What I'm trying to avoid is having the SSL keystore password (keycloak.jks) and the
truststore password (truststore.jks) as plaintext in the Keycloak configuration file (in
my case, standalone.xml).
I'll try to look up the WildFly docs for more information and/or suggestions.
From: Sebastian Laskawiec <slaskawi(a)redhat.com>
Sent: Monday, September 9, 2019 4:00 AM
To: Chris Smith <chris.smith(a)cmfirstgroup.com>; Peter Skopek
<pskopek(a)redhat.com>; Pedro Igor Silva <psilva(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] best way to save Keystore and Truststore passwords in
standalone.xml?
It depends on what exactly you mean.
Keycloak uses the Elytron subsystem from WildFly [1] to set up TLS. The main goal here is to
configure the Undertow HTTPS listener. You can probably use a Secure Credential Store here [2],
but I highly recommend looking up some WildFly manuals.
Keycloak also provides its own Truststore SPI (that requires a Trust Store). I'm not
exactly sure, but maybe it is possible to use an Elytron Credential Store and pass the
password using some reference. Maybe @Peter Skopek <pskopek@redhat.com> or
@Pedro Igor Silva <psilva@redhat.com> could help here.
[1]
https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem
[2]
https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem#Us...
On Sat, Sep 7, 2019 at 7:03 PM Chris Smith <chris.smith@cmfirstgroup.com> wrote:
How can the Keystore and Truststore passwords be reasonably saved? Just having them in
plaintext in standalone.xml seems like kind of a "bad thing".
Keycloak is running as a specific Active directory user, so set standalone as only
accessible to that user and Domain Admins?
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
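Added example, not from the thread and not from the Keycloak or WildFly projects: a standalone.xml fragment showing the plaintext key-store password Chris wants to get rid of beside the Elytron credential-store form Sebastian points at in [2], with the equivalent jboss-cli commands in a comment. The store name keycloakCS, the aliases keystorePassword and truststorePassword, the file name keycloak.jceks and every password value are placeholders chosen for the example. Keycloak's own Truststore SPI property is deliberately not shown, since whether it accepts a credential-store reference is the open question in the thread.

```xml
<!-- Added example (not from the thread). keycloakCS, keystorePassword,
     truststorePassword, keycloak.jceks and all password values are placeholders.

     CLI equivalent of the AFTER section, typed into bin/jboss-cli.sh --connect:

     /subsystem=elytron/credential-store=keycloakCS:add(location="keycloak.jceks", relative-to=jboss.server.config.dir, create=true, credential-reference={clear-text="MASTER-PASSWORD"})
     /subsystem=elytron/credential-store=keycloakCS:add-alias(alias=keystorePassword, secret-value="KEYSTORE-PASSWORD")
     /subsystem=elytron/credential-store=keycloakCS:add-alias(alias=truststorePassword, secret-value="TRUSTSTORE-PASSWORD")
     /subsystem=elytron/key-store=keycloakKS:add(path="keycloak.jks", relative-to=jboss.server.config.dir, type=JKS, credential-reference={store=keycloakCS, alias=keystorePassword})
     /subsystem=elytron/key-store=keycloakTS:add(path="truststore.jks", relative-to=jboss.server.config.dir, type=JKS, credential-reference={store=keycloakCS, alias=truststorePassword})
-->

<!-- BEFORE: the keystore password sits in the clear inside standalone.xml -->
<subsystem xmlns="urn:wildfly:elytron:4.0">
    <tls>
        <key-stores>
            <key-store name="keycloakKS">
                <credential-reference clear-text="KEYSTORE-PASSWORD"/>
                <implementation type="JKS"/>
                <file path="keycloak.jks" relative-to="jboss.server.config.dir"/>
            </key-store>
        </key-stores>
    </tls>
</subsystem>

<!-- AFTER: passwords live in keycloak.jceks; standalone.xml only carries references -->
<subsystem xmlns="urn:wildfly:elytron:4.0">
    <credential-stores>
        <credential-store name="keycloakCS" location="keycloak.jceks"
                          relative-to="jboss.server.config.dir" create="true">
            <!-- The store's own master password is still needed to open it.
                 Use the masked form from: bin/elytron-tool.sh mask
                   -\-salt 12345678 -\-iteration 100 -\-secret MASTER-PASSWORD
                 (the "-\-" escapes the double dash for this XML comment; type it
                 as a normal double dash on the command line) -->
            <credential-reference clear-text="MASK-OUTPUT-OF-ELYTRON-TOOL;12345678;100"/>
        </credential-store>
    </credential-stores>
    <tls>
        <key-stores>
            <key-store name="keycloakKS">
                <credential-reference store="keycloakCS" alias="keystorePassword"/>
                <implementation type="JKS"/>
                <file path="keycloak.jks" relative-to="jboss.server.config.dir"/>
            </key-store>
            <key-store name="keycloakTS">
                <credential-reference store="keycloakCS" alias="truststorePassword"/>
                <implementation type="JKS"/>
                <file path="truststore.jks" relative-to="jboss.server.config.dir"/>
            </key-store>
        </key-stores>
    </tls>
</subsystem>
```

Two caveats a practitioner should keep in mind. First, this moves the secret rather than removing it: the credential store is itself password-protected, and the MASK- form that elytron-tool produces is obfuscation, not encryption against an attacker who can read the file, so the file permissions Chris mentions (only the Keycloak service account and administrators) still matter for both standalone.xml and keycloak.jceks. Second, the credential-reference element only helps for the Elytron key-store and the Undertow HTTPS listener wired to it; the thread does not establish whether Keycloak's Truststore SPI can be pointed at the same store.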