The goal of this article is to help developers understand and use Red Hat OpenShift image streams and application templates to deploy Red Hat's single sign-on (SSO) technology on OpenShift. Also see my earlier article about using SSO and OpenShift: Integrate Red Hat’s single sign-on technology 7.4 with Red Hat OpenShift.
SSO templates for OpenShift deployment
Use the following command to get a list of SSO deployment templates for OpenShift:
$ oc get templates -n openshift -o name | grep -o 'sso74.\+'
sso74-https
sso74-postgresql
sso74-postgresql-persistent
sso74-x509-https
sso74-x509-postgresql-persistent
Select the template for the behavior you want
You can use templates to define how SSO will be deployed on OpenShift. Each template offers different deployment options:
- TLS termination:
- Re-encrypt
- Pass-through
- Database back-end type:
- In-memory H2 database
- PostgreSQL database
- Storage:
- Ephemeral
- Persistent
You can use the template's name pattern to select a template that offers the behavior that you need. As an example, ocp4-x509 in the template name means the template uses re-encrypt Transport Layer Security (TLS) termination. If the template name includes postgresql, then the database back-end for that template is PostgreSQL. If it includes persistent, then you know that template preserves SSO data across database or SSO pod restarts.
SSO template features
Here is a listing of SSO templates and the features they provide:
SSO template: sso74-https:
- Pass-through TLS termination
- H2 in-memory database
- Ephemeral storage
SSO template: sso74-ocp4-x509-https:
- Re-encrypt TLS termination
- H2 in-memory database
- Ephemeral storage
SSO template: sso74-ocp4-x509-postgresql-persistent:
- Re-encrypt TLS termination
- PostgreSQL database
- Persistent storage
SSO template: sso74-postgresql:
- Pass-through TLS termination
- PostgreSQL database
- Ephemeral storage
SSO template: sso74-postgresql-persistent:
- Pass-through TLS termination
- PostgreSQL database
- Persistent storage
TLS termination in SSO templates
Single sign-on templates with the name pattern ocp4-x509 use re-encrypt TLS termination. All other templates use pass-through TLS termination. Let's consider the main differences between re-encrypt TLS termination and pass-through TLS termination.
Re-encrypt TLS termination
In re-encrypt TLS termination, the SSO keystore and truststore are automatically created when you deploy single sign-on on OpenShift. Deploying TLS is very simple because everything is configured automatically. On the downside, you cannot directly access the SSO keystore and truststore. Adding a new external certificate authority (CA) certificate to the SSO truststore requires rebuilding and redeploying a new SSO image.
Pass-through TLS termination
This style of TLS termination is very flexible, and updating the SSO truststore is easy to do. Adding external certificates is not complex. The downside of this approach is that it has to be configured manually, as described here.
Using templates to deploy SSO on OpenShift
Next, we'll use templates to deploy SSO on OpenShift.
Deploying SSO on OpenShift using a re-encrypt TLS termination template
Here's the command to create a project with one of the re-encrypt templates. In this case, we're choosing a PostgreSQL database and persistent storage:
$ oc new-project sso-74-reencrypt
$ oc new-app --template=sso74-ocp4-x509-postgresql-persistent
Remember that with the re-encrypt TLS termination templates, the deployment is configured for you. Next, we'll deploy SSO with one of the pass-through TLS termination templates. These require manual configuration.
Deploying SSO on OpenShift using a pass-through TLS termination template
We have to create the SSO keystore and truststore manually before deploying SSO with the pass-through TLS termination template. The keystore and truststore are passed to the SSO pod as OpenShift secrets. First, we'll create the HTTPS and JGroups keystores and truststore for the single sign-on server, then we'll deploy the SSO template.
Step 1: Create the keystores and truststore
Start by creating the HTTPS keystore:
Generate a CA certificate. Pick and remember the password. Provide identical password, when signing the certificate sign request with the CA certificate below:
$ openssl req -new -newkey rsa:4096 -x509 -keyout xpaas.key -out xpaas.crt -days 365 -subj "/CN=xpaas-sso-demo.ca"
Generate a CA certificate for the HTTPS keystore. Provide mykeystorepass as the keystore password:
$ keytool -genkeypair -keyalg RSA -keysize 2048 -dnsureame "CN=secure-sso-sso-app-demo.openshift.example.com" -alias jboss -keystore keystore.jks
Generate a certificate sign request for the HTTPS keystore. Provide mykeystorepass as the keystore password:
$ keytool -certreq -keyalg rsa -alias jboss -keystore keystore.jks -file sso.csr
Sign the certificate sign request with the CA certificate. Provide the same password that was used to generate the CA certificate:
$ openssl x509 -req -CA xpaas.crt -CAkey xpaas.key -in sso.csr -out sso.crt -days 365 -CAcreateserial
Import the CA certificate into the HTTPS keystore. Provide mykeystorepass as the keystore password. Reply yes to Trust this certificate? [no]: question:
$ keytool -import -file xpaas.crt -alias xpaas.ca -keystore keystore.jks
Import the signed certificate sign request into the HTTPS keystore. Provide mykeystorepass as the keystore password:
$ keytool -import -file sso.crt -alias jboss -keystore keystore.jks
The keystore.jks, truststore.jks, and jgroups.jceks are passed to SSO pods as OpenShift secrets. We will link these secrets to the default service account, which is used to run single sign-on pods:
$ oc create secret generic sso-app-secret --from-file=keystore.jks --from-file=jgroups.jceks --from-file=truststore.jks
secret/sso-app-secret created
$ oc secrets link default sso-app-secret
Step 2: Deploy the SSO template
Now, we can deploy SSO on OpenShift using the pass-through TLS termination template:
$ oc new-project sso-74-passthrough
$ oc new-app --template=sso74-postgresql-persistent
Note: For more details, see the requirements for deploying pass-through TLS termination SSO templates.
