SSL connection for LDAP/AD Store with Keycloak
Follow this procedure to set up an SSL connection for the LDAP/AD store with Keycloak.
- For SSL, the LDAP server must be reachable by using its FQDN.
- Ensure that you have a truststore JKS file, or the certificate file from which to generate one (see the steps below).
1. Log in to the deployer VM.
2. Generate the certificate file:

       $ true | openssl s_client -connect <LDAP_SERVER_IP>:<LDAP_SERVER_PORT> 2>/dev/null | openssl x509 > ldap_<LDAP_SERVER_IP>.crt

   For example:

       true | openssl s_client -connect 10.101.127.58:636 2>/dev/null | openssl x509 > ldap_10.101.127.58.crt

   If you already have the certificate file, skip step 2 and go to the next step.
3. Generate the truststore file:

       $ keytool -import -keystore <path to truststore certificate>/truststore.jks -file <path to credentials>/ldap_<LDAP_SERVER_IP>.crt -storepass <TRUSTSTORE_PASSWORD> -storetype JKS

   For example:

       keytool -import -keystore /home/tco/truststore.jks -file /home/tco/ldap_10.101.127.58.crt -storepass password -storetype JKS

   If you already have the truststore file, skip step 3 and go to the next step.
4. Certificate usage:
   - To import the certificate:
     - Create the secret from the truststore certificate file:

           $ kubectl create secret generic keycloak-ssl-secret --from-file=truststore.jks

     - Restart Keycloak:

           $ kubectl get pods | awk '/keycloak/{print $1}' | xargs kubectl delete pod

   - To list the certificate:
     - If the certificate is present, the following command shows the keycloak-ssl-secret secret:

           $ kubectl get secrets | grep keycloak-ssl-secret

   - To delete the certificate:
     - Delete the keycloak-ssl-secret secret:

           $ kubectl delete secret keycloak-ssl-secret

     - Restart Keycloak:

           $ kubectl get pods | awk '/keycloak/{print $1}' | xargs kubectl delete pod

   - To update the certificate:
     - Use the new truststore file; it replaces the existing truststore certificate file:

           $ kubectl create secret generic keycloak-ssl-secret --from-file=truststore.jks --dry-run=client -o yaml | kubectl apply -f -

     - Restart Keycloak:

           $ kubectl get pods | awk '/keycloak/{print $1}' | xargs kubectl delete pod
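The whole procedure as one script, added here as an example (it is not code from the original page), with the checks an operator would want before trusting a certificate fetched over the network: an FQDN check, SNI when fetching, a fingerprint to compare out of band, and an explicit keytool alias. It assumes openssl, keytool and kubectl are on PATH; the alias "ldap-server" and the TRUSTSTORE_PASSWORD variable are this script's own choices.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes openssl, keytool and
# kubectl are on PATH; alias "ldap-server" and TRUSTSTORE_PASSWORD are ours.
set -eu
# The procedure requires the LDAP server to be reached by FQDN: reject bare
# IPs so the name in the ldaps:// URL can match the certificate's SAN.
require_fqdn() {
    case "$1" in
        *.*) ;;
        *) echo "not a fully qualified name: $1" >&2; return 1 ;;
    esac
    case "$1" in
        *[!0-9.]*) return 0 ;;
        *) echo "use the server FQDN, not an IP address: $1" >&2; return 1 ;;
    esac
}
# Step 2 with SNI (-servername) so a server hosting several names returns the
# certificate for this one. openssl x509 keeps only the first (leaf) cert, so
# the truststore must be refreshed whenever the server certificate is renewed.
fetch_cert() {   # $1=fqdn $2=port -> writes ldap_<fqdn>.crt
    true | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -out "ldap_$1.crt"
}
# Print the SHA-256 fingerprint so it can be compared with the value the LDAP
# administrator provides out of band before the certificate is trusted.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
# Step 3 with an explicit alias: keytool defaults to "mykey", which collides
# as soon as a second certificate is imported into the same store.
import_cert() {  # $1=crt $2=truststore.jks
    keytool -importcert -noprompt -alias ldap-server -keystore "$2" \
        -file "$1" -storepass "$TRUSTSTORE_PASSWORD" -storetype JKS
    # confirm the entry really landed in the store
    keytool -list -alias ldap-server -keystore "$2" -storepass "$TRUSTSTORE_PASSWORD"
}
# Create-or-update the secret (the page's "update" form) and restart Keycloak.
apply_secret() { # $1=truststore.jks
    kubectl create secret generic keycloak-ssl-secret \
        --from-file=truststore.jks="$1" --dry-run=client -o yaml | kubectl apply -f -
    kubectl get pods | awk '/keycloak/{print $1}' | xargs kubectl delete pod
}
main() {         # usage: sh ldap-ssl.sh <ldap-fqdn> <port> <truststore.jks>
    require_fqdn "$1"
    fetch_cert "$1" "$2"
    fingerprint "ldap_$1.crt"
    import_cert "ldap_$1.crt" "$3"
    apply_secret "$3"
}
if [ "$#" -eq 3 ]; then main "$@"; fi
```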