Enabling security Debug/Trace logging in RHSSO on OpenShift
Environment
- Red Hat Single Sign-On (RH-SSO) 7.x
- Red Hat OpenShift Container Platform (OpenShift) 3.x, 4.x
Issue
- I have a running RH-SSO server deployed on OpenShift. I need to make some changes to the running JBoss EAP server and I want the changes to be permanent. What should I do?
- Enable additional debug or trace logging in RHSSO in OpenShift
- What log levels do I enable for security?
- How do I enable / turn on all security logging
- Debug authentication / authorization
Resolution
By default, RH-SSO and JBoss EAP deployed on OpenShift use the standalone-openshift.xml configuration file.
Instead of editing that file directly, the recommended approach is to apply the changes with a custom CLI script. Here is an example that enables security debug/trace logging:
- Create a script named sso.cli with the content below. Put the CLI commands that change the JBoss EAP server configuration into this file; no connect command is needed, because the script is executed against the embedded server. In this example it is:
/subsystem=logging/logger=org.jboss.security:add(level=ALL)
/subsystem=logging/logger=org.jboss.as.security:add(level=ALL)
/subsystem=logging/logger=org.keycloak:add(level=TRACE)
/subsystem=logging/logger=org.picketbox:add(level=ALL)
/subsystem=logging/logger=org.jboss.as.domain.management.security:add(level=ALL)
/subsystem=logging/logger=org.wildfly.security:add(level=ALL)
/subsystem=logging/logger=org.wildfly.elytron:add(level=ALL)
/subsystem=logging/logger=org.jboss.remoting:add(level=ALL)
/subsystem=logging/logger=org.jboss.sasl:add(level=ALL)
- Create a ConfigMap named jboss-cli to hold the CLI file. Note that the key name must be sso-extensions.cli, with the value being the CLI file just created (sso.cli in this case):
oc create configmap jboss-cli --from-file=sso-extensions.cli=sso.cli
- Change the running DeploymentConfig to mount the ConfigMap with the proper permissions. The script must be mounted at /opt/eap/extensions, because that is the fixed location where the OpenShift image looks for it. This ConfigChange operation triggers a new rollout of the DeploymentConfig; wait for the new pod to roll out.
oc set volume dc/sso --add --name=jboss-cli -m /opt/eap/extensions -t configmap --configmap-name=jboss-cli --default-mode='0755' --overwrite
- Once the settings are no longer needed and should be reverted, do the following:
oc edit dc/sso
(Manually remove the volume entry and the volume mount entry, then save the change. This triggers a new DeploymentConfig rollout.)
(Optionally, delete the ConfigMap with oc delete cm jboss-cli.)
Root Cause
The above is an example of how to change configuration settings on OpenShift.
It applies to any configuration change at the JBoss EAP layer on OpenShift, as long as the change can be executed via the JBoss CLI.
Running this example produces a large volume of output in the log files, delays server startup, and consumes a large amount of volume space, which can cause performance degradation.
It is not recommended for a production environment unless requested by the Red Hat Support team for troubleshooting purposes.
Diagnostic Steps
The server should start up with the configured DEBUG/TRACE level for the loggers.
Examine the RH-SSO server startup log and look for lines such as the following:
07:15:39,994 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Red Hat Single Sign-On 7.4.7.GA (WildFly Core 10.1.20.Final-redhat-00001) started in 2530ms - Started 56 of 87 services (40 services are lazy, passive or on-demand)
standalone embedded /subsystem=logging/logger=org.keycloak/:add(category=org.keycloak,level=TRACE,use-parent-handlers=true)
{"outcome" => "success"}
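The sso.cli step and the startup-log check above, as an added example that is not part of the Red Hat article: a POSIX shell helper that generates the logger commands with level validation and counts the outcomes of the embedded CLI commands in a captured startup log. The logger list, the failure-description text, and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): generate sso.cli logger lines from
# NAME=LEVEL arguments, rejecting levels the logging subsystem does not accept, and
# count the outcomes of the embedded CLI commands in a captured startup log.

# Levels accepted by the JBoss EAP logging subsystem.
VALID_LEVELS="ALL TRACE DEBUG INFO WARN ERROR FATAL OFF"

# gen_cli NAME=LEVEL ... : print one logger add command per argument.
gen_cli() {
  for spec in "$@"; do
    name=${spec%%=*}
    level=${spec#*=}
    case " $VALID_LEVELS " in
      *" $level "*) ;;
      *) echo "gen_cli: invalid level '$level' for logger '$name'" >&2; return 1 ;;
    esac
    printf '/subsystem=logging/logger=%s:add(level=%s)\n' "$name" "$level"
  done
}

# count_cli_results < LOG : print "<succeeded> <failed>", pairing each
# "standalone embedded /subsystem=logging/..." line with the {"outcome" => ...}
# line that follows it in the startup log.
count_cli_results() {
  awk '
    /standalone embedded \/subsystem=logging\// { pending = 1; next }
    pending && /"outcome" => "success"/ { ok++; pending = 0; next }
    pending && /"outcome" => "failed"/  { failed++; pending = 0; next }
    END { printf "%d %d\n", ok + 0, failed + 0 }
  '
}

# Constructed sample startup log: two loggers applied, one duplicate add rejected.
SAMPLE_LOG='standalone embedded /subsystem=logging/logger=org.keycloak/:add(category=org.keycloak,level=TRACE,use-parent-handlers=true)
{"outcome" => "success"}
standalone embedded /subsystem=logging/logger=org.jboss.security/:add(category=org.jboss.security,level=ALL,use-parent-handlers=true)
{"outcome" => "success"}
standalone embedded /subsystem=logging/logger=org.keycloak/:add(category=org.keycloak,level=TRACE,use-parent-handlers=true)
{"outcome" => "failed", "failure-description" => "constructed: duplicate resource"}'

gen_cli org.keycloak=TRACE org.jboss.security=ALL
printf '%s\n' "$SAMPLE_LOG" | count_cli_results   # prints: 2 1
```

Pipe the real pod log into count_cli_results (for example, oc logs on the rolled-out pod) to confirm every logger in sso.cli was applied before relying on the extra log output.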
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.