Keycloak / vault.adoc (88 lines · 3.7 KB)

<#import "/templates/guide.adoc" as tmpl>
<#import "/templates/kc.adoc" as kc>

<@tmpl.guide
title="Using a vault"
summary="Learn how to use and configure a vault in {project_name}"
priority=30
includedOptions="vault vault-*">

{project_name} provides two out-of-the-box implementations of the Vault SPI: a plain-text file-based vault and a Java KeyStore-based vault.

The file-based vault implementation is especially useful for Kubernetes/OpenShift secrets. You can mount Kubernetes secrets into the {project_name} container, and the data fields will be available in the mounted folder with a flat-file structure.

The Java KeyStore-based vault implementation is useful for storing secrets in bare-metal installations. You can use the KeyStore vault, which is encrypted using a password.

== Available integrations
Secrets stored in the vaults can be used at the following places of the Administration Console:

* Obtain the SMTP mail server password
* Obtain the LDAP bind credential when using LDAP-based User Federation
* Obtain the OIDC identity provider's client secret when integrating external identity providers

== Enabling a vault
To enable the file-based vault, you need to build {project_name} first using the following build option:

<@kc.build parameters="--vault=file"/>

Similarly, for the Java KeyStore-based vault you need to specify the following build option:

<@kc.build parameters="--vault=keystore"/>

== Configuring the file-based vault

=== Setting the base directory to look up secrets
Kubernetes/OpenShift secrets are basically mounted files. To configure the directory where these files are mounted, enter this command:

<@kc.start parameters="--vault-dir=/my/path"/>

=== Realm-specific secret files
Kubernetes/OpenShift Secrets are used on a per-realm basis in {project_name}, which requires a naming convention for the file in place:
[source, bash]
----
${r"${vault.<realmname>_<secretname>}"}
----

=== Using underscores in the name
To process the secret correctly, double every underscore within the <realmname> and within the <secretname>; the two parts are then separated by a single underscore.

.Example
* Realm name: `sso_realm`
* Desired name: `ldap_credential`
* Resulting file name:
[source, bash]
----
sso__realm_ldap__credential
----
Note the doubled underscores between __sso__ and __realm__ and also between __ldap__ and __credential__.

== Configuring the Java KeyStore-based vault

In order to use the Java KeyStore-based vault, you need to create a KeyStore file first. You can use the following command for doing so:
[source, bash]
----
keytool -importpass -alias <realm-name>_<alias> -keystore keystore.p12 -storepass keystorepassword
----
and then enter the value you want to store in the vault. Note that the format of the `-alias` parameter depends on the key resolver used. The default key resolver is `REALM_UNDERSCORE_KEY`.

By default, this stores the value as a generic PBEKey (password-based encryption) inside a SecretKeyEntry.

You can then start {project_name} using the following runtime options:

<@kc.start parameters=" --vault-file=/path/to/keystore.p12 --vault-pass=<value> --vault-type=<value>"/>

Note that the `--vault-type` parameter is optional and defaults to `PKCS12`.

Secrets stored in the vault can then be accessed in a realm via the following placeholder (assuming the `REALM_UNDERSCORE_KEY` key resolver is used): `${r"${vault.realm-name_alias}"}`.

== Example: Use an LDAP bind credential secret in the Admin Console

.Example setup
* A realm named `secrettest`
* A desired name `ldapBc` for the bind credential
* Resulting file name: `secrettest_ldapBc`

.Usage in Admin Console
You can then use this secret from the Admin Console by entering `${r"${vault.ldapBc}"}` as the value for the `Bind Credential` when configuring your LDAP User Federation.

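The lookup that the underscore section and the LDAP example above describe (the realm-scoped file name with doubled underscores, and a `${vault.<secretname>}` placeholder resolved against the `--vault-dir` directory), as an added Python model for illustration; it is not Keycloak's own code and is not part of this guide. The vault directory, the file names and their contents are constructed in a temporary folder, and the check that a secret file does not resolve outside the vault directory is this example's own caveat.

```python
import re
import tempfile
from pathlib import Path

# Matches the whole placeholder form used in this guide, e.g. "${vault.ldap_credential}".
PLACEHOLDER = re.compile(r"^\$\{vault\.([^}]+)\}$")


def vault_file_name(realm: str, secret: str) -> str:
    """File name the file-based vault looks for: every underscore inside the
    realm name and inside the secret name is doubled, then the two parts are
    joined with a single underscore (e.g. sso_realm + ldap_credential ->
    sso__realm_ldap__credential)."""
    return realm.replace("_", "__") + "_" + secret.replace("_", "__")


def resolve(vault_dir: Path, realm: str, value: str) -> str:
    """Return `value` unchanged unless it is a ${vault.<secret>} placeholder;
    in that case read the realm-scoped secret file from vault_dir."""
    match = PLACEHOLDER.match(value)
    if not match:
        return value  # a plain configured value, not a vault reference
    secret = match.group(1)
    # Reject anything that could name a path outside the vault directory before touching disk.
    if "/" in secret or "\\" in secret or secret in (".", ".."):
        raise ValueError(f"invalid vault key: {secret!r}")
    path = (vault_dir / vault_file_name(realm, secret)).resolve()
    # A symlinked secret file pointing elsewhere would resolve to another parent: refuse it.
    if path.parent != vault_dir.resolve():
        raise ValueError("resolved secret path left the vault directory")
    if not path.is_file():
        raise FileNotFoundError(f"no secret file {path.name} for realm {realm!r}")
    return path.read_text()  # example returns the content as stored, no trimming


def demo() -> dict:
    """Constructed vault directory holding the two file names this guide derives."""
    with tempfile.TemporaryDirectory() as tmp:
        vault_dir = Path(tmp)
        (vault_dir / "sso__realm_ldap__credential").write_text("s3cr3t-bind-pw")
        (vault_dir / "secrettest_ldapBc").write_text("bind-pw-2")
        return {
            "sso_realm": resolve(vault_dir, "sso_realm", "${vault.ldap_credential}"),
            "secrettest": resolve(vault_dir, "secrettest", "${vault.ldapBc}"),
            "literal": resolve(vault_dir, "secrettest", "plain-password"),
        }


if __name__ == "__main__":
    print(demo())
```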
</@tmpl.guide>