Hi Sebastian, Do you have any advice in this issue. It's related to the x509.sh script and I would really apprecaite an input/help here. Meissa ---------- Forwarded message --------- From: Meissa M'baye Sakho <msakho(a)redhat.com&gt; Date: mar. 30 oct. 2018 à 17:12 Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment variable To: keycloak-user <keycloak-user(a)lists.jboss.org&gt; hello everyone, I'm using the jboss/keycloak:4.5.0.Final docker image. I'm trying to setup Mutual TLS by using the X509_CA_BUNDLE environment variable as explained in the Jboss/keycloak docker image documentation. I've mounted a volume to the image pointing to the cert file and defined the env variable. I'm running the image with the following command: *docker run -d --name opengie -e KEYCLOAK_USER=meissa -e KEYCLOAK_PASSWORD=meissa \* * -e PROXY_ADDRESS_FORWARDING=true \* * -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \* * -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \* * -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \* * -e JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \* * -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \* * jboss/keycloak:4.5.0.Final* When The container starts, I've checked that the cert has been corectly mounted to the expected folder /var/run/secrets But I see in the log that the certificat import fails (extract below): *Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..* *HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks* *Creating Keycloak truststore..* *Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks* *Importing certificates from system's Java CA certificate bundle into Keycloak truststore..* *Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!* *Setting JGroups discovery to dns.DNS_PING with properties {dns_query=>bdf-opengie-test.paas.eclair.local}* I've checked in the script that handle the TLS import [1], but I'm not able to guess why the import is failing. The following extract is a part of the scripts that is used by the image to import the cert. # Import existing system CA certificates into the newly generated truststore local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts") if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.." keytool -importkeystore -noprompt \ -srckeystore "${SYSTEM_CACERTS}" \ -destkeystore "${JKS_TRUSTSTORE_PATH}" \ -srcstoretype jks -deststoretype jks \ -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null if [ "$?" -ne "0" ]; then echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}" else echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!" fi Any advice? [1]= https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5... Meissa

Hi Sebastian, That's correct. I can see that my the truststore is created correctly with my CA certificates. I need now to configure the OutGoing HTTPS Request Truststore [3] with the created truststore and the password. The problem is that I can't set the password. I've checked into the x509-truststore.cli [1] and see that it's picked from the $keycloak_tls_truststore_password variable. and created from your x509.sh script [2] I've tried to use the same syntax in my cli below but it fails because the $keycloak_tls_truststore_password is not know from my cli. So Sebastien, do you know how I can get the trsustore password? Is it possible to set it as an environment variable to the docker image? [1]= https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/serve... [2]= https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/serve... [3]= https://www.keycloak.org/docs/latest/server_installation/index.html#_trus... Thanks, Meissa Le mer. 31 oct. 2018 à 09:08, Sebastian Laskawiec <slaskawi(a)redhat.com&gt; a écrit : > Hey Meissa, > > The warning you see does no harm. As you can see here [1], the message is > being thrown without stopping the script. > > Pulling JDK CAs has been implemented somewhat ahead of time. I asked the > Cloud Enablement (and also other Red Hat teams) to put Kubernetes and > OpenShift CAs into JDK lib directory. This way Keycloak will trust the > OpenShift cluster out of the box. The warning you see clearly indicates > that this feature hasn't been implemented yet. > > So the bottom line - please ignore this error. I'm pretty sure it will > disappear in the future (and if not, I'll just remove or disable this > feature). > > Thanks, > Sebastian > > [1] > https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5... > > On Wed, Oct 31, 2018 at 8:59 AM Meissa M'baye Sakho <msakho(a)redhat.com&gt; > wrote: > >> Hi Sebastian, >> Do you have any advice in this issue. It's related to the x509.sh script >> and I would really apprecaite an input/help here. >> Meissa >> ---------- Forwarded message --------- >> From: Meissa M'baye Sakho <msakho(a)redhat.com&gt; >> Date: mar. 30 oct. 2018 à 17:12 >> Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment >> variable >> To: keycloak-user <keycloak-user(a)lists.jboss.org&gt; >> >> >> hello everyone, >> I'm using the jboss/keycloak:4.5.0.Final docker image. >> I'm trying to setup Mutual TLS by using the X509_CA_BUNDLE environment >> variable as explained in the Jboss/keycloak docker image documentation. >> I've mounted a volume to the image pointing to the cert file and defined >> the env variable. >> I'm running the image with the following command: >> *docker run -d --name opengie -e KEYCLOAK_USER=meissa -e >> KEYCLOAK_PASSWORD=meissa \* >> * -e PROXY_ADDRESS_FORWARDING=true \* >> * -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets >> \* >> * -v >> /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \* >> * -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \* >> * -e >> JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \* >> * -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \* >> * jboss/keycloak:4.5.0.Final* >> >> >> When The container starts, I've checked that the cert has been corectly >> mounted to the expected folder /var/run/secrets >> But I see in the log that the certificat import fails (extract below): >> *Creating HTTPS keystore via OpenShift's service serving x509 >> certificate secrets..* >> *HTTPS keystore successfully created at: >> /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks* >> *Creating Keycloak truststore..* >> *Keycloak truststore successfully created at: >> /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks* >> *Importing certificates from system's Java CA certificate bundle into >> Keycloak truststore..* >> *Failed to import certificates from system's Java CA certificate bundle >> into Keycloak truststore!* >> *Setting JGroups discovery to dns.DNS_PING with properties >> {dns_query=>bdf-opengie-test.paas.eclair.local}* >> >> I've checked in the script that handle the TLS import [1], but I'm not >> able to guess why the import is failing. >> >> The following extract is a part of the scripts that is used by the image >> to import the cert. >> # Import existing system CA certificates into the newly generated >> truststore >> local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which >> keytool)))"/../lib/security/cacerts") >> if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" >> > /dev/null; then >> echo "Importing certificates from system's Java CA certificate bundle >> into Keycloak truststore.." >> keytool -importkeystore -noprompt \ >> -srckeystore "${SYSTEM_CACERTS}" \ >> -destkeystore "${JKS_TRUSTSTORE_PATH}" \ >> -srcstoretype jks -deststoretype jks \ >> -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null >> if [ "$?" -ne "0" ]; then >> echo "Successfully imported certificates from system's Java CA >> certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}" >> else >> echo "Failed to import certificates from system's Java CA certificate >> bundle into Keycloak truststore!" >> fi >> >> Any advice? >> >> [1]= >> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5... >> >> Meissa >> >

So the variable you're pointing out is local to the script. Having said that, you have no access to it from the outside. I think the proper solution would be to modify Keycloak codebase (especially Keycloak subsystem) and integrate it with Elytron. Probably +Pedro Igor Silva <psilva(a)redhat.com&gt; would be the best person to ask about that. As for the short-term solution, I guess introducing two optional environmental variables for storing Keystore and Truststore passwords would be enough. If those variables were empty, we would generate a new password. If not, we'd use it for generating JKS files. Unfortunately adding this feature is not currently on our priority list. Therefore, I highly encourage you to contribute it. If you plan to do so, please remember about creating a JIRA for it. I will be more than happy to review the code once you have something ready. Thanks, Sebastian On Tue, Nov 13, 2018 at 9:14 AM Meissa M'baye Sakho <msakho(a)redhat.com&gt; wrote: > Hello Sebastien, > Any advice? > I really need to access trustore password initilized loccally from the > x509.sh script. (extrcat below) > local PASSWORD=$(openssl rand -base64 32 2>/dev/null) > local JKS_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.jks > > I'm stuck otherwise. > How can I get access to it? > Meissa > > Le lun. 12 nov. 2018 à 10:24, Meissa M'baye Sakho <msakho(a)redhat.com&gt; a > écrit : > >> Hi Sebastian, >> That's correct. I can see that my the truststore is created correctly >> with my CA certificates. >> I need now to configure the OutGoing HTTPS Request Truststore [3] with >> the created truststore and the password. >> The problem is that I can't set the password. I've checked into the >> x509-truststore.cli [1] and see that it's picked from the >> $keycloak_tls_truststore_password variable. >> and created from your x509.sh script [2] >> I've tried to use the same syntax in my cli below but it fails because >> the $keycloak_tls_truststore_password is