I'm migrating KeyCloak v15 (WildFly v23) passwords from the old vault to elytron credential store. It works fine for the standard use case. In standalone.xml
, I have:
/server/extensions/extension
:
<extension module="org.wildfly.extension.elytron"/>
/server/profile/subsystem
:
<subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="elytron" disallowed-providers="OracleUcrypto">
<providers>
<provider-loader name="elytron" module="org.wildfly.security.elytron"/>
</providers>
<audit-logging>
<file-audit-log name="local-audit" path="audit-log.log" relative-to="jboss.server.log.dir" format="JSON"/>
</audit-logging>
<credential-stores>
<credential-store name="credStore" location="/data/credStore.jceks">
<implementation-properties>
<property name="keyStoreType" value="JCEKS"/>
</implementation-properties>
<credential-reference clear-text="MASK-123456789;salt123;42"/>
</credential-store>
</credential-stores>
</subsystem>
and I access the passwords using
/server/profile/subsystem[@xmlns="urn:jboss:domain:jgroups:8.0"]/stacks/stack[@name="tcp"]/auth-protocol/digest-token/shared-secret-reference
:
<shared-secret-reference store="credStore" alias="myBlock::mySecret"/>
However, there is one secret I need to pass to a SPI in a property. Any idea how to do it? This was the old vault way:
/server/system-properties/property
:
<property name="secret" value="${VAULT::myBlock::mySecret::1}"/>
/server/profile/subsystem[@xmlns="urn:jboss:domain:keycloak-server:1.1"]/spi
:
<spi name="mySpi">
<provider name="file" enabled="true">
<properties>
<property name="password" value="${secret}"/>
</properties>
</provider>
</spi>
I found 2 possibilities:
export SECRET="$(secret-getter-script)"
) and use the variable instandalone.xml
:I had to rewrite our SPI to read Elytron credential store contents: