Narrative

For a secure deployment it is important to encrypt all network traffic including cache messages. However, this is currently cumbersome and requires editing Infinispan XML files and refers to JGroups documentation. The complexity involved often results in it not being secured properly or not at all.

Value Proposition

Making it easier to configure encryption of cache messages makes it easier to setup a secure deployment of Keycloak.

Goals

• Provide a zero-config approach to encrypting cache messages (any additional config is required around this it should be provided through Keycloak config, and not Infinispan XML files)
• Enabling encryption by default
• Streamline the docs to describe the new zero-config encryption for TCP, and remove references to previous approaches (documentation should be self-contained in KC docs, and not refer to Infinispan docs)

Non-Goals