[[_fuse_adapter_admin]]
===== Securing Fuse Administration Services

====== Using SSH Authentication to Fuse Terminal

{{book.project.name}} mainly addresses use cases for authentication of web applications; however, if your other web services and applications are protected
with {{book.project.name}}, protecting non-web administration services such as SSH with {{book.project.name}} credentials is a best practice. You can do this using the JAAS login module, which connects to {{book.project.name}} and verifies the username and password entered at the SSH prompt with the
<<fake/../../../oidc-generic.adoc#_resource_owner_password_credentials_flow,Resource Owner Password Credentials>> grant. Because the module forwards the user's password to {{book.project.name}}, the Fuse host has to be trusted with those credentials, and the connection to the {{book.project.name}} server should use HTTPS whenever the server is not local.

To enable SSH authentication, complete the following steps:

. In {{book.project.name}} create a client (for example, `ssh-jmx-admin-client`), which will be used for SSH authentication.
This client needs to have `Direct Access Grants Enabled` set to `On`; that switch is what allows the Resource Owner Password Credentials grant for the client.

. Update or specify this property in the `$FUSE_HOME/etc/org.apache.karaf.shell.cfg` file:
+
[source]
----
sshRealm=keycloak
----

. Add the `$FUSE_HOME/etc/keycloak-direct-access.json` file with content similar to the following (adjusted to your environment and {{book.project.name}} client settings):
+
[source,json]
----
{
    "realm": "demo",
    "resource": "ssh-jmx-admin-client",
    "ssl-required" : "external",
    "auth-server-url" : "http://localhost:8080/auth",
    "credentials": {
        "secret": "password"
    }
}
----
+
This file specifies the client application configuration, which is used by the JAAS `DirectAccessGrantsLoginModule` from the `keycloak` JAAS realm for SSH authentication. The `secret` value is a placeholder; use the secret generated for the client in the {{book.project.name}} admin console, and restrict the file's permissions, because anyone who can read it can authenticate as that client.

. Start Fuse and install the `keycloak` JAAS realm into Fuse. The easiest way is to install the `keycloak-jaas` feature, which has the JAAS realm predefined; you can override it with your own `keycloak` JAAS realm that has a higher ranking. For details see the JBoss Fuse documentation.
+
Use these commands in the Fuse terminal:
+
[source, subs="attributes"]
----
features:addurl mvn:org.keycloak/keycloak-osgi-features/{{book.project.versionMvn}}/xml/features
features:install keycloak-jaas
----

. Log in using SSH as the `admin` user by typing the following in the terminal:
+
[source]
----
ssh -o PubkeyAuthentication=no -p 8101 admin@localhost
----

. When prompted, enter the password `password` (the {{book.project.name}} password of the `admin` user in the realm you configured).

NOTE: On some later operating systems, you might also need to add the option `-o HostKeyAlgorithms=+ssh-dss` to the SSH command, because OpenSSH clients from version 7.0 onward disable the `ssh-dss` (DSA) host key algorithm by default, while it is currently used by default in {{book.fuseVersion}}. Re-enabling it for this host only restores compatibility; it does not make the DSA host key any stronger.

Note that the user needs to have the realm role `admin` to perform all operations, or another role to perform a subset of operations (for example, the `viewer` role to run only read-only Karaf commands). The available roles are configured in `$FUSE_HOME/etc/org.apache.karaf.shell.cfg` or `$FUSE_HOME/etc/system.properties`.

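What the `keycloak` JAAS realm does behind the SSH prompt, as an added example that is not part of the original page or of the Keycloak adapter code: it reads a `keycloak-direct-access.json` of the shape shown above, derives the realm's OpenID Connect token endpoint from `auth-server-url`, builds the Resource Owner Password Credentials request that the `DirectAccessGrantsLoginModule` sends for the SSH user, and maps the realm roles carried in the returned access token (the `realm_access.roles` claim) to the Karaf privilege described above. The configuration and the token are constructed inline; the token is unsigned and the role helper does not verify signatures, so it is for inspection only. The function names are this example's own, not the adapter's.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed sample of $FUSE_HOME/etc/keycloak-direct-access.json (same shape as the page's file).
SAMPLE_CONFIG = """
{
    "realm": "demo",
    "resource": "ssh-jmx-admin-client",
    "ssl-required" : "external",
    "auth-server-url" : "http://localhost:8080/auth",
    "credentials": {
        "secret": "password"
    }
}
"""


def load_config(text):
    """Parse the adapter JSON and check that the keys the login module needs are present."""
    cfg = json.loads(text)
    for key in ("realm", "resource", "auth-server-url"):
        if key not in cfg:
            raise ValueError("missing adapter setting: " + key)
    return cfg


def token_endpoint(cfg):
    """Keycloak's OpenID Connect token endpoint for the configured realm."""
    base = cfg["auth-server-url"].rstrip("/")
    return base + "/realms/" + cfg["realm"] + "/protocol/openid-connect/token"


def password_grant_form(cfg, username, password):
    """Form body of the Resource Owner Password Credentials (direct access) grant.

    This is what the JAAS module POSTs on behalf of the SSH user; the client must
    have 'Direct Access Grants Enabled' or Keycloak rejects grant_type=password.
    """
    fields = {
        "grant_type": "password",
        "client_id": cfg["resource"],
        "username": username,
        "password": password,
    }
    secret = cfg.get("credentials", {}).get("secret")
    if secret:  # confidential client: authenticate the client as well as the user
        fields["client_secret"] = secret
    return fields


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def realm_roles(access_token):
    """Realm roles claimed in a Keycloak access token (realm_access.roles).

    Decodes the payload only. The signature is NOT verified here, so use this
    to inspect tokens you already trust, never to make an authorization decision.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("realm_access", {}).get("roles", []))


def karaf_privilege(roles):
    """Map realm roles to the Karaf shell privilege the page describes."""
    if "admin" in roles:
        return "admin"      # every Karaf command
    if "viewer" in roles:
        return "viewer"     # read-only commands only
    return None             # authenticated, but no shell access


def _unsigned_token(claims):
    """Constructed JWT with an empty signature, standing in for Keycloak's response."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed token for the 'admin' user of the 'demo' realm.
SAMPLE_TOKEN = _unsigned_token({
    "preferred_username": "admin",
    "realm_access": {"roles": ["admin", "offline_access"]},
})

if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("POST", token_endpoint(cfg))
    print(urlencode(password_grant_form(cfg, "admin", "password")))
    print("privilege:", karaf_privilege(realm_roles(SAMPLE_TOKEN)))
```

Note that the form carries both the user's password and the client secret in one request, which is why the earlier caveat about HTTPS to a non-local {{book.project.name}} server matters: with `ssl-required` set to `external`, the adapter tolerates plain HTTP only for local and private addresses.
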
====== Using JMX Authentication

JMX authentication might be necessary if you want to use jconsole or another external tool to remotely connect to JMX through RMI. Otherwise it might be better to use hawt.io/jolokia, since the jolokia agent is installed in hawt.io by default. For more details see <<fake/../hawtio.adoc#_hawtio,Hawtio Admin Console>>.

To use JMX authentication, complete the following steps:

. In the `$FUSE_HOME/etc/org.apache.karaf.management.cfg` file, change this property:
+
[source]
----
jmxRealm=keycloak
----

. Install the `keycloak-jaas` feature and configure the `$FUSE_HOME/etc/keycloak-direct-access.json` file as described in the SSH section above.

. In jconsole you can use a URL such as:
+
[source]
----
service:jmx:rmi://localhost:44444/jndi/rmi://localhost:1099/karaf-root
----
+
with the credentials `admin`/`password`, that is, the {{book.project.name}} username and password of a user with admin privileges in your environment. Keep in mind that JMX over RMI is not encrypted unless SSL is configured for it, so these credentials should not cross an untrusted network.
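A check of the settings this section and the SSH section change, as an added example that is not part of the original page or of Fuse: it parses constructed excerpts of `org.apache.karaf.shell.cfg` and `org.apache.karaf.management.cfg` (Java properties syntax, simplified to comments and `key = value` lines), confirms that `sshRealm` and `jmxRealm` both point at the `keycloak` JAAS realm, flags a placeholder client secret, `ssl-required` set to `none`, or a plain `http://` `auth-server-url` to a non-loopback host in the adapter JSON, and parses a JMX service URL of the form shown above to warn when either RMI endpoint is bound to something other than loopback. The loopback-only rule for `auth-server-url` is this example's choice and is stricter than the adapter's `external` setting, which also exempts private-range addresses. Sample files, the sample URL, and the function names are all constructed for the example.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed excerpts of the two Karaf files this page edits (only keys the page names).
SHELL_CFG = """
# $FUSE_HOME/etc/org.apache.karaf.shell.cfg (excerpt)
sshPort = 8101
sshRealm = keycloak
"""

MANAGEMENT_CFG = """
# $FUSE_HOME/etc/org.apache.karaf.management.cfg (excerpt)
jmxRealm = karaf
"""

# Constructed adapter file: placeholder secret, plain http to a remote SSO host.
ADAPTER_JSON = """
{
    "realm": "demo",
    "resource": "ssh-jmx-admin-client",
    "ssl-required" : "external",
    "auth-server-url" : "http://sso.example.test:8080/auth",
    "credentials": { "secret": "password" }
}
"""

# Constructed JMX URL: RMI server on all interfaces, registry on loopback.
JMX_URL = "service:jmx:rmi://0.0.0.0:44444/jndi/rmi://localhost:1099/karaf-root"

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_cfg(text):
    """Parse a Karaf .cfg: '#'/'!' comments, 'key = value' or 'key: value' lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_jmx_url(url):
    """Split service:jmx:rmi://H:P/jndi/rmi://H:P/NAME into its two endpoints and name."""
    m = re.match(
        r"^service:jmx:rmi://([^:/]*):(\d+)/jndi/rmi://([^:/]*):(\d+)/([^/]+)$", url)
    if not m:
        raise ValueError("unrecognised JMX service URL: " + url)
    return {
        "rmi_server": (m.group(1), int(m.group(2))),
        "rmi_registry": (m.group(3), int(m.group(4))),
        "name": m.group(5),
    }


def audit(shell_cfg, management_cfg, adapter_json, jmx_url):
    """Return a list of findings; an empty list means the setup matches this section."""
    findings = []
    shell = parse_cfg(shell_cfg)
    mgmt = parse_cfg(management_cfg)
    if shell.get("sshRealm") != "keycloak":
        findings.append(f"sshRealm is {shell.get('sshRealm')!r}: SSH is not authenticated by Keycloak")
    if mgmt.get("jmxRealm") != "keycloak":
        findings.append(f"jmxRealm is {mgmt.get('jmxRealm')!r}: JMX is not authenticated by Keycloak")

    cfg = json.loads(adapter_json)
    if cfg.get("credentials", {}).get("secret") in (None, "", "password", "secret"):
        findings.append("client secret is missing or a placeholder; use the one Keycloak generated")
    if cfg.get("ssl-required", "external") == "none":
        findings.append("ssl-required=none lets the password grant travel in cleartext")
    url = urlsplit(cfg.get("auth-server-url", ""))
    if url.scheme == "http" and url.hostname not in LOOPBACK:
        findings.append("auth-server-url uses http to a non-loopback host; user passwords would be sent unencrypted")

    endpoints = parse_jmx_url(jmx_url)
    for label in ("rmi_server", "rmi_registry"):
        host, port = endpoints[label]
        if host not in LOOPBACK:
            findings.append(f"{label} bound to {host}:{port} is reachable from the network; "
                            "JMX over RMI is unencrypted unless SSL is configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SHELL_CFG, MANAGEMENT_CFG, ADAPTER_JSON, JMX_URL):
        print("-", finding)
```

Run against the constructed inputs it reports four findings (the `karaf` JMX realm, the placeholder secret, the `http://` SSO URL and the RMI server bound to `0.0.0.0`); with both realms set to `keycloak`, an HTTPS `auth-server-url`, a real secret and both RMI endpoints on `localhost` it reports none.
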