not know from my cli. >> So Sebastien, do you know how I can get the trsustore password? >> Is it possible to set it as an environment variable to the docker image? >> >> >> [1]= >> https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/serve... >> [2]= >> https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/serve... >> [3]= >> https://www.keycloak.org/docs/latest/server_installation/index.html#_trus... >> Thanks, >> Meissa >> >> >> Le mer. 31 oct. 2018 à 09:08, Sebastian Laskawiec <slaskawi(a)redhat.com&gt; >> a écrit : >> >>> Hey Meissa, >>> >>> The warning you see does no harm. As you can see here [1], the message >>> is being thrown without stopping the script. >>> >>> Pulling JDK CAs has been implemented somewhat ahead of time. I asked >>> the Cloud Enablement (and also other Red Hat teams) to put Kubernetes and >>> OpenShift CAs into JDK lib directory. This way Keycloak will trust the >>> OpenShift cluster out of the box. The warning you see clearly indicates >>> that this feature hasn't been implemented yet. >>> >>> So the bottom line - please ignore this error. I'm pretty sure it will >>> disappear in the future (and if not, I'll just remove or disable this >>> feature). >>> >>> Thanks, >>> Sebastian >>> >>> [1] >>> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5... >>> >>> On Wed, Oct 31, 2018 at 8:59 AM Meissa M'baye Sakho <msakho(a)redhat.com&gt; >>> wrote: >>> >>>> Hi Sebastian, >>>> Do you have any advice in this issue. It's related to the x509.sh >>>> script and I would really apprecaite an input/help here. >>>> Meissa >>>> ---------- Forwarded message --------- >>>> From: Meissa M'baye Sakho <msakho(a)redhat.com&gt; >>>> Date: mar. 30 oct. 2018 à 17:12 >>>> Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment >>>> variable >>>> To: keycloak-user <keycloak-user(a)lists.jboss.org&gt; >>>> >>>> >>>> hello everyone, >>>> I'm using the jboss/keycloak:4.5.0.Final docker image. >>>> I'm trying to setup Mutual TLS by using the X509_CA_BUNDLE environment >>>> variable as explained in the Jboss/keycloak docker image documentation. >>>> I've mounted a volume to the image pointing to the cert file and >>>> defined the env variable. >>>> I'm running the image with the following command: >>>> *docker run -d --name opengie -e KEYCLOAK_USER=meissa -e >>>> KEYCLOAK_PASSWORD=meissa \* >>>> * -e PROXY_ADDRESS_FORWARDING=true \* >>>> * -v >>>> /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \* >>>> * -v >>>> /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \* >>>> * -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \* >>>> * -e >>>> JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \* >>>> * -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \* >>>> * jboss/keycloak:4.5.0.Final* >>>> >>>> >>>> When The container starts, I've checked that the cert has been >>>> corectly mounted to the expected folder /var/run/secrets >>>> But I see in the log that the certificat import fails (extract below): >>>> *Creating HTTPS keystore via OpenShift's service serving x509 >>>> certificate secrets..* >>>> *HTTPS keystore successfully created at: >>>> /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks* >>>> *Creating Keycloak truststore..* >>>> *Keycloak truststore successfully created at: >>>> /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks* >>>> *Importing certificates from system's Java CA certificate bundle into >>>> Keycloak truststore..* >>>> *Failed to import certificates from system's Java CA certificate >>>> bundle into Keycloak truststore!* >>>> *Setting JGroups discovery to dns.DNS_PING with properties >>>> {dns_query=>bdf-opengie-test.paas.eclair.local}* >>>> >>>> I've checked in the script that handle the TLS import [1], but I'm not >>>> able to guess why the import is failing. >>>> >>>> The following extract is a part of the scripts that is used by the >>>> image to import the cert. >>>> # Import existing system CA certificates into the newly generated >>>> truststore >>>> local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which >>>> keytool)))"/../lib/security/cacerts") >>>> if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass >>>> "changeit" > /dev/null; then >>>> echo "Importing certificates from system's Java CA certificate bundle >>>> into Keycloak truststore.." >>>> keytool -importkeystore -noprompt \ >>>> -srckeystore "${SYSTEM_CACERTS}" \ >>>> -destkeystore "${JKS_TRUSTSTORE_PATH}" \ >>>> -srcstoretype jks -deststoretype jks \ >>>> -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null >>>> if [ "$?" -ne "0" ]; then >>>> echo "Successfully imported certificates from system's Java CA >>>> certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}" >>>> else >>>> echo "Failed to import certificates from system's Java CA >>>> certificate bundle into Keycloak truststore!" >>>> fi >>>> >>>> Any advice? >>>> >>>> [1]= >>>> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5... >>>> >>>> Meissa >>>> >>>