WildFly WIP / WFWIP-257

SSO layer cannot be properly used with SSO template


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • OpenShift

      Build from template:

      1. Check out and replace the templates for the stream:

      for resource in \
        eap-cd-image-stream.json \
        eap-cd-amq-persistent-s2i.json \
        eap-cd-amq-s2i.json \
        eap-cd-basic-s2i.json \
        eap-cd-https-s2i.json \
        eap-cd-sso-s2i.json \
        eap-cd-starter-s2i.json \
        eap-cd-third-party-db-s2i.json \
        eap-cd-tx-recovery-s2i.json
      do
        oc replace --force -f \
          https://raw.githubusercontent.com/jboss-container-images/jboss-eap-7-openshift-image/eap-cd-dev/templates/${resource}
      done

      2. Initiate the application build (replace <NAMESPACE_NAME> with your namespace and <OPENSHIFT_HOST> with your OpenShift host IP before running; every template parameter, including GALLEON_PROVISION_LAYERS, is passed with -p):

      oc new-app --template=eap-cd-sso-s2i \
        -p SSO_REALM=xpaas \
        -p HTTPS_KEYSTORE=secure-eap-app-<NAMESPACE_NAME>.<OPENSHIFT_HOST>.nip.io.keystore \
        -p SSO_SAML_KEYSTORE_SECRET=eap-app-secret \
        -p SSO_SAML_KEYSTORE_PASSWORD=password \
        -p SSO_SERVICE_URL= \
        -p SSO_TRUSTSTORE=truststore \
        -p HOSTNAME_HTTPS=secure-eap-app-<NAMESPACE_NAME>.<OPENSHIFT_HOST>.nip.io \
        -p JGROUPS_ENCRYPT_KEYSTORE=jgroups.jceks \
        -p HTTPS_PASSWORD=password \
        -p SSO_SAML_CERTIFICATE_NAME=secure-eap-app-<NAMESPACE_NAME>.<OPENSHIFT_HOST>.nip.io \
        -p HTTPS_NAME=secure-eap-app-<NAMESPACE_NAME>.<OPENSHIFT_HOST>.nip.io \
        -p JGROUPS_ENCRYPT_PASSWORD=xpaasQEpassword \
        -p JGROUPS_ENCRYPT_SECRET=eap-app-secret \
        -p SSO_URL=https://secure-sso-app-<NAMESPACE_NAME>.<OPENSHIFT_HOST>.nip.io/auth \
        -p SSO_TRUSTSTORE_SECRET=eap-app-secret \
        -p SSO_PASSWORD=creator \
        -p SSO_SAML_KEYSTORE=secure-eap-app-<NAMESPACE_NAME>.<OPENSHIFT_HOST>.nip.io.keystore \
        -p HTTPS_SECRET=eap-app-secret \
        -p JGROUPS_ENCRYPT_NAME=secret-key \
        -p SSO_USERNAME=client \
        -p APPLICATION_NAME=eap-app \
        -p IMAGE_STREAM_NAMESPACE=<NAMESPACE_NAME> \
        -p SSO_TRUSTSTORE_PASSWORD=password \
        -p GALLEON_PROVISION_LAYERS=datasources-web-server,sso

      3. Check the resulting build in the namespace.


      The currently available OpenShift templates for EAP CD are not able to properly configure the EAP server with the SSO client, resulting in the following errors:

      15:55:01,843 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 38) MSC000001: Failed to start service jboss.deployment.unit."app-profile-jsp.war".undertow-deployment: org.jboss.msc.service.StartException in service jboss.deployment.unit."app-profile-jsp.war".undertow-deployment: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
      	at org.wildfly.extension.undertow@7.3.0.CD18-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
      	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
      	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
      	at org.jboss.threads@2.3.3.Final-redhat-00001//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads@2.3.3.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
      	at org.jboss.threads@2.3.3.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      	at org.jboss.threads@2.3.3.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
      	at java.base/java.lang.Thread.run(Thread.java:834)
      	at org.jboss.threads@2.3.3.Final-redhat-00001//org.jboss.threads.JBossThread.run(JBossThread.java:485)
      Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
      	at io.undertow.servlet@2.0.26.SP3-redhat-00001//io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:254)
      	at org.wildfly.extension.undertow@7.3.0.CD18-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:96)
      	at org.wildfly.extension.undertow@7.3.0.CD18-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
      	... 8 more
      Caused by: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
      	at org.wildfly.security.elytron-web.undertow-server-servlet@1.6.0.Final-redhat-00001//org.wildfly.elytron.web.undertow.server.servlet.AuthenticationManager.initialSecurityHandler(AuthenticationManager.java:153)
      	at org.wildfly.security.elytron-web.undertow-server-servlet@1.6.0.Final-redhat-00001//org.wildfly.elytron.web.undertow.server.servlet.AuthenticationManager.lambda$configure$2(AuthenticationManager.java:98)
      	at io.undertow.servlet@2.0.26.SP3-redhat-00001//io.undertow.servlet.core.DeploymentManagerImpl.setupSecurityHandlers(DeploymentManagerImpl.java:442)
      	at io.undertow.servlet@2.0.26.SP3-redhat-00001//io.undertow.servlet.core.DeploymentManagerImpl.access$600(DeploymentManagerImpl.java:121)
      	at io.undertow.servlet@2.0.26.SP3-redhat-00001//io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:224)
      	at io.undertow.servlet@2.0.26.SP3-redhat-00001//io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:186)
      	at io.undertow.servlet@2.0.26.SP3-redhat-00001//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
      	at io.undertow.servlet@2.0.26.SP3-redhat-00001//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
      	at org.wildfly.extension.undertow@7.3.0.CD18-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
      	at org.wildfly.extension.undertow@7.3.0.CD18-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
      	at org.wildfly.extension.undertow@7.3.0.CD18-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
      	at org.wildfly.extension.undertow@7.3.0.CD18-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
      	at io.undertow.servlet@2.0.26.SP3-redhat-00001//io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:252)
      	... 10 more

      I am marking this issue as a blocker since the template is currently the only documented way for EAP to use the SSO client on OpenShift.
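The failure above is only visible in the server log of the running pod, so it is easy to miss in a pipeline that stops at "build succeeded". The following POSIX shell check is an added example, not code from this issue or from the jboss-eap-7-openshift-image project: it scans a captured pod log (for instance the output of `oc logs` for the eap-app pod) for the Elytron "required mechanism 'KEYCLOAK' is not available" failure, reports the deployment that failed and the HTTP mechanisms the HttpAuthenticationFactory actually registered, and exits non-zero so a deployment step can be gated on it. The function names, the `oc logs` usage and the log file written by write_sample_log are assumptions; the sample log lines are constructed from the trace quoted in this issue, not a real capture.

```shell
#!/bin/sh
# Added example (not part of WFWIP-257): detect the Elytron "required
# mechanism 'KEYCLOAK' is not available" failure in an EAP pod log and
# report which deployment failed and which mechanisms were actually offered.

# Print the first top-level MSC000001 line reporting the missing KEYCLOAK
# mechanism. The "Caused by:" repeats lack MSC000001 and are skipped.
# Returns 1 and prints nothing when the log has no such failure.
keycloak_failure_line() {
    grep -m1 "MSC000001: Failed to start service .*required mechanism 'KEYCLOAK' is not available" "$1"
}

# Extract the deployment unit name (e.g. app-profile-jsp.war) from a failure line.
failed_deployment() {
    printf '%s\n' "$1" | sed -n 's/.*jboss\.deployment\.unit\."\([^"]*\)".*/\1/p'
}

# Extract the comma-separated list of mechanisms the factory did register.
offered_mechanisms() {
    printf '%s\n' "$1" | sed -n 's/.*not available in mechanisms \[\([^]]*\)].*/\1/p'
}

# Return 0 when the log is clean; otherwise print a one-line verdict and
# return 1, so the caller can fail a pipeline step after `oc new-app`.
check_keycloak_mechanism() {
    line=$(keycloak_failure_line "$1") || return 0
    printf '%s: KEYCLOAK mechanism missing, HttpAuthenticationFactory offered only [%s]\n' \
        "$(failed_deployment "$line")" "$(offered_mechanisms "$line")"
    return 1
}

# Constructed sample log (assumption): the first lines of the trace in this issue.
write_sample_log() {
    cat > "$1" <<'EOF'
15:55:01,843 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 38) MSC000001: Failed to start service jboss.deployment.unit."app-profile-jsp.war".undertow-deployment: org.jboss.msc.service.StartException in service jboss.deployment.unit."app-profile-jsp.war".undertow-deployment: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
Caused by: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
EOF
}

# Stand-alone use: ./check-sso-mechanism.sh eap.log (assumed file name);
# without an argument the constructed sample log is checked instead.
if [ -n "$1" ]; then
    check_keycloak_mechanism "$1"
else
    tmp=$(mktemp)
    write_sample_log "$tmp"
    check_keycloak_mechanism "$tmp" || echo "(failure expected on the constructed sample)"
    rm -f "$tmp"
fi
```

Capture the log with `oc logs` for the eap-app pod into a file and run the script against it; exit status 1 means the provisioned server never registered the KEYCLOAK HTTP mechanism for the deployment, which is exactly the symptom reported here, and the printed mechanism list shows what the `sso` layer left the HttpAuthenticationFactory with. The check deliberately matches only the top-level MSC000001 line so the three "Caused by:" copies of the same message are not counted as separate failures.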

              jdenise@redhat.com Jean Francois Denise
              mjurc@redhat.com Michal Jurc
              Votes: 0
              Watchers: 5
