General question about certificates.


Jonathan Brooks

Jul 11, 2021, 2:06:26 PM
to dcm4che
Dear Vrinda/Gunter/everyone :-)

I noticed that all of the documentation refers to keystores containing files cacerts.jks and key.jks, but the files that are distributed end in .p12. Is this a problem?

Sorry for the really basic question, but is it okay to use these files, or do they need converting to .jks files? I attempted to modify as follows to use the .p12 files but have run into problems (changes highlighted).

The reason I ask is because as part of the secure install, we have to run (as root):
keytool -importkeystore -srckeystore /opt/keycloak/standalone/configuration/keystores/cacerts.p12 -srcstorepass secret -destkeystore $JAVA_HOME/lib/security/cacerts -deststorepass changeit

Then after starting the standalone keycloak server, we have to connect to it using the jboss-cli.sh, and issue several commands:

/subsystem=elytron/key-store=httpsKS:add(credential-reference={clear-text=secret},type=PKCS12,path=/opt/keycloak/standalone/configuration/keystores/key.p12)
blah
blah
/subsystem=keycloak-server/spi=truststore/provider=file:map-put(name=properties,key=file,value=/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts)

After issuing this last command the jboss-cli indicates that we should reload, and after typing reload the standalone server falls over, with this output:

18:41:21,413 FATAL [org.keycloak.services] (ServerService Thread Pool -- 57) Error during startup: java.lang.RuntimeException: Attribute 'password' missing in 'truststore':'file' configuration:

I note that the next command was intended to introduce an attribute "password" - so I guess I shouldn't have reloaded! D'oh!

Any suggestions for how to undo this last change would be much appreciated!

Best wishes,

Jon
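An added example, not code from this thread or from the dcm4che or Keycloak projects, covering the two steps above. It classifies a keystore by its leading bytes so that keytool is given an explicit -srcstoretype instead of one guessed from the file extension, and it writes the truststore SPI changes as a single jboss-cli batch so that reload is only issued once both properties are in place. The property name "password" is taken from the error message and is assumed to be the key the next command would have set; the batch, run-batch and --file usages are assumed from the WildFly CLI. Sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread or from dcm4che/Keycloak.
# Assumptions: "password" is the truststore SPI property the FATAL message
# refers to; batch/run-batch/reload and --file are standard jboss-cli usage.

keystore_format() {
    # Prints jks, pkcs12 or unknown for the file given as $1.
    # A JKS store begins with the magic bytes FE ED FE ED; a PKCS12 store is a
    # DER PFX structure and begins with a SEQUENCE tag (0x30). Other DER
    # objects (a bare .der certificate) also begin with 0x30, so this only
    # tells the two keystore types apart; it does not validate the store.
    hex=$(dd if="$1" bs=1 count=4 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    case "$hex" in
        feedfeed*) echo jks ;;
        30*)       echo pkcs12 ;;
        *)         echo unknown ;;
    esac
}

import_cmd() {
    # Builds the keytool command that merges the trust anchors in $1 (store
    # password $2) into the destination store $3 (password $4), with an explicit
    # -srcstoretype derived from the file contents. It is printed rather than
    # executed so the operator can review it before running it as root.
    src=$1 srcpass=$2 dest=$3 destpass=$4
    case "$(keystore_format "$src")" in
        jks)    type=JKS ;;
        pkcs12) type=PKCS12 ;;
        *) echo "unrecognised keystore: $src" >&2; return 1 ;;
    esac
    printf 'keytool -importkeystore -srckeystore %s -srcstoretype %s -srcstorepass %s -destkeystore %s -deststorepass %s\n' \
        "$src" "$type" "$srcpass" "$dest" "$destpass"
}

write_truststore_batch() {
    # Writes a jboss-cli script to $1 that sets both truststore properties
    # (file=$2, password=$3) in one batch, and reloads only after the batch has
    # been applied, so the server never restarts with a half-configured SPI.
    cat > "$1" <<EOF
batch
/subsystem=keycloak-server/spi=truststore/provider=file:map-put(name=properties,key=file,value=$2)
/subsystem=keycloak-server/spi=truststore/provider=file:map-put(name=properties,key=password,value=$3)
run-batch
reload
EOF
}

# Constructed sample files: only the first bytes of a JKS and of a PKCS12 store.
tmp=$(mktemp -d)
printf '\376\355\376\355\000\000\000\002' > "$tmp/cacerts.jks"
printf '\060\202\012\100' > "$tmp/cacerts.p12"
keystore_format "$tmp/cacerts.jks"      # jks
keystore_format "$tmp/cacerts.p12"      # pkcs12
import_cmd "$tmp/cacerts.p12" secret "$JAVA_HOME/lib/security/cacerts" changeit
write_truststore_batch "$tmp/truststore.cli" "$JAVA_HOME/lib/security/cacerts" changeit
# Apply with: $KEYCLOAK_HOME/bin/jboss-cli.sh --connect --file="$tmp/truststore.cli"
```

The batch is the point of the second helper: a CLI batch is applied as one unit, so an attribute that only becomes mandatory once its sibling exists (here, password once file is set) is never visible to a reload on its own.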






Vrinda Nayak

Jul 12, 2021, 2:49:41 AM
to dcm4che
The wiki pages have been updated to refer to the key.p12 and cacerts.p12 files. The formats of the keystore and truststore were changed in the 5.22.5 release. Regarding the startup failure, you may manually remove the spi truststore section from the standalone configuration file of Keycloak ($KEYCLOAK_HOME/standalone/configuration/standalone.sh):

<spi name="truststore">
   <provider name="file" enabled="true">
        <properties>
             <property name="file" value="/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts"/>
        </properties>
   </provider>
</spi>

and restart your Keycloak.

Jonathan Brooks

Jul 12, 2021, 5:22:13 PM
to dcm...@googlegroups.com
Thanks Vrinda, and for updating the wiki. Can I check if the key type should be PKCS12? 

Best wishes,

Jon


Vrinda Nayak

Jul 13, 2021, 2:52:49 AM
to dcm4che
The default configuration of the archive and Keycloak makes use of a PKCS12 keystore and truststore. If you're setting up the archive manually (see point 1), copy the PKCS12-format keystore and truststore (.p12) files into your $WILDFLY_HOME/standalone/configuration/keystores and $KEYCLOAK_HOME/standalone/configuration/keystores locations.