Mutually authenticated LDAP user storage federation

According to the Server Administration Guide it is possible to connect to an LDAP user store over SSL/TLS (https://www.keycloak.org/docs/latest/server_admin/#connect-to-ldap-over-ssl).
Is there any possibility to configure a mutually authenticated TLS connection (i.e. it would be necessary to provide a client certificate and key in the connection settings)?
This is a requirement in one of our customer projects.


I did not try this by myself. I suppose it might be possible by ensuring that all those 4 system properties are set accordingly: “javax.net.ssl.keyStore”, “javax.net.ssl.keyStorePassword”, “javax.net.ssl.trustStore” and “javax.net.ssl.trustStorePassword”. See for example these docs for more details: https://docs.oracle.com/cd/E17952_01/connector-j-8.0-en/connector-j-reference-using-ssl.html

Marek

Thanks for the quick answer. According to the provided link this applies to JDBC connections for MySQL. What I need is a mutually authenticated TLS connection to an LDAP server, though. Or should the same mechanism work for ldaps, too? But if so, how to configure a dedicated client certificate for this dedicated LDAP connection?
As far as I could find there is no configuration for a TLS client certificate for an LDAP user federation, neither in the GUI nor in the admin API. Also, I could find nothing in the SPIs that seemed to help.

Thanks,
Ingo
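One way to give a single LDAPS connection its own client certificate from Java, independent of the JVM-wide javax.net.ssl properties, is a JNDI socket factory backed by a dedicated keystore. This is an added illustration, not Keycloak's own code and not wired into its user federation SPI; the file paths, passwords, server name and bind DN are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.*;

/** SSLSocketFactory that presents a dedicated client certificate for the LDAP connection only. */
public class MutualTlsLdapSocketFactory extends SSLSocketFactory {
    // Assumed paths and passwords (constructed for this example); load them from a vault in practice.
    static final String KEYSTORE = "/etc/keycloak/ldap-client.p12", TRUSTSTORE = "/etc/keycloak/ldap-ca.p12";
    static final char[] KS_PASS = "changeit".toCharArray(), TS_PASS = "changeit".toCharArray();
    private final SSLSocketFactory delegate;

    public MutualTlsLdapSocketFactory() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12"), ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) { ks.load(in, KS_PASS); }   // client cert + private key
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) { ts.load(in, TS_PASS); } // CA that signed the LDAP server cert
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, KS_PASS);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    /** JNDI instantiates the factory through this static method (java.naming.ldap.factory.socket contract). */
    public static SocketFactory getDefault() {
        try { return new MutualTlsLdapSocketFactory(); } catch (Exception e) { throw new IllegalStateException(e); }
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean close) throws IOException { return delegate.createSocket(s, h, p, close); }
    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return delegate.createSocket(h, p, l, lp); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) throws IOException { return delegate.createSocket(h, p, l, lp); }

    public static void main(String[] args) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.internal:636");   // assumed server; ldaps:// triggers the TLS handshake
        env.put("java.naming.ldap.factory.socket", MutualTlsLdapSocketFactory.class.getName());
        env.put(Context.SECURITY_PRINCIPAL, "cn=keycloak,ou=services,dc=example,dc=internal");   // assumed bind DN
        env.put(Context.SECURITY_CREDENTIALS, "bind-password-from-vault");
        new InitialDirContext(env).close();   // handshake (with client cert) and simple bind happen here
    }
}
```

If the directory is configured for SASL EXTERNAL, the bind DN and password can be replaced by `Context.SECURITY_AUTHENTICATION = "EXTERNAL"` so the identity comes from the client certificate alone.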

I’m working on this as well to get OpenLDAP working with Keycloak and mutual SSL. So far, what I have found is the following.
Mutual SSL is turned on using the jboss cli or elytron’s tool that is distributed with wildfly. There aren’t any options in Keycloak’s UI for this. I found the following links helpful in understanding more.

https://docs.wildfly.org/18/WildFly_Elytron_Security.html#configure-ssltls

I’m having a hard time understanding how this differs from one-way SSL, where we have already defined where the truststore and keystore are in the standalone.xml’s stanza.
We already have public certs in the truststore and private keys in the keystore. Not sure why, and exactly what, using jboss to set up truststores, trustmanagers, and other things does.
I can also see in the undertow subsystem that mutual HTTPS looks like it has config in there.
Also, in the socket-binding-group stanza I can see that https-mutual is set to have a different port.

I hope that if anyone else sees this question and has answers, they can add some clarity.

StartTLS is broken in 10.0.2. There is a commit that fixes this that will go into release 11: https://github.com/keycloak/keycloak/commit/3c82f523ff76d74a3196e0a400a5574a08b1ba48