ansible-middleware/keycloak

keycloak_quarkus: allow setting "sensitive options" using a Java KeyStore file

Closed this issue · 0 comments

SUMMARY

As per https://www.keycloak.org/server/configuration#_setting_sensitive_options_using_a_java_keystore_file the idea is to set these three configuration properties/env variables:

  • KC_CONFIG_KEYSTORE
  • KC_CONFIG_KEYSTORE_PASSWORD
  • KC_CONFIG_KEYSTORE_TYPE

The idea is to set sensitive fields [1] in the key store instead; for the time being, the PCI-DSS4 auditor wants to have

  • keycloak_quarkus_db_pass

in the keystore, to "provide an additional layer of obstruction"...

Note that this item is different to #172 as this one is about the configuration options, while the former is about a vault provider for client secrets etc.

ISSUE TYPE
  • Feature Idea

Footnotes

  1. these need to be in keycloak.conf though, since Quarkus doesn't seem to provide a similar option as of now.
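
The keystore described in the linked Keycloak documentation can be built with `keytool`, as in this added example, which is not part of the original issue or of the collection's code. The function names, the paths and the `KS_PASS` variable are assumptions; the `kc.` alias prefix and the PKCS12 type follow the linked documentation.

```shell
#!/bin/sh
# Added example (not from the issue or the collection): build the PKCS12
# keystore that KC_CONFIG_KEYSTORE points at. Function names, paths and the
# KS_PASS variable are assumptions made for this example.
set -eu

# store_option KEYSTORE OPTION
# Reads the secret from stdin and stores it under the alias kc.<option>.
# The keystore password is taken from $KS_PASS via -storepass:env, so neither
# secret appears on a command line or in the process list.
store_option() {
  ks="$1"; opt="$2"
  keytool -importpass -alias "kc.${opt}" -keystore "$ks" \
    -storetype PKCS12 -storepass:env KS_PASS >/dev/null 2>&1
  chmod 600 "$ks"
}

# has_option KEYSTORE OPTION
# Succeeds only if the alias kc.<option> exists in the keystore.
has_option() {
  keytool -list -alias "kc.$2" -keystore "$1" \
    -storetype PKCS12 -storepass:env KS_PASS >/dev/null 2>&1
}

# write_env_file KEYSTORE ENVFILE
# Writes the three variables named in the issue to a file that only its
# owner can read (umask is set before the file is created).
write_env_file() {
  ks="$1"; envfile="$2"
  ( umask 077
    {
      printf 'KC_CONFIG_KEYSTORE=%s\n' "$ks"
      printf 'KC_CONFIG_KEYSTORE_PASSWORD=%s\n' "$KS_PASS"
      printf 'KC_CONFIG_KEYSTORE_TYPE=PKCS12\n'
    } > "$envfile"
  )
}

# Usage with hypothetical paths (DB_PASS and KS_PASS come from the secret store):
#   export KS_PASS
#   printf '%s\n' "$DB_PASS" | store_option /path/to/kc-config.p12 db-password
#   has_option /path/to/kc-config.p12 db-password
#   write_env_file /path/to/kc-config.p12 /path/to/keycloak.env
```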