The lab is a collection of step-by-step tasks to:
- setup aio edge on GCP
- create a windows server instance
- install and setup AD and ADFS on that instance
- add apigee-sso on aio node
- setup second edge node with new Edge UI
- integrate them
Audience and Usage Notes
Although not required, to make the experience more smooth you better to have a trial GCP project. if you're using Googler GCP project, you better use Private Network IP addresses due to firewall enforcer. In case of a standard GCP project or QWIKLabs environment, use firewall rules to open required ports as per optional instructions section...
This lab is self-sufficient. Empty Google project as a starting point. No assumptions of Edge pre-installed components.
If you are a beginner in Linux Administration/Edge installation, it is recommended to get an access to the GCP project. If you know what you're doing, you can start with any 2 CentOs/RedHat nodes and a Windows box for AD/FS installation.
You can also use this lab for installing SSO/NEE on top of existing Edge topology or troubleshooting existing installation.
Prerequisites:
- GCP project
- Apigee rpm repo credentials
- Apigee Edge license
- RDP client
How will you use this tutorial?
How would you rate your experience with Google Cloud Platform?
1. Open https://console.cloud.google.com. Click on Activate Cloud Shell button.
2. Define useful environment variables at your workstation terminal window
export ZONE_ID=europe-west1-b
export PROJECT_ID=<your-project-id>
export APIGEE_SERVICE_ACCOUNT=apigee-sa
export JUMPBOX=jumpbox
gcloud config set compute/zone $ZONE_ID3. Create service account for cluster management cluster
For details: https://cloud.google.com/iam/docs/understanding-service-accounts
gcloud iam service-accounts create $APIGEE_SERVICE_ACCOUNT --display-name "Apigee Edge Service Account"
gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$APIGEE_SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" --role='roles/iam.serviceAccountUser'
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$APIGEE_SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com --role roles/compute.admin4. Create jumpbox node we are going to use as Bastion Host
https://cloud.google.com/solutions/connecting-securely#bastion
gcloud compute instances create $JUMPBOX --image-family=centos-7 --image-project=centos-cloud --scopes=cloud-platform --service-account=$APIGEE_SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com 5. If not yet, open Compute Engine/VM Instances menu in console and click on SSH Combo-box button to open ssh session to the jumpbox and define environment
6. Define environment variable in jumpbox session
export PROJECT_ID=<your-project-id>
export ZONE_ID=europe-west1-b
gcloud config set compute/zone $ZONE_ID7. Create nodes for all-in-one Apigee Edge OPDK instance, exco-aio and another node for New Edge Experience components, exco-nee.
gcloud compute instances create --image-family=centos-7 --image-project=centos-cloud --machine-type=n1-standard-4 --boot-disk-size=25GB exco-aio
gcloud compute instances create --image-family=centos-7 --image-project=centos-cloud --machine-type=n1-standard-4 --boot-disk-size=25GB exco-nee8. In the console, click on REFRESH button to Validate list of VM instances.
9. Setup ssh passwordless key for an admin user called edge, which is an identity we are going to use to manage nodes.
sudo yum install -y jq
ssh-keygen -t rsa -f ~/.ssh/edge -C edge -q -N ""
SSH_KEYS=`gcloud compute project-info describe --format=json | jq -r '.commonInstanceMetadata.items[] | select( .key== "ssh-keys") | .value'`
EDGE_SSH_KEY=`cat ~/.ssh/edge.pub | awk '{print "edge:" $1 " " $2 " google-ssh {\"userName\":\"edge\",\"expireOn\":\"2019-12-30T20:12:00+0000\"}"}'`
gcloud compute project-info add-metadata --no-user-output-enabled --metadata-from-file ssh-keys=<( echo -e "$SSH_KEYS\n$EDGE_SSH_KEY" )11. In the Console, open Compute Engine/Metadata. Select SSH Keys tab and locate the key you just created.
11. Add following line the ~/.ssh/config file for the ssh passwordless configuration.
Host exco-aio
User edge
IdentityFile ~/.ssh/edge
Host exco-nee
User edge
IdentityFile ~/.ssh/edge11. Set up rw for user only permissions on ~/.ssh/config
sudo chmod 600 ~/.ssh/configSet up Edge Classic at exco-aio
1. Ssh into exco-aio node. Accept exco-aio node fingerprint.
ssh exco-aio Sync point. Verify that you are user edge at node exco-aio:
[yuriyl@jumpbox ~]$ ssh exco-aio Last login: Fri Jan 18 17:11:17 2019 from jumpbox.c.<project-id>.internal [edge@exco-aio ~]$
2. Verify that hostname returns single IPv4 address
$ hostname -i
10.132.0.33. Install utilities and setup apigee-install folder for user edge
sudo yum install -y mc nc wget
sudo mkdir /opt/apigee-install
sudo chown edge: /opt/apigee-install4. Copy license file and rpm repo credentials file to the /opt/apigee-install folder. This is a sample contents:
cat /opt/apigee-install/credentials.txt
User: <repo-user>
Password: <repo-password>cat /opt/apigee-install/license.txt
WI...
...
...Q==5. Define silent config file edge-aio.cfg
cat <<EOT > /opt/apigee-install/edge-aio.cfg
IP1=$(hostname -i)
HOSTIP="\$IP1"
ENABLE_SYSTEM_CHECK=n
ADMIN_EMAIL=admin@exco.com
APIGEE_ADMINPW=Apigee123!
LICENSE_FILE=/opt/apigee-install/license.txt
MSIP=\$IP1
LDAP_TYPE=1
APIGEE_LDAPPW=Apigee123!
MP_POD=gateway
REGION=dc-1
ZK_HOSTS="\$IP1"
ZK_CLIENT_HOSTS="\$IP1"
CASS_HOSTS="\$IP1"
PG_PWD=postgres
SKIP_SMTP=y
SMTPMAILFROM="admin@exco.com"
EOT
6. Define org/env/vhost provision file
cat <<EOT > /opt/apigee-install/edge-provision-org-env.cfg
IP1=$(hostname -i)
MSIP=\$IP1
ADMIN_EMAIL=admin@exco.com
APIGEE_ADMINPW="Apigee123!"
NEW_USER="y"
USER_NAME=orgadmin@exco.com
FIRST_NAME=OrgAdminName
LAST_NAME=OrgAdminLastName
USER_PWD=Apigee123!
