fa7ca9c680
encryption protocol, which is the default setting for the templates using re-encrypt TLS termination Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
32 lines
3.7 KiB
Text
32 lines
3.7 KiB
Text
=== What Is Red Hat Single Sign-On?
|
|
Red Hat Single Sign-On (RH-SSO) is an integrated sign-on solution available as a Red Hat JBoss Middleware for OpenShift containerized image. The {xpaasproduct} image provides an authentication server for users to centrally log in, log out, register, and manage user accounts for web applications, mobile applications, and RESTful web services.
|
|
|
|
[[sso-templates]]
|
|
Red Hat offers multiple OpenShift application templates utilizing the {xpaasproduct-shortname} image version number 7.2. These define the resources needed to develop Red Hat Single Sign-On 7.2 server based deployment and can be split into the following two categories:
|
|
|
|
[[passthrough-templates]]
|
|
* Templates using HTTPS and JGroups keystores and a truststore for the RH-SSO server, all prepared beforehand. These secure the TLS communication using link:https://docs.openshift.com/container-platform/latest/architecture/networking/routes.html#passthrough-termination[passthrough TLS termination]:
|
|
|
|
** *_sso72-https_*: RH-SSO 7.2 backed by internal H2 database on the same pod.
|
|
** *_sso72-mysql_*: RH-SSO 7.2 backed by ephemeral MySQL database on a separate pod.
|
|
** *_sso72-mysql-persistent_*: RH-SSO 7.2 backed by persistent MySQL database on a separate pod.
|
|
** *_sso72-postgresql_*: RH-SSO 7.2 backed by ephemeral PostgreSQL database on a separate pod.
|
|
** *_sso72-postgresql-persistent_*: RH-SSO 7.2 backed by persistent PostgreSQL database on a separate pod.
|
|
|
|
[[reencrypt-templates]]
|
|
* Templates using OpenShift's internal link:https://docs.openshift.com/container-platform/latest/dev_guide/secrets.html#service-serving-certificate-secrets[service serving x509 certificate secrets] to automatically create the HTTPS keystore used for serving secure content. The JGroups cluster traffic is authenticated using the `AUTH` protocol and encrypted using the `ASYM_ENCRYPT` protocol. The RH-SSO server truststore is also created automatically, containing the */var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt* CA certificate file, which is used to sign the certificate for HTTPS keystore. Moreover, the truststore for the RH-SSO server is pre-populated with the all known, trusted CA certificate files found in the Java system path. These templates secure the TLS communication using link:https://docs.openshift.com/container-platform/latest/architecture/networking/routes.html#re-encryption-termination[re-encryption TLS termination]:
|
|
|
|
** *_sso72-x509-https_*: RH-SSO 7.2 with auto-generated HTTPS keystore and RH-SSO truststore, backed by internal H2 database. The `ASYM_ENCRYPT` JGroups protocol is used for encryption of cluster traffic.
|
|
** *_sso72-x509-mysql-persistent_*: RH-SSO 7.2 with auto-generated HTTPS keystore and RH-SSO truststore, backed by persistent MySQL database. The `ASYM_ENCRYPT` JGroups protocol is used for encryption of cluster traffic.
|
|
** *_sso72-x509-postgresql-persistent_*: RH-SSO 7.2 with auto-generated HTTPS keystore and RH-SSO truststore, backed by persistent PostgreSQL database. The `ASYM_ENCRYPT` JGroups protocol is used for encryption of cluster traffic.
|
|
|
|
Other templates that integrate with RH-SSO are also available:
|
|
|
|
* *_eap64-sso-s2i_*: RH-SSO-enabled Red Hat JBoss Enterprise Application Platform 6.4.
|
|
* *_eap70-sso-s2i_*: RH-SSO-enabled Red Hat JBoss Enterprise Application Platform 7.0.
|
|
* *_eap71-sso-s2i_*: RH-SSO enabled Red Hat JBoss Enterprise Application Platform 7.1.
|
|
* *_datavirt63-secure-s2i_*: RH-SSO-enabled Red Hat JBoss Data Virtualization 6.3.
|
|
|
|
These templates contain environment variables specific to RH-SSO that enable automatic RH-SSO client registration when deployed.
|
|
|
|
See xref:Auto-Man-Client-Reg[Automatic and Manual RH-SSO Client Registration Methods] for more information.
|