I have been attempting to set up Verinice-Veo on premise for a few weeks and cannot get it to work. Here’s my set up:
Nginx reverse proxy
Server 1: verinice-veo-web
Server 2: verinice-veo, verinice-veo-accounts, verinice-veo-forms, verinice-veo-history, verinice-veo-reporting, keycloak
I am able to log in to the front-end, and am able to get to a page that allows me to create a Unit, but there are a myriad of errors that mean that nothing loads.
The main cause of this seems to be a couple of issues:
It’s not clear where the /veo/ URL is meant to point. Debugging with curl seems to give me 404 errors from every component. If I leave it pointing to the REST API, I get error 400 (bad request).
I keep getting “Expected 1 client for the account. Got 0.” for most components.
I think it may be a Keycloak configuration error, but I used the template configuration from the documentation. I have double-checked the application configurations in all of the different elements and cannot find where I’m going wrong.
Any pointers would be great, if anyone has seen this before? If anyone has a template nginx reverse proxy configuration, that would also be helpful.
just to clarify: „veo on-premise“ as a product for end-users and whitelabel-providers will begin rolling out later this year. It will be based on the official binary containers and include a Helm chart for easy setup and installation.
If you want to build your own binaries from the source code and run those locally that is of course fine as well, but it will not be a version covered by our support contracts.
I’m not sure what your setup looks like right now, so I’ll try to mention a few control points:
make sure that you have built and are running all services (including history, reporting, accounts…) from the verinice-veo repositories. You can technically run only the core veo service but certain functions (such as reports, object version history) will not work and throw errors otherwise.
make sure that you have imported the provided Keycloak config export. It configures the roles, scopes etc. required by the veo OIDC clients.
make sure that your veo REST API service is using the OIDC realm and client-id that was set up via the imported realm (i.e. Realm: „verinice-veo“ and OIDC client „veo-on-premise“)
404 errors point to something wrong with the Keycloak config.
make sure that you have created a „client“ with an ID that matches the user group of the account in Keycloak. I.e. you should have created a client in verinice with the uuid „4148d239-b543-42bb-bd01-9d0743201335“ and have a Keycloak account as a member of the group called „veo_client:4148d239-b543-42bb-bd01-9d0743201335“. This is usually both set up correctly when you use the „verinice-account“ REST service to create new clients and users. If you created the user manually or used the one included in the configuration export this will not automatically be the case.
Creation of new clients (including matching Keycloak accounts) is triggered by AMQP events. We are in the process of writing a lovely command line interface to make this easier. Until this is available, you will have to follow the instructions in veo-accounts and use an AMQP client (i.e. pika for Python or the RabbitMQ web interface) to send the event:
I think the most likely problem you’re facing right now is that you have a Keycloak account with either no client-group or a client-group that does not exist as an actual client in the veo database. The documentation linked to above should get you started with that.
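The relationship described in the reply above (one Keycloak group „veo_client:<uuid>“ per account, and that uuid existing as a client in the veo database) is easy to get wrong when accounts are created by hand. The following is an added example, not code from the verinice-veo project or from anyone in this thread: a small offline consistency check over constructed sample data. The group lists and the client set are assumptions standing in for what you would read from the Keycloak admin API and the veo database; the one real uuid is the example value quoted in the reply.

```python
# Added example, not part of verinice-veo: check that every Keycloak account
# maps to exactly one "veo_client:<uuid>" group and that the uuid exists as a
# client in the veo database. Sample accounts and clients are constructed.
import re
import uuid
from typing import Dict, List, Optional, Set

# Group name convention quoted in the thread: "veo_client:<client uuid>"
_GROUP_RE = re.compile(r"^veo_client:([0-9a-fA-F-]{36})$")


def client_id_from_group(group: str) -> Optional[str]:
    """Return the normalised client uuid encoded in a veo_client group name,
    or None if the group is not a (well-formed) veo_client group."""
    m = _GROUP_RE.match(group)
    if not m:
        return None
    try:
        return str(uuid.UUID(m.group(1)))  # lower-case, hyphenated form
    except ValueError:
        return None


def check_accounts(accounts: Dict[str, List[str]], db_clients: Set[str]) -> Dict[str, str]:
    """Map each account to a finding:
      'ok'                      - exactly one veo_client group, client exists
      'no-client-group'         - no veo_client group at all
                                  (this is the "Expected 1 client ... Got 0" case)
      'multiple-client-groups'  - more than one veo_client group
      'unknown-client:<uuid>'   - group present, but no such client in the DB
    """
    known = {str(uuid.UUID(c)) for c in db_clients}
    findings: Dict[str, str] = {}
    for account, groups in accounts.items():
        ids = [cid for cid in (client_id_from_group(g) for g in groups) if cid]
        if not ids:
            findings[account] = "no-client-group"
        elif len(ids) > 1:
            findings[account] = "multiple-client-groups"
        elif ids[0] not in known:
            findings[account] = f"unknown-client:{ids[0]}"
        else:
            findings[account] = "ok"
    return findings


def run_sample() -> Dict[str, str]:
    """Run the check over constructed sample data (assumption, not real data)."""
    # Constructed Keycloak group memberships per account
    accounts = {
        "alice": ["veo_client:4148d239-b543-42bb-bd01-9d0743201335"],
        "bob": [],  # created manually in Keycloak, never assigned a client group
        "carol": ["veo_client:00000000-0000-4000-8000-000000000001"],  # no DB row
        "dave": [
            "veo_client:4148d239-b543-42bb-bd01-9d0743201335",
            "veo_client:00000000-0000-4000-8000-000000000001",
        ],
    }
    # Constructed set of client uuids present in the veo database
    db_clients = {"4148d239-b543-42bb-bd01-9d0743201335"}
    return check_accounts(accounts, db_clients)


if __name__ == "__main__":
    for name, finding in run_sample().items():
        print(f"{name:6s} {finding}")
```

Any account that is not reported as „ok“ will hit the client-lookup errors from the first post; the fix is on the side the finding names (assign or correct the group in Keycloak, or create the client so the uuid exists), not in the veo services themselves.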
Hi Alexander,
Thanks for the reply! So, yes, you’re right, I had only created an account in Keycloak and not through the accounts API.
Checking through Keycloak, I have two groups already in there called „veo_client:[uuid]“.
I’ve attempted to use the „/initial“ endpoint shown in the docs using the uuid in the group to create a new client via swagger-ui and get a 403 unauthorised error, specifically:
error=„insufficient_scope“,error_description=„The request requires higher privileges than provided by the access token.“,error_uri=„RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage“ x-content-type-options: nosniff x-frame-options: DENY x-xss-protection: 0
From the documentation, it implies a „secret api key“ is required to make the /initial call but it doesn’t state where to generate the secret. I’ve tried using the credentials for the veo-accounts client in Keycloak and get a 401 unauthorised error.
I feel like I’m really close to cracking this and thank you for your help so far!
Stephan
Hello Stephan,
the „secret api key“ is defined in the accounts service through the environment variable „veo_accounts_auth_apiKeys_clientInit“ or in the application.properties with the variable „veo.accounts.auth.apiKeys.clientInit“. If you’re doing your „/initial“ request through Postman then you need to add the header „Authorization“ with the value you entered for the clientInit.
Sorry for not getting back to you on this earlier. Richard is correct: this is simply a shared secret defined in the mentioned properties setting, used to create the first account in a new client. This initial account will then be able to use OAuth2 to create additional users with its automatically assigned role „veo-accountmanagers“.
Thank you. I have managed to create the initial user, but the frontend is still slightly broken. I need to go through all of the settings again and spend some time getting that up and running.
Hi! Thanks for your replies! I have managed to get the /initial endpoint to work, but as others have said in other posts, I’m not seeing any RabbitMQ messages and accounts are not being created in PostgreSQL.
I think I understand the relationship between the client ID passed in the /initial request, the Keycloak client and the Veo user, but it isn’t joining up.
In the front end, most things are still not loading because I’m getting errors about the client with the UUID not existing, or 0 clients being passed when 1 is expected, depending on how I create the user initially.
I assume that these issues would go away if the messaging was working.
RabbitMQ seems to have a bunch of veo exchanges and queues configured. I have also checked the roles and permissions of the Keycloak client and added the relevant roles.
I can see four connections in the RabbitMQ management interface, but can’t determine which of the services are connected.
Any tips would be greatly appreciated! I feel like I’m 99% of the way there…
OK, I’ve resolved all of the errors and I can log in. I had to manually create the client record in PostgreSQL.
I get to Create Unit, give it a name, get a message saying that no profiles are available and a banner about loading demo data. Skip through that to the next page, „Determine which domains“ and it hangs.
I have a few questions:
Is there any seed data? I can’t see anything in the database.
Is there an obvious reason that the Domains page hangs?
The only error I get in Chrome is: „Error handling response: Error: runtime/sendMessage: The message port closed before a response was received.“
If I manually try to populate the domains table, I just get 400 errors.
I’ve been through the documentation and can’t find any other references to this. Again, I may be missing something.