespace:
....
oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default -n $(oc project -q)
....
Using the eap-service-account in the myproject namespace:
....
oc policy add-role-to-user view system:serviceaccount:$(oc project -q):eap-service-account -n $(oc project -q)
....
====

10
openshift/common/common_datasources.adoc
View file

@ -1,10 +0,0 @@
Datasources are automatically created based on the value of some environment variables.
The most important is the `*DB_SERVICE_PREFIX_MAPPING*` environment variable
that defines JNDI mappings for data sources. This variable must be set to a
comma-separated list of `*<name>_<database_type>=<PREFIX>*` triplets, where
`name` is used as the pool-name in the data source, `database_type` determines
what database driver to use, and `PREFIX` is the prefix used in the names of
environment variables, which are used to configure the data source.
include::jndi_mappings.adoc[]

99
openshift/common/common_eap_sso.adoc
View file

@ -1,99 +0,0 @@
This image contains support for Red Hat SSO/Keycloak-enabled applications.
==== Environment variables
|===
|Variable name |Description |Example value
|`SSO_URI`
| URI of the SSO/Keycloak server
| -
|`SSO_REALM`
| SSO/Keycloak realm for the deployed application(s)
| -
|`SSO_PUBLIC_KEY`
| Public key of the SSO/Keycloak Realm. This field is optional but if omitted can leave the applications vulnerable to man-in-middle attacks
| -
|`SSO_USERNAME`
| SSO/Keycloak User required to access the SSO/Keycloak REST API
| `mySsoUser`
|`SSO_PASSWORD`
| Password for `SSO_USERNAME`
| `6fedmL3P`
|`SSO_SAML_KEYSTORE_SECRET`
| Secret to use for access to SAML keystore
| Default: `sso-app-secret`
|`SSO_SAML_KEYSTORE`
| Keystore location for SAML
| Default: `/etc/sso-saml-secret-volume/keystore.jks`
|`SSO_SAML_KEYSTORE_PASSWORD`
| Keystore password for SAML
| Default: `mykeystorepass`
|`SSO_SAML_CERTIFICATE_NAME`
| Alias for keys/certificate to use for SAML
| Default: `jboss`
|`SSO_BEARER_ONLY`
| Optional. SSO Client Access Type
| true
|`SSO_CLIENT`
| Path for SSO redirects back to the application
| Defaults to match module-name
|`SSO_ENABLE_CORS`
| Optionally enable CORS for SSO applications
| true
|`SSO_SECRET`
| The SSO Client Secret for Confidential Access
| KZ1QyIq4
|`SSO_SECURE_SSL_CONNECTIONS`
| If true SSL communication between EAP and the SSO Server will be secure (i.e. certificate validation is enabled with curl)
| false
|===
==== Example
.Creating Secrets and SSO/Keycloak-enabled EAP in "myproject" project/namespace
====
Once the SSO/Keycloak server has been instantiated and configured with the
appropriate Realm, Role(s), and User(s):
. Create Realm (e.g demo)
. Create Role that corresponds to JEE Role (e.g. user)
. Create User with permanent password credential (e.g. mgmtuser/mgmtpass). Add
all "realm-management" Roles. This User is used to automatically configure
the SSO Clients in the SSO Server.
. Create User with permanent password credential (e.g. demouser/demopass). Add
Roles to User: JEE Role from #2. This User is used to authenticate access to
user applications.
Copy the Realm Public Key from the SSO/Keycloak console and use as the value of
`SSO_PUBLIC_KEY` below. Set `SSO_URI` according to the location of the SSO
server.
....
$ oc create -n myproject -f secrets/eap-app-secret.json
$ oc create -n myproject -f secrets/sso-app-secret.json
$ oc process -f eap/eap64-sso-s2i.json -v APPLICATION_NAME=helloworld,SOURCE_REPOSITORY_URL=https://github.com/keycloak/keycloak-examples,SOURCE_REPOSITORY_REF=0.4-openshift,CONTEXT_DIR=,SSO_URI=https://secure-sso-demo.hostname/auth,SSO_REALM=demo,SSO_USERNAME=mgmtuser,SSO_PASSWORD=mgmtpass,SSO_PUBLIC_KEY=XXX | oc create -n myproject -f -
....
After executing the above, you should be able to access the
SSO/Keycloak-enabled applications at
http://helloworld-myproject.hostname/app-context and
https://secure-helloworld-myproject.hostname/app-context where app-context is
`app-jee`, `app-profile-jee`, `app-profile-jee-saml`, or service depending on the
example application.
Note the `app-html5` and `app-profile-html5` example applications are not deployed
or functional.
====

18
openshift/common/common_https.adoc
View file

@ -1,18 +0,0 @@
==== Environment variables
|===
|Variable name |Description |Example value
|`HTTPS_NAME`
|If defined along with `HTTPS_PASSWORD` and `HTTPS_KEYSTORE`, enable HTTPS and set the SSL name.
|`example.com`
|`HTTPS_PASSWORD`
|If defined along with `HTTPS_NAME` and `HTTPS_KEYSTORE`, enable HTTPS and set the SSL key password.
|`passw0rd`
|`HTTPS_KEYSTORE`
|If defined along with `HTTPS_PASSWORD` and `HTTPS_NAME`, enable HTTPS and set the SSL certificate key file to a
relative path under `$JBOSS_HOME/standalone/configuration`
|`ssl.key`
|===

86
openshift/common/common_s2i.adoc
View file

@ -1,86 +0,0 @@
The image includes S2I scripts and maven.
Maven is currently only supported as a build tool for applications
that are supposed to be deployed on JBoss EAP-based containers (or
related/descendant images) on OpenShift.
Only WAR deployments are supported at this time.
==== Custom configuration
It is possible to add custom configuration files for the image. All
files put into configuration/ directory will be copied into
`$JBOSS_HOME/standalone/configuration/`. For example to override the
default configuration used in the image, just add a custom
standalone-openshift.xml into the configuration/ directory.
https://github.com/goldmann/openshift-eap-examples/tree/master/custom-configuration[See
example] for such deployment.
===== Custom modules
It is possible to add custom modules. All files from the
modules/Â directory will be copied into `$JBOSS_HOME/modules/`.
https://github.com/goldmann/openshift-eap-examples/tree/master/custom-module[See
example] for such deployment.
==== Deployment Artifacts
By default, artifacts from the source `target` directory will be deployed. To deploy from
different directories set the ARTIFACT_DIR environment variable in the BuildConfig
definition. ARTIFACT_DIR is a comma-delimited list. For example:
ARTIFACT_DIR=app1/target,app2/target,app3/target
==== Artifact Repository Mirrors
// Define required 'bcname' attribute for maven_mirror_url.adoc page
:bcname: eap
// Include the Artifact Repository Mirros section
// (MAVEN_MIRROR_URL variable usage information)
include::maven_mirror_url.adoc[bcname]
==== Scripts
`run`:: runs the container without any changes to the default
configuration, this means that the standalone-ha.xml configuration will
be used.
`assemble`:: uses Maven to build the source, create a package (war) and
move it to the `$JBOSS_HOME/standalone/deployments` directory.
==== Environment variables
You can influence the way the build is executed by supplying environment
variables to the `s2i build` command. See the
link:https://github.com/openshift/source-to-image/blob/master/docs/cli.md[s2i
docs] for more information. The environment variables that can be supplied are:
|===
|Variable name |Description |Example value
include::common_s2i_env_vars.adoc[]
|*_APP_DATADIR_*
| If defined, directory in the source from where data files are copied.
|*_mydata_*
|*_DATA_DIR_*
| Directory in the image where data from `$APP_DATADIR` will be copied.
|*_$JBOSS_HOME/data_*
|===
==== Example
This example for the JBoss EAP 6.4 image builds the Heroku Java example
----
s2i build -e "MAVEN_ARGS=clean package" --loglevel=5 --forcePull=false https://github.com/heroku/java-sample.git ce-registry.usersys.redhat.com/jboss-eap-6/eap-openshift:6.4 test-jee-app
----
Later you can run the application with:
----
docker run -it --rm test-jee-app
----
This will run a container and deploy the hello world application on start-up.

39
openshift/common/common_s2i_env_vars.adoc
View file

@ -1,39 +0,0 @@
|`ARTIFACT_DIR`
|`.war` and `.jar` files from this directory will be copied into the `deployments` directory.
|`target`
|`HTTP_PROXY_HOST`
| Hostname or IP address of a HTTP proxy for Maven to use.
|`192.168.1.1`
|`HTTP_PROXY_PORT`
| TCP Port of a HTTP proxy for Maven to use.
|`8080`
|`HTTP_PROXY_USERNAME`
| If supplied with `HTTP_PROXY_PASSWORD`, use credentials for HTTP proxy.
| myusername
|`HTTP_PROXY_PASSWORD`
| If supplied with `HTTP_PROXY_USERNAME`, use credentials for HTTP proxy.
| mypassword
|`HTTP_PROXY_NONPROXYHOSTS`
| If supplied, a configured HTTP proxy will ignore these hosts.
|`some.example.org\|*.example.net`
|`MAVEN_ARGS`
| Overrides the arguments supplied to maven during build.
|`-e -Popenshift -DskipTests -Dcom.redhat.xpaas.repo.redhatga package`
|`MAVEN_ARGS_APPEND`
| Appends user arguments supplied to maven during build.
|`-Dfoo=bar`
|`MAVEN_MIRROR_URL`
| URL of a Maven Mirror/repository manager to configure.
|`\http://10.0.0.1:8080/repository/internal/`
|`MAVEN_CLEAR_REPO`
| Optionally clear the local maven repository after the build.
|`true`

34
openshift/common/common_security_domains.adoc
View file

@ -1,34 +0,0 @@
To configure a new Security Domain, the user must define the
`SECDOMAIN_NAME` environment variable.
This will result in the creation of a security domain named
after the environment variable. The user may also define the following
environment variables to customize the domain:
|===
|Variable name |Description |Example value
|`SECDOMAIN_NAME`
| Define in order to enable the definition of an additional security
domain.
| `myDomain`
|`SECDOMAIN_PASSWORD_STACKING`
| If defined, the password-stacking module option is enabled and
set to the value useFirstPass.
| `true`
|`SECDOMAIN_LOGIN_MODULE`
| The login module to be used. +
Defaults to `UsersRoles`
| `UsersRoles`
|`SECDOMAIN_USERS_PROPERTIES`
| The name of the properties file containing user definitions. +
Defaults to `users.properties`
| `users.properties`
|`SECDOMAIN_ROLES_PROPERTIES`
| The name of the properties file containing role definitions. +
Defaults to `roles.properties`
| `roles.properties`
|===

99
openshift/common/jndi_mappings.adoc
View file

@ -1,99 +0,0 @@
[[db_service_prefix_mapping]]
==== JNDI mappings for datasources
For each `<name>-<database_type>=PREFIX` triplet in the `DB_SERVICE_PREFIX_MAPPING`
environment variable, a separate datasource will be created by the launch script, which is
executed when running the image.
The `<database_type>` will determine the driver for the datasource. Currently, only `postgresql` and
`mysql` are supported.
The `<name>` parameter can be chosen on you own. Do not use any special characters.
NOTE: The first part (before the equal sign) of the `DB_SERVICE_PREFIX_MAPPING`
should be lowercase.
===== Database drivers
Every image contains Java drivers for MySQL, PostgreSQL and MongoDB databases deployed.
Datasources are *generated only for MySQL and PostgreSQL databases*.
NOTE: For MongoDB database there are no JNDI mappings created because this is not
a SQL database.
===== Datasource configuration environment variables
Other datasource properties will be configured from the following environment
variables:
|===
|Variable name |Description |Example value
|`<NAME>_<DATABASE_TYPE>_SERVICE_HOST` |Defines the database server's hostname or IP to be
used in the datasource's `connection-url` property.
|`192.168.1.3`
|`<NAME>_<DATABASE_TYPE>_SERVICE_PORT` |Defines the database server's port for the datasource.
|`5432`
|`<PREFIX>_JNDI` |Defines the JNDI name for the datasource. Defaults to
`java:jboss/datasources/<name>_<database_type>`, where `name` and `database_type` are taken from
the triplet described above. This setting is useful if you want to override the default
generated JNDI name. |`java:jboss/datasources/test-postgresql`
|`<PREFIX>_USERNAME` |Defines the username for the datasource.
|`admin`
|`<PREFIX>_PASSWORD` |Defines the password for the datasource.
|`password`
|`<PREFIX>_DATABASE` |Defines the database name for the datasource.
|`myDatabase`
|`<PREFIX>_TX_ISOLATION` |Defines the java.sql.Connection transaction isolation
level for the datasource.
|`TRANSACTION_READ_UNCOMMITTED`
|`<PREFIX>_MIN_POOL_SIZE` |Defines the minimum pool size option for the datasource.
|`1`
|`<PREFIX>_MAX_POOL_SIZE` |Defines the maximum pool size option for the datasource.
|`20`
|===
When running this image in OpenShift, the `<NAME>_<DATABASE_TYPE>_SERVICE_HOST`
and `<NAME>_<DATABASE_TYPE>_SERVICE_PORT` environment variables are set up
automatically from the database service definition in the OpenShift application
template, while the others are configured in the template directly (as `env`
entries in container definitions under each pod template).
===== Examples
These examples show how value of the `DB_SERVICE_PREFIX_MAPPING` environment
variable influences datasource creation.
====== Single mapping
Consider value `test-postgresql=TEST`.
This will create a datasource with `java:jboss/datasources/test_postgresql` name.
Additionally all the required settings like password and username will be expected
to be provided as env variables with the `TEST_` prefix, for example `TEST_USERNAME`
and `TEST_PASSWORD`.
====== Multiple mappings
You can also specify multiple database mappings. Consider following value for the
`DB_SERVICE_PREFIX_MAPPING` environment variable: `cloud-postgresql=CLOUD,test-mysql=TEST_MYSQL`.
NOTE: Multiple datasource mappings should be separated with comma.
This will create two datasources:
1. `java:jboss/datasources/test_mysql`, and
2. `java:jboss/datasources/cloud_postgresql`.
MySQL datasource configuration (username, etc) will be expected with the
`TEST_MYSQL` prefix, for example `TEST_MYSQL_USERNAME`, whereas for the PostgreSQL
datasource it'll expect beexpected with the `CLOUD_` prefix, for example `CLOUD_USERNAME`.

54
openshift/common/maven_mirror_url.adoc
View file

@ -1,54 +0,0 @@
// This page describes MAVEN_MIRROR_URL variable usage
// It requires 'bcname' attribute to be set to the name of the product
A repository in Maven holds build artifacts and dependencies of various types
(all the project jars, library jar, plugins or any other project specific
artifacts). It also specifies locations from where to download artifacts from,
while performing the S2I build. Besides using central repositories, it is a
common practice for organizations to deploy a local custom repository (mirror).
Benefits of using a mirror are:
* Availability of a synchronized mirror, which is geographically closer and
faster.
* Ability to have greater control over the repository content.
* Possibility to share artifacts across different teams (developers, CI),
without the need to rely on public servers and repositories.
* Improved build times.
Often, a repository manager can serve as local cache to a mirror. Assuming that
the repository manager is already deployed and reachable externally at
*_pass:[http://10.0.0.1:8080/repository/internal/]_*, the S2I build can then use this
manager by supplying the `MAVEN_MIRROR_URL` environment variable to the
build configuration of the application as follows:
. Identify the name of the build configuration to apply `MAVEN_MIRROR_URL`
variable against:
+
[subs="attributes"]
----
oc get bc -o name
buildconfig/{bcname}
----
. Update build configuration of `{bcname}` with a `MAVEN_MIRROR_URL` environment variable
+
[subs="attributes"]
----
oc env bc/{bcname} MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"
buildconfig "{bcname}" updated
----
. Verify the setting
+
[subs="attributes"]
----
oc env bc/{bcname} --list
# buildconfigs {bcname}
MAVEN_MIRROR_URL=http://10.0.0.1:8080/repository/internal/
----
. Schedule new build of the application
NOTE: During application build, you will notice that Maven dependencies are
pulled from the repository manager, instead of the default public repositories.
Also, after the build is finished, you will see that the mirror is filled with
all the dependencies that were retrieved and used during the build.

2
openshift/content/advanced_concepts/advanced_concepts.adoc
View file

@ -38,7 +38,7 @@ The *_openssl_* toolkit is used in the following example to generate a CA certif
====
For production environments Red Hat recommends that you use your own SSL certificate purchased from a verified Certificate Authority (CA) for SSL-encrypted connections (HTTPS).
See the https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.1/html-single/Security_Guide/index.html#Generate_a_SSL_Encryption_Key_and_Certificate[JBoss Enterprise Application Platform Security Guide] for more information on how to create a keystore with self-signed or purchased SSL certificates.
See the https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform/6.1/html-single/security_guide/index#Generate_a_SSL_Encryption_Key_and_Certificate[JBoss Enterprise Application Platform Security Guide] for more information on how to create a keystore with self-signed or purchased SSL certificates.
====
[[create-https-keystore]]

2
openshift/content/getting_started/getting_started.adoc
View file

@ -1,5 +1,5 @@
=== Using the {xpaasproduct-shortname} Image Streams and Application Templates
Red Hat JBoss Middleware for OpenShift images are pulled on demand from the Red Hat Registry: link:http://registry.access.redhat.com[registry.access.redhat.com]. To update to the latest {xpaasproduct-shortname} images, run the following commands:
Red Hat JBoss Middleware for OpenShift images are pulled on demand from the Red Hat Registry: link:https://access.redhat.com/containers/[registry.access.redhat.com]. To update to the latest {xpaasproduct-shortname} images, run the following commands:
. On your master host(s), ensure that you are logged in as a cluster administrator or a user with project administrator access to the global `openshift` project.
+

1
openshift/docinfo-footer.html Symbolic link
View file

@ -0,0 +1 @@
../aggregation/navbar.html

1
openshift/docinfo.html Symbolic link
View file

@ -0,0 +1 @@
../aggregation/navbar-head.html

10
openshift/docinfo.xml
View file

@ -1,10 +0,0 @@
<productname>Red Hat Single Sign-On</productname>
<productnumber>7.3</productnumber>
<subtitle>Using {xpaasproduct}</subtitle>
<abstract>
<para>Guide to using {xpaasproduct}</para>
</abstract>
<authorgroup>
<orgname>Red Hat Customer Content Services</orgname>
</authorgroup>
<xi:include href="Common_Content/Legal_Notice.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />

BIN
openshift/images/import_realm_error.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 12 KiB

95
openshift/images/import_realm_error.svg
View file

@ -1,95 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
viewBox="0 0 594.66669 62.666668"
height="62.666668"
width="594.66669"
id="svg2"
version="1.1">
<metadata
id="metadata8">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<defs
id="defs6" />
<image
y="0"
x="0"
id="image10"
xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAb4AAAAvCAYAAACcwK+7AAAABmJLR0QA/wD/AP+gvaeTAAAACXBI
WXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH4gMMEwkf2IR+1AAAAB1pVFh0Q29tbWVudAAAAAAAQ3Jl
YXRlZCB3aXRoIEdJTVBkLmUHAAAMfUlEQVR42u3db0wb5x0H8C9TfbT1Idmks+fWERlRA1JA3cIb
XKlmU0hbShSHqhRWNYBoqTKspCAqUDqStIHKCkqK0wiUkgSlkKRJQXhIJa4WswlSFV7UaBWsgqRx
g/BEiUScCHsJZ2nsBfjmP3fnMzj/4PeReNF77p57nt9zd7977s5NgiFn2wIIIYSQNeKJIlUSjP8c
wX8nb1A0CCGErFoJG36Lgd9nIcH5a81CWncXEjdtoqgQQghZte79+COulZYi4Xtg4YXpaYoIIYSQ
Ve8HnQ6/ojAQQghZSyjxEUIIocRHCCGEUOIjhBBCKPERQgghlPgIIYQQSnyEEEIIJT5CCCGEEh8h
hBBCiY8QQgihxEcIIYRQ4iOEEEIo8RFCCHlU/efuXVnr3b13jxIfIYSQx9u/f/kFVQcO4K/ffCO5
3uednfjQYoHnzh1KfESe2sZGDAwNUSAesOzt2x/Y2M16PHinpgYF5eU01nGMP7m/mlpa4LlzB+d6
ekST3+ednXBcuQL39DROdHRQ4pMrt6gI2du3h/zdTyOjo8jevh1VBw6IrrNrzx70ORyrNuY3pqZQ
tHt3SEzmOS5u9ReUl8saB7F9ytn+cXKhtxc52dmwtbcjOysLRbt3Y87rjSmO4fFabTEi9+dat5Lz
urKsDE89+SQACCa/trNn4bhyBQCQrFKh9M03KfHFglEoUJCXx//d730BAMMwokmBYRj02O2rNt5J
LAtWqeT/u7mtDVwcE9/+6uqo60jtU872j5NJtxvPp6YCABIZBnVmM5JYNqY4hsdrtcWIxN9Kz+u0
jRvxl/ffF0x+bWfP4vLgIJ/0DtbU4FmtdsVtfmItDRCrVKLObA5ZNuf1YltxMfZXVWFsYgJ9Dgfa
P/0Ub+/ZE7Ls4okTmOc4NLW2Ymx8HKxSiZLCQhSbTIJ1HD14cPHiH3ThD2az21FsMuFCby+mZ2ag
CxrMgvJy5BqN+NfExGLdRiNKCgujlgW76nKhobkZXp8Pm9PSQsqmZ2bQYLXixtQUklgWdWYztmRm
8mX1TU245fFAp9WiobYW69RqAEBDczN/d7cpNRXWQ4cAAK+9/TZKCgsx7HRi1uNBRno66sxmsEol
3//mtjZc+/lnvPvBB1inVqPVYolok9B+B4aG0NHdjdNHjwIAOrq6MOl2Y391NSr37cPw11+Lti3a
PoO3F+tDuKLdu1FZWorDLS3YkpmJxro6yXjK6WOsYydUR0dXF0ZGR3HN5YJOq0WrxYLaxkbYTp9G
EstK9i8QB6F4BcdIqp9S9QuNzTzHoaC8HK0WCzasXy8rxmKx63M40NHdDY7jwCqVaKqvDzmfAoLb
OOl2Y9cbb4Dz+3F5cBBenw8FeXkoNpkEz9dYtpVqj1ScpLbrczhwobcXnN+PSbcbySoVmurrkZGe
LhmbWNott57gdkc7x2JNfp8cO4a79+7hXE8PzvX08OXJKhU+qqkRHFdKfFF4fT4cbmkBAKTo9SEH
efPJk+A4Dil6PZRPPx2xjFEo8E5NDbw+H/JzczE2Pg7ryZNIUiphzM6OWF/zzDN8shUyODyMyrIy
cByHHrsd5rKy/1/cbt6ETqOBuawM8xyHd2tqkJGeji2ZmZJlwaoOHEBjXR22ZGbiqsuFkr17kb91
62LZwYOoqqiAISsL0zMzeKemBp3Hj2OdWh1S1udwoKG5GdZDhzDkdGLO54OtvZ0/SQJu3b4NAHwi
3LVnD8bGx5GRno7KpX5Vv/ceLg8O4tSRI4KzELH95hgM6OvvR5/DgS2ZmbDZ7bhw4kTItmJti7bP
YFJ9CE88ff39sLW3I3FpNi8VTzl9jIiFzLELrqOksBAjo6MoMplgyMpaVv9iGaPwforVP+fzCY5N
IsMgx2AQTPzRYhweu81paXybm9va0NHdLXjTcuv2bTAKBayHDmHW40H+rl2oLC3F6aNHMc9xyN+1
CwV5efw+l7utVHukxkFsuzmvF6fOn8eFEyeQyDCobWxE/tat/NhJxSaWdkerR6jdsZxjcpNf47Fj
uBf09Wa8k96ae9TJ+f2w2e2w2e0R79Y4joOtvR2dx4/zySp42djEBG7dvo0ikwl1ZjN/ZxP8qDJ4
/WSVSvRR55DTiS2ZmUhkGOQajXAsTeWDbTMa+QtEQV4eP92PVhaYMSSxLJ8MN6Wm8jOHqy4XAPAX
R51WixyDAZcHB3HV5QKjUPBl+bm5GB4ZWVxPo8E1lwsjo6P8dsECF2YAyEhPx6Tbze87Gqn9AsD+
qiqcOn8e9U1NqDWbIy5M0doml1gfwo+h6ooKvg1S8Yylj3LHTk4dK+mf1BhF66dQ/VJjI/YoVijG
Uv3esH49X0+OwRByUyZ2Xq1Tq5GsUoWcSzqNJi7bRmuP2DiIbTfpdkOn1fLxyEhL47eRc0zIabec
elZy/MSS/LRLk4aA32VkxDXprbkZX7JKhUtnzwqWZaSnR9x9Bi+b9XgWD069nn9/xSgUuLW0PHz9
wAEsdEdrs9sxODyMvv5+ftnI6GjIrC34gpDEsvz+o5UF2qrTaEKWBfcjvCxFr8f0zAxm9XpMut0h
HzSwSiVmPR5sWL8eDbW1aP3iC8x6PBGP88IvYLG87J71eET3u06tRhLLIjsrC8NOp+BsJlrbYnkn
KacPwSehVDxj6aPcsZNTx0r7JzZG0fopVP9yxyY8xlL97nM4cHlwEJzfjzmvVzIW4W0MvzHl/H50
dHXh1Pnz/DvOQKKQs23gsaRUe8TGQWy7FL0eN6amMOf1IollMTI6yr/ekHNMyGn3cuqJ54dqASfP
nYtIqH//9lvoNBrsfPVVSnwPWmDwbywNypzXC87vl7wTGejpiZidzHm9uOZy8e9NAGBgaAg9ly6F
XBCCD7jpmZmIi6NYWaCt4cnQ6/PxZdM3b4aUTbrdSNHrsU6tRopej87jx0VvDlotFlx1uVC5bx//
/igesZXa742pKQw7nXg+NRU9ly7h9ddee2Btk9N2sXjG0ke5YyenjofZz/tx3Ej1e8jpxIXeXpw6
ehSJDIMhpxMXe3tX1NeSwkLB9+ZyLLc9UtslsSyKTSaU7N0LnVaL3Jde4q8V8TomHuaxFZz0/jYw
wLeneOdOtH/5Jf/OD0Dckt+aetQZeMcX+ItFdlYWWKUSF3t7cbilBZX79gGA6NehV10u5Lz+Ohqa
m0OW9/X38+8EA3IMBoyMjvKfnjMKBTq6uvhEabPb+btOqbKATampmPV4MDY+zrcl8KhpU2oqOI7j
f+c1PTODgaEhbDMaF8v8/pDfgAXu6Gc9Hr59KXq96Ec70WYcQo9HpPYLAA1WK2rNZuyvqkJnd7fg
DFesbWL7jBepeMbSR9ljJ6OOlZAcIxn9FJopio3N4ZYWWT+3kOr3raWbwESGwTzHwfaQv5Jebnui
bdfX34+Ozz5Dq8UScuMXr2NiJfXE4xwLT3of1dTgDwaD6NeeNOOLQeAdX4DQC3AxiQyDU0eOoMFq
RZ/DsfghSEUFthmNgicvo1CAUSiQHDYbs9ntaKitjVjfkJWFweFh5OfmgmEY6LRa/ndYxSYTf4cn
VRasqb4eDVYr/7FN8PP5VosF9U1NONzSgiSWxf7qan7WaP34YzRYrTjc0gLO78c2oxF1ZjOmZ2aw
v6mJb8O7b70V84yqsrQUtY2NSGJZXAz7QEVsvxd6e6HTaPhHnJVlZREfhUi1TWqf8SIVTzl9jGXs
5NaxXFLxktvPYGJjM7+URIt27JB1HIn1O9doRF9/PwrKy5GsVqPYZHqov41dbnuibafTaLCtuBiM
QgFWqUR+bi7/QVy8jonl1rPSc0wo6f1m6bG60NeeCQkJML3yyorGKeF7YOGF6Wl6lvkIMRYUYNBm
i7mMELL6NLe1YZ1azT9+nfN6UbJ3L1otlrh/9PEwtJ45g398911E0gs2cf06n/yKduzAGyv4H5D8
oNPRO75HdWa6nDJCyOoz6XYjO+ijLq/Ph3mOi3ia9Lj6c2kp1CoV/vjii4JJL3jmN3H9Ona8/PKK
90mJjxBCHmFVFRVosFrReuYMgMVHxo11dYK/N3wcJSQk4E87d0ZdL23jRqRt3BiffdKjTkIIIWvF
Dzod/esMhBBC1hZKfIQQQijxEUIIIZT4CCGEEEp8hBBCCCU+QgghhBIfIYQQQomPEEIIocRHCCGE
UOIjhBBCKPERQgghMSc+xXPP4d7SP3pJCCGErFZ3x8bApKQg4dZXXy24P/wQ3E8/UVQIIYSsWk9t
3oxnP/kECQsLCwsUDkIIIWsFveMjhBCypvwPAIOSpxH0J/gAAAAASUVORK5CYII=
"
preserveAspectRatio="none"
height="62.666668"
width="594.66669" />
</svg>
Side by side

