[keycloak-dev] New truststore provider

Marko Strukelj mstrukel at redhat.com
Mon Jan 11 06:16:42 EST 2016


The new truststore provider I’ve been working on for the last several
weeks has been merged to master.

It brings some changes in how to configure HTTPS connectivity between
the Keycloak server and backend services like brokers, LDAP identity
providers, SMTP servers, and client applications for backchannel
events.

Previously it was possible to configure a truststore on HttpClient
provider using the following properties:

"connectionsHttpClient": {
   "truststore": "path to your .jks file containing public certificates you trust",
   "truststorePassword": "password",
   "hostname-verification-policy": "WILDCARD",
   "disable-trust-manager": false
}


Not every outgoing connection used the HttpClient provider though. LDAP
connectivity uses Java's internal LDAP JNDI factory implementation,
which uses java.net.URLConnection; similarly, connectivity to SMTP
servers via the JavaMail API used java.net.URLConnection directly. These
would bypass the HttpClient truststore configuration completely and
default to the JSSE configuration - that is, whatever is configured at
JVM level using the javax.net.ssl.trustStore system property, or else
the cacerts file that ships with Java.

By moving truststore configuration out of HttpClient provider it can
now be used by all these other facilities as well, and thus we truly
have a server-wide truststore configuration for our services.

The new truststore provider removes truststore and certificate
checking configuration from HttpClient provider. The above mentioned
configuration properties no longer have any effect. Instead, one has
to configure the truststore provider:

"truststore": {
   "file": {
       "file": "path to your .jks file containing public certificates you trust",
       "password": "password",
       "hostname-verification-policy": "WILDCARD",
       "disabled": false
   }
}


If the truststore provider is configured, it is used by the HttpClient
provider and other services. If it is not configured (which is the
default - the section is missing entirely from keycloak-server.json),
or if it is ‘disabled’, then the HttpClient provider will fall back to
the JSSE configuration. Note that this is not the same as the removed
‘disable-trust-manager’ setting in the HttpClient provider configuration,
which, rather than falling back to JSSE, turned off certificate checking
itself - accepting any certificate, including self-signed ones. By the
way - that’s something that should never be enabled in a production
system, but it was the default configuration. This mode is no longer
available - you can’t disable certificate checking any more, you can
only delegate it downwards to the JVM.
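To make the precedence above concrete, here is a small hypothetical resolver (added for illustration, not Keycloak's own provider code) that maps the three cases to standard JSSE calls: a configured `file` loads that JKS, while a missing or `disabled` section initialises the TrustManagerFactory with a null KeyStore, which is exactly the JVM-default (`javax.net.ssl.trustStore` or `cacerts`) behaviour; there is deliberately no branch that returns an accept-everything trust manager.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper (not part of Keycloak) mirroring the announced semantics:
//   file configured and not disabled -> trust only what that JKS contains
//   section missing or disabled      -> delegate to JSSE defaults
// No "trust everything" mode exists, matching the removal of disable-trust-manager.
public class TruststoreResolver {

    public static TrustManager[] resolve(String file, String password, boolean disabled)
            throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (disabled || file == null) {
            // JSSE fallback: a null KeyStore tells the factory to use the JVM's default
            // truststore (javax.net.ssl.trustStore if set, otherwise lib/security/cacerts).
            tmf.init((KeyStore) null);
        } else {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(file)) {
                // A null password still allows loading; integrity check is then skipped.
                ks.load(in, password == null ? null : password.toCharArray());
            }
            tmf.init(ks);
        }
        return tmf.getTrustManagers();
    }

    // Build an SSLContext usable by HttpClient, JNDI/LDAP (via a custom socket factory)
    // or JavaMail from the resolved trust managers.
    public static SSLContext sslContext(String file, String password, boolean disabled)
            throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, resolve(file, password, disabled), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed invocation: no truststore section configured, so JSSE is used.
        String jvmStore = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        TrustManager[] tms = resolve(null, null, false);
        System.out.println("JSSE fallback store: " + jvmStore
                + " (" + tms.length + " trust manager(s) from the JVM default)");
    }
}
```

Hostname verification (the `hostname-verification-policy` key) is a separate check applied by the HTTP client on top of the chain validation shown here.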

More docs on this are available in the ‘truststore’ section of Server
Installation (https://github.com/keycloak/keycloak/blob/master/docbook/auth-server-docs/reference/en/en-US/modules/server-installation.xml)

- marko
