Facing issue with LDAPS connection from Keycloak running on Docker as a non-root user

I have my Keycloak Docker image (Quay) running as a non-root user on a RHEL Linux server, and I need to configure a truststore certificate for the LDAP provider using an LDAPS connection.
The scenarios we tried are below:

  1. Tried to add
     spi-truststore-file-file=path/to/truststore.jks
     spi-truststore-file-password=change_me
     spi-truststore-file-hostname-verification-policy=WILDCARD
     in the /opt/keycloak/conf/keycloak.conf file inside the container.
     After that we updated the configuration using the “kc.sh build” command. Here the jks file is converted from the pfx file using the below commands:

     • openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]
     • keytool -import -alias ldapcert -keystore truststore.jks -file ca-certificates.crt -storepass changeit -noprompt
     • The permissions for the jks and crt files were changed to “keycloak:keycloak”.
     • In the Keycloak LDAP provider configuration we enabled “Use Truststore SPI” with all three options (Only for ldaps, Never, Always).
       From the above we are getting the error as attached.
  2. We imported the certificate obtained from openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt] into the default Java cacerts inside the container using the below command:

     • keytool -import -alias ldapcert -cacerts -file ca-certificates.crt -storepass changeit -noprompt
       Got the same error as attached above.
  3. We added the root.cer file to the default Java cacerts inside the container using the below command:

     • keytool -import -alias ldapcert -cacerts -file root.cer -storepass changeit -noprompt
     • In the Keycloak LDAP provider configuration, “Use Truststore SPI” is set to the option (Never).
       Got the error “no subject alternative dns name matching”. After this we used the alternate hostname from the certificate, which worked, but we want to connect using the actual domain.
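As an added example (not part of the question above, and not Keycloak's or the JDK's code): a small Python model of the TLS hostname check that produces the “no subject alternative dns name matching” failure. The JDK raises that error when the hostname the client connected to is absent from the server certificate's Subject Alternative Name (SAN) list, which is why the alternate name from the certificate worked and the real domain did not. The policy names ANY / WILDCARD / STRICT mirror the values accepted by spi-truststore-file-hostname-verification-policy, but the matching rules implemented here are a simplified assumption for illustration, and the SAN entries and hostnames are constructed sample data.

```python
"""Simplified model of TLS hostname verification against a certificate's
SAN dNSName list. This is NOT Keycloak's or the JDK's implementation; the
policy semantics are an assumption chosen for illustration:
  ANY      - never fail on hostname (disables the check; insecure)
  WILDCARD - exact match, or a leading "*." label matching one DNS label
  STRICT   - exact match only
"""
from typing import List, Tuple


def _name_matches(pattern: str, hostname: str, allow_wildcard: bool) -> bool:
    """Match one SAN dNSName pattern against a hostname (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not allow_wildcard or not pattern.startswith("*."):
        return False
    # "*.corp.internal" must match exactly one extra label:
    # ldap.corp.internal -> yes; a.b.corp.internal -> no; corp.internal -> no.
    suffix = pattern[1:]  # ".corp.internal"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return first_label != "" and "." not in first_label


def verify_hostname(hostname: str, san_dns_names: List[str], policy: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a connection to `hostname`, given the server
    certificate's SAN dNSName entries and the verification policy."""
    policy = policy.upper()
    if policy == "ANY":
        return True, "hostname verification disabled (ANY)"
    if policy not in ("WILDCARD", "STRICT"):
        raise ValueError(f"unknown policy: {policy}")
    allow_wildcard = policy == "WILDCARD"
    for name in san_dns_names:
        if _name_matches(name, hostname, allow_wildcard):
            return True, f"matched SAN entry {name!r}"
    return False, (f"no subject alternative DNS name matching {hostname!r}; "
                   f"SAN entries were {san_dns_names}")


# Constructed sample certificate SAN: an internal alias and a wildcard,
# but not the public domain the client wants to use.
SAMPLE_SAN = ["dc01.corp.internal", "*.corp.internal"]

if __name__ == "__main__":
    for host in ("dc01.corp.internal", "ldap.corp.internal", "ldap.example.com"):
        for pol in ("STRICT", "WILDCARD", "ANY"):
            ok, why = verify_hostname(host, SAMPLE_SAN, pol)
            print(f"{host:20} {pol:9} {'OK  ' if ok else 'FAIL'} {why}")
```

Running it shows that only a name actually listed in the SAN (or covered by a wildcard under WILDCARD) passes; switching the policy to ANY makes the error disappear but removes the protection against a certificate issued for a different host, so the durable fix is a server certificate whose SAN contains the domain you intend to connect to.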