<div dir="ltr"><div>If the truststore provider is configured and enabled, SSLSocketFactory will use our custom truststore. If the truststore provider is not configured, it will use the Java default SSLSocketFactory.</div><div><br></div><div><a href="https://github.com/keycloak/keycloak/blob/1.9.0.CR1/services/src/main/java/org/keycloak/truststore/SSLSocketFactory.java#L49">https://github.com/keycloak/keycloak/blob/1.9.0.CR1/services/src/main/java/org/keycloak/truststore/SSLSocketFactory.java#L49</a><br></div><div><br></div><div>So without configuring the truststore provider in keycloak-server.json, -Djavax.net.ssl.trustStore will be honored.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 19, 2016 at 1:12 PM, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><span class="">
    <div>On 19/02/16 09:42, Marko Strukelj
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">I was thinking of something like truststore use being
        &#39;on&#39; by default. Then checking the URL: if it starts with <a>ldaps://</a>,
        it means the truststore SSLSocketFactory should be set. 
        <div><br>
        </div>
        <div>But not sure if that&#39;s really correct - maybe there are
          some other LDAP providers that are activated by some other url
          scheme, not &#39;ldap:&#39; / &#39;ldaps:&#39;. </div>
        <div>The switch you suggest could then be there so that
          truststore use can be turned off if someone wants to delegate
          it to default java implementation. <br>
        </div>
      </div>
    </blockquote></span>
    If it&#39;s on by default, will it work with the default Java
    implementation and with the &quot;javax.net.ssl.trustStore&quot; property? I am
    thinking about backwards compatibility. If someone used an older
    Keycloak version and set his truststore for LDAP by the system
    property &quot;<code>javax.net.ssl.trustStore</code>&quot;,
    then after the Keycloak upgrade things won&#39;t work for him (unless
    he edits keycloak-server.json and configures the truststore SPI). Is that a
    correct assumption?<br>
    <br>
    Then maybe it should be &quot;on&quot; by default, but LDAP providers migrated
    from the previous version will still have it off? Or we can just put a
    note in the migration guide.<span class="HOEnZb"><font color="#888888"><br>
    <br>
    <br>
    Marek</font></span><div><div class="h5"><br>
    <br>
    <blockquote type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Feb 19, 2016 at 8:48 AM, Marek
          Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"><span>
                <div>On 18/02/16 22:40, Marko Strukelj wrote:<br>
                </div>
                <blockquote type="cite">
                  <pre>I saw it set during my manual LDAP connectivity tests, that&#39;s why I
added this &quot;ssl&quot;.equals(protocol) check.

But maybe it would be more appropriate to solve truststore activation
in some other way?</pre>
                </blockquote>
              </span> Yeah. I am thinking about something simple like
              just adding an on/off flag &quot;Use Truststore SPI&quot; to the LDAP
              provider configuration. When on, it will use the snippet
              you added to set
              &quot;org.keycloak.connections.truststore.SSLSocketFactory&quot;. <br>
              <br>
              That property &quot;securityProtocol&quot; is just a leftover from
              Picketlink, which was never used in practice. Even
              Picketlink didn&#39;t use it AFAIR. It&#39;s fine to be removed.<span><font color="#888888"><br>
                  <br>
                  Marek</font></span>
              <div>
                <div><span style="color:#008000;font-weight:bold"><br>
                  </span>
                  <blockquote type="cite">
                    <pre>On Thu, Feb 18, 2016 at 10:17 PM, Marek Posolda <a href="mailto:mposolda@redhat.com" target="_blank">&lt;mposolda@redhat.com&gt;</a> wrote:
</pre>
                    <blockquote type="cite">
                      <pre>Ah, but we don&#39;t set securityProtocol anywhere in the LDAP provider admin
console ATM, so it can&#39;t work now. I will take a look for 1.9 and retest
with Active Directory. Thanks Marko for pointing this out.

Marek


On 18/02/16 19:12, Marko Strukelj wrote:
</pre>
                      <blockquote type="cite">
                        <pre>LDAP store needs to have configuration property &#39;securityProtocol&#39; set
to &#39;ssl&#39; for truststore to be used.

See:
<a href="https://github.com/keycloak/keycloak/blob/1.9.0.CR1/federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/store/ldap/LDAPOperationManager.java#L488" target="_blank">https://github.com/keycloak/keycloak/blob/1.9.0.CR1/federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/store/ldap/LDAPOperationManager.java#L488</a>



On Thu, Feb 18, 2016 at 5:20 PM, Jason Axley <a href="mailto:jaxley@expedia.com" target="_blank">&lt;jaxley@expedia.com&gt;</a> wrote:
</pre>
                        <blockquote type="cite">
                          <pre>Will do.

This is Active Directory.

-Jason

From: Marek Posolda <a href="mailto:mposolda@redhat.com" target="_blank">&lt;mposolda@redhat.com&gt;</a>
Date: Thursday, February 18, 2016 at 8:15 AM

To: Jason Axley <a href="mailto:jaxley@expedia.com" target="_blank">&lt;jaxley@expedia.com&gt;</a>, <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">&quot;keycloak-user@lists.jboss.org&quot;</a>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">&lt;keycloak-user@lists.jboss.org&gt;</a>
Subject: Re: [keycloak-user] LDAPS configuration fails &quot;Test
authentication&quot;

That&#39;s possible. Could you please create JIRA for this?

Which LDAP server are you using btw? Not sure if it&#39;s related, but maybe
yes...

Thanks,
Marek

On 18/02/16 17:04, Jason Axley wrote:

I got the keystore working in the keycloak-server.json config to enable SMTP
TLS connections to Amazon SES so I know that is being picked up:

&quot;truststore&quot;: {
    &quot;file&quot;: {
        &quot;file&quot;: &quot;${jboss.server.config.dir}/keycloak.jks&quot;,
        &quot;password&quot;: &quot;password&quot;,
        &quot;hostname-verification-policy&quot;: &quot;WILDCARD&quot;,
        &quot;disabled&quot;: false
    }
}


But, this same configuration is not applied to the LDAP connections.  I
finally got it to work by adding the Java keystore arguments to the
startup:

nohup ../bin/standalone.sh \
    -Djavax.net.ssl.trustStore=/opt/keycloak/keycloak-1.8.1.Final/standalone/configuration/keycloak.jks \
    -Djavax.net.ssl.trustStorePassword=password


Would seem to be a bug to not apply the same keystore configuration to
the
LDAP connections?

-Jason

From: Marek Posolda <a href="mailto:mposolda@redhat.com" target="_blank">&lt;mposolda@redhat.com&gt;</a>
Date: Wednesday, February 17, 2016 at 11:10 PM
To: Jason Axley <a href="mailto:jaxley@expedia.com" target="_blank">&lt;jaxley@expedia.com&gt;</a>, <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">&quot;keycloak-user@lists.jboss.org&quot;</a>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">&lt;keycloak-user@lists.jboss.org&gt;</a>
Subject: Re: [keycloak-user] LDAPS configuration fails &quot;Test
authentication&quot;

On 17/02/16 22:46, Jason Axley wrote:

I followed some documentation like
<a href="https://developer.jboss.org/wiki/LDAPSecurityRealmExamples" target="_blank">https://developer.jboss.org/wiki/LDAPSecurityRealmExamples</a> for
configuring
JBOSS to use LDAP over SSL to Active Directory but can’t seem to get
Keycloak to honor the trust settings in the configured keystore.

2016-02-17 21:33:49,670 ERROR [org.keycloak.services.managers.LDAPConnectionTestManager] (default task-2) Error when authenticating to LDAP: simple bind failed: server.example.com:636: javax.naming.CommunicationException: simple bind failed: server.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)


This is the configuration I’m using for the standalone server:

    &lt;security-realm name=&quot;LdapSSLRealm&quot;&gt;
        &lt;authentication&gt;
            &lt;truststore path=&quot;keycloak.jks&quot; relative-to=&quot;jboss.server.config.dir&quot; keystore-password=&quot;password&quot; /&gt;
        &lt;/authentication&gt;
    &lt;/security-realm&gt;
&lt;/security-realms&gt;

&lt;outbound-connections&gt;
    &lt;ldap name=&quot;AD&quot; url=&quot;ldaps://server.example.com:636&quot; security-realm=&quot;LdapSSLRealm&quot; /&gt;
&lt;/outbound-connections&gt;


I have all of the certs in the chain imported into the keystore:

keytool -list -keystore ../configuration/keycloak.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 5 entries

cert1, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): D5:BA:F5:07:21:7D:71:AA:F6:9B:53:41:C1:05:0C:48:A9:3F:57:CE
rootcert2, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 86:70:AB:0A:96:58:4D:73:C0:D5:13:A8:4D:B3:1D:EC:08:D7:7B:1A
mykey, Feb 12, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 20:8C:D9:BD:B7:75:12:53:F8:68:04:82:48:5C:D7:70:F5:6C:28:15
rootcert, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 36:28:1E:74:E0:A9:6E:0F:53:99:75:DA:62:20:24:D4:F6:34:CD:BD
intermediateu, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): E9:66:EE:CF:79:6A:C1:D0:13:18:59:9C:B4:29:08:54:DF:91:27:2D


Is there a way to find out if Keycloak/jboss is picking up this
truststore
config?  Seems that it’s not.  Any other ideas?

Yes, it seems that it&#39;s not picking it up. AFAIK we don&#39;t support retrieving the
truststore from the WildFly security-realm configuration in
standalone.xml. Maybe we should...

At this moment, what should work to configure truststore is either:
- Configure truststore SPI in keycloak-server.json. See

<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e231" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e231</a>
- add system properties javax.net.ssl.trustStore and
javax.net.ssl.trustStorePassword

Marek

-Jason



_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a>




</pre>
                        </blockquote>
                      </blockquote>
                    </blockquote>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
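The selection behaviour described at the top of the thread (a custom truststore when a truststore provider is configured, the JDK default otherwise) together with the ldaps:// check discussed below it, as an added Java illustration. This is not Keycloak's own org.keycloak.truststore.SSLSocketFactory; the class name TruststoreSocketFactory, the property names example.truststore.file and example.truststore.password, and the server, bind DN and password in main are assumptions made for this example. The only real contract relied on is JNDI's java.naming.ldap.factory.socket environment property, which requires the named class to expose a public static getDefault() method.

```java
// Added illustration, not Keycloak's code: a JNDI-pluggable SSLSocketFactory
// that uses a custom truststore when one is configured and otherwise falls
// back to the JDK default (which honours -Djavax.net.ssl.trustStore).
import javax.naming.Context;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Hashtable;

public class TruststoreSocketFactory extends SSLSocketFactory {

    // Hypothetical property names, assumed for this example only.
    static final String FILE_PROP = "example.truststore.file";
    static final String PASSWORD_PROP = "example.truststore.password";

    private final SSLSocketFactory delegate;

    private TruststoreSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    // JNDI looks up a public static getDefault() on the class named in
    // java.naming.ldap.factory.socket; this is where the selection happens.
    public static SSLSocketFactory getDefault() {
        String file = System.getProperty(FILE_PROP);
        if (file == null || file.isEmpty()) {
            // Not configured: JDK default trust, so javax.net.ssl.trustStore still applies.
            return new TruststoreSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault());
        }
        try {
            return new TruststoreSocketFactory(fromTruststore(file, System.getProperty(PASSWORD_PROP, "")));
        } catch (IOException | GeneralSecurityException e) {
            // Fail closed: a misconfigured truststore must not silently become "trust everything".
            throw new IllegalStateException("cannot load truststore " + file, e);
        }
    }

    // Builds an SSLSocketFactory whose trust anchors come solely from the given JKS file.
    static SSLSocketFactory fromTruststore(String path, String password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Delegation of the abstract SSLSocketFactory / SocketFactory methods.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return delegate.createSocket(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return delegate.createSocket(s, host, port, autoClose);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return delegate.createSocket(host, port, localHost, localPort);
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return delegate.createSocket(address, port, localAddress, localPort);
    }

    // Wires the factory into a JNDI LDAP environment; only ldaps:// URLs get it,
    // mirroring the URL-scheme check discussed in the thread.
    static Hashtable<String, String> ldapEnv(String url, String bindDn, String bindPassword) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        if (url.startsWith("ldaps://")) {
            env.put("java.naming.ldap.factory.socket", TruststoreSocketFactory.class.getName());
        }
        return env;
    }

    public static void main(String[] args) {
        // Constructed values for illustration; no connection is opened here.
        Hashtable<String, String> env = ldapEnv("ldaps://ldap.example.test:636",
                "cn=reader,dc=example,dc=test", "secret");
        String file = System.getProperty(FILE_PROP);
        System.out.println("socket factory property: " + env.get("java.naming.ldap.factory.socket"));
        System.out.println("trust source: " + (file == null ? "JDK default" : file));
    }
}
```

Passing the resulting Hashtable to new InitialDirContext(env) makes JNDI instantiate the factory through getDefault() for the TLS handshake. Loading failures are turned into an exception rather than a fallback on purpose: for a truststore-based check, an unreadable or wrong-password store should stop the bind, not quietly widen what is trusted.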