Skip to main content

FAQ: Security with Keycloak

How to resolve “PKI not found” error when connecting to Keycloak behind Nginx with a custom PKI?

If you’re using Keycloak behind an Nginx reverse proxy with a custom Public Key Infrastructure (PKI), OpenMetadata may fail to authenticate due to missing trusted certificates. This results in a “PKI not found” or TLS validation error.

Resolution

To allow OpenMetadata to trust your custom CA:
  1. Extend the OpenMetadata Docker image and import your custom CA certificate into the Java truststore.
  2. Use the following command (replace paths accordingly):
   keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts \
     -storepass changeit -noprompt -alias my-custom-ca \
     -file /path/to/your/custom-ca.crt
  1. Alternatively, if you’re using Helm, you can update your deployment by modifying the container image or using an initContainer to patch the truststore and setting:
OPENMETADATA_OPTS="-Djavax.net.ssl.trustStore=/path/to/keystore.jks \
-Djavax.net.ssl.trustStorePassword=changeit"
For guidance on extending the Docker image, refer to the official documentation: Extending OpenMetadata Docker Image (GKE Example) This enables OpenMetadata to establish a secure connection with Keycloak behind your Nginx reverse proxy using a custom certificate authority.