[keycloak-user] Adapter trustore: use default java trustore possible ?

Jeremy Simon jeremy at jeremysimon.com
Fri Feb 19 10:39:56 EST 2016


Sorry, I simply misunderstood.  Not try to hijack anything... What good
would that do??
On Feb 19, 2016 9:53 AM, "Marko Strukelj" <mstrukel at redhat.com> wrote:

> Please don't hijack a thread. These sound like two separate issues. Here
> we are talking about getting client adapter to connect to https protected
> Keycloak server - which requires that some truststore is used by HttpClient
> library used by adapter.
>
> What you are talking about - realm keys - is something completely
> different, and has nothing to do with a truststore.
>
> On Fri, Feb 19, 2016 at 3:10 PM, Jeremy Simon <jeremy at jeremysimon.com>
> wrote:
>
>> Hey there,
>>
>> I had asked about this a while ago too.  Far as I know, the current
>> implementation uses the jks for the HTTPS communication only.  All
>> realms generate their own key pair.
>>
>> Now to get around that, maybe you could export a realm to JSON, put in
>> what you want for the key information and import it as a new realm or
>> server configuration.  That might be a little crazy.  The more I
>> thought about it, since the realm key pairs are for signing and
>> encrypting the JWTs (or saml), that it's kinda nice you can hit a key
>> and generate new ones in case of a compromise...or to keep stuff
>> revolving.
>>
>> Hope that helps!
>>
>> jeremy
>> jeremy at jeremysimon.com
>> www.JeremySimon.com
>>
>>
>> On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard <jrevillard at gnubila.fr>
>> wrote:
>> > Any advise for this please ?
>> >
>> > Best,
>> > Jerome
>> >
>> >
>> > Le 17/02/2016 11:19, Jérôme Revillard a écrit :
>> >
>> > Yes, it seems to be the case for the server, but not for the clients.
>> See
>> > the trustore config description here:
>> >
>> https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
>> >
>> > Best,
>> > Jerome
>> >
>> > Le 17/02/2016 11:09, Bruno Oliveira a écrit :
>> >
>> > I'm not sure if I got your question in the right way. But from my
>> > understanding Java truststore is the standard fall back.
>> >
>> > See item 3.2.5
>> >
>> https://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html
>> >
>> > On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <jrevillard at gnubila.fr
>> >
>> > wrote:
>> >>
>> >> Dear all,
>> >>
>> >> I'm testing now a Keycloak server properly configured with https
>> >> configuration.
>> >> The server certificate is one which is already known by the default
>> java
>> >> trustore.
>> >> Would it be possible to setup the keycloak.json adapter config to use
>> >> this default java trustore ?
>> >>
>> >> Best,
>> >> Jerome
>> >>
>> >> _______________________________________________
>> >> keycloak-user mailing list
>> >> keycloak-user at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160219/90033571/attachment-0001.html 


More information about the keycloak-user mailing list