Attachment 11017 Details for Bug 55488

[patch] KC changes

ca.patch (text/plain), 2.32 KB, created by Nikola Radovanovic on 2022-12-12 12:02 CET

(hide)

Description:

Filename:

MIME Type:

Creator: Nikola Radovanovic

Created: 2022-12-12 12:02 CET

Size: 2.32 KB

patch

obsolete

>diff --git a/app/compose b/app/compose
>index 2919c67..79e2af8 100644
>--- a/app/compose
>+++ b/app/compose
>@@ -24,6 +24,7 @@ with open(pwdfile, 'r') as fd:
>       X509_CA_BUNDLE: "/ca-certificates.crt"
>     volumes:
>       - /etc/ssl/certs/ca-certificates.crt:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
>+      - /etc/univention/ssl/ucsCA/CAcert.pem:/etc/pki/ca-trust/extracted/pem/ucsCAcert.pem:ro
>       - /var/lib/univention-appcenter/apps/keycloak/conf/UCS:/opt/keycloak/themes/UCS
>       #- /var/lib/univention-appcenter/apps/keycloak/data/development:/opt/jboss/keycloak/standalone/deployments/
>     ports:
>diff --git a/app/inst b/app/inst
>index 9b1dadf..8d603e4 100644
>--- a/app/inst
>+++ b/app/inst
>@@ -136,6 +136,9 @@ do
> 
> done
> 
>+# add UCS rootCA to trusted CA certificates
>+univention-app shell keycloak keytool -cacerts -import -alias ucsCA -file /etc/pki/ca-trust/extracted/pem/ucsCAcert.pem -storepass "changeit" -noprompt
>+
> # another restart for the cache initialization
> univention-app restart keycloak
> 
>diff --git a/docs/configuration.rst b/docs/configuration.rst
>index 95a7acf..eecbab4 100644
>--- a/docs/configuration.rst
>+++ b/docs/configuration.rst
>@@ -288,6 +288,32 @@ federation* is useful when administrators want to keep track of all users in
> 
>    For more information on |SPI|, see :cite:t:`keycloak-spi`.
> 
>+.. _ad-hoc-federation-import-external-ca:
>+
>+Import external CA certificates
>+-------------------------------
>+
>+Federation involves other, for example external, server systems and requires
>+trust. Certificates are a way to implement trust. To tell your Keycloak
>+system to trust another system for the ad-hoc federation, you need to
>+import the CA certificate for that system. Keycloak needs the CA certificate
>+to verify the encrypted connection with the other system.
>+
>+Use the following steps to add the CA certificate of the other system:
>+
>+.. code-block:: console
>+
>+   $ docker cp /path/to/externalCA.pem keycloak:/externalCA.pem
>+   $ univention-app shell keycloak \
>+   keytool -cacerts -import -alias ucsCA -file /externalCA.pem -storepass "changeit" -noprompt
>+
>+Repeat this procedure when any CA certificate expires. In case of any CA related
>+TLS error, restart the container:
>+
>+.. code-block:: console
>+
>+  $ docker restart keycloak
>+
> .. _ad-hoc-federation-custom-auth-flow:
> 
> Create custom authentication flow

Actions: View | Diff

Attachments on bug 55488: 11017