
Jira and Keycloak Notes Added

Fred Damstra, 4 years ago
Parent
Current commit 5d713238c4
2 files changed, 143 insertions and 6 deletions
  1. Jira Notes.md (+31 -6)
  2. Keycloak Notes.md (+112 -0)

Jira Notes.md (+31 -6)

@@ -13,8 +13,15 @@
 # TLS Setup for RDS
 
 ```
+# for commercial
 curl https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
-y Place output in /home/jira/.postgresql/root.crt
+# For govcloud
+curl https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-ca-us-gov-east-1-2017-root.pem -o root.crt
+```
+
+Place output in /home/jira/.postgresql/root.crt
+
+```
 vim /opt/jira-data/jira/dbconfig.xml
 # Add ?sslmode=verify-full to the <url>
 ```
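Review bot: the two `curl` lines in the TLS block are inconsistent: the commercial one prints the CA bundle to stdout while the GovCloud one writes it with `-o root.crt`, so the instruction "Place output in /home/jira/.postgresql/root.crt" only follows mechanically from one of them. Give both the same `-o root.crt` (or write straight to `/home/jira/.postgresql/root.crt` and `chown jira:jira` it) so the file ends up where libpq looks for it under the account Jira runs as. Since `sslmode=verify-full` is only as strong as this trust anchor, it is also worth a line telling the reader to compare the downloaded PEM against the fingerprint AWS publishes for the RDS CA before installing it.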
@@ -129,21 +136,29 @@ terminates TLS and sends plain HTTP back to JIRA itself.
 
 # Migrating to GovCloud
 
-## 1. Presync original:
+## 0. Stop Jira
+
+```
+ssh prod-jira-server
+sudo systemctl stop jira
+sudo systemctl disable jira
+```
+
+## 1. Sync original:
 ```
 cd
 # I believe /opt/jira-data/jira/data/attachments is the correct directory, but it could be
 #   /opt/jira/data/attachments
 #   /opt/jira-data/jira/import/attachments
-time rsync --rsync-path="sudo rsync" -avz --delete --progress prod-jira-server:/opt/jira-data tmp/jira-data
 time rsync --rsync-path="sudo rsync" -avz --delete --progress prod-jira-server:/opt/atlassian tmp/atlassian
+time rsync --rsync-path="sudo rsync" -avz --delete --progress prod-jira-server:/opt/jira-data tmp/jira-data
 
 # then restore
-rsync --rsync-path="sudo rsync" -avz --delete --progress tmp/jira-data/jira-data/ gc-prod-jira-server:/opt/jira-data/
 rsync --rsync-path="sudo rsync" -avz --delete --progress tmp/atlassian/atlassian/ gc-prod-jira-server:/opt/atlassian/
+rsync --rsync-path="sudo rsync" -avz --delete --progress tmp/jira-data/jira-data/ gc-prod-jira-server:/opt/jira-data/
 ```
 
-## 2. Dry run of database dump
+## 2. Database Dump
 on legacy server:
 ```
 curl https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem -o root.crt
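Review bot: the comment under step 1 ("I believe /opt/jira-data/jira/data/attachments is the correct directory, but it could be ...") leaves the migration runbook guessing at what is being copied; settle it before cutover by checking the attachment path the running instance reports in its system information and replace the three candidates with the verified one. Two operational points are also missing from the text: the restore rsyncs to gc-prod-jira-server carry `--delete`, so they will remove anything on the target not present in the copy and should only be pointed at a fresh install; and step 0 runs `systemctl disable jira` on prod, so a rollback needs an explicit `enable`/`start` again, which the notes should say.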
@@ -211,10 +226,20 @@ sudo ./atlassian-jira-software-8.12.1-x64.bin
 sudo chown -R jira:jira /opt/atlassian /opt/jira-data
 vim /opt/jira-data/jira/dbconfig.xml
 # update the db connection string
+vim /opt/atlassian/jira/conf/server.xml
+# Update jira.mdr.defpoint.com to jira.xdr.accenturefederalcyber.com
+vim /opt/atlassian/jira/bin/setenv.sh
+# Set:
+#  JVM_SUPPORT_RECOMMENDED_ARGS="-Dhttp.proxyHost=proxy.pvt.xdr.accenturefederalcyber.com -Dhttp.proxyPort=80 -Dhttps.proxyHost=proxy.pvt.xdr.accenturefederalcyber.com -Dhttps.proxyPort=80"
 ```
 
+```
+vim /opt/atlassian/jira/conf/okta-config-jira.xml
+# copy from okta, remove the <xml> header
+```
 
-
+Login and resolve any issues, probably with basename
+Update mail server.
 
 NOTES:
 new jira db:
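Review bot: the `JVM_SUPPORT_RECOMMENDED_ARGS` line added to setenv.sh routes every outbound HTTP and HTTPS call the JVM makes through proxy.pvt.xdr.accenturefederalcyber.com, including calls to internal hosts such as the mail server mentioned at the end of the hunk; add `-Dhttp.nonProxyHosts="localhost|127.0.0.1|*.pvt.xdr.accenturefederalcyber.com"` (pattern is illustrative) so internal traffic bypasses the proxy, and note that `https.proxyPort=80` is intentional if it is. The two trailing notes, "copy from okta, remove the <xml> header" and "resolve any issues, probably with basename", are too thin to act on later: say which Okta page the XML is exported from, and what the basename fix actually is.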

Keycloak Notes.md (+112 -0)

@@ -0,0 +1,112 @@
+# keycloak notes
+
+Basically just a log of my initial installation/tests... could be really out of date by the time you read this.
+
+# Generally useful stuff
+
+[admin guide](https://www.keycloak.org/docs/10.0/server_admin/#_x509)
+[scripts to do this?](https://gist.github.com/malys/12baa68303b6012fe819849b558d43d4)
+
+# Initial Standup Process
+
+Stood up a basic server using our minion image.
+
+```
+highstate + highstate
+sudo yum install java-11-openjdk
+sudo yum update -y
+
+# copied file to server
+tar xvzf keycloak-12.0.2.tar.gz
+sudo mv keycloak-12.0.2 /opt/keycloak
+cd /opt/keycloak
+# for standalone, the main configuration file is ./standalone/configuration/standalone.xml
+# for a clustered environment, it's ./domain/configuration/domain.xml
+./standalone.sh
+```
+
+Tunnel (run on local box)
+```
+ssh 10.20.26.85 -L 8080:127.0.0.1:8080
+```
+then browse to http://localhost:8080
+
+1. Create admin username and password
+2. click the administration console link and sign in
+3. Sign in... basically, I followed https://www.keycloak.org/docs/latest/getting_started/
+
+```
+```
+
+# Create certificates
+
+## install certbot - maybe not in production
+I don't particularly like this method, but for now its our best choice.
+
+```
+sudo yum install --enablerepo=epel snapd
+sudo systemctl start snapd
+sudo snap set system proxy.http="http://proxy.pvt.xdrtest.accenturefederalcyber.com:80"
+sudo snap set system proxy.https="http://proxy.pvt.xdrtest.accenturefederalcyber.com:80"
+sudo snap install core; sudo snap refresh core
+sudo ln -s /var/lib/snapd/snap /snap
+sudo snap install --classic certbot
+sudo ln -s /snap/bin/certbot /usr/bin/certbot
+```
+
+## Generate cert
+
+```
+sudo certbot certonly --standalone -d keycloak.xdrtest.accenturefederalcyber.com
+# entered my email, probably better to use net.eng if this is used in production
+
+# export into a pkcs12 store for keycloak:
+sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/keycloak.xdrtest.accenturefederalcyber.com/privkey.pem -in /etc/letsencrypt/live/keycloak.xdrtest.accenturefederalcyber.com/fullchain.pem -out /opt/keycloak/standalone/configuration/lets_encrypt_certs.pkcs12 -name keycloak.xdrtest.accenturefederalcyber.com
+# set a password
+
+vim /opt/keycloak/standalone/configuration/standalone.xml
+# have to set the keystore here... 
+# important line is:
+                        <keystore path="lets_encrypt_certs.pkcs12" relative-to="jboss.server.config.dir" keystore-password="stupid" alias="keycloak.xdrtest.accenturefederalcyber.com" key-password="stupid" generate-self-signed-certificate-host="localhost"/>
+```
+
+## Copy Duane's certificates
+
+```
+scp DuanesCA.tgz gc-dev-keycloak:
+ssh gc-dev-keycloak
+mkdir ca
+cd ca
+tar xvzf ../DuanesCA.tgz
+vim chain.pem 
+# Remove the text from the top
+keytool -importcert -storetype PKCS12 -keystore duckfez-truststore.pkcs12 \
+  -storepass password -alias ca -file chain.pem -noprompt
+cp duckfez-truststore.pkcs12 /opt/keycloak/standalone/configuration/
+cd /opt/keycloak/
+./start.ftd.sh # modified standalone script is in place with SSL configured. Script binds to 0.0.0.0
+```
+
+... and much config and troubleshooting happened
+
+## Generate a better client cert from duane's stuff
+
+Back on the mac:
+```
+cd
+cd keycloak
+openssl genrsa -out fdamstra.key 2048
+openssl req -new -key fdamstra.key \
+    -subj "/CN=frederick.t.damstra@accenturefederal.com/OU=MonkeyBOX Entertainment Group/O=AFS/C=US/L=Grand Rapids/ST=Michigan" \
+    -out fdamstra.csr
+openssl x509 -req -days 3650 -in fdamstra.csr -CA intermediae/ca.crt  -CAkey intermediae/ca.key -CAcreateserial -out fdamstra.crt
+openssl pkcs12 -export -in fdamstra.crt -inkey fdamstra.key \
+    -certfile chain.pem -out fdamstra.p12 \
+    -passin pass:password \
+    -passout pass:password 
+```
+
+Then use Keychain Access to import the p12 (password is "password")
+Then doubleclick on the duckfez cert (has a red x), expand trust, and set trust to "always trust"
+
+Then login!
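Review bot: the `<keystore ...>` line quoted from standalone.xml commits the keystore and key passwords in plain text (`keystore-password="stupid" key-password="stupid"`), and the truststore and client-cert commands use `-storepass password` / `-passout pass:password`; even for a log of a test install these should be redacted in the notes and, on the server, replaced with a real passphrase kept outside standalone.xml (WildFly can reference it from a credential store instead of inlining it). Three smaller points from the same hunk: `./start.ftd.sh` is described as binding to 0.0.0.0, which exposes the admin console and the newly created admin account beyond the SSH tunnel the notes otherwise rely on, so bind the admin/management interface to localhost or put it behind the proxy; `keytool -importcert` on a PEM bundle stores only the first certificate in the file, so after importing chain.pem run `keytool -list` to confirm the intermediate and root both landed in duckfez-truststore.pkcs12; and `openssl x509 -req ... -days 3650` with no `-extfile` issues a ten-year client certificate with no EKU or SAN, which is far longer than a user credential should live and may be rejected by stricter X.509 validation settings.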