Hi,
I’m having trouble finding the option for configuring a truststore. In the Advanced Settings of LDAP there is a tooltip that points to a file named standalone.xml/domain.xml, but this only seems to exist in the WildFly distribution and not in the Quarkus one we use.
The goal is to import the certificate of the LDAP server to use LDAPS/TLS. If somebody could shed some light on this issue I would really appreciate it.
Thank you,
Stefan
You have to create the truststore file externally, copy it into the Keycloak image and configure it with these properties: Keycloak - Server - All configuration
breed
March 20, 2022, 7:15pm
Hi @stefan1 @dasniko
I have the same problem, but it doesn’t work for me.
I define the trust store and import the cert in the Dockerfile.
I don’t know where the mistake is.
```
# HTTPS listener truststore options (https-trust-store-file / https-trust-store-password)
ENV KC_HTTPS_TRUST_STORE_FILE=conf/ldap-test.jks
ENV KC_HTTPS_TRUST_STORE_PASSWORD=PW1
# Import the LDAP server certificate (ldap-test.cer from the build context) into conf/ldap-test.jks;
# both paths are relative to the WORKDIR of the image
RUN keytool -import -noprompt -trustcacerts -storepass PW1 -alias ldap-test -file ldap-test.cer -keystore conf/ldap-test.jks
```
Thank you
Breed
Sorry, I directly modified conf/keycloak.conf; I don’t know how it works with Docker.
EDIT: it doesn’t work for me either. I thought it worked at first glance, but it was only the LDAP Connection Test that worked. When I try to authenticate I get this error, the same as if I hadn’t configured a truststore:
```
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```
I added the following options to conf/keycloak.conf:
```
https-trust-store-file=/opt/keycloak/truststore.jks
https-trust-store-password=********************
```
and added the CA certificate of the LDAP server with this command:
```
keytool -importcert -v -trustcacerts -alias ucs-ca -file ucsCAcert.pem -keystore truststore.jks
```
I also tried to add the certificate of the LDAP server itself:
```
rm truststore.jks
keytool -import -alias dc.ourdomain.de -keystore truststore.jks -file dc.ourdomain.de.cer
```
Same error.
OK, it works with the default Java keystore. For me on Ubuntu it was:
```
keytool -importcert -alias ucs-CA -keystore /usr/lib/jvm/default-java/lib/security/cacerts -file ucsCAcert.pem
```
https://plone.lucidsolutions.co.nz/linux/java/how-to-add-a-certificate-authority-ca-certificate-to-the-openjdk-cacerts
Still wondering why it doesn’t work with a custom added truststore.
@breed @dasniko
Found the right parameters:
```
--spi-truststore-file-file
--spi-truststore-file-password
```
These were the parameters I was looking for.
And here is described how to add host certificates to the truststore (I don’t know if it also works with CA certificates, but I think so):
https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
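As an added worked example (not code from this thread or from the Keycloak project), here is a complete two-stage Dockerfile that puts the pieces from the posts above together for the Quarkus distribution: the LDAP server's CA certificate is imported with keytool at build time, and the resulting keystore is handed to the truststore SPI at run time via the `KC_SPI_TRUSTSTORE_FILE_*` environment variables. The image tag, the CA file name `ucsCAcert.pem` in the build context, the PostgreSQL database and the placeholder password `changeit` are assumptions of mine.

```dockerfile
# Added example, not from the thread. Assumes the Keycloak 17 Quarkus image and a
# CA certificate file ./ucsCAcert.pem (PEM) in the build context.
FROM quay.io/keycloak/keycloak:17.0.0 as builder

# Build-time options baked into the optimized image (the database vendor is an assumption)
ENV KC_DB=postgres

WORKDIR /opt/keycloak
COPY ucsCAcert.pem /tmp/ucsCAcert.pem

# Import the issuing CA (not the leaf server certificate) so that the whole chain
# validates and a rotated server certificate from the same CA keeps working.
# Absolute paths avoid the working-directory ambiguity of "conf/ldap-test.jks".
# The password here is a build-time placeholder; see the note below.
RUN keytool -importcert -noprompt -trustcacerts \
      -alias ucs-ca \
      -file /tmp/ucsCAcert.pem \
      -keystore /opt/keycloak/conf/ldap-truststore.jks \
      -storepass changeit \
 && keytool -list -keystore /opt/keycloak/conf/ldap-truststore.jks -storepass changeit

RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:17.0.0
COPY --from=builder /opt/keycloak/ /opt/keycloak/
WORKDIR /opt/keycloak

# Runtime truststore SPI consulted by LDAP user federation and other outgoing TLS
# connections. This is NOT KC_HTTPS_TRUST_STORE_*, which only configures the
# truststore the HTTPS listener uses to validate client certificates.
ENV KC_SPI_TRUSTSTORE_FILE_FILE=/opt/keycloak/conf/ldap-truststore.jks
ENV KC_SPI_TRUSTSTORE_FILE_PASSWORD=changeit
# WILDCARD is the default; STRICT is tighter. Never use ANY outside a lab, since it
# disables hostname verification and makes the truststore pointless against MITM.
ENV KC_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY=WILDCARD

ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
CMD ["start"]
```

Three checks are worth doing once the image runs. First, `keytool -list` in the build stage confirms the alias actually landed in the store; a wrong `-storepass` or a relative path silently produces an empty or misplaced file. Second, the LDAP provider's "Use Truststore SPI" setting in the admin console must be "Always" or "Only for ldaps", otherwise the federation provider never consults this store. Third, do not ship a real password in the image: keep the placeholder for the build and pass `KC_SPI_TRUSTSTORE_FILE_PASSWORD` at run time from a secret. Note also that the SPI truststore covers Keycloak's own outgoing connections (LDAP, identity brokering, SMTP); as the GitHub issue embedded further down in this thread shows, the JDBC driver's TLS validation is a separate matter.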
breed
March 22, 2022, 1:41pm
@stefan1 thank you for your reply.
But it still doesn’t work for me.
```
ENV KC_SPI_TRUSTSTORE_FILE_FILE=conf/ldap-test.jks
ENV KC_SPI_TRUSTSTORE_FILE_PASSWORD=PW
# Import the CA certificate (absolute path) into the keystore at conf/ldap-test.jks (relative to WORKDIR)
RUN keytool -importcert -alias ldaptest-CA -storepass PW -noprompt -file /opt/keycloak/ldap-test.cer -keystore conf/ldap-test.jks
```
breed
March 22, 2022, 8:26pm
Similar problem with using
```
ENV KC_SPI_TRUSTSTORE_FILE_....
```
GitHub issue, opened 05:01PM - 22 Mar 22 UTC (labels: kind/bug, status/triage)
### Describe the bug
After switching from KC16 to KC17, verification of the database certs is not working anymore. In KC16, we set the trust store and parameters for verification via ENVs:
```
JAVA_OPTS='-Djavax.net.ssl.trustStore=/certs/truststore.jks -Djavax.net.ssl.trustStorePassword=[PASSWORD]'
JDBC_PARAMS: "verifyServerCertificate=true&useSSL=true&requireSSL=true&enabledTLSProtocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3"
```
In KC17, we set:
```
KC_DB_URL= "jdbc:mysql://[AURORA_MYSQL_URL]:3306/keycloak_17_0_0?user=[USERNAME]&password=[PASSWORD]&verifyServerCertificate=true&useSSL=true&requireSSL=true&enabledTLSProtocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3&characterEncoding=UTF-8"
KC_SPI_TRUSTSTORE_FILE_FILE= "/certs/truststore.jks"
KC_SPI_TRUSTSTORE_FILE_PASSWORD="[PASSWORD]"
```
Changing the trust store path or password results in an error; hence, the trust store seems to be loaded correctly.
### Version
17.0.0
### Expected behavior
Since the trust store has not changed at all, we expect that the certificate verification works in KC17, too. If we change the parameter `verifyServerCertificate` to `False` the error disappears.
### Actual behavior
The following exception is thrown:
```
...
2022-03-22 11:52:26,680 WARN [io.agroal.pool] (agroal-11) Datasource '<default>': Communications link failure
The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
2022-03-22 11:52:26,682 WARN [org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator] (JPA Startup Thread: keycloak-default) HHH000342: Could not obtain connection to query metadata: com.mysql.cj.jdbc.exceptions.CommunicationsException: Communications link failure
The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
at com.mysql.cj.jdbc.exceptions.SQLError.createCommunicationsException(SQLError.java:174)
at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:64)
at com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:829)
at com.mysql.cj.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:449)
at com.mysql.cj.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:242)
at com.mysql.cj.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:198)
at com.mysql.cj.jdbc.MysqlDataSource.getConnection(MysqlDataSource.java:416)
at com.mysql.cj.jdbc.MysqlDataSource.getConnection(MysqlDataSource.java:128)
at com.mysql.cj.jdbc.MysqlDataSource.getConnection(MysqlDataSource.java:113)
at com.mysql.cj.jdbc.MysqlXADataSource.getXAConnection(MysqlXADataSource.java:52)
at io.agroal.pool.ConnectionFactory.createConnection(ConnectionFactory.java:216)
at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:513)
at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:494)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at io.agroal.pool.util.PriorityScheduledExecutor.beforeExecute(PriorityScheduledExecutor.java:75)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1126)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: com.mysql.cj.exceptions.CJCommunicationsException: Communications link failure
The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
at com.mysql.cj.exceptions.ExceptionFactory.createException(ExceptionFactory.java:61)
at com.mysql.cj.exceptions.ExceptionFactory.createException(ExceptionFactory.java:105)
at com.mysql.cj.exceptions.ExceptionFactory.createException(ExceptionFactory.java:151)
at com.mysql.cj.exceptions.ExceptionFactory.createCommunicationsException(ExceptionFactory.java:167)
at com.mysql.cj.protocol.a.NativeProtocol.negotiateSSLConnection(NativeProtocol.java:317)
at com.mysql.cj.protocol.a.NativeAuthenticationProvider.connect(NativeAuthenticationProvider.java:204)
at com.mysql.cj.protocol.a.NativeProtocol.connect(NativeProtocol.java:1369)
at com.mysql.cj.NativeSession.connect(NativeSession.java:133)
at com.mysql.cj.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:949)
at com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:819)
... 15 more
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:352)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:295)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:290)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1501)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1411)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:451)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:422)
at com.mysql.cj.protocol.ExportControlled.performTlsHandshake(ExportControlled.java:347)
at com.mysql.cj.protocol.StandardSocketFactory.performTlsHandshake(StandardSocketFactory.java:194)
at com.mysql.cj.protocol.a.NativeSocketConnection.performTlsHandshake(NativeSocketConnection.java:101)
at com.mysql.cj.protocol.a.NativeProtocol.negotiateSSLConnection(NativeProtocol.java:308)
... 20 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at com.mysql.cj.protocol.ExportControlled$X509TrustManagerWrapper.checkServerTrusted(ExportControlled.java:408)
at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1549)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 35 more
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:157)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
at com.mysql.cj.protocol.ExportControlled$X509TrustManagerWrapper.checkServerTrusted(ExportControlled.java:402)
... 37 more
2022-03-22 11:52:26,895 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000128: Infinispan version: Infinispan 'Triskaidekaphobia' 13.0.5.Final
2022-03-22 11:52:27,062 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN`
2022-03-22 11:52:27,069 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!
2022-03-22 11:52:27,183 WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
2022-03-22 11:52:27,184 WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20.00MB, but the OS only allocated 212.99KB
2022-03-22 11:52:27,184 WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
2022-03-22 11:52:27,185 WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25.00MB, but the OS only allocated 212.99KB
2022-03-22 11:52:29,199 INFO [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) keycloak-17-698bdc8c8b-sn5s2-48664: no members discovered after 2003 ms: creating cluster as coordinator
2022-03-22 11:52:29,209 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [keycloak-17-698bdc8c8b-sn5s2-48664|0] (1) [keycloak-17-698bdc8c8b-sn5s2-48664]
2022-03-22 11:52:29,213 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `keycloak-17-698bdc8c8b-sn5s2-48664`, physical addresses are `[192.168.150.92:44031]`
2022-03-22 11:52:29,825 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: keycloak-17-698bdc8c8b-sn5s2-48664, Site name: null
2022-03-22 11:52:29,910 WARN [io.agroal.pool] (agroal-11) Datasource '<default>': Communications link failure
The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
2022-03-22 11:52:29,929 INFO [org.infinispan.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`
2022-03-22 11:52:29,973 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
2022-03-22 11:52:29,973 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
2022-03-22 11:52:29,973 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Communications link failure
The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
2022-03-22 11:52:29,974 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Communications link failure
The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
2022-03-22 11:52:29,974 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
2022-03-22 11:52:29,974 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
2022-03-22 11:52:29,975 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Path does not chain with any of the trust anchors
2022-03-22 11:52:29,975 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.
```
### How to Reproduce?
_No response_
### Anything else?
The keystore contains the [aws rds root certificate](https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem) and the [Starfield Services Root Certificate Authority](https://www.amazontrust.com/repository/), both added (in that order) via:
```
keytool -import -alias mysqlServerCACert -file rds-ca-2019-root.pem -keystore truststore.jks
keytool -import -alias aws_root_starfield -file aws_root_starfield.pem -keystore truststore.jks
```
sat2008
January 20, 2023, 9:58pm
Hello Dasniko, I am new to Keycloak and we are currently configuring the Keycloak Quarkus version running on Linux, and I am not able to figure out how to get my Windows AD cert into Keycloak for LDAPS. I cannot find any detailed information for this setup.
I noticed over 2K people have viewed this topic; it would be a great help.
Is there step-by-step documentation for how to create the truststore file and where to save it in Keycloak? Where do I add the server certificate? Thanks.
Hi, can you help me with this question?