[keycloak-user] How to configure Mutual SSL between Keycloak and Postgresql

hugh shangguan hcsgzh at gmail.com
Tue Sep 4 16:32:21 EDT 2018


Hi there,

I am interested in getting Keycloak to work with SSL client certs for JDBC connections
to PostgreSQL. I hope someone can give me some help.

First of all, I should mention that my client cert authentication is
working fine with psql in both 1-way and 2-way (mutual SSL)
authentication. So I am satisfied with the certs and keys, because I can use
psql to connect the keycloak server and the postgresql server via mutual SSL. There
are two servers: one is the keycloak server, the other is the postgresql server.

postgresql.crt
postgresql.key / postgresql.pk8
root.crt

Those files are located in ${user.home}/.postgresql/ on my postgresql server.

On my PostgreSQL server, if I configure it like this (one-way SSL):
hostssl    all      all       0.0.0.0/0    md5

It is fine. My keycloak server connects to my postgresql server very
well.

However, when I configure it like this (mutual SSL):
hostssl    all      all       0.0.0.0/0    md5   clientcert=1

The connection fails. The log is below.
    Caused by: java.lang.RuntimeException: Failed to connect to database
    Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
    Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
    Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
    Caused by: org.postgresql.util.PSQLException: FATAL: connection requires a valid client certificate"}}


*"connection requires a valid client certificate".*

I don't know how to configure the client certificate in
keycloak (standalone.xml). At the same time, I can still use 'psql' to connect
via mutual SSL to my postgresql server from my keycloak server.

Questions:
1. Does keycloak support mutual SSL authentication when I try to connect
keycloak to postgresql with 2-way authentication? (I guess so, because this is
about security. This should be JDBC's problem, but I am not sure. I also
tried the instructions from the PostgreSQL JDBC Driver doc,
https://jdbc.postgresql.org/documentation/head/ssl-client.html. It still
doesn't work.)

2. How do I configure Keycloak to connect to postgresql via mutual SSL?


Thank you for your time!

Cheers!
-- 
Hugh
Zhaohui Shangguan
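As an added example (not part of the original post, and not configuration shipped by the Keycloak project), here is how the client certificate is usually wired into the Keycloak datasource in standalone.xml. The server-side `clientcert=1` in pg_hba.conf makes PostgreSQL demand a certificate chained to its `ssl_ca_file`; the client side has to be told where that certificate and key live, and with pgjdbc that is done through connection properties on the datasource rather than anything Keycloak-specific. The property names (`sslmode`, `sslrootcert`, `sslcert`, `sslkey`) are real pgjdbc parameters; the hostname `db.example.internal`, the directory `/opt/keycloak/tls/`, the database name and user are assumptions for illustration. Two points worth checking against the symptoms in the post: pgjdbc's default socket factory wants the private key as PKCS#8 DER (the `.pk8` file), not the PEM `.key` that psql uses, and when no paths are given the driver looks in `${user.home}/.postgresql/` of the user running the Keycloak JVM on the Keycloak host, not on the database host.

```xml
<!-- Added example, not the original post's configuration. -->
<!--
  Server side (pg_hba.conf on the PostgreSQL host): keep password auth but
  require a client certificate signed by the CA in ssl_ca_file:
      hostssl  all  all  0.0.0.0/0  md5  clientcert=1
  Using "cert" instead of "md5" would additionally require the cert CN to
  match the database user.

  Client side: pgjdbc needs the key in PKCS#8 DER. Convert the PEM key once
  (assumed paths):
      openssl pkcs8 -topk8 -inform PEM -outform DER \
          -in postgresql.key -out postgresql.pk8 -nocrypt
  The .pk8 file must be readable only by the OS user that runs WildFly/Keycloak.
-->
<subsystem xmlns="urn:jboss:domain:datasources:5.0">
    <datasources>
        <datasource jndi-name="java:jboss/datasources/KeycloakDS"
                    pool-name="KeycloakDS" enabled="true" use-java-context="true">
            <!-- Assumed hostname/database; must match the SAN/CN in the server cert
                 because sslmode=verify-full checks it. -->
            <connection-url>jdbc:postgresql://db.example.internal:5432/keycloak</connection-url>
            <driver>postgresql</driver>

            <!-- Verify the server certificate against our CA and check the hostname. -->
            <connection-property name="sslmode">verify-full</connection-property>
            <connection-property name="sslrootcert">/opt/keycloak/tls/root.crt</connection-property>

            <!-- Present our client certificate; this is what clientcert=1 asks for.
                 Paths are assumptions; without them pgjdbc falls back to
                 ${user.home}/.postgresql/postgresql.crt and postgresql.pk8
                 on the Keycloak host. -->
            <connection-property name="sslcert">/opt/keycloak/tls/postgresql.crt</connection-property>
            <connection-property name="sslkey">/opt/keycloak/tls/postgresql.pk8</connection-property>

            <security>
                <user-name>keycloak</user-name>
                <password>change-me</password>
            </security>
            <validation>
                <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
                <background-validation>true</background-validation>
                <background-validation-millis>60000</background-validation-millis>
            </validation>
        </datasource>
        <drivers>
            <driver name="postgresql" module="org.postgresql">
                <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
            </driver>
        </drivers>
    </datasources>
</subsystem>
```

The same properties can be appended to the connection URL instead (`jdbc:postgresql://db.example.internal:5432/keycloak?sslmode=verify-full&sslrootcert=...&sslcert=...&sslkey=...`), but separate `connection-property` elements keep the URL readable and avoid XML escaping of `&`. If the server log still reports "connection requires a valid client certificate" after this, the usual causes are the key not being PKCS#8 DER, the files not being readable by the WildFly service user, or the client certificate not chaining to the CA PostgreSQL has in `ssl_ca_file`.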

