[keycloak-user] jboss-cli SSL access to keycloak Management interface usage, in Elytron 2-way SSL config, failing: "problem accessing trust store: DerInputStream.getLength(): lengthTag=78, too big" ?
Pedro Igor Silva
psilva at redhat.com
Fri Sep 6 16:16:05 EDT 2019
Hi,
Seems to be related to the trust store format. I would suggest you take
a look here [1], especially the "CLI Configuration" section, so that you
configure the CLI properly instead of using system props for specifying both
key and trust stores.
[1]
https://docs.jboss.org/author/display/WFLY/SSL+with+Client+Cert+Migration
On Fri, Sep 6, 2019 at 4:11 PM PGNet Dev <pgnet.dev at gmail.com> wrote:
> I'm setting up a new install of keycloak 7.0.0 for 2-way TLS
>
> Starting with a working http controller
>
> /opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser
> --password=mgmtpass \
> --controller=remote+http://10.0.0.1:9990 \
> version
> JBoss Admin Command-line Interface
> JBOSS_HOME: /opt/keycloak
> Release: 9.0.2.Final
> Product: Keycloak 7.0.0
> JAVA_HOME: /usr/lib64/jvm/java-11-openjdk
> java.version: 11.0.4
> java.vm.vendor: Oracle Corporation
> java.vm.version: 11.0.4+11-suse-lp151.131.1-x8664
> os.name: Linux
> os.version: 5.2.11-26.gd6e8aab-default
>
> I configure JCEKS key-stores, and enable https for admin user access,
>
>
> /subsystem=elytron/key-store=twoWayKS:add(path=/etc/keycloak/keystore.server.jceks,credential-reference={store=master-cs,
> alias=ks-pass},type=jceks)
>
> /subsystem=elytron/key-store=twoWayTS:add(path=/etc/keycloak/truststore.server.jceks,credential-reference={store=master-cs,
> alias=ks-pass},type=jceks)
>
> /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,credential-reference={store=master-cs,
> alias=ks-pass})
> /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS)
>
> /subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)
> batch
>
> /subsystem=undertow/server=default-server/http-listener=default:remove()
>
> /subsystem=undertow/server=default-server/https-listener=https:remove()
>
> /subsystem=undertow/server=default-server/https-listener=default:add(socket-binding=https,ssl-context=twoWaySSC,enable-http2=true)
> run-batch
>
> At this point,
>
> egrep "http-listener|https-listener"
> /usr/local/etc/keycloak/*/*/standalone.xml
> <https-listener name="default" socket-binding="https"
> ssl-context="twoWaySSC" enable-http2="true"/>
>
> and I can verify admin UI via http in browser has been disabled,
>
> http://10.0.0.1:8080/auth/admin
> "Unable to connect"
>
> and https is enabled,
>
> https://10.0.0.1:8443/auth/admin
> LOGIN is OK
>
> I still have http:// mgmt controller access at cmd-line
>
> /opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser
> --password=mgmtpass \
> --controller=remote+http://10.0.0.1:9990 \
> version
> JBoss Admin Command-line Interface
> JBOSS_HOME: /opt/keycloak
> Release: 9.0.2.Final
> Product: Keycloak 7.0.0
> JAVA_HOME: /usr/lib64/jvm/java-11-openjdk
> java.version: 11.0.4
> java.vm.vendor: Oracle Corporation
> java.vm.version: 11.0.4+11-suse-lp151.131.1-x8664
> os.name: Linux
> os.version: 5.2.11-26.gd6e8aab-default
>
> Setup 2way SSL for the Management interface,
>
> batch
>
> /core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
>
> /core-service=management/management-interface=http-interface:write-attribute(name=ssl-context,
> value=twoWaySSC)
>
> /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding,
> value=management-https)
>
> /subsystem=elytron/client-ssl-context=twoWayCSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM)
> run-batch
>
> and verify *management* UI https in browser,
>
> http://10.0.0.1:9990
> REDIRECTS TO https://10.0.0.1:9993
>
> and
>
> https://10.0.0.1:9993
> LOGIN is OK
>
> works as expected.
>
> But, checking cmd-line https access,
>
> /opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser
> --password=mgmtpass \
> --controller=remote+https://10.0.0.1:9993 \
> -Djavax.net.ssl.trustStore=/etc/keycloak/truststore.client.jceks \
> -Djavax.net.ssl.keyStore=/etc/keycloak/keystore.client.jceks \
> -Djavax.net.ssl.trustStorePassword=keypass \
> -Djavax.net.ssl.keyStorePassword=keypass \
> version
>
> where,
>
> keytool -list -storetype jceks -storepass keypass -keystore
> ./keystore.client.jceks
> Keystore type: JCEKS
> Keystore provider: SunJCE
>
> Your keystore contains 1 entry
>
> client-keystore, Sep 6, 2019, PrivateKeyEntry,
> Certificate fingerprint (SHA-256): 1F:...:6F
>
> keytool -list -storetype jceks -storepass keypass -keystore
> ./truststore.client.jceks
> Keystore type: JCEKS
> Keystore provider: SunJCE
>
> Your keystore contains 1 entry
>
> client-keystore, Sep 6, 2019, trustedCertEntry,
> Certificate fingerprint (SHA-256): 1F:...:6F
>
> fails with
>
> Failed to connect to the controller: Failed to resolve host
> '10.0.0.1': Failed to obtain SSLContext: Error constructing implementation
> (algorithm: Default, provider: SunJSSE, class:
> sun.security.ssl.SSLContextImpl$DefaultSSLContext): problem accessing trust
> store: DerInputStream.getLength(): lengthTag=78, too big.
>
>
> What's in my config, or missing from it, that's causing this error?
>
>
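As an added diagnostic, not part of this thread or of WildFly/Keycloak itself: the script below classifies a keystore file by its leading magic bytes and replays the JDK's DER length check, which shows why a JCEKS file read through the default PKCS12 loader (what `javax.net.ssl.trustStore` uses on Java 9+ when `javax.net.ssl.trustStoreType` is unset) produces exactly "lengthTag=78, too big". The file headers are constructed samples, and the `diagnose` helper and its hint about `trustStoreType` are my own; the linked CLI configuration is still the cleaner fix.

```python
import struct
from typing import Optional

# Magic numbers used by the JDK keystore implementations (first 4 bytes of the file).
JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE
DER_SEQUENCE = 0x30  # a PKCS#12 file is a DER-encoded SEQUENCE (PFX)


def keystore_format(data: bytes) -> str:
    """Classify a keystore file by its leading bytes: JKS, JCEKS, PKCS12 or UNKNOWN."""
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    return "PKCS12" if data and data[0] == DER_SEQUENCE else "UNKNOWN"


def der_length_error(data: bytes) -> Optional[str]:
    """Replay what the JDK's DerInputStream.getLength() does with byte 1 of the file
    (the DER length octet after the first tag). A long-form length may carry at most
    4 length-of-length octets; anything larger raises the 'too big' IOException.
    For the JCEKS magic, byte 1 is 0xCE, and 0xCE & 0x7F == 78."""
    if len(data) < 2 or not (data[1] & 0x80):
        return None
    n = data[1] & 0x7F
    if n <= 4:  # 0 means indefinite length; 1..4 are accepted
        return None
    return f"DerInputStream.getLength(): lengthTag={n}, too big."


def diagnose(label: str, data: bytes, declared_type: Optional[str]) -> str:
    """Report how javax.net.ssl.trustStore would load this file. With no
    javax.net.ssl.trustStoreType, Java 9+ defaults to PKCS12 (JKS is still accepted
    through the JDK's keystore.type.compat setting); JCEKS gets no such fallback."""
    fmt = keystore_format(data)
    effective = (declared_type or "PKCS12").upper()
    compat = {"JKS", "PKCS12"}
    if fmt == effective or (fmt in compat and effective in compat):
        return f"{label}: {fmt} file loaded as {effective}: OK"
    err = (der_length_error(data) if effective == "PKCS12" else None) or "format mismatch"
    return (f"{label}: {fmt} file loaded as {effective}: FAIL ({err}); "
            f"pass -Djavax.net.ssl.trustStoreType={fmt} (and keyStoreType) or convert the store")


# Constructed file headers (no real key material); only the leading bytes matter here.
JCEKS_HEADER = bytes.fromhex("cececece00000002")   # JCEKS magic, version 2
JKS_HEADER = bytes.fromhex("feedfeed00000002")     # JKS magic, version 2
PKCS12_HEADER = bytes.fromhex("30820a6f020103")    # SEQUENCE (2-byte length), version 3

if __name__ == "__main__":
    print(diagnose("truststore.client.jceks", JCEKS_HEADER, None))
    print(diagnose("truststore.client.jceks", JCEKS_HEADER, "JCEKS"))
```

Point `keystore_format` at the real files (read the first few bytes) to confirm which format each store is before deciding between setting the store type explicitly and moving the client SSL configuration into the CLI's own config as the reply recommends.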