Running Red Hat SSO outside of OpenShift

In an article named Red Hat Single Sign-On: Give it a try for no cost!, I explained how to deploy Red Hat SSO very easily in any OpenShift cluster.

As pointed by a reader in a comment, as widespread OpenShift can be, not everyone has access to a running OpenShift cluster. So, here is how to run Red Hat SSO outside of OpenShift: using only plain Docker commands.

The rest of this procedure assumes you already have a token to access the Red Hat registry (full procedure described in my article and in the Red Hat SSO Getting Started guide, chapter 3, section 3.1).

Start by logging in with this token using the docker login command (do not forget to replace the login and password with yours):

docker login -u='1979710|nma-docker'

Confirm your Red Hat registry token is valid by pulling the Red Hat SSO image:

docker pull

We can continue by following the official Red Hat SSO Getting Started guide, chapter 4, section 4.1.2 to create HTTPS and JGroups Keystores, and Truststore:

mkdir keystore
openssl req -new -newkey rsa:2048 -x509 -keyout keystore/xpaas.key -out keystore/xpaas.crt -days 365 -subj "/CN=localhost" -nodes
keytool -genkeypair -keyalg RSA -keysize 2048 -dname "CN=localhost" -alias jboss -keystore keystore/keystore.jks -storepass secret -keypass secret
keytool -certreq -keyalg rsa -alias jboss -keystore keystore/keystore.jks -file keystore/sso.csr -storepass secret
openssl x509 -req -CA keystore/xpaas.crt -CAkey keystore/xpaas.key -in keystore/sso.csr -out keystore/sso.crt -days 365 -CAcreateserial
keytool -import -file keystore/xpaas.crt -alias -keystore keystore/keystore.jks -storepass secret -trustcacerts -noprompt
keytool -import -file keystore/sso.crt -alias jboss -keystore keystore/keystore.jks -storepass secret

mkdir jgroups
keytool -genseckey -alias secret-key -storetype JCEKS -keystore jgroups/jgroups.jceks -storepass secret -keypass secret

mkdir truststore
keytool -import -file keystore/xpaas.crt -alias -keystore truststore/truststore.jks -storepass secret -trustcacerts -noprompt

And finally, we can convert the official Red Hat SSO template to Docker commands:

docker run --name redhat-sso -m 1Gi \
           -p 8778:8778 -p 8080:8080 -p 8443:8443 -p 8888:8888 \
           -e SSO_HOSTNAME=localhost \
           -e SSO_ADMIN_USERNAME=admin \
           -e SSO_ADMIN_PASSWORD=password \
           -e SSO_REALM=test \
           -e HTTPS_KEYSTORE_DIR=/etc/keystore \
           -e HTTPS_KEYSTORE=keystore.jks \
           -e HTTPS_KEYSTORE_TYPE=jks \
           -e HTTPS_NAME=jboss \
           -e HTTPS_PASSWORD=secret \
           -e JGROUPS_ENCRYPT_KEYSTORE_DIR=/etc/jgroups \
           -e JGROUPS_ENCRYPT_KEYSTORE=jgroups.jceks \
           -e JGROUPS_ENCRYPT_NAME=secret-key \
           -e JGROUPS_ENCRYPT_PASSWORD=secret \
           -e JGROUPS_CLUSTER_PASSWORD=random \
           -e SSO_TRUSTSTORE=truststore.jks \
           -e SSO_TRUSTSTORE_DIR=/etc/truststore \
           -e SSO_TRUSTSTORE_PASSWORD=secret \
           -v $PWD/keystore:/etc/keystore \
           -v $PWD/jgroups:/etc/jgroups \
           -v $PWD/truststore:/etc/truststore \

You should see the Red Hat SSO server logs appearing in your console. Once the server started successfully, you can connect to the console at http://localhost:8080/auth/admin or https://localhost:8443/auth/admin and login with admin / password.

Of course, none of this is endorsed or supported by Red Hat! But for a test run, it’s an acceptable tradeoff.