[keycloak-user] Add CA certificates for LDAPS ?

Jan Lieskovsky jlieskov at redhat.com
Wed Oct 31 06:29:07 EDT 2018


Hey Mathieu, Meissa,

  (just quickly to double-check,) what's the template name you have
deployed the RH-SSO for OpenShift image from? (assuming this is an issue on
OpenShift)

If the "*sso72-x509-https*" one (or one of the *-x509-* based ones) was used
to deploy the RH-SSO server pod, this won't work. The reason being that the
*-x509-* ones are configured in a way to auto-generate the RH-SSO truststore
(use the defaults, and not require the user to supply this). Even if a custom
truststore / cert is supplied, the default one will be used. AFAICT this
isn't configurable (since it wasn't intended to be).

If you want the custom cert / truststore to be actually honoured, you need
to deploy the RH-SSO pod from some other template (one of the passthrough TLS
based templates
<https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html-single/red_hat_single_sign-on_for_openshift/#what_is_red_hat_single_sign_on>,
not the x509 re-encrypt TLS ones).

I will file JIRAs to:

   - Mention this *-x509-* template deficiency in the templates,
   - RFE to get the *-x509-* ones to honour custom certificates, if
   supplied.


HTH & Sorry for the inconvenience

Thank you && Regards, Jan
--
Jan iankko Lieskovsky / Keycloak / RH-SSO Team



On Wed, Oct 31, 2018 at 11:17 AM Mathieu Poussin <me at mpouss.in> wrote:

> Hello Meissa.
>
> So far I could not find a way to do it, the project is now in standby, if
> we can't get it to work we will probably check for another solution,
> unfortunately.
>
> Thanks.
> Mathieu
>
>
>  ---- On Wed, 31 Oct 2018 11:05:44 +0100 Meissa M'baye Sakho <
> msakho at redhat.com> wrote ----
>  > Hello Mathieu, did you manage to make it work? If yes, could you tell me
> how? Meissa
>  > On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin <me at mpouss.in> wrote:
>  >  Hello Marek.
>  >
>  >  I've done that already but looks like it is completely ignored.
>  >  I have my custom truststore that has all my CA certificates (2), but
> I'm still seeing the same issue. (SPI is enabled on the LDAPS settings on
> the admin)
>  >  Is there a way to make sure it has been loaded correctly? (I don't see
> any error when the application starts but it's not working as expected)
>  >
>  >  Thanks.
>  >  Mathieu
>  >
>  >
>  >   ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <
> mposolda at redhat.com> wrote ----
>  >   > You can configure the Truststore SPI, which is mentioned in our
> docs
>  >   > here:
>  >   >
> https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
>  >   >
>  >   > Some additional notes around LDAP are here:
>  >   >
> https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
>  >   >
>  >   > Marek
>  >   >
>  >   >
>  >   > On 01/10/18 13:27, Mathieu Poussin wrote:
>  >   > > Hello.
>  >   > >
>  >   > > What would be the recommended way to add custom CA certificates?
> The documentation has a lot of different ways and so far none of them
> worked:
>  >   > >
>  >   > > - The X509_CA_BUNDLE env variable thing (it's running in a
> container); I can see the certificates in the JKS store but it looks like
> they are completely ignored by the app server.
>  >   > > - Added custom SPI to load a custom JKS store, same, no error at
> server start but they are completely ignored by the app server.
>  >   > >
>  >   > > This is the error I am getting :
>  >   > >
>  >   > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>  >   > >          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>  >   > >          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>  >   > >          at sun.security.validator.Validator.validate(Validator.java:262)
>  >   > >          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>  >   > >          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>  >   > >          at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>  >   > >          at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>  >   > >          ... 99 more
>  >   > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>  >   > >          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>  >   > >          at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>  >   > >          at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>  >   > >          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>  >   > >          ... 105 more
>  >   > >
>  >   > >
>  >   > > Another option would be to disable certificate verification on
> LDAPS as it's a trusted environment (last resort but well so far nothing
> else worked), would there be a way to do that?
>  >   > > Connecting over LDAP is not an option as this prevents some
> features from working, like password reset.
>  >   > >
>  >   > > Thanks.
>  >   > >
>  >   > >
>  >   > > _______________________________________________
>  >   > > keycloak-user mailing list
>  >   > > keycloak-user at lists.jboss.org
>  >   > > https://lists.jboss.org/mailman/listinfo/keycloak-user

