How can I add SPNEGO authentication to a WildFly 10.1 load balancer?
Background:
All nodes are running on Windows.
The nodes themselves are running on WildFly 8.2.1 (because the application is tied to it) in a WildFly 8.2.1 domain
The load balancer is running WildFly 10.1
The nodes are registering with mod_cluster
You need to get the SPNEGO support into your application.
WildFly 8 and 9 don't have the Undertow SPNEGO integration ready (WFLY-2553). You should either switch to WildFly 10.x, or try to use a custom SPNEGO authentication method on your worker nodes. Try to use either the servlet filter approach or this custom authenticator.
My strong recommendation is to upgrade to WildFly 10+.
There isn't much to go by in your post as to what is and is not working. This forum is more about what custom code you have created that isn't working, and we can help you there. It seems in this instance you are looking more for an approach on how to set up Kerberos authentication into your WildFly nodes through a load balancer. As info, it doesn't matter that there is a load balancer involved, except that you specify a VIP name for the nodes in DNS and have the VIP name be the fully-qualified DNS host part of the name in the SPN, which you will need to set up in order for clients to do Kerberos SSO against the WildFly nodes. I don't know anything about WildFly specifically, but I found this link for you which may help get you started: WildFly 9 - Kerberos Authentication for Domain Management Over HTTP
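As an added example (not code from either answer, and not WildFly's own SPNEGO support), here is a minimal SPNEGO servlet filter of the kind the first answer suggests for the WildFly 8.2 worker nodes. It assumes a JAAS keytab login (Krb5LoginModule with isInitiator=false) has already produced a Subject holding the acceptor credential for HTTP/<VIP FQDN>@REALM, i.e. the SPN the second answer describes, named after the load-balancer VIP rather than an individual node, with the keytab exported from the AD service account via ktpass. The class name, the session attribute name and setServerSubject() are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.*;

/** Hypothetical SPNEGO filter for a WildFly 8.2 worker; names here are assumptions, not WildFly API. */
public class SpnegoFilter implements Filter {
    private static final String NEGOTIATE = "Negotiate";
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";   // SPNEGO mechanism OID, RFC 4178
    private static final String PRINCIPAL_ATTR = "krb5.principal";

    // Subject holding the Kerberos acceptor credential for HTTP/<VIP FQDN>@REALM.
    // Assumed to be populated by a Krb5LoginModule keytab login at startup.
    private volatile Subject serverSubject;

    public void setServerSubject(Subject subject) { this.serverSubject = subject; }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // Session already carries an authenticated principal: pass straight through.
        HttpSession existing = http.getSession(false);
        Object known = existing == null ? null : existing.getAttribute(PRINCIPAL_ATTR);
        if (known != null) {
            chain.doFilter(new AuthenticatedRequest(http, known.toString()), res);
            return;
        }

        String auth = http.getHeader("Authorization");
        if (auth == null || !auth.startsWith(NEGOTIATE + " ")) {
            // Round trip 1: challenge, so the browser fetches a ticket for HTTP/<VIP FQDN>.
            out.setHeader("WWW-Authenticate", NEGOTIATE);
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        final byte[] inToken = Base64.getDecoder().decode(auth.substring(NEGOTIATE.length() + 1).trim());
        Result r;
        try {
            r = Subject.doAs(serverSubject, (PrivilegedExceptionAction<Result>) () -> accept(inToken));
        } catch (Exception e) {
            // Malformed token, or an NTLM blob sent as "Negotiate": reject without re-challenging,
            // otherwise a non-Kerberos client loops on 401 forever.
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (r.outToken != null) {   // mutual-authentication response token, when the mechanism produces one
            out.setHeader("WWW-Authenticate", NEGOTIATE + " " + Base64.getEncoder().encodeToString(r.outToken));
        }
        if (r.principal == null) {  // context not established after this leg
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        http.getSession(true).setAttribute(PRINCIPAL_ATTR, r.principal);
        chain.doFilter(new AuthenticatedRequest(http, r.principal), res);
    }

    /** One GSS accept step under the acceptor credential; returns the client principal once established. */
    private static Result accept(byte[] inToken) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSCredential acceptor = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = mgr.createContext(acceptor);
        try {
            byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length);
            String principal = ctx.isEstablished() ? ctx.getSrcName().toString() : null;
            return new Result(principal, outToken);
        } finally {
            ctx.dispose();
        }
    }

    private static final class Result {
        final String principal; final byte[] outToken;
        Result(String principal, byte[] outToken) { this.principal = principal; this.outToken = outToken; }
    }

    /** Makes getRemoteUser()/getUserPrincipal() report the Kerberos principal to the application. */
    private static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final String name;
        AuthenticatedRequest(HttpServletRequest r, String name) { super(r); this.name = name; }
        @Override public String getRemoteUser() { return name; }
        @Override public Principal getUserPrincipal() { return () -> name; }
    }
}
```

Two practical caveats. Because the context is disposed after each accept, only the single-leg Kerberos case inside SPNEGO is handled, which is the normal browser flow; a multi-leg negotiation would need the GSSContext kept across requests. And since every node answers for the same SPN, each node needs the same keytab, and the load balancer's sticky session must keep a client on the node that holds its authenticated session, or the 401 handshake repeats on each node it lands on.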
Related
I have a JavaEE application deployed in a Payara application cluster with more than two nodes. The application uses the Keycloak servlet adapter to enable integration with Keycloak. I have Keycloak 11.0 deployed in production in domain clustered mode. I have manually registered the application cluster nodes under the application clustering section of the client configuration. I used ${application.session.host} in the admin URL to enable Keycloak to send the back-channel logout call to the appropriate cluster node. A load balancer with sticky sessions is used in front of the application cluster to provide a single-node view and distribute requests. Everything works fine.
Now I need to upgrade Keycloak to a newer version; I am trying to upgrade to 18.0.2 (legacy version). However, the newer version complies with the OIDC Back-Channel Logout standard and has a separate config parameter under the client configuration for back-channel logout, separate from the admin URL.
The problem is that my clustered system doesn't work with this: the back-channel logout parameter doesn't support ${application.session.host} in the URL. Consequently, the back-channel functionality breaks.
Moreover, the Servlet Filter adapter implementation from Keycloak doesn't support handling back-channel logout, as far as I know. I have implemented my own library to handle the back-channel call: validating things as per the standard and logging out the appropriate session. For this purpose, the library stores sessions in an application-scoped bean. In a single-node deployment of the application everything works, but I don't have a solution for a multi-node application deployment from Keycloak regarding this, because Keycloak wouldn't know which node the back-channel logout request should go to, considering that the application deployment on each node is independent and client request distribution is configured with sticky sessions.
One solution is to use the Payara inbuilt Hazelcast datagrid to store the web sessions, and then any node should be able to handle the back-channel logout call across cluster.
But I am interested to know if Keycloak has any solution for this.
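As an added example (not Keycloak's adapter code and not the asker's library), here is the shape of a back-channel logout handler that works when the load balancer can deliver the POST to any node: it validates the logout_token as the OIDC Back-Channel Logout specification requires and then evicts the session through a cluster-wide registry, so the node that receives the call need not be the node that created the session. It assumes nimbus-jose-jwt on the classpath, that the realm's RSA signing key is loaded elsewhere, and that SessionRegistry (hypothetical) is backed by the shared store the question mentions, such as Payara's Hazelcast grid.

```java
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/** Hypothetical handler for POSTs to the client's back-channel logout URL. */
public class BackchannelLogoutHandler {
    private static final String LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";
    private static final long MAX_SKEW_MS = 5 * 60 * 1000L;   // tolerated clock skew / delivery delay

    /** Cluster-wide session index (hypothetical). Back it with the shared grid so any node can evict. */
    public interface SessionRegistry {
        void invalidateBySid(String sid);      // Keycloak session id carried in the token's "sid" claim
        void invalidateBySubject(String sub);  // fallback when only "sub" is present
    }

    private final String issuer;        // e.g. https://sso.example.com/auth/realms/myrealm (assumption)
    private final String clientId;      // this application's Keycloak client id
    private final RSAPublicKey realmKey;
    private final SessionRegistry sessions;
    private final Set<String> seenJti;  // replay guard; in a cluster this set must be shared as well

    public BackchannelLogoutHandler(String issuer, String clientId, RSAPublicKey realmKey,
                                    SessionRegistry sessions, Set<String> seenJti) {
        this.issuer = issuer; this.clientId = clientId; this.realmKey = realmKey;
        this.sessions = sessions; this.seenJti = seenJti;
    }

    /** Processes one logout_token form parameter; returns the HTTP status the servlet should send. */
    public int handle(String logoutToken) {
        if (logoutToken == null) return 400;
        JWTClaimsSet claims;
        try {
            claims = validate(logoutToken);
        } catch (Exception e) {
            return 400;   // spec: an invalid logout token is answered with 400 Bad Request
        }
        try {
            String sid = claims.getStringClaim("sid");
            if (sid != null) sessions.invalidateBySid(sid);
            else sessions.invalidateBySubject(claims.getSubject());
            return 200;   // spec: 200 OK whether or not a matching session was still present
        } catch (Exception e) {
            return 501;   // spec: logout could not be performed
        }
    }

    /** Signature and claim checks from section 2.6 of the Back-Channel Logout spec. */
    JWTClaimsSet validate(String token) throws Exception {
        SignedJWT jwt = SignedJWT.parse(token);
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) throw new SecurityException("alg");
        if (!jwt.verify(new RSASSAVerifier(realmKey))) throw new SecurityException("signature");
        JWTClaimsSet c = jwt.getJWTClaimsSet();
        if (!issuer.equals(c.getIssuer())) throw new SecurityException("iss");
        List<String> aud = c.getAudience();
        if (aud == null || !aud.contains(clientId)) throw new SecurityException("aud");
        Date iat = c.getIssueTime();
        if (iat == null || Math.abs(System.currentTimeMillis() - iat.getTime()) > MAX_SKEW_MS)
            throw new SecurityException("iat");
        String jti = c.getJWTID();
        if (jti == null || !seenJti.add(jti)) throw new SecurityException("jti replayed");
        Map<String, Object> events = c.getJSONObjectClaim("events");
        if (events == null || !events.containsKey(LOGOUT_EVENT)) throw new SecurityException("events");
        if (c.getClaim("nonce") != null) throw new SecurityException("nonce must be absent");
        if (c.getSubject() == null && c.getStringClaim("sid") == null) throw new SecurityException("sub or sid");
        return c;
    }
}
```

Wire handle() to whatever servlet or filter answers the back-channel URL configured in the Keycloak client. The point of the registry and the shared jti set is that the ${application.session.host} routing the question relied on becomes unnecessary: the token identifies the session by sid, and any node can evict it.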
I want to call a REST service running outside OpenShift via a Service and an external domain name. This works perfectly with an http:// request. The mechanism is described in the documentation: https://docs.okd.io/latest/dev_guide/integrating_external_services.html#saas-define-service-using-fqdn
However, the external service is secured with https. In this case I get the following exception:
Host name 'external-test-service' does not match the certificate subject provided by the peer (CN=.xxx, O=xxx, L=xxx, ST=GR, C=CH); nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name 'external-test-service' does not match the certificate subject provided by the peer (CN=.xxx, O=xxx, L=xxx, ST=GR, C=CH)
The exception is clear to me because we use the Service name from OpenShift. This name does not correspond to the original host name in the certificate. So currently I see three possibilities to solve this issue:
Add the name of the OpenShift Service to the certificate
Deactivate hostname verification before calling the external REST service
Configure OpenShift (don't know this is possible)
Has anybody solved this or a similar issue?
I am currently using OpenShift v3.9. We are running a simple Spring Boot application in a pod accessing REST services outside OpenShift.
Any hint will be appreciated.
Thank you
Markus
Ugly and might cost you extra $$
Defeats the purpose of TLS.
On Kubernetes 1.10 and earlier you can use ExternalName.
You can also use with OpenShift.
You can also use and Kubernetes Ingress with TLS. Also, documented for OpenShift
Hope it helps!
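As an added example (not code from the question or the answer), here is what the second option looks like when done safely in the Spring Boot application: instead of disabling hostname verification, the URL keeps the OpenShift Service name while the peer certificate is verified against the real external FQDN. It assumes Apache HttpClient 4.4+ on the classpath (the usual backing for Spring's HttpComponentsClientHttpRequestFactory); the service name external-test-service is the one from the question, and api.example.ch is a hypothetical external host.

```java
import javax.net.ssl.HostnameVerifier;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public class ExternalServiceClient {

    /** What "deactivate hostname verification" means in code: any certificate for any name is
     *  accepted, so a man-in-the-middle with any valid certificate passes. Do not ship this. */
    static HostnameVerifier insecureVerifier() {
        return (hostname, session) -> true;
    }

    /** Hardened form: ignore the Service name the URL happens to use and check the peer
     *  certificate's SAN/CN against the external FQDN we actually expect (RFC 2818/6125 matching
     *  as implemented by Apache's DefaultHostnameVerifier). Anything else fails closed. */
    static HostnameVerifier pinnedVerifier(String expectedExternalFqdn) {
        DefaultHostnameVerifier strict = new DefaultHostnameVerifier();
        return (hostname, session) -> strict.verify(expectedExternalFqdn, session);
    }

    /** RestTemplate whose TLS layer verifies names against the external host, not the Service name. */
    static RestTemplate restTemplate(String expectedExternalFqdn) {
        CloseableHttpClient client = HttpClients.custom()
                .setSSLHostnameVerifier(pinnedVerifier(expectedExternalFqdn))
                .build();
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(client));
    }

    public static void main(String[] args) {
        // The URL still addresses the OpenShift Service; the certificate must be for api.example.ch.
        RestTemplate rt = restTemplate("api.example.ch");
        String body = rt.getForObject("https://external-test-service/ping", String.class);
        System.out.println(body);
    }
}
```

Two things this does not change: the issuing CA still has to be in the JVM trust store (the verifier only replaces the name check, not chain validation), and the request is still sent with Host and SNI set to the Service name, so an external endpoint that selects its certificate or backend by SNI may need the external FQDN in the URL instead, with the Service used only for DNS resolution.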
Can anyone tell me what configuration is needed in standalone.xml to integrate WildFly/JBoss 7 with the Microsoft Azure Load Balancer?
Create a web farm for the API servers in Azure and route the traffic in round-robin fashion to each server.
You may see the access log with the api URL.
I used the OWSM policy Oracle/wss_http_token_service_policy on the REST-based proxy service. It is working fine (authenticating with basic credentials) on my local machine's WebLogic server but is not supported on the dev/test server, so what extra setting is required here? Or do we need to use another policy? I want to use just the basic authentication configured in my realms. Could you please advise?
I have some applications deployed in JBoss Application Server 4.
I need to know how to get a list of the deployed web services in that application server.
Is there any information in the jmx-console?
thanks
You should see all deployed web services at: http://localhost:8080/jbossws/services. Update the IP and port information in that address accordingly.