keycloak-scim/securing_apps/topics/oidc/java/fuse/hawtio.adoc
2018-02-08 23:30:35 +01:00

125 lines
5.5 KiB
Text

[[_hawtio]]
===== Securing the Hawtio Administration Console
To secure the Hawtio Administration Console with {project_name}, complete the following steps:
. Add these properties to the `$FUSE_HOME/etc/system.properties` file:
+
[source]
----
hawtio.keycloakEnabled=true
hawtio.realm=keycloak
hawtio.keycloakClientConfig=file://${karaf.base}/etc/keycloak-hawtio-client.json
hawtio.rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal,org.apache.karaf.jaas.boot.principal.RolePrincipal
----
. Create a client in the {project_name} administration console in your realm. For example, in the {project_name} `demo` realm, create a client `hawtio-client`, specify `public` as the Access Type, and specify a redirect URI pointing to Hawtio: \http://localhost:8181/hawtio/*. You must also have a corresponding Web Origin configured (in this case, \http://localhost:8181).
. Create the `keycloak-hawtio-client.json` file in the `$FUSE_HOME/etc` directory using content similar to that shown in the example below. Change the `realm`, `resource`, and `auth-server-url` properties according to your {project_name} environment. The `resource` property must point to the client created in the previous step. This file is used by the client (Hawtio Javascript application) side.
+
[source,json]
----
{
"realm" : "demo",
"resource" : "hawtio-client",
"auth-server-url" : "http://localhost:8080/auth",
"ssl-required" : "external",
"public-client" : true
}
----
. Create the `keycloak-hawtio.json` file in the `$FUSE_HOME/etc` dicrectory using content similar to that shown in the example below. Change the `realm` and `auth-server-url` properties according to your {project_name} environment. This file is used by the adapters on the server (JAAS Login module) side.
+
[source,json]
----
{
"realm" : "demo",
"resource" : "jaas",
"bearer-only" : true,
"auth-server-url" : "http://localhost:8080/auth",
"ssl-required" : "external",
"use-resource-role-mappings": false,
"principal-attribute": "preferred_username"
}
----
. Start {fuseVersion} and install the keycloak feature if you have not already done so. The commands in Karaf terminal are similar to this example:
+
[source, subs="attributes"]
----
features:addurl mvn:org.keycloak/keycloak-osgi-features/{project_versionMvn}/xml/features
features:install keycloak
----
. Go to http://localhost:8181/hawtio and log in as a user from your {project_name} realm.
+
Note that the user needs to have the proper realm role to successfully authenticate to Hawtio. The available roles are configured in the `$FUSE_HOME/etc/system.properties` file in `hawtio.roles`.
====== Securing Hawtio on {fuseHawtioEAPVersion}
To run Hawtio on the {fuseHawtioEAPVersion} server, complete the following steps:
. Set up {project_name} as described in the previous section, Securing the Hawtio Administration Console. It is assumed that:
* you have a {project_name} realm `demo` and client `hawtio-client`
* your {project_name} is running on `localhost:8080`
* the {fuseHawtioEAPVersion} server with deployed Hawtio will be running on `localhost:8181`. The directory with this server is referred in next steps as `$EAP_HOME`.
. Copy the `{fuseHawtioWARVersion}` archive to the `$EAP_HOME/standalone/configuration` directory. For more details about deploying Hawtio see the https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html-single/deploying_into_a_web_server/[Fuse Hawtio documentation].
. Copy the `keycloak-hawtio.json` and `keycloak-hawtio-client.json` files with the above content to the `$EAP_HOME/standalone/configuration` directory.
. Install the {project_name} adapter subsystem to your {fuseHawtioEAPVersion} server as described in the <<_jboss_adapter,JBoss adapter documentation>>.
. In the `$EAP_HOME/standalone/configuration/standalone.xml` file configure the system properties as in this example:
+
[source,xml,options="nowrap",subs="attributes+"]
----
<extensions>
...
</extensions>
<system-properties>
<property name="hawtio.authenticationEnabled" value="true" />
<property name="hawtio.realm" value="hawtio" />
<property name="hawtio.roles" value="admin,viewer" />
<property name="hawtio.rolePrincipalClasses" value="org.keycloak.adapters.jaas.RolePrincipal" />
<property name="hawtio.keycloakEnabled" value="true" />
<property name="hawtio.keycloakClientConfig" value="${jboss.server.config.dir}/keycloak-hawtio-client.json" />
<property name="hawtio.keycloakServerConfig" value="${jboss.server.config.dir}/keycloak-hawtio.json" />
</system-properties>
----
. Add the Hawtio realm to the same file in the `security-domains` section:
+
[source,xml,options="nowrap",subs="attributes+"]
----
<security-domain name="hawtio" cache-type="default">
<authentication>
<login-module code="org.keycloak.adapters.jaas.BearerTokenLoginModule" flag="required">
<module-option name="keycloak-config-file" value="${hawtio.keycloakServerConfig}"/>
</login-module>
</authentication>
</security-domain>
----
. Add the `secure-deployment` section `hawtio` to the adapter subsystem. This ensures that the Hawtio WAR is able to find the JAAS login module classes.
+
[source,xml,options="nowrap",subs="attributes+"]
----
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="{fuseHawtioWARVersion}" />
</subsystem>
----
. Restart the {fuseHawtioEAPVersion} server with Hawtio:
+
[source,bash]
----
cd $EAP_HOME/bin
./standalone.sh -Djboss.socket.binding.port-offset=101
----
. Access Hawtio at http://localhost:8181/hawtio. It is secured by {project_name}.