
Keycloak


Keycloak provides secure user authentication using the OAuth 2.0/OpenID Connect protocol. Keycloak serves as an interface to the existing user management, e.g. Active Directory.

If an OAuth 2.0/OpenID Connect service is already available, Keycloak is not needed and the service can be used directly.

After the default installation, SEAL Print Client is executable, but self-signed certificates are used, which have to be replaced for production use.

For security reasons, the following configuration steps are recommended.


Configure the TLS Encryption for Keycloak

In order to make the system secure, the following steps have to be executed:

  1. Convert your certificate to the PKCS12 format:

    • openssl pkcs12 -export -in <yourdomain.com.crt> -inkey <yourdomain.com.key> -out <yourdomain.com.p12> -name default -CAfile <your_provider_bundle.crt> -caname <root>
  2. Create a key store:

    • keytool -importkeystore -deststorepass <keystore_password> -destkeypass <key_password> -destkeystore <yourdomain.com.jks> -srckeystore <yourdomain.com.p12> -srcstoretype PKCS12 -srcstorepass <secret_password_used_in_csr> -alias default

      Literature

      For further information, refer to Keytool.

  3. Copy the generated key store into the JBoss configuration directory, C:\ProgramData\SEAL Systems\infrastructure\data\seal-keycloak\configuration.

  4. In the security-realms section of C:\ProgramData\SEAL Systems\infrastructure\data\seal-keycloak\configuration\standalone.xml, insert the following lines:

    <security-realm name="SslRealm">
       <server-identities>
           <ssl>
               <keystore path="<yourdomain.com.jks>" relative-to="jboss.server.config.dir" keystore-password="<keystore_password>"/>
           </ssl>
       </server-identities>
    </security-realm>
    
  5. In C:\ProgramData\SEAL Systems\infrastructure\data\seal-keycloak\configuration\standalone.xml, replace the existing https-listener by the following line:

    • <https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
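A consistency check for steps 4 and 5, added here as an example and not part of the SEAL documentation: it parses standalone.xml and reports when the https-listener is not bound to SslRealm, when that realm has no keystore in the configuration directory, or when a `<placeholder>` was pasted unchanged. The function name `check_tls_config`, the sample XML, its namespace URIs and the realm name `ApplicationRealm` (standing for any realm other than SslRealm) are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample with only the elements the procedure touches; URIs, host, password are placeholders.
SAMPLE = """<server xmlns="urn:example:domain">
 <management><security-realms>
  <security-realm name="SslRealm"><server-identities><ssl>
   <keystore path="print.example.com.jks" relative-to="jboss.server.config.dir"
             keystore-password="example-only"/>
  </ssl></server-identities></security-realm>
 </security-realms></management>
 <subsystem xmlns="urn:example:undertow"><server name="default-server">
  <https-listener name="default-ssl" socket-binding="https" security-realm="{realm}"/>
 </server></subsystem>
</server>"""

def _local(tag):
    # standalone.xml elements are namespaced; compare local names only
    return tag.rsplit("}", 1)[-1]

def check_tls_config(xml_text, expected_realm="SslRealm"):
    """Return findings for steps 4 and 5; an empty list means they agree."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # e.g. path="<yourdomain.com.jks>" pasted unchanged: "<" is illegal in an attribute
        return [f"not well-formed ({exc}); look for unreplaced <placeholders>"]
    keystores = {}  # realm name -> <keystore> under <ssl>, or None
    for realm in (e for e in root.iter() if _local(e.tag) == "security-realm"):
        found = [k for s in realm.iter() if _local(s.tag) == "ssl"
                 for k in s if _local(k.tag) == "keystore"]
        keystores[realm.get("name")] = found[0] if found else None
    listeners = [e for e in root.iter() if _local(e.tag) == "https-listener"]
    findings = [] if listeners else ["no https-listener element"]
    for lst in listeners:
        bound = lst.get("security-realm")
        if bound != expected_realm:
            findings.append(f"listener {lst.get('name')} uses {bound!r}, not {expected_realm!r}")
    ks = keystores.get(expected_realm)
    if ks is None:
        findings.append(f"realm {expected_realm!r} missing or without <ssl><keystore>")
    elif ks.get("relative-to") != "jboss.server.config.dir":
        findings.append("keystore is not resolved against jboss.server.config.dir")
    return findings

if __name__ == "__main__":
    for realm in ("SslRealm", "ApplicationRealm"):
        print(realm, check_tls_config(SAMPLE.format(realm=realm)))
```

To check a real installation, pass the contents of standalone.xml to `check_tls_config` after completing step 5 and before restarting the service.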
