myapp on wildfly-10 used keycloak-6 for authentication for 2 years without any issue. The SSL certificate expired, and I have reinstalled a new SSL certificate and upgraded to wildfly-21 and keycloak-12. I am getting a Connection refused error.
Here is the list of different steps:
I installed Sectigo Essential Wildcard SSL for keycloak-12 as follows:
- I issued a certificate from mydomain.net.csr
- I received 3 files: _mydomain_net.crt, AAA_Certificate_Services.crt and USERTrust_RSA_Certification_Authority.crt
openssl pkcs12 -export -in _mydomain_net.crt -inkey mydomain.net.key -out mydomain.net.pl12 -name default -CAfile AAA_Certificate_Services.crt -caname root
keytool -importkeystore -destkeystore mydomain.net.jks -srckeystore mydomain.net.pl12 -srcstoretype PKCS12 -alias default
cp mydomain.net.jks keycloak-12.0.4/standalone/configuration/
I configured keycloak standalone.xml as follows:
    <server-identities>
        <ssl>
            <keystore path="mydomain.net.jks" relative-to="jboss.server.config.dir" keystore-password="mypass" />
        </ssl>
    </server-identities>
</security-realm>
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
    <location name="/" handler="welcome-content"/>
    <http-invoker security-realm="UndertowRealm"/>
</host>
<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="${jboss.server.config.dir}/mydomain.net.jks"/>
            <property name="password" value="mypass"/>
            <property name="hostname-verification-policy" value="WILDCARD"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>
I added the certificate to the JVM:
cp _mydomain_net.crt /usr/lib/jvm/java-8-oracle/jre/lib/security/
cd /usr/lib/jvm/java-8-oracle/jre/lib/security/
keytool -import -alias ca -file _mydomain_net.crt -keystore cacerts -storepass mypass
At this level I can access my keycloak installation via https without any issue.
I configured wildfly-21.0.2 as follows:
cp mydomain.net.jks standalone/configuration/mydomain.net.jks
cd wildfly-21.0.2
unzip keycloak-oidc-wildfly-adapter-12.0.4.zip
cp _mydomain_net.crt /usr/lib/jvm/java-8-oracle/jre/lib/security/
cd /usr/lib/jvm/java-8-oracle/jre/lib/security/
keytool -import -alias ca -file _mydomain_net.crt -keystore cacerts -storepass mypass
My web.xml:
<security-constraint>
    <web-resource-collection>
        <url-pattern>/home/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>uma_authorization</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>KEYCLOAK</auth-method>
</login-config>
<security-role>
    <role-name>uma_authorization</role-name>
</security-role>
I can't connect myapp from wildfly-21 to keycloak-12; the error:
[org.keycloak.adapters.KeycloakDeployment] (default task-1) Failed to load URLs from https://iam.mykeycloak.net/auth/realms/demo/.well-known/openid-configuration: java.net.ConnectException: Connection refused (Connection refused)
I have been working on this issue for three days without any success and I have no idea how to solve this problem. Thanks in advance for any idea/suggestion.
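As an added diagnostic (not part of the original post), the script below checks each layer the adapter passes through when it loads https://iam.mykeycloak.net/auth/realms/demo/.well-known/openid-configuration: DNS, TCP connect, TLS handshake, then HTTP, and reports the first one that fails. The host, port and path are taken from the error message above; the cafile argument and the closed_local_port helper are assumptions added for testing.

```python
# Added diagnostic, not from the original post: walks the layers the Keycloak
# adapter goes through to fetch the OIDC discovery document, so a failure is
# pinned to DNS, TCP, TLS or HTTP instead of guessed at.
import json
import socket
import ssl
import sys
import urllib.request

DISCOVERY = "/auth/realms/demo/.well-known/openid-configuration"  # path from the error

def diagnose(host, port=443, path=DISCOVERY, timeout=5.0, cafile=None):
    """Return the first failing stage ('dns', 'tcp', 'tls', 'http') or 'ok'."""
    # 1. Name resolution: a stale DNS record sends the adapter to the wrong host.
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return {"stage": "dns", "detail": str(exc)}
    # 2. Plain TCP connect. "Connection refused" is raised here, before TLS starts,
    #    so keystore or certificate problems cannot produce that message.
    try:
        socket.create_connection((addr, port), timeout=timeout).close()
    except OSError as exc:
        return {"stage": "tcp", "address": addr, "detail": str(exc)}
    # 3. TLS handshake with hostname verification against the given trust store
    #    (cafile=None uses the system store; pass the Sectigo CA bundle to test that chain).
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
    except (ssl.SSLError, OSError) as exc:
        return {"stage": "tls", "address": addr, "detail": str(exc)}
    # 4. Fetch the discovery document and confirm it is JSON carrying an issuer.
    try:
        with urllib.request.urlopen(f"https://{host}:{port}{path}", timeout=timeout,
                                    context=ctx) as resp:
            issuer = json.load(resp).get("issuer")
    except Exception as exc:
        return {"stage": "http", "address": addr, "detail": str(exc)}
    return {"stage": "ok", "address": addr, "subject": subject, "issuer": issuer}

def closed_local_port():
    """Pick a loopback port nothing listens on, to exercise the 'tcp' stage offline."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    print(json.dumps(diagnose(sys.argv[1] if len(sys.argv) > 1 else "iam.mykeycloak.net")))
```

Run it from the WildFly host, since that is where the adapter's request originates; a result of stage "tcp" with "Connection refused" means nothing is listening on that address and port, which is independent of the keystore and truststore configuration.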