<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">That's possible. Could you please
      create a JIRA for this? <br>
      <br>
      Which LDAP server are you using btw? Not sure if it's related, but
      maybe yes...<br>
      <br>
      Thanks,<br>
      Marek<br>
      <br>
      On 18/02/16 17:04, Jason Axley wrote:<br>
    </div>
    <blockquote
      cite="mid:7237EFC8-93C7-400D-BAB7-545A5850F950@expedia.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div>
        <div>
          <div>I got the keystore working in the keycloak-server.json
            config to enable SMTP TLS connections to Amazon SES so I
            know that is being picked up:</div>
          <div><br>
          </div>
          <div>
            <p style="margin: 0px; font-size: 12px; font-family:
              Courier; color: rgb(255, 240, 165); background-color:
              rgb(19, 119, 62);">
              "truststore": {</p>
            <p style="margin: 0px; font-size: 12px; font-family:
              Courier; color: rgb(255, 240, 165); background-color:
              rgb(19, 119, 62);">
                    "file": {</p>
            <p style="margin: 0px; font-size: 12px; font-family:
              Courier; color: rgb(255, 240, 165); background-color:
              rgb(19, 119, 62);">
                        "file":
              "${jboss.server.config.dir}/keycloak.jks",</p>
            <p style="margin: 0px; font-size: 12px; font-family:
              Courier; color: rgb(255, 240, 165); background-color:
              rgb(19, 119, 62);">
                        "password": "password",</p>
            <p style="margin: 0px; font-size: 12px; font-family:
              Courier; color: rgb(255, 240, 165); background-color:
              rgb(19, 119, 62);">
              <span class="Apple-tab-span" style="white-space:pre"></span> 
              "hostname-verification-policy": "WILDCARD",</p>
            <p style="margin: 0px; font-size: 12px; font-family:
              Courier; color: rgb(255, 240, 165); background-color:
              rgb(19, 119, 62);">
              <span class="Apple-tab-span" style="white-space:pre"></span> 
              "disabled": false</p>
            <p style="margin: 0px; font-size: 12px; font-family:
              Courier; color: rgb(255, 240, 165); background-color:
              rgb(19, 119, 62);">
                    }</p>
            <p style="margin: 0px; font-size: 12px; font-family:
              Courier; color: rgb(255, 240, 165); background-color:
              rgb(19, 119, 62);">
                }</p>
          </div>
          <div>
          </div>
        </div>
      </div>
      <div><br>
      </div>
      <div>But this same configuration is not applied to the LDAP
        connections. I finally got it to work by adding the Java
        keystore arguments to the startup:</div>
      <div><br>
      </div>
      <div>
        <p style="margin: 0px; font-size: 12px; font-family: Courier;
          color: rgb(76, 47, 45); background-color: rgb(223, 219, 196);">
          nohup ../bin/standalone.sh
          -Djavax.net.ssl.trustStore=/opt/keycloak/keycloak-1.8.1.Final/standalone/configuration/keycloak.jks
          -Djavax.net.ssl.trustStorePassword=password</p>
      </div>
      <div><br>
      </div>
      <div>Would seem to be a bug to not apply the same keystore
        configuration to the LDAP connections?</div>
      <div><br>
      </div>
      <div>-Jason</div>
      <div><br>
      </div>
      <span id="OLK_SRC_BODY_SECTION">
        <div style="font-family:Calibri; font-size:12pt;
          text-align:left; color:black; BORDER-BOTTOM: medium none;
          BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
          0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
          BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
          <span style="font-weight:bold">From: </span>Marek Posolda
          &lt;<a moz-do-not-send="true"
            href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt;<br>
          <span style="font-weight:bold">Date: </span>Wednesday,
          February 17, 2016 at 11:10 PM<br>
          <span style="font-weight:bold">To: </span>Jason Axley &lt;<a
            moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jaxley@expedia.com">jaxley@expedia.com</a>&gt;,
          "<a moz-do-not-send="true"
            href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>"
          &lt;<a moz-do-not-send="true"
            href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
          <span style="font-weight:bold">Subject: </span>Re:
          [keycloak-user] LDAPS configuration fails "Test
          authentication"<br>
        </div>
        <div><br>
        </div>
        <div>
          <div bgcolor="#FFFFFF" text="#000000">
            <div class="moz-cite-prefix">On 17/02/16 22:46, Jason Axley
              wrote:<br>
            </div>
            <blockquote
              cite="mid:73069D77-A2F8-418C-BBC6-522938C1E4A2@expedia.com"
              type="cite">
              <div style="color: rgb(0, 0, 0); font-family: Calibri,
                sans-serif; font-size: 14px;">
                I followed some documentation like <a
                  moz-do-not-send="true" class="moz-txt-link-freetext"
                  href="https://developer.jboss.org/wiki/LDAPSecurityRealmExamples">https://developer.jboss.org/wiki/LDAPSecurityRealmExamples</a> for
                configuring JBOSS to use LDAP over SSL to Active
                Directory but can’t seem to get Keycloak to honor the
                trust settings in the configured keystore.</div>
              <div style="color: rgb(0, 0, 0); font-family: Calibri,
                sans-serif; font-size: 14px;">
                <br>
              </div>
              <div style="color: rgb(0, 0, 0); font-family: Calibri,
                sans-serif; font-size: 14px;">
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  2016-02-17 21:33:49,670 ERROR
                  [org.keycloak.services.managers.LDAPConnectionTestManager]
                  (default task-2) Error when authenticating to LDAP:
                  simple bind failed: server.example.com:636:
                  javax.naming.CommunicationException: simple bind
                  failed: server.example.com:636 [Root exception is
                  javax.net.ssl.SSLHandshakeException:
                  sun.security.validator.ValidatorException: PKIX path
                  building failed:
                  sun.security.provider.certpath.SunCertPathBuilderException:
                  unable to find valid certification path to requested
                  target]</p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                          at
                  com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)</p>
              </div>
              <div style="color: rgb(0, 0, 0); font-family: Calibri,
                sans-serif; font-size: 14px;">
                <br>
              </div>
              <div style="color: rgb(0, 0, 0); font-family: Calibri,
                sans-serif; font-size: 14px;">
                This is the configuration I’m using for the standalone
                server:</div>
              <div style="color: rgb(0, 0, 0); font-family: Calibri,
                sans-serif; font-size: 14px;">
                <br>
              </div>
              <div>
                <p style="color: rgb(1, 163, 175); font-family: Courier;
                  font-size: 12px; margin: 0px; background-color:
                  rgb(223, 219, 196);">
                  <span style="font-variant-ligatures:
                    no-common-ligatures; color: #4c2f2d">           </span>&lt;security-realm
                  <span style="font-variant-ligatures:
                    no-common-ligatures; color: #00a500">
                    name</span><span style="font-variant-ligatures:
                    no-common-ligatures; color: #4c2f2d">=</span><span
                    style="font-variant-ligatures: no-common-ligatures;
                    color: #b12512">"LdapSSLRealm"</span>&gt;</p>
                <p style="color: rgb(1, 163, 175); font-family: Courier;
                  font-size: 12px; margin: 0px; background-color:
                  rgb(223, 219, 196);">
                  <span style="font-variant-ligatures:
                    no-common-ligatures; color: #4c2f2d">              
                  </span>&lt;authentication&gt;</p>
                <p style="color: rgb(177, 37, 18); font-family: Courier;
                  font-size: 12px; margin: 0px; background-color:
                  rgb(223, 219, 196);">
                  <span style="font-variant-ligatures:
                    no-common-ligatures; color: #4c2f2d">               
                  </span><span style="font-variant-ligatures:
                    no-common-ligatures; color: #01a3af">&lt;truststore
                  </span><span style="font-variant-ligatures:
                    no-common-ligatures; color: #00a500">path</span><span
                    style="font-variant-ligatures: no-common-ligatures;
                    color: #4c2f2d">=</span>"keycloak.jks"<span
                    style="font-variant-ligatures: no-common-ligatures;
                    color: #01a3af"></span><span
                    style="font-variant-ligatures: no-common-ligatures;
                    color: #00a500">relative-to</span><span
                    style="font-variant-ligatures: no-common-ligatures;
                    color: #4c2f2d">=</span>"jboss.server.config.dir"<span
                    style="font-variant-ligatures: no-common-ligatures;
                    color: #01a3af"></span><span
                    style="font-variant-ligatures: no-common-ligatures;
                    color: #00a500">keystore-password</span><span
                    style="font-variant-ligatures: no-common-ligatures;
                    color: #4c2f2d">=</span>"password"<span
                    style="font-variant-ligatures: no-common-ligatures;
                    color: #01a3af"> /&gt;</span></p>
                <p style="color: rgb(1, 163, 175); font-family: Courier;
                  font-size: 12px; margin: 0px; background-color:
                  rgb(223, 219, 196);">
                  <span style="font-variant-ligatures:
                    no-common-ligatures; color: #4c2f2d">              
                  </span>&lt;/authentication&gt;</p>
                <p style="color: rgb(1, 163, 175); font-family: Courier;
                  font-size: 12px; margin: 0px; background-color:
                  rgb(223, 219, 196);">
                  <span style="font-variant-ligatures:
                    no-common-ligatures; color: #4c2f2d">           
                  </span>&lt;/security-realm&gt;</p>
                <p style="color: rgb(1, 163, 175); font-family: Courier;
                  font-size: 12px; margin: 0px; background-color:
                  rgb(223, 219, 196);">
                  <span style="font-variant-ligatures:
                    no-common-ligatures; color: #4c2f2d">       
                  </span>&lt;/security-realms&gt;</p>
                <p style="color: rgb(1, 163, 175); font-family: Courier;
                  font-size: 12px; margin: 0px; background-color:
                  rgb(223, 219, 196);">
                  <span style="font-variant-ligatures:
                    no-common-ligatures; color: #4c2f2d">       
                  </span>&lt;outbound-connections&gt;</p>
                <p style="margin: 0px; background-color: rgb(223, 219,
                  196);"><span style="color: rgb(76, 47, 45);
                    font-family: Courier; font-size: 12px;">            </span><span
                    style="color: rgb(1, 163, 175); font-family:
                    Courier; font-size: 12px;">&lt;ldap
                  </span><span style="color: rgb(0, 165, 0);
                    font-family: Courier; font-size: 12px;">name</span><span
                    style="color: rgb(76, 47, 45); font-family: Courier;
                    font-size: 12px;">=</span><font face="Courier"
                    color="#b12512"><span style="font-size: 12px;">"AD"</span></font><span
                    style="color: rgb(1, 163, 175); font-family:
                    Courier; font-size: 12px;"></span><span
                    style="color: rgb(0, 165, 0); font-family: Courier;
                    font-size: 12px;">url</span><span style="color:
                    rgb(76, 47, 45); font-family: Courier; font-size:
                    12px;">=</span><span style="color: rgb(177, 37, 18);
                    font-family: Courier; font-size: 12px;"><a
                      moz-do-not-send="true"
                      class="moz-txt-link-rfc2396E"
                      href="ldaps://server.example.com:636">"ldaps://server.example.com:636"</a></span><span
                    style="color: rgb(1, 163, 175); font-family:
                    Courier; font-size: 12px;"></span><span
                    style="color: rgb(0, 165, 0); font-family: Courier;
                    font-size: 12px;">security-realm</span><span
                    style="color: rgb(76, 47, 45); font-family: Courier;
                    font-size: 12px;">=</span><span style="color:
                    rgb(177, 37, 18); font-family: Courier; font-size:
                    12px;">"LdapSSLRealm"</span><span style="color:
                    rgb(1, 163, 175); font-family: Courier; font-size:
                    12px;"> /&gt;</span></p>
                <p style="color: rgb(1, 163, 175); font-family: Courier;
                  font-size: 12px; margin: 0px; background-color:
                  rgb(223, 219, 196);">
                  <span style="font-variant-ligatures:
                    no-common-ligatures; color: #4c2f2d">       
                  </span>&lt;/outbound-connections&gt;</p>
              </div>
              <div style="color: rgb(0, 0, 0); font-family: Calibri,
                sans-serif; font-size: 14px;">
                <br>
              </div>
              <div style="color: rgb(0, 0, 0); font-family: Calibri,
                sans-serif; font-size: 14px;">
                I have all of the certs in the chain imported into the
                keystore:</div>
              <div style="color: rgb(0, 0, 0); font-family: Calibri,
                sans-serif; font-size: 14px;">
                <br>
              </div>
              <div style="color: rgb(0, 0, 0); font-family: Calibri,
                sans-serif; font-size: 14px;">
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  keytool -list -keystore ../configuration/keycloak.jks </p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  Enter keystore password:  </p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196); min-height: 14px;">
                  <br>
                </p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  Keystore type: JKS</p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  Keystore provider: SUN</p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196); min-height: 14px;">
                  <br>
                </p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  Your keystore contains 5 entries</p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196); min-height: 14px;">
                  <br>
                </p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  cert1, Feb 17, 2016, trustedCertEntry, </p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  Certificate fingerprint (SHA1):
                  D5:BA:F5:07:21:7D:71:AA:F6:9B:53:41:C1:05:0C:48:A9:3F:57:CE</p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  rootcert2, Feb 17, 2016, trustedCertEntry, </p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  Certificate fingerprint (SHA1):
                  86:70:AB:0A:96:58:4D:73:C0:D5:13:A8:4D:B3:1D:EC:08:D7:7B:1A</p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  mykey, Feb 12, 2016, trustedCertEntry, </p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  Certificate fingerprint (SHA1):
                  20:8C:D9:BD:B7:75:12:53:F8:68:04:82:48:5C:D7:70:F5:6C:28:15</p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  rootcert, Feb 17, 2016, trustedCertEntry, </p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  Certificate fingerprint (SHA1):
                  36:28:1E:74:E0:A9:6E:0F:53:99:75:DA:62:20:24:D4:F6:34:CD:BD</p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  intermediateu, Feb 17, 2016, trustedCertEntry, </p>
                <p style="margin: 0px; font-size: 12px; font-family:
                  Courier; color: rgb(76, 47, 45); background-color:
                  rgb(223, 219, 196);">
                  Certificate fingerprint (SHA1):
                  E9:66:EE:CF:79:6A:C1:D0:13:18:59:9C:B4:29:08:54:DF:91:27:2D</p>
              </div>
              <div style="color: rgb(0, 0, 0); font-family: Calibri,
                sans-serif; font-size: 14px;">
                <br>
              </div>
              <div style="color: rgb(0, 0, 0); font-family: Calibri,
                sans-serif; font-size: 14px;">
                Is there a way to find out if Keycloak/jboss is picking
                up this truststore config?  Seems that it’s not.  Any
                other ideas?</div>
            </blockquote>
            Yes, it seems that it's not picking it up. AFAIK we don't
            support retrieving the truststore from the WildFly configuration
            of security-realm in standalone.xml. Maybe we should...<br>
            <br>
            At this moment, what should work to configure the truststore is
            either:<br>
            - Configure the truststore SPI in keycloak-server.json. See <a
              moz-do-not-send="true" class="moz-txt-link-freetext"
              href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e231">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e231</a><br>
            - add the system properties <code class="literal">javax.net.ssl.trustStore</code>
            and <code class="literal">javax.net.ssl.trustStorePassword</code><br>
            <br>
            Marek<br>
            <blockquote
              cite="mid:73069D77-A2F8-418C-BBC6-522938C1E4A2@expedia.com"
              type="cite">
              <div style="color: rgb(0, 0, 0); font-family: Calibri,
                sans-serif; font-size: 14px;">
                <div id="">
                  <div style="font-size: 14px;">
                    <div>-Jason</div>
                  </div>
                  <div>
                    <p class="MsoNormal" style="font-size: 11pt; margin:
                      0in 0in 0.0001pt;">
                      <span style="font-size: 8pt; color: rgb(31, 73,
                        125);"></span></p>
                  </div>
                </div>
              </div>
              <br>
              <fieldset class="mimeAttachmentHeader"></fieldset>
              <br>
              <pre wrap="">_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
            </blockquote>
            <br>
          </div>
        </div>
      </span>
    </blockquote>
    <br>
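    <p>Added example (not part of this thread, and not Keycloak's or WildFly's own code): the thread's root cause is that the JDK LDAP provider opens LDAPS sockets through <code>SSLSocketFactory.getDefault()</code>, which only honours the JVM-wide <code>javax.net.ssl.trustStore*</code> properties, so an application-level truststore such as the one in keycloak-server.json never reaches the LDAP bind unless it is wired in through the JNDI property <code>java.naming.ldap.factory.socket</code>. The standalone program below does exactly that wiring, so you can test a "simple bind" against the same <code>keycloak.jks</code> and tell a keystore problem (PKIX path building failed) apart from a server that is not applying the keystore. The class name <code>LdapsTrustCheck</code>, the nested factory class and the environment variables <code>TRUSTSTORE_PATH</code>, <code>TRUSTSTORE_PW</code>, <code>LDAP_BIND_DN</code> and <code>LDAP_BIND_PW</code> are this example's own inventions; the JNDI property and context-factory names are the JDK's.</p>

```java
// LdapsTrustCheck.java (added example): bind to an LDAPS URL trusting only the
// certificates in one JKS file, independent of the JVM-wide
// javax.net.ssl.trustStore* properties.  Class, method and environment-variable
// names are this example's own; the JNDI property names are the JDK's.
//
//   export TRUSTSTORE_PATH=/path/to/keycloak.jks TRUSTSTORE_PW=...  # JKS from keycloak-server.json
//   export LDAP_BIND_DN='CN=svc,...' LDAP_BIND_PW=...             # omit both for an anonymous bind
//   javac LdapsTrustCheck.java && java LdapsTrustCheck ldaps://server.example.com:636
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class LdapsTrustCheck {

    /** SSL socket factory whose trust anchors come only from $TRUSTSTORE_PATH. */
    public static class JksTrustSocketFactory extends SSLSocketFactory {
        private static SSLSocketFactory delegate;

        // JNDI instantiates the factory by class name and calls this static method,
        // so the truststore location has to reach it out-of-band (here: environment).
        public static synchronized SocketFactory getDefault() {
            if (delegate == null) {
                try {
                    KeyStore ks = KeyStore.getInstance("JKS");
                    try (FileInputStream in = new FileInputStream(System.getenv("TRUSTSTORE_PATH"))) {
                        ks.load(in, System.getenv("TRUSTSTORE_PW").toCharArray());
                    }
                    TrustManagerFactory tmf =
                        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                    tmf.init(ks);                       // trust ONLY the entries in this JKS
                    SSLContext ctx = SSLContext.getInstance("TLS");
                    ctx.init(null, tmf.getTrustManagers(), null);
                    delegate = ctx.getSocketFactory();
                } catch (Exception e) {
                    throw new IllegalStateException("cannot load truststore from $TRUSTSTORE_PATH", e);
                }
            }
            return new JksTrustSocketFactory();
        }

        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
        @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose)
                throws IOException { return delegate.createSocket(s, host, port, autoClose); }
        @Override public Socket createSocket(String host, int port)
                throws IOException { return delegate.createSocket(host, port); }
        @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
                throws IOException { return delegate.createSocket(host, port, localHost, localPort); }
        @Override public Socket createSocket(InetAddress host, int port)
                throws IOException { return delegate.createSocket(host, port); }
        @Override public Socket createSocket(InetAddress host, int port, InetAddress localHost, int localPort)
                throws IOException { return delegate.createSocket(host, port, localHost, localPort); }
    }

    public static void main(String[] args) {
        if (args.length != 1 || !args[0].startsWith("ldaps://")) {
            System.err.println("usage: java LdapsTrustCheck ldaps://host:636");
            System.exit(2);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, args[0]);
        String bindDn = System.getenv("LDAP_BIND_DN");
        String bindPw = System.getenv("LDAP_BIND_PW");
        if (bindDn != null) {
            // Refuse an empty password: many directories treat "DN + empty password"
            // as an unauthenticated bind that "succeeds" without proving anything.
            if (bindPw == null || bindPw.isEmpty()) {
                System.err.println("LDAP_BIND_DN is set but LDAP_BIND_PW is empty; refusing to bind");
                System.exit(2);
            }
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, bindDn);
            env.put(Context.SECURITY_CREDENTIALS, bindPw);
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "none");
        }
        // Without this property the JDK LDAP provider uses SSLSocketFactory.getDefault(),
        // i.e. whatever -Djavax.net.ssl.trustStore (or the JDK cacerts) says; an
        // application-level truststore only reaches LDAPS through a factory like the one above.
        env.put("java.naming.ldap.factory.socket", JksTrustSocketFactory.class.getName());

        try {
            new InitialDirContext(env).close();
            System.out.println("OK: LDAPS bind to " + args[0] + " trusted by " + System.getenv("TRUSTSTORE_PATH"));
        } catch (NamingException e) {
            // Walk to the root cause: "PKIX path building failed ... unable to find
            // valid certification path" means the JKS does not anchor the server's chain.
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause();
            System.out.println("FAILED: " + e.getMessage());
            System.out.println("root cause: " + root.getClass().getName() + ": " + root.getMessage());
            System.exit(1);
        }
    }
}
```

    <p>If this program binds successfully with the same JKS and password that keycloak-server.json names, the keystore and chain are fine and the failure in the "Test authentication" log is the server not applying that truststore to its LDAP connections; if it fails with the same PKIX root cause, the chain imported into the JKS does not actually anchor the certificate the LDAP server presents (for example a re-issued server certificate or a different intermediate). Either way the check runs with only the explicitly listed trust anchors, so it does not silently pass because of the JDK's default <code>cacerts</code>.</p>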
  </body>
</html>