Uploaded image for project: 'Red Hat Process Automation Manager'
  1. Red Hat Process Automation Manager
  2. RHPAM-3888

SSO integration fails for multiple Realm certificates

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 7.12.0.GA
    • 7.11.0.GA
    • Cloud, Installer
    • None
    • False
    • False
    • CR2
    • Hide
      1. Create SSO/Keycloak with 2+ realms
      2. Deploy KieApp using SSO/Keycloak
        e.g.
        spec: 
          auth: 
            sso: 
              adminPassword: RedHat123
              adminUser: admin
              disableSSLCertValidation: true
              realm: demo
              url: https://keycloak-example.redhat.com/auth
          commonConfig: 
            adminPassword: RedHat123
            adminUser: admin
          environment: rhpam-authoring
          objects: 
            console: 
              ssoClient: 
                name: business-central
                secret: somePwd
            servers: 
            - name: kieserver
              ssoClient: 
                name: kie-server
                secret: someOtherPwd
        
      Show
      Create SSO/Keycloak with 2+ realms Deploy KieApp using SSO/Keycloak e.g. spec: auth: sso: adminPassword: RedHat 123 adminUser: admin disableSSLCertValidation: true realm: demo url: https://keycloak-example.redhat.com/auth commonConfig: adminPassword: RedHat 123 adminUser: admin environment: rhpam-authoring objects: console: ssoClient: name: business-central secret: somePwd servers: - name: kieserver ssoClient: name: kie-server secret: someOtherPwd
    • 2021 Week 46-48 (from Nov 15)

      When deploying RHPAM with the Operator and trying to integrate with a RH-SSO/Keycloak server for SSO if the Realm returns more than one certificate the scripts will fail and will not properly configure the keycloak subsystem.

      Keycloak Realms might have more than one Key provider configured (even though they're not active) and the scripts just query all the keys and greps the word `certificates` but in case it returns more than one causing the error in the grep:

      curl -k -H "Authorization: Bearer $TKN" https://$KC_URL/auth/admin/realms/$KC_REALM/keys | jq
      
