The only thing I found a bit weird is that you create the `/etc/x509/https`
directory. The Keycloak image has a small script that tries to grab a key and a
certificate in that directory and import them [1]. But I see you're already
doing that in the `RUN keytool ...` commands. Perhaps you should either put
tls.crt and tls.key there and rely on our script, or do everything by
yourself (but in that case, please remember to modify the configuration
similarly to [2]).
The last advice I can give you is to append the `-Djavax.net.debug=all`
argument to ./standalone.sh. This way you can see what certificates are
being picked up and whether the TLS handshake looks correct (although the
debugging is really time-consuming).
[1] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5...
[2] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5...
On Thu, Aug 8, 2019 at 1:05 AM Johnson, Freddie [USA] <Johnson_Freddie(a)bah.com> wrote:
Team --
I'm currently having issues getting Keycloak to read the client
certificate forwarded from the proxy in an HTTP header from Apache using the Apache
SPI cert lookup. Instead, it reads the wildcard cert provided below
in the virtual host of *.xxx.ninja from SSLProxyMachineCertificateFile.
However, if I use the common name of that wildcard and assign it to any
user, Keycloak will log that user in even though that is not the user
originally making the initial request to the proxy. In short, how do I
force Keycloak running in a container to use the Apache SPI to retrieve
cert credentials from the header? I tried the developer documentation by adding the SPI
per
https://www.keycloak.org/docs/latest/server_admin/index.html#client-certi...
to both standalone.xml and the deployment folder, but it's as if Keycloak is not
recognizing the configuration change in the container after build. If I remove
SSLProxyMachineCertificateFile from Apache, Keycloak sends a message to the
proxy saying "downstream server expected client cert but none configured", so that option didn't work
either. Details below:
My apache reverse proxy is:
```apache
<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    SSLVerifyClient optional
    SSLVerifyDepth 4
    SSLOptions +ExportCertData
    SSLProxyCheckPeerName off
    ProxyPreserveHost On
    SSLProxyCACertificateFile "/usr/local/apache2/conf/ca-xxx-ninja.crt"
    SSLCACertificateFile "/usr/local/apache2/conf/xxx_authorities.pem"
    SSLProxyMachineCertificateFile "/usr/local/apache2/conf/proxy-wildcard-xxx-ninja.pem"
    # Clear any client-supplied copies of these headers before forwarding,
    # so a caller cannot inject its own certificate header.
    RequestHeader set SSL_CLIENT_CERT ""
    RequestHeader set SSL_CLIENT_CERT_CHAIN_4 ""
    ServerName sso.xxx.ninja
    ProxyPass / https://keycloak:8443/
    ProxyPassReverse / https://keycloak:8443/
    ProxyRequests Off
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Forwarded-Proto "https"
    # In mod_headers, %{VAR}s reads the mod_ssl variable VAR; %{VAR}i would read
    # the incoming request header of that name, which was cleared above.
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    RequestHeader set CERT_CHAIN "%{SSL_CLIENT_CERT_CHAIN_4}s"
</VirtualHost>
```
My Keycloak Dockerfile (abbreviated - sanitized):
```dockerfile
# Abbreviated and sanitized: base image and remaining instructions omitted.
ENV X509_CA_BUNDLE="/opt/xxx/xxx_authorities.pem"
USER root
RUN mkdir -p /etc/x509/https /opt/xxx
COPY "./certs/tls.crt" "/etc/x509/https"
COPY "./certs/tls.key" "/etc/x509/https"
# originally edited this file to hold the apache spi
COPY "./standalone.xml" "/opt/jboss/keycloak/standalone/configuration/standalone.xml"
# moved the apache spi for x509 here per online instructions
COPY "./apache.xml" "/opt/jboss/keycloak/standalone/deployments/apache.xml"
COPY "./certs/ca-xxx-ninja.crt" "/opt"
COPY "./certs/xxx/xxx_authorities.pem" "/opt/xxx/"
# Note: keytool -import takes only the first certificate from a PEM file;
# a multi-certificate bundle must be split and imported entry by entry.
RUN keytool -noprompt -import -trustcacerts -alias root \
      -file /opt/ca-xxx-ninja.crt \
      -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
RUN keytool -noprompt -import -trustcacerts -alias xxx \
      -file /opt/xxx/xxx_authorities.pem \
      -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
USER 1000
EXPOSE 8080 8443
```
Any guidance/ideas you can provide would be much appreciated, as I've been
working on it for a few days now and can't seem to get over this last hurdle.
Respectfully,
Freddie Lee Johnson, Jr.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
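For reference, here is the Keycloak-side counterpart of the Apache virtual host above, written as an added example rather than taken from this thread or from the Keycloak project files: the `x509cert-lookup` SPI block that lives inside the `keycloak-server` subsystem of standalone.xml, with the header names set to the ones the proxy writes (`SSL_CLIENT_CERT`, and `CERT_CHAIN` as the chain prefix). The subsystem namespace version (`1.1`) and the chain length of 10 are assumptions that depend on the Keycloak release in use.

```xml
<!-- Added example; fragment of standalone.xml, not the poster's file. -->
<!-- Namespace version is an assumption; check the one your Keycloak release ships. -->
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    <!-- ... other <spi> blocks ... -->
    <spi name="x509cert-lookup">
        <!-- Without this line Keycloak keeps the default lookup, which uses the
             certificate of the TLS connection itself, i.e. the proxy's own cert. -->
        <default-provider>apache</default-provider>
        <provider name="apache" enabled="true">
            <properties>
                <!-- Header carrying the PEM of the end-user certificate; must match
                     the RequestHeader name the proxy sets. -->
                <property name="sslClientCert" value="SSL_CLIENT_CERT"/>
                <!-- Chain certificates are expected in numbered headers built from this
                     prefix (CERT_CHAIN_0, CERT_CHAIN_1, ...). -->
                <property name="sslCertChainPrefix" value="CERT_CHAIN"/>
                <!-- Assumed value: maximum number of chain headers to read. -->
                <property name="certificateChainLength" value="10"/>
            </properties>
        </provider>
    </spi>
</subsystem>
```

Two checks go with this fragment: the header names here and in the `RequestHeader set` lines must agree character for character, and Keycloak must be reachable only through the proxy, because once the apache provider is active the server trusts whatever certificate arrives in that header. The `RequestHeader set SSL_CLIENT_CERT ""` line in the virtual host is what stops a client from supplying that header itself.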