Burillodev

Reputation: 321

WSO2 API Manager 4.0.0 Key Manager integration with Keycloak not working

I have followed this tutorial https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-keycloak-connector/ for integrating Keycloak as Key Manager with WSO2 API Manager 4.0.0, and everything is done as described, but when I try to obtain a client_credentials access_token an error is raised in the WSO2 HTTP client to Keycloak communication; looking at the traces, it is related to Feign. The error is this:

Caused by: feign.RetryableException: Hostname localhost not verified:
    certificate: sha256/7mHCBc7ms9yqA/gz+nIRA9cUTRqrEgK3j9eX9fmpDZ0=
    DN: CN=localhost
    subjectAltNames: [] executing POST https://localhost:8443/auth/realms/master/clients-registrations/openid-connect

As described in the error trace, it is a hostname verification failure, as the hostname is localhost. To bypass this I set hostname verification to be disabled, but it is still happening. I do not know how to skip this verification. These are my config file snippets:

deployment.toml

[transport.passthru_https]
sender.hostname_verifier = "AllowAll"

[transport.passthru_https.sender.parameters]
HostnameVerifier = "AllowAll"

[transport.passthru_http]
sender.hostname_verifier = "AllowAll"

api-manager.bat

set CMD_LINE_ARGS=%CMD_LINE_ARGS% -Djava.endorsed.dirs=%JAVA_ENDORSED% -Dorg.opensaml.httpclient.https.disableHostnameVerification=true -Dhttpclient.hostnameVerifier="AllowAll" 

Also this localhost certificate is imported in client-truststore.jks in WSO2 installation.

Any idea about how to skip this hostname verification?

Upvotes: 1

Views: 928

Answers (1)

Athiththan

Reputation: 2218

WSO2 API Manager uses the Feign OKHTTP Client to communicate with Keycloak servers. The OKHTTP client requires the public cert to carry SAN entries matching the CN.

The default public cert of Keycloak doesn't contain any SAN values. Therefore, when trying to communicate with Keycloak, the Feign client starts to throw SSL exceptions. To overcome this, you can follow this documentation, creating a new Keystore for Keycloak and importing that cert into the client-truststore.jks of the API Manager. The mentioned keytool commands generate the Keystore and certs with SAN entries.

Given is the same Keytool command from the API Manager Docs.

keytool -genkey -alias server -keyalg RSA -keysize 2048 -validity 3650 -keystore application.keystore -dname "CN=localhost,OU=Support,O=WSO2,L=Colombo,S=Western,C=LK" -storepass password -keypass password -noprompt -ext SAN=dns:localhost

Further, the mentioned hostname_verifier configurations are not applicable to disable the Hostname verification in OKHTTP client.

This is not an absolute solution for the behavior that you are facing, but you can go with this alternate approach (generating a new Keystore for the Keycloak) to overcome it.

A few points related to the OKHTTP client were gathered from here. Hope this helps you to overcome the issue with an alternate approach.

Upvotes: 3
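To make the answer's point concrete, the following added example (not code from the post, WSO2 or OkHttp) replicates the SAN-only hostname check that OkHttp applies, operating on certificate data in the dict shape Python's `ssl.getpeercert()` returns. The two cert dicts are constructed to mirror the question: the original Keycloak cert with `CN=localhost` and an empty SAN list, and the cert produced by the keytool command with `-ext SAN=dns:localhost`.

```python
"""SAN-only hostname verification, as OkHttp does it: the subject CN is never
consulted, so a CN=localhost cert with no subjectAltName fails for 'localhost'.
Input is the dict format returned by ssl.SSLSocket.getpeercert()."""
import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]               # ".example.com"
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]  # the part the wildcard must cover
    return bool(prefix) and "." not in prefix


def verify_hostname(cert: dict, hostname: str) -> tuple:
    """Return (ok, reason). Only subjectAltName entries are checked."""
    sans = cert.get("subjectAltName", ())
    if not sans:
        return False, "certificate has no subjectAltName entries (CN is ignored)"
    try:
        ip = ipaddress.ip_address(hostname)   # hostname may be a literal IP
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, f"matched iPAddress SAN {value}"
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _dns_match(value, hostname):
            return True, f"matched dNSName SAN {value}"
    return False, f"no SAN entry matches {hostname}: {sans}"


# Constructed: the failing Keycloak cert from the question (CN only, no SAN) ...
CERT_NO_SAN = {"subject": ((("commonName", "localhost"),),), "subjectAltName": ()}
# ... and the keytool output from the answer (-ext SAN=dns:localhost).
CERT_WITH_SAN = {"subject": ((("commonName", "localhost"),),),
                 "subjectAltName": (("DNS", "localhost"),)}

if __name__ == "__main__":
    for label, cert in (("no SAN", CERT_NO_SAN), ("with SAN", CERT_WITH_SAN)):
        print(label, verify_hostname(cert, "localhost"))
```

The same function can be pointed at a live server's `getpeercert()` output to confirm, before wiring up the connector, that the Keycloak cert presents the SAN the API Manager will connect to.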
