| | |
| | | $ oc project $OCP_PROJECT_PREFIX-bservices |
| | | ----- |
| | | |
| | | . Create a new OpenShift Container Platform application based on a simple RESTful service implemented using Wildfly Swarm: |
| | | . Create a new application based on a simple RESTful service implemented using Wildfly Swarm: |
| | | + |
| | | ----- |
| | | $ oc create -f https://raw.githubusercontent.com/gpe-mw-training/3scale_onpremise_implementation_labs/secure/services/wfswarm-date-service/wf-swarm-oauth.yaml |
| | |
| | | $ oc new-app \ |
| | | --template=wf-swarm-oauth \ |
| | | --param=TRUSTSTORE_PASSWORD=$pleaseHackMePasswd \ |
| | | --param=TRUSTSTORE_PATH=/app/certs/"$rhsso_realm"_truststore.jks |
| | | --param=TRUSTSTORE_PATH=/app/certs/"$rhsso_realm"_truststore.jks \ |
| | | --param=KEYCLOAK_ADAPTER_PATH=/app/rhsso-config/keycloak.json |
| | | ----- |
| | | + |
| | | This command creates deployment config with a paused pod. |
| | | This command creates a deployment config with a paused pod. |
| | | The pod includes a Java based container. |
| | | The `--XmX` of the JVM in the container is set to 80% of 1Gi; so about 800 MB |
| | | |
| | | === Java Truststore |
| | | |
| | | In this section, you add realm certificate to a Java truststore: |
| | | In this section, you add a SSO realm certificate to a Java truststore: |
| | | |
| | | . Create Java truststore populated with this realm certificate: |
| | | . Create Java truststore populated with the realm certificate created in a previous section of the lab: |
| | | + |
| | | ----- |
| | | $ keytool -import \ |
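Review bot: `--XmX` in the note at the end of this hunk ("The `--XmX` of the JVM in the container is set to 80% of 1Gi") is not a JVM option; the maximum heap flag is `-Xmx`, so write `-Xmx`. Also, `--param=TRUSTSTORE_PASSWORD=$pleaseHackMePasswd` passes the truststore password as a plain template parameter, so it ends up in the shell history and in clear text in whatever object the template substitutes it into, readable with `oc get ... -o yaml` by anyone who can read that object; for anything beyond this lab, inject it from a Secret instead and say so in the text.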
| | |
| | | -keystore /tmp/"$rhsso_realm"_truststore.jks \ |
| | | -storepass $pleaseHackMePasswd |
| | | ----- |
| | | + |
| | | Recall that the SSO realm certificate is in the file (/tmp/$rhsso_realm.pem) being imported into the Java truststore. |
| | | |
| | | . Confirm contents of Java truststore: |
| | | . Confirm contents of the Java truststore: |
| | | + |
| | | ----- |
| | | $ keytool -v \ |
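Review bot: `-storepass $pleaseHackMePasswd` puts the truststore password on the `keytool -import` command line, where it lands in the shell history and is visible to other users in the process list while keytool runs; keytool accepts `-storepass:env VARNAME` (or `-storepass:file`), which keeps it out of both. The same applies to the `keytool -v` listing command that follows.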
| | |
| | | -storepass $pleaseHackMePasswd |
| | | ----- |
| | | |
| | | . Create a secret with your previously created truststore: |
| | | . Create a secret from the previously created truststore: |
| | | + |
| | | ---- |
| | | $ oc create secret generic sso-truststore-secret \ |
| | |
| | | --type=secret \ |
| | | --secret-name=sso-truststore-secret |
| | | ----- |
| | | + |
| | | Notice that the mount point on the DC where the truststore will reside matches that of the template parameter: `TRUSTSTORE_PATH`. |
| | | |
| | | |
| | | === `keycloak.json` adapter |
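Review bot: the listing block for `oc create secret generic sso-truststore-secret` opens with `----` (four dashes) but is closed here with `-----` (five); AsciiDoc only closes a delimited block on a line that matches the opening delimiter exactly, so this block never terminates and swallows the `Notice that the mount point ...` paragraph and the `=== keycloak.json adapter` heading as listing text. Use the same length on both sides, as the `----` to `-----` correction in the `keycloak.json` block below already does for that block.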
| | |
| | | ----- |
| | | $ echo " |
| | | { |
| | | "realm": "$rhsso_realm", |
| | | "bearer-only": true, |
| | | "auth-server-url": "$rhsso_url/auth", |
| | | "ssl-required": "external", |
| | | "realm-public-key": "$RSA_PUB_KEY", |
| | | "resource": "realm-management", |
| | | "use-resource-role-mappings": true |
| | | \"realm\": \"$rhsso_realm\", |
| | | \"bearer-only\": \"true\", |
| | | \"auth-server-url\": \"$rhsso_url/auth\", |
| | | \"ssl-required\": \"external\", |
| | | \"realm-public-key\": \"$RSA_PUB_KEY\", |
| | | \"resource\": \"realm-management\", |
| | | \"use-resource-role-mappings\": \"true\" |
| | | }" > /tmp/keycloak.json |
| | | ---- |
| | | ----- |
| | | |
| | | . Create a ConfigMap from the `keycloak.json` file. |
| | | + |
| | | You then mount it as a volume and point WildFly Swarm to the mounted `keycloak.json`. |
| | | |
| | | . Create a ConfigMap called `date-service-rhsso` in the `bservices` project on OpenShift from the `keycloak.json` file: |
| | | .. Create a ConfigMap called `date-service-rhsso` in the `bservices` project on OpenShift from the `keycloak.json` file: |
| | | + |
| | | ---- |
| | | $ oc create configmap keycloak-resource-cm --from-file=/tmp/keycloak.json |
| | | ---- |
| | | |
| | | . Mount the configmap as a volume in the Swarm DC: |
| | | .. Mount the configmap as a volume in the Swarm DC: |
| | | + |
| | | ----- |
| | | $ oc set volume dc/wf-swarm-oauth --add --overwrite \ |
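Review bot: the prose and the command in this hunk disagree on the ConfigMap name: the step says `Create a ConfigMap called `date-service-rhsso``, while the command runs `oc create configmap keycloak-resource-cm --from-file=/tmp/keycloak.json`; pick one name and use it in both, since the following `oc set volume dc/wf-swarm-oauth` step has to reference whichever is actually created. On the `echo` block, escaping the inner quotes is the right fix (unescaped, the first inner `"` would have ended the `echo` string), but the rewrite also quoted the boolean values, turning `"bearer-only": true` into `\"bearer-only\": \"true\"` (likewise `use-resource-role-mappings`); the Keycloak adapter documents these as booleans, so keep them unquoted. An unquoted heredoc (`cat <<EOF > /tmp/keycloak.json`) would avoid the backslash escaping altogether while still expanding `$rhsso_realm`, `$rhsso_url` and `$RSA_PUB_KEY`.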
| | |
| | | | sed 's/.*access_token":"//g' | sed 's/".*//g') |
| | | |
| | | $ curl -k -v -X GET \ |
| | | -H "Accept: application/json" \ |
| | | -H "Authorization: Bearer $TKN" \ |
| | | https://`oc get route/wf-swarm-oauth --template "{{.spec.host}}"`/time/now |
| | | ----- |