122 lines
5.2 KiB
Text
122 lines
5.2 KiB
Text
|
|
[[_hawtio]]
|
|
===== Securing the Hawtio Administration Console
|
|
|
|
To secure the Hawtio Administration Console with {{book.project.name}}, complete the following steps:
|
|
|
|
. Add these properties to the `$FUSE_HOME/etc/system.properties` file:
|
|
+
|
|
[source]
|
|
----
|
|
hawtio.keycloakEnabled=true
|
|
hawtio.realm=keycloak
|
|
hawtio.keycloakClientConfig=${karaf.base}/etc/keycloak-hawtio-client.json
|
|
hawtio.rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal,org.apache.karaf.jaas.boot.principal.RolePrincipal
|
|
----
|
|
|
|
. Create a client in the {{book.project.name}} administration console in your realm. For example, in the {{book.project.name}} `demo` realm, create a client `hawtio-client`, specify `public` as the Access Type, and specify a redirect URI pointing to Hawtio: \http://localhost:8181/hawtio/*. You must also have a corresponding Web Origin configured (in this case, \http://localhost:8181).
|
|
|
|
. Create the `keycloak-hawtio-client.json` file in the `$FUSE_HOME/etc` directory using the similar content as below. Change the `realm`, `resource`, and `auth-server-url` properties according to your {{book.project.name}} environment. The `resource` property must point to the client created in the previous step. This file is used by the client (Hawtio Javascript application) side.
|
|
+
|
|
[source,json]
|
|
----
|
|
{
|
|
"realm" : "demo",
|
|
"resource" : "hawtio-client",
|
|
"auth-server-url" : "http://localhost:8080/auth",
|
|
"ssl-required" : "external",
|
|
"public-client" : true
|
|
}
|
|
----
|
|
|
|
. Create the `keycloak-hawtio.json` file in the `$FUSE_HOME/etc` dicrectory using similar content as below. Change the `realm` and `auth-server-url` properties according to your {{book.project.name}} environment. This file is used by the adapters on the server (JAAS Login module) side.
|
|
+
|
|
[source,json]
|
|
----
|
|
{
|
|
"realm" : "demo",
|
|
"resource" : "jaas",
|
|
"bearer-only" : true,
|
|
"auth-server-url" : "http://localhost:8080/auth",
|
|
"ssl-required" : "external",
|
|
"use-resource-role-mappings": false,
|
|
"principal-attribute": "preferred_username"
|
|
}
|
|
----
|
|
|
|
. Start {{book.fuseVersion}} and install the keycloak feature if you have not already. The commands in Karaf terminal are similar to this example:
|
|
+
|
|
[source, subs="attributes"]
|
|
----
|
|
features:addurl mvn:org.keycloak/keycloak-osgi-features/{{book.project.versionMvn}}/xml/features
|
|
features:install keycloak
|
|
----
|
|
|
|
. Go to http://localhost:8181/hawtio and log in as a user from your {{book.project.name}} realm.
|
|
+
|
|
Note that the user needs to have the proper realm role to successfully authenticate to Hawtio. The available roles are configured in the `$FUSE_HOME/etc/system.properties` file in `hawtio.roles`.
|
|
|
|
====== Securing Hawtio on EAP
|
|
|
|
To run Hawtio on the Wildfly 10 server, complete the following steps:
|
|
|
|
. Set up {{book.project.name}} as in the Securing the Hawtio Administration Console section above. The following assumptions apply: you have a {{book.project.name}} realm `demo` and client `hawtio-client`, and your {{book.project.name}} is running on `localhost:8080` while the Wildfly server with deployed Hawtio will be running on `localhost:8181`.
|
|
|
|
. Copy the `hawtio.war` archive to the `$EAP_HOME/standalone/configuration` directory. For more details about deploying Hawtio see the Fuse Hawtio documentation.
|
|
|
|
. Copy the `keycloak-hawtio.json` and `keycloak-hawtio-client.json` files with the above content to the `$EAP_HOME/standalone/configuration` directory.
|
|
|
|
. Install the {{book.project.name}} adapter subsystem to your Wildfly server as described in the <<fake/../../jboss-adapter.adoc#_jboss_adapter,JBoss adapter documentation>>
|
|
|
|
. In the `$EAP_HOME/standalone/configuration/standalone.xml` file configure the system properties as in this example:
|
|
+
|
|
[source,xml]
|
|
----
|
|
<extensions>
|
|
...
|
|
</extensions>
|
|
|
|
<system-properties>
|
|
<property name="hawtio.authenticationEnabled" value="true" />
|
|
<property name="hawtio.realm" value="hawtio" />
|
|
<property name="hawtio.roles" value="admin,viewer" />
|
|
<property name="hawtio.rolePrincipalClasses" value="org.keycloak.adapters.jaas.RolePrincipal" />
|
|
<property name="hawtio.keycloakEnabled" value="true" />
|
|
<property name="hawtio.keycloakClientConfig" value="${jboss.server.config.dir}/keycloak-hawtio-client.json" />
|
|
<property name="hawtio.keycloakServerConfig" value="${jboss.server.config.dir}/keycloak-hawtio.json" />
|
|
</system-properties>
|
|
----
|
|
|
|
. Add the Hawtio realm to the same file in the `security-domains` section:
|
|
+
|
|
[source,xml]
|
|
----
|
|
<security-domain name="hawtio" cache-type="default">
|
|
<authentication>
|
|
<login-module code="org.keycloak.adapters.jaas.BearerTokenLoginModule" flag="required">
|
|
<module-option name="keycloak-config-file" value="${hawtio.keycloakServerConfig}"/>
|
|
</login-module>
|
|
</authentication>
|
|
</security-domain>
|
|
----
|
|
|
|
. Add the `secure-deployment` section `hawtio` to the adapter subsystem. This ensures that the Hawtio WAR is able to find the JAAS login module classes.
|
|
|
|
+
|
|
[source,xml]
|
|
----
|
|
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
|
|
<secure-deployment name="hawtio.war" />
|
|
</subsystem>
|
|
----
|
|
|
|
. Restart the Wildfly server with Hawtio:
|
|
+
|
|
[source,xml]
|
|
----
|
|
cd $EAP_HOME/bin
|
|
./standalone.sh -Djboss.socket.binding.port-offset=101
|
|
----
|
|
|
|
. Access Hawtio at http://localhost:8181/hawtio. It is secured by {{book.project.name}}.
|
|
|