Issues with Veo on-premise installation

Hi everyone,

I have been attempting to set up Verinice-Veo on premise for a few weeks and cannot get it to work. Here’s my setup:

Nginx reverse proxy

Server 1: verinice-veo-web

Server 2: verinice-veo, verinice-veo-accounts, verinice-veo-forms, verinice-veo-history, verinice-veo-reporting, keycloak

I am able to log in to the front-end, and am able to get to a page to allow me to create a Unit, but there are a myriad of errors that mean that nothing loads.

The main cause of this seems to be a couple of issues:

It’s not clear where the /veo/ URL is meant to point. Debugging with curl seems to give me 404 errors from every component. If I leave it pointing to the REST API, I get error 400 (bad request).

I keep getting “Expected 1 client for the account. Got 0.” for most components.

I think it may be a Keycloak configuration error, but I used the template configuration from the documentation. I have double-checked the application configurations in all of the different elements and cannot find where I’m going wrong.

Any pointers would be great, if anyone has seen this before? If anyone has a template nginx reverse proxy configuration, that would also be helpful.

Thanks in advance, Stephan

Hi stephanf,

just to clarify: „veo on-premise“ as a product for end-users and whitelabel-providers will begin rolling out later this year. It will be based on the official binary containers and include a Helm chart for easy setup and installation.

If you want to build your own binaries from the source code and run those locally that is of course fine as well, but it will not be a version covered by our support contracts.

I’m not sure what your setup looks like right now so I’ll try to mention a few control points:

  • make sure that you have built and are running all services (including history, reporting, accounts…) from the verinice-veo repositories. You can technically run only the core veo service but certain functions (such as reports, object version history) will not work and throw errors otherwise.
  • make sure that you have imported the provided Keycloak config export. It configures the roles, scopes etc. required by the veo OIDC clients.
  • make sure that your veo REST API service is using the OIDC realm and client-id that was set up via the imported realm (i.e. Realm: „verinice-veo“ and OIDC client „veo-on-premise“)
  • 404 errors point to something wrong with the Keycloak config
  • make sure that you have created a „client“ with an ID that matches the user group of the account in Keycloak. I.e. you should have created a client in verinice with the uuid „4148d239-b543-42bb-bd01-9d0743201335“ and have a Keycloak account as a member of the group called „veo_client:4148d239-b543-42bb-bd01-9d0743201335“. This is usually both set up correctly when you use the „verinice-account“ REST service to create new clients and users. If you created the user manually or used the one included in the configuration export this will not automatically be the case.
  • Creation of new clients (including matching Keycloak-Accounts) is triggered by AMQP-events. We are in the process of writing a lovely command line interface to make this easier. Until this is available, you will have to follow the instructions in veo-accounts and use an AMQP client (i.e. pika for Python or the RabbitMQ Web-Interface) to send the event:

I think the most likely problem you’re facing right now is that you have a Keycloak account with either no client-group or a client-group that does not exist as an actual client in the veo database. The documentation linked to above should get you started with that.

Hi Alexander,
Thanks for the reply! So, yes, you’re right, I had only created an account in Keycloak and not through the accounts API.
Checking through Keycloak, I have two groups already in there called „veo_client:[uuid]“.
I’ve attempted to use the „/initial“ endpoint shown in the docs using the uuid in the group to create a new client via swagger-ui and get a 403 unauthorised error, specifically:

error=„insufficient_scope“,error_description=„The request requires higher privileges than provided by the access token.“,error_uri=„RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage“ x-content-type-options: nosniff x-frame-options: DENY x-xss-protection: 0

From the documentation, it implies a „secret api key“ is required to make the /initial call but it doesn’t state where to generate the secret. I’ve tried using the credentials for the veo-accounts client in Keycloak and get a 401 unauthorised error.

I feel like I’m really close to cracking this and thank you for your help so far!
Stephan
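
One way to check the group requirement described in the reply above, as an added example that is not part of the thread or of the verinice code: decode the payload of an access token issued to the account, count its `veo_client:<uuid>` groups and list its scopes. The claim name `groups` and the optional leading slash are assumptions about the realm's group mapper; the sample tokens are constructed.

```python
import base64
import json
import re

# Assumption: group memberships appear in a "groups" claim; the actual claim
# name depends on the group-membership mapper configured in the realm.
GROUPS_CLAIM = "groups"
CLIENT_GROUP = re.compile(
    r"^/?veo_client:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.IGNORECASE
)

def decode_claims(token: str) -> dict:
    """Decode the JWT payload without verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_token(token: str) -> dict:
    """Report the client groups and scopes carried by an access token."""
    claims = decode_claims(token)
    groups = claims.get(GROUPS_CLAIM, [])
    clients = [m.group(1) for g in groups if (m := CLIENT_GROUP.match(g))]
    return {
        "client_ids": clients,
        # 0 matches is the "no client-group" case named in the reply
        "client_count_ok": len(clients) == 1,
        "scopes": claims.get("scope", "").split(),
    }

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the demo runs offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

if __name__ == "__main__":
    uuid = "4148d239-b543-42bb-bd01-9d0743201335"  # the uuid quoted in the thread
    with_group = make_sample_token(
        {"groups": [f"/veo_client:{uuid}"], "scope": "openid profile"}
    )
    without_group = make_sample_token({"groups": ["/other"], "scope": "openid"})
    print(inspect_token(with_group))
    print(inspect_token(without_group))
```

A token that passes this check can still fail if no client with that uuid exists in the veo database, which is the second case mentioned in the reply.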