
RH-SSO with EAP 7 cluster setup guide

This installation and configuration guide covers only the core concept of integrating Red Hat SSO with mod_cluster. It does not cover a full-blown cluster setup; for a more advanced cluster setup, please refer here.

Requirements

  • Red Hat JBoss Core Services Apache HTTP Server 2.4.23 for RHEL 7 x86_64
  • EAP 7
  • BPMS
  • RH-SSO

Mod Cluster


Setup Mod Cluster

1.) Download the software here. The full installation guide is here.

2.) Copy the zip file to

    /opt/jbcs-httpd24-httpd-2.4.23-RHEL7-x86_64.zip

3.) Unzip jbcs-httpd24-httpd-2.4.23-RHEL7-x86_64.zip

[root@mod-cluster opt]# unzip jbcs-httpd24-httpd-2.4.23-RHEL7-x86_64.zip

4.) Create the apache user group

[root@mod-cluster opt]# groupadd -g 48 -r apache

5.) Create the apache user in the apache user group

[root@mod-cluster opt]# useradd -c "Apache" -u 48 -g apache -s /bin/sh -r apache

6.) Assign the ownership of the Apache directories to the apache user to allow the user to run Apache HTTP Server

[root@mod-cluster opt]# chown -R apache:apache jbcs-httpd24-2.4

7.) Disable SSL

[root@mod-cluster conf.d]# pwd
/opt/jbcs-httpd24-2.4/httpd/conf.d
[root@mod-cluster conf.d]# mv ssl.conf ssl.conf.disabled
[root@mod-cluster conf.d]# touch ssl.conf
[root@mod-cluster conf.d]# chown apache:apache ssl.conf

8.) Run the post-installation script

[root@mod-cluster httpd]# pwd
/opt/jbcs-httpd24-2.4/httpd
[root@mod-cluster httpd]# ./.postinstall

9.) Start Apache HTTP Server

[root@mod-cluster sbin]# pwd
/opt/jbcs-httpd24-2.4/httpd/sbin
[root@mod-cluster sbin]# ./apachectl start

    Check status

[root@mod-cluster sbin]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
...
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      4087/httpd
tcp6       0      0 :::6666                 :::*                    LISTEN      4087/httpd
...

Config Mod Cluster

1.) To bind to all interfaces (0.0.0.0), edit the Listen directive under /opt/jbcs-httpd24-2.4/httpd/conf

#Listen 127.0.0.1:80
Listen 0.0.0.0:80

2.) Modify /opt/jbcs-httpd24-2.4/httpd/conf.d/mod_cluster.conf
from

# mod_proxy_balancer should be disabled when mod_cluster is used
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so

MemManagerFile /opt/jbcs-httpd24-2.4/httpd/cache/mod_cluster

<IfModule manager_module>
  Listen 6666
  <VirtualHost *:6666>
    <Directory />
      Require ip 127.0.0.1
    </Directory>
    ServerAdvertise on
    EnableMCPMReceive
    <Location /mod_cluster_manager>
      SetHandler mod_cluster-manager
      Require ip 127.0.0.1
    </Location>
  </VirtualHost>
</IfModule> 

to

# mod_proxy_balancer should be disabled when mod_cluster is used
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so

MemManagerFile /opt/jbcs-httpd24-2.4/httpd/cache/mod_cluster

<IfModule manager_module>
  Listen 0.0.0.0:10001
  ManagerBalancerName marlo-sso-demo-cluster
  <VirtualHost 0.0.0.0:10001>
    <Location />
     Require all granted
    </Location>
    KeepAliveTimeout 300
    MaxKeepAliveRequests 0
    AdvertiseFrequency 5
    EnableMCPMReceive On
    <Location /mod_cluster_manager>
      SetHandler mod_cluster-manager
      Require all granted
    </Location>
  </VirtualHost>
</IfModule> 

3.) Stop and start the server

[root@mod-cluster sbin]# ./apachectl stop
[root@mod-cluster sbin]# ./apachectl start

You can verify that the server is working by opening it in a browser, and also check the mod_cluster manager page at /mod_cluster_manager. (Screenshots not reproduced.)
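The virtual host on port 10001 above is where EAP nodes register themselves as workers (EnableMCPMReceive), so the Require rules on it decide which addresses may join the balancer and view the manager page. The following Python script is an added example, not part of the gist: it lists every Location in an MCPM-receiving VirtualHost that uses Require all granted and rewrites those rules to an allow-list. The embedded sample is the "to" configuration above; the function names and the two worker addresses passed in the test are constructed placeholders.

```python
import re

# Constructed sample: the "to" mod_cluster.conf from Config Mod Cluster step 2.
WEAK_CONF = """<IfModule manager_module>
  Listen 0.0.0.0:10001
  ManagerBalancerName marlo-sso-demo-cluster
  <VirtualHost 0.0.0.0:10001>
    <Location />
     Require all granted
    </Location>
    EnableMCPMReceive On
    <Location /mod_cluster_manager>
      SetHandler mod_cluster-manager
      Require all granted
    </Location>
  </VirtualHost>
</IfModule>"""

VHOST = re.compile(r"<VirtualHost ([^>]+)>(.*?)</VirtualHost>", re.S)
LOCATION = re.compile(r"<Location ([^>]+)>(.*?)</Location>", re.S)
GRANT_ALL = re.compile(r"^[ \t]*Require all granted[ \t]*$", re.M)


def open_locations(conf):
    """(vhost, path) pairs where a VirtualHost that receives MCPM lets any address in."""
    found = []
    for vhost, body in VHOST.findall(conf):
        if not re.search(r"^\s*EnableMCPMReceive", body, re.M):
            continue  # an ordinary content vhost is not where workers register
        for path, rules in LOCATION.findall(body):
            if GRANT_ALL.search(rules):
                found.append((vhost, path))
    return found


def harden(conf, allowed_ips):
    """Rewrite every 'Require all granted' to an allow-list of the EAP node addresses."""
    rule = "Require ip " + " ".join(allowed_ips)
    return GRANT_ALL.sub(lambda m: m.group(0).replace("Require all granted", rule), conf)
```

Apache 2.4 accepts several addresses or CIDR ranges after Require ip, so the EAP nodes' subnet can be given in one rule.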


EAP 7.0


Setup EAP

1.) Download jboss-eap-7.0.0.zip

2.) Unzip EAP 7.

[vagrant@eap-a demoBox]$ unzip jboss-eap-7.0.0.zip

3.) Add an admin user

[vagrant@eap-a bin]$ ./add-user.sh -u admin -p admin

4.) Start the server.

[vagrant@eap-a bin]$ pwd
/home/vagrant/demoBox/jboss-eap-7.0/bin
[vagrant@eap-a bin]$ ./standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0

5.) Download jboss-eap-7.0.3-patch.zip

6.) Open the EAP console application > Patching > Apply a new Patch > Choose File. Choose jboss-eap-7.0.3-patch.zip > Next > Dismiss > check "Restart the server now" > Finish

7.) Stop the server.

8.) Download BPMS jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip

9.) Copy the zip to the root of EAP_HOME

[vagrant@eap-a demoBox]$ ll
total 393464
-rw-rw-r--.  1 vagrant vagrant 238927691 May 23 07:14 jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip
drwxrwxr-x. 10 vagrant vagrant       221 Apr 18  2016 jboss-eap-7.0
-rw-rw-r--.  1 vagrant vagrant 163977055 May 23 08:14 jboss-eap-7.0.0.zip

10.) Extract jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip

[vagrant@eap-a demoBox]$ unzip jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip
Archive:  jboss-bpmsuite-6.4.0.GA-deployable-eap7.x.zip
replace jboss-eap-7.0/bin/appclient.conf? [y]es, [n]o, [A]ll, [N]one, [r]ename: A

11.) Download rh-sso-7.1.0-eap7-adapter.zip and copy to EAP_HOME.

12.) Unzip rh-sso-7.1.0-eap7-adapter.zip

[vagrant@eap-a jboss-eap-7.0]$ ll
total 952
drwxrwxr-x. 3 vagrant vagrant     27 Apr 18  2016 appclient
drwxrwxr-x. 4 vagrant vagrant   4096 Jun 17 19:45 bin
drwxrwxr-x. 5 vagrant vagrant     52 Apr 18  2016 docs
drwxrwxr-x. 5 vagrant vagrant     50 Apr 18  2016 domain
-rw-rw-r--. 1 vagrant vagrant    419 Apr 18  2016 JBossEULA.txt
-rw-rw-r--. 1 vagrant vagrant 366066 Apr 18  2016 jboss-modules.jar
-rw-rw-r--. 1 vagrant vagrant  26530 Apr 18  2016 LICENSE.txt
drwxrwxr-x. 3 vagrant vagrant     20 Apr 18  2016 modules
-rw-rw-r--. 1 vagrant vagrant 561153 Jun  3 05:22 rh-sso-7.1.0-eap7-adapter.zip
drwxrwxr-x. 8 vagrant vagrant     91 Jun 17 19:27 standalone
-rw-rw-r--. 1 vagrant vagrant     65 Jun 17 19:38 version.txt
drwxrwxr-x. 4 vagrant vagrant    158 Apr 18  2016 welcome-content
[vagrant@eap-a jboss-eap-7.0]$ unzip rh-sso-7.1.0-eap7-adapter.zip
[vagrant@eap-a jboss-eap-7.0]$ rm rh-sso-7.1.0-eap7-adapter.zip

13.) Install the rh-sso-7.1.0-eap7 adapter.

[vagrant@eap-a bin]$ pwd
/home/vagrant/demoBox/jboss-eap-7.0/bin
[vagrant@eap-a bin]$ ./jboss-cli.sh --file=adapter-install-offline.cli

Result:

{"outcome" => "success"}
{"outcome" => "success"}
{
    "outcome" => "success",
    "result" => [("keycloak" => "1.1.0")]
}
{"outcome" => "success"}

Apply steps 1 to 13 on every EAP server that is to be a cluster member.

Configure EAP

1.) Modify JBOSS_HOME/standalone/configuration/standalone-ha.xml
from

<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
    <mod-cluster-config advertise-socket="modcluster" connector="ajp">
        <dynamic-load-provider>
            <load-metric type="cpu"/>
        </dynamic-load-provider>
    </mod-cluster-config>
</subsystem>

to

<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
    <mod-cluster-config advertise-socket="modcluster" proxies="proxy1" connector="ajp">
        <dynamic-load-provider>
            <load-metric type="cpu"/>
        </dynamic-load-provider>
    </mod-cluster-config>
</subsystem>

2.) Add outbound-socket-binding
from

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    ...
    ...
    ...
</socket-binding-group>

to

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <outbound-socket-binding name="proxy1">
        <remote-destination host="10.100.199.40" port="10001"/>
    </outbound-socket-binding>
</socket-binding-group>

3.) Add the Keycloak adapter extension under /[name()='server']/[name()='extensions']

    <extension module="org.keycloak.keycloak-adapter-subsystem"/>

4.) Add the security domain under /[name()='server']/[name()='profile']/[name()='subsystem xmlns="urn:jboss:domain:security:1.2"']/[name()='security-domains']

<security-domain name="keycloak">
    <authentication>
        <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
    </authentication>
</security-domain>

5.) Add the Keycloak subsystem under /[name()='server']/[name()='profile']

    <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>

6.) Comment out /[name()='server']/[name()='profile']/[name()='subsystem xmlns="urn:jboss:domain:undertow:3.1"']/[name()='server']/[name()='host']/[name()='single-sign-on']

From

    <single-sign-on/>

To

    <!--<single-sign-on/>-->

7.) Apply steps 1 to 6 on the other EAP node.

8.) Start both EAP nodes.

[vagrant@eap-a bin]$  ./standalone.sh -c standalone-ha.xml -b 0.0.0.0 -bmanagement 0.0.0.0

Check in the mod_cluster manager page that mod_cluster picks up the newly joined nodes. (Screenshot not reproduced.)


Red Hat Single Sign-On 7.1.0 Server


1.) Download rh-sso-7.1.0.zip

2.) Unzip the file

[vagrant@keycloak demoBox]$ unzip rh-sso-7.1.0.zip

3.) Add the RH-SSO admin user

[vagrant@keycloak demoBox]$ cd rh-sso-7.1/
[vagrant@keycloak rh-sso-7.1]$ cd bin/
[vagrant@keycloak bin]$ ./add-user-keycloak.sh -r master -u admin -p admin

4.) Start the RH-SSO server

[vagrant@keycloak bin]$ ./standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0

5.) Log in to RH-SSO at http://<your host here>:8080/auth/admin, e.g. http://10.100.199.10:8080/auth/admin

username: admin
password: admin

6.) Add a new realm.

1.) Hover the cursor over the drop-down menu in the top left corner, next to the Master realm
2.) Click Add Realm, then enter the realm name Eap_Cluster_Demo

7.) Add a user

1.) On the left panel, under Eap_Cluster_Demo > Manage, click Users, then Add user, located in the top right corner.
2.) Username: Bob
3.) Click Save.
4.) Under Bob > Credentials, set the new password and its confirmation, and turn off Temporary if you want to, or leave it on to ask the user to set a new password at first login. Once that's done, click Reset Password and confirm.

8.) Add a client. The client is the target application that we want to secure.

1.) Click on Eap_Cluster_Demo > Configure > Clients
2.) Click on Create
3.) Client ID: mod_cluster_eap
4.) Client Protocol: openid-connect
5.) Root URL: http://<mod_cluster_host>:<mod_cluster_port>/business-central, e.g. http://10.100.199.40:10001/business-central
6.) Click Save
7.) Configure mod_cluster_eap by clicking on Eap_Cluster_Demo > Configure > Clients > mod_cluster_eap > Edit
8.) mod_cluster_eap > Settings > Access Type: change public to confidential, then click Save
9.) mod_cluster_eap > Roles > click Add Role
10.) Role Name: admin
11.) Click Save
12.) Click on mod_cluster_eap > Installation > Format Option = Keycloak OIDC JBoss Subsystem XML
13.) Copy the code snippet aside; we will use it shortly in the EAP configuration.

9.) Configure EAP to redirect authentication from business-central to SSO.

1.) Open EAP_HOME/standalone/configuration/standalone-ha.xml
2.) Find <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
3.) Add the code snippet from step 8.13 inside that tag and replace WAR MODULE NAME.war with business-central.war.
Also add <principal-attribute>preferred_username</principal-attribute>; this makes Business Central display the username instead of the user id in the top right corner.

From

<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>

To

<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="business-central.war">
        <realm>Eap_Cluster_Demo</realm>
        <auth-server-url>http://10.100.199.10:8080/auth</auth-server-url>
        <ssl-required>EXTERNAL</ssl-required>
        <resource>mod_cluster_eap</resource>
        <credential name="secret">624b9a97-6279-48d4-b701-9f33e3df5bae</credential>
        <use-resource-role-mappings>true</use-resource-role-mappings>
        <principal-attribute>preferred_username</principal-attribute>
    </secure-deployment>
</subsystem>

4.) Save the configuration and restart the EAP server.

[vagrant@eap-a bin]$ ./standalone.sh -c standalone-ha.xml -b 0.0.0.0 -bmanagement 0.0.0.0

10.) Go to http://10.100.199.40:10001/business-central again. You will be redirected to RH-SSO, whose login page shows the realm name banner. (Screenshot not reproduced.)

11.) Enter your credentials, e.g. Bob/Bob. If you left Temporary password enabled you will be asked to update the password; otherwise you will be redirected to the Business Central application. However, this will not work yet, because the user has no client role assigned.

12.) Assign the client role to the user.

1.) Eap_Cluster_Demo > Manage > Users > View all users > bob > Edit
2.) Bob > Role Mappings > Client Roles > select the drop-down > choose mod_cluster_eap
3.) Under Available Roles, select admin and click Add selected

13.) Go to http://10.100.199.40:10001/business-central again and log in with your credentials one more time. If there is any problem logging in, try clearing cookies and/or restarting the EAP server.
