I got the keystore working in the keycloak-server.json config to enable SMTP TLS connections to Amazon SES so I know that is being picked up:
"truststore": {
"file": {
"file": "${jboss.server.config.dir}/keycloak.jks",
"password": “password",
"hostname-verification-policy": "WILDCARD",
"disabled": false
}
}
But, this same configuration is not applied to the LDAP connections. I finally got it to work by adding the Java keystore arguments to the startup:
nohup ../bin/standalone.sh -Djavax.net.ssl.trustStore=/opt/keycloak/keycloak-1.8.1.Final/standalone/configuration/keycloak.jks -Djavax.net.ssl.trustStorePassword=password
Would seem to be a bug to not apply the same keystore configuration to the LDAP connections?
-Jason
From: Marek Posolda <mposolda@redhat.com>
Date: Wednesday, February 17, 2016 at 11:10 PM
To: Jason Axley <jaxley@expedia.com>, "keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] LDAPS configuration fails "Test authentication"
On 17/02/16 22:46, Jason Axley wrote:
Yes, it seems that it's not picking it. AFAIK we don't support retrieving the truststore from the wildfly configuration of security-realm in standalone.xml. Maybe we should...
I followed some documentation like https://developer.jboss.org/wiki/LDAPSecurityRealmExamples for configuring JBOSS to use LDAP over SSL to Active Directory but can't seem to get Keycloak to honor the trust settings in the configured keystore.
2016-02-17 21:33:49,670 ERROR [org.keycloak.services.managers.LDAPConnectionTestManager] (default task-2) Error when authenticating to LDAP: simple bind failed: server.example.com:636: javax.naming.CommunicationException: simple bind failed: server.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
This is the configuration I’m using for the standalone server:
<security-realm name="LdapSSLRealm">
<authentication>
<truststore path="keycloak.jks"relative-to="jboss.server.config.dir"keystore-password=“password" />
</authentication>
</security-realm>
</security-realms>
<outbound-connections>
<ldap name=“AD"url="ldaps://server.example.com:636"security-realm="LdapSSLRealm" />
</outbound-connections>
I have all of the certs in the chain imported into the keystore:
keytool -list -keystore ../configuration/keycloak.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 5 entries
cert1, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): D5:BA:F5:07:21:7D:71:AA:F6:9B:53:41:C1:05:0C:48:A9:3F:57:CE
rootcert2, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 86:70:AB:0A:96:58:4D:73:C0:D5:13:A8:4D:B3:1D:EC:08:D7:7B:1A
mykey, Feb 12, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 20:8C:D9:BD:B7:75:12:53:F8:68:04:82:48:5C:D7:70:F5:6C:28:15
rootcert, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 36:28:1E:74:E0:A9:6E:0F:53:99:75:DA:62:20:24:D4:F6:34:CD:BD
intermediateu, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): E9:66:EE:CF:79:6A:C1:D0:13:18:59:9C:B4:29:08:54:DF:91:27:2D
Is there a way to find out if Keycloak/jboss is picking up this truststore config? Seems that it’s not. Any other ideas?
At this moment, what should work to configure truststore is either:
- Configure truststore SPI in keycloak-server.json. See http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e231
- add system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword
Marek
-Jason
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
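A small stand-alone Java diagnostic for the question in the thread ("is Keycloak/jboss picking up this truststore?"); it is an added example, not Keycloak or WildFly code. It builds an SSLContext from the given JKS file, performs a TLS handshake against the LDAPS host, and lists the server's chain with SHA1 fingerprints so they can be compared with the keytool -list output above; host, port, keystore path and password are assumed command-line arguments, and a PKIX failure here reproduces the error JNDI raises when the truststore is not wired into the LDAP connection.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class LdapsTrustCheck {
    // Usage (assumed argument order): java LdapsTrustCheck <host> <port> <truststore.jks> <password>
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // Load the same JKS file the keycloak-server.json truststore SPI points at
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[2])) {
            ts.load(in, args[3].toCharArray());
        }
        // Trust only what is in that store, ignoring javax.net.ssl.trustStore and the JDK cacerts
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Also check the certificate matches the host name, like hostname-verification-policy does
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("Handshake OK: the truststore validates " + host + ":" + port);
            for (Certificate c : s.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                // Mark chain members that are themselves present in the truststore
                String alias = ts.getCertificateAlias(x);
                System.out.println(x.getSubjectX500Principal() + " SHA1=" + fingerprint(x)
                        + (alias != null ? " [truststore alias: " + alias + "]" : ""));
            }
        } catch (SSLHandshakeException e) {
            // Same class of error as "PKIX path building failed" in the Keycloak log
            System.out.println("Handshake FAILED: " + e.getMessage());
        }
    }

    // Colon-separated upper-case SHA1 fingerprint, matching the keytool -list format
    static String fingerprint(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }
}
```

If this program succeeds with the JKS file but Keycloak's LDAP test still fails, the store is valid and the problem is that the LDAP connection is not being given it, which is what the -Djavax.net.ssl.trustStore workaround addresses.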