This installation and configuration guide is intended to use as the main concept of integrating RedHat SSO with mod_cluster only. The guide doesn’t cover full brown cluster setup. For more advanced cluster setup, please refer here.
Requirement
- Red Hat JBoss Core Services Apache HTTP Server 2.4.23 for RHEL 7 x86_64
- EAP 7
- BPMS
- RH-SSO
1.) Download software here. Full installation guide here
2.) Copy zip file to
/opt/jbcs-httpd24-httpd-2.4.23-RHEL7-x86_64.zip3.) Unzip jbcs-httpd24-httpd-2.4.23-RHEL7-x86_64.zip
[root@mod-cluster opt]# unzip jbcs-httpd24-httpd-2.4.23-RHEL7-x86_64.zip4.) Create the apache user group
[root@mod-cluster opt]# groupadd -g 48 -r apache5.) Create the apache user in the apache user group
[root@mod-cluster opt]# useradd -c "Apache" -u 48 -g apache -s /bin/sh -r apache6.) Assign the ownership of the Apache directories to the apache user to allow the user to run Apache HTTP Server
[root@mod-cluster opt]# chown -R apache:apache jbcs-httpd24-2.47.) Disabled ssl
[root@mod-cluster conf.d]# pwd
/opt/jbcs-httpd24-2.4/httpd/conf.d
[root@mod-cluster conf.d]# mv ssl.conf ssl.conf.disabled
[root@mod-cluster conf.d]# touch ssl.conf
[root@mod-cluster conf.d]# chown apache:apache ssl.conf8.) Post Installation Script
[root@mod-cluster httpd]# pwd
/opt/jbcs-httpd24-2.4/httpd
[root@mod-cluster httpd]# ./.postinstall9.) Start Apache HTTP Server
[root@mod-cluster sbin]# pwd
/opt/jbcs-httpd24-2.4/httpd/sbin
[root@mod-cluster sbin]# ./apachectl startCheck status
[root@mod-cluster sbin]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
...
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 4087/httpd
tcp6 0 0 :::6666 :::* LISTEN 4087/httpd
...1.) To bind all ip (0.0.0.0). Modify file /opt/jbcs-httpd24-2.4/httpd/conf
#Listen 127.0.0.1:80
Listen 0.0.0.0:802.) Modify /opt/jbcs-httpd24-2.4/httpd/conf.d/mod_cluster.conf
from
# mod_proxy_balancer should be disabled when mod_cluster is used
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so
MemManagerFile /opt/jbcs-httpd24-2.4/httpd/cache/mod_cluster
<IfModule manager_module>
Listen 6666
<VirtualHost *:6666>
<Directory />
Require ip 127.0.0.1
</Directory>
ServerAdvertise on
EnableMCPMReceive
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
Require ip 127.0.0.1
</Location>
</VirtualHost>
</IfModule>
to
# mod_proxy_balancer should be disabled when mod_cluster is used
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so
MemManagerFile /opt/jbcs-httpd24-2.4/httpd/cache/mod_cluster
<IfModule manager_module>
Listen 0.0.0.0:10001
ManagerBalancerName marlo-sso-demo-cluster
<VirtualHost 0.0.0.0:10001>
<Location />
Require all granted
</Location>
KeepAliveTimeout 300
MaxKeepAliveRequests 0
AdvertiseFrequency 5
EnableMCPMReceive On
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
Require all granted
</Location>
</VirtualHost>
</IfModule>
3.) Stop and Start Server
[root@mod-cluster sbin]# ./apachectl stop
[root@mod-cluster sbin]# ./apachectl startYou can verify if the server is working.
And also check mod cluster manager at
1.) Download jboss-eap-7.0.0.zip
2.) Unzip EAP 7.
[vagrant@eap-a demoBox]$ unzip jboss-eap-7.0.0.zip3.) Add admin user
[vagrant@eap-a bin]$ ./add-user.sh -u admin -p admin4.) Start server.
[vagrant@eap-a bin]$ pwd
/home/vagrant/demoBox/jboss-eap-7.0/bin
[vagrant@eap-a bin]$ ./standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.05.) Download jboss-eap-7.0.3-patch.zip
6.) Open eap console application > Patching > Apply a new Patch > Choose File. Choose jboss-eap-7.0.3-patch.zip > next > dismiss > Check on restart the server now > Finish
7.) Stop server.
