RH-SSO 7.2 on Red Hat Enterprise Linux 7.5 integrated with Identity Management or Directory Server
#sso , #rh-sso , #keycloak , #authentication , #authorization
RH-SSO server install. This can be done with yum/rpm or zip. Installing from the zips makes it easier to run several middleware products (here RH-SSO and EAP) side by side on one VM/box.
$ unzip rh-sso-7.2.0.GA.zip
$ cd rh-sso-7.2/bin
$ ./add-user-keycloak.sh -u admin -p admin
admin/admin is a placeholder; use a strong password. The script writes standalone/configuration/keycloak-add-user.json and the account is created the next time the server starts.
EAP server install.
$ unzip jboss-eap-7.1.0.zip
$ unzip rh-sso-7.2.0.GA-eap7-adapter.zip -d jboss-eap-7.1
$ unzip -o rh-sso-7.2.0.GA-saml-eap7-adapter.zip -d jboss-eap-7.1
$ cd jboss-eap-7.1/bin
$ ./standalone.sh &
(press ENTER to get the prompt back)
$ ./jboss-cli.sh -c --file=adapter-install.cli
$ ./jboss-cli.sh -c --file=adapter-install-saml.cli
$ fg 1
CTRL+C
The adapter zips unpack over the EAP tree (bin/, modules/), so run them from the directory that contains jboss-eap-7.1, not from inside it. The two CLI files connect to the running server and add the keycloak and keycloak-saml subsystems to standalone.xml; stop the server afterwards so the keystore edits below are made against a stopped instance.
Create certificates for the RH-SSO server:
-
Create the base keystore using java keytool. Put the host name in a SAN as well as the CN (TLS clients match on the SAN) and set an explicit validity; keytool's default is only 90 days. "password" is a placeholder throughout.
$ keytool -genkeypair -alias pki-sso -keyalg RSA -keysize 2048 -validity 365 -keystore /opt/rh-sso-7.2/standalone/configuration/pki-sso.jks -storepass password -keypass password -dname "CN=host.example.com,O=OU.EXAMPLE.COM" -ext SAN=dns:host.example.com
-
Export the certificate from the keystore in PEM format using the java keytool. The -rfc switch is what makes it PEM; without it keytool writes binary DER, which keytool itself still imports but tools such as curl --cacert will not read.
$ keytool -exportcert -rfc -keystore /opt/rh-sso-7.2/standalone/configuration/pki-sso.jks -alias pki-sso -storepass password -file /opt/rh-sso-7.2/standalone/configuration/pki-sso.cer
Create certificates for the EAP-APP server:
-
Create the base keystore using java keytool. EAP also generates one on first use (application.keystore, self-signed for localhost), but that certificate does not match host.example.com, so create one the same way as for RH-SSO. It belongs in the EAP configuration directory, where the export and the standalone.xml below expect it.
$ keytool -genkeypair -alias eap-app -keyalg RSA -keysize 2048 -validity 365 -keystore /opt/jboss-eap-7.1/standalone/configuration/eap-app.jks -storepass password -keypass password -dname "CN=host.example.com,O=OU.EXAMPLE.COM" -ext SAN=dns:host.example.com
-
Export the certificate from the keystore in PEM format using the java keytool (again with -rfc).
$ keytool -exportcert -rfc -keystore /opt/jboss-eap-7.1/standalone/configuration/eap-app.jks -alias eap-app -storepass password -file /opt/jboss-eap-7.1/standalone/configuration/eap-app.cer
Import each server's certificate into the other server's truststore. This one-line command creates the truststore if it does not exist and imports the certificate at the same time. keytool prints the certificate's fingerprint and asks "Trust this certificate?": compare it with the fingerprint of the exported entry before answering yes (-noprompt skips the question, which is fine in a script only if something else does that check).
-
Import the EAP certificate into the RH-SSO truststore.
$ keytool -import -file /opt/jboss-eap-7.1/standalone/configuration/eap-app.cer -alias eap-app -keystore /opt/rh-sso-7.2/standalone/configuration/sso-trust.jks -keypass password -storepass password
-
Import the RH-SSO certificate into the EAP truststore.
$ keytool -import -file /opt/rh-sso-7.2/standalone/configuration/pki-sso.cer -alias pki-sso -keystore /opt/jboss-eap-7.1/standalone/configuration/eap-trust.jks -keypass password -storepass password
Review all Java keystores:
$ keytool -list -keystore /opt/jboss-eap-7.1/standalone/configuration/eap-trust.jks -storepass password
$ keytool -list -keystore /opt/jboss-eap-7.1/standalone/configuration/eap-app.jks -storepass password
$ keytool -list -keystore /opt/rh-sso-7.2/standalone/configuration/sso-trust.jks -storepass password
$ keytool -list -keystore /opt/rh-sso-7.2/standalone/configuration/pki-sso.jks -storepass password
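The whole keystore procedure above as one script, with the check a practitioner wants at the end: after the cross-import, the SHA-256 fingerprint of each server's key entry must equal the fingerprint of the entry the other server's truststore holds under the same alias. This is an added example, not part of the original notes; it assumes keytool from a JDK 8 or later on PATH, and the paths, aliases, host name and the password "password" are the placeholders from the notes (override them through the environment).

```bash
#!/usr/bin/env bash
# make-trust.sh: build the RH-SSO and EAP-APP keystores, export each server
# certificate as PEM, import it into the other side's truststore and verify
# the cross-trust by comparing SHA-256 fingerprints.
# Added example, not from the original notes. Assumes keytool (JDK 8+) on
# PATH; paths, aliases, host name and the password "password" are the
# placeholders used in the notes and can be overridden via the environment.
set -eu

SSO_CONF=${SSO_CONF:-/opt/rh-sso-7.2/standalone/configuration}
EAP_CONF=${EAP_CONF:-/opt/jboss-eap-7.1/standalone/configuration}
HOST=${HOST:-host.example.com}
STOREPASS=${STOREPASS:-password}

# RSA key pair with the host name in the SAN as well as the CN (TLS clients
# check the SAN) and an explicit validity: keytool's default is only 90 days.
gen_keypair() {  # gen_keypair <keystore> <alias>
  keytool -genkeypair -storetype JKS -alias "$2" -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=$HOST,O=OU.EXAMPLE.COM" -ext "SAN=dns:$HOST" \
    -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Export the certificate as PEM; without -rfc keytool writes binary DER.
export_pem() {  # export_pem <keystore> <alias> <outfile>
  keytool -exportcert -rfc -storetype JKS -alias "$2" -keystore "$1" \
    -storepass "$STOREPASS" -file "$3"
}

# Import a certificate into a truststore, creating the file if needed.
# -noprompt suppresses the interactive "Trust this certificate?" question,
# so the fingerprint check is done afterwards by verify_trust instead.
import_trusted() {  # import_trusted <truststore> <alias> <pemfile>
  keytool -importcert -noprompt -storetype JKS -alias "$2" -file "$3" \
    -keystore "$1" -storepass "$STOREPASS"
}

# SHA-256 fingerprint of one entry, or nothing if the alias is absent.
fingerprint() {  # fingerprint <keystore> <alias>
  keytool -list -v -storetype JKS -alias "$2" -keystore "$1" \
    -storepass "$STOREPASS" 2>/dev/null | awk '/SHA256:/ { print $2; exit }'
}

# Succeeds only if the truststore holds the same certificate as the keystore
# under the same alias; an empty fingerprint (missing alias) never matches.
verify_trust() {  # verify_trust <keystore> <alias> <truststore>
  local want have
  want=$(fingerprint "$1" "$2")
  have=$(fingerprint "$3" "$2")
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# The procedure from the notes: two keystores, two PEM exports, cross-import,
# then verify both directions.
build_trust() {
  mkdir -p "$SSO_CONF" "$EAP_CONF"
  gen_keypair "$SSO_CONF/pki-sso.jks" pki-sso
  gen_keypair "$EAP_CONF/eap-app.jks" eap-app
  export_pem "$SSO_CONF/pki-sso.jks" pki-sso "$SSO_CONF/pki-sso.cer"
  export_pem "$EAP_CONF/eap-app.jks" eap-app "$EAP_CONF/eap-app.cer"
  import_trusted "$SSO_CONF/sso-trust.jks" eap-app "$EAP_CONF/eap-app.cer"
  import_trusted "$EAP_CONF/eap-trust.jks" pki-sso "$SSO_CONF/pki-sso.cer"
  verify_trust "$SSO_CONF/pki-sso.jks" pki-sso "$EAP_CONF/eap-trust.jks"
  verify_trust "$EAP_CONF/eap-app.jks" eap-app "$SSO_CONF/sso-trust.jks"
}

# Run the whole procedure when invoked directly: BUILD_TRUST_RUN=1 ./make-trust.sh
if [ "${BUILD_TRUST_RUN:-0}" = "1" ]; then
  build_trust && echo "cross-trust verified"
fi
```

verify_trust is also the check to run after rotating a certificate: if someone re-generates pki-sso.jks without re-importing into eap-trust.jks, the fingerprints diverge and the function fails before the adapter's TLS handshake errors do.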
Edit the servers to use the keystores and truststores.
-
Edit the RH-SSO standalone.xml. ApplicationRealm is the realm the https-listener uses, so the keystore under server-identities is what RH-SSO presents on 8443. The truststore under authentication is only consulted when the listener verifies client certificates; it is not used for RH-SSO's own outgoing HTTPS or LDAPS connections, which go through the truststore SPI of the keycloak-server subsystem.
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="pki-sso.jks" relative-to="jboss.server.config.dir" keystore-password="password" alias="pki-sso" key-password="password"/>
        </ssl>
    </server-identities>
    <authentication>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
        <truststore path="sso-trust.jks" relative-to="jboss.server.config.dir" keystore-password="password"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
-
Edit the EAP-APP standalone.xml. The javax.net.ssl.trustStore system property replaces the JVM's default cacerts for every outbound TLS connection the server makes, so with only eap-trust.jks in it the server trusts RH-SSO and nothing else; import any other CA the server must reach, or scope the truststore to the adapter instead. The truststore element in the realm must point at eap-trust.jks (the imported RH-SSO certificate), not at the server's own key store eap-app.jks; keep the realm's default local and application-users.properties entries, only the ssl and truststore parts change.
<system-properties>
    <property name="javax.net.ssl.trustStorePassword" value="password"/>
    <property name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/eap-trust.jks"/>
</system-properties>
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="eap-app.jks" relative-to="jboss.server.config.dir" keystore-password="password" alias="eap-app" key-password="password"/>
        </ssl>
    </server-identities>
    <authentication>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
        <truststore path="eap-trust.jks" relative-to="jboss.server.config.dir" keystore-password="password"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
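The two places where outbound trust is actually configured, as an added example that is not part of the original notes. On the RH-SSO side, outgoing HTTPS (back-channel calls to the adapter) and LDAPS (to IdM) use the truststore SPI of the keycloak-server subsystem, not the security realm. On the EAP-APP side, the adapter accepts its own truststore, which avoids replacing the JVM-wide cacerts through javax.net.ssl.trustStore. File names, the realm and client names and the password "password" are the placeholders from the notes; the STRICT host-name policy is an assumption that the certificate CN/SAN matches the URL used in auth-server-url.

```xml
<!-- RH-SSO standalone.xml: add this spi element inside the existing
     <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> element.
     Added example; sso-trust.jks and "password" are the placeholders from the notes. -->
<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="${jboss.server.config.dir}/sso-trust.jks"/>
            <property name="password" value="password"/>
            <!-- STRICT: certificate host name must match the URL. ANY disables the check. -->
            <property name="hostname-verification-policy" value="STRICT"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>

<!-- EAP-APP standalone.xml: adapter-level truststore instead of the JVM-wide
     javax.net.ssl.trustStore property (which can then be removed). Absolute path
     on purpose: the adapter reads it as a file name, not as a server expression. -->
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="app-profile-jsp.war">
        <realm>hackathon</realm>
        <auth-server-url>https://host.example.com:8443/auth</auth-server-url>
        <public-client>true</public-client>
        <ssl-required>EXTERNAL</ssl-required>
        <resource>app-profile-jsp</resource>
        <truststore>/opt/jboss-eap-7.1/standalone/configuration/eap-trust.jks</truststore>
        <truststore-password>password</truststore-password>
    </secure-deployment>
</subsystem>
```

With the SPI in place, the LDAP federation provider later in these notes picks the same truststore up for ldaps:// URLs (its default "Use Truststore SPI" setting is "Only for ldaps"), so the IdM CA certificate goes into sso-trust.jks as well.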
Run the servers and verify the configurations:
-
Run RH-SSO with the preview profile, which enables the fine-grained admin permissions preview feature, and with Kerberos/SPNEGO debugging for the IdM integration. -b 0.0.0.0 binds every interface, and the two debug properties log every ticket exchange; both are lab settings.
$ /opt/rh-sso-7.2/bin/standalone.sh -Dkeycloak.profile=preview -Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true -b 0.0.0.0 &
-
Run EAP-APP with a port offset on the sockets to prevent conflicts with the RH-SSO server. With an offset of 1000 EAP-APP listens on 9080 (http), 9443 (https) and 10990 (management), so client redirect URIs registered in RH-SSO must use port 9443. -Djavax.net.debug=all dumps every TLS record including application data; -Djavax.net.debug=ssl:handshake is enough to diagnose keystore and truststore problems.
$ /opt/jboss-eap-7.1/bin/standalone.sh -b 0.0.0.0 -Djboss.socket.binding.port-offset=1000 -Djavax.net.debug=all &
Build a test app for the EAP-APP server
-
Clone the keycloak quickstarts. Use the community repository because the RH-SSO quickstarts appear not to be up-to-date; RH-SSO 7.2 is based on Keycloak 3.4.3, hence the tag.
$ git clone git@github.com:keycloak/keycloak-quickstarts.git
$ cd keycloak-quickstarts
$ git checkout 3.4.3-Final
$ cd app-profile-jee-jsp
Remove the line '<file>${basedir}/config/keycloak.json</file>' from pom.xml. The quickstart expects a keycloak.json downloaded from the admin console in config/ and packages it into the WAR; here the adapter is configured through the keycloak subsystem's secure-deployment instead, so the build must not require the file and the WAR must not carry a second copy of the configuration.
$ mvn clean package -DskipTests
$ cp target/app-profile-jsp.war /opt/jboss-eap-7.1/standalone/deployments
-
Add a client in the RH-SSO server.
TODO: add GUI steps to do this. The settings the secure-deployment entries below require: in the admin console select realm hackathon, Clients > Create, Client ID app-profile-jsp, Client Protocol openid-connect; after saving set Access Type to public (matching <public-client>true</public-client>) and Valid Redirect URIs to the application on the EAP-APP server, which with the port offset of 1000 is https://host.example.com:9443/app-profile-jsp/*. Keep the redirect URI list that narrow: for a public client there is no secret, so the registered redirect URIs are what keeps the authorization code from being sent to another application on the same host. For the SAML app create a second client with Client Protocol saml and Client ID app-profile-saml (the SP entityID used below).
-
Add the keycloak deployment configuration for an OIDC app, inside the keycloak subsystem that adapter-install.cli added to standalone.xml. ssl-required EXTERNAL enforces HTTPS only for requests from non-private addresses (localhost and RFC 1918 ranges are exempt); use all outside the lab and keep it consistent with the realm's Require SSL setting.
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="app-profile-jsp.war">
        <realm>hackathon</realm>
        <auth-server-url>https://host.example.com:8443/auth</auth-server-url>
        <public-client>true</public-client>
        <ssl-required>EXTERNAL</ssl-required>
        <resource>app-profile-jsp</resource>
    </secure-deployment>
</subsystem>
-
Add the keycloak deployment configuration for a SAML app, inside the keycloak-saml subsystem that adapter-install-saml.cli added. The PrivateKeyPem and CertificatePem under SP are left empty here; they hold the SP signing key, which this configuration needs because signRequest="true" on both services. No certificate is given for the IDP either, so validateResponseSignature="true" has nothing to verify against until the IdP's signing certificate is supplied under the IDP element. validateAssertionSignature="false" is acceptable only while the whole Response is signed by the IdP and validated here.
<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1">
    <secure-deployment name="app-profile-saml.war">
        <SP entityID="app-profile-saml" sslPolicy="EXTERNAL" logoutPage="/index.jsp">
            <Keys>
                <Key signing="true">
                    <PrivateKeyPem></PrivateKeyPem>
                    <CertificatePem></CertificatePem>
                </Key>
            </Keys>
            <IDP entityID="idp" signatureAlgorithm="RSA_SHA256" signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
                <SingleSignOnService signRequest="true" validateResponseSignature="true" validateAssertionSignature="false" requestBinding="POST" bindingUrl="https://host.example.com:8443/auth/realms/hackathon/protocol/saml"/>
                <SingleLogoutService signRequest="true" signResponse="true" validateRequestSignature="true" validateResponseSignature="true" requestBinding="POST" responseBinding="POST" postBindingUrl="https://host.example.com:8443/auth/realms/hackathon/protocol/saml" redirectBindingUrl="https://host.example.com:8443/auth/realms/hackathon/protocol/saml"/>
            </IDP>
        </SP>
    </secure-deployment>
</subsystem>
Set up RH-SSO to federate with LDAP
TODO add GUI steps to do this. The provider is added under User Federation > Add provider > ldap. For IdM (389 Directory Server underneath) pick Vendor "Red Hat Directory Server", Edit Mode READ_ONLY, and uid as Username LDAP attribute and RDN LDAP attribute. The values used here:
-
Connection URL: ldap://idm.example.com
-
Users DN: cn=users,cn=accounts,dc=idm,dc=example,dc=com
-
Bind DN: CN=Directory Manager
-
Bind Credential: Pa55word
Two things to change before this leaves the lab. ldap:// sends the bind password in the clear: use ldaps://idm.example.com:636 and put the IdM CA certificate in the truststore that the keycloak-server truststore SPI points at, which the provider uses for LDAPS by default ("Use Truststore SPI: Only for ldaps"). And Directory Manager is the directory superuser: bind with a dedicated read-only account instead, in IdM a system account under cn=sysaccounts,cn=etc,dc=idm,dc=example,dc=com (for example uid=rhsso-bind, a hypothetical name). Use the Test connection and Test authentication buttons to confirm the settings before saving.
Other
signing cert with IPA…