Red Hat Process Automation Manager
RHPAM-3888

SSO integration fails for multiple Realm certificates


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Versions: 7.12.0.GA, 7.11.0.GA
    • Components: Cloud, Installer
    • CR2
    • Steps to Reproduce:
      1. Create SSO/Keycloak with 2+ realms
      2. Deploy KieApp using SSO/Keycloak
        e.g.
        spec:
          auth:
            sso:
              adminPassword: RedHat123
              adminUser: admin
              disableSSLCertValidation: true
              realm: demo
              url: https://keycloak-example.redhat.com/auth
          commonConfig:
            adminPassword: RedHat123
            adminUser: admin
          environment: rhpam-authoring
          objects:
            console:
              ssoClient:
                name: business-central
                secret: somePwd
            servers:
            - name: kieserver
              ssoClient:
                name: kie-server
                secret: someOtherPwd
    • Sprint: 2021 Week 46-48 (from Nov 15)

    Description

      When deploying RHPAM with the Operator and integrating it with an RH-SSO/Keycloak server for SSO, the configuration scripts fail whenever the realm returns more than one certificate, and the keycloak subsystem is left unconfigured.

      A Keycloak realm can have more than one key provider configured (including providers that are not active). The scripts query all of the realm's keys and grep for the word `certificate`; when more than one key carries a certificate, the grep returns several lines, and that multi-line value is then spliced into a sed expression, which is where the failure occurs:

      curl -k -H "Authorization: Bearer $TKN" https://$KC_URL/auth/admin/realms/$KC_REALM/keys | jq
      
      {
        "active": {
          "RS256": "JjkdTi-9yk6oIu8-Rk2zxKgZ-B1k2qHuqEJQKjTU7f0",
          "AES": "5b2bd960-992c-498e-9fad-fbe6fffa1702"
        },
        "keys": [
          {
            "providerId": "254d2ada-2464-4e7a-9236-edb27bebd0e4",
            "providerPriority": 100,
            "kid": "JjkdTi-9yk6oIu8-Rk2zxKgZ-B1k2qHuqEJQKjTU7f0",
            "status": "ACTIVE",
            "type": "RSA",
            "algorithm": "RS256",
            "publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkFEl29c4d7wpYU5dnU0URWtd0tlGK83y8k7O60GSQmgz0Asyozt7W7nHgoQATEZ+nnHSyYgdnbj93KslUfogM9T0xTN7FO9LTiR0NJNopn5eHC7UqUh4D0htX2wMIoITRxHqo/sEgIwPSjz43/gr7talWCf1Vw4j8+rwp3z2XPR7PNGGRjMoiAqsZfawmVm8tkWGdynefEYfM+szXObyzkuA5N2hI/RsN7Dg7D9X9xGNDXL40xfWQ8kMnc+bd4bENmiSG1IzQmOksiFlLuTe7cAdKMG2V/kB1ObyUKM38MKUCQNykec5PVMXKkOTrkBudqqzQEu/oknUEJBDtU/WCwIDAQAB",
            "certificate": "...",
            "use": "SIG"
          },
          {
            "providerId": "c0936d14-e712-43f8-a4f6-8331b1327685",
            "providerPriority": 100,
            "kid": "IkUWPopNMGovREfMABqeD8t43KeWwsTvXnEyEDhe1kw",
            "status": "ACTIVE",
            "type": "RSA",
            "algorithm": "RS256",
            "publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqqj2AgYwyXSCIT48Y6KSBAjVWf2wrLCZl1YJ4T41sGLvd+B71E6AlVtgya/ZsLvMMVXOWrIUYSWQ0ypteb0GK/qbmFuJ+zSI89A9w4kE5dfDXtUHp2kgg/F4fGriGiIsWHjolR0efDjXl6+LONoM8JkG/nUohMaPZQE1kjtuQ0avN8OyBgo+5Gen96WqhXLX1zl02dq0JIWH//3H8mBDZ+GhKs8jDTeK4Y2ZE0KYfxKV2x4Tzpg5A9bXRf1P8HOAo3nqR9i8SdEtA0/W4RVDsFvy8uKNG673wSjW4KfCt9ApLxUopk3CZvGXgwlqHFDljN3ABKqSOBoleFgSXzTjeQIDAQAB",
            "certificate": "...",
            "use": "ENC"
          },
          {
            "providerId": "e9b19b46-a213-4dd1-b6e2-a749d753a41d",
            "providerPriority": 100,
            "kid": "58290377-3e16-4f9a-a148-57a956da06fc",
            "status": "DISABLED",
            "type": "OCT",
            "algorithm": "HS256",
            "use": "SIG"
          },
          {
            "providerId": "fe639273-7bec-4270-9d60-0ca0e2dbdbfc",
            "providerPriority": 100,
            "kid": "5b2bd960-992c-498e-9fad-fbe6fffa1702",
            "status": "ACTIVE",
            "type": "OCT",
            "algorithm": "AES",
            "use": "ENC"
          }
        ]
      }
      

      The sed command fails because the two certificates are joined by a line break, which terminates the `s` expression early:

      ++++ sed 's|<!-- ##KEYCLOAK_REALM_CERTIFICATE## -->|<Keys><Key signing="true" ><CertificatePem>MIICnTCCAYUCBgF7l0N9qjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdtZXJjdXJ5MB4XDTIxMDgzMDEzMzEyN1oXDTMxMDgzMDEzMzMwN1owEjEQMA4GA1UEAwwHbWVyY3VyeTCCAS
      IwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJBRJdvXOHe8KWFOXZ1NFEVrXdLZRivN8vJOzutBkkJoM9ALMqM7e1u5x4KEAExGfp5x0smIHZ24/dyrJVH6IDPU9MUzexTvS04kdDSTaKZ+Xhwu1KlIeA9IbV9sDCKCE0cR6qP7BICMD0o8+N/4K+7WpVgn9VcOI/Pq8Kd89lz0ezzRhkYzKIgKrGX2sJlZvLZFhnc
      p3nxGHzPrM1zm8s5LgOTdoSP0bDew4Ow/V/cRjQ1y+NMX1kPJDJ3Pm3eGxDZokhtSM0JjpLIhZS7k3u3AHSjBtlf5AdTm8lCjN/DClAkDcpHnOT1TFypDk65Abnaqs0BLv6JJ1BCQQ7VP1gsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAL2H3bW7t1H1PIqWUKOZyBrswqqM4plHm7frzKZUwZ4NNkJaxxmd/Ni8v4TC8
      JE/MW1oFCZFvdgSkvDrM/3Sm5upt0epKoulM8G3QbTIshow2yXXy0as1X5T/v225ijFgAj623i+fGztm6enpNQLEQCAsdEzDF3HVT/EKEqNsmgq5Rty+WSh0nm7kZj4RlfL37hDRG3w7o+ZxS07LMw3DR/xwTMjyGTJRqXK0xC3goQs0L8vdKbwthbVJqfZMeX+ZnOzcgXzlu1mbphd05ZOK6C6c0k+fXtKryVkCEwKtX
      FdMEGjCOWIS2NBQbmEv+pUdmN0pbrbLjxjYXoRUUzzssw==
      MIICnTCCAYUCBgF7l0N+BTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdtZXJjdXJ5MB4XDTIxMDgzMDEzMzEyN1oXDTMxMDgzMDEzMzMwN1owEjEQMA4GA1UEAwwHbWVyY3VyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqo9gIGMMl0giE+PGOikgQI1Vn9sKywmZdWCeE+NbBi73fge9ROgJVbY
      Mmv2bC7zDFVzlqyFGElkNMqbXm9Biv6m5hbifs0iPPQPcOJBOXXw17VB6dpIIPxeHxq4hoiLFh46JUdHnw415evizjaDPCZBv51KITGj2UBNZI7bkNGrzfDsgYKPuRnp/elqoVy19c5dNnatCSFh//9x/JgQ2fhoSrPIw03iuGNmRNCmH8SldseE86YOQPW10X9T/BzgKN56kfYvEnRLQNP1uEVQ7Bb8vLijRuu98Eo1u
      CnwrfQKS8VKKZNwmbxl4MJahxQ5YzdwASqkjgaJXhYEl8043kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAneOXbOUlU2u3uddA3qlMgt4Rfaz9IO78LXSYY1NWcIIkuKitqTmGwMW/zrVpSukbT6WkTLhib+h9iPgc9cSpBG47ANWzuBohOm5SCqruxRzhgXQRBqb2RNVoe7T+JOru7IOLsx9XFi14OEbS48/MXcQFSWm
      CR+YHt8qzK9eKObwAWYZ5sucZOrF8vw3Apr8gtMgIJrnlzmfcjpAhOOufHlROfzJTx6+kjKq5GfcJBSfuYYB46bIgSirFAme+NGkcyCGiYSGvVKUrIuJon1Nx7aHPCKOl3zhTUaS2Rl9WT8EPA0Eku0zWWPnuCjjUtL2mTPzrXOtmuP0IsZvlBSFz1A==</CertificatePem></Key></Keys>|g'
      sed: -e expression #1, char 985: unterminated `s' command
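The fix has two parts: pick exactly one certificate (the key the realm currently signs tokens with, not the ENC-use key or a disabled one) and splice it into the subsystem template without re-parsing it as a sed expression. The following is an added example that illustrates both, not the operator's own script: it uses a constructed /keys response with placeholder certificates and a constructed stand-in for the template containing the `##KEYCLOAK_REALM_CERTIFICATE##` marker; the function names are hypothetical.

```python
"""Select the realm's active signing certificate from Keycloak's
/auth/admin/realms/{realm}/keys response and insert it into the
keycloak-subsystem template without a grep | sed round trip."""
import base64
import json
import re

MARKER = "<!-- ##KEYCLOAK_REALM_CERTIFICATE## -->"

# Constructed sample data: same shape as the realm /keys response above,
# with placeholder base64 values instead of real certificates.
SIG_CERT = base64.b64encode(b"constructed placeholder: active RS256 signing cert").decode()
ENC_CERT = base64.b64encode(b"constructed placeholder: active RS256 encryption cert").decode()
SAMPLE_KEYS_RESPONSE = json.dumps({
    "active": {"RS256": "sig-kid", "AES": "aes-kid"},
    "keys": [
        {"kid": "sig-kid", "status": "ACTIVE", "type": "RSA", "algorithm": "RS256",
         "certificate": SIG_CERT, "use": "SIG"},
        {"kid": "enc-kid", "status": "ACTIVE", "type": "RSA", "algorithm": "RS256",
         "certificate": ENC_CERT, "use": "ENC"},
        {"kid": "hs-kid", "status": "DISABLED", "type": "OCT", "algorithm": "HS256", "use": "SIG"},
        {"kid": "aes-kid", "status": "ACTIVE", "type": "OCT", "algorithm": "AES", "use": "ENC"},
    ],
})

# Constructed stand-in for the template the scripts patch; only the marker matters.
SAMPLE_TEMPLATE = '<IDP entityID="idp">' + MARKER + "</IDP>"


def grep_style_certificates(keys_json):
    """Mirror what `grep certificate` over the response yields: one value per
    key that has a certificate. With two RSA providers this is two lines, and
    a sed 's|..|..|' built from it contains a raw newline and fails."""
    doc = json.loads(keys_json)
    return [k["certificate"] for k in doc["keys"] if "certificate" in k]


def active_signing_certificate(keys_json, algorithm="RS256"):
    """Return the one certificate the realm currently signs tokens with:
    kid taken from .active[algorithm], status ACTIVE, use SIG."""
    doc = json.loads(keys_json)
    kid = doc.get("active", {}).get(algorithm)
    if kid is None:
        raise ValueError(f"realm has no active {algorithm} key")
    candidates = [
        k for k in doc.get("keys", [])
        if k.get("kid") == kid and k.get("status") == "ACTIVE"
        and k.get("use") == "SIG" and k.get("certificate")
    ]
    if len(candidates) != 1:
        raise ValueError(
            f"expected one active {algorithm} signing key with a certificate, "
            f"found {len(candidates)}")
    cert = candidates[0]["certificate"]
    # The value must be single-line base64 (DER certificate) before it goes into XML.
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", cert):
        raise ValueError("certificate is not single-line base64")
    base64.b64decode(cert, validate=True)
    return cert


def render_subsystem(template, cert):
    """Replace the marker with the <Keys> element using a plain string
    replacement, so no character of the certificate is interpreted."""
    if MARKER not in template:
        raise ValueError("template has no certificate marker")
    key_elem = (f'<Keys><Key signing="true"><CertificatePem>{cert}'
                "</CertificatePem></Key></Keys>")
    return template.replace(MARKER, key_elem)


if __name__ == "__main__":
    print(len(grep_style_certificates(SAMPLE_KEYS_RESPONSE)),
          "certificate lines from a grep-style extraction")
    print(render_subsystem(SAMPLE_TEMPLATE,
                           active_signing_certificate(SAMPLE_KEYS_RESPONSE)))
```

In a shell script the same selection is a jq filter rather than a grep, for example `jq -r '.active.RS256 as $kid | .keys[] | select(.kid == $kid and .use == "SIG") | .certificate'`, and the result should be checked to be exactly one line before it is handed to whatever does the templating. Selecting by `use == "SIG"` matters beyond the newline problem: the second ACTIVE RS256 key in the realm above is an encryption key, and configuring its certificate would make the subsystem unable to verify the realm's token signatures.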
      

      Attachments

        1. sso-7.4.png
          sso-7.4.png
          51 kB
        2. sso-7.5.png
          sso-7.5.png
          65 kB

        People

          mdessi-1 Massimiliano Dessi
          rhn-support-rromerom Ruben Romero Montes
          Jakub Schwan
          Votes: 0
          Watchers: 4