SSSD / sssd-ci-containers

Setup containerized environment for testing and developing SSSD.
GNU General Public License v3.0

keycloak: add KC_HTTPS_TRUST_STORE_TYPE #108

Open sumit-bose opened 3 weeks ago

sumit-bose commented 3 weeks ago

It looks like recent versions of keycloak require that the KC_HTTPS_TRUST_STORE_TYPE environment variable is set. Otherwise an error like "kc.sh[54]: Unable to determine 'https-trust-store-type' automatically. Adjust the file extension or specify the property." might occur and keycloak fails to start.

sumit-bose commented 3 weeks ago

Hi,

it looks like in recent versions of keycloak KC_HTTPS_TRUST_STORE_FILE, KC_HTTPS_TRUST_STORE_PASSWORD and KC_HTTPS_TRUST_STORE_TYPE are deprecated in favor of System Truststore.

Additionally there are the messages

Oct 25 12:41:25 master.keycloak.test kc.sh[304]: 2024-10-25 12:41:25,881 WARN  [org.keycloak.services] (main) KC-SERVICES0110: Environment variable 'KEYCLOAK_ADMIN' is deprecated, use 'KC_BOOTSTRAP_ADMIN_USERNAME' instead
Oct 25 12:41:25 master.keycloak.test kc.sh[304]: 2024-10-25 12:41:25,881 WARN  [org.keycloak.services] (main) KC-SERVICES0110: Environment variable 'KEYCLOAK_ADMIN_PASSWORD' is deprecated, use 'KC_BOOTSTRAP_ADMIN_PASSWORD' instead

asking to change KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD as well.

Since I wasn't sure about backwards compatibility, I only added KC_HTTPS_TRUST_STORE_TYPE for the time being, but I can prepare an additional pull-request with the other changes if needed as well.

bye, Sumit

sumit-bose commented 2 weeks ago

> In ipa-tuura deployment we execute:
>
> keytool -importcert -alias bridge -file /opt/keycloak/bridge.crt -keystore /opt/keycloak/keystore.jks -trustcacerts -storepass redhat -noprompt
>
> Maybe it is enough to change the keystore file to have .jks filename extension?

Hi,

yes, this works for me as well, not sure what would be the preferable solution.

bye, Sumit

justin-stephenson commented 2 weeks ago

> > In ipa-tuura deployment we execute:
> >
> > keytool -importcert -alias bridge -file /opt/keycloak/bridge.crt -keystore /opt/keycloak/keystore.jks -trustcacerts -storepass redhat -noprompt
> >
> > Maybe it is enough to change the keystore file to have .jks filename extension?
>
> Hi,
>
> yes, this works for me as well, not sure what would be the preferable solution.
>
> bye, Sumit

I'm fine with either approach, Ack.
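
Added example, not part of the pull request or any comment above: both options discussed in the thread (setting KC_HTTPS_TRUST_STORE_TYPE explicitly, or renaming the file to .jks) depend on knowing what format the truststore file really is, and the file name is only a hint, since keytool from JDK 9 onward writes PKCS12 by default unless -storetype is given. This sketch identifies the format from the file's leading bytes and prints the matching variable. The function names are hypothetical, the PKCS12 check is a heuristic, and the values JKS and PKCS12 are the standard Java keystore type names, assumed here to be what the variable expects.

```shell
#!/bin/sh
# Added example: identify a truststore's on-disk format so that
# KC_HTTPS_TRUST_STORE_TYPE can be set to match the file's content.

# Print JKS, PKCS12 or unknown for the file given as $1.
truststore_type() {
    # First four bytes as lowercase hex, e.g. "feedfeed".
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;      # JKS magic number 0xFEEDFEED
        30*)      echo PKCS12 ;;   # DER SEQUENCE tag; heuristic only, any
                                   # DER-encoded file starts this way
        *)        echo unknown ;;  # PEM, empty, missing or other content
    esac
}

# Print the environment line for the truststore in $1.
# Fails (non-zero) when the format cannot be identified.
trust_store_env() {
    t=$(truststore_type "$1")
    if [ "$t" = unknown ]; then
        echo "cannot identify keystore format of $1" >&2
        return 1
    fi
    echo "KC_HTTPS_TRUST_STORE_TYPE=$t"
}

# Map the deprecated variable names from the KC-SERVICES0110 warnings
# quoted in the thread to their replacements; non-zero if not listed.
replacement_for() {
    case "$1" in
        KEYCLOAK_ADMIN)          echo KC_BOOTSTRAP_ADMIN_USERNAME ;;
        KEYCLOAK_ADMIN_PASSWORD) echo KC_BOOTSTRAP_ADMIN_PASSWORD ;;
        *) return 1 ;;
    esac
}
```

Running `trust_store_env` against the file produced by the keytool command quoted above shows whether the .jks name matches the content before relying on extension-based detection.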