----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Marek Posolda" <mposolda(a)redhat.com>, keycloak-dev(a)lists.jboss.org
Sent: Thursday, 16 July, 2015 2:40:11 PM
Subject: Re: [keycloak-dev] Requirements to Elytron for Client 2-way SSL authentication
On 7/16/2015 4:20 AM, Marek Posolda wrote:
>> I'm not sure we really need to have any special integration with
>> Elytron. We just need to make sure that it can support certificate
>> chains the way we want to support it. I'm pretty sure EAP 6.x can
>> support what we want, read on...
>>
>> The certificate chain is available from the HttpServletRequest as per the
>> spec. I'm not exactly sure on the specifics, but all you need is one
>> "root" certificate in the web server's trust store. Then you could
>> conceivably create a trusted certificate chain as follows:
>>
>> 1) Organization root certificate.
>>
>> 2) Root cert signs Realm cert.
>>
>> 3) Realm cert signs client cert.
>>
>> Following me? My guess is that it would be really easy to issue our own
>> client certs and that we could have a Required Action that helped set
>> this up.
>>
> Yeah, so if we can just put the root certificate in the truststore at startup,
> it's easy. The issue might be if we want the root CA to be added to the
> truststore at "runtime" as Stian mentioned in the other mail. Will try to
> double-check if it's possible.
>
I don't know how well cert chains are supported. I guess you'll find out :)
For client auth, shouldn't we just support the best practices and
whatever the spec requires? 2-way SSL is a pain in the ass, wouldn't
you be better off with PIN+OTP? Much easier to set up and manage.
I was thinking 2-way SSL would be easier - SSL is required in either case, so a client
has to have that enabled; why not utilize that to also authenticate the client?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
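The three-level chain Bill sketches (organization root signs realm cert, realm cert signs client cert), as an added example that is not part of this thread and not Keycloak's own code. It uses the openssl CLI to issue the certificates and then checks what a server whose trust store holds only the organization root can verify: the client cert is accepted when the client presents the realm cert alongside it, rejected when the realm cert is missing from both the handshake and the trust store, and rejected when a realm CA constrained with pathlen:0 tries to mint a sub-CA. The organization name, realm name, subjects (alice, mallory) and file layout are invented for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from the keycloak-dev thread or from Keycloak itself.
# Builds the chain organization root -> realm cert -> client cert with the openssl
# CLI and checks verification against a trust store holding ONLY the organization
# root. ExampleOrg, the "demo" realm, alice and mallory are invented names.
set -eu

# write_ext FILE CA-SPEC EXTRA: X.509 v3 extension file for "openssl x509 -extfile".
write_ext() {
  printf 'basicConstraints=critical,%s\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n%b\n' \
    "$2" "$3" > "$1"
}

# issue DIR NAME SUBJECT EXTFILE [ISSUER]: make a P-256 key and CSR for NAME, then
# sign it with ISSUER's cert and key, or self-sign it when no ISSUER is given.
issue() {
  local d="$1" name="$2" subj="$3" ext="$4" issuer="${5:-}"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/$name.key" -out "$d/$name.csr" -subj "$subj" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -sha256 -days 3650 -in "$d/$name.csr" -signkey "$d/$name.key" \
      -extfile "$ext" -out "$d/$name.pem" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 365 -in "$d/$name.csr" \
      -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" -CAcreateserial \
      -extfile "$ext" -out "$d/$name.pem" 2>/dev/null
  fi
}

# make_chain DIR: creates root.pem, realm.pem and client.pem (plus keys) under DIR.
make_chain() {
  local d="$1"
  # 1) Organization root certificate: self-signed CA. This single cert is all the
  #    web server's trust store needs to hold.
  write_ext "$d/root.ext" "CA:TRUE" "keyUsage=critical,keyCertSign,cRLSign"
  issue "$d" root "/O=ExampleOrg/CN=ExampleOrg Root CA" "$d/root.ext"
  # 2) Root signs the realm cert. pathlen:0 lets the realm issue end-entity (client)
  #    certs but NOT further CAs, so a leaked realm key cannot spawn sub-CAs.
  write_ext "$d/realm.ext" "CA:TRUE,pathlen:0" "keyUsage=critical,keyCertSign,cRLSign"
  issue "$d" realm "/O=ExampleOrg/CN=Realm demo CA" "$d/realm.ext" root
  # 3) Realm cert signs the client cert: not a CA, usable only for TLS client auth.
  write_ext "$d/client.ext" "CA:FALSE" "keyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth"
  issue "$d" client "/O=ExampleOrg/OU=demo/CN=alice" "$d/client.ext" realm
}

# make_rogue_subca DIR: the realm key (pathlen:0) tries to issue a sub-CA, which then
# issues a client cert for mallory. Assumes make_chain DIR has already run.
make_rogue_subca() {
  local d="$1"
  write_ext "$d/subca.ext" "CA:TRUE" "keyUsage=critical,keyCertSign,cRLSign"
  issue "$d" subca "/O=ExampleOrg/CN=Rogue sub-CA" "$d/subca.ext" realm
  issue "$d" mallory "/O=ExampleOrg/OU=demo/CN=mallory" "$d/client.ext" subca
  # The intermediates mallory would send in the TLS handshake.
  cat "$d/realm.pem" "$d/subca.pem" > "$d/rogue-chain.pem"
}

# verify_client ROOT CERT [CHAIN]: returns 0 if CERT validates as a TLS client cert
# against a trust store containing only ROOT; CHAIN is the file of intermediate
# certs the client presented (omit it to model a client that sends only its own cert).
verify_client() {
  local root="$1" cert="$2" chain="${3:-}"
  if [ -n "$chain" ]; then
    openssl verify -purpose sslclient -no-CApath -no-CAfile -CAfile "$root" \
      -untrusted "$chain" "$cert" >/dev/null 2>&1
  else
    openssl verify -purpose sslclient -no-CApath -no-CAfile -CAfile "$root" \
      "$cert" >/dev/null 2>&1
  fi
}

# Stand-alone run: build everything in a scratch directory and report each outcome.
run_demo() {
  local d
  d="$(mktemp -d)"
  make_chain "$d"
  make_rogue_subca "$d"
  echo "trust store: $d/root.pem only"
  verify_client "$d/root.pem" "$d/client.pem" "$d/realm.pem" \
    && echo "alice + realm cert   : accepted" || echo "alice + realm cert   : rejected"
  verify_client "$d/root.pem" "$d/client.pem" \
    && echo "alice alone          : accepted" || echo "alice alone          : rejected (no path to root)"
  verify_client "$d/root.pem" "$d/mallory.pem" "$d/rogue-chain.pem" \
    && echo "mallory via rogue CA : accepted" || echo "mallory via rogue CA : rejected (realm pathlen:0)"
  rm -rf "$d"
}
run_demo
```

The second case is the practical caveat for the "only one root in the trust store" plan: the realm cert must travel with the client cert in the handshake (or be placed in the server's trust store as well), otherwise the server cannot build a path to the root. The third case shows why the realm cert should carry pathlen:0 when it is the thing that signs client certs.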