security-sso's People
Watchers
security-sso's Issues
Pre-registered RH-SSO scenario: Investigate Route's TLS Termination with Reencrypt using Open Shift Cert-manager
Background information: #2 where pre-registered RH-SSO scenario was executed but ran into a problem when running with secured Route with TLS Termination Reencrypt using Open Shift Cert-manager to provide self-signed certificate.
Failure symptom: when accessing Rute URL (e.g. https://acme-acme-test.apps.floes.os.fyre.ibm.com for Open Liberty home page), the browser is returned with Application not available message.
The snippet of OLA deployment yaml for certificate attribute:
apiVersion: openliberty.io/v1beta1
kind: OpenLibertyApplication
metadata:
name: acme
namespace: acme-test
spec:
applicationImage: 'image-registry.openshift-image-registry.svc:5000/acme-test/acme'
expose: true
service:
port: 9444
certificate:
isCA: true
route:
host: acme-acme-test.apps.floes.os.fyre.ibm.com
termination: reencrypt
certificate:
isCA: true
...
The first
Issue #1. The initial. The OG.
Testing SSO providers for Social Login: from auto-registered RH-SSO, IBM Security Verify and Open Liberty Operator
The issues uncovered during the initial testing have been verified (7/13/2020)
OpenLiberty/open-liberty-operator#176
OpenLiberty/open-liberty-operator#177
- (Complete 7/21/2020) Document in box: https://ibm.ent.box.com/notes/680678116868
Testing SSO providers for Social Login: (1) from pre-integrated RH-SSO (2) from pre-registered RH-SSO and Open Liberty Operator
Background dev work:
Delivery:
- Pre-integrated RH-SSO Test work items:
-
set up sso providers:
-
- facebookLogin
-
- linkedinLogin
-
- githubLogin (github.com)
-
- githubLogin (github.ibm.com)
-
- googleLogin
-
- twitterLogin
-
- oauth2Login (using github.com)
-
- oidcLogin (using google.com)
-
- oidcLogin (using rh-sso)
-
each sso provider configured in Liberty server variables
<variable name= value= />in a server xml file at image build time -
each sso provider passed in as environment variables at build time (Dockerfile)
-
each sso provider passed in as environment variables at start time (docker container)
-
validate parameters from tracing
server_trace.log -
investigated routes with TLS Termination: Edge and Re-encrypt (both not working at this time)
-
Test with TLS Termination Passthrough
-
Test with
getcert.shandserver.envto handle trust certificate between open liberty and social media as well as between open liberty and RH-SSO (within Open Shift cluster) -
validate RedirectToRPHostAndPort
-
pod event output
-
pod log (open liberty messages.log)
messages.log -
For testing purpose, "getcerts.sh" was used to handle trust certificate between open liberty and social media, as well as between open liberty and RH-SSO (within open shift cluster)
See item 2 on Pre-registered below- [ ] each sso provider passed in through an include file by the Liberty operator at start time.
- - [ ] When operator becomes available from Leo in an early build, try that out.ย Make sure ssl can be configured.
- - [ ] See if operator's ability to set redirectToRPHostAndPort is working.
- - [ ] Do full config from operator and make sure trace of config params matches what we got without operator.
- [ ] final test with the merged code -
Document the test details in box note (https://ibm.ent.box.com/notes/623216495506)
- Pre-registered RH-SSO and Open Liberty Operator work items:
-
Install Open Liberty Operator
-
Create secret (to contain client ID, secret for social media and RH-SSO)
-
Create OLA (OpenLibertyApplication) deployment yaml (with
ssospec and other env variables) -
Docker build time with ENV variables (
SEC_TLS_TRUSTDEFAULTCERTS=true,SEC_IMPORT_K8S_CERTS=true) -
Deploy OLA and also containing below ENV when Dockerfile not containing them:
-
- ENV
SEC_TLS_TRUSTDEFAULTCERTS=trueto handle trust certificates for social media
- ENV
-
- ENV
SEC_IMPORT_K8S_CERTS=trueto handle trust certificates for RH-SSO (within Open Shift Cluster)
- ENV
-
- Validate
cert_defaultKeyStore=/var/run/secrets/kubernetes.io/serviceaccount/ca.crtin server.env to handle the trust certificate for RH-SSO
- Validate
-
Secured Route with Passthrough TLS Termination
-
(Updated 4/14/2020) TLS Termination with Reencrypt using Open Shift Cert-manager worked, git issue closed: #3)
-
Passthrough scenario: messages.log
-
Passthrough scenario: server_trace.log.zip
-
Document the test details in box note (https://ibm.ent.box.com/notes/648295410899)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.