Skip to content
Fetching contributors…
Cannot retrieve contributors at this time
177 lines (127 sloc) 7.58 KB

Setting up HTTPS/SSL

{project_name} is not set up by default to handle SSL/HTTPS. It is highly recommended that you either enable SSL on the {project_name} server itself or on a reverse proxy in front of the {project_name} server.

This default behavior is defined by the SSL/HTTPS mode of each {project_name} realm. This is discussed in more detail in the {adminguide_name}, but let’s give some context and a brief overview of these modes.

external requests

{project_name} can run out of the box without SSL so long as you stick to private IP addresses like localhost,, 10.0.x.x, 192.168.x.x, and 172.16.x.x. If you don’t have SSL/HTTPS configured on the server or you try to access {project_name} over HTTP from a non-private IP adress you will get an error.


{project_name} does not require SSL. This should really only be used in development when you are playing around with things.

all requests

{project_name} requires SSL for all IP addresses.

The SSL mode for each realm can be configured in the {project_name} admin console.

Enabling SSL/HTTPS for the {project_name} Server

If you are not using a reverse proxy or load balancer to handle HTTPS traffic for you, you’ll need to enable HTTPS for the {project_name} server. This involves

  1. Obtaining or generating a keystore that contains the private key and certificate for SSL/HTTP traffic

  2. Configuring the {project_name} server to use this keypair and certificate.

Creating the Certificate and Java Keystore

In order to allow HTTPS connections, you need to obtain a self signed or third-party signed certificate and import it into a Java keystore before you can enable HTTPS in the web container you are deploying the {project_name} Server to.

Self Signed Certificate

In development, you will probably not have a third party signed certificate available to test a {project_name} deployment so you’ll need to generate a self-signed one using the keytool utility that comes with the Java JDK.

$ keytool -genkey -alias localhost -keyalg RSA -keystore keycloak.jks -validity 10950
    Enter keystore password: secret
    Re-enter new password: secret
    What is your first and last name?
    [Unknown]:  localhost
    What is the name of your organizational unit?
    [Unknown]:  Keycloak
    What is the name of your organization?
    [Unknown]:  Red Hat
    What is the name of your City or Locality?
    [Unknown]:  Westford
    What is the name of your State or Province?
    [Unknown]:  MA
    What is the two-letter country code for this unit?
    [Unknown]:  US
    Is CN=localhost, OU=Keycloak, O=Test, L=Westford, ST=MA, C=US correct?
    [no]:  yes

You should answer What is your first and last name ? question with the DNS name of the machine you’re installing the server on. For testing purposes, localhost should be used. After executing this command, the keycloak.jks file will be generated in the same directory as you executed the keytool command in.

If you want a third-party signed certificate, but don’t have one, you can obtain one for free at You’ll have to do a little set up first before doing this though.

The first thing to do is generate a Certificate Request:

$ keytool -certreq -alias yourdomain -keystore keycloak.jks > keycloak.careq

Where yourdomain is a DNS name for which this certificate is generated for. Keytool generates the request:


Send this ca request to your CA. The CA will issue you a signed certificate and send it to you. Before you import your new cert, you must obtain and import the root certificate of the CA. You can download the cert from CA (ie.: root.crt) and import as follows:

$ keytool -import -keystore keycloak.jks -file root.crt -alias root

Last step is to import your new CA generated certificate to your keystore:

$ keytool -import -alias yourdomain -keystore keycloak.jks -file your-certificate.cer
Configure {project_name} to Use the Keystore

Now that you have a Java keystore with the appropriate certificates, you need to configure your {project_name} installation to use it. First, you must edit the standalone.xml, standalone-ha.xml, or host.xml file to use the keystore and enable HTTPS. You may then either move the keystore file to the configuration/ directory of your deployment or the file in a location you choose and provide an absolute path to it. If you are using absolute paths, remove the optional relative-to parameter from your configuration (See operating mode).

Add the new security-realm element using the CLI:

$ /core-service=management/security-realm=UndertowRealm:add()

$ /core-service=management/security-realm=UndertowRealm/server-identity=ssl:add(keystore-path=keycloak.jks, keystore-relative-to=jboss.server.config.dir, keystore-password=secret)

If using domain mode, the commands should be executed in every host using the /host=<host_name>/ prefix (in order to create the security-realm in all of them), like this, which you would repeat for each host:

$ /host=<host_name>/core-service=management/security-realm=UndertowRealm/server-identity=ssl:add(keystore-path=keycloak.jks, keystore-relative-to=jboss.server.config.dir, keystore-password=secret)

In the standalone or host configuration file, the security-realms element should look like this:

<security-realm name="UndertowRealm">
            <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />

Next, in the standalone or each domain configuration file, search for any instances of security-realm. Modify the https-listener to use the created realm:

$ /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=security-realm, value=UndertowRealm)

If using domain mode, prefix the command with the profile that is being used with: /profile=<profile_name>/.

The resulting element, server name="default-server", which is a child element of subsystem xmlns="{subsystem_undertow_xml_urn}", should contain the following stanza:

<subsystem xmlns="{subsystem_undertow_xml_urn}">
   <buffer-cache name="default"/>
   <server name="default-server">
      <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
You can’t perform that action at this time.