[keycloak-user] Adapter trustore: use default java trustore possible ?
Marko Strukelj
mstrukel at redhat.com
Fri Feb 19 09:53:07 EST 2016
Please don't hijack a thread. These sound like two separate issues. Here we
are talking about getting client adapter to connect to https protected
Keycloak server - which requires that some truststore is used by HttpClient
library used by adapter.
What you are talking about - realm keys - is something completely
different, and has nothing to do with a truststore.
On Fri, Feb 19, 2016 at 3:10 PM, Jeremy Simon <jeremy at jeremysimon.com>
wrote:
> Hey there,
>
> I had asked about this a while ago too. Far as I know, the current
> implementation uses the jks for the HTTPS communication only. All
> realms generate their own key pair.
>
> Now to get around that, maybe you could export a realm to JSON, put in
> what you want for the key information and import it as a new realm or
> server configuration. That might be a little crazy. The more I
> thought about it, since the realm key pairs are for signing and
> encrypting the JWTs (or saml), that it's kinda nice you can hit a key
> and generate new ones in case of a compromise...or to keep stuff
> revolving.
>
> Hope that helps!
>
> jeremy
> jeremy at jeremysimon.com
> www.JeremySimon.com
>
>
> On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard <jrevillard at gnubila.fr>
> wrote:
> > Any advise for this please ?
> >
> > Best,
> > Jerome
> >
> >
> > Le 17/02/2016 11:19, Jérôme Revillard a écrit :
> >
> > Yes, it seems to be the case for the server, but not for the clients. See
> > the trustore config description here:
> >
> https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
> >
> > Best,
> > Jerome
> >
> > Le 17/02/2016 11:09, Bruno Oliveira a écrit :
> >
> > I'm not sure if I got your question in the right way. But from my
> > understanding Java truststore is the standard fall back.
> >
> > See item 3.2.5
> >
> https://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html
> >
> > On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <jrevillard at gnubila.fr>
> > wrote:
> >>
> >> Dear all,
> >>
> >> I'm testing now a Keycloak server properly configured with https
> >> configuration.
> >> The server certificate is one which is already known by the default java
> >> trustore.
> >> Would it be possible to setup the keycloak.json adapter config to use
> >> this default java trustore ?
> >>
> >> Best,
> >> Jerome
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160219/00e3d7c6/attachment.html
More information about the keycloak-user
mailing list