Integrating Keycloak with OpenLDAP via ldaps

I'm having trouble getting results of POST /{realm}/testLDAPConnection with osixia OpenLDAP. The test works if I change OpenLDAP LDAP_TLS_VERIFY_CLIENT=try. However, when LDAP_TLS_VERIFY_CLIENT=demand, the TLS connection fails because Keycloak doesn't respond with a certificate during the TLS handshake.

My Keycloak instance is running in a container with the valid certificates in /etc/x509/https/tls.crt and /etc/x509/https/tls.key that match the certificate authorities requested by OpenLDAP. The logs seem to indicate that OpenLDAP is requesting signature algorithms that don't match. My certificates are SHA256withRSA. OpenLDAP is requesting certificates like rsa_pkcs1_sha256, rsa_pss_pss_sha256, and rsa_pss_rsae_sha256. Are these the same as SHA256withRSA? Do I need to change something in my Keycloak config or OpenLDAP config?

19:32:20,682 ERROR [stderr] (default task-51) javax.net.ssl|DEBUG|CE|default task-51|2021-02-28 19:32:20.681 UTC|CertificateRequest.java:672|Consuming CertificateRequest handshake message (
19:32:20,682 ERROR [stderr] (default task-51) "CertificateRequest": {
19:32:20,682 ERROR [stderr] (default task-51)   "certificate types": [rsa_sign, dss_sign, ecdsa_sign]
19:32:20,682 ERROR [stderr] (default task-51)   "supported signature algorithms": [rsa_pkcs1_sha384, rsa_pss_pss_sha384, rsa_pss_rsae_sha384, ecdsa_secp384r1_sha384, rsa_pkcs1_sha512, rsa_pss_pss_sha512, rsa_pss_rsae_sha512, ecdsa_secp521r1_sha512, rsa_pkcs1_sha256, rsa_pss_pss_sha256, rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256, ed25519]
19:32:20,682 ERROR [stderr] (default task-51)   "certificate authorities": [***********]
19:32:20,682 ERROR [stderr] (default task-51) }
19:32:20,682 ERROR [stderr] (default task-51) )
19:32:20,682 ERROR [stderr] (default task-51) javax.net.ssl|ALL|CE|default task-51|2021-02-28 19:32:20.682 UTC|X509Authentication.java:244|No X.509 cert selected for RSA

19:32:20,690 ERROR [stderr] (default task-51) javax.net.ssl|WARNING|CE|default task-51|2021-02-28 19:32:20.690 UTC|CertificateRequest.java:775|No available authentication scheme

This seems to be a bug in Keycloak. Keycloak doesn't provide a certificate in response to a CertificateRequest, even though a certificate exists in the keystore that matches one of the certificate authorities in the CertificateRequest. The same cert and key can be used with curl to successfully get a response from OpenLDAP. Any suggestions on how to get Keycloak to respond to the CertificateRequest? Here are my settings:
#host
cert_dir="certs"
#keycloak
keycloak_version=12.0.4
keycloak_port=443
keycloak_admin_username=admin
keycloak_admin_password=password
keycloak_container_name=keycloak_test_00
#openldap
openldap_version=1.5.0
openldap_port=636
openldap_admin_password=password
openldap_container_name=openldap_test_00

docker run -p $keycloak_port:8443 \
  --name $keycloak_container_name \
  --env DB_VENDOR=H2 \
  --env DB_PASSWORD=password \
  --env KEYCLOAK_USER=$keycloak_admin_username \
  --env KEYCLOAK_PASSWORD=$keycloak_admin_password \
  --env KEYCLOAK_LOG_LEVEL="TRACE" \
  --env JAVA_OPTS_APPEND="-Djavax.net.debug=all" \
  --env X509_CA_BUNDLE=/etc/x509/https/$hostname_short.ca.crt \
  -v $pwd/$cert_dir/$hostname_short.ca.crt:/etc/x509/https/$hostname_short.ca.crt \
  -v $pwd/$cert_dir/$hostname_short.crt:/etc/x509/https/tls.crt \
  -v $pwd/$cert_dir/$hostname_short.key:/etc/x509/https/tls.key \
  --detach \
  jboss/keycloak:$keycloak_version

docker run -p $openldap_port:636 \
  --name $openldap_container_name \
  --hostname $hostname_fqdn \
  --env LDAP_DOMAIN="$domainname" \
  --env LDAP_ADMIN_PASSWORD="$openldap_admin_password" \
  --env LDAP_TLS_CRT_FILENAME=$hostname_short.crt \
  --env LDAP_TLS_KEY_FILENAME=$hostname_short.key \
  --env LDAP_TLS_CA_CRT_FILENAME=$hostname_short.ca.crt \
  --env LDAP_TLS_VERIFY_CLIENT=$tls_verify_client \
  -v $pwd/$cert_dir/:/container/service/slapd/assets/certs \
  --detach \
  osixia/openldap:$openldap_version

curl -s -k --verbose --key ./$cert_dir/$hostname_short.key --cert ./$cert_dir/$hostname_short.crt ldaps://$hostname_fqdn:$openldap_port

Logs:
KeyManagerImpl.java:164|found key for : keycloak-https-key (
05:34:39,887 ERROR [stderr] (MSC service thread 1-1) "certificate" : {
05:34:39,887 ERROR [stderr] (MSC service thread 1-1)   "version" : "v1",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1)   "serial number" : "01",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1)   "signature algorithm": "SHA256withRSA",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1)   "issuer" : "CN=MYDOMAINHERE",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1)   "not before" : "2021-03-06 05:33:16.000 GMT",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1)   "not after" : "2022-03-06 05:33:16.000 GMT",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1)   "subject" : "CN=MYDOMAINHERE",
05:34:39,888 ERROR [stderr] (MSC service thread 1-1)   "subject public key" : "RSA"}
05:34:39,888 ERROR [stderr] (MSC service thread 1-1) )

05:35:29,483 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.483 GMT|CertificateRequest.java:672|Consuming CertificateRequest handshake message (
05:35:29,483 ERROR [stderr] (default task-1) "CertificateRequest": {
05:35:29,483 ERROR [stderr] (default task-1)   "certificate types": [rsa_sign, dss_sign, ecdsa_sign]
05:35:29,483 ERROR [stderr] (default task-1)   "supported signature algorithms": [rsa_pkcs1_sha384, rsa_pss_pss_sha384, rsa_pss_rsae_sha384, ecdsa_secp384r1_sha384, rsa_pkcs1_sha512, rsa_pss_pss_sha512, rsa_pss_rsae_sha512, ecdsa_secp521r1_sha512, rsa_pkcs1_sha256, rsa_pss_pss_sha256, rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256, ed25519]
05:35:29,483 ERROR [stderr] (default task-1)   "certificate authorities": [CN=MYDOMAINHERE]
05:35:29,483 ERROR [stderr] (default task-1) }
05:35:29,483 ERROR [stderr] (default task-1) )
05:35:29,484 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.483 GMT|X509Authentication.java:244|No X.509 cert selected for RSA
05:35:29,484 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.484 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384
05:35:29,484 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.484 GMT|X509Authentication.java:244|No X.509 cert selected for RSASSA-PSS
05:35:29,484 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.484 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pss_pss_sha384
05:35:29,484 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.484 GMT|X509Authentication.java:244|No X.509 cert selected for RSA
05:35:29,484 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.484 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pss_rsae_sha384
05:35:29,485 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.485 GMT|X509Authentication.java:244|No X.509 cert selected for EC
05:35:29,485 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.485 GMT|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
05:35:29,485 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.485 GMT|X509Authentication.java:244|No X.509 cert selected for RSA
05:35:29,485 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.485 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512
05:35:29,485 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.485 GMT|X509Authentication.java:244|No X.509 cert selected for RSASSA-PSS
05:35:29,485 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.485 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pss_pss_sha512
05:35:29,486 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.486 GMT|X509Authentication.java:244|No X.509 cert selected for RSA
05:35:29,486 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.486 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pss_rsae_sha512
05:35:29,486 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.486 GMT|X509Authentication.java:244|No X.509 cert selected for EC
05:35:29,486 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.486 GMT|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
05:35:29,486 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.486 GMT|X509Authentication.java:244|No X.509 cert selected for RSA
05:35:29,486 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.486 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256
05:35:29,487 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.486 GMT|X509Authentication.java:244|No X.509 cert selected for RSASSA-PSS
05:35:29,487 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.487 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pss_pss_sha256
05:35:29,487 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.487 GMT|X509Authentication.java:244|No X.509 cert selected for RSA
05:35:29,487 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.487 GMT|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pss_rsae_sha256
05:35:29,487 ERROR [stderr] (default task-1) javax.net.ssl|ALL|A2|default task-1|2021-03-06 05:35:29.487 GMT|X509Authentication.java:244|No X.509 cert selected for EC
05:35:29,488 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.487 GMT|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
05:35:29,488 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.488 GMT|CertificateRequest.java:744|Unable to produce CertificateVerify for signature scheme: ed25519
05:35:29,488 ERROR [stderr] (default task-1) javax.net.ssl|WARNING|A2|default task-1|2021-03-06 05:35:29.488 GMT|CertificateRequest.java:775|No available authentication scheme
05:35:29,497 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.497 GMT|SSLSocketInputRecord.java:488|Raw read (
05:35:29,497 ERROR [stderr] (default task-1)   0000: 16 03 03 00 04                                     .....
05:35:29,497 ERROR [stderr] (default task-1) )
05:35:29,497 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.497 GMT|SSLSocketInputRecord.java:214|READ: TLSv1.2 handshake, length = 4
05:35:29,498 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.498 GMT|SSLSocketInputRecord.java:488|Raw read (
05:35:29,498 ERROR [stderr] (default task-1)   0000: 0E 00 00 00                                        ....
05:35:29,498 ERROR [stderr] (default task-1) )
05:35:29,498 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.498 GMT|SSLSocketInputRecord.java:247|READ: TLSv1.2 handshake, length = 4
05:35:29,498 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.498 GMT|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
05:35:29,498 ERROR [stderr] (default task-1) <empty>
05:35:29,498 ERROR [stderr] (default task-1) )
05:35:29,498 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.498 GMT|CertificateMessage.java:299|No X.509 certificate for client authentication, use empty Certificate message instead
05:35:29,499 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A2|default task-1|2021-03-06 05:35:29.499 GMT|CertificateMessage.java:330|Produced client Certificate handshake message (
05:35:29,499 ERROR [stderr] (default task-1) "Certificates": <empty list>
05:35:29,499 ERROR [stderr] (default task-1) )

Keycloak doesn't respond with a certificate to CertificateRequests for ldaps, because the SSLContext that is created isn't associated with a keystore. I submitted a pull request to https://issues.redhat.com/browse/KEYCLOAK-17354. This fix will allow setting the keystore with
-Dkeycloak.tls.keystore.path=KEYSTORE
-Dkeycloak.tls.keystore.password=KEYSTORE-PASSWORD
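The following is an added diagnostic, not Keycloak's code and not the fix from the pull request above. It builds the two shapes of SSLContext this thread is about: one initialised with trust managers only, which is what produces "No X.509 cert selected for RSA" followed by an empty client Certificate message, and one whose KeyManagerFactory is loaded from a PKCS12 keystore holding tls.crt and tls.key. It also asks the JSSE key manager the same question it answers when it consumes a CertificateRequest: is there an RSA or EC key whose chain leads to one of the listed "certificate authorities"? On the signature-algorithm question: SHA256withRSA is the JCA name for PKCS#1 v1.5 signing with SHA-256, which TLS calls rsa_pkcs1_sha256, and rsa_pss_rsae_sha256 is RSA-PSS with the same kind of key, so the log shows a missing key manager rather than an algorithm mismatch. The keystore paths, passwords, host, port and CA DN are command-line inputs; the keystores are assumed to have been built with `openssl pkcs12 -export -in tls.crt -inkey tls.key -name keycloak -out keycloak-ldaps.p12` and `keytool -importcert -file ca.crt -alias ca -keystore ca.p12 -storetype PKCS12`. The check stops at the TLS handshake and performs no LDAP bind.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/**
 * Added diagnostic (not Keycloak code). Compares an SSLContext without a KeyManager
 * against one with a KeyManager loaded from a PKCS12 keystore, and reports which
 * key alias JSSE would offer for the CA names seen in a CertificateRequest.
 */
public class LdapsClientCertCheck {

    static KeyStore loadKeyStore(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static TrustManagerFactory trustManagers(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf;
    }

    static KeyManagerFactory keyManagers(KeyStore keyStore, char[] keyPassword) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        return kmf;
    }

    // Failing shape: trust material only. With no KeyManager, JSSE has nothing to offer,
    // logs "No X.509 cert selected for RSA" and sends "Certificates: <empty list>".
    static SSLContext contextWithoutClientKey(KeyStore trustStore) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustManagers(trustStore).getTrustManagers(), null);
        return ctx;
    }

    // Fixed shape: the KeyManager holds tls.crt/tls.key, so a CertificateRequest naming
    // the matching CA is answered with a real Certificate and CertificateVerify.
    static SSLContext contextWithClientKey(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers(keyStore, keyPassword).getKeyManagers(),
                 trustManagers(trustStore).getTrustManagers(), null);
        return ctx;
    }

    // Returns "<keyType>:<alias>" if the key manager would select a client certificate
    // for the given issuer DNs (the "certificate authorities" from the log), else null.
    static String aliasForCertificateRequest(KeyStore keyStore, char[] keyPassword, String... issuerDns)
            throws GeneralSecurityException {
        Principal[] issuers = Arrays.stream(issuerDns).map(X500Principal::new).toArray(Principal[]::new);
        for (KeyManager km : keyManagers(keyStore, keyPassword).getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) continue;
            X509KeyManager x509 = (X509KeyManager) km;
            for (String keyType : new String[] {"RSA", "EC"}) {
                String alias = x509.chooseClientAlias(new String[] {keyType}, issuers, null);
                if (alias != null) return keyType + ":" + alias;
            }
        }
        return null;
    }

    // Forces a full TLS handshake; with LDAP_TLS_VERIFY_CLIENT=demand this fails
    // for the context without a client key and succeeds for the one with it.
    static boolean handshakeSucceeds(SSLContext ctx, String host, int port) {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            return true;
        } catch (IOException e) {
            System.err.println("handshake failed: " + e);
            return false;
        }
    }

    // Usage (hypothetical values): java LdapsClientCertCheck keycloak-ldaps.p12 <p12-password> \
    //     ca.p12 <ca-password> ldap.example.test 636 "CN=MYDOMAINHERE"
    public static void main(String[] args) throws Exception {
        char[] keyPassword = args[1].toCharArray();
        KeyStore keyStore = loadKeyStore(args[0], keyPassword);
        KeyStore trustStore = loadKeyStore(args[2], args[3].toCharArray());
        String host = args[4];
        int port = Integer.parseInt(args[5]);
        System.out.println("key manager would select: " + aliasForCertificateRequest(keyStore, keyPassword, args[6]));
        System.out.println("without client key: " + handshakeSucceeds(contextWithoutClientKey(trustStore), host, port));
        System.out.println("with client key:    " + handshakeSucceeds(contextWithClientKey(keyStore, keyPassword, trustStore), host, port));
    }
}
```

If `aliasForCertificateRequest` returns null even though the keystore contains the right key, the usual causes are a keystore password that differs from the key password, or a certificate whose issuer DN does not match the DN in the server's CertificateRequest; if it returns an alias but the handshake still fails only for the context built without a key manager, the problem is in how the SSLContext is initialised, which is the situation described above.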