This repository has been archived by the owner on Apr 17, 2023. It is now read-only.

Configure HTTPS for Keycloak on RHEL 6.6

Attila Levente EGYEDI edited this page Feb 23, 2016 · 25 revisions

The documentation below is based on the information from these pages:

http://docs.jboss.org/keycloak/docs/1.0-rc-1/userguide/html/server-installation.html

http://blog.keycloak.org/2015_06_01_archive.html

http://www.java-samples.com/showtutorial.php?tutorialid=210

https://docs.oracle.com/javase/tutorial/security/toolsign/step5.html

### Generate a self-signed certificate

Generate the certificate:

```sh
gocedar
cd CEDAR_CA
keytool -genkey -alias auth.metadatacenter.net -keyalg RSA -keystore keycloak.jks -validity 3650
```

This will prompt you for a keystore password. Provide a strong one and keep it in a safe place (KeePassX).

Then fill out the responses to the questions as below:

```text
What is your first and last name?
[Unknown]:  auth.metadatacenter.net
What is the name of your organizational unit?
[Unknown]:  BMIR
What is the name of your organization?
[Unknown]:  MED
What is the name of your City or Locality?
[Unknown]:  Stanford
What is the name of your State or Province?
[Unknown]:  California
What is the two-letter country code for this unit?
[Unknown]:  US
Is CN=auth.metadatacenter.net, OU=BMIR, O=MED, L=Stanford, ST=California, C=US correct?
[no]:  yes
```

At the end, keytool asks for a key password for the new alias: enter the same password again, or just press Enter to reuse the keystore password.

### Make the keystore accessible to Keycloak

```sh
cp keycloak.jks $KEYCLOAK_HOME/standalone/configuration/
```

### Modify the Keycloak configuration

```sh
cd $KEYCLOAK_HOME/standalone/configuration/
vi standalone.xml
```

Locate the `<security-realms>` element and add the realm below inside that block:

```xml
<security-realm name="UndertowRealm">
  <server-identities>
    <ssl>
      <!-- "secret" is a placeholder: use the keystore password you chose when running keytool -->
      <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />
    </ssl>
  </server-identities>
</security-realm>
```

The password is stored in clear text in standalone.xml, so keep that file readable only by the user Keycloak runs as.

Locate the `<server name="default-server">` element in the undertow subsystem and add this line below the default http listener:

```xml
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
```

Locate the `<socket-binding-group>` element. You will probably need to modify the already existing https socket binding. Change the line to the following:

```xml
<socket-binding name="https" port="${jboss.https.port:8543}"/>
```

### Verify the configuration

Start the server:

```sh
gokk
./bin/standalone.sh
```

Point your browser at the https port of the nginx proxy and check that the page loads:

```text
https://auth.metadatacenter.net
```
