keycloak - trusted hosts in client registration policies using kcadm - keycloak

I'm having trouble finding how I can add a trusted host using the kcadm CLI tool. This is in realm -> realm settings -> client registration -> client registration policies -> trusted hosts.

It's part of components.
kcadm get components -r demorealm -F "name,id,config(*)" -q name="Trusted Hosts"
I found that if you export the database, it will produce a json file and you will find all the information that you need there.

Related

Is it possible to create a Realm in (Keycloak or RH-SSO) through the CLI - GUI?

Is it possible to create Realm through the CLI - GUI?
I would like to know if it is possible to create a realm via CLI - GUI. (I started the GUI with the command "./jboss-cli.sh --gui")
If possible, how can I do this?
Thank you
Pretty certain you can't use the Jboss-cli for that, but you can use kcadm.sh to manage realms and clients. See official docs.
It just uses Keycloak's REST endpoints, so you could use another tool to make those requests if you wish, e.g. Postman/Newman.
However if you require a GUI, why not just use the web based admin panel?
If it is running on a remote server you can use ssh with the -N flag to forward the remote port to some local port which you can access with your browser.

Installation error installing the Linkerd service mesh in AKS

I have followed the getting started instructions here: https://linkerd.io/2/getting-started/ for installing Linkerd, but I am not able to install the Linkerd CLI.
Please see the command below: curl -sL https://run.linkerd.io/install | sh
Please see the error below:
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option
Can anyone please help me solve it?
The installation instructions provided on the Linkerd website are indeed vague; they provide instructions for Linux (shell) users as well as a brew install command for OSX users.
If you are interested in installing Linkerd on your Windows machine, the recommendation is to download the binary (.exe for Windows) directly from their release page: https://github.com/linkerd/linkerd2/releases
After you have downloaded the binary, you should be able to update your %PATH% environment variable to add the location of the binary. This will allow you to refer to linkerd directly from your command prompt.
Linkerd started supporting Windows with a Chocolatey package: https://chocolatey.org/packages/Linkerd2
To use it, make sure that you have Chocolatey installed and run:
choco install linkerd2
After the installation, verify that the install was successful with:
linkerd --help
You should see the list of commands available to the Linkerd CLI.

Keycloak Admin CLI: setting Client Attributes

I'd like to use the Keycloak CLI (kcadm.sh) to generate a set of clients which have some attributes (taken from the web interface) such as:
Access type=confidential
Direct Access Grant Enabled=On
Is there a reference for all attributes that can be passed to the Admin CLI? In the examples I can only see some basic attributes.
Thanks
It is easiest to set attributes by using -s in your command, like this:
kcadm.sh create clients -r oidcrealm -s "clientId=testClient" -s "directAccessGrantsEnabled=true" -s "publicClient=false"
As for a reference, the REST API docs mentioned in the previous answer are good, but another tip is to set your desired configuration in the Keycloak GUI and then export the configuration like this:
kcadm.sh get clients -r oidcrealm
All attributes will then be listed with the current values.
kcadm.sh also accepts JSON as input, so if you have a lot of attributes it is probably easier to run it like this, and it gives a better overview later:
kcadm.sh create clients -r oidcrealm -f - << EOF
{
  "clientId": "oidc-client",
  "redirectUris": ["http://react:3000"],
  "standardFlowEnabled": true,
  "publicClient": true,
  "attributes": {
    "pkce.code.challenge.method": "S256"
  }
}
EOF
You can use the REST API docs as a reference.
Note that:
The Admin CLI works by making HTTP requests to Admin REST endpoints.
Access to them is protected and requires authentication.
Consult the Admin REST API documentation for details about JSON attributes for specific endpoints.

AWS Missing Authentication Token

I am following this tutorial for connecting Raspberry Pi to AWS IoT using Node.js SDK. I see the following in vim ~/.aws/credentials
[default]
aws_access_key_id = SOMETHING
aws_secret_access_key = SOMETHINGELSE
When I enter the command aws iot describe-endpoint I get the following response:
{
"endpointAddress": "A34SXNTM6AT7XH.iot.us-west-2.amazonaws.com"
}
However when I browse to that URL: https://a34sxntm6at7xh.iot.us-west-2.amazonaws.com/
I get the following error:
Missing Authentication Token
Any idea what could be wrong and how could it be solved?
Here's the files in the ~/certs folder:
pi@raspberrypi:~/certs $ ls
certificate.pem.crt private.pem.key public.pem.key root-CA.pem
Mona,
Your custom endpoint responds to two protocols: MQTT and HTTPS. However, it does not serve any web content and thus does not work in the browser as a site URL. The "endpointAddress" you get from aws iot describe-endpoint will be plugged into your Node.js Device SDK that you're using in the Raspberry Pi example you linked (no https://).
You can also interface with device shadows using the HTTPS version of the endpoint by signing requests with AWS Signature version 4. More on that here: http://docs.aws.amazon.com/iot/latest/developerguide/thing-shadow-rest-api.html and here: http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html though you will likely get going faster by using the AWS CLI or AWS SDK to perform operations like this.
Ryan @ AWS
By default, the example programs will look in the current directory for your certificate and private key files, but you can also use the '-f' option to specify another directory if you want to. As for the 'Missing Authentication Token' message you noticed when trying to access the endpoint from your browser, you can safely ignore it.
If you use "TLS mutual authentication" you need to connect on port 8443, so in your example, it would be https://a34sxntm6at7xh.iot.us-west-2.amazonaws.com:8443/things/<thing_name>/shadow
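The request signing the answer above refers to, as an added Python example that is not code from the question, the answers or the AWS SDK: it builds the SigV4 canonical request, string to sign and Authorization header for a GET on the thing-shadow REST path, which is exactly what a browser does not send when it gets "Missing Authentication Token". The access key, secret, thing name and the `iotdata` signing service name are assumed placeholders; the host is the describe-endpoint value from the question.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Assumed signing service name for the IoT data plane (thing shadow REST API).
SERVICE = "iotdata"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical_request(method: str, host: str, path: str, amz_date: str, payload: bytes) -> str:
    # SigV4 canonical form: method, encoded path, query string, lowercase headers
    # (each terminated by a newline), signed-header list, hex SHA-256 of the payload.
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    return "\n".join([method, quote(path, safe="/"), "",  # shadow GET has no query string
                      canonical_headers, "host;x-amz-date", sha256_hex(payload)])

def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    # Derive the per-day key by chaining HMAC-SHA256 over date, region, service, "aws4_request".
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date_stamp, region, service, "aws4_request"):
        key = hmac.new(key, part.encode("utf-8"), hashlib.sha256).digest()
    return key

def sigv4_headers(access_key: str, secret_key: str, region: str, host: str, path: str,
                  amz_date=None) -> dict:
    # amz_date is "YYYYMMDDTHHMMSSZ" (UTC) and defaults to now; returns the headers the
    # endpoint checks before it will answer anything but "Missing Authentication Token".
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    creq = canonical_request("GET", host, path, amz_date, b"")
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, SERVICE),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders=host;x-amz-date, Signature={signature}")
    return {"Host": host, "X-Amz-Date": amz_date, "Authorization": authorization}

if __name__ == "__main__":
    # Constructed placeholder credentials and thing name; never commit real keys.
    for name, value in sigv4_headers("AKIAEXAMPLE", "EXAMPLESECRETKEY", "us-west-2",
                                     "a34sxntm6at7xh.iot.us-west-2.amazonaws.com",
                                     "/things/my-thing/shadow").items():
        print(f"{name}: {value}")
```

The X-Amz-Date in the signature must be within a few minutes of the server clock, so a stale date is rejected even when the signature itself is correct.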

The gsutil tool is not working to register a channel in object change notification

When executing the following command:
gsutil notifyconfig watchbucket -i myapp-channel -t myapp-token https://myapp.appspot.com/gcsnotify gs://mybucket
I receive the following answer, but I used the same command before on other buckets and it worked:
Watching bucket gs://mybucket/ with application URL https://myapp.appspot.com/gcsnotify...
Failure: <HttpError 401 when requesting https://www.googleapis.com/storage/v1beta2/b/mybucket/o/watch?alt=json returned "Unauthorized WebHook callback channel: https://myapp.appspot.com/gcsnotify">.
I used gsutil config to set permissions and tried with gsutil config -e also.
I already tried to set the permissions and made myself owner of the project, but it is not working. Any help?
I was getting the same error. You must configure gsutil to use a service account before you can watch a bucket.
An additional security requirement was recently added for Object Change Notification. You must add your endpoint domain as a trusted domain on your cloud project. To do that, the domain first has to be whitelisted with the Google Webmaster Tools.
See instructions here:
https://developers.google.com/storage/docs/object-change-notification#_Authorization
I also determined that I needed to:
Whitelist my appspot domain
Create a service account before I can watch a bucket.
At first I was using the google cloud shell and I figured it should just be authenticated. gsutil ls listed the objects in my bucket so I assumed I was authenticated. However that is not the case.
You need to install gsutil or the Google Cloud SDK, log in, get the .p12 file from the service account, and auth it as Wind Up Toy described. After that it will work.