[keycloak-user] SSL connection to MySQL with self signed certificate

Alexandre Filgueira afilgueira at Neonomics.io
Wed Oct 30 12:25:54 EDT 2019


Hi

We are trying to test Keycloak connecting to a MySQL database using TLS with self-signed certificates.
The container where this keycloak is running already has a truststore and a keystore file to be used, but I can’t find documentation on how to proceed.

I saw that you can add the truststore with a block like:

<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="${env.APP_CONFIG_SSL_DATABASE_DIR}/truststore"/>
            <property name="password" value="${env.APP_STORE_PASS}"/>
            <property name="hostname-verification-policy" value="ANY"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>

But what about the keystore?
In a regular Java application I would need to run my jar file with something like this, for example:

java -Djavax.net.ssl.trustStore=${APP_TRUSTED_SERVERS} -Djavax.net.ssl.trustStorePassword=${APP_STORE_PASS} -Djavax.net.ssl.keyStore=${APP_KEYSTORE_CLIENT} -Djavax.net.ssl.keyStorePassword=${APP_STORE_PASS} -jar target/myjarfile.jar

In my truststore I would need to store the CA certificate from MySQL, and in my keystore the client certificate to connect.

Then in my connection-url block I just define some booleans like useSSL, requireSSL and verifyServerCertificate.

Thanks
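
As an added example (not code from the original post or from the Keycloak project), here is a WildFly standalone.xml datasource that hands the truststore and the client keystore to the MySQL Connector/J driver through JDBC connection properties, because the JDBC driver does not read the Keycloak truststore SPI; it uses the JVM-wide javax.net.ssl properties or its own connection properties. The MySQL host, database name, keystore file name and the DB_USER/DB_PASSWORD variables are assumptions.

```xml
<!-- Added example, not from the original post. Assumed: MySQL host "mysql" on 3306,
     database "keycloak", a client keystore file named "keystore" next to the
     truststore, and the env vars APP_CONFIG_SSL_DATABASE_DIR / APP_STORE_PASS from
     the post; DB_USER and DB_PASSWORD are placeholder env vars. -->
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS"
            enabled="true" use-java-context="true">
    <!-- Require TLS and verify the server certificate against the truststore.
         With verifyServerCertificate=false the link is encrypted but the server
         is not authenticated, so any certificate presented would be accepted. -->
    <connection-url>jdbc:mysql://mysql:3306/keycloak?useSSL=true&amp;requireSSL=true&amp;verifyServerCertificate=true</connection-url>
    <driver>mysql</driver>
    <!-- Truststore holding the MySQL CA certificate (server authentication). -->
    <connection-property name="trustCertificateKeyStoreUrl">file:${env.APP_CONFIG_SSL_DATABASE_DIR}/truststore</connection-property>
    <connection-property name="trustCertificateKeyStorePassword">${env.APP_STORE_PASS}</connection-property>
    <!-- Keystore holding the client certificate and private key (client authentication). -->
    <connection-property name="clientCertificateKeyStoreUrl">file:${env.APP_CONFIG_SSL_DATABASE_DIR}/keystore</connection-property>
    <connection-property name="clientCertificateKeyStorePassword">${env.APP_STORE_PASS}</connection-property>
    <security>
        <user-name>${env.DB_USER}</user-name>
        <password>${env.DB_PASSWORD}</password>
    </security>
</datasource>
```

This assumes a JDBC driver named mysql is already registered under the datasources subsystem's <drivers> element. The alternative is to put the four javax.net.ssl -D properties from the post into JAVA_OPTS in standalone.conf, which applies them to every TLS connection the JVM makes rather than only to the datasource.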

