[keycloak-user] Add CA certificates for LDAPS ?

Marek Posolda mposolda at redhat.com
Wed Oct 31 09:20:59 EDT 2018


Few hints:

I would first check if truststore itself is correct. For example you can 
use this command (replace with your actual truststore):

$ keytool -list -keystore /home/mposolda/tmp/dev1xy.truststore


Then you should see output like:

Your keystore contains 1 entry

mykey, 31-Oct-2012, trustedCertEntry,
Certificate fingerprint (SHA1): 9E:4E:B2:F2:91:42:D5:5F:17:E0:82:D8:0C:9B:04:A2:91:63:4B:E9

And then you know that alias is "mykey", so you may want to use:

$ keytool -exportcert -keystore /home/mposolda/tmp/dev1xy.truststore -alias mykey -file /tmp/cert.crt
$ keytool -printcert -file /tmp/cert.crt


which should print all the details of your certificate. If any of the 
above steps fails or the certificate doesn't look as expected, you know that 
the issue is in the truststore file itself. Note that you are required to 
provide the truststore password as well in those commands (keytool will 
prompt you for it).


Another helpful thing can be to enable debug logging by adding this 
system property to the command line when running Keycloak: 
-Djavax.net.debug=all

That should print lots of debugging info to the server log. You can 
especially take a look at what it's logging when you click "Test 
Connection" for your LDAP provider in the admin console: in particular, 
whether it uses the truststore file as expected, whether the certificate looks as expected, etc.

Hope it helps,
Marek
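The two checks Marek describes (reading the `keytool -list` output, then reading what the JVM logs about the truststore it actually loaded under -Djavax.net.debug=all) can be scripted so that the answer to "was my truststore loaded, and does it contain the CA that issued the LDAP server certificate?" is a short list of findings. The script below is an added example, not code from this thread or from Keycloak. The keytool listing layout follows the output quoted above; the debug-log layout (a "trustStore is: <path>" line, then "adding as trusted cert:" followed by an indented "Subject:" line per certificate) is my recollection of the Java 8 format and is an assumption, as are the sample paths and DNs.

```python
"""Parse `keytool -list` output and -Djavax.net.debug=all trust-manager lines,
then report why an LDAPS connection might still fail PKIX path building.
Added example; the debug-log layout is assumed (Java 8 style), not taken from docs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TrustEntry:
    alias: str
    entry_type: str                    # e.g. trustedCertEntry or PrivateKeyEntry
    fingerprint: Optional[str] = None


# "mykey, 31-Oct-2012, trustedCertEntry,"
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), (?P<date>[^,]+), (?P<type>\w+),$")
# "Certificate fingerprint (SHA1): 9E:4E:..."; the value may wrap onto the next line
FP_RE = re.compile(r"^Certificate fingerprint \((?P<alg>[\w-]+)\):\s*(?P<fp>[0-9A-Fa-f:]+)?$")
# Debug-log lines (assumed Java 8 format)
TRUSTSTORE_RE = re.compile(r"^trustStore is:\s*(?P<path>\S.*)$")
SUBJECT_RE = re.compile(r"^\s*Subject:\s*(?P<dn>.+)$")


def parse_keytool_list(text: str) -> List[TrustEntry]:
    """One TrustEntry per alias in `keytool -list` output."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries: List[TrustEntry] = []
    i = 0
    while i < len(lines):
        m = ENTRY_RE.match(lines[i])
        if m:
            entry = TrustEntry(m["alias"], m["type"])
            j = i + 1
            while j < len(lines) and not lines[j]:      # skip blank lines
                j += 1
            fm = FP_RE.match(lines[j]) if j < len(lines) else None
            if fm:
                fp = fm["fp"]
                if not fp and j + 1 < len(lines):       # fingerprint wrapped to next line
                    j += 1
                    fp = lines[j]
                entry.fingerprint = fp
                i = j
            entries.append(entry)
        i += 1
    return entries


def parse_trust_debug(log: str) -> Tuple[Optional[str], List[str]]:
    """(truststore path the JVM loaded, subject DNs it registered as trusted)."""
    path: Optional[str] = None
    subjects: List[str] = []
    expect_subject = False
    for line in log.splitlines():
        m = TRUSTSTORE_RE.match(line)
        if m:
            path = m["path"].strip()
        elif line.startswith("adding as trusted cert:"):
            expect_subject = True       # next "Subject:" line belongs to this cert
        elif expect_subject:
            s = SUBJECT_RE.match(line)
            if s:
                subjects.append(s["dn"].strip())
                expect_subject = False
    return path, subjects


def _norm_dn(dn: str) -> str:
    """Make 'CN=a, O=b' and 'CN=a,O=b' compare equal (simple RDN split, no escapes)."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def issuer_is_trusted(trusted_subjects: List[str], issuer_dn: str) -> bool:
    """True if the LDAP server certificate's issuer is one of the trusted subjects."""
    wanted = _norm_dn(issuer_dn)
    return any(_norm_dn(s) == wanted for s in trusted_subjects)


def diagnose(expected_truststore: str, listing: str, log: str, server_issuer_dn: str) -> List[str]:
    """Combine the checks; an empty list means the truststore is in use and holds the issuer."""
    findings: List[str] = []
    if not parse_keytool_list(listing):
        findings.append("keytool listed no entries: the truststore file is empty or was not read")
    loaded, subjects = parse_trust_debug(log)
    if loaded is None:
        findings.append("no 'trustStore is:' line in the log: truststore initialisation not logged")
    elif loaded != expected_truststore:
        findings.append(f"JVM loaded {loaded}, not {expected_truststore}: the custom truststore is not in effect")
    if not issuer_is_trusted(subjects, server_issuer_dn):
        findings.append(f"issuer {server_issuer_dn} is not among the {len(subjects)} trusted subjects: PKIX path building will fail")
    return findings


# Constructed sample inputs: the listing mirrors the one quoted above; the log and DNs are made up.
SAMPLE_KEYTOOL_LIST = """\
Your keystore contains 1 entry

mykey, 31-Oct-2012, trustedCertEntry,
Certificate fingerprint (SHA1): 9E:4E:B2:F2:91:42:D5:5F:17:E0:82:D8:0C:9B:04:A2:91:63:4B:E9
"""
SAMPLE_DEBUG_LOG = """\
trustStore is: /opt/example/truststore.jks
trustStore type is : jks
init truststore
adding as trusted cert:
  Subject: CN=Example Root CA, O=Example, C=FR
  Issuer:  CN=Example Root CA, O=Example, C=FR
  Valid from Mon Jan 01 00:00:00 UTC 2018 until Sat Jan 01 00:00:00 UTC 2028

adding as trusted cert:
  Subject: CN=Example Issuing CA, O=Example, C=FR
  Issuer:  CN=Example Root CA, O=Example, C=FR
  Valid from Mon Jan 01 00:00:00 UTC 2018 until Sat Jan 01 00:00:00 UTC 2028
"""
```

Run `diagnose(expected_path, keytool_output, server_log, issuer_dn)` with the issuer DN taken from `keytool -printcert` on the server certificate; a "JVM loaded ... not ..." finding is the case where the file is fine but the server is still reading a different truststore, which matches the "no error at startup but still ignored" symptom described in the thread.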




On 31/10/18 11:07, Mathieu Poussin wrote:
> Hello Meissa.
>
> So far I could not find a way to do it, the project is now in standby, if we can't get it to work we will probably check for another solution, unfortunately.
>
> Thanks.
> Mathieu
>
>
>   ---- On Wed, 31 Oct 2018 11:05:44 +0100 Meissa M'baye Sakho <msakho at redhat.com> wrote ----
>   > Hello Mathieu,
>   > did you manage to make it work? If yes, could you tell me how?
>   > Meissa
>   > On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin <me at mpouss.in> wrote:
>   >  Hello Marek.
>   >
>   >  I've done that already but looks like it is completely ignored.
>   >  I have my custom truststore that has all my CA certificates (2), but I'm still seeing the same issue. (SPI is enabled on the LDAPS settings in the admin console)
>   >  Is there a way to make sure it has been loaded correctly? (I don't see any error when the application starts but it's not working as expected)
>   >
>   >  Thanks.
>   >  Mathieu
>   >
>   >
>   >   ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda at redhat.com> wrote ----
>   >   > You can configure the Truststore SPI, which is mentioned in our docs
>   >   > here:
>   >   > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
>   >   >
>   >   > Some additional notes around LDAP are here:
>   >   > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
>   >   >
>   >   > Marek
>   >   >
>   >   >
>   >   > On 01/10/18 13:27, Mathieu Poussin wrote:
>   >   > > Hello.
>   >   > >
>   >   > > What would be the recommended way to add custom CA certificates? The documentation has a lot of different ways and so far none of them worked:
>   >   > >
>   >   > > - The X509_CA_BUNDLE env variable thing (it's running in a container): I can see the certificates in the JKS store but looks like they are completely ignored by the app server.
>   >   > > - Added custom SPI to load a custom JKS store, same, no error at server start but they are completely ignored by the app server.
>   >   > >
>   >   > > This is the error I am getting :
>   >   > >
>   >   > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>   >   > >          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>   >   > >          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>   >   > >          at sun.security.validator.Validator.validate(Validator.java:262)
>   >   > >          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>   >   > >          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>   >   > >          at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>   >   > >          at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>   >   > >          ... 99 more
>   >   > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>   >   > >          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>   >   > >          at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>   >   > >          at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>   >   > >          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>   >   > >          ... 105 more
>   >   > >
>   >   > >
>   >   > > Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort but well so far nothing else worked), would there be a way to do that?
>   >   > > Connecting over LDAP is not an option as this prevents some features from working, like password reset.
>   >   > >
>   >   > > Thanks.
>   >   > >
>   >   > >
>   >   > > _______________________________________________
>   >   > > keycloak-user mailing list
>   >   > > keycloak-user at lists.jboss.org
>   >   > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>   >   >
>   >   >
>   >   >
>   >
>   >
>   >
>
>


