Hi Sebastian,
That's correct. I can see that the truststore is created correctly with
my CA certificates.
I now need to configure the Outgoing HTTPS Request Truststore [3] with the
created truststore and the password.
The problem is that I can't set the password. I've checked
x509-truststore.cli [1] and see that it's picked from the
$keycloak_tls_truststore_password variable,
which is created by your x509.sh script [2].
I've tried to use the same syntax in my CLI below, but it fails because
$keycloak_tls_truststore_password is not known to my CLI.
So Sebastian, do you know how I can get the truststore password?
Is it possible to set it as an environment variable on the docker image?
[1]=
https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/serve...
[2]=
https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/serve...
[3]=
https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
Thanks,
Meissa
On Wed, Oct 31, 2018 at 09:08, Sebastian Laskawiec <slaskawi(a)redhat.com>
wrote:
Hey Meissa,
The warning you see does no harm. As you can see here [1], the message is
being thrown without stopping the script.
Pulling JDK CAs has been implemented somewhat ahead of time. I asked the
Cloud Enablement (and also other Red Hat teams) to put Kubernetes and
OpenShift CAs into JDK lib directory. This way Keycloak will trust the
OpenShift cluster out of the box. The warning you see clearly indicates
that this feature hasn't been implemented yet.
So the bottom line - please ignore this error. I'm pretty sure it will
disappear in the future (and if not, I'll just remove or disable this
feature).
Thanks,
Sebastian
[1]
https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5...
On Wed, Oct 31, 2018 at 8:59 AM Meissa M'baye Sakho <msakho(a)redhat.com>
wrote:
> Hi Sebastian,
> Do you have any advice on this issue? It's related to the x509.sh script
> and I would really appreciate any input/help here.
> Meissa
> ---------- Forwarded message ---------
> From: Meissa M'baye Sakho <msakho(a)redhat.com>
> Date: Tue, Oct 30, 2018 at 17:12
> Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment
> variable
> To: keycloak-user <keycloak-user(a)lists.jboss.org>
>
>
> Hello everyone,
> I'm using the jboss/keycloak:4.5.0.Final docker image.
> I'm trying to set up mutual TLS by using the X509_CA_BUNDLE environment
> variable, as explained in the jboss/keycloak docker image documentation.
> I've mounted a volume to the image pointing to the cert file and defined
> the env variable.
> I'm running the image with the following command:
>
> docker run -d --name opengie -e KEYCLOAK_USER=meissa -e KEYCLOAK_PASSWORD=meissa \
>   -e PROXY_ADDRESS_FORWARDING=true \
>   -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \
>   -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \
>   -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \
>   -e JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \
>   -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \
>   jboss/keycloak:4.5.0.Final
>
>
> When the container starts, I've checked that the cert has been correctly
> mounted to the expected folder /var/run/secrets.
> But I see in the log that the certificate import fails (extract below):
>
> Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
> HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
> Creating Keycloak truststore..
> Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
> Importing certificates from system's Java CA certificate bundle into Keycloak truststore..
> Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!
> Setting JGroups discovery to dns.DNS_PING with properties {dns_query=>bdf-opengie-test.paas.eclair.local}
>
> I've checked the script that handles the TLS import [1], but I'm not
> able to guess why the import is failing.
>
> The following extract is the part of the script that is used by the image
> to import the cert.
>
> # Import existing system CA certificates into the newly generated truststore
> local SYSTEM_CACERTS=$(readlink -e "$(dirname "$(readlink -e "$(which keytool)")")/../lib/security/cacerts")
> if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
>   echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.."
>   keytool -importkeystore -noprompt \
>     -srckeystore "${SYSTEM_CACERTS}" \
>     -destkeystore "${JKS_TRUSTSTORE_PATH}" \
>     -srcstoretype jks -deststoretype jks \
>     -storepass "${PASSWORD}" -srcstorepass "changeit" > /dev/null 2>&1
>   # keytool exits 0 on success, so the success branch is the -eq 0 one
>   if [ "$?" -eq "0" ]; then
>     echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
>   else
>     echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!"
>   fi
> fi
>
> Any advice?
>
> [1]=
>
https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5...
>
> Meissa
>
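The two points raised in this thread, getting the truststore password into the container from outside rather than from a variable that only exists inside x509.sh, and reporting keytool's exit status the right way round, are shown together in the following added example. It is not the x509.sh or x509-truststore.cli shipped in the jboss/keycloak image. The environment variable name KEYCLOAK_TLS_TRUSTSTORE_PASSWORD, the paths, the alias prefix and the assumption that the keycloak-server subsystem resolves the WildFly expression ${env.NAME} in provider properties are choices made for this example; the PEM bundle at the end is constructed and contains placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example, not the image's x509.sh / x509-truststore.cli.
# Assumptions: the env var name KEYCLOAK_TLS_TRUSTSTORE_PASSWORD, the
# truststore path and the "ca-bundle-N" alias prefix.

TRUSTSTORE_PATH="${TRUSTSTORE_PATH:-/opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks}"

# require_password: refuse to run with an empty password (which would leave
# the store protected by "") or one keytool rejects (fewer than 6 characters).
require_password() {
  if [ -z "${KEYCLOAK_TLS_TRUSTSTORE_PASSWORD}" ]; then
    echo "KEYCLOAK_TLS_TRUSTSTORE_PASSWORD is not set" >&2
    return 1
  fi
  if [ "${#KEYCLOAK_TLS_TRUSTSTORE_PASSWORD}" -lt 6 ]; then
    echo "KEYCLOAK_TLS_TRUSTSTORE_PASSWORD must be at least 6 characters" >&2
    return 1
  fi
}

# split_bundle BUNDLE OUTDIR: write each certificate of a PEM bundle to its
# own file (keytool -importcert takes one certificate per file) and print
# how many were written.
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }
  ' "$1"
}

# run_checked DESCRIPTION CMD...: run CMD and report success only when it
# exits 0. (The snippet quoted in the thread tests "$?" with -ne, so it
# prints the opposite of what happened.)
run_checked() {
  desc="$1"; shift
  if "$@" >/dev/null 2>&1; then
    echo "$desc: ok"
    return 0
  fi
  echo "$desc: FAILED" >&2
  return 1
}

# import_bundle BUNDLE: split the bundle and import every certificate under
# its own alias. keytool's -storepass:env form reads the password from the
# named environment variable, so it never appears on the command line
# (visible in `ps`) or in the container log.
import_bundle() {
  require_password || return 1
  dir=$(mktemp -d)
  count=$(split_bundle "$1" "$dir")
  [ "$count" -gt 0 ] || { echo "no certificates found in $1" >&2; return 1; }
  i=1
  while [ "$i" -le "$count" ]; do
    run_checked "import ca-$i" keytool -importcert -noprompt -trustcacerts \
      -alias "ca-bundle-$i" -file "$dir/ca-$i.pem" \
      -keystore "$TRUSTSTORE_PATH" \
      -storepass:env KEYCLOAK_TLS_TRUSTSTORE_PASSWORD || return 1
    i=$((i + 1))
  done
}

# render_cli TRUSTSTORE: emit jboss-cli commands for the keycloak-server
# truststore SPI. The password is written as the WildFly expression
# ${env.KEYCLOAK_TLS_TRUSTSTORE_PASSWORD} (assumed to be resolved at boot),
# so the .cli file itself never contains the secret.
render_cli() {
  cat <<EOF
embed-server --server-config=standalone-ha.xml --std-out=echo
/subsystem=keycloak-server/spi=truststore:add
/subsystem=keycloak-server/spi=truststore/provider=file:add(enabled=true,properties={file=>"$1",password=>"\${env.KEYCLOAK_TLS_TRUSTSTORE_PASSWORD}",hostname-verification-policy=>"WILDCARD",disabled=>"false"})
stop-embedded-server
EOF
}

# sample_bundle FILE: constructed two-certificate PEM bundle with placeholder
# bodies (not real certificates), used to exercise split_bundle offline.
sample_bundle() {
  cat > "$1" <<EOF
-----BEGIN CERTIFICATE-----
MIIBsampleRootCAplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsampleIntermediateCAplaceholder
-----END CERTIFICATE-----
EOF
}
```

With this layout the secret is supplied once, with `docker run -e KEYCLOAK_TLS_TRUSTSTORE_PASSWORD=...`, and both keytool (via `-storepass:env`) and the generated CLI (via `${env....}`) read it from the environment; nothing in the image filesystem or the process list carries it. `import_bundle` is the only function that needs keytool; the splitter, the status check and the CLI renderer run anywhere.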