[keycloak-user] LDAPS configuration fails "Test authentication"

Marek Posolda mposolda at redhat.com
Thu Feb 18 02:10:12 EST 2016 

On 17/02/16 22:46, Jason Axley wrote:
> I followed some documentation like 
> https://developer.jboss.org/wiki/LDAPSecurityRealmExamples for 
> configuring JBOSS to use LDAP over SSL to Active Directory but can’t 
> seem to get Keycloak to honor the trust settings in the configured 
> keystore.
>
> 2016-02-17 21:33:49,670 ERROR 
> [org.keycloak.services.managers.LDAPConnectionTestManager] (default 
> task-2) Error when authenticating to LDAP: simple bind failed: 
> server.example.com:636: javax.naming.CommunicationException: simple 
> bind failed: server.example.com:636 [Root exception is 
> javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
> find valid certification path to requested target]
>
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
>
>
> This is the configuration I’m using for the standalone server:
>
> <security-realm name="LdapSSLRealm">
>
> <authentication>
>
> <truststore 
> path="keycloak.jks"relative-to="jboss.server.config.dir"keystore-password=“password"/>
>
> </authentication>
>
> </security-realm>
>
> </security-realms>
>
> <outbound-connections>
>
> <ldap 
> name=“AD"url="ldaps://server.example.com:636"security-realm="LdapSSLRealm"/>
>
> </outbound-connections>
>
>
> I have all of the certs in the chain imported into the keystore:
>
> keytool -list -keystore ../configuration/keycloak.jks
>
> Enter keystore password:
>
>
> Keystore type: JKS
>
> Keystore provider: SUN
>
>
> Your keystore contains 5 entries
>
>
> cert1, Feb 17, 2016, trustedCertEntry,
>
> Certificate fingerprint (SHA1): 
> D5:BA:F5:07:21:7D:71:AA:F6:9B:53:41:C1:05:0C:48:A9:3F:57:CE
>
> rootcert2, Feb 17, 2016, trustedCertEntry,
>
> Certificate fingerprint (SHA1): 
> 86:70:AB:0A:96:58:4D:73:C0:D5:13:A8:4D:B3:1D:EC:08:D7:7B:1A
>
> mykey, Feb 12, 2016, trustedCertEntry,
>
> Certificate fingerprint (SHA1): 
> 20:8C:D9:BD:B7:75:12:53:F8:68:04:82:48:5C:D7:70:F5:6C:28:15
>
> rootcert, Feb 17, 2016, trustedCertEntry,
>
> Certificate fingerprint (SHA1): 
> 36:28:1E:74:E0:A9:6E:0F:53:99:75:DA:62:20:24:D4:F6:34:CD:BD
>
> intermediateu, Feb 17, 2016, trustedCertEntry,
>
> Certificate fingerprint (SHA1): 
> E9:66:EE:CF:79:6A:C1:D0:13:18:59:9C:B4:29:08:54:DF:91:27:2D
>
>
> Is there a way to find out if Keycloak/jboss is picking up this 
> truststore config?  Seems that it’s not.  Any other ideas?
Yes, it seems that it's not picking it. AFAIK we don't support retrieve 
truststore from the wildfly configuration of security-realm in 
standalone.xml . Maybe we should...

At this moment, what should work to configure truststore is either:
- Configure truststore SPI in keycloak-server.json. See 
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e231
- add system properties |javax.net.ssl.trustStore and 
||javax.net.ssl.trustStorePassword

Marek
|
> -Jason
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160218/1eb87e22/attachment.html

More information about the keycloak-user mailing list