Setting the management server to HTTP in Keycloak 25

I’ve read the documentation here (Configuring the Management Interface - Keycloak) and I can’t find a solution to this. When I run Keycloak with metrics and health enabled, I see that it comes up with

Keycloak 25.0.0 on JVM (powered by Quarkus 3.8.5) started in 7.471s. Listening on: http://0.0.0.0:8080 and https://0.0.0.0:8443.
Management interface listening on https://0.0.0.0:9000.

How can I get the management server to run over HTTP, rather than HTTPS?

For reference, I am also setting the following parameters:

KC_HTTP_ENABLED: 'true'
KC_PROXY_HEADERS: 'xforwarded'
KC_HTTP_MANAGEMENT_PORT: 9000
KC_HTTP_RELATIVE_PATH: /auth

What am I missing? Is this possible?

IMHO it’s not possible to run the mgmt interface on http, if the “main” server has https certificates configured. You can only configure different certificates for the mgmt interface, but not run it on http.
Or, you have to operate completely without http on the Keycloak server, then also mgmt is http.
:man_shrugging:

Thanks for the clarification. Although, it’s not a particularly “clear” choice, IMO. I’m sticking with KC_LEGACY_OBSERVABILITY_INTERFACE for now, and then will figure out what to do between now and 26.

Discuss it with the team!
For metrics, I don’t see a big issue.
For health, yes, there might be issues with LBs not able to use proper https for health checks.

I’m planning to. First I want to get a sense of how things work so I can write a good issue. LBs are definitely a problem, but metrics also potentially. A lot of customers I work with, for better or worse, run http for internal things like metrics. Furthermore, a lot of people run http exclusively internally and let their ingress/LBs handle SSL termination for requests from the outside world. I don’t have to agree with it in order to need to figure out a solution for them.

Yes, for the “agree”, no for the solution.
I usually tell most of my customers that they will eventually have to deal with the requirements a software has if they want to use it. These “features” will increase in the future. So better be prepared than be late :wink:

If anyone gets to this post and is looking for a temporary fix in their k8s environment, I validated that k8s http probes, which can be used for readiness and liveness probes, do not by default check the cert for validity:

If scheme field is set to HTTPS, the kubelet sends an HTTPS request skipping the certificate verification.
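As an added example (not from this thread), a Deployment fragment that applies the workaround above: the environment variables from the original question, plus readiness and liveness probes aimed at the HTTPS management port with `scheme: HTTPS`, which the kubelet follows without verifying the certificate. It assumes the certificate and hostname settings for the main listener (which is what makes the management interface HTTPS) are supplied separately and omitted here, and that the management interface inherits the `/auth` prefix from `KC_HTTP_RELATIVE_PATH`.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
spec:
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:25.0.0
          args: ["start"]
          env:
            - name: KC_HTTP_ENABLED
              value: "true"
            - name: KC_PROXY_HEADERS
              value: "xforwarded"
            - name: KC_HTTP_RELATIVE_PATH
              value: "/auth"
            - name: KC_HTTP_MANAGEMENT_PORT
              value: "9000"
            - name: KC_HEALTH_ENABLED
              value: "true"
            - name: KC_METRICS_ENABLED
              value: "true"
          ports:
            - name: http
              containerPort: 8080
            - name: management
              containerPort: 9000
          readinessProbe:
            httpGet:
              path: /auth/health/ready   # assumes management inherits /auth (assumption)
              port: management
              scheme: HTTPS              # kubelet skips certificate verification
            initialDelaySeconds: 30
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /auth/health/live
              port: management
              scheme: HTTPS
            initialDelaySeconds: 60
            periodSeconds: 15
```

If you are not setting a relative path, drop the `/auth` prefix from both probe paths.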

Hi, I think it’s related but I’m not sure…
I’m upgrading from 18 to 25 and getting the following error

“Key material not provided to setup HTTPS. Please configure your keys/certificates or start the server in development mode.”

How can I solve it? I tried
ENV KC_HOSTNAME_STRICT_HTTPS="false"

but it doesn’t seem to help.

I really think this was a bad idea to only allow https for the management interface.
This can be problematic when running behind a reverse proxy on which we have no control.
It should be possible to enable both http and https for the management interface, like it is for the ‘normal’ interface.

Valid opinion, @omasseau. But complaining here doesn’t help as this is a community forum to get help from the community. If you have valid arguments to improve Keycloak, you should start a discussion at Keycloak’s GitHub repository, as this is the place where maintainers read.