Hi!
It was time to shift the build from dev to production, and now I am facing this weird issue. Yes, I am the one who opened this question back then.
The problem is that we now have a domain for the Keycloak instance (say keycloak.myapp.com), but for Kibana we are still using a self-signed certificate generated with openssl. Maybe there is something I am missing, but with this setup Keycloak doesn't find the Kibana redirects.
Hi @pablo
I did exactly what you mentioned in the config.yml and kibana.yml file and it’s working fine now. Thank you very much.
If I had two different certs for Keycloak and Kibana (say "keycloak.myapp.com" and "kibana.myapp.com" respectively), what should the configuration be?
My current config looks like this:
kibana.yml:
server.host: IP_ADDRESS # change this in production
server.port: PORT
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: PASSWORD # change this in production
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/kibana/config/kibana-key.pem" #self signed
server.ssl.certificate: "/usr/share/kibana/config/kibana.pem" #self signed
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/root-ca.pem"] #self signed
opendistro_security.openid.root_ca: "/usr/share/kibana/config/leca.pem" #Let's Encrypt CA
## ADDED
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://keycloak.myapp.com/auth/realms/kibana_realm/.well-known/openid-configuration" # change this in production
opendistro_security.openid.client_id: "kibana_client" # change this in production
opendistro_security.openid.client_secret: "SECRET" # change this in production
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.enable_global: true
opendistro_security.multitenancy.tenants.enable_private: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.multitenancy.enable_filter: false
My config.yml:
openid_auth_domain:
  order: 1
  http_enabled: true
  transport_enabled: true
  http_authenticator:
    type: openid
    challenge: false
    config:
      openid_connect_url: https://keycloak.myapp.com/auth/realms/kibana_realm/.well-known/openid-configuration # change this in production
      subject_key: "preferred_username"
      roles_key: "roles"
      openid_connect_idp.pemtrustedcas_filepath: "/usr/share/elasticsearch/config/leca.pem" #Let's Encrypt CA
      openid_connect_idp.enable_ssl: true
      openid_connect_idp.verify_hostnames: false
  authentication_backend:
    type: noop
Also, do you recommend keeping Keycloak and Kibana on the same instance (either in the same cluster or on the same physical/logical node) or on different instances (in a different cluster)?
Regarding Keycloak and Kibana placement: for a production environment it is always better to separate them and create redundancy.
Regarding the certs, your config is correct. Both Kibana and the ES security plug-in can successfully verify Keycloak's certificate against the defined Root CA certificate.
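As an added example (not code from this thread or from the Open Distro project), the script below reads the two configuration fragments posted above, maps each certificate setting to the component it anchors trust in, and flags the verification settings a reviewer would want changed before production. The YAML reader handles only the flat and indented `key: value` subset seen in the posts; the embedded fragments are constructed from the thread, and the file paths, hostnames and placeholder secrets are illustrative.

```python
"""Cross-check the Kibana (kibana.yml) and Elasticsearch security plug-in (config.yml)
OpenID settings of a Keycloak-backed setup and flag weak TLS verification settings.

Added example, not part of the forum thread or of the Open Distro project. The two
fragments below are constructed from the thread; paths and hostnames are assumptions.
"""
import json
import re

KIBANA_YML = """\
server.host: IP_ADDRESS
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: PASSWORD
server.ssl.enabled: true
server.ssl.key: "/usr/share/kibana/config/kibana-key.pem" #self signed
server.ssl.certificate: "/usr/share/kibana/config/kibana.pem" #self signed
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/root-ca.pem"] #self signed
opendistro_security.openid.root_ca: "/usr/share/kibana/config/leca.pem" #Let's Encrypt CA
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://keycloak.myapp.com/auth/realms/kibana_realm/.well-known/openid-configuration"
opendistro_security.openid.client_id: "kibana_client"
opendistro_security.openid.client_secret: "SECRET"
"""

ES_CONFIG_YML = """\
openid_auth_domain:
  order: 1
  http_enabled: true
  http_authenticator:
    type: openid
    challenge: false
    config:
      openid_connect_url: https://keycloak.myapp.com/auth/realms/kibana_realm/.well-known/openid-configuration
      subject_key: "preferred_username"
      roles_key: "roles"
      openid_connect_idp.pemtrustedcas_filepath: "/usr/share/elasticsearch/config/leca.pem" #Let's Encrypt CA
      openid_connect_idp.enable_ssl: true
      openid_connect_idp.verify_hostnames: false
  authentication_backend:
    type: noop
"""

IDP = "openid_auth_domain.http_authenticator.config."   # prefix of the ES OpenID settings


def _parse_value(raw):
    raw = raw.strip()
    try:
        return json.loads(raw)   # quoted strings, lists, true/false and numbers
    except ValueError:
        return raw               # bare scalars such as IP_ADDRESS or an unquoted URL


def parse_flat_yaml(text):
    """Tiny YAML-subset reader: nested 'key: value' mappings, returned with dotted keys."""
    settings, stack = {}, []    # stack holds (indent, key) of the enclosing mappings
    for line in text.splitlines():
        line = re.sub(r"\s#.*$", "", line).rstrip()     # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:          # leave mappings we are no longer inside
            stack.pop()
        dotted = ".".join([k for _, k in stack] + [key])
        if value.strip():
            settings[dotted] = _parse_value(value)
        else:
            stack.append((indent, key))                  # 'key:' with no value opens a mapping
    return settings


def audit(kibana, es):
    """Return (trust, findings): which file anchors which trust relation, and weak settings."""
    findings = []
    k_url, e_url = kibana.get("opendistro_security.openid.connect_url"), es.get(IDP + "openid_connect_url")
    if k_url != e_url:
        findings.append("Kibana and Elasticsearch point at different OpenID discovery URLs")
    trust = {
        "keycloak_ca_for_kibana": kibana.get("opendistro_security.openid.root_ca"),
        "keycloak_ca_for_elasticsearch": es.get(IDP + "openid_connect_idp.pemtrustedcas_filepath"),
        "kibana_server_cert": kibana.get("server.ssl.certificate"),
        "elasticsearch_ca_for_kibana": kibana.get("elasticsearch.ssl.certificateAuthorities"),
    }
    for role in ("keycloak_ca_for_kibana", "keycloak_ca_for_elasticsearch"):
        if str(k_url).startswith("https://") and not trust[role]:
            findings.append(f"{role} is unset: Keycloak's certificate cannot be verified")
    if es.get(IDP + "openid_connect_idp.enable_ssl") is not True:
        findings.append("openid_connect_idp.enable_ssl is not true: IdP traffic is not TLS-protected")
    if es.get(IDP + "openid_connect_idp.verify_hostnames") is not True:
        findings.append("openid_connect_idp.verify_hostnames is false: any certificate chaining to the "
                        "trusted CA is accepted for the IdP, not only one issued for keycloak.myapp.com")
    if kibana.get("elasticsearch.ssl.verificationMode") == "none":
        findings.append("elasticsearch.ssl.verificationMode is none: Kibana does not verify the ES certificate")
    return trust, findings


def report(kibana_yml=KIBANA_YML, es_config_yml=ES_CONFIG_YML):
    return audit(parse_flat_yaml(kibana_yml), parse_flat_yaml(es_config_yml))


if __name__ == "__main__":
    trust, findings = report()
    for role, path in trust.items():
        print(f"{role:32} {path}")
    for finding in findings:
        print("WARNING:", finding)
```

Run as-is it prints the trust map for the thread's config and two warnings (`verify_hostnames: false` and `verificationMode: none`); re-running `report()` with those two values changed to `true` and `full` yields no findings. The trust map also answers the two-certificate question: Kibana's own certificate (`server.ssl.certificate`) and the CA that signed it play no part in talking to Keycloak; only the two `leca.pem` entries anchor trust in Keycloak's certificate.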