Adapter trustore: use default java trustore possible ? - keycloak-user - Jboss List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Adapter trustore: use default java trustore possible ?

SSL port on docker images

Undertow adapter documentation

Jérôme Revillard

Wednesday, 17 February 2016 Wed, 17 Feb '16

2:07 a.m.

Dear all, I'm testing now a Keycloak server properly configured with https configuration. The server certificate is one which is already known by the default java trustore. Would it be possible to setup the keycloak.json adapter config to use this default java trustore ? Best, Jerome

Attachments:

smime.p7s (application/pkcs7-signature — 3.8 KB)

Reply

Show replies by date

Bruno Oliveira

Wednesday, 17 February Wed, 17 Feb

4:09 a.m.

I'm not sure if I got your question in the right way. But from my understanding Java truststore is the standard fall back. See item 3.2.5 https://keycloak.github.io/docs/userguide/keycloak-server/html/server-ins... On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <jrevillard(a)gnubila.fr> wrote:

Dear all, I'm testing now a Keycloak server properly configured with https configuration. The server certificate is one which is already known by the default java trustore. Would it be possible to setup the keycloak.json adapter config to use this default java trustore ? Best, Jerome _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Reply

Jérôme Revillard

4:19 a.m.

Yes, it seems to be the case for the server, but not for the clients. See the trustore config description here: https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#... Best, Jerome Le 17/02/2016 11:09, Bruno Oliveira a écrit :

I'm not sure if I got your question in the right way. But from my understanding Java truststore is the standard fall back. See item 3.2.5 https://keycloak.github.io/docs/userguide/keycloak-server/html/server-ins... On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <jrevillard(a)gnubila.fr <mailto:jrevillard@gnubila.fr>> wrote: Dear all, I'm testing now a Keycloak server properly configured with https configuration. The server certificate is one which is already known by the default java trustore. Would it be possible to setup the keycloak.json adapter config to use this default java trustore ? Best, Jerome _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user

Reply

Jérôme Revillard

Friday, 19 February Fri, 19 Feb

7:41 a.m.

Any advise for this please ? Best, Jerome Le 17/02/2016 11:19, Jérôme Revillard a écrit :

Yes, it seems to be the case for the server, but not for the clients. See the trustore config description here: https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#... Best, Jerome Le 17/02/2016 11:09, Bruno Oliveira a écrit : > I'm not sure if I got your question in the right way. But from my > understanding Java truststore is the standard fall back. > > See item 3.2.5 > https://keycloak.github.io/docs/userguide/keycloak-server/html/server-ins... > > On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard > <jrevillard(a)gnubila.fr <mailto:jrevillard@gnubila.fr>> wrote: > > Dear all, > > I'm testing now a Keycloak server properly configured with https > configuration. > The server certificate is one which is already known by the > default java > trustore. > Would it be possible to setup the keycloak.json adapter config to use > this default java trustore ? > > Best, > Jerome > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Reply

Jeremy Simon

8:10 a.m.

Hey there, I had asked about this a while ago too. Far as I know, the current implementation uses the jks for the HTTPS communication only. All realms generate their own key pair. Now to get around that, maybe you could export a realm to JSON, put in what you want for the key information and import it as a new realm or server configuration. That might be a little crazy. The more I thought about it, since the realm key pairs are for signing and encrypting the JWTs (or saml), that it's kinda nice you can hit a key and generate new ones in case of a compromise...or to keep stuff revolving. Hope that helps! jeremy jeremy(a)jeremysimon.com www.JeremySimon.com On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard <jrevillard(a)gnubila.fr> wrote:

Any advise for this please ? Best, Jerome Le 17/02/2016 11:19, Jérôme Revillard a écrit : Yes, it seems to be the case for the server, but not for the clients. See the trustore config description here: https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#... Best, Jerome Le 17/02/2016 11:09, Bruno Oliveira a écrit : I'm not sure if I got your question in the right way. But from my understanding Java truststore is the standard fall back. See item 3.2.5 https://keycloak.github.io/docs/userguide/keycloak-server/html/server-ins... On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <jrevillard(a)gnubila.fr> wrote: > > Dear all, > > I'm testing now a Keycloak server properly configured with https > configuration. > The server certificate is one which is already known by the default java > trustore. > Would it be possible to setup the keycloak.json adapter config to use > this default java trustore ? > > Best, > Jerome > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Reply

Marko Strukelj

8:53 a.m.

