Adding trust cert inside a docker container - https

I have Keycloak running inside a Docker container and I want to add a trusted certificate, so I ssh'd into the container, copied the cert file and imported the certificate via keytool:
${JAVA_JDK}/jre/bin/keytool \
-import -trustcacerts \
-alias "efactory-nimble_salzburgresearch_at.crt" -file efac.crt \
-keystore ${JAVA_JDK}/jre/lib/security/cacerts \
-storepass changeit \
-noprompt
The response from keytool was:
Picked up _JAVA_OPTIONS: -Xmx256m -Xms50m
Certificate was added to keystore
After successfully importing the certificate I'm still getting this error in Keycloak:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
So my question is: does the JVM need to be restarted after adding the certificate inside a Docker container, and has anyone else come across this issue?

Yes, the JVM needs a restart after adding the certificate to the keystore; see: Imported certificate to Java keystore, JVM ignores the new cert.
Other than that, you should probably have a more "persistent" way to update the keystore, since it'll be gone after the container is removed.
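One way to make the trust "persistent" in the sense the answer means, as an added example that is not code from the question or the answer: a small POSIX shell script that imports every PEM certificate from a directory into the JVM truststore. Run from a Dockerfile RUN step it becomes part of the image, so the certificate is already in cacerts when the JVM starts and no in-container restart is needed; run from the entrypoint before exec'ing the JVM it has the same effect on a fresh container. The TRUSTSTORE default, the alias derivation and the directory layout are assumptions for this example; on a JDK 8 image the path is ${JAVA_HOME}/jre/lib/security/cacerts as in the question.

```shell
#!/bin/sh
# Added example (not from the question or answer): bake trusted CA certs into
# the JVM truststore before the JVM starts. Assumptions: keytool is on PATH,
# TRUSTSTORE points at the JVM's cacerts (JDK 8: $JAVA_HOME/jre/lib/security/cacerts,
# JDK 9+: $JAVA_HOME/lib/security/cacerts), STOREPASS is the cacerts password.
set -eu

TRUSTSTORE="${TRUSTSTORE:-${JAVA_HOME:-/usr}/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # "changeit" is the stock cacerts password

# Stable alias from the PEM file name: "/certs/Efac.crt" -> "efac"
alias_for() {
  basename "$1" | sed 's/\.[^.]*$//' | tr 'A-Z' 'a-z'
}

# Import one PEM certificate under its alias, replacing an existing entry
# with the same alias so a rebuilt image picks up a rotated certificate.
import_trusted_cert() {
  pem="$1"
  name="$(alias_for "$pem")"
  if keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$name" >/dev/null 2>&1; then
    keytool -delete -alias "$name" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
  fi
  keytool -importcert -noprompt -trustcacerts \
    -alias "$name" -file "$pem" \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Import every *.crt in a directory; prints the number of files imported.
import_cert_dir() {
  count=0
  for f in "$1"/*.crt; do
    [ -f "$f" ] || continue
    import_trusted_cert "$f"
    count=$((count + 1))
  done
  echo "$count"
}

# Usage (Dockerfile):  RUN TRUSTSTORE=/opt/jdk/jre/lib/security/cacerts ./add-ca.sh /certs
# Usage (entrypoint):  ./add-ca.sh /certs && exec java ...   (import happens before the JVM reads cacerts)
if [ "$#" -eq 1 ]; then
  import_cert_dir "$1" >/dev/null
fi
```

Because the JVM reads cacerts once at startup, the ordering is what matters: anything imported after `java` has started is invisible to that process until it is restarted, which is exactly the symptom in the question.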

Related

SpringBoot fails to start due to jsse.alias_no_key_entry using JKS with GoDaddy signed certificate

I am trying to secure my SpringBoot server with SSL. I've generated a keystore and CSR. I received the intermediate and domain certificate from GoDaddy. I imported those into my keystore that was used to generate the CSR.
I used the following commands to generate the keystore and CSR.
keytool -genkey -alias server-alias -keyalg RSA -keysize 2048 -keystore keystore.jks -dname "CN=name,OU=Unit, O=Org, L=NoWhere, ST=NoWhere, C=CA"
keytool -certreq -alias server-alias -file domain.csr -keystore keystore.jks
In my SpringBoot application, I have the following configurations in my applications.properties file.
server.ssl.key-store-type=JKS
server.ssl.key-store=location/keystore.jks
server.ssl.key-store-password=password
server.ssl.key-alias=server-alias
security.require-ssl=true
I received the following exception cause on startup:
Caused by: java.io.IOException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:317)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 common frames omitted
I would really appreciate any help. Thanks!
There seem to be (at least) a couple of reasons this can occur:
The keystore contains a cert but not a private key ... or at least not the right key. See How to resolve : java.io.IOException: jsse.alias_no_key_entry
You have simply configured the wrong alias; if you enter an alias that does not exist in the keystore, you will get this same error.
The alias being looked up needs to exist in the keystore, and the associated private key needs to exist there (not just the cert). If those conditions aren't met, it will throw this error.

Configure Keycloak with server certificate bundle

I have configured HTTPS on a Keycloak server by placing a certificate A.crt in a Java keystore and configuring that keystore in standalone.xml. HTTPS access has worked well from a given client so far. The certificate is signed by an intermediate CA B, which is signed by a root CA C.
I now encounter problems when accessing Keycloak from another client. It says: "unable to get local issuer certificate" or "certificate signed by unknown authority" (depending on the client software). I'm quite sure the root cause is that CA certificate B.crt is not known to this client. A strong indication is that I can access Keycloak from that client with curl --cacert B.crt https://keycloak....
Since I cannot predict which clients will have what CA certificates installed I would like to configure a bundle consisting of A.crt, B.crt, and C.crt as root certificate. If this were a server that directly took a PEM certificate I would use the bundle resulting from cat A.crt B.crt C.crt > bundle.crt, but because of its use of a Java keystore this is not an option with Keycloak.
So how can I store a server certificate bundle (if that's the right terminology) in a Java keystore so that Keycloak can make use of it in such a way that "all" clients can access the service?
UPDATE: I've tried adding the intermediate and root certificates B and C to the keystore already used by Keycloak, but this did not solve the current issue:
keytool -import -alias b -file B.crt -keystore $KEYSTORE
keytool -import -alias c -file C.crt -keystore $KEYSTORE
You said you have a keystore configured in your standalone.xml where A.crt was imported, but do you have a truststore? You could try adding B.crt to your truststore.
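Both of the last two threads come down to what a single alias in the keystore actually holds: the jsse.alias_no_key_entry answer above says the alias must be a key entry rather than a bare certificate, and the chain question asks how to get A, B and C behind the same alias. The added example below, which is not code from either post, reads `keytool -list -v` output and gives a verdict for an alias (missing, cert-only, leaf-only, ok), and shows the keytool call that installs a PEM chain onto an existing key entry. The sample listing is constructed for the demo; keystore.jks, server-alias, chain.pem and the storepass arguments are placeholders.

```shell
#!/bin/sh
# Added example (not from the questions or answers): diagnose a server alias
# from "keytool -list -v" output and install a full chain onto a key entry.
# Placeholders: keystore.jks, server-alias, A.crt/B.crt/C.crt, chain.pem.
set -eu

# Print one "Field: value" for the given alias from keytool -list -v output on
# stdin. Prints nothing if the alias or the field is absent.
ks_field() {
  want="$1"; field="$2"
  awk -v want="$want" -v field="$field" '
    /^Alias name: / { cur = $0; sub(/^[^:]*: /, "", cur) }
    cur == want && index($0, (field ": ")) == 1 { v = $0; sub(/^[^:]*: /, "", v); print v; exit }
  '
}

# Verdict for the alias a TLS server is configured to use:
#   missing    no such alias            (Tomcat: jsse.alias_no_key_entry)
#   cert-only  trustedCertEntry, no key (same error)
#   leaf-only  key entry whose chain is just the server cert; clients that
#              lack the intermediate CA fail with "unable to get local issuer"
#   ok         key entry carrying leaf + intermediate(s), optionally the root
diagnose_alias() {
  listing="$(cat)"
  etype="$(printf '%s\n' "$listing" | ks_field "$1" "Entry type")"
  case "$etype" in
    "") echo missing; return 1 ;;
    PrivateKeyEntry) ;;
    *) echo cert-only; return 1 ;;
  esac
  len="$(printf '%s\n' "$listing" | ks_field "$1" "Certificate chain length")"
  if [ "${len:-1}" -le 1 ]; then echo leaf-only; return 1; fi
  echo ok
}

# Live check against a real keystore (needs keytool on PATH).
check_keystore() {
  keytool -list -v -keystore "$1" -storepass "$2" | diagnose_alias "$3"
}

# Fix for leaf-only: importing under an alias that already holds a private key
# makes keytool treat the file as a certificate reply and replace that entry's
# chain with the certificates in the PEM sequence (leaf first). Trusted entries
# added under their own aliases (b, c) are never sent by the server.
install_chain() {
  ks="$1"; storepass="$2"; keyalias="$3"
  cat A.crt B.crt C.crt > chain.pem
  keytool -importcert -noprompt -trustcacerts -alias "$keyalias" -file chain.pem \
    -keystore "$ks" -storepass "$storepass"
}

# Constructed, abridged sample of keytool -list -v output for the demo.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: server-alias
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=name, OU=Unit, O=Org, L=NoWhere, ST=NoWhere, C=CA
Issuer: CN=B Intermediate CA, O=Example CA

*******************************************

Alias name: b
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=B Intermediate CA, O=Example CA
Issuer: CN=C Root CA, O=Example CA'

if [ "${1:-}" = "demo" ]; then
  for a in server-alias b nosuch; do
    printf '%s: ' "$a"
    printf '%s\n' "$SAMPLE_LISTING" | diagnose_alias "$a" || true
  done
fi
```

After `install_chain`, `check_keystore keystore.jks <storepass> server-alias` should print `ok` and `keytool -list -v` should show `Certificate chain length: 3` (or 2 if you leave the root out, which clients already trust). `-noprompt` is needed because keytool otherwise asks before installing a reply whose root it does not already trust.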

org.opensaml.common.SAMLRuntimeException: Can't obtain SP signing key

Unable to get through the realm discovery phase. While the sample code works well with the IdP SSO Circle, I'm facing issues after updating our securityContext.xml with our company's Metadata.xml, importing the PFX certificate and adding it to the keystore.
I used the command below to add it to the keystore:
keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass PFX_P12_FILE_PASS -srcalias SOURCE_ALIAS -destkeystore samlKeystore.jks -deststoretype jks -deststorepass nalle123 -destalias alias
Please find the exception trace below:
org.opensaml.common.SAMLRuntimeException: Can't obtain SP signing key
at org.springframework.security.saml.key.JKSKeyManager.getCredential(JKSKeyManager.java:193)
at org.springframework.security.saml.metadata.MetadataGenerator.getServerKeyInfo(MetadataGenerator.java:205)
at org.springframework.security.saml.metadata.MetadataGenerator.buildSPSSODescriptor(MetadataGenerator.java:329)
at org.springframework.security.saml.metadata.MetadataGenerator.generateMetadata(MetadataGenerator.java:189)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.processMetadataInitialization(MetadataGeneratorFilter.java:127)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
and the console messages below:
No default metadata configured, generating with default values, please pre-configure metadata for production use
Unable to retrieve keystore entry for entityID (keystore alias): apollo
Check for invalid keystore entityID/alias entry password
I used the entityBaseURL as the end party URL shared with the client. I also tried the entity ID that appears in metadata.xml.
Any help is truly appreciated.
When creating a self-signed keystore with the keytool command, the key-pair password (specified with the keytool option -keypass) and the keystore file password must be the same.
We can create a self-signed keystore using the command below:
keytool -genkeypair -alias springsaml -keypass <password> -keystore saml-keystore.jks
When you see the message "Enter keystore password" on the terminal, enter the same password that was provided for the keytool option "-keypass".
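The same password requirement applies when the key pair comes from a PFX file rather than from -genkeypair, which is the situation in the question. The added example below is not code from the post; it wraps keytool so that the key copied out of the PKCS#12 file is protected by the destination store password (-destkeypass), and includes a -keypasswd call to repair a keystore that was already imported without it. Without -destkeypass the copied key keeps the source entry's password, so the store password given to JKSKeyManager does not unlock the entry. sp.pfx, PFX_PASS, spkey, samlKeystore.jks, nalle123 and apollo are placeholders; the alias you pass as -destalias must be the one named in securityContext.xml.

```shell
#!/bin/sh
# Added example (not from the question or answer): move an SP key pair from a
# PFX/PKCS#12 file into a JKS keystore for Spring Security SAML, keeping the
# key password equal to the keystore password. Placeholders: sp.pfx, PFX_PASS,
# spkey, samlKeystore.jks, nalle123, apollo. keytool must be on PATH.
set -eu

# Copy one entry from a PKCS#12 file into a JKS keystore, forcing the key
# password to match the store password via -destkeypass.
import_pfx_entry() {
  src="$1"; srcpass="$2"; srcalias="$3"
  dst="$4"; dstpass="$5"; dstalias="$6"
  keytool -importkeystore \
    -srckeystore "$src" -srcstoretype pkcs12 -srcstorepass "$srcpass" -srcalias "$srcalias" \
    -destkeystore "$dst" -deststoretype jks -deststorepass "$dstpass" \
    -destalias "$dstalias" -destkeypass "$dstpass" -noprompt
}

# Repair an existing keystore whose key password differs from the store
# password (the state the question's command leaves behind): the old key
# password is the PFX password the entry was imported with.
align_key_password() {
  ks="$1"; storepass="$2"; name="$3"; oldkeypass="$4"
  keytool -keypasswd -keystore "$ks" -storepass "$storepass" \
    -alias "$name" -keypass "$oldkeypass" -new "$storepass"
}

# Check that the entry unlocks with the store password. "-list" only needs the
# store password, so exercise the key password with a no-op -keypasswd instead;
# it fails if the key is protected by a different password.
key_password_matches() {
  keytool -keypasswd -keystore "$1" -storepass "$2" -alias "$3" \
    -keypass "$2" -new "$2" >/dev/null 2>&1
}

# Usage:
#   import_pfx_entry sp.pfx PFX_PASS spkey samlKeystore.jks nalle123 apollo
#   key_password_matches samlKeystore.jks nalle123 apollo && echo "apollo unlocks with the store password"
```

If `key_password_matches` fails for the alias your securityContext.xml names, run `align_key_password` once with the PFX password as the old key password; if it fails because the alias itself is absent, the -destalias used at import time and the alias in the Spring configuration disagree, which produces the same "Unable to retrieve keystore entry" message.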

How to add a *.P12 keystore (with one entry)?

Apologies for my lack of understanding of certificates in general. I have a .p12 file (with a non-expired certificate) and a valid password so I can list the contents using:
keytool -list -keystore file.p12 -storepass password -storetype PKCS12 -v
In my Java code I am attempting an HTTPS post but keep getting this error:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching [host.path.com] found
This same post works against one of my other environments which does not have any authentication required and the link is HTTP (vs. HTTPS). How do I make this .p12 file work for it to be recognized in the handshake?
You could use the following command:
keytool -v -importkeystore -srckeystore alice.p12 -srcstoretype PKCS12 -destkeystore "c:\Program Files\Java\jre1.8.0_71\lib\security\cacerts" -deststoretype JKS
The default password for your cacerts will be changeit, where the trust store is your JRE trust store.
Please refer here for more information:
http://www.webfarmr.eu/2010/04/import-pkcs12-private-keys-into-jks-keystores-using-java-keytool/

Record function in Jmeter results in a error message

I recently downloaded and installed JMeter 2.11. Afterwards I tried the record functionality of the program, but that resulted in an error message:
“Could not create script recording proxy – see log for detail”.
I have tried modifying the "environment variables", but that does not help.
In the application log the following messages were shown:
2014/08/19 10:23:02 WARN - jmeter.protocol.http.proxy.ProxyControl: Could not open/read key store C:\apache-jmeter-2.11\bin\proxyserver.jks (The system cannot find the file specified)
2014/08/19 10:23:02 INFO - jmeter.protocol.http.proxy.ProxyControl: Creating Proxy CA in C:\apache-jmeter-2.11\bin\proxyserver.jks
2014/08/19 10:23:02 ERROR - jmeter.protocol.http.proxy.ProxyControl: Could not initialise key store java.io.IOException: Command :'keytool -genkeypair -alias :root_ca: -dname "CN=_ DO NOT INSTALL unless this is your certificate (JMeter root CA), OU=Username: TATG, C=US" -keyalg RSA -keystore proxyserver.jks -storepass {redacted) -keypass {redacted) -validity 7 -ext bc:c' failed, code: 1
Illegal option: -ext
Try keytool -help
at org.apache.jorphan.exec.KeyToolUtils.genkeypair(KeyToolUtils.java:168)
at org.apache.jorphan.exec.KeyToolUtils.generateProxyCA(KeyToolUtils.java:230)
I notice the proxyserver.jks is missing under the bin directory.
How can I resolve this problem or get a copy of this file (i.e. hack the directory)?
Read this, it answers exactly this issue:
https://wiki.apache.org/jmeter/TestRecording210