So the variable you're pointing out is local to the script. Having said
that, you have no access to it from the outside.
I think the proper solution would be to modify Keycloak codebase
(especially Keycloak subsystem) and integrate it with Elytron. Probably +Pedro
Igor Silva <psilva(a)redhat.com> would be the best person to ask about that.
As for the short-term solution, I guess introducing two optional
environment variables for storing Keystore and Truststore passwords would
be enough. If those variables were empty, we would generate a new password.
If not, we'd use them for generating JKS files.
Unfortunately adding this feature is not currently on our priority list.
Therefore, I highly encourage you to contribute it. If you plan to do so,
please remember to create a JIRA for it. I will be more than happy to
review the code once you have something ready.
Thanks,
Sebastian
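The short-term scheme sketched above (an optional environment variable holding the truststore password, with a random fallback when it is empty), written out as an added shell example. This is not code from the jboss/keycloak image or its x509.sh: the variable name KEYCLOAK_TLS_TRUSTSTORE_PASSWORD, the function names and the two-argument command line are assumptions. It splits the CA bundle before importing because `keytool -importcert` only reads the first certificate of a multi-certificate PEM file, and it branches on keytool's exit status directly with `if` (the extract quoted later in this thread tests `-ne "0"` after the importkeystore call, which prints the success message on failure and the failure message on success).

```shell
#!/usr/bin/env bash
# Added example (not from the jboss/keycloak image or its x509.sh).
# Resolves the truststore password from an optional environment variable,
# falling back to a random one, then builds a JKS truststore with keytool.
# KEYCLOAK_TLS_TRUSTSTORE_PASSWORD and all function names are assumptions.
set -eu

# Echo the caller-supplied password if non-empty, otherwise a fresh random
# one (32 bytes, base64: 44 characters, well above keytool's 6-char minimum).
resolve_store_password() {
  supplied="${1:-}"
  if [ -n "$supplied" ]; then
    printf '%s\n' "$supplied"
  elif command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32
  else
    head -c 32 /dev/urandom | base64 | tr -d '\n'
    echo
  fi
}

# Split a PEM bundle into one file per certificate under $2 and echo the
# count. Needed because `keytool -importcert` only reads the first
# certificate of a multi-certificate file.
split_pem_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
    n > 0 { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
    END { print n + 0 }
  ' "$bundle"
}

# Import every certificate of the bundle into the truststore as a trusted
# entry. Aborts (set -e) on the first keytool failure.
create_truststore() {
  truststore="$1"; password="$2"; bundle="$3"
  workdir=$(mktemp -d)
  split_pem_bundle "$bundle" "$workdir" >/dev/null
  i=0
  for f in "$workdir"/cert-*.pem; do
    i=$((i + 1))
    keytool -importcert -noprompt -trustcacerts -alias "ca-bundle-$i" \
      -file "$f" -keystore "$truststore" -storetype jks \
      -storepass "$password" >/dev/null
  done
  rm -rf "$workdir"
}

# Merge the JDK's own cacerts into the truststore. Returns keytool's exit
# status unchanged, so the caller branches on it with a plain `if`.
import_system_cacerts() {
  truststore="$1"; password="$2"
  cacerts="$(dirname "$(readlink -e "$(command -v keytool)")")/../lib/security/cacerts"
  keytool -importkeystore -noprompt \
    -srckeystore "$cacerts" -srcstoretype jks -srcstorepass changeit \
    -destkeystore "$truststore" -deststoretype jks -deststorepass "$password" \
    >/dev/null 2>&1
}

# Usage: script.sh <ca-bundle.pem> <truststore.jks>
# Supply the password with: docker run -e KEYCLOAK_TLS_TRUSTSTORE_PASSWORD=... ;
# leave it unset and a random one is generated.
main() {
  bundle="$1"; truststore="$2"
  password=$(resolve_store_password "${KEYCLOAK_TLS_TRUSTSTORE_PASSWORD:-}")
  create_truststore "$truststore" "$password" "$bundle"
  if import_system_cacerts "$truststore" "$password"; then
    echo "Imported JDK CA certificates into $truststore"
  else
    echo "Could not import JDK CA certificates into $truststore (continuing)" >&2
  fi
  # Exported (never echoed) so a later step in the same shell, e.g. the
  # jboss-cli run, sees the same value whether it was supplied or generated.
  export KEYCLOAK_TLS_TRUSTSTORE_PASSWORD="$password"
}

# Run the pipeline only when both paths are given; sourcing just defines the functions.
if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

Source the file from an entrypoint (rather than executing it) if the exported variable has to be visible to the CLI step that follows; otherwise the password stays local to the script, which is exactly the problem raised in this thread.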
On Tue, Nov 13, 2018 at 9:14 AM Meissa M'baye Sakho <msakho(a)redhat.com>
wrote:
Hello Sebastian,
Any advice?
I really need to access the truststore password initialized locally from the
x509.sh script (extract below).
local PASSWORD=$(openssl rand -base64 32 2>/dev/null)
local JKS_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.jks"
I'm stuck otherwise.
How can I get access to it?
Meissa
Le lun. 12 nov. 2018 à 10:24, Meissa M'baye Sakho <msakho(a)redhat.com> a
écrit :
> Hi Sebastian,
> That's correct. I can see that the truststore is created correctly
> with my CA certificates.
> I need now to configure the OutGoing HTTPS Request Truststore [3] with
> the created truststore and the password.
> The problem is that I can't set the password. I've checked into the
> x509-truststore.cli [1] and see that it's picked from the
> $keycloak_tls_truststore_password variable.
> and created from your x509.sh script [2]
> I've tried to use the same syntax in my cli below but it fails because
> the $keycloak_tls_truststore_password is not known to my cli.
> So Sebastian, do you know how I can get the truststore password?
> Is it possible to set it as an environment variable to the docker image?
>
>
> [1]=
>
https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/serve...
> [2]=
>
https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/serve...
> [3]=
>
https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...
> Thanks,
> Meissa
>
>
> Le mer. 31 oct. 2018 à 09:08, Sebastian Laskawiec <slaskawi(a)redhat.com>
> a écrit :
>
>> Hey Meissa,
>>
>> The warning you see does no harm. As you can see here [1], the message
>> is being thrown without stopping the script.
>>
>> Pulling JDK CAs has been implemented somewhat ahead of time. I asked the
>> Cloud Enablement (and also other Red Hat teams) to put Kubernetes and
>> OpenShift CAs into JDK lib directory. This way Keycloak will trust the
>> OpenShift cluster out of the box. The warning you see clearly indicates
>> that this feature hasn't been implemented yet.
>>
>> So the bottom line - please ignore this error. I'm pretty sure it will
>> disappear in the future (and if not, I'll just remove or disable this
>> feature).
>>
>> Thanks,
>> Sebastian
>>
>> [1]
>>
https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5...
>>
>> On Wed, Oct 31, 2018 at 8:59 AM Meissa M'baye Sakho
<msakho(a)redhat.com>
>> wrote:
>>
>>> Hi Sebastian,
>>> Do you have any advice on this issue? It's related to the x509.sh
>>> script and I would really appreciate an input/help here.
>>> Meissa
>>> ---------- Forwarded message ---------
>>> From: Meissa M'baye Sakho <msakho(a)redhat.com>
>>> Date: mar. 30 oct. 2018 à 17:12
>>> Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment
>>> variable
>>> To: keycloak-user <keycloak-user(a)lists.jboss.org>
>>>
>>>
>>> hello everyone,
>>> I'm using the jboss/keycloak:4.5.0.Final docker image.
>>> I'm trying to setup Mutual TLS by using the X509_CA_BUNDLE environment
>>> variable as explained in the Jboss/keycloak docker image documentation.
>>> I've mounted a volume to the image pointing to the cert file and
>>> defined the env variable.
>>> I'm running the image with the following command:
>>> docker run -d --name opengie -e KEYCLOAK_USER=meissa -e
>>> KEYCLOAK_PASSWORD=meissa \
>>>   -e PROXY_ADDRESS_FORWARDING=true \
>>>   -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \
>>>   -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \
>>>   -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \
>>>   -e JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \
>>>   -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \
>>>   jboss/keycloak:4.5.0.Final
>>>
>>>
>>> When the container starts, I've checked that the cert has been correctly
>>> mounted to the expected folder /var/run/secrets
>>> But I see in the log that the certificate import fails (extract below):
>>> Creating HTTPS keystore via OpenShift's service serving x509
>>> certificate secrets..
>>> HTTPS keystore successfully created at:
>>> /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
>>> Creating Keycloak truststore..
>>> Keycloak truststore successfully created at:
>>> /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
>>> Importing certificates from system's Java CA certificate bundle into
>>> Keycloak truststore..
>>> Failed to import certificates from system's Java CA certificate bundle
>>> into Keycloak truststore!
>>> Setting JGroups discovery to dns.DNS_PING with properties
>>> {dns_query=>bdf-opengie-test.paas.eclair.local}
>>>
>>> I've checked in the script that handles the TLS import [1], but I'm not
>>> able to guess why the import is failing.
>>>
>>> The following extract is the part of the script that is used by the
>>> image to import the cert.
>>> # Import existing system CA certificates into the newly generated truststore
>>> local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts")
>>> if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
>>>   echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.."
>>>   keytool -importkeystore -noprompt \
>>>     -srckeystore "${SYSTEM_CACERTS}" \
>>>     -destkeystore "${JKS_TRUSTSTORE_PATH}" \
>>>     -srcstoretype jks -deststoretype jks \
>>>     -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
>>>   if [ "$?" -ne "0" ]; then
>>>     echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
>>>   else
>>>     echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!"
>>>   fi
>>> fi
>>>
>>> Any advice?
>>>
>>> [1]=
>>>
https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5...
>>>
>>> Meissa
>>>
>>