How to import a certificate (crt file) into keycloak? - certificate

I'm configuring Keycloak as an SP which is connecting to a PingFederate IDP.
I'd like to import the IDP's certificate file into Keycloak so that the trust will succeed.
How do I import a crt file into Keycloak?

This has been documented on the Keycloak site.
https://www.keycloak.org/docs/3.3/server_installation/topics/network/outgoing.html
keytool -import -alias HOSTDOMAIN -keystore truststore.jks -file host-certificate.cer
The truststore is configured within the standalone.xml, standalone-ha.xml, or domain.xml file in your distribution. The location of this file depends on your operating mode.
<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="path to your .jks file containing public certificates"/>
            <property name="password" value="password"/>
            <property name="hostname-verification-policy" value="WILDCARD"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>
New link: https://www.keycloak.org/server/outgoinghttp#_outgoing_https_request_truststore

Keycloak looks to be built on top of the WildFly app server, which is a Java server. Haven't tried it, but I expect you just need to use keytool and import the crt into the Java trust store:
keytool -v -import -file file.crt -alias idp -keystore <whatever keystore your Java process is using>
Keystore default location will depend on OS/java location, but once you do that and (perhaps) restart the Java process you should be good to go.

Navigate to the location of your keycloak.jks trust store (keycloak_install_dir/standalone/configuration)
Then import the .crt into that store using:
sudo keytool -v -importcert -file <your_cert>.crt -alias <whatever_alias_you_want> -keystore keycloak.jks -storepass <the_pw_for_keycloak.jks>

Related

Failed to make identity provider oauth callback, when configuring Identity Federation in Keycloak

Keycloak is hosted inside a Docker container. The objective is to do identity federation between the Keycloak (K1) and another partnering Keycloak (K2). K2 is hosted behind an SSL connection.
According to the documentation, I configured the trust store. But still, I get the following error:
Exception: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
I'm updating the standalone.xml for this purpose.
[1] - https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml instead of standalone.xml by default. This is the reason why Keycloak did not recognize the new trust store. Below are the steps to configure the trust store in Keycloak for Docker-based deployments.
Step 1:
Add the following to the standalone-ha.xml file.
<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="/opt/jboss/truststore.jks"/>
            <property name="password" value="password"/>
            <property name="hostname-verification-policy" value="WILDCARD"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>
Step 2:
Copy the file to the docker container
docker cp standalone-ha.xml container_id:/opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
Step 3:
Copy the certificate inside the container. The certificate can be exported from the browser itself (public certificate).
docker cp cert.crt 9fbd81264f65:/opt/jboss/cert.crt
Step 4:
ssh into the container
docker exec -it container_id bash
Step 5:
keytool -import -alias efactory-nimble.salzburgresearch.at -keystore truststore.jks -file cert.crt
Step 6:
docker restart container_id
[1] - https://lists.jboss.org/pipermail/keycloak-user/2018-October/016066.html
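The import and trust check behind the answers above, as an added Java example that is not from the original page or from Keycloak: importCert adds a certificate entry to the truststore named in the <spi name="truststore"> block (what keytool -import does), and isTrusted runs the PKIX trust-manager check the outgoing HTTPS client performs, so a chain can be tested before the container is restarted. The truststore path and password, the file names and the TruststoreCheck class are assumptions, and the imported certificate is assumed to be the issuer of the peer's certificate.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TruststoreCheck {
    // Placeholders assumed here; use the file and password from your <spi name="truststore"> block.
    static final String TRUSTSTORE = "/opt/jboss/truststore.jks";
    static final char[] PASSWORD = "password".toCharArray();
    static KeyStore loadStore() throws Exception { // the .jks must already exist (keytool creates it)
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) { ks.load(in, PASSWORD); }
        return ks;
    }
    static X509Certificate readCert(String crtFile) throws Exception { // PEM or DER .crt
        try (FileInputStream in = new FileInputStream(crtFile)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
    // Same effect as: keytool -import -alias <alias> -keystore truststore.jks -file <crt>
    static void importCert(String crtFile, String alias) throws Exception {
        KeyStore ks = loadStore();
        ks.setCertificateEntry(alias, readCert(crtFile));
        try (FileOutputStream out = new FileOutputStream(TRUSTSTORE)) { ks.store(out, PASSWORD); }
    }
    // What the outgoing HTTPS client does at handshake time: a PKIX trust manager built from the
    // truststore checks the peer chain (leaf first); the "PKIX path building failed" above is this failing.
    static boolean isTrusted(X509Certificate[] peerChain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(loadStore());
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(peerChain, "RSA"); // authType drives only the end-entity key-usage check
            return true;
        } catch (CertificateException e) {
            System.err.println("not trusted: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception { // java TruststoreCheck <ca.crt> <alias> <peer.crt>
        importCert(args[0], args[1]);
        System.out.println("trusted: " + isTrusted(new X509Certificate[] { readCert(args[2]) }));
    }
}
```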

keytool -import failed with the error "failed to establish chain from reply"

I have a keystore, which contains only 1 keypair (foo). From that keypair, I generated a csr, which was signed by a CA using the certificate bar (bar is the issuer of foo). The issue I have is that I'm unable to import back the certificate foo in my keystore with this command
keytool -importcert -alias foo -file foo.p7b -keypass 123456 -keystore keystore.jks -storepass 123456
It failed with the error
Failed to establish chain from reply.
If I add the public certificate bar to my keystore, then it is working fine.
Therefore, one will simply think that I absolutely need to insert the public certificate bar in my keystore, but what is bugging me here is that if I use KeyStore Explorer to import the certificate foo into my keystore (which only contains the keypair foo), then it is working fine. In other words, I am able to import the certificate with KeyStore Explorer ("Import CA reply"), but not with keytool.
Does anyone have an idea what I'm doing wrong?

Moving My Existing Spring APP to HTTPS

I want my app to use some third-party APIs with SSL.
Step 1: I created a key in my home directory:
keytool -genkey -alias tomcat -keypass mypassword -keystore TestKeyStore.keystore -storepass mypassword -keyalg RSA -validity 360 -keysize 2048
Step 2: I added a connector in server.xml from Eclipse:
<Connector port="8443" SSLEnabled="true" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75" enableLookups="true"
disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https"
secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="/media/prashant/important/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/conf/TestKeyStore.keystore"
keystorePass="mypassword" />
When I restart the project, Tomcat takes too long to start and shows nothing at the end. I tried to increase the startup time as well, but that still did not help me. Any idea what I am missing?
Please give more information. But I would check whether you have allowed port 8443 in your firewall. To check it's allowed (if it's a Linux machine), run telnet 8443. If you connect, that means it's allowed. Otherwise, details from the logs will help further.

No trusted certificate found using CAS and JBoss

I'm trying to authenticate through CAS+LDAP in a Jboss app. The config is like this:
Server 1: Jboss 6.10. Cas is deployed here.
Server 1: LDAP using OpenDS.
Server 2: JBoss with the app to log into.
I've configured both JBoss instances to use SSL correctly and the CAS successfully reads and authenticates against the LDAP.
When I get to (through https) server1:8443/app/ I'm redirected to server2:8443/cas/ and the login screen is displayed. I log in with a valid user on the LDAP but when the flow gets back to the app I'm always getting this:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
I've read it's a certificate problem and, as it is a dev environment, I'm trying the self-signed certificate. So I did this:
Generate the self-signed certificate on Server1 with:
keytool -genkey -alias jbosskey -keypass password -keyalg RSA -keystore server.keystore
Get the certificate of the Server1 with:
keytool -export -alias jbosskey -keypass password -file server.crt -keystore server.keystore
Copy the server.crt to Server2 and import it to the truststore of Jboss.
keytool -import -alias server1 -file server.crt -keystore C:\dev\jboss-6.1.0.Final\server.truststore
This gets me the exception. So I also imported it into the cacerts of the JVM.
keytool -import -alias server1 -file server.crt -keystore C:\dev\jdk160_18\jre\lib\security\cacerts
Not working, so I tried to add the certificate to the keystore of the Jboss at Server2.
keytool -import -alias server1 -file server.crt -keystore C:\dev\jboss-6.1.0.Final\keystore.jks
The Server1 Jboss server.xml
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
keystorePass="password" sslProtocol = "TLS"
/>
The Server2 Jboss server.xml
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="C:\dev\jboss-6.1.0.Final\keystore.jks"
keystorePass="password"
truststoreFile="C:\dev\jboss-6.1.0.Final\server.truststore"
truststorePass="password"
sslProtocol = "TLS" />
I've been stuck on this for a couple of days and don't know if I'm missing something. Did I miss something important with the keytool?
Thanks in advance.

Providing keystore to webService client

Hi, I have created a web service client in Eclipse from a WSDL file. But when I try to access the service from the client it says:
No SSL configuration available for the endpoint. And then the address of my endpoint.
Please let me know how I can provide SSL configuration through a key store to my web service client.
I have standalone client and keystore provided by the client.
TIA
You can do this by using Apache CXF and set up the client conduit. Refer to the Configuring SSL Support section in this great tutorial.
Hope this helps.
You may start by checking what's in your keystore:
keytool -list -keystore D:\Tomcat\ukdp.keystore -storepass 123456
A sample of what your conduit definition might look like:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
       xsi:schemaLocation="
           http://cxf.apache.org/configuration/security
           http://cxf.apache.org/schemas/configuration/security.xsd
           http://cxf.apache.org/transports/http/configuration
           http://cxf.apache.org/schemas/configuration/http-conf.xsd
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
    <http:conduit name="{http://apache.org/hello_world}HelloWorld.http-conduit">
        <http:tlsClientParameters>
            <sec:keyManagers keyPassword="password">
                <sec:keyStore type="JKS" password="password"
                              file="my/file/dir/Morpit.jks"/>
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore type="JKS" password="password"
                              file="my/file/dir/Truststore.jks"/>
            </sec:trustManagers>
            <sec:cipherSuitesFilter>
                <!-- these filters ensure that a ciphersuite with
                     export-suitable or null encryption is used,
                     but exclude anonymous Diffie-Hellman key change as
                     this is vulnerable to man-in-the-middle attacks -->
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_AES_.*</sec:include>
                <sec:include>.*_WITH_NULL_.*</sec:include>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </http:tlsClientParameters>
        <http:authorization>
            <sec:UserName>Betty</sec:UserName>
            <sec:Password>password</sec:Password>
        </http:authorization>
        <http:client AutoRedirect="true" Connection="Keep-Alive"/>
    </http:conduit>
</beans>
Also, I found some threads which could help you:
Apache CXF wsdl download via SSL/TLS
Problems accessing a HTTPS Webservice
No SSL configuration is available for endpoint
SSL configuration for fedex web service using command line
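The same conduit set up in code rather than Spring XML, as an added example that is not from the original answer or from the CXF docs, using the CXF client API (TLSClientParameters, FiltersType, HTTPConduit) that the XML above maps to; the sample filter's includes for _EXPORT_, _WITH_DES_ and _WITH_NULL_ suites admit export-grade, DES and unencrypted cipher suites, so this version includes AES suites only. The port proxy object, the keystore paths, the passwords and the ConduitTls class are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class ConduitTls {
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    // Programmatic equivalent of the <http:conduit> sample above, applied to a JAX-WS proxy 'port'
    // (assumed). Cipher filter: AES suites only; the sample's _EXPORT_, _WITH_DES_ and _WITH_NULL_
    // includes are dropped, and anonymous key exchange stays excluded.
    static void configure(Object port, String keyStore, String trustStore, char[] pw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStore, pw), pw);        // client key pair, as in <sec:keyManagers keyPassword=...>
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(load(trustStore, pw));          // CA of the service certificate, as in <sec:trustManagers>

        FiltersType filter = new FiltersType();
        filter.getInclude().add(".*_WITH_AES_.*");
        filter.getExclude().add(".*_anon_.*");
        filter.getExclude().add(".*_NULL_.*");

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setCipherSuitesFilter(filter);
        tls.setDisableCNCheck(false);            // keep hostname verification on

        HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```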