Setting Up A Keycloak Server For Authenticating To FileMaker: Part 3: Installing An SSL Certificate

Security Can Be A Headache But It’s Important

Let’s Encrypt

Installing Certbot And Obtaining An SSL Certificate

sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo shutdown -r now
sudo ufw allow 80/tcp
sudo certbot certonly --standalone --preferred-challenges http -d keycloak.mydomain.com --dry-run
sudo ufw deny 80/tcp

Installing The SSL Certificate

  • DOMAIN_SUBDOMAIN — for example mykeycloak.com or keycloak.mydomain.com; this is the name on the certificate and also the name of the directory certbot creates under /etc/letsencrypt/live/
  • KEYCLOAK_SSL_ALIAS — the alias the certificate entry will have inside the keystore; anything readable works, but avoid special characters
  • KEYCLOAK_SSL_PASSWORD — the password that protects the exported PKCS12 file and the private key entry in the keystore; again, avoid special characters
  • KEYSTORE_PASSWORD — the password for the Java keystore itself (keycloak.jks), where your certificate will live
sudo openssl pkcs12 -export -in /etc/letsencrypt/live/DOMAIN_SUBDOMAIN/fullchain.pem -inkey /etc/letsencrypt/live/DOMAIN_SUBDOMAIN/privkey.pem -out /etc/letsencrypt/live/DOMAIN_SUBDOMAIN/pkcs.p12 -name KEYCLOAK_SSL_ALIAS -passout pass:KEYCLOAK_SSL_PASSWORD
cd /opt/keycloak/current/standalone/configuration
sudo keytool -keystore keycloak.jks -genkey -alias key_to_be_deleted
sudo keytool -list -v -keystore keycloak.jks -storepass KEYSTORE_PASSWORD
sudo keytool -delete -noprompt -alias key_to_be_deleted -keystore keycloak.jks -storepass KEYSTORE_PASSWORD
sudo keytool -list -v -keystore keycloak.jks -storepass KEYSTORE_PASSWORD
sudo keytool -importkeystore -deststorepass KEYSTORE_PASSWORD -destkeypass KEYCLOAK_SSL_PASSWORD -destkeystore keycloak.jks -srckeystore /etc/letsencrypt/live/DOMAIN_SUBDOMAIN/pkcs.p12 -srcstoretype PKCS12 -srcstorepass KEYCLOAK_SSL_PASSWORD -alias KEYCLOAK_SSL_ALIAS

Configuring Keycloak To Use The SSL Certificate

sudo nano standalone.xml
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="KEYSTORE_PASSWORD" alias="KEYCLOAK_SSL_ALIAS" key-password="KEYCLOAK_SSL_PASSWORD"/>
        </ssl>
    </server-identities>
</security-realm>
Then find the existing https-listener name="https" line in the undertow subsystem and make the default-server block look like this:
<server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <http-invoker security-realm="UndertowRealm"/>
    </host>
</server>
sudo shutdown -r now
https://DOMAIN_SUBDOMAIN:8443/auth/
https://DOMAIN_SUBDOMAIN/auth/
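Before rebooting, it is worth checking that the keystore and listener settings in standalone.xml actually line up, because a typo here, or a placeholder that was never replaced, leaves Keycloak without a working HTTPS listener and you only find out after the restart. The following script is an added example and not code from the article or from Keycloak: it parses standalone.xml, follows the https-listener to its security-realm, confirms the realm carries a server-identities/ssl/keystore entry with all four attributes filled in, and flags any of the article's placeholders that survived. It assumes the WildFly-based layout shown above; the namespace version numbers in the constructed sample and the default file path are illustrative.

```python
import sys
import xml.etree.ElementTree as ET

# Placeholders from the article that must have been replaced with real values.
PLACEHOLDERS = ("DOMAIN_SUBDOMAIN", "KEYCLOAK_SSL_ALIAS",
                "KEYCLOAK_SSL_PASSWORD", "KEYSTORE_PASSWORD")
KEYSTORE_ATTRS = ("path", "keystore-password", "alias", "key-password")
DEFAULT_PATH = "/opt/keycloak/current/standalone/configuration/standalone.xml"


def _local(tag):
    """Drop the namespace; standalone.xml uses several urn:jboss:domain:* namespaces."""
    return tag.rsplit("}", 1)[-1]


def _find_all(node, name):
    return [e for e in node.iter() if _local(e.tag) == name]


def check_tls_wiring(xml_text):
    """Return a list of problems; an empty list means the wiring looks consistent."""
    problems = []
    root = ET.fromstring(xml_text)
    realms = {r.get("name"): r for r in _find_all(root, "security-realm")}

    listeners = _find_all(root, "https-listener")
    if not listeners:
        problems.append("no <https-listener> defined in the undertow subsystem")

    for listener in listeners:
        realm_name = listener.get("security-realm")
        realm = realms.get(realm_name)
        if realm is None:
            problems.append(f"https-listener {listener.get('name')!r} references "
                            f"unknown security-realm {realm_name!r}")
            continue
        # The keystore must sit under <server-identities><ssl>, not elsewhere in the realm.
        keystores = [ks for ssl in _find_all(realm, "ssl")
                     for ks in ssl if _local(ks.tag) == "keystore"]
        if not keystores:
            problems.append(f"security-realm {realm_name!r} has no <ssl><keystore>")
            continue
        for ks in keystores:
            for attr in KEYSTORE_ATTRS:
                value = ks.get(attr)
                if value is None:
                    problems.append(f"keystore in realm {realm_name!r} lacks {attr!r}")
                elif value in PLACEHOLDERS:
                    problems.append(f"keystore attribute {attr!r} still holds "
                                    f"the placeholder {value!r}")

    # Plain HTTP should bounce to HTTPS rather than serve the login page in clear.
    for http in _find_all(root, "http-listener"):
        if http.get("redirect-socket") != "https":
            problems.append(f"http-listener {http.get('name')!r} does not "
                            "redirect to the https socket")
    return problems


# Constructed sample in the shape the article shows (namespace versions are illustrative).
GOOD_XML = """<server xmlns="urn:jboss:domain:16.0">
  <management><security-realms>
    <security-realm name="UndertowRealm">
      <server-identities><ssl>
        <keystore path="keycloak.jks" relative-to="jboss.server.config.dir"
                  keystore-password="store-pw-example" alias="keycloak" key-password="key-pw-example"/>
      </ssl></server-identities>
    </security-realm>
  </security-realms></management>
  <profile><subsystem xmlns="urn:jboss:domain:undertow:12.0">
    <server name="default-server">
      <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
      <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
    </server>
  </subsystem></profile>
</server>
"""

# The same file with two placeholders left in place, a common copy-and-paste slip.
BAD_XML = (GOOD_XML
           .replace('keystore-password="store-pw-example"', 'keystore-password="KEYSTORE_PASSWORD"')
           .replace('alias="keycloak"', 'alias="KEYCLOAK_SSL_ALIAS"'))


def main(argv):
    path = argv[1] if len(argv) > 1 else DEFAULT_PATH
    with open(path, encoding="utf-8") as fh:
        problems = check_tls_wiring(fh.read())
    for problem in problems:
        print("PROBLEM:", problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root (the file holds the keystore passwords) with `python3 check_tls_wiring.py /opt/keycloak/current/standalone/configuration/standalone.xml`; a non-zero exit code means something to fix before the reboot.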

Renewing The SSL Certificate Automatically

sudo systemctl list-timers
sudo systemctl enable snap.certbot.renew.timer
sudo systemctl status snap.certbot.renew.timer
cd /etc/letsencrypt/renewal-hooks/pre
sudo nano pre-hook.sh
#!/bin/bash
# Open port 80
ufw allow 80/tcp
sudo chmod +x pre-hook.sh
cd /etc/letsencrypt/renewal-hooks/post
sudo nano post-hook.sh
#!/bin/bash
# Close port 80
ufw deny 80/tcp
sudo chmod +x post-hook.sh
cd /etc/letsencrypt/renewal-hooks/deploy
sudo nano new-cert-to-keystore.sh
#!/bin/bash
# Stop at the first failure so a broken conversion or import never leaves the
# keystore without a certificate and never restarts Keycloak against it.
set -e
# The exported PKCS12 file holds the private key; keep it readable by root only.
umask 077
# Convert the private key and certificate to a PKCS12 file
openssl pkcs12 -export -in /etc/letsencrypt/live/DOMAIN_SUBDOMAIN/fullchain.pem -inkey /etc/letsencrypt/live/DOMAIN_SUBDOMAIN/privkey.pem -out /etc/letsencrypt/live/DOMAIN_SUBDOMAIN/pkcs.p12 -name KEYCLOAK_SSL_ALIAS -passout pass:KEYCLOAK_SSL_PASSWORD
# Remove the old certificate from our keystore (carry on if the alias is already gone)
keytool -delete -noprompt -alias KEYCLOAK_SSL_ALIAS -keystore /opt/keycloak/current/standalone/configuration/keycloak.jks -storepass KEYSTORE_PASSWORD || true
# Import the new certificate to our keystore
keytool -importkeystore -deststorepass KEYSTORE_PASSWORD -destkeypass KEYCLOAK_SSL_PASSWORD -destkeystore /opt/keycloak/current/standalone/configuration/keycloak.jks -srckeystore /etc/letsencrypt/live/DOMAIN_SUBDOMAIN/pkcs.p12 -srcstoretype PKCS12 -srcstorepass KEYCLOAK_SSL_PASSWORD -alias KEYCLOAK_SSL_ALIAS
# Restart Keycloak so it reloads the keystore
systemctl restart keycloak
sudo chmod +x new-cert-to-keystore.sh
sudo certbot renew --dry-run
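A dry run proves that certbot can renew and that the hooks execute; it does not prove that Keycloak is now serving the fresh certificate, which is the thing that actually matters (the import can succeed while the restart fails, or the old entry can linger in the keystore). The script below is an added example, not from the article: it compares the SHA-256 fingerprint of the leaf certificate presented on port 8443 with the first certificate in fullchain.pem, which is the leaf in a certbot bundle. It assumes the article's paths and takes the host name on the command line (DOMAIN_SUBDOMAIN stays a placeholder); the PEM data embedded for the offline check is constructed and is not a real certificate.

```python
import base64
import hashlib
import re
import socket
import ssl
import sys

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certs(pem_text):
    """DER bytes of every certificate in a PEM bundle, in file order (leaf first for fullchain.pem)."""
    return [base64.b64decode("".join(body.split())) for body in CERT_RE.findall(pem_text)]


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, the form keytool -list -v and browsers display."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def served_cert_der(host, port=8443, timeout=5.0):
    """Raw leaf certificate presented by host:port.

    Verification is disabled on purpose: we want to see what is served even
    when the chain or host name is wrong, since that is exactly the failure
    this check exists to catch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def deployed_matches_disk(served_der, fullchain_pem):
    """True when the served leaf is byte-for-byte the first certificate in fullchain.pem."""
    on_disk = pem_certs(fullchain_pem)
    return bool(on_disk) and sha256_fingerprint(served_der) == sha256_fingerprint(on_disk[0])


# Constructed, not a real certificate: enough to exercise the PEM parsing and comparison offline.
FAKE_LEAF_DER = b"constructed-leaf-bytes-not-a-real-certificate"
FAKE_FULLCHAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_LEAF_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
    + "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-intermediate-bytes").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def main(argv):
    host = argv[1] if len(argv) > 1 else "DOMAIN_SUBDOMAIN"  # placeholder, as in the article
    with open(f"/etc/letsencrypt/live/{host}/fullchain.pem", encoding="utf-8") as fh:
        on_disk = fh.read()
    disk_certs = pem_certs(on_disk)
    if not disk_certs:
        print("ERROR: no certificate found in fullchain.pem")
        return 2
    served = served_cert_der(host)
    ok = deployed_matches_disk(served, on_disk)
    print(f"served leaf : {sha256_fingerprint(served)}")
    print(f"fullchain[0]: {sha256_fingerprint(disk_certs[0])}")
    print("OK: Keycloak is serving the certificate on disk" if ok
          else "STALE: restart Keycloak or re-run the deploy hook")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python3 check_served_cert.py keycloak.mydomain.com` as root after a real renewal (or from a cron job shortly after the certbot timer fires); a STALE result is the signal that the deploy hook did not take effect.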

Summary

FileMaker Developers; Keycloak Enthusiasts; Data Magicians
Sounds Essential