Making identity production ready

Hi,

I’m looking to make Identity production ready, as this document mentioned.

Does anyone have an example step-by-step guide? Using a self-signed cert is OK at the moment for demo purposes.

Thank you.

Hi @ntt.duynh, the document you refer to has a link to the Keycloak documentation. Keycloak is a thing of its own, so their documentation is in a better position to clarify the aspects to consider for going to prod.

This is the link in case you need it right away: Configuring Keycloak for production - Keycloak

You can see in the component architecture why we refer you to Keycloak: it is the backbone of Identity. Overview Components | Camunda Platform 8 Docs

Thanks Manzano. Let me try that.

Hi @g.manzano

I have tried the following steps:

  1. Configure Keycloak to enable TLS, using its auto-generated certificate.
  2. Create a .jks file from the Keycloak certificate:
kubectl get secret camunda-keycloak-crt -o jsonpath='{.data.ca\.crt}' | base64 -d > keycloak-ca.crt
keytool -import -alias keycloak -keystore keycloak.jks -storetype jks -file keycloak-ca.crt -storepass changeit -noprompt
kubectl create secret generic keycloak-jks --from-file=keycloak.jks
  3. Configure the Identity environment variables, following this document mentioned in the Camunda guide:
    “How-to” Guides
identity:
  service:
    type: NodePort

  keycloak:
    image:
      tag: "16.1.1-debian-10-r52"
    auth:
      tls:
        enabled: true
        autoGenerated: true
    httpRelativePath: "/auth"
    customReadinessProbe:
      httpGet:
        path: /auth/realms/master
        port: http
      initialDelaySeconds: 30
      periodSeconds: 10
      timeoutSeconds: 1
      failureThreshold: 3
      successThreshold: 1
    service:
      type: NodePort
    extraEnvVars:
      - name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
        value: "true"
      - name: KEYCLOAK_FRONTEND_URL
        value: "http://example.keycloak.com"

  env:
    - name: IDENTITY_URL
      value: "http://example.identity.com"
    - name: SERVER_PORT
      value: "443"
    - name: SERVER_SSL_KEYSTORE
      value: "/app/certificates/keycloak.jks"
    - name: SERVER_SSL_KEYSTOREPASSWORD
      valueFrom:
        secretKeyRef: 
          name: keycloak-keystore
          key: keystore-password
  extraVolumeMounts:
    - name: keystore
      mountPath: /app/certificates/
  extraVolumes:
    - name: keystore
      secret:
        secretName: keycloak-jks
        optional: false

Here’s the error I got:

2023-05-18 09:10:40.824 ERROR 1 --- [           main] o.s.b.SpringApplication                  : Application run failed

org.springframework.context.ApplicationContextException: Failed to start bean 'webServerStartStop'
	at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:181) ~[spring-context-6.0.2.jar!/:6.0.2]
	at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:356) ~[spring-context-6.0.2.jar!/:6.0.2]
	at java.lang.Iterable.forEach(Unknown Source) ~[?:?]
	at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:155) ~[spring-context-6.0.2.jar!/:6.0.2]
	at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:123) ~[spring-context-6.0.2.jar!/:6.0.2]
	at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:932) ~[spring-context-6.0.2.jar!/:6.0.2]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:587) ~[spring-context-6.0.2.jar!/:6.0.2]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:730) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:432) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:308) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1302) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1291) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at io.camunda.identity.Application.main(Application.java:18) ~[classes!/:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
	at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
	at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) ~[identity.jar:?]
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:95) ~[identity.jar:?]
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) ~[identity.jar:?]
	at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:65) ~[identity.jar:?]
Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
	at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:235) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:44) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:178) ~[spring-context-6.0.2.jar!/:6.0.2]
	... 21 more
Caused by: java.lang.IllegalArgumentException: standardService.connector.startFailed
	at org.apache.catalina.core.StandardService.addConnector(StandardService.java:238) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:288) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:219) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:44) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:178) ~[spring-context-6.0.2.jar!/:6.0.2]
	... 21 more
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:1085) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.catalina.core.StandardService.addConnector(StandardService.java:234) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:288) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:219) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:44) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:178) ~[spring-context-6.0.2.jar!/:6.0.2]
	... 21 more
Caused by: java.lang.IllegalArgumentException: Alias name [null] does not identify a key entry
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:106) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:70) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:206) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1172) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1258) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:588) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:1082) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.catalina.core.StandardService.addConnector(StandardService.java:234) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:288) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:219) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:44) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:178) ~[spring-context-6.0.2.jar!/:6.0.2]
	... 21 more
Caused by: java.io.IOException: Alias name [null] does not identify a key entry
	at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:350) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:104) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:70) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:206) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1172) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1258) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:588) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:1082) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.apache.catalina.core.StandardService.addConnector(StandardService.java:234) ~[tomcat-embed-core-10.1.1.jar!/:?]
	at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:288) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:219) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:44) ~[spring-boot-3.0.0.jar!/:3.0.0]
	at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:178) ~[spring-context-6.0.2.jar!/:6.0.2]
	... 21 more

Please let me know your ideas.

Another question is that my Identity is making requests from an external IP address. Since I cannot disable SSL in my setup as described here, does enabling TLS as described here solve the problem?

Hi @ntt.duynh

Seems like the error you get has to do with your beans, so you will need to fix that before your Spring application can start and look for Identity. In general, any error of the type "Failed to start bean…" is basically an error in the setup of your project. That is a purely Spring error, so somewhere you are missing something; check how you load the beans in Spring, sometimes it is a missing dependency.

In your case, it seems the certificate you configured cannot be found or loaded by the embedded Tomcat of your Spring Boot application, and therefore Tomcat fails to start. My experience tells me that this error points to a mismatch between the alias of the certificate in the JVM and the alias specified in your keystore. Try searching for: Spring Boot Tomcat Error: Alias name does not identify a key entry.

Regarding your second question, the solution to this issue will depend largely on your environment and on whether you are able to load the certificate. The Camunda documentation suggests a few things, but they are only suggestions, because this goes beyond the Camunda domain. I would normally try asking in the Keycloak community, Community - Keycloak, because many users there have projects with similar setups and it is likely that someone has more details or a solution.

Cheers!

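A note on the failing keytool step, with an added example that is not part of this thread and not Camunda or Keycloak code. `keytool -import -file keycloak-ca.crt` stores the certificate as a trustedCertEntry; it never adds a private key. Tomcat's `Alias name [null] does not identify a key entry` is raised when `server.ssl.key-alias` is unset and the keystore contains no PrivateKeyEntry at all, which is exactly the store those three commands produce. The Python below reads the JKS container format directly (no keytool needed), verifies the store password via the JDK's keyed SHA-1 digest, and classifies every entry, so you can check a mounted keystore before restarting the pod. The two sample stores it builds use placeholder DER bytes standing in for real certificates and keys; the aliases `keycloak` and `identity` and the password `changeit` are assumptions for the example.

```python
"""Offline JKS inspector: tells trustedCertEntry from PrivateKeyEntry.

JKS (JDK JavaKeyStore) = magic 0xFEEDFEED, version 2, entry count, then per
entry: tag (1 = PrivateKeyEntry, 2 = trustedCertEntry), alias, timestamp,
payload; the file ends with SHA-1(password as UTF-16BE + "Mighty Aphrodite"
+ everything before). Tomcat can only terminate TLS with a tag-1 entry.
"""
import hashlib
import struct

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2
KIND = {TAG_PRIVATE_KEY: "PrivateKeyEntry", TAG_TRUSTED_CERT: "trustedCertEntry"}


def _digest(password: str, body: bytes) -> bytes:
    """Keyed integrity digest the JDK verifies when a store password is supplied."""
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()


def _utf(s: str) -> bytes:
    """DataOutputStream.writeUTF: 2-byte length + modified UTF-8 (== UTF-8 for ASCII)."""
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def build_jks(entries, password: str) -> bytes:
    """Serialise (alias, tag, payload) tuples. payload is cert DER for tag 2 and
    (protected_key_der, [cert_der, ...]) for tag 1. Used here to build samples."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    stamp = struct.pack(">q", 1684400000000)  # fixed creation time (ms) for determinism
    for alias, tag, payload in entries:
        body += struct.pack(">I", tag) + _utf(alias) + stamp
        if tag == TAG_PRIVATE_KEY:
            key, chain = payload
            body += struct.pack(">I", len(key)) + key + struct.pack(">I", len(chain))
            for cert in chain:
                body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
        else:
            body += _utf("X.509") + struct.pack(">I", len(payload)) + payload
    return body + _digest(password, body)


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def utf(self) -> str:
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")


def read_jks(data: bytes, password: str):
    """Return [(alias, kind), ...]; raise on wrong password, bad magic or truncation."""
    body, digest = data[:-20], data[-20:]
    if _digest(password, body) != digest:
        raise ValueError("keystore password incorrect or file tampered")
    r = _Reader(body)
    if r.u32() != JKS_MAGIC or r.u32() != JKS_VERSION:
        raise ValueError("not a JKS version 2 keystore")
    entries = []
    for _ in range(r.u32()):
        tag, alias = r.u32(), r.utf()
        r.take(8)  # creation timestamp, not needed for classification
        if tag == TAG_PRIVATE_KEY:
            r.take(r.u32())  # EncryptedPrivateKeyInfo; left encrypted, we only classify
            for _ in range(r.u32()):  # certificate chain: type string + DER
                r.utf()
                r.take(r.u32())
        elif tag == TAG_TRUSTED_CERT:
            r.utf()
            r.take(r.u32())
        else:
            raise ValueError(f"unknown entry tag {tag}")
        entries.append((alias, KIND[tag]))
    return entries


def key_entry_aliases(data: bytes, password: str):
    """Aliases Tomcat could serve TLS from; an empty list reproduces the error above."""
    return [alias for alias, kind in read_jks(data, password) if kind == "PrivateKeyEntry"]


# Constructed placeholders standing in for DER blobs; not real certificates or keys.
FAKE_CERT = b"\x30\x82\x01\x00" + b"C" * 256
FAKE_PROTECTED_KEY = b"\x30\x82\x01\x00" + b"K" * 256
# What `keytool -import -file ca.crt` yields: a trust anchor and no private key.
TRUST_ONLY_JKS = build_jks([("keycloak", TAG_TRUSTED_CERT, FAKE_CERT)], "changeit")
# What a server keystore must hold: a protected private key plus its certificate chain.
SERVER_JKS = build_jks([("identity", TAG_PRIVATE_KEY, (FAKE_PROTECTED_KEY, [FAKE_CERT]))], "changeit")
```

Run `key_entry_aliases(open("keycloak.jks", "rb").read(), "changeit")` against the mounted file: an empty list is the root cause of the trace above. The fix is a keystore that holds a private key, and it should be Identity's own key pair rather than Keycloak's: package Identity's key and certificate with `openssl pkcs12 -export -inkey <key> -in <cert>` and tell Spring Boot the type with `server.ssl.key-store-type=PKCS12` (in the page's env-var style, `SERVER_SSL_KEYSTORETYPE`), or import that PKCS12 with `keytool -importkeystore -srcstoretype PKCS12`. The Keycloak CA certificate is still needed, but as a trust anchor for Identity's outbound calls to Keycloak, which the JVM takes from its truststore (`javax.net.ssl.trustStore`), a separate setting from the server keystore that terminates Identity's own TLS listener.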