ORG_NAME=org
ORG_ADMIN=\$USER_NAME
ENV_NAME=dev
VHOST_PORT=9001
VHOST_NAME=default
VHOST_ALIAS=\${ORG_NAME}_\${ENV_NAME}.apigee.net
USE_ALL_MPS=y
EOT8. Install openjdk version 8.
sudo yum -y install java-1.8.0-openjdk
java -version8. Temporarily reset SELinux into permissive mode
sudo setenforce 09. Bootstrap Edge and install apigee-setup
wget https://software.apigee.com/bootstrap_4.19.01.sh -O /opt/apigee-install/bootstrap_4.19.01.sh
export REPO_CLIENT_ID=`awk '/User:/{print $2}' /opt/apigee-install/credentials.txt`
export REPO_PASSWORD=`awk '/Password:/{print $2}' /opt/apigee-install/credentials.txt`
sudo bash /opt/apigee-install/bootstrap_4.19.01.sh apigeeuser=$REPO_CLIENT_ID apigeepassword=$REPO_PASSWORD
sudo /opt/apigee/apigee-service/bin/apigee-service apigee-setup install10. Install Edge aio using edge-aio.cfg silent config file
sudo /opt/apigee/apigee-setup/bin/setup.sh -f /opt/apigee-install/edge-aio.cfg -p aio | tee /opt/apigee-install/edge-apigee-install-aio-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log10. Validate Edge AIO installation
/opt/apigee/apigee-service/bin/apigee-service apigee-validate install | tee /opt/apigee-install/edge-apigee-validate-install-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log
/opt/apigee/apigee-service/bin/apigee-service apigee-validate install | tee /opt/apigee-install/edge-apigee-validate-setup-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log
/opt/apigee/apigee-service/bin/apigee-service apigee-validate setup -f /opt/apigee-install/edge-aio.cfg | tee /opt/apigee-install/edge-apigee-validate-install-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log11. Provision org and env
/opt/apigee/apigee-service/bin/apigee-service apigee-provision setup-org -f /opt/apigee-install/edge-provision-org-env.cfg | tee /opt/apigee-install/edge-apigee-setup-org-install-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.logProvisioning Windows Server
1. Provision Windows Server 2016 instance exco-adfs
gcloud beta compute --project=$PROJECT_ID instances create exco-adfs --zone=$ZONE_ID --machine-type=n1-standard-2 --image=windows-server-2016-dc-v20181211 --image-project=windows-cloud --boot-disk-size=50GB --boot-disk-type=pd-standard --boot-disk-device-name=exco-adfs2. Reset and make a note of your Windows password. You need it to login into Windows box, but also to supply ADFS credentials.
gcloud compute reset-windows-password exco-adfs
3. Configure MS RDP client desktop entry for user apigee_sa
4. Log into exco-adfs box, double-click at the exco-adfs desktop entry.
5. In a browser, open Edge UI URL and use admin@exco.com:Apigee123 credentials to log in.
http://10.132.0.3:9000
Reference Configuration Information:
Server Name: exco-adfs
IP Address (ipconfig): 10.132.0.12
AD Forest: Exco.local
Federation Service Name: adfs.exco.com
DSRM Password: Apigee123!
1. Log into exco-adfs box, double-click at the exco-adfs desktop entry.
Installing the AD FS role
1. Using Server Manager. Dashboard open Add roles and features Wizard
2. Check 
checkbox and press Next.
3. In the Installation Type page, make sure that radiobutton: Role-based or feature-based installation is selected. Press Next
4. At the Server Selection page, select exco-adfs server. Next
5. Check Active Directory Domain Services. In pop-up add prerequisites.
Press Add features button.
6. Next. Next.
7. AD DS Page. Next
8. Confirmation page. Install.
9. Press Close button.
Promoting Server to Domain Controller
1. In Notifications,
click Promote this server to a domain controller.
2. Select Add a new forest radiobutton. Specify Exco.local. Next
3. Domain Controller Options. DSRM Password: Apigee123!
4. Next. DNS delegation warning. Next.
5. Additional Options. Make sure the default NetBIOS name is assigned. EXCO. Next.
6. Paths. Accept defaults. Next
7. Summary of All Installation Options/Selections. View Script
#
# Windows PowerShell script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "WinThreshold" `
-DomainName "Exco.local" `
-DomainNetbiosName "EXCO" `
-ForestMode "WinThreshold" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true8. Next button click will trigger prerequisites check and will show the violated rule:
Change local administrator password
9. In the Start menu under Windows System group, right-click on Command Prompt; Select More; Run as an Administrator menu item.
10. Run following command to change local administrator password
net user administrator *Type and retype a password: Apigee123!
11. After the password is changed successfully, press Previous and Next button of the Prerequisites Check of the ADDS Configuration Wizard to trigger the prerequisites check. This time it will finish successfully only with some warnings but without errors.
12. Press Install.
After the server restarts, open the desktop again and log in.
NOTE: Please wait for the Group Policy Client message for some looong time.
Use Tools listbox to validate installed components.
Install the AD FS Server Role
1. Open Server Manager and chose Manage; Add Roles and Features. Next
2. At the Installation Type wizard page, check radio-button: Role-based or feature-based installation. Next
3. Select server. Next
4. Server Roles. Check Active Directory Federation Services box. Next
5. In the Features page, click Next.
6. AD FS. Next.
7. No need to restart the server. Press Install. Close.
For Details, see: https://www.digicert.com/csr-creation-ssl-installation-ad-fs-windows-server-2012-iis8.htm
http://woshub.com/how-to-create-self-signed-certificate-with-powershell/
https://docs.microsoft.com/en-us/powershell/module/pkiclient/?view=win10-ps
Create a CSR and Self-signed Certificate Using PowerShell
1. Start Windows PowerShell as Administrator
2. To see the list of available cmdlets for certificate manipulations, execute
Get-Command -Module PKI3. The New-SelfSignedCertificate can only install certificates to the My certificate store, and that requires local administrator rights on the device. Execute following fragment to create an adfs certificate:
$todaydt = Get-Date
$years = $todaydt.AddYears(10)
New-SelfSignedCertificate -dnsname adfs.exco.com -notafter $years -CertStoreLocation cert:\LocalMachine\MyOutput:
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint Subject
---------- -------
A3B12D1E00AABA4EDC8A2CA27BCAA22A8F7920E0 CN=adfs.exco.com4. Set up a certificate password variable
$CertPassword = ConvertTo-SecureString -String "Apigee123!" -Force –AsPlainText5. Prepare C:\adfs-certificates directory.
mkdir C:\adfs-certificates6. Export the certificate to an C:\adfs-certificates directory, using certificate thumbprint from the previous step.
Export-PfxCertificate -Cert cert:\LocalMachine\My\A3B12D1E00AABA4EDC8A2CA27BCAA22A8F7920E0 -FilePath C:\adfs-certificates\adfs-cert.pfx -Password $CertPasswordAdd apigee_sa to the Domain Admins group
1. Open Tools/Active Directory Users and Computers of the Service Manager. Navigate to Exco.local/Users.
2. Open Properties dialog of Domain Admins Security Group - Global. Activate Members tab.
3. Add apigee_sa to to this group.
4. Re-login your current session to refresh group memberships. [Don't tell me: I know. Just move to Linux.]
DNS Entry creation
1. Using Server Manager, open Tools/DNS Manager.
2. In the EXCO-ADFS DNS Server, right-click New Zone... context-menu item.
The New Zone wizard will open. To continue, click Next.
