Securing Keycloak

---

Caution - change password

For security reasons, SEAL Systems strongly recommends changing the password of the preconfigured Keycloak user and configuring the TLS encryption. This way you can also avoid certificate warnings in the browser.

---

Changing the admin Password

After finishing the standard installation, the preconfigured administrator user is available:

• User name: admin

• Password: SealAdmin1

Change the password of this user as follows:

1. In your Web browser, open the Keycloak user interface: https://localhost:32769

2. Open the Administration Console

3. Log on with the preconfigured admin user and SealAdmin1 password.

4. In Manage Account, in the Admin menu in the right upper corner change the password and memorize the new one.

---

Securing Clients

After fnishing the standard installation any predefined clients already have predefined secrets. For security reasons change the secrets for all clients and configure them on the client side.

1. In your Web browser, open the Keycloak user interface: https://localhost:32769

2. Open the Administration Console.

3. In the Configure menu on the left, select Clients to open the client list.

   

4. In the Client ID column, select the following clients, one by one:

   • seal-easyprima
   • seal-mobile-print
   • seal-opcli
   • seal-plossysadmin
   • seal-plossyscli
   • seal-print-client

5. In each configuration dialog select the Credentials tab and click on Regenerate Secret to create a new secret.

   Regenerating secrets using PLOSSYS Administrator as example:

   

6. For details on how to configure the new secret for the associated client, see the corresponding client documentation:

   • easyPRIMA
   • SEAL DocPrint (seal-mobile-print)
   • SEAL OP-CLI
   • PLOSSYS Administrator
   • PLOSSYS CLI
   • SEAL Operator/SEAL Print Client

---

Configuring the TLS Encryption

1. Get a certificate as Java keystore, see requirements.

   Literature

   For details on how to create a keystore and convert credentials, see Convert Certificates.

2. Copy the Java keystore into the JBoss configuration directory:

   C:\ProgramData\SEAL Systems\data\seal-keycloak\configuration
   

3. In the security-realms section of C:\ProgramData\SEAL Systems\data\seal-keycloak\configuration\standalone.xml, insert the following lines:

   <security-realm name="SslRealm">
      <server-identities>
          <ssl>
              <keystore path="<yourdomain.com.jks>" relative-to="jboss.server.config.dir" keystore-password="<keystore_password>"/>
          </ssl>
      </server-identities>
   </security-realm>
   

4. In C:\ProgramData\SEAL Systems\data\seal-keycloak\configuration\standalone.xml, replace the existing https-listener line by the following line:

   <https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
   

5. Restart the seal-keycloak service.

---