Lab: Install Red Hat Single Sign-On

  • Install Red Hat Single Sign-On.

Outcomes

  • Install RH-SSO from a .zip file.

  • Change the default H2 database to a PostgreSQL database.

  • Configure RH-SSO as a service that starts on boot.

  • Create realms and users.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start install-review

Procedure 2.4. Instructions

  1. From workstation, log in to the sso machine as the rhsso user. Extract the rh-sso-7.6.0-server-dist.zip file and place its contents in the /opt directory. You can find the .zip file in the rhsso user home directory. Set the appropriate ownership and permissions on the extracted directory for the rhsso user.

    [student@workstation ~]$ ssh rhsso@sso
    ...output omitted...
    [rhsso@sso ~]$ sudo unzip rh-sso-7.6.0-server-dist.zip -d /opt
    ...output omitted...
    [rhsso@sso ~]$ sudo chown -R rhsso:rhsso /opt/rh-sso-7.6
  2. Replace the default RH-SSO H2 database with a PostgreSQL database. The PostgreSQL database is hosted on sso.lab.example.com and listens on the standard TCP port 5432. The name of the database is keycloak, the user is postgres, and the password is postgres.

    To do so, first create the EAP module for the PostgreSQL JDBC driver. You can find the postgresql-42.5.0.jar PostgreSQL JDBC driver jar file in the rhsso user home directory.

    Then, create the SSO extensions JBoss script to point to the PostgreSQL database. You can use, as a basis, the sso-extensions.cli JBoss script provided in the rhsso user home directory.

    Finally, launch the sso-extensions.cli script by using the JBoss management CLI.

    1. Create the directory structure for the module definition.

      [rhsso@sso ~]$ mkdir -p \
        /opt/rh-sso-7.6/modules/system/layers/keycloak/org/postgresql/main
    2. Copy the PostgreSQL JDBC driver jar file to the modules directory. You can find the jar file in the rhsso user home directory.

      [rhsso@sso ~]$ cp postgresql-42.5.0.jar \
        /opt/rh-sso-7.6/modules/system/layers/keycloak/org/postgresql/main/
    3. Copy the SSO extensions JBoss script to the /opt/rh-sso-7.6/bin directory. You can find the script in the rhsso user home directory.

      [rhsso@sso ~]$ cp sso-extensions.cli /opt/rh-sso-7.6/bin/
    4. Modify the /opt/rh-sso-7.6/bin/sso-extensions.cli file to point to the PostgreSQL database. You must provide the values for the DB_USERNAME, DB_PASSWORD, CONNECTION_URL, and FILE variables. The content of the file should be as follows. The FILE line is a single line; do not add a line break to it in your RH-SSO extensions JBoss script file.

      batch
      
      
      set DB_USERNAME=postgres
      set DB_PASSWORD=postgres
      set DRIVER_NAME=postgres
      set DRIVER_MODULE_NAME=org.postgres
      set XA_DATABASESOURCE_CLASS="org.postgresql.xa.PGXADataSource"
      set CONNECTION_URL="jdbc:postgresql://sso.lab.example.com:5432/keycloak"
      set FILE=/opt/rh-sso-7.6/modules/system/layers/keycloak/org/postgresql/main/postgresql-42.5.0.jar
      
      ...output omitted...
    5. Launch the sso-extensions.cli script by using the JBoss management CLI.

      [rhsso@sso ~]$ /opt/rh-sso-7.6/bin/jboss-cli.sh \
        --file=/opt/rh-sso-7.6/bin/sso-extensions.cli
      ...output omitted...
      10:35:29,140 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Red Hat Single Sign-On 7.6.0.GA (WildFly Core 15.0.8.Final-redhat-00001) started in 1983ms - Started 59 of 82 services (32 services are lazy, passive or on-demand)
      The batch executed successfully
      10:35:29,284 INFO  [org.jboss.as] (MSC service thread 1-1) WFLYSRV0050: Red Hat Single Sign-On 7.6.0.GA (WildFly Core 15.0.8.Final-redhat-00001) stopped in 41ms
  3. Create the admin user for RH-SSO with redhat as the password. You can find the add-user-keycloak.sh script to add administration users to RH-SSO in the /opt/rh-sso-7.6/bin directory.

    [rhsso@sso ~]$ /opt/rh-sso-7.6/bin/add-user-keycloak.sh -u admin -p redhat
    Added 'admin' to '/opt/rh-sso-7.6/standalone/configuration/keycloak-add-user.json', restart server to load user
  4. Configure RH-SSO as a service that starts on boot. Use rhsso as the user that owns the RH-SSO process and store the logs in the /opt/rh-sso-7.6/standalone/log/console.log file.

    1. Modify the JBoss configuration file in /opt/rh-sso-7.6/bin/init.d/jboss-eap.conf with the location of JBoss EAP, the username, the mode, and the log directory. The content of the file should be as follows:

      # General configuration for the init.d scripts,
      # not necessarily for JBoss EAP itself.
      # default location: /etc/default/jboss-eap
      
      ## Location of JDK
      # JAVA_HOME="/usr/lib/jvm/default-java"
      
      ## Location of JBoss EAP
      JBOSS_HOME="/opt/rh-sso-7.6"
      
      ## The username who should own the process.
      JBOSS_USER=rhsso
      
      ## The mode JBoss EAP should start, standalone or domain
      JBOSS_MODE=standalone
      
      ## Configuration for standalone mode
      # JBOSS_CONFIG=standalone.xml
      
      ## Configuration for domain mode
      # JBOSS_DOMAIN_CONFIG=domain.xml
      # JBOSS_HOST_CONFIG=host-master.xml
      
      ## The amount of time to wait for startup
      # STARTUP_WAIT=60
      
      ## The amount of time to wait for shutdown
      # SHUTDOWN_WAIT=60
      
      ## Location to keep the console log
      JBOSS_CONSOLE_LOG="/opt/rh-sso-7.6/standalone/log/console.log"
      
      ## Additionals args to include in startup
      JBOSS_OPTS="-b 0.0.0.0"
    2. Copy the modified service file to the /etc/default directory.

      [rhsso@sso ~]$ sudo cp /opt/rh-sso-7.6/bin/init.d/jboss-eap.conf /etc/default
    3. Copy the service startup script to the /etc/init.d directory. Give execute permissions to the service startup script and reset its SELinux security context.

      [rhsso@sso ~]$ sudo cp /opt/rh-sso-7.6/bin/init.d/jboss-eap-rhel.sh /etc/init.d
      [rhsso@sso ~]$ sudo chmod +x /etc/init.d/jboss-eap-rhel.sh
      [rhsso@sso ~]$ sudo restorecon /etc/init.d/jboss-eap-rhel.sh
    4. Add the new service to the list of automatically started services. Reload the systemd manager configuration.

      [rhsso@sso ~]$ sudo chkconfig --add jboss-eap-rhel.sh
      [rhsso@sso ~]$ sudo systemctl daemon-reload
    5. Start the service and enable it on boot.

      [rhsso@sso ~]$ sudo service jboss-eap-rhel start
      Redirecting to /bin/systemctl start jboss-eap-rhel.service
      [rhsso@sso ~]$ sudo chkconfig jboss-eap-rhel.sh on
  5. Create the demo realm. Then, create the johndoe user in the demo realm. You can use the RH-SSO web UI or the CLI. The configuration parameters for the johndoe user must be as follows:

    Parameter     Value
    Username      johndoe
    Email         johndoe@example.com
    First Name    John
    Last Name     Doe
    Enabled       true
    Password      redhat
    1. Add the RH-SSO directory to your PATH environment variable so that you can use the RH-SSO Admin CLI from any location on your file system.

      [rhsso@sso ~]$ export PATH=$PATH:/opt/rh-sso-7.6/bin
    2. Log in to the RH-SSO Admin CLI as the admin user in the master realm.

      [rhsso@sso ~]$ kcadm.sh config credentials \
        --server https://sso.lab.example.com:8080/auth --realm master --user admin
      Logging into https://sso.lab.example.com:8080/auth as user admin of realm master
      Enter password: redhat
    3. Create the demo realm.

      [rhsso@sso ~]$ kcadm.sh create realms -s realm=demo -s enabled=true
      Created new realm with id 'demo'
    4. Create the johndoe user in the demo realm. The ID for the user might differ in your system.

      [rhsso@sso ~]$ kcadm.sh create users -r demo -s username=johndoe \
        -s enabled=true -s email=johndoe@example.com -s firstName=John -s lastName=Doe
      Created new user with id '0e2fffc2-6a99-48d0-aa2a-1d1165bb4811'
    5. Set the password for the johndoe user.

      [rhsso@sso ~]$ kcadm.sh set-password -r demo --username johndoe \
        --new-password redhat
  6. Return to workstation as the student user.

    [rhsso@sso ~]$ exit
    logout
    Connection to sso closed.
    [student@workstation ~]$
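The following check script is an added example, not part of the lab or of Red Hat's own scripts: it verifies on disk what steps 1 to 4 should have produced (extracted directory, JDBC driver module, sso-extensions.cli pointing at the lab database, staged admin user, init.d configuration) and flags the one thing the procedure leaves exposed, a world-readable CLI script that carries DB_PASSWORD in clear text. The function names and the fixture builder are hypothetical; the paths are the lab's own.

```shell
#!/bin/sh
# Added post-install check, not part of the lab: verifies the artefacts that
# steps 1 to 4 leave on disk. Paths are the lab's own; PREFIX ("" on the real
# sso machine) lets the same checks run against a constructed fixture tree.
fail() { echo "FAIL: $1" >&2; failures=$((failures + 1)); }

# check_rhsso_install PREFIX -> prints the number of failed checks on stdout
check_rhsso_install() {
  prefix=$1; failures=0
  home=$prefix/opt/rh-sso-7.6
  jar=$home/modules/system/layers/keycloak/org/postgresql/main/postgresql-42.5.0.jar
  cli=$home/bin/sso-extensions.cli
  conf=$prefix/etc/default/jboss-eap.conf
  [ -d "$home" ] || fail "$home missing (step 1)"
  [ -f "$jar" ] || fail "JDBC driver jar not in the module directory (step 2)"
  [ -f "$cli" ] || fail "sso-extensions.cli missing (step 2)"
  grep -q '^set CONNECTION_URL="jdbc:postgresql://sso.lab.example.com:5432/keycloak"' "$cli" \
    2>/dev/null || fail "CONNECTION_URL does not point at the lab database (step 2)"
  # The CLI script carries DB_PASSWORD in clear text; only its owner should read it.
  if [ -f "$cli" ] && [ "$(ls -ld "$cli" | cut -c8)" = r ]; then
    fail "$cli is world-readable; chmod 600 it"
  fi
  [ -f "$home/standalone/configuration/keycloak-add-user.json" ] \
    || fail "admin user not staged by add-user-keycloak.sh (step 3)"
  grep -qx 'JBOSS_HOME="/opt/rh-sso-7.6"' "$conf" 2>/dev/null || fail "JBOSS_HOME wrong (step 4)"
  grep -qx 'JBOSS_USER=rhsso' "$conf" 2>/dev/null || fail "service does not run as rhsso (step 4)"
  [ -x "$prefix/etc/init.d/jboss-eap-rhel.sh" ] || fail "init script missing or not executable (step 4)"
  echo "$failures"
}

# make_fixture -> prints the path of a constructed tree mirroring the lab layout
make_fixture() {
  d=$(mktemp -d); home=$d/opt/rh-sso-7.6
  module=$home/modules/system/layers/keycloak/org/postgresql/main
  mkdir -p "$home/bin" "$home/standalone/configuration" "$module" "$d/etc/default" "$d/etc/init.d"
  : > "$module/postgresql-42.5.0.jar"
  printf 'batch\nset CONNECTION_URL="jdbc:postgresql://sso.lab.example.com:5432/keycloak"\n' \
    > "$home/bin/sso-extensions.cli"
  chmod 600 "$home/bin/sso-extensions.cli"
  : > "$home/standalone/configuration/keycloak-add-user.json"
  printf 'JBOSS_HOME="/opt/rh-sso-7.6"\nJBOSS_USER=rhsso\n' > "$d/etc/default/jboss-eap.conf"
  : > "$d/etc/init.d/jboss-eap-rhel.sh"; chmod +x "$d/etc/init.d/jboss-eap-rhel.sh"
  echo "$d"
}

# Stand-alone run: no argument checks the real machine, --demo checks the fixture.
if [ "${1-}" = "--demo" ]; then f=$(make_fixture); check_rhsso_install "$f"; rm -rf "$f"
else check_rhsso_install ""; fi
```

On the sso machine a result of 0 means every check passed; each FAIL line names the lab step to revisit.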

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade install-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish install-review

This concludes the section.

Revision: do313-7.6-bc10333