[keycloak-user] jboss-cli SSL access to keycloak Management interface usage, in Elytron 2-way SSL config, failing: "problem accessing trust store: DerInputStream.getLength(): lengthTag=78, too big" ?
PGNet Dev
pgnet.dev at gmail.com
Fri Sep 6 15:05:52 EDT 2019
I'm setting up a new install of keycloak 7.0.0 for 2-way TLS
Starting with a working http controller
/opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \
--controller=remote+http://10.0.0.1:9990 \
version
JBoss Admin Command-line Interface
JBOSS_HOME: /opt/keycloak
Release: 9.0.2.Final
Product: Keycloak 7.0.0
JAVA_HOME: /usr/lib64/jvm/java-11-openjdk
java.version: 11.0.4
java.vm.vendor: Oracle Corporation
java.vm.version: 11.0.4+11-suse-lp151.131.1-x8664
os.name: Linux
os.version: 5.2.11-26.gd6e8aab-default
I configure JCEKS key-stores, and enable https for admin user access,
/subsystem=elytron/key-store=twoWayKS:add(path=/etc/keycloak/keystore.server.jceks,credential-reference={store=master-cs, alias=ks-pass},type=jceks)
/subsystem=elytron/key-store=twoWayTS:add(path=/etc/keycloak/truststore.server.jceks,credential-reference={store=master-cs, alias=ks-pass},type=jceks)
/subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,credential-reference={store=master-cs, alias=ks-pass})
/subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS)
/subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)
batch
/subsystem=undertow/server=default-server/http-listener=default:remove()
/subsystem=undertow/server=default-server/https-listener=https:remove()
/subsystem=undertow/server=default-server/https-listener=default:add(socket-binding=https,ssl-context=twoWaySSC,enable-http2=true)
run-batch
At this point,
egrep "http-listener|https-listener" /usr/local/etc/keycloak/*/*/standalone.xml
<https-listener name="default" socket-binding="https" ssl-context="twoWaySSC" enable-http2="true"/>
and I can verify admin UI via http in browser has been disabled,
http://10.0.0.1:8080/auth/admin
"Unable to connect"
and https is enabled,
https://10.0.0.1:8443/auth/admin
LOGIN is OK
I still have http:// mgmt controller access at cmd-line
/opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \
--controller=remote+http://10.0.0.1:9990 \
version
JBoss Admin Command-line Interface
JBOSS_HOME: /opt/keycloak
Release: 9.0.2.Final
Product: Keycloak 7.0.0
JAVA_HOME: /usr/lib64/jvm/java-11-openjdk
java.version: 11.0.4
java.vm.vendor: Oracle Corporation
java.vm.version: 11.0.4+11-suse-lp151.131.1-x8664
os.name: Linux
os.version: 5.2.11-26.gd6e8aab-default
Setup 2way SSL for the Management interface,
batch
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=twoWaySSC)
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
/subsystem=elytron/client-ssl-context=twoWayCSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM)
run-batch
and verify *managment* UI https in browser,
http://10.0.0.1:9990
REDIRECTS TO https://10.0.0.1:9993
and
https://10.0.0.1:9993
LOGIN is OK
works as expected.
But, checking cmd-line https access,
/opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \
--controller=remote+https://10.0.0.1:9993 \
-Djavax.net.ssl.trustStore=/etc/keycloak/truststore.client.jceks \
-Djavax.net.ssl.keyStore=/etc/keycloak/keystore.client.jceks \
-Djavax.net.ssl.trustStorePassword=keypass \
-Djavax.net.ssl.keyStorePassword=keypass \
version
where,
keytool -list -storetype jceks -storepass keypass -keystore ./keystore.client.jceks
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 1 entry
client-keystore, Sep 6, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1F:...:6F
keytool -list -storetype jceks -storepass keypass -keystore ./truststore.client.jceks
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 1 entry
client-keystore, Sep 6, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): 1F:...:6F
fails with
Failed to connect to the controller: Failed to resolve host '10.0.0.1': Failed to obtain SSLContext: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext): problem accessing trust store: DerInputStream.getLength(): lengthTag=78, too big.
What's in my config, or missing from it, that's causing this error?
More information about the keycloak-user
mailing list