[keycloak-user] setting up TLS(SSL) through the X509_CA_BUNDLE environment variable

Sebastian Laskawiec slaskawi at redhat.com
Tue Nov 13 03:37:41 EST 2018


So the variable you're pointing out is local to the script. Having said
that, you have no access to it from the outside.

I think the proper solution would be to modify Keycloak codebase
(especially Keycloak subsystem) and integrate it with Elytron. Probably +Pedro
Igor Silva <psilva at redhat.com> would be the best person to ask about that.

As for the short-term solution, I guess introducing two optional
environmental variables for storing Keystore and Truststore passwords would
be enough. If those variables were empty, we would generate a new password.
If not, we'd use it for generating JKS files.

Unfortunately adding this feature is not currently on our priority list.
Therefore, I highly encourage you to contribute it. If you plan to do so,
please remember about creating a JIRA for it. I will be more than happy to
review the code once you have something ready.

Thanks,
Sebastian

On Tue, Nov 13, 2018 at 9:14 AM Meissa M'baye Sakho <msakho at redhat.com>
wrote:

> Hello Sebastien,
> Any advice?
> I really need to access trustore password initilized loccally from the
> x509.sh script. (extrcat below)
> local PASSWORD=$(openssl rand -base64 32 2>/dev/null)
> local JKS_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.jks
>
> I'm stuck otherwise.
> How can I get access to it?
> Meissa
>
> Le lun. 12 nov. 2018 à 10:24, Meissa M'baye Sakho <msakho at redhat.com> a
> écrit :
>
>> Hi Sebastian,
>> That's correct. I can see that my the truststore is created correctly
>> with my CA certificates.
>> I need now to configure the OutGoing HTTPS Request Truststore [3] with
>> the created truststore and the password.
>> The problem is that I can't set the password. I've checked into the
>> x509-truststore.cli [1] and see that it's picked from the
>> $keycloak_tls_truststore_password variable.
>> and created from your x509.sh script [2]
>> I've tried to use the same syntax in my cli below but it fails because
>> the $keycloak_tls_truststore_password is not know from my cli.
>> So Sebastien, do you know how I can get the trsustore password?
>> Is it possible to set it as an environment variable to the docker image?
>>
>>
>> [1]=
>> https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/server/tools/cli/x509-truststore.cli
>> [2]=
>> https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/server/tools/x509.sh
>> [3]=
>> https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
>> Thanks,
>> Meissa
>>
>>
>> Le mer. 31 oct. 2018 à 09:08, Sebastian Laskawiec <slaskawi at redhat.com>
>> a écrit :
>>
>>> Hey Meissa,
>>>
>>> The warning you see does no harm. As you can see here [1], the message
>>> is being thrown without stopping the script.
>>>
>>> Pulling JDK CAs has been implemented somewhat ahead of time. I asked the
>>> Cloud Enablement (and also other Red Hat teams) to put Kubernetes and
>>> OpenShift CAs into JDK lib directory. This way Keycloak will trust the
>>> OpenShift cluster out of the box. The warning you see clearly indicates
>>> that this feature hasn't been implemented yet.
>>>
>>> So the bottom line - please ignore this error. I'm pretty sure it will
>>> disappear in the future (and if not, I'll just remove or disable this
>>> feature).
>>>
>>> Thanks,
>>> Sebastian
>>>
>>> [1]
>>> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L88
>>>
>>> On Wed, Oct 31, 2018 at 8:59 AM Meissa M'baye Sakho <msakho at redhat.com>
>>> wrote:
>>>
>>>> Hi Sebastian,
>>>> Do you have any advice in this issue. It's related to the x509.sh
>>>> script and I would really apprecaite an input/help here.
>>>> Meissa
>>>> ---------- Forwarded message ---------
>>>> From: Meissa M'baye Sakho <msakho at redhat.com>
>>>> Date: mar. 30 oct. 2018 à 17:12
>>>> Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment
>>>> variable
>>>> To: keycloak-user <keycloak-user at lists.jboss.org>
>>>>
>>>>
>>>> hello everyone,
>>>> I'm using the jboss/keycloak:4.5.0.Final docker image.
>>>> I'm trying to setup Mutual TLS by using the X509_CA_BUNDLE environment
>>>> variable as explained in the Jboss/keycloak docker image documentation.
>>>> I've mounted a volume to the image pointing to the cert file and
>>>> defined the env variable.
>>>> I'm running the image with the following command:
>>>>  *docker run -d --name opengie -e KEYCLOAK_USER=meissa -e
>>>> KEYCLOAK_PASSWORD=meissa \*
>>>> *  -e PROXY_ADDRESS_FORWARDING=true \*
>>>> *  -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets
>>>> \*
>>>> *  -v
>>>> /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \*
>>>> *  -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \*
>>>> *  -e
>>>> JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \*
>>>> *  -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \*
>>>> *  jboss/keycloak:4.5.0.Final*
>>>>
>>>>
>>>> When The container starts, I've checked that the cert has been corectly
>>>> mounted to the expected folder /var/run/secrets
>>>> But I see in the log that the certificat import fails (extract below):
>>>> *Creating HTTPS keystore via OpenShift's service serving x509
>>>> certificate secrets..*
>>>> *HTTPS keystore successfully created at:
>>>> /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks*
>>>> *Creating Keycloak truststore..*
>>>> *Keycloak truststore successfully created at:
>>>> /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks*
>>>> *Importing certificates from system's Java CA certificate bundle into
>>>> Keycloak truststore..*
>>>> *Failed to import certificates from system's Java CA certificate bundle
>>>> into Keycloak truststore!*
>>>> *Setting JGroups discovery to dns.DNS_PING with properties
>>>> {dns_query=>bdf-opengie-test.paas.eclair.local}*
>>>>
>>>> I've checked in the script that handle the TLS import [1], but I'm not
>>>> able to guess why the import is failing.
>>>>
>>>> The following extract is a part of the scripts that is used by the
>>>> image to import the cert.
>>>> # Import existing system CA certificates into the newly generated
>>>> truststore
>>>> local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which
>>>> keytool)))"/../lib/security/cacerts")
>>>> if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit"
>>>> > /dev/null; then
>>>> echo "Importing certificates from system's Java CA certificate bundle
>>>> into Keycloak truststore.."
>>>> keytool -importkeystore -noprompt \
>>>> -srckeystore "${SYSTEM_CACERTS}" \
>>>> -destkeystore "${JKS_TRUSTSTORE_PATH}" \
>>>> -srcstoretype jks -deststoretype jks \
>>>> -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
>>>> if [ "$?" -ne "0" ]; then
>>>> echo "Successfully imported certificates from system's Java CA
>>>> certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
>>>> else
>>>>   echo "Failed to import certificates from system's Java CA certificate
>>>> bundle into Keycloak truststore!"
>>>> fi
>>>>
>>>> Any advice?
>>>>
>>>> [1]=
>>>> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh
>>>>
>>>> Meissa
>>>>
>>>


More information about the keycloak-user mailing list