[keycloak-user] Mutual SSL between keycloak and Postgresql

hugh shangguan hcsgzh at gmail.com
Mon Aug 27 21:14:29 EDT 2018


Hi there,

I was interested in Keycloak work on SSL client certs for JDBC to connect
to PostgreSQL. I hope someone can give me some help, because I've been
banging my head against this all day.

First of all, I should mention that my client cert authentication is
working fine with psql in both 1-way and 2-way (mutual SSL authentication)
SSL authentication. So I am satisfied with the certs and keys. There are
two servers: one is the keycloak server, the other is the postgresql server.

postgresql.crt
postgresql.key / postgresql.pk8
root.crt

Those files are located in ${user.home}/.postgresql/ in my postgresql server.

In my PostgreSQL server, if I configure like this.
hostssl    all      all       0.0.0.0/0    md5

It is fine. My keycloak server will connect with my postgresql server very
well.

However when I configure like this.
hostssl    all      all       0.0.0.0/0    md5   clientcert=1

The connection will fail. The log is below.
    Caused by: java.lang.RuntimeException: Failed to connect to database
    Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
    Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
    Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
    Caused by: org.postgresql.util.PSQLException: FATAL: connection requires a valid client certificate"}}


*"connection requires a valid client certificate".*

I don't know how to configure the client certificate in
keycloak (standalone.xml). In the meantime, I can still use 'psql' to connect
to my postgresql server from my keycloak server.

Questions:
1. Does keycloak support mutual authentication in SSL, when I try to
connect to postgresql by 2-way authentication? (I guess so. This should be
JDBC's problem. But I am not sure. And I tried the instructions from the
Postgresql JDBC Driver Doc,
https://jdbc.postgresql.org/documentation/head/ssl-client.html. It still
doesn't work.)

2. Could someone help me out, please?


Thank you for your time!

Cheers!

-- 
Hugh
Zhaohui Shangguan
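
Added example, not part of the original post and not Keycloak's own code: a preflight check for the three client files plus a builder for the JDBC URL as it would be written inside the `<connection-url>` element of the KeycloakDS datasource in standalone.xml. The host name, database name and certificate directory are assumptions; the `ssl`, `sslmode`, `sslcert`, `sslkey` and `sslrootcert` parameters are those of the PostgreSQL JDBC driver.

```python
from urllib.parse import quote
from xml.sax.saxutils import escape

# File names from the pgjdbc SSL documentation the post links to.
CERT, KEY, ROOT = "postgresql.crt", "postgresql.pk8", "root.crt"


def key_format(blob: bytes) -> str:
    """Classify key bytes as 'pem', 'der' or 'unknown'."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    # DER-encoded PKCS#8 opens with an ASN.1 SEQUENCE tag (0x30).
    return "der" if blob[:1] == b"\x30" else "unknown"


def check_client_files(files: dict) -> list:
    """Return problems found in a {file name: bytes} snapshot of the cert dir."""
    problems = [f"missing {n}" for n in (CERT, KEY, ROOT) if n not in files]
    # psql reads the PEM postgresql.key; the JDBC driver docs ask for a DER .pk8
    # (openssl pkcs8 -topk8 -inform PEM -outform DER ... -nocrypt).
    if KEY in files and key_format(files[KEY]) != "der":
        problems.append(f"{KEY} is not PKCS#8 DER")
    return problems


def jdbc_url(host: str, port: int, db: str, cert_dir: str) -> str:
    """Spell out every path so nothing depends on the service user's user.home."""
    params = [
        ("ssl", "true"),
        ("sslmode", "verify-full"),
        ("sslcert", f"{cert_dir}/{CERT}"),
        ("sslkey", f"{cert_dir}/{KEY}"),
        ("sslrootcert", f"{cert_dir}/{ROOT}"),
    ]
    query = "&".join(f"{k}={quote(v, safe='/')}" for k, v in params)
    return f"jdbc:postgresql://{host}:{port}/{db}?{query}"


def connection_url_element(url: str) -> str:
    """XML-escape the URL: a raw '&' makes standalone.xml unparseable."""
    return f"<connection-url>{escape(url)}</connection-url>"


if __name__ == "__main__":
    # Constructed snapshot: PEM key copied from the psql setup, root.crt absent.
    files = {CERT: b"-----BEGIN CERTIFICATE-----", KEY: b"-----BEGIN PRIVATE KEY-----"}
    print(check_client_files(files))
    url = jdbc_url("db.example.internal", 5432, "keycloak", "/opt/keycloak/.postgresql")
    print(connection_url_element(url))
```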