Please don't hijack a thread. These sound like two separate issues. Here we are talking about getting client adapter to connect to https protected Keycloak server - which requires that some truststore is used by HttpClient library used by adapter. What you are talking about - realm keys - is something completely different, and has nothing to do with a truststore. On Fri, Feb 19, 2016 at 3:10 PM, Jeremy Simon <jeremy(a)jeremysimon.com> wrote:

Hey there, I had asked about this a while ago too. Far as I know, the current implementation uses the jks for the HTTPS communication only. All realms generate their own key pair. Now to get around that, maybe you could export a realm to JSON, put in what you want for the key information and import it as a new realm or server configuration. That might be a little crazy. The more I thought about it, since the realm key pairs are for signing and encrypting the JWTs (or saml), that it's kinda nice you can hit a key and generate new ones in case of a compromise...or to keep stuff revolving. Hope that helps! jeremy jeremy(a)jeremysimon.com www.JeremySimon.com On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard <jrevillard(a)gnubila.fr> wrote: > Any advise for this please ? > > Best, > Jerome > > > Le 17/02/2016 11:19, Jérôme Revillard a écrit : > > Yes, it seems to be the case for the server, but not for the clients. See > the trustore config description here: > https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#... > > Best, > Jerome > > Le 17/02/2016 11:09, Bruno Oliveira a écrit : > > I'm not sure if I got your question in the right way. But from my > understanding Java truststore is the standard fall back. > > See item 3.2.5 > https://keycloak.github.io/docs/userguide/keycloak-server/html/server-ins... > > On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <jrevillard(a)gnubila.fr> > wrote: >> >> Dear all, >> >> I'm testing now a Keycloak server properly configured with https >> configuration. >> The server certificate is one which is already known by the default java >> trustore. >> Would it be possible to setup the keycloak.json adapter config to use >> this default java trustore ? >> >> Best, >> Jerome >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Reply

Jeremy Simon

9:39 a.m.

Sorry, I simply misunderstood. Not try to hijack anything... What good would that do?? On Feb 19, 2016 9:53 AM, "Marko Strukelj" <mstrukel(a)redhat.com> wrote:

Please don't hijack a thread. These sound like two separate issues. Here we are talking about getting client adapter to connect to https protected Keycloak server - which requires that some truststore is used by HttpClient library used by adapter. What you are talking about - realm keys - is something completely different, and has nothing to do with a truststore. On Fri, Feb 19, 2016 at 3:10 PM, Jeremy Simon <jeremy(a)jeremysimon.com> wrote: > Hey there, > > I had asked about this a while ago too. Far as I know, the current > implementation uses the jks for the HTTPS communication only. All > realms generate their own key pair. > > Now to get around that, maybe you could export a realm to JSON, put in > what you want for the key information and import it as a new realm or > server configuration. That might be a little crazy. The more I > thought about it, since the realm key pairs are for signing and > encrypting the JWTs (or saml), that it's kinda nice you can hit a key > and generate new ones in case of a compromise...or to keep stuff > revolving. > > Hope that helps! > > jeremy > jeremy(a)jeremysimon.com > www.JeremySimon.com > > > On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard <jrevillard(a)gnubila.fr> > wrote: > > Any advise for this please ? > > > > Best, > > Jerome > > > > > > Le 17/02/2016 11:19, Jérôme Revillard a écrit : > > > > Yes, it seems to be the case for the server, but not for the clients. > See > > the trustore config description here: > > > https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#... > > > > Best, > > Jerome > > > > Le 17/02/2016 11:09, Bruno Oliveira a écrit : > > > > I'm not sure if I got your question in the right way. But from my > > understanding Java truststore is the standard fall back. > > > > See item 3.2.5 > > > https://keycloak.github.io/docs/userguide/keycloak-server/html/server-ins... > > > > On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <jrevillard(a)gnubila.fr > > > > wrote: > >> > >> Dear all, > >> > >> I'm testing now a Keycloak server properly configured with https > >> configuration. > >> The server certificate is one which is already known by the default > java > >> trustore. > >> Would it be possible to setup the keycloak.json adapter config to use > >> this default java trustore ? > >> > >> Best, > >> Jerome > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user(a)lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Reply

Marko Strukelj

9:55 a.m.

That's just an expression used when someone steers the thread into an unrelated topic :) On Fri, Feb 19, 2016 at 4:39 PM, Jeremy Simon <jeremy(a)jeremysimon.com> wrote:

Sorry, I simply misunderstood. Not try to hijack anything... What good would that do?? On Feb 19, 2016 9:53 AM, "Marko Strukelj" <mstrukel(a)redhat.com> wrote: > Please don't hijack a thread. These sound like two separate issues. Here > we are talking about getting client adapter to connect to https protected > Keycloak server - which requires that some truststore is used by HttpClient > library used by adapter. > > What you are talking about - realm keys - is something completely > different, and has nothing to do with a truststore. > > On Fri, Feb 19, 2016 at 3:10 PM, Jeremy Simon <jeremy(a)jeremysimon.com> > wrote: > >> Hey there, >> >> I had asked about this a while ago too. Far as I know, the current >> implementation uses the jks for the HTTPS communication only. All >> realms generate their own key pair. >> >> Now to get around that, maybe you could export a realm to JSON, put in >> what you want for the key information and import it as a new realm or >> server configuration. That might be a little crazy. The more I >> thought about it, since the realm key pairs are for signing and >> encrypting the JWTs (or saml), that it's kinda nice you can hit a key >> and generate new ones in case of a compromise...or to keep stuff >> revolving. >> >> Hope that helps! >> >> jeremy >> jeremy(a)jeremysimon.com >> www.JeremySimon.com >> >> >> On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard <jrevillard(a)gnubila.fr> >> wrote: >> > Any advise for this please ? >> > >> > Best, >> > Jerome >> > >> > >> > Le 17/02/2016 11:19, Jérôme Revillard a écrit : >> > >> > Yes, it seems to be the case for the server, but not for the clients. >> See >> > the trustore config description here: >> > >> https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#... >> > >> > Best, >> > Jerome >> > >> > Le 17/02/2016 11:09, Bruno Oliveira a écrit : >> > >> > I'm not sure if I got your question in the right way. But from my >> > understanding Java truststore is the standard fall back. >> > >> > See item 3.2.5 >> > >> https://keycloak.github.io/docs/userguide/keycloak-server/html/server-ins... >> > >> > On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard < >> jrevillard(a)gnubila.fr> >> > wrote: >> >> >> >> Dear all, >> >> >> >> I'm testing now a Keycloak server properly configured with https >> >> configuration. >> >> The server certificate is one which is already known by the default >> java >> >> trustore. >> >> Would it be possible to setup the keycloak.json adapter config to use >> >> this default java trustore ? >> >> >> >> Best, >> >> Jerome >> >> >> >> _______________________________________________ >> >> keycloak-user mailing list >> >> keycloak-user(a)lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user(a)lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user(a)lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

Reply

Bill Burke

10:01 a.m.

So, how do you like the new keycloak logo? On 2/19/2016 10:55 AM, Marko Strukelj wrote:

That's just an expression used when someone steers the thread into an unrelated topic :) On Fri, Feb 19, 2016 at 4:39 PM, Jeremy Simon <jeremy(a)jeremysimon.com <mailto:jeremy@jeremysimon.com>> wrote: Sorry, I simply misunderstood. Not try to hijack anything... What good would that do?? On Feb 19, 2016 9:53 AM, "Marko Strukelj" <mstrukel(a)redhat.com <mailto:mstrukel@redhat.com>> wrote: Please don't hijack a thread. These sound like two separate issues. Here we are talking about getting client adapter to connect to https protected Keycloak server - which requires that some truststore is used by HttpClient library used by adapter. What you are talking about - realm keys - is something completely different, and has nothing to do with a truststore. On Fri, Feb 19, 2016 at 3:10 PM, Jeremy Simon <jeremy(a)jeremysimon.com <mailto:jeremy@jeremysimon.com>> wrote: Hey there, I had asked about this a while ago too. Far as I know, the current implementation uses the jks for the HTTPS communication only. All realms generate their own key pair. Now to get around that, maybe you could export a realm to JSON, put in what you want for the key information and import it as a new realm or server configuration. That might be a little crazy. The more I thought about it, since the realm key pairs are for signing and encrypting the JWTs (or saml), that it's kinda nice you can hit a key and generate new ones in case of a compromise...or to keep stuff revolving. Hope that helps! jeremy jeremy(a)jeremysimon.com <mailto:jeremy@jeremysimon.com> www.JeremySimon.com <http://www.JeremySimon.com> On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard <jrevillard(a)gnubila.fr <mailto:jrevillard@gnubila.fr>> wrote: > Any advise for this please ? > > Best, > Jerome > > > Le 17/02/2016 11:19, Jérôme Revillard a écrit : > > Yes, it seems to be the case for the server, but not for the clients. See > the trustore config description here: > https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#... > > Best, > Jerome > > Le 17/02/2016 11:09, Bruno Oliveira a écrit : > > I'm not sure if I got your question in the right way. But from my > understanding Java truststore is the standard fall back. > > See item 3.2.5 > https://keycloak.github.io/docs/userguide/keycloak-server/html/server-ins... > > On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <jrevillard(a)gnubila.fr <mailto:jrevillard@gnubila.fr>> > wrote: >> >> Dear all, >> >> I'm testing now a Keycloak server properly configured with https >> configuration. >> The server certificate is one which is already known by the default java >> trustore. >> Would it be possible to setup the keycloak.json adapter config to use >> this default java trustore ? >> >> Best, >> Jerome >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Reply

Marko Strukelj

10:13 a.m.

:) Bill can confirm, but I think -Djavax.net.ssl.trustStore should work on the adapter side, and using adapter 'truststore' property is optional. If set it overrides Java runtime trustore config, if not java runtime truststore is used. On Fri, Feb 19, 2016 at 5:01 PM, Bill Burke <bburke(a)redhat.com> wrote:

So, how do you like the new keycloak logo? On 2/19/2016 10:55 AM, Marko Strukelj wrote: That's just an expression used when someone steers the thread into an unrelated topic :) On Fri, Feb 19, 2016 at 4:39 PM, Jeremy Simon <jeremy(a)jeremysimon.com> wrote: > Sorry, I simply misunderstood. Not try to hijack anything... What good > would that do?? > On Feb 19, 2016 9:53 AM, "Marko Strukelj" <mstrukel(a)redhat.com> wrote: > >> Please don't hijack a thread. These sound like two separate issues. Here >> we are talking about getting client adapter to connect to https protected >> Keycloak server - which requires that some truststore is used by HttpClient >> library used by adapter. >> >> What you are talking about - realm keys - is something completely >> different, and has nothing to do with a truststore. >> >> On Fri, Feb 19, 2016 at 3:10 PM, Jeremy Simon < <jeremy(a)jeremysimon.com> >> jeremy(a)jeremysimon.com> wrote: >> >>> Hey there, >>> >>> I had asked about this a while ago too. Far as I know, the current >>> implementation uses the jks for the HTTPS communication only. All >>> realms generate their own key pair. >>> >>> Now to get around that, maybe you could export a realm to JSON, put in >>> what you want for the key information and import it as a new realm or >>> server configuration. That might be a little crazy. The more I >>> thought about it, since the realm key pairs are for signing and >>> encrypting the JWTs (or saml), that it's kinda nice you can hit a key >>> and generate new ones in case of a compromise...or to keep stuff >>> revolving. >>> >>> Hope that helps! >>> >>> jeremy >>> jeremy(a)jeremysimon.com >>> www.JeremySimon.com >>> >>> >>> On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard < >>> jrevillard(a)gnubila.fr> wrote: >>> > Any advise for this please ? >>> > >>> > Best, >>> > Jerome >>> > >>> > >>> > Le 17/02/2016 11:19, Jérôme Revillard a écrit : >>> > >>> > Yes, it seems to be the case for the server, but not for the clients. >>> See >>> > the trustore config description here: >>> > >>> https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#... >>> > >>> > Best, >>> > Jerome >>> > >>> > Le 17/02/2016 11:09, Bruno Oliveira a écrit : >>> > >>> > I'm not sure if I got your question in the right way. But from my >>> > understanding Java truststore is the standard fall back. >>> > >>> > See item 3.2.5 >>> > >>> https://keycloak.github.io/docs/userguide/keycloak-server/html/server-ins... >>> > >>> > On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard < >>> <jrevillard@gnubila.fr>jrevillard(a)gnubila.fr> >>> > wrote: >>> >> >>> >> Dear all, >>> >> >>> >> I'm testing now a Keycloak server properly configured with https >>> >> configuration. >>> >> The server certificate is one which is already known by the default >>> java >>> >> trustore. >>> >> Would it be possible to setup the keycloak.json adapter config to use >>> >> this default java trustore ? >>> >> >>> >> Best, >>> >> Jerome >>> >> >>> >> _______________________________________________ >>> >> keycloak-user mailing list >>> >> keycloak-user(a)lists.jboss.org >>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > >>> > >>> > >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user(a)lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > >>> > >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user(a)lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ keycloak-user mailing listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hathttp://bill.burkecentral.com _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Reply