Adding a certificate to the SSO truststore
We might need to add a certificate to the SSO truststore if SSO is making outbound connections to an external server using HTTPS or LDAP. When we use one of the X509 templates (such as for re-encrypt TLS termination), the SSO keystore and truststore are generated automatically from OpenShift's internal X509 certificate serving service. In order to add a new certificate, we need to build a new SSO image.
Adding a certificate using a re-encrypt TLS termination template
Adding a certificate to the SSO truststore consists of the following steps:
- Retrieve the
java cacertsfile from the SSO pod. - Add the
new certificateto thejava cacertsfile located at/etc/pki/ca-trust/extracted/java/cacerts. (The file is copied automatically into SSO/opt/eap/keystores/truststore.jksduring deployment.) - Build a new SSO OpenShift image.
- Deploy the new SSO image.
Step 1: Retrieve java cacerts from the SSO pod
The SSO java cacerts file is retrieved from SSO running pod using the rsync command:
$ oc get pods
NAME READY STATUS RESTARTS AGE
<sso-pod-name> 1/1 Running 0 52s
$ oc rsync <sso-pod-name>:/etc/pki/ca-trust/extracted/java/cacerts .
Step 2: Add the new certificate to java cacerts
Adding a new certificate to the SSO truststore consists of adding this new certificate to the java cacerts file:
$ keytool -import -v -file <my-cert>.crt -alias my-cert -keystore ./cacerts -noprompt -storepass changeit
Step 3: Build the new SSO OpenShift image
A Dockerfile describes how the java cacerts file is added to build a new SSO OpenShift image:
FROM rh-sso-7/sso74-openshift-rhel8:latest
COPY cacerts /etc/pki/ca-trust/extracted/java/cacerts
We can use a Podman command to build a new image:
podman build -t docker-registry-default/project/name:tag .
podman build -t docker-registry-default/project/sso74:reencrypt-truststore-updated .
STEP 1: FROM rh-sso-7/sso74-openshift-rhel8:latest
STEP 2: COPY cacerts /etc/pki/ca-trust/extracted/java/cacerts
STEP 3: COMMIT docker-registry-default/project/sso74:reencrypt-truststore-updated
--> 356f138e3fd
356f138e3fdee0b7424eec5fec10f3b57ced6c896b829d55be1d60abc18280a3
The new image now contains the updated SSO truststore.
Step 4: Deploy the new SSO image
After the build finishes, you will push your new image to the OpenShift registry to deploy it. The new image will be uploaded when the SSO pod is restarted.
Adding a certificate using a pass-through TLS termination template
Adding a new certificate to SSO truststore with this template consists of the following steps:
- Retrieve the existing
truststore.jksfile. - Add new certificate to
truststore.jks. - Delete secret corresponding to the SSO truststore.
- Create a new secret that contains the
truststore.jksfile.
Step 1: Retrieve the SSO truststore.jks file
Retrieve the SSO truststore.jks file from OpenShift using the rsync command:
$ oc rsync <sso-pod-name>:/opt/eap/keystores/truststore.jks .
Step 2: Add new certificate to truststore.jks
Add this new certificate to the Java cacerts file:
$ keytool -import -v -file <my-cert>.crt -alias my-cert -keystore ./truststore.jks -noprompt -storepass changeit
Step 3: Delete the secret corresponding to the SSO truststore
Updating the SSO truststore consists of updating the secret used by the SSO pod. When the value of a secret is modified, you must delete the original pod and create a new one:
$ oc delete secret sso-app-secret
Step 4: Create a new secret that contains the truststore.jks file
After truststore.jks has been updated to contain your new certificate, you must re-create the secret, sso-app-secret. The updated secret encompasses jgroups.jceks, truststore.jks, and keystore.jks:
$ oc create secret generic sso-app-secret --from-file=keystore.jks --from-file=jgroups.jceks --from-file=truststore.jks
secret/sso-app-secret created
$ oc secrets link default sso-app-secret
You can now safely use SSO with the updated truststore deployed on OpenShift.
Conclusion
Templates offer very interesting features for deploying Red Hat's single sign-on technology on Red Hat OpenShift. As an end user, you can use one of the re-encrypt TLS termination templates, where TLS is configured automatically, or a pass-through termination TLS template, in which case you will do some of the TLS configuration manually. As you've seen in this article, it's much easier to add new certificates to the SSO truststore when using a pass-through TLS termination template. You can do it dynamically by updating the secret for the trustsrore.jks file. If you are using a re-encrypt TLS termination template, you will need to rebuild and redeploy your original SSO image.
