Dear Vrinda/Gunter/everyone :-)
I noticed that all of the documentation refers to keystores containing files cacerts.jks and key.jks, but the files that are distributed end in .p12. Is this a problem?
Sorry for the really basic question, but is it okay to use these files or do they need converting to .jks files? I attempted to modify as follows to use the .p12 files but have run into problems (changes highlighted)
The reason I ask is because as part of the secure install, we have to run (as root):
keytool -importkeystore -srckeystore /opt/keycloak/standalone/configuration/keystores/cacerts.p12 -srcstorepass secret -destkeystore $JAVA_HOME/lib/security/cacerts -deststorepass changeit
Then after starting the standalone keycloak server, we have to connect to it using the jboss-cli.sh, and issue several commands:
/subsystem=elytron/key-store=httpsKS:add(credential-reference={clear-text=secret},type=PKCS12,path=/opt/keycloak/standalone/configuration/keystores/key.p12)
blah
blah
/subsystem=keycloak-server/spi=truststore/provider=file:map-put(name=properties,key=file,value=/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts)
After issuing this last command the jboss-cli indicates that we should reload, and after typing reload the standalone server falls over, with this output:
18:41:21,413 FATAL [org.keycloak.services] (ServerService Thread Pool -- 57) Error during startup: java.lang.RuntimeException: Attribute 'password' missing in 'truststore':'file' configuration:
I note that the next command was intended to introduce an attribute "password" - so I guess I shouldn't have reloaded! D'oh!
Any suggestions for how to undo this last change would be much appreciated!
Best wishes,
Jon
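An added example, not part of Jon's mail or of the Keycloak distribution: whether the .p12 files are "a problem" comes down to whether the store type the tools are told (keytool's -srcstoretype, the Elytron key-store type= attribute) matches the bytes actually in the file, not the suffix. The POSIX shell script below classifies a keystore by its leading bytes (JKS starts with the magic 0xFEEDFEED, JCEKS with 0xCECECECE, PKCS12 is a DER SEQUENCE so begins with 0x30), flags a file whose extension disagrees with its contents, and emits the -importkeystore command with an explicit -srcstoretype. The sample files it writes are constructed headers only, and the file names and paths are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail): tell a JKS keystore from a
# PKCS12 one by its leading bytes instead of its file extension, and derive
# the matching keytool -srcstoretype value. File names and paths are assumed.

# keystore_type FILE -> JKS | JCEKS | PKCS12 | UNKNOWN
# JKS files start with the magic 0xFEEDFEED, JCEKS with 0xCECECECE; a PKCS12
# file is a DER-encoded SEQUENCE, so its first byte is 0x30.
keystore_type() {
  magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
  case "$magic" in
    feedfeed) echo JKS ;;
    cececece) echo JCEKS ;;
    30*)      echo PKCS12 ;;
    *)        echo UNKNOWN ;;
  esac
}

# extension_matches FILE -> status 0 when the suffix (.jks/.p12/.pfx) agrees
# with the detected type, 1 otherwise. Catches a PKCS12 file renamed to .jks
# (or the reverse), which keytool and Elytron would reject or misread.
extension_matches() {
  t=$(keystore_type "$1")
  case "$1" in
    *.jks)        [ "$t" = JKS ] ;;
    *.p12|*.pfx)  [ "$t" = PKCS12 ] ;;
    *)            return 1 ;;
  esac
}

# import_cmd SRC SRCPASS DEST DESTPASS -> prints the keytool -importkeystore
# command with -srcstoretype set explicitly from the detected format rather
# than relying on autodetection or on the extension. Refuses unknown input.
import_cmd() {
  t=$(keystore_type "$1")
  [ "$t" = UNKNOWN ] && { echo "refusing: $1 is not a recognised keystore" >&2; return 1; }
  printf 'keytool -importkeystore -srckeystore %s -srcstoretype %s -srcstorepass %s -destkeystore %s -deststorepass %s\n' \
    "$1" "$t" "$2" "$3" "$4"
}

# Demo on constructed sample files: only the first four bytes of each format
# are written, so these are not real keystores and will not open in keytool.
demo() {
  dir=$(mktemp -d)
  printf '\376\355\376\355' > "$dir/cacerts.jks"   # JKS magic 0xFEEDFEED
  printf '\060\202\003\020' > "$dir/cacerts.p12"   # DER SEQUENCE header (PKCS12)
  printf '\060\202\003\020' > "$dir/renamed.jks"   # PKCS12 bytes under a .jks name
  for f in "$dir"/*; do
    if extension_matches "$f"; then status=ok; else status=MISMATCH; fi
    echo "$(basename "$f"): $(keystore_type "$f") ($status)"
  done
  # Builds the command from the mail with the store type made explicit.
  import_cmd "$dir/cacerts.p12" secret '$JAVA_HOME/lib/security/cacerts' changeit
  rm -rf "$dir"
}

demo
```

Run it before the import step of the install: a MISMATCH line means the distributed file is not what its name claims, and the printed command shows which -srcstoretype the real file needs. The same check-before-commit habit applies to the jboss-cli steps in the mail: the startup error quoted there says the truststore provider's properties map must carry both file and password, so reloading between the two map-put commands leaves the server unable to start.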