[keycloak-user] best way to save Keystore and Truststore passwords in standalone.xml?

Sebastian Laskawiec slaskawi at redhat.com
Mon Sep 9 05:00:16 EDT 2019


It depends on what you mean exactly.

Keycloak uses the Elytron subsystem from Wildfly [1] to set up TLS. The main
goal here is to configure the Undertow HTTPS listener. You can probably use a
Secure Credential Store here [2], but I highly recommend looking some
Wildfly manuals up.

Keycloak also provides its own Truststore SPI (which requires a Trust
Store). I'm not exactly sure, but maybe it is possible to use the Elytron
Credential Store and pass the password using some reference. Maybe @Peter
Skopek <pskopek at redhat.com> or @Pedro Igor Silva <psilva at redhat.com> could
help here.

[1] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem
[2] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem#UsingtheElytronSubsystem-CreateandUseaCredentialStore

On Sat, Sep 7, 2019 at 7:03 PM Chris Smith <chris.smith at cmfirstgroup.com>
wrote:

> How can the Keystore and Truststore passwords be reasonably saved? Just
> having them in plaintext in standalone.xml seems like kind of a "bad thing".
>
> Keycloak is running as a specific Active directory user, so set standalone
> as only accessible to that user and Domain Admins?
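As an added illustration of the credential-store approach mentioned above (this is not code from the thread, from Keycloak, or from the WildFly docs), the following JBoss CLI script moves the keystore and truststore passwords out of standalone.xml and into an Elytron credential store, then wires the resulting key store and trust store to the Undertow HTTPS listener. All names are assumptions: the store `CS` kept in `cs.jceks`, the key store `keycloak.jks`, the trust store `truststore.jks`, the aliases `keystorepass` and `truststorepass`, and the SSL context `httpsSSC`; every `CHANGE-ME-...` value is a placeholder. It covers only the Undertow HTTPS side; whether Keycloak's own Truststore SPI can take a credential-store reference is the open question in the reply above and is not addressed here.

```jboss-cli
# Added example, not from the thread. Run against a live server with:
#   bin/jboss-cli.sh --connect --file=elytron-credstore.cli
# Assumed names: store CS (cs.jceks), key store keycloak.jks, trust store
# truststore.jks, aliases keystorepass/truststorepass, SSL context httpsSSC.

# 1. Create the credential store. The store itself still needs a password to
#    open it; here that one value stays clear-text in standalone.xml, so file
#    permissions on standalone.xml and cs.jceks still matter (the WildFly docs
#    describe masked or externally supplied store passwords as an alternative).
/subsystem=elytron/credential-store=CS:add(location="cs.jceks", relative-to=jboss.server.config.dir, credential-reference={clear-text="CHANGE-ME-store-password"}, create=true)

# 2. Store the secrets. After this step the keystore and truststore passwords
#    live only inside cs.jceks, not in standalone.xml.
/subsystem=elytron/credential-store=CS:add-alias(alias=keystorepass, secret-value="CHANGE-ME-keystore-password")
/subsystem=elytron/credential-store=CS:add-alias(alias=truststorepass, secret-value="CHANGE-ME-truststore-password")

# 3. Key store and trust store resources reference the aliases instead of a
#    clear-text password.
/subsystem=elytron/key-store=httpsKS:add(path=keycloak.jks, relative-to=jboss.server.config.dir, type=JKS, credential-reference={store=CS, alias=keystorepass})
/subsystem=elytron/key-store=httpsTS:add(path=truststore.jks, relative-to=jboss.server.config.dir, type=JKS, credential-reference={store=CS, alias=truststorepass})

# 4. Key manager, trust manager and server SSL context for the HTTPS listener.
/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS, credential-reference={store=CS, alias=keystorepass})
/subsystem=elytron/trust-manager=httpsTM:add(key-store=httpsTS)
/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM, trust-manager=httpsTM)

# 5. Point Undertow's https-listener at the Elytron SSL context. The legacy
#    security-realm attribute has to be removed first; the two are exclusive.
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=httpsSSC)
run-batch
reload

# 6. Verify: both aliases exist, and the key-store resource carries a
#    store/alias reference rather than a clear-text password.
/subsystem=elytron/credential-store=CS:read-aliases
/subsystem=elytron/key-store=httpsKS:read-attribute(name=credential-reference)
```

After the script runs, the `<key-store>` and `<key-manager>` elements in standalone.xml carry `<credential-reference store="CS" alias="keystorepass"/>` instead of a `clear-text` password, so a copy of standalone.xml alone no longer reveals the keystore or truststore password. The file-permission point from the original question still applies, since the credential store's own password and the `cs.jceks` file remain on disk.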