forked from mswatosh/was-kerberos-database
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adding Liberty with SQLServer environment
- Loading branch information
Showing
10 changed files
with
218 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -34,7 +34,7 @@ Password: password | |
| WSAdmin testing: | ||
| `/opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -conntype NONE -lang jython` | ||
|
|
||
| ### Liberty (Currently disabled) | ||
| ### Liberty | ||
| **Liberty doesn't support accessing databases using kerberos** | ||
|
|
||
| The Liberty environment is in liberty.yml | ||
|
|
@@ -49,6 +49,13 @@ http://localhost:9080/was-kerberos-database/example | |
| Which will respond with: `java.sql.SQLInvalidAuthorizationSpecException: [jcc][t4][201][11237][4.25.13] Connection authorization failure occurred. Reason: Security mechanism not supported. ` | ||
| This shows that DB2 won't accept user/password, because it is expecting kerberos authentication. | ||
|
|
||
| ### Liberty with SQLServer | ||
| **Liberty doesn't support accessing databases using kerberos** | ||
|
|
||
| The compose environment for Liberty with SQL Server is liberty-mssql.yml | ||
| Currently there is no kerberos configured for SQLServer | ||
|
|
||
|
|
||
| ### Kerberos | ||
| Realm: EXAMPLE.COM | ||
| User: db2user/[email protected] | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| version: '3' | ||
| volumes: | ||
| krb5kdc-data: | ||
| services: | ||
| liberty: | ||
| build: | ||
| context: ./liberty | ||
| dockerfile: mssql.Dockerfile | ||
| ports: | ||
| - "9080:9080" | ||
| - "443:443" | ||
| environment: | ||
| - KRB5_REALM=EXAMPLE.COM | ||
| - KRB5_KDC=kerberos | ||
| depends_on: | ||
| - "sqlserver" | ||
| networks: | ||
| krbnet: | ||
| ipv4_address: 10.5.0.4 | ||
| volumes: | ||
| - ./trace/liberty/logs:/logs | ||
| sqlserver: | ||
| build: sqlserver | ||
| ports: | ||
| - "1433:1433" | ||
| environment: | ||
| - KRB5_REALM=EXAMPLE.COM | ||
| - KRB5_KDC=kerberos | ||
| privileged: True | ||
| depends_on: | ||
| - "kerberos" | ||
| networks: | ||
| krbnet: | ||
| ipv4_address: 10.5.0.5 | ||
| kerberos: | ||
| build: kdc-server | ||
| ports: | ||
| - "88:88" | ||
| - "464:464" | ||
| - "749:749" | ||
| environment: | ||
| - KRB5_REALM=EXAMPLE.COM | ||
| - KRB5_KDC=localhost | ||
| - KRB5_PASS=password | ||
| volumes: | ||
| - krb5kdc-data:/var/lib/krb5kdc | ||
| networks: | ||
| krbnet: | ||
| ipv4_address: 10.5.0.9 | ||
| networks: | ||
| krbnet: | ||
| ipam: | ||
| config: | ||
| - subnet: 10.5.0.0/16 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| FROM open-liberty | ||
|
|
||
| USER root | ||
|
|
||
| RUN apt-get update | ||
| RUN apt-get install -y krb5-user libpam-krb5 libpam-ccreds auth-client-config | ||
| RUN chmod 777 /etc | ||
| RUN mkdir /etc/krb5 | ||
| RUN printf 'add_entry -password -p db2user/[email protected] -k 1 -e aes256-cts\npassword\nwkt /etc/krb5.keytab' | ktutil | ||
| RUN printf 'add_entry -password -p db2user/[email protected] -k 1 -e aes256-cts\npassword\nwkt /etc/krb5.keytab' | ktutil | ||
|
|
||
| ADD docker-entrypoint.sh / | ||
| RUN chmod a+x /docker-entrypoint.sh | ||
|
|
||
| #Copy new liberty image | ||
| #RUN rm /liberty/lib/com.ibm.ws.jdbc_1.0.33.jar | ||
| #COPY /updates /liberty | ||
|
|
||
| COPY mssql.server.xml /opt/ol/wlp/usr/servers/defaultServer/server.xml | ||
| COPY ./build/libs/was-kerberos-database.war /opt/ol/wlp/usr/servers/defaultServer/apps/was-kerberos-database.war | ||
| COPY ./build/dependencies/mssql.jar /opt/ol/wlp/usr/shared/mssql.jar | ||
|
|
||
| ENTRYPOINT ["/docker-entrypoint.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| <server> | ||
|
|
||
| <featureManager> | ||
| <feature>servlet-4.0</feature> | ||
| <feature>jdbc-4.2</feature> | ||
| <feature>appSecurity-2.0</feature> | ||
| <feature>jca-1.7</feature> | ||
| <feature>cdi-2.0</feature> | ||
| </featureManager> | ||
|
|
||
| <library id="MSSQLLIB"> | ||
| <fileset dir="/opt/ol/wlp/usr/shared/" includes="mssql.jar"/> | ||
| </library> | ||
|
|
||
| <library id="loginLib"> | ||
| </library> | ||
|
|
||
| <webApplication id="was-kerberos-database" location="was-kerberos-database.war" name="was-kerberos-database"> | ||
