
Chapter 18. Configuring the Management Interface


The management interface serves management endpoints from a separate HTTP server rather than the primary one. This makes it possible to hide endpoints such as /metrics or /health from the outside world, which hardens security. The advantage is most significant in Kubernetes environments, where the management port can be left unexposed.

18.1. Management interface configuration

The management interface is turned on when something is exposed on it. Management endpoints such as /metrics and /health are exposed on the default management port 9000 when metrics and health are enabled. The management interface provides a set of options and is fully configurable.

Note

If management interface properties are not explicitly set, their values are automatically inherited from the default HTTP server.

18.1.1. Port

To change the port of the management interface, use the Red Hat build of Keycloak option http-management-port.

18.1.2. Relative path

The management endpoints can use a different prefix path. To change the relative path of the management interface, use the Red Hat build of Keycloak option http-management-relative-path.

For instance, if you set the CLI option --http-management-relative-path=/management, the metrics and health endpoints are accessed on the /management/metrics and /management/health paths.

When the relative path is specified, the user is automatically redirected to the path where Red Hat build of Keycloak is hosted. For example, when the relative path is set to /management and the user accesses localhost:9000/, the page is redirected to localhost:9000/management.

Note

If you do not explicitly set http-management-relative-path, the value of the http-relative-path property is used. For instance, if you set the CLI option --http-relative-path=/auth, these endpoints are accessible on the /auth/metrics and /auth/health paths.

18.1.3. TLS support

When TLS is set for the default Red Hat build of Keycloak server, the management interface is accessible through HTTPS as well. Unlike the main server, the management interface runs on either HTTP or HTTPS, not both.

Red Hat build of Keycloak provides management interface options with the prefix https-management-* for setting different TLS parameters for the management HTTP server. They work like their counterparts for the main HTTP server; for details, see Configuring TLS. When these options are not explicitly set, the TLS parameters are inherited from the default HTTP server.

18.1.4. Disable Management interface

The management interface is automatically turned off when nothing is exposed on it. Currently, only health checks and metrics are exposed on the management interface. If you want to disable exposing them on the management interface, set the Red Hat build of Keycloak property legacy-observability-interface to true.

Warning

Exposing health and metrics endpoints on the default server is not recommended for security reasons, and you should always use the management interface. Note that the legacy-observability-interface option is deprecated and will be removed in future releases. It exists only to give you more time for the migration.
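
The inheritance rules in this section (relative path, TLS parameters, the legacy switch, the key store password default) can be checked against a deployment's environment before rollout. The following Python function is an added example, not part of the product or its documentation; the main-server variables it reads (KC_HEALTH_ENABLED, KC_METRICS_ENABLED, KC_HTTP_RELATIVE_PATH, KC_HTTPS_CERTIFICATE_FILE, KC_HTTPS_KEY_STORE_FILE, KC_HTTPS_KEY_STORE_PASSWORD, KC_HTTPS_CLIENT_AUTH) are assumed counterparts of the options in section 18.2 and do not appear on this page.

```python
# Added example: resolve where /health and /metrics land from KC_* variables.
# Main-server names (KC_HEALTH_ENABLED, KC_HTTPS_KEY_STORE_FILE, ...) are the
# counterparts of the options in 18.2 and are assumptions not listed on this page.

def _on(env, key):
    return env.get(key, "false").strip().lower() == "true"

def _inherit(env, suffix, default=None, prefix="KC_HTTPS"):
    # Management-specific value first, then the main HTTP server's value.
    return env.get(f"{prefix}_MANAGEMENT_{suffix}") or env.get(f"{prefix}_{suffix}") or default

def _join(prefix, endpoint):
    return f"{prefix.rstrip('/')}/{endpoint}"

def resolve_management(env):
    exposed = [name for name, flag in (("health", "KC_HEALTH_ENABLED"),
                                       ("metrics", "KC_METRICS_ENABLED"))
               if _on(env, flag)]
    if not exposed:
        return {"server": None, "paths": [], "findings": ["nothing exposed: management interface is off"]}
    findings = []
    main_path = env.get("KC_HTTP_RELATIVE_PATH") or "/"
    if _on(env, "KC_LEGACY_OBSERVABILITY_INTERFACE"):
        findings.append("legacy-observability-interface=true: health/metrics are served "
                        "by the main server (deprecated, not recommended)")
        return {"server": "main", "paths": [_join(main_path, e) for e in exposed], "findings": findings}
    path = _inherit(env, "RELATIVE_PATH", default=main_path, prefix="KC_HTTP")
    if not path.startswith("/"):
        findings.append(f"relative path {path!r} must start with '/'")
    tls = bool(_inherit(env, "CERTIFICATE_FILE") or _inherit(env, "KEY_STORE_FILE"))
    if not tls:
        findings.append("no TLS material set or inherited: management interface uses plain HTTP")
    if _inherit(env, "KEY_STORE_FILE") and not _inherit(env, "KEY_STORE_PASSWORD"):
        findings.append("key store configured without a password: the default 'password' applies")
    return {"server": "management", "scheme": "https" if tls else "http",
            "port": int(env.get("KC_HTTP_MANAGEMENT_PORT", "9000")),
            "client_auth": _inherit(env, "CLIENT_AUTH", default="none"),
            "paths": [_join(path, e) for e in exposed], "findings": findings}

# Constructed sample environment (not taken from a real deployment).
SAMPLE = {"KC_HEALTH_ENABLED": "true", "KC_METRICS_ENABLED": "true",
          "KC_HTTP_RELATIVE_PATH": "/auth",
          "KC_HTTPS_KEY_STORE_FILE": "/opt/keycloak/conf/server.keystore"}

if __name__ == "__main__":
    for key, value in resolve_management(SAMPLE).items():
        print(f"{key}: {value}")
```

With the sample environment, the result shows the management server inheriting both the /auth prefix and the main server's key store, and flags that the key store password falls back to its default.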

18.2. Relevant options

http-management-port

Port of the management interface.

Relevant only when something is exposed on the management interface - see the guide for details.

CLI: --http-management-port
Env: KC_HTTP_MANAGEMENT_PORT
Value: 9000 (default)

http-management-relative-path 🛠

Set the path relative to / for serving resources from management interface.

The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details.

CLI: --http-management-relative-path
Env: KC_HTTP_MANAGEMENT_RELATIVE_PATH
Value: / (default)

https-management-certificate-file

The file path to a server certificate or certificate chain in PEM format for the management server.

If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details.

CLI: --https-management-certificate-file
Env: KC_HTTPS_MANAGEMENT_CERTIFICATE_FILE

https-management-certificate-key-file

The file path to a private key in PEM format for the management server.

If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details.

CLI: --https-management-certificate-key-file
Env: KC_HTTPS_MANAGEMENT_CERTIFICATE_KEY_FILE

https-management-client-auth 🛠

Configures the management interface to require/request client authentication.

If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details.

CLI: --https-management-client-auth
Env: KC_HTTPS_MANAGEMENT_CLIENT_AUTH
Value: none (default), request, required

https-management-key-store-file

The key store which holds the certificate information instead of specifying separate files for the management server.

If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details.

CLI: --https-management-key-store-file
Env: KC_HTTPS_MANAGEMENT_KEY_STORE_FILE

https-management-key-store-password

The password of the key store file for the management server.

If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details.

CLI: --https-management-key-store-password
Env: KC_HTTPS_MANAGEMENT_KEY_STORE_PASSWORD
Value: password (default)

legacy-observability-interface 🛠

If metrics/health endpoints should be exposed on the main HTTP server (not recommended).

If set to true, the management interface is disabled.

CLI: --legacy-observability-interface
Env: KC_LEGACY_OBSERVABILITY_INTERFACE

DEPRECATED.

Value: true, false (default)


© 2024 Red Hat, Inc.