3. Select Primary zone type of zone.
4. Select active directory zone replication scope: To all DNS servers running on domain controllers in this domain: Exco.local
5. Select Forward lookup zone type of lookup zone.
6. Enter Zone name: exco.com
7. Select allowed type of dynamic updates: Allow only secure dynamic updates.
8. Press Finish on the settings summary wizard page.
9. Use ipconfig command in the command window to obtain IP Address of this server.
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : c.prakashtest
Link-local IPv6 Address . . . . . : fe80::ed9e:46
IPv4 Address. . . . . . . . . . . : 10.132.0.12
...10. To create host record, open EXCO-ADFS/Forward lookup Zones subtree, right-click Exco.com item and chose New Host (A or AAAA)... context-menu item.
12. Fill the Name and IP address fields
Name: adfs
IP Address: <from the previous step>
Create associated pointer (PTR) record: check it.
12. Click on Add Host button.
Create KdsRootKey using PowerShell
1. In the PowerShell session, execute Add-KdsRootKey command (use Get-Help Add-KdsRootKey for details):
Import-Module ActiveDirectory
Add-KdsRootKey -EffectiveImmediatelyOutput:
Guid
----
4be76f4a-6306-dff3-b2cf-dce852dc4df3Federation Service Configuration
1. In the Server Manager, in the Notifications list, click the message Configure the federation service on this server.
2. AD FS Wizard. Radio-button Create the first federation server in a federation server farm. Next.
3. In Connect to AD DS page of AD FS Configuration Wizard, click on Change button to the right of <No credentials provided> textbox.
In the Windows Security dialog, enter name and password of apigee_sa user.
Click OK.
Next.
4. Specify Service Properties: Certificates and Federation Service names.
Press Import... button and navigate to C:\adfs-certificate to pick up adfs-cert. In the Enter certificate password dialog, enter private key password you used during certificate creation.
5. After the dialog closes, click on View button below adfs.exco.com combo-box to open Certificate dialog.
6. Click at the Install Certificate... button to import this certificate as a Trusted Root Certificate.
7. The Certificate Import Wizard will open. Select Local Machine as a Store Location. Chose Place all certificates in the following store radio-button and Browse... to select Trusted Root Certification Authorities.
8. Next and Finish. The Import was successful message should appear. Click OK to close the dialog.
9. Close Certificate dialog. You can open the certificate via View link again to verify that the certificate is now trusted.
?. Enter Federation Service Display Name: Exco AD FS Server 
Next.
10. Create adfs_sa Group Managed Service Account
Next.
11. Create WID instance to hold ADFS configuration database. Select the radiobutton.
12. Review selected options.
This server will be configured as the primary server in a new AD FS farm 'adfs.exco.com'. AD FS configuration will be stored in Windows Internal Database. Windows Internal Database feature will be installed on this server if it is not already installed. A group Managed Service Account EXCO\adfs_sa$ will be created if it does not already exist and this host will be added as a member. Federation service will be configured to run as EXCO\adfs_sa$.
Next. The prerequisite Check will run and pass successfully.
13. Click Configure to initiate AD FS installation.
Close.
1. Check status of the sign on page and enable it
PS C:\Windows\system32> Get-AdfsProperties | Select-Object EnableIdpInitiatedSignonpage
EnableIdpInitiatedSignonPage
----------------------------
False
PS C:\Windows\system32> Set-AdfsProperties –EnableIdpInitiatedSignonPage $True
PS C:\Windows\system32> Get-AdfsProperties | Select-Object EnableIdpInitiatedSignonpage
EnableIdpInitiatedSignonPage
----------------------------
True2. In a browser navigate to the following page:
https://adfs.exco.com/adfs/ls/idpinitiatedSignOn.aspx
Create Edge System Administrator User:
1. Open Tools/Active Directory Users and Computers
2. At the Exco.local/Users folder, right-click New/User
3. Fill the form for John Doe.
First name: Edge
Last name: Admin
User logon name: edgeadmin
Click Next.
4. Enter and confirm password: Welcome123!
Uncheck: User must change password at next logon
Check: Password never expires
Next.
5. Check the summary and press Finish
Full name: Edge Admin
User logon name: edgeadmin@Exco.local
The user must change the password at next logon.6. Double-click on a newly-created user account to open Properties editor and populate E-mail field with corresponding value of the edge System Administrator, admin@exco.com, that you used in silent config file.
7. Click OK to close the Properties editor.
Create John Doe Test User
1. Open Tools/Active Directory Users and Computers
2. At the Exco.local/Users folder, right-click New/User
3. Fill the form for John Doe.
First name: John
Last name: Doe
User logon name: johnd
Click Next.
4. Enter and confirm password: Welcome123!
Uncheck: User must change password at next logon
Check: Password never expires
Next.
5. Check the summary and press Finish
Full name: John Doe
User logon name: johnd@Exco.local
The password never expires.6. Double-click on a newly-created user account to open Properties editor and populate E-mail field with corresponding value of John Doe user's email, johnd@exco.com, you're going to create later.
7. At the Sign On page, enter the credentials of johnd@exco.com user.
https://adfs.exco.com/adfs/ls/idpinitiatedSignOn.aspx
User name: johnd@exco.local
Password: Welcome123!
Click Sign in.
You re signed in now.
8. To sign out, either clock on Sign Out button or navigate to the following link:
For Details: https://docs.apigee.com/private-cloud/v4.19.01/install-and-configure-edge-sso
Create the TLS keys and certificates
1. At the edge-aio node, create directory for PKI artifacts
sudo mkdir -p /opt/apigee/customer/application/apigee-sso/jwt-keys
sudo chown apigee: /opt/apigee/customer/application/apigee-sso/jwt-keys
cd /opt/apigee/customer/application/apigee-sso/jwt-keys/
sudo openssl genrsa -out edge-sso-privatekey.pem 2048
sudo openssl rsa -pubout -in edge-sso-privatekey.pem -out edge-sso-publickey.pem
sudo chown apigee: *.pem
# ssc
sudo mkdir -p /opt/apigee/customer/application/apigee-sso/saml/
sudo chown apigee: /opt/apigee/customer/application/apigee-sso/saml
cd /opt/apigee/customer/application/apigee-sso/saml/
sudo openssl genrsa -aes256 -out edge-sso-server-key.pem 2048
# password: Apigee123!2. Strip passphrase from the private key file
sudo openssl rsa -in edge-sso-server-key.pem -out edge-sso-server-key-np.pem 3. Create certificate request configuration file
NOTES:
https://www.openssl.org/docs/man1.1.0/apps/x509.html#BUGS
Extensions in certificates are not transferred to certificate requests and vice versa.
