[Hawkular-dev] https and accounts/keycloak

Juraci Paixão Kröhling jpkroehling at redhat.com
Mon Oct 12 05:09:57 EDT 2015


By the way: on that instance, I have these URLs on the Keycloak subsystem:

<auth-server-url>https://hawkular.kroehling.de/auth</auth-server-url>
<auth-server-url-for-backend-requests>http://192.168.122.230:8080/auth</auth-server-url-for-backend-requests>

This means: users of the application would be redirected to the first 
URL when logging in, while the internal backend calls are made using the 
second URL.

- Juca.

On 10/12/2015 10:48 AM, Juraci Paixão Kröhling wrote:
> I have an instance with TLS at https://hawkular.kroehling.de working,
> but I can't promise to keep it running 24x7 :) It's a bit old already
> (MS4, IIRC), but the setup should not be too different between MS4 and
> MS5.
>
> When setting it up, there were a few issues (like, using http by default
> in some components without the possibility of overriding it), but the UI
> worked fine once those were fixed and merged. Granted, I haven't tested
> *everything*, so, I can't say that it all worked :)
>
> Anyway, about the error you are seeing: it seems like the certificate is
> missing from "some" keystore. Have you added the cert to the
> keycloak.jks keystore? There are a few Keycloak-specific steps that are
> required, documented here:
>
> http://keycloak.github.io/docs/userguide/html_single/index.html#d4e336
>
>
> - Juca.
>
> On 10/10/2015 12:08 AM, John Mazzitelli wrote:
>> I'm trying to figure out what does or does not work over HTTPS. So I
>> configured kettle with my own self-signed keystore using these
>> instructions:
>>
>> http://blog.eisele.net/2015/01/ssl-with-wildfly-8-and-undertow.html
>>
>> I can see the UI at https://localhost:8443 - I first had to tell
>> Firefox to accept the certificate (so I know it's really going over
>> SSL). And the fact I can see the login screen tells me the SSL setup
>> is OK and I'm able to access the UI over https. However, when I try to
>> log in, I get an exception - and it's a similar exception I get when
>> the agent tries to call into kettle.
>>
>> Has anyone tried accessing kettle over https and have you seen any
>> keycloak issues when doing so? (nudge, nudge, juca :-)
>>
>> Here's the exception I get when I try to log into the UI - I'm curious
>> if there are other configuration settings we need to get HTTPS to work:
>>
>> 384109 [default task-21] ERROR io.undertow.request  - UT005023: Exception handling request to /hawkular/accounts/personas/current
>> java.lang.RuntimeException: Unable to resolve realm public key remotely
>>     at org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:134)
>>     at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:83)
>>     at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:71)
>>     at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:47)
>>     at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
>>     at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>     at java.lang.Thread.run(Thread.java:745)
>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:957)
>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:892)
>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
>>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
>>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
>>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
>>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
>>     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
>>     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
>>     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
>>     at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
>>     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
>>     at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
>>     at org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:105)
>>     ... 16 more
>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
>>     ... 35 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)

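The trace John posted chains three "Caused by" links under the adapter's `resolveRealmKey` call; walking that chain to its root and to the innermost adapter frame shows that the TLS client which rejected the certificate is the JVM fetching the realm public key from the auth server URL, not the browser that had already accepted it. This is an added example, not code from the thread or from Keycloak; the sample trace is a constructed, shortened copy of the one quoted above, and `org.keycloak.` as the application-frame prefix is an assumption.

```python
import re
# Constructed sample: a shortened copy of the chained trace quoted in the thread.
SAMPLE_TRACE = """\
java.lang.RuntimeException: Unable to resolve realm public key remotely
    at org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:134)
    at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:71)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
    at org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:105)
    ... 16 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
"""

FRAME_RE = re.compile(r"^\s+at\s+([\w$.]+)\(")  # '    at pkg.Class.method(File.java:N)'

def parse_chain(trace):
    """Return the top exception and each 'Caused by:' link as {exception, message, frames}."""
    chain = []
    for line in trace.splitlines():
        m = FRAME_RE.match(line)
        if m and chain:
            chain[-1]["frames"].append(m.group(1))  # innermost first, as Java prints them
        elif line.startswith("Caused by: ") or (not chain and line and not line[0].isspace()):
            exc, _, msg = re.sub(r"^Caused by: ", "", line).partition(": ")
            chain.append({"exception": exc, "message": msg, "frames": []})
    return chain  # '... N more' lines repeat frames already shown and are skipped

def tls_caller(chain, app_prefix="org.keycloak."):
    """Innermost application frame of the link whose frames include the JSSE handshake."""
    for link in chain:
        if any(f.startswith("sun.security.ssl.") for f in link["frames"]):
            return next((f for f in link["frames"] if f.startswith(app_prefix)), None)
    return None

def triage(trace):
    """Name the root cause and the client code that opened the failing TLS connection."""
    chain = parse_chain(trace)
    root = chain[-1]
    # No trust anchor for the server certificate: a truststore problem on the calling JVM, not the listener.
    return {
        "root_exception": root["exception"],
        "root_message": root["message"],
        "tls_caller": tls_caller(chain),
        "missing_trust_anchor": root["exception"].endswith("SunCertPathBuilderException"),
    }
```

On the sample, `triage` reports the `SunCertPathBuilderException` root and `AdapterDeploymentContext.resolveRealmKey` as the caller, which points at the truststore of the application server rather than at the browser or the HTTPS listener.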