Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Keycloak Secure Admin Console via TLS Certificate

See: https://github.com/jboss-developer/jboss-eap-quickstarts/blob/7.2.0.GA/helloworld-mutual-ssl-secured

Keystore generation

cd $JBOSS_HOME/standalone/configuration

Generate Server Keystore

KS_NAME=server.keystore
KS_STOREPASS=secret
KS_KEYPASS=secret
KS_DNAME="CN=localhost, OU=R&D, O=tdlabs, L=Saarbrücken, ST=SL, C=DE"

keytool -genkey \
 -keyalg RSA \
 -keystore $KS_NAME \
 -storepass $KS_STOREPASS \
 -keypass $KS_KEYPASS \
 -dname "$KS_DNAME" \
 -validity 365

Client Keystore

Generate Client Keystore

CLIENT_KS_NAME=client.keystore
CLIENT_KS_STOREPASS=secret
CLIENT_KS_KEYPASS=secret
CLIENT_CERT_CN=keycloak-admin
CLIENT_KS_DNAME="CN=$CLIENT_CERT_CN, OU=R&D, O=tdlabs, L=Saarbrücken, ST=SL, C=DE"

keytool -genkey \
 -keyalg RSA \
 -keystore $CLIENT_KS_NAME \
 -storepass $CLIENT_KS_STOREPASS \
 -keypass $CLIENT_KS_KEYPASS \
 -dname "$CLIENT_KS_DNAME" \
 -validity 365 \
 -keysize 2048 \
 -storetype pkcs12

Export client certificate

keytool -exportcert \
  -keystore $CLIENT_KS_NAME \
  -storetype pkcs12 \
  -storepass $CLIENT_KS_STOREPASS \
  -keypass $CLIENT_KS_KEYPASS \
  -file client.crt

Import client certificate into client truststore

keytool -import \
  -file client.crt \
  -alias $CLIENT_CERT_CN \
  -keystore client.truststore \
  -storepass $CLIENT_KS_STOREPASS \
  -noprompt

Export client certificate in pkcs12 format

keytool -importkeystore \
  -srckeystore $CLIENT_KS_NAME \
  -srcstorepass $CLIENT_KS_STOREPASS \
  -destkeystore clientCert.p12 \
  -srcstoretype PKCS12 \
  -deststoretype PKCS12 \
  -deststorepass $CLIENT_KS_STOREPASS

Minimal CLI Configuration

# Batch script to configure mutual(two way) SSL and role based access control in the JBoss EAP server
# embed-server -c=standalone.xml --std-out=echo
# embed-server -c=standalone-ha.xml --std-out=echo

# Start batching commands
batch

set kcKeystorePassword=${env.KEYCLOAK_KEYSTORE_PASSWORD:secret}
set httpCipherSuites="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

# Add the keystores, key manager, trust manager and ssl context configuration in the elytron subsystem
/subsystem=elytron/key-store=kcKeyStore:add(path=server.keystore,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=$kcKeystorePassword})
/subsystem=elytron/key-store=kcTrustStore:add(path=client.truststore,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=$kcKeystorePassword})
/subsystem=elytron/key-manager=kcKeyManager:add(key-store=kcKeyStore,credential-reference={clear-text=$kcKeystorePassword})
/subsystem=elytron/trust-manager=kcTrustManager:add(key-store=kcTrustStore)
/subsystem=elytron/server-ssl-context=kcAdminSSLContext:add( \
 key-manager=kcKeyManager, \
 trust-manager=kcTrustManager, \
 cipher-suite-filter=$httpCipherSuites, \
 protocols=[TLSv1.2], \
 need-client-auth=true \
)

# Configure dedicated https-listener for admin console access with custom port

/socket-binding-group=standard-sockets/socket-binding=https-admin/:add(port=${jboss.https-admin.port:8444})
/subsystem=undertow/server=default-server/https-listener=https-admin:add( \
  socket-binding=https-admin, \
  proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:true}", \
  enable-http2=true, \
  ssl-context=kcAdminSSLContext \
)

# Restrict access to /auth/admin to port 8444
/subsystem=undertow/configuration=filter/expression-filter=portAccess:add(expression="path-prefix('/auth/admin') and not equals(%p, 8444) -> response-code(403)")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=portAccess:add()

# Run the batch commands
run-batch
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.