1

I have followed this tutorial https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-keycloak-connector/ for integrating Keycloak as Key Manager with WSO2 API Manager 4.0.0 and everything is done as described but when I try to obtain client_credentials access_token an error is rising on WSO2 http client - Keycloak communication, viewing the traces it is related to feign. The error is this:

Caused by: feign.RetryableException: Hostname localhost not verified:
    certificate: sha256/7mHCBc7ms9yqA/gz+nIRA9cUTRqrEgK3j9eX9fmpDZ0=
    DN: CN=localhost
    subjectAltNames: [] executing POST https://localhost:8443/auth/realms/master/clients-registrations/openid-connect

As it is described on error trace, it is a hostname verification as hostname is localhost. To bypass this I set hostname verification to be disabled, but it is still happening. I do not know how to skip this verification. These are my config files snippets:

deployment.toml

[transport.passthru_https]
sender.hostname_verifier = "AllowAll"

[transport.passthru_https.sender.parameters]
HostnameVerifier = "AllowAll"

[transport.passthru_http]
sender.hostname_verifier = "AllowAll"

api-manager.bat

set CMD_LINE_ARGS=%CMD_LINE_ARGS% -Djava.endorsed.dirs=%JAVA_ENDORSED% -Dorg.opensaml.httpclient.https.disableHostnameVerification=true -Dhttpclient.hostnameVerifier="AllowAll"

Also this localhost certificate is imported in client-truststore.jks in WSO2 installation.

Any idea about how to skip this hostname verification?

Community
  • 1
  • 1
Burillodev
  • 322
  • 1
  • 3
  • 14
  • Have you tried generating a Self-Signed cert for the Keystore as instructed in the mentioned docs? Or you are using the default cert that is generated by the Keycloak? – Athiththan Jul 01 '21 at 11:12
  • I am using the default cert generated by keycloak in the keystore application.keystore inside standalone folder. In the guide says that you can use that certificate. It is the one I imported in WSO2 client-truststore.jks – Burillodev Jul 01 '21 at 12:55

1 Answers1

2

WSO2 API Manager uses the Feign OKHTTP Client to communicate with Keycloak servers. The OKHTTP client requires the public cert with SAN entries as the same as CN.

The default public cert of the Keycloak doesn't contain any SAN values. Therefore, when trying to communicate with the Keycloak, the Feign client starts to throw SSL exceptions. To overcome this, you can follow this documentation, creating a new Keystore for the Keycloak and import that cert into the client-truststore.jks of the API Manager. The mentioned keytool commands generate the Keystore and certs with SAN entries.

Given is the same Keytool command from the API Manager Docs.

keytool -genkey -alias server -keyalg RSA -keysize 2048 -validity 3650 -keystore application.keystore -dname "CN=localhost,OU=Support,O=WSO2,L=Colombo,S=Western,C=LK" -storepass password -keypass password -noprompt -ext SAN=dns:localhost

Further, the mentioned hostname_verifier configurations are not applicable to disable the Hostname verification in OKHTTP client.

This is not an absolute solution for the behavior that you are facing, but you can go with this alternate approach (generating a new Keystore for the Keycloak) to overcome it.

Few points related to OKHTTP client were gathered from here. Hope this helps you to overcome the issue with an alternate approach.

Athiththan
  • 1,874
  • 8
  • 18
  • After creating the certificate with the keytool command you provided it works perfectly. Thank you very much! – Burillodev Jul 02 '21 at 00:03