Before

Width:  |  Height:  |  Size: 5.3 KiB

BIN
openshift/images/sso_app_jee_jsp.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 16 KiB

297
openshift/images/sso_app_jee_jsp.svg
View file

@ -1,297 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
viewBox="0 0 745 287"
height="287"
width="745"
id="svg3481"
version="1.1">
<metadata
id="metadata3487">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<defs
id="defs3485" />
<g
id="g3489">
<image
id="image3491"
xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAukAAAEfCAIAAABzhc/FAAAAA3NCSVQICAjb4U/gAAAAGHRFWHRT
b2Z0d2FyZQBtYXRlLXNjcmVlbnNob3TIlvBKAAAgAElEQVR4nO3deXAb150n8B9ugBdAUiJBXYRo
2aJPMZJjU7nMHB4x8WTMzMyOmdqqNWe3aovz19C1f4T+j/+F+WvlP3aHqa3UULNzcHZmdyhnnJFm
kgyUy7RjJZTjgzpMkToskJQogCcANtD7xwOajUZ3o0GCwHvk91MoVhN94HX376F//fp1w3bq1CkC
AAAAEIS90gUAAAAAKAJyFwAAABAJchcAAAAQCXIXAAAAEAlyFwAAABAJchcAAAAQCXIXAAAAEAly
FwAAABAJchcAAAAQCXIXAAAAEAlyFwAAABAJchcAAAAQCXIXAAAAEAlyFwAAABAJchcAAAAQCXIX
AAAAEAlyFwAAABCJs9IFKJosy5UuAuwSNput0kUAAICiCZC7IFmBHaIJLaQyAABC4Dd3QcoCZaaE
HJIYAACecdrfBYkLVBDCDwCAZzy2u1g/cuAYA8Wy2KYiyzJaXwAA+MRd7lIwHUG+Atuhjh/z7ATp
CwAAn/jKXUzyEs0oZDCwHSwpKdjBBekLAACH+MpdjKgzFaNhACvUWYuSlyBHAQAQiAC5i5KgsAHN
vybTwx6nm47kpylKNoP0BQBACBzlLro5h26+YjGJgT3O/PEtNpuN5StKG4xu+oKcBgCANxzlLvny
MxXlr27igiQG8uVfGNJtelHyGGQqAACc4zd30SQlP/jBDypYGNh9+vr6WJqiSVmQvgAAcI7f3IVB
UwrskPybpZG1AAAIgffchXKvED17fX9lCwO7wHuPLpBeWozEBQBACLzkLrqPb1FnLcqIcpYKdjHd
dhfS67SL9hgAAK5w+ntGajoZDMC2aXp8I8YAAETBS7tLPv0biHCAgRLR3GmPvroAAKLgN3dhtCfE
SF2gRDQ3RWuetAsAANziMXcxe+gc2l2gRFhabHSDNFpfAAC4xWPukk91zaii5YDdRTd9AQAAzgmQ
u+ReM+I3efG77NFvh4gomkzVj80WO/vxOlfPkaqew9WhGmfAbSeiyHpqcjE5fnt17OZqIm11xf0u
e8+Rqu4DVR0N7qDPEXA74ql0ZD01FdsIz62P31q7urRRVOGVUUzHD+9ceZjU/ehXH6kZ/XwTEQ3/
Lvr6bxctFrhSNE0sSF8AAEQhQO6Sg9/UJbdsxZTT77Kffa6x71it5v1QjT1U4+o5Un32s6mBdx+c
+2TFfDkeu22oo37giTqvI+f2Ma/DzhbVfbBq+GTj5GJi8PLixU/XrRY+99/hkw1f/3FEvwRb3QIV
hJQFAEA4wuUuPB8St9I+1FrjDHcfCNW42L9TseSFu2szK5LXYetocHcfrAq4HQG3Y/QLTV1B75/+
YsFoOc0+x4UXWzoaPOzfeCodjsSnYsnIeirgtgfc9s79Xja2o8Fz4cWWjjdvX1lUN5+YFD7n3+6D
Vc/vc7+zkDBdLZnvPZWBxAUAQERi5C5i9HeRVQPWyul32ye+cTBY5SSimeWNvl/MX4rENdN85+nA
8LONRNR3rC6aSL/27oP85XgctvCZA+0BNxFFE6mBdx+cu7GsO1nfsdrBpwOhWpfXbtNvJskvfPbf
uJT2Ou1EdPaz+06/dVdnfYrfAhWE3zACABCUGLnLJp7P5ovvlzP6hf1K4tL5z3fm1lP503zv/YdT
0eT411qIaODJwPjs6qXIet5ymljiYrIcIkpI8venYt+fin332ca4lDYssMGzjGdWpJmVje5D1Z1N
3jMHfBfvrmk/QJCeSQAAIDTen6ub95sAfL+KKefxOldPaw2bvOfH9+bWUkZTnp9dHfk4xqY8+/y+
/OX0ttVaWY7yev3XD648SBZR+KzBXz8wKkaxq8/FbjIPNgAA4BLvuYuWLHP9Kqacg8/Us2nHZ1au
PEgUmPjX99nEHY2eE/Uu3eWMfbJccDlbLHzWlQeJ8ZkVImoPuF85Wm08ZaV3hMU1BQAAAQmXu/D9
Kqac3Yeq2LQjH8cKThxLpFnSQETdh6rVo7pafNaXs8XCq0YNvJ3pLzz8WeOml4rvCItrmsU6uxh1
eUFXGAAArgiXu1T6lH3LTRe5r2avnfV0IaKJuXUrCw9/mulf0tXiUy8nVOsqajlbKbxq1OzyxujV
GBGFal2vPlpr2J5R8X1hZU0BAEBAwuUufL8slzPoyyQukTUplkhbWfhU9olwoRpX/nKiiVRCkneq
8LnvD75zPy6liWj4uX0edr+SwZScvgAAQGS4z6h0NE0XpgLuzGWIaCJlcaWiiczdQwGPXZllcznJ
tNFy5P7j+W9O3o9/5h9Vz881Kfzmv5lGi7k1aeSj6MAzDcEqZ//j/jd+93BzgtwpAQAASg7tLjtz
Ql/yiU1mISKiuGTceGNxY5qUJ2/U0K8fsKaXoWcbc5pexNpNAAAgILS7lE4x7S7RuNKI4rC4UuxH
jii3qUZZTrDKabScgV/MKcPBKufgycYCBTZsd9kcjiVSQ7++P3y6KeBxDD3b+PrEApEmy+F4TwEA
gMiEy10qXQATssGwnsiaxAaCVU6/yx5Lpgsunj19johmljaU5SvLCXgcHrstkdL54DeuKNd0qLXW
lcld8htUjApvMOrslYeDJxsDHsfAM/XDlx/krAKaNwAAYMcId82o0reoWLyBpdCUc6tSZDWTdnQ2
e60svOtg5p7q8N019XJmlpJFLcewkCaF1xuVkNJD7y4QkddpHz69P3fKSu8Ii1sAAAAEJFzuwver
mHJeuJV5Xkv/k/UFJ/a77D3Zh+demF1Rjwpnn83f/2RgW4U0KbzB+29MPmQZWP9T9c0+h8mUfL0A
AEBkwuUulT5l31qTht5r+L3Mo3J7Hqk90eguMPHn9rOJJxfiVxbiusvpfcxfcDlmhTQpvPGowV9l
OtMMn27KyQsqvi+sbAEAABCQcLkL369iynl1MTn+yRKbfPz3D2faLfReLx+t7X+6gU05cCmSv5yx
qzEryylQSJPCG48691FsajFBRH1PBDr2eQXbTQAAICDhcpdKn7Kbnc3LxZaz71/vRlY3iChU5554
5egLB33503znVOP4Nw+zpZ797YNLd1Z1l8MSiFCde+o/HXv1cb/ux3ns1PtYnVJEq4UvtF6Dv8w0
vfQ/Xa+/cN5eAAAgMtxnVDrZsnkdtu9+vslkwvDttYuzK0QUi6c7x26G/zgU8rtDde7wHx+dWkyE
76zOxDaIqKPJ291aE/A62FyjHz58LRzRXWBCkrv+YebCt450NPkCHsfo7x0c+UpL+M7qzNIGW1TI
72qv93S2+LzOTLY6cW9d26CiDGg2su5kKudvLE/Or3c0bS7caEpuybJss9nYX6Ox5S8VAADoEi53
4fiQmC2b12kf/Ox+kwm9jvsXZ5bZ8Gws2fHXN0a+eqC3PUBE7Q2e9gaPZvpoPDUQvnfuo6jJMudW
Nzr/bnrodNPAyUav0+512rtDtbpTTtxbG/z53KU7q7qF1w6bj8oaCEfCf3JUNRnfewoAAETGe+7C
zoY3/+f5gGi9bLltG7F4+ttv3Rn61XzPsbqeY3UhvytY7YpL6ciqNLkQH7+xNDYV031wi0ZCkl//
+dzwuws9x+q6QzUdTb5glTPgdbBFTS0mwrdXx28sXc3+LpJh4YtsdyGiS7dXw7dXuw5XF5ySZ2hc
AQAQgu3UqVOVLgMRkTpBYcNyVjqdTqfTf/VXf0VEz/67u2JFhN3ivS8nieiVV16xZ9lsNmWAodxU
BmkNAAA/eG93YTaPHAKezQOfkJoAAAhKjNxlE3pRQOkgZQEAEJFwuUulCwC7C9IXAADhCJC75HTX
RbsLlIiSteT3bgEAAJ4JkLsQ+rvAztDtlgsAAJzjMXdRGlq0N0gT2l2gZMzvJ0I2AwDALR5zFzV2
CFEymPfOpCpaHNg9NImLksoAAADn+P09I9zCCjvKlkv9fgVLBQAABfH4bDrKfTwdG0in07Ie9bza
C0wAen1y87Gn0pFxDxgkNAAA/ODlmpGma4v6h/GUvi+6s6gnwwEGdOVfGNJtdEHiAgAgBF5yFxPm
WYvS9IIDDJhQJyXmGQwAAHCO99xFfc+R7ih1Cw2ACU36QqrcRT0BAABwjt/cRX0VSZ2gGL1Puf1d
cBzay4wiwejyEPrqAgAIhN/chUxbVmx6z4DBUQcY3UjI77Rr9CYAAPCMo9zFlv8kurxOu0Z5jPpf
o2tMsHeYx4BRvmKe8QAAACc4yl2MGHV50c118ieDPcgkBowuDyFsAABEIUDuQnoXhtC4AtuBu6AB
AMTFV+6i3PxsMg0eQAfbp8l9jYLKqG0PAGCXEesUjovcpajDg3r74rgCxbJeP8WqyQAA26E5nnL+
BVjJ3GX7J7ucb1wQF0ILAPYyzm/grdhvMZpnJ3xuLNgjEH4AAAyf1zcq0+5iZVsofXL53HCw+xTs
/gIAsJtYPE/j8OH1FchdCh4YzK+64XISFIQgAQAoyPrD6HlLX8qdu5gcVDSjtnnui1NnKAhBAgCg
fvIIGScxXKUvXNxnRLlHEaNhAAAAKBXd56VxlaMY4SJ3URIUNqD512R6AAAAKEg3HTH6jR3+05ey
5i66OYduvmIxiQEAAICCzDuSqn/5WP1v/kI4yWkq3O6Sn6kof3UTFyQxAAAAW5N/YUi36cXol4/5
wcuz6WRZ/sEPfrCFGQG2w0rNRLxBqSDeoGyKSjv6+vrY9JqUhdv0pfL9XdQVta2treA0ADtH098e
YEch3qBsTFKQ6enp/Juluc1amMrnLmT8ALqt9dXFFwGomVc/zc9j6d4liHgD6xBvUDbWg40K3QKd
H1c8Jy5UztxF9/EtJo/NNXncC3rAgHUW66TmJCOdTus+ZhfxBuYQb1A21hMOTXKs2wlXM7FRp11O
2mM4bXfRrb1WbkFCVYd8ujcBUl6XNE3wsMMJ4g2KhXiDsikYbMqwemx+/qGeQDMxnzjqq2syrGmk
UQ+QcT0HUKirtPqvzWZTn/KqybKsHE4Qb1AUxBuUjUmwqXMU8064mmBDX93CNI0uuomLEc3sqNtg
RF2B1XVbGVBXe03gkV7eTIg3MIZ4g7IxCjYNMk1f5Nybovlveqnw70ib1Mb8xCWdTmsGKK/Cl6X4
IB7dw0Y+dWSa5MqINzCHeIOyMQo2u92uDKgnlg36u8h5z3SRjZ8BU3GVb3dhNNVSU29ZspLOUt5U
hjV1G5UcGPUZCamqt91uZxWbiNgAq97qcw51dCHewArEG5RNwWBLp9NsmI1VMpii0hducZG76NZJ
TR1WanIqlWLDbECp9qTKeCqxEsApm6pxXl2NHQ6Huj6zrgbKsUSJJSXMEG9gBeINysYk2JSshUUX
G1anL2wgv2VFlPSFi9xFQ85rR1Vyl5SKJqdRn6AAqKlb6e1ZqVSKVfJ0Os2OK5St2+y4ouTHmmBD
vIE5xBuUjVGwORwOh8Mhy7LD4VCmlHNvJtJteuE8ZVHwmLuQQaPLgwcPdCdWTl8ACmJntKlUioic
Tic7kLC/pLpPVZblWCymuwTEG1iHeIOyUQeby+VSsl6n00mq5hl1BqOZXaBI4yV3yT+fUKcvbJdU
pGCwi21sbLAAczqdrFlVOSNhrfQAJYR4g7JhwaakKbbszfnsTfPERYgkhpfcRUO5sstqtZJLEtGz
N/ZXtGiwG7x3bIGIkskkOylR/rIaq/QzIMQblALiDcpGHWyUe/+R0ugiRHZirvK5i5zbUVfdbU1W
3WG02e6CC75QCrIsS5KkblNlvRBkVe9IIsQblAbiDcpJkiRS3SzNKE0v6r4vRp2oOM9vKp+76JJz
5eQuqNxQIslk0uVyqeun0ncS8QYlh3iDskkmk0SkZC2s364az3mJFZzmLow6ccF5CZScJEnKSQlr
4WM9KFOp1GbdRrxBiSDeoGwkSWIpC7vniP1VrhmZU996bTS24vjNXZRNrNxnVNnywO7DjiWsStuy
j6GkbHd91rAPUCqINygblrs4nU71LfdslJX0hX881hZNlxel9SU7upJlg91EkiR2RqJ+EiVl0+XM
RIg3KBHEG5SNJEnqxEV9MCXVI3QrXcyt4zF3YTTbOr3546uo3FAaynMOlSOK+ilh2akQb1AaiDco
G81DXCnvkCo6fnMXRn23EQ/Xg/0ue/RPjhBRNJmu/4dbuqOYjh99euVhUnchr7bVjJ7eR0TDH8Ze
n3xIRH/xXGP/o7Xqd8x57LbonxzxOmxEFPy/t+fi2offHK9z9Ryq6jlcFap2Btx2IoqspyYfJsfv
rI3NrCbShhvRZAXVnx5+Mdi5z0NEMytS148js6tS/hYwMXE/cfriPStT7ijNc0vT2ce051ygRLwh
3kqE83hDsNGuDrZdk7Uw9sKT8EG4jT7cUW994pHry2ygr63GyvQ9h6tY3b7w6bqmbvtd9r/s3Df1
zYPDn6nv3OcJ+hxeh83rsIVqnD2Hq0ZP74v80eFXrX2KLr/LPnGmhdXtqdhG58V7rG6LSKnb6gds
MIg3NcRbSeyaeEOw8c8k2HYHfttd5DzZEZUtlsFw3r/dB3zPN3reuZ8wW4icGb6ymJyKbbT7XUGf
44Um76W5uHkp2HkMEY1cW1Z/bmu1M/xiMFST2a1TsY0Ln67PrEpeh62j3t19wBdw2wNu++jpfV1N
3j99+35xK0jU7HWEXwy2+11ENLmY7Pq3SGxD55QxnpJHri2blH9qaYOHpnF1XLFKzvrhc9S/CvGG
eCsbBNvuDTb9g6nIOM1d8jeu6h1ODiayUf2Op9Jeh52Izp6qN2g81FnIyPWls882ElH/ozWX5tZN
StDsdXQ1e4komkydv7OqvO932Se6g0Gfk4hmVjb63r6f/zXxnSf9w59pIKK+R2qiydRrlxetr2Cz
1zHRHQzVuIhoYiHe9W+RvObZzS3w2mX9H5/iironuPF5MOIN8VYa3Mcbgm0XBptusrIL0hfurhnp
btOcN+VKv0xKQkREMyvShbtrRNS533umxWdxIaM3VtgbPYerPDabSQGUptexmVX1+6On9yl1u/Nf
7l2KxPPn/d4HsZ7wHJt94HH/C01eiyvYWuWcfOkAq9vhyHrXv0YSKbm4jcPVKxtX6svA6tMUjlYE
8YZ4K285EWy7I9jUiUvhA6touMtd8om4fQd/m+mSdvbZBouzxDbS47dWicjrsPeGqk2m7H9M1aaa
dbzO1XMkM1dPeD6/g5vi/O21kWtLRRXveJ1r8vcPsO+O8VurX9Y5KdklBG1QRbwJSsR4Q7AJSrhI
MydA7qLFR1arX5KsK4tJVlfb/e5XWqstLkGprv2P1Rp9+vONHnZ+MBVLXllMKu8PPuln847fWlW/
r/savJz59ulo8JwIuM2LdyLgnvh6S8DtIKKxmyvfCs9vceNw9WJltFKZ+Sgq4q3ojcPVS5R4Q7Bt
beNw9bIebCITMHfhJDT0S7I5auDXmWuiwyfrLS7k4qdrkXWJiDr3e1urHbqfrpyXnP04pn6/+6CP
vT9ybangKsQ2Uuzbh4i6D3pNyvb8PvfENzJ1e+Tq0rd/Pr+NjcPViyj30dfK37znYXNRVMRb8RuH
q5dOvKl/4JebeEOwbW3jcPWyFGx6sScSAXMXLgLDoCSqUbMr0uiNZSIK1bhebauxuJCxm5la1/9Y
Xf7yPTZb79FM2+nY9Ob14GaPg7V5EtHEfMLKWoQjmR5zXc15F62zzrT4wmdaWNe84d9F/2zi/rY2
DlcvxJtMhHgr/07kPN4QbFvbOFy99gZO7zPaHQYvL/YerfY67MOnGsZumj00STFydWngCT8R9R6t
fv032n7yPUeqWGUbv7Wqvn8v6HOwgci6lHNfn7Gp2AYbUO451Ai4HRdebMmuyIPvfRCzslhlXvnV
NpMJen4aOX97zfoCwQrEmxHEW8kh2Iwg2MoD7S7bSGkLjZpbT41cXSaioM/Zf7zWykKuxjYmFxNE
FKpxvdCs7Sfff7yOzTRydUn9Pnu4JBFFk2mLKxJNZr4FAm67ec4eWZdGri6XPt/nZz+KUs5CoxBv
YuxHbstpUoy8UQg2TndisUUVlojtLpXdObLBsP6oocnF/uO1Xod9qKN+5OpSIqVbuXOMXF0aOb2f
iPqP116KbD4Lodnn6Ar6iCiyLl28q8nrTUpV7IpkhuOpdDSZDvqcQZ9z4qUDnW/djSULnvRsznv2
I7NTmalYstL70TrEG+KtnCpYTgRb4WXurmATmIi5i0hiyfTQ5MPhU40Bt2Ooo/51ncclaY3eWD77
XKPXYe85Uu1x2JRvhL5jmY5sYzdXNLPknGdYk3M2oyeekjvfujvx0sGgz9nud0+8dNBaDc/Ma2VN
oeQQb1A2CDaoIFwz2mqLnOVRZz+MRRMpIhp43O932QsuJCHJ47OZZyH0HN68BbH/sWyb6tSSZpbI
WuaBB0Gfc/MjTF/tdW42y8yyZLQWs8tS5z/fjaxJRNTud4fPHCi8cE72kcWdiHhDvJVzJ/Ifbwi2
rW0crl57g4C5i2gSKXlo8iEReZ324VOWHpc0cjXzeCXlGvDz+z2hWhcRTczHr2Z7oinm1lOsEhJR
536PlY9gLbREm33ydc2uSJ1vZWp4R6Mn3H3Ab/nsByoC8QZlg2CDShFwV8lyhV8mJTEY9caHUVZD
+tv9zV57gYXI8qV762z6rhZfa7WDZHmzI9tUTHeWC9mLxP3H6wqugt9l62nN3I544c6q+VrMLm90
/vOdnBrusm1l43D1QrypXoi38u1EzuMNwbangk1kIuYulX6ZlMR41OB72ac5nWq0si6j2R+O7z1a
47Hbeo/WEFFcSo9Nr+hOP3wl8zTJntaaE/V5T5PUTJwtw+SDxJUHec+pzCve7LLU+UNVDf/6QY/d
4EdJ+NlNFnci4k0mQryVbSdyHm8Itj0VbCITMHcR07nry1PRJBH1PVbX0VC45XNkKtOVvb/d39tW
43XaiWh8djWvM3/G1djG+Gymm9v411qasw9FyPfyker+xzPP2B6Y0PuleD2zKzk1fOKbhzwOIZ/G
uEcg3qBsEGxQfshdymcw+yDt/va6ghPPrkgT83EiCtW6hp/NnEmMTC2ZzNL3s3lW/UK1rolvHnoh
e9FX7TvPBMazD2U6+0H0kun14Pwidf3oLuua19HoCX/jIGo4zxBvUDYINigzAe+Rruz1PM1VT4uj
iIjo/OzK5INER6OHnWew6UxW5+wHD8e+0kJEwSonEUXWpEv3zB7XGEukOt+8HX7pUKjWFap1hV86
OBVNhu+tzSxnzie6D1UFPJlTltFrS69NLBS3gkRXo8nON29P/MHhgMfR2eQNf+NA11t3N8+WstN7
HbbvFvoR19ezX3a8Q7wZQLztiArGG4JtrwWbyATMXUQ2MLEQfumQxYnHZ1fjUlr5Lhi9bnZewsyu
SB3/dGvk8029j9QSUXvA3R5wa6aJJlIDEwvnri/rLaCwq7ENVQ33hV86mFPDiYjI67QPnihQvYd+
s2jURAylgnhTIN52GoJNgWArAwGvGfHTE6qoUTKRTJc+XQ9/umZxXRKSPDa9+aSmkY9iVooXS6S/
/dNI+/+ZGXz3/sRcpkt/XErPLG+Mz6z0hSPBv7l57prpY7ALFe9qdKPz/G3WvtrZ5At/Q9W7TZT9
KEo5zXcH4k2U/ShcOYvfTQg27nbirmY7depUeT5JVrXRsWFZlmVZTqfT7O+5c+fa2trYv6lUKpVK
SZIkSVIikUgmk/F43OVyEdGzvyl8PRXA3Hsnl2RZvnbtmtvtrqqqcjqdHo/H4XA4HA4iYuFXU1ND
iDcoBd14czqddrudEG9QUu+dXCKia9eueb3eqqoqj8fj8/m8Xq/b7Wbfci6Xy263O51OW9b09PQr
r7xiV7HZbOwvQ0Tsr3qgsgS8ZrRn7l8HLiDeoJwQbwAWCHjNCAAAAPYwEdtdKl0A2FMQb1BOiDcA
C9DuAgAAACIRsd0FJyZQRog3KCfEG4AFaHcBAAAAkYjY7lLpAsCegniDckK8AViAdhcAAAAQiYjt
LjgxgTJCvEE5Id4ALEC7CwAAAIhExHaXShcA9hTEG5QT4g3AArS7AAAAgEhEbHfBiQmUEeINygnx
BmCBgLkLH/xue/S/Hs9/Py6lI2vSRGR97PrS+ZsrmrGvtvtHv3aAiEY+ePhn4YjJ8v/u9w70PuYn
ot6Ld//++lLBz6Xsb8FPLsRHPoxeurumO40yezSRqv9f18zWsPhZ/G5776N13a01Hfs8AY8j4HFE
E6mZpY2JufXx6eWLt1atfNze8Xyzt+/xQGezL1TnCngccSkdTaRnljcmIuvhu6sXbq0mUjmHMZNd
rzERWT/9jzNGY4vdTTsXtKyyTN5PjF1fGp9e1qxvwdnzaVbcaMZoIhVNpGaWNyYXEuG7q/n1FEz8
5Vdb+h4PsOHQuRuzyxsmE5dkF2gWcnZy8bVfzJlMr8QhEcWltG/kqu7S8r/QNB/UMTZ95X5C9yOU
SjF8+f7rby+YFAZ2iIC5CyenJQbF8DrtoTp3qM7d+5h/ciHe/eatubWUzlyy5RXRTGk8l9dpb6/3
tNd7eh/zX5hd6Xnrjs7BwNqiip3F47ANf66p/6mA15lzFTLgcXTsd3Ts9/Y/VR9ZlQZ/NX9uKmbt
U7mxA/Hmd9vHug92t9ao3/Q67UGnPVjt7Az6BjoaiMj7P6dy9mBRJdGbeIu7aceCVqksPW21M0vJ
nrfu6B8qtrziBjOyjC1U5+46WD3Q0RBNpEY/jg3+at4oeSorDopgwuOw9T5ap/zb/2SgwJG7JLsg
973eR+te+7lh7uJx2Hraas3KYBIhuf8On276+pu39T9mC5UCSkrA3IUzcSk99O595d9glbMz6OsM
+oioY7934j+E2v96eie+EzWfyz6662BVx34vEXW31oy/dMiw4pVUc5Xjwh8cYZ9LRNFEKnxnbWZ5
I7ImBaucoVpX16GqgMcRrHaOvnggmkydn97rp7nhP2xVNtdEZH0isj6zlCSiUJ27Y5+nM+hjuYXX
YdONnLiUHvkgarL8qYc6GQAPu8akz8QAABlZSURBVCm/snTs83QdqiaiUJ07/IetodEbsWTaZPYt
rLju5wY89o59XrY1Ah7HQEdDT1uNYfIEWT1tterEt+/xQrlLVgl3QbDaeeZItVE7bu+jdZrUfMu6
W2ueb/a+MxcvydKgtATMXTi5HpwtRjwlf++9+5qRZ45UX+hpJaJQnXvgRP33Lj9QZtscsLgicu6U
pp9LRC+31Y7//mEi6m6tOdHo1n4R6C2qcAGMZ/E4bOFvtbY3eIgomkgN/Cxy7mOdlpUzR6qHP9/c
sd9LMjd70KJSl/bPOxrY93VkVeo+P5v/Te1x2LpbawY6GuJS2mjXv/Yzs2s3+ba3m3Y2aE/s84T/
KMROxIee26dzSr3lFS9UWfxue98TgeHPNbEWoPAftnb87bT5RZAdx3ftGDhRzwbGrsV6H/MHq50v
HPAZXaEmKtEuyC5kajHB0uv+pwIXZ/Vz6/6nAkQ0cW+tY783k8RoNqnJF5pSWinN5j37xebT/zCj
u2KGC4GywH1GO+LirdXBX2a+gpUrr+Vxfnp57FrmsMTOaHfU6IsH2BFxZinZ8bfTukdEIrp4a/Uz
fzetbJO9rP+pzLd/37/d1T3FTKTk89PLX/5/syVsruN5N125nxjIZiQ9j9SaT1xasWT6jcnF9v/9
CWv3CngcLO8HXa21rs6WKiK6MLsynE1E+p+u384yi90Fox9HiajnkTq/W+fgpZRw5IOH2ynVzNLG
hdkVIupsqTpzZMe/RWELBMxdZG5epkUa/2SZjcyexebOtZ3lF9oUE/fW2figz1lssYsqyfGAW8nM
en54e3Zpw3w533vvwflPliu/49RrVPZ4C9W52IIvzq5uvdjFzFWC3bTDQXthJnMOHapzl3DFLc44
u7TRPX6LTdWx33vmSHXJd3oF462ELyXtHnn/4ZWFxNRigoh62mo9dtuO74KskfczSUlPW61RCeNS
euzqktnnWhg1mO0OfPZLQbP1qvROMVu7XU3A3EUQkVVJGfY4bOX86GBV5lKg0eX/Uhl8dh8bGP9k
CR0FLFIuxpctKvjfTXFp8xu3zJWFufowOXY10xa1zYaEXazviQARRROp89PLRDTyu4dE5HXaex+r
KzCnBRZ3wezyxsS9NaNpWAnHPzG8Z826K/cT458sEVF7g+eVUqwglJaAuQu7lF7xlzq/1ZsgWOVQ
xidYx4X8a6tmyzeYrNDneuzUezxT0yburRU7e1Fr2nWoir098v7Dyu+R4nZfxeKNna0SUd/j/iLL
XPy+K8lu2vmgba93s5HRRGqzsmx7xYuaceR3i2zCrkPVJd/pFYy3Ur1eOOgLVjuJaPyTJfZOTqqx
o7sgdyEsZ+psqWqtdeqWcOR3iznb3HqRckcNXMpcyhz+fJPxDq38rjEu224mYO4iiJ5HMgnE5MJ6
eT7R77Gfaa2Z6D0aqnMT0cj7i1cfJnfu45qrnOyDiCh8B89usWr0o8ydMiNfPfAXX2k5kb3xZ4cI
sZuGOvezAXZKXRHKldaAx9Gava4Hiv6nG9iActVmbk1iEdXZUnU8m31uh8VdMHY1FpfSlNf0wkoY
Wd24dKc0UTS7tDH60UMiCtW5X30iUJJlQqmIeJ9RpQvAaK535jrTWjP8hWY2PDa1lDNx/hIKfpDe
XAGPQx54UneOmVjy7G8fvPHbxWKLbVgAvVmUK1OR1Y2ExMle2QGlXrPv/fp+zyO1rEdh/zMN/c80
xKX05EJ84t56+M5q+M5qLGFwk7CFXc/0vHnrfLa7VQl2U+mCVvO+x2HrbPENfnZfdyjTRXfo7QWd
j9jSipt8rq6EJEdWN4LVLiIK+pyzsQrdbcRlTfI4bKwb9Uws+c69zZOxkSuL7IaA/qcbXrukdwtY
SXZBbiwlJHn8k+Xe4/6+JwKv/2JeU8LRj6LaDzL6N79IeUE7+PP53sf8Xqd9+PNNY1OxzUtRW6gU
UFIC5i6c8Tpt38n2JyCiYLWzs8XHjkyUTSPKXKSZpY2ZpR3/5g14Mo12UaNjLRg4PXbzu19oGvhM
Y+Y5Lk57Z0tVZ0vVwMlGIgrfXh2amC/VuSNXuyngdcivGSYffRfvvhMpUyOlrmgiHawmIgp4HIWm
3Vv6nsg8z1C5h5EZ/2SZ3U7ce7xOP3cpksVdMPL+Yu9xf7Da9cKhKlZTeo/7WQmVZqGSmFuTRt5/
OHCyMVjt6n+mXv+EECpBwNyFk+t52WJ4nfbhLzbrTjI5v97z5q2ElM6fi+RCK6K5Xps3HJfSA+F7
6jkCHkfHfm/Psbquw9Vdh6vHbyx9681bVhe7lZIYTLPL7Myqvf7zuaFfzXeHanqO1XW2VLEbmJmu
w9Xhw0dHriz+2U8+1S1JXEqf/Y1ZQjz1IJ4TaXlLKE7pgtbIxL213rduzxol3Ftb8SLLoPnIioU0
l1Wp/5nsHUZXcrqSJCR5/MZSb3sgWO0601p9cSbvmSsl2QV5C7l0e5W10PQ/XX/p9qpSwol7a7Ox
vAvlms81KZLeqKG35/qfqfc67UOdTSNXFjNNL9YrBewMAXMXvsWldGRVmlyIj374MKf5uvQfJH9f
7wzD77GP/0Fr1+HqnmN1/70r+JrpD9BsRzSR+a0D5cweipJIyec/WWZB4nHYWN7Z92SAtZn3n2iY
Wky8oddoF5fk101/z0WNq90Ul9KD2UfPeZ2ZVWbNTgMnGwvGalErvgWbbVTxlPmUe8rxendHk49Y
ZpCXX468/7C3PUBE/c806OQuRbK+C0Y/jA4+t7/nWJ3HYQtWOzOPdblS+naRWCI99Pb88BeDAa9j
6HTTjkYgWCdg7sJJjpstRjSeqv8fHxc7t9dhs7gi8Y204bVVvSXE4ume87OR/nav0z5wct/Qr+Zz
+k9sre+C3nBkJXMTeLDa5bHrP71+NyjLaiUk+Z176+/cWx/61fz4y0e6j9YS0fAXm99QNzNs6RJ7
CXfT9oM2Lslv5Dac+D328Zdbuw5XD5zcNxPbeEO3WWXLfQuKmdHjsLGskdgDDioVzvxVo/5nMr10
Rz94mF88pQmk51id323X9tYqyS7QW8jIlcXB5/Z7nfbe437WbBmX0mNTMZP+UoWLZDDq7OUHg5/d
H/A6Bk42Dr+7YLaOUC6VPxXbU5STCa+zwEMslMu9W+imEEukJ+czv8Gxc4/WnVuTZrLNs12H8ejJ
0kik5N63brPbKLxO+/Mtvm0ucPu7aUeDNpZI95yfjaxuENHZL7eU5HaVrVH6qEXjKcOrV3tSb3vm
wYYjLx6U/9tT+S8l4eg9vq1niBe1C2aXNiY+XSOi/mca+p4MENH4jaUdOoNKpOSht+cp00MguBMf
AcUSMHep+N3z+bfRW56FfUcTUXuDx3xKpQNEZHVjC5+rfFCw2rmF2S3OEr6duee2/xnjBzzw+eI4
3mLxlPIMmFCta7v7btu7aaeDNhZPDfw003Pr7JdbCuyvLe/oQlP2Z3+pJ3x7pfS7leN4M3+daa1W
UpOCBk427tQu0FvCyJUHRNR5oIqVMNMXx8rnFhyV9/4bl++zitB/oqHZ5zCZsvKvvUHAa0YiU5pD
Opp8fk9e+2pWc5Uz5HcTUVxKX13cyoNQla+buLSDd5cMv7vQ91Q9EfU86j+x33tlAT+4WmJKb5Xt
2OZuKkPQ/v3V2PCXkiG/u/to7fMtPvVduOVxvMHDOm3QzvSZEFf/icwFo7Gp6Ex+N9is3vZAyO9u
b/Ru+XtgC7tgbCo28uJBdntRZHXj0u2dfXzR4M8io18/TETDXwqGb5f+V9ahKCK2u3DzKr5ICUm+
cDPTgXfwuf1Gkw19rolNc+Gm3q//FPrcZp+z80Cm9XXqQWL7xTaa5eqDxNjHmSetjfe0tta6zJfz
3S82v/xIXeV3nHqNyh5vx+s95hO01rpY10id3belUm1zN5UnaIeyPwA5/EW9n4/Z8u6wMGNrrevC
H4XYVJPz6xdvrpR8p1cw3rbz8rvtPY/6iSgupft+dOf1n80ZvYbfWWDF7z/RsCO7QG8hCUkemVyc
nF+fnF8ffmehiM/d0qhzH0SnHsSJqO+p+o79PrOFVPa1NwiYuwhOqeSDzze9+qTOsxr//FRjf0cj
Gx765Xyxy/d77OPfamXDmgdJ7YS+f7nDzsZCfvfkq4/qrhERvXys7uP//Ojg8007WhghTPzHR/7l
j0NnQjW6Y483eMK9bWx4cn69VB0vtrmbdjpoiejch1HWJt91pGb7vXws8nvsf36qceq/PMZajKLx
VM8/zZbno4XQl/3xxZzHsukZm8okx0rbiUXb3AWv/fu9z5y78ZlzN964XI7HaA3+LJNh93c0lOHj
wISI14w4SSxlg+ECLt1eOfvewsCz+4lo9BuHhz7ffOHmsnJc6T5ay+owEQ1eundF5/cEMp/lddq+
89w+9YiA19He4Ok+Wqv82l//v97JK9vm7N/9kv5jaZjwrZXsHY9ma5pIyZ1/fSPc29be6A14HaPf
OHz2KwfCt1dmYsnIqhSsdob87q7DNQFvphdnXEpxswdJlmXdv+qBkpfW67R1H63tPlobl9ITn65N
zq9HVqV4Sg7VuToPVHUeyHSnjUvpvh/d1t34BfcdEb3+s5z7jbe5m0oVtHnDOYZ+OTfye4eIaPhL
wS///XQpVly/sgS8jmC1s6PJp7RvEdFMLNnzTzOzSzv4MxqaSGPUo9Rl5oFywWj0g0XzgsUSqQs3
l7uP1ga8jpeP1Z6/ofyMc0l2wRa/bA1mMVlagQ86fyM2Ob/e0eRTvmO3WqQdpxts+d91NptNFrOL
jIC5CyfbeRu16bWf3puJbZz96gEiCvndygmrIi6lB37y6fd1L/pmP8vrtA+/0GL0EdF4qu9Hty/e
zH9U1Obs5q0gXoctM3uhNZ1blTpGrw+/EOzvaPQ67QGvg7Uza8zEkgM/+VSnSJVjs1n4yeJSx1v4
1mp3Wy0ReZ32riM1XUd0GmCmHsR7f3jrynxuvwHL+46Ihn4xpzlR3uZuKknQaodzfX9ycehzzcEa
V9eRmueDVe8ov2205RW3XFlGP1gcvBTZ6fv8KxJvW3aiydve6CWiyMrGpVuFu5KM/m6R3dvff6Lx
/PVs7lKSXcBL6kJENPCTT8PffiRnMm52mZqlYBOZALnLrtwHb1y+PzYV7XuqvvtobXuDh53vRuOp
qcXEhZvLI5MPDH/UxlhcSkfjqcn5+Pj12NhUdAtL2LJESn7tp/eGfjnX2x7obqvtaPIFPI6A1xGN
p2ZiyYl7a+PXY1xlLUbKEGxf/8ebfo+dNb10NPlCfrey92diycn59bGp6A5tq23upp0IWo3hdxZY
ejT8QvDLY9MFp9+aaDwVTWS2dvjWqqqRoNx4/nJT0lPlepC58etL7PcButtqm6udc6uSycT87IJi
Xbq9Gr61onvKwTmeg20LbKdOnSrPJ6kbptQNWel0mv09d+5cW1sbG06lUqlUSpIkSZKSyWQymVxf
X3e5XET07I/xE6+wXe99bUOW5evXr3s8Hq/X68qy2+1ElE6nNzY2amtrCfEGpYB4g7J572sbRHT9
+nWv1+vz+bxer8fj8fl8brfb7XY7nU6n0+lwOBwOh91uZwnNzZs3X3nlFbuKzWZjfxlSpT6c5ECc
trvkbx3VO1y20IGAlJqp1GH1qOwg4g1KA/EGZWPLlT+2IqUqIU5zF8rb9JvbGlUbSkQdV+rzDFmW
2QkxEeINSgbxBmWjCTbzVEZEwtwjvTs2N3BF0zqqHoV4g5JDvEHZmATb7sBvuwuj08SK8xIoEfXF
Xc15cDqd7XaKeIMSQbxB2RgFW6XLVTL85i6aBi673Z7t7YvKDaXhyLLb7Q6Hg9VwImL/ZqdCvEFp
IN6gbNTBxsJsl10z4jF3UTauelvb7fZUKkWEqg0l43Q62WFD6XKvdDvYvC0O8QYlgniDslGCTd36
ojm2VrqM28Jj7sIoW1Zp+2K5y3tnSvDrdABEpL5dUH0eLMuych6MeINSQbxB2WjuhVZaX2i3dK7i
N3chVWcXh8ORaXQBKB2lerOKzQaIyGazpVIpQR+VDdxCvEHZaHIXpalvdyQuxG3uormhi216l8u1
sbGRTCbZA+ukrFQqlU6n2TPu1D/ZsGt2EmyBEgDqKGKBpNRqt9ut/pedCrOTYJvNJqkkk0nlYYmI
N8iHeIOyKRhsTqdT9zF0u6nLC0e5i7IzKLtv2C5Jp9Nsryi1l03P9pbT6dSt2wBMfvVmYcNqtcvl
YheG2V8Wful0Or/HlSRJiDcoCPEGZWMSbE6nkwWbpn+VkrioByq9HlvBUe6ixk5HlL1CuT+7qrTE
sIrN6rb6dwaUhVRwFaCy1GGgVFGlp6RCfSBRjiUsY85v+UO8gRHEG5SNlWBT0uX8phfaFcHDae5C
uRkla1ZVEhdb9rYj9RkJe0ACzktAQ6muypmH+l4P9YAyMXvOaSqVUs5UWI8rxBsUhHiDsjEJNiWD
UXcMV46qlS54CXCau6hzScqmmU6nU9M+ls6SVTQLgb1JEwmaxlWFQ/WwDSKyZ38bT8mP2XA6nUa8
gQnEG5SNlWBTZzDq93dN+sJj7sJORCgvg6G8O4+UplTlpIRy9yuAuo3Unr2tQzl+aM6AlYlZUx87
nLCWP8QbWIF4g7IxCTYlg1FyGk3WInr6wlfuomQtlPt8F8pWdVaHlatI+X3v2Szq1Af2Jk0MKJVc
fYKiaW5VJlMOGKzTFQswxBuYQLxB2VgMNnVLjM3gmpG4UcRX7qKwZfvqsn/t2R8EsGXvPJKzv7yq
W7eVhZS94MAL3WDQnOzmU8+uHEUYxBuYQLxB2VgMNnvejxmpJ6hIyUuI09yF8tIXymYw6kpOuZ3X
0JoKRtTnKOrqTXl1nvIOJKQKM8QbWIF4g7IxCjajdHkXJC7EYe5iy71sJKsewqNbsSmvKVW9qHKW
HLhiFAzq2ssqs5y9G18zsW6iTIg30IN4g7KxHmyaAcoNG6FDiLvchYzTl+npacrbbeb/AlBeFc3/
V9Z7SqlyING8afIvACHeoIwKBhv729bWRrsocSE+cxfS67TLKvapU6cotwKbVGbR9w1sh8XAUIY1
hxP1v4g3KAjxBmVTbLBdvnzZPMUREae5C+WmL5R7kVgzmeYdnJoA5bWjWplMHTnKbflG0ysQb0CI
NyijLQSb7vtC4zd3odxzFN33zecCKIqSHCPeoAwQb1BOuyxyuM5dFJo+RxbPPHbZroKibCdING8i
3qAgxBuUTbERonvJQnRi5C4au283QMmVMEgQb1AQ4g3KBhFCRPoXWQEAAAD4hNwFAAAARILcBQAA
AESC3AUAAABEgtwFAAAARILcBQAAAESC3AUAAABEgtwFAAAARILcBQAAAESC3AUAAABEgtwFAAAA
RILcBQAAAESC3AUAAABEgtwFAAAARILcBQAAAESC3AUAAABEgtwFAAAARILcBQAAAESC3AUAAABE
gtwFAAAARILcBQAAAESC3AUAAABEgtwFAAAARILcBQAAAESC3AUAAABEgtwFAAAARILcBQAAAESC
3AUAAABEgtwFAAAARILcBQAAAESC3AUAAABEgtwFAAAARILcBQAAAESC3AUAAABEgtwFAAAAROKs
dAGKc/ny5UoXAQAAYNeSZdlms7G/RmPLXyoNkXKXtra2ShcBAAAAKqzy14x4yOAAAABAwfmhufK5
CwAAAIB1vOQunKd4AAAAu5X6ECzE4ZiX3AUAAAAqRYiURYHcBQAAAERKX7jIXQTaXgAAALuMchRm
A/wflLnIXUiELQUAALBb2Ww2URIXqlTuoknxAAAAoFJ0Exeej9SVb3dRNhkAAACUnyZx4f+4XMnn
6rKnDivDRDQ9PV3B8gAAAOxBtlzq9ytYKhO2U6dOleeTlDRF/a8sy8pAOp2W9ajn1SwEAAAALMrv
k5vPbrerx1JeBsNDQlO+dhd1K4vyL9sE7P38zcGmUU/GwyYDAAAQVP6FId1GF54TF+LktxjNsxal
6YWTTQYAACAudVJinsFwq/K5i5KdGGUwNuMf4wYAAIBiadIXUuUu6gm4xVFfXSVBMXqfcvu7cL5l
AQAAKs7ouGl0eUiIvroVbncxaVlRt8dobkcCAAAAK3SPm/mddo3e5FNZcxdNd131m+reuLp5jPpf
o2tMAAAAoGZ+xDTKV8wznoqrfH8XMu7yopvr5E8GAAAAukyOmEaXh/g/yHKRu5DehSE0rgAAAOw0
Pu+CNlfu3MWoKYVU2wtZCwAAQDkVPOZydVCuQLuLSfqiTKAM40G6AAAAO8F6OsJV4kKVumZUMH1R
T7nThQEAAAAjHB6IK/Y70hxuCwAAAFDj82Bd4WfTsQFcGAIAAOAHnymLgov7jHQf31LsXAAAAKCx
Kw+pXOQuGmJtQQAAAG7tykNqxfq7AAAAAGwBchcAAAAQCXIXAAAAEAlyFwAAABAJchcAAAAQCXIX
AAAAEAlyFwAAABAJchcAAAAQCXIXAAAAEAlyFwAAABAJchcAAAAQCXIXAAAAEAlyFwAAABAJchcA
AAAQCXIXAAAAEAlyFwAAABAJchcAAAAQCXIXAAAAEAlyFwAAABAJchcAAAAQCXIXAAAAEAlyFwAA
ABAJchcAAAAQCXIXAAAAEAlyFwAAABAJchcAAAAQCXIXAAAAEAlyFwAAABAJchcAAAAQCXIXAAAA
EAlyFwAAABAJchcAAAAQyf8HCczehfvYrTUAAAAASUVORK5CYII=
"
preserveAspectRatio="none"
height="287"
width="745" />
</g>
</svg>
Side by side

Before

Width:  |  Height:  |  Size: 20 KiB

BIN
openshift/images/sso_app_jee_jsp_logged_in.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 18 KiB

