Last active
January 16, 2018 13:23
Revisions
Charnnarong revised this gist
Jul 7, 2017 . 1 changed file with 5 additions and 5 deletions.
@@ -243,7 +243,7 @@ result {"outcome" => "success"} ``` Apply step (1) to (13) on all EAP servers that appointed to be cluster members. ### <b>Configure EAP</b> @@ -367,7 +367,7 @@ Check if Mod_Cluster picks up new joining nodes.<br/> > 1.) On the left panel, under Eap_Cluster_Demo > Manage click **Users** , then Add user; located on the top right corner.<br/> > 2.) Username: Bob<br/> > 3.) Click Save.<br/> > 4.) Under Bob > Credentials. set new password/confirmation and turn off Temporary password if you wanted to, or leave it on to asked the user to create their new password on the first login. Once that's done, click on **Reset Password** and confirm.<br/> 8.) Add Client. Client is the target application that we want to secure.<br/> > 1.) Click on Eap_Cluster_Demo > Configure > Clients<br/> 
@@ -413,15 +413,15 @@ To <br/> [vagrant@eap-a bin]$ ./standalone.sh -c standalone-ha.xml -b 0.0.0.0 -bmanagement 0.0.0.0 ``` 10.) Log in to `http://10.100.199.40:10001/business-central` again. You will be redirected to Rh-sso with realm name banner e.g  11.) Enter your credential e.g Bob/Bob. Then if you choose to set temporary password enable you will be asked to update the password, otherwise, you will be redirected to Business-central application. However, this *will not work* yet. 12.) Assign Clients to User. > 1.) Eap_Cluster_Demo > Manage > Users > View All users > bob > edit <br/> > 2.) Bob > Role Mappings > Client Roles > Select drop down > choose `mod_cluster_eap`<br/> > 3.) Under **Available Roles** select **admin** click **Add selected** 13.) Go to `http://10.100.199.40:10001/business-central` again. Log in with your credential one more time. If there is any problem with logging in please try to clear cookies and/or restart eap server. -
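Review bot: in the hunk at `@@ -367,7 +367,7 @@` the reworded credentials sub-step 4 now reads "or leave it on to asked the user to create their new password"; the verb is wrong. Either "or leave it on to ask the user to create a new password on first login" or the earlier "then the user will be asked" reads correctly.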
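Review bot: in the hunk at `@@ -413,15 +413,15 @@` step 12 is still headed "Assign Clients to User" although its sub-steps map the client role `admin` of `mod_cluster_eap` onto Bob (Role Mappings > Client Roles > mod_cluster_eap > admin), and step 11 still says only that the login "will not work yet" without saying why. Suggest "12.) Assign the client role to the user" and one sentence in step 11: the adapter block in step 9 sets `<use-resource-role-mappings>true</use-resource-role-mappings>`, so business-central only sees roles mapped on the `mod_cluster_eap` client, which Bob has none of until step 12.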
Charnnarong created this gist
Jul 7, 2017 .
# Rh-SSO with EAP7 Cluster setup guide.

This installation and configuration guide covers only the core concept of integrating Red Hat SSO with mod_cluster. It does not cover a full-blown cluster setup; for a more advanced cluster setup, please refer [here](https://access.redhat.com/documentation/en-us/reference_architectures/2017/html-single/configuring_a_red_hat_jboss_eap_7_cluster/).

Requirements<br/>
* Red Hat JBoss Core Services Apache HTTP Server 2.4.23 for RHEL 7 x86_64
* EAP 7
* BPMS
* RH-SSO

## Mod Cluster
<hr/>

### <b>Setup Mod Cluster</b>

1.) Download the software [here](https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=core.service.apachehttp&version=3.1.0&productChanged=yes). The full installation guide is [here](https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services_apache_http_server/2.4/html-single/apache_http_server_installation_guide/).

2.) Copy the zip file to
```bash
/opt/jbcs-httpd24-httpd-2.4.23-RHEL7-x86_64.zip
```

3.) Unzip jbcs-httpd24-httpd-2.4.23-RHEL7-x86_64.zip
```bash
[root@mod-cluster opt]# unzip jbcs-httpd24-httpd-2.4.23-RHEL7-x86_64.zip
```

4.) Create the apache user group
```bash
[root@mod-cluster opt]# groupadd -g 48 -r apache
```

5.) Create the apache user in the apache group
```bash
[root@mod-cluster opt]# useradd -c "Apache" -u 48 -g apache -s /bin/sh -r apache
```

6.) Assign ownership of the Apache directories to the apache user so that it can run Apache HTTP Server
```bash
[root@mod-cluster opt]# chown -R apache:apache jbcs-httpd24-2.4
```

7.) Disable SSL. This leaves both the proxied traffic and the MCPM management channel in clear text; it is acceptable for a lab, not for production.
```bash
[root@mod-cluster conf.d]# pwd
/opt/jbcs-httpd24-2.4/httpd/conf.d
[root@mod-cluster conf.d]# mv ssl.conf ssl.conf.disabled
[root@mod-cluster conf.d]# touch ssl.conf
[root@mod-cluster conf.d]# chown apache:apache ssl.conf
```

8.)
Run the post-installation script
```bash
[root@mod-cluster httpd]# pwd
/opt/jbcs-httpd24-2.4/httpd
[root@mod-cluster httpd]# ./.postinstall
```

9.) Start Apache HTTP Server
```bash
[root@mod-cluster sbin]# pwd
/opt/jbcs-httpd24-2.4/httpd/sbin
[root@mod-cluster sbin]# ./apachectl start
```

Check status
```bash
[root@mod-cluster sbin]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
...
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      4087/httpd
tcp6       0      0 :::6666                 :::*                    LISTEN      4087/httpd
...
```
<br/>

### <b>Config Mod Cluster</b>

1.) To bind to all IPs (0.0.0.0), modify `/opt/jbcs-httpd24-2.4/httpd/conf/httpd.conf`
```bash
#Listen 127.0.0.1:80
Listen 0.0.0.0:80
```

2.) Modify `/opt/jbcs-httpd24-2.4/httpd/conf.d/mod_cluster.conf`<br/>
from
```apache
# mod_proxy_balancer should be disabled when mod_cluster is used
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so

MemManagerFile /opt/jbcs-httpd24-2.4/httpd/cache/mod_cluster

<IfModule manager_module>
  Listen 6666
  <VirtualHost *:6666>
    <Directory />
      Require ip 127.0.0.1
    </Directory>
    ServerAdvertise on
    EnableMCPMReceive
    <Location /mod_cluster_manager>
      SetHandler mod_cluster-manager
      Require ip 127.0.0.1
    </Location>
  </VirtualHost>
</IfModule>
```
to
```apache
# mod_proxy_balancer should be disabled when mod_cluster is used
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so

MemManagerFile /opt/jbcs-httpd24-2.4/httpd/cache/mod_cluster

<IfModule manager_module>
  Listen 0.0.0.0:10001
  ManagerBalancerName marlo-sso-demo-cluster
  <VirtualHost 0.0.0.0:10001>
    <Location />
      Require all granted
    </Location>
    KeepAliveTimeout 300
    MaxKeepAliveRequests 0
    AdvertiseFrequency 5
    EnableMCPMReceive
    <Location /mod_cluster_manager>
      SetHandler mod_cluster-manager
      Require all granted
    </Location>
  </VirtualHost>
</IfModule>
```
Note what changed besides the port: the stock file restricts both the MCPM receiver and the manager page to 127.0.0.1, while `Require all granted` on a listener bound to 0.0.0.0 lets any host that can reach port 10001 register itself as a worker node and read `/mod_cluster_manager`. That is fine on an isolated lab network; anywhere else use `Require ip <EAP node addresses>` instead.

3.) Stop and start the server
```bash
[root@mod-cluster sbin]# ./apachectl stop
[root@mod-cluster sbin]# ./apachectl start
```
Verify that the server is up by opening `http://<mod_cluster_host>/` in a browser, then check the mod_cluster manager page at `http://<mod_cluster_host>:10001/mod_cluster_manager`.
<br/>

## EAP 7.0
<hr/>

### <b>Setup EAP</b>

1.) Download jboss-eap-7.0.0.zip

2.) Unzip EAP 7.
```bash
[vagrant@eap-a demoBox]$ unzip jboss-eap-7.0.0.zip
```

3.) Add an admin user (admin/admin is a demo credential; use a real password outside the lab)
```bash
[vagrant@eap-a bin]$ ./add-user.sh -u admin -p admin
```

4.) Start the server. `-bmanagement 0.0.0.0` exposes the management console on every interface, so do this only on a lab network.
```bash
[vagrant@eap-a bin]$ pwd
/home/vagrant/demoBox/jboss-eap-7.0/bin
[vagrant@eap-a bin]$ ./standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0
```

5.) Download [jboss-eap-7.0.3-patch.zip](https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=patches&version=7.0)

6.) Open the EAP console > Patching > Apply a new Patch > Choose File. Choose **jboss-eap-7.0.3-patch.zip** > Next > Dismiss > tick "Restart the server now" > Finish

7.) Stop the server.

8.) Download BPMS [jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip](https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=)

9.) Copy the zip into the directory that contains EAP_HOME (the archive's paths start with `jboss-eap-7.0/`, so it must sit next to that directory, not inside it)
```bash
[vagrant@eap-a demoBox]$ ll
total 393464
-rw-rw-r--.  1 vagrant vagrant 238927691 May 23 07:14 jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip
drwxrwxr-x. 10 vagrant vagrant       221 Apr 18  2016 jboss-eap-7.0
-rw-rw-r--.  1 vagrant vagrant 163977055 May 23 08:14 jboss-eap-7.0.0.zip
```

10.) Extract jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip
```bash
[vagrant@eap-a demoBox]$ unzip jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip
Archive:  jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip
replace jboss-eap-7.0/bin/appclient.conf? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
```

11.)
Download [rh-sso-7.1.0-eap7-adapter.zip](https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=core.service.rhsso&version=6.4&productChanged=yes) and copy it to EAP_HOME.

12.) Unzip rh-sso-7.1.0-eap7-adapter.zip
```bash
[vagrant@eap-a jboss-eap-7.0]$ ll
total 952
drwxrwxr-x. 3 vagrant vagrant     27 Apr 18  2016 appclient
drwxrwxr-x. 4 vagrant vagrant   4096 Jun 17 19:45 bin
drwxrwxr-x. 5 vagrant vagrant     52 Apr 18  2016 docs
drwxrwxr-x. 5 vagrant vagrant     50 Apr 18  2016 domain
-rw-rw-r--. 1 vagrant vagrant    419 Apr 18  2016 JBossEULA.txt
-rw-rw-r--. 1 vagrant vagrant 366066 Apr 18  2016 jboss-modules.jar
-rw-rw-r--. 1 vagrant vagrant  26530 Apr 18  2016 LICENSE.txt
drwxrwxr-x. 3 vagrant vagrant     20 Apr 18  2016 modules
-rw-rw-r--. 1 vagrant vagrant 561153 Jun  3 05:22 rh-sso-7.1.0-eap7-adapter.zip
drwxrwxr-x. 8 vagrant vagrant     91 Jun 17 19:27 standalone
-rw-rw-r--. 1 vagrant vagrant     65 Jun 17 19:38 version.txt
drwxrwxr-x. 4 vagrant vagrant    158 Apr 18  2016 welcome-content
[vagrant@eap-a jboss-eap-7.0]$ unzip rh-sso-7.1.0-eap7-adapter.zip
[vagrant@eap-a jboss-eap-7.0]$ rm rh-sso-7.1.0-eap7-adapter.zip
```

13.) Install the rh-sso-7.1.0-eap7-adapter adapter.
```bash
[vagrant@eap-a bin]$ pwd
/home/vagrant/demoBox/jboss-eap-7.0/bin
[vagrant@eap-a bin]$ ./jboss-cli.sh --file=adapter-install-offline.cli
```
result
```json
{"outcome" => "success"}
{"outcome" => "success"}
{
    "outcome" => "success",
    "result" => [("keycloak" => "1.1.0")]
}
{"outcome" => "success"}
```

Apply steps (1) to (13) on every EAP server that is to be a cluster member.

### <b>Configure EAP</b>

1.)
Modify JBOSS_HOME/standalone/configuration/standalone-ha.xml<br/>
from
```xml
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
    <mod-cluster-config advertise-socket="modcluster" connector="ajp">
        <dynamic-load-provider>
            <load-metric type="cpu"/>
        </dynamic-load-provider>
    </mod-cluster-config>
</subsystem>
```
to
```xml
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
    <mod-cluster-config advertise-socket="modcluster" proxies="proxy1" connector="ajp">
        <dynamic-load-provider>
            <load-metric type="cpu"/>
        </dynamic-load-provider>
    </mod-cluster-config>
</subsystem>
```

2.) Add an outbound-socket-binding (keep the existing socket bindings in the group)<br/>
from
```xml
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    ...
    ...
    ...
</socket-binding-group>
```
to
```xml
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    ...
    ...
    ...
    <outbound-socket-binding name="proxy1">
        <remote-destination host="10.100.199.40" port="10001"/>
    </outbound-socket-binding>
</socket-binding-group>
```

3.) Add the Keycloak extension under `<server>` > `<extensions>`
```xml
<extension module="org.keycloak.keycloak-adapter-subsystem"/>
```

4.) Add a security domain under `<server>` > `<profile>` > `<subsystem xmlns="urn:jboss:domain:security:1.2">` > `<security-domains>`
```xml
<security-domain name="keycloak">
    <authentication>
        <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
    </authentication>
</security-domain>
```

5.) Add the Keycloak subsystem under `<server>` > `<profile>`
```xml
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
```

6.) Comment out `<single-sign-on/>` under `<server>` > `<profile>` > `<subsystem xmlns="urn:jboss:domain:undertow:3.1">` > `<server>` > `<host>`<br/>
From
```xml
<single-sign-on/>
```
To
```xml
<!--<single-sign-on/>-->
```

7.) Apply steps 1 to 6 on the other EAP node.

8.) Start both EAP nodes.
```bash
[vagrant@eap-a bin]$ ./standalone.sh -c standalone-ha.xml -b 0.0.0.0 -bmanagement 0.0.0.0
```
Check on the mod_cluster manager page that both nodes have joined.
<br/>

## Red Hat Single Sign-On 7.1.0 Server
<hr/>

1.) Download [rh-sso-7.1.0.zip](https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=core.service.rhsso)

2.) Unzip the file
```bash
[vagrant@keycloak demoBox]$ unzip rh-sso-7.1.0.zip
```

3.) Add the Rh-sso admin user (again a demo credential)
```bash
[vagrant@keycloak demoBox]$ cd rh-sso-7.1/
[vagrant@keycloak rh-sso-7.1]$ cd bin/
[vagrant@keycloak bin]$ ./add-user-keycloak.sh -r master -u admin -p admin
```

4.) Start the rh-sso server
```bash
[vagrant@keycloak bin]$ ./standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0
```

5.) Log in to Rh-SSO at <i>`http://<your host here>:8080/auth/admin`</i>, e.g. <i>`http://10.100.199.10:8080/auth/admin`</i><br/>
> username: admin<br/>
> password: admin

6.) Add a new realm.
> 1.) Hover the cursor over the drop-down menu in the top left corner, next to the **Master** realm<br/>
> 2.) Click **Add Realm**, then enter the realm name *Eap_Cluster_Demo*<br/>

7.) Add a user
> 1.) On the left panel, under Eap_Cluster_Demo > Manage, click **Users**, then **Add user** (top right corner).<br/>
> 2.) Username: Bob<br/>
> 3.) Click Save.<br/>
> 4.) Under Bob > Credentials, set the new password and its confirmation. Turn off Temporary password if you want to, or leave it on so that the user is asked to set a new password at first login. Then click **Reset Password** and confirm.<br/>

8.) Add a client. The client is the target application that we want to secure.<br/>
> 1.) Click Eap_Cluster_Demo > Configure > Clients<br/>
> 2.) Click **Create**<br/>
> 3.) Client ID: mod_cluster_eap<br/>
> 4.) Client Protocol: openid-connect<br/>
> 5.) Root URL: `http://<mod_cluster_host>:<mod_cluster_port>/business-central`, e.g. `http://10.100.199.40:10001/business-central`. Keep the client's Valid Redirect URIs tied to this URL rather than widening them to a bare wildcard.<br/>
> 6.) Click **Save**<br/>
> 7.)
Configure mod_cluster_eap: click Eap_Cluster_Demo > Configure > Clients > mod_cluster_eap > Edit<br/>
> 8.) Mod_cluster_eap > Settings > Access Type: change **public** to **confidential**, then click **Save**<br/>
> 9.) Mod_cluster_eap > Roles > click **Add Role**<br/>
> 10.) Role Name: admin<br/>
> 11.) Click **Save**<br/>
> 12.) Mod_cluster_eap > Installation > Format Option = *Keycloak OIDC JBoss Subsystem XML*<br/>
> 13.) Copy the code snippet aside; we will use it shortly in the EAP configuration. It contains the client secret, so treat it like a password.

9.) Configure EAP to redirect authentication from business-central to SSO.<br/>
> 1.) Open EAP_HOME/standalone/configuration/standalone-ha.xml<br/>
> 2.) Find `<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>`<br/>
> 3.) Put the snippet from step 8.13 inside that tag and replace `WAR MODULE NAME.war` with `business-central.war`. <br/>Also add `<principal-attribute>preferred_username</principal-attribute>`, which makes business-central display the username instead of the user id in the top right corner.<br/>
From<br/>
```xml
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
```
To<br/>
```xml
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="business-central.war">
        <realm>Eap_Cluster_Demo</realm>
        <auth-server-url>http://10.100.199.10:8080/auth</auth-server-url>
        <ssl-required>EXTERNAL</ssl-required>
        <resource>mod_cluster_eap</resource>
        <credential name="secret">624b9a97-6279-48d4-b701-9f33e3df5bae</credential>
        <use-resource-role-mappings>true</use-resource-role-mappings>
        <principal-attribute>preferred_username</principal-attribute>
    </secure-deployment>
</subsystem>
```
Two things to be aware of in this block: `<ssl-required>EXTERNAL</ssl-required>` only enforces HTTPS for requests from non-private addresses, so on the 10.100.199.0/24 lab network everything, tokens included, travels over plain HTTP (use `all` outside a lab), and the client secret sits in clear text in standalone-ha.xml, so keep the file readable only by the EAP user and regenerate the secret in Rh-SSO if it ever leaks.<br/>
> 4.) Save the configuration and restart the EAP server.
```bash
[vagrant@eap-a bin]$ ./standalone.sh -c standalone-ha.xml -b 0.0.0.0 -bmanagement 0.0.0.0
```

10.) Log in to `http://10.100.199.40:10001/business-central` again. You will be redirected to Rh-sso, which shows the realm name in its banner.

11.) Enter your credentials, e.g. Bob/Bob. If you left Temporary password enabled you will be asked to change the password; otherwise you are redirected to the Business-central application. However, this *will not work* yet: the adapter block above sets `use-resource-role-mappings` to `true`, so business-central only sees roles mapped on the `mod_cluster_eap` client, and Bob has none so far.

12.) Assign the client role to the user.
> 1.) Eap_Cluster_Demo > Manage > Users > View all users > bob > Edit<br/>
> 2.) Bob > Role Mappings > Client Roles > select `mod_cluster_eap` from the drop-down<br/>
> 3.) Under **Available Roles** select **admin** and click **Add selected**

13.) Go to `http://10.100.199.40:10001/business-central` again and log in with your credentials once more. If there is any problem logging in, try clearing cookies and/or restarting the EAP server.
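The `Require all granted` change in the mod_cluster.conf "to" block of the Config Mod Cluster section is the setting a reviewer would push back on. As an added example that is not part of the original gist, the Python below parses such a configuration, reports which sections under the MCPM-receiving VirtualHost are open to every client, and rewrites them to an IP allow-list. The trimmed sample configuration and the `10.100.199.0/24` range are assumptions for this lab, not values from the page.

```python
"""Audit the mod_cluster MCPM listener's access control. Added example, not code
from the gist: it walks an httpd config such as the mod_cluster.conf "to" block
above, reports every `Require` under the VirtualHost that has EnableMCPMReceive,
and harden() swaps `Require all granted` there for an IP allow-list."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the guide's "to" block, trimmed, plus a plain port-80
# VirtualHost that the audit must leave alone.
MOD_CLUSTER_CONF = """\
MemManagerFile /opt/jbcs-httpd24-2.4/httpd/cache/mod_cluster
<VirtualHost *:80>
  <Location />
    Require all granted
  </Location>
</VirtualHost>
<IfModule manager_module>
  Listen 0.0.0.0:10001
  ManagerBalancerName marlo-sso-demo-cluster
  <VirtualHost 0.0.0.0:10001>
    <Location />
      Require all granted
    </Location>
    EnableMCPMReceive
    <Location /mod_cluster_manager>
      SetHandler mod_cluster-manager
      Require all granted
    </Location>
  </VirtualHost>
</IfModule>
"""
OPEN_TAG = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")
Section = Tuple[str, str]          # e.g. ("VirtualHost", "0.0.0.0:10001")


def walk(conf: str):
    """Yield (raw line, enclosing sections, directive name or None, args) per line."""
    path: List[Section] = []
    for raw in conf.splitlines():
        line = raw.strip()
        close, opener = CLOSE_TAG.match(line), OPEN_TAG.match(line)
        if close:
            if not path or path[-1][0].lower() != close.group(1).lower():
                raise ValueError(f"unbalanced </{close.group(1)}>")
            path.pop()
            yield raw, tuple(path), None, ""
        elif opener:
            path.append((opener.group(1), opener.group(2).strip()))
            yield raw, tuple(path), None, ""
        elif not line or line.startswith("#"):
            yield raw, tuple(path), None, ""
        else:
            name, _, args = line.partition(" ")
            yield raw, tuple(path), name, args.strip()
    if path:
        raise ValueError(f"unclosed <{path[-1][0]}>")


def enclosing_vhost(path) -> Optional[Section]:
    """Innermost VirtualHost on the path, None at server scope."""
    for section in reversed(path):
        if section[0].lower() == "virtualhost":
            return section
    return None


def mcpm_vhosts(conf: str) -> set:
    """VirtualHosts that accept MCPM node registrations."""
    hosts = {enclosing_vhost(p) for _, p, name, _ in walk(conf)
             if name and name.lower() == "enablemcpmreceive"}
    hosts.discard(None)   # a server-scope EnableMCPMReceive has no vhost to attribute
    return hosts


def audit_mcpm_access(conf: str) -> Dict[str, List[str]]:
    """Map each section under an MCPM VirtualHost to its Require arguments."""
    hosts, findings = mcpm_vhosts(conf), {}
    for _, path, name, args in walk(conf):
        vhost = enclosing_vhost(path)
        if name and name.lower() == "require" and vhost in hosts:
            key = " > ".join(f"{kind} {arg}".strip() for kind, arg in path[path.index(vhost):])
            findings.setdefault(key, []).append(args)
    return findings


def unrestricted_sections(conf: str) -> List[str]:
    """Sections of the MCPM VirtualHost that are open to every client."""
    return sorted(s for s, reqs in audit_mcpm_access(conf).items()
                  if any(r.lower() == "all granted" for r in reqs))


def harden(conf: str, allowed: List[str]) -> str:
    """Rewrite `Require all granted` under the MCPM VirtualHost to an IP allow-list."""
    hosts, out = mcpm_vhosts(conf), []
    for raw, path, name, args in walk(conf):
        if (name and name.lower() == "require" and args.lower() == "all granted"
                and enclosing_vhost(path) in hosts):
            indent = raw[:len(raw) - len(raw.lstrip())]
            raw = f"{indent}Require ip {' '.join(allowed)}"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for section in unrestricted_sections(MOD_CLUSTER_CONF):
        print("open to every client:", section)
    print(harden(MOD_CLUSTER_CONF, ["10.100.199.0/24"]))
```

Run it against the real `mod_cluster.conf` by reading the file into `harden()`; the port-80 VirtualHost in the sample is left untouched because only the VirtualHost that carries `EnableMCPMReceive` is rewritten.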
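Why step 11 fails and step 12 fixes it is easiest to see from the token. The Python below is added here and is not part of the original gist: it parses the step 9 adapter block, lists the hardening points a reviewer would raise on it, and checks constructed sample access-token claims the way the adapter's role check does, reading roles from `resource_access.mod_cluster_eap.roles` rather than `realm_access.roles` because `use-resource-role-mappings` is `true`. The tokens are unsigned samples built for the demonstration; signature, issuer and expiry verification, which the real adapter performs, are out of scope.

```python
"""Show what the step 9 Keycloak adapter block demands of a token. Added example,
not code from the gist. Parses the <secure-deployment> block, reports hardening
points, and evaluates constructed (unsigned) token claims the way the adapter's
role lookup does. Real tokens must also pass signature/issuer/expiry checks."""
import base64
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Copied from the step 9 "To" block (the secret is the demo value shown there).
KEYCLOAK_SUBSYSTEM = """\
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="business-central.war">
        <realm>Eap_Cluster_Demo</realm>
        <auth-server-url>http://10.100.199.10:8080/auth</auth-server-url>
        <ssl-required>EXTERNAL</ssl-required>
        <resource>mod_cluster_eap</resource>
        <credential name="secret">624b9a97-6279-48d4-b701-9f33e3df5bae</credential>
        <use-resource-role-mappings>true</use-resource-role-mappings>
        <principal-attribute>preferred_username</principal-attribute>
    </secure-deployment>
</subsystem>
"""
NS = {"kc": "urn:jboss:domain:keycloak:1.1"}


def load_deployments(xml_text: str) -> Dict[str, Dict[str, str]]:
    """Return {war name: {setting: value}} for every <secure-deployment>."""
    deployments = {}
    for dep in ET.fromstring(xml_text).findall("kc:secure-deployment", NS):
        settings = {}
        for child in dep:
            tag = child.tag.split("}", 1)[1]          # drop the namespace
            if tag == "credential":
                tag = f"credential:{child.get('name')}"
            settings[tag] = (child.text or "").strip()
        deployments[dep.get("name")] = settings
    return deployments


def config_warnings(settings: Dict[str, str]) -> List[str]:
    """Hardening points on one secure-deployment block."""
    warnings = []
    if settings.get("ssl-required", "external").lower() != "all":
        warnings.append("ssl-required is not 'all': clients on private address ranges "
                        "may use plain HTTP, so tokens cross the LAN in clear text")
    if settings.get("auth-server-url", "").startswith("http://"):
        warnings.append("auth-server-url is plain http")
    if settings.get("credential:secret"):
        warnings.append("client secret is stored in clear text in standalone-ha.xml; "
                        "restrict the file's permissions and rotate it if shared")
    return warnings


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg=none). Never accept such a token in real code."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}."


def token_claims(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)              # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_seen_by_adapter(claims: dict, settings: Dict[str, str]) -> Set[str]:
    """Roles the adapter considers, depending on use-resource-role-mappings."""
    if settings.get("use-resource-role-mappings", "false").lower() == "true":
        client = settings["resource"]
        return set(claims.get("resource_access", {}).get(client, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def login_allowed(token: str, settings: Dict[str, str], required_role: str = "admin") -> bool:
    """True when the token carries the role the guide assigns (admin)."""
    return required_role in roles_seen_by_adapter(token_claims(token), settings)


# Constructed sample claims. Before step 12 Bob only has the realm's default
# roles; after step 12 the client role admin on mod_cluster_eap is present.
_BASE = {"iss": "http://10.100.199.10:8080/auth/realms/Eap_Cluster_Demo",
         "azp": "mod_cluster_eap", "preferred_username": "bob"}
BOB_BEFORE_STEP_12 = unsigned_token({**_BASE,
    "realm_access": {"roles": ["offline_access", "uma_authorization"]}})
BOB_AFTER_STEP_12 = unsigned_token({**_BASE,
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"mod_cluster_eap": {"roles": ["admin"]}}})
# A realm role named admin does not help while resource role mappings are in use.
BOB_REALM_ADMIN_ONLY = unsigned_token({**_BASE, "realm_access": {"roles": ["admin"]}})

if __name__ == "__main__":
    cfg = load_deployments(KEYCLOAK_SUBSYSTEM)["business-central.war"]
    for w in config_warnings(cfg):
        print("warning:", w)
    for label, tok in [("before step 12", BOB_BEFORE_STEP_12), ("after step 12", BOB_AFTER_STEP_12)]:
        print(label, "->", "login allowed" if login_allowed(tok, cfg) else "no admin role")
```

The `BOB_REALM_ADMIN_ONLY` sample is the trap to remember: granting Bob a realm role called `admin` instead of the client role changes nothing while `use-resource-role-mappings` stays `true`.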