Univention Bugzilla – Attachment 11017 Details for Bug 55488: Use start TLS as default for LDAP federation in Keycloak
[patch] KC changes
Filename: ca.patch
MIME Type: text/plain
Creator: Nikola Radovanovic
Created: 2022-12-12 12:02:03 CET
Size: 2.32 KB
Description: KC changes
Flags: patch, obsolete
>diff --git a/app/compose b/app/compose >index 2919c67..79e2af8 100644 >--- a/app/compose >+++ b/app/compose >@@ -24,6 +24,7 @@ with open(pwdfile, 'r') as fd: > X509_CA_BUNDLE: "/ca-certificates.crt" > volumes: > - /etc/ssl/certs/ca-certificates.crt:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro >+ - /etc/univention/ssl/ucsCA/CAcert.pem:/etc/pki/ca-trust/extracted/pem/ucsCAcert.pem:ro > - /var/lib/univention-appcenter/apps/keycloak/conf/UCS:/opt/keycloak/themes/UCS > #- /var/lib/univention-appcenter/apps/keycloak/data/development:/opt/jboss/keycloak/standalone/deployments/ > ports: >diff --git a/app/inst b/app/inst >index 9b1dadf..8d603e4 100644 >--- a/app/inst >+++ b/app/inst >@@ -136,6 +136,9 @@ do > > done > >+# add UCS rootCA to trusted CA certificates >+univention-app shell keycloak keytool -cacerts -import -alias ucsCA -file /etc/pki/ca-trust/extracted/pem/ucsCAcert.pem -storepass "changeit" -noprompt >+ > # another restart for the cache initialization > univention-app restart keycloak > >diff --git a/docs/configuration.rst b/docs/configuration.rst >index 95a7acf..eecbab4 100644 >--- a/docs/configuration.rst >+++ b/docs/configuration.rst 
>@@ -288,6 +288,32 @@ federation* is useful when administrators want to keep track of all users in > > For more information on |SPI|, see :cite:t:`keycloak-spi`. > >+.. _ad-hoc-federation-import-external-ca: >+ >+Import external CA certificates >+------------------------------- >+ >+Federation involves other, for example external, server systems and requires >+trust. Certificates are a way to implement trust. To tell your Keycloak >+system to trust another system for the ad-hoc federation, you need to >+import the CA certificate for that system. Keycloak needs the CA certificate >+to verify the encrypted connection with the other system. >+ >+Use the following steps to add the CA certificate of the other system: >+ >+.. code-block:: console >+ >+ $ docker cp /path/to/externalCA.pem keycloak:/externalCA.pem >+ $ univention-app shell keycloak \ >+ keytool -cacerts -import -alias ucsCA -file /externalCA.pem -storepass "changeit" -noprompt >+ >+Repeat this procedure when any CA certificate expires. In case of any CA related >+TLS error, restart the container: >+ >+.. code-block:: console >+ >+ $ docker restart keycloak >+ > .. _ad-hoc-federation-custom-auth-flow: > > Create custom authentication flow
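Review bot: the new bind mount `- /etc/univention/ssl/ucsCA/CAcert.pem:/etc/pki/ca-trust/extracted/pem/ucsCAcert.pem:ro` hardcodes a host path that only exists on a UCS host and is not checked anywhere; if the file is absent when the container is created, Docker creates an empty directory at that host path and the `keytool -import` in `inst` then fails on a directory rather than a PEM file. Guard the mount or the import with an existence check, and consider mounting the file somewhere outside `/etc/pki/ca-trust/extracted/pem/`, since that directory is generated output of the ca-trust tooling and a hand-placed file there is only ever consumed by the keytool step. The `:ro` flag is the right choice for a CA certificate.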
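Review bot: the import `keytool -cacerts -import -alias ucsCA -file /etc/pki/ca-trust/extracted/pem/ucsCAcert.pem -storepass "changeit" -noprompt` is not idempotent: if `inst` runs a second time (reinstall, or an update path that reuses it) keytool refuses with "alias <ucsCA> already exists" and exits non-zero, which aborts the script if it runs with errexit. Delete any existing alias first, e.g. `univention-app shell keycloak keytool -cacerts -delete -alias ucsCA -storepass changeit || true`, or skip the import when `keytool -cacerts -list -alias ucsCA` succeeds. Two further points: the certificate is written into the container's own cacerts file, so it does not survive recreation of the container on an app update and has to be repeated there or moved to container start; and `-storepass "changeit"` is the JDK default truststore password hardcoded into the script, which is acceptable for the stock cacerts but deserves a comment saying so.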
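Review bot: the documented command `keytool -cacerts -import -alias ucsCA -file /externalCA.pem -storepass "changeit" -noprompt` reuses `ucsCA`, the alias the `inst` hunk already assigns to the UCS root CA, so an administrator following these steps verbatim gets keytool's "alias already exists" error instead of an imported external CA. The docs should use a distinct alias per certificate (for example `-alias externalCA`) and, because "Repeat this procedure when any CA certificate expires" hits the same error, add a `keytool -cacerts -delete -alias <name>` step before re-importing. Also, Keycloak's JVM does not re-read cacerts while running, so the `docker restart keycloak` shown under "In case of any CA related TLS error" is required after every import for the certificate to take effect; state it as a step of the procedure rather than as error recovery.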