[keycloak-user] Adapter truststore: use default Java truststore possible?

Marko Strukelj mstrukel at redhat.com
Fri Feb 19 11:13:09 EST 2016


:)

Bill can confirm, but I think -Djavax.net.ssl.trustStore should work on the
adapter side, and using the adapter 'truststore' property is optional. If set,
it overrides the Java runtime truststore config; if not, the Java runtime
truststore is used.

On Fri, Feb 19, 2016 at 5:01 PM, Bill Burke <bburke at redhat.com> wrote:

> So, how do you like the new keycloak logo?
>
>
> On 2/19/2016 10:55 AM, Marko Strukelj wrote:
>
> That's just an expression used when someone steers the thread into an
> unrelated topic :)
>
> On Fri, Feb 19, 2016 at 4:39 PM, Jeremy Simon <jeremy at jeremysimon.com>
> wrote:
>
>> Sorry, I simply misunderstood.  Not trying to hijack anything... What good
>> would that do??
>> On Feb 19, 2016 9:53 AM, "Marko Strukelj" <mstrukel at redhat.com> wrote:
>>
>>> Please don't hijack a thread. These sound like two separate issues. Here
>>> we are talking about getting the client adapter to connect to an
>>> HTTPS-protected Keycloak server - which requires that some truststore is
>>> used by the HttpClient library used by the adapter.
>>>
>>> What you are talking about - realm keys - is something completely
>>> different, and has nothing to do with a truststore.
>>>
>>> On Fri, Feb 19, 2016 at 3:10 PM, Jeremy Simon <jeremy at jeremysimon.com> wrote:
>>>
>>>> Hey there,
>>>>
>>>> I had asked about this a while ago too.  As far as I know, the current
>>>> implementation uses the JKS for the HTTPS communication only.  All
>>>> realms generate their own key pair.
>>>>
>>>> Now to get around that, maybe you could export a realm to JSON, put in
>>>> what you want for the key information and import it as a new realm or
>>>> server configuration.  That might be a little crazy.  The more I
>>>> thought about it, since the realm key pairs are for signing and
>>>> encrypting the JWTs (or saml), that it's kinda nice you can hit a key
>>>> and generate new ones in case of a compromise...or to keep stuff
>>>> revolving.
>>>>
>>>> Hope that helps!
>>>>
>>>> jeremy
>>>> jeremy at jeremysimon.com
>>>> www.JeremySimon.com
>>>>
>>>>
>>>> On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard <
>>>> jrevillard at gnubila.fr> wrote:
>>>> > Any advice for this please?
>>>> >
>>>> > Best,
>>>> > Jerome
>>>> >
>>>> >
>>>> > On 17/02/2016 11:19, Jérôme Revillard wrote:
>>>> >
>>>> > Yes, it seems to be the case for the server, but not for the clients.
>>>> > See the truststore config description here:
>>>> >
>>>> > https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
>>>> >
>>>> > Best,
>>>> > Jerome
>>>> >
>>>> > On 17/02/2016 11:09, Bruno Oliveira wrote:
>>>> >
>>>> > I'm not sure if I got your question in the right way. But from my
>>>> > understanding the Java truststore is the standard fallback.
>>>> >
>>>> > See item 3.2.5
>>>> >
>>>> https://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html
>>>> >
>>>> > On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <jrevillard at gnubila.fr>
>>>> > wrote:
>>>> >>
>>>> >> Dear all,
>>>> >>
>>>> >> I'm now testing a Keycloak server properly configured for HTTPS.
>>>> >> The server certificate is one which is already known by the default
>>>> >> Java truststore.
>>>> >> Would it be possible to set up the keycloak.json adapter config to use
>>>> >> this default Java truststore?
>>>> >>
>>>> >> Best,
>>>> >> Jerome
>>>> >>
>>>> >> _______________________________________________
>>>> >> keycloak-user mailing list
>>>> >> keycloak-user at lists.jboss.org
>>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >
>>>> >
>>>> >
>>>>
>>>>
>>>
>>>
>>>
>>
>
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
>
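The precedence Marko describes above (adapter 'truststore' property if set, otherwise the JVM's own truststore), shown as an added example that is not Keycloak's adapter code. The AdapterConfig class is a stand-in for the two keycloak.json properties; the truststore path, password and Keycloak URL are assumed placeholders for a real deployment.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Keycloak's code): how an adapter-side HTTPS client can
 * choose the truststore that verifies the Keycloak server certificate.
 *
 * Precedence, as discussed in the thread:
 *   1. keycloak.json "truststore" / "truststore-password", if set
 *   2. otherwise the JVM default, i.e. -Djavax.net.ssl.trustStore and
 *      -Djavax.net.ssl.trustStorePassword, falling back to lib/security/cacerts
 *
 * Run with the JVM default, e.g.:
 *   java -Djavax.net.ssl.trustStore=/etc/pki/java/truststore.jks \
 *        -Djavax.net.ssl.trustStorePassword=changeit AdapterTrustStore
 */
public class AdapterTrustStore {

    /** Stand-in for the two keycloak.json properties that matter here (assumed shape). */
    public static final class AdapterConfig {
        public final String truststore;          // path to a JKS, or null if not configured
        public final String truststorePassword;  // may be null (JKS loads without integrity check)

        public AdapterConfig(String truststore, String truststorePassword) {
            this.truststore = truststore;
            this.truststorePassword = truststorePassword;
        }
    }

    /** Builds the SSLContext the adapter's HTTP client should use. */
    public static SSLContext sslContextFor(AdapterConfig cfg) throws Exception {
        if (cfg.truststore == null) {
            // No adapter-level truststore: use the runtime default. The default
            // TrustManager honours -Djavax.net.ssl.trustStore; without it, cacerts.
            return SSLContext.getDefault();
        }

        // Adapter-level truststore configured: it replaces (does not merge with)
        // the JVM truststore, so it must contain the Keycloak server's CA chain.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cfg.truststore)) {
            char[] pw = cfg.truststorePassword == null ? null : cfg.truststorePassword.toCharArray();
            ts.load(in, pw);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material needed
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: placeholder path/password/URL, not from any real deployment.
        AdapterConfig explicit = new AdapterConfig("/etc/keycloak/adapter-truststore.jks", "changeit");
        AdapterConfig jvmDefault = new AdapterConfig(null, null);

        boolean useExplicit = args.length > 0 && args[0].equals("explicit");
        SSLContext ctx = sslContextFor(useExplicit ? explicit : jvmDefault);

        // Same kind of request the adapter makes to the Keycloak server (e.g. fetching
        // realm keys or exchanging a code); hostname verification stays enabled.
        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://keycloak.example.com/auth/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Two checks worth doing before trusting either path: confirm the CA that issued the Keycloak server certificate is present in whichever store ends up being used (keytool -list on the adapter JKS, or on the JVM's cacerts when no adapter truststore is set), and keep the adapter's disable-trust-manager option at its default of false outside of throwaway test setups, since it turns certificate validation off entirely rather than changing which store is consulted.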