keycloak-scim/server_admin/topics/realms/keys.adoc
2017-09-07 14:09:11 +02:00

95 lines
5.8 KiB
Text

[[realm_keys]]
=== Realm Keys
The authentication protocols that are used by {project_name} require cryptographic signatures and sometimes
encryption. {project_name} uses asymmetric key pairs, a private and public key, to accomplish this.
{project_name} has a single active keypair at a time, but can have several passive keys as well. The active keypair
is used to create new signatures, while the passive keypairs can be used to verify previous signatures. This makes it
possible to regularly rotate the keys without any downtime or interruption to users.
When a realm is created a key pair and a self-signed certificate is automatically generated.
To view the active keys for a realm select the realm in the admin console click on `Realm settings` then `Keys`. This
will show the currently active keys for the realm. {project_name} currently only supports RSA signatures so there
is only one active keypair. In the future as more signature algorithms are added there will be more active keypairs.
To view all available keys select `All`. This will show all active, passive and disabled keys. A keypair can have the
status `Active`, but still not be selected as the currently active keypair for the realm. The selected active pair which
is used for signatures is selected based on the first key provider sorted by priority that is able to provide an
active keypair.
==== Rotating keys
It's recommended to regularly rotate keys. To do so you should start by creating new keys with a higher priority than
the existing active keys. Or create new keys with the same priority and making the previous keys passive.
Once new keys are available all new tokens and cookies will be signed with the new keys. When a user authenticates to an
application the SSO cookie is updated with the new signature. When OpenID Connect tokens are refreshed new tokens are
signed with the new keys. This means that over time all cookies and tokens will use the new keys and after a while the
old keys can be removed.
How long you wait to delete old keys is a tradeoff between security and making sure all cookies and tokens are updated.
In general it should be acceptable to drop old keys after a few weeks. Users that have not been active in the period
between the new keys where added and the old keys removed will have to re-authenticate.
This also applies to offline tokens. To make sure they are updated the applications need to refresh the tokens before
the old keys are removed.
As a guideline it may be a good idea to create new keys every 3-6 months and delete old keys 1-2 months after the new
keys where created.
==== Adding a generated keypair
To add a new generated keypair select `Providers` and choose `rsa-generated` from the dropdown. You can change the priority
to make sure the new keypair becomes the active keypair. You can also change the `keysize` if you want smaller or larger keys (default is 2048,
supported values are 1024, 2048 and 4096).
Click `Save` to add the new keys. This will generated a new keypair including a self-signed certificate.
Changing the priority for a provider will not cause the keys to be re-generated, but if you want to change the keysize
you can edit the provider and new keys will be generated.
==== Adding an existing keypair and certificate
To add a keypair and certificate obtained elsewhere select `Providers` and choose `rsa` from the dropdown. You can change
the priority to make sure the new keypair becomes the active keypair.
Click on `Select file` for `Private RSA Key` to upload your private key. The file should be encoded in PEM format. You
don't need to upload the public key as it is automatically extracted from the private key.
If you have a signed certificate for the keys click on `Select file` next to `X509 Certificate`. If you don't have one
you can skip this and a self-signed certificate will be generated.
==== Loading keys from a Java Keystore
To add a keypair and certificate stored in a Java Keystore file on the host select `Providers` and choose `java-keystore`
from the dropdown. You can change the priority to make sure the new keypair becomes the active keypair.
Fill in the values for `Keystore`, `Keystore Password`, `Key Alias` and `Key Password` and click on `Save`.
==== Making keys passive
Locate the keypair in `Active` or `All` then click on the provider in the `Provider` column. This will take you to the
configuration screen for the key provider for the keys. Click on `Active` to turn it `OFF`, then click on `Save`. The
keys will no longer be active and can only be used for verifying signatures.
==== Disabling keys
Locate the keypair in `Active` or `All` then click on the provider in the `Provider` column. This will take you to the
configuration screen for the key provider for the keys. Click on `Enabled` to turn it `OFF`, then click on `Save`. The
keys will no longer be enabled.
Alternatively, you can delete the provider from the `Providers` table.
==== Compromised keys
{project_name} has the signing keys stored just locally and they are never shared with the client applications, users or other
entities. However if you think that your realm signing key was compromised, you should first generate new keypair as described above and
then immediatelly remove the compromised keypair.
Then to ensure that client applications won't accept the tokens signed by the compromised key, you should update and push not-before policy for
the realm, which is doable from the admin console. Pushing new policy will ensure that client applications won't accept the existing
tokens signed by the compromised key, but also the client application will be forced to download new keypair from the {project_name}, hence
the tokens signed by the compromised key won't be valid anymore. Note that your REST and confidential clients must have set `Admin URL`, so that
{project_name} is able to send them the request about pushed not-before policy.