  1. Red Hat Process Automation Manager
  2. RHPAM-3888

SSO integration fails for multiple Realm certificates


    • Bug
    • Resolution: Done
    • Critical
    • 7.12.0.GA
    • 7.11.0.GA
    • Cloud, Installer
    • None
    • False
    • False
    • CR2
      1. Create SSO/Keycloak with 2+ realms
      2. Deploy KieApp using SSO/Keycloak
        e.g.
        spec: 
          auth: 
            sso: 
              adminPassword: RedHat123
              adminUser: admin
              disableSSLCertValidation: true
              realm: demo
              url: https://keycloak-example.redhat.com/auth
          commonConfig: 
            adminPassword: RedHat123
            adminUser: admin
          environment: rhpam-authoring
          objects: 
            console: 
              ssoClient: 
                name: business-central
                secret: somePwd
            servers: 
            - name: kieserver
              ssoClient: 
                name: kie-server
                secret: someOtherPwd
        
    • 2021 Week 46-48 (from Nov 15)

      When deploying RHPAM with the Operator and trying to integrate with an RH-SSO/Keycloak server for SSO, if the realm returns more than one certificate, the scripts will fail and will not properly configure the keycloak subsystem.

      Keycloak realms might have more than one key provider configured (even though they're not active), and the scripts just query all the keys and grep for the word `certificates`; if that returns more than one, it causes the error in the grep:

      curl -k -H "Authorization: Bearer $TKN" https://$KC_URL/auth/admin/realms/$KC_REALM/keys | jq
      
      {
        "active": {
          "RS256": "JjkdTi-9yk6oIu8-Rk2zxKgZ-B1k2qHuqEJQKjTU7f0",
          "AES": "5b2bd960-992c-498e-9fad-fbe6fffa1702"
        },
        "keys": [
          {
            "providerId": "254d2ada-2464-4e7a-9236-edb27bebd0e4",
            "providerPriority": 100,
            "kid": "JjkdTi-9yk6oIu8-Rk2zxKgZ-B1k2qHuqEJQKjTU7f0",
            "status": "ACTIVE",
            "type": "RSA",
            "algorithm": "RS256",
            "publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkFEl29c4d7wpYU5dnU0URWtd0tlGK83y8k7O60GSQmgz0Asyozt7W7nHgoQATEZ+nnHSyYgdnbj93KslUfogM9T0xTN7FO9LTiR0NJNopn5eHC7UqUh4D0htX2wMIoITRxHqo/sEgIwPSjz43/gr7talWCf1Vw4j8+rwp3z2XPR7PNGGRjMoiAqsZfawmVm8tkWGdynefEYfM+szXObyzkuA5N2hI/RsN7Dg7D9X9xGNDXL40xfWQ8kMnc+bd4bENmiSG1IzQmOksiFlLuTe7cAdKMG2V/kB1ObyUKM38MKUCQNykec5PVMXKkOTrkBudqqzQEu/oknUEJBDtU/WCwIDAQAB",
            "certificate": "<certificate omitted>",
            "use": "SIG"
          },
          {
            "providerId": "c0936d14-e712-43f8-a4f6-8331b1327685",
            "providerPriority": 100,
            "kid": "IkUWPopNMGovREfMABqeD8t43KeWwsTvXnEyEDhe1kw",
            "status": "ACTIVE",
            "type": "RSA",
            "algorithm": "RS256",
            "publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqqj2AgYwyXSCIT48Y6KSBAjVWf2wrLCZl1YJ4T41sGLvd+B71E6AlVtgya/ZsLvMMVXOWrIUYSWQ0ypteb0GK/qbmFuJ+zSI89A9w4kE5dfDXtUHp2kgg/F4fGriGiIsWHjolR0efDjXl6+LONoM8JkG/nUohMaPZQE1kjtuQ0avN8OyBgo+5Gen96WqhXLX1zl02dq0JIWH//3H8mBDZ+GhKs8jDTeK4Y2ZE0KYfxKV2x4Tzpg5A9bXRf1P8HOAo3nqR9i8SdEtA0/W4RVDsFvy8uKNG673wSjW4KfCt9ApLxUopk3CZvGXgwlqHFDljN3ABKqSOBoleFgSXzTjeQIDAQAB",
            "certificate": "<certificate omitted>",
            "use": "ENC"
          },
          {
            "providerId": "e9b19b46-a213-4dd1-b6e2-a749d753a41d",
            "providerPriority": 100,
            "kid": "58290377-3e16-4f9a-a148-57a956da06fc",
            "status": "DISABLED",
            "type": "OCT",
            "algorithm": "HS256",
            "use": "SIG"
          },
          {
            "providerId": "fe639273-7bec-4270-9d60-0ca0e2dbdbfc",
            "providerPriority": 100,
            "kid": "5b2bd960-992c-498e-9fad-fbe6fffa1702",
            "status": "ACTIVE",
            "type": "OCT",
            "algorithm": "AES",
            "use": "ENC"
          }
        ]
      }
      

      The error in the sed command, caused by a line break, is the following:

      ++++ sed 's|<!-- ##KEYCLOAK_REALM_CERTIFICATE## -->|<Keys><Key signing="true" ><CertificatePem>MIICnTCCAYUCBgF7l0N9qjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdtZXJjdXJ5MB4XDTIxMDgzMDEzMzEyN1oXDTMxMDgzMDEzMzMwN1owEjEQMA4GA1UEAwwHbWVyY3VyeTCCAS
      IwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJBRJdvXOHe8KWFOXZ1NFEVrXdLZRivN8vJOzutBkkJoM9ALMqM7e1u5x4KEAExGfp5x0smIHZ24/dyrJVH6IDPU9MUzexTvS04kdDSTaKZ+Xhwu1KlIeA9IbV9sDCKCE0cR6qP7BICMD0o8+N/4K+7WpVgn9VcOI/Pq8Kd89lz0ezzRhkYzKIgKrGX2sJlZvLZFhnc
      p3nxGHzPrM1zm8s5LgOTdoSP0bDew4Ow/V/cRjQ1y+NMX1kPJDJ3Pm3eGxDZokhtSM0JjpLIhZS7k3u3AHSjBtlf5AdTm8lCjN/DClAkDcpHnOT1TFypDk65Abnaqs0BLv6JJ1BCQQ7VP1gsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAL2H3bW7t1H1PIqWUKOZyBrswqqM4plHm7frzKZUwZ4NNkJaxxmd/Ni8v4TC8
      JE/MW1oFCZFvdgSkvDrM/3Sm5upt0epKoulM8G3QbTIshow2yXXy0as1X5T/v225ijFgAj623i+fGztm6enpNQLEQCAsdEzDF3HVT/EKEqNsmgq5Rty+WSh0nm7kZj4RlfL37hDRG3w7o+ZxS07LMw3DR/xwTMjyGTJRqXK0xC3goQs0L8vdKbwthbVJqfZMeX+ZnOzcgXzlu1mbphd05ZOK6C6c0k+fXtKryVkCEwKtX
      FdMEGjCOWIS2NBQbmEv+pUdmN0pbrbLjxjYXoRUUzzssw==
      MIICnTCCAYUCBgF7l0N+BTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdtZXJjdXJ5MB4XDTIxMDgzMDEzMzEyN1oXDTMxMDgzMDEzMzMwN1owEjEQMA4GA1UEAwwHbWVyY3VyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqo9gIGMMl0giE+PGOikgQI1Vn9sKywmZdWCeE+NbBi73fge9ROgJVbY
      Mmv2bC7zDFVzlqyFGElkNMqbXm9Biv6m5hbifs0iPPQPcOJBOXXw17VB6dpIIPxeHxq4hoiLFh46JUdHnw415evizjaDPCZBv51KITGj2UBNZI7bkNGrzfDsgYKPuRnp/elqoVy19c5dNnatCSFh//9x/JgQ2fhoSrPIw03iuGNmRNCmH8SldseE86YOQPW10X9T/BzgKN56kfYvEnRLQNP1uEVQ7Bb8vLijRuu98Eo1u
      CnwrfQKS8VKKZNwmbxl4MJahxQ5YzdwASqkjgaJXhYEl8043kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAneOXbOUlU2u3uddA3qlMgt4Rfaz9IO78LXSYY1NWcIIkuKitqTmGwMW/zrVpSukbT6WkTLhib+h9iPgc9cSpBG47ANWzuBohOm5SCqruxRzhgXQRBqb2RNVoe7T+JOru7IOLsx9XFi14OEbS48/MXcQFSWm
      CR+YHt8qzK9eKObwAWYZ5sucZOrF8vw3Apr8gtMgIJrnlzmfcjpAhOOufHlROfzJTx6+kjKq5GfcJBSfuYYB46bIgSirFAme+NGkcyCGiYSGvVKUrIuJon1Nx7aHPCKOl3zhTUaS2Rl9WT8EPA0Eku0zWWPnuCjjUtL2mTPzrXOtmuP0IsZvlBSFz1A==</CertificatePem></Key></Keys>|g'
      sed: -e expression #1, char 985: unterminated `s' command
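
One way to avoid the failure shown above, as an added example (not the operator's own script): select only the certificate whose `kid` matches `active.RS256` in the `/keys` response, and refuse to run the `sed` substitution unless the value is a single base64 line. The function names and the sample JSON are constructed for illustration; choosing the key by `active.RS256` is an assumption about which certificate the subsystem needs.

```shell
# Added example; function names are hypothetical, sample data is constructed.

# Constructed sample shaped like the /keys response above (certificates shortened).
SAMPLE_KEYS='{"active":{"RS256":"kid-sig"},"keys":[
 {"kid":"kid-sig","status":"ACTIVE","type":"RSA","use":"SIG","certificate":"QUJDREVGRw=="},
 {"kid":"kid-enc","status":"ACTIVE","type":"RSA","use":"ENC","certificate":"SElKS0xNTg=="},
 {"kid":"kid-oct","status":"DISABLED","type":"OCT","use":"SIG"}]}'

# Read the /keys JSON on stdin and print only the certificate of the key
# named by .active.RS256, instead of every "certificate" field (requires jq).
select_signing_cert() {
  jq -r '.active.RS256 as $kid
         | .keys[]
         | select(.kid == $kid and .certificate != null)
         | .certificate'
}

# Succeed only for exactly one non-empty line of base64. A newline (two
# certificates) or any other byte outside the alphabet is rejected, so the
# value can never terminate or alter the sed expression below.
is_single_cert() {
  case "$1" in
    ''|*[!A-Za-z0-9+/=]*) return 1 ;;
  esac
}

# Replace the placeholder in a template read from stdin with the <Keys> element.
render_realm_cert() {
  is_single_cert "$1" || {
    echo "expected exactly one certificate, refusing to patch config" >&2
    return 1
  }
  sed "s|<!-- ##KEYCLOAK_REALM_CERTIFICATE## -->|<Keys><Key signing=\"true\" ><CertificatePem>$1</CertificatePem></Key></Keys>|g"
}
```

With the two-certificate value from the trace, `render_realm_cert` returns non-zero with a clear message instead of producing a partially configured keycloak subsystem.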
      


            mdessi-1 Massimiliano Dessi
            rhn-support-rromerom Ruben Romero Montes
            Jakub Schwan Jakub Schwan
            Jakub Schwan Jakub Schwan