Enable the TLS-based JGroups encryption by default and update the docs

Closes #37696

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Alexander Schwartz
2025-03-03 14:50:51 +01:00
committed by GitHub
parent a0de3c26d7
commit bc7ec1208e
23 changed files with 206 additions and 132 deletions
-35
@@ -814,41 +814,6 @@ jobs:
with:
job-id: clustering-integration-tests
clustering-integration-tests-mtls:
name: Clustering IT (mTLS)
needs: build
runs-on: ubuntu-latest
timeout-minutes: 35
env:
MAVEN_OPTS: -Xmx1536m
steps:
- uses: actions/checkout@v4
- id: integration-test-setup
name: Integration test setup
uses: ./.github/actions/integration-test-setup
- name: Run cluster tests with mtls
run: |
./mvnw test ${{ env.SUREFIRE_RETRY }} -Pauth-server-cluster-quarkus,db-postgres "-Dwebdriver.chrome.driver=$CHROMEWEBDRIVER/chromedriver" -Dsession.cache.owners=2 -Dtest=RealmInvalidationClusterTest,JGroupsCertificateRotationClusterTest -Dauth.server.jgroups.mtls=true -Dauth.server.quarkus.log-level=org.keycloak.infinispan.module.certificates:DEBUG -pl testsuite/integration-arquillian/tests/base
- name: Upload JVM Heapdumps
if: always()
uses: ./.github/actions/upload-heapdumps
- uses: ./.github/actions/upload-flaky-tests
name: Upload flaky tests
env:
GH_TOKEN: ${{ github.token }}
with:
job-name: Clustering IT (mTLS)
- name: Surefire reports
if: always()
uses: ./.github/actions/archive-surefire-reports
with:
job-id: clustering-integration-tests-mtls
fips-unit-tests:
name: FIPS UT
runs-on: ubuntu-latest
@@ -16,6 +16,15 @@ Use -1 to disable reloading. Defaults to `https-certificates-reload-period`, whi
For more information, check the link:https://www.keycloak.org/server/management-interface#_tls_support[Configuring the Management Interface] guide.
= Zero-configuration secure cluster communication
For clustering multiple nodes, {project_name} uses distributed caches.
Starting with this release for all TCP-based transport stacks, the communication between the nodes is encrypted with TLS and secured with automatically generated ephemeral keys and certificates.
This strengthens a secure-by-default setup and minimizes the configuration steps of new setups.
For more information, check the link:https://www.keycloak.org/server/caching#_securing_transport_stacks[Securing Transport Stacks] in the distributed caches guide.
= New cache for CRLs loaded for the X.509 authenticator
Now the Certificate Revocation Lists (CRL), that are used to validate certificates in the X.509 authenticator, are cached inside a new infinispan cache called `crl`. Caching improves the validation performance and decreases the memory consumption because just one CRL is maintained per source.
@@ -43,4 +43,6 @@ https://saml.xml.org*
https://www.keycloak.org/server/logging#_configuring_levels_as_individual_options
https://www.keycloak.org/observability/*
https://www.keycloak.org/high-availability/concepts-memory-and-cpu-sizing#_measuring_the_activity_of_a_running_keycloak_instance
http://example.com:8080
http://example.com:8080
# To be removed once KC 26.2 has been released
https://www.keycloak.org/server/caching#_securing_transport_stacks
@@ -18,3 +18,16 @@ the `X-Forwarded-Port` header with the desired port.
The required JAR for the Oracle JDBC driver that needs to be explicitly added to the distribution has changed.
Instead of providing `ojdbc11` JAR, use `ojdbc17` JAR as stated in the https://www.keycloak.org/server/db#_installing_the_oracle_database_driver[Installing the Oracle Database driver] guide.
= Zero-configuration secure cluster communication
For clustering multiple nodes, {project_name} uses distributed caches.
Starting with this release for all TCP-based transport stacks, the communication between the nodes is encrypted with TLS and secured with automatically generated ephemeral keys and certificates.
If you are not using a TCP-based transport stack, it is recommended to migrate to the `jdbc-ping` transport stack to benefit from the simplified configuration and enhanced security.
If you provided your own keystore and truststore to secure the TCP transport stack communication in previous releases, it is now recommended to migrate to the automatically generated ephemeral keys and certificates to benefit from the simplified setup.
If you are using a custom transport stack, this default behavior can be disabled by setting the option `cache-embedded-mtls-enabled` to `false`.
For more information, check the link:https://www.keycloak.org/server/caching#_securing_transport_stacks[Securing Transport Stacks] in the distributed caches guide.
+20 -57
@@ -212,7 +212,8 @@ The CLI options `cache-remote-username` and `cache-remote-password` are optional
If the {jdgserver_name} server has authentication enabled, {project_name} will fail to start.
== Transport stacks
Transport stacks ensure that distributed cache nodes in a cluster communicate in a reliable fashion.
Transport stacks ensure that {project_name} nodes in a cluster communicate in a reliable fashion.
{project_name} supports a wide range of transport stacks:
<@opts.expectedValues option="cache-stack"/>
@@ -251,77 +252,39 @@ By default, {project_name} uses `239.6.7.8` as multicast address for `jgroups.mc
NOTE: Use `-D<property>=<value>` to pass the properties via the `JAVA_OPTS_APPEND` environment variable or in the CLI command.
// Keeping this paragraph in 26.x as stacks like `ec2` where mentioned in the 26.0 docs.
// Should be removed for 27.0 when `jdbc-ping` is the general purpose default for everyone.
====
*Additional Stacks*
It is recommended to use one of the stacks available above.
Additional stacks are provided by Infinispan, but it is outside the scope of this guide how to configure them.
Please refer to {infinispan_embedding_docs}#cluster-transport[Setting up Infinispan cluster transport] for further documentation.
Please refer to {infinispan_embedding_docs}#cluster-transport[Setting up Infinispan cluster transport] and {infinispan_embedding_docs}#customizing-jgroups-stacks_cluster-transport[Customizing JGroups stacks] for further documentation.
====
=== Custom transport stacks
If none of the available transport stacks are enough for your deployment, you are able to change your cache configuration file
and define your own transport stack.
== Securing transport stacks
For more details, see {infinispan_embedding_docs}#customizing-jgroups-stacks_cluster-transport[Customizing JGroups stacks].
.defining a custom transport stack
[source]
----
<jgroups>
<stack name="my-encrypt-udp" extends="udp">
<SSL_KEY_EXCHANGE keystore_name="server.jks"
keystore_password="password"
stack.combine="INSERT_AFTER"
stack.position="VERIFY_SUSPECT2"/>
<ASYM_ENCRYPT asym_keylength="2048"
asym_algorithm="RSA"
change_key_on_coord_leave = "false"
change_key_on_leave = "false"
use_external_key_exchange = "true"
stack.combine="INSERT_BEFORE"
stack.position="pbcast.NAKACK2"/>
</stack>
</jgroups>
<cache-container name="keycloak">
<transport lock-timeout="60000" stack="my-encrypt-udp"/>
...
</cache-container>
----
By default, the value set to the `cache-stack` option has precedence over the transport stack you define in the cache configuration file.
If you are defining a custom stack, make sure the `cache-stack` option is not used for the custom changes to take effect.
== Securing cache communication
The current Infinispan cache implementation should be secured by various security measures such as RBAC, ACLs, and transport stack encryption.
JGroups handles all the communication between {project_name} server, and it supports Java SSL sockets for TCP communication.
{project_name} uses CLI options to configure the TLS communication without having to create a customized JGroups stack or modifying the cache XML file.
To enable TLS, `cache-embedded-mtls-enabled` must be set to `true`.
It requires a keystore with the certificate to use: `cache-embedded-mtls-key-store-file` sets the path to the keystore, and `cache-embedded-mtls-key-store-password` sets the password to decrypt it.
The truststore contains the valid certificates to accept connection from, and it can be configured with `cache-embedded-mtls-trust-store-file` (path to the truststore), and `cache-embedded-mtls-trust-store-password` (password to decrypt it).
To restrict unauthorized access, use a self-signed certificate for each {project_name} deployment.
Encryption using TLS is enabled by default for TCP-based transport stacks, which is also the default configuration
No additional CLI options or modifications of the cache XML are required as long as you are using a TCP-based transport stack.
[NOTE]
====
**Zero Configuration Encryption**
{project_name} offers a zero-configuration approach to encrypting network communication between nodes.
This feature automatically generates self-signed certificates, eliminating the need for manual certificate creation and management.
The generated certificate and associated keys are stored within the database of each {project_name} instance.
To enable zero-configuration TLS encryption, set the `cache-embedded-mtls-enabled` option to true.
No other `cache-embedded-mtls-*` must be set to enable the zero-configuration mode.
The `cache-embedded-mtls-rotation-interval-days` option (default: 30 days) configures the certificate rotation period, and the certificate's expiration duration is calculated as twice the specified interval.
If you are using a transport stack based on `UDP` or `TCP_NIO2`, proceed as follows to configure the encryption of the transport stack:
. Set the option `cache-embedded-mtls-enabled` to `false`.
. Follow the documentation in http://jgroups.org/manual5/index.html#ENCRYPT[JGroups Encryption documentation] and {infinispan_embedding_docs}#secure-cluster-transport[Encrypting cluster transport].
====
For JGroups stacks with `UDP` or `TCP_NIO2`, see the http://jgroups.org/manual5/index.html#ENCRYPT[JGroups Encryption documentation] on how to set up the protocol stack.
With TLS enabled, {project_name} auto-generates a self-signed RSA 2048 bit certificate to secure the connection and uses TLS 1.3 to secure the communication.
The keys and the certificate are stored in the database so they are available to all nodes.
By default, the certificate is valid for 60 days and is rotated at runtime every 30 days.
Use the option `cache-embedded-mtls-rotation-interval-days` to change this.
For more information about securing cache communication, see the {infinispan_embedding_docs}#secure-cluster-transport[Encrypting cluster transport] documentation.
=== Proving your own keys and certificates
Although not recommended for standard setups, if it is essential in a specific setup, you can configure the keystore with the certificate for the transport stack manually. `cache-embedded-mtls-key-store-file` sets the path to the keystore, and `cache-embedded-mtls-key-store-password` sets the password to decrypt it.
The truststore contains the valid certificates to accept connection from, and it can be configured with `cache-embedded-mtls-trust-store-file` (path to the truststore), and `cache-embedded-mtls-trust-store-password` (password to decrypt it).
To restrict unauthorized access, always use a self-signed certificate for each {project_name} deployment.
== Network Ports
@@ -84,7 +84,8 @@ public class JGroupsCertificateHolder {
}
private static X509ExtendedKeyManager createKeyManager(JGroupsCertificate newCertificate) throws GeneralSecurityException, IOException {
var ks = CryptoIntegration.getProvider().getKeyStore(KeystoreUtil.KeystoreFormat.JKS);
KeystoreUtil.KeystoreFormat keystoreFormat = CryptoIntegration.getProvider().getSupportedKeyStoreTypes().findFirst().orElseThrow(() -> new RuntimeException("No supported keystore types found"));
var ks = CryptoIntegration.getProvider().getKeyStore(keystoreFormat);
ks.load(null, null);
ks.setKeyEntry(newCertificate.getAlias(), newCertificate.getPrivateKey(), KEY_PASSWORD, new java.security.cert.Certificate[]{newCertificate.getCertificate()});
var kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
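Review bot: The keystore-type lookup `KeystoreUtil.KeystoreFormat keystoreFormat = CryptoIntegration.getProvider().getSupportedKeyStoreTypes().findFirst().orElseThrow(...)` is repeated verbatim in createTrustManager in the next hunk; extract it into one private static helper, e.g. `private static KeystoreUtil.KeystoreFormat defaultKeystoreFormat()`, so the key manager and trust manager are guaranteed to be built on the same store type. Both methods already declare `GeneralSecurityException`, so the bare `RuntimeException` in orElseThrow can become `new KeyStoreException("No supported keystore types found")`, which callers handling GeneralSecurityException will already cover. Taking the first supported type makes the selected format depend on the active crypto provider's ordering, which is presumably intended for FIPS setups; a one-line comment saying so, and that the store is only ever loaded empty in memory via `ks.load(null, null)`, would help the next reader. Both createKeyManager and createTrustManager continue past their hunks.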
@@ -98,7 +99,8 @@ public class JGroupsCertificateHolder {
}
private static X509ExtendedTrustManager createTrustManager(JGroupsCertificate oldCertificate, JGroupsCertificate newCertificate) throws GeneralSecurityException, IOException {
var ks = CryptoIntegration.getProvider().getKeyStore(KeystoreUtil.KeystoreFormat.JKS);
KeystoreUtil.KeystoreFormat keystoreFormat = CryptoIntegration.getProvider().getSupportedKeyStoreTypes().findFirst().orElseThrow(() -> new RuntimeException("No supported keystore types found"));
var ks = CryptoIntegration.getProvider().getKeyStore(keystoreFormat);
ks.load(null, null);
if (oldCertificate != null) {
addCertificateEntry(ks, oldCertificate);
@@ -76,14 +76,14 @@ public class CachingOptions {
public static final Option<Boolean> CACHE_EMBEDDED_MTLS_ENABLED = new OptionBuilder<>(CACHE_EMBEDDED_MTLS_ENABLED_PROPERTY, Boolean.class)
.category(OptionCategory.CACHE)
.description("Encrypts the network communication between Keycloak servers.")
.defaultValue(Boolean.FALSE)
.description("Encrypts the network communication between Keycloak servers. If no additional parameters about a keystore and truststore are provided, ephemeral key pairs and certificates are created and rotated automatically, which is recommended for standard setups.")
.defaultValue(Boolean.TRUE)
.build();
public static final Option<String> CACHE_EMBEDDED_MTLS_KEYSTORE = new OptionBuilder<>(CACHE_EMBEDDED_MTLS_KEYSTORE_FILE_PROPERTY, String.class)
.category(OptionCategory.CACHE)
.description("The Keystore file path. The Keystore must contain the certificate to use by the TLS protocol. " +
"By default, it lookup 'cache-mtls-keystore.p12' under conf/ directory.")
"By default, it looks up 'cache-mtls-keystore.p12' under conf/ directory.")
.build();
public static final Option<String> CACHE_EMBEDDED_MTLS_KEYSTORE_PASSWORD = new OptionBuilder<>(CACHE_EMBEDDED_MTLS_KEYSTORE_PASSWORD_PROPERTY, String.class)
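Review bot: The `it lookup` wording fixed in the CACHE_EMBEDDED_MTLS_KEYSTORE description appears to remain in the truststore option's description, which lies outside this hunk: the help-output fixtures elsewhere in this commit still print `By default, it lookup 'cache-mtls-truststore.p12' under conf/ directory` for `--cache-embedded-mtls-trust-store-file`. Change that description to `"By default, it looks up 'cache-mtls-truststore.p12' under conf/ directory."` and regenerate the fixtures in the same commit so the two options read consistently. The CachingOptions class starts and ends outside the hunk.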
@@ -55,6 +55,7 @@ final class CachingPropertyMappers {
.paramLabel("file")
.build(),
fromOption(CachingOptions.CACHE_EMBEDDED_MTLS_ENABLED)
.isEnabled(CachingPropertyMappers::getDefaultMtlsEnabled, "a TCP based cache-stack is used")
.build(),
fromOption(CachingOptions.CACHE_EMBEDDED_MTLS_KEYSTORE.withRuntimeSpecificDefault(getDefaultKeystorePathValue()))
.paramLabel("file")
@@ -124,12 +125,31 @@ final class CachingPropertyMappers {
return mappers.toArray(new PropertyMapper[0]);
}
private static boolean getDefaultMtlsEnabled() {
if (!cacheSetToInfinispan()) {
return false;
}
Optional<String> cacheStackOptional = getOptionalKcValue(CachingOptions.CACHE_STACK);
if (cacheStackOptional.isEmpty()) {
return true;
}
String cacheStack = cacheStackOptional.get();
return !(cacheStack.equals("udp") || cacheStack.equals("jdbc-ping-udp"));
}
private static boolean remoteHostSet() {
return getOptionalKcValue(CachingOptions.CACHE_REMOTE_HOST_PROPERTY).isPresent();
}
private static boolean cacheSetToInfinispan() {
if (InfinispanUtils.isRemoteInfinispan()) {
return false;
}
Optional<String> cache = getOptionalKcValue(CachingOptions.CACHE);
if (cache.isEmpty() && !Environment.isDevMode()) {
return true;
}
return cache.isPresent() && cache.get().equals(CachingOptions.Mechanism.ispn.name());
}
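Review bot: `getDefaultMtlsEnabled` turns encryption on for every stack name it does not recognise, because it only compares against the hard-coded literals `"udp"` and `"jdbc-ping-udp"`; a user-defined custom stack, or one built on `TCP_NIO2`, which the caching guide in this commit says must be secured manually, will therefore get `cache-embedded-mtls-enabled=true` by default, and the guide tells such users to set it to `false` explicitly. A comment on the method should state that contract, and the literals should be drawn from wherever the `cache-stack` expected values are declared, or at least collected in one constant such as `private static final Set<String> UDP_STACKS = Set.of("udp", "jdbc-ping-udp");` so the list has a single place to be kept in sync. The `isEmpty()`/`get()` pair then folds into `return cacheStackOptional.map(stack -> !UDP_STACKS.contains(stack)).orElse(true);`. The enclosing CachingPropertyMappers class starts and ends outside the hunk.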
@@ -21,6 +21,7 @@ import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.TimeUnit;
import org.infinispan.configuration.parsing.ConfigurationBuilderHolder;
import org.jgroups.util.DefaultSocketFactory;
@@ -84,7 +85,7 @@ public class JpaJGroupsTlsConfigurator extends BaseJGroupsTlsConfigurator {
try {
var rotationDays = requiredIntegerProperty(CachingOptions.CACHE_EMBEDDED_MTLS_ROTATION);
var storage = session.getProvider(ServerConfigStorageProvider.class);
var data = fromJson(storage.loadOrCreate(CERTIFICATE_ID, () -> CertificateReloadManager.generateSelfSignedCertificate(rotationDays * 2L)));
var data = fromJson(storage.loadOrCreate(CERTIFICATE_ID, () -> CertificateReloadManager.generateSelfSignedCertificate(TimeUnit.DAYS.toSeconds(rotationDays) * 2L)));
return JGroupsCertificateHolder.create(data);
} catch (IOException | GeneralSecurityException e) {
throw new RuntimeException(e);
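Review bot: The only change at `CertificateReloadManager.generateSelfSignedCertificate(TimeUnit.DAYS.toSeconds(rotationDays) * 2L)` is a unit conversion, which implies the previous call passed a day count where seconds are expected (or the callee's unit changed), and nothing in the hunk records which; extract the argument into a named local, `long validitySeconds = TimeUnit.DAYS.toSeconds(rotationDays) * 2L; // validity is twice the rotation interval (cache-embedded-mtls-rotation-interval-days)`, so the unit is explicit at the call site. If the older code really produced certificates valid for only seconds, a test asserting that the generated certificate's notAfter lies about `2 * rotationDays` days in the future would keep that from recurring. The `catch (IOException | GeneralSecurityException e)` wrapping into a bare `RuntimeException` predates this change, but a message naming the JGroups certificate store would make startup failures easier to diagnose. The enclosing method starts outside the hunk.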
@@ -41,7 +41,7 @@ public class CacheEmbeddedMtlsDistTest {
CachingOptions.CACHE_EMBEDDED_MTLS_TRUSTSTORE_PASSWORD,
CachingOptions.CACHE_EMBEDDED_MTLS_ROTATION
)) {
var result = dist.run("start-dev", "--cache=ispn", "--%s=1".formatted(option.getKey()));
var result = dist.run("start-dev", "--cache=ispn", "--cache-embedded-mtls-enabled=false", "--%s=1".formatted(option.getKey()));
result.assertError("Disabled option: '--%s'. Available only when property 'cache-embedded-mtls-enabled' is enabled".formatted(option.getKey()));
}
}
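Review bot: Adding `--cache-embedded-mtls-enabled=false` keeps the loop asserting that the dependent options are rejected, but now that the option defaults to true nothing in this test pins the new default: there is no case checking that `start-dev --cache=ispn` with no mtls options starts with encryption enabled, nor that a UDP stack reports the option as unavailable. Consider a sibling test along the lines of `dist.run("start-dev", "--cache=ispn", "--cache-stack=udp", "--cache-embedded-mtls-key-store-file=x")` asserting a disabled-option error, which would exercise the `udp`/`jdbc-ping-udp` exclusion introduced in CachingPropertyMappers; the exact message for that path may differ from the one asserted here, so check it against the mapper's enabled-condition text. The test class and method begin outside the hunk.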
@@ -36,8 +36,6 @@ Cache:
The maximum number of entries that can be stored in-memory by the crl cache.
--cache-embedded-keys-max-count <max-count>
The maximum number of entries that can be stored in-memory by the keys cache.
--cache-embedded-mtls-enabled <true|false>
Encrypts the network communication between Keycloak servers. Default: false.
--cache-embedded-offline-client-sessions-max-count <max-count>
The maximum number of entries that can be stored in-memory by the
offlineClientSessions cache. Available only when embedded Infinispan
@@ -37,10 +37,14 @@ Cache:
--cache-embedded-keys-max-count <max-count>
The maximum number of entries that can be stored in-memory by the keys cache.
--cache-embedded-mtls-enabled <true|false>
Encrypts the network communication between Keycloak servers. Default: false.
Encrypts the network communication between Keycloak servers. If no additional
parameters about a keystore and truststore are provided, ephemeral key pairs
and certificates are created and rotated automatically, which is recommended
for standard setups. Default: true. Available only when a TCP based
cache-stack is used.
--cache-embedded-mtls-key-store-file <file>
The Keystore file path. The Keystore must contain the certificate to use by
the TLS protocol. By default, it lookup 'cache-mtls-keystore.p12' under
the TLS protocol. By default, it looks up 'cache-mtls-keystore.p12' under
conf/ directory. Available only when property 'cache-embedded-mtls-enabled'
is enabled.
--cache-embedded-mtls-key-store-password <password>
@@ -38,7 +38,30 @@ Cache:
--cache-embedded-keys-max-count <max-count>
The maximum number of entries that can be stored in-memory by the keys cache.
--cache-embedded-mtls-enabled <true|false>
Encrypts the network communication between Keycloak servers. Default: false.
Encrypts the network communication between Keycloak servers. If no additional
parameters about a keystore and truststore are provided, ephemeral key pairs
and certificates are created and rotated automatically, which is recommended
for standard setups. Default: true. Available only when a TCP based
cache-stack is used.
--cache-embedded-mtls-key-store-file <file>
The Keystore file path. The Keystore must contain the certificate to use by
the TLS protocol. By default, it looks up 'cache-mtls-keystore.p12' under
conf/ directory. Available only when property 'cache-embedded-mtls-enabled'
is enabled.
--cache-embedded-mtls-key-store-password <password>
The password to access the Keystore. Available only when property
'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-mtls-rotation-interval-days <days>
Rotation period in days of automatic JGroups MTLS certificates. Default: 30.
Available only when property 'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-mtls-trust-store-file <file>
The Truststore file path. It should contain the trusted certificates or the
Certificate Authority that signed the certificates. By default, it lookup
'cache-mtls-truststore.p12' under conf/ directory. Available only when
property 'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-mtls-trust-store-password <password>
The password to access the Truststore. Available only when property
'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-offline-client-sessions-max-count <max-count>
The maximum number of entries that can be stored in-memory by the
offlineClientSessions cache. Available only when embedded Infinispan
@@ -38,10 +38,14 @@ Cache:
--cache-embedded-keys-max-count <max-count>
The maximum number of entries that can be stored in-memory by the keys cache.
--cache-embedded-mtls-enabled <true|false>
Encrypts the network communication between Keycloak servers. Default: false.
Encrypts the network communication between Keycloak servers. If no additional
parameters about a keystore and truststore are provided, ephemeral key pairs
and certificates are created and rotated automatically, which is recommended
for standard setups. Default: true. Available only when a TCP based
cache-stack is used.
--cache-embedded-mtls-key-store-file <file>
The Keystore file path. The Keystore must contain the certificate to use by
the TLS protocol. By default, it lookup 'cache-mtls-keystore.p12' under
the TLS protocol. By default, it looks up 'cache-mtls-keystore.p12' under
conf/ directory. Available only when property 'cache-embedded-mtls-enabled'
is enabled.
--cache-embedded-mtls-key-store-password <password>
@@ -38,7 +38,30 @@ Cache:
--cache-embedded-keys-max-count <max-count>
The maximum number of entries that can be stored in-memory by the keys cache.
--cache-embedded-mtls-enabled <true|false>
Encrypts the network communication between Keycloak servers. Default: false.
Encrypts the network communication between Keycloak servers. If no additional
parameters about a keystore and truststore are provided, ephemeral key pairs
and certificates are created and rotated automatically, which is recommended
for standard setups. Default: true. Available only when a TCP based
cache-stack is used.
--cache-embedded-mtls-key-store-file <file>
The Keystore file path. The Keystore must contain the certificate to use by
the TLS protocol. By default, it looks up 'cache-mtls-keystore.p12' under
conf/ directory. Available only when property 'cache-embedded-mtls-enabled'
is enabled.
--cache-embedded-mtls-key-store-password <password>
The password to access the Keystore. Available only when property
'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-mtls-rotation-interval-days <days>
Rotation period in days of automatic JGroups MTLS certificates. Default: 30.
Available only when property 'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-mtls-trust-store-file <file>
The Truststore file path. It should contain the trusted certificates or the
Certificate Authority that signed the certificates. By default, it lookup
'cache-mtls-truststore.p12' under conf/ directory. Available only when
property 'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-mtls-trust-store-password <password>
The password to access the Truststore. Available only when property
'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-offline-client-sessions-max-count <max-count>
The maximum number of entries that can be stored in-memory by the
offlineClientSessions cache. Available only when embedded Infinispan
@@ -38,10 +38,14 @@ Cache:
--cache-embedded-keys-max-count <max-count>
The maximum number of entries that can be stored in-memory by the keys cache.
--cache-embedded-mtls-enabled <true|false>
Encrypts the network communication between Keycloak servers. Default: false.
Encrypts the network communication between Keycloak servers. If no additional
parameters about a keystore and truststore are provided, ephemeral key pairs
and certificates are created and rotated automatically, which is recommended
for standard setups. Default: true. Available only when a TCP based
cache-stack is used.
--cache-embedded-mtls-key-store-file <file>
The Keystore file path. The Keystore must contain the certificate to use by
the TLS protocol. By default, it lookup 'cache-mtls-keystore.p12' under
the TLS protocol. By default, it looks up 'cache-mtls-keystore.p12' under
conf/ directory. Available only when property 'cache-embedded-mtls-enabled'
is enabled.
--cache-embedded-mtls-key-store-password <password>
@@ -37,7 +37,30 @@ Cache:
--cache-embedded-keys-max-count <max-count>
The maximum number of entries that can be stored in-memory by the keys cache.
--cache-embedded-mtls-enabled <true|false>
Encrypts the network communication between Keycloak servers. Default: false.
Encrypts the network communication between Keycloak servers. If no additional
parameters about a keystore and truststore are provided, ephemeral key pairs
and certificates are created and rotated automatically, which is recommended
for standard setups. Default: true. Available only when a TCP based
cache-stack is used.
--cache-embedded-mtls-key-store-file <file>
The Keystore file path. The Keystore must contain the certificate to use by
the TLS protocol. By default, it looks up 'cache-mtls-keystore.p12' under
conf/ directory. Available only when property 'cache-embedded-mtls-enabled'
is enabled.
--cache-embedded-mtls-key-store-password <password>
The password to access the Keystore. Available only when property
'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-mtls-rotation-interval-days <days>
Rotation period in days of automatic JGroups MTLS certificates. Default: 30.
Available only when property 'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-mtls-trust-store-file <file>
The Truststore file path. It should contain the trusted certificates or the
Certificate Authority that signed the certificates. By default, it lookup
'cache-mtls-truststore.p12' under conf/ directory. Available only when
property 'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-mtls-trust-store-password <password>
The password to access the Truststore. Available only when property
'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-offline-client-sessions-max-count <max-count>
The maximum number of entries that can be stored in-memory by the
offlineClientSessions cache. Available only when embedded Infinispan
@@ -37,10 +37,14 @@ Cache:
--cache-embedded-keys-max-count <max-count>
The maximum number of entries that can be stored in-memory by the keys cache.
--cache-embedded-mtls-enabled <true|false>
Encrypts the network communication between Keycloak servers. Default: false.
Encrypts the network communication between Keycloak servers. If no additional
parameters about a keystore and truststore are provided, ephemeral key pairs
and certificates are created and rotated automatically, which is recommended
for standard setups. Default: true. Available only when a TCP based
cache-stack is used.
--cache-embedded-mtls-key-store-file <file>
The Keystore file path. The Keystore must contain the certificate to use by
the TLS protocol. By default, it lookup 'cache-mtls-keystore.p12' under
the TLS protocol. By default, it looks up 'cache-mtls-keystore.p12' under
conf/ directory. Available only when property 'cache-embedded-mtls-enabled'
is enabled.
--cache-embedded-mtls-key-store-password <password>
@@ -35,7 +35,30 @@ Cache:
--cache-embedded-keys-max-count <max-count>
The maximum number of entries that can be stored in-memory by the keys cache.
--cache-embedded-mtls-enabled <true|false>
Encrypts the network communication between Keycloak servers. Default: false.
Encrypts the network communication between Keycloak servers. If no additional
parameters about a keystore and truststore are provided, ephemeral key pairs
and certificates are created and rotated automatically, which is recommended
for standard setups. Default: true. Available only when a TCP based
cache-stack is used.
--cache-embedded-mtls-key-store-file <file>
The Keystore file path. The Keystore must contain the certificate to use by
the TLS protocol. By default, it looks up 'cache-mtls-keystore.p12' under
conf/ directory. Available only when property 'cache-embedded-mtls-enabled'
is enabled.
--cache-embedded-mtls-key-store-password <password>
The password to access the Keystore. Available only when property
'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-mtls-rotation-interval-days <days>
Rotation period in days of automatic JGroups MTLS certificates. Default: 30.
Available only when property 'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-mtls-trust-store-file <file>
The Truststore file path. It should contain the trusted certificates or the
Certificate Authority that signed the certificates. By default, it lookup
'cache-mtls-truststore.p12' under conf/ directory. Available only when
property 'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-mtls-trust-store-password <password>
The password to access the Truststore. Available only when property
'cache-embedded-mtls-enabled' is enabled.
--cache-embedded-offline-client-sessions-max-count <max-count>
The maximum number of entries that can be stored in-memory by the
offlineClientSessions cache. Available only when embedded Infinispan
@@ -35,10 +35,14 @@ Cache:
--cache-embedded-keys-max-count <max-count>
The maximum number of entries that can be stored in-memory by the keys cache.
--cache-embedded-mtls-enabled <true|false>
Encrypts the network communication between Keycloak servers. Default: false.
Encrypts the network communication between Keycloak servers. If no additional
parameters about a keystore and truststore are provided, ephemeral key pairs
and certificates are created and rotated automatically, which is recommended
for standard setups. Default: true. Available only when a TCP based
cache-stack is used.
--cache-embedded-mtls-key-store-file <file>
The Keystore file path. The Keystore must contain the certificate to use by
the TLS protocol. By default, it lookup 'cache-mtls-keystore.p12' under
the TLS protocol. By default, it looks up 'cache-mtls-keystore.p12' under
conf/ directory. Available only when property 'cache-embedded-mtls-enabled'
is enabled.
--cache-embedded-mtls-key-store-password <password>
@@ -237,10 +237,6 @@ public abstract class AbstractQuarkusDeployableContainer implements DeployableCo
System.setProperty("kc.cache-remote-create-caches", "true");
}
if (configuration.isJgroupsMtls()) {
commands.add("--cache-embedded-mtls-enabled=true");
}
return commands;
}
@@ -1,12 +1,17 @@
package org.keycloak.testsuite.arquillian.containers;
import com.fasterxml.jackson.core.type.TypeReference;
import org.jboss.arquillian.container.spi.ConfigurationException;
import org.jboss.arquillian.container.spi.client.container.ContainerConfiguration;
import org.jboss.logging.Logger;
import org.keycloak.common.crypto.FipsMode;
import org.keycloak.util.JsonSerialization;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
/**
* @author mhajas
@@ -45,8 +50,6 @@ public class KeycloakQuarkusConfiguration implements ContainerConfiguration {
private String enabledFeatures;
private String disabledFeatures;
private boolean jgroupsMtls;
@Override
public void validate() throws ConfigurationException {
int basePort = getBindHttpPort();
@@ -232,12 +235,4 @@ public class KeycloakQuarkusConfiguration implements ContainerConfiguration {
public void setDisabledFeatures(String disabledFeatures) {
this.disabledFeatures = disabledFeatures;
}
public boolean isJgroupsMtls() {
return jgroupsMtls;
}
public void setJgroupsMtls(boolean jgroupsMtls) {
this.jgroupsMtls = jgroupsMtls;
}
}
@@ -676,7 +676,6 @@
</property>
<property name="javaOpts">-Xms512m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=512m -Djava.net.preferIPv4Stack=true</property>
<property name="outputToConsole">true</property>
<property name="jgroupsMtls">${auth.server.jgroups.mtls}</property>
</configuration>
</container>
<container qualifier="auth-server-quarkus-backend2" mode="manual" >
@@ -701,7 +700,6 @@
</property>
<property name="javaOpts">-Xms512m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=512m -Djava.net.preferIPv4Stack=true</property>
<property name="outputToConsole">true</property>
<property name="jgroupsMtls">${auth.server.jgroups.mtls}</property>
</configuration>
</container>
</group>