
I'm trying to set up a test environment with Keycloak and Samba Active Directory, using the User Storage Federation feature from Keycloak to connect to the LDAP database of Samba AD.

Both services are being deployed in containers with Docker. The images I'm using are:

The Samba container generates self-signed certificates in PEM format when it starts running; it generates three files called ca.pem, cert.pem and key.pem.

As explained in the documentation here, "Outgoing HTTPS Request Truststore", Keycloak requires the setup of a truststore.jks file to ensure it is connecting to a trusted server. So, following the instructions from the documentation, I generated a truststore.jks file using the ca.pem and cert.pem from the Samba container with these commands:

$ sudo keytool -import -alias samba-cert -keystore truststore.jks -file cert.pem
$ sudo keytool -import -alias samba-ca -keystore truststore.jks -file ca.pem

And then I added this configuration in the standalone-ha.xml file (the Docker image uses standalone-ha.xml by default instead of standalone.xml):

...
<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="/opt/jboss/keycloak/standalone/configuration/truststore.jks"/>
            <property name="password" value="ExamplePassword1"/>
            <property name="hostname-verification-policy" value="WILDCARD"/>
            <property name="enabled" value="true"/>
        </properties>
    </provider>
</spi>
...

After this, I use chmod to change the value of truststore.jks and standalone-ha.xml to 655, just to make sure that the container can read them when it is initializing. Then I use this docker run command to start the container:

docker run --name keycloak_app -p 443:8443 \
    -v /srv/data/certs:/etc/x509/https \
    -v /srv/data/sambaCerts/truststore.jks:/opt/jboss/keycloak/standalone/configuration/truststore.jks \
    -v /srv/data/standalone-ha.xml:/opt/jboss/keycloak/standalone/configuration/standalone-ha.xml \
    -e KEYCLOAK_USER=admin \
    -e KEYCLOAK_PASSWORD=ExamplePassword2 \
    quay.io/keycloak/keycloak:14.0.0

But here is the problem: it logs this error:

ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.security.key-store.kcKeyStore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.kcKeyStore: WFLYELY00004: Unable to start the service.
    at org.wildfly.extension.elytron@15.0.1.Final//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:200)
    at org.jboss.msc@1.4.12.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
    at org.jboss.msc@1.4.12.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
    at org.jboss.msc@1.4.12.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.io.IOException: keystore password was incorrect
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2117)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:243)
    at java.base/java.security.KeyStore.load(KeyStore.java:1479)
    at org.wildfly.security.elytron-private@1.15.3.Final//org.wildfly.security.keystore.AtomicLoadKeyStoreSpi.engineLoad(AtomicLoadKeyStoreSpi.java:53)
    at java.base/java.security.KeyStore.load(KeyStore.java:1479)
    at org.wildfly.extension.elytron@15.0.1.Final//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:163)
    ... 8 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    ... 14 more

And this is where I'm really lost right now. I've been searching for around a week, mainly looking for the "Caused by: java.io.IOException: keystore password was incorrect" message, but with no luck.

If I start the container without my modified standalone-ha.xml file, it starts perfectly fine and the website is accessible without any problems. But if I then try to set up the User Storage Federation without this, Keycloak can find my Samba AD server but can't authenticate to it, probably because it doesn't see it as a trusted server.

1 Answer


'keystore password was incorrect' is in your error log. I can see you specified the new truststore via a volume mount, but I don't see you overriding the truststore password. So there is no way of using the new truststore in your container.

See: Keycloak Keystore and Truststore setup for docker-compose
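The stack trace in the question shows Java opening the file as PKCS12 (keytool's default store type since Java 9), and the answer points at a password that does not match the one in the config. The following is an added example, not code from the question, the answer or Keycloak: it covers the legacy JKS layout that `keytool -storetype JKS` writes, building a small truststore in memory and verifying the store password the same way the JDK's integrity check does, so the mismatch can be caught before the container is started. All aliases, passwords and certificate bytes are constructed placeholders.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = b"\xfe\xed\xfe\xed"   # first four bytes of every JKS file
JKS_SALT = b"Mighty Aphrodite"    # fixed string the JDK mixes into the integrity digest

# Constructed placeholder DER blobs standing in for the real cert.pem / ca.pem bodies.
SAMPLE_CERTS = {"samba-cert": b"\x30\x03\x02\x01\x01", "samba-ca": b"\x30\x03\x02\x01\x02"}

def _utf(s: str) -> bytes:  # DataOutputStream.writeUTF (identical to UTF-8 for ASCII aliases)
    return struct.pack(">H", len(s.encode())) + s.encode()

def _read_utf(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def _trailer(password: str, body: bytes) -> bytes:  # JDK: SHA-1(2-byte chars of password || salt || body)
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()

def build_jks_truststore(password: str, certs: dict) -> bytes:
    # Trusted-cert entries only (tag 2): alias, creation date, cert type, DER bytes.
    body = JKS_MAGIC + struct.pack(">Ii", 2, len(certs))  # version 2, entry count
    for alias, der in certs.items():
        body += struct.pack(">i", 2) + _utf(alias) + struct.pack(">q", 0)
        body += _utf("X.509") + struct.pack(">i", len(der)) + der
    return body + _trailer(password, body)  # 20-byte SHA-1 trailer ends the file

def keystore_format(data: bytes) -> str:  # keytool writes PKCS12 (DER, starts 0x30) since Java 9
    return "JKS" if data[:4] == JKS_MAGIC else "PKCS12" if data[:1] == b"\x30" else "unknown"

def jks_password_is_correct(data: bytes, password: str) -> bool:
    # Same check as JavaKeyStore.engineLoad: recompute the trailer with the candidate password.
    if keystore_format(data) != "JKS":
        raise ValueError("not a JKS file; check a PKCS12 store with keytool -list instead")
    return hmac.compare_digest(_trailer(password, data[:-20]), data[-20:])

def jks_aliases(data: bytes) -> list:
    # Aliases are stored in the clear, so this needs no password.
    (count,) = struct.unpack_from(">i", data, 8)
    pos, aliases = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">i", data, pos)
        if tag != 2:
            raise ValueError("private-key entry found; this is not a pure truststore")
        alias, pos = _read_utf(data, pos + 4)
        _, pos = _read_utf(data, pos + 8)  # skip the 8-byte date, read the cert type
        (n,) = struct.unpack_from(">i", data, pos)
        pos += 4 + n
        aliases.append(alias)
    return aliases
```

Against a real file, `jks_password_is_correct(open("truststore.jks", "rb").read(), "ExamplePassword1")` tells you whether the password in the `<spi name="truststore">` block will open the store, and `jks_aliases` confirms both the `samba-cert` and `samba-ca` imports landed.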