simple ca: https://serverfault.com/questions/845806/how-to-issue-ssl-certificate-with-san-extension
vi edge-sso-server-csr.conf
[req]
default_bits = 2048
default_keyfile = edge-sso-server-key.pem
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = UK
ST = London
L = London
O = Exco Ltd
CN = edge-sso.exco.com
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = edge-sso.exco.com4. Create certificate request
openssl req -new -out edge-sso-server-csr.pem -nodes -key edge-sso-server-key.pem -config edge-sso-server-csr.conf5. Verify CSR
openssl req -text -noout -verify -in edge-sso-server-csr.pem6. Generate and sign certificate
openssl req -x509 -nodes -days 3650 -key edge-sso-server-key.pem -out edge-sso-server-cer.pem -config edge-sso-server-csr.conf -extensions 'v3_req'7. Verify certificate
openssl x509 -text -noout -in edge-sso-server-cer.pemSSO Configuration
exco-adfs private network IP: 10.132.0.12
exco-aio private network IP: 10.132.0.10
AD FS IdP SAML metadata URL endpoint:
https://adfs.exco.com/FederationMetadata/2007-06/FederationMetadata.xml
FQDN: edge-sso.exco.com
1. At the exco-adfs Windows node, 'fix' FQDN record in "C:\Windows\System32\drivers\etc\hosts" edit as Administrator
cd C:\Windows\System32\drivers\etc\hosts
10.132.0.10 edge-sso.exco.com2. At the exco-aio node, configure /etc/hosts for AD FS Internal IP
10.132.0.12 adfs.exco.com3. Verify/fetch federation metadata
curl https://adfs.exco.com/FederationMetadata/2007-06/FederationMetadata.xml -k4. Configure sso tomcat truststore. Identify truststore file.
$ ls -ls /usr/java/latest
0 lrwxrwxrwx. 1 root root 28 Dec 19 18:16 /usr/java/latest -> /usr/java/jdk1.8.0_191-amd64
$ ls -ls /usr/java/latest/jre/lib/security
... cacerts
...5. At the Windows node exco-adfs, export adfs.exco.com public certificate. Navigate to the https://adfs.exco.com in a browser, right-click at the lock icon, switch to the Details tab, and press Copy to File... button.
6. In the Certificate Export Wizard, press Next, chose Base-64 encoded X.509 (.CER) radio-button, Press Next and enter
C:\adfs-certificates\adfs-cer
as a file name.
Click Finish. Confirm successful certificate export dialog.
7. copy to clipboard
type C:\adfs-certificates\adfs-cer.cer | clip
-----BEGIN CERTIFICATE-----
MIIDJDCCAgygAwIBAgIQbjAM4kBGMIpLJKSqd9bYUTANBgkqhkiG9w0BAQsFADAY
MRYwFAYDVQQDDA1hZGZzLmV4Y28uY29tMB4XDTE4MTIyMDE2NDcxNloXDTI4MTIy
MDE2NTcxMVowGDEWMBQGA1UEAwwNYWRmcy5leGNvLmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKbob9LC1Di2uDOfBmjqKKIxUz2Wj3Xd3rXTckrG
QrMhUcVFDUGYt0wJqnKDlz2Jo92HiYbTJWqoSELDxkAEjQgfFnzK3PoNT2c9+5cz
jUDhXLTzyQDWZyZ17IbMSW8ehqo7rcFy4UqeYhby8hWZMfjZXFkqiG6KrR3TM0gn
VssDH1WCijc81t4DUQu1q6Ki8lfTZMa5Frd4V6+WzwFwWX2dcR/PL7JLD7D4evQW
q2aDLJmpCtgxLww1/FShfFgap8mNBL6KMXzJd4iI/eZF4LjLSaPTuDHD9ywPr2Ci
9N4t6NVPdYnAze5V9G8laHPbQHQ03566GeGxtWszPMncQLMCAwEAAaNqMGgwDgYD
VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAYBgNV
HREEETAPgg1hZGZzLmV4Y28uY29tMB0GA1UdDgQWBBSO09F3YH9ZWkj9TtE64jUe
SfQSgjANBgkqhkiG9w0BAQsFAAOCAQEAn3fQgzQtPN69vIpRyIgLAihmsLV4NZgV
7tC+EfuEg3R5sSv0cUbVg5fl1AdI0/B21YGRrMzLqrHXk7Zsxlu/H+vhQ92URyVE
wscRgMEjyi4n0LZ27605w84cY8q5QP84ymLeZhuHgDtfBb1XdG7omjBrFH1Ia6Gn
MqRshuS25h+vuIiMrkBGEM0Q8t+zMWO9fqau+Wq6JLM0aQ3eNwxK9dHKdCteTzuA
f/pllF+75fe6C5jCkt4uQqIIcUHraK8KxTaP3kbb0XHCdM9cxN/RRvnxhT6/vgtL
2QXWZz3H/zKUZI4XyHSkBTK1w1BDCX1W0QvgMT4PJyEYWUtRmXYm6A==
-----END CERTIFICATE-----8. At the exco-aio node, import adfs public certificate
vi /opt/apigee-install/adfs-cer.pem
# insert the certificate from your clipboard
export JAVA_HOME=/usr/java/latest
sudo keytool -importcert -file /opt/apigee-install/adfs-cer.pem -alias adfs-exco-com-cer -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
Trust this certificate? [no]: yes
Certificate was added to keystore9. Prepare silent configuration file for apigee-sso component:
- Edit IP1 address;
- SSO JWT key and certificate;
- Update idp metadata url;
- SSO SAML service provider key and certificate
vi /opt/apigee-install/edge-sso.cfg
IP1=10.132.0.10
IP2=$IP1
## Management Server configuration.
MSIP=$IP1
MGMT_PORT=8080
# Edge sys admin username and password as set when you installed Edge.
ADMIN_EMAIL=admin@exco.com
APIGEE_ADMINPW=Apigee123!
# Set the protocol for the Edge management API. Default is http.
# Set to https if you enabled TLS on the management API.
MS_SCHEME=http
## Postgres configuration.
PG_HOST=$IP1
PG_PORT=5432
# Postgres username and password as set when you installed Edge.
PG_USER=apigee
PG_PWD=postgres
# apigee-sso configuration.
SSO_PROFILE="saml"
# Externally accessible IP or DNS name of apigee-sso.
SSO_PUBLIC_URL_HOSTNAME=$IP2
# Default port is 9099. If changing, set both properties to the same value.
SSO_PUBLIC_URL_PORT=9099
SSO_TOMCAT_PORT=9099
# Set Tomcat TLS mode to DEFAULT to use HTTP access to apigee-sso.
SSO_TOMCAT_PROFILE=DEFAULT
SSO_PUBLIC_URL_SCHEME=http
# SSO admin user name. The default is ssoadmin.
SSO_ADMIN_NAME=ssoadmin
# SSO admin password using uppercase, lowercase, number, and special chars.
SSO_ADMIN_SECRET=Apigee123!
