[keycloak-dev] Certificate Management, Directory Services and Device Registration

Anil Saldhana Anil.Saldhana at redhat.com
Fri Dec 20 15:50:18 EST 2013


On 12/20/2013 02:32 PM, Bill Burke wrote:
>
> On 12/20/2013 3:23 PM, Anil Saldhana wrote:
>> Bill brought out some thoughts in my mind which I want to capture here
>> to see what your thoughts are:
>>
>> * Certificate Management
>> - We need a good system to CRUD certificates.  The only good Java-based
>> OSS I have seen is EJBCA.
>>
> Becoming a CA is way down the road, but my thoughts were that a realm
> could just create client-certs signed with the realm's keypair using
> Bouncycastle APIs.  There would be an option to download the truststore
> for the realm (for Java apps).  And a text pkcs format (forget the
> actual name) for non-Java apps.
Good idea.  But having a CA that helps users manage their certificates
within a particular corporate domain may be important for an integrated
solution:
CRUD/export-import truststores/keystores.

>
>
>> * Directory Server/Services
>> - We have ApacheDS and OpenDS (or the ForgeRock version) as two
>> possibilities in Java based directory servers. I am unsure if we have
>> really explored building a solution for directory services.
>>
> This is more part of federation no?  We need to brainstorm how we want
> to approach federation.  There's some who think the current Picketlink
> approach won't work and that other security products out there do
> syncing.  Maybe we'll have to do both.  I have some architectural ideas
> around this.
Great. I am glad you are thinking along these lines.  I will be looking
out for your architectural ideas.  Like the other reply I sent, what is
really missing in the OSS world is an integrated platform such as the
Active Directory ecosystem.


To summarize, it makes sense to have an integrated, administered
solution that is hopefully written in Java (no OS/native issues) and that
helps the modern enterprise that deals with REST/mobile client use cases.
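
As an added illustration of the approach Bill sketches above (written for this page, not code from the thread or from Keycloak): a realm keypair signs TLS client certificates with the BouncyCastle builder APIs, and the realm's CA certificate is exported both as a PKCS12 truststore for Java apps and as PEM text for non-Java apps. The realm and client names, the one-year validity, the file name and the password are made-up values, and PEM is my choice for the text format.

```java
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Illustrative sketch, not Keycloak code: the realm keypair acts as issuer for TLS client certs.
public class RealmClientCerts {
    static X509Certificate sign(KeyPair issuerKey, String issuerDn, String subjectDn,
                                PublicKey subjectPub, boolean isCa) throws Exception {
        Date now = new Date(), exp = new Date(now.getTime() + 365L * 24 * 3600 * 1000); // one year
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(new X500Name(issuerDn),
            new BigInteger(64, new SecureRandom()), now, exp, new X500Name(subjectDn), subjectPub);
        // Only the realm cert is a CA (critical); client certs are leaves pinned to clientAuth,
        // so a client cert can neither issue further certs nor be presented as a server cert.
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(isCa ? KeyUsage.keyCertSign : KeyUsage.digitalSignature));
        if (!isCa) b.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
        return new JcaX509CertificateConverter().getCertificate(
            b.build(new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey.getPrivate())));
    }
    // For Java apps: a PKCS12 truststore holding only the realm's CA certificate.
    static void writeTruststore(X509Certificate realmCert, OutputStream out, char[] pw) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);
        ts.setCertificateEntry("realm-ca", realmCert);
        ts.store(out, pw);
    }
    // For non-Java apps: PEM text ("-----BEGIN CERTIFICATE-----" blocks).
    static String toPem(Object... objects) throws Exception {
        StringWriter sw = new StringWriter();
        try (JcaPEMWriter w = new JcaPEMWriter(sw)) { for (Object o : objects) w.writeObject(o); }
        return sw.toString();
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair realmKey = kpg.generateKeyPair(), clientKey = kpg.generateKeyPair(); // client key: made client-side in practice
        X509Certificate realmCert = sign(realmKey, "CN=demo-realm", "CN=demo-realm", realmKey.getPublic(), true);
        X509Certificate clientCert = sign(realmKey, "CN=demo-realm", "CN=mobile-app,O=demo-realm", clientKey.getPublic(), false);
        clientCert.verify(realmKey.getPublic()); // throws unless the realm key really signed it
        writeTruststore(realmCert, new FileOutputStream("demo-realm-truststore.p12"), "changeit".toCharArray());
        System.out.print(toPem(realmCert, clientCert));
    }
}
```

Needs bcprov and bcpkix on the classpath; a server validating the client cert would trust only the realm CA entry in the exported truststore and check the clientAuth extended key usage.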
