
Keycloak Encryption


Keycloak provides secure user authentication using the OAuth 2.0 protocol. Keycloak serves as an interface to the existing user management.

After the default installation, SEAL Print Client is operational but uses a self-signed certificate, which has to be replaced for production use.

For security reasons, the following configuration steps are recommended.


Configure the SSL Encryption for Keycloak

To secure the system, execute the following steps:

  1. Convert your certificate to the PKCS12 format:

    • openssl pkcs12 -export -in <yourdomain.com.crt> -inkey <yourdomain.com.key> -out <yourdomain.com.p12> -name default -CAfile <your_provider_bundle.crt> -caname <root>
  2. Create a key store:

    • keytool -importkeystore -deststorepass <keystore_password> -destkeypass <key_password> -destkeystore <yourdomain.com.jks> -srckeystore <yourdomain.com.p12> -srcstoretype PKCS12 -srcstorepass <secret_password_used_in_csr> -alias default

      Literature - keytool

      For further information, refer to Keytool.

  3. Copy the generated key store into the JBoss configuration directory:

    • /opt/seal/infrastructure/data/seal-keycloak/configuration
  4. In the security-realms section of /opt/seal/infrastructure/data/seal-keycloak/configuration/standalone.xml, insert the following lines:

    <security-realm name="SslRealm">
       <server-identities>
           <ssl>
               <keystore path="<yourdomain.com.jks>" relative-to="jboss.server.config.dir" keystore-password="<keystore_password>"/>
           </ssl>
       </server-identities>
    </security-realm>
    
  5. In /opt/seal/infrastructure/data/seal-keycloak/configuration/standalone.xml, replace the existing https-listener with the following line:

    • <https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
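
One way to check the result of steps 3 to 5 before restarting Keycloak (an added example, not part of the SEAL documentation): the script confirms that the https-listener names a security realm, that this realm points at a keystore present in the configuration directory, and that neither the keystore nor standalone.xml, which holds keystore-password in clear text, is readable more widely than necessary. The function names check_keycloak_tls, attr and go_bits are hypothetical, the permission checks are an added hardening check, and the parsing assumes each element's attributes sit on one line as in the snippets above.

```shell
#!/bin/sh
# Added example: checks the result of steps 3 to 5. Assumes each element's
# attributes sit on one line, as in the snippets above.

# Print attribute $1 from the first stdin line that carries it.
attr() { sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p" | head -n 1; }

# Group/other permission bits of a file, e.g. "------" or "r--r--".
go_bits() { ls -ld "$1" | cut -c5-10; }

# check_keycloak_tls <standalone.xml> <config_dir>
# Prints findings; returns 0 only if there are none.
check_keycloak_tls() {
  local xml="$1" cfg="$2" realm ks rc=0
  # Step 5: the https-listener must name a security realm.
  realm=$(grep '<https-listener' "$xml" | attr security-realm)
  [ -n "$realm" ] || { echo "FAIL: https-listener has no security-realm"; return 1; }
  # Step 4: that realm must exist and point at a keystore.
  ks=$(sed -n "/<security-realm name=\"$realm\"/,/<\/security-realm>/p" "$xml" |
       grep '<keystore' | attr path)
  [ -n "$ks" ] || { echo "FAIL: realm $realm has no keystore path"; return 1; }
  # Step 3: the keystore must be in the configuration directory and,
  # since it holds the private key, closed to group and others.
  if [ ! -f "$cfg/$ks" ]; then
    echo "FAIL: $cfg/$ks not found"; rc=1
  elif [ "$(go_bits "$cfg/$ks")" != "------" ]; then
    echo "FAIL: $cfg/$ks is accessible to group or others"; rc=1
  fi
  # standalone.xml carries keystore-password in clear text.
  case "$(go_bits "$xml")" in
    *---) ;;
    *) echo "FAIL: $xml is accessible to others"; rc=1 ;;
  esac
  [ "$rc" -ne 0 ] || echo "OK: https-listener -> $realm -> $ks"
  return "$rc"
}

# Run as: sh check.sh <standalone.xml> <config_dir>
if [ "$#" -eq 2 ]; then check_keycloak_tls "$1" "$2"; fi
```
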

Change the Keycloak Administrator User

After the default installation, the following Keycloak administrator user is configured:

Username: admin
Password: SealAdmin1

Change the Password!


Change the Redirect URI in Keycloak

  1. Log on to the Keycloak administrator user interface.

  2. In Clients, select Client ID.

  3. Select seal-print-client.

  4. In Valid Redirect URIs, enter a URI with the hostname of the SEAL Print Client server.

  5. In Web Origins, enter a URI with the hostname of the SEAL Print Client server.

  6. Save the settings.

