Hi there,
I was interested in getting Keycloak to work with SSL client certs for JDBC connections to
PostgreSQL. I hope someone can
give me some help, because I've been banging my head against this
all day.
First of all, I should mention that my client cert authentication is
working fine with psql in both 1-way and 2-way (mutual) SSL
authentication. So I am satisfied with the certs and keys. There are
two servers: one is the keycloak server, the other is the postgresql server.
postgresql.crt
postgresql.key / postgresql.pk8
root.crt
Those files are located in ${user.home}/.postgresql/ on my postgresql server.
On my PostgreSQL server, if I configure it like this:
hostssl all all 0.0.0.0/0 md5
It is fine. My keycloak server connects to my postgresql server very
well.
However, when I configure it like this:
hostssl all all 0.0.0.0/0 md5 clientcert=1
The connection fails. The log is below.
Caused by: java.lang.RuntimeException: Failed to connect to database
Caused by: java.sql.SQLException: javax.resource.ResourceException:
IJ000453: Unable to get managed connection for
java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ000453: Unable to get
managed connection for java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ031084: Unable to create
connection
Caused by: org.postgresql.util.PSQLException: FATAL: connection
requires a valid client certificate"}}
*"connection requires a valid client certificate".*
I don't know how to configure the client certificate in
keycloak (standalone.xml). In the meantime, I can still use 'psql' to connect
to my postgresql server from my keycloak server.
Questions:
1. Does keycloak support mutual SSL authentication when I try to
connect to postgresql with 2-way authentication? (I guess so. This should be
JDBC's problem, but I am not sure. And I tried the instructions from the
PostgreSQL JDBC Driver docs,
https://jdbc.postgresql.org/documentation/head/ssl-client.html. It still
doesn't work.)
2. Could someone help me out, please?
Thank you for your time!
Cheers!
--
Hugh
Zhaohui Shangguan
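An added example, not part of the post above and not Keycloak's or pgjdbc's own documentation: a WildFly/Keycloak standalone.xml datasource definition that hands the pgjdbc SSL parameters to the driver as connection properties instead of relying on the ${user.home}/.postgresql/ defaults. The host name pg.example.internal, the database name keycloak, the database user, the password placeholder and the directory /opt/keycloak/.postgresql/ are assumptions; the file names match the ones in the post. It assumes the client certificate, its PKCS#8 key (the .pk8 file) and the CA certificate are present on the Keycloak host, since that is the JDBC client side of the connection, and uses sslmode=verify-full so the server's certificate and host name are checked against root.crt as well.

```xml
<!-- Added example (not from the original post): Keycloak datasource in standalone.xml
     under <subsystem xmlns="urn:jboss:domain:datasources:...">. -->
<datasource jndi-name="java:jboss/datasources/KeycloakDS"
            pool-name="KeycloakDS" enabled="true" use-java-context="true">
    <!-- Host and database name are assumed values for this example. -->
    <connection-url>jdbc:postgresql://pg.example.internal:5432/keycloak</connection-url>
    <driver>postgresql</driver>

    <!-- pgjdbc SSL settings passed as connection properties.
         Setting them here avoids having to escape '&' as '&amp;' in the URL. -->
    <connection-property name="ssl">true</connection-property>
    <!-- verify-full: encrypt, validate the server cert against sslrootcert,
         and check the host name. This protects Keycloak from a spoofed database. -->
    <connection-property name="sslmode">verify-full</connection-property>
    <!-- CA certificate that signed the PostgreSQL server certificate. -->
    <connection-property name="sslrootcert">/opt/keycloak/.postgresql/root.crt</connection-property>
    <!-- Client certificate presented to the server for clientcert=1. -->
    <connection-property name="sslcert">/opt/keycloak/.postgresql/postgresql.crt</connection-property>
    <!-- pgjdbc expects the client key in PKCS#8 format, hence the .pk8 file,
         not the PEM .key that psql uses. Assumed path on the Keycloak host. -->
    <connection-property name="sslkey">/opt/keycloak/.postgresql/postgresql.pk8</connection-property>

    <!-- With 'md5 clientcert=1' in pg_hba.conf, PostgreSQL still requires the
         password in addition to the client certificate. -->
    <security>
        <user-name>keycloak</user-name>
        <password>CHANGE_ME_ASSUMED_PLACEHOLDER</password>
    </security>
</datasource>
```

Two things worth checking when a setup like this still fails with "connection requires a valid client certificate": that the certificate and key files are readable by the OS user running the Keycloak/WildFly process (a key with restrictive permissions owned by another user silently prevents the driver from presenting it), and that the .pk8 file really is the same private key as postgresql.key, converted to PKCS#8. If the pg_hba.conf line also carries clientcert=1 with md5, both the certificate and the password must be correct, so a wrong password produces a different error than a missing certificate, which helps to tell the two cases apart.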