Jérôme Revillard

10:24 a.m.

Ok thanks I will check and let you know if I have problems. Best, Jerome Le 19/02/2016 17:13, Marko Strukelj a écrit :

:) Bill can confirm, but I think -Djavax.net.ssl.trustStore should work on the adapter side, and using adapter 'truststore' property is optional. If set it overrides Java runtime trustore config, if not java runtime truststore is used. On Fri, Feb 19, 2016 at 5:01 PM, Bill Burke <bburke(a)redhat.com <mailto:bburke@redhat.com>> wrote: So, how do you like the new keycloak logo? On 2/19/2016 10:55 AM, Marko Strukelj wrote: > That's just an expression used when someone steers the thread > into an unrelated topic :) > > On Fri, Feb 19, 2016 at 4:39 PM, Jeremy Simon > <jeremy(a)jeremysimon.com <mailto:jeremy@jeremysimon.com>> wrote: > > Sorry, I simply misunderstood. Not try to hijack anything... > What good would that do?? > > On Feb 19, 2016 9:53 AM, "Marko Strukelj" > <mstrukel(a)redhat.com <mailto:mstrukel@redhat.com>> wrote: > > Please don't hijack a thread. These sound like two > separate issues. Here we are talking about getting client > adapter to connect to https protected Keycloak server - > which requires that some truststore is used by HttpClient > library used by adapter. > > What you are talking about - realm keys - is something > completely different, and has nothing to do with a > truststore. > > On Fri, Feb 19, 2016 at 3:10 PM, Jeremy Simon > <jeremy(a)jeremysimon.com <mailto:jeremy@jeremysimon.com>> > wrote: > > Hey there, > > I had asked about this a while ago too. Far as I > know, the current > implementation uses the jks for the HTTPS > communication only. All > realms generate their own key pair. > > Now to get around that, maybe you could export a > realm to JSON, put in > what you want for the key information and import it > as a new realm or > server configuration. That might be a little crazy. > The more I > thought about it, since the realm key pairs are for > signing and > encrypting the JWTs (or saml), that it's kinda nice > you can hit a key > and generate new ones in case of a compromise...or to > keep stuff > revolving. > > Hope that helps! > > jeremy > jeremy(a)jeremysimon.com <mailto:jeremy@jeremysimon.com> > www.JeremySimon.com <http://www.JeremySimon.com> > > > On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard > <jrevillard(a)gnubila.fr > <mailto:jrevillard@gnubila.fr>> wrote: > > Any advise for this please ? > > > > Best, > > Jerome > > > > > > Le 17/02/2016 11:19, Jérôme Revillard a écrit : > > > > Yes, it seems to be the case for the server, but > not for the clients. See > > the trustore config description here: > > > https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#... > > > > Best, > > Jerome > > > > Le 17/02/2016 11:09, Bruno Oliveira a écrit : > > > > I'm not sure if I got your question in the right > way. But from my > > understanding Java truststore is the standard fall > back. > > > > See item 3.2.5 > > > https://keycloak.github.io/docs/userguide/keycloak-server/html/server-ins... > > > > On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard > <jrevillard(a)gnubila.fr <mailto:jrevillard@gnubila.fr>> > > wrote: > >> > >> Dear all, > >> > >> I'm testing now a Keycloak server properly > configured with https > >> configuration. > >> The server certificate is one which is already > known by the default java > >> trustore. > >> Would it be possible to setup the keycloak.json > adapter config to use > >> this default java trustore ? > >> > >> Best, > >> Jerome > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user(a)lists.jboss.org > <mailto:keycloak-user@lists.jboss.org> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > <mailto:keycloak-user@lists.jboss.org> > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > <mailto:keycloak-user@lists.jboss.org> > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Reply

Marko Strukelj

8:12 a.m.

