Hi,
Seems to be related to the trust store format. I would suggest you take
a look here [1], especially the "CLI Configuration" section, so that you
configure the CLI properly instead of using system props for specifying both
key and trust stores.
[1]
I'm setting up a new install of keycloak 7.0.0 for 2-way TLS
Starting with a working http controller
/opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \
--controller=remote+http://10.0.0.1:9990 \
version
JBoss Admin Command-line Interface
JBOSS_HOME: /opt/keycloak
Release: 9.0.2.Final
Product: Keycloak 7.0.0
JAVA_HOME: /usr/lib64/jvm/java-11-openjdk
java.version: 11.0.4
java.vm.vendor: Oracle Corporation
java.vm.version: 11.0.4+11-suse-lp151.131.1-x8664
os.name: Linux
os.version: 5.2.11-26.gd6e8aab-default
I configure JCEKS key-stores, and enable https for admin user access,
/subsystem=elytron/key-store=twoWayKS:add(path=/etc/keycloak/keystore.server.jceks,credential-reference={store=master-cs,alias=ks-pass},type=jceks)
/subsystem=elytron/key-store=twoWayTS:add(path=/etc/keycloak/truststore.server.jceks,credential-reference={store=master-cs,alias=ks-pass},type=jceks)
/subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,credential-reference={store=master-cs,alias=ks-pass})
/subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS)
/subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)
batch
/subsystem=undertow/server=default-server/http-listener=default:remove()
/subsystem=undertow/server=default-server/https-listener=https:remove()
/subsystem=undertow/server=default-server/https-listener=default:add(socket-binding=https,ssl-context=twoWaySSC,enable-http2=true)
run-batch
At this point,
egrep "http-listener|https-listener" /usr/local/etc/keycloak/*/*/standalone.xml
<https-listener name="default" socket-binding="https" ssl-context="twoWaySSC" enable-http2="true"/>
and I can verify admin UI via http in browser has been disabled,
http://10.0.0.1:8080/auth/admin
"Unable to connect"
and https is enabled,
https://10.0.0.1:8443/auth/admin
LOGIN is OK
I still have http:// mgmt controller access at cmd-line
/opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \
--controller=remote+http://10.0.0.1:9990 \
version
JBoss Admin Command-line Interface
JBOSS_HOME: /opt/keycloak
Release: 9.0.2.Final
Product: Keycloak 7.0.0
JAVA_HOME: /usr/lib64/jvm/java-11-openjdk
java.version: 11.0.4
java.vm.vendor: Oracle Corporation
java.vm.version: 11.0.4+11-suse-lp151.131.1-x8664
os.name: Linux
os.version: 5.2.11-26.gd6e8aab-default
Setup 2way SSL for the Management interface,
batch
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context,value=twoWaySSC)
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding,value=management-https)
/subsystem=elytron/client-ssl-context=twoWayCSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM)
run-batch
and verify *management* UI https in browser,
http://10.0.0.1:9990
REDIRECTS TO
https://10.0.0.1:9993
and
https://10.0.0.1:9993
LOGIN is OK
works as expected.
But, checking cmd-line https access,
/opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \
--controller=remote+https://10.0.0.1:9993 \
-Djavax.net.ssl.trustStore=/etc/keycloak/truststore.client.jceks \
-Djavax.net.ssl.keyStore=/etc/keycloak/keystore.client.jceks \
-Djavax.net.ssl.trustStorePassword=keypass \
-Djavax.net.ssl.keyStorePassword=keypass \
version
where,
keytool -list -storetype jceks -storepass keypass -keystore ./keystore.client.jceks
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 1 entry
client-keystore, Sep 6, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1F:...:6F
keytool -list -storetype jceks -storepass keypass -keystore ./truststore.client.jceks
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 1 entry
client-keystore, Sep 6, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): 1F:...:6F
fails with
Failed to connect to the controller: Failed to resolve host '10.0.0.1': Failed to obtain SSLContext: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext): problem accessing trust store: DerInputStream.getLength(): lengthTag=78, too big.
What's in my config, or missing from it, that's causing this error?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
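The lengthTag error in the quoted question is what the JDK's DER parser reports when a JCEKS file is opened as PKCS#12, the default keystore type on Java 9+: the second byte of the JCEKS magic, 0xCE, has its high bit set and 0xCE & 0x7F is 78. The following Python check is an added example, not code from the thread or from Keycloak; it classifies a store by its header bytes, reproduces that length computation, and names the standard JSSE properties that select the store type. The JCEKS sample header is constructed.

```python
JKS_MAGIC = b"\xfe\xed\xfe\xed"    # JKS files begin with this 4-byte magic
JCEKS_MAGIC = b"\xce\xce\xce\xce"  # JCEKS (SunJCE) files begin with this magic
DER_SEQUENCE = 0x30                # a PKCS#12 file is a DER-encoded SEQUENCE


def classify_store(data: bytes) -> str:
    """Return 'jks', 'jceks', 'pkcs12' or 'unknown' from the leading bytes."""
    if data.startswith(JKS_MAGIC):
        return "jks"
    if data.startswith(JCEKS_MAGIC):
        return "jceks"
    if data[:1] == bytes([DER_SEQUENCE]):
        return "pkcs12"
    return "unknown"


def der_length_error(data: bytes):
    """Apply the check Java's DerInputStream.getLength() makes on the length
    octet that follows the first tag octet.  Returns the message Java raises
    when a long-form length-of-length exceeds 4 octets, else None."""
    if len(data) < 2:
        return "DerInputStream.getLength(): unexpected end of data"
    length_octet = data[1]
    if length_octet & 0x80:            # long form: low 7 bits = octet count
        count = length_octet & 0x7F
        if count > 4:
            return f"DerInputStream.getLength(): lengthTag={count}, too big."
    return None


def diagnose(data: bytes) -> dict:
    """Describe what a JSSE default SSLContext sees when it opens this file
    as the Java 9+ default type (pkcs12) and which properties select the
    right type.  JKS needs nothing: the JDK's PKCS12 implementation falls
    back to JKS when keystore.type.compat=true (the java.security default)."""
    kind = classify_store(data)
    result = {"detected_type": kind, "pkcs12_parse_error": None,
              "needed_properties": {}}
    if kind == "jceks":
        result["pkcs12_parse_error"] = der_length_error(data)
        result["needed_properties"] = {"javax.net.ssl.trustStoreType": "jceks",
                                       "javax.net.ssl.keyStoreType": "jceks"}
    return result


def diagnose_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return diagnose(fh.read(16))


if __name__ == "__main__":
    # Constructed sample header: JCEKS magic followed by format version 2.
    print(diagnose(JCEKS_MAGIC + b"\x00\x00\x00\x02"))
```

Point diagnose_file() at the client trust store to confirm its on-disk type before deciding how to hand it to the CLI.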