Manage Keycloak truststore using the Container Cloud web UI

Available since 2.26.0 (17.1.0 and 16.1.0)

While communicating with external services, Keycloak must validate the certificate of the remote server to ensure secured connection.

By default, the standard Java Truststore configuration is used for validating outgoing requests. In order to properly validate client self-signed certificates, the truststore configuration must be added. The truststore is used to ensure secured connection to identity brokers, LDAP identity providers, and so on.

If a custom truststore is set, only certificates from that truststore are used. If trusted public CA certificates are also required, they must be included in the custom truststore.

To add a custom truststore for Keycloak using the Container Cloud web UI:

  1. Log in to the Container Cloud web UI with the m:kaas:namespace@operator or m:kaas:namespace@writer permissions.

  2. Switch to the default project using the Switch Project action icon located on top of the main left-side navigation panel.

  3. In the Clusters tab, click the More action icon in the last column of the management cluster and select Configure cluster.

  4. In the window that opens, click Keycloak and select Configure trusted certificates.

    Note

    The Configure trusted certificates check box is available since Container Cloud 2.26.4 (Cluster releases 17.1.4 and 16.1.4).

  5. In the Truststore section that opens, fill out and save the form with the following parameters:

    Parameter

    Description

    Data

    Content of the truststore file. Click Upload to select the required file.

    Password

    Password of the truststore. Mandatory.

    Type

    Supported truststore types: jks, pkcs12, or bcfks.

    Hostname verification policy

    Optional verification of the host name of the server certificate:

    • The default WILDCARD value allows wildcards in subdomain names.

    • The STRICT value requires the Common Name (CN) to match the host name.

  6. Click Update.

Once a custom truststore for Keycloak is applied, the following configuration is added to the Cluster object:

spec:
  providerSpec:
    value:
      kaas:
        management:
          keycloak:
            truststore:
              data:
                value: # base64 encoded truststore file content
              password:
                value: # string
              type: # string
              hostnameVerificationPolicy: # string

Note

Use the same web UI menu to customize an existing truststore or reset it to default settings, which is available since Container Cloud 2.26.4 (Cluster releases 17.1.4 and 16.1.4).