# Path to signing key and secret from "Create the TLS keys and certificates" above.
SSO_JWT_SIGNINIG_KEY_FILEPATH=/opt/apigee/customer/application/apigee-sso/jwt-keys/edge-sso-privatekey.pem
SSO_JWT_VERIFICATION_KEY_FILEPATH=/opt/apigee/customer/application/apigee-sso/jwt-keys/edge-sso-publickey.pem
# Name of SAML IDP. For example, okta or adfs.
SSO_SAML_IDP_NAME=adfs
# Text displayed to user when they attempt to access Edge UI.
SSO_SAML_IDP_LOGIN_TEXT="Please log in to your IDP"
# The metadata URL from your IDP.
# If you have a metadata file, and not a URL,
# see "Specifying a metadata file instead of a URL" below.
SSO_SAML_IDP_METADATA_URL=https://adfs.exco.com/FederationMetadata/2007-06/FederationMetadata.xml
# Specifies to skip TLS validation for the URL specified
# by SSO_SAML_IDP_METADATA_URL. Necessary if URL uses a self-signed cert.
# Default value is "n".
SSO_SAML_IDPMETAURL_SKIPSSLVALIDATION=n
# SAML service provider key and cert from "Create the TLS keys and certificates" above.
SSO_SAML_SERVICE_PROVIDER_KEY=/opt/apigee/customer/application/apigee-sso/saml/edge-sso-server-key-np.pem
SSO_SAML_SERVICE_PROVIDER_CERTIFICATE=/opt/apigee/customer/application/apigee-sso/saml/edge-sso-server-cer.pem
# The passphrase used when you created the SAML cert and key.
# The section "Create the TLS keys and certificates" above removes the passphrase,
# but this property is available if you require a passphrase.
# SSO_SAML_SERVICE_PROVIDER_PASSWORD=samlSP123
# Must configure an SMTP server so Edge SSO can send emails to users.
SKIP_SMTP=y
SMTPHOST=smtp.example.com
SMTPUSER=smtp@example.com
# omit for no username
SMTPPASSWORD=smtppwd
# omit for no password
SMTPSSL=n
SMTPPORT=25
SMTPMAILFROM="Exco <admin@exco.com>"
10. Install and configure apigee-sso component
/opt/apigee/apigee-setup/bin/setup.sh -p sso -f /opt/apigee-install/edge-sso.cfg | tee /opt/apigee-install/edge-apigee-install-sso-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log11. Install apigee-ssoadminapi
/opt/apigee/apigee-service/bin/apigee-service apigee-ssoadminapi install | tee /opt/apigee-install/edge-apigee-install-ssoadminapi-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log
# [not for googler project!] firewall for sso
gcloud compute firewall-rules create edge-sso --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:9099 --source-ranges=0.0.0.0/0
gcloud compute firewall-rules create edge-sso-s --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:9443 --source-ranges=0.0.0.0/012. Verify apigee sso saml metadata endpoint accessability from exco-adfs node, ie, using browser:
http://10.132.0.10:9099/saml/metadata
or curl:
curl http://10.132.0.10:9099/saml/metadata -o /opt/apigee-install/edge-sso-saml-metadata.xml
Configure apigee-sso for HTTPS access. Enable SSL_TERMINATION mode
For Details, see: https://docs.apigee.com/private-cloud/v4.19.01/configure-apigee-sso-https-access
1. Creating JKS file at the exco-aio node
https://docs.apigee.com/private-cloud/v4.19.01/configuring-ssl-edge-premises#creatingajksfile
cd /opt/apigee/customer/application/apigee-sso/saml/ sudo openssl pkcs12 -export -clcerts -in edge-sso-server-cer.pem -inkey edge-sso-server-key-np.pem -out apigee-sso-keystore.pkcs12 -name sso # Password: Apigee123! keytool -importkeystore -srckeystore apigee-sso-keystore.pkcs12 -srcstoretype pkcs12 -destkeystore apigee-sso-keystore.jks -deststoretype jks -alias sso # Passwords: Apigee123! $ sudo keytool -importkeystore -srckeystore apigee-sso-keystore.pkcs12 -srcstoretype pkcs12 -destkeystore apigee-sso-keystore.jks -deststoretype jks -alias sso Importing keystore apigee-sso-keystore.pkcs12 to apigee-sso-keystore.jks... Enter destination keystore password: Re-enter new password: Enter source keystore password: Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore apigee-sso-keystore.jks -destkeystore apigee-sso-keystore.jks -deststoretype pkcs12".
2. Define apigee-sso tomcat https configuration directories
sudo mkdir -p /opt/apigee/customer/application/apigee-sso/tomcat-ssl/ sudo chown apigee: /opt/apigee/customer/application/apigee-sso/tomcat-ssl/ sudo cp /opt/apigee/customer/application/apigee-sso/saml/apigee-sso-keystore.jks /opt/apigee/customer/application/apigee-sso/tomcat-ssl/ sudo chown apigee: /opt/apigee/customer/application/apigee-sso/tomcat-ssl/apigee-sso-keystore.jks
3. Create apigee-sso ssl termination silent config file. Override default settings.
vi /opt/apigee-install/edge-sso-ssl-termination.cfg
. /opt/apigee-install/edge-sso.cfg
# Enable SSL_TERMINATION mode.
SSO_TOMCAT_PROFILE=SSL_TERMINATION
# Specify the path to the keystore file.
SSO_TOMCAT_KEYSTORE_FILEPATH=/opt/apigee/customer/application/apigee-sso/tomcat-ssl/apigee-sso-keystore.jks
SSO_TOMCAT_KEYSTORE_ALIAS=sso
# The password specified when you created the keystore.
SSO_TOMCAT_KEYSTORE_PASSWORD=Apigee123!
# Specify the HTTPS port number between 1025 and 65535.
# Typically ports 1024 and below require root access by apigee-sso.
# The default is 9099.
SSO_TOMCAT_PORT=9443
SSO_PUBLIC_URL_PORT=9443
# Set public access scheme of apigee-sso to https.
SSO_PUBLIC_URL_SCHEME=https
SSO_PUBLIC_URL_HOSTNAME=edge-sso.exco.com
4. Configure the Edge SSO module
/opt/apigee/apigee-service/bin/apigee-service apigee-sso setup -f /opt/apigee-install/edge-sso-ssl-termination.cfg | tee /opt/apigee-install/edge-apigee-sso-setup-ssl-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log
NOTE: if required, use following command to restart apigee-sso server
apigee-service apigee-sso restartDeploy and Test edge-sso.exco.com public sertificate
1. At the exco-aio node, copy public certificate to exco-adfs Windows node into the
C:\adfs-certificates\edge-sso-server-cer.pem
file
cat edge-sso-server-cer.pem
-----BEGIN CERTIFICATE----- MIICfzCCAeigAwIBAgIJAKQFZ8aAwyMFMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV BAYTAlVLMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjERMA8GA1UE CgwIRXhjbyBMdGQxGjAYBgNVBAMMEWVkZ2Utc3NvLmV4Y28uY29tMB4XDTE4MTIz MTEyNDE0OVoXDTI4MTIyODEyNDE0OVowXjELMAkGA1UEBhMCVUsxDzANBgNVBAgM BkxvbmRvbjEPMA0GA1UEBwwGTG9uZG9uMREwDwYDVQQKDAhFeGNvIEx0ZDEaMBgG A1UEAwwRZWRnZS1zc28uZXhjby5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ AoGBAMoLRg0ohlQ9DkrnQRZ3mR6LqqMdsoUiI5XBmBWkXIVfKlJXR1BlkW1J3pDc plkQhc/pNnoRh2hbPN+bDYkmmjq2ULXkRhfdMpenUp4w/He+LQzMp+abjZWWH5LJ 9NIAQAHy9wHrQmWdYpJAe7eIS8x6/s0LsReQJY0/ho7KKfURAgMBAAGjRTBDMA4G A1UdDwEB/wQEAwIDiDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREEFTATghFl ZGdlLXNzby5leGNvLmNvbTANBgkqhkiG9w0BAQsFAAOBgQBmhVWMI03Z56I+q24q Baqk/TYhsk8EESg7kbUD7/neA11mEHtJLQSGk1/PMTcI22WR+Kid+saXJ3VNDAaA ItgWPlWT0AsPzus6JgU94Sen2RYFoNhzlwGIBUypo/11mq1cKJuO4u4g8vhngVkE N2uH6qqsZSS4ZdnAYYZQDLF8hA== -----END CERTIFICATE-----
2. On Windows box, open local machine certificate manager
certlm.msc
NOTE: If you are working with osx, use KeyChain Access application to add the trust certificate chain.
