[keycloak-user] Add CA certificates for LDAPS ?

Mathieu Poussin me at mpouss.in
Wed Oct 31 10:31:22 EDT 2018


Hello Jan.

Thank you for your message.
In my case this is not deployed over OpenShift, but on a single host through Docker, we use our own docker image on top of the official one to add our own theme and .keystore.

I confirm that the certificates are in our custom keystore (checked with keytool -list); this is what we do in our Dockerfile:

FROM jboss/keycloak:4.5.0.Final

ADD themes/xxx /opt/jboss/keycloak/themes/xxx
ADD certs/xxx.keystore /opt/jboss/keycloak/standalone/configuration/xxx.keystore
ADD configuration/standalone.xml /opt/jboss/keycloak/standalone/configuration/standalone.xml

And the SPI we are adding in the standalone.xml :

            <spi name="truststore">
              <provider name="file" enabled="true">
                <properties>
                  <property name="file" value="/opt/jboss/keycloak/standalone/configuration/xxx.keystore" />
                  <property name="password" value="xxx" />
                  <property name="hostname-verification-policy" value="WILDCARD"/>
                  <property name="disabled" value="false"/>
                </properties>
              </provider>
            </spi>

But no luck so far.

 ---- On Wed, 31 Oct 2018 11:29:07 +0100 Jan Lieskovsky <jlieskov at redhat.com> wrote ---- 
 > Hey Mathieu, Meissa,
 >   (just quickly to double-check,) what's the template name you have deployed RH-SSO for OpenShift image from? (assuming this is issue on OpenShift)
 > If the "sso72-x509-https" one (or some of the *-x509-* based ones) was used to deploy the RH-SSO server pod, this won't work. The reason is that the *-x509-* ones are configured in a way that auto-generates the RH-SSO truststore (use the defaults, so that the user does not need to supply one). Even if a custom truststore / cert is supplied, the default one will be used. AFAICT this isn't configurable (since it wasn't intended to be).
 > If you want the custom cert / truststore to be actually honoured, you need to deploy the RH-SSO pod from some other (some of the passthrough TLS based templates, not the x509 re-encrypt TLS ones).
 > 
 > I will file JIRAs to:
 > - Mention this *-x509-* template deficiency in the templates,
 > - RFE to get the *-x509-* ones to honour custom certificates, if supplied.
 > 
 > HTH & Sorry for the inconvenience
 > Thank you && Regards, Jan
 > --
 > Jan iankko Lieskovsky / Keycloak / RH-SSO Team
 > 
 > 
 > 
 > On Wed, Oct 31, 2018 at 11:17 AM Mathieu Poussin <me at mpouss.in> wrote:
 >  Hello Meissa.
 >  
 >  So far I could not find a way to do it, the project is now in standby, if we can't get it to work we will probably check for another solution, unfortunately.
 >  
 >  Thanks.
 >  Mathieu
 >  
 >  
 >   ---- On Wed, 31 Oct 2018 11:05:44 +0100 Meissa M'baye Sakho <msakho at redhat.com> wrote ---- 
 >   > Hello Mathieu,
 >   > did you manage to make it work? If yes, could you tell me how?
 >   > Meissa
 >   > Le mar. 2 oct. 2018 à 10:01, Mathieu Poussin <me at mpouss.in> a écrit :
 >   >  Hello Marek.
 >   >  
 >   >  I've done that already but looks like it is completely ignored.
 >   >  I have my custom truststore that has all my CA certificates (2), but I'm still seeing the same issue. (SPI is enabled in the LDAPS settings in the admin console)
 >   >  Is there a way to make sure it has been loaded correctly? (I don't see any error when the application starts but it's not working as expected)
 >   >  
 >   >  Thanks.
 >   >  Mathieu
 >   >  
 >   >  
 >   >   ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda at redhat.com> wrote ---- 
 >   >   > You can configure the Truststore SPI, which is mentioned in our docs  
 >   >   > here:  
 >   >   > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore 
 >   >   >  
 >   >   > Some additional notes around LDAP are here:  
 >   >   > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl 
 >   >   >  
 >   >   > Marek 
 >   >   >  
 >   >   >  
 >   >   > On 01/10/18 13:27, Mathieu Poussin wrote: 
 >   >   > > Hello. 
 >   >   > > 
 >   >   > > What would be the recommended way to add custom CA certificates? The documentation has a lot of different ways and so far none of them worked: 
 >   >   > > 
 >   >   > > - The X509_CA_BUNDLE env variable thing (it's running in a container); I can see the certificates in the JKS store but it looks like they are completely ignored by the app server. 
 >   >   > > - Added a custom SPI to load a custom JKS store; same thing, no error at server start but they are completely ignored by the app server. 
 >   >   > > 
 >   >   > > This is the error I am getting : 
 >   >   > > 
 >   >   > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
 >   >   > >          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) 
 >   >   > >          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) 
 >   >   > >          at sun.security.validator.Validator.validate(Validator.java:262) 
 >   >   > >          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) 
 >   >   > >          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) 
 >   >   > >          at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) 
 >   >   > >          at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) 
 >   >   > >          ... 99 more 
 >   >   > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
 >   >   > >          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) 
 >   >   > >          at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) 
 >   >   > >          at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) 
 >   >   > >          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) 
 >   >   > >          ... 105 more 
 >   >   > > 
 >   >   > > 
 >   >   > > Another option would be to disable certificate verification on LDAPS as it's a trusted environment (a last resort, but so far nothing else has worked); would there be a way to do that? 
 >   >   > > Connecting over plain LDAP is not an option, as this prevents some features from working, like password reset. 
 >   >   > > 
 >   >   > > Thanks. 
 >   >   > > 
 >   >   > > 
 >   >   > > _______________________________________________ 
 >   >   > > keycloak-user mailing list 
 >   >   > > keycloak-user at lists.jboss.org 
 >   >   > > https://lists.jboss.org/mailman/listinfo/keycloak-user 
 >   >   >  
 >   >   >  
 >   >   > 
 >   >  
 >   >  
 >   >  
 >  
 >  
 >  
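Added example, not code from this thread or from Keycloak: a stand-alone Java program that answers Mathieu's question "Is there a way to make sure it has been loaded correctly?" without going through Keycloak at all. It loads the same JKS file with the same password that the truststore SPI is given, lists the trusted certificate entries, then performs a TLS handshake to the LDAPS host using only that keystore as trust material (the same JSSE path validation that produced the PKIX error above, with hostname verification switched on the way Keycloak's WILDCARD policy implies). If this program fails with the same "unable to find valid certification path" message, the keystore content is the problem (typically the issuing intermediate CA is neither in the keystore nor sent by the LDAP server), not the Keycloak SPI wiring; if it succeeds, the keystore is fine and the search narrows to the Keycloak configuration. The keystore type "JKS", the command-line arguments and the class name are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Usage (assumed, example only):
 *   java LdapsTrustCheck /opt/jboss/keycloak/standalone/configuration/xxx.keystore 'xxx' ldap.example.org 636
 *
 * Step 1 prints what the keystore really contains (only certificate entries
 * count as trust anchors; key entries are ignored by a TrustManager).
 * Step 2 reproduces the JSSE validation Keycloak's LDAP provider performs,
 * but with nothing else in the trust set, so the result is unambiguous.
 */
public class LdapsTrustCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: LdapsTrustCheck <keystore> <password> <host> <port>");
            System.exit(2);
        }
        String keystorePath = args[0];
        char[] password = args[1].toCharArray();
        String host = args[2];
        int port = Integer.parseInt(args[3]);

        // Assumption: the file is a JKS keystore (keytool's default in Java 8).
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }

        // Step 1: list the trust anchors. basicConstraints >= 0 means the
        // certificate carries a CA flag; a leaf certificate here is a common mistake.
        int anchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) {
                continue;
            }
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            anchors++;
            System.out.printf("trusted[%s] subject=%s isCA=%b notAfter=%s%n",
                    alias, c.getSubjectX500Principal(),
                    c.getBasicConstraints() >= 0, c.getNotAfter());
        }
        if (anchors == 0) {
            System.out.println("FAIL: keystore has no certificate entries, nothing can be trusted");
            System.exit(1);
        }

        // Step 2: build an SSLContext that trusts ONLY this keystore and handshake.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Enable RFC 6125 hostname verification (wildcards allowed), an
            // approximation of Keycloak's hostname-verification-policy=WILDCARD.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake();

            // Print the chain the server actually sent; the last issuer must
            // be (or chain to) one of the anchors printed in step 1.
            Certificate[] chain = socket.getSession().getPeerCertificates();
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.printf("server sent: subject=%s issuer=%s%n",
                        x.getSubjectX500Principal(), x.getIssuerX500Principal());
            }
            System.out.println("OK: LDAPS handshake verified against " + keystorePath);
        } catch (SSLHandshakeException e) {
            // Same "PKIX path building failed" as in the thread => fix the keystore,
            // e.g. import the missing intermediate with keytool -importcert.
            System.out.println("FAIL: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it inside the same container image (docker exec) so it uses the same JVM and the same file path the SPI is configured with; a keystore that passes here but still fails in Keycloak points at the SPI configuration or at the LDAP provider's "Use Truststore SPI" setting rather than at the certificates.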
