
Chapter 2. 3scale integration with Red Hat Single Sign-On using OpenID Connect


3scale can synchronize client credentials between 3scale (Application credentials) and a Red Hat Single Sign-On server using OpenID Connect (OIDC). 3scale uses a service called Zync to make the synchronization calls to the Red Hat Single Sign-On server.

2.1. Prerequisites:

  • 3scale 2.1
  • A Red Hat Single Sign-On version as specified on the Supported Configurations page
  • SSL connection between Zync and RHSSO.

In order to connect 3scale and Red Hat Single Sign-On, perform the following configurations in Zync, your Red Hat Single Sign-On server and 3scale:

2.2. Configure Zync

In 3scale API Management Platform 2.1, self-signed and custom certificates are not supported and will be rejected by Zync. To establish an SSL connection between Zync and RHSSO, configure Zync to support custom certificates with the following workaround:

  1. Validate the new certificate with the following cURL command. The expected response is a JSON configuration of the realm. If validation fails it is an indicator that your certificate may not be correct.

    curl -v https://<secure-sso-host>/auth/realms/master --cacert customCA.pem
  2. Add the certificate bundle to the Zync pod:

    1. Gather the existing content of the /etc/pki/tls/cert.pem file on the Zync pod. Run:

      oc exec <zync-pod-id> cat /etc/pki/tls/cert.pem | tee -a cacert.pem cert.pem
    2. Append the contents of the custom CA certificate file to both cacert.pem and cert.pem:

      cat customCA.pem | tee -a cacert.pem cert.pem
  3. Log in to the 3scale AMP project in OpenShift and run the following commands. This updates the CA certificate used by the libraries that Zync depends on.

    oc create configmap cacertpem --from-file=./cacert.pem
    oc create configmap certpem --from-file=./cert.pem
    oc set volume dc/zync --add --name=cacertpem --mount-path /opt/zync/vendor/bundle/ruby/2.3.0/gems/httpclient-2.8.3/lib/httpclient/cacert.pem --source='{"configMap":{"name":"cacertpem","items":[{"key":"cacert.pem","path":"cacert.pem"}]}}'
    oc set volume dc/zync --add --name=certpem --mount-path /etc/pki/tls/cert.pem --source='{"configMap":{"name":"certpem","items":[{"key":"cert.pem","path":"cert.pem"}]}}'
    oc patch dc/zync --type=json -p '[{"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/0/subPath", "value":"cacert.pem"},{"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/1/subPath", "value":"cert.pem"}]'
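The bundle-building steps above (gather the pod's cert.pem, then append the custom CA with tee -a) are not idempotent: every run appends the custom CA to both bundles again, so a repeated procedure leaves duplicate certificates behind. The script below is an added example and is not part of the Red Hat documentation or of Zync itself. It wraps the same steps in POSIX shell functions that first check the custom CA file is PEM-formatted, append it to each bundle only if that exact certificate text is not already present, and count the certificate blocks in the result so the outcome can be verified. The function names and the build_zync_bundles wrapper that calls oc are assumptions of this example; the oc invocation mirrors the documented command.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation or from Zync.
# Assumes POSIX sh and that oc is logged in to the 3scale AMP project
# (only build_zync_bundles needs oc; the other functions work on local files).

# Count PEM certificate blocks in a bundle file (0 if the file is missing).
count_certs() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Sanity check: the custom CA file must contain a PEM certificate block.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null &&
        grep -q '^-----END CERTIFICATE-----$' "$1" 2>/dev/null
}

# Return 0 if the bundle already contains the exact certificate text of $2.
# Both files are flattened (newlines removed) so that line wrapping differences
# do not hide a duplicate.
bundle_has_cert() {
    bundle=$1; ca=$2
    [ -f "$bundle" ] || return 1
    bundle_flat=$(tr -d '\n' < "$bundle")
    ca_flat=$(tr -d '\n' < "$ca")
    case "$bundle_flat" in
        *"$ca_flat"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append the custom CA ($1) to every bundle given as $2.. unless it is already
# there. Prints the number of bundles that were actually modified.
append_custom_ca() {
    ca=$1; shift
    is_pem_cert "$ca" || { echo "not a PEM certificate: $ca" >&2; return 1; }
    changed=0
    for bundle in "$@"; do
        if bundle_has_cert "$bundle" "$ca"; then
            continue
        fi
        # If the bundle does not end with a newline, add one first; otherwise the
        # END marker of the last certificate and the BEGIN marker of the new one
        # would share a line and the bundle would no longer parse.
        if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
            printf '\n' >> "$bundle"
        fi
        cat "$ca" >> "$bundle"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Full workflow mirroring the documented steps: fetch the pod's existing
# /etc/pki/tls/cert.pem, seed both bundles with it, then append the custom CA once.
# Usage: build_zync_bundles <zync-pod-id> customCA.pem
build_zync_bundles() {
    pod=$1; ca=$2
    oc exec "$pod" -- cat /etc/pki/tls/cert.pem > cert.pem
    cp cert.pem cacert.pem
    append_custom_ca "$ca" cacert.pem cert.pem
}
```

Run build_zync_bundles from the directory where cacert.pem and cert.pem should be written, then continue with the oc create configmap commands above. The PEM blocks used when testing these functions carry constructed placeholder bodies and are not real certificates; the functions only check the BEGIN/END framing, so validating the actual CA against the RHSSO host with the curl command in step 1 is still required.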

2.3. Configure Red Hat Single Sign-On

  1. Create a realm
  2. Create a client:

    1. Specify a client ID
    2. Select the openid-connect client protocol
  3. Configure client permissions, setting the following:

    1. Access Type to confidential
    2. Standard Flow Enabled to OFF
    3. Direct Access Grants Enabled to OFF
    4. Service Accounts Enabled to ON
  4. Set service account roles for your client

    1. Navigate to the service account roles tab of your client
    2. In the client roles dropdown, select realm management
    3. In the available roles pane, select the manage-clients list item and assign the role by clicking Add Roles
  5. Note client credentials

    1. Take note of the client ID
    2. Navigate to the Credentials tab of your client and take note of the secret

2.4. Configure 3scale

Once you have created and configured a server and client in Red Hat Single Sign-On, you must configure 3scale to work with Red Hat Single Sign-On:

  1. Enable OIDC

    1. Select the service on which you want to enable Red Hat Single Sign-On, navigate to the APIs <your_service_name> integration page
    2. On that page, select edit integration settings
    3. Under the Authentication deployment options, select OpenID Connect
    4. Update the service
  2. Edit Your APIcast Configuration

    1. Navigate to the APIs <your_service_name> integration page
    2. On that page, select edit APIcast configuration
    3. Under the Authentication Settings expandable heading, in the OpenID Connect Issuer field, enter your previously noted client credentials with the URL of your Red Hat Single Sign-On server:

      https://<CLIENT_ID>:<CLIENT_SECRET>@<HOST>:<PORT>/auth/realms/<REALM_NAME>
    4. Save your configuration
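Because the issuer value embeds the client secret in the URL, a useful check before saving it is to fetch the realm's OpenID Connect discovery document with the credentials removed from the URL, over the same custom CA that was validated in the Zync section. The functions below are an added example and not part of the original page or of 3scale; they assume POSIX sh with sed -E, and that Red Hat Single Sign-On serves the standard discovery document at .well-known/openid-configuration under the realm URL. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation or from 3scale.
# Assumes POSIX sh with sed -E, curl, and the standard Keycloak/RHSSO
# discovery path <realm URL>/.well-known/openid-configuration.

# Strip the userinfo part (client_id:client_secret@) from an issuer URL so the
# credentials are never sent to, or logged by, the discovery endpoint.
issuer_without_credentials() {
    printf '%s\n' "$1" | sed -E 's#^(https?://)[^/]*@#\1#'
}

# Derive the realm's discovery URL from the issuer value entered in APIcast.
discovery_url() {
    base=$(issuer_without_credentials "$1")
    base=${base%/}   # tolerate a trailing slash
    printf '%s/.well-known/openid-configuration\n' "$base"
}

# Extract the realm name, for comparing with the realm created in RHSSO.
realm_from_issuer() {
    base=$(issuer_without_credentials "$1")
    base=${base%/}
    printf '%s\n' "${base##*/}"
}

# Network check (run interactively): fetch the discovery document using the
# custom CA and confirm it contains an "issuer" entry. A TLS failure here means
# the CA bundle does not match the RHSSO server; an HTTP error means the realm
# name in the issuer URL is wrong.
# Usage: check_realm 'https://<CLIENT_ID>:<CLIENT_SECRET>@<HOST>:<PORT>/auth/realms/<REALM_NAME>' customCA.pem
check_realm() {
    issuer=$1; ca=$2
    curl -fsS --cacert "$ca" "$(discovery_url "$issuer")" | grep -q '"issuer"'
}
```

check_realm only tells you the realm is reachable over the expected trust chain; it does not exercise the client credentials, which are verified by the application synchronization tests in the next section.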

2.5. Test Integration

Perform the following procedures in 3scale and verify the results in Red Hat Single Sign-On to test your integration:

  1. 3scale procedure: Create an application for the service where you configured the OpenID Connect Issuer. Note the Client ID and client secret generated for the application.
     Red Hat Single Sign-On result: The new client appears in the Red Hat Single Sign-On realm you are using.
  2. 3scale procedure: Change the Redirect URL on the application in 3scale.
     Red Hat Single Sign-On result: The Redirect URL was updated.
  3. 3scale procedure: Delete the application.
     Red Hat Single Sign-On result: The client is deleted from the realm.

© 2025 Red Hat