Keycloak unable to connect to SQL Server running on Windows

Keycloak container is unable to connect to a remote SQL Server database and is stuck in a boot loop.
Output from container logs:

Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:8c3fca80-a572-4014-abe0-6e55adf39c44

Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints

Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints

Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=SSL_Self_Signed_Fallback. Usage was tls server

12:14:07,280 FATAL [org.keycloak.services] (ServerService Thread Pool -- 56) java.lang.RuntimeException: Failed to connect to database

I’m running Keycloak version 10.0.1 in a Docker container on a Linux machine, and the SQL Server DB is hosted on a Windows machine.

That’s a requirement that comes from the java.security file (e.g. /etc/java/java-11-openjdk/java-11-openjdk-11.0.7.10-1.el8_1.x86_64/conf/security/java.security in the jboss/keycloak:10.0.1 image).

Naive solution: edit java.security and allow your “weaker” certificate, since that is what your DB server is using.

The proper, secure solution is to configure your DB with a “stronger” certificate that satisfies the java.security constraints. Of course, how to configure SQL Server is out of scope for this forum; please consult the DB documentation.

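To make the mechanism behind the reply concrete, here is an added example (not code from the thread, Keycloak or the JDK) that parses the `jdk.certpath.disabledAlgorithms` property in the same syntax the JDK uses and applies it to a certificate's key, reproducing the "keysize limits" rejection from the log. The java.security fragment is constructed; its `RSA keySize < 2048` limit is an assumption modelled on the RHEL 8 system crypto policy that the jboss/keycloak image's OpenJDK picks up via `security.useSystemPropertiesFile`, whereas stock OpenJDK 11 ships `RSA keySize < 1024`, which would have accepted this certificate. The `relax_keysize` function is the "naive solution" expressed as a file edit; the `jdkCA` handling shows why a self-signed SQL Server fallback certificate is judged only on its key size and not on the `SHA1 jdkCA` rule.

```python
"""Evaluate JDK-style algorithm constraints against a certificate key.

Added example: parses the jdk.certpath.disabledAlgorithms value from a
(constructed) java.security fragment and decides whether a TLS server
certificate with a given key algorithm and size passes the check that the
Keycloak log above failed. Only keySize, jdkCA and usage clauses are
handled; denyAfter and includeprefixes clauses are out of scope here.
"""
import re

# Constructed java.security fragment. The 2048-bit RSA minimum is an
# assumption modelled on the RHEL 8 DEFAULT crypto policy; stock OpenJDK 11
# ships "RSA keySize < 1024" instead.
SAMPLE_JAVA_SECURITY = """\
security.useSystemPropertiesFile=true
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
}


def read_property(text, name):
    """Return one Java properties value, joining backslash-continued lines."""
    joined = re.sub(r"\\\n\s*", "", text)
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == name:
            return value.strip()
    raise KeyError(name)


def parse_constraints(value):
    """Parse 'ALG [keySize OP N] [& jdkCA] [& usage U...]' entries."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        clauses = [c.strip() for c in raw.split("&")]
        head = clauses[0].split()
        entry = {"alg": head[0].upper(), "keysize": None,
                 "jdkca": False, "usages": set()}
        # The first clause may carry a constraint after the algorithm name.
        rest = ([" ".join(head[1:])] if len(head) > 1 else []) + clauses[1:]
        for clause in rest:
            m = re.fullmatch(r"keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)", clause)
            if m:
                entry["keysize"] = (m.group(1), int(m.group(2)))
            elif clause == "jdkCA":
                entry["jdkca"] = True
            elif clause.startswith("usage "):
                entry["usages"].update(clause.split()[1:])
            else:
                raise ValueError("unsupported constraint clause: %r" % clause)
        entries.append(entry)
    return entries


def check_key(entries, alg, keysize, usage="TLSServer", anchored_in_jdk_ca=False):
    """Return None if the key is allowed, else a reason in the JDK's wording.

    jdkCA rules only apply when the chain anchors to a JDK cacerts root, so a
    self-signed SQL Server fallback certificate is exempt from them.
    """
    for e in entries:
        if e["alg"] != alg.upper():
            continue
        if e["jdkca"] and not anchored_in_jdk_ca:
            continue
        if e["usages"] and usage not in e["usages"]:
            continue
        if e["keysize"] is None:
            return "Algorithm constraints check failed on disabled algorithm: %s" % alg
        op, limit = e["keysize"]
        if _OPS[op](keysize, limit):
            return ("Algorithm constraints check failed on keysize limits. "
                    "%s %dbit key used with certificate. Usage was %s"
                    % (alg, keysize, usage))
    return None


def relax_keysize(text, alg, new_limit):
    """The 'naive solution': lower one algorithm's keySize minimum in place."""
    pattern = r"(%s\s+keySize\s*<\s*)\d+" % re.escape(alg)
    new_text, n = re.subn(pattern, r"\g<1>%d" % new_limit, text)
    if n == 0:
        raise ValueError("no keySize constraint found for %s" % alg)
    return new_text


if __name__ == "__main__":
    rules = parse_constraints(read_property(SAMPLE_JAVA_SECURITY,
                                            "jdk.certpath.disabledAlgorithms"))
    print(check_key(rules, "RSA", 1024))   # the SQL_Self_Signed_Fallback case
    print(check_key(rules, "RSA", 2048))   # None: a stronger cert passes
    relaxed = relax_keysize(SAMPLE_JAVA_SECURITY, "RSA", 1024)
    rules = parse_constraints(read_property(relaxed, "jdk.certpath.disabledAlgorithms"))
    print(check_key(rules, "RSA", 1024))   # None after the naive relaxation
```

If you do go the naive route, prefer not to edit the image's java.security at all: the JDK reads an override file named by the `java.security.properties` system property (for example `JAVA_OPTS_APPEND=-Djava.security.properties=/opt/override.properties` on the Keycloak container), which keeps the relaxation visible, versioned and easy to remove once the database has a 2048-bit certificate.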

Thanks for the reply @jangaraj.
Based on that premise, I was able to connect my Keycloak container to SQL Server 2017 normally, without any complaints about the key lengths.
Apparently SQL Server 2014 and older used 1024-bit keys by default. I haven’t been successful at configuring my 2012 DB server with a stronger cert yet. I will update the thread if I make progress on that front.