Keycloak became the cornerstone of the Zerto appliance back in 10.0 (wow, it’s been almost 5 years!) and over that time we have tried to simplify getting started with it as well as integrating it with other identity providers like LDAP, OIDC and SAML.
However, sometimes things still trip up customers. This post is just a list of things I would check if I were troubleshooting. It certainly won’t take the place of a support ticket, but I would highly recommend checking these items before opening one, just to save yourself time.
Check DNS servers
The first thing you should check (especially on a new ZVM appliance) is the DNS servers configured on the appliance. The Zerto appliance has a CLI-based menu system which will print out the currently configured DNS servers. It is also capable of doing all of the backend configuration needed for the various containerized services on the appliance, so I do NOT recommend trying to edit DNS server settings by hand.
To verify the existing DNS servers, log in to the CLI using the username zadmin with the password configured during initial configuration. Next, select option “2 : Configure Network Settings”.
Now select “5 : DNS Servers Manager”.
Finally, select “1 : Print All Configured DNS Servers”.
The system will list the DNS servers; check this list to see if there are any that do not belong. If there are incorrect DNS servers, press Enter, then navigate back into the DNS manager and select option “3 : Remove DNS Server” to remove them. You can also use “2 : Add DNS Server” to add what you need.
Before proceeding, make sure you have the DNS servers you need to resolve your identity provider’s name/URL. (NOTE: you need to be able to resolve the name even if you are using an IP for the LDAP(S) server!)
Check the Certificates installed in Keycloak
After we have validated that we can resolve DNS to our upstream IDP (identity provider), we can move on to certificate verification. Certificates are required to be uploaded into Keycloak’s trust store for pretty much all upstream IDPs, with the exception of plain LDAP (LDAPS does need a certificate too).
Since 10.0 Update 4 (aka 10.4), Zerto has provided two APIs to help check and upload certificates. If you are following the documentation to SCP certificates to the appliance and then run a bunch of commands, STOP… read on to learn how to use the API.
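To make the trust-store requirement concrete, here is an added example (not Zerto’s or Keycloak’s own code) that shows what the check boils down to: the IdP’s server certificate must chain to a CA certificate the appliance trusts, and the name you connect with must match that certificate. The CA and server certificates are constructed on the fly with openssl as stand-ins for a real IdP’s PKI, and idp.example.internal is an assumed hostname. The “by IP” case is the LDAPS trap from the DNS note above: the certificate is issued for the DNS name, so pointing Keycloak at the IP address fails the name check even when the CA is trusted.

```shell
#!/bin/sh
# Added example, not Zerto's or Keycloak's own code. Demonstrates the two
# checks an upstream IdP certificate has to pass: chaining to a trusted CA,
# and matching the name used to connect. All certificates below are
# constructed throwaway material; idp.example.internal is an assumed name.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA, a server certificate signed by it, and a second
# unrelated CA (the unrelated CA plays the role of a trust store that never
# received the right certificate).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Internal CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/idp.key" -out "$WORK/idp.csr" \
    -subj "/CN=idp.example.internal" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/idp.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/idp.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" \
    -subj "/CN=Unrelated CA" >/dev/null 2>&1
}

# verify_chain <server-cert.pem> <trusted-ca-bundle.pem>
# Prints "trusted" when the server certificate chains to a CA in the bundle,
# "untrusted" otherwise. This is the check a trust store performs.
verify_chain() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# verify_name <server-cert.pem> <trusted-ca-bundle.pem> <hostname-or-ip>
# Same as verify_chain but also requires the certificate to match the name
# (or IP) the client connects to.
verify_name() {
  if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Against a real IdP you would capture the chain it presents instead of
# generating one, e.g. (not run here):
#   openssl s_client -connect idp.example.internal:636 -showcerts </dev/null

make_test_pki
echo "right CA: $(verify_chain "$WORK/idp.pem" "$WORK/ca.pem")"
echo "wrong CA: $(verify_chain "$WORK/idp.pem" "$WORK/other.pem")"
echo "by name:  $(verify_name "$WORK/idp.pem" "$WORK/ca.pem" idp.example.internal)"
echo "by IP:    $(verify_name "$WORK/idp.pem" "$WORK/ca.pem" 192.0.2.10)"
```

The first two lines of output show the difference between a trust store that holds the issuing CA and one that does not; the last two show why the LDAPS hostname has to resolve and be used as the server address rather than its IP.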
Checking existing certificates via API
Navigate to the Management Console of your ZVM (mine is https://192.168.50.30/management). Once logged in, click the top right corner menu and select APIs. Once you are on the Swagger page, the first thing to do is click Authorize.
A box will pop up where you need to click Authorize again; the button will change to “Logout”. Once it does, click Close.