I’m using Keycloak v9.0.3 from here https://hub.docker.com/r/jboss/keycloak/ as a Kubernetes deployment.
Everything is working fine (importing the realm from a file, connecting to LDAP users, etc.) except for connecting to the MSSQL server (additional users). I’m stuck trying to connect to an old MSSQL server (2014) in the company network, to which I can connect without encryption from k8s (tried with mssql-cli from k8s-master and from k8s-worker1, where Keycloak actually runs as a container).
When using the env var name: JDBC_PARAMS value: authentication=NotSpecified;encrypt=false, the JDBC driver still tries to connect with TLS encryption and stops on “Failed to connect to database” because:
1. Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
2. Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=SSL_Self_Signed_Fallback. Usage was tls server
which means that a TLS connection is established and the keysize limit check fails, even though encrypt was set to false.
So eventually I tried to decrease the keysize limits with JAVA_OPTS:
- name: JAVA_OPTS value: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED -Djdk.tls.disabledAlgorithms=MD2 -Djdk.certpath.disabledAlgorithms=MD2 -Djdk.jar.disabledAlgorithms=MD2 -Dsecurity.overridePropertiesFile=false
but then I was stuck because of the file
/usr/share/crypto-policies/DEFAULT/java.txt, which overrides the default JDK java.security file.
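The failure above comes from the `jdk.certpath.disabledAlgorithms` security property, and the reason a crypto-policies file can change the outcome is that a property set in a later-loaded properties file replaces the earlier value. The following script is an added example, not code from the original post or from Keycloak or the JDK: it re-implements, in simplified form, the key-size part of that constraint check (the `usage`/`jdkCA` qualifiers of the real syntax are deliberately skipped) and applies it to two constructed sample files, one modelled on the JDK 11 default `java.security` and one modelled on a crypto-policies DEFAULT `java.txt`. Both sample contents are assumptions for illustration, not copies of any particular JDK or OS release.

```python
"""Simplified model of the JDK's 'disabledAlgorithms' key-size check.

Added example (not JDK or Keycloak code). Demonstrates why an RSA 1024-bit
server certificate passes the stock JDK defaults but is rejected once a
crypto-policies file overrides jdk.certpath.disabledAlgorithms.
"""
import operator
import re

# Constructed excerpt modelled on the JDK 11 default java.security (assumption).
JDK_DEFAULT_JAVA_SECURITY = """\
# stock JDK defaults (constructed sample)
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
"""

# Constructed excerpt modelled on a crypto-policies DEFAULT java.txt (assumption).
CRYPTO_POLICY_JAVA_TXT = """\
# system crypto policy (constructed sample)
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
"""

_OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, ">=": operator.ge}


def parse_properties(text):
    """Parse key=value lines with backslash line continuations (java.security style)."""
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # continuation: keep accumulating
            logical += line[:-1]
            continue
        logical += line
        key, _, value = logical.partition("=")
        props[key.strip()] = value.strip()
        logical = ""
    return props


def parse_constraints(value):
    """Turn a disabledAlgorithms value into (ALG, op, limit) rules.

    An entry without a keySize clause disables the algorithm outright
    (limit None). Entries carrying 'usage' or 'jdkCA' qualifiers are not
    modelled here and are skipped.
    """
    rules = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry or "usage" in entry or "jdkCA" in entry:
            continue
        alg = entry.split()[0].upper()
        m = re.search(r"keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)", entry)
        if m:
            rules.append((alg, m.group(1), int(m.group(2))))
        else:
            rules.append((alg, None, None))
    return rules


def effective_property(texts, name):
    """Load several properties files in order; a later file replaces earlier keys."""
    merged = {}
    for text in texts:
        merged.update(parse_properties(text))
    return merged.get(name, "")


def check_cert(texts, algorithm, key_bits):
    """Return the rule that rejects a (algorithm, key_bits) certificate key, or None.

    `texts` are the properties files in the order the runtime loads them.
    """
    rules = parse_constraints(effective_property(texts, "jdk.certpath.disabledAlgorithms"))
    for alg, op, limit in rules:
        if alg != algorithm.upper():
            continue
        if op is None or _OPS[op](key_bits, limit):
            return (alg, op, limit)
    return None


if __name__ == "__main__":
    stock = [JDK_DEFAULT_JAVA_SECURITY]
    with_policy = [JDK_DEFAULT_JAVA_SECURITY, CRYPTO_POLICY_JAVA_TXT]
    for label, files in (("stock JDK", stock), ("JDK + crypto policy", with_policy)):
        verdict = check_cert(files, "RSA", 1024)
        print(f"{label}: RSA 1024-bit server cert ->", "rejected by " + str(verdict) if verdict else "accepted")
```

Run it as-is and the stock-default file accepts the 1024-bit RSA key while the crypto-policy overlay rejects it with `('RSA', '<', 2048)`, which is the "keysize limits" message seen in the stack trace. The practical check it suggests: inspect the `jdk.certpath.disabledAlgorithms` value in every file the JVM actually loads, not just the one you edited.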