Docker @k8s problem connecting mssql server WITHOUT encryption / old weak encryption

cml · June 6, 2020, 5:17pm

Hi there,

I’m using keycloak v9.0.3 from here Docker as a kubernetes deploy.
Everything is working fine (importing realm from file, connecting to LDAP users etc) except of connecting to mssql server (additional users). I’m stuck on trying to connect to old mssql server (2014) in company network which where I can connect without encryption from k8s (tried with mssql-cli from k8s-master and k8s-worker1 where keycloak actually works as a container).

When using ENV var name: JDBC_PARAMS value: authentication=NotSpecified;encrypt=false jdbc driver even then tries to connect with TLS encryption and stops on “Failed to connect to database” because:

    1. Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm 
    constraints
    2. Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=SSL_Self_Signed_Fallback.  Usage was tls server

which means that TLS connections is established and keysize limit check is failed although encrypt was set to false.

So eventually I was trying to decrase keysize limits with JAVA_OPTS

    - name: JAVA_OPTS
      value: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m
        -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman
        -Djava.awt.headless=true  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED
        --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
        -Djdk.tls.disabledAlgorithms=MD2 -Djdk.certpath.disabledAlgorithms=MD2 -Djdk.jar.disabledAlgorithms=MD2 
        -Dsecurity.overridePropertiesFile=false

but then I was stuck because of file /etc/crypto-policies/back-ends/java.config → /usr/share/crypto-policies/DEFAULT/java.txt that overrides default JDK java.security file.

Any help?

jangaraj · June 6, 2020, 8:36pm

Why you don’t overwrite /etc/crypto-policies/back-ends/java.config with own config (maybe with configmap)?

cml · June 7, 2020, 7:50am

@jangaraj I’ll try this - thanks!

cml · June 7, 2020, 9:09am

I was able to connect java.txt to my keyclock java.security via ConfigMap.

create java.security file @k8s-master

cat keycloak.java.config
jdk.tls.ephemeralDHKeySize=2048
jdk.certpath.disabledAlgorithms=MD2
jdk.tls.disabledAlgorithms=MD2
jdk.tls.legacyAlgorithms=

create configmap from file with key

kubectl create cm keycloak-java-config --from-file=java.security=keycloak.java.security

edit keycloak deploy @ spec.template.spec.containers add

        volumeMounts:
        - mountPath: /usr/share/crypto-policies/DEFAULT/java.txt
          name: config-volume
          subPath: java.security

@ spec.template.spec add

      volumes:
      - configMap:
          defaultMode: 420
          name: keycloak-java-security
        name: config-volume

@ spec.template.spec.containers.env add

        - name: JAVA_OPTS
          value: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m
            -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman
            -Djava.awt.headless=true  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED
            --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
            -Djdk.tls.disabledAlgorithms=MD2 -Djdk.certpath.disabledAlgorithms=MD2
            -Djdk.jar.disabledAlgorithms=MD2 -Dsecurity.overridePropertiesFile=false

to cover options from JDK java.security.

Everything is working fine now thank you @jangaraj !
But why jdbc driver doesnt work with encrypt=false in the first place - or am I missing something?

jangaraj · June 8, 2020, 8:39am

IMHO it works as expected encrypt=false disable TLS only on the JDBC driver level
But there is Java TLS level (java.security file), where it is failing - different place.

cml · June 8, 2020, 9:11am

I expect that when encrypt is set to false docker image has encryption turned off on any level.
So at this point passing variables to JDBC driver via JDBC_PARAMS is pointless for vendor mssql.

jangaraj · June 8, 2020, 9:51am

That is wrong expectation: configuration on the higher level (JDBC driver) shouldn’t affect configuration on the lower level (Java itself).

cml · June 8, 2020, 9:57am

So write about it in doc
here Docker → Database → Microsoft SQL Server Example
or in different paragraph about considirations of DB connection security levels.

jangaraj · June 8, 2020, 12:54pm

Why should I write it? I’m just standard community user.

It will be nice if you create that (just PR https://github.com/keycloak/keycloak-containers/tree/master/server) to improve doc as thanks for community support. You have that problem and the best understanding of the issue, so help to other users with the same problem. Just contribute back.

cml · June 8, 2020, 1:22pm

Sorry - I missed that

cml · June 8, 2020, 1:28pm

jdbc depends on java below
give users ability to change connection settings on jdbc level
jdbc level setting are ommited because of java security settings

Why bother users with JDBC_PARAMS in the first place?
And why useSSL=off works for postgres and ecnrypt=off doesnt work for mssql?

Topic		Replies	Views
Keycloak unable to connect to SQL Server running on Windows Configuring the server database	2	2725	April 20, 2021
Keycloak with MSSQL in Kubernetes Configuring the server	3	1237	January 29, 2023
Need help with MSSQL JDBC connectionstring Configuring the server	1	1681	January 16, 2023
How to setup Keycloak 20+ and MS-SQL Server Configuring the server	0	3381	December 31, 2022
KeyCloak Microsoft SQL server connection error "KIX path building failed Exception" Configuring the server database	3	4095	September 27, 2022

Docker @k8s problem connecting mssql server WITHOUT encryption / old weak encryption

Related Topics