[keycloak-user] Adapter truststore: is using the default Java truststore possible?

Jérôme Revillard jrevillard at gnubila.fr
Fri Feb 19 10:43:13 EST 2016


Hi Marko,

I use Keycloak 1.4.0.Final, but it's the same with the latest one.

Here is the error that I get from the "KeycloakInstalled" adapter, but 
it's the same for at least the Jetty 9.2 one:

//---------------------------------------------------------------------
Open the following URL in a browser. After login copy/paste the code back and press <enter>
https://sso.gnubila.fr/auth/realms/Tests/protocol/openid-connect/auth?response_type=code&client_id=pandora-web-service-client&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob

Code: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
     at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
     at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
     at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:122)
     at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:95)
     at org.keycloak.adapters.installed.KeycloakInstalled.processCode(KeycloakInstalled.java:232)
     at org.keycloak.adapters.installed.KeycloakInstalled.loginManual(KeycloakInstalled.java:168)
     at org.keycloak.adapters.installed.KeycloakInstalled.loginManual(KeycloakInstalled.java:147)
     at cmd_client.main(cmd_client.java:64)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
     at sun.security.validator.Validator.validate(Validator.java:260)
     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
     ... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
     ... 30 more
//---------------------------------------------------------------------

Best,
Jerome

On 19/02/2016 15:12, Marko Strukelj wrote:
> What version of Keycloak are you using, and what have you tried so far?
>
> It sounds like you've tried to not set "truststore", and it didn't 
> work. What's the exception you get?
>
>
> On Fri, Feb 19, 2016 at 2:41 PM, Jérôme Revillard 
> <jrevillard at gnubila.fr <mailto:jrevillard at gnubila.fr>> wrote:
>
>     Any advice on this, please?
>
>     Best,
>     Jerome
>
>
>     On 17/02/2016 11:19, Jérôme Revillard wrote:
>>     Yes, it seems to be the case for the server, but not for the
>>     clients. See the truststore config description here:
>>     https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
>>
>>     Best,
>>     Jerome
>>
>>     On 17/02/2016 11:09, Bruno Oliveira wrote:
>>>     I'm not sure if I got your question the right way. But from
>>>     my understanding, the Java truststore is the standard fallback.
>>>
>>>     See item 3.2.5
>>>     https://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html
>>>
>>>     On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard
>>>     <jrevillard at gnubila.fr <mailto:jrevillard at gnubila.fr>> wrote:
>>>
>>>         Dear all,
>>>
>>>         I'm now testing a Keycloak server properly configured with an
>>>         HTTPS configuration.
>>>         The server certificate is one which is already known by the
>>>         default Java truststore.
>>>         Would it be possible to set up the keycloak.json adapter
>>>         config to use this default Java truststore?
>>>
>>>         Best,
>>>         Jerome
>>>
>>>         _______________________________________________
>>>         keycloak-user mailing list
>>>         keycloak-user at lists.jboss.org
>>>         <mailto:keycloak-user at lists.jboss.org>
>>>         https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
>
>
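As an added example (not from this thread or from the Keycloak project), a keycloak.json for the client named in the URL above that points the adapter's "truststore" at the JVM's own cacerts file, so the adapter validates the server against the same anchors the JVM itself trusts. The path is the Java 8 default location and "changeit" is the stock cacerts password; both are assumptions about the reader's JVM, and since keycloak.json does no variable expansion the path has to be literal.

```json
{
  "realm": "Tests",
  "auth-server-url": "https://sso.gnubila.fr/auth",
  "resource": "pandora-web-service-client",
  "truststore": "/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts",
  "truststore-password": "changeit"
}
```

The adapter config also has a "disable-trust-manager" option; setting it to true makes the adapter accept any server certificate, so it belongs only in throwaway tests, whereas the explicit truststore above keeps chain validation on.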