Enabling SSL for Keycloak using Cloudflare (Keycloak Part 2)
This is the second part of the series “Securing MERN application using keycloak”
Overview
In this blog, I will provide a step-by-step guide to enabling SSL, using Cloudflare, for a standalone Keycloak installation on Ubuntu.
Create a java keystore
A Java keystore is used to store the private key, SSL certificate requests (CSRs), certificates and certificate replies.
A Java keystore can be created with keytool as below:
keytool -genkey -alias <your_domain_name> -keyalg RSA -keystore keycloak.jks -keysize 2048
Enter keystore password: secret
Re-enter new password: secret
What is your first and last name?
[Unknown]: <DNS of the machine>
What is the name of your organizational unit?
[Unknown]: Keycloak
What is the name of your organization?
[Unknown]: <Org Name>
What is the name of your City or Locality?
[Unknown]: Fremont
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=<DNS of the machine>, OU=Keycloak, O=<Org Name>, L=Fremont, ST=CA, C=US correct?
[no]: yes
After executing this command, the keycloak.jks file is generated in the directory where you ran the keytool command.
Generate the Certificate Request (CSR)
keytool -certreq -v -alias <your_domain_name> -keystore keycloak.jks -file keycloak.careq
Add DNS Record in Cloudflare
Get the Keycloak machine's external IP address and add a DNS record for it in Cloudflare, as shown below.
Make sure that the proxy is enabled for the DNS record.
Note: if the proxy is not enabled, browsers will complain that the Cloudflare origin certificate is not trusted, because Origin CA certificates are trusted only by Cloudflare's edge, not by public browsers.
Use the CSR to generate the certificate
Download the certificate reply
Download the CA root certificate
The Cloudflare Origin CA root certificate can be downloaded from Cloudflare's documentation, as shown below:
Import the root certificate
Import the Cloudflare Origin CA root certificate into the keystore:
keytool -importcert -trustcacerts -keystore keycloak.jks -file CARoot.pem -alias root
Import the certificate reply
Import the certificate reply from Cloudflare into the keystore, under the same alias used when the key pair was generated:
keytool -importcert -trustcacerts -alias <your_domain_name> -file keycloak_cert.pem -keystore keycloak.jks
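The keystore steps above (key pair, CSR, root import, reply import) collected into one script, followed by a check that the reply really attached to the private key. This is an added example, not code from the original post or from Keycloak or Cloudflare. It assumes keytool is on PATH, that the keystore password is in the environment variable KEYCLOAK_KEYSTORE_PASS (a name chosen here, so it is never typed on the command line), and that CARoot.pem and keycloak_cert.pem are the files downloaded from Cloudflare; the keytool -list output used to exercise the checker is a constructed sample.

```python
# Drive the keytool steps above end to end and verify the resulting keystore.
# Added example for this post (not Keycloak's or Cloudflare's tooling). Assumes keytool is on
# PATH, the keystore password is in env var KEYCLOAK_KEYSTORE_PASS (a name chosen here), and
# CARoot.pem / keycloak_cert.pem are the files downloaded from Cloudflare.
import os
import subprocess
from typing import Dict, List

KEYSTORE = "keycloak.jks"
PASS_ENV = "KEYCLOAK_KEYSTORE_PASS"  # keytool reads the password from here; it never shows in `ps`

def keytool_commands(domain: str, org: str, keystore: str = KEYSTORE, csr: str = "keycloak.careq",
                     ca_root: str = "CARoot.pem", reply: str = "keycloak_cert.pem") -> List[List[str]]:
    """The four keytool invocations from the post, in order, as argv lists."""
    pw = ["-storepass:env", PASS_ENV, "-keypass:env", PASS_ENV]
    return [
        # 1. key pair + self-signed placeholder; -dname answers the interactive questions. The
        #    SAN is informational: Cloudflare issues for the hostnames you enter when creating the cert.
        ["keytool", "-genkeypair", "-alias", domain, "-keyalg", "RSA", "-keysize", "2048",
         "-keystore", keystore, "-dname", f"CN={domain}, OU=Keycloak, O={org}",
         "-ext", f"SAN=dns:{domain}"] + pw,
        # 2. CSR for Cloudflare, written with -file rather than shell redirection
        ["keytool", "-certreq", "-alias", domain, "-keystore", keystore, "-file", csr] + pw,
        # 3. Origin CA root first, so the reply can be chained and validated on import
        ["keytool", "-importcert", "-trustcacerts", "-noprompt", "-alias", "root",
         "-keystore", keystore, "-file", ca_root] + pw,
        # 4. the reply under the SAME alias as step 1, so it attaches to the private key
        ["keytool", "-importcert", "-trustcacerts", "-alias", domain, "-keystore", keystore,
         "-file", reply] + pw,
    ]

def run_workflow(domain: str, org: str) -> str:
    """Run the steps, stopping at the first failure, and return `keytool -list -v` output."""
    if PASS_ENV not in os.environ:
        raise SystemExit(f"set {PASS_ENV} before running")
    for argv in keytool_commands(domain, org):
        subprocess.run(argv, check=True)
    return subprocess.run(["keytool", "-list", "-v", "-keystore", KEYSTORE, "-storepass:env", PASS_ENV],
                          check=True, capture_output=True, text=True).stdout

def parse_keytool_list(text: str) -> Dict[str, dict]:
    """Parse `keytool -list -v` output into {alias: {type, chain_len, issuers}}."""
    entries: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"type": None, "chain_len": 1, "issuers": []}
            entries[line.split(":", 1)[1].strip()] = current
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate chain length:"):
            current["chain_len"] = int(line.split(":", 1)[1])
        elif line.startswith("Issuer:"):
            current["issuers"].append(line.split(":", 1)[1].strip())
    return entries

def verify_keystore(listing: str, domain: str) -> List[str]:
    """Problems that would make Keycloak serve a broken or self-signed chain (empty list = OK)."""
    problems: List[str] = []
    entries = parse_keytool_list(listing)
    entry = entries.get(domain)
    if entry is None:
        problems.append(f"no entry for alias {domain}")
    else:
        if entry["type"] != "PrivateKeyEntry":
            problems.append(f"{domain} is {entry['type']}, not PrivateKeyEntry (reply imported under another alias?)")
        if entry["chain_len"] < 2:
            problems.append("chain length 1: certificate reply not imported, still the self-signed placeholder")
        elif not any("Origin" in issuer for issuer in entry["issuers"]):
            problems.append("leaf certificate is not issued by the Cloudflare Origin CA")
    if "root" not in entries:
        problems.append("Cloudflare Origin CA root not in keystore")
    return problems

# Constructed sample of `keytool -list -v` output after a successful run (not captured output).
SAMPLE_LISTING = """\
Alias name: keycloak.example.com
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=keycloak.example.com, OU=Keycloak, O=Example Org
Issuer: CN=CloudFlare Origin SSL Certificate Authority, O=CloudFlare, Inc.
Certificate[2]:
Owner: CN=CloudFlare Origin SSL Certificate Authority, O=CloudFlare, Inc.
Issuer: CN=CloudFlare Origin SSL Certificate Authority, O=CloudFlare, Inc.

Alias name: root
Entry type: trustedCertEntry
Owner: CN=CloudFlare Origin SSL Certificate Authority, O=CloudFlare, Inc.
Issuer: CN=CloudFlare Origin SSL Certificate Authority, O=CloudFlare, Inc.
"""

if __name__ == "__main__":  # usage: python keycloak_keystore.py keycloak.example.com "Example Org"
    import sys
    print(verify_keystore(run_workflow(sys.argv[1], sys.argv[2]), sys.argv[1]) or "keystore OK")
```

Two things the script enforces that the interactive session makes easy to get wrong: the reply is imported under the same alias as the key pair (otherwise it lands as a separate trusted entry and Keycloak keeps serving the self-signed placeholder), and the root is imported before the reply so keytool can validate the chain. The verify step reports exactly those failure modes from the listing.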
Configure Keycloak to Use the Keystore
1. Copy the keycloak.jks file into the configuration/ directory of the Keycloak installation.
2. In the standalone configuration file (standalone.xml), the security-realms element should contain a realm like this:
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />
        </ssl>
    </server-identities>
</security-realm>
3. Next, in the same file, the <subsystem xmlns="urn:jboss:domain:undertow:12.0"> element should contain the following https-listener under the default server:
<subsystem xmlns="urn:jboss:domain:undertow:12.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
        ...
</subsystem>
Restart the Keycloak server and open the Keycloak dashboard in the browser over https.
SSL is now enabled for the Keycloak server.
Conclusion
In this blog, we have covered how to set up a Java keystore on Ubuntu, add the DNS record for Keycloak in Cloudflare, configure Keycloak to use the keystore and enable SSL for Keycloak.
References
1. Keycloak SSL setup guide
2. Guide to encrypting traffic between Cloudflare and the origin server