Manage Keycloak truststore using the Container Cloud web UI
Available since 2.26.0 (17.1.0 and 16.1.0)
While communicating with external services, Keycloak must validate the certificate of the remote server to ensure a secure connection.
By default, the standard Java truststore is used to validate outgoing requests. To properly validate self-signed certificates, a custom truststore configuration must be added. The truststore is used to secure connections to identity brokers, LDAP identity providers, and so on.
If a custom truststore is set, only certificates from that truststore are used. If trusted public CA certificates are also required, they must be included in the custom truststore.
To add a custom truststore for Keycloak using the Container Cloud web UI:
1. Log in to the Container Cloud web UI with the m:kaas:namespace@operator or m:kaas:namespace@writer permissions.
2. Switch to the default project using the Switch Project action icon located on top of the main left-side navigation panel.
3. In the Clusters tab, click the More action icon in the last column of the management cluster and select Configure cluster.
4. In the window that opens, click Keycloak and select Configure trusted certificates.
   Note
   The Configure trusted certificates check box is available since Container Cloud 2.26.4 (Cluster releases 17.1.4 and 16.1.4).
5. In the Truststore section that opens, fill out and save the form with the following parameters:
   Parameter                      Description
   Data                           Content of the truststore file. Click Upload to select the required file.
   Password                       Password of the truststore. Mandatory.
   Type                           Supported truststore types: jks, pkcs12, or bcfks.
   Hostname verification policy   Optional verification of the host name of the server certificate:
                                  - The default WILDCARD value allows wildcards in subdomain names.
                                  - The STRICT value requires the Common Name (CN) to match the host name.
6. Click Update.
Once a custom truststore for Keycloak is applied, the following configuration is added to the Cluster object:
spec:
  providerSpec:
    value:
      kaas:
        management:
          keycloak:
            truststore:
              data:
                value: # base64 encoded truststore file content
              password:
                value: # string
              type: # string
              hostnameVerificationPolicy: # string
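As an added example (not Container Cloud code), the following hypothetical Python helper assembles the truststore fragment above for the Cluster object and applies the same constraints as the form: the password is mandatory, the type must be jks, pkcs12 or bcfks, the policy must be WILDCARD or STRICT, and the uploaded bytes are base64-encoded as the data value. The file-header sanity checks are the helper's own assumption (JKS magic bytes, DER header for pkcs12 and bcfks), not something the web UI documents.

```python
import base64
import json

# Hypothetical helper, not part of Container Cloud: builds the same
# spec.providerSpec.value.kaas.management.keycloak.truststore fragment that
# the web UI form writes, applying the form's constraints first.
TRUSTSTORE_TYPES = {"jks", "pkcs12", "bcfks"}
HOSTNAME_POLICIES = {"WILDCARD", "STRICT"}
JKS_MAGIC = b"\xfe\xed\xfe\xed"  # every JKS file starts with these bytes
DER_SEQUENCE = 0x30  # PKCS#12 and BCFKS files are DER-encoded ASN.1 SEQUENCEs


def check_truststore_bytes(data: bytes, ts_type: str) -> None:
    """Reject obviously wrong uploads (empty file, PEM bundle, wrong type)
    before the blob is handed to Keycloak, where it would fail at runtime."""
    if not data:
        raise ValueError("truststore file is empty")
    if ts_type == "jks" and not data.startswith(JKS_MAGIC):
        raise ValueError("file does not look like a JKS keystore")
    if ts_type in ("pkcs12", "bcfks") and data[0] != DER_SEQUENCE:
        raise ValueError(f"file does not look like a DER-encoded {ts_type} store")


def build_truststore_patch(data: bytes, password: str, ts_type: str,
                           hostname_policy: str = "WILDCARD") -> dict:
    """Return a JSON merge-patch body for the management Cluster object."""
    ts_type = ts_type.lower()
    if ts_type not in TRUSTSTORE_TYPES:
        raise ValueError(f"unsupported truststore type {ts_type!r}")
    if not password:  # the form marks the password as mandatory
        raise ValueError("truststore password is mandatory")
    if hostname_policy not in HOSTNAME_POLICIES:
        raise ValueError(f"unknown hostname verification policy {hostname_policy!r}")
    check_truststore_bytes(data, ts_type)
    truststore = {
        "data": {"value": base64.b64encode(data).decode("ascii")},
        "password": {"value": password},
        "type": ts_type,
        "hostnameVerificationPolicy": hostname_policy,
    }
    return {"spec": {"providerSpec": {"value": {"kaas": {"management": {
        "keycloak": {"truststore": truststore}}}}}}}


if __name__ == "__main__":
    # Constructed stand-in for a PKCS#12 file: only the DER header is realistic.
    sample = b"\x30\x82\x01\x00" + b"\x00" * 16
    print(json.dumps(build_truststore_patch(sample, "changeit", "pkcs12", "STRICT"), indent=2))
```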
Note
Use the same web UI menu to customize an existing truststore or reset it to default settings, which is available since Container Cloud 2.26.4 (Cluster releases 17.1.4 and 16.1.4).