Docker @k8s problem connecting mssql server WITHOUT encryption / old weak encryption

Hi there,

I’m using keycloak v9.0.3 from here https://hub.docker.com/r/jboss/keycloak/ as a kubernetes deploy.
Everything is working fine (importing realm from file, connecting to LDAP users etc) except of connecting to mssql server (additional users). I’m stuck on trying to connect to old mssql server (2014) in company network which where I can connect without encryption from k8s (tried with mssql-cli from k8s-master and k8s-worker1 where keycloak actually works as a container).

When using ENV var name: JDBC_PARAMS value: authentication=NotSpecified;encrypt=false jdbc driver even then tries to connect with TLS encryption and stops on “Failed to connect to database” because:

    1. Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm 
    constraints
    2. Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=SSL_Self_Signed_Fallback.  Usage was tls server

which means that TLS connections is established and keysize limit check is failed although encrypt was set to false.

So eventually I was trying to decrase keysize limits with JAVA_OPTS

    - name: JAVA_OPTS
      value: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m
        -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman
        -Djava.awt.headless=true  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED
        --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
        -Djdk.tls.disabledAlgorithms=MD2 -Djdk.certpath.disabledAlgorithms=MD2 -Djdk.jar.disabledAlgorithms=MD2 
        -Dsecurity.overridePropertiesFile=false

but then I was stuck because of file /etc/crypto-policies/back-ends/java.config -> /usr/share/crypto-policies/DEFAULT/java.txt that overrides default JDK java.security file.

Any help? :slight_smile:

1 Like

Why you don’t overwrite /etc/crypto-policies/back-ends/java.config with own config (maybe with configmap)?

@jangaraj I’ll try this - thanks!

I was able to connect java.txt to my keyclock java.security via ConfigMap.

  1. create java.security file @k8s-master
cat keycloak.java.config
jdk.tls.ephemeralDHKeySize=2048
jdk.certpath.disabledAlgorithms=MD2
jdk.tls.disabledAlgorithms=MD2
jdk.tls.legacyAlgorithms=
  1. create configmap from file with key
kubectl create cm keycloak-java-config --from-file=java.security=keycloak.java.security
  1. edit keycloak deploy @ spec.template.spec.containers add
        volumeMounts:
        - mountPath: /usr/share/crypto-policies/DEFAULT/java.txt
          name: config-volume
          subPath: java.security

@ spec.template.spec add

      volumes:
      - configMap:
          defaultMode: 420
          name: keycloak-java-security
        name: config-volume

@ spec.template.spec.containers.env add

        - name: JAVA_OPTS
          value: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m
            -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman
            -Djava.awt.headless=true  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED
            --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
            -Djdk.tls.disabledAlgorithms=MD2 -Djdk.certpath.disabledAlgorithms=MD2
            -Djdk.jar.disabledAlgorithms=MD2 -Dsecurity.overridePropertiesFile=false

to cover options from JDK java.security.

Everything is working fine now :slight_smile: thank you @jangaraj !
But why jdbc driver doesnt work with encrypt=false in the first place - or am I missing something?

IMHO it works as expected encrypt=false disable TLS only on the JDBC driver level
But there is Java TLS level (java.security file), where it is failing - different place.

I expect that when encrypt is set to false docker image has encryption turned off on any level.
So at this point passing variables to JDBC driver via JDBC_PARAMS is pointless for vendor mssql.

That is wrong expectation: configuration on the higher level (JDBC driver) shouldn’t affect configuration on the lower level (Java itself).

So write about it in doc :slight_smile:
here https://hub.docker.com/r/jboss/keycloak/ -> Database -> Microsoft SQL Server Example
or in different paragraph about considirations of DB connection security levels.

Why should I write it? I’m just standard community user.

It will be nice if you create that (just PR https://github.com/keycloak/keycloak-containers/tree/master/server) to improve doc as thanks for community support. You have that problem and the best understanding of the issue, so help to other users with the same problem. Just contribute back.

1 Like

Sorry - I missed that :slight_smile:

  1. jdbc depends on java below
  2. give users ability to change connection settings on jdbc level
  3. jdbc level setting are ommited because of java security settings

Why bother users with JDBC_PARAMS in the first place?
And why useSSL=off works for postgres and ecnrypt=off doesnt work for mssql?