What version of Keycloak are you using, and what have you tried so far? It sounds like you've tried to not set "truststore", and it didn't work. What's the exception you get? On Fri, Feb 19, 2016 at 2:41 PM, Jérôme Revillard <jrevillard(a)gnubila.fr> wrote:

Any advise for this please ? Best, Jerome Le 17/02/2016 11:19, Jérôme Revillard a écrit : Yes, it seems to be the case for the server, but not for the clients. See the trustore config description here: https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#... Best, Jerome Le 17/02/2016 11:09, Bruno Oliveira a écrit : I'm not sure if I got your question in the right way. But from my understanding Java truststore is the standard fall back. See item 3.2.5 https://keycloak.github.io/docs/userguide/keycloak-server/html/server-ins... On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <jrevillard(a)gnubila.fr> wrote: > Dear all, > > I'm testing now a Keycloak server properly configured with https > configuration. > The server certificate is one which is already known by the default java > trustore. > Would it be possible to setup the keycloak.json adapter config to use > this default java trustore ? > > Best, > Jerome > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Reply

Jérôme Revillard

9:43 a.m.

Hi Marko, I use Keycloak 1.4.0.Final but it's the same with the latest one. Here is the error that I get from the "KeycloakInstalled" adaptor but it's the same for at least the Jetty9.2 one: //--------------------------------------------------------------------- Open the following URL in a browser. After login copy/paste the code back and press <enter> https://sso.gnubila.fr/auth/realms/Tests/protocol/openid-connect/auth?res... Code: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57) at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:122) at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:95) at org.keycloak.adapters.installed.KeycloakInstalled.processCode(KeycloakInstalled.java:232) at org.keycloak.adapters.installed.KeycloakInstalled.loginManual(KeycloakInstalled.java:168) at org.keycloak.adapters.installed.KeycloakInstalled.loginManual(KeycloakInstalled.java:147) at cmd_client.main(cmd_client.java:64) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ... 24 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ... 30 more //--------------------------------------------------------------------- Best, Jerome Le 19/02/2016 15:12, Marko Strukelj a écrit :

What version of Keycloak are you using, and what have you tried so far? It sounds like you've tried to not set "truststore", and it didn't work. What's the exception you get? On Fri, Feb 19, 2016 at 2:41 PM, Jérôme Revillard <jrevillard(a)gnubila.fr <mailto:jrevillard@gnubila.fr>> wrote: Any advise for this please ? Best, Jerome Le 17/02/2016 11:19, Jérôme Revillard a écrit : > Yes, it seems to be the case for the server, but not for the > clients. See the trustore config description here: > https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#... > > Best, > Jerome > > Le 17/02/2016 11:09, Bruno Oliveira a écrit : >> I'm not sure if I got your question in the right way. But from >> my understanding Java truststore is the standard fall back. >> >> See item 3.2.5 >> https://keycloak.github.io/docs/userguide/keycloak-server/html/server-ins... >> >> On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard >> <jrevillard(a)gnubila.fr <mailto:jrevillard@gnubila.fr>> wrote: >> >> Dear all, >> >> I'm testing now a Keycloak server properly configured with https >> configuration. >> The server certificate is one which is already known by the >> default java >> trustore. >> Would it be possible to setup the keycloak.json adapter >> config to use >> this default java trustore ? >> >> Best, >> Jerome >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> <mailto:keycloak-user@lists.jboss.org> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user

Reply

3218

days inactive

3220

days old

keycloak-user@lists.jboss.org

Manage subscription

12 comments

5 participants

tags (0)

participants (5)

Bill Burke
Bruno Oliveira
Jeremy Simon
Jérôme Revillard
Marko Strukelj