KEYCLOAK-11170 Create truststore SPI even when there is SSL Context

fidgi · Sep 3, 2019 · 36c5666 · 36c5666
1 parent 14e07f8
commit 36c5666
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 6 deletions.
diff --git a/server/tools/cli/x509-truststore.cli b/server/tools/cli/x509-truststore.cli
@@ -2,11 +2,11 @@ embed-server --server-config=$configuration_file --std-out=discard
 /subsystem=elytron/key-store=kcTrustStore:add(path=$keycloak_tls_truststore_file,type=JKS,credential-reference={clear-text=$keycloak_tls_truststore_password})
 /subsystem=elytron/trust-manager=kcTrustManager:add(key-store=kcTrustStore)
 if (outcome != success) of /subsystem=elytron/server-ssl-context=kcSSLContext:read-resource
-	/subsystem=elytron/server-ssl-context=kcSSLContext:add(trust-manager=kcTrustManager,want-client-auth=true)
-	batch
-	/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
-	/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=kcSSLContext)
-	run-batch
+    # Since WF requires a Key Manager for creating /subsystem=elytron/server-ssl-context, there's nothing we can do at this point.
+    # We can not automatically generate a self-signed key (Elytron doesn't support this, see https://docs.wildfly.org/13/WildFly_Elytron_Security.html#configure-ssltls),
+    # and we don't have anything else at hand.
+    # However, there is no big harm here - the Trust Store is more needed by Keycloak Truststore SPI.
+    echo "WARNING! There is no Key Manager (No Key Store specified). Skipping HTTPS Listener configuration..."
 else
     # The SSL Context has been added by keystore, not much to do - just append trust store and we are done.
 	/subsystem=elytron/server-ssl-context=kcSSLContext:write-attribute(name=trust-manager, value=kcTrustManager)

diff --git a/server/tools/x509.sh b/server/tools/x509.sh
@@ -66,7 +66,9 @@ function autogenerate_keystores() {
     echo "Creating Keycloak truststore.."
     # We use cat here, so that users could specify multiple CA Bundles using space or even wildcard:
     # X509_CA_BUNDLE=/var/run/secrets/kubernetes.io/serviceaccount/*.crt
-    cat "${X509_CA_BUNDLE}" > ${TEMPORARY_CERTIFICATE}
+    # Note, that there is no quotes here, that's intentional. Once can use spaces in the $X509_CA_BUNDLE like this:
+    # X509_CA_BUNDLE=/ca.crt /ca2.crt
+    cat ${X509_CA_BUNDLE} > ${TEMPORARY_CERTIFICATE}
     csplit -s -z -f crt- "${TEMPORARY_CERTIFICATE}" "${X509_CRT_DELIMITER}" '{*}'
     for CERT_FILE in crt-*; do
       keytool -import -noprompt -keystore "${JKS_TRUSTSTORE_PATH}" -file "${CERT_FILE}" \