Issue in Migrating standalone.xml with Vault Configuration on Linux
by Deepti Tyagi
Hi Team,
I am trying to migrate standalone.xml (from v3.0 to v4.6) that is having vault configurations enabled, using command (./jboss-cli.sh --file=migrate-standalone.cli) on Linux.
But it always throw the exception as highlighted though same works fine on Windows.
Is it a known issue? Any workaround?
04:36:53,835 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
("core-service" => "management"),
("security-realm" => "MySSLRealm")
]): org.jboss.as.server.services.security.VaultReaderException: WFLYSRV0227: Security exception accessing the vault
at org.jboss.as.server.services.security.VaultReaderImpl.retrieveFromVault(RuntimeVaultReader.java:190)
at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:115)
at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:65)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionString(ExpressionResolverImpl.java:341)
at org.jboss.as.controller.ExpressionResolverImpl.parseAndResolve(ExpressionResolverImpl.java:246)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionStringRecursively(ExpressionResolverImpl.java:143)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:84)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:66)
at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:873)
at org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:1278)
at org.jboss.as.controller.AttributeDefinition$1.resolveExpressions(AttributeDefinition.java:603)
at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:667)
at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:626)
at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:600)
at org.jboss.as.domain.management.security.SecurityRealmAddHandler.addKeyManagerService(SecurityRealmAddHandler.java:688)
at org.jboss.as.domain.management.security.SecurityRealmAddHandler.addSSLServices(SecurityRealmAddHandler.java:611)
at org.jboss.as.domain.management.security.SecurityRealmAddHandler.installServices(SecurityRealmAddHandler.java:237)
at org.jboss.as.domain.management.security.SecurityRealmAddHandler$ServiceInstallStepHandler.execute(SecurityRealmAddHandler.java:917)
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999)
at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743)
at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467)
at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1411)
at org.jboss.as.controller.ModelControllerImpl.boot(ModelControllerImpl.java:521)
at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:470)
at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:432)
at org.jboss.as.server.ServerService.boot(ServerService.java:427)
at org.jboss.as.server.ServerService.boot(ServerService.java:386)
at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.security.vault.SecurityVaultException: javax.crypto.BadPaddingException: Given final block not properly padded
at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:297)
at org.jboss.as.server.services.security.VaultReaderImpl.getValue(RuntimeVaultReader.java:223)
at org.jboss.as.server.services.security.VaultReaderImpl.retrieveFromVault(RuntimeVaultReader.java:176)
... 28 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:975)
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:833)
at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
at javax.crypto.Cipher.doFinal(Cipher.java:2165)
at org.picketbox.util.EncryptionUtil.decrypt(EncryptionUtil.java:134)
at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:293)
... 30 more
04:36:53,855 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
04:36:53,865 INFO [org.jboss.as] (MSC service thread 1-4) WFLYSRV0050: Keycloak 4.6.0.Final (WildFly Core 6.0.2.Final) stopped in 15ms
Cannot start embedded server: WFLYEMB0021: Cannot start embedded process: JBTHR00005: Operation failed: WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
Below is the sample vault configurations in standalone.xml (Keycloak v3.0.0)
<system-properties>
<property name="javax.net.ssl.trustStore" value="/d0/certs/cert.keystore"/>
</system-properties>
<vault>
<vault-option name="KEYSTORE_URL" value="/d0/certs/cert.jceks"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-0Thq/RjbpgdvR0aONX4KnP"/>
<vault-option name="KEYSTORE_ALIAS" value="cert"/>
<vault-option name="SALT" value="asdf3421"/>
<vault-option name="ITERATION_COUNT" value="44"/>
<vault-option name="ENC_FILE_DIR" value="/d0/certs"/>
</vault>
<management>
<security-realms>
<security-realm name="MySSLRealm">
<server-identities>
<ssl>
<keystore alias="cert" keystore-password="${VAULT::DS::cert::1}" path="/d0/certs/cert.keystore"/>
</ssl>
</server-identities>
</security-realm>
...
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
<buffer-cache name="default"/>
<server name="default-server">
<https-listener max-post-size="1048576000" name="default" security-realm="MySSLRealm" socket-binding="https"/>
...
Thanks,
Deepti
----------------------------------------------------------------------
This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.
