mirror of https://github.com/open-metadata/OpenMetadata.git, synced 2025-07-31 05:04:39 +00:00
---
title: Fix PKI Not Found When Using Keycloak with Custom PKI
description: Learn how to resolve PKI not found errors in OpenMetadata when using Keycloak behind Nginx with custom PKI by importing CA certificates into the truststore.
slug: /deployment/security/keycloak/troubleshooting
collate: false
---
# FAQ: Security with Keycloak

## How to resolve the "PKI not found" error when connecting to Keycloak behind Nginx with a custom PKI?
If you're using Keycloak behind an Nginx reverse proxy with a custom Public Key Infrastructure (PKI), OpenMetadata may fail to authenticate because the JVM truststore does not contain the CA that signed the certificate Nginx presents. This results in a "PKI not found" or TLS validation error.

### Resolution
To allow OpenMetadata to trust your custom CA:

- Extend the OpenMetadata Docker image and import your custom CA certificate into the Java truststore.
- Use the following command (replace paths accordingly; `changeit` is the JDK's default truststore password, and on Java 8 the truststore lives under `$JAVA_HOME/jre/lib/security/cacerts` instead):

  ```bash
  keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts \
    -storepass changeit -noprompt -alias my-custom-ca \
    -file /path/to/your/custom-ca.crt
  ```

- Alternatively, if you're using Helm, you can update your deployment by modifying the container image or using an initContainer to patch the truststore and setting:

  ```bash
  OPENMETADATA_OPTS="-Djavax.net.ssl.trustStore=/path/to/keystore.jks \
    -Djavax.net.ssl.trustStorePassword=changeit"
  ```

  Note that `-Djavax.net.ssl.trustStore` replaces the JVM's default truststore rather than extending it, so the keystore you point to must also contain every public root CA that OpenMetadata needs for its other TLS connections.
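As an added example (not from the OpenMetadata project or its docs), the following Dockerfile applies the first option end to end: it extends the server image, imports the CA into the JVM's default truststore and fails the build if the import did not take. The base image tag, the CA file name, the alias and the non-root user are placeholders you must adjust.

```dockerfile
# Added example, not from the OpenMetadata project: extend the server image so
# the JVM trusts the CA that signed the certificate Nginx presents for Keycloak.
# Placeholders (adjust for your deployment): the base image tag, the CA file
# name, the alias, and the non-root user the base image runs as.
ARG OM_IMAGE=openmetadata/server:<version>
FROM ${OM_IMAGE}

# Copy only the CA certificate (PEM). Never bake a private key into the image.
COPY custom-ca.crt /tmp/custom-ca.crt

# Writing to cacerts needs root inside the build stage.
USER root

# Locate the JDK truststore: Java 9+ keeps it under lib/security, Java 8 under
# jre/lib/security. "changeit" is the JDK's default truststore password.
# -trustcacerts lets keytool chain to roots already present; -noprompt makes
# the import non-interactive so the build cannot hang. The final keytool -list
# makes the build fail if the alias is not actually in the truststore.
RUN set -eu; \
    JAVA_HOME="${JAVA_HOME:-$(dirname "$(dirname "$(readlink -f "$(command -v java)")")")}"; \
    TS="$JAVA_HOME/lib/security/cacerts"; \
    [ -f "$TS" ] || TS="$JAVA_HOME/jre/lib/security/cacerts"; \
    keytool -importcert -trustcacerts -noprompt \
        -keystore "$TS" -storepass changeit \
        -alias my-custom-ca -file /tmp/custom-ca.crt; \
    keytool -list -keystore "$TS" -storepass changeit -alias my-custom-ca >/dev/null; \
    rm -f /tmp/custom-ca.crt

# Drop back to the unprivileged user the base image uses (placeholder).
USER <base-image-user>
```

Build the image with `docker build -t openmetadata-server-custom-ca .` and point your Compose file or Helm values at that tag; because the default `cacerts` is patched in place, no `-Djavax.net.ssl.trustStore` override is needed.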
For guidance on extending the Docker image, refer to the official documentation: Extending OpenMetadata Docker Image (GKE Example).
This enables OpenMetadata to establish a secure connection with Keycloak behind your Nginx reverse proxy using a custom certificate authority.