Hi there,
I was interested in Keycloak's work on SSL client certs for JDBC to connect
to PostgreSQL. I hope someone can give me some help.
First of all, I should mention that my client cert authentication is
working fine with psql in both 1-way and 2-way (mutual) SSL
authentication. So I am satisfied with the certs and keys, because I can use
psql to connect the Keycloak server and the PostgreSQL server via mutual SSL.
There are two servers: one is the Keycloak server, the other is the PostgreSQL
server.
postgresql.crt
postgresql.key / postgresql.pk8
root.crt
Those files are located in ${user.home}/.postgresql/ on my PostgreSQL server.
On my PostgreSQL server, if I configure it like this (one-way SSL):
hostssl all all 0.0.0.0/0 md5
it is fine. My Keycloak server connects to my PostgreSQL server very
well.
However, when I configure it like this (mutual SSL):
hostssl all all 0.0.0.0/0 md5 clientcert=1
the connection fails. The log is below.
Caused by: java.lang.RuntimeException: Failed to connect to database
Caused by: java.sql.SQLException: javax.resource.ResourceException:
IJ000453: Unable to get managed connection for
java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ000453: Unable to get
managed connection for java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ031084: Unable to create
connection
Caused by: org.postgresql.util.PSQLException: FATAL: connection
requires a valid client certificate"}}
*"connection requires a valid client certificate".*
I don't know how to configure the client certificate in
Keycloak (standalone.xml). In the meantime, I can still use 'psql' to connect
via mutual SSL to my PostgreSQL server from my Keycloak server.
Questions:
1. Does Keycloak support mutual SSL authentication when I try to connect
Keycloak to PostgreSQL with 2-way authentication? (I guess so, because this is
about security. This should be JDBC's problem, but I am not sure. I also
tried the instructions from the PostgreSQL JDBC Driver doc,
https://jdbc.postgresql.org/documentation/head/ssl-client.html. It still
doesn't work.)
2. How do I configure Keycloak to connect via mutual SSL between Keycloak and
PostgreSQL?
Thank you for your time!
Cheers!
--
Hugh
Zhaohui Shangguan
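For the second question, here is an added example of what an explicit client-certificate setup for the KeycloakDS datasource could look like in standalone.xml; it is example configuration written for this page, not from the original mail, Keycloak or pgjdbc. It uses pgjdbc's sslmode, sslcert, sslkey and sslrootcert connection properties and gives explicit paths, because the driver's built-in defaults are read from ${user.home}/.postgresql/ of the user running the JVM, which is not necessarily the user psql was tested with. Hostname, database, user and file paths are placeholders; the .pk8 key must be PKCS#8 DER, as in the file list above.

```xml
<!-- Added example for the <datasources> subsystem in standalone.xml
     (placeholder values, not a configuration taken from the original mail). -->
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS"
            enabled="true" use-java-context="true">
    <!-- The hostname must match the server certificate when sslmode=verify-full -->
    <connection-url>jdbc:postgresql://db.example.invalid:5432/keycloak</connection-url>

    <!-- Require TLS and verify the server certificate against our CA -->
    <connection-property name="sslmode">verify-full</connection-property>
    <connection-property name="sslrootcert">/opt/keycloak/tls/root.crt</connection-property>

    <!-- Client certificate and key presented to satisfy clientcert=1.
         The key must be the PKCS#8 DER file (postgresql.pk8), not the PEM
         postgresql.key that psql uses. -->
    <connection-property name="sslcert">/opt/keycloak/tls/postgresql.crt</connection-property>
    <connection-property name="sslkey">/opt/keycloak/tls/postgresql.pk8</connection-property>
    <!-- Only needed if the .pk8 file is encrypted -->
    <!-- <connection-property name="sslpassword">change-me</connection-property> -->

    <driver>postgresql</driver>

    <!-- pg_hba.conf still says md5, so the password is required in addition
         to the client certificate -->
    <security>
        <user-name>keycloak</user-name>
        <password>change-me</password>
    </security>
</datasource>
```

The certificate and key files must be readable by the OS user that runs the Keycloak JVM, which is the account whose ${user.home} the driver would otherwise search.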