[Hawkular-dev] https and accounts/keycloak

John Mazzitelli mazz at redhat.com
Mon Oct 12 09:47:58 EDT 2015


> I'm not quite sure I understand what you mean by "SSL support out of the
> box". We cannot ship a distribution set for SSL if the keystore doesn't
> have the appropriate certificates, and we cannot ship "default"
> certificates. We *could* add those to the -dev profile, like we do with
> the default username/password.

Right. I just want to make that clear to everyone. We will not have full secure/SSL communications out of the box if we just ship the distro as we are doing now. It will require manual steps for people to perform, thus we need some really good docs here.

> 
> > Right now, it looks like there are steps required to:
> >
> > 1) create or obtain your own keystore/truststores
> > 2) set up a security realm in WF
> > 3) set up keycloak security specifically
> 
> The step 3 is already a set of 1 and 2. IIRC, the only difference is
> that the keystore has to be named "keycloak.jks".
> 

That seems odd they would require it to be named something specific. If they just pick up the security-realm defined in standalone.xml (which is what the https listener uses), the name shouldn't matter. Unless there is some OTHER setting specific to keycloak, in addition to the standard security realm definition.

I can write up some docs since I'm testing the SSL functionality now - if you have any links or notes or anything, pass them my way. Right now, I'm flying blind wrt keycloak :)

