Server Configuration Posts

How to Remove Docker’s Dangling Image on Windows 10

There are times where i need to clean all unused, dangling docker images on my laptop. Previously im running below command,

docker image prune -a

But it seems like altho almost all images are gone, i can see still some images are still occupying my laptop’s disk. So i have to do something to delete them.

The workaround is quite easy, run PowerShell as Administrator and run below command,

docker rmi $(docker images --quiet --filter "dangling=true") -f

Executing that command will generates this log,

And i can see that my harddisk is now have more free spaces :-)

Google+

Integrating Spring Boot Login with Keycloak or Red Hat Single Sign On

When we are managing many applications, one of the most painful part is managing its user and access right. Because usually different applications have their own user management, and sometimes each user have different credentials between multiple applications.

We can solve this problem by having a one point user management where other application can use this tools for managing their user authentication and authorization. This is where Red Hat Single Sign On (or its opensource product, Keycloak) can comes in handy. It provides an end to end user management lifecyle, from activating a new user, managing them, assigning their access right until deactivating them. On this example, we’ll start with a simple login page by using Keycloak, and how other application (in this example is a Spring Boot app) is connecting to it.

First we need to create a java project with below pom file, im using keycloak-adapter bom and keycloak-spring-boot-starter library for this.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.edw</groupId>
    <artifactId>spring-boot-and-rhsso-otp</artifactId>
    <version>1.0-SNAPSHOT</version>

    <packaging>war</packaging>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.6.RELEASE</version>
        <relativePath/>
    </parent>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.keycloak.bom</groupId>
                <artifactId>keycloak-adapter-bom</artifactId>
                <version>9.0.2</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-spring-boot-starter</artifactId>
            <version>9.0.2</version>
        </dependency>

        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
        </dependency>

        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-jasper</artifactId>
            <scope>provided</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

And perhaps the most important part in this project is, the application.properties. In here, we are putting our Keycloak’s url, realm name, client name, and secret. Also we are defining that only user with admin role can access a URL with /admin/ pattern.

### server port
server.port=8080
spring.application.name=Spring Boot with RHSSO Login

### rhsso configuration
keycloak.auth-server-url=https://rhsso/auth/
keycloak.realm=my-realm
keycloak.resource=my-client
keycloak.public-client=false
keycloak.bearer-only=false
keycloak.principal-attribute=preferred_username
keycloak.credentials.secret=11111111-1111-1111-1111-111111111111

### spring boot ui configuration
spring.mvc.view.prefix=/WEB-INF/jsp/
spring.mvc.view.suffix=.jsp

### authorization
keycloak.security-constraints[0].authRoles[0]=admin
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/admin/*

Next is we need to create a user and role on Red Hat SSO,

After that, we need to create a client and its password,

And put those corresponding values inside application.properties.

We can test whether configuration works well or not by directly accessing to admin page (/admin/index). A successful configuration would prevent an unauthorized user from accessing admin page by showing a Keycloak login page. Admin page only accessible once a user has successfully login thru Keycloak or Red Hat Single Sign On.

Full code can be downloaded on my github page,

https://github.com/edwin/spring-boot-and-rhsso

Have fun with RHSSO and Keycloak (H)

Google+

Fixing “SSL routines:tls_process_ske_dhe:dh key too small” on Containerized RHEL8

I have a very unique error today, so basically my RHEL 8 (Red Hat Enterpise Linux) cannot connect to another system due to SSL issue. The exception is quite clear, and can be seen below.

error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

It is quite easy to do it in a standalone infrastructure, but this problem happen on a containerized application which make it much more complicated.

After searching for a solution, i come up with this Dockerfile

FROM registry.redhat.io/application/application-rhel8:7.8.0

user root
RUN update-crypto-policies --set LEGACY 

user 185

Build it,

docker build -f Dockerfile -t application-rhel8-modified:7.8.0 .

Deploy it, and i can see that the previous error is no longer exist.

Google+

How to Connect to Red Hat AMQ using Artemis and SSL

We can protect our AMQ end point using a specific SSL, preventing those who doesnt have the exact certificate to connecting to my AMQ server’s endpoint.

In order to do so, first we need to create a very simple certificate to be use by our AMQ server with a simple keytool command

keytool -genkey -alias artemists -keyalg RSA -sigalg SHA1withRSA -keystore artemis.ts -keysize 2048

It will generate a new file, artemis.ts

And generate a new keystore,

keytool -genkey -v -keystore broker02.ks -alias broker02 -sigalg SHA1withRSA  -keyalg RSA -keysize 2048 -validity 10000

Put string “password” if you need to input a password while generating those two items.

And reference those files on our AMQ broker.xml configuration,

<acceptor name="core">
tcp://0.0.0.0:61617?protocols=CORE;sslEnabled=true;
	keyStorePath=D:/tmp/broker02.ks;keyStorePassword=password;
	trustStorePath=D:/tmp/artemis.ts;trustStorePassword=password;
	enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,RSA;enabledProtocols=TLSv1,TLSv1.1,TLSv1.2;
	sslProvider=JDK;sniHost=localhost;anycastPrefix=jms.queue.;multicastPrefix=jms.topic;tcpSendBufferSize=1048576;
	tcpReceiveBufferSize=1048576;useEpoll=true;
	amqpCredits=1000;amqpMinCredits=300
</acceptor>

Start our server,

artemis run

We can connect using our artemis client with below command,

artemis producer --url tcp://127.0.0.1:61617?sslEnabled=true --message-count 1

The first time connected, it will shows error on your client’s side,

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)

And on your server’s side,

Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) [java.base:]
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) [java.base:]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308) [java.base:]
        at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:285) [java.base:]
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181) [java.base:]
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) [java.base:]
        at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:685) [java.base:]

Means you need to use your server’s cert on your client while making request, there are multiple ways of doing that. The simplest is by putting your server’s certificate on your local client’s trust store.

keytool -exportcert -alias artemists -keystore artemis.ts -file artemis.cer
keytool -exportcert -alias broker-server -keystore broker02.ks -file broker02.cer

keytool -import -alias artemists -file artemis.cer -cacerts
keytool -import -alias broker-server -file broker02.cer -cacerts

Use password “changeit” while importing your certificate to client’s cacerts.

When re-run artemis producer again, it should gives a successful message like this

\bin>artemis producer --url tcp://127.0.0.1:61617?sslEnabled=true --message-count 1
Producer ActiveMQQueue[TEST], thread=0 Started to calculate elapsed time ...

Producer ActiveMQQueue[TEST], thread=0 Produced: 1 messages
Producer ActiveMQQueue[TEST], thread=0 Elapsed time in second : 0 s
Producer ActiveMQQueue[TEST], thread=0 Elapsed time in milli second : 27 milli seconds
Google+

Connecting From Jenkins to Git Repository such as Gitlab, without Plugins

Basically all you need is your repository url, username and password.

First is adding your git username and password on Jenkins credentials,

And after that, we can create a username and password credentials, and we give an id with the name of “devops”.

Use this jenkins script to execute git commands,

node('maven') {
	stage('Clone') {
		sh "git config --global http.sslVerify false"
		git branch:"branch-01", url:"https://git.mygit.id/git/something/project.git", credentialsId:'devops'
	}
}
Google+