I'm not quite sure I understand what you mean by "SSL support out of the
box". We cannot ship a distribution set for SSL if the keystore doesn't
have the appropriate certificates, and we cannot ship "default"
certificates. We *could* add those to the -dev profile, like we do with
the default username/password.
Right. I just want to make that clear to everyone. We will not have full secure/SSL
communications out of the box if we just ship the distro as we are doing now. It will require
manual steps for people to perform, thus we need some really good docs here.
> Right now, it looks like there are steps required to:
>
> 1) create or obtain your own keystore/truststores
> 2) set up a security realm in WF
> 3) set up keycloak security specifically
The step 3 is already a set of 1 and 2. IIRC, the only difference is
that the keystore has to be named "keycloak.jks".
That seems odd they would require it to be named something specific. If they just pick up
the security-realm defined in standalone.xml (which is what the https listener uses), the
name shouldn't matter. Unless there is some OTHER setting specific to keycloak, in
addition to the standard security realm definition.
I can write up some docs since I'm testing the SSL functionality now - if you have any
links or notes or anything pass them my way. Right now, I'm flying blind wrt keycloak :)