3. Right-click at Certificates - Local Computer/Trusted Root Certification Authority/Certificates tree node and select All Tasks/Import...
4. In the Certificate Import Wizard, make sure that Store Location is Local Machine, press Next and select
C:\adfs-certificates\edge-sso-server-cer.pem
file
Next.
5. Make sure you're importing certificate in the right Store Location
Next. Finish.
Confirm The import was successful dialog box.
6. Test SSO by navigating to the link at exco-adfs node
https://edge-sso.exco.com:9443
Configuring Edge as Relying Party in ADFS IDP
For Details, See: https://docs.apigee.com/api-platform/system-administration/configuring-edge-relying-party-adfs-idp
1. Open Tools/AD FS Management in the Server Manager
2. Right-click Relying Party Trust. Select Add Relying Party Trust... wizard
3. Make sure Claim aware radio-button is selected. Start.
4. Populate Federation metadata address field.
https://edge-sso.exco.com:9443/saml/metadata
Next.
5. Confirm this relying party's default display name.
Next.
6. In the Choose Access Control Policy dialog box, select I do not want to configure access control policies at this time checkbox, and select Next.
7. At the Ready to Add Trust wizard page, verify entered information and press Next.
8. Click Close to close Add Relying Party Trust wizard and to open Configure claims issuance policy for this application wizard.
Press Close.
9. The Edit Claim Rules properties editor should appear.
Add Claim Rules
1. Click Add Rule... button
2. Using Send LDAP Attributes as Claims claim rule template, press Next.
3. Enter following attributes:
Claim rule name: Email Address
Attribute store: Active Directory
LDAP Attribute: E-Mail-Addresses
Outgoing Claim Type: E-Mail Address
Finish.
4. Click Add Rule... button.
5. Select Transform an Incoming Claim as the Claim rule template, and click Next:
6. Enter following attributes:
Claim rule name: Incoming Email Claim
Incoming Claim Type: E-Mail Address
Outgoing claim type: Name ID
Outgoing name ID format: Email
Finish
7. Press OK button to close Edit Claim Issuance Policy properties editor.
8. Right-click on the relying party trust and select Properties.
Verify Advanced/Secure hash algorithm: SHA-256
9. Press OK button to close the properties editor.
Edit Access Control Policy
1. Make sure that edde-sso.exco.com Relying Party Trust item is selected and double-click on Edit Access Control Policy... action to open Properties editor.
2. Select Permit everyone policy and press Apply.
3. Press OK to close the editor.
Enable SAML on Edge UI
https://docs.apigee.com/private-cloud/v4.19.01/enable-saml-edge-ui
1. Add /etc/hosts entry for edge-sso.exco.com FQDN pointing at this node.
sudo vi /etc/hosts 10.132.0.10 edge-sso.exco.com
2. Create Edge UI silent configuration file.
vi /opt/apigee-install/edge-ui-sso.cfg
IP1=$(hostname)
# Comma separated list of URLs for the Edge UI,
# in the format: http_or_https://IP_or_hostname_of_UI:9000.
# You can have multiple URLs when you have multiple installations
# of the Edge UI or you have multiple data centers.
EDGEUI_PUBLIC_URIS=http://10.132.0.10:9000
# Publicly accessible URLs for Edge UI.
EDGEUI_SSO_REGISTERD_PUBLIC_URIS=$EDGEUI_PUBLIC_URIS
# Required variables
# Default is "n" to disable SAML support.
EDGEUI_SSO_ENABLED=y
# Information about apigee-sso.
# Externally accessible IP or DNS of apigee-sso.
SSO_PUBLIC_URL_HOSTNAME=edge-sso.exco.com
SSO_PUBLIC_URL_PORT=9443
# Default is http. Set to https if you enabled TLS on apigee-sso.
SSO_PUBLIC_URL_SCHEME=https
# SSO admin credentials as set when you installed apigee-sso.
SSO_ADMIN_NAME=ssoadmin
SSO_ADMIN_SECRET=Apigee123!
# The name of the OAuth client used to connect to apigee-sso.
# The default client name is edgeui.
EDGEUI_SSO_CLIENT_NAME=edgeui
# Oauth client password using uppercase, lowercase, number, and special chars.
EDGEUI_SSO_CLIENT_SECRET=Apigee123!
# If set, the existing EDGEUI client is deleted and new one is created.
# The default value is "n".
# Set to "y" when you configure SAML and change the value of
# any of the EDGEUI_* properties.
EDGEUI_SSO_CLIENT_OVERWRITE=y
3. Execute Edge UI reconfiguration
/opt/apigee/apigee-service/bin/apigee-service edge-ui configure-sso -f /opt/apigee-install/edge-ui-sso.cfg | tee /opt/apigee-install/edge-apigee-edge-ui-sso-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log
DEBUG Tips:
* action configure-sso call curl for oauth token:
curl -k -s -i -d grant_type=client_credentials https://edge-sso.exco.com:9443/oauth/token -H 'Content-Type: application/x-www-form-urlencoded;charset=utf-8' -H 'accept: application/json;charset=utf-8' -H 'Authorization: Basic c3NvYWRtaW46QXBpZ2VlMTIzIQ==' -v
* check for /etc/hosts, as at this point we are using FQDN
Configure Edge UI to support self-signed certs with Edge SSO
1. Edge UI
sudo vi /opt/apigee/edge-ui/conf/source/application.conf
play.ws.ssl {
trustManager = {
stores = [
{ type = "PEM", path = "/opt/apigee/customer/application/apigee-sso/saml/edge-sso-server-cer.pem" }
]
}
}2. Add trust certificate chain to the MS truststore.
keytool -importcert -alias startssl -keystore $JAVA_HOME/jre/lib/security/cacerts -file /opt/apigee/customer/application/apigee-sso/saml/edge-sso-server-cer.pem -storepass changeit
DEBUG Tips:
Error message like this in /opt/apigee/var/log/edge-ui/application.log indicates TLS connection problem.