5 years, 4 months
Get the realms through the Client Admin Api
by Luca Stancapiano
I'm triing a simple call via Rest to my keycloak 4.7.0.Final server distribution. I created an admin user through the admin web console:
user: admin
pass: admin
The server works on the 8180 port and it starts through the command:
./standalone.sh -Djboss.socket.binding.port-offset=100
I try to do a simple call using the admin client api imported through the dependency in the pom:
<dependencies>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-admin-client</artifactId>
<version>4.7.0.Final</version>
<scope>test</scope>
</dependency>
</dependencies>
Here the java code:
Keycloak keycloak = Keycloak.getInstance("http://localhost:8180/auth", "master", "admin", "admin", "admin-cli");
keycloak.realm("master").clients().findAll();
when the findAll method is executed I receive the Exception:
javax.ws.rs.ProcessingException: java.lang.NullPointerException
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:599)
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:148)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
at com.sun.proxy.$Proxy29.findAll(Unknown Source)
at it.vige.school.resttest.schoolmodule.test.PresenceTest.setPresence(PresenceTest.java:42)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:532)
at org.junit.jupiter.engine.execution.ExecutableInvoker.invoke(ExecutableInvoker.java:115)
at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$invokeTestMethod$6(TestMethodTestDescriptor.java:171)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.invokeTestMethod(TestMethodTestDescriptor.java:167)
at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:114)
at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:59)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:108)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:112)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:112)
at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.submit(SameThreadHierarchicalTestExecutorService.java:32)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:57)
at org.junit.platform.engine.support.hierarchical.HierarchicalTestEngine.execute(HierarchicalTestEngine.java:51)
at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:220)
at org.junit.platform.launcher.core.DefaultLauncher.lambda$execute$6(DefaultLauncher.java:188)
at org.junit.platform.launcher.core.DefaultLauncher.withInterceptedStreams(DefaultLauncher.java:202)
at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:181)
at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:128)
at org.apache.maven.surefire.junitplatform.JUnitPlatformProvider.invokeAllTests(JUnitPlatformProvider.java:142)
at org.apache.maven.surefire.junitplatform.JUnitPlatformProvider.invoke(JUnitPlatformProvider.java:117)
at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:384)
at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:345)
at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:126)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:418)
Caused by: java.lang.NullPointerException
at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:53)
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:586)
... 47 more
What i miss?
5 years, 4 months
Authz - Problem stacking entitlmenets
by cen
Hi
I am trying to stack all permissions from two different confidential
clients via entitelments API.
Steps:
1. Get access token for public client
2. Get entitlements for client 1:
Authorization: Bearer access_token
grant_type: urn:ietf:params:oauth:grant-type:uma-ticket
audience: client1
Returns RPT with all resources owned by user on client1. Works as expected.
3. Get entitlements for client 2
Authorization: Bearer access_token
grant_type: urn:ietf:params:oauth:grant-type:uma-ticket
audience: client2
rpt: {{rpt from step 2}}
Response: forbidden 403
{
"error": "access_denied",
"error_description": "not_authorized"
}
If I remove rpt parameter I get all permissions for client 2 as
expected. What is the reason for 403? Why would rpt param result in 403,
isn't it is supposed to be there just to stack additional permissions?
Must be some additional checks which I am not aware of. What are they?
reference doc:
https://www.keycloak.org/docs/4.6/authorization_services/#_service_obtain...
Best regards
5 years, 4 months
Link to account update in email sent to user
by Kjetil Nilsen
The link in the Update Your Account email is like this: {baseurl}/auth/realms/{realm}/login-actions/action-token?key=token
Is it possible to change this to for instance {baseurl}/{somethin else}/realms/{realm}/login-actions/action-token?key=token
We don't like to expose the link as it is to the users for security reasons.
Beste hilsen / Best regards
Kjetil Nilsen
Programmerer
LOGIQ AS
Tønne Huitfeldts plass 2, NO-1767 Halden, Norge
Mob. +47 958 89 571
kjetiln(a)logiq.no<mailto:kjetiln@logiq.no> www.logiq.no<http://www.logiq.no/>
5 years, 4 months
RSA Provider not working.
by Hariprasad N
Hi All,
I am using keycloak 4.7.0.Final, I create a realm 'Realm_1'
By default in keys section of realm three keys active which are.
1. HS256
2. AES
3. RS256
I created a user 'user1' and client 'client1' and I have a war file which
is deployed in wildfy server and secured with keycloak server(realm : Realm_1,
client : client1)
when i try to access the resources inside war it is redirecting to keycloak
login page and after login i am able to access resources, it is fine.
The problem is once I logged in, it is createing JWT token with 'HS256'
algorithm , i want to enforce to use any public key algorithms like 'RS256'.
To achieve this
1. I increased priority of RSA256 no use.
2. Deleted AES and HS256 no use, in this case when next time login it is
automatically falling back to HS256 and AES , it automatically created
two fall back providers for HS256 and AES .
So please tell me how can I enforce to use any public key algorithms.
--
Thanks & Regards,
Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore – 560001, Karnataka, India.
Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n(a)ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>
5 years, 4 months
Keycloak behind reverse proxy
by Nikola Malenic
I configured mutual-ssl authentication on Keycloak. That means that user
coming to Keycloak does SSL handshake allowing Keycloak to extract data from
client certificate and map that data to an existing user at Keycloak, and
based on that authenticate the user.
Now, I need to configure reverse proxy in front of Keycloak. I'm using
Apache's httpd.
The problem is that user's browser now does SSL handshake with the reverse
proxy server instead of Keycloak and sends plain http request, disabling
Keycloak to map and authenticate the user.
Is there a proposed method to achieve this?
Can I configure some reverse proxy (maybe not httpd) to proxy requests on
the transport layer? For example, I've seen there is a way to do client
authentication on httpd and then send client certificate details to the
Wildfly thorugh AJP protocol, but how to map this data to the user then?
Or should I somehow configure Keycloak for this?
Maybe configure the proxy to be KC's client and do the authentication
somehow?
Many thanks,
Nikola
5 years, 4 months
Fw: SSO saml and jwt client
by Satrasala, Mahendra
I can SSO across different JWT clients but if I try to access a SAML client, I am redirected to the login page even if I have an active session for the user in keycloak after an OIDC authentication.
Is it possible to automatically authenticate the user for the SAML client? Simply put, I am trying to get a SAML assertion on behalf of the user after OIDC authentication.
Thanks in advance!!
5 years, 4 months
Problem using Keycloak behind reverse proxy since 4.5.0.Final
by Munene Kiruja
I have keycloak in a bare metal kubernetes singe nod cluster. Its installed using helm.
For https, we setup a reverse proxy in front of keycloak. First we use nginx with a lua extension for oidc, and moved on to envoy proxy. Results are the same - works until 4.4.0.Final. Everything is working well as long as we use keycloak versions up to 4.4.0.
>From 4.5.0 and up, access https<server_ip:port>/auth/admin redirects to http and fails.
I have spent much time going over the reverse proxy setup in the documentation (which seems to have nothing new lately that should justify any changes since 4.4.0) and not made any progress.
Can any one shed light on this darkness for us?
5 years, 4 months
Unable to query currently set bindCredentials for LDAP
by Dockendorf, Trey
I am using Puppet to automate the configuration of my Keycloak server and one thing I automate is the addition of LDAP authentication backends. I have discovered that bindCredential comes back as "**********" [1] which prevents Puppet from knowing if the value is set correctly. Is there a way to have Keycloak return the actual value that’s stored in the database? I have found where in the database this is stored but I’d rather not have to resort to direct database queries with Puppet as that would severely limit the database backends I can support.
If there is no way to expose actual bindCredential value, is there a way to test that the currently set bind credentials actually work? I have noticed that something like testLDAPConnection has to be provided the bind credentials rather than reading them from the realm’s configured LDAP.
Thanks,
- Trey
[1]
$ /opt/keycloak/bin/kcadm.sh get components/OSC-LDAP-osc -r osc --no-config --server http://localhost:8080/auth --realm master --user admin --password <OMIT> | jq .config.bindCredential
Logging into http://localhost:8080/auth as user admin of realm master
[
"**********"
]
--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center
5 years, 4 months
Security context not propagated to EJB Tier
by Manuel Waltschek
Hello,
I know this has already been asked and the documentation of keycloak also has a short entry on this topic:
"To propagate the security context to the EJB tier you need to configure it to use the "keycloak" security domain. This can be achieved with the @SecurityDomain annotation:",
which is exactly what I did with all my EJBs. I even made my own quickstart/testproject, since I am trying to secure an EAR-Deployment with EJBs on Wildfly 10 and I just cannot get Keycloak SAML to work properly. I also annotated these beans with @PermitAll.
I am using the wildfly-saml-adapter to authenticate against an external IdP and I have been debugging the adapter to figure out what is happening.
I can see that in org.keycloak.adapters.saml.wildfly.SecurityInfoHelper.propagateSessionInfo(KeycloakAccount) the SubjectInfo is created and the Principal is propagated to org.jboss.security.SecurityContext.
I configured my war in my ear to have a jboss-web.xml which points to "keycloak" security-domain, but it does not make any difference.
I am trying to invoke EJBContext.getCallerPrincipal() in my stateless EJB which always returns a SimplePrincipal with name anonymous. This is only true for my real application. Everything is working as expected in my test application, since I inject the Beans directly in a Servlet Endpoint.
On my real application they are looked up by a jndi lookup on code I have in jar deployments too. Can you please point me to any other ideas on what else I can try to get this working?
Thank you in advance,
Manuel Waltschek
5 years, 4 months
