[keycloak-user] setting up TLS(SSL) through the X509_CA_BUNDLE environment variable

Meissa M'baye Sakho msakho at redhat.com
Mon Nov 12 04:24:51 EST 2018


Hi Sebastian,
That's correct. I can see that my truststore is created correctly with
my CA certificates.
I need now to configure the OutGoing HTTPS Request Truststore [3] with the
created truststore and the password.
The problem is that I can't set the password. I've checked the
x509-truststore.cli [1] and see that it's picked from the
$keycloak_tls_truststore_password variable, which is created by your
x509.sh script [2].
I've tried to use the same syntax in my cli below, but it fails because the
$keycloak_tls_truststore_password is not known in my cli.
So Sebastian, do you know how I can get the truststore password?
Is it possible to set it as an environment variable to the docker image?


[1]=
https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/server/tools/cli/x509-truststore.cli
[2]=
https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/server/tools/x509.sh
[3]=
https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
Thanks,
Meissa


On Wed, Oct 31, 2018 at 09:08, Sebastian Laskawiec <slaskawi at redhat.com>
wrote:

> Hey Meissa,
>
> The warning you see does no harm. As you can see here [1], the message is
> being thrown without stopping the script.
>
> Pulling JDK CAs has been implemented somewhat ahead of time. I asked the
> Cloud Enablement (and also other Red Hat teams) to put Kubernetes and
> OpenShift CAs into JDK lib directory. This way Keycloak will trust the
> OpenShift cluster out of the box. The warning you see clearly indicates
> that this feature hasn't been implemented yet.
>
> So the bottom line - please ignore this error. I'm pretty sure it will
> disappear in the future (and if not, I'll just remove or disable this
> feature).
>
> Thanks,
> Sebastian
>
> [1]
> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L88
>
> On Wed, Oct 31, 2018 at 8:59 AM Meissa M'baye Sakho <msakho at redhat.com>
> wrote:
>
>> Hi Sebastian,
>> Do you have any advice on this issue? It's related to the x509.sh script
>> and I would really appreciate some input/help here.
>> Meissa
>> ---------- Forwarded message ---------
>> From: Meissa M'baye Sakho <msakho at redhat.com>
>> Date: Tue, Oct 30, 2018 at 17:12
>> Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment
>> variable
>> To: keycloak-user <keycloak-user at lists.jboss.org>
>>
>>
>> hello everyone,
>> I'm using the jboss/keycloak:4.5.0.Final docker image.
>> I'm trying to set up Mutual TLS by using the X509_CA_BUNDLE environment
>> variable as explained in the Jboss/keycloak docker image documentation.
>> I've mounted a volume to the image pointing to the cert file and defined
>> the env variable.
>> I'm running the image with the following command:
>> docker run -d --name opengie -e KEYCLOAK_USER=meissa -e KEYCLOAK_PASSWORD=meissa \
>>   -e PROXY_ADDRESS_FORWARDING=true \
>>   -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \
>>   -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \
>>   -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \
>>   -e JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \
>>   -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \
>>   jboss/keycloak:4.5.0.Final
>>
>>
>> When the container starts, I've checked that the cert has been correctly
>> mounted to the expected folder /var/run/secrets.
>> But I see in the log that the certificate import fails (extract below):
>> Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
>> HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
>> Creating Keycloak truststore..
>> Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
>> Importing certificates from system's Java CA certificate bundle into Keycloak truststore..
>> Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!
>> Setting JGroups discovery to dns.DNS_PING with properties {dns_query=>bdf-opengie-test.paas.eclair.local}
>>
>> I've checked the script that handles the TLS import [1], but I'm not
>> able to guess why the import is failing.
>>
>> The following extract is part of the script that is used by the image
>> to import the cert.
>> # Import existing system CA certificates into the newly generated truststore
>> local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts")
>> if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
>>   echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.."
>>   keytool -importkeystore -noprompt \
>>     -srckeystore "${SYSTEM_CACERTS}" \
>>     -destkeystore "${JKS_TRUSTSTORE_PATH}" \
>>     -srcstoretype jks -deststoretype jks \
>>     -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
>>   if [ "$?" -ne "0" ]; then
>>     echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
>>   else
>>     echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!"
>>   fi
>>
>> Any advice?
>>
>> [1]=
>> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh
>>
>> Meissa
>>
>
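As an added illustration of the two points this thread turns on (how a PEM CA bundle gets into a JKS truststore, and how the truststore password can be made available to the CLI that registers the truststore), here is a small POSIX shell script. It is example code written for this page, not the x509.sh or x509-truststore.cli shipped in the jboss/keycloak image. It assumes X509_CA_BUNDLE points at a PEM bundle, that keytool is on PATH when the import actually runs, that the password is supplied in an environment variable named KEYCLOAK_TLS_TRUSTSTORE_PASSWORD (an assumed name; the thread does not confirm the image exposes one), and that the truststore SPI property names match the Keycloak truststore documentation linked as [3] in the first message. One detail worth noticing in the quoted extract above: its inner check is `if [ "$?" -ne "0" ]; then echo "Successfully ..."`, so a keytool run that exits 0 falls into the "Failed to import" branch; the run_import function below tests the command's exit status directly so the log line matches what happened.

```shell
#!/bin/sh
# Added example; not the x509.sh/x509-truststore.cli from the jboss/keycloak image.
# Assumptions: X509_CA_BUNDLE is a PEM bundle, keytool is on PATH when the import
# runs, and the truststore password comes from KEYCLOAK_TLS_TRUSTSTORE_PASSWORD
# (an assumed variable name) so the same value can be handed to jboss-cli.

JKS_TRUSTSTORE_PATH="${JKS_TRUSTSTORE_PATH:-/opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks}"

# Split a PEM bundle into one file per certificate under $2 and print the
# number of certificates found (keytool -importcert takes one cert per call).
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%03d.crt", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Run the import command given as arguments and report on its real exit
# status (0 = success), instead of testing "$?" -ne 0 for the success branch.
run_import() {
    if "$@" >/dev/null 2>&1; then
        echo "Successfully imported certificates into ${JKS_TRUSTSTORE_PATH}"
        return 0
    fi
    echo "Failed to import certificates into ${JKS_TRUSTSTORE_PATH}!" >&2
    return 1
}

# Emit the jboss-cli commands that register the truststore for outgoing HTTPS
# requests. Property names follow the Keycloak truststore SPI docs (assumed
# here, not copied from x509-truststore.cli); $1 is the truststore password.
truststore_cli() {
    cat <<EOF
/subsystem=keycloak-server/spi=truststore/:add
/subsystem=keycloak-server/spi=truststore/provider=file/:add(properties={file => "${JKS_TRUSTSTORE_PATH}", password => "$1", hostname-verification-policy => "WILDCARD", disabled => "false"}, enabled=true)
EOF
}

# Only act when a bundle and keytool are present; otherwise the functions
# above are just defined for reuse.
if [ -n "${X509_CA_BUNDLE:-}" ] && command -v keytool >/dev/null 2>&1; then
    : "${KEYCLOAK_TLS_TRUSTSTORE_PASSWORD:?set the truststore password}"
    workdir=$(mktemp -d)
    count=$(split_pem_bundle "$X509_CA_BUNDLE" "$workdir")
    echo "Found $count certificate(s) in $X509_CA_BUNDLE"
    for crt in "$workdir"/ca-*.crt; do
        run_import keytool -importcert -noprompt -trustcacerts \
            -alias "$(basename "$crt" .crt)" -file "$crt" \
            -keystore "$JKS_TRUSTSTORE_PATH" \
            -storepass "$KEYCLOAK_TLS_TRUSTSTORE_PASSWORD"
    done
    # The CLI file carries the password, so create it readable by the owner only.
    cli_out="${TRUSTSTORE_CLI:-/tmp/truststore.cli}"
    ( umask 077; truststore_cli "$KEYCLOAK_TLS_TRUSTSTORE_PASSWORD" > "$cli_out" )
    rm -rf "$workdir"
fi
```

Because the password is read from the environment rather than generated inside the script, the same value is available both to keytool and to the generated truststore.cli, which is the gap the first message describes; the generated file is written with a restrictive umask since it embeds that password.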

