I followed some documentation like
https://developer.jboss.org/wiki/LDAPSecurityRealmExamples for
configuring JBOSS to use LDAP over SSL to Active Directory but can’t
seem to get Keycloak to honor the trust settings in the configured
keystore.
2016-02-17 21:33:49,670 ERROR
[org.keycloak.services.managers.LDAPConnectionTestManager] (default
task-2) Error when authenticating to LDAP: simple bind failed:
server.example.com:636: javax.naming.CommunicationException: simple
bind failed: server.example.com:636 [Root exception is
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
This is the configuration I’m using for the standalone server:
<security-realm name="LdapSSLRealm">
    <authentication>
        <truststore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="password"/>
    </authentication>
</security-realm>
</security-realms>
<outbound-connections>
    <ldap name="AD" url="ldaps://server.example.com:636" security-realm="LdapSSLRealm"/>
</outbound-connections>
I have all of the certs in the chain imported into the keystore:
keytool -list -keystore ../configuration/keycloak.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 5 entries
cert1, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1):
D5:BA:F5:07:21:7D:71:AA:F6:9B:53:41:C1:05:0C:48:A9:3F:57:CE
rootcert2, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1):
86:70:AB:0A:96:58:4D:73:C0:D5:13:A8:4D:B3:1D:EC:08:D7:7B:1A
mykey, Feb 12, 2016, trustedCertEntry,
Certificate fingerprint (SHA1):
20:8C:D9:BD:B7:75:12:53:F8:68:04:82:48:5C:D7:70:F5:6C:28:15
rootcert, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1):
36:28:1E:74:E0:A9:6E:0F:53:99:75:DA:62:20:24:D4:F6:34:CD:BD
intermediateu, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1):
E9:66:EE:CF:79:6A:C1:D0:13:18:59:9C:B4:29:08:54:DF:91:27:2D
Is there a way to find out if Keycloak/jboss is picking up this
truststore config? Seems that it’s not. Any other ideas?
Yes, it seems that it's not picking it up. AFAIK we don't support retrieving the
truststore from the WildFly configuration of security-realm in
standalone.xml. Maybe we should...
At this moment, what should work to configure truststore is either:
- Configure truststore SPI in keycloak-server.json. See
- add system properties javax.net.ssl.trustStore and
javax.net.ssl.trustStorePassword
Marek
-Jason
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
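The thread leaves the original question ("is the server picking up this truststore?") answered only indirectly. The following is an added diagnostic, not code from the thread or from Keycloak/WildFly: it uses plain JSSE to make the same TLS handshake the JNDI LDAP client makes, first with a context built only from the given JKS file, then with the JVM-wide default context. The class name, command-line arguments and output format are my own choices; the host, port, keystore name and password are the ones from the thread.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/*
 * Hypothetical diagnostic (not part of Keycloak): does the JKS truststore
 * validate the LDAPS server's chain on its own, and does the JVM default
 * trust (the path JNDI's LDAP client takes) validate it as well?
 */
public class LdapsTrustCheck {

    // TLS handshake against host:port with the given context. Returns the
    // validated peer chain, or throws the same PKIX error Keycloak logged.
    static X509Certificate[] handshake(SSLContext ctx, String host, int port) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            // Also check that the certificate matches the host name, as an LDAPS client should.
            params.setEndpointIdentificationAlgorithm("LDAPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            Certificate[] chain = socket.getSession().getPeerCertificates();
            X509Certificate[] x509 = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) {
                x509[i] = (X509Certificate) chain[i];
            }
            return x509;
        }
    }

    // Build an SSLContext that trusts only the certificates in the given JKS file.
    static SSLContext contextFromJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        System.out.println("Trusted entries in " + path + ":");
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("  " + alias + " -> " + c.getSubjectX500Principal());
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Run one handshake and print either the validated chain or the failure reason.
    static void report(String label, SSLContext ctx, String host, int port) {
        try {
            X509Certificate[] chain = handshake(ctx, host, port);
            System.out.println(label + ": OK, server chain:");
            for (X509Certificate c : chain) {
                System.out.println("  " + c.getSubjectX500Principal()
                        + "  (issuer " + c.getIssuerX500Principal() + ")");
            }
        } catch (SSLHandshakeException e) {
            System.out.println(label + ": HANDSHAKE FAILED: " + e.getMessage());
        } catch (Exception e) {
            System.out.println(label + ": ERROR: " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java LdapsTrustCheck <host> <port> <truststore.jks> <password>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // 1. Explicit truststore: shows whether the JKS content itself is sufficient.
        report("explicit " + args[2], contextFromJks(args[2], args[3].toCharArray()), host, port);

        // 2. JVM default: what the JNDI LDAP client uses when no Keycloak truststore
        //    SPI is configured. Succeeds only if the JVM was started with
        //    -Djavax.net.ssl.trustStore=... and -Djavax.net.ssl.trustStorePassword=...
        report("jvm default", SSLContext.getDefault(), host, port);
    }
}
```

Run it once as `java LdapsTrustCheck server.example.com 636 keycloak.jks password` and once more with `-Djavax.net.ssl.trustStore=keycloak.jks -Djavax.net.ssl.trustStorePassword=password` added before the class name. If the explicit check passes but the JVM-default check fails in the first run and passes in the second, the keystore contents are fine and the only problem is the one Marek describes: the security-realm truststore is never handed to the LDAP client, so the system properties (or the Keycloak truststore SPI) are what make it trusted. If even the explicit check fails with a PKIX error, a certificate in the server's chain is still missing from the JKS; if it fails on host name verification instead, the certificate's subject or SAN does not match `server.example.com` and no truststore change will fix that.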