I'm using Keycloak v9.0.3 from here (Docker) as a Kubernetes deployment.
Everything is working fine (importing the realm from a file, connecting to LDAP users etc.) except for connecting to an MSSQL server (additional users). I'm stuck trying to connect to an old MSSQL server (2014) in the company network, where I can connect without encryption from k8s (tried with mssql-cli from k8s-master and k8s-worker1, where Keycloak actually runs as a container).
When using the env var name: JDBC_PARAMS, value: authentication=NotSpecified;encrypt=false, the JDBC driver still tries to connect with TLS encryption and stops on "Failed to connect to database" because:
1. Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
2. Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=SSL_Self_Signed_Fallback. Usage was tls server
which means that a TLS connection is established and the key size limit check fails although encrypt was set to false.
So eventually I tried to decrease the key size limits with JAVA_OPTS,
but then I got stuck because the file /etc/crypto-policies/back-ends/java.config → /usr/share/crypto-policies/DEFAULT/java.txt overrides the default JDK java.security file.
Everything is working fine now, thank you @jangaraj!
But why doesn't the JDBC driver work with encrypt=false in the first place, or am I missing something?
IMHO it works as expected: encrypt=false disables TLS only on the JDBC driver level.
But there is the Java TLS level (java.security file), where it is failing, a different place.
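To make the "Java TLS level" concrete, here is an added example (not code from this thread or from Keycloak) that parses the jdk.certpath.disabledAlgorithms syntax used by java.security and by the crypto-policies java.txt, and checks whether a server certificate's key would be rejected by it. The two policy lines are constructed approximations of a stock JDK default and of a stricter distribution policy; the real file contents are assumed, not quoted from this page.

```python
import re

# Constructed sample lines, approximating the stock JDK 11 java.security value
# and a stricter distribution crypto-policy (such as the DEFAULT java.txt that
# the thread says overrides it). Assumed values, not copied from either file.
STOCK_JDK = ("jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, "
             "RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224")
CRYPTO_POLICY = ("jdk.certpath.disabledAlgorithms=MD2, MD5, "
                 "DSA keySize < 2048, RSA keySize < 2048, EC keySize < 256")

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def parse_disabled(line):
    """Split a disabledAlgorithms line into (ALGORITHM, [constraint, ...]) entries.

    Entries are comma separated; within an entry, constraints are joined with '&'.
    """
    _, _, value = line.partition("=")
    entries = []
    for entry in value.split(","):
        parts = [p.strip() for p in entry.strip().split("&")]
        alg, _, first = parts[0].partition(" ")
        constraints = [c for c in [first.strip()] + parts[1:] if c]
        entries.append((alg.upper(), constraints))
    return entries


def _constraint_hits(constraint, key_size, usage, jdk_ca):
    """True if one constraint matches the certificate being checked."""
    m = re.fullmatch(r"keySize\s*(<=|>=|==|<|>)\s*(\d+)", constraint)
    if m:
        return _OPS[m.group(1)](key_size, int(m.group(2)))
    if constraint == "jdkCA":          # only applies to certs chaining to a JDK CA
        return jdk_ca
    if constraint.startswith("usage "):  # usage TLSServer TLSClient SignedJAR
        return usage in constraint.split()[1:]
    raise ValueError("unsupported constraint: " + constraint)


def is_disabled(line, alg, key_size, usage="TLSServer", jdk_ca=False):
    """True if a cert with this algorithm/key size/usage fails the policy line.

    An entry with no constraints (e.g. 'MD5') disables the algorithm outright.
    """
    for entry_alg, constraints in parse_disabled(line):
        if entry_alg == alg.upper() and all(
                _constraint_hits(c, key_size, usage, jdk_ca) for c in constraints):
            return True
    return False
```

Running is_disabled(CRYPTO_POLICY, "RSA", 1024) versus is_disabled(STOCK_JDK, "RSA", 1024) shows why the same 1024-bit self-signed fallback certificate passes under one policy and fails under the other, independently of the encrypt setting handed to the driver.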
I expect that when encrypt is set to false, the Docker image has encryption turned off on every level.
So at this point passing variables to the JDBC driver via JDBC_PARAMS is pointless for vendor mssql.
So write about it in the doc,
here: Docker → Database → Microsoft SQL Server Example,
or in a different paragraph about considerations of DB connection security levels.
Why should I write it? I'm just a standard community user.
It would be nice if you created that (just a PR to https://github.com/keycloak/keycloak-containers/tree/master/server) to improve the doc as thanks for the community support. You have that problem and the best understanding of the issue, so help other users with the same problem. Just contribute back.