[keycloak-user] best way to save Keystore and Truststore passwords in standalone.xml?
Chris Smith
chris.smith at cmfirstgroup.com
Mon Sep 9 11:24:29 EDT 2019
What I’m trying to avoid is having the ssl keystore password (keycloak.jks) and the truststore password (truststore.jks) as plaintext in the keycloak configuration file (in my case, standalone.xml).
I’ll try to look up the Wildfly docs for more information and/or suggestions
From: Sebastian Laskawiec <slaskawi at redhat.com>
Sent: Monday, September 9, 2019 4:00 AM
To: Chris Smith <chris.smith at cmfirstgroup.com>; Peter Skopek <pskopek at redhat.com>; Pedro Igor Silva <psilva at redhat.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] best way to save Keystore and Truststore passwords in standalone.xml?
It depends on what exactly you mean.
Keycloak uses the Elytron subsystem from Wildfly [1] to set up TLS. The main goal here is to configure the Undertow HTTPS listener. You may probably use a Secure Credential Store here [2], but I highly recommend looking up some Wildfly manuals.
Keycloak also provides its own Truststore SPI (that requires a Trust Store). I'm not exactly sure, but maybe it is possible to use the Elytron Credential Store and pass the password using some reference. Maybe @Peter Skopek or @Pedro Igor Silva could help here.
[1] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem
[2] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem#UsingtheElytronSubsystem-CreateandUseaCredentialStore
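As an added example (not from this thread and not Keycloak's or Wildfly's own documentation), the following jboss-cli session shows the Elytron approach referenced in [2]: the keystore password is stored as an alias in an Elytron credential store, and the Undertow HTTPS listener is switched to an Elytron server-ssl-context whose key-store refers to that alias, so standalone.xml only carries a credential-reference instead of the password itself. The names myCredStore, keystorePassword, httpsKS, httpsKM and httpsSSC, and the secret values, are assumptions chosen for the example; keycloak.jks and truststore.jks are the file names from the question.

```jboss-cli
# Constructed example: run with bin/jboss-cli.sh -c --file=<this file> against a running server.
# 1. Create the credential store (file lives next to standalone.xml).
#    The store itself needs a password; "clear-text" here is the store's own password
#    (assumed value). To keep even that out of standalone.xml, generate a masked value with
#    bin/elytron-tool.sh mask --salt <8-char-salt> --iteration <n> --secret <store-password>
#    and put the resulting "MASK-...;<salt>;<n>" string in clear-text instead.
/subsystem=elytron/credential-store=myCredStore:add(location="cred.store", relative-to=jboss.server.config.dir, credential-reference={clear-text="CHANGE-ME-store-password"}, create=true)

# 2. Store the keystore and truststore passwords under aliases (assumed secret values).
/subsystem=elytron/credential-store=myCredStore:add-alias(alias=keystorePassword, secret-value="CHANGE-ME-keystore-password")
/subsystem=elytron/credential-store=myCredStore:add-alias(alias=truststorePassword, secret-value="CHANGE-ME-truststore-password")

# 3. Reference keycloak.jks through the alias; no password appears in standalone.xml.
/subsystem=elytron/key-store=httpsKS:add(path=keycloak.jks, relative-to=jboss.server.config.dir, type=JKS, credential-reference={store=myCredStore, alias=keystorePassword})
/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS, credential-reference={store=myCredStore, alias=keystorePassword})
/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM, protocols=["TLSv1.2"])

# 4. Point the HTTPS listener at the Elytron SSL context. security-realm and ssl-context are
#    mutually exclusive on the listener, so undefine the legacy realm in the same batch.
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=httpsSSC)
run-batch
reload
```

Two things worth checking afterwards: the resulting cred.store file must be readable only by the service account Keycloak runs as (it is now the secret that protects the others), and the truststorePassword alias is only useful where a credential-reference is accepted (for example an Elytron key-store backing a trust-manager); whether Keycloak's own Truststore SPI can read its password from the credential store is the open question raised above, not something this example answers.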
On Sat, Sep 7, 2019 at 7:03 PM Chris Smith <chris.smith at cmfirstgroup.com> wrote:
How can the Keystore and Truststore passwords be reasonably saved? Just having them in plaintext in standalone.xml seems like kind of a "bad thing".
Keycloak is running as a specific Active directory user, so set standalone as only accessible to that user and Domain Admins?
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user