Follow this procedure to configure an SSL connection from Keycloak to an LDAP/AD user store.
Prerequisites
- For SSL, the LDAP server must be reachable by using its FQDN.
- Ensure that you have a truststore JKS file, or generate one from the LDAP server certificate as described in the procedure.
Procedure
- Log in to the deployer VM.
- Generate the certificate file:
$ true | openssl s_client -connect <LDAP_SERVER_IP>:<LDAP_SERVER_PORT> 2>/dev/null | openssl x509 > ldap_<LDAP_SERVER_IP>.crt
For example:
$ true | openssl s_client -connect 10.101.127.58:636 2>/dev/null | openssl x509 > ldap_10.101.127.58.crt
Note: If you already have the certificate file, skip step 2 and go to the next step.
- Generate the truststore file (the -alias option gives the imported certificate a recognizable name inside the truststore):
$ keytool -import -alias ldap_<LDAP_SERVER_IP> -keystore <path to truststore certificate>/truststore.jks -file <path to credentials>/ldap_<LDAP_SERVER_IP>.crt -storepass <TRUSTSTORE_PASSWORD> -storetype JKS
For example:
$ keytool -import -alias ldap_10.101.127.58 -keystore /home/tco/truststore.jks -file /home/tco/ldap_10.101.127.58.crt -storepass password -storetype JKS
keytool prints the certificate fingerprint and asks you to confirm that you trust it; compare the fingerprint with the certificate file generated in step 2 before answering yes.
Note: If you already have the truststore file, skip step 3 and go to the next step.
- Certificate usage:
  - To import the certificate:
    - Create the secret from the truststore certificate file:
      $ kubectl create secret generic keycloak-ssl-secret --from-file=truststore.jks
    - Restart Keycloak. The output of kubectl get pods -A has the namespace in the first column and the pod name in the second, so both are passed to kubectl delete pod:
      $ kubectl get pods -A | awk '/keycloak/{print "-n", $1, $2}' | xargs -L 1 kubectl delete pod
  - To list the certificate:
    - If the certificate is present, the command lists the keycloak-ssl-secret secret:
      $ kubectl get secrets | grep keycloak-ssl-secret
  - To delete the certificate:
    - Delete the keycloak-ssl-secret secret:
      $ kubectl delete secret keycloak-ssl-secret
    - Restart Keycloak:
      $ kubectl get pods -A | awk '/keycloak/{print "-n", $1, $2}' | xargs -L 1 kubectl delete pod
  - To update the certificate:
    - Use the new truststore file. It replaces the existing truststore certificate file:
      $ kubectl create secret generic keycloak-ssl-secret --from-file=truststore.jks --dry-run=client -o yaml | kubectl apply -f -
    - Restart Keycloak:
      $ kubectl get pods -A | awk '/keycloak/{print "-n", $1, $2}' | xargs -L 1 kubectl delete pod
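The restart step above is the one that is easy to get wrong: with kubectl get pods -A the first column is the namespace, so a pipeline that only prints $1 hands a namespace name to kubectl delete pod. The script below is an added example, not part of the original procedure or the product's own tooling; it pairs each matching pod with its namespace, and the sample pod listing it parses is constructed for illustration.

```shell
#!/bin/sh
# Added example: restart Keycloak pods in whatever namespace they run in.
# `kubectl get pods -A` prints NAMESPACE in column 1 and NAME in column 2,
# so both values must reach `kubectl delete pod`.

# Read `kubectl get pods -A` output from stdin and print one
# "<namespace> <pod>" line per pod whose NAME matches the pattern in $1.
# The header line (NR == 1) is skipped so "NAMESPACE NAME" is never emitted.
select_pods() {
    awk -v pat="$1" 'NR > 1 && $2 ~ pat { print $1, $2 }'
}

# Constructed sample listing in the `kubectl get pods -A` layout.
SAMPLE_PODS='NAMESPACE     NAME                         READY   STATUS    RESTARTS   AGE
keycloak      keycloak-0                   1/1     Running   0          3d
keycloak      keycloak-postgresql-0        1/1     Running   0          3d
kube-system   coredns-5d78c9869d-abcde     1/1     Running   0          10d'

# Delete every matching pod inside its own namespace. The controller that
# owns the pod recreates it, and the new pod mounts the updated
# keycloak-ssl-secret. Note that a pattern like "keycloak" also matches the
# keycloak-postgresql pod, exactly as the original awk '/keycloak/' did.
restart_pods() {
    kubectl get pods -A | select_pods "$1" \
        | while read -r ns pod; do
            kubectl delete pod -n "$ns" "$pod"
          done
}

# Dry run against the constructed sample: print the commands that
# restart_pods would execute, without contacting a cluster.
preview_restart() {
    printf '%s\n' "$SAMPLE_PODS" | select_pods "$1" \
        | while read -r ns pod; do
            echo "kubectl delete pod -n $ns $pod"
          done
}
```

Run preview_restart keycloak first to confirm that only the intended pods are selected, then restart_pods keycloak against the cluster.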