Keycloak Admin Console requires HTTPS when connected remotely (Should I disable SSL) - keycloak

I am connecting to Keycloak remotely. And when I try to open the Admin Console, I get an error saying HTTPS required.
In one of the websites, it says that I should do this: "update REALM set ssl_required='NONE' where id = 'master';"
But I do not know the consequences of doing this. Will this make it insecure? Or can I reverse this?
Thank you
(And if I would run Keycloak within a Docker image, would this problem be solved?)

Admin console uses the OpenID Connect protocol, which needs HTTPS to be secure. So it isn't a good idea to disable SSL in the prod environment.
Keycloak in a container doesn't solve your problem. But it provides a user-friendly approach to generate a self-signed cert - Keycloak Docker HTTPS required
The secure option is to generate a valid TLS certificate and use it in your Keycloak instance, so you have a valid, secure TLS/HTTPS connection.

Related

Ansible winrm_server_cert_validation HTTPS security

I am using Ansible on a Linux computer connecting to a Windows 8.1 Embedded computer. It's able to connect with username and password over the HTTPS port 5986, but I need to specify the option:
ansible_winrm_server_cert_validation=ignore
The ansible documentation specifies:
The following is necessary for Python 2.7.9+ (or any older Python that
has backported SSLContext, eg, Python 2.7.5 on RHEL7) when using
default WinRM self-signed certificates:
The windows computer has an SSL listener that was configured with Self-SignedCertificates from the powershell script:
https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
My question is: if I'm ignoring server cert validation, does that compromise the encryption that HTTPS is supposed to provide? Or is server cert validation just a separate process of HTTPS?
Thanks
Yes, if you ignore certificate validation as recommended in the default Ansible config for WinRM, your connection is not secure - someone can spoof the target server using a man in the middle (MITM) attack on the HTTPS connection. (There should really be a security warning in the Ansible docs.)
The best alternative seems to be NTLM/Negotiate authentication, instead of HTTPS, removing the need for an SSL certificate. Your Ansible control machine will need to be able to authenticate over NTLM as a Windows user, just like using an SMB file share.
You will need pywinrm 0.2.0 or higher for NTLM/Negotiate support.
Useful links
Why NTLM/Negotiate for WinRM - background on why it's good to avoid the complex setup to install SSL certificates by using NTLM (Ruby based but still useful)
Example Ansible setup for NTLM
More complete Ansible setup including NTLM
Certificate validation is a separate process from encryption. The communication will be encrypted. You can read more on the issues with self-signed certificates, but the high-level point is that you remove any way for Ansible to validate who exactly is on the other side of the connection and open yourself to a man-in-the-middle attack that HTTPS usually protects you from.
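The setting discussed in this thread is easy to lose track of when it is inherited from a group, so the following is an added example (not from the question or either answer) that parses an INI-style inventory, merges [group:vars] into each host, and reports every WinRM host whose ansible_winrm_server_cert_validation is set to ignore, together with the ansible_winrm_transport it uses. The inventory text is constructed for the example; ansible_winrm_transport is a real Ansible variable, and the hostnames and addresses are placeholders.

```python
import re

# Constructed sample inventory (not from the original post). Host 03 overrides the
# group-level setting, which is the case a manual review most often misses.
SAMPLE_INVENTORY = """\
[windows]
win-build-01 ansible_host=10.0.0.21
win-build-02 ansible_host=10.0.0.22 ansible_winrm_transport=ntlm
win-build-03 ansible_host=10.0.0.23 ansible_winrm_server_cert_validation=validate

[windows:vars]
ansible_connection=winrm
ansible_port=5986
ansible_winrm_server_cert_validation=ignore
"""


def parse_inventory(text):
    """Return {host: effective_vars}, with host-line vars overriding [group:vars]."""
    hosts, group_vars, groups_of = {}, {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section and section.endswith(":vars"):
            group = section[: -len(":vars")]
            key, _, value = line.partition("=")
            group_vars.setdefault(group, {})[key.strip()] = value.strip()
        else:
            parts = line.split()
            host_vars = hosts.setdefault(parts[0], {})
            for kv in parts[1:]:
                key, _, value = kv.partition("=")
                host_vars[key] = value
            if section:
                groups_of.setdefault(parts[0], set()).add(section)
    effective = {}
    for host, host_vars in hosts.items():
        merged = {}
        for group in groups_of.get(host, ()):
            merged.update(group_vars.get(group, {}))
        merged.update(host_vars)                 # host vars win over group vars
        effective[host] = merged
    return effective


def winrm_findings(inventory_text):
    """Hosts connecting over WinRM with certificate validation ignored -> transport in use."""
    findings = {}
    for host, v in parse_inventory(inventory_text).items():
        if v.get("ansible_connection") != "winrm":
            continue
        if v.get("ansible_winrm_server_cert_validation") == "ignore":
            findings[host] = v.get("ansible_winrm_transport")   # None when unset
    return findings


if __name__ == "__main__":
    for host, transport in winrm_findings(SAMPLE_INVENTORY).items():
        print(f"{host}: server cert validation ignored (transport={transport or 'default'})")
```

Every host the report lists accepts any certificate on the HTTPS listener, so the encryption described in the answer is still negotiated but with an unauthenticated peer; a host that appears with ntlm is the configuration the first answer suggests as the alternative, and a host that is absent either validates the certificate or is not a WinRM host at all.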

How to disable HTTPS on Keycloak

Like in the title: How to disable the requirement of https on Keycloak? Using only the terminal, as I can't log in to the administrator panel, because... there's no https.
You could change "Require SSL" in Realm settings, Login tab.
The options are:
external requests - Keycloak can run out of the box without SSL so long as you stick to private IP addresses like localhost, 127.0.0.1, 10.0.x.x, 192.168.x.x, and 172.16.x.x. If you don't have SSL/HTTPS configured on the server or you try to access Keycloak over HTTP from a non-private IP address you will get an error.
none - Keycloak does not require SSL. This should really only be used in development when you are playing around with things.
all requests - Keycloak requires SSL for all IP addresses.
The SSL mode for each realm can be configured in the Keycloak admin console.
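To make the three "Require SSL" modes concrete for both Keycloak questions above (the "HTTPS required" error from a remote admin session and the ssl_required='NONE' SQL workaround), here is an added example that is not Keycloak's code and not part of either answer. It models the documented decision rule: HTTPS is always accepted, "none" accepts anything, "all" rejects every plain-HTTP request, and "external" rejects plain HTTP unless the source is one of the private ranges the documentation lists. The range boundaries (for example 10.0.x.x as 10.0.0.0/16) are taken literally from that text and are an assumption about Keycloak's actual implementation; the sample addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Private source ranges exactly as the quoted documentation lists them
# (assumption: this models the documented behaviour, not Keycloak's own code).
PRIVATE_SOURCES = [
    ip_network("127.0.0.1/32"),
    ip_network("10.0.0.0/16"),     # "10.0.x.x"
    ip_network("192.168.0.0/16"),  # "192.168.x.x"
    ip_network("172.16.0.0/16"),   # "172.16.x.x"
]

# Values of the realm's Require SSL setting (ssl_required column / sslRequired attribute).
MODES = ("none", "external", "all")


def is_private_source(remote_addr: str) -> bool:
    """True for 'localhost' or an address inside one of the documented ranges."""
    if remote_addr == "localhost":
        return True
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_SOURCES)


def ssl_required(mode: str, remote_addr: str) -> bool:
    """Does this mode demand HTTPS for a request arriving from remote_addr?"""
    mode = mode.lower()
    if mode not in MODES:
        raise ValueError(f"unknown Require SSL mode: {mode!r}")
    if mode == "all":
        return True
    if mode == "none":
        return False
    return not is_private_source(remote_addr)   # "external"


def request_allowed(mode: str, remote_addr: str, scheme: str) -> bool:
    """True when Keycloak would serve the request instead of answering 'HTTPS required'."""
    if scheme.lower() == "https":
        return True
    return not ssl_required(mode, remote_addr)


def rejected_requests(mode, requests):
    """Filter (remote_addr, scheme) pairs down to those the mode would reject."""
    return [(addr, scheme) for addr, scheme in requests
            if not request_allowed(mode, addr, scheme)]


if __name__ == "__main__":
    # Constructed sample: a remote admin on a public address, a LAN host, and a
    # Docker bridge gateway address, all over plain HTTP.
    sample = [("203.0.113.7", "http"), ("192.168.1.10", "http"), ("172.17.0.1", "http")]
    for mode in MODES:
        print(f"{mode}: rejects {rejected_requests(mode, sample)}")
```

Running it shows why the first question hit the error under the default "external" mode: the admin's public address is not in any listed range, so plain HTTP is refused while the same request from 192.168.1.10 passes. It also shows that 172.17.0.1, a typical Docker bridge gateway, is outside the documented 172.16.x.x range, so in this model a containerized Keycloak reached through the host does not escape the check by itself. Setting the mode to "none" makes every row pass, which is exactly the protection the SQL workaround removes; it is reversed by setting the realm back to external (or all) through the admin console or by updating the same ssl_required column.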

How to make exceptions for url securing app with Keycloak?

We have an app on a Wildfly server, secured with Keycloak; everything works fine, but now we have to grant access to another app deployed on the same server. I don't want to write "complex" code with all the certificates for HTTPS and OAuth2 that we use for it, but I would like to grant access for the second app from localhost, to make requests to the first one (via REST API) and get a response. When I check with curl from the terminal of the server I also get an Unauthorized error, so I need to do all the same operations as for public access (get an access token from the OAuth provider). How could I set up Keycloak to grant access from localhost, for example? I haven't found anything equivalent in either Keycloak or standalone-full.xml (there are no properties for this) where I could put exclusions.
I appreciate your help!
Add localhost to the Valid Redirect URIs and Web Origins of Keycloak's client, or you can simply use * for development purposes so that all URIs are valid.
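Because the answer's shortcut of a bare * is only meant for development, the following added example (my own code, not Keycloak's implementation and not part of the answer) models a simplified version of the Valid Redirect URIs rule, checks a redirect URI against a client's list, and flags patterns that admit more redirect targets than intended. The matching rule used here (a lone * matches everything, a trailing * makes the rest a string prefix, anything else must match exactly) is an assumption made for the example; the URIs are constructed placeholders.

```python
from urllib.parse import urlsplit


def uri_matches(pattern: str, uri: str) -> bool:
    """Simplified wildcard rule (assumption, not Keycloak's code): '*' alone matches
    anything; a trailing '*' turns the rest into a string prefix; otherwise exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def redirect_allowed(valid_redirect_uris, redirect_uri: str) -> bool:
    """Would the client accept this redirect_uri under its configured patterns?"""
    return any(uri_matches(p, redirect_uri) for p in valid_redirect_uris)


def pattern_risk(pattern: str):
    """Short reason when a pattern admits unintended redirect targets, else None."""
    if pattern == "*":
        return "matches every URI, so any site can be named as the redirect target"
    if pattern.endswith("*"):
        parts = urlsplit(pattern[:-1])
        if not parts.scheme or not parts.netloc:
            return "wildcard without a full scheme://host prefix"
        if parts.path == "":
            return "host not terminated by '/', so longer hostnames also match the prefix"
    return None


def review_client(valid_redirect_uris):
    """Map each configured pattern to its risk note (None when nothing to flag)."""
    return {p: pattern_risk(p) for p in valid_redirect_uris}


if __name__ == "__main__":
    # Constructed client configuration for a local second app plus two weak entries.
    patterns = ["http://localhost:8081/*", "http://localhost*", "*"]
    for p, note in review_client(patterns).items():
        print(f"{p!r}: {note or 'ok'}")
```

The second pattern is the subtle one: http://localhost* looks like a localhost-only entry, but under a prefix rule it also matches a hostname that merely begins with localhost, which is why the review flags it and why the form with a terminating slash, http://localhost:8081/*, is the one to grant to the second app.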

Enabling remote access to Keycloak

I'm using the Keycloak authorization server in order to manage my application permissions. However, I've found out that the standalone server can be accessed locally only.
http://localhost:8080/auth works, but http://myhostname:8080/auth does not. This issue doesn't permit accessing the server from the internal network.
The standalone Keycloak server runs on top of a JBoss Wildfly instance, and this server doesn't allow accessing it externally by default, for security reasons (it should only apply to the administration console, but it seems to affect every URL in the case of Keycloak). It has to be booted with the -b=0.0.0.0 option to enable it.
However, if your Wildfly is running on a remote machine and you try to access your administrative page through the network by its IP address or hostname, let's say, at http://54.94.240.170:8080/, you will probably see a graceful This webpage is not available error; in other words, Wildfly said "No, thanks, I'm not allowing requests from anyone other than the ones at my local machine".
See also:
Enable Wildfly remote access
Wildfly remote access to administration console doesn't work
You can start the Keycloak server with this command:
standalone.bat -b 0.0.0.0
For anyone who happens by here now, I found this in the documentation for Keycloak 8:
Users can interact with Keycloak without SSL so long as they stick to
private IP addresses like localhost, 127.0.0.1, 10.0.x.x, 192.168.x.x,
and 172.16.x.x. If you try to access Keycloak without SSL from a
non-private IP address you will get an error.
This is how you can disable it from the admin console: just click on your realm and set the mentioned option.
Note: Don't forget the following
standalone.bat -b 0.0.0.0

WSO2 Identity Server Initial Setup for Cloud Host

After a fresh install, I'm able to log in to the https://host:9443/carbon URL, but not able to register a local user through the dashboard due to an immediate redirect to the URL https://localhost:9443/samlsso.
Which files need to be configured to reflect the valid hostname? Are there any digital certificates required to secure SSL for that host, and where is the place to store them?
Thanks in advance for hints on how to set up the WSO2 Identity environment.
Regards,
Claude
You can change the hostname value for key IdentityProviderSSOServiceURL in repository/conf/security/authenticators.xml file.