[Hawkular-dev] https and accounts/keycloak

John Mazzitelli mazz at redhat.com
Mon Oct 12 09:07:58 EDT 2015


So, does this mean we can't ship SSL support out of box? Seems like some of these settings are very particular to the machine kettle is running on. Assuming we don't have an installer, how can we zip up the distro and have it run with SSL enabled out of box? I don't think we are going to be able to do that. If we cannot, we are going to need some VERY clear and easy-to-follow documentation to enable security.

Right now, it looks like there are steps required to:

1) create or obtain your own keystore/truststores
2) set up a security realm in WF
3) set up keycloak security specifically

Juca - did you happen to write down any notes on what you did to get your system running? That could be the start to some docs.

----- Original Message -----
> By the way: on that instance, I have these URLs on the Keycloak subsystem:
> 
> <auth-server-url>https://hawkular.kroehling.de/auth</auth-server-url>
> <auth-server-url-for-backend-requests>http://192.168.122.230:8080/auth</auth-server-url-for-backend-requests>
> 
> This means: users of the application would be redirected to the first
> URL when logging in, while the internal backend calls are made using the
> second URL.
> 
> - Juca.
> 
> On 10/12/2015 10:48 AM, Juraci Paixão Kröhling wrote:
> > I have an instance with TLS at https://hawkular.kroehling.de working,
> > but I can't promise to keep it running 24x7 :) It's a bit old already
> > (MS4, IIRC), but the setup should not be too different between MS4 and
> > MS5.
> >
> > When setting it up, there were a few issues (like, using http by default
> > in some components without the possibility of overriding it), but the UI
> > worked fine once those were fixed and merged. Granted, I haven't tested
> > *everything*, so, I can't say that it all worked :)
> >
> > Anyway, about the error you are seeing: it seems like the certificate is
> > missing from "some" keystore. Have you added the cert to the
> > keycloak.jks keystore? There are a few Keycloak-specific steps that are
> > required, documented here:
> >
> > http://keycloak.github.io/docs/userguide/html_single/index.html#d4e336
> >
> >
> > - Juca.
> >
> > On 10/10/2015 12:08 AM, John Mazzitelli wrote:
> >> I'm trying to figure out what does or does not work over HTTPS. So I
> >> configured kettle with my own self-signed keystore using these
> >> instructions:
> >>
> >> http://blog.eisele.net/2015/01/ssl-with-wildfly-8-and-undertow.html
> >>
> >> I can see the UI at https://localhost:8443 - I first had to tell
> >> Firefox to accept the certificate (so I know it's really going over
> >> SSL). And the fact I can see the login screen tells me the SSL setup
> >> is OK and I'm able to access the UI over https. However, when I try to
> >> log in, I get an exception - and it's a similar exception I get when
> >> the agent tries to call into kettle.
> >>
> >> Has anyone tried accessing kettle over https and have you seen any
> >> keycloak issues when doing so? (nudge, nudge, juca :-)
> >>
> >> Here's the exception I get when I try to log into the UI - I'm curious
> >> if there are other configuration settings we need to get HTTPS to work:
> >>
> >> 384109 [default task-21] ERROR io.undertow.request  - UT005023: Exception handling request to /hawkular/accounts/personas/current
> >> java.lang.RuntimeException: Unable to resolve realm public key remotely
> >>     at org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:134)
> >>     at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:83)
> >>     at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:71)
> >>     at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:47)
> >>     at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68)
> >>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >>     at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
> >>     at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
> >>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
> >>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
> >>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> >>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> >>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> >>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> >>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >>     at java.lang.Thread.run(Thread.java:745)
> >> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
> >>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
> >>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> >>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
> >>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
> >>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:957)
> >>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:892)
> >>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
> >>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
> >>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
> >>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
> >>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
> >>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
> >>     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
> >>     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
> >>     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
> >>     at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
> >>     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
> >>     at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
> >>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> >>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
> >>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
> >>     at org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:105)
> >>     ... 16 more
> >> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> >>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> >>     at sun.security.validator.Validator.validate(Validator.java:260)
> >>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> >>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> >>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> >>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
> >>     ... 35 more
> >> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >>     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
> >>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
> >>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> >>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> >> _______________________________________________
> >> hawkular-dev mailing list
> >> hawkular-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/hawkular-dev
> >>
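The "PKIX path building failed" chain quoted above is the Keycloak adapter failing to trust the certificate the auth server presents when it fetches the realm public key, so the cert (or its CA) is missing from the truststore the adapter uses. The following diagnostic, an added example and not Hawkular or Keycloak code, performs the same handshake against a JKS truststore so step 1 (keystore/truststore) can be verified in isolation before the WildFly security realm and Keycloak subsystem are touched; the auth-server URL, truststore path and password are assumed command-line placeholders.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertPathBuilderException;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class TruststoreCheck {
    /** SSLContext that trusts only the certificates in the given JKS truststore. */
    static SSLContext contextFor(String truststorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** true if the TLS handshake with authServerUrl succeeds, false on a missing trust anchor. */
    static boolean trusted(String authServerUrl, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(authServerUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(5000);
        try {
            conn.connect(); // performs the handshake; no request body is sent
            return true;
        } catch (SSLHandshakeException e) {
            // Same chain as in the thread: SSLHandshakeException -> ValidatorException
            // -> SunCertPathBuilderException ("unable to find valid certification path")
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause();
            if (root instanceof CertPathBuilderException) return false;
            throw e; // hostname mismatch or other handshake failures are reported as-is
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // usage (placeholders): java TruststoreCheck https://localhost:8443/auth /path/to/keycloak.jks changeit
        boolean ok = trusted(args[0], contextFor(args[1], args[2].toCharArray()));
        System.out.println(ok ? "trusted by " + args[1]
                              : "not trusted: import the server certificate into " + args[1]);
    }
}
```

A "not trusted" result with the truststore the adapter is configured to use reproduces the failure in the thread without going through the UI; a hostname mismatch is a different error and is rethrown rather than reported as a missing certificate.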