On 10/12/2015 03:07 PM, John Mazzitelli wrote:
So, does this mean we can't ship SSL support out of box? Seems
like some of these settings are very particular to the machine kettle is running on.
Assuming we don't have an installer, how can we zip up the distro and have it run with
SSL enabled out of box? I don't think we are going to be able to do that. If we
cannot, we are going to need some VERY clear and easy-to-follow documentation to enable
security.
I'm not quite sure I understand what you mean by "SSL support out of the
box". We cannot ship a distribution set for SSL if the keystore doesn't
have the appropriate certificates, and we cannot ship "default"
certificates. We *could* add those to the -dev profile, like we do with
the default username/password.
Right now, it looks like there are steps required to:
1) create or obtain your own keystore/truststores
2) set up a security realm in WF
3) set up keycloak security specifically
Step 3 is already a set of 1 and 2. IIRC, the only difference is
that the keystore has to be named "keycloak.jks".
Juca - did you happen to write down any notes on what you did to get
your system running? That could be the start to some docs.
Sure, I still have the puppet scripts for it. My setup is a bit
different than the usual, though, as I have an nginx proxy in front of
all the VMs, including Hawkular's. Once I get the MS6 items done, I'll
either document my setup with nginx (if I'm short on time) or set up a
new VM with a "pure" Wildfly setup (if time allows).
- Juca.