[[_fuse_adapter_admin]]
===== Secure Fuse Admin Services

====== SSH authentication to Fuse terminal

{{book.project.name}} mainly addresses use cases for authentication of web applications. However, if your other web services and applications are protected
with {{book.project.name}}, it may be good to protect non-web admin services like SSH with {{book.project.name}} credentials too. This is possible
by using a JAAS login module, which connects remotely to {{book.project.name}} and verifies credentials based on the
<<fake/../../../oidc-generic.adoc#_resource_owner_password_credentials_flow,Resource Owner Password Credentials>> flow.

Example steps to enable SSH authentication:

* In {{book.project.name}} you need to create a client (assume it's called `ssh-jmx-admin-client`), which will be used for SSH authentication.
This client needs to have the switch `Direct Access Grants Enabled` set to `On`.

* You need to update/specify this property in the file `$FUSE_HOME/etc/org.apache.karaf.shell.cfg`:

[source]
----
sshRealm=keycloak
----

* Add the file `$FUSE_HOME/etc/keycloak-direct-access.json` with content similar to this (change it based on your environment and {{book.project.name}} client settings):

[source,json]
----
{
    "realm": "demo",
    "resource": "ssh-jmx-admin-client",
    "ssl-required" : "external",
    "auth-server-url" : "http://localhost:8080/auth",
    "credentials": {
        "secret": "password"
    }
}
----
This file contains the configuration of the client application, which is used by the JAAS `DirectAccessGrantsLoginModule` from the `keycloak` JAAS realm for SSH authentication.

* Start Fuse and install the `keycloak` JAAS realm into Fuse. This is done easily by installing the `keycloak-jaas` feature, which has the JAAS realm predefined
(you can override it by using your own `keycloak` JAAS realm with a higher ranking; see the JBoss Fuse documentation for more details). Use these commands in the Fuse terminal:

[source, subs="attributes"]
----
features:addurl mvn:org.keycloak/keycloak-osgi-features/{{book.project.versionMvn}}/xml/features
features:install keycloak-jaas
----

* Now type this from your terminal to log in via SSH as the `admin` user:

[source]
----
ssh -o PubkeyAuthentication=no -p 8101 admin@localhost
----

and log in with the password `password`.

NOTE: On some newer operating systems, you may also need to pass the SSH option `-o HostKeyAlgorithms=+ssh-dss`, because newer SSH clients
don't allow the `ssh-dss` algorithm by default, but it is currently the default host key algorithm in {{book.fuseVersion}}.

Note that your user needs the realm role `admin` to be able to do everything, or some other role to be able to do just a subset of operations
(e.g. the role `viewer` to be able to run only read-only Karaf commands). The available roles are configured in `$FUSE_HOME/etc/org.apache.karaf.shell.cfg` or `$FUSE_HOME/etc/system.properties`.

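
As an added illustration (not Keycloak's or Fuse's own code), the following Python script models what the `keycloak` JAAS realm's login module does with `keycloak-direct-access.json`: it derives the realm token endpoint, checks the `ssl-required` policy against the `auth-server-url`, builds the Resource Owner Password Credentials request for one login attempt, and maps the `realm_access.roles` of the returned access token onto the Karaf roles `admin` and `viewer`. The same module and file back the JMX realm described in the next section. The function names, the private-host interpretation of `ssl-required: external`, and the sample token are assumptions constructed for this example; verification of the token signature (which the real module performs with the realm key) is left out.

```python
"""Model of the checks behind keycloak-direct-access.json (added example,
not Keycloak or Fuse code; names and the sample token are constructed)."""
import base64
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample mirroring the keycloak-direct-access.json on the page.
SAMPLE_CONFIG = {
    "realm": "demo",
    "resource": "ssh-jmx-admin-client",
    "ssl-required": "external",
    "auth-server-url": "http://localhost:8080/auth",
    "credentials": {"secret": "password"},
}

# Karaf roles named on the page: admin does everything, viewer is read-only.
KARAF_ROLES = {"admin", "viewer"}


def token_endpoint(config):
    """Keycloak OpenID Connect token endpoint for the configured realm."""
    base = config["auth-server-url"].rstrip("/")
    return "%s/realms/%s/protocol/openid-connect/token" % (base, config["realm"])


def is_private_host(host):
    """Loopback and RFC 1918 hosts count as 'internal' for ssl-required=external.
    Assumption: no DNS lookup, so any hostname other than localhost is external."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private


def ssl_policy_allows(config):
    """none: any scheme; external: plain http only to private hosts; all: https only."""
    url = urlsplit(config["auth-server-url"])
    policy = config.get("ssl-required", "external")
    if url.scheme == "https" or policy == "none":
        return True
    if policy == "external":
        return is_private_host(url.hostname or "")
    return False


def build_password_grant(config, username, password):
    """Form body of the password-grant request sent for an SSH/JMX login attempt.
    Refuses to send the user's password over a URL the ssl policy forbids."""
    if not ssl_policy_allows(config):
        raise ValueError("ssl-required=%s forbids %s"
                         % (config.get("ssl-required"), config["auth-server-url"]))
    return {
        "grant_type": "password",
        "client_id": config["resource"],
        "client_secret": config["credentials"]["secret"],
        "username": username,
        "password": password,
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def realm_roles(access_token, config):
    """Realm roles from the token payload, after checking that the issuer is the
    configured realm and the token was issued to our client (azp).
    Signature verification is out of scope in this model."""
    _header, payload, _sig = access_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    expected_iss = config["auth-server-url"].rstrip("/") + "/realms/" + config["realm"]
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    if claims.get("azp") != config["resource"]:
        raise ValueError("token not issued to client %s" % config["resource"])
    return set(claims.get("realm_access", {}).get("roles", []))


def karaf_roles_for(access_token, config):
    """Only the realm roles Karaf knows about decide what the shell user may do."""
    return realm_roles(access_token, config) & KARAF_ROLES


def make_unsigned_token(claims):
    """Constructed test token: JWT header and payload with a dummy signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".dummysig"


if __name__ == "__main__":
    print(token_endpoint(SAMPLE_CONFIG))
    sample = make_unsigned_token({"iss": "http://localhost:8080/auth/realms/demo",
                                  "azp": "ssh-jmx-admin-client",
                                  "realm_access": {"roles": ["admin", "offline_access"]}})
    print(sorted(karaf_roles_for(sample, SAMPLE_CONFIG)))
```

The `ssl-required` check is the practical takeaway: the page's sample works with a plain `http://localhost` URL only because `external` exempts internal addresses; pointing the same file at a remote server over http would send every SSH or JMX login password in clear text, which the check refuses.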

====== JMX authentication

This may be needed if you really want to use jconsole or another external tool to connect remotely to JMX through RMI. Otherwise it may
be better to just use hawt.io/jolokia, as the jolokia agent is installed in hawt.io by default. See the <<fake/../hawtio.adoc#_hawtio,Hawtio Admin Console>> section for more details.

* In the file `$FUSE_HOME/etc/org.apache.karaf.management.cfg` change this property:

[source]
----
jmxRealm=keycloak
----

* You need the `keycloak-jaas` feature and the file `$FUSE_HOME/etc/keycloak-direct-access.json` as described in the SSH section above.

* In jconsole you can fill in a URL like:

[source]
----
service:jmx:rmi://localhost:44444/jndi/rmi://localhost:1099/karaf-root
----

and the credentials `admin`/`password` (based on a user with admin privileges according to your environment).