Configure HTTPS for Keycloak on RHEL 6.6
The documentation below is based on the information from these pages:

- http://docs.jboss.org/keycloak/docs/1.0-rc-1/userguide/html/server-installation.html
- http://blog.keycloak.org/2015_06_01_archive.html
- http://www.java-samples.com/showtutorial.php?tutorialid=210
- https://docs.oracle.com/javase/tutorial/security/toolsign/step5.html
### Generate self-signed certificate

Generate the certificate:

```sh
gocedar
cd CEDAR_CA
keytool -genkey -alias auth.metadatacenter.net -keyalg RSA -keystore keycloak.jks -validity 3650
```

This will prompt you for a keystore password. Provide a strong one and keep it in a safe place (for example in KeePassX).

Then fill out the responses to the questions as below:
```text
What is your first and last name?
  [Unknown]:  auth.metadatacenter.net
What is the name of your organizational unit?
  [Unknown]:  BMIR
What is the name of your organization?
  [Unknown]:  MED
What is the name of your City or Locality?
  [Unknown]:  Stanford
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=auth.metadatacenter.orgx, OU=BMIR, O=MED, L=Stanford, ST=California, C=US correct?
  [no]:  yes
```
At the end, when `keytool` asks for the key password for the alias, enter the same password again, or just press Enter to reuse the keystore password.
### Make keystore accessible for Keycloak

```sh
cp keycloak.jks $KEYCLOAK_HOME/standalone/configuration/
```
### Modify Keycloak configuration

```sh
cd $KEYCLOAK_HOME/standalone/configuration/
vi standalone.xml
```

Locate the `<security-realms>` element (inside `<management>`) and add the block below inside it. Replace `secret` with the keystore password you chose above; it is stored in plain text in this file, so keep the file's permissions restricted to the Keycloak service account.

```xml
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />
        </ssl>
    </server-identities>
</security-realm>
```
Locate the `<server name="default-server">` element of the undertow subsystem and add this line directly below the default `<http-listener>`:

```xml
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
```
Locate the `<socket-binding-group>` element. You will probably need to modify the already existing `https` socket binding. Change the line to the following:

```xml
<socket-binding name="https" port="${jboss.https.port:8543}"/>
```
### Verify the configuration

Start the server:

```sh
gokk
./bin/standalone.sh
```

Point your browser to the HTTPS port of the nginx proxy and check that the page loads: