Attachment #11017 for bug #55488

View | Details | Raw Unified | Return to bug 55488
Collapse All | Expand All

Lines 24-29 with open(pwdfile, 'r') as fd: Link Here

(-)a/app/compose (+1 lines)
24	X509_CA_BUNDLE: "/ca-certificates.crt"	24	X509_CA_BUNDLE: "/ca-certificates.crt"
25	volumes:	25	volumes:
26	- /etc/ssl/certs/ca-certificates.crt:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro	26	- /etc/ssl/certs/ca-certificates.crt:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
		27	- /etc/univention/ssl/ucsCA/CAcert.pem:/etc/pki/ca-trust/extracted/pem/ucsCAcert.pem:ro
27	- /var/lib/univention-appcenter/apps/keycloak/conf/UCS:/opt/keycloak/themes/UCS	28	- /var/lib/univention-appcenter/apps/keycloak/conf/UCS:/opt/keycloak/themes/UCS
28	#- /var/lib/univention-appcenter/apps/keycloak/data/development:/opt/jboss/keycloak/standalone/deployments/	29	#- /var/lib/univention-appcenter/apps/keycloak/data/development:/opt/jboss/keycloak/standalone/deployments/
29	ports:	30	ports:

Lines 136-141 do Link Here

(-)a/app/inst (+3 lines)
136		136
137	done	137	done
138		138
		139	# add UCS rootCA to trusted CA certificates
		140	univention-app shell keycloak keytool -cacerts -import -alias ucsCA -file /etc/pki/ca-trust/extracted/pem/ucsCAcert.pem -storepass "changeit" -noprompt
		141
139	# another restart for the cache initialization	142	# another restart for the cache initialization
140	univention-app restart keycloak	143	univention-app restart keycloak
141		144





   For more information on |SPI|, see :cite:t:`keycloak-spi`.

.. _ad-hoc-federation-import-external-ca:

Import external CA certificates
-------------------------------

Federation involves other, for example external, server systems and requires
trust. Certificates are a way to implement trust. To tell your Keycloak
system to trust another system for the ad-hoc federation, you need to
import the CA certificate for that system. Keycloak needs the CA certificate
to verify the encrypted connection with the other system.

Use the following steps to add the CA certificate of the other system:

.. code-block:: console

   $ docker cp /path/to/externalCA.pem keycloak:/externalCA.pem
   $ univention-app shell keycloak \
   keytool -cacerts -import -alias ucsCA -file /externalCA.pem -storepass "changeit" -noprompt

Repeat this procedure when any CA certificate expires. In case of any CA related
TLS error, restart the container:

.. code-block:: console

  $ docker restart keycloak

.. _ad-hoc-federation-custom-auth-flow:

Create custom authentication flow

Return to bug 55488

Lines 288-293 federation* is useful when administrators want to keep track of all users in Link Here

(-)a/docs/configuration.rst (+26 lines)
288		288
289	For more information on \|SPI\|, see :cite:t:`keycloak-spi`.	289	For more information on \|SPI\|, see :cite:t:`keycloak-spi`.
290		290
		291	.. _ad-hoc-federation-import-external-ca:
		292
		293	Import external CA certificates
		294	-------------------------------
		295
		296	Federation involves other, for example external, server systems and requires
		297	trust. Certificates are a way to implement trust. To tell your Keycloak
		298	system to trust another system for the ad-hoc federation, you need to
		299	import the CA certificate for that system. Keycloak needs the CA certificate
		300	to verify the encrypted connection with the other system.
		301
		302	Use the following steps to add the CA certificate of the other system:
		303
		304	.. code-block:: console
		305
		306	$ docker cp /path/to/externalCA.pem keycloak:/externalCA.pem
		307	$ univention-app shell keycloak \
		308	keytool -cacerts -import -alias ucsCA -file /externalCA.pem -storepass "changeit" -noprompt
		309
		310	Repeat this procedure when any CA certificate expires. In case of any CA related
		311	TLS error, restart the container:
		312
		313	.. code-block:: console
		314
		315	$ docker restart keycloak
		316
291	.. _ad-hoc-federation-custom-auth-flow:	317	.. _ad-hoc-federation-custom-auth-flow:
292		318
293	Create custom authentication flow	319	Create custom authentication flow