Enabling SSL for Keycloak using Cloudflare (Keycloak Part 2)

Akhil Bhavirisetty
4 min read · May 29, 2021

This is the second part of the series “Securing MERN application using keycloak”

Overview

In this blog, I will give a step-by-step guide to enabling SSL for a standalone Keycloak installation on Ubuntu, using a Cloudflare Origin CA certificate. The certificate secures the hop between Cloudflare's edge and your Keycloak server; browsers only ever see Cloudflare's own certificate.

Create a java keystore

A Java keystore holds the private key and the certificate chain that Keycloak will present to clients. The certificate signing request (CSR) is generated from the key pair stored in it, and the signed certificate that comes back from the CA (the "certificate reply") is imported back into the same entry.

Java Keystore can be created using Keytool as below:

keytool -genkey -alias <your_domain_name> -keyalg RSA -keystore keycloak.jks -keysize 2048

Enter keystore password: secret
Re-enter new password: secret
What is your first and last name?
[Unknown]: <DNS of the machine>
What is the name of your organizational unit?
[Unknown]: Keycloak
What is the name of your organization?
[Unknown]: <Org Name>
What is the name of your City or Locality?
[Unknown]: Fremont
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=<DNS of the machine>, OU=Keycloak, O=<Org Name>, L=Fremont, ST=CA, C=US correct?
[no]: yes

After this command finishes, keycloak.jks is created in the directory where you ran keytool. Use the public hostname of your Cloudflare DNS record (the name users will type into the browser) both as the alias and as the "first and last name" (CN); <your_domain_name> and <DNS of the machine> refer to the same value here. Choose a real password instead of secret: it will be written into the Keycloak configuration file later.

Generate the Certificate Signing Request (CSR)

keytool -v -certreq -keystore keycloak.jks -alias <your_domain_name> -file keycloak.careq

The alias must be the one used when the key pair was generated, and the keystore is the keycloak.jks created above (there is only one keystore in this guide). The CSR is written to keycloak.careq in PEM form; its contents are what you paste into Cloudflare in a later step.

Certificate Signing Request

Add DNS Record in Cloudflare

Get the Keycloak machine's public IP address and add an A record for the hostname (the same name you used as the CN) in the Cloudflare DNS dashboard, as shown below.

Make sure that the proxy (the orange cloud) is enabled for the DNS record.

Cloudflare DNS entry with proxy enabled

Note: Cloudflare Origin CA certificates are trusted only by Cloudflare's edge, not by browsers. If the record is not proxied, clients connect straight to the origin and the browser rejects the certificate as untrusted. Also set the zone's SSL/TLS encryption mode to Full (strict), so that the edge actually verifies the origin certificate rather than accepting any certificate the origin presents.

Use the CSR to generate the certificate

In the Cloudflare dashboard go to SSL/TLS > Origin Server > Create Certificate, choose to use your own private key and CSR, paste the contents of keycloak.careq, and list the hostname(s) the certificate should cover (they must include the DNS name from the previous step). Download the issued certificate in PEM format; the steps below assume it is saved as keycloak_cert.pem.

Download Certificate

Download the CA root certificate

The Cloudflare Origin CA root certificate can be downloaded from Cloudflare's Origin CA documentation, as shown below. Cloudflare publishes separate RSA and ECC roots; since the key pair generated above is RSA, download the RSA root and save it as CARoot.pem:

Cloudflare Origin CA Root Certificate

Import the root certificate

Import the Cloudflare Origin CA root certificate into the keystore first. keytool needs it there to build the chain when the certificate reply is imported, because this root is not present in the JDK's default cacerts store.

keytool -importcert -trustcacerts -keystore keycloak.jks -file CARoot.pem -alias root

Import the certificate reply

Import the certificate reply from Cloudflare into the keystore. The alias must match the one used for -genkey: if it does not, keytool stores the reply as a separate trusted-certificate entry instead of attaching it to the private key, and Keycloak will have no usable server identity.

keytool -importcert -trustcacerts -alias <your_domain_name> -file keycloak_cert.pem -keystore keycloak.jks
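The keystore, CSR and import steps above as one non-interactive script, with a keystore sanity check and a check of the running origin after the restart described later. This is an added example, not code from the original post; it assumes the placeholders keycloak.example.com, "Example Org", port 8443, the RSA root saved as origin_ca_rsa_root.pem and the issued certificate saved as origin.pem, none of which appear in the post. It also adds a Subject Alternative Name extension, which the interactive keytool prompts in the post do not set.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the keytool steps as one script,
# plus post-import and post-restart checks. Placeholders (assumptions, not values
# from the post): keycloak.example.com, "Example Org", origin_ca_rsa_root.pem,
# origin.pem, HTTPS port 8443. Override via environment variables.
set -euo pipefail

ORIGIN_HOST="${ORIGIN_HOST:-keycloak.example.com}"   # the proxied Cloudflare DNS name
KEYSTORE="${KEYSTORE:-keycloak.jks}"                 # one keystore name, used everywhere
ALIAS="${ALIAS:-$ORIGIN_HOST}"                       # same alias for the key and the reply
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"           # placeholder: override with a strong value
HTTPS_PORT="${HTTPS_PORT:-8443}"

# Number of PEM certificate blocks in a file; used to sanity-check downloads before import.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Step 1: key pair. -dname replaces the interactive prompts; -ext SAN puts the
# hostname where validators look for it (a CN alone is not sufficient any more).
gen_keypair() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS" \
    -dname "CN=$ORIGIN_HOST, OU=Keycloak, O=Example Org, L=Fremont, ST=CA, C=US" \
    -ext "SAN=dns:$ORIGIN_HOST"
}

# Step 2: CSR to paste into Cloudflare (SSL/TLS > Origin Server > Create Certificate).
gen_csr() {
  keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" \
    -ext "SAN=dns:$ORIGIN_HOST" -file keycloak.csr
}

# Steps 3-4: root first (so keytool can build the chain), then the reply under the
# key's alias. Refuses inputs that do not look like one root / a certificate.
import_chain() {
  local root="$1" reply="$2"
  [ "$(pem_cert_count "$root")" -eq 1 ] || { echo "expected exactly one certificate in $root" >&2; return 1; }
  [ "$(pem_cert_count "$reply")" -ge 1 ] || { echo "no certificate found in $reply" >&2; return 1; }
  keytool -importcert -noprompt -trustcacerts -alias cloudflare-origin-root \
    -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" -file "$root"
  keytool -importcert -trustcacerts -alias "$ALIAS" \
    -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" -file "$reply"
}

# After import the alias must be a PrivateKeyEntry with a 2-certificate chain
# (leaf + Origin CA root). A TrustedCertEntry means the alias did not match.
verify_keystore() {
  local n
  n=$(keytool -list -v -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" -alias "$ALIAS" \
      | grep -c -E 'Entry type: PrivateKeyEntry|Certificate chain length: 2' || true)
  [ "$n" -eq 2 ]
}

# After restarting Keycloak: connect to the origin's IP, not to the hostname. The
# proxied hostname resolves to Cloudflare's edge, which serves a different certificate.
verify_origin() {
  local origin_ip="$1"
  openssl s_client -connect "$origin_ip:$HTTPS_PORT" -servername "$ORIGIN_HOST" \
    -verify_hostname "$ORIGIN_HOST" -CAfile origin_ca_rsa_root.pem </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

case "${1:-}" in
  keypair) gen_keypair && gen_csr ;;
  import)  import_chain "${2:?root pem}" "${3:?certificate reply pem}" && verify_keystore ;;
  check)   verify_origin "${2:?origin ip}" ;;
  "")      ;;   # no subcommand: only define the functions (e.g. when sourced)
  *)       echo "usage: $0 keypair | import <root.pem> <reply.pem> | check <origin-ip>" >&2; exit 2 ;;
esac
```

Run `./keystore.sh keypair`, paste keycloak.csr into Cloudflare, then `./keystore.sh import origin_ca_rsa_root.pem origin.pem`; after Keycloak has been restarted with the keystore, `./keystore.sh check <origin-ip>` must report success. The check deliberately takes an IP: with the proxy enabled, `openssl s_client -connect keycloak.example.com:443` would reach Cloudflare's edge and verify its public certificate, telling you nothing about the origin.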

Configure Keycloak to Use the Keystore

  1. Copy keycloak.jks into the standalone/configuration/ directory of the Keycloak installation (next to standalone.xml).
  2. In standalone/configuration/standalone.xml, under <management><security-realms>, add a security realm that points at the keystore (the password is the one you chose when creating keycloak.jks):
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />
        </ssl>
    </server-identities>
</security-realm>

The keystore password is now stored in clear text in standalone.xml, so restrict read access to that file (and to keycloak.jks) to the user Keycloak runs as, or move the password into a WildFly credential store or vault instead of keeping it inline.

3. Still in standalone.xml, the <server name="default-server"> element of the undertow subsystem (xmlns="urn:jboss:domain:undertow:12.0" in this Keycloak version) must contain an https-listener that references UndertowRealm:

<subsystem xmlns="urn:jboss:domain:undertow:12.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
        ...
</subsystem>

Because Keycloak now sits behind Cloudflare's proxy, it will otherwise see every client as a Cloudflare IP, which breaks features such as brute-force detection and client-IP logging. The Keycloak reverse-proxy documentation addresses this with proxy-address-forwarding="true" on the listener so that X-Forwarded-For is honoured; only enable it if the origin's HTTPS port is reachable solely from Cloudflare's published IP ranges, since anyone who can reach the origin directly could otherwise spoof that header.

Restart the Keycloak server and open the Keycloak admin console in the browser through the proxied hostname.

Secure Keycloak dashboard

SSL is now enabled for the Keycloak server: the browser talks to Cloudflare's edge over Cloudflare's public certificate, and the edge talks to Keycloak over the Origin CA certificate, which the edge verifies when the zone is in Full (strict) mode.

Conclusion

In this blog, we have covered how to set up a Java keystore on Ubuntu, add the proxied DNS record for Keycloak in Cloudflare, obtain a Cloudflare Origin CA certificate for it, configure Keycloak to use the keystore, and enable SSL for Keycloak.