332
openshift/images/sso_app_jee_jsp_logged_in.svg
View file

@ -1,332 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
viewBox="0 0 748 290"
height="290"
width="748"
id="svg2"
version="1.1">
<metadata
id="metadata8">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<defs
id="defs6" />
<g
id="g10">
<image
id="image12"
xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAuwAAAEiCAIAAAAtSBDyAAAAA3NCSVQICAjb4U/gAAAAGHRFWHRT
b2Z0d2FyZQBtYXRlLXNjcmVlbnNob3TIlvBKAAAgAElEQVR4nO3dWXQb+X0n+h8KOzeApERCKyG2
WmKvolvtbspbsxN3RLuTNJ1k0vSZc29zZs65Bzn3IdSZB1NvfDP9dNUPd4Y+c5xQcSZmbjI3lJN2
JCdxIC9tdluyqXYv1NISqaUFUhIFcAVAADUPf6BYqA0FslCoAr+fgyMVgVr+wP/3R/3qX/8qOI4f
P04AAAAAdsNVuwAAAAAAW4EkBgAAAGwJSQwAAADYEpIYAAAAsCUkMQAAAGBLSGIAAADAlpDEAAAA
gC0hiQEAAABbQhIDAAAAtoQkBgAAAGwJSQwAAADYEpIYAAAAsCUkMQAAAGBLSGIAAADAlpDEAAAA
gC0hiQEAAABbQhIDAAAAtoQkBgAAAGwJSQwAAADYEpIYAAAAsCUkMQAAAGBLSGIAAADAlpDEAAAA
gC0hiQEAAABbclW7ABXE83y1iwA1wuFwlJwH8QYG0hNyAFBTSQz2IlAhktBiOxjEG1SOYsgBgEQt
JDHYl4CZeJ4XQg67FjAHQg5Ake3HxCCDATNJ4g3hByZDyAGI2bsnRn97RsuHcskPeRWjiOd5nXMC
aNPZy6IYcgA7k42TmJL7CexIYDvE8eNwODTCie1UEG+wTZKQ054TeQwA2TeJ0d6j6JwToCS2q8jl
cuI/xViACTsVxBtskySQ1JIV5DEAZN8kRo14F6I2DaCHYlIi2XMg3sBA4pATwgzJCoCGmkpihD2H
cHAseV5tftjhFHcS8p2HsI+R5Dc6O/8QbyDYWsgBgIQtkxi18ZWkkseUzGZgh9NzTw5h1It4+Iti
aCHeoCTtkGMxJgk5xVOZSG5gh7NlEiMnT1mEf7V3MwACeQe+4pGxYr+LzrQGQEx/yKnlMQA7XC0k
MZK9xfe+970qFgZqz1tvvcV2HuIjYyoE3l/8xV9Ut3hQewYHB8Uhh/ExAGpqIYlhcLALFSK/8BXB
BhWlGHJIXwDkaieJoeKTRy9e313dwkANuPTkA1JKWeSpDOINDKEdcgAgYb8kRm1EgrTZ41gZjCAP
LYfDkcvlpHkM4g2Mo9b5Jx8Zgx4a2OHsl8RoUEhlALZNPg6GRNlzFQsGtUoecshUABTVQhKjfBkI
9i5gEEm+Ih5lKZ7J9HJBzdIIOWQzAGK1kMQw0m4Y7FPAIJILXOV3iyFCvIGR1EKu2uUCsBx7JzFa
dxXDkTEYhOXHktt1CL+mJMxUpdJBDZKEnPAkrlQCkLB3EiMnOp1U1XJAbZHnMcLzhTmqVjaoSYp5
DABI1FQSU60xCgE3F/9mmIji6WzzxFy5ix9tcvcfrOs/UB9ucAU9HBHF1rPTi+nJO6sTt1ZTOb1v
JODm+g/W9e2t627xhPzOoMeZzOZi69mZxEZ0fn3y9trVpY3KFeatJxrGv9hGRGNXl/7svYcam/jB
l9sGDjUQ0cBP5/92drXd54z9aYfO9ygWmXrw3WvLW1iwXJIjYOWdSoXj7S+/sHvwcCObDv+v23Or
GZ0LBtzcwKF6FhVBDxf0OOPp7OxKZupBavLO6oXP1iu6uPnhJC45a5VM9z/evfI4rb2t0d/GT/9m
0QoBqSvkAKDGkpgiZh4Z8yrTpQTc3JmXWoWdkyDcwIUb3P0H6898Pjv0/qOzn65or8fLOUa6m4ee
bvI5OfHzPifHVtW3r270hdbpxdTw5UW1Hc92C7OFD4EvPLZmO8tuYWvaO5JKlsTLOQYO1Qt/Ro40
nf71op6lRo+3RI42SqIi6HF2tzi7W7yRo02x9czw5UXFOt3m4lULJ5WlRl9o+dq/xnRtyzIBidwF
oKQaTmKqlMXo3m5Hgyvatzfc4GZ/ziTS5++tza5kfE5Hd4unb19d0OMMepzjX2rrDfn+088fqK2n
3e88/9qe7hYv+zOZzUVjyZlEOraeDXq4oIfr2e1jr3a3eM+/tqf7h3euLEoPSY0qTP7TKPEhFH1c
8XT2zMdx+UxsVycURj7D1IOkabVcendSyZL0H6wXZxKDhxtOX36kvYgkKuLpbDSWnF3ZiK1nQ35n
uMHdG/IFPc6Q3zX+pbZ4Onvu9pqBi1cxnJSfJ+rbV/fyLs97D1Ilt2WRgEQGA6BHrSUx1RmjwIsm
9G034OGmvr4vVOciotnljcGfL1yMJSXzfOu54OiLrUQ0eLgpnsqdel9hv+V1OqIn93YFPUQUT2WH
3n909oZCh7bX6Rg83Dj8XDDc6PZxDkkhjSmM/g+heM5Uhj/1nsJbe+NgXX6fEd9QnME0ui4SqWS8
DT0VYBMTN5cHOhtDftcr7T55HQl0RsXJff7R463drV5JlW1z8eqGk/z5ZCbnc3FEdObzu068c6/k
GqwQkPi9JACdai2J2WRmT0z5Y3HGv7Rb+Jbv+ae78+tZ+Tzf+eDxTDw9+dU9RDT0THBybvViTHom
aPxLbWxno7EeIkpl+O/OJL47k/j2i63JTE5SSGMKs4UBSbzmQbbo7j/WvPbHnDFYHQ2unjYfEZ2/
uzr6weOBzkYiihxtunhfdTyKOCp6//ne3IryAJoLd9cu3F371nNB4ovKv+3FrRFOhenZlczsykbf
/vqeNt/Jvf4L8k4UnduyfEAC7EBc6VlsQvazA+Y+ytnu0SZ3f0cDm73/X+/Pr2XV5jw3tzr2SYLN
eeblXfL1sF1ayfUIj9O/enTlUboShSnvk9c5c7VqU14A7WCrZAkjR/PdMGOfLF15lJ6Jp4mo/2C9
l/WoyR6SqJhbzmiv/zsfxM/NrRq4uIXCqWD4V49UN1TWtkwISP0hBwC1lMRIscMy0x7lbHf4+WY2
7+TsypVHqRIz/yp/aUZ3q/dYs1txPROfLpdcT6ULI/oQDPqshG903vTalBe1evE2+GQjEcVT2XNz
K8TzbMfvc3EDh+q3X6HVXbzi4VRw5VFqcnaFiLqCnjcVPzc92zInIAGgHDWcxJj7KGe7ffvr2Lxj
nyRKzpxI5dj3LxH17a8Xv9S7x69/PZUuzOaHYOBnVa3alBeggI1OULrEuiKPV0J+dmpmstDbMfFp
fnhKpCuguMg2o2Kbi1srnEQvDf0yP3x49PPqnTHb2ZZRD/0hJ3oVYMeq4SSmYodK5R4OFj/afRzb
LRHR1Py6npVHP8ufxe/d4xevJ9zoLms9lSuM9AjSqI+rWrWp+KaqEW+Rria2+rGP4+yZ+bUMq4Ke
dv/RJpe8QoWoiH62Vu7mtr+4tcJJ9Pzc8sb41QQRhRvdbz3ZuMVtmRCQAFCOGk5izH3o3m7In/+W
j61lEqmcnpXPFG7SFW5wy9cTT2VTGX5rxTaqMOV9CMbOZk61ViPevJyjP9xARLPLG+/NJ4Xnxz7O
DyWJPBXUqNAtRIWBi1sinIqfH37vYTKTI6LRl3ZJRxRZJyABoBy4OsnobZXabtCT7/6Np7I6CxlP
5a/vCHo5YZHN9aSlVxttliVyVP7k9MPk5/5+ztjCsK1t/q/zw9c+9ORFU9Y/Qq1ACQePNLFrgydu
LInXP3lrOZlp97m4gcONp95dEC+yhQqt7uIVDKfN6fzz82uZsY/jQ8+3hOpckacCb//2sXRb2pFm
r4AE2BnQE2P08ZPhM2ssQkREyYz6Ia+eD8eowpS1Kp1zVqs2S36A2h+pQY/I00G27rGP4uLnUxl+
8tYKEYXqXCf31xn8oZm/eOXCSfb8yK8esc6YkRdbizpjtrkhAx8AUA70xBi9rVLbjSeFQ0+nzkKy
H52h4gNcYT2hOpfaeoZ+Pi9Mh+pcwy+0SgppVGGIxHsC3cepJebkN/+3/oGv0SU8GvR07/IR0VRs
fU72o1djH8UHnmwiosjTwQu3N38waAsVKmb+4hUMJ6XpRCo78quHoyfagl7nyIutp6ceFG2LtOvR
VgEJsDPUcBJTpW2V2m5sLX/rsFCdK+DmEulcydWzO48R0ezShrB+YT1Br9PLOVJZhQ2/fUXoMKeO
Rnc+iREd8BlVGDGfk9P54SfZqAs15Xyq1Wd0CSPP5LthxmcS8pVfvLcWW82E6l39nY3iihNXqFpU
aDBw8eqHk8r0mSuPh19oDXqdQ883j15+VFRI7b4QewUkwM5Qw6eTKnb5wPYuW5hfzcQKP0Hc0+7T
s/LeffnLVqP31sTrmV1Kl7UeeSGNKgzxfDyZX4/PWeJDkB58G/GpVrxaTY+3gcOF65J6Q/z/3SV/
hOrzRyADhzevtRFHRe9ef7kb3f7i1gonpdpJZXIj7z8gIp+LGz2xu3hO3fFgeKTJNwEAOtRwEmPu
o5ztnr+dvzdG5JnmkjMH3Fx/4Q6q5+dWxC9FCzdQjzwjvUpFfyGNKoyw9+pq9mqvpKs5f/AdW9W8
G2y1qlKxDObG28kD9UKOUtLQsRaVqChdofLHNhe3VjipVM3b04/Z+iPPNrf7nRpzKgeDoXWtuhUA
0KGGTyeZ+H0gOUQrZfTSw8GngkTU/0TjsVbPlYdav6w7+oXdbGL6QfLKg6If0hPWM3AkMHrpofZ6
1AppVGGmC3927/YF3A61Uwntdc5wk4eIkpnc1UXtAoumrH+EamgJI8/mzyVNXEvMygbECAaONIWb
PF0tXnHFlVWhcmYuXtlw0myVw+/Oj7+2j4hGT7RF761qzCl6STRl/YAE2BnQE2P08ZOOma8upic/
XWKzT/7+gfyxoNLjjUONkeda2JxDF2Py9UxcTehZj0YhjSpMKsOfL9x9dfi40k1ReSKeRl7K77ck
R97b/1QrW60mxlvAzfU/0UREyUxu8Mefnf7Fgtpj9FL+J4Eiz252e0iiokN+/5Xix7dPtL1xqNHA
xS0UTuq1c/bjxMxiiogGnw6yAdS6KtGEgASActRwElOxk9YKp7H5crc7+ON7sdUNIgo3eabePPTK
PoXxB9863jr5BwfYWs/85tHFu6uK62HfxeEmz8z/efitpwKKm/NyNHCkSShihQozeil/Z/fhz+9S
LMmfdzdHns/vt0amHhj+qVagZqsQb4NP53/xceJaIsV+clzlMXE1zuYcOFr0aQ/++B4b2hJu8kz/
x061qHijs+GT/+OJ4c/vkoTE9he3RDiVip/hX+Sv3Ys816zWNMpaoTEPAChHDZ9OqsK2fE7Ht7/Y
pjFj9M7ahbkVIkokcz0Tt6J/Eg4HPOEmT/RPDs0spqJ3V2cTG0TU3ebr62gI+pxsqfGPHp+KxhRX
mMrwvX83e/4bB7vb/EGvc/z39o39zp7o3dXZpQ22qnDA3dXs7dnjZ7dNI6Kp++uSD8eowly8s3bm
14+GXmglovHf2zfy8u7zcytCMfo6GsKB/PCF4Z/NX1lIKq5kEy+asMx3O8/zDoeD/Vv8gmGbEPon
xtntYdQlkrnzs8t94cag1/lGZ+O5ws8qpTJ8zw9uRf9DuKvFy6LizFdCLCrYNU3hJnfv/nqhTpMb
vHhD21zcKuHEq0wXnLuxPL2w3t222TTU5pS+ZG5Aqoac6FXzSgNgMTWcxJj6NcP+97m44c/v1pjR
53x4YTa/p5lLpLv/+sbY7+4d6AoSUVeLt6vFK5k/nswORe+f/Tiusc751Y2eH9wcOdE29EKrz8X5
XFxfuFFxzqn7a8M/m794d1X+klGFORW9P5tIn3l1DxGFAx7hQFmQzOSGove/+8FjpaWL8bzytDUZ
VMJju33sk4+tbly8o1BTEuMfxVl1R55rPndjSXh+fnWj+/s3Rr/cHnm+xefigj5n/+Em+eKzifRQ
9L4Qk0Ytbolw0hE/Q9FY9E8PiWbTrEd7BSTAzlA7SQw7WNn8uxo9MbrmLD5m/eY7d0feXeg/3NR/
uCkccIfq3clMLraamX6QnLyxNDGT0HOvjlSGP/2z+dH3H/QfbuoLN3S3+UN1rqDPyVY1s5iK3lmd
vLF0tfA7NYqMKszbv340MZMYfCbYd6ixq8UT9DqJKJ7Kziymz99aHvtgMZEqffsQotJH0lWk/CvW
RhD20xNKt4eRm7y+lMzkfC6u71Bju981X7hTCxGlMvypf4+NvLswcDTQd6ixe7cv6HUGfc54Mju7
lJ66vz55Y+lCYdyJ3DYXr3446Yifi3dWo3dWew/Ul5xT5worB90tAIocx48fr3YZyiPOVNg0X5DL
5XK53F/91V8R0Yv/7qlaEaFWXHo1zfP8m2++yXEcx3EOETYDz/Pf//73CfEGBrn0apqIhJBjUScJ
PyrOaZDfwE5WOz0xzGZ7ttixO9iXEFTi9EUK8QbGQY4CoFOtJTGbcNIajFN6R4J4A0MhdwHQo4aT
mGoXAGpLiZ0K4g2MhjwGoKSaSmKKxvbiyBgMIj6dRGq7FsQbGEdXyAFAjSUxhDExUBmSAZVCuox4
gwpRHMMLABL2TmLE+xJeciiMI2MwiDyDISKO43I50cW9iDcwjvZVSEhrAAT2TmLEWMMWUplLJ7NV
LQ7UDsnuRHFfgngDA8lDDokLgKJa+O0kXI4IFeUoJn6+iqWCGoaQA9DJ3je7o+L73bGJXC7HKxEv
Kz33BKA0mlI8ISb8YI1amCHeQA/FkJNgt7kjlXNM8j8BdhT7nU6SDH+R7FFIqUmzecSzodmDInkH
vnzvQkQcx5FSIAnRiHgDnRRDTt4NgwwGQJH9khgN2umLcHCMZg8a5LkLixk9ffuIN9gCeciRSioD
ABK1k8Q45Fe9Fr/kUP85ewAxyU6FRHsU8QzyeBNmRrxBWXSGHABI1EISIz7BJN5zqD1PxWMU8O2w
k6lFgsZ5Jck84ngTv4R4A0XbDzkAENRCEkOax74OpXvJ4LsAGMVIUDz8VXwS8Qbl0hNykvRFcTQM
AJBNkxiH/NZ2shG+agmN+E+100+wc2jHgFr8SPpg1E4bId5ATmfIKeYxajMD7Fi2TGLUqA2LUUx6
5LPBDqQRA3p2M4g3KJfOkMNZJAA9aiqJIaU+fBz+wnaIo4g08xXEGxhCu/8YAMTsmsQ4CteyasyD
O4zB9kkGuKgFlVrvC0C5JHkwQg6sxlKJtc2SmLIarWQAZgWKA7VM50kiYU7EG2yT/n2DpfYisNNI
vt+qG432SGK2fyyCNg/bpzaiXHFOU0oEOxGiCyylupdh2uAHILXTFLRnMBPGK0B1IeTAsqrSA231
nhg9H4owoBJ9+GAOhByYrOQQGYCK0pk9m3+bcksnMSWbq/aZOZxpgpK2EySIN9gCxAnYkf7bjpuc
x1g3idFo6pKXtnlogiMbKMnAIEG8gR6IE7Ag7VtOCMzMY6ybxKgRt221aQAAADCK4n2wrPAbtzZL
YoRMRXLTDrUMBpkNAACAfop5idrP+FQ9j7FoEqOYfCgmLjqzGQAAAChJe7Cp+OeWxX/KV2JOcmPR
JEZOnrII/ypmMMhmAAAAtkZ+zkixM0bt55ZNY48kRpKdfO9739vCggDboaeJIt7AKIg3ME1Z+cfg
4KBwj3Jx7lKtPMYeSQwjbrGdnZ0l5wGoHMkofYCKQryBaTRykZs3b8qvta7usBg7JTGkfnuxrQ3s
xTcCiGm3Q8lPIyleZIh4A/0Qb2Aa/cFGpa6g1vnTK6axYhKjeBsYjbujatw2BqNkQD+djVNy2JHL
5RTvpop4A22INzCN/sxDkiUrjtiVzKw2wtecHhorJjEa5KmMYjPWc+ES2jzIqf00kmT8miR42H4F
8QblQryBaUoGmzAtflWeiIhnkMxcFfZIYvR0rihesiSeIPUGDyAQt23xvw6HQ3wQLMbzvLBfQbxB
WRBvYBqNYBMnK9ojdiXBhoG9ZZB0wyhmMGoki6ORgxpxSxY3cmFC3P4lgUdKCTQh3kAd4g1MoxZs
EqSZx/DF11RXvTPG6kmMnmYpz2ByuZxkgmQt35Tig/0o7j/kxJGpkTQj3kAb4g1MoxZsHMcJE+KZ
eZUxMbzs3jC8+r1kKs3qSYycpH1KGjDLWnIFwpPCtKSRo7UDIz5GIVE75ziOtXAiYhOsnYuPQsTR
hXgDPRBvYJqSwZbL5dg0e1VIZcrKY6rFZkmMYuOUNGahSWezWTbNJoT2T6LUpxpvAizKIeq3F7dn
p9MpbthsOIKwUxFiSQgzxBvogXgD02gEm5C+sOhi0+I8hk3I+1osksfYLImR4GVdrEISkxWRJDfi
QxYAMXEHPleQzWZZa8/lcmwHQ4VGznYwQqIsCTbEG2hDvIFp1ILN6XQ6nU6e551OpzAnX3wJkmJn
TNX7YBh7JzGk0g3z6NEjxZmFAxqAktgxbjabJSKXy8X2KOxfEl3myvN8IpFQXAPiDfRDvIFpxMHm
druF9NflcpGow0acykgWt06k2S+JkR9hiPMYVjdVKRjUsI2NDRZgLpeL9bgKxyisAx/AQIg3MA0L
NiFfcRSu7WdPamcwVshm7JfESAhnf1nzFrJLInrxxu6qFg1qwaXDD4gonU6zwxThX9Z0hbEIhHgD
IyDewDTiYKPiq5aEbhgrpCna7JTE8MWjesVj3HjRdUmbPTE4KQxG4Hk+k8mIu1vZSAVeNJSSCPEG
xkC8gZkymQyJrrVmhM4Y8fgYtYFW1U107JTEKOKLFSUxaOVgkHQ67Xa7xQ1VGGiJeAPDId7ANOl0
moiE9IUN8hVDT4wZxBkMjlTAcJlMRjhMYX1+bLhlNpvdbOSINzAI4g1Mk8lkWO7CrlRi/wqnk7SJ
r9xWe7XSaiGJET5r4eqk6pYHag/bqbC27Sjc4JIKg/xZnz+AURBvYBqWxLhcLvEV++wlPXlM1dm7
MUiGxQj9MYWXq1k2qCWZTIYdo4jvcUmFvDk/E+INDIJ4A9NkMhlxBiPemZLo5rzVLqYqeycxjORD
z23+9CtaORhDuHGisGsR33asMBfiDYyBeAPTSO4KS7JdqsXVQhLDiK9RssI544Cbi//pQSKKp3PN
f3db8SWm+0efXXmcVlzJW50N4yd2EdHoR4nT04+J6L+/1Bp5slH8jDYv54j/6UGf00FEof91Zz4p
vYnO0SZ3//66/gN14XpX0MMRUWw9O/04PXl3bWJ2NZVT/RA13qB469HXQj27vEQ0u5Lp/dfY3GpG
/glomHqYOnHhvp45K0pyR9Rc4U7wRecuEW+IN4NYPN4QbFTTwWaX9IXhSs9iNzb69JnR7mb9M49d
X2YTg50NeubvP1DHGvn5z9YljTzg5v6yZ9fMH+wb/Vxzzy5vyO/0OR0+pyPc4Oo/UDd+Ylfsjw+8
pW8rigJuburkHtbIZxIbPRfus0ZuR0IjF9+og0G8iSHeDFEz8YZgsz6NYLOFWuiJ4WUKL1S3WCrT
sj/79vpfbvW+9zCltRI+P31lMT2T2OgKuEN+5yttvovzSe1SsCMbIhq7tizebke9K/paKNyQD4CZ
xMb5z9ZnVzM+p6O72dO31x/0cEEPN35iV2+b7z/98mF5b5Co3eeMvhbqCriJaHox3fsvscSGwkFk
MsuPXVvWKP/M0oYVes3FccVaOxu9b6ExWIg3xJtpEGy1G2zKO1MLs30SI/+URc9YZK/CqzX0ZDbn
c3JEdOZ4s0q/osJKxq4vnXmxlYgiTzZcnF/XKEG7z9nb7iOieDp77u6q8HzAzU31hUJ+FxHNrmwM
/vKh/PviW88ERj/XQkSDTzTE09lTlxf1v8F2n3OqLxRucBPR1INk77/EZD23m5/AqcvKP3RlKeJh
4+pHxog3xJsxLB9vCLYaDDbFrMX6eYyNTycpfrhFT/LVfmiUhIiIZlcy5++tEVHPbt/JPX6dKxm/
scKe6D9Q53U4NAog9MpOzK6Knx8/sUto5D3/fP9iLClf9jsfJvqj82zxoacCr7T5dL7BjjrX9Ot7
WSOPxtZ7fxxLZfnyPhxLPQpxJT5VLD5wsdAbQbwh3swtJ4KtNoJNnMGU3rFajI2TGDkrf9Bqhn+T
H7925sUWnYskNnKTt1eJyOfkBsL1GnNGjoi6WwuONrn7D+aX6o8uyEfDCc7dWRu7tlRW8Y42uad/
fy/7Epm8vfqqwmFKjbBLX6sE4s2m7BhvCDabslek1VQSI2WNPFe5JAVXFtOs0XYFPG921Otcg9Bu
I0ca1bb+cquXHTHMJNJXFtPC88PPBNiyk7dXxc8rPoYv57+Gulu8x4Ie7eIdC3qmvrYn6HES0cSt
lW9EF7b44Vjqwcqop1Vbo6iIt7I/HEs97BJvCLatfTiWeugPNgur6STGIjGiXJLNl4Z+lT9vOvpC
s86VXPhsLbaeIaKe3b6Oeqfi1oUjlTOfJMTP9+3zs+fHri2VfAuJjSz7GiKivn0+jbK9vMsz9fV8
Ix+7uvTNny1s48Ox1IOo+O7awr+yW25boqiIt/I/HEs9FOJN/PPClok3BNvWPhxLPXQFm1LsWUhN
JzGWiBCVkohemlvJjN9YJqJwg/utzgadK5m4lW9+kSNN8vV7HY6BQ/lu1Ymbm+eM271O1h1KRFML
KT3vIhrLD6/rbZed2C44uccfPbmHjeMb/W38z6YebuvDsdQD8cYTId7Mr0SLxxuCbWsfjqUeNcH2
VyfVhuHLiwOH6n1ObvR4y8QtrbswCcauLg09HSCigUP1p38tHV3ff7COtbrJ26viy/9CfiebiK1n
ii4LVDeT2GATwiWLEkGP8/xrewpv5NF3PkzoWa2wLP9Wp8YM/T+Jnbuzpn+FoAfiTQ3izXAINjUI
NkOgJ8aUJLfUS/Pr2bGry0QU8rsiRxv1rORqYmN6MUVE4Qb3K+3S0fWRo01sobGrS+Ln2W0riSie
zul8I/F0/usg6OG0s/jYembs6rLxRwDWqUe7lLPUS4g3e9SjZcupUQzZSwg2i1ZiuUW1qtruialu
LfEq08ovjUwvRo42+pzcSHfz2NWlVFaxlRcZu7o0dmI3EUWONl6Mbd5Tod3v7A35iSi2nrlwT5Lp
a5Sq3DeSn05mc/F0LuR3hfyuqdf39rxzL5EueRi0ueyZj7UObmYS6WrXo36IN8SbmapYTgRb6XXW
VrBZV20nMXaSSOdGph+PHm8Nepwj3c2nFe6/JDV+Y/nMS60+J9d/sN7rdAhfDYOH86PeJm6tSBYp
OvLQp+j4Rkkyy/e8c2/q9X0hv6X8QCQAACAASURBVKsr4Jl6fZ++pp5fVs87BcMh3sA0CDaoHJxO
qnxnne6XznyUiKeyRDT0VCDg5kquJJXhJ+fy91ToP7B5BWPkSKG7dWZJskhsLX/jhJDftbkJzUdX
k4ctMrucUXsXc8uZnn+6F1vLEFFXwBM9ubf0yi1SRzorEfGGeDOzEq0fbwi2rX04lnrUhJpOYuwm
leVHph8Tkc/FjR7Xdf+lsav5+zUJ54lf3u0NN7qJaGohebUwbE0wv55lrZGIenZ79WyCdd4SbY7k
VzS3kul5J9/Uu1u90b69Ad3HQ1AViDcwDYINKqSma4Lnq/zQKInKS29/FGdNJdIVaPdxJVbC8xfv
r7P5e/f4O+qdxPObo95mEoqLnC+cSI4cbSr5FgJuR39H/mrG83dXtd/F3PJGzz/dLWrqbsdWPhxL
PRBvogfizbxKtHi8Idh2VLBZWG0nMdV+aJRE/aXhS4XbQx1v1fNexgu/Xz9wqMHLOQYONRBRMpOb
uLmiOP/olfx9Kvs7Go41y+5TKZm5UIbpR6krj2R3wJQVb2450/OPoqb+tX1eTuUHUKxTTTorEfHG
EyHeTKtEi8cbgm1HBZuF1XQSY09nry/PxNNENHikqbuldKfo2Ex+AHykKzDQ2eBzcUQ0ObcquwQg
72piY3IuPyZu8qt72gs3V5B742B95Kn8bbyHppR+sF7J3EpRU5/6g/1epxXv8wgM4g1Mg2ADwyGJ
saLhwr26I11NJWeeW8lMLSSJKNzoHn0xf2wxNrOkscjgTxdYOww3uqf+YP8rhRPDYt96PjhZuMvT
mQ/jFzXPGcuL1Puje2wcX3erN/r1fWjqVoZ4A9Mg2MBYNX2JdXXP+UnOjOp8iYiIzs2tTD9Kdbd6
2ZEHm0/j7Zz58PHE7+wholCdi4hia5mL97VuBJlIZXt+eCf6+v5wozvc6I6+vm8mno7eX5tdzh9h
9O2vC3rzBzHj15ZOTT0o7w0SXY2ne354Z+oPDwS9zp42X/Tre3vfubd5/FSY3+d0fLvUT8ieLnzr
WR3iTQXirSKqGG8Itp0WbBZW00mMnQ1NPYi+vl/nzJNzq8lMTvhSGL+udaTCzK1kuv/h9tgX2wae
aCSirqCnK+iRzBNPZYemHpy9vqy0gtKuJjZETd0ffX1fUVMnIiKfixs+VqKdj/x6Ua33GIyCeBMg
3ioNwSZAsG1fTZ9Oss6wqbJe4ol4uvjZevSzNZ3vJZXhJ25u3vpp7OOEnuIlUrlv/iTW9f/NDr//
cGo+fyFAMpObXd6YnF0ZjMZC//PW2Wuad9ouVbyr8Y2ec3dY12tPmz/6ddFQOLvUo13KqV0diDe7
1KPtyll+NSHYLFeJduY4fvx4tcsgxYu679g0z/M8z+dyOfbv2bNnOzs72Z/ZbDabzWYymUwmk0ql
0ul0Mpl0u91E9OKvS59zBdB26YUlnuevXbvm8Xjq6upcLpfX63U6nU6nk4hY+DU0NBDiDYygGG8u
l4vjOEK8gaEuvbBERNeuXfP5fHV1dV6v1+/3+3w+j8fDvuXcbjfHcS6Xy1Fw8+bNN998kxNxOBzs
X4aI2L/iiYqq6dNJtXIdPNgD4g3MhHgDqPHTSQAAAFC7arsnptoFgB0F8QZmQrwBoCcGAAAAbKq2
e2JwqAImQryBmRBvAOiJAQAAAJuq7Z6YahcAdhTEG5gJ8QaAnhgAAACwqdruicGhCpgI8QZmQrwB
oCcGAAAAbKq2e2KqXQDYURBvYCbEGwB6YgAAAMCmarsnBocqYCLEG5gJ8QZQ40mMNQQ8XPz/Oip/
PpnJxdYyU7H1ietL526tSF59qysw/tW9RDT24eM/i8Y01v+D39s7cCRARAMX7v3t9aWS26XCT9JP
P0iOfRS/eG9Nu9jxVLb5f1zTeoflLxLwcANPNvV1NHTv8ga9zqDXGU9lZ5c2pubXJ28uX7i9qmdz
O8fL7b7Bp4I97f5wkzvodSYzuXgqN7u8MRVbj95bPX97NZUt2p9pVL3EVGz9xN/Pqr1abjVVLmhZ
Y5l+mJq4vjR5c1nyfksuLid542oLxlPZeCo7u7wx/SAVvbcqb6eg4S9/d8/gU0E2HT57Y255Q2Nm
Q6pAspIz04unfj6vMb8Qh0SUzOT8Y1cV1yb/QpNsqHvi5pWHKcVNCI1i9PLD0798oFEY2JqaTmIs
cqCiUgyfiws3ecJNnoEjgekHyb4f3p5fyyosxet+I5I51ZfyubiuZm9Xs3fgSOD83Er/O3cV9gr6
VlXuIl6nY/QLbZFngz5X0anMoNfZvdvZvdsXebY5tpoZfnfh7ExC31YtowLxFvBwE337+joaxE/6
XFzIxYXqXT0h/1B3CxH5/ttMUQ2WVRKlmbdYTRULWqGx9Hc2zi6l+9+5q7zP2PIbV1mQpW7hJk/v
vvqh7pZ4Kjv+SWL43QW1LMpUFiiCBq/TMfBkk/Bn5JlgiV24IVVQ/NzAk02nfqaaxHidjv7ORq0y
aERI8Z+jJ9q+9sM7ypvZQqOActR0EmMxyUxu5P2Hwp+hOldPyN8T8hNR927f1H8Id/31zUp8OUq2
yzbdu6+ue7ePiPo6GiZf36/aAg3VXuc8/4cH2XaJKJ7KRu+uzS5vxNYyoTpXuNHdu78u6HWG6l3j
r+2Np7Pnbu70A9/oH3UIH9dUbH0qtj67lCaicJOne5e3J+RnSYbP6VCMnGQmN/ZhXGP9M48VUgEr
VJO8sXTv8vburyeicJMn+kcd4fEbiXROY/EtvHHF7Qa9XPcuH/s0gl7nUHdLf2eDahYFBf2djeIM
ePCpUklMgYFVEKp3nTxYr9azO/BkkyRH37K+joaX233vzScNWRuUpaaTGIucMy4UI5nlv3PpoeTF
kwfrz/d3EFG4yTN0rPk7lx8Ji21O6HwjfPGcmtslojc6Gyd//wAR9XU0HGv1SL8RlFZVugDqi3id
jug3OrpavEQUT2WHfho7+4lCX8vJg/WjX2zv3u0j3jI1qJPRpf3z7hb2xR1bzfSdm5N/ZXudjr6O
hqHulmQmp1b1p36qdVpHbnvVVNmgPbbLG/3jMDs0H3lpl8JB9pbfeKnGEvBwg08HR7/QxvqEon/U
0f03N7XPj1SctVvH0LFmNjFxLTFwJBCqd72y16928prIoCoorGRmMcXy7MizwQtzykl25NkgEU3d
X+ve7ctnM5KPVOMLTShtJseWPfPl9hN/N6v4xlRXAkbA1UlVduH26vAv8t/FwtlZc5y7uTxxLb9/
Yse4FTX+2l62a5xdSnf/zU3FXSMRXbi9+rkf3BQ+k50s8mx+NzD4L/cUDzpTWf7czeVX//85Azvw
rFxNVx6mhgqpSf8TjdozGyuRzr09vdj1/U9ZT1jQ62QHAKCoo9Hds6eOiM7PrYwWMpLIc83bWWe5
VTD+SZyI+p9oCngUdnNCCcc+fLydUs0ubZyfWyGinj11Jw9W/FsU5Go6ieEt89As0uSny+zFwnFt
8VLbWX+pj2Lq/jp7PeR3lVvsskpyNOgRUrT+f7wzt7ShvZ7vXHp07tPl6lec+B2ZHm/hJjdb8YW5
1a0Xu5ylDKimCgft+dn8UXW4yWPgG9e54NzSRt/kbTZX927fyYP1hld6FePNwIeQf4998PjKg9TM
YoqI+jsbvZyj4lVQMPZBPjvp72xUK2Eyk5u4uqS1XR0vDRfGDp/5SkjrfVW7UrTenZ3VdBJjE7HV
jDDtdTrM3HSoLn8+UW2IgFGGX9zFJiY/XcJgAp2EE/amRYX1qymZ2fzqNbmxMFcfpyeu5nunttm1
UMMGnw4SUTyVPXdzmYjGfvuYiHwubuBIU4klddBZBXPLG1P319TmYSWc/FT1Sjf9rjxMTX66RERd
Ld43jXiDUJaaTmLY6faqP8QZr9IMoTqn8HqKDW6Qn3/VWr/KbKW26+Vo4Gi+yU3dXyt38bLeae/+
Ovb02AePq18j5VVf1eKNHb8S0eBTgTLLXH7dGVJNlQ/armYPezGeym42lm2/8bIWHPvtIpuxd3+9
4ZVexXgz6vHKPn+o3kVEk58usWeKco6KVkHxSljy1LOnrqPRpVjCsd8uFn3m+otU/NLQxfxZztEv
tqlXaPWrRr1sNlbTSYxN9D+RzySmH6ybs8WAlzvZ0TA1cCjc5CGisQ8Wrz5OV25z7XUutiEiit7F
PWD0Gv84f33N2O/u/e+/s+dY4XKhCrFFNY307GYT7CC7KoSTsEGvs6Nwyg8Ekeda2IRwQmd+LcMi
qmdP3dFCGrodOqtg4moimcmRrDOGlTC2unHxrjFRNLe0Mf7xYyIKN3neejpoyDpBp9q+OqnaBWAk
50SLnexoGP1SO5uemFkqmlm+hpIbUloq6HXyQ88oLjGbSJ/5zaO3f7NYbrFVC6C0iHDSKra6kcpY
pFYqwOh39p1fPex/opENP4w83xJ5viWZyU0/SE7dX4/eXY3eXU2kVK4x1lH1TP8Pb58rDMkyoJqM
C1rJ816no2ePf/jzu/rC+fG8I798oLCJLb1xje0qSmX42OpGqN5NRCG/ay5RpWuULNmSvE4HG3M9
m0i/d3/zqGzsyiK7eiDyXMupi0oXjhlSBcWxlMrwk58uDxwNDD4dPP3zBUkJxz+OSzek9qe8SLKg
Hf7ZwsCRgM/FjX6xbWImsXmWaguNAspR00mMxfhcjm8VxhwQUaje1bPHz3ZRVMgnTC7S7NLG7FLF
v4KD3nyHX1xtpwsqTkzc+vaX2oY+15q/H4yL69lT17OnbuiFViKK3lkdmVow6mjSUtUU9Dn5U6pZ
yOCFe+/FTOq2VBRP5UL1RERBr7PUvDvL4NP5GyQKVz4yk58us6uRB442KScxZdJZBWMfLA4cDYTq
3a/sr2MtZeBogJVQ6CgyxPxaZuyDx0MvtIbq3ZHnm5WPDKECajqJscg5v0IxfC5u9MvtirNML6z3
//B2KpOTL0V8qTciOacrm05mckPR++Ilgl5n925f/+Gm3gP1vQfqJ28sfeOHt/WudislUZmnxlTm
rZ3+2fzIuwt94Yb+w009e+rY9c9M74H66IFDY1cW/+zfPlMsSTKTO/Nrrcx45lGyKNJkayiPcUGr
Zur+2sA7d+bUMu+tvfEyyyDZZNVC2pJNKfJ84bqkK0XDTVIZfvLG0kBXMFTvPtlRf2FWdu8WQ6pA
tpKLd1ZZn03kueaLd1aFEk7dX5tLyM6hS7arUSSll0Z+OR95vtnn4kZ62sauLOY7Y/Q3CtiSmk5i
rC2ZycVWM9MPkuMfPS7q2TZ+Q/x3lY45Al5u8g87eg/U9x9u+n96Q6c0f+xmO+Kp/M8pCMf6UJZU
lj/36TILEq/TwRLQwWeCrDs9cqxlZjH1tlI3XjLDn9b87RgxS1VTMpMbLtzLzufKv2XWETX0QmvJ
WC3rjW/BZq9VMqs9545ytNnT3eYnliLIEs2xDx4PdAWJKPJ8i0ISUyb9VTD+UXz4pd39h5u8Tkeo
3pW/PcwV43tKEqncyC8XRr8cCvqcIyfaKhqBIKjpJMYiWW+hGPFktvn//aTcpX1Oh843ktzIqZ5/
VVpDIpnrPzcXi3T5XNzQC7tG3l0oGmOxtfENStOxlfw15KF6t5dTvkF+LTDlbaUy/Hv319+7vz7y
7sLkGwf7DjUS0eiX298Wdzxs6TS8gdW0/aBNZvi3i7tSAl5u8o2O3gP1Qy/smk1svK3Y0bLl8Qfl
LOh1Olj6SOz+CNUKZ+s1o8jz+SG94x8+lhdP6BTpP9wU8HDSEV2GVIHSSsauLA6/tNvn4gaOBlhH
ZjKTm5hJaIypKl0klZfOXH40/PndQZ9z6IXW0fcfaL1HMEj1D7lAkXB44XOVuBmGcEp4C0MZEqnc
9EL+9z4qd9Pe+bXMbKHntvcAbmppjFSWH3jnDrv4wufiXt7j3+YKt19NFQ3aRCrXf24utrpBRGde
3WPIRS5bI4xjiyezqie2dqSBrvydEsde28f/12flDyHzGDi6rbuTl1UFc0sbU5+tEVHk+ZbBZ4JE
NHljqUKHUqksP/LLBcoPHghVYhMgUdNJTNWvwpdfjq97EfZlTURdLV7tOYVBErHVjS1sV9hQqN61
hcV1LhK9k79kN/K8+o0irPmwcLwlklnhXjLhRvd2627b1VTpoE0ks0M/yY/uOvPqnhL1teWKLjVn
pPCrQNE7K8ZXq4XjTftxsqNeyFFKGnqhtVJVoLSGsSuPiKhnbx0rYX68jp7tlnxJ9vzblx+yhhA5
1tLud2rMWf1HTajp00l2JnSQdLf5A15Z12tBe50rHPAQUTKTu7q4lVusCt87yUwFr0kZff/B4LPN
RNT/ZODYbt+VB/i5V4MJI1q2Y5vVZELQ/u3VxOhX0uGAp+9Q48t7/OKLeM1xtMXLBnZQZcZV2Ffk
WP5c0sRMfFY+ZrZgoCsYDni6Wn1b/h7YQhVMzCTGXtvHLkqKrW5cvFPZ2yAN/zQ2/rUDRDT6lVD0
jvG/8Q5itd0TY5lH+UVKZfjzt/KjfYdf2q0228gX2tg8528p/dJQqe22+109e/MdszOPUtsvttoi
Vx+lJj7J37ptsr+jo9GtvZ5vf7n9jSeaql9x4ndkerwdbfZqz9DR6GbjKBWqb0ul2mY1mRO0I4Vf
nRz9stJP1Wy5OnQs2NHoPv/HYTbX9ML6hVsrhld6FeNtO4+Ah+t/MkBEyUxu8Ed3T/90Xu0x+t4D
VvzIsZaKVIHSSlIZfmx6cXphfXphffS9B2Vsd0svnf0wPvMoSUSDzzZ37/ZrraS6j5pQ00mMzQmt
ffjltreeUbgL5J8fb410t7LpkV8slLv+gJeb/EYHm5bcmaoSBv/5Ljs+Cwc80289qfiOiOiNw02f
/Ocnh19uq2hhbGHqPz7xz38SPhluUHz1aIs3OtDJpqcX1o0anLHNaqp00BLR2Y/irLu+92DD9kcC
6RTwcn9+vHXmvxxhfUjxZLb/H+bM2bQtDBZ+8bHoPm9KJmbyWbLQm6LTNqvg1L/f/9zZG587e+Pt
y2bcjmv4p/lUO9LdYsLmdrLaPp1kkVSTV5ku4eKdlTOXHgy9uJuIxr9+YOSL7edvLQs7mL5Djawx
E9HwxftXFH6yIL8tn8vxrZd2iV8I+pxdLd6+Q43CTwxGfnxXVrbNxb/9FeXb2zDR2yuFCya13mkq
y/f89Y3oQGdXqy/oc45//cCZ39kbvbMym0jHVjOhelc44Ok90BD05Yd8JjNZy9Qg8Tyv+K94wvDS
+lyOvkONfYcak5nc1Gdr0wvrsdVMMsuHm9w9e+t69ubH3iYzucEf3VH88EvWHRGd/mnR5crbrCaj
glY2XWTkF/Njv7efiEa/Enr1b28a8caVG0vQ5wzVu7rb/EKPFxHNJtL9/zA7t1TBX+qQRBojfklc
ZisQziWNf7ioXbBEKnv+1nLfocagz/nG4cZzN4QfkTakCrb4ZauyiMbaSmzo3I3E9MJ6d5tf+I7d
apEqTjHY5N91DoeDt+QwmppOYizygW+jWZ36yf3ZxMaZ391LROGARziEFSQzuaF/++y7iieGC9vy
ubjRV/aobSKezA7+6M6FW/J7T20urt0v4nM68ouXeqfzq5nu8eujr4Qi3a0+Fxf0OVkXtMRsIj30
b58pFKl6HA4dP5hsdLxFb6/2dTYSkc/F9R5s6D2o0CUz8yg58I+3rywUjy3QXXdENPLzecmh8zar
yZCglU4X++704sgX2kMN7t6DDS+H6t4Tfkdpy29cd2MZ/3Bx+GKs0rcJqEq8bdmxNl9Xq4+IYisb
F2+XHm4y/ttFdmuAyLHWc9cLSYwhVWCVHIaIaOjfPot+84mi2SxTZWK6gs3CaiqJsXtlKHr78sOJ
mfjgs819hxq7WrzsCDiezM4sps7fWh6bfqT6AzrqkplcPJmdXkhOXk9MzMS3sIYtS2X5Uz+5P/KL
+YGuYF9nY3ebP+h1Bn3OeDI7m0hP3V+bvJ6wVPqixoRg+9rf3wp4OdYZ093mDwc8Qu3PJtLTC+sT
M/EKfVbbrKZKBK3E6HsPWJ40+kro1YmbJeffmngyG0/lP+3o7VVRt4HZrPzlJuSpwqkibZPXl9hP
EPR1NrbXu+ZXMxozW6cKynXxzmr09orisYfFWTnY5BzHjx+vdhmkxH1W4j6uXC7H/j179mxnZyeb
zmaz2Ww2k8lkMpl0Op1Op9fX191uNxG9+K/4gVnYrktf3eB5/vr1616v1+fzuQs4jiOiXC63sbHR
2NhIiDcwAuINTHPpqxtEdP36dZ/P5/f7fT6f1+v1+/0ej8fj8bhcLpfL5XQ6nU4nx3Ess7l169ab
b77JiTgcDvYvQ6IcyJxkyPY9MfKPSfSMJTvvwIaEJio0ZvFLhUnEGxgD8QamcRSTv1qVUuln+ySG
ZHWw+aGjjYNBxHElPvLgeZ4dIhMh3sAwiDcwjSTYtHMaC6rBS6xt8bmDvUg6TsUvId7AcIg3MI1G
sNlCLfTEMAq9rzhSAYOITwBLjoxzucIYVcQbGATxBqZRC7Zql0uvWkhiJH1fHMcVhgajlYMxnAUc
xzmdTtbUiYj9WZgL8QbGQLyBacTBxsLMXqeT7J3ECJ+y+EPnOC6bzRKhjYNhXC4X238IA/WFoQmb
F9Mh3sAgiDcwjRBs4v4Yyb612mXUYu8khhE+YqFbjCUxl04a8JN4AEQkvtpQfGTM87xwZIx4A6Mg
3sA0kkuphf4YsskArFpIYkg0IMbpdOa7YQCMI7Rz1sLZBBE5HI5sNmvNu3GDfSHewDSSJEbo/LNF
BkM1kMRIrgdjdeB2uzc2NtLpNLsDXqYgm83mcjl20zzxz0PYpbagEoQAEEcRCySheXs8HvGf7OCY
HRY7HI6MSDqdFu6+iHgDOcQbmKZksLlcLsX72tloWIwtkxihVqhQSaxucrkcqx6hGbP5WbW5XC7F
Rg7AyNs5CxvWvN1uNzt5zP5l4ZfL5eSjsjKZDOINSkK8gWk0gs3lcrFgk4zBEjIY8US134cCWyYx
YuwARageKv7RV6FvhrVw1sjFP2UgrKSKbwGqSxwGQlsVhlUKxHsUYafCUmd5XyDiDdQg3sA0eoJN
yJvlnTFkh+CxfRJDxTkm63EVMhhH4WIl8TEKu9ECjlRAQmi3wrGI+AoR8YQwM7uDajabFY5d2Kgs
xBuUhHgD02gEm5DKiEeRC3vVahe8NNsnMeLskgqJp8vlknSd5Qp4EclKYGeSRIKk31XgFN20g4i4
wg/yCYkym87lcog30IB4A9PoCTZxKiN+3i55jL2TGHZoQrJUhmTXKwm9rMJhChVXMIC4+5QrXAwi
7Egkx8TCzKzzj+1XWF8g4g30QLyBaTSCTUhlhORGkr5YPI+xaxIjpC9UfJ8YKrR51piFE0zyEfts
EXEOBDuTJAaE1i4+ZJH0xAqzCXsONjCLBRjiDTQg3sA0OoNN3DfjUDmdZNkosmsSI3AUBvayP7nC
bw44Ctcr8YXffVVs5MJKTC84WIViMEgOf+XEiwu7EwbxBhoQb2AancHGyX44STxDVUqun+2TGJLl
MVRIZcStnYpHuqGjFdSIj1rE7ZxkjZ9kexQShRniDfRAvIFp1IJNLW+2fgZDtk5iHMVnlHjRXX0U
WzjJelnFqzKz5GApasEgbsasVfOFi/klMytmzIR4AyWINzCN/mCTTFBx2Fg5hGycxJB6HnPz5k2S
1Z/2nwAka6vyP3ml+58KexTJkxp/AhDiDUxUMtjYv52dnWSfDIbsnsSQ0ghf1sKPHz9OxS1Zo1Vb
vJKgonQGhjAt2a+I/0S8QUmINzBNucF2+fJl7VzHgmyfxFBxHkPFJ5Ils0mewcEKkKyLVc9s4sgR
rupXm1+AeANCvIGJthBsis9bWS0kMVR81KL4vPZSAGURsmTEG5gA8QZmslfk1EgSI5AMUNJ5LGKv
OgNjbSdIJE8i3qAkxBuYptwIUTyJYXG1lsRI2K4+wHwGBgniDUpCvIFpdkKEKJ9eBQAAALA4JDEA
AABgS0hiAAAAwJaQxAAAAIAtIYkBAAAAW0ISAwAAALaEJAYAAABsCUkMAAAA2BKSGAAAALAlJDEA
AABgS0hiAAAAwJaQxAAAAIAtIYkBAAAAW0ISAwAAALaEJAYAAABsCUkMAAAA2BKSGAAAALAlJDEA
AABgS0hiAAAAwJaQxAAAAIAtIYkBAAAAW0ISAwAAALaEJAYAAABsCUkMAAAA2BKSGAAAALAlJDEA
AABgS0hiAAAAwJaQxAAAAIAtIYkBAAAAW0ISAwAAALaEJAYAAABsCUkMAAAA2BKSGAAAALAlJDEA
AABgS0hiAAAAwJZc1S5ApVy+fLnaRQAAAKhZPM87HA72r9qrlS5DbSYxnZ2d1S4CAAAAVJadTieZ
kNMBAACAftXdNdspiQEAAAAQ2C+JQX8MAABAVYh3wVbYHdsviQEAAIBqsULuIkASAwAAAGWwTh5j
syTGOh8cAADATiPshdlE1XfKNktiyAIfGQAAwI7lcDgsksGQ9ZMYSdIHAAAA1aKYwVRxT231JEZM
+OwAAADAfJIMpur7ZXvcsZfd2FiYJqKbN29WtUQAAAA7jqOY+PnqlOf48eNV2bAGIV8R/8nzvDCR
y+V4JeJlJSsBAAAAneQDeOU4jhO/SrJUZof+dpK430X4k30W7Hn558LmEc+GE08AAABbJj9npNgN
U8UMhqyZxGjQTl+EzhhkMAAAANskzk60U5lqsVMSI6QpaqmMQ/03wQEAAKBckjyGREmMeIZqsUcS
IxnYK2Qqas9T8ZgYpDUAAADa1PabameOrDCw1x5JDGn2tYh7aCQXMQEAAIAeivtN+QhftSerwqJJ
jGRsr/hJ8dBdxYRG/Kfa6ScAAAAQ095jqiUu2qlPpVk0iVGjNixGMemRzwYAAACKNPaYameOqr6T
tVkSQ0rnjNDdAgAAUGlVuYham3WTGLXOFRJ9cEhfAAAAzFRyn2vmTtm6SQxp5jHCDMI0btELAABQ
CfrzEpO7FSydxJCOPEY8LFs02gAAARVJREFUZ6ULAwAAAGrM3xHb4FeskZ0AAABYXFV21lbviWEU
b2EHAAAA1YU79pZB8TYw5S4FAAAAEnbcpdosiZGw1EcJAABgX3bcpdpgTAwAAACAHJIYAAAAsCUk
MQAAAGBLSGIAAADAlpDEAAAAgC0hiQEAAABbQhIDAAAAtoQkBgAAAGwJSQwAAADYEpIYAAAAsCUk
MQAAAGBLSGIAAADAlpDEAAAAgC0hiQEAAABbQhIDAAAAtoQkBgAAAGwJSQwAAADYEpIYAAAAsCUk
MQAAAGBLSGIAAADAlpDEAAAAgC0hiQEAAABbQhIDAAAAtoQkBgAAAGwJSQwAAADYEpIYAAAAsCUk
MQAAAGBLSGIAAADAlv43N7IEIt65BrkAAAAASUVORK5CYII=
"
preserveAspectRatio="none"
height="290"
width="748" />
</g>
</svg>
Side by side