Make sure you restart Edge UI after changing playframework truststore certificate.
2019-01-02 15:31:36,628 [ERROR] from play.core.server.netty.PlayDefaultUpstreamHandler in New I/O worker #5 - Exception caught in Netty
java.lang.IllegalArgumentException: invalid version format: ミ]Z^Uᅠ←^G ;^D○フS^Pᅣ^Fᅣᆴネ5<U+FFF0>↓ヤPE<U+FFC1>ᅤZCネE^EV^Z<U+FFE7>¢Y<U+FFD0>^@"ᅧᅧ^S^A^S^B^S^C<U+FFC0>+
<U+FFC0>/<U+FFC0>,<U+FFC0>0ᅩ로ᄄ<U+FFC0>^S<U+FFC0>^T^@ワ^@ン^@/^@5
at org.jboss.netty.handler.codec.http.HttpVersion.<init>(HttpVersion.java:94) ~[io.netty.netty-3.10.5.Final.jar:na]
at org.jboss.netty.handler.codec.http.HttpVersion.valueOf(HttpVersion.java:62) ~[io.netty.netty-3.10.5.Final.jar:na]
ADFS Event Logs
In case of problems, Event Viewer contains useful debugging information. To open eventvwr, in Server Manager, chose:
Application and Services Logs > AD FS > Admin.
Edge SSO: Add and Test a User
1. Create .netrc entry for Management API
vi ~/.netrc
machine 10.132.0.10 login admin@exco.com password Apigee123!2. Create johnd@exco.local edge user in the org org.
curl -n -H "Content-Type: application/json" -X POST http://10.132.0.10:8080/v1/users -d '{"emailId": "johnd@exco.com", "firstName": "John", "lastName": "Doe", "password": "Apigee123!"}'3. Add new user to org organization
curl -n -H "Content-Type:application/x-www-form-urlencoded" -X POST http://10.132.0.10:8080/v1/o/org/userroles/user/users?id=johnd@exco.com
4. Navigate to
https://adfs.exco.com/adfs/ls/idpinitiatedSignOn.aspx
5. User johnd credentials to sign into ADFS account:
Test user: johnd@exco.local
Password: Welcome123!
6. In a separate browser window, navigate to Edge UI site:
You are automatically redirected to the Dashboard page of the Edge UI via Sign-sign on mechanism.
Tracing SSO Redirects
Actually, during SSO processing of SAML claims, there are three redirects involved:
--> redirect to edge-sso.exco.com
--> redirect to adfs.eco.com
--> redirect to Edge UI
Let's use Chrome DevTools and SAML Chrome Panel extension to follow the redirect chain.
1. In the chrome web store (https://chrome.google.com), search for SAML Chrome Panel extension
https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en
Add it to your Chrome.
2. If you're logged in the AD FS, navigate to
https://adfs.exco.com/adfs/ls/?wa=wsignout1.0
to sign out.
3. Right-click at the current web-page and select Inspect context menu item to open DevTools pane. Select SAML tab (if required, use chevron icon).
4. In the current browser tab, navigate to Edge UI
5. Click at the Please log in to your IDP link.
We are redirected to the Sign In page of the Exco AD FS Server.
You can see SAML Request datagram.
6. Use System Admin credentials:
Username: edgeadmin@exco.local
Password: Welcome123!
Click Sign in button. At this point you are signed in the Exco AD FS server, redirected to edge-sso.exco.com:9443 and then to the 10.132.0.10:9000.
The SAML panel shows SAML assertion with status Success.
https://docs.apigee.com/private-cloud/v4.19.01/installing-beta-release-edge-new-unified-experience
Prerequisites:
[ ] classic edge-ui with sso at exco-aio
[ ] different node: exco-nee; 10.154.0.11
1. From jumbox ssh to exco-nee node
ssh exco-nee
2. Install utilities and setup apigee-install folder for user edge
sudo yum -y install mc nc wget sudo mkdir /opt/apigee-install sudo chown edge: /opt/apigee-install
IMPORTANT: You shall have an access to the apigee rpm repositories and edge license file.
3. Install Oracle JDK
cd /opt/apigee-install wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "https://download.oracle.com/otn-pub/java/jdk/8u191-b12/2787e4a523244c269598db4e85c51e0c/jdk-8u191-linux-x64.rpm" sudo yum -y install jdk-8u191-linux-x64.rpm
4. Temporarily reset SELinux into permissive mode
sudo setenforce 0
5. Bootstrap Edge and install apigee-setup
wget https://software.apigee.com/bootstrap_4.19.01.sh -O /opt/apigee-install/bootstrap_4.19.01.sh
export REPO_CLIENT_ID=`awk '/User:/{print $2}' /opt/apigee-install/credentials.txt`
export REPO_PASSWORD=`awk '/Password:/{print $2}' /opt/apigee-install/credentials.txt`
sudo bash /opt/apigee-install/bootstrap_4.19.01.sh apigeeuser=$REPO_CLIENT_ID apigeepassword=$REPO_PASSWORD
sudo /opt/apigee/apigee-service/bin/apigee-service apigee-setup install
6. 'Fix' networking connectivity between nodes via FQDN
sudo vi /etc/hosts
10.132.0.10 edge-sso.exco.com7. Copy and install public edge-sso-server-cer.pem certificate
sudo mkdir -p /opt/apigee/customer/application/apigee-sso/saml/ cd /opt/apigee/customer/application sudo chown -R apigee: apigee-sso/saml/
8. At the jumpbox, copy certificate between nodes
## return to jumpbox exit scp -3 exco-aio:/opt/apigee/customer/application/apigee-sso/saml/edge-sso-server-cer.pem exco-nee:/tmp # go back to exco-nee ssh exco-nee
9. Import certificate into jvm's keystore
sudo cp /tmp/edge-sso-server-cer.pem /opt/apigee/customer/application/apigee-sso/saml sudo chown apigee: /opt/apigee/customer/application/apigee-sso/saml/edge-sso-server-cer.pem export JAVA_HOME=/usr/java/latest sudo keytool -importcert -alias startssl -keystore $JAVA_HOME/jre/lib/security/cacerts -file /opt/apigee/customer/application/apigee-sso/saml/edge-sso-server-cer.pem -storepass changeit
10. Define edge-ui-nee silent config file
vi /opt/apigee-install/edge-ui-nee.cfg
# IP of the Edge Management Server.
# This node also hosts the Edge SSO module and the current, or classic, Edge UI.
IP1=10.132.0.10
# IP of the New Edge experience node.
IP2=10.132.0.11
# Edge sys admin credentials.
ADMIN_EMAIL=admin@exco.com
APIGEE_ADMINPW=Apigee123!
