Running keycloak server on https

In this blog we will setup the keycloak instance with ssl encryption.


A running keycloak instance,

SSL certificates

NOTE: KEYCLOAK SETUP, follow the below mention links.

Keycloak Setup. Keycloak is an Open Source Identity and… | by Dheeraj kumar | Medium

Note: If you don’t have third party certificates, then you can generate one , self signed certificates by following the below mentioned blog or you can simply use these openssl commands.

#Create self-signed certificate

openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

How to create your own root ca to sign self signed certificates? | by Dheeraj kumar | Medium

Running the keycloak on https, consists of the two parts, In first part we will create the .Jks file which is needed for the keycloak server to provide ssl encryption, and in the second part, we will do the changes in the standalone.xml file to make our keycloak server compatible for https by using the .jks file that we have generated.

Step 1: Convert the x.509 cert and key to a pkcs12 file.

openssl pkcs12 -export -in server.crt -inkey server.key \
-out server.p12 -name [some-alias] \
-CAfile ca.crt -caname root

Note: Replace the crt and key name according to the certificates you have.

Step 2: Use the keytool to convert the pkcs12 file to a Java keystore.

keytool -importkeystore -deststorepass [test123/changeit] -destkeypass [test123/changeit] -destkeystore https.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password -alias [some-alias]

Note: server.p12 is the file that we created in the first step.

Step 3. Open the standalone.xml in keycloak. Location :- ./standalone/configuration/standalone.xml

In the standalone or domain configuration file, search for the security-realms element and add:

<security-realm name="UndertowRealm">
<keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />

Find the element server name="default-server" (it’s a child element of subsystem xmlns="urn:jboss:domain:undertow:3.0") and add:

<subsystem xmlns="urn:jboss:domain:undertow:3.0">
<buffer-cache name="default"/>
<server name="default-server">
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>

Step 4. Save the file and restart the server.