
How to import SSL certificate from Windows Active Directory as LDAP Provider

Error when trying to connect to LDAP: ‘SSLHandshakeFailed’, javax.net.ssl.SSLHandshakeException, PKIX path building failed, Keycloak

Problem

ITRS Analytics includes a Keycloak component for user administration. Users can follow the User Federation section of the documentation to integrate Windows Active Directory into their environment.

If Active Directory is secured with custom certificates, or with certificates issued by a root authority that Keycloak does not trust by default, users may encounter certificate verification errors on LDAP connections. A common symptom is the error message below when pressing the Test Connection button.

Error when trying to connect to LDAP: 'SSLHandshakeFailed'

Possible Causes

Check the Keycloak logs from the ITRS Analytics server, or from any host where the kubectl command is available:

kubectl logs <keycloak-pod-id-xxxxx> -n kotsadm

The error below may be found:

[Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Possible Solution

Work with your Active Directory administrator to obtain the root CA certificate files. Refer to the Keycloak documentation linked below for the supported certificate formats. More than one certificate may be involved (for example a root CA and an issuing CA), so it is easier to consolidate them into a single PEM file. This article uses the PEM format throughout.

  1. In the directory where the PEM file is located (this article assumes it is named my-ca-certs.pem), issue the command below to create a ConfigMap.
kubectl create configmap -n kotsadm my-ca-certs --from-file=my-ca-certs.pem
  2. Edit the Deployment of the Keycloak component with the command below.
kubectl edit deployments -n kotsadm keycloak

A text editor such as “vi” should appear. YAML is sensitive to spaces and alignment, so add the new entries exactly as described below.

(a) volumes

Search for the volumes: section. Add the 4 lines below so the volume references the ConfigMap created in step 1.

volumes:
- configMap:
    defaultMode: 420
    name: my-ca-certs
  name: my-ca-certs

(b) volumeMounts

Search for the volumeMounts: section. Add the 3 lines below so the volume is mounted read-only at the /opt/keycloak/data/import2/ directory.

volumeMounts:
- mountPath: /opt/keycloak/data/import2/
  name: my-ca-certs
  readOnly: true

(c) env

Search for the env: section of the Keycloak container. Add the 2 lines below so the KC_TRUSTSTORE_PATHS environment variable points at the mounted PEM file.

- env:
  - name: KC_TRUSTSTORE_PATHS
    value: /opt/keycloak/data/import2/my-ca-certs.pem

After saving the configuration and leaving the text editor, the Keycloak pod restarts automatically to pick up the new settings.
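As an added example that is not part of this article or of the ITRS product, the shell script below automates the consolidation step and the three YAML edits: it concatenates several CA files into one PEM bundle, checks that every certificate block in the bundle is complete, and renders a strategic-merge patch that adds the same volumes, volumeMounts and env entries shown above, so the change can be applied with kubectl patch rather than typed into vi. The ConfigMap name, namespace, Deployment name and mount path are taken from this article; the Keycloak container name ("keycloak") and the placeholder certificate files are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ITRS article: build a single PEM bundle from
# several CA files, sanity-check it, and render a strategic-merge patch that
# applies the same three edits (volume, volumeMount, KC_TRUSTSTORE_PATHS) as
# the manual "kubectl edit" steps. Names taken from the article: ConfigMap
# my-ca-certs, namespace kotsadm, Deployment keycloak, mount path
# /opt/keycloak/data/import2/. Assumed: the Keycloak container is also named
# "keycloak" (confirm with the kubectl get command printed by demo).

# Count the certificate blocks in a PEM file. Fails when a BEGIN line has no
# matching END line (a truncated or partially pasted file) or when the file
# holds no certificate at all; either leaves Keycloak without the issuing CA
# and still produces "unable to find valid certification path".
pem_cert_count() {
  awk '/^-----BEGIN CERTIFICATE-----$/ { b++ }
       /^-----END CERTIFICATE-----$/   { e++ }
       END { if (b == 0 || b != e) exit 1; print b }' "$1"
}

# Concatenate CA files into one bundle. A file without a final newline would
# otherwise glue its END line to the next file's BEGIN line, and the PEM
# parser then silently skips the second certificate.
build_bundle() {
  out=$1
  shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    if [ -n "$(tail -c 1 "$f")" ]; then
      printf '\n' >> "$out"
    fi
  done
  pem_cert_count "$out" > /dev/null
}

# Render a strategic-merge patch for the Keycloak Deployment. Kubernetes merges
# volumes, containers and env entries by name and volumeMounts by mountPath,
# so applying the patch a second time changes nothing. defaultMode 420 is the
# decimal form of file mode 0644.
render_patch() {
  cm=$1
  pem=$2
  container=$3
  cat <<EOF
spec:
  template:
    spec:
      volumes:
      - name: $cm
        configMap:
          name: $cm
          defaultMode: 420
      containers:
      - name: $container
        volumeMounts:
        - name: $cm
          mountPath: /opt/keycloak/data/import2/
          readOnly: true
        env:
        - name: KC_TRUSTSTORE_PATHS
          value: /opt/keycloak/data/import2/$pem
EOF
}

# Walk through the procedure on constructed placeholder files. The kubectl
# commands are printed, not executed, so this runs without a cluster.
demo() {
  tmp=$(mktemp -d)
  # Constructed placeholders, not real certificates: only the PEM delimiters
  # matter to the checks above. The second file deliberately lacks a trailing
  # newline to exercise build_bundle.
  printf -- '-----BEGIN CERTIFICATE-----\nROOT-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$tmp/root-ca.pem"
  printf -- '-----BEGIN CERTIFICATE-----\nISSUING-CA-PLACEHOLDER\n-----END CERTIFICATE-----' > "$tmp/issuing-ca.pem"

  build_bundle "$tmp/my-ca-certs.pem" "$tmp/root-ca.pem" "$tmp/issuing-ca.pem"
  echo "my-ca-certs.pem holds $(pem_cert_count "$tmp/my-ca-certs.pem") certificate(s)"

  render_patch my-ca-certs my-ca-certs.pem keycloak > "$tmp/keycloak-truststore-patch.yaml"
  echo "Commands to run against the cluster:"
  echo "  kubectl get deployment keycloak -n kotsadm -o jsonpath='{.spec.template.spec.containers[*].name}'"
  echo "  kubectl create configmap -n kotsadm my-ca-certs --from-file=$tmp/my-ca-certs.pem"
  echo "  kubectl patch deployment keycloak -n kotsadm --patch-file $tmp/keycloak-truststore-patch.yaml"
}

demo
```

Run the script once to produce the bundle and patch file, inspect the patch, and then run the three printed kubectl commands in order. If the container name printed by the first command is not "keycloak", pass the real name as the third argument of render_patch before applying the patch; a patch that targets a non-existent container name would add a new container rather than modify the existing one.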

Verification

  1. Open a shell in the Keycloak pod. The PEM file should be present in the mount directory as a symbolic link into the ConfigMap volume.
kubectl exec <keycloak-pod-id-xxxxx> -it -n kotsadm -- /bin/bash
ls -l /opt/keycloak/data/import2/
  2. In the User Federation settings in Keycloak, press the Test Connection button on the LDAP Settings tab again. The following message should be displayed:
Successfully connected to LDAP