Connecting Red Hat Single Sign-on on Openshift to an External Database |

IT-блоги Connecting Red Hat Single Sign-on on Openshift to an External Database

DZone Security 14 ноября 2021 г. Rogerio Santos

The Red Hat Single Sign-On or just RHSSO is an enterprise version of Keycloak, which is an open-source Identity and Access Management solution aimed at modern applications and services. 

In the last few days, I needed to install RHSSO on Openshift version 4.8, however, I needed to implement small customization in the database connection.  By default a non-ephemeral RHSSO installation uses an embedded installation of PostgreSQL database, however, I would change the type of database from PostgreSQL to MySQL, and even change the location of this one to the outside of Openshift.

For non-Openshift installations it is common, however, for RHSSO 7.5 on Openshift 4.8, there are some details:

  • First point: The "Operator component" for RHSSO is not prepared until this date for managing a non-Postgres database.
  • Second Point: There isn't an official  RHSSO template for other databases either in version 7.5.
  • Third Point: We are talking about an environment Openshift 4.8.

The Solution

Forget the Operator Component. Until this date, it is in the Tech Preview version and does not support this implementation.

Basically, we need to create a custom image of RHSSO and change the data source to MySQL type. Remember  RHSSO is software that is performing inside of JBoss Enterprise Application Platform 7 (EAP7),  and because of that, we can customize it using a CLI (Command Line Interface).

For that, follow these below steps:

  1. Download the MySQL JDBC Driver. I used MySQL 8 (mysql-connector-java-8.0.27.jar).
  2. Create a file called sso-extensions.cli and put the below content. Basically, it is a property file with the params of MySQL Database and the commands for removing the PostgreSQL configuration. Notice that we remove a data source called KeycloakDS and after that, recreate it with the new definitions.
    set DB_DRIVER_NAME=mysql
    set DB_USERNAME=root
    set DB_PASSWORD=jujuba
    set DB_DRIVER=com.mysql.jdbc.Driver
    set DB_XA_DRIVER=com.mysql.cj.jdbc.MysqlXADataSource
    set DB_JDBC_URL=jdbc:mysql://mysql.database-poc:3306/sampledb
    set DB_EAP_MODULE=com.mysql
    set FILE=/opt/eap/extensions/mysql-connector-java-8.0.27.jar
    module add --name=$DB_EAP_MODULE --resources=$FILE --dependencies=javax.api,javax.resource.api
    /subsystem=datasources/jdbc-driver=$DB_DRIVER_NAME:add( \
      driver-name=$DB_DRIVER_NAME, \
      driver-module-name=$DB_EAP_MODULE, \
      driver-class-name=$DB_DRIVER, \
      driver-xa-datasource-class-name=$DB_XA_DRIVER \
    /subsystem=datasources/data-source=KeycloakDS:add( \
      jndi-name=java:jboss/datasources/KeycloakDS, \
      enabled=true, \
      use-java-context=true, \
      connection-url=$DB_JDBC_URL, \
      driver-name=$DB_DRIVER_NAME, \
      user-name=$DB_USERNAME, \
      password=$DB_PASSWORD \

  3. Create an image using the official RHSSO Image. (sso75-openshift-rhel8:latest). Below is the Dockerfile to create an image.
    COPY sso-extensions.cli /opt/eap/extensions/
    COPY mysql-connector-java-8.0.27.jar /opt/eap/extensions/mysql-connector-java-8.0.27.jar

    Notice that it is mandatory to copy the sso-extensions.cli file and mysql-connector-java-8.0.27.jar to folder called /opt/eap/extensions/

  4. Build and push the image for some service registry accessible from Openshift. I used the docker hub service.
    $docker build -t iamrogerio2/rhsso75-mysql:1.0 .
    $docker push iamrogerio2/rhsso75-mysql:1.0

    The published image is something like this:

  5. Deploy this image in an Openshift namespace. If the MySQL server is on and the parameters of sso-extensions.cli file are correct, the RHSSO will create a lot of tables in the database indicating that the connection is ok.

    Below is the command to create a namespace and deploy the image.

    $ oc new-project rhsso75-example
    $ oc new-app --docker-image="iamrogerio2/rhsso75-mysql:1.0"
    $ oc create route edge --service=rhsso75-mysql

    Notice that I need to create an HTTPS route using default certificates from Openshift.

  6. This is an optional step but is good practice. Create a configMap to store the file sso-extensions.cli, this way, you don't need to recreate the image if you need to change any database parameter. Basically, we import the sso-extensions.cli file into a configMap and set this configMap into deployConfig.
    $ oc create configmap jboss-cli --from-file=sso-extensions.cli
    $ oc set volume dc/rhsso75-mysql --add --name=jboss-cli -m /opt/eap/extensions -t configmap --configmap-name=jboss-cli --default-mode='0755' --overwrite

Final Consideration

Beyond PostgreSQL and MySQL, RHSSO works very well with the Oracle database.  This example is valid for an Oracle implementation too as long as it inserted the right JDBC Driver.

I didn't work with other database integrations, however, the official documentation for version 7.5 describes these databases:


Version (JDBC driver version)


10.3.27 (MariaDB Connector/J 2.7.2)


8.0 (MySQL Connector/J 8.0.23)

Oracle DB[1]

19c RAC 19.3 (Oracle JDBC Driver v19.10.0.0 (ojdbc8.jar))

Microsoft SQL Server

2019 (Microsoft JDBC Drivers 9.2.0 (.jre8.jar))

Enterprise DB Postgres Plus Advanced Server

13.2 (Postgres Plus Advanced Server Driver 42.2.12)


13.2 (JDBC4 Postgresql Driver, Version 42.2.18)

Enjoy :-).

Источник: DZone Security

Наш сайт является информационным посредником. Сообщить о нарушении авторских прав.

security tutorial red hat openshift middleware sso single sign on keycloak