In our Keycloak setup we have written admin-cli commands to make things smooth after Keycloak boots up. We will create some basic realm/user/group and other details with the help of admin-cli.
Now we want to add the SMTP server details through admin-cli. How can we achieve this?
OK, at last, after too much hit and try I found the solution. Here are the details on how to add the SMTP server details via admin-cli.
First step: enable HTTPS (as in our case Keycloak is running on HTTPS)
/opt/keycloak/bin/kcadm.sh config truststore --trustpass keycloak /opt/keycloak/security/ssl/keycloak.jks
Second step: login with the client admin-cli
/opt/keycloak/bin/kcadm.sh config credentials --server https://{{keycloak_server_IP}}:{{keycloak_port}}/auth --realm master --user admin --password admin --client admin-cli
If the realm is not created yet, create it via this:
/opt/keycloak/bin/kcadm.sh create realms -s realm=SURE -s enabled=true
and then run the below command:
/opt/keycloak/bin/kcadm.sh update realms/CRUE_Realm -x -s 'smtpServer.host=Your Host Name' -s 'smtpServer.from=email@somemail.com' -s 'smtpServer.fromDisplayName=Mail Support' -s 'smtpServer.auth=false' -s 'smtpServer.ssl=false'
You can also use this command:
/opt/keycloak/bin/kcadm.sh update realms/CRUE_Realm -f - << EOF
{"smtpServer" : {
    "replyToDisplayName" : "...",
    "starttls" : "",
    "auth" : "true",
    "envelopeFrom" : "...",
    "ssl" : "true",
    "password" : "...",
    "port" : "...",
    "host" : "...",
    "replyTo" : "...",
    "from" : "...",
    "fromDisplayName" : "...",
    "user" : "..."
  }
}
EOF
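As an added example (not part of the answer above), a small POSIX sh helper that applies the same realm update through the JSON-on-stdin form, so the SMTP password is never placed in a `-s smtpServer.password=...` argument, and then reads the stored block back. It assumes kcadm.sh is already logged in as shown above; the KCADM variable, the function names and the smtp.example.test values are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Configures a realm's SMTP settings
# through kcadm.sh using "-f -" (JSON on stdin), so the SMTP password does not
# appear in an "-s smtpServer.password=..." argument, where it would be visible
# in process listings and shell history.
# Assumptions: kcadm.sh has already been logged in with "config credentials";
# KCADM is our variable; SMTP_PASSWORD is supplied via the environment.
KCADM="${KCADM:-/opt/keycloak/bin/kcadm.sh}"

# Build the smtpServer fragment. Arguments: host port from user. Values must not
# contain double quotes or backslashes (this helper does no JSON escaping).
# auth and starttls are enabled here, unlike the auth=false/ssl=false command above.
smtp_json() {
  cat <<EOF
{"smtpServer": {
  "host": "$1",
  "port": "$2",
  "from": "$3",
  "fromDisplayName": "Mail Support",
  "auth": "true",
  "starttls": "true",
  "ssl": "false",
  "user": "$4",
  "password": "${SMTP_PASSWORD:?SMTP_PASSWORD must be set}"
}}
EOF
}

# Apply the fragment to a realm and read the stored smtpServer block back.
# Keycloak masks the password in the representation it returns, so the readback
# confirms host/port/auth without echoing the secret.
apply_smtp() {
  realm="$1"; shift
  smtp_json "$@" | "$KCADM" update "realms/$realm" -f - || return 1
  "$KCADM" get "realms/$realm" --fields smtpServer
}

# Example invocation (constructed values):
# SMTP_PASSWORD='...' apply_smtp CRUE_Realm smtp.example.test 587 noreply@example.test mailer
```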
Related
I'm using a client "admin-cli" in order to create users in my application.
Recently, I've deployed to the production environment.
I've recreated my Keycloak configuration from scratch. But the admin-cli can't add users in the environment.
In order to understand this issue, I've created in my development environment a new client myClientAdmin and assigned the same rights as the admin-cli.
And I reproduce the same issue as in my production environment.
Then I try with kcadm to solve or have a better understanding of this issue.
kcadm.sh config credentials --server http://localhost:8080/auth --realm mira --client admin-cli --secret secret1
kcadm.sh get-roles -r mira --uusername service-account-admin-cli --cclientid realm-management
---> "name" : "realm-admin"
kcadm.sh get users -r mira -q role=XXX --fields "username" --> works fine
kcadm.sh config credentials --server http://localhost:8080/auth --realm mira --client myClientAdmin --secret secret2
kcadm.sh get-roles -r mira --uusername service-account-myClientAdmin --cclientid realm-management
---> "name" : "realm-admin"
kcadm.sh get users -r mira -q role=XXX --fields "username" --> doesn't work
---> Logs of Keycloak
13:07:46,001 DEBUG [org.keycloak.services.error.KeycloakErrorHandler] (default task-45) Error response 403: org.keycloak.services.ForbiddenException
    at org.keycloak.keycloak-services@16.0.0//org.keycloak.services.resources.admin.permissions.UserPermissions.requireQuery(UserPermissions.java:283)
    at org.keycloak.keycloak-services@16.0.0//org.keycloak.services.resources.admin.UsersResource.getUsers(UsersResource.java:275)
    at jdk.internal.reflect.GeneratedMethodAccessor551.invoke(Unknown Source)
I don't understand this issue; the two clients seem to have the same client role: realm-admin.
Can anyone help me?
Keycloak 16.0.0
Best regards
I set up my MongoDB cluster with TLS authentication.
I can successfully connect to a mongos instance using:
/opt/cluster/stacks/mongoDB/bin/mongosh --tls --host $(hostname).domain.name -tlsCAFile /opt/cluster/security/ssl/cert.pem --port 27017
I have a Kafka Connect MongoDB sink that has the following configuration:
{
  "name": "client-order-request-mongodb-sink",
  "config": {
    "connector.class": "com.mongodb.kafka.connect.MongoSinkConnector",
    "database": "Trading",
    "collection": "ClientOrderRequest",
    "topics": "ClientOrderRequest",
    "connection.uri": "mongodb://hostname1.domain.name:27017,pre-hostname2.domain.name:27017",
    "mongo.errors.tolerance": "all",
    "mongo.errors.log.enable": "true",
    "errors.log.include.messages": "true",
    "writemodel.strategy": "com.mongodb.kafka.connect.sink.writemodel.strategy.ReplaceOneBusinessKeyStrategy",
    "document.id.strategy": "com.mongodb.kafka.connect.sink.processor.id.strategy.PartialValueStrategy",
    "document.id.strategy.overwrite.existing": "true",
    "document.id.strategy.partial.value.projection.type": "allowlist",
    "document.id.strategy.partial.value.projection.list": "localReceiveTime,clientId,orderId"
  }
}
It is working fine if I redeploy MongoDB without authentication, but now when I try to instantiate it with the following curl command:
curl -X POST -H "Content-Type: application/json" --data '@connect-task-sink-mongodb-client-order-request.json' $KAFKA_CONNECT_LEADER_NODE/connectors/
I have the following error:
{"error_code":400,"message":"Connector configuration is invalid and contains the following 1 error(s):\nUnable to connect to the server.\nYou can also find the above list of errors at the endpoint /connector-plugins/{connectorType}/config/validate"}
From the MongoDB Kafka Connect sink documentation I found that I needed to set the KAFKA_OPTS global variable, so before starting the distributed Connect server I do:
export KAFKA_OPTS="\
-Djavax.net.ssl.trustStore=/opt/cluster/security/ssl/keystore.jks \
-Djavax.net.ssl.trustStorePassword=\"\" \
-Djavax.net.ssl.keyStore=/opt/cluster/security/ssl/keystore.jks \
-Djavax.net.ssl.keyStorePassword=\"\""
Notice that I put an empty password because when I list the entries of my keystore with:
keytool -v -list -keystore key.jks
I just press Enter when the password is prompted.
So the issue was that the SSL connection wasn't enabled on the client side.
If you want to do so with the MongoDB Kafka Connect plugin you need to state it in the connection.uri config parameter, such as:
"connection.uri":"mongodb://hostname1.domain.name:27017,pre-hostname2.domain.name:27017/?ssl=true"
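As an added example (not from the answer above), a POSIX sh pre-deploy check that refuses to POST a connector config whose connection.uri does not explicitly request TLS, which is the client-side switch the answer identifies; CONNECT_URL, the function names and the sample JSON are constructed here, and the config file is assumed to have the {"name": ..., "config": {...}} shape shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Before a connector config is POSTed
# to Kafka Connect, verify that its mongodb:// connection.uri turns TLS on
# (ssl=true or tls=true in the query string). Without it the sink connects in
# plaintext and a TLS-only mongos rejects it with "Unable to connect to the server".
# Assumptions: CONNECT_URL is the Connect REST base URL; uses only grep/sed/tr.

# Return 0 if the first "connection.uri" value in the JSON text given as $1
# enables TLS, 1 otherwise (no URI, no query string, or no ssl/tls=true option).
uri_requires_tls() {
  uri="$(printf '%s\n' "$1" | sed -n 's/.*"connection.uri" *: *"\([^"]*\)".*/\1/p' | head -n 1)"
  [ -n "$uri" ] || return 1
  case "$uri" in
    *\?*) query="${uri#*\?}" ;;
    *) return 1 ;;            # no query string, so no ssl/tls option at all
  esac
  # Split the query string on '&' and look for an exact ssl=true / tls=true.
  printf '%s\n' "$query" | tr '&' '\n' | grep -qiE '^(ssl|tls)=true$'
}

# Create the connector only when the URI passes the check. --data @file reads
# the request body from the file.
deploy_connector() {
  cfg="$1"
  if ! uri_requires_tls "$(cat "$cfg")"; then
    echo "refusing to deploy $cfg: connection.uri does not enable TLS" >&2
    return 1
  fi
  curl -sS -X POST -H "Content-Type: application/json" \
    --data @"$cfg" "${CONNECT_URL:?set CONNECT_URL}/connectors/"
}
```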
How to set the VS Code proxy? Please.
Host name : http://proxy.my.com
Port number : 8080
Proxy authentication
Login : usn
Password: pwd
/***********vscode settings.json****************/
"http.proxy": "http://proxy.my.com:8080",
"http.proxyAuthorization": ????????,
"http.proxyStrictSSL": false
How to configure it?? Please help me.
I am trying to set up a MongoDB 2.6.8 replica set using SSL. I compiled mongo manually with SSL support and enabled SSL in my configuration as follows:
sslMode=requireSSL
sslPEMKeyFile=/etc/ssl/mongodb.pem
sslCAFile=/etc/ssl/client.pem
sslWeakCertificateValidation=true
replSet=rs0
I created the mongodb.pem and client.pem files by running openssl as follows on each server:
# openssl req -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key -subj '/C=US/ST=MA/L=Waltham/CN=<fully qualified domain name>'
# cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
# openssl req -new -x509 -days 365 -nodes -out client-cert.crt -keyout client-cert.key -subj '/C=US/ST=MA/L=Waltham/CN=<fully qualified domain name>'
# cat client-cert.key client-cert.crt > client.pem
On each server I can confirm that the certificates and SSL are working, because on each of my servers I can do the following:
mongo --ssl --sslPEMKeyFile=/etc/ssl/client.pem --sslCAFile=/etc/ssl/mongodb.pem <fully qualified domain name>
drops me into the mongo shell.
On the primary node, I can do rs.initiate() and rs.status() and it looks fine:
> rs.initiate()
{
  "info2" : "no configuration explicitly specified -- making one",
  "me" : "<fqdn node 1>:27017",
  "info" : "Config now saved locally. Should come online in about a minute.",
  "ok" : 1
}
> rs.status()
{
  "set" : "rs0",
  "date" : ISODate("2015-04-02T20:25:27Z"),
  "myState" : 1,
  "members" : [
    {
      "_id" : 0,
      "name" : "<fqdn node 1>:27017",
      "health" : 1,
      "state" : 1,
      "stateStr" : "PRIMARY",
      "uptime" : 23,
      "optime" : Timestamp(1428006318, 1),
      "optimeDate" : ISODate("2015-04-02T20:25:18Z"),
      "electionTime" : Timestamp(1428006318, 2),
      "electionDate" : ISODate("2015-04-02T20:25:18Z"),
      "self" : true
    }
  ],
  "ok" : 1
}
However, when I attempt to add the second member, I get the dreaded 13144 error:
rs0:PRIMARY> rs.add("<fqdn node 2>:27017")
{
  "errmsg" : "exception: need most members up to reconfigure, not ok : <fqdn node 2>:27017",
  "code" : 13144,
  "ok" : 0
}
I should also note that connecting between the two hosts works fine, i.e., while on node 1:
mongo --ssl --host <fqdn node 2>
or while on node 2:
mongo --ssl --host <fqdn node 1>
both work.
How do I pass in the SSL option and/or the certificates to the rs.add() command?
I don't actually care about passing the certificates (which is why I specified sslWeakCertificateValidation=true); I'm more concerned about making sure the communication between the nodes is over SSL.
It's difficult to be certain what was wrong, but I've got a few observations:
You may have got that error if the other mongod process was started without the replSet=rs0 item in its configuration.
You may have got that error because the servers cannot communicate on port 27017, e.g. if a firewall is blocking them. It's worth verifying the connectivity by, on each server, connecting the mongo client to the other server.
There is a problem with your mongodb.pem file. You have created it by concatenating the server's private key and certificate, but it should not contain the key. It should be just an ascending chain of certificates, starting with the server and ending with the root. If the server is self-certified, then there is no need to concatenate anything else.
I created an admin user for some db. Look at the dump:
> db.system.users.find().pretty()
{
  "_id" : ObjectId("533aa7175572233602378633"),
  "user" : "root",
  "pwd" : "06dbc97127a71ab5b359a6a6e9ff5f53",
  "roles" : [
    "readWrite",
    "userAdmin",
    "dbAdmin",
    "readWriteAnyDatabase",
    "userAdminAnyDatabase",
    "dbAdminAnyDatabase"
  ]
}
Check login:
mongo some_db -u root -p 5415 - ok!
mongo some_db -u root -p 54153 - error!
mongo some_db - ok! Why does this method allow you to enter the database?
You have to set the auth configuration to true to require authentication.
Important tip: If you set the option to true but you don't have any users you can still connect using "localhost" from inside the server
Source here
You won't be able to access anything because you are not authenticated.