Putting some Gravitee into Neo4j — Part II — go Gravitee

Preamble

You can see there is quite a dance going on.

  1. Your web browser communicates with the Neo4j Web Server.
  2. UI application elements move to your web browser. The Neo4j Web Server does not serve the application itself.
  3. Your web browser communicates with the Gravitee Gateway Server. This is the main part of the dance.
  4. The Gravitee Gateway Server communicates with the identity provider. This may lead to an authentication request.
  5. With the dance complete your web browser can access the database.

In this part I’ll focus on setting up the Gravitee Access Management solution.

Setup

  • Ports 8092, 8093 and 8094 must be accessible.
  • DNS name linked to the public ip address of the server. For the rest of the document I’ll assume the DNS name is apollo.yourdomain.io (I like Greek mythology).
  • Certificate is ready and waiting on the server.
ls -l /home/ec2-user
certificate files

Installation

sudo curl -sSL https://bit.ly/install-am-3x | bash
fancy installation output

Quite a lot happens after that fancy start. Java is installed. MongoDB is installed. Elasticsearch is installed. A gravitee group and user are created and finally the gateway, api and console application are installed.

In this post I’m not going into further detail on that. You can check everything is running by checking the ports:

sudo ss -lntp
game of ports

Your next action is to prepare the certificate files for usage. Gravitee uses both the Jetty and the Nginx webserver. For Jetty you need a keystore:

openssl pkcs12 -export \
-in /home/ec2-user/certificate.crt \
-inkey /home/ec2-user/private.key \
-out /home/ec2-user/apollo.yourdomain.io.p12 \
-name apollo.yourdomain.io \
-CAfile /home/ec2-user/ca_bundle.crt \
-caname "ZeroSSL Certificate apollo.yourdomain.io" \
-password pass:notverysecure
keytool -importkeystore \
-deststorepass notverysecure \
-destkeypass notverysecure \
-deststoretype JKS \
-srckeystore /home/ec2-user/apollo.yourdomain.io.p12 \
-srcstoretype JKS \
-srcstorepass notverysecure \
-destkeystore /home/ec2-user/apollo.yourdomain.io.jks \
-alias apollo.yourdomain.io

For Nginx the original format is fine but you do need the full chain of trust in one file:

cat /home/ec2-user/certificate.crt /home/ec2-user/ca_bundle.crt > /home/ec2-user/apollo.yourdomain.io.cert

And then you put everything in place:

sudo mkdir /opt/graviteeio/security
sudo cp /home/ec2-user/apollo.yourdomain.io.cert /opt/graviteeio/security/
sudo cp /home/ec2-user/apollo.yourdomain.io.jks /opt/graviteeio/security/
sudo cp /home/ec2-user/private.key /opt/graviteeio/security/apollo.yourdomain.io.key
sudo chown -R gravitee:gravitee /opt/graviteeio/security
ls -l /opt/graviteeio/security
ready to use

Fix /opt/graviteeio/am/gateway/config/gravitee.yml

http:
port: 8092
secured: true
ssl:
keystore:
type: jks
path: /opt/graviteeio/security/apollo.yourdomain.io.jks
password: notverysecure
...
services:
core:
http:
enabled: false
port: 18092
...

Fix /opt/graviteeio/am/management-api/config/gravitee.yml

jetty:
port: 8093
secured: true
ssl:
keystore:
type: jks
path: /opt/graviteeio/security/apollo.yourdomain.io.jks
password: notverysecure
...
services:
core:
http:
enabled: false
port: 18093
...

Fix /opt/graviteeio/am/management-ui/constants.json

{
"baseURL": "https://apollo.yourdomain.io:8093/management"
}

Fix /etc/nginx/conf.d/graviteeio-am-management-ui.conf

server {
listen 0.0.0.0:8094 ssl;
server_name apollo.yourdomain.io;
ssl_certificate /opt/graviteeio/security/apollo.yourdomain.io.cert;
ssl_certificate_key /opt/graviteeio/security/apollo.yourdomain.io.key;
root /opt/graviteeio/am/management-ui;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
}

Restart the services and verify the ports again (give it a couple of seconds).

sudo systemctl restart graviteeio-am-gateway.service
sudo systemctl restart graviteeio-am-management-api.service
sudo systemctl restart nginx
sudo ss -lntp
two ports less

Access the gateway url — https://apollo.yourdomain.io:8092 in a web browser. The response should be:
No security domain matches the request URI.
But more importantly this allows you to verify the certificate is in place correctly.

For a final test, access the UI url — https://apollo.yourdomain:8094 in a web browser. The response should be:

Well done. You’ve come quite a way and Gravitee is now running. Time to configure it!

Configuration

Instead of going for the obvious button … click Organization settings first. Then scroll down to and select Entrypoints.

Organization settings — Entrypoints

An entrypoint is how the application (Neo4j Browser) will contact Gravitee AM. In this Open-source Software setup of Gravitee there is only one possibility. Use the cogwheel to change the url of the default entrypoint to https://apollo.yourdomain.io:8092 and SAVE.

Entrypoint changed

You could now navigate your way back. Instead, select the administrator icon on the top right and … Create domain.

Create domain
Create domain
Domain created

New options appear on screen. Once more, do not do the obvious (despite the bright orange highlighting)! Click the new Settings menu option instead.

A few things need changing. Go through them one by one and make sure to SAVE on every panel:

  • General → Enable domain → SAVE
  • Login → User Registration → SAVE
  • User Accounts → Select the Default Identity Provider in the pull-down-menu → SAVE
  • Users → Create a new user (yourself for example) … fill out the mandatory fields, make sure to select the Default Identity Provider → Create
  • Groups → Create a new group … the name should be (lowercase) admin → Create

Next you click the new Applications menu option. Only one option … create a new application.

For the application type you go with Single Page App which fits the Neo4j Browser. You then fill out the form:

And Create

application menu

Almost there … a few more things need changing for the application:

  • Identity Providers → Enable → SAVE
  • Settings → OAuth2.0/OIDC → Scopes → ADD SCOPES
Application level OAuth2.0/OIDC Settings

Add profile, openid, email and groups as scopes then SAVE.

Scopes added

Done. You are done. You can now select the dashboard. Relax for a little while. In the next part you’ll install the Neo4j database and link it up, so don’t expect the lines on the dashboard to start moving yet.

Thoughts

  • You set up a broker that can handle SSO authentication flows for you. With configuration only.
  • You went with the default identity provider (and created a user and group in it), but you could as easily have plugged in an external identity provider such as Google or your organization’s Active Directory, or …
  • You defined an application that can handle the specific flow that the Neo4j database you are going to install on the same server requires. With configuration only.

Yes. It was a lot of work. But nothing compared to what custom building it would entail. You want to understand the concepts to better understand your decisions in the future. For now though … well done!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Tom Geudens

At the age of 15, Tom Geudens’ parents gave him a choice. Either become a baker or go into IT. He went into IT …