LDAPS

LDAPS (LDAP over TLS) secures the connection between Keycloak and your LDAP server. Refer to the Keycloak documentation on LDAP for more information.

Keycloak reads its truststore from the default location within the container:

/opt/jboss/keycloak/standalone/configuration/keystores

Copy your certificate authority (CA) certificate into the container:

# Replace <CA.pem> with your certificate authority.
# Replace <container_ID> with your container ID.
docker ps | grep cloak
docker cp <CA.pem> <container_ID>:/opt/jboss

Drop into the container:

# Replace <container_ID> with your container ID.
docker exec -u root -it <container_ID> /bin/bash

Import the CA certificate into the truststore:

# Replace <CA.pem> with your certificate authority.
cd /opt/jboss/keycloak/standalone/configuration/keystores
keytool -keystore truststore -storepass anaconda -noprompt -trustcacerts -importcert -alias ldap-ca -file /opt/jboss/<CA.pem>

Add the CA certificate to the system CA trust bundle:

# Replace <CA.pem> with your certificate authority.
cp /opt/jboss/<CA.pem> /etc/pki/ca-trust/source/anchors/
update-ca-trust

This updates the extracted Java CA bundle found at the following path:

/etc/pki/ca-trust/extracted/java

Restart the container so Keycloak picks up the updated truststore:

# Replace <container_ID> with your container ID.
docker ps | grep cloak
docker restart <container_ID>
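The steps above as a single script, added here as an example rather than taken from the Keycloak or Anaconda documentation. It assumes docker and openssl on the host, keytool and update-ca-trust inside the container, the same truststore path and password as above, and takes the CA file, container ID and LDAPS hostname as arguments; the two text-check functions work on captured command output so they can be exercised without a live server.

```shell
#!/bin/sh
# Usage: ./keycloak_ldaps_trust.sh <CA.pem> <container_ID> <ldaps_hostname>
KEYSTORE_DIR=/opt/jboss/keycloak/standalone/configuration/keystores

# Import the CA into Keycloak's truststore and the OS CA bundle, then restart.
install_ca() {
  ca="$1"; cid="$2"
  docker cp "$ca" "$cid":/opt/jboss/ca.pem          # ca.pem is an assumed target name
  docker exec -u root "$cid" sh -c "
    cd $KEYSTORE_DIR &&
    keytool -keystore truststore -storepass anaconda -noprompt -trustcacerts \
      -importcert -alias ldap-ca -file /opt/jboss/ca.pem &&
    cp /opt/jboss/ca.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust"
  docker restart "$cid"
}

# Return 0 if openssl s_client output shows the server chain validated against the CA.
chain_ok() {
  printf '%s\n' "$1" | grep -q '^Verify return code: 0 (ok)'
}

# Return 0 if keytool -list -v output lists the given alias.
alias_present() {
  printf '%s\n' "$1" | grep -qx "Alias name: $2"
}

# Check the server chain against the CA and confirm the alias landed in the truststore.
verify_ldaps() {
  ca="$1"; cid="$2"; host="$3"
  out=$(openssl s_client -CAfile "$ca" -connect "$host:636" </dev/null 2>&1)
  chain_ok "$out" || { echo "server chain did not verify against $ca"; return 1; }
  ks=$(docker exec "$cid" keytool -list -v -keystore "$KEYSTORE_DIR/truststore" \
         -storepass anaconda)
  alias_present "$ks" ldap-ca || { echo "alias ldap-ca missing from truststore"; return 1; }
  echo "LDAPS trust configured and verified for $host"
}

main() { install_ca "$1" "$2" && verify_ldaps "$1" "$2" "$3"; }

# Only run when invoked with all three arguments.
if [ "$#" -eq 3 ]; then main "$@"; fi
```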

Troubleshooting

If the connection fails, verify that the LDAPS server's certificate chain validates against your CA:

# Replace <CA.pem> with your certificate authority.
# Replace ldapserver.com with the hostname of your LDAPS server.
openssl s_client -CAfile <CA.pem> -connect ldapserver.com:636

The output should include the following line:

Verify return code: 0 (ok)

You can inspect the truststore you created, and confirm the ldap-ca alias is present, with the following command:

keytool -list -v -keystore /opt/jboss/keycloak/standalone/configuration/keystores/truststore -storepass anaconda