Before

Width:  |  Height:  |  Size: 23 KiB

7
openshift/index.adoc Normal file
View file

@ -0,0 +1,7 @@
:toc:
:toclevels: 3
:numbered:
:linkattrs:
include::topics/templates/document-attributes-product.adoc[]
include::topics.adoc[]

25
openshift/master-docinfo.xml Normal file
View file

@ -0,0 +1,25 @@
<productname>{project_name}</productname>
<productnumber>{project_versionDoc}</productnumber>
<subtitle>For Use with {project_name} {project_versionDoc}</subtitle>
<title>{xpaasproduct}</title>
<release>{project_versionDoc}</release>
<abstract>
<para>This guide consists of basic information and instructions to get started with {project_name} for OpenShift {project_versionDoc}</para>
</abstract>
<authorgroup>
<orgname>Red Hat Customer Content Services</orgname>
</authorgroup>
<legalnotice lang="en-US" version="5.0" xmlns="http://docbook.org/ns/docbook">
<para> Copyright <trademark class="copyright"></trademark> 2018 Red Hat, Inc. </para>
<para>Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at</para>
<para>
<ulink url="http://www.apache.org/licenses/LICENSE-2.0"> http://www.apache.org/licenses/LICENSE-2.0</ulink>
</para>
<para>Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.</para>
</legalnotice>

