LDAPS is used to secure your LDAP connection. Refer to the Keycloak documentation on LDAP for more information.
Keycloak uses the default location within the container:
Copy in your certificate authority (CA):
# Replace <CA.pem> with your certificate authority.
# Replace <container_ID> with your container ID.
docker ps | grep cloak
docker cp <CA.pem> <container_ID>:/opt/jboss
Drop into the container:
# Replace <container_ID> with your container ID.
docker exec -u root -it <container_ID> /bin/bash
Add the keystore:
# Replace <CA.pem> with your certificate authority.
cd /opt/jboss/keycloak/standalone/configuration/keystores
keytool -keystore truststore -storepass anaconda -noprompt -trustcacerts -importcert -alias ldap-ca -file /opt/jboss/<CA.pem>
Add the following to the CA certs bundle:
# Replace <CA.pem> with your certificate authority.
cp /opt/jboss/<CA.pem> /etc/pki/ca-trust/source/anchors/
This will update the CA certs bundle found in the following file path:
Restart the container:
# Replace <container_ID> with your container ID.
docker ps | grep cloak
docker restart <container_ID>
If you have any issues, verify the CA against the LDAPS server:
# Replace <CA.pem> with your certificate authority.
# Replace ldapserver.com with the hostname of your LDAPS server (port 636 is the LDAPS default).
openssl s_client -CAfile <CA.pem> -connect ldapserver.com:636
The output should include the following line, which confirms the server's certificate chain verifies against the CA you copied in:
Verify return code: 0 (ok)
You can inspect the keystore you created with the following command:
keytool -list -v -keystore /opt/jboss/keycloak/standalone/configuration/keystores/truststore -storepass anaconda
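As an added example (not code from the original page or from Keycloak), the following script turns the two diagnostic commands above into an offline check: paste in the captured output of `openssl s_client` and `keytool -list -v` and it reports whether the chain verified and whether the `ldap-ca` alias is actually present as a trusted certificate. The verify-code hints and the sample outputs are constructed for this illustration.

```python
# Added example, not code from the original page or from Keycloak: offline checks on
# captured output of the two diagnostic commands used above. Sample outputs below are constructed.
import re

# openssl verify codes seen most often during this setup and their likely cause here.
VERIFY_HINTS = {
    0: "chain verified: the CA file matches what the LDAPS server presents",
    10: "server certificate has expired: renew it on the LDAP server",
    19: "self-signed root not in the CA file: wrong or incomplete <CA.pem>",
    20: "issuer not found: an intermediate CA is missing from <CA.pem>",
    21: "first certificate not verifiable: server sends no usable chain",
}

def parse_verify_code(s_client_output: str) -> int:
    """Return the numeric 'Verify return code' from openssl s_client output."""
    m = re.search(r"Verify return code:\s*(\d+)", s_client_output)
    if m is None:
        raise ValueError("no 'Verify return code' line; did the handshake fail?")
    return int(m.group(1))

def truststore_entries(keytool_output: str) -> dict:
    """Map alias -> entry type from 'keytool -list -v' output."""
    entries, alias = {}, None
    for line in keytool_output.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Entry type:") and alias is not None:
            entries[alias] = line.split(":", 1)[1].strip()
    return entries

def check_trust_setup(s_client_output: str, keytool_output: str, alias="ldap-ca"):
    """Return (ok, findings): ok only when openssl verified the chain AND the
    alias imported on this page is present as a trusted certificate entry."""
    code = parse_verify_code(s_client_output)
    hint = VERIFY_HINTS.get(code, "see the X509_V_ERR list in openssl verify(1)")
    findings = [f"openssl: verify code {code}: {hint}"]
    kind = truststore_entries(keytool_output).get(alias)
    if kind != "trustedCertEntry":
        findings.append(f"keytool: alias {alias!r} missing or not trustedCertEntry ({kind})")
    return code == 0 and kind == "trustedCertEntry", findings

SAMPLE_OPENSSL_OK = "---\n    Verify return code: 0 (ok)\n---\n"
SAMPLE_OPENSSL_BAD = "---\n    Verify return code: 19 (self signed certificate in certificate chain)\n"
SAMPLE_KEYTOOL = ("Your keystore contains 1 entry\n\nAlias name: ldap-ca\n"
                  "Creation date: Jan 1, 2024\nEntry type: trustedCertEntry\n\n"
                  "Owner: CN=Example LDAP CA\n")

if __name__ == "__main__":
    for out in (SAMPLE_OPENSSL_OK, SAMPLE_OPENSSL_BAD):
        ok, findings = check_trust_setup(out, SAMPLE_KEYTOOL)
        print("OK" if ok else "FAIL", *findings, sep="\n  ")
```

Run it inside the container against real output (for example `openssl s_client ... </dev/null 2>&1` and the `keytool -list -v` command above) to confirm both halves of the setup before restarting Keycloak.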