From 8802109255fec0bf5ad1b593b477088897611750 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20Mass=C3=A9?= Date: Thu, 10 Oct 2019 13:41:28 +0200 Subject: [PATCH] 2019-10-10 update --- .../running-redhat-sso-outside-openshift.md | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 content/blog/running-redhat-sso-outside-openshift.md diff --git a/content/blog/running-redhat-sso-outside-openshift.md b/content/blog/running-redhat-sso-outside-openshift.md new file mode 100644 index 0000000..605bbba --- /dev/null +++ b/content/blog/running-redhat-sso-outside-openshift.md 
@@ -0,0 +1,75 @@ +--- +title: "Running Red Hat SSO outside of OpenShift" +date: 2019-10-10T00:00:00+02:00 +opensource: +- Keycloak +--- + +In an article named [Red Hat Single Sign-On: Give it a try for no cost!](https://developers.redhat.com/blog/2019/02/07/red-hat-single-sign-on-give-it-a-try-for-no-cost/), I explained how to deploy Red Hat SSO very easily in any OpenShift cluster. + +As pointed by a reader in a comment, as widespread OpenShift can be, not everyone has access to a running OpenShift cluster. So, here is how to run Red Hat SSO outside of OpenShift: using only plain Docker commands. + +The rest of this procedure assumes you already have a token to access the Red Hat registry (full procedure described in [my article](https://developers.redhat.com/blog/2019/02/07/red-hat-single-sign-on-give-it-a-try-for-no-cost/) and in the [Red Hat SSO Getting Started guide, chapter 3, section 3.1](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/html/red_hat_single_sign-on_for_openshift/get_started)). 
+ +Start by logging in with this token using the *docker login* command (do not forget to replace the login and password with yours): + +```sh +docker login -u='1979710|nma-docker' -p=your.token.here registry.redhat.io +``` + +Confirm your Red Hat registry token is valid by pulling the Red Hat SSO image: + +```sh +docker pull registry.redhat.io/redhat-sso-7/sso73-openshift:1.0 +``` + +We can continue by following the official [Red Hat SSO Getting Started guide, chapter 4, section 4.1.2](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/html/red_hat_single_sign-on_for_openshift/advanced_concepts#Configuring-Keystores) to create HTTPS and JGroups Keystores, and Truststore: + +```sh +mkdir keystore +openssl req -new -newkey rsa:2048 -x509 -keyout keystore/xpaas.key -out keystore/xpaas.crt -days 365 -subj "/CN=localhost" -nodes +keytool -genkeypair -keyalg RSA -keysize 2048 -dname "CN=localhost" -alias jboss -keystore keystore/keystore.jks -storepass secret -keypass secret +keytool -certreq -keyalg rsa -alias jboss -keystore keystore/keystore.jks -file keystore/sso.csr -storepass secret +openssl x509 -req -CA keystore/xpaas.crt -CAkey keystore/xpaas.key -in keystore/sso.csr -out keystore/sso.crt -days 365 -CAcreateserial +keytool -import -file keystore/xpaas.crt -alias xpaas.ca -keystore keystore/keystore.jks -storepass secret -trustcacerts -noprompt +keytool -import -file keystore/sso.crt -alias jboss -keystore keystore/keystore.jks -storepass secret + +mkdir jgroups +keytool -genseckey -alias secret-key -storetype JCEKS -keystore jgroups/jgroups.jceks -storepass secret -keypass secret + +mkdir truststore +keytool -import -file keystore/xpaas.crt -alias xpaas.ca -keystore truststore/truststore.jks -storepass secret -trustcacerts -noprompt +``` + +And finally, we can convert the official [Red Hat SSO template](https://github.com/jboss-container-images/redhat-sso-7-openshift-image/blob/sso73-dev/templates/sso73-https.json) to Docker commands: + 
+```sh +docker run --name redhat-sso -m 1Gi \ + -p 8778:8778 -p 8080:8080 -p 8443:8443 -p 8888:8888 \ + -e SSO_HOSTNAME=localhost \ + -e SSO_ADMIN_USERNAME=admin \ + -e SSO_ADMIN_PASSWORD=password \ + -e SSO_REALM=test \ + -e HTTPS_KEYSTORE_DIR=/etc/keystore \ + -e HTTPS_KEYSTORE=keystore.jks \ + -e HTTPS_KEYSTORE_TYPE=jks \ + -e HTTPS_NAME=jboss \ + -e HTTPS_PASSWORD=secret \ + -e JGROUPS_ENCRYPT_KEYSTORE_DIR=/etc/jgroups \ + -e JGROUPS_ENCRYPT_KEYSTORE=jgroups.jceks \ + -e JGROUPS_ENCRYPT_NAME=secret-key \ + -e JGROUPS_ENCRYPT_PASSWORD=secret \ + -e JGROUPS_CLUSTER_PASSWORD=random \ + -e SSO_TRUSTSTORE=truststore.jks \ + -e SSO_TRUSTSTORE_DIR=/etc/truststore \ + -e SSO_TRUSTSTORE_PASSWORD=secret \ + -v $PWD/keystore:/etc/keystore \ + -v $PWD/jgroups:/etc/jgroups \ + -v $PWD/truststore:/etc/truststore \ + registry.redhat.io/redhat-sso-7/sso73-openshift:1.0 +``` + +You should see the Red Hat SSO server logs appearing in your console. +Once the server started successfully, you can connect to the console at **http://localhost:8080/auth/admin** or **https://localhost:8443/auth/admin** and login with *admin* / *password*. + +Of course, none of this is endorsed or supported by Red Hat! But for a test run, it's an acceptable tradeoff.
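Review bot: In the `docker login` step, `-p=your.token.here` puts the registry token on the command line, so it ends up in the shell history and is visible to other local users via the process list; suggest `docker login -u '1979710|nma-docker' --password-stdin registry.redhat.io` with the token piped in from a file. The same hunk's `docker run` line sets `SSO_ADMIN_PASSWORD=password`, `HTTPS_PASSWORD=secret`, `JGROUPS_ENCRYPT_PASSWORD=secret` and `JGROUPS_CLUSTER_PASSWORD=random` (a literal, not a random value), and `-p 8080:8080` publishes the plain-HTTP admin console on every interface of the host; the post should state that these are throwaway test credentials, and `-p 127.0.0.1:8080:8080 -p 127.0.0.1:8443:8443` would keep the test instance reachable only from the machine running it, which matches the "for a test run" framing at the end.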