Follow this procedure to set up an SSL connection from Keycloak to an LDAP/AD user store.

Prerequisites

  • For SSL, the LDAP server must be reachable by its FQDN.
  • Ensure that you have a truststore JKS file into which the truststore certificate file is imported.

Procedure

  1. Log in to the deployer VM.
  2. Generate the certificate file:
    $ true | openssl s_client -connect <LDAP_SERVER_IP>:<LDAP_SERVER_PORT> 2>/dev/null | openssl x509 > ldap_<LDAP_SERVER_IP>.crt
    For example:
    true | openssl s_client -connect 10.101.127.58:636 2>/dev/null | openssl x509 > ldap_10.101.127.58.crt
    Note: If you already have the certificate file, skip step 2 and go to the next step.
  3. Generate the truststore file:
    $ keytool -import -keystore <path to truststore certificate>/truststore.jks -file <path to credentials>/ldap_<LDAP_SERVER_IP>.crt -storepass <TRUSTSTORE_PASSWORD> -storetype JKS
    For example:
    keytool -import -keystore /home/tco/truststore.jks -file /home/tco/ldap_10.101.127.58.crt -storepass password -storetype JKS
    Note: If you already have the truststore file, skip step 3 and go to the next step.
  4. Certificate usage:
    1. To import the certificate:
      1. Create the secret from the truststore file:
        $ kubectl create secret generic keycloak-ssl-secret --from-file=truststore.jks
      2. Restart Keycloak:
        $ kubectl get pods | awk '/keycloak/{print $1}' | xargs kubectl delete pod
    2. To list the certificate:
      1. If the certificate is present, the keycloak-ssl-secret secret is listed:
        $ kubectl get secrets | grep keycloak-ssl-secret
    3. To delete the certificate:
      1. Delete the keycloak-ssl-secret secret:
        $ kubectl delete secret keycloak-ssl-secret
      2. Restart Keycloak:
        $ kubectl get pods | awk '/keycloak/{print $1}' | xargs kubectl delete pod
    4. To update the certificate:
      1. Apply the new truststore file; it replaces the existing truststore certificate file in the secret:
        $ kubectl create secret generic keycloak-ssl-secret --from-file=truststore.jks --dry-run=client -o yaml | kubectl apply -f -
      2. Restart Keycloak:
        $ kubectl get pods | awk '/keycloak/{print $1}' | xargs kubectl delete pod
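The following shell wrapper is an added example, not code from the original page: it runs steps 2 to 4 end to end and inserts the check a practitioner wants before trusting a certificate pulled over the network, namely comparing its SHA-256 fingerprint with one obtained from the LDAP administrator out of band. It assumes openssl, keytool and kubectl are on PATH, kubectl already targets Keycloak's namespace, TRUSTSTORE_PASSWORD is exported, and the per-server keytool alias "ldap-<host>" is this example's own naming choice.

```shell
#!/bin/sh
# Added helper for the procedure above; not part of the original page.
# Assumes openssl, keytool and kubectl on PATH, kubectl pointed at Keycloak's
# namespace, and TRUSTSTORE_PASSWORD exported in the environment.
set -eu

# Strip colons and upper-case hex so fingerprints from different tools compare equal.
normalize_fp() { printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'; }
# True when two fingerprints denote the same certificate.
fingerprints_match() { [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]; }

# Step 2: fetch the leaf certificate the LDAP server presents. -servername sends
# SNI, which matters when the server is addressed by FQDN (prerequisite).
fetch_ldap_cert() {
  true | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 > "ldap_$1.crt"
}

# A certificate pulled over the network is trust-on-first-use: compare its
# SHA-256 fingerprint with one the LDAP administrator supplied out of band.
verify_fetched_cert() {
  actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
  fingerprints_match "$actual" "$2"
}

# Step 3: import under a per-server alias (this example's convention) so a second
# LDAP server does not collide with keytool's default alias; -noprompt skips the y/n question.
import_cert() {
  keytool -importcert -noprompt -alias "ldap-$2" -file "$1" \
    -keystore truststore.jks -storepass "$TRUSTSTORE_PASSWORD" -storetype JKS
}

# Step 4: create or update the secret idempotently, then restart Keycloak
# the same way the procedure does.
apply_secret_and_restart() {
  kubectl create secret generic keycloak-ssl-secret --from-file=truststore.jks \
    --dry-run=client -o yaml | kubectl apply -f -
  kubectl get pods | awk '/keycloak/{print $1}' | xargs kubectl delete pod
}

# Usage: main <LDAP_FQDN> <PORT> <EXPECTED_SHA256_FINGERPRINT>
main() {
  fetch_ldap_cert "$1" "$2"
  verify_fetched_cert "ldap_$1.crt" "$3" \
    || { echo "fingerprint mismatch for $1, certificate not imported" >&2; exit 1; }
  import_cert "ldap_$1.crt" "$1"
  apply_secret_and_restart
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh ldaps-trust.sh ldap.example.internal 636 <fingerprint>`; nothing is imported or applied unless the fingerprint matches.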