| <application-bnd> | ||
| <security-role name="Manager" id="Manager"> | ||
| <user name="user1"/> | ||
| </security-role> | ||
| <security-role name="Employee" id="Employee"> | ||
| <user name="user2"/> | ||
| </security-role> | ||
| </application-bnd> | ||
| </webApplication> | ||
|
|
||
| <basicRegistry realm="defaultRealm"> | ||
| <user password="password" name="user1"/> | ||
| <user password="password" name="user2" /> | ||
| </basicRegistry> | ||
|
|
||
| <!-- Must be named JaasClient for the JCC driver --> | ||
| <jaasLoginContextEntry id="JaasClient" name="JaasClient" loginModuleRef="krb5LoginModule" /> | ||
| <jaasLoginModule id="krb5LoginModule" className="com.ibm.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED" libraryRef="loginLib"> | ||
| <options credsType="both" useKeytab="/etc/krb5.keytab" principal="db2user/[email protected]"/>- <!-- debug="false" useDefaultCcache="true" --> | ||
| </jaasLoginModule> | ||
|
|
||
| <dataSource id="db2ds" jndiName="jdbc/db2ds"> | ||
| <jdbcDriver libraryRef="MSSQLLIB"/> | ||
| <properties.microsoft.sqlserver databaseName="TESTDB" serverName="sqlserver" portNumber="1433"/> | ||
| </dataSource> | ||
|
|
||
| <dataSource id="noKrb5" jndiName="jdbc/nokrb5"> | ||
| <jdbcDriver libraryRef="MSSQLLIB"/> | ||
| <properties.microsoft.sqlserver databaseName="TESTDB" serverName="sqlserver" portNumber="1433"/> | ||
| <containerAuthData user="SA" password="P@ssw0rd"/> | ||
| </dataSource> | ||
|
|
||
| <!-- | ||
| <spnego | ||
| includeClientGSSCredentialInSubject="true" | ||
| krb5Config="/etc/krb5.conf" | ||
| krb5Keytab="/etc/krb5.keytab"/> | ||
| --> | ||
| <logging traceSpecification="*=info:RRA=all:WAS.j2c=all:WAS.database=all:com.ibm.ws.db2.logwriter=all"/> | ||
| <!-- | ||
| <logging traceSpecification="*=info:RRA=all:WAS.j2c=all:WAS.database=all:com.ibm.ws.db2.logwriter=all:com.microsoft.sqlserver.*=all:SSL=all:com.ibm.ws.security.*=all:com.ibm.ws.security.policy.*=off"/> | ||
| --> | ||
|
|
||
| </server> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| FROM mcr.microsoft.com/mssql/server:2019-latest | ||
|
|
||
| USER root | ||
|
|
||
| ENV ACCEPT_EULA=Y | ||
| ENV MSSQL_SA_PASSWORD=P@ssw0rd | ||
|
|
||
| ADD docker-entrypoint.sh / | ||
| RUN chmod a+x /docker-entrypoint.sh | ||
|
|
||
| RUN mkdir /usr/src/app | ||
| COPY /usr/src/app/createschema.sh /usr/src/app/createschema.sh | ||
| RUN chmod a+x /usr/src/app/createschema.sh | ||
| COPY /usr/src/app/setup.sql /usr/src/app/setup.sql | ||
| RUN chmod a+x /usr/src/app/setup.sql | ||
|
|
||
| ENTRYPOINT ["/docker-entrypoint.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| #!/bin/sh | ||
|
|
||
| if [ -z ${KRB5_REALM} ]; then | ||
| echo "No KRB5_REALM Provided. Exiting ..." | ||
| exit 1 | ||
| fi | ||
|
|
||
| if [ -z ${KRB5_KDC} ]; then | ||
| echo "No KRB5_KDC Provided. Exting ..." | ||
| exit 1 | ||
| fi | ||
|
|
||
| if [ -z ${KRB5_ADMINSERVER} ]; then | ||
| echo "KRB5_ADMINSERVER provided. Using ${KRB5_KDC} in place." | ||
| KRB5_ADMINSERVER=${KRB5_KDC} | ||
| fi | ||
|
|
||
| echo "Creating Krb5 Client Configuration" | ||
|
|
||
| cat <<EOT > /etc/krb5.conf | ||
| [libdefaults] | ||
| dns_lookup_realm = false | ||
| ticket_lifetime = 24h | ||
| renew_lifetime = 7d | ||
| forwardable = true | ||
| rdns = false | ||
| default_realm = ${KRB5_REALM} | ||
| [realms] | ||
| ${KRB5_REALM} = { | ||
| kdc = ${KRB5_KDC} | ||
| admin_server = ${KRB5_ADMINSERVER} | ||
| } | ||
| EOT | ||
|
|
||
| #sqlservr must be on the right to run in the foreground and keep the container alive | ||
| /usr/src/app/createschema.sh & /opt/mssql/bin/sqlservr |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| #wait for the SQL Server to come up | ||
| sleep 45s | ||
|
|
||
| hostname sqlserver | ||
|
|
||
| #run the setup script to create the DB and the schema in the DB | ||
| /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P P@ssw0rd -d master -i /usr/src/app/setup.sql |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| CREATE DATABASE TESTDB; | ||
| GO | ||
| USE TESTDB; | ||
| GO |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters