Red Hat build of Keycloak: RHBK-2552

Problematic migration guidance (SSO7.x to 26.0) for migrating truststore configuration


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 26.0.10, 24.0.11
    • Affects Version/s: 24.0 GA (24.0.2), 26.0 GA (26.0.4)

      The migration guide 26.0 states: "For the PKCS12 files, the certs must be unencrypted, which means that no password is expected." However, when actually running keytool, an error occurs, requiring the -deststorepass to be at least 6 characters long.

      A workaround is to use the following command:
      openssl pkcs12 -in myTrustStore.p12 -nodes -password pass:123456 | openssl pkcs12 -export -out myTrustStore_nopass.p12 -nokeys -password pass:
      However, the following error occurred, and the connection could not be established:

      javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid requested target

      So the best recommendation for the migration guide would be to advise using PEM files directly instead of creating and managing keystores.
      This approach is simpler and avoids potential issues with openssl or keytool, which seem to have inconsistent behavior with empty passwords.
      But we should mention the problem with PKCS12 files so that the user is aware of it.
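      The PEM route recommended above, as an added example that is not part of this issue or of the Keycloak project: the script builds a password-protected PKCS12 truststore (the constructed "123456" password is the 6-character minimum keytool enforces), extracts its certificates into a plain PEM bundle with openssl, strips the "Bag Attributes" noise, and checks that the bundle actually works as a set of trust anchors. Only the openssl CLI is required; the certificate and file names are constructed for the demo, and the closing comment assumes Keycloak's --truststore-paths option for pointing the server at the resulting PEM file.

```shell
#!/bin/sh
# Added example (not from the issue): PKCS12 truststore -> PEM bundle,
# then prove the PEM bundle validates a certificate. openssl CLI only.

# Generate a throwaway self-signed CA and pack it into a PKCS12 truststore
# protected by the constructed password "123456".
make_sample_truststore() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl pkcs12 -export -nokeys -in "$dir/ca.crt" \
    -out "$dir/truststore.p12" -passout pass:123456
}

# Extract every certificate from a PKCS12 truststore into a PEM bundle.
# The awk range filter keeps only BEGIN/END CERTIFICATE blocks, dropping
# the "Bag Attributes" lines openssl prints in front of each cert.
# Returns non-zero if nothing was extracted (e.g. wrong password).
convert_truststore_to_pem() {
  p12="$1"; password="$2"; pem="$3"
  openssl pkcs12 -in "$p12" -nokeys -passin "pass:$password" 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$pem"
  [ -s "$pem" ]
}

# Number of certificates in a PEM bundle.
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Use the PEM bundle as the trust-anchor set and verify a certificate
# against it; exit status 0 means the chain built successfully.
verify_with_pem_truststore() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  workdir=$(mktemp -d)
  make_sample_truststore "$workdir"
  convert_truststore_to_pem "$workdir/truststore.p12" 123456 "$workdir/truststore.pem"
  echo "certificates in PEM bundle: $(count_pem_certs "$workdir/truststore.pem")"
  if verify_with_pem_truststore "$workdir/truststore.pem" "$workdir/ca.crt"; then
    echo "PEM truststore validates ca.crt"
  fi
  # The PEM file can then be handed to Keycloak directly, no keystore or
  # password involved (assumed option name):
  #   bin/kc.sh start --truststore-paths=/path/to/truststore.pem
}

demo
```

      The final verify step is the check worth keeping around: a truststore that converts "successfully" but fails `openssl verify` would reproduce exactly the PKIX "unable to find valid certification path" failure seen with the empty-password PKCS12 workaround, so run it before restarting the server.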

              People: Peter Zaoral (pzaoral), Wolf Fink (rhn-support-wfink)
              Votes: 0
              Watchers: 6