      {
        "active": {
          "RS256": "JjkdTi-9yk6oIu8-Rk2zxKgZ-B1k2qHuqEJQKjTU7f0",
          "AES": "5b2bd960-992c-498e-9fad-fbe6fffa1702"
        },
        "keys": [
          {
            "providerId": "254d2ada-2464-4e7a-9236-edb27bebd0e4",
            "providerPriority": 100,
            "kid": "JjkdTi-9yk6oIu8-Rk2zxKgZ-B1k2qHuqEJQKjTU7f0",
            "status": "ACTIVE",
            "type": "RSA",
            "algorithm": "RS256",
            "publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkFEl29c4d7wpYU5dnU0URWtd0tlGK83y8k7O60GSQmgz0Asyozt7W7nHgoQATEZ+nnHSyYgdnbj93KslUfogM9T0xTN7FO9LTiR0NJNopn5eHC7UqUh4D0htX2wMIoITRxHqo/sEgIwPSjz43/gr7talWCf1Vw4j8+rwp3z2XPR7PNGGRjMoiAqsZfawmVm8tkWGdynefEYfM+szXObyzkuA5N2hI/RsN7Dg7D9X9xGNDXL40xfWQ8kMnc+bd4bENmiSG1IzQmOksiFlLuTe7cAdKMG2V/kB1ObyUKM38MKUCQNykec5PVMXKkOTrkBudqqzQEu/oknUEJBDtU/WCwIDAQAB",
            "certificate": "MIICnTCCAYUCBgF7l0N9qjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdtZXJjdXJ5MB4XDTIxMDgzMDEzMzEyN1oXDTMxMDgzMDEzMzMwN1owEjEQMA4GA1UEAwwHbWVyY3VyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJBRJdvXOHe8KWFOXZ1NFEVrXdLZRivN8vJOzutBkkJoM9ALMqM7e1u5x4KEAExGfp5x0smIHZ24/dyrJVH6IDPU9MUzexTvS04kdDSTaKZ+Xhwu1KlIeA9IbV9sDCKCE0cR6qP7BICMD0o8+N/4K+7WpVgn9VcOI/Pq8Kd89lz0ezzRhkYzKIgKrGX2sJlZvLZFhncp3nxGHzPrM1zm8s5LgOTdoSP0bDew4Ow/V/cRjQ1y+NMX1kPJDJ3Pm3eGxDZokhtSM0JjpLIhZS7k3u3AHSjBtlf5AdTm8lCjN/DClAkDcpHnOT1TFypDk65Abnaqs0BLv6JJ1BCQQ7VP1gsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAL2H3bW7t1H1PIqWUKOZyBrswqqM4plHm7frzKZUwZ4NNkJaxxmd/Ni8v4TC8JE/MW1oFCZFvdgSkvDrM/3Sm5upt0epKoulM8G3QbTIshow2yXXy0as1X5T/v225ijFgAj623i+fGztm6enpNQLEQCAsdEzDF3HVT/EKEqNsmgq5Rty+WSh0nm7kZj4RlfL37hDRG3w7o+ZxS07LMw3DR/xwTMjyGTJRqXK0xC3goQs0L8vdKbwthbVJqfZMeX+ZnOzcgXzlu1mbphd05ZOK6C6c0k+fXtKryVkCEwKtXFdMEGjCOWIS2NBQbmEv+pUdmN0pbrbLjxjYXoRUUzzssw==",
            "use": "SIG"
          },
          {
            "providerId": "c0936d14-e712-43f8-a4f6-8331b1327685",
            "providerPriority": 100,
            "kid": "IkUWPopNMGovREfMABqeD8t43KeWwsTvXnEyEDhe1kw",
            "status": "ACTIVE",
            "type": "RSA",
            "algorithm": "RS256",
            "publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqqj2AgYwyXSCIT48Y6KSBAjVWf2wrLCZl1YJ4T41sGLvd+B71E6AlVtgya/ZsLvMMVXOWrIUYSWQ0ypteb0GK/qbmFuJ+zSI89A9w4kE5dfDXtUHp2kgg/F4fGriGiIsWHjolR0efDjXl6+LONoM8JkG/nUohMaPZQE1kjtuQ0avN8OyBgo+5Gen96WqhXLX1zl02dq0JIWH//3H8mBDZ+GhKs8jDTeK4Y2ZE0KYfxKV2x4Tzpg5A9bXRf1P8HOAo3nqR9i8SdEtA0/W4RVDsFvy8uKNG673wSjW4KfCt9ApLxUopk3CZvGXgwlqHFDljN3ABKqSOBoleFgSXzTjeQIDAQAB",
            "certificate": "MIICnTCCAYUCBgF7l0N+BTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdtZXJjdXJ5MB4XDTIxMDgzMDEzMzEyN1oXDTMxMDgzMDEzMzMwN1owEjEQMA4GA1UEAwwHbWVyY3VyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqo9gIGMMl0giE+PGOikgQI1Vn9sKywmZdWCeE+NbBi73fge9ROgJVbYMmv2bC7zDFVzlqyFGElkNMqbXm9Biv6m5hbifs0iPPQPcOJBOXXw17VB6dpIIPxeHxq4hoiLFh46JUdHnw415evizjaDPCZBv51KITGj2UBNZI7bkNGrzfDsgYKPuRnp/elqoVy19c5dNnatCSFh//9x/JgQ2fhoSrPIw03iuGNmRNCmH8SldseE86YOQPW10X9T/BzgKN56kfYvEnRLQNP1uEVQ7Bb8vLijRuu98Eo1uCnwrfQKS8VKKZNwmbxl4MJahxQ5YzdwASqkjgaJXhYEl8043kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAneOXbOUlU2u3uddA3qlMgt4Rfaz9IO78LXSYY1NWcIIkuKitqTmGwMW/zrVpSukbT6WkTLhib+h9iPgc9cSpBG47ANWzuBohOm5SCqruxRzhgXQRBqb2RNVoe7T+JOru7IOLsx9XFi14OEbS48/MXcQFSWmCR+YHt8qzK9eKObwAWYZ5sucZOrF8vw3Apr8gtMgIJrnlzmfcjpAhOOufHlROfzJTx6+kjKq5GfcJBSfuYYB46bIgSirFAme+NGkcyCGiYSGvVKUrIuJon1Nx7aHPCKOl3zhTUaS2Rl9WT8EPA0Eku0zWWPnuCjjUtL2mTPzrXOtmuP0IsZvlBSFz1A==",
            "use": "ENC"
          },
          {
            "providerId": "e9b19b46-a213-4dd1-b6e2-a749d753a41d",
            "providerPriority": 100,
            "kid": "58290377-3e16-4f9a-a148-57a956da06fc",
            "status": "DISABLED",
            "type": "OCT",
            "algorithm": "HS256",
            "use": "SIG"
          },
          {
            "providerId": "fe639273-7bec-4270-9d60-0ca0e2dbdbfc",
            "providerPriority": 100,
            "kid": "5b2bd960-992c-498e-9fad-fbe6fffa1702",
            "status": "ACTIVE",
            "type": "OCT",
            "algorithm": "AES",
            "use": "ENC"
          }
        ]
      }
      