# Edge Management Server information.
APIGEE_PORT_HTTP_MS=8080
MSIP=$IP1
MS_SCHEME=http
#
# New Edge experience configuration.
#
# Enable the New Edge experience.
EDGEUI_ENABLE_UNIFIED_UI=y
# Specify IP and port for the New Edge experience.
MANAGEMENT_UI_PORT=3001
MANAGEMENT_UI_IP=$IP2
# Specify a Private Cloud deployment.
MANAGEMENT_UI_APP_ENV=OPDK
# Disable TLS on the New Edge experience.
# This release does not support TLS.
MANAGEMENT_UI_SCHEME=http
# Location of New Edge experience.
MANAGEMENT_UI_PUBLIC_URIS=http://$IP2:3001
MANAGEMENT_UI_SSO_REGISTERED_PUBLIC_URIS=$MANAGEMENT_UI_PUBLIC_URIS
MANAGEMENT_UI_SSO_CSRF_SECRET=Apigee123!
MANAGEMENT_UI_SSO_CSRF_EXPIRATION_HOURS=24
MANAGEMENT_UI_SSO_STRICT_TRANSPORT_SECURITY_AGE_HOURS=24
MANAGEMENT_UI_SSO_PUBLIC_KEY_CACHE_HOURS=0.5
# SSO configuration for the New Edge experience.
MANAGEMENT_UI_SSO_ENABLED=y
MANAGEMENT_UI_SSO_CLIENT_OVERWRITE=y
MANAGEMENT_UI_SSO_CLIENT_ID=newueclient
MANAGEMENT_UI_SSO_CLIENT_SECRET=Apigee123!
#
# Shoehorn UI configuration.
#
# The first two properties use the same values as the New Edge experience.
SHOEHORN_SCHEME=$MANAGEMENT_UI_SCHEME
SHOEHORN_IP=$MANAGEMENT_UI_IP
SHOEHORN_PORT=9000
#
# Edge Classic UI configuration.
# Some settings are for the classic UI,
# but are still required to configure the New Edge experience.
#
# These settings assume that Classic UI is installed on the Management Server.
CLASSIC_UI_IP=$MSIP
CLASSIC_UI_PORT=9000
CLASSIC_UI_SCHEME=http
EDGEUI_PUBLIC_URIS=http://$IP1:9000
# Information about publicly accessible URL for Classic UI.
EDGEUI_SSO_REGISTERD_PUBLIC_URIS=$EDGEUI_PUBLIC_URIS
# Enable SSO.
EDGEUI_SSO_ENABLED=y
# The name of the OAuth client used to connect to apigee-sso.
# The default client name is edgeui.
# Apigee recommends that you use the same settings as you used
# when enabling SAML on the classic Edge UI.
EDGEUI_SSO_CLIENT_NAME=edgeui
# Oauth client password using uppercase, lowercase, number, and special chars.
EDGEUI_SSO_CLIENT_SECRET=Apigee123!
# If set, existing EDGEUI client will deleted and new one will be created.
EDGEUI_SSO_CLIENT_OVERWRITE=y
# Information about Edge SSO module.
# Externally accessible IP or DNS of Edge SSO module.
SSO_PUBLIC_URL_HOSTNAME=edge-sso.exco.com
SSO_PUBLIC_URL_PORT=9443
# Default is http. Set to https if you enabled TLS on the Edge SSO module.
# If Edge SSO uses a self-signed cert, you must also set MANAGEMENT_UI_SKIP_VERIFY to "y".
SSO_PUBLIC_URL_SCHEME=https
# MANAGEMENT_UI_SKIP_VERIFY=y
# SSO admin credentials as set when you installed Edge SSO module.
SSO_ADMIN_NAME=ssoadmin
SSO_ADMIN_SECRET=Apigee123!
#
# Required SMTP information.
#
SKIP_SMTP=y # Skip now and configure later by specifying "y".
SMTPHOST=smtp.gmail.com
SMTPUSER=your@email.com
SMTPPASSWORD=yourEmailPassword
SMTPSSL=y
SMTPPORT=465 # If no SSL, use a different port, such as 25.
SMTPMAILFROM="My Company myco@company.com"
11. Install Shoehorn
/opt/apigee/apigee-service/bin/apigee-service edge-ui install | tee /opt/apigee-install/edge-apigee-install-edge-ui-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log
12. Configure Shoehorn
/opt/apigee/apigee-service/bin/apigee-service edge-ui setup -f /opt/apigee-install/edge-ui-nee.cfg | tee /opt/apigee-install/edge-apigee-setup-edge-ui-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log
13. Configure SSO for Shoehorn
/opt/apigee/apigee-service/bin/apigee-service edge-ui configure-sso -f /opt/apigee-install/edge-ui-nee.cfg | tee /opt/apigee-install/edge-apigee-install-edge-ui-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log
14. Install Edge Management UI
/opt/apigee/apigee-service/bin/apigee-service edge-management-ui install | tee /opt/apigee-install/edge-apigee-install-edge-mui-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log
15. Configure Edge Management UI
/opt/apigee/apigee-service/bin/apigee-service edge-management-ui setup -f /opt/apigee-install/edge-ui-nee.cfg | tee /opt/apigee-install/edge-apigee-setup-edge-mui-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log
16. Configure SSO for Edge Management UI
/opt/apigee/apigee-service/bin/apigee-service edge-management-ui configure-sso -f /opt/apigee-install/edge-ui-nee.cfg | tee /opt/apigee-install/edge-apigee-configure-sso-edge-mui-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log
Go SSL_CERT_FILE environment variable configuration
https://golang.org/pkg/crypto/x509/
# example
export SSL_CERT_FILE=/opt/apigee/customer/application/apigee-sso/saml/edge-sso-server-cer.pem
Edit some Edge 19.01 files to configure GO runtime truststore certificate so that Management UI can successfully connect to apigee-sso.
1. Add export env variable line to the export.sh script
vi /opt/apigee/apigee-service-4.19.01-0.0.1354/lib/exports.sh
export SSL_CERT_FILE
2. In the service-functions.sh script, add lines in the _dump_vars() and _infer_defaults() variables
/opt/apigee/apigee-service-4.19.01-0.0.1354/lib/service-functions.sh
# 1
_dump_vars()
{
notice "SSL_CERT_FILE=/opt/apigee/customer/application/apigee-sso/saml/edge-sso-server-cer.pem"
_infer_defaults()
{
...
SSL_CERT_FILE=/opt/apigee/customer/application/apigee-sso/saml/edge-sso-server-cer.pem
3. OPTIONAL: If using access to external IPs: firewall configuration
# firewall for edge-nui gcloud compute firewall-rules create edge-nui --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:3001 --source-ranges=0.0.0.0/0
4. You can navigate now to the Classic Edge UI and New Edge Experience using SSO
EDGE: http://10.132.0.10:9000
NEE: http://10.132.0.11:3001
1. WHENEVER REQUIRED: Uninstall edge-management-ui
/opt/apigee/apigee-service/bin/apigee-service edge-management-ui uninstall | tee /opt/apigee-install/edge-apigee-uninstall-edge-mui-`date -u +\"%Y-%m-%dT%H:%M:%SZ\"`.log