Adding truststore to container running with Docker


Will Furnell - STFC UKRI
Jun 23, 2022, 6:12:27 AM
to Keycloak User

Hello,

I'm trying to set up an LDAPS connection to our LDAP server, which has certificates from a not-normally-trusted root, so I need to add the root and intermediate certificates to the Java trust store. However, I can't see any documentation for doing this with the official Docker container. I've only found this: https://www.keycloak.org/server/keycloak-truststore but it doesn't mention Docker at all.

Has anyone been able to do this successfully, please?


Thanks,

Will.


Matthieu Huin
Jun 23, 2022, 6:55:15 AM
to Will Furnell - STFC UKRI, Keycloak User
Hello,

I've had a similar problem with a different containerized service (gerrit). I ended up following this gist: https://gist.github.com/stefanozanella/4124338 and modifying my container's entrypoint script to generate the trust store at runtime. Here's the modified entrypoint as an example: https://softwarefactory-project.io/r/c/software-factory/sf-config/+/25272/7/ansible/roles/sf-gerrit/templates/entrypoint.sh.j2

You can probably derive a solution from this.

Hope it helps,
MHU



--
Matthieu Huin (He/Him/His)
Senior Software Developer
Red Hat

Will Furnell - STFC UKRI
Jun 23, 2022, 10:09:15 AM
to Matthieu Huin, Keycloak User

Thank you. I will look into this if I can't find another way, but I was also slightly hoping I wouldn't have to build my own container for this.

I do note that you can specify this information in standalone-ha.xml or as command line arguments to kc.sh. Can I just add these to the JAVA_OPTS_APPEND= environment variable? Does this literally append to that script?

Thank you,

Will.

Will Furnell - STFC UKRI
Jun 23, 2022, 11:21:12 AM
to Matthieu Huin, Keycloak User

To reply to myself: I found something that works. It turns out Keycloak _does_ have support for this via an environment variable; I was just bad at finding it 😊

Please see a sample below of what I'm adding to my 'docker run', in case anyone else has the same issue.

    -v /etc/grid-security/certificates/:/etc/x509/gridcerts/ -e X509_CA_BUNDLE='/etc/x509/gridcerts/UKeScienceCA-2B.pem /etc/x509/gridcerts/UKeScienceRoot-2007.pem'

Thanks,

Will.
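An added example, not code from this thread, from Keycloak, or from the poster: a small POSIX shell script that assembles the `docker run` flags above from a directory of CA files, so the two pieces that are easy to get wrong are checked before the container starts. It verifies that every file it lists looks like a PEM certificate (this is the script's own policy, assumed here, not a documented Keycloak requirement), and it writes the X509_CA_BUNDLE entries as the paths the files will have inside the container (the mount point), not the host paths, which is the usual mistake when the host directory and mount point differ as they do in the command above. The host directory and mount point are taken from the thread; the image name `quay.io/keycloak/keycloak` and the read-only (`:ro`) mount are assumptions added here. The sample certificate files are constructed placeholders, not real CA certificates.

```shell
#!/bin/sh
# Added example: build the `docker run` flags that mount a host CA directory into
# the Keycloak container and set X509_CA_BUNDLE to the space-separated list of
# PEM files as seen *inside* the container. Nothing is executed; the command is
# only printed. Image name and :ro mount are assumptions, not from the thread.
set -eu

# Sanity check (this script's own policy): the file must carry a PEM certificate
# header. Catches a stray key file or a DER/PKCS#12 file dropped in the directory.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Emit the X509_CA_BUNDLE value: every *.pem in the host dir ($1), rewritten to
# the path it will have under the container mount point ($2), space separated.
# Fails if there are no .pem files or if any file is not a PEM certificate.
ca_bundle_value() {
  host_dir=$1; mount_point=$2; out=""
  for f in "$host_dir"/*.pem; do
    [ -e "$f" ] || { echo "no .pem files in $host_dir" >&2; return 1; }
    is_pem_cert "$f" || { echo "not a PEM certificate: $f" >&2; return 1; }
    out="${out:+$out }$mount_point/$(basename "$f")"
  done
  printf '%s' "$out"
}

# Print the full docker run command line (dry run). The CA directory is mounted
# read-only so nothing in the container can alter the trust anchors.
keycloak_run_cmd() {
  host_dir=$1; mount_point=$2
  bundle=$(ca_bundle_value "$host_dir" "$mount_point") || return 1
  printf "docker run -v %s:%s:ro -e X509_CA_BUNDLE='%s' quay.io/keycloak/keycloak start\n" \
    "$host_dir" "$mount_point" "$bundle"
}

# Demo with constructed placeholder files standing in for the real CA directory
# (/etc/grid-security/certificates in the thread); the body is not a real cert.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n-----END CERTIFICATE-----\n' \
  > "$demo_dir/UKeScienceCA-2B.pem"
printf -- '-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n-----END CERTIFICATE-----\n' \
  > "$demo_dir/UKeScienceRoot-2007.pem"
keycloak_run_cmd "$demo_dir" /etc/x509/gridcerts
rm -rf "$demo_dir"
```

Run it against the real directory with `keycloak_run_cmd /etc/grid-security/certificates /etc/x509/gridcerts` and paste the printed line; if a non-certificate file has crept into the directory the script refuses to produce a command rather than handing Keycloak a bundle it cannot import.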

 


 