27
openshift/master.adoc
View file

@ -1,23 +1,12 @@
include::common/attributes.adoc[]
:xpaasproduct: Red Hat Single Sign-On for OpenShift
:xpaasproduct-shortname: RH-SSO for OpenShift
:toc:
:toclevels: 3
:numbered:
:linkattrs:
= {xpaasproduct}
include::topics/templates/document-attributes-product.adoc[]
== Introduction
include::content/introduction/introduction.adoc[]
:openshift:
== Before You Begin
include::content/before_you_begin/before_you_begin.adoc[]
= Red Hat Single Sign-On for OpenShift
== Getting Started
include::content/getting_started/getting_started.adoc[]
== Advanced Concepts
include::content/advanced_concepts/advanced_concepts.adoc[]
== Tutorials
include::content/tutorials/tutorials.adoc[]
== Reference
include::content/reference/reference.adoc[]
include::topics.adoc[]

46
openshift/pom.xml Normal file
View file

@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.keycloak.documentation</groupId>
<artifactId>documentation-parent</artifactId>
<version>1.0.0-SNAPSHOT</version>
<relativePath>../</relativePath>
</parent>
<name>Red Hat Single Sign-On for OpenShift</name>
<artifactId>openshift</artifactId>
<packaging>pom</packaging>
<build>
<plugins>
<plugin>
<groupId>org.keycloak.documentation</groupId>
<artifactId>header-maven-plugin</artifactId>
<executions>
<execution>
<id>add-file-headers</id>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.asciidoctor</groupId>
<artifactId>asciidoctor-maven-plugin</artifactId>
<executions>
<execution>
<id>asciidoc-to-html</id>
</execution>
</executions>
</plugin>
<plugin>
<artifactId>maven-antrun-plugin</artifactId>
<executions>
<execution>
<id>echo-output</id>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>

9
openshift/topics.adoc Normal file
View file

@ -0,0 +1,9 @@
include::topics/introduction.adoc[leveloffset=+0]
include::topics/before_you_begin.adoc[leveloffset=+0]
include::topics/get_started.adoc[leveloffset=+0]
include::topics/tutorials.adoc[leveloffset=+0]
include::topics/reference.adoc[leveloffset=+0]

4
openshift/content/before_you_begin/before_you_begin.adoc → openshift/topics/before_you_begin.adoc
View file

@ -1,3 +1,5 @@
== Before You Begin
=== Comparison: {xpaasproduct-shortname} Image and Red Hat Single Sign-On
The {xpaasproduct-shortname} image version number 7.2 is based on Red Hat Single Sign-On 7.2. There are some differences in functionality between the {xpaasproduct-shortname} image and Red Hat Single Sign-On:
@ -16,7 +18,7 @@ The {xpaasproduct-shortname} image version number 7.0 and 7.1 are deprecated and
====
=== Initial Setup
The Tutorials in this guide follow on from and assume an OpenShift instance similar to that created in the https://access.redhat.com/documentation/en/red-hat-application-services/0/openshift-primer[OpenShift Primer].
The Tutorials in this guide follow on from and assume an OpenShift instance similar to that created in the https://access.redhat.com/documentation/en/red-hat-xpaas/0/single/openshift-primer[OpenShift Primer].
[IMPORTANT]
====

931
openshift/topics/get_started.adoc Normal file
View file

@ -0,0 +1,931 @@
== Get Started
=== Using the {xpaasproduct-shortname} Image Streams and Application Templates
Red Hat JBoss Middleware for OpenShift images are pulled on demand from the Red Hat Registry: link:https://access.redhat.com/containers/[registry.access.redhat.com]. To update to the latest {xpaasproduct-shortname} images, run the following commands:
. On your master host(s), ensure that you are logged in as a cluster administrator or a user with project administrator access to the global `openshift` project.
+
----
$ oc login -u system:admin
----
. Run the following commands to update the core set of RH-SSO 7.2 resources for OpenShift in the `openshift` project:
+
----
$ for resource in sso72-image-stream.json \
sso72-https.json \
sso72-mysql-persistent.json \
sso72-mysql.json \
sso72-postgresql-persistent.json \
sso72-postgresql.json
do
oc replace -n openshift --force -f \
https://raw.githubusercontent.com/jboss-openshift/application-templates/ose-v1.4.9/sso/${resource}
done
----
. Run the following command to install the RH-SSO 7.2 OpenShift image streams in the `openshift` project:
+
----
$ oc -n openshift import-image redhat-sso72-openshift:1.0
----
=== Preparing and Deploying the {xpaasproduct-shortname} Application Templates
[[Configuring-Keystores]]
==== Configuring Keystores
The {xpaasproduct-shortname} image requires two keystores: +
- An SSL keystore to provide private and public keys for https traffic encryption. +
- A JGroups keystore to provide private and public keys for network traffic encryption between nodes in the cluster.
These keystores are expected by the {xpaasproduct-shortname} image, even if the application uses only http on a single-node OpenShift instance. Self-signed certificates do not provide secure communication and are intended for internal testing purposes.
[WARNING]
For production environments Red Hat recommends that you use your own SSL certificate purchased from a verified Certificate Authority (CA) for SSL-encrypted connections (HTTPS).
See the https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform/6.1/html-single/security_guide/index#Generate_a_SSL_Encryption_Key_and_Certificate[JBoss Enterprise Application Platform Security Guide] for more information on how to create a keystore with self-signed or purchased SSL certificates.
==== Generating Secrets
OpenShift uses objects called `Secrets` to hold sensitive information, such as passwords or keystores. See the https://access.redhat.com/documentation/en-us/openshift_enterprise/3.2/html-single/developer_guide/index#dev-guide-secrets[Secrets chapter] in the OpenShift documentation for more information.
The {xpaasproduct-shortname} image requires one or more secrets that hold the two keystores described earlier. This provides the necessary authorization to applications in the project.
Use the SSL and JGroups keystore files to create secrets for the project:
[subs="verbatim,macros"]
----
$ oc secret new <pass:quotes[_sso-ssl-secret_]> <pass:quotes[_ssl.jks_]>
$ oc secret new <pass:quotes[_sso-jgroups-secret_]> <pass:quotes[_jgroups.jceks_]>
----
////
==== Creating the Service Account
Service accounts are API objects that exist within each project and allow users to associate certain secrets and roles with applications in a project namespace. This provides the application with the necessary authorization to run with all required privileges.
The service account that you create must be configured with the correct permissions to view pods in Kubernetes. This is required in order for clustering with the {xpaasproduct-shortname} image to work. You can view the top of the log files to see whether the correct service account permissions have been configured.
. Create a service account to be used for the SSO deployment:
+
[subs="verbatim,macros"]
----
$ oc create serviceaccount <pass:quotes[_service-account-name_]>
----
. Add the *view* role to the service account. This enables the service account to view all the resources in the application namespace in OpenShift, which is necessary for managing the cluster.
+
[subs="verbatim,macros"]
----
$ oc policy add-role-to-user view system:serviceaccount:<pass:quotes[_project-name_]>:<pass:quotes[_service-account-name_]> -n <pass:quotes[_project-name_]>
----
. Link the secrets created for the project to the service account:
+
[subs="verbatim,macros"]
----
$ oc secrets link <pass:quotes[_service-account-name_]> <pass:quotes[_sso-ssl-secret_]> <pass:quotes[_sso-jgroups-secret_]>
----
////
[[sso-administrator-setup]]
==== Creating Administrator Account for Red Hat Single Sign-On Server
Red Hat Single Sign-On does not provide any pre-configured management account out of the box. This administrator account is necessary for logging into the `master` realm's management console and perform server maintenance operations such as, creating realms or users, or registering applications intended to be secured by Red Hat Single Sign-On.
The administrator account can be created:
* By providing values for the xref:sso-admin-template-parameters[*_SSO_ADMIN_USERNAME_* and *_SSO_ADMIN_PASSWORD_* parameters], when deploying the RH-SSO application template, or
* By xref:sso-admin-remote-shell[a remote shell session to particular RH-SSO pod], if the {xpaasproduct-shortname} image is deployed without an application template.
[NOTE]
====
Red Hat Single Sign-On allows an initial administrator account creation via the link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html-single/getting_started_guide/#creating_the_admin_account[Welcome Page] web form. But only if the `Welcome Page` is accessed from a localhost, this method of administrator account creation is not applicable for {xpaasproduct-shortname} image.
====
[[sso-admin-template-parameters]]
===== Creating RH-SSO Administrator Account via Template Parameters
When deploying RH-SSO application template, *_SSO_ADMIN_USERNAME_* and *_SSO_ADMIN_PASSWORD_* parameters denote the username and password of the RH-SSO server's administrator account to be created for the `master` realm.
[NOTE]
====
*Both of these parameters are required.* If not specified, they are auto generated and displayed as an OpenShift instructional message when the template is instantiated.
====
[IMPORTANT]
====
The lifespan of the RH-SSO server's administrator account depends upon the the storage type used to store the RH-SSO server's database:
* For an in-memory database mode (*_sso71-https_* and *_sso72-https_* templates) the account exist throughout the lifecycle of the particular RH-SSO pod (stored account data is lost upon pod destruction),
* For an ephemeral database mode (*_sso71-mysql_*, *_sso71-postgresql_*, *_sso72-mysql_*, and *_sso72-postgresql_* templates) the account exist throughout the lifecycle of the database pod (even if RH-SSO pod is destructed, the stored account data is preserved under the assumption that the database pod is still running),
* For persistent database mode (*_sso71-mysql-persistent_*, *_sso71-postgresql-persistent_*, *_sso72-mysql-persistent_*, and *_sso72-postgresql-persistent_* templates) the account exists throughout the lifecycle of the persistent medium used to hold the database data. This means that the stored account data is preserved even when both, the RH-SSO and the database pods are destructed.
It is a common practice to deploy an RH-SSO application template to get the corresponding OpenShift deployment config for the application, and then reuse that deployment config multiple times (every time a new RH-SSO application needs to be instantiated).
====
[WARNING]
====
In the case of *ephemeral or persistent database mode*, after creating the RH_SSO server's administrator account, remove the *_SSO_ADMIN_USERNAME_* and *_SSO_ADMIN_PASSWORD_* variables from the deployment config before deploying new RH-SSO applications.
====
[IMPORTANT]
====
Run the following commands to prepare the previously created deployment config of the RH-SSO application for reuse after the administrator account has been created:
. Identify the deployment config of the RH-SSO application.
+
----
$ oc get dc -o name
deploymentconfig/sso
deploymentconfig/sso-mysql
----
. Clear the *_SSO_ADMIN_USERNAME_* and *_SSO_ADMIN_PASSWORD_* variables setting.
+
----
$ oc env dc/sso -e SSO_ADMIN_USERNAME="" SSO_ADMIN_PASSWORD=""
----
====
[[sso-admin-remote-shell]]
===== Creating RH-SSO Administrator Account via Remote Shell Session to RH-SSO Pod
Run following commands to create administrator account for the `master` realm of the RH-SSO server, when deploying the {xpaasproduct-shortname} image directly from the image stream (without the xref:../introduction/introduction.adoc#sso-templates[template]), after the RH-SSO application pod has been started:
. Identify the RH-SSO application pod.
+
----
$ oc get pods
NAME READY STATUS RESTARTS AGE
sso-12-pt93n 1/1 Running 0 1m
sso-mysql-6-d97pf 1/1 Running 0 2m
----
. Open a remote shell session to {xpaasproduct-shortname} container.
+
----
$ oc rsh sso-12-pt93n
sh-4.2$
----
. Create the RH-SSO server administrator account for the `master` realm at the command line with the `add-user-keycloak.sh` script.
+
----
sh-4.2$ cd /opt/eap/bin/
sh-4.2$ ./add-user-keycloak.sh -r master -u sso_admin -p sso_password
Added 'sso_admin' to '/opt/eap/standalone/configuration/keycloak-add-user.json', restart server to load user
----
+
[NOTE]
====
The `sso_admin`/`sso_password` credentials in the example above are for demonstration purposes only. Refer to the password policy applicable within your organization for guidance on how to create a secure user name and password.
====
. Restart the underlying JBoss EAP server instance to load the newly added user account. Wait for the server to restart properly.
+
----
sh-4.2$ ./jboss-cli.sh --connect ':reload'
{
"outcome" => "success",
"result" => undefined
}
----
+
[WARNING]
====
When restarting the server it is important to restart just the JBoss EAP process within the running RH-SSO container, and not the whole container. Because restarting the whole container recreates it from scratch, without the RH-SSO server administration account for the `master` realm to be created.
====
. Log into the `master` realm's administration console of the RH-SSO server using the the credentials created in the steps above. In the browser, navigate to *\http://sso-<project-name>.<hostname>/auth/admin* for the RH-SSO web server, or to *\https://secure-sso-<project-name>.<hostname>/auth/admin* for the encrypted RH-SSO web server, and specify user name and password used to create the administrator user.
==== Using the OpenShift Web Console
Log in to the OpenShift web console:
. Click *Add to project* to list the default image streams and templates.
. Use the *Filter by keyword* search bar to limit the list to those that match _sso_. You may need to click *See all* to show the desired application template.
. Select an application template and configure the deployment parameters as required.
. Click *Create* to deploy the application template.
These are some of the more common variables to configure an RH-SSO deployment:
[cols="2*", options="header"]
|===
|Variable
|Description
|*_APPLICATION_NAME_*
|The name for the RH-SSO application.
|*_HOSTNAME_HTTPS_*
|Custom hostname for https service route. Leave blank for default hostname of _<application-name>.<project>.<default-domain-suffix>_
|*_HOSTNAME_HTTP_*
|Custom hostname for http service route. Leave blank for default hostname of _<application-name>.<project>.<default-domain-suffix>_
|*_HTTPS_KEYSTORE_*
|The name of the keystore file within the secret.
|*_HTTPS_PASSWORD_*
|The password for the keystore and certificate.
|*_HTTPS_SECRET_*
|The name of the secret containing the keystore file.
|*_JGROUPS_ENCRYPT_KEYSTORE_*
|The name of the JGroups keystore file within the secret.
|*_JGROUPS_ENCRYPT_PASSWORD_*
|The password for the JGroups keystore and certificate.
|*_JGROUPS_ENCRYPT_SECRET_*
|The name of the secret containing the JGroups keystore file.
|*_SSO_ADMIN_USERNAME_*
|Username of the administrator account for the `master` realm of the RH-SSO server. *Required.* If no value is specified, it is auto generated and displayed as an OpenShift instructional message when the template is instantiated.
|*_SSO_ADMIN_PASSWORD_*
|Password of the administrator account for the `master` realm of the RH-SSO server. *Required.* If no value is specified, it is auto generated and displayed as an OpenShift instructional message when the template is instantiated.
|*_SSO_REALM_*
|The name of an additional RH-SSO realm to create during deployment.
|*_SSO_SERVICE_USERNAME_*
|RH-SSO service user name to manage the realm.
|*_SSO_SERVICE_PASSWORD_*
|RH-SSO service user password.
|===
See the xref:env_vars[Reference chapter] for a more comprehensive list of the RH-SSO environment variables.
See the xref:Example-Deploying-SSO[Example Workflow: Preparing and Deploying the {xpaasproduct-shortname} Image] for an end-to-end example of RH-SSO deployment.
==== Routes
The {xpaasproduct-shortname} templates use TLS passthrough termination for routes by default. This means that the destination route receives encrypted traffic without the OpenShift router providing TLS termination. Users do not need the relevant SSL certificate to connect to the RH-SSO login page.
For more information on OpenShift route types, see the link:https://docs.openshift.com/container-platform/3.7/architecture/networking/routes.html#route-types[Networking chapter] of the OpenShift Architecture Guide.
==== Deployment Process
Once deployed, the *_sso71-https_* and *_sso72-https_* templates create a single pod that contains both the database and the RH-SSO servers. The *_sso71-mysql_*, *_sso72-mysql_*, *_sso71-mysql-persistent_*, *_sso72-mysql-persistent_*, *_sso71-postgresql_*, *_sso72-postgresql_*, *_sso71-postgresql-persistent_*, and *_sso72-postgresql-persistent_* templates create two pods, one for the database server and one for the RH-SSO web server.
After the RH-SSO web server pod has started, it can be accessed at its custom configured hostnames, or at the default hostnames:
* *\http://sso-_<project-name>_._<hostname>_/auth/admin*: for the RH-SSO web server, and
* *\https://secure-sso-_<project-name>_._<hostname>_/auth/admin*: for the encrypted RH-SSO web server.
Use the xref:../get_started/get_started.adoc#sso-administrator-setup[administrator user credentials] to log in into the `master` realms administration console.
[[SSO-Clients]]
==== RH-SSO Clients
Clients are RH-SSO entities that request user authentication. A client can be an application requesting RH-SSO to provide user authentication, or it can be making requests for access tokens to start services on behalf of an authenticated user. See the link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html/server_administration_guide/clients[Managing Clients chapter of the Red Hat Single Sign-On documentation] for more information.
RH-SSO provides link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html/server_administration_guide/clients#oidc_clients[OpenID-Connect] and link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html/server_administration_guide/clients#saml_clients[SAML] client protocols. +
OpenID-Connect is the preferred protocol and utilizes three different access types:
- *public*: Useful for JavaScript applications that run directly in the browser and require no server configuration.
- *confidential*: Useful for server-side clients, such as EAP web applications, that need to perform a browser login.
- *bearer-only*: Useful for back-end services that allow bearer token requests.
It is required to specify the client type in the *<auth-method>* key of the application *web.xml* file. This file is read by the image at deployment. Set the value of *<auth-method>* element to:
* *KEYCLOAK* for the OpenID Connect client.
* *KEYCLOAK-SAML* for the SAML client.
The following is an example snippet for the application *web.xml* to configure an OIDC client:
----
...
<login-config>
<auth-method>KEYCLOAK</auth-method>
</login-config>
...
----
[[Auto-Man-Client-Reg]]
==== Automatic and Manual RH-SSO Client Registration Methods
A client application can be automatically registered to an RH-SSO realm by using credentials passed in variables specific to the *_eap64-sso-s2i_*, *_eap70-sso-s2i_*, *_eap71-sso-s2i_*, and *_datavirt63-secure-s2i_* templates.
Alternatively, you can manually register the client application by configuring and exporting the RH-SSO client adapter and including it in the client application configuration.
==== Automatic RH-SSO Client Registration
Automatic RH-SSO client registration is determined by RH-SSO environment variables specific to the *_eap64-sso-s2i_*, *_eap70-sso-s2i_*, *_eap71-sso-s2i_*, and *_datavirt63-secure-s2i_* templates. The RH-SSO credentials supplied in the template are then used to register the client to the RH-SSO realm during deployment of the client application.
The RH-SSO environment variables included in the *_eap64-sso-s2i_*, *_eap70-sso-s2i_*, *_eap71-sso-s2i_*, and *_datavirt63-secure-s2i_* templates are:
[cols="2*", options="header"]
|===
|Variable
|Description
|*_HOSTNAME_HTTP_*
|Custom hostname for http service route. Leave blank for default hostname of <application-name>.<project>.<default-domain-suffix>
|*_HOSTNAME_HTTPS_*
|Custom hostname for https service route. Leave blank for default hostname of <application-name>.<project>.<default-domain-suffix>
|*_SSO_URL_*
|The RH-SSO web server authentication address: $$https://secure-sso-$$_<project-name>_._<hostname>_/auth
|*_SSO_REALM_*
|The RH-SSO realm created for this procedure.
|*_SSO_USERNAME_*
|The name of the _realm management user_.
|*_SSO_PASSWORD_*
| The password of the user.
|*_SSO_PUBLIC_KEY_*
|The public key generated by the realm. It is located in the *Keys* tab of the *Realm Settings* in the RH-SSO console.
|*_SSO_BEARER_ONLY_*
|If set to *true*, the OpenID Connect client is registered as bearer-only.
|*_SSO_ENABLE_CORS_*
|If set to *true*, the RH-SSO adapter enables Cross-Origin Resource Sharing (CORS).
|===
If the RH-SSO client uses the SAML protocol, the following additional variables need to be configured:
[cols="2*", options="header"]
|===
|Variable
|Description
|*_SSO_SAML_KEYSTORE_SECRET_*
|Secret to use for access to SAML keystore. The default is _sso-app-secret_.
|*_SSO_SAML_KEYSTORE_*
|Keystore filename in the SAML keystore secret. The default is _keystore.jks_.
|*_SSO_SAML_KEYSTORE_PASSWORD_*
|Keystore password for SAML. The default is _mykeystorepass_.
|*_SSO_SAML_CERTIFICATE_NAME_*
|Alias for keys/certificate to use for SAML. The default is _jboss_.
|===
See xref:Example-EAP-Auto[Example Workflow: Automatically Registering EAP Application in RH-SSO with OpenID-Connect Client] for an end-to-end example of the automatic client registration method using an OpenID-Connect client.
==== Manual RH-SSO Client Registration
Manual RH-SSO client registration is determined by the presence of a deployment file in the client application's _../configuration/_ directory. These files are exported from the client adapter in the RH-SSO web console. The name of this file is different for OpenID-Connect and SAML clients:
[horizontal]
*OpenID-Connect*:: _../configuration/secure-deployments_
*SAML*:: _../configuration/secure-saml-deployments_
These files are copied to the RH-SSO adapter configuration section in the _standalone-openshift.xml_ at when the application is deployed.
There are two methods for passing the RH-SSO adapter configuration to the client application:
* Modify the deployment file to contain the RH-SSO adapter configuration so that it is included in the _standalone-openshift.xml_ file at deployment, or
* Manually include the OpenID-Connect _keycloak.json_ file, or the SAML _keycloak-saml.xml_ file in the client application's *../WEB-INF* directory.
See xref:Example-EAP-Manual[Example Workflow: Manually Configure an Application to Use RH-SSO Authentication, Using SAML Client] for an end-to-end example of the manual RH-SSO client registration method using a SAML client.
==== Limitations
OpenShift does not currently accept OpenShift role mapping from external providers. If RH-SSO is used as an authentication gateway for OpenShift, users created in RH-SSO must have the roles added using the OpenShift Administrator `oadm policy` command.
For example, to allow an RH-SSO-created user to view a project namespace in OpenShift:
[subs="verbatim,macros"]
----
oadm policy add-role-to-user view <pass:quotes[_user-name_]> -n <pass:quotes[_project-name_]>
----
=== Binary Builds
To deploy existing applications on OpenShift, you can use the link:https://docs.openshift.com/container-platform/latest/dev_guide/builds/build_inputs.html#binary-source[binary source] capability.
==== Deploy Binary Build of EAP 6.4 / 7.0 JSP Service Invocation Application that Authenticates Using Red Hat Single Sign-On
The following example uses both link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-jee-jsp[app-jee-jsp] and link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-jee-jaxrs[service-jee-jaxrs] quickstarts to deploy EAP 6.4 / 7.0 JSP service application that authenticates using the Red Hat Single Sign-On.
*Prerequisite:*
[IMPORTANT]
====
This guide assumes the {xpaasproduct-shortname} image has been previously link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_single_sign-on_for_openshift/index#Example-Deploying-SSO[deployed using one of the following templates:]
* *_sso71-mysql_*
* *_sso72-mysql_*
* *_sso71-postgresql_*
* *_sso72-postgresql_*
* *_sso71-mysql-persistent_*
* *_sso72-mysql-persistent_*
* *_sso71-postgresql-persistent_*
* *_sso72-postgresql-persistent_*
====
===== Create RH-SSO Realm, Roles, and User for the EAP 6.4 / 7.0 JSP Application
The EAP 6.4 / 7.0 JSP service application requires dedicated RH-SSO realm, username, and password to be able to authenticate using Red Hat Single Sign-On. Perform the following steps after the {xpaasproduct-shortname} image has been deployed:
*Create the RH-SSO Realm*
. Login to the administration console of the RH-SSO server.
+
*\https://secure-sso-sso-app-demo.openshift.example.com/auth/admin*
+
Use the xref:sso_server.adoc#sso-administrator-setup[credentials of the RH-SSO administrator user].
. Hover your cursor over the realm namespace (default is *Master*) at the top of the sidebar and click *Add Realm*.
. Enter a realm name (this example uses `demo`) and click *Create*.
[[copy-rsa-public-key]]
*Copy the Public Key*
In the newly created `demo` realm, click the *Keys* tab and copy the public key that has been generated.
[NOTE]
====
RH-SSO 7.1 and RH-SSO 7.2 images generate two keys by default:
* RSA key, and
* HMAC key
To copy the public key information for the RH-SSO 7.1 or RH-SSO 7.2 image, click the *Public key* button of the *RSA* row of the keys table. Then select and copy the content of the pop-up window that appears.
====
The information about the public key is necessary xref:sso-public-key-details[later to deploy] the RH-SSO-enabled EAP 6.4 / 7.0 JSP application.
*Create RH-SSO Roles*
[NOTE]
====
The link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-jee-jaxrs[service-jee-jaxrs] quickstart exposes three endpoints by the service:
* `public` - Requires no authentication.
* `secured` - Can be invoked by users with the `user` role.
* `admin` - Can be invoked by users with the `admin` role.
====
Create `user` and `admin` roles in RH-SSO. These roles will be assigned to an RH-SSO application user to authenticate access to user applications.
. Click *Roles* in the *Configure* sidebar to list the roles for this realm.
+
[NOTE]
====
This is a new realm, so there should only be the default roles:
* `offline_access` and `uma_authorization` role for the RH-SSO 7.1 and RH-SSO 7.2 images.
====
. Click *Add Role*.
. Enter the role name (`user`) and click *Save*.
Repeat these steps for the `admin` role.
*Create the RH-SSO Realm Management User*
. Click *Users* in the *Manage* sidebar to view the user information for the realm.
. Click *Add User.*
. Enter a valid *Username* (this example uses the user `appuser`) and click *Save*.
. Edit the user configuration:
.. Click the *Credentials* tab in the user space and enter a password for the user (this example uses the password `apppassword`).
.. Ensure the *Temporary Password* option is set to *Off* so that it does not prompt for a password change later on, and click *Reset Password* to set the user password. A pop-up window prompts for additional confirmation.
===== Assign `user` RH-SSO Role to the Realm Management User
Perform the following steps to tie the previously created `appuser` with the `user` RH-SSO role:
. Click *Role Mappings* to list the realm and client role configuration. In *Available Roles*, select the `user` role created earlier, and click *Add selected>*.
. Click *Client Roles*, select *realm-management* entry from the list, select each record in the *Available Roles* list.
+
[NOTE]
====
You can select multiple items at once by holding the *Ctrl* key and simultaneously clicking the first `impersonation` entry. While keeping the *Ctrl* key and the left mouse button pressed, move to the end of the list to the `view-clients` entry and ensure each record is selected.
====
. Click *Add selected>* to assign the roles to the client.
===== Prepare RH-SSO Authentication for OpenShift Deployment of the EAP 6.4 / 7.0 JSP Application
. Create a new project for the EAP 6.4 / 7.0 JSP application.
+
[subs="verbatim,macros"]
----
$ oc new-project eap-app-demo
----
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster.
+
[subs="verbatim,macros"]
----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
----
. The EAP template requires an link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_single_sign-on_for_openshift/index#Configuring-Keystores[SSL keystore and a JGroups keystore]. This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores.
.. Generate a secure key for the SSL keystore (this example uses `password` as password for the keystore).
+
[subs="verbatim,macros"]
----
$ keytool -genkeypair \
-dname "CN=secure-eap-app-eap-app-demo.openshift.example.com" \
-alias https \
-storetype JKS \
-keystore eapkeystore.jks
----
.. Generate a secure key for the JGroups keystore (this example uses `password` as password for the keystore).
+
[subs="verbatim,macros"]
----
$ keytool -genseckey \
-alias jgroups \
-storetype JCEKS \
-keystore eapjgroups.jceks
----
.. Generate the EAP 6.4 / 7.0 for OpenShift secrets with the SSL and JGroup keystore files.
+
[subs="verbatim,macros"]
----
$ oc secret new eap-ssl-secret eapkeystore.jks
----
+
[subs="verbatim,macros"]
----
$ oc secret new eap-jgroup-secret eapjgroups.jceks
----
.. Add the EAP application secret to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account.
+
[subs="verbatim,macros"]
----
$ oc secrets link default eap-ssl-secret eap-jgroup-secret
----
===== Deploy Binary Build of the EAP 6.4 / 7.0 JSP Application
. Clone the source code.
+
[subs="verbatim,macros"]
----
$ git clone https://github.com/keycloak/keycloak-quickstarts.git
----
. link:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/development_guide/#use_the_maven_repository[Configure] the link:https://access.redhat.com/maven-repository[Red Hat JBoss Middleware Maven repository].
. Build both the link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-jee-jaxrs[service-jee-jaxrs] and link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-jee-jsp[app-jee-jsp] applications.
.. Build the `service-jee-jaxrs` application.
+
[subs="verbatim,macros"]
----
$ cd keycloak-quickstarts/service-jee-jaxrs/
----
+
[subs="verbatim,macros"]
----
$ mvn clean package -DskipTests
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Keycloak Quickstart: service-jee-jaxrs 3.1.0.Final
[INFO] ------------------------------------------------------------------------
...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.153 s
[INFO] Finished at: 2017-06-26T12:06:12+02:00
[INFO] Final Memory: 25M/241M
[INFO] ------------------------------------------------------------------------
----
.. *Comment out* the `app-jee-jsp/config/keycloak.json` requirement of the `maven-enforcer-plugin` plugin and build the `app-jee-jsp` application.
+
[subs="verbatim,macros"]
+
----
service-jee-jaxrs]$ cd ../app-jee-jsp/
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ sed -i /\<executions\>/s/^/\<\!--/ pom.xml
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ sed -i '/\(<\/executions>\)/a\-->' pom.xml
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ mvn clean package -DskipTests
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Keycloak Quickstart: app-jee-jsp 3.1.0.Final
[INFO] ------------------------------------------------------------------------
...
[INFO] Building war: /tmp/github/keycloak-quickstarts/app-jee-jsp/target/app-jsp.war
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.018 s
[INFO] Finished at: 2017-06-26T12:22:25+02:00
[INFO] Final Memory: 35M/310M
[INFO] ------------------------------------------------------------------------
----
+
[IMPORTANT]
====
The link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-jee-jsp[app-jee-jsp] quickstart requires to configure the adapter, and adapter configuration file (`keycloak.json`) to be present at the `config/` directory in the root of the quickstart to successfully build the quickstart. But since this example configures the adapter later via selected environment variables available for the EAP 6.4 / 7.0 for OpenShift image, it is not necessary to specify the form of `keycloak.json` adapter configuration file at this moment.
====
[[directory-structure-binary-builds]]
[start=4]
. Prepare the directory structure on the local file system.
+
Application archives in the *deployments/* subdirectory of the main binary build directory are copied directly to the xref:standard-deployments-directory[standard deployments directory] of the image being built on OpenShift. For the application to deploy, the directory hierarchy containing the web application data must be correctly structured.
+
Create main directory for the binary build on the local file system and *deployments/* subdirectory within it. Copy the previously built WAR archives of both the *service-jee-jaxrs* and *app-jee-jsp* quickstarts to the *deployments/* subdirectory:
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ ls
config pom.xml README.md src target
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ mkdir -p sso-eap7-bin-demo/deployments
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ cp target/app-jsp.war sso-eap7-bin-demo/deployments/
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ cp ../service-jee-jaxrs/target/service.war sso-eap7-bin-demo/deployments/
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ tree sso-eap7-bin-demo/
sso-eap7-bin-demo/
|__ deployments
|__ app-jsp.war
|__ service.war
1 directory, 2 files
----
+
[[standard-deployments-directory]]
[NOTE]
====
Location of the standard deployments directory depends on the underlying base image, that was used to deploy the application. See the following table:
.Standard Location of the Deployments Directory
[cols="2", options="header"]
|===
| Name of the Underlying Base Image(s) | Standard Location of the Deployments Directory
| EAP for OpenShift 6.4 and 7.0 | *_$JBOSS_HOME/standalone/deployments_*
| Java S2I for OpenShift | *_/deployments_*
| JWS for OpenShift | *_$JWS_HOME/webapps_*
|===
====
. Identify the image stream for EAP 6.4 / 7.0 image.
+
[subs="verbatim,macros"]
----
$ oc get is -n openshift | grep eap | cut -d ' ' -f 1
jboss-eap64-openshift
jboss-eap70-openshift
jboss-eap71-openshift
----
[[eap-new-binary-build]]
[start=6]
. Create new binary build, specifying image stream and application name.
+
[NOTE]
====
Replace `--image-stream=jboss-eap70-openshift` parameter with the `--image-stream=jboss-eap64-openshift` one in the following oc command to deploy the JSP application on top of JBoss EAP 6.4 for OpenShift image.
====
+
[subs="verbatim,macros"]
----
$ oc new-build --binary=true \
--image-stream=jboss-eap70-openshift \
--name=eap-app
--> Found image 31895a4 (3 months old) in image stream "openshift/jboss-eap70-openshift" under tag "latest" for "jboss-eap70-openshift"
JBoss EAP 7.0
-------------
Platform for building and running JavaEE applications on JBoss EAP 7.0
Tags: builder, javaee, eap, eap7
* A source build using binary input will be created
* The resulting image will be pushed to image stream "eap-app:latest"
* A binary build was created, use 'start-build --from-dir' to trigger a new build
--> Creating resources with label build=eap-app ...
imagestream "eap-app" created
buildconfig "eap-app" created
--> Success
----
. Start the binary build. Instruct `oc` executable to use main directory of the binary build we created xref:directory-structure-binary-builds[in previous step] as the directory containing binary input for the OpenShift build. In the working directory of *app-jee-jsp* issue the following command.
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ oc start-build eap-app \
--from-dir=./sso-eap7-bin-demo/ \
--follow
Uploading directory "sso-eap7-bin-demo" as binary input for the build ...
build "eap-app-1" started
Receiving source from STDIN as archive ...
Copying all war artifacts from /home/jboss/source/. directory into /opt/eap/standalone/deployments for later deployment...
Copying all ear artifacts from /home/jboss/source/. directory into /opt/eap/standalone/deployments for later deployment...
Copying all rar artifacts from /home/jboss/source/. directory into /opt/eap/standalone/deployments for later deployment...
Copying all jar artifacts from /home/jboss/source/. directory into /opt/eap/standalone/deployments for later deployment...
Copying all war artifacts from /home/jboss/source/deployments directory into /opt/eap/standalone/deployments for later deployment...
'/home/jboss/source/deployments/app-jsp.war' -> '/opt/eap/standalone/deployments/app-jsp.war'
'/home/jboss/source/deployments/service.war' -> '/opt/eap/standalone/deployments/service.war'
Copying all ear artifacts from /home/jboss/source/deployments directory into /opt/eap/standalone/deployments for later deployment...
Copying all rar artifacts from /home/jboss/source/deployments directory into /opt/eap/standalone/deployments for later deployment...
Copying all jar artifacts from /home/jboss/source/deployments directory into /opt/eap/standalone/deployments for later deployment...
Pushing image 172.30.82.129:5000/eap-app-demo/eap-app:latest ...
Pushed 6/7 layers, 86% complete
Pushed 7/7 layers, 100% complete
Push successful
----
. Create a new OpenShift application based on the build.
+
[subs="verbatim,macros"]
----
$ oc new-app eap-app
--> Found image 6b13d36 (2 minutes old) in image stream "eap-app-demo/eap-app" under tag "latest" for "eap-app"
eap-app-demo/eap-app-1:aa2574d9
-------------------------------
Platform for building and running JavaEE applications on JBoss EAP 7.0
Tags: builder, javaee, eap, eap7
* This image will be deployed in deployment config "eap-app"
* Ports 8080/tcp, 8443/tcp, 8778/tcp will be load balanced by service "eap-app"
* Other containers can access this service through the hostname "eap-app"
--> Creating resources ...
deploymentconfig "eap-app" created
service "eap-app" created
--> Success
Run 'oc status' to view your app.
----
. Stop all running containers of the EAP 6.4 / 7.0 JSP application in the current namespace.
+
[subs="verbatim,macros"]
----
$ oc get dc -o name
deploymentconfig/eap-app
----
+
[subs="verbatim,macros"]
----
$ oc scale dc/eap-app --replicas=0
deploymentconfig "eap-app" scaled
----
. Further configure the EAP 6.4 / 7.0 JSP application prior the deployment.
[[sso-public-key-details]]
.. Configure the application with proper details about the RH-SSO server instance.
+
[WARNING]
====
Ensure to replace the value of *_SSO_PUBLIC_KEY_* variable below with the actual content of the RSA public key for the `demo` realm, that has been xref:copy-rsa-public-key[copied].
====
+
[subs="verbatim,macros"]
----
$ oc set env dc/eap-app \
-e HOSTNAME_HTTP="eap-app-eap-app-demo.openshift.example.com" \
-e HOSTNAME_HTTPS="secure-eap-app-eap-app-demo.openshift.example.com" \
-e SSO_DISABLE_SSL_CERTIFICATE_VALIDATION="true" \
-e SSO_USERNAME="appuser" \
-e SSO_PASSWORD="apppassword" \
-e SSO_REALM="demo" \
-e SSO_URL="https://secure-sso-sso-app-demo.openshift.example.com/auth" \
-e SSO_PUBLIC_KEY="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkdhXyKx97oIoO6HwnV/MiX2EHO55Sn+ydsPzbjJevI5F31UvUco9uA8dGl6oM8HrnaWWv+i8PvmlaRMhhl6Xs68vJTEc6d0soP+6A+aExw0coNRp2PDwvzsXVWPvPQg3+iytStxu3Icndx+gC0ZYnxoRqL7rY7zKcQBScGEr78Nw6vZDwfe6d/PQ6W4xVErNytX9KyLFVAE1VvhXALyqEM/EqYGLmpjw5bMGVKRXnhmVo9E88CkFDH8E+aPiApb/gFul1GJOv+G8ySLoR1c8Y3L29F7C81odkVBp2yMm3RVFIGSPTjHqjO/nOtqYIfY4Wyw9mRIoY5SyW7044dZXRwIDAQAB" \
-e SSO_SECRET="0bb8c399-2501-4fcd-a183-68ac5132868d"
deploymentconfig "eap-app" updated
----
.. Configure the application with details about both the SSL and JGroups keystore.
+
[subs="verbatim,macros"]
----
$ oc set env dc/eap-app \
-e HTTPS_KEYSTORE_DIR="/etc/eap-secret-volume" \
-e HTTPS_KEYSTORE="eapkeystore.jks" \
-e HTTPS_PASSWORD="password" \
-e JGROUPS_ENCRYPT_SECRET="eap-jgroup-secret" \
-e JGROUPS_ENCRYPT_KEYSTORE_DIR="/etc/jgroups-encrypt-secret-volume" \
-e JGROUPS_ENCRYPT_KEYSTORE="eapjgroups.jceks" \
-e JGROUPS_ENCRYPT_PASSWORD="password"
deploymentconfig "eap-app" updated
----
.. Define OpenShift volumes for both the SSL and JGroups secrets created earlier.
+
[subs="verbatim,macros"]
----
$ oc volume dc/eap-app --add \
--name="eap-keystore-volume" \
--type=secret \
--secret-name="eap-ssl-secret" \
--mount-path="/etc/eap-secret-volume"
deploymentconfig "eap-app" updated
----
+
[subs="verbatim,macros"]
----
$ oc volume dc/eap-app --add \
--name="eap-jgroups-keystore-volume" \
--type=secret \
--secret-name="eap-jgroup-secret" \
--mount-path="/etc/jgroups-encrypt-secret-volume"
deploymentconfig "eap-app" updated
----
.. Configure the deployment config of the application to run application pods under the `default` OpenShift service account (default setting).
+
[subs="verbatim,macros"]
----
$ oc patch dc/eap-app --type=json \
-p '[{"op": "add", "path": "/spec/template/spec/serviceAccountName", "value": "default"}]'
"eap-app" patched
----
. Deploy container of the EAP 6.4 / 7.0 JSP application using the modified deployment config.
+
[subs="verbatim,macros"]
----
$ oc scale dc/eap-app --replicas=1
deploymentconfig "eap-app" scaled
----
. Expose the service as route.
+
[subs="verbatim,macros"]
----
$ oc get svc -o name
service/eap-app
----
+
[subs="verbatim,macros"]
----
$ oc get route
No resources found.
----
+
[subs="verbatim,macros"]
----
$ oc expose svc/eap-app
route "eap-app" exposed
----
+
[subs="verbatim,macros"]
----
$ oc get route
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
eap-app eap-app-eap-app-demo.openshift.example.com eap-app 8080-tcp None
----
===== Access the Application
Access the application in your browser using the URL *\http://eap-app-eap-app-demo.openshift.example.com/app-jsp*. You should see output like on the following image:
[.text-center]
image:images/sso_app_jee_jsp.png[RH-SSO Example JSP Application]
Perform the following to test the application:
* Click the *INVOKE PUBLIC* button to access the `public` endpoint that doesn't require authentication.
+
You should see the *Message: public* output.
* Click the *LOGIN* button to be redirected for user authentication to the RH-SSO server instance against the `demo` realm.
+
Specify username and password of the RH-SSO user configured earlier (`appuser` / `apppassword`). Click *Log in*. The look of the application changes as detailed in the following image:
+
[.text-center]
image:images/sso_app_jee_jsp_logged_in.png[]
* Click the *INVOKE SECURED* button to access the `secured` endpoint.
+
You should see the *Message: secured* output.
* Click the *INVOKE ADMIN* button to access the `admin` endpoint.
+
You should see *403 Forbidden* output.
+
[NOTE]
====
The `admin` endpoint requires users with `admin` RH-SSO role to invoke properly. Access for the `appuser` is forbidden because they only have `user` role privilege, which allows them to access the `secured` endpoint.
====
+
Perform the following steps to add the `appuser` to the `admin` RH-SSO role:
+
. Access the administration console of the RH-SSO server's instance.
+
*\https://secure-sso-sso-app-demo.openshift.example.com/auth/admin*.
+
Use the xref:sso_server.adoc#sso-administrator-setup[credentials of the RH-SSO administrator user].
. Click *Users* in the *Manage* sidebar to view the user information for the `demo` realm.
. Click *View all users* button.
. Click the ID link for the *appuser* or alternatively click the *Edit* button in the *Actions* column.
. Click the *Role Mappings* tab.
. Select `admin` entry from the *Available Roles* list in the *Realm Roles* row.
. Click *Add selected>* button to add the `admin` role to the user.
. Return to EAP 6.4 / 7.0 JSP service application.
+
*\http://eap-app-eap-app-demo.openshift.example.com/app-jsp*.
. Click the *LOGOUT* button to reload role mappings for the `appuser`.
. Click the *LOGIN* button again and provider `appuser` credentials.
. Click the *INVOKE ADMIN* button again.
+
You should see the *Message: admin* output already.

