Truststore in KC 17 Quarkus for LDAPS/TLS

Hi,
I’m having trouble finding the option for configuring a truststore. In the Advanced Settings of LDAP there is a tooltip that points to a file named standalone.xml/domain.xml, but this only seems to exist in the WildFly distribution and not in the Quarkus one we use.

The goal is to import the certificate of the LDAP server to use LDAPS/TLS. If somebody could shed some light on this issue, I really would appreciate it.

Thank you,
Stefan

You have to create the truststore file externally, copy it into the Keycloak image and configure it with these properties: Keycloak - Server - All configuration


Yay thank you, worked!


Hi @stefan1 @dasniko
I have the same problem, but it doesn’t work for me.
I define the trust store and import the cert in the Dockerfile.
Don’t know where the mistake is?

ENV KC_HTTPS_TRUST_STORE_FILE=conf/ldap-test.jks
ENV KC_HTTPS_TRUST_STORE_PASSWORD=PW1
RUN keytool -import -noprompt -trustcacerts -storepass PW1 -alias ldap-test -file ldap-test.cer -keystore conf/ldap-test.jks

Thank you
Breed

Sorry, I directly modified the conf/keycloak.conf, don’t know how it works with docker.

EDIT: doesn’t work for me either. I thought it worked at first glance, but it was only the LDAP Connection Test that worked. When I try to authenticate I get this error - same as if I didn’t configure a truststore:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I added the following options to the conf/keycloak.conf:

https-trust-store-file=/opt/keycloak/truststore.jks
https-trust-store-password=********************

and added the CA certificate of the LDAP server with this command:

keytool -importcert -v -trustcacerts -alias ucs-ca -file ucsCAcert.pem -keystore truststore.jks

I also tried to add the certificate of the LDAP server itself:

rm truststore.jks
keytool -import -alias dc.ourdomain.de -keystore truststore.jks -file dc.ourdomain.de.cer

– same error

OK, it works with the default Java keystore - for me on Ubuntu it was:

keytool -importcert -alias ucs-CA -keystore /usr/lib/jvm/default-java/lib/security/cacerts -file ucsCAcert.pem

https://plone.lucidsolutions.co.nz/linux/java/how-to-add-a-certificate-authority-ca-certificate-to-the-openjdk-cacerts

Still wondering why it doesn’t work with a custom added truststore.

@breed @dasniko

Found the right parameter:

--spi-truststore-file-file and --spi-truststore-file-password were the parameters I was looking for.

And here is described how to add host certificates to the truststore (dunno if it also works with CA certificates, but I think so):

https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore

@stefan1 thank you for your reply.

But it still doesn’t work for me.

ENV KC_SPI_TRUSTSTORE_FILE_FILE=conf/ldap-test.jks
ENV KC_SPI_TRUSTSTORE_FILE_PASSWORD=PW
RUN keytool -importcert -alias ldaptest-CA -storepass PW -noprompt -file /opt/keycloak/ldap-test.cer -keystore conf/ldap-test.jks

Similar problem with using

ENV KC_SPI_TRUSTSTORE_FILE_....
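A complete Dockerfile for the setup discussed in this thread, added here as an example and not code posted by anyone in it: the truststore is built in a separate stage (so keytool is guaranteed to be available), stored under an absolute path, and handed to Keycloak through the ENV form of --spi-truststore-file-file and --spi-truststore-file-password. The image tags, the certificate file name ldap-ca.pem, the alias and the password are placeholders.

```dockerfile
# Added example, not from the thread. Assumes the LDAP server's CA certificate
# (PEM) sits next to this Dockerfile as ldap-ca.pem.

# Stage 1: build and verify the truststore in an image known to ship keytool.
FROM eclipse-temurin:17-jdk AS truststore
# Placeholder value; override with --build-arg TRUSTSTORE_PASSWORD=...
ARG TRUSTSTORE_PASSWORD=changeit
COPY ldap-ca.pem /tmp/ldap-ca.pem
# Absolute paths everywhere, so the result does not depend on WORKDIR.
# The trailing keytool -list fails the build if the import did not land.
RUN keytool -importcert -noprompt -trustcacerts \
      -alias ldap-ca \
      -file /tmp/ldap-ca.pem \
      -keystore /tmp/truststore.jks \
      -storepass "$TRUSTSTORE_PASSWORD" \
 && keytool -list -keystore /tmp/truststore.jks -storepass "$TRUSTSTORE_PASSWORD"

# Stage 2: the Keycloak Quarkus image with the truststore wired in.
FROM quay.io/keycloak/keycloak:17.0.0
COPY --from=truststore /tmp/truststore.jks /opt/keycloak/conf/truststore.jks
# ENV equivalent of --spi-truststore-file-file (absolute path, not conf/...).
ENV KC_SPI_TRUSTSTORE_FILE_FILE=/opt/keycloak/conf/truststore.jks
# The password is deliberately NOT baked in with ENV, because image metadata
# is readable by anyone who can pull the image. Supply it at run time, e.g.
#   docker run -e KC_SPI_TRUSTSTORE_FILE_PASSWORD=... <image> start ...
# which is the ENV form of --spi-truststore-file-password.
```

If the PKIX error persists, run the same keytool -list inside the running container against the path in KC_SPI_TRUSTSTORE_FILE_FILE to confirm Keycloak is reading the file you think it is.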