Issue exposing admin console on dedicated url


Marco Savoca

Jul 13, 2024, 5:35:42 AM
to keyclo...@googlegroups.com
Hello Keycloak users,

I was able to successfully set up a Keycloak v25.0.1 bare metal cluster (JDBC-Ping Infinispan) in production mode. As a reverse proxy I’m using HAProxy (kc.domain). The hostnames of the nodes are kc{1,2,3}.domain.

Now I’m trying to expose the admin console on a dedicated url (admin.kc1.domain) but I’m running into a certificate issue. Despite setting the path to the certificate and the private key for the admin url using the relevant config options, the server still uses the wrong certificate (kc1.domain). Clearly the browser does not want to connect on https://admin.kc1.domain:8443.
Nevertheless the metrics and health endpoints use the right certificate and the browser connects successfully (https://admin.kc1.domain:9000/{health,metrics}).

Did I misunderstand something?

My keycloak.conf:

# Database
db=postgres
db-username=keycloak
kc.db-password
db-url=jdbc:postgresql://db1.domain/keycloak
db-url-host=db1.domain

# If the server should expose healthcheck endpoints.
health-enabled=true
# If the server should expose metrics endpoints.
metrics-enabled=true

# HTTP

# Server certs
https-certificate-file=/etc/pki/tls/certs/keycloak.crt
https-management-certificate-file=/etc/pki/tls/certs/admin.keycloak.crt

# Server private keys
https-certificate-key-file=/etc/pki/tls/private/keycloak.key
https-management-certificate-key-file=/etc/pki/tls/private/admin.keycloak.key

# The proxy address forwarding mode if the server is behind a reverse proxy.
proxy-headers=forwarded

# Hostname for the Keycloak server.
hostname=https://kc1.domain:8443
hostname-backchannel-dynamic=true
hostname-admin=https://admin.kc1.domain:8443

# JDBC-Ping Cache
cache-config-file=cache-ispn-jdbc-ping.xml
cache-embedded-mtls-enabled=true
cache-embedded-mtls-key-store-file=/etc/pki/tls/private/jdbc.kc1.keycloak.store
cache-embedded-mtls-key-store-password=passwd
# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
spi-sticky-session-encoder-infinispan-should-attach-route=false

# vault
vault=keystore
vault-file=/opt/keycloak/vault.p12
vault-pass=passwd

# keystore for credentials
config-keystore=/opt/keycloak/keystore.p12
config-keystore-password=passwd

Kind regards,
Marco
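A small diagnostic for the symptom described above, added here as an example and not taken from the post or from the Keycloak project: it asks each listener (8443 and 9000) for the admin hostname via SNI and checks whether the subjectAltName of the certificate actually presented covers that hostname. It assumes `openssl` on the client, the hostnames and ports from the post, and the function names `presented_san`, `san_covers_host` and `check_listener` are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Assumes openssl is installed
# and the hostnames/ports from the thread: main listener kc1.domain:8443,
# management listener kc1.domain:9000, admin hostname admin.kc1.domain.

# san_covers_host SAN_LINE HOST -> status 0 if a DNS entry of the SAN covers HOST.
# SAN_LINE looks like "DNS:admin.kc1.domain, DNS:kc1.domain". A wildcard
# entry (*.kc1.domain) matches exactly one label, as browsers require.
san_covers_host() (
  san=$1; host=$2
  set -f          # no pathname expansion of "*.kc1.domain" while splitting
  IFS=','
  for entry in $san; do
    entry=${entry#"${entry%%[![:space:]]*}"}     # trim leading blanks
    case $entry in DNS:*) name=${entry#DNS:} ;; *) continue ;; esac
    [ "$name" = "$host" ] && exit 0
    case $name in
      \*.*) [ "$host" != "${host#*.}" ] && [ "${host#*.}" = "${name#\*.}" ] && exit 0 ;;
    esac
  done
  exit 1
)

# presented_san HOST PORT SNI -> prints the SAN line of the leaf certificate
# the listener at HOST:PORT presents when the client sends SNI for SNI.
presented_san() (
  host=$1; port=$2; sni=$3
  openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | grep 'DNS:' | head -n 1 | sed 's/^[[:space:]]*//'
)

# check_listener PORT -> report whether kc1.domain:PORT serves a certificate
# valid for admin.kc1.domain when asked for that name.
check_listener() (
  port=$1; sni=admin.kc1.domain
  san=$(presented_san kc1.domain "$port" "$sni")
  if san_covers_host "$san" "$sni"; then
    echo "port $port: OK   certificate SAN covers $sni ($san)"
  else
    echo "port $port: FAIL certificate SAN does not cover $sni (${san:-no certificate received})"
  fi
)

# Run the live check only when invoked as:  sh check-admin-cert.sh --run
if [ "${1:-}" = "--run" ]; then
  check_listener 8443
  check_listener 9000
fi
```

Per the post, the 9000 check should print OK and the 8443 check FAIL, which pins the problem to the certificate the main listener presents rather than to the browser or the management interface.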

