[keycloak-user] Adapter truststore: use default java truststore possible?

Bill Burke bburke at redhat.com
Fri Feb 19 11:01:16 EST 2016


So, how do you like the new keycloak logo?

On 2/19/2016 10:55 AM, Marko Strukelj wrote:
> That's just an expression used when someone steers the thread into an 
> unrelated topic :)
>
> On Fri, Feb 19, 2016 at 4:39 PM, Jeremy Simon <jeremy at jeremysimon.com> wrote:
>
>     Sorry, I simply misunderstood.  Not trying to hijack anything... What
>     good would that do??
>
>     On Feb 19, 2016 9:53 AM, "Marko Strukelj" <mstrukel at redhat.com> wrote:
>
>         Please don't hijack a thread. These sound like two separate
>         issues. Here we are talking about getting client adapter to
>         connect to https protected Keycloak server - which requires
>         that some truststore is used by HttpClient library used by
>         adapter.
>
>         What you are talking about - realm keys - is something
>         completely different, and has nothing to do with a truststore.
>
>         On Fri, Feb 19, 2016 at 3:10 PM, Jeremy Simon <jeremy at jeremysimon.com> wrote:
>
>             Hey there,
>
>             I had asked about this a while ago too.  Far as I know, the
>             current implementation uses the jks for the HTTPS communication
>             only.  All realms generate their own key pair.
>
>             Now to get around that, maybe you could export a realm to JSON,
>             put in what you want for the key information and import it as a
>             new realm or server configuration.  That might be a little
>             crazy.  The more I thought about it, since the realm key pairs
>             are for signing and encrypting the JWTs (or saml), that it's
>             kinda nice you can hit a key and generate new ones in case of a
>             compromise...or to keep stuff revolving.
>
>             Hope that helps!
>
>             jeremy
>             jeremy at jeremysimon.com
>             www.JeremySimon.com
>
>
>             On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard <jrevillard at gnubila.fr> wrote:
>             > Any advice for this please?
>             >
>             > Best,
>             > Jerome
>             >
>             >
>             > On 17/02/2016 11:19, Jérôme Revillard wrote:
>             >
>             > Yes, it seems to be the case for the server, but not for the clients. See
>             > the truststore config description here:
>             > https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
>             >
>             > Best,
>             > Jerome
>             >
>             > On 17/02/2016 11:09, Bruno Oliveira wrote:
>             >
>             > I'm not sure if I got your question in the right way. But from my
>             > understanding Java truststore is the standard fall back.
>             >
>             > See item 3.2.5
>             >
>             > https://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html
>             >
>             > On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <jrevillard at gnubila.fr> wrote:
>             >>
>             >> Dear all,
>             >>
>             >> I'm testing now a Keycloak server properly configured with https
>             >> configuration.
>             >> The server certificate is one which is already known by the default java
>             >> truststore.
>             >> Would it be possible to set up the keycloak.json adapter config to use
>             >> this default java truststore?
>             >>
>             >> Best,
>             >> Jerome
>             >>
>             >> _______________________________________________
>             >> keycloak-user mailing list
>             >> keycloak-user at lists.jboss.org
>             >> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