2
openshift/content/introduction/introduction.adoc → openshift/topics/introduction.adoc
View file

@ -1,3 +1,5 @@
== Introduction
=== What Is Red Hat Single Sign-On?
Red Hat Single Sign-On (RH-SSO) is an integrated sign-on solution available as a Red Hat JBoss Middleware for OpenShift containerized image. The {xpaasproduct} image provides an authentication server for users to centrally log in, log out, register, and manage user accounts for web applications, mobile applications, and RESTful web services.

112
openshift/content/reference/reference.adoc → openshift/topics/reference.adoc
View file

@ -1,12 +1,112 @@
== Reference
[[sso-artifact-repository-mirrors-section]]
=== Artifact Repository Mirrors
// Define required 'bcname' attribute for maven_mirror_url.adoc page
:bcname: sso
// This page describes MAVEN_MIRROR_URL variable usage
// It requires 'bcname' attribute to be set to the name of the product
A repository in Maven holds build artifacts and dependencies of various types
(all the project jars, library jar, plugins or any other project specific
artifacts). It also specifies locations from where to download artifacts from,
while performing the S2I build. Besides using central repositories, it is a
common practice for organizations to deploy a local custom repository (mirror).
Benefits of using a mirror are:
* Availability of a synchronized mirror, which is geographically closer and
faster.
* Ability to have greater control over the repository content.
* Possibility to share artifacts across different teams (developers, CI),
without the need to rely on public servers and repositories.
* Improved build times.
Often, a repository manager can serve as local cache to a mirror. Assuming that
the repository manager is already deployed and reachable externally at
*_pass:[http://10.0.0.1:8080/repository/internal/]_*, the S2I build can then use this
manager by supplying the `MAVEN_MIRROR_URL` environment variable to the
build configuration of the application as follows:
. Identify the name of the build configuration to apply `MAVEN_MIRROR_URL`
variable against:
+
----
oc get bc -o name
buildconfig/sso
----
. Update build configuration of `sso` with a `MAVEN_MIRROR_URL` environment variable
+
----
oc env bc/sso MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"
buildconfig "sso" updated
----
. Verify the setting
+
----
oc env bc/sso --list
# buildconfigs sso
MAVEN_MIRROR_URL=http://10.0.0.1:8080/repository/internal/
----
. Schedule new build of the application
NOTE: During application build, you will notice that Maven dependencies are
pulled from the repository manager, instead of the default public repositories.
Also, after the build is finished, you will see that the mirror is filled with
all the dependencies that were retrieved and used during the build.
A repository in Maven holds build artifacts and dependencies of various types
(all the project jars, library jar, plugins or any other project specific
artifacts). It also specifies locations from where to download artifacts from,
while performing the S2I build. Besides using central repositories, it is a
common practice for organizations to deploy a local custom repository (mirror).
Benefits of using a mirror are:
* Availability of a synchronized mirror, which is geographically closer and
faster.
* Ability to have greater control over the repository content.
* Possibility to share artifacts across different teams (developers, CI),
without the need to rely on public servers and repositories.
* Improved build times.
Often, a repository manager can serve as local cache to a mirror. Assuming that
the repository manager is already deployed and reachable externally at
*_pass:[http://10.0.0.1:8080/repository/internal/]_*, the S2I build can then use this
manager by supplying the `MAVEN_MIRROR_URL` environment variable to the
build configuration of the application as follows:
. Identify the name of the build configuration to apply `MAVEN_MIRROR_URL`
variable against:
+
----
oc get bc -o name
buildconfig/sso
----
. Update build configuration of `sso` with a `MAVEN_MIRROR_URL` environment variable
+
----
oc env bc/sso MAVEN_MIRROR_URL="http://10.0.0.1:8080/repository/internal/"
buildconfig "sso" updated
----
. Verify the setting
+
----
oc env bc/sso --list
# buildconfigs sso
MAVEN_MIRROR_URL=http://10.0.0.1:8080/repository/internal/
----
. Schedule new build of the application
NOTE: During application build, you will notice that Maven dependencies are
pulled from the repository manager, instead of the default public repositories.
Also, after the build is finished, you will see that the mirror is filled with
all the dependencies that were retrieved and used during the build.
// Include the Artifact Repository Mirros section
// (MAVEN_MIRROR_URL variable usage information)
include::../../common/maven_mirror_url.adoc[bcname]
[[env_vars]]
=== Environment Variables
@ -73,7 +173,7 @@ switch Jolokia into https communication mode. The default CA cert is set to
|*_AB_JOLOKIA_CONFIG_*
|If set uses this file (including path) as Jolokia JVM agent properties (as
described in Jolokias
link:http://www.jolokia.org/reference/html/agents.html#agents-jvm[reference
link:https://jolokia.org/reference/html/agents.html#agents-jvm[reference
manual]). If not set, the `/opt/jolokia/etc/jolokia.properties` file will be
created using the settings as defined in this document, otherwise the rest of
the settings in this document are ignored.

