The idea is to set sensitive fields[^1] in the key store instead; for the time being, the PCI-DSS4 auditor wants to have
keycloak_quarkus_db_pass
in the keystore, to "provide an additional layer of obstruction"...
[^1]: these need to be in keycloak.conf though, since Quarkus doesn't seem to provide a similar option as of now.
Note that this item is different to #172 as this one is about the configuration options, while the former is about a vault provider for client secrets etc.
SUMMARY
As per https://www.keycloak.org/server/configuration#_setting_sensitive_options_using_a_java_keystore_file the idea is to set these three configuration properties/env variables:
KC_CONFIG_KEYSTOREKC_CONFIG_KEYSTORE_PASSWORDKC_CONFIG_KEYSTORE_TYPEThe idea is to set sensitive fields[^1] in the key store instead; for the time being, the PCI-DSS4 auditor wants to have
keycloak_quarkus_db_passin the keystore, to "provide an additional layer of obstruction"...
[^1]: these need to be in
keycloak.confthough, since Quarkus doesn't seem to provide a similar option as of now.Note that this item is different to #172 as this one is about the configuration options, while the former is about a vault provider for client secrets etc.
ISSUE TYPE