8.) Download BPMS jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip
9.) Copy the zip to the root of EAP_HOME
[vagrant@eap-a demoBox]$ ll
total 393464
-rw-rw-r--. 1 vagrant vagrant 238927691 May 23 07:14 jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip
drwxrwxr-x. 10 vagrant vagrant 221 Apr 18 2016 jboss-eap-7.0
-rw-rw-r--. 1 vagrant vagrant 163977055 May 23 08:14 jboss-eap-7.0.0.zip10.) Extract jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip
[vagrant@eap-a demoBox]$ unzip jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip
Archive: jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip
replace jboss-eap-7.0/bin/appclient.conf? [y]es, [n]o, [A]ll, [N]one, [r]ename: A11.) Download rh-sso-7.1.0-eap7-adapter.zip and copy to EAP_HOME.
12.) Unzip rh-sso-7.1.0-eap7-adapter.zip
[vagrant@eap-a jboss-eap-7.0]$ ll
total 952
drwxrwxr-x. 3 vagrant vagrant 27 Apr 18 2016 appclient
drwxrwxr-x. 4 vagrant vagrant 4096 Jun 17 19:45 bin
drwxrwxr-x. 5 vagrant vagrant 52 Apr 18 2016 docs
drwxrwxr-x. 5 vagrant vagrant 50 Apr 18 2016 domain
-rw-rw-r--. 1 vagrant vagrant 419 Apr 18 2016 JBossEULA.txt
-rw-rw-r--. 1 vagrant vagrant 366066 Apr 18 2016 jboss-modules.jar
-rw-rw-r--. 1 vagrant vagrant 26530 Apr 18 2016 LICENSE.txt
drwxrwxr-x. 3 vagrant vagrant 20 Apr 18 2016 modules
-rw-rw-r--. 1 vagrant vagrant 561153 Jun 3 05:22 rh-sso-7.1.0-eap7-adapter.zip
drwxrwxr-x. 8 vagrant vagrant 91 Jun 17 19:27 standalone
-rw-rw-r--. 1 vagrant vagrant 65 Jun 17 19:38 version.txt
drwxrwxr-x. 4 vagrant vagrant 158 Apr 18 2016 welcome-content
[vagrant@eap-a jboss-eap-7.0]$ unzip rh-sso-7.1.0-eap7-adapter.zip
[vagrant@eap-a jboss-eap-7.0]$ rm rh-sso-7.1.0-eap7-adapter.zip13.) Install rh-sso-7.1.0-eap7-adapter adapter.
[vagrant@eap-a bin]$ pwd
/home/vagrant/demoBox/jboss-eap-7.0/bin
[vagrant@eap-a bin]$ ./jboss-cli.sh --file=adapter-install-offline.cliresult
{"outcome" => "success"}
{"outcome" => "success"}
{
"outcome" => "success",
"result" => [("keycloak" => "1.1.0")]
}
{"outcome" => "success"}Apply step (1) to (13) on all EAP servers that appointed to be cluster members.
1.) Modify JBOSS_HOME/standalone/configuration/standalone-ha.xml
from
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
<mod-cluster-config advertise-socket="modcluster" connector="ajp">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>to
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
<mod-cluster-config advertise-socket="modcluster" proxies="proxy1" connector="ajp">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>2.) Add outbound-socket-binding
from
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
...
...
...
</socket-binding-group>to
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<outbound-socket-binding name="proxy1">
<remote-destination host="10.100.199.40" port="10001"/>
</outbound-socket-binding>
</socket-binding-group>3.) Add Keycloak sub system to /[name()='server']/[name()='extensions']
<extension module="org.keycloak.keycloak-adapter-subsystem"/>4.) Add security domain to /[name()='server']/[name()='profile']/[name()='subsystem xmlns="urn:jboss:domain:security:1.2"']/[name()='security-domains']
<security-domain name="keycloak">
<authentication>
<login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
</authentication>
</security-domain>5.) Add to /[name()='server']/[name()='profile']
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>6.) Commnet out /[name()='server']/[name()='profile']/[name()='subsystem xmlns="urn:jboss:domain:undertow:3.1"']/[name()='server']/[name()='host']/[name()='single-sign-on']
From
<single-sign-on/>To
<!--<single-sign-on/>-->7.) Apply step 1 and 6 to another EAP-node.
8.) Start both EAP nodes.
[vagrant@eap-a bin]$ ./standalone.sh -c standalone-ha.xml -b 0.0.0.0 -bmanagement 0.0.0.0Check if Mod_Cluster picks up new joining nodes.
1.) Download rh-sso-7.1.0.zip
2.) Unzip the file
[vagrant@keycloak demoBox]$ unzip rh-sso-7.1.0.zip3.) Add Rh-sso user
[vagrant@keycloak demoBox]$ cd rh-sso-7.1/
[vagrant@keycloak rh-sso-7.1]$ cd bin/
[vagrant@keycloak bin]$ ./add-user-keycloak.sh -r master -u admin -p admin4.) Start rh-sso server
[vagrant@keycloak bin]$ ./standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.05.) Log in to Rh-SSO http://<your host here>:8080/auth/admin e.g http://10.100.199.10:8080/auth/admin
username: admin
password: admin
6.) Add new Realm.
1.) Hover curser on dropdown menu located on the top left corner, next to Master realm
2.) Click Add Realm, then enter realm name Eap_Cluster_Demo
7.) Add user
1.) On the left panel, under Eap_Cluster_Demo > Manage click Users , then Add user; located on the top right corner.
2.) Username: Bob
3.) Click Save.
4.) Under Bob > Credentials. set new password/confirmation and turn off Temporary password if you wanted to, or leave it on to asked the user to create their new password on the first login. Once that's done, click on Reset Password and confirm.
8.) Add Client. Client is the target application that we want to secure.
1.) Click on Eap_Cluster_Demo > Configure > Clients
2.) Click on Create
3.) Client ID: mod_cluster_eap
4.) Client Protocol: openid-connect
5.) Root URL: http://<mod_cluster_host>:<mod_cluster_port>/business-central e.g. http://10.100.199.40:10001/business-central
6.) Click Save
7.) Configure mod_cluster_eap by Click on Eap_Cluster_Demo > Configure > Clients > mod_cluster_eap > Edit
8.) Mod_cluster_eap > Settings > Access Type > Change public to confidential Click Save
9.) Mod_cluster_eap > Roles > click Add Role
10.) Role Name: admin
11.) Click Save
12.) Click on Mod_cluster_eap > Installation > Format Option = Keycloak OIDC JBoss Subsystem XML
13.) Copy code snippet aside, we will use it shortly in EAP configuration.
9.) Configure EAP to redirect authentication from business-central to SSO.
1.) Open EAP_HOME/standalone/configuration/standalone-ha.xml
2.) Find<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
3.) Add code snippet from 8.13 into above tag and replaceWAR MODULE NAME.wartobusiness-central.war.
Also add<principal-attribute>preferred_username</principal-attribute>. This will make business central displays username instead of user id on the top right corner.
From
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>To
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="business-central.war">
<realm>Eap_Cluster_Demo</realm>
<auth-server-url>http://10.100.199.10:8080/auth</auth-server-url>
<ssl-required>EXTERNAL</ssl-required>
<resource>mod_cluster_eap</resource>
<credential name="secret">624b9a97-6279-48d4-b701-9f33e3df5bae</credential>
<use-resource-role-mappings>true</use-resource-role-mappings>
<principal-attribute>preferred_username</principal-attribute>
</secure-deployment>
</subsystem>4.) Save the configuration and restart EAP server.
[vagrant@eap-a bin]$ ./standalone.sh -c standalone-ha.xml -b 0.0.0.0 -bmanagement 0.0.0.010.) Log in to http://10.100.199.40:10001/business-central again. You will be redirected to Rh-sso with realm name banner e.g
11.) Enter your credential e.g Bob/Bob. Then if you choose to set temporary password enable you will be asked to update the password, otherwise, you will be redirected to Business-central application. However, this will not work yet.
12.) Assign Clients to User.
1.) Eap_Cluster_Demo > Manage > Users > View All users > bob > edit
2.) Bob > Role Mappings > Client Roles > Select drop down > choosemod_cluster_eap
3.) Under Available Roles select admin click Add selected
13.) Go to http://10.100.199.40:10001/business-central again. Log in with your credential one more time. If there is any problem with logging in please try to clear cookies and/or restart eap server.