1
openshift/topics/templates Symbolic link
View file

@ -0,0 +1 @@
../../topics/templates

530
openshift/content/tutorials/tutorials.adoc → openshift/topics/tutorials.adoc
View file

@ -1,6 +1,14 @@
[[RH-SSO-Binary-Builds-Tutorial]]
=== Example Workflow: Creating OpenShift Application from Existing Maven Binaries and Securing it Using Red Hat Single Sing-On
== Tutorials
[[Example-Deploying-SSO]]
=== Example Workflow: Preparing and Deploying the {xpaasproduct-shortname} image
[[Preparing-SSO-Authentication-for-OpenShift-Deployment]]
==== Preparing RH-SSO Authentication for OpenShift Deployment
Log in to the OpenShift CLI with a user that holds the _cluster:admin_ role.
To deploy existing applications on OpenShift, you can use the link:https://docs.openshift.com/container-platform/latest/dev_guide/builds/build_inputs.html#binary-source[binary source] capability.
==== Deploy Binary Build of EAP 6.4 / 7.0 JSP Service Invocation Application and Secure it Using Red Hat Single Sign-On
@ -11,7 +19,7 @@ The following example uses both link:https://github.com/keycloak/keycloak-quicks
[IMPORTANT]
====
This guide assumes the {xpaasproduct-shortname} image has been previously link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_jboss_sso_for_openshift/#Example-Deploying-SSO[deployed using one of the following templates:]
This guide assumes the {xpaasproduct-shortname} image has been previously link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_single_sign-on_for_openshift/index#Example-Deploying-SSO[deployed using one of the following templates:]
* *_sso72-mysql_*
* *_sso72-mysql-persistent_*
@ -35,513 +43,7 @@ Use the xref:sso_server.adoc#sso-administrator-setup[credentials of the RH-SSO a
. Hover your cursor over the realm namespace (default is *Master*) at the top of the sidebar and click *Add Realm*.
. Enter a realm name (this example uses `demo`) and click *Create*.
[[copy-rsa-public-key]]
*Copy the Public Key*
In the newly created `demo` realm, click the *Keys* tab and copy the public key that has been generated.
[NOTE]
====
The RH-SSO 7.2 image generates three keys by default:
* RSA key,
* HMAC key, and
* AES key
To copy the public key information for the RH-SSO 7.2 image, click the *Public key* button of the *RSA* row of the keys table. Then select and copy the content of the pop-up window that appears.
====
The information about the public key is necessary xref:sso-public-key-details[later to deploy] the RH-SSO-enabled EAP 6.4 / 7.0 JSP application.
*Create RH-SSO Roles*
[NOTE]
====
The link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-jee-jaxrs[service-jee-jaxrs] quickstart exposes three endpoints by the service:
* `public` - Requires no authentication.
* `secured` - Can be invoked by users with the `user` role.
* `admin` - Can be invoked by users with the `admin` role.
====
Create `user` and `admin` roles in RH-SSO. These roles will be assigned to an RH-SSO application user to authenticate access to user applications.
. Click *Roles* in the *Configure* sidebar to list the roles for this realm.
+
[NOTE]
====
This is a new realm, so there should only be the default roles:
* `offline_access` and `uma_authorization` role for the RH-SSO 7.2 image.
====
. Click *Add Role*.
. Enter the role name (`user`) and click *Save*.
Repeat these steps for the `admin` role.
*Create the RH-SSO Realm Management User*
. Click *Users* in the *Manage* sidebar to view the user information for the realm.
. Click *Add User.*
. Enter a valid *Username* (this example uses the user `appuser`) and click *Save*.
. Edit the user configuration:
.. Click the *Credentials* tab in the user space and enter a password for the user (this example uses the password `apppassword`).
.. Ensure the *Temporary Password* option is set to *Off* so that it does not prompt for a password change later on, and click *Reset Password* to set the user password. A pop-up window prompts for additional confirmation.
===== Assign `user` RH-SSO Role to the Realm Management User
Perform the following steps to tie the previously created `appuser` with the `user` RH-SSO role:
. Click *Role Mappings* to list the realm and client role configuration. In *Available Roles*, select the `user` role created earlier, and click *Add selected>*.
. Click *Client Roles*, select *realm-management* entry from the list, select each record in the *Available Roles* list.
+
[NOTE]
====
You can select multiple items at once by holding the *Ctrl* key and simultaneously clicking the first `impersonation` entry. While keeping the *Ctrl* key and the left mouse button pressed, move to the end of the list to the `view-clients` entry and ensure each record is selected.
====
. Click *Add selected>* to assign the roles to the client.
===== Prepare RH-SSO Authentication for OpenShift Deployment of the EAP 6.4 / 7.0 JSP Application
. Create a new project for the EAP 6.4 / 7.0 JSP application.
+
[subs="verbatim,macros"]
----
$ oc new-project eap-app-demo
----
. Add the `view` role to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account. This enables the service account to view all the resources in the `eap-app-demo` namespace, which is necessary for managing the cluster.
+
[subs="verbatim,macros"]
----
$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default
----
. The EAP template requires an link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_jboss_sso_for_openshift/#Configuring-Keystores[SSL keystore and a JGroups keystore]. This example uses `keytool`, a package included with the Java Development Kit, to generate self-signed certificates for these keystores.
.. Generate a secure key for the SSL keystore (this example uses `password` as password for the keystore).
+
[subs="verbatim,macros"]
----
$ keytool -genkeypair \
-dname "CN=secure-eap-app-eap-app-demo.openshift.example.com" \
-alias https \
-storetype JKS \
-keystore eapkeystore.jks
----
.. Generate a secure key for the JGroups keystore (this example uses `password` as password for the keystore).
+
[subs="verbatim,macros"]
----
$ keytool -genseckey \
-alias jgroups \
-storetype JCEKS \
-keystore eapjgroups.jceks
----
.. Generate the EAP 6.4 / 7.0 for OpenShift secrets with the SSL and JGroup keystore files.
+
[subs="verbatim,macros"]
----
$ oc secret new eap-ssl-secret eapkeystore.jks
----
+
[subs="verbatim,macros"]
----
$ oc secret new eap-jgroup-secret eapjgroups.jceks
----
.. Add the EAP application secret to the link:https://docs.openshift.com/container-platform/latest/dev_guide/service_accounts.html#default-service-accounts-and-roles[`default`] service account.
+
[subs="verbatim,macros"]
----
$ oc secrets link default eap-ssl-secret eap-jgroup-secret
----
===== Deploy Binary Build of the EAP 6.4 / 7.0 JSP Application
. Clone the source code.
+
[subs="verbatim,macros"]
----
$ git clone https://github.com/keycloak/keycloak-quickstarts.git
----
. link:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/development_guide/#use_the_maven_repository[Configure] the link:https://access.redhat.com/maven-repository[Red Hat JBoss Middleware Maven repository].
. Build both the link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-jee-jaxrs[service-jee-jaxrs] and link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-jee-jsp[app-jee-jsp] applications.
.. Build the `service-jee-jaxrs` application.
+
[subs="verbatim,macros"]
----
$ cd keycloak-quickstarts/service-jee-jaxrs/
----
+
[subs="verbatim,macros"]
----
$ mvn clean package -DskipTests
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Keycloak Quickstart: service-jee-jaxrs 3.1.0.Final
[INFO] ------------------------------------------------------------------------
...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.153 s
[INFO] Finished at: 2017-06-26T12:06:12+02:00
[INFO] Final Memory: 25M/241M
[INFO] ------------------------------------------------------------------------
----
.. *Comment out* the `app-jee-jsp/config/keycloak.json` requirement of the `maven-enforcer-plugin` plugin and build the `app-jee-jsp` application.
+
[subs="verbatim,macros"]
+
----
service-jee-jaxrs]$ cd ../app-jee-jsp/
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ sed -i /\<executions\>/s/^/\<\!--/ pom.xml
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ sed -i '/\(<\/executions>\)/a\-->' pom.xml
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ mvn clean package -DskipTests
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Keycloak Quickstart: app-jee-jsp 3.1.0.Final
[INFO] ------------------------------------------------------------------------
...
[INFO] Building war: /tmp/github/keycloak-quickstarts/app-jee-jsp/target/app-jsp.war
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.018 s
[INFO] Finished at: 2017-06-26T12:22:25+02:00
[INFO] Final Memory: 35M/310M
[INFO] ------------------------------------------------------------------------
----
+
[IMPORTANT]
====
The link:https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-jee-jsp[app-jee-jsp] quickstart requires to configure the adapter, and adapter configuration file (`keycloak.json`) to be present at the `config/` directory in the root of the quickstart to successfully build the quickstart. But since this example configures the adapter later via selected environment variables available for the EAP 6.4 / 7.0 for OpenShift image, it is not necessary to specify the form of `keycloak.json` adapter configuration file at this moment.
====
[[directory-structure-binary-builds]]
[start=4]
. Prepare the directory structure on the local file system.
+
Application archives in the *deployments/* subdirectory of the main binary build directory are copied directly to the xref:standard-deployments-directory[standard deployments directory] of the image being built on OpenShift. For the application to deploy, the directory hierarchy containing the web application data must be correctly structured.
+
Create main directory for the binary build on the local file system and *deployments/* subdirectory within it. Copy the previously built WAR archives of both the *service-jee-jaxrs* and *app-jee-jsp* quickstarts to the *deployments/* subdirectory:
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ ls
config pom.xml README.md src target
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ mkdir -p sso-eap7-bin-demo/deployments
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ cp target/app-jsp.war sso-eap7-bin-demo/deployments/
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ cp ../service-jee-jaxrs/target/service.war sso-eap7-bin-demo/deployments/
----
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ tree sso-eap7-bin-demo/
sso-eap7-bin-demo/
|__ deployments
|__ app-jsp.war
|__ service.war
1 directory, 2 files
----
+
[[standard-deployments-directory]]
[NOTE]
====
Location of the standard deployments directory depends on the underlying base image that was used to deploy the application. See the following table:
.Standard Location of the Deployments Directory
[cols="2", options="header"]
|===
| Name of the Underlying Base Image(s) | Standard Location of the Deployments Directory
| EAP for OpenShift 6.4 and 7.0 | *_$JBOSS_HOME/standalone/deployments_*
| Java S2I for OpenShift | *_/deployments_*
| JWS for OpenShift | *_$JWS_HOME/webapps_*
|===
====
. Identify the image stream for EAP 6.4 / 7.0 image.
+
[subs="verbatim,macros"]
----
$ oc get is -n openshift | grep eap | cut -d ' ' -f 1
jboss-eap64-openshift
jboss-eap70-openshift
jboss-eap71-openshift
----
[[eap-new-binary-build]]
[start=6]
. Create new binary build, specifying image stream and application name.
+
[NOTE]
====
Replace `--image-stream=jboss-eap70-openshift` parameter with the `--image-stream=jboss-eap64-openshift` one in the following `oc` command to deploy the JSP application on top of JBoss EAP 6.4 for OpenShift image.
====
+
[subs="verbatim,macros"]
----
$ oc new-build --binary=true \
--image-stream=jboss-eap70-openshift \
--name=eap-app
--> Found image 31895a4 (3 months old) in image stream "openshift/jboss-eap70-openshift" under tag "latest" for "jboss-eap70-openshift"
JBoss EAP 7.0
-------------
Platform for building and running JavaEE applications on JBoss EAP 7.0
Tags: builder, javaee, eap, eap7
* A source build using binary input will be created
* The resulting image will be pushed to image stream "eap-app:latest"
* A binary build was created, use 'start-build --from-dir' to trigger a new build
--> Creating resources with label build=eap-app ...
imagestream "eap-app" created
buildconfig "eap-app" created
--> Success
----
. Start the binary build. Instruct `oc` executable to use main directory of the binary build we created xref:directory-structure-binary-builds[in previous step] as the directory containing binary input for the OpenShift build. In the working directory of *app-jee-jsp* issue the following command.
+
[subs="verbatim,macros"]
----
app-jee-jsp]$ oc start-build eap-app \
--from-dir=./sso-eap7-bin-demo/ \
--follow
Uploading directory "sso-eap7-bin-demo" as binary input for the build ...
build "eap-app-1" started
Receiving source from STDIN as archive ...
Copying all war artifacts from /home/jboss/source/. directory into /opt/eap/standalone/deployments for later deployment...
Copying all ear artifacts from /home/jboss/source/. directory into /opt/eap/standalone/deployments for later deployment...
Copying all rar artifacts from /home/jboss/source/. directory into /opt/eap/standalone/deployments for later deployment...
Copying all jar artifacts from /home/jboss/source/. directory into /opt/eap/standalone/deployments for later deployment...
Copying all war artifacts from /home/jboss/source/deployments directory into /opt/eap/standalone/deployments for later deployment...
'/home/jboss/source/deployments/app-jsp.war' -> '/opt/eap/standalone/deployments/app-jsp.war'
'/home/jboss/source/deployments/service.war' -> '/opt/eap/standalone/deployments/service.war'
Copying all ear artifacts from /home/jboss/source/deployments directory into /opt/eap/standalone/deployments for later deployment...
Copying all rar artifacts from /home/jboss/source/deployments directory into /opt/eap/standalone/deployments for later deployment...
Copying all jar artifacts from /home/jboss/source/deployments directory into /opt/eap/standalone/deployments for later deployment...
Pushing image 172.30.82.129:5000/eap-app-demo/eap-app:latest ...
Pushed 6/7 layers, 86% complete
Pushed 7/7 layers, 100% complete
Push successful
----
. Create a new OpenShift application based on the build.
+
[subs="verbatim,macros"]
----
$ oc new-app eap-app
--> Found image 6b13d36 (2 minutes old) in image stream "eap-app-demo/eap-app" under tag "latest" for "eap-app"
eap-app-demo/eap-app-1:aa2574d9
-------------------------------
Platform for building and running JavaEE applications on JBoss EAP 7.0
Tags: builder, javaee, eap, eap7
* This image will be deployed in deployment config "eap-app"
* Ports 8080/tcp, 8443/tcp, 8778/tcp will be load balanced by service "eap-app"
* Other containers can access this service through the hostname "eap-app"
--> Creating resources ...
deploymentconfig "eap-app" created
service "eap-app" created
--> Success
Run 'oc status' to view your app.
----
. Stop all running containers of the EAP 6.4 / 7.0 JSP application in the current namespace.
+
[subs="verbatim,macros"]
----
$ oc get dc -o name
deploymentconfig/eap-app
----
+
[subs="verbatim,macros"]
----
$ oc scale dc/eap-app --replicas=0
deploymentconfig "eap-app" scaled
----
. Further configure the EAP 6.4 / 7.0 JSP application prior the deployment.
[[sso-public-key-details]]
.. Configure the application with proper details about the RH-SSO server instance.
+
[WARNING]
====
Ensure to replace the value of *_SSO_PUBLIC_KEY_* variable below with the actual content of the RSA public key for the `demo` realm, that has been xref:copy-rsa-public-key[copied].
====
+
[subs="verbatim,macros"]
----
$ oc set env dc/eap-app \
-e HOSTNAME_HTTP="eap-app-eap-app-demo.openshift.example.com" \
-e HOSTNAME_HTTPS="secure-eap-app-eap-app-demo.openshift.example.com" \
-e SSO_DISABLE_SSL_CERTIFICATE_VALIDATION="true" \
-e SSO_USERNAME="appuser" \
-e SSO_PASSWORD="apppassword" \
-e SSO_REALM="demo" \
-e SSO_URL="https://secure-sso-sso-app-demo.openshift.example.com/auth" \
-e SSO_PUBLIC_KEY="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkdhXyKx97oIoO6HwnV/MiX2EHO55Sn+ydsPzbjJevI5F31UvUco9uA8dGl6oM8HrnaWWv+i8PvmlaRMhhl6Xs68vJTEc6d0soP+6A+aExw0coNRp2PDwvzsXVWPvPQg3+iytStxu3Icndx+gC0ZYnxoRqL7rY7zKcQBScGEr78Nw6vZDwfe6d/PQ6W4xVErNytX9KyLFVAE1VvhXALyqEM/EqYGLmpjw5bMGVKRXnhmVo9E88CkFDH8E+aPiApb/gFul1GJOv+G8ySLoR1c8Y3L29F7C81odkVBp2yMm3RVFIGSPTjHqjO/nOtqYIfY4Wyw9mRIoY5SyW7044dZXRwIDAQAB" \
-e SSO_SECRET="0bb8c399-2501-4fcd-a183-68ac5132868d"
deploymentconfig "eap-app" updated
----
.. Configure the application with details about both the SSL and JGroups keystore.
+
[subs="verbatim,macros"]
----
$ oc set env dc/eap-app \
-e HTTPS_KEYSTORE_DIR="/etc/eap-secret-volume" \
-e HTTPS_KEYSTORE="eapkeystore.jks" \
-e HTTPS_PASSWORD="password" \
-e JGROUPS_ENCRYPT_SECRET="eap-jgroup-secret" \
-e JGROUPS_ENCRYPT_KEYSTORE_DIR="/etc/jgroups-encrypt-secret-volume" \
-e JGROUPS_ENCRYPT_KEYSTORE="eapjgroups.jceks" \
-e JGROUPS_ENCRYPT_PASSWORD="password"
deploymentconfig "eap-app" updated
----
.. Define OpenShift volumes for both the SSL and JGroups secrets created earlier.
+
[subs="verbatim,macros"]
----
$ oc volume dc/eap-app --add \
--name="eap-keystore-volume" \
--type=secret \
--secret-name="eap-ssl-secret" \
--mount-path="/etc/eap-secret-volume"
deploymentconfig "eap-app" updated
----
+
[subs="verbatim,macros"]
----
$ oc volume dc/eap-app --add \
--name="eap-jgroups-keystore-volume" \
--type=secret \
--secret-name="eap-jgroup-secret" \
--mount-path="/etc/jgroups-encrypt-secret-volume"
deploymentconfig "eap-app" updated
----
.. Configure the deployment config of the application to run application pods under the `default` OpenShift service account (default setting).
+
[subs="verbatim,macros"]
----
$ oc patch dc/eap-app --type=json \
-p '[{"op": "add", "path": "/spec/template/spec/serviceAccountName", "value": "default"}]'
"eap-app" patched
----
. Deploy container of the EAP 6.4 / 7.0 JSP application using the modified deployment config.
+
[subs="verbatim,macros"]
----
$ oc scale dc/eap-app --replicas=1
deploymentconfig "eap-app" scaled
----
. Expose the service as route.
+
[subs="verbatim,macros"]
----
$ oc get svc -o name
service/eap-app
----
+
[subs="verbatim,macros"]
----
$ oc get route
No resources found.
----
+
[subs="verbatim,macros"]
----
$ oc expose svc/eap-app
route "eap-app" exposed
----
+
[subs="verbatim,macros"]
----
$ oc get route
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
eap-app eap-app-eap-app-demo.openshift.example.com eap-app 8080-tcp None
----
===== Access the Application
Access the application in your browser using the URL *\http://eap-app-eap-app-demo.openshift.example.com/app-jsp*. You should see output similar to what you see in the following image:
[.text-center]
image:../images/sso_app_jee_jsp.svg[RH-SSO Example JSP Application]
Perform the following to test the application:
* Click the *INVOKE PUBLIC* button to access the `public` endpoint that doesn't require authentication.
+
You should see the *Message: public* output.
* Click the *LOGIN* button to be redirected for user authentication to the RH-SSO server instance against the `demo` realm.
+
Specify username and password of the RH-SSO user configured earlier (`appuser` / `apppassword`). Click *Log in*. The look of the application changes as shown in the following image:
+
[.text-center]
image:../images/sso_app_jee_jsp_logged_in.svg[RH-SSO Example JSP Application - After User Log-in]
* Click the *INVOKE SECURED* button to access the `secured` endpoint.
+
You should see the *Message: secured* output.
* Click the *INVOKE ADMIN* button to access the `admin` endpoint.
+
You should see *403 Forbidden* output.
+
[NOTE]
====
To invoke properly, the `admin` endpoint requires users with the `admin` RH-SSO role. Access for the `appuser` is forbidden because they only have the `user` role privilege, which allows them to access the `secured` endpoint.
====
+
Perform the following steps to add the `appuser` to the `admin` RH-SSO role:
+
. Access the administration console of the RH-SSO server's instance.
+
*\https://secure-sso-sso-app-demo.openshift.example.com/auth/admin*.
+
Use the xref:sso_server.adoc#sso-administrator-setup[credentials of the RH-SSO administrator user].
. Click *Users* in the *Manage* sidebar to view the user information for the `demo` realm.
. Click *View all users* button.
. Click the ID link for the *appuser* or alternatively click the *Edit* button in the *Actions* column.
. Click the *Role Mappings* tab.
. Select `admin` entry from the *Available Roles* list in the *Realm Roles* row.
. Click *Add selected>* button to add the `admin` role to the user.
. Return to EAP 6.4 / 7.0 JSP service application.
+
*\http://eap-app-eap-app-demo.openshift.example.com/app-jsp*.
. Click the *LOGOUT* button to reload role mappings for the `appuser`.
. Click the *LOGIN* button again and provider `appuser` credentials.
. Click the *INVOKE ADMIN* button again.
+
You should see the *Message: admin* output already.
[[upgrading-sso-db-from-70-to-71]]
=== Example Workflow: Updating Existing Database when Migrating {xpaasproduct-shortname} Image to a new version
@ -561,7 +63,7 @@ By default the database is automatically migrated when you start RH-SSO 7.2 for
[[automatic-db-migration]]
==== Automatic Database Migration
This process assumes that you are running RH-SSO 7.1 image link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_jboss_sso_for_openshift/#Example-Deploying-SSO[deployed using one of the following templates]:
This process assumes that you are running RH-SSO 7.1 image link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_single_sign-on_for_openshift/index#Example-Deploying-SSO[deployed using one of the following templates]:
* *_sso71-mysql_*
* *_sso71-postgresql_*
@ -638,7 +140,7 @@ See link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.
The database migration process handles the data schema update and performs manipulation of the data, therefore, stop all RH-SSO 7.1 instances before dynamic generation of the SQL migration file.
====
This guide assumes the RH-SSO 7.1 for OpenShift image has been previously link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_jboss_sso_for_openshift/#Example-Deploying-SSO[deployed using one of the following templates:]
This guide assumes the RH-SSO 7.1 for OpenShift image has been previously link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_single_sign-on_for_openshift/index#Example-Deploying-SSO[deployed using one of the following templates:]
* *_sso71-mysql_*
* *_sso71-postgresql_*
@ -699,7 +201,7 @@ Use the following script to copy `DB_SERVICE_PREFIX_MAPPING` and `TX_DATABASE_PR
+
[NOTE]
====
Although the `DB_SERVICE_PREFIX_MAPPING` environment variable allows a link:https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_jboss_enterprise_application_platform_for_openshift/#datasources[comma-separated list of *<name>-<database_type>=<PREFIX>* triplets] as its value, this example script accepts only one datasource triplet definition for demonstration purposes. You can modify the script for handling multiple datasource definition triplets.
Although the `DB_SERVICE_PREFIX_MAPPING` environment variable allows a link:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/red_hat_jboss_enterprise_application_platform_for_openshift/#datasources[comma-separated list of *<name>-<database_type>=<PREFIX>* triplets] as its value, this example script accepts only one datasource triplet definition for demonstration purposes. You can modify the script for handling multiple datasource definition triplets.
====
+
----
@ -1140,7 +642,7 @@ When importing objects from a non-master realm to `master` realm or vice versa,
[[realm-import-error-message]]
[.text-center]
image:../images/import_realm_error.svg[Example of Possible Error Message when Performing Partial Import from Previously Exported JSON File]
image:images/import_realm_error.png[Example of Possible Error Message when Performing Partial Import from Previously Exported JSON File]
In such cases, it is necessary first to create the missing clients, having the *Access Type* set to *bearer-only*. These clients can be created by manual copy of their characteristics from the source RH-SSO server, on which the export JSON file was created, to the target RH-SSO server, where the JSON file is imported. After creation of the necessary clients, click the *Import* button again.
@ -1161,7 +663,7 @@ The administration console import allows you to *overwrite* resources if you cho
=== Example Workflow: Configuring OpenShift to use RH-SSO for Authentication
Configure OpenShift to use the RH-SSO deployment as the authorization gateway for OpenShift. This follows on from xref:Example-Deploying-SSO[Example Workflow: Preparing and Deploying the {xpaasproduct-shortname} image], in which RH-SSO was deployed on OpenShift.
This example adds RH-SSO as an authentication method alongside the HTPasswd method configured in the https://access.redhat.com/documentation/en/red-hat-application-services/0/openshift-primer/#understand_roles_and_authentication[OpenShift Primer]. Once configured, both methods will be available for user login to your OpenShift web console.
This example adds RH-SSO as an authentication method alongside the HTPasswd method configured in the https://access.redhat.com/documentation/en/red-hat-xpaas/0/single/openshift-primer/#understand_roles_and_authentication[OpenShift Primer]. Once configured, both methods will be available for user login to your OpenShift web console.
==== Configuring RH-SSO Credentials
Log in to the encrypted RH-SSO web server at *$$https://secure-sso-$$_sso-app-demo_._openshift32.example.com_/auth/admin* using the xref:../advanced_concepts/advanced_concepts.adoc#sso-administrator-setup[administrator account] created during the RH-SSO deployment.
@ -1510,7 +1012,7 @@ Export the SAML Keys:
Download the Client Adapter:
. Click *Installation*.
. Use the *Format Option* drop-down menu to select a format. This example uses *Keycloak SAML WildFly/JBoss Subsystem*.
. Use the *Format Option* drop-down menu to select a format. This example uses *Keycloak SAML Wildfly/JBoss Subsystem*.
. Click *Download* and save the file *keycloak-saml-subsystem.xml*.
The *keystore-saml.jks* will be used with the other EAP keystores in the next section to create an OpenShift secret for the EAP application project. Copy the *keystore-saml.jks* file to an OpenShift node. +
@ -1583,7 +1085,7 @@ The *keycloak-saml-subsystem.xml*, exported from the RH-SSO client in a previous
+
The mount path of the *keystore-saml.jks* (in this example *_/etc/eap-secret-volume/keystore-saml.jks_*) can be specified in the application template with the parameter *EAP_HTTPS_KEYSTORE_DIR*. +
The aliases and passwords for the *PrivateKey* and the *Certificate* were configured when the SAML Keys were exported from the RH-SSO client.
. Delete the second *<CertificatePem>* tag and key and replace it with the realm certificate information:
. Delete the second *<CertificatePem>* tag and key and replace it with the the realm certificate information:
+
----
...

3
pom.xml
View file

@ -37,6 +37,7 @@
<module>server_development</module>
<module>server_installation</module>
<module>upgrading</module>
<module>openshift</module>
<module>aggregation</module>
<module>tests</module>
</modules>
@ -205,4 +206,4 @@
</plugins>
</pluginManagement>
</build>
</project>
</project>

10
tests/src/test/java/org/keycloak/documentation/test/OpenShiftTest.java Normal file
View file

@ -0,0 +1,10 @@
package org.keycloak.documentation.test;
public class OpenShiftTest extends AbstractDocsTest {
@Override
public String getGuideDirName() {
return "openshift";
}
}

2
tests/src/test/java/org/keycloak/documentation/test/utils/HttpUtils.java
View file

@ -36,7 +36,7 @@ public class HttpUtils {
response.setContent(w.toString());
}
response.setSuccess(true);
} else if (status == 302) {
} else if (status == 301 || status == 302) {
String location = URLDecoder.decode(connection.getHeaderField("Location"), "utf-8");
response.setRedirectLocation(location);
response.setSuccess(false);

4
tests/src/test/resources/ignored-link-redirects
View file

@ -7,4 +7,6 @@ https://apps.dev.microsoft.com/?mkt=en-us&deeplink=/appList/create/sapi&referrer
/wiki/spaces/ops4j/pages/5046841/Pax Web Extender - War
/wiki/spaces/ops4j/pages/5046828/Pax Web Extender - Whiteboard
/wiki/spaces/ops4j/pages/5046828/Pax Web Extender - Whiteboard
https://nodejs.org/en/
https://nodejs.org/en/
http://docs.openshift.com/container-platform/*
https://access.redhat.com/documentation/en/red-hat-jboss-middleware-for-openshift/3/single/openshift-primer/

4
tests/src/test/resources/ignored-links
View file

@ -14,4 +14,6 @@ http://node12:8080*
http://node21:8080*
http://node22:8080*
http://web.example.com*
https://github.com/keycloak/keycloak-documentation/blob/master/*
https://github.com/keycloak/keycloak-documentation/blob/master/*
https://openshift.example.com:8443/console
https://github.com/keycloak/keycloak-quickstarts.git

4
topics/templates/document-attributes-product.adoc
View file

@ -31,6 +31,9 @@
:developerguide_actiontoken_link: {developerguide_link}#_action_token_spi
:gettingstarted_name: Getting Started Guide
:gettingstarted_link: {project_doc_base_url}/getting_started_guide/
:xpaasproduct: Red Hat Single Sign-On for OpenShift
:xpaasproduct_link: {project_doc_base_url}/openshift/
:xpaasproduct-shortname: RH-SSO for OpenShift
:upgradingguide_name: Upgrading Guide
:upgradingguide_link: {project_doc_base_url}/upgrading_guide/
:installguide_name: Server Installation and Configuration Guide
@ -79,6 +82,7 @@
:appserver_managementcli_link: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/configuration_guide/#management_cli_overview
:appserver_managementconsole_link: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/configuration_guide/#management_console_overview
:jdgserver_name: JDG
:jdgserver_version: 7.1.0