[keycloak-user] Adapter trustore: use default java trustore possible ?

Marko Strukelj mstrukel at redhat.com
Fri Feb 19 10:55:31 EST 2016


That's just an expression used when someone steers the thread into an
unrelated topic :)

On Fri, Feb 19, 2016 at 4:39 PM, Jeremy Simon <jeremy at jeremysimon.com>
wrote:

> Sorry, I simply misunderstood.  Not trying to hijack anything... What good
> would that do??
> On Feb 19, 2016 9:53 AM, "Marko Strukelj" <mstrukel at redhat.com> wrote:
>
>> Please don't hijack a thread. These sound like two separate issues. Here
>> we are talking about getting client adapter to connect to https protected
>> Keycloak server - which requires that some truststore is used by HttpClient
>> library used by adapter.
>>
>> What you are talking about - realm keys - is something completely
>> different, and has nothing to do with a truststore.
>>
>> On Fri, Feb 19, 2016 at 3:10 PM, Jeremy Simon <jeremy at jeremysimon.com>
>> wrote:
>>
>>> Hey there,
>>>
>>> I had asked about this a while ago too.  Far as I know, the current
>>> implementation uses the jks for the HTTPS communication only.  All
>>> realms generate their own key pair.
>>>
>>> Now to get around that, maybe you could export a realm to JSON, put in
>>> what you want for the key information and import it as a new realm or
>>> server configuration.  That might be a little crazy.  The more I
>>> thought about it, since the realm key pairs are for signing and
>>> encrypting the JWTs (or saml), that it's kinda nice you can hit a key
>>> and generate new ones in case of a compromise...or to keep stuff
>>> revolving.
>>>
>>> Hope that helps!
>>>
>>> jeremy
>>> jeremy at jeremysimon.com
>>> www.JeremySimon.com
>>>
>>>
>>> On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard <jrevillard at gnubila.fr>
>>> wrote:
>>> > Any advice for this please ?
>>> >
>>> > Best,
>>> > Jerome
>>> >
>>> >
>>> > On 17/02/2016 11:19, Jérôme Revillard wrote:
>>> >
>>> > Yes, it seems to be the case for the server, but not for the clients.
>>> > See the truststore config description here:
>>> >
>>> https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
>>> >
>>> > Best,
>>> > Jerome
>>> >
>>> > On 17/02/2016 11:09, Bruno Oliveira wrote:
>>> >
>>> > I'm not sure if I got your question in the right way. But from my
>>> > understanding Java truststore is the standard fall back.
>>> >
>>> > See item 3.2.5
>>> >
>>> https://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html
>>> >
>>> > On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <
>>> jrevillard at gnubila.fr>
>>> > wrote:
>>> >>
>>> >> Dear all,
>>> >>
>>> >> I'm testing now a Keycloak server properly configured with https
>>> >> configuration.
>>> >> The server certificate is one which is already known by the default
>>> >> java truststore.
>>> >> Would it be possible to setup the keycloak.json adapter config to use
>>> >> this default java truststore ?
>>> >>
>>> >> Best,
>>> >> Jerome
>>> >>
>>> >> _______________________________________________
>>> >> keycloak-user mailing list
>>> >> keycloak-user at lists.jboss.org
>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user