[keycloak-user] setting up TLS(SSL) through the X509_CA_BUNDLE environment variable

Tue Nov 13 03:14:03 EST 2018

Hello Sebastien,
Any advice?
I really need to access trustore password initilized loccally from the
x509.sh script. (extrcat below)
local PASSWORD=$(openssl rand -base64 32 2>/dev/null)
local JKS_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.jks

I'm stuck otherwise.
How can I get access to it?
Meissa

Le lun. 12 nov. 2018 à 10:24, Meissa M'baye Sakho <msakho at redhat.com> a
écrit :

> Hi Sebastian,
> That's correct. I can see that my the truststore is created correctly with
> my CA certificates.
> I need now to configure the OutGoing HTTPS Request Truststore [3] with the
> created truststore and the password.
> The problem is that I can't set the password. I've checked into the
> x509-truststore.cli [1] and see that it's picked from the
> $keycloak_tls_truststore_password variable.
> and created from your x509.sh script [2]
> I've tried to use the same syntax in my cli below but it fails because the
> $keycloak_tls_truststore_password is not know from my cli.
> So Sebastien, do you know how I can get the trsustore password?
> Is it possible to set it as an environment variable to the docker image?
>
>
> [1]=
> https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/server/tools/cli/x509-truststore.cli
> [2]=
> https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/server/tools/x509.sh
> [3]=
> https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
> Thanks,
> Meissa
>
>
> Le mer. 31 oct. 2018 à 09:08, Sebastian Laskawiec <slaskawi at redhat.com> a
> écrit :
>
>> Hey Meissa,
>>
>> The warning you see does no harm. As you can see here [1], the message is
>> being thrown without stopping the script.
>>
>> Pulling JDK CAs has been implemented somewhat ahead of time. I asked the
>> Cloud Enablement (and also other Red Hat teams) to put Kubernetes and
>> OpenShift CAs into JDK lib directory. This way Keycloak will trust the
>> OpenShift cluster out of the box. The warning you see clearly indicates
>> that this feature hasn't been implemented yet.
>>
>> So the bottom line - please ignore this error. I'm pretty sure it will
>> disappear in the future (and if not, I'll just remove or disable this
>> feature).
>>
>> Thanks,
>> Sebastian
>>
>> [1]
>> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L88
>>
>> On Wed, Oct 31, 2018 at 8:59 AM Meissa M'baye Sakho <msakho at redhat.com>
>> wrote:
>>
>>> Hi Sebastian,
>>> Do you have any advice in this issue. It's related to the x509.sh script
>>> and I would really apprecaite an input/help here.
>>> Meissa
>>> ---------- Forwarded message ---------
>>> From: Meissa M'baye Sakho <msakho at redhat.com>
>>> Date: mar. 30 oct. 2018 à 17:12
>>> Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment
>>> variable
>>> To: keycloak-user <keycloak-user at lists.jboss.org>
>>>
>>>
>>> hello everyone,
>>> I'm using the jboss/keycloak:4.5.0.Final docker image.
>>> I'm trying to setup Mutual TLS by using the X509_CA_BUNDLE environment
>>> variable as explained in the Jboss/keycloak docker image documentation.
>>> I've mounted a volume to the image pointing to the cert file and defined
>>> the env variable.
>>> I'm running the image with the following command:
>>>  *docker run -d --name opengie -e KEYCLOAK_USER=meissa -e
>>> KEYCLOAK_PASSWORD=meissa \*
>>> *  -e PROXY_ADDRESS_FORWARDING=true \*
>>> *  -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets
>>> \*
>>> *  -v
>>> /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \*
>>> *  -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \*
>>> *  -e
>>> JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \*
>>> *  -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \*
>>> *  jboss/keycloak:4.5.0.Final*
>>>
>>>
>>> When The container starts, I've checked that the cert has been corectly
>>> mounted to the expected folder /var/run/secrets
>>> But I see in the log that the certificat import fails (extract below):
>>> *Creating HTTPS keystore via OpenShift's service serving x509
>>> certificate secrets..*
>>> *HTTPS keystore successfully created at:
>>> /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks*
>>> *Creating Keycloak truststore..*
>>> *Keycloak truststore successfully created at:
>>> /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks*
>>> *Importing certificates from system's Java CA certificate bundle into
>>> Keycloak truststore..*
>>> *Failed to import certificates from system's Java CA certificate bundle
>>> into Keycloak truststore!*
>>> *Setting JGroups discovery to dns.DNS_PING with properties
>>> {dns_query=>bdf-opengie-test.paas.eclair.local}*
>>>
>>> I've checked in the script that handle the TLS import [1], but I'm not
>>> able to guess why the import is failing.
>>>
>>> The following extract is a part of the scripts that is used by the image
>>> to import the cert.
>>> # Import existing system CA certificates into the newly generated
>>> truststore
>>> local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which
>>> keytool)))"/../lib/security/cacerts")
>>> if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit"
>>> > /dev/null; then
>>> echo "Importing certificates from system's Java CA certificate bundle
>>> into Keycloak truststore.."
>>> keytool -importkeystore -noprompt \
>>> -srckeystore "${SYSTEM_CACERTS}" \
>>> -destkeystore "${JKS_TRUSTSTORE_PATH}" \
>>> -srcstoretype jks -deststoretype jks \
>>> -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
>>> if [ "$?" -ne "0" ]; then
>>> echo "Successfully imported certificates from system's Java CA
>>> certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
>>> else
>>>   echo "Failed to import certificates from system's Java CA certificate
>>> bundle into Keycloak truststore!"
>>> fi
>>>
>>> Any advice?
>>>
>>> [1]=
>>> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh
>>>
>>> Meissa
>>>
>>