This repository has been archived by the owner on Apr 17, 2023. It is now read-only.

Configure HTTPS for Keycloak on RHEL 6.6

Attila Levente EGYEDI edited this page Apr 5, 2017 · 25 revisions

Make the Keystore accessible for Keycloak

gocedar
cd CEDAR_CA
cp keycloak.jks $KEYCLOAK_HOME/standalone/configuration/

Modify Keycloak configuration

cd $KEYCLOAK_HOME/standalone/configuration/
vi standalone.xml

Locate the security-realms element, and add the content below to that block.

Note: make sure to replace <PASSWORD> with the actual password that was used with keytool in the previous step! This password can be found in the CEDAR password stash under the name Keycloak Keystore - keycloak.jks.

<security-realm name="UndertowRealm">
  <server-identities>
    <ssl>
      <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="<PASSWORD>" />
    </ssl>
  </server-identities>
</security-realm>

Locate the server name="default-server" element and add an HTTPS listener next to the existing default HTTP listener, as follows:

<https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>

Locate the socket-binding-group element. You will probably need to modify the already existing https socket binding rather than add a new one. Change that line to the following:

<socket-binding name="https" port="${jboss.https.port:8543}"/>
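Before restarting, it is worth confirming that the three edits agree with each other: the https-listener must reference a security-realm that actually carries the keystore, its socket-binding must exist with the expected port, and the <PASSWORD> placeholder must be gone. The script below is an added example, not part of the CEDAR wiki or of Keycloak; the embedded standalone.xml fragment is a constructed stand-in (its namespace URIs are illustrative), and it is written namespace-agnostically so it also works on a real file passed as the first argument.

```python
# Added example (not from the CEDAR wiki): consistency check for the three
# standalone.xml edits above, meant to run before restarting Keycloak.
import sys
import xml.etree.ElementTree as ET

def _named(root, tag, **attrs):
    """Elements whose namespace-stripped tag is `tag` and whose attributes match."""
    return [e for e in root.iter() if e.tag.rsplit('}', 1)[-1] == tag
            and all(e.get(k) == v for k, v in attrs.items())]

def check_https_config(xml_text, expected_port="${jboss.https.port:8543}"):
    """Return a list of problems; an empty list means the HTTPS wiring is consistent."""
    if "<PASSWORD>" in xml_text:  # the placeholder is also not well-formed XML
        return ["keystore-password still holds the <PASSWORD> placeholder"]
    root = ET.fromstring(xml_text)
    listeners = _named(root, "https-listener")
    if not listeners:
        return ['no https-listener found under server name="default-server"']
    listener, problems = listeners[0], []
    realm = listener.get("security-realm")
    keystores = [k for r in _named(root, "security-realm", name=realm)
                 for k in _named(r, "keystore")]
    if not keystores:
        problems.append(f"security-realm {realm!r} missing or has no <keystore>")
    elif keystores[0].get("path") != "keycloak.jks" or not keystores[0].get("keystore-password"):
        problems.append("keystore must point at keycloak.jks and carry a keystore-password")
    binding = listener.get("socket-binding")
    ports = [b.get("port") for b in _named(root, "socket-binding", name=binding)]
    if ports != [expected_port]:
        problems.append(f"socket-binding {binding!r} port is {ports}, expected {expected_port!r}")
    return problems

# Constructed minimal stand-in for standalone.xml (namespace URIs are illustrative).
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:4.0"><management><security-realms>
 <security-realm name="UndertowRealm"><server-identities><ssl>
  <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="example-only"/>
 </ssl></server-identities></security-realm></security-realms></management>
 <profile><subsystem xmlns="urn:jboss:domain:undertow:3.1"><server name="default-server">
  <http-listener name="default" socket-binding="http"/>
  <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
 </server></subsystem></profile>
 <socket-binding-group name="standard-sockets">
  <socket-binding name="http" port="${jboss.http.port:8080}"/>
  <socket-binding name="https" port="${jboss.https.port:8543}"/>
 </socket-binding-group></server>"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STANDALONE_XML
    print(check_https_config(text) or ["OK: realm, listener and socket-binding agree"])
```

Run it as `python check_https.py $KEYCLOAK_HOME/standalone/configuration/standalone.xml`; any line printed other than the OK message is an edit that still needs fixing.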

Verify the configuration

Stop the server if it is running and restart it as follows:

gokk
./standalone.sh

At this moment you don't have the root certificate in your trust store, so accessing Keycloak from a browser on port 8543 should alert you about an invalid certificate.

You can test it from a Lynx browser on the host. If Lynx is not installed, you can install it as follows:

yum install lynx

And then test it:

lynx https://localhost:8543/

Lynx will alert you about the invalid SSL certificate. You can accept that and continue.

Note that this port is not necessarily open in the machine's firewall, so it may not be reachable externally. Subsequent Nginx configuration steps will proxy to this port through port 80.
