[keycloak-user] Adapter truststore: use default java truststore possible?
Jérôme Revillard
jrevillard at gnubila.fr
Fri Feb 19 11:24:39 EST 2016
Ok thanks I will check and let you know if I have problems.
Best,
Jerome
On 19/02/2016 17:13, Marko Strukelj wrote:
> :)
>
> Bill can confirm, but I think -Djavax.net.ssl.trustStore should work
> on the adapter side, and using adapter 'truststore' property is
> optional. If set it overrides Java runtime truststore config, if not
> java runtime truststore is used.
>
> On Fri, Feb 19, 2016 at 5:01 PM, Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
> So, how do you like the new keycloak logo?
>
>
> On 2/19/2016 10:55 AM, Marko Strukelj wrote:
>> That's just an expression used when someone steers the thread
>> into an unrelated topic :)
>>
>> On Fri, Feb 19, 2016 at 4:39 PM, Jeremy Simon
>> <jeremy at jeremysimon.com <mailto:jeremy at jeremysimon.com>> wrote:
>>
>> Sorry, I simply misunderstood. Not trying to hijack anything...
>> What good would that do??
>>
>> On Feb 19, 2016 9:53 AM, "Marko Strukelj"
>> <mstrukel at redhat.com <mailto:mstrukel at redhat.com>> wrote:
>>
>> Please don't hijack a thread. These sound like two
>> separate issues. Here we are talking about getting client
>> adapter to connect to https protected Keycloak server -
>> which requires that some truststore is used by HttpClient
>> library used by adapter.
>>
>> What you are talking about - realm keys - is something
>> completely different, and has nothing to do with a
>> truststore.
>>
>> On Fri, Feb 19, 2016 at 3:10 PM, Jeremy Simon
>> <jeremy at jeremysimon.com <mailto:jeremy at jeremysimon.com>>
>> wrote:
>>
>> Hey there,
>>
>> I had asked about this a while ago too. Far as I know, the current
>> implementation uses the jks for the HTTPS communication only. All
>> realms generate their own key pair.
>>
>> Now to get around that, maybe you could export a realm to JSON, put in
>> what you want for the key information and import it as a new realm or
>> server configuration. That might be a little crazy. The more I
>> thought about it, since the realm key pairs are for signing and
>> encrypting the JWTs (or saml), that it's kinda nice you can hit a key
>> and generate new ones in case of a compromise...or to keep stuff
>> revolving.
>>
>> Hope that helps!
>>
>> jeremy
>> jeremy at jeremysimon.com <mailto:jeremy at jeremysimon.com>
>> www.JeremySimon.com <http://www.JeremySimon.com>
>>
>>
>> On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard
>> <jrevillard at gnubila.fr
>> <mailto:jrevillard at gnubila.fr>> wrote:
>> > Any advice for this please?
>> >
>> > Best,
>> > Jerome
>> >
>> >
>> > On 17/02/2016 11:19, Jérôme Revillard wrote:
>> >
>> > Yes, it seems to be the case for the server, but not for the clients. See
>> > the truststore config description here:
>> > https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
>> >
>> > Best,
>> > Jerome
>> >
>> > On 17/02/2016 11:09, Bruno Oliveira wrote:
>> >
>> > I'm not sure if I got your question in the right way. But from my
>> > understanding Java truststore is the standard fall back.
>> >
>> > See item 3.2.5
>> > https://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html
>> >
>> > On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard
>> <jrevillard at gnubila.fr <mailto:jrevillard at gnubila.fr>>
>> > wrote:
>> >>
>> >> Dear all,
>> >>
>> >> I'm testing now a Keycloak server properly configured with https
>> >> configuration.
>> >> The server certificate is one which is already known by the default java
>> >> truststore.
>> >> Would it be possible to set up the keycloak.json adapter config to use
>> >> this default java truststore?
>> >>
>> >> Best,
>> >> Jerome
>> >>
>> >> _______________________________________________
>> >> keycloak-user mailing list
>> >> keycloak-user at lists.jboss.org
>> <mailto:keycloak-user at lists.jboss.org>
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
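
The thread turns on which trust anchors the JVM hands to an HTTPS client when no explicit truststore is configured. The following is an added example, not part of the thread and not Keycloak adapter code: it uses only standard JSSE calls to list the CAs that are trusted by default (honouring -Djavax.net.ssl.trustStore) or by an explicit JKS file, so you can confirm that the CA which issued the Keycloak server certificate is present. The class name `TrustStoreCheck` and the `TRUSTSTORE_PASSWORD` environment variable are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {

    // A null KeyStore makes JSSE fall back to the JVM default: the file named by
    // -Djavax.net.ssl.trustStore if set, otherwise jssecacerts or cacerts in the JRE.
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Load an explicit JKS file, the kind of file an adapter 'truststore' setting names.
    // A null password skips the integrity check but still reads the certificates.
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TrustStoreCheck [explicit.jks]
        // TRUSTSTORE_PASSWORD is a name assumed for this example, not a Keycloak setting.
        String pw = System.getenv("TRUSTSTORE_PASSWORD");
        KeyStore explicit = args.length == 1
            ? loadJks(args[0], pw == null ? null : pw.toCharArray()) : null;
        String source = explicit != null ? args[0]
            : System.getProperty("javax.net.ssl.trustStore", "<JRE default cacerts>");
        X509Certificate[] issuers = trustManagerFor(explicit).getAcceptedIssuers();
        System.out.println("Trust anchors from: " + source);
        System.out.println("Accepted issuers:   " + issuers.length);
        for (X509Certificate ca : issuers) {
            System.out.println("  " + ca.getSubjectX500Principal().getName());
        }
    }
}
```

Run it with the same JVM and the same -D options as the application server hosting the adapter, since the default trust anchors depend on both.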