      The error during the sed command caused by a line break is the following:

      ++++ sed 's|<!-- ##KEYCLOAK_REALM_CERTIFICATE## -->|<Keys><Key signing="true" ><CertificatePem>MIICnTCCAYUCBgF7l0N9qjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdtZXJjdXJ5MB4XDTIxMDgzMDEzMzEyN1oXDTMxMDgzMDEzMzMwN1owEjEQMA4GA1UEAwwHbWVyY3VyeTCCAS
      IwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJBRJdvXOHe8KWFOXZ1NFEVrXdLZRivN8vJOzutBkkJoM9ALMqM7e1u5x4KEAExGfp5x0smIHZ24/dyrJVH6IDPU9MUzexTvS04kdDSTaKZ+Xhwu1KlIeA9IbV9sDCKCE0cR6qP7BICMD0o8+N/4K+7WpVgn9VcOI/Pq8Kd89lz0ezzRhkYzKIgKrGX2sJlZvLZFhnc
      p3nxGHzPrM1zm8s5LgOTdoSP0bDew4Ow/V/cRjQ1y+NMX1kPJDJ3Pm3eGxDZokhtSM0JjpLIhZS7k3u3AHSjBtlf5AdTm8lCjN/DClAkDcpHnOT1TFypDk65Abnaqs0BLv6JJ1BCQQ7VP1gsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAL2H3bW7t1H1PIqWUKOZyBrswqqM4plHm7frzKZUwZ4NNkJaxxmd/Ni8v4TC8
      JE/MW1oFCZFvdgSkvDrM/3Sm5upt0epKoulM8G3QbTIshow2yXXy0as1X5T/v225ijFgAj623i+fGztm6enpNQLEQCAsdEzDF3HVT/EKEqNsmgq5Rty+WSh0nm7kZj4RlfL37hDRG3w7o+ZxS07LMw3DR/xwTMjyGTJRqXK0xC3goQs0L8vdKbwthbVJqfZMeX+ZnOzcgXzlu1mbphd05ZOK6C6c0k+fXtKryVkCEwKtX
      FdMEGjCOWIS2NBQbmEv+pUdmN0pbrbLjxjYXoRUUzzssw==
      MIICnTCCAYUCBgF7l0N+BTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdtZXJjdXJ5MB4XDTIxMDgzMDEzMzEyN1oXDTMxMDgzMDEzMzMwN1owEjEQMA4GA1UEAwwHbWVyY3VyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqo9gIGMMl0giE+PGOikgQI1Vn9sKywmZdWCeE+NbBi73fge9ROgJVbY
      Mmv2bC7zDFVzlqyFGElkNMqbXm9Biv6m5hbifs0iPPQPcOJBOXXw17VB6dpIIPxeHxq4hoiLFh46JUdHnw415evizjaDPCZBv51KITGj2UBNZI7bkNGrzfDsgYKPuRnp/elqoVy19c5dNnatCSFh//9x/JgQ2fhoSrPIw03iuGNmRNCmH8SldseE86YOQPW10X9T/BzgKN56kfYvEnRLQNP1uEVQ7Bb8vLijRuu98Eo1u
      CnwrfQKS8VKKZNwmbxl4MJahxQ5YzdwASqkjgaJXhYEl8043kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAneOXbOUlU2u3uddA3qlMgt4Rfaz9IO78LXSYY1NWcIIkuKitqTmGwMW/zrVpSukbT6WkTLhib+h9iPgc9cSpBG47ANWzuBohOm5SCqruxRzhgXQRBqb2RNVoe7T+JOru7IOLsx9XFi14OEbS48/MXcQFSWm
      CR+YHt8qzK9eKObwAWYZ5sucZOrF8vw3Apr8gtMgIJrnlzmfcjpAhOOufHlROfzJTx6+kjKq5GfcJBSfuYYB46bIgSirFAme+NGkcyCGiYSGvVKUrIuJon1Nx7aHPCKOl3zhTUaS2Rl9WT8EPA0Eku0zWWPnuCjjUtL2mTPzrXOtmuP0IsZvlBSFz1A==</CertificatePem></Key></Keys>|g'
      sed: -e expression #1, char 985: unterminated `s' command
      

        1. sso-7.4.png
          sso-7.4.png
          51 kB
        2. sso-7.5.png
          sso-7.5.png
          65 kB

              mdessi-1 Massimiliano Dessi
              rhn-support-rromerom Ruben Romero Montes
              Jakub Schwan Jakub Schwan
              Jakub Schwan Jakub Schwan
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: