1 p.m.
I've read through all the documentation I can find online both with the
official documents and everything else I could find and I believe I have
everything setup, with additional logging turned on, but I'm not getting
any type of prompt for a x509 certificate when logging in.
Here is the excerpts from the standalone.xml file where ssl-realm was
added to the management security-realms and under the subsystem.
<management>
<security-realms>
......
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="keycloak.jks"
relative-to="jboss.server.config.dir" keystore-password="mypass"/>
</ssl>
</server-identities>
<authentication>
<truststore path="truststore.jks"
relative-to="jboss.server.config.dir" keystore-password="mypass"/>
</authentication>
</security-realm>
......
<subsystem xmlns="urn:jboss:domain:undertow:7.0"
default-server="default-server" default-virtual-host="default-host"
default-servlet-container="default"
default-security-domain="other">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default1"
socket-binding="http"
redirect-socket="https" enable-http2="true"/>
<https-listener name="default"
socket-binding="https"
security-realm="ssl-realm" verify-client="REQUESTED"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<access-log worker="default"
directory="${jboss.server.log.dir}" prefix="access"
suffix=".log"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
I've setup the Authentication Flows for the Browser to have x509/Validate
Username Form above the new Browser flow and it's required.
Everything is setup per the KeyCloak documentation to include the binding
settings.
The only thing I'm not sure about is if the keycloak.jks and truststore.jks
files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything in
the logs of any relevance when trying to authenticate into the Keycloak
Realm.
Can anyone assist? We are looking to most likely purchase this as a product
through RedHat SSO if it works well to get the support we need, but I've
been hung up on this for a few weeks and I know it shouldn't be this hard.
Thanks,
J
6:41 p.m.
New subject: Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
One possible reason you are not getting prompted is that the intermediate or root certs in
your trust store do not match the intermediate or root certs used to sign the client
certificates registered on your client machine. To troubleshoot the SSL handshake you can
use -Djavax.net.debug, see https://access.redhat.com/solutions/973783 for more info.
________________________________________
From: keycloak-user-bounces(a)lists.jboss.org [keycloak-user-bounces(a)lists.jboss.org] on
behalf of JTK [jonesy(a)sydow.org]
Sent: Thursday, June 27, 2019 2:00 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version
4.8.3.Final
I've read through all the documentation I can find online both with the
official documents and everything else I could find and I believe I have
everything setup, with additional logging turned on, but I'm not getting
any type of prompt for a x509 certificate when logging in.
Here is the excerpts from the standalone.xml file where ssl-realm was
added to the management security-realms and under the subsystem.
<management>
<security-realms>
......
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="keycloak.jks"
relative-to="jboss.server.config.dir" keystore-password="mypass"/>
</ssl>
</server-identities>
<authentication>
<truststore path="truststore.jks"
relative-to="jboss.server.config.dir" keystore-password="mypass"/>
</authentication>
</security-realm>
......
<subsystem xmlns="urn:jboss:domain:undertow:7.0"
default-server="default-server" default-virtual-host="default-host"
default-servlet-container="default"
default-security-domain="other">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default1"
socket-binding="http"
redirect-socket="https" enable-http2="true"/>
<https-listener name="default"
socket-binding="https"
security-realm="ssl-realm" verify-client="REQUESTED"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<access-log worker="default"
directory="${jboss.server.log.dir}" prefix="access"
suffix=".log"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
I've setup the Authentication Flows for the Browser to have x509/Validate
Username Form above the new Browser flow and it's required.
Everything is setup per the KeyCloak documentation to include the binding
settings.
The only thing I'm not sure about is if the keycloak.jks and truststore.jks
files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything in
the logs of any relevance when trying to authenticate into the Keycloak
Realm.
Can anyone assist? We are looking to most likely purchase this as a product
through RedHat SSO if it works well to get the support we need, but I've
been hung up on this for a few weeks and I know it shouldn't be this hard.
Thanks,
J
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:17 a.m.
Thanks, I enabled the debug option for ssl in
../keycloak/bin/standalone.conf
if [ "x$JAVA_OPTS" = "x" ]; then
JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M
-XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
JAVA_OPTS="$JAVA_OPTS
-Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true -Djavax.net.debug=ssl"
I am seeing no errors in the logs related to certificates. I do see the
root CA I'm trying to use along with the intermediate.
I am using a client certificate, but I'm providing it via a card reader on
my computer. So I'm presenting a token on a smart card per say and not a
soft cert loaded on my system.
Would this make a difference? Should I be seeing any sort of error output
in the logs if the certs were loaded wrong or any other JAVA related issue?
I can post the debug output, but it's quite line.
-
Note, we currently use a commercial based IdP which accepts our smart card
with tokens on them, so I assumed Keycloak by default would see a
certificate loaded locally or via the smart card reader.
On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter <pnalyvayko(a)agi.com> wrote:
One possible reason you are not getting prompted is that the
intermediate
or root certs in your trust store do not match the intermediate or root
certs used to sign the client certificates registered on your client
machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug,
see https://access.redhat.com/solutions/973783 for more info.
________________________________________
From: keycloak-user-bounces(a)lists.jboss.org [
keycloak-user-bounces(a)lists.jboss.org] on behalf of JTK [jonesy(a)sydow.org]
Sent: Thursday, June 27, 2019 2:00 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Not being prompted for x509 User Certs on
KeyCloak version 4.8.3.Final
I've read through all the documentation I can find online both with the
official documents and everything else I could find and I believe I have
everything setup, with additional logging turned on, but I'm not getting
any type of prompt for a x509 certificate when logging in.
Here is the excerpts from the standalone.xml file where ssl-realm was
added to the management security-realms and under the subsystem.
<management>
<security-realms>
......
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="keycloak.jks"
relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
</ssl>
</server-identities>
<authentication>
<truststore path="truststore.jks"
relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
</authentication>
</security-realm>
......
<subsystem xmlns="urn:jboss:domain:undertow:7.0"
default-server="default-server" default-virtual-host="default-host"
default-servlet-container="default"
default-security-domain="other">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default1"
socket-binding="http"
redirect-socket="https" enable-http2="true"/>
<https-listener name="default"
socket-binding="https"
security-realm="ssl-realm" verify-client="REQUESTED"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<access-log worker="default"
directory="${jboss.server.log.dir}" prefix="access"
suffix=".log"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
I've setup the Authentication Flows for the Browser to have x509/Validate
Username Form above the new Browser flow and it's required.
Everything is setup per the KeyCloak documentation to include the binding
settings.
The only thing I'm not sure about is if the keycloak.jks and truststore.jks
files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything in
the logs of any relevance when trying to authenticate into the Keycloak
Realm.
Can anyone assist? We are looking to most likely purchase this as a product
through RedHat SSO if it works well to get the support we need, but I've
been hung up on this for a few weeks and I know it shouldn't be this hard.
Thanks,
J
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:32 a.m.
We have successfully tested and deployed the CAC card & X509 auth without any issues.
One suggestion is In the SSL debug output search for a list of CA authorities the KC
server sends back to the client as a part of mutual SSL handshake. For the mutual SSL to
kick in, the client certificates registered on the client machine must be signed by one
of the CAs from that list.
For example, say your trusted store has a CA cert with the Subject: CN=cert_auth
Then you should be prompted to select a cert only if your client cert's issuer (the
cert used to sign the client cert) matches the subject above.
You may also try troubleshooting using "openssl s_client" to avoid digging
through thousands of lines of SSL debug output
I hope it makes sense and helps :)
Cheers
--Peter
________________________________________
From: JTK [jonesy(a)sydow.org]
Sent: Friday, June 28, 2019 9:17 AM
To: Nalyvayko, Peter
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version
4.8.3.Final
Thanks, I enabled the debug option for ssl in ../keycloak/bin/standalone.conf
if [ "x$JAVA_OPTS" = "x" ]; then
JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m
-Djava.net.preferIPv4Stack=true"
JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true -Djavax.net.debug=ssl"
I am seeing no errors in the logs related to certificates. I do see the root CA I'm
trying to use along with the intermediate.
I am using a client certificate, but I'm providing it via a card reader on my
computer. So I'm presenting a token on a smart card per say and not a soft cert loaded
on my system.
Would this make a difference? Should I be seeing any sort of error output in the logs if
the certs were loaded wrong or any other JAVA related issue?
I can post the debug output, but it's quite line.
-
Note, we currently use a commercial based IdP which accepts our smart card with tokens on
them, so I assumed Keycloak by default would see a certificate loaded locally or via the
smart card reader.
On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter
<pnalyvayko@agi.com<mailto:pnalyvayko@agi.com>> wrote:
One possible reason you are not getting prompted is that the intermediate or root certs in
your trust store do not match the intermediate or root certs used to sign the client
certificates registered on your client machine. To troubleshoot the SSL handshake you can
use -Djavax.net.debug, see https://access.redhat.com/solutions/973783 for more info.
________________________________________
From:
keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>
[keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>]
on behalf of JTK [jonesy@sydow.org<mailto:jonesy@sydow.org>]
Sent: Thursday, June 27, 2019 2:00 PM
To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version
4.8.3.Final
I've read through all the documentation I can find online both with the
official documents and everything else I could find and I believe I have
everything setup, with additional logging turned on, but I'm not getting
any type of prompt for a x509 certificate when logging in.
Here is the excerpts from the standalone.xml file where ssl-realm was
added to the management security-realms and under the subsystem.
<management>
<security-realms>
......
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="keycloak.jks"
relative-to="jboss.server.config.dir" keystore-password="mypass"/>
</ssl>
</server-identities>
<authentication>
<truststore path="truststore.jks"
relative-to="jboss.server.config.dir" keystore-password="mypass"/>
</authentication>
</security-realm>
......
<subsystem xmlns="urn:jboss:domain:undertow:7.0"
default-server="default-server" default-virtual-host="default-host"
default-servlet-container="default"
default-security-domain="other">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default1"
socket-binding="http"
redirect-socket="https" enable-http2="true"/>
<https-listener name="default"
socket-binding="https"
security-realm="ssl-realm" verify-client="REQUESTED"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<access-log worker="default"
directory="${jboss.server.log.dir}" prefix="access"
suffix=".log"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
I've setup the Authentication Flows for the Browser to have x509/Validate
Username Form above the new Browser flow and it's required.
Everything is setup per the KeyCloak documentation to include the binding
settings.
The only thing I'm not sure about is if the keycloak.jks and truststore.jks
files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything in
the logs of any relevance when trying to authenticate into the Keycloak
Realm.
Can anyone assist? We are looking to most likely purchase this as a product
through RedHat SSO if it works well to get the support we need, but I've
been hung up on this for a few weeks and I know it shouldn't be this hard.
Thanks,
J
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:13 a.m.
I'll look into it. I'm sure it's something simple, but it's just not
clicking. As of now I'm only testing my CAC and so there is a Root CA along
with an intermediate CA which I have loaded into Keycloak.
This is the steps I used:
keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer
keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks -file
Email-CA-1.cer
...
Just for clarity and sanity check, with our current IdP, we only need to
load the public certs (Root/Intermediate) and as long as they are loaded,
any user certificate that is presented would be trusted if the chain is
loaded for that user certificate. We do not have access to the private keys
for the certificates loaded to the keystore.jks - I just want to make sure
that's not the issue.
At this point in time, I'd love to see ERROR in the server.log file, but I
just get INFO.
tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR"
The output of the above command has no output.
This is some of the output:
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** Finished
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) verify_data: { 99,
40, 129, 188, 202, 118, 214, 208, 192, 179, 230, 8 }
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) ***
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) update handshake
state: finished[20]
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) [write] MD5 and SHA1
hashes: len = 16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C 63
28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) Padded plaintext
before ENCRYPTION: len = 16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C 63
28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) default I/O-3,
WRITE: TLSv1.2 Handshake, length = 40
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) %% Cached server
session: [Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384]
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length
= 6
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 14 03 03 00 01
01 ......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length
= 45
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 16 03 03 00 28
00 00 00 00 00 00 00 00 73 16 4F ....(........s.O
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0010: C2 AA 1E 08 25
E9 36 15 77 D5 D4 18 E0 F8 BE BE ....%.6.w.......
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0020: 24 8A F4 7F 33
D2 CA D3 C5 FA A5 05 54 $...3.......T
etc
Here is the output of keystore.jks
keytool -list -v -keystore keycloak.jks | grep DoD
Enter keystore password: password
Owner: CN=Root CA, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Sows the Root CA and the Intermediate CA (CA-1)
On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter <pnalyvayko(a)agi.com> wrote:
We have successfully tested and deployed the CAC card & X509 auth
without
any issues. One suggestion is In the SSL debug output search for a list of
CA authorities the KC server sends back to the client as a part of mutual
SSL handshake. For the mutual SSL to kick in, the client certificates
registered on the client machine must be signed by one of the CAs from
that list.
For example, say your trusted store has a CA cert with the Subject:
CN=cert_auth
Then you should be prompted to select a cert only if your client cert's
issuer (the cert used to sign the client cert) matches the subject above.
You may also try troubleshooting using "openssl s_client" to avoid
digging through thousands of lines of SSL debug output
I hope it makes sense and helps :)
Cheers
--Peter
________________________________________
From: JTK [jonesy(a)sydow.org]
Sent: Friday, June 28, 2019 9:17 AM
To: Nalyvayko, Peter
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on
KeyCloak version 4.8.3.Final
Thanks, I enabled the debug option for ssl in
../keycloak/bin/standalone.conf
if [ "x$JAVA_OPTS" = "x" ]; then
JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M
-XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
JAVA_OPTS="$JAVA_OPTS
-Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true -Djavax.net.debug=ssl"
I am seeing no errors in the logs related to certificates. I do see the
root CA I'm trying to use along with the intermediate.
I am using a client certificate, but I'm providing it via a card reader on
my computer. So I'm presenting a token on a smart card per say and not a
soft cert loaded on my system.
Would this make a difference? Should I be seeing any sort of error output
in the logs if the certs were loaded wrong or any other JAVA related issue?
I can post the debug output, but it's quite line.
-
Note, we currently use a commercial based IdP which accepts our smart card
with tokens on them, so I assumed Keycloak by default would see a
certificate loaded locally or via the smart card reader.
On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter <pnalyvayko(a)agi.com
<mailto:pnalyvayko@agi.com>> wrote:
One possible reason you are not getting prompted is that the intermediate
or root certs in your trust store do not match the intermediate or root
certs used to sign the client certificates registered on your client
machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug,
see https://access.redhat.com/solutions/973783 for more info.
________________________________________
From: keycloak-user-bounces(a)lists.jboss.org<mailto:
keycloak-user-bounces(a)lists.jboss.org> [
keycloak-user-bounces(a)lists.jboss.org<mailto:
keycloak-user-bounces(a)lists.jboss.org>] on behalf of JTK [jonesy(a)sydow.org
<mailto:jonesy@sydow.org>]
Sent: Thursday, June 27, 2019 2:00 PM
To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: [keycloak-user] Not being prompted for x509 User Certs on
KeyCloak version 4.8.3.Final
I've read through all the documentation I can find online both with the
official documents and everything else I could find and I believe I have
everything setup, with additional logging turned on, but I'm not getting
any type of prompt for a x509 certificate when logging in.
Here is the excerpts from the standalone.xml file where ssl-realm was
added to the management security-realms and under the subsystem.
<management>
<security-realms>
......
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="keycloak.jks"
relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
</ssl>
</server-identities>
<authentication>
<truststore path="truststore.jks"
relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
</authentication>
</security-realm>
......
<subsystem xmlns="urn:jboss:domain:undertow:7.0"
default-server="default-server" default-virtual-host="default-host"
default-servlet-container="default"
default-security-domain="other">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default1"
socket-binding="http"
redirect-socket="https" enable-http2="true"/>
<https-listener name="default"
socket-binding="https"
security-realm="ssl-realm" verify-client="REQUESTED"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<access-log worker="default"
directory="${jboss.server.log.dir}" prefix="access"
suffix=".log"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
I've setup the Authentication Flows for the Browser to have x509/Validate
Username Form above the new Browser flow and it's required.
Everything is setup per the KeyCloak documentation to include the binding
settings.
The only thing I'm not sure about is if the keycloak.jks and truststore.jks
files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything in
the logs of any relevance when trying to authenticate into the Keycloak
Realm.
Can anyone assist? We are looking to most likely purchase this as a product
through RedHat SSO if it works well to get the support we need, but I've
been hung up on this for a few weeks and I know it shouldn't be this hard.
Thanks,
J
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:27 a.m.
Here is the standalone.xml file if anyone can sport or locate any obvious
errors associated with it.
https://zerobin.net/?740f9250fdc1a6f1#9FqhPJx0iNfQshWY8hA2aYdWPhWUEVHW5pe...
Authentication flow:
https://imgur.com/tZYj9N9 (Bindings)
https://imgur.com/3v2HYtW (Flows)
On Fri, Jun 28, 2019 at 9:13 AM JTK <jonesy(a)sydow.org> wrote:
I'll look into it. I'm sure it's something simple, but
it's just not
clicking. As of now I'm only testing my CAC and so there is a Root CA along
with an intermediate CA which I have loaded into Keycloak.
This is the steps I used:
keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer
keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks
-file Email-CA-1.cer
...
Just for clarity and sanity check, with our current IdP, we only need to
load the public certs (Root/Intermediate) and as long as they are loaded,
any user certificate that is presented would be trusted if the chain is
loaded for that user certificate. We do not have access to the private
keys for the certificates loaded to the keystore.jks - I just want to make
sure that's not the issue.
At this point in time, I'd love to see ERROR in the server.log file, but I
just get INFO.
tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR"
The output of the above command has no output.
This is some of the output:
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** Finished
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) verify_data: { 99,
40, 129, 188, 202, 118, 214, 208, 192, 179, 230, 8 }
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) ***
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) update handshake
state: finished[20]
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) [write] MD5 and
SHA1 hashes: len = 16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C
63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) Padded plaintext
before ENCRYPTION: len = 16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C
63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) default I/O-3,
WRITE: TLSv1.2 Handshake, length = 40
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) %% Cached server
session: [Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384]
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length
= 6
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 14 03 03 00
01 01 ......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length
= 45
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 16 03 03 00
28 00 00 00 00 00 00 00 00 73 16 4F ....(........s.O
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0010: C2 AA 1E 08
25 E9 36 15 77 D5 D4 18 E0 F8 BE BE ....%.6.w.......
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0020: 24 8A F4 7F
33 D2 CA D3 C5 FA A5 05 54 $...3.......T
etc
Here is the output of keystore.jks
keytool -list -v -keystore keycloak.jks | grep DoD
Enter keystore password: password
Owner: CN=Root CA, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Sows the Root CA and the Intermediate CA (CA-1)
On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter <pnalyvayko(a)agi.com>
wrote:
> We have successfully tested and deployed the CAC card & X509 auth without
> any issues. One suggestion is In the SSL debug output search for a list of
> CA authorities the KC server sends back to the client as a part of mutual
> SSL handshake. For the mutual SSL to kick in, the client certificates
> registered on the client machine must be signed by one of the CAs from
> that list.
>
> For example, say your trusted store has a CA cert with the Subject:
> CN=cert_auth
>
> Then you should be prompted to select a cert only if your client cert's
> issuer (the cert used to sign the client cert) matches the subject above.
>
> You may also try troubleshooting using "openssl s_client" to avoid
> digging through thousands of lines of SSL debug output
>
> I hope it makes sense and helps :)
>
> Cheers
>
> --Peter
>
> ________________________________________
> From: JTK [jonesy(a)sydow.org]
> Sent: Friday, June 28, 2019 9:17 AM
> To: Nalyvayko, Peter
> Cc: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on
> KeyCloak version 4.8.3.Final
>
> Thanks, I enabled the debug option for ssl in
> ../keycloak/bin/standalone.conf
> if [ "x$JAVA_OPTS" = "x" ]; then
> JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M
> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
> JAVA_OPTS="$JAVA_OPTS
> -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
> -Djava.awt.headless=true -Djavax.net.debug=ssl"
>
> I am seeing no errors in the logs related to certificates. I do see the
> root CA I'm trying to use along with the intermediate.
> I am using a client certificate, but I'm providing it via a card reader
> on my computer. So I'm presenting a token on a smart card per say and not a
> soft cert loaded on my system.
> Would this make a difference? Should I be seeing any sort of error output
> in the logs if the certs were loaded wrong or any other JAVA related issue?
> I can post the debug output, but it's quite line.
> -
> Note, we currently use a commercial based IdP which accepts our smart
> card with tokens on them, so I assumed Keycloak by default would see a
> certificate loaded locally or via the smart card reader.
>
>
> On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter <pnalyvayko(a)agi.com
> <mailto:pnalyvayko@agi.com>> wrote:
> One possible reason you are not getting prompted is that the intermediate
> or root certs in your trust store do not match the intermediate or root
> certs used to sign the client certificates registered on your client
> machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug,
> see https://access.redhat.com/solutions/973783 for more info.
>
> ________________________________________
> From: keycloak-user-bounces(a)lists.jboss.org<mailto:
> keycloak-user-bounces(a)lists.jboss.org> [
> keycloak-user-bounces(a)lists.jboss.org<mailto:
> keycloak-user-bounces(a)lists.jboss.org>] on behalf of JTK [
> jonesy@sydow.org<mailto:jonesy@sydow.org>]
> Sent: Thursday, June 27, 2019 2:00 PM
> To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
> Subject: [keycloak-user] Not being prompted for x509 User Certs on
> KeyCloak version 4.8.3.Final
>
> I've read through all the documentation I can find online both with the
> official documents and everything else I could find and I believe I have
> everything setup, with additional logging turned on, but I'm not getting
> any type of prompt for a x509 certificate when logging in.
>
> Here is the excerpts from the standalone.xml file where ssl-realm was
> added to the management security-realms and under the subsystem.
>
> <management>
> <security-realms>
> ......
> <security-realm name="ssl-realm">
> <server-identities>
> <ssl>
> <keystore path="keycloak.jks"
> relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
> </ssl>
> </server-identities>
> <authentication>
> <truststore path="truststore.jks"
> relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
> </authentication>
> </security-realm>
> ......
>
> <subsystem xmlns="urn:jboss:domain:undertow:7.0"
> default-server="default-server"
default-virtual-host="default-host"
> default-servlet-container="default"
default-security-domain="other">
> <buffer-cache name="default"/>
> <server name="default-server">
> <http-listener name="default1"
socket-binding="http"
> redirect-socket="https" enable-http2="true"/>
> <https-listener name="default"
socket-binding="https"
> security-realm="ssl-realm" verify-client="REQUESTED"/>
> <host name="default-host"
alias="localhost">
> <location name="/"
handler="welcome-content"/>
> <access-log worker="default"
> directory="${jboss.server.log.dir}" prefix="access"
suffix=".log"/>
> <http-invoker
security-realm="ApplicationRealm"/>
> </host>
>
> I've setup the Authentication Flows for the Browser to have x509/Validate
> Username Form above the new Browser flow and it's required.
> Everything is setup per the KeyCloak documentation to include the binding
> settings.
>
> The only thing I'm not sure about is if the keycloak.jks and
> truststore.jks
> files are the issue.
> I have enabled extra logging as best I know, but I'm not seeing anything
> in
> the logs of any relevance when trying to authenticate into the Keycloak
> Realm.
>
> Can anyone assist? We are looking to most likely purchase this as a
> product
> through RedHat SSO if it works well to get the support we need, but I've
> been hung up on this for a few weeks and I know it shouldn't be this hard.
>
> Thanks,
> J
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
10:57 a.m.
Run the command "openssl s_client -connect <host>:<port>" where host
and port are the Keycloak's host and the port number (e.g. login.mycompany.com:443)
and verify that the list of certificates listed under "Acceptable CA client
certificate names" is not empty and that the CA names match the client cert's
issuer
________________________________________
From: JTK [jonesy(a)sydow.org]
Sent: Friday, June 28, 2019 11:27 AM
To: Nalyvayko, Peter
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version
4.8.3.Final
Here is the standalone.xml file if anyone can sport or locate any obvious errors
associated with it.
https://zerobin.net/?740f9250fdc1a6f1#9FqhPJx0iNfQshWY8hA2aYdWPhWUEVHW5pe...
Authentication flow:
https://imgur.com/tZYj9N9 (Bindings)
https://imgur.com/3v2HYtW (Flows)
On Fri, Jun 28, 2019 at 9:13 AM JTK
<jonesy@sydow.org<mailto:jonesy@sydow.org>> wrote:
I'll look into it. I'm sure it's something simple, but it's just not
clicking. As of now I'm only testing my CAC and so there is a Root CA along with an
intermediate CA which I have loaded into Keycloak.
This is the steps I used:
keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer
keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks -file
Email-CA-1.cer
...
Just for clarity and sanity check, with our current IdP, we only need to load the public
certs (Root/Intermediate) and as long as they are loaded, any user certificate that is
presented would be trusted if the chain is loaded for that user certificate. We do not
have access to the private keys for the certificates loaded to the keystore.jks - I just
want to make sure that's not the issue.
At this point in time, I'd love to see ERROR in the server.log file, but I just get
INFO.
tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR"
The output of the above command has no output.
This is some of the output:
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** Finished
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) verify_data: { 99, 40, 129, 188,
202, 118, 214, 208, 192, 179, 230, 8 }
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) ***
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) update handshake state:
finished[20]
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) [write] MD5 and SHA1 hashes: len =
16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC CA
76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) Padded plaintext before ENCRYPTION:
len = 16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC CA
76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) default I/O-3, WRITE: TLSv1.2
Handshake, length = 40
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) %% Cached server session:
[Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384]
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length = 6
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 14 03 03 00 01 01
......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length = 45
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 16 03 03 00 28 00 00 00 00
00 00 00 00 73 16 4F ....(........s.O
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0010: C2 AA 1E 08 25 E9 36 15 77
D5 D4 18 E0 F8 BE BE ....%.6.w.......
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0020: 24 8A F4 7F 33 D2 CA D3 C5
FA A5 05 54 $...3.......T
etc
Here is the output of keystore.jks
keytool -list -v -keystore keycloak.jks | grep DoD
Enter keystore password: password
Owner: CN=Root CA, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Sows the Root CA and the Intermediate CA (CA-1)
On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter
<pnalyvayko@agi.com<mailto:pnalyvayko@agi.com>> wrote:
We have successfully tested and deployed the CAC card & X509 auth without any issues.
One suggestion is In the SSL debug output search for a list of CA authorities the KC
server sends back to the client as a part of mutual SSL handshake. For the mutual SSL to
kick in, the client certificates registered on the client machine must be signed by one
of the CAs from that list.
For example, say your trusted store has a CA cert with the Subject: CN=cert_auth
Then you should be prompted to select a cert only if your client cert's issuer (the
cert used to sign the client cert) matches the subject above.
You may also try troubleshooting using "openssl s_client" to avoid digging
through thousands of lines of SSL debug output
I hope it makes sense and helps :)
Cheers
--Peter
________________________________________
From: JTK [jonesy@sydow.org<mailto:jonesy@sydow.org>]
Sent: Friday, June 28, 2019 9:17 AM
To: Nalyvayko, Peter
Cc: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version
4.8.3.Final
Thanks, I enabled the debug option for ssl in ../keycloak/bin/standalone.conf
if [ "x$JAVA_OPTS" = "x" ]; then
JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m
-Djava.net.preferIPv4Stack=true"
JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true -Djavax.net.debug=ssl"
I am seeing no errors in the logs related to certificates. I do see the root CA I'm
trying to use along with the intermediate.
I am using a client certificate, but I'm providing it via a card reader on my
computer. So I'm presenting a token on a smart card per say and not a soft cert loaded
on my system.
Would this make a difference? Should I be seeing any sort of error output in the logs if
the certs were loaded wrong or any other JAVA related issue?
I can post the debug output, but it's quite line.
-
Note, we currently use a commercial based IdP which accepts our smart card with tokens on
them, so I assumed Keycloak by default would see a certificate loaded locally or via the
smart card reader.
On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter
<pnalyvayko@agi.com<mailto:pnalyvayko@agi.com><mailto:pnalyvayko@agi.com<mailto:pnalyvayko@agi.com>>>
wrote:
One possible reason you are not getting prompted is that the intermediate or root certs in
your trust store do not match the intermediate or root certs used to sign the client
certificates registered on your client machine. To troubleshoot the SSL handshake you can
use -Djavax.net.debug, see https://access.redhat.com/solutions/973783 for more info.
________________________________________
From:
keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org><mailto:keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>>
[keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org><mailto:keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>>]
on behalf of JTK
[jonesy@sydow.org<mailto:jonesy@sydow.org><mailto:jonesy@sydow.org<mailto:jonesy@sydow.org>>]
Sent: Thursday, June 27, 2019 2:00 PM
To:
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org><mailto:keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version
4.8.3.Final
I've read through all the documentation I can find online both with the
official documents and everything else I could find and I believe I have
everything setup, with additional logging turned on, but I'm not getting
any type of prompt for a x509 certificate when logging in.
Here is the excerpts from the standalone.xml file where ssl-realm was
added to the management security-realms and under the subsystem.
<management>
<security-realms>
......
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="keycloak.jks"
relative-to="jboss.server.config.dir" keystore-password="mypass"/>
</ssl>
</server-identities>
<authentication>
<truststore path="truststore.jks"
relative-to="jboss.server.config.dir" keystore-password="mypass"/>
</authentication>
</security-realm>
......
<subsystem xmlns="urn:jboss:domain:undertow:7.0"
default-server="default-server" default-virtual-host="default-host"
default-servlet-container="default"
default-security-domain="other">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default1"
socket-binding="http"
redirect-socket="https" enable-http2="true"/>
<https-listener name="default"
socket-binding="https"
security-realm="ssl-realm" verify-client="REQUESTED"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<access-log worker="default"
directory="${jboss.server.log.dir}" prefix="access"
suffix=".log"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
I've setup the Authentication Flows for the Browser to have x509/Validate
Username Form above the new Browser flow and it's required.
Everything is setup per the KeyCloak documentation to include the binding
settings.
The only thing I'm not sure about is if the keycloak.jks and truststore.jks
files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything in
the logs of any relevance when trying to authenticate into the Keycloak
Realm.
Can anyone assist? We are looking to most likely purchase this as a product
through RedHat SSO if it works well to get the support we need, but I've
been hung up on this for a few weeks and I know it shouldn't be this hard.
Thanks,
J
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org><mailto:keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:41 a.m.
Obviously the certs are not loaded on the ELB as I need them.
openssl s_client -servername keycloak.domainhere.net -connect
keycloak.domainhere.net:8443 <http://keycloak.dev.domainhere.net:8443>
2>/dev/null | egrep "subject=|issuer=|notAfter="
subject=CN = keycloak.domainhere.net <http://keycloak.dev.domainhere.net>
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
I'm waiting on feedback from our internal team to find out when they can
load the Root CA/Intermediate certs on the proxy. It might not be until
next week, but I will update when I get a chance.
Thanks!
On Fri, Jun 28, 2019 at 10:57 AM Nalyvayko, Peter <pnalyvayko(a)agi.com>
wrote:
Run the command "openssl s_client -connect
<host>:<port>" where host and
port are the Keycloak's host and the port number (e.g.
login.mycompany.com:443) and verify that the list of certificates listed
under "Acceptable CA client certificate names" is not empty and that the CA
names match the client cert's issuer
________________________________________
From: JTK [jonesy(a)sydow.org]
Sent: Friday, June 28, 2019 11:27 AM
To: Nalyvayko, Peter
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on
KeyCloak version 4.8.3.Final
Here is the standalone.xml file if anyone can sport or locate any obvious
errors associated with it.
https://zerobin.net/?740f9250fdc1a6f1#9FqhPJx0iNfQshWY8hA2aYdWPhWUEVHW5pe...
Authentication flow:
https://imgur.com/tZYj9N9 (Bindings)
https://imgur.com/3v2HYtW (Flows)
On Fri, Jun 28, 2019 at 9:13 AM JTK <jonesy(a)sydow.org<mailto:
jonesy(a)sydow.org>> wrote:
I'll look into it. I'm sure it's something simple, but it's just not
clicking. As of now I'm only testing my CAC and so there is a Root CA along
with an intermediate CA which I have loaded into Keycloak.
This is the steps I used:
keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer
keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks
-file Email-CA-1.cer
...
Just for clarity and sanity check, with our current IdP, we only need to
load the public certs (Root/Intermediate) and as long as they are loaded,
any user certificate that is presented would be trusted if the chain is
loaded for that user certificate. We do not have access to the private keys
for the certificates loaded to the keystore.jks - I just want to make sure
that's not the issue.
At this point in time, I'd love to see ERROR in the server.log file, but I
just get INFO.
tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR"
The output of the above command has no output.
This is some of the output:
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** Finished
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) verify_data: { 99,
40, 129, 188, 202, 118, 214, 208, 192, 179, 230, 8 }
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) ***
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) update handshake
state: finished[20]
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) [write] MD5 and
SHA1 hashes: len = 16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C
63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) Padded plaintext
before ENCRYPTION: len = 16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C
63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) default I/O-3,
WRITE: TLSv1.2 Handshake, length = 40
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) %% Cached server
session: [Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384]
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length
= 6
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 14 03 03 00
01 01 ......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length
= 45
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 16 03 03 00
28 00 00 00 00 00 00 00 00 73 16 4F ....(........s.O
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0010: C2 AA 1E 08
25 E9 36 15 77 D5 D4 18 E0 F8 BE BE ....%.6.w.......
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0020: 24 8A F4 7F
33 D2 CA D3 C5 FA A5 05 54 $...3.......T
etc
Here is the output of keystore.jks
keytool -list -v -keystore keycloak.jks | grep DoD
Enter keystore password: password
Owner: CN=Root CA, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Sows the Root CA and the Intermediate CA (CA-1)
On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter <pnalyvayko(a)agi.com
<mailto:pnalyvayko@agi.com>> wrote:
We have successfully tested and deployed the CAC card & X509 auth without
any issues. One suggestion is In the SSL debug output search for a list of
CA authorities the KC server sends back to the client as a part of mutual
SSL handshake. For the mutual SSL to kick in, the client certificates
registered on the client machine must be signed by one of the CAs from
that list.
For example, say your trusted store has a CA cert with the Subject:
CN=cert_auth
Then you should be prompted to select a cert only if your client cert's
issuer (the cert used to sign the client cert) matches the subject above.
You may also try troubleshooting using "openssl s_client" to avoid
digging through thousands of lines of SSL debug output
I hope it makes sense and helps :)
Cheers
--Peter
________________________________________
From: JTK [jonesy@sydow.org<mailto:jonesy@sydow.org>]
Sent: Friday, June 28, 2019 9:17 AM
To: Nalyvayko, Peter
Cc: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on
KeyCloak version 4.8.3.Final
Thanks, I enabled the debug option for ssl in
../keycloak/bin/standalone.conf
if [ "x$JAVA_OPTS" = "x" ]; then
JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M
-XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
JAVA_OPTS="$JAVA_OPTS
-Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true -Djavax.net.debug=ssl"
I am seeing no errors in the logs related to certificates. I do see the
root CA I'm trying to use along with the intermediate.
I am using a client certificate, but I'm providing it via a card reader on
my computer. So I'm presenting a token on a smart card per say and not a
soft cert loaded on my system.
Would this make a difference? Should I be seeing any sort of error output
in the logs if the certs were loaded wrong or any other JAVA related issue?
I can post the debug output, but it's quite line.
-
Note, we currently use a commercial based IdP which accepts our smart card
with tokens on them, so I assumed Keycloak by default would see a
certificate loaded locally or via the smart card reader.
On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter <pnalyvayko(a)agi.com
<mailto:pnalyvayko@agi.com><mailto:pnalyvayko@agi.com<mailto:
pnalyvayko(a)agi.com>>> wrote:
One possible reason you are not getting prompted is that the intermediate
or root certs in your trust store do not match the intermediate or root
certs used to sign the client certificates registered on your client
machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug,
see https://access.redhat.com/solutions/973783 for more info.
________________________________________
From: keycloak-user-bounces(a)lists.jboss.org<mailto:
keycloak-user-bounces(a)lists.jboss.org><mailto:
keycloak-user-bounces(a)lists.jboss.org<mailto:
keycloak-user-bounces(a)lists.jboss.org>> [
keycloak-user-bounces(a)lists.jboss.org<mailto:
keycloak-user-bounces(a)lists.jboss.org><mailto:
keycloak-user-bounces(a)lists.jboss.org<mailto:
keycloak-user-bounces(a)lists.jboss.org>>] on behalf of JTK [
jonesy@sydow.org<mailto:jonesy@sydow.org><mailto:jonesy@sydow.org<mailto:
jonesy(a)sydow.org>>]
Sent: Thursday, June 27, 2019 2:00 PM
To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org
><mailto:keycloak-user@lists.jboss.org<mailto:
keycloak-user(a)lists.jboss.org>>
Subject: [keycloak-user] Not being prompted for x509 User Certs on
KeyCloak version 4.8.3.Final
I've read through all the documentation I can find online both with the
official documents and everything else I could find and I believe I have
everything setup, with additional logging turned on, but I'm not getting
any type of prompt for a x509 certificate when logging in.
Here is the excerpts from the standalone.xml file where ssl-realm was
added to the management security-realms and under the subsystem.
<management>
<security-realms>
......
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="keycloak.jks"
relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
</ssl>
</server-identities>
<authentication>
<truststore path="truststore.jks"
relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
</authentication>
</security-realm>
......
<subsystem xmlns="urn:jboss:domain:undertow:7.0"
default-server="default-server" default-virtual-host="default-host"
default-servlet-container="default"
default-security-domain="other">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default1"
socket-binding="http"
redirect-socket="https" enable-http2="true"/>
<https-listener name="default"
socket-binding="https"
security-realm="ssl-realm" verify-client="REQUESTED"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<access-log worker="default"
directory="${jboss.server.log.dir}" prefix="access"
suffix=".log"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
I've setup the Authentication Flows for the Browser to have x509/Validate
Username Form above the new Browser flow and it's required.
Everything is setup per the KeyCloak documentation to include the binding
settings.
The only thing I'm not sure about is if the keycloak.jks and truststore.jks
files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything in
the logs of any relevance when trying to authenticate into the Keycloak
Realm.
Can anyone assist? We are looking to most likely purchase this as a product
through RedHat SSO if it works well to get the support we need, but I've
been hung up on this for a few weeks and I know it shouldn't be this hard.
Thanks,
J
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org
><mailto:keycloak-user@lists.jboss.org<mailto:
keycloak-user(a)lists.jboss.org>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:39 a.m.
Just now getting back to this due to the holiday week, but I don't believe
we need the chain loaded on the ELB on the smart card, as it's a
pass-through and the certs in question that are on the smart card are
loaded into the KeyCloak keystore, and once a user launches the KeyCloak
interface it should reference the internal KeyCloak keystore to verify the
chain. I would only need the certs on the ELB if we were requiring user
certs prior to the KeyCloak website, which we aren't.
It looks like I'm back to square one. Thoughts?
On Fri, Jun 28, 2019 at 11:41 AM JTK <jonesy(a)sydow.org> wrote:
Obviously the certs are not loaded on the ELB as I need them.
openssl s_client -servername keycloak.domainhere.net -connect
keycloak.domainhere.net:8443 <http://keycloak.dev.domainhere.net:8443>
2>/dev/null | egrep "subject=|issuer=|notAfter="
subject=CN = keycloak.domainhere.net <http://keycloak.dev.domainhere.net>
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
I'm waiting on feedback from our internal team to find out when they can
load the Root CA/Intermediate certs on the proxy. It might not be until
next week, but I will update when I get a chance.
Thanks!
On Fri, Jun 28, 2019 at 10:57 AM Nalyvayko, Peter <pnalyvayko(a)agi.com>
wrote:
> Run the command "openssl s_client -connect <host>:<port>" where
host and
> port are the Keycloak's host and the port number (e.g.
> login.mycompany.com:443) and verify that the list of certificates
> listed under "Acceptable CA client certificate names" is not empty and
that
> the CA names match the client cert's issuer
>
>
> ________________________________________
> From: JTK [jonesy(a)sydow.org]
> Sent: Friday, June 28, 2019 11:27 AM
> To: Nalyvayko, Peter
> Cc: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on
> KeyCloak version 4.8.3.Final
>
> Here is the standalone.xml file if anyone can sport or locate any obvious
> errors associated with it.
>
> https://zerobin.net/?740f9250fdc1a6f1#9FqhPJx0iNfQshWY8hA2aYdWPhWUEVHW5pe...
>
> Authentication flow:
> https://imgur.com/tZYj9N9 (Bindings)
> https://imgur.com/3v2HYtW (Flows)
>
> On Fri, Jun 28, 2019 at 9:13 AM JTK <jonesy(a)sydow.org<mailto:
> jonesy(a)sydow.org>> wrote:
> I'll look into it. I'm sure it's something simple, but it's just not
> clicking. As of now I'm only testing my CAC and so there is a Root CA along
> with an intermediate CA which I have loaded into Keycloak.
> This is the steps I used:
>
> keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer
>
> keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks
> -file Email-CA-1.cer
>
> ...
>
> Just for clarity and sanity check, with our current IdP, we only need to
> load the public certs (Root/Intermediate) and as long as they are loaded,
> any user certificate that is presented would be trusted if the chain is
> loaded for that user certificate. We do not have access to the private keys
> for the certificates loaded to the keystore.jks - I just want to make sure
> that's not the issue.
>
>
> At this point in time, I'd love to see ERROR in the server.log file, but
> I just get INFO.
>
> tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR"
>
> The output of the above command has no output.
>
>
> This is some of the output:
>
> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** Finished
> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) verify_data: {
> 99, 40, 129, 188, 202, 118, 214, 208, 192, 179, 230, 8 }
> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) ***
> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) update handshake
> state: finished[20]
> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) [write] MD5 and
> SHA1 hashes: len = 16
> 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C
> 63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
> 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) Padded plaintext
> before ENCRYPTION: len = 16
> 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C
> 63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) default I/O-3,
> WRITE: TLSv1.2 Handshake, length = 40
> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) %% Cached server
> session: [Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384]
> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]:
> length = 6
> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 14 03 03 00
> 01 01 ......
> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]:
> length = 45
> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 16 03 03 00
> 28 00 00 00 00 00 00 00 00 73 16 4F ....(........s.O
> 2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0010: C2 AA 1E 08
> 25 E9 36 15 77 D5 D4 18 E0 F8 BE BE ....%.6.w.......
> 2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0020: 24 8A F4 7F
> 33 D2 CA D3 C5 FA A5 05 54 $...3.......T
>
> etc
>
>
> Here is the output of keystore.jks
>
> keytool -list -v -keystore keycloak.jks | grep DoD
> Enter keystore password: password
> Owner: CN=Root CA, OU=PKI, O=Company, C=US
> Issuer: CN=Root CA, OU=PKI, O=Company, C=US
> Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US
> Issuer: CN=Root CA, OU=PKI, O=Company, C=US
>
>
> Sows the Root CA and the Intermediate CA (CA-1)
>
>
> On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter <pnalyvayko(a)agi.com
> <mailto:pnalyvayko@agi.com>> wrote:
> We have successfully tested and deployed the CAC card & X509 auth without
> any issues. One suggestion is In the SSL debug output search for a list of
> CA authorities the KC server sends back to the client as a part of mutual
> SSL handshake. For the mutual SSL to kick in, the client certificates
> registered on the client machine must be signed by one of the CAs from
> that list.
>
> For example, say your trusted store has a CA cert with the Subject:
> CN=cert_auth
>
> Then you should be prompted to select a cert only if your client cert's
> issuer (the cert used to sign the client cert) matches the subject above.
>
> You may also try troubleshooting using "openssl s_client" to avoid
> digging through thousands of lines of SSL debug output
>
> I hope it makes sense and helps :)
>
> Cheers
>
> --Peter
>
> ________________________________________
> From: JTK [jonesy@sydow.org<mailto:jonesy@sydow.org>]
> Sent: Friday, June 28, 2019 9:17 AM
> To: Nalyvayko, Peter
> Cc: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
> Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on
> KeyCloak version 4.8.3.Final
>
> Thanks, I enabled the debug option for ssl in
> ../keycloak/bin/standalone.conf
> if [ "x$JAVA_OPTS" = "x" ]; then
> JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M
> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
> JAVA_OPTS="$JAVA_OPTS
> -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
> -Djava.awt.headless=true -Djavax.net.debug=ssl"
>
> I am seeing no errors in the logs related to certificates. I do see the
> root CA I'm trying to use along with the intermediate.
> I am using a client certificate, but I'm providing it via a card reader
> on my computer. So I'm presenting a token on a smart card per say and not a
> soft cert loaded on my system.
> Would this make a difference? Should I be seeing any sort of error output
> in the logs if the certs were loaded wrong or any other JAVA related issue?
> I can post the debug output, but it's quite line.
> -
> Note, we currently use a commercial based IdP which accepts our smart
> card with tokens on them, so I assumed Keycloak by default would see a
> certificate loaded locally or via the smart card reader.
>
>
> On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter <pnalyvayko(a)agi.com
> <mailto:pnalyvayko@agi.com><mailto:pnalyvayko@agi.com<mailto:
> pnalyvayko(a)agi.com>>> wrote:
> One possible reason you are not getting prompted is that the intermediate
> or root certs in your trust store do not match the intermediate or root
> certs used to sign the client certificates registered on your client
> machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug,
> see https://access.redhat.com/solutions/973783 for more info.
>
> ________________________________________
> From: keycloak-user-bounces(a)lists.jboss.org<mailto:
> keycloak-user-bounces(a)lists.jboss.org><mailto:
> keycloak-user-bounces(a)lists.jboss.org<mailto:
> keycloak-user-bounces(a)lists.jboss.org>> [
> keycloak-user-bounces(a)lists.jboss.org<mailto:
> keycloak-user-bounces(a)lists.jboss.org><mailto:
> keycloak-user-bounces(a)lists.jboss.org<mailto:
> keycloak-user-bounces(a)lists.jboss.org>>] on behalf of JTK [
>
jonesy@sydow.org<mailto:jonesy@sydow.org><mailto:jonesy@sydow.org<mailto:
> jonesy(a)sydow.org>>]
> Sent: Thursday, June 27, 2019 2:00 PM
> To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org
> ><mailto:keycloak-user@lists.jboss.org<mailto:
> keycloak-user(a)lists.jboss.org>>
> Subject: [keycloak-user] Not being prompted for x509 User Certs on
> KeyCloak version 4.8.3.Final
>
> I've read through all the documentation I can find online both with the
> official documents and everything else I could find and I believe I have
> everything setup, with additional logging turned on, but I'm not getting
> any type of prompt for a x509 certificate when logging in.
>
> Here is the excerpts from the standalone.xml file where ssl-realm was
> added to the management security-realms and under the subsystem.
>
> <management>
> <security-realms>
> ......
> <security-realm name="ssl-realm">
> <server-identities>
> <ssl>
> <keystore path="keycloak.jks"
> relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
> </ssl>
> </server-identities>
> <authentication>
> <truststore path="truststore.jks"
> relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
> </authentication>
> </security-realm>
> ......
>
> <subsystem xmlns="urn:jboss:domain:undertow:7.0"
> default-server="default-server"
default-virtual-host="default-host"
> default-servlet-container="default"
default-security-domain="other">
> <buffer-cache name="default"/>
> <server name="default-server">
> <http-listener name="default1"
socket-binding="http"
> redirect-socket="https" enable-http2="true"/>
> <https-listener name="default"
socket-binding="https"
> security-realm="ssl-realm" verify-client="REQUESTED"/>
> <host name="default-host"
alias="localhost">
> <location name="/"
handler="welcome-content"/>
> <access-log worker="default"
> directory="${jboss.server.log.dir}" prefix="access"
suffix=".log"/>
> <http-invoker
security-realm="ApplicationRealm"/>
> </host>
>
> I've setup the Authentication Flows for the Browser to have x509/Validate
> Username Form above the new Browser flow and it's required.
> Everything is setup per the KeyCloak documentation to include the binding
> settings.
>
> The only thing I'm not sure about is if the keycloak.jks and
> truststore.jks
> files are the issue.
> I have enabled extra logging as best I know, but I'm not seeing anything
> in
> the logs of any relevance when trying to authenticate into the Keycloak
> Realm.
>
> Can anyone assist? We are looking to most likely purchase this as a
> product
> through RedHat SSO if it works well to get the support we need, but I've
> been hung up on this for a few weeks and I know it shouldn't be this hard.
>
> Thanks,
> J
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org
> ><mailto:keycloak-user@lists.jboss.org<mailto:
> keycloak-user(a)lists.jboss.org>>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
11:02 a.m.
Can you confirm that the SSL termination is handled by individual Keycloak instances?
From: JTK <jonesy(a)sydow.org>
Sent: Friday, July 5, 2019 8:40 AM
To: Nalyvayko, Peter <pnalyvayko(a)agi.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version
4.8.3.Final
Just now getting back to this due to the holiday week, but I don't believe we need the
chain loaded on the ELB on the smart card, as it's a pass-through and the certs in
question that are on the smart card are loaded into the KeyCloak keystore, and once a user
launches the KeyCloak interface it should reference the internal KeyCloak keystore to
verify the chain. I would only need the certs on the ELB if we were requiring user certs
prior to the KeyCloak website, which we aren't.
It looks like I'm back to square one. Thoughts?
On Fri, Jun 28, 2019 at 11:41 AM JTK
<jonesy@sydow.org<mailto:jonesy@sydow.org>> wrote:
Obviously the certs are not loaded on the ELB as I need them.
openssl s_client -servername keycloak.domainhere.net<http://keycloak.domainhere.net>
-connect keycloak.domainhere.net:8443<http://keycloak.dev.domainhere.net:8443>
2>/dev/null | egrep "subject=|issuer=|notAfter="
subject=CN = keycloak.domainhere.net<http://keycloak.dev.domainhere.net>
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
I'm waiting on feedback from our internal team to find out when they can load the Root
CA/Intermediate certs on the proxy. It might not be until next week, but I will update
when I get a chance.
Thanks!
On Fri, Jun 28, 2019 at 10:57 AM Nalyvayko, Peter
<pnalyvayko@agi.com<mailto:pnalyvayko@agi.com>> wrote:
Run the command "openssl s_client -connect <host>:<port>" where host
and port are the Keycloak's host and the port number (e.g.
login.mycompany.com:443<http://login.mycompany.com:443>) and verify that the list of
certificates listed under "Acceptable CA client certificate names" is not empty
and that the CA names match the client cert's issuer
________________________________________
From: JTK [jonesy@sydow.org<mailto:jonesy@sydow.org>]
Sent: Friday, June 28, 2019 11:27 AM
To: Nalyvayko, Peter
Cc: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version
4.8.3.Final
Here is the standalone.xml file if anyone can sport or locate any obvious errors
associated with it.
https://zerobin.net/?740f9250fdc1a6f1#9FqhPJx0iNfQshWY8hA2aYdWPhWUEVHW5pe...
Authentication flow:
https://imgur.com/tZYj9N9 (Bindings)
https://imgur.com/3v2HYtW (Flows)
On Fri, Jun 28, 2019 at 9:13 AM JTK
<jonesy@sydow.org<mailto:jonesy@sydow.org><mailto:jonesy@sydow.org<mailto:jonesy@sydow.org>>>
wrote:
I'll look into it. I'm sure it's something simple, but it's just not
clicking. As of now I'm only testing my CAC and so there is a Root CA along with an
intermediate CA which I have loaded into Keycloak.
This is the steps I used:
keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer
keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks -file
Email-CA-1.cer
...
Just for clarity and sanity check, with our current IdP, we only need to load the public
certs (Root/Intermediate) and as long as they are loaded, any user certificate that is
presented would be trusted if the chain is loaded for that user certificate. We do not
have access to the private keys for the certificates loaded to the keystore.jks - I just
want to make sure that's not the issue.
At this point in time, I'd love to see ERROR in the server.log file, but I just get
INFO.
tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR"
The output of the above command has no output.
This is some of the output:
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** Finished
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) verify_data: { 99, 40, 129, 188,
202, 118, 214, 208, 192, 179, 230, 8 }
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) ***
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) update handshake state:
finished[20]
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) [write] MD5 and SHA1 hashes: len =
16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC CA
76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) Padded plaintext before ENCRYPTION:
len = 16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC CA
76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) default I/O-3, WRITE: TLSv1.2
Handshake, length = 40
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) %% Cached server session:
[Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384]
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length = 6
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 14 03 03 00 01 01
......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length = 45
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 16 03 03 00 28 00 00 00 00
00 00 00 00 73 16 4F ....(........s.O
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0010: C2 AA 1E 08 25 E9 36 15 77
D5 D4 18 E0 F8 BE BE ....%.6.w.......
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0020: 24 8A F4 7F 33 D2 CA D3 C5
FA A5 05 54 $...3.......T
etc
Here is the output of keystore.jks
keytool -list -v -keystore keycloak.jks | grep DoD
Enter keystore password: password
Owner: CN=Root CA, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Sows the Root CA and the Intermediate CA (CA-1)
On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter
<pnalyvayko@agi.com<mailto:pnalyvayko@agi.com><mailto:pnalyvayko@agi.com<mailto:pnalyvayko@agi.com>>>
wrote:
We have successfully tested and deployed the CAC card & X509 auth without any issues.
One suggestion is In the SSL debug output search for a list of CA authorities the KC
server sends back to the client as a part of mutual SSL handshake. For the mutual SSL to
kick in, the client certificates registered on the client machine must be signed by one
of the CAs from that list.
For example, say your trusted store has a CA cert with the Subject: CN=cert_auth
Then you should be prompted to select a cert only if your client cert's issuer (the
cert used to sign the client cert) matches the subject above.
You may also try troubleshooting using "openssl s_client" to avoid digging
through thousands of lines of SSL debug output
I hope it makes sense and helps :)
Cheers
--Peter
________________________________________
From: JTK
[jonesy@sydow.org<mailto:jonesy@sydow.org><mailto:jonesy@sydow.org<mailto:jonesy@sydow.org>>]
Sent: Friday, June 28, 2019 9:17 AM
To: Nalyvayko, Peter
Cc:
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org><mailto:keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version
4.8.3.Final
Thanks, I enabled the debug option for ssl in ../keycloak/bin/standalone.conf
if [ "x$JAVA_OPTS" = "x" ]; then
JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m
-Djava.net.preferIPv4Stack=true"
JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true -Djavax.net.debug=ssl"
I am seeing no errors in the logs related to certificates. I do see the root CA I'm
trying to use along with the intermediate.
I am using a client certificate, but I'm providing it via a card reader on my
computer. So I'm presenting a token on a smart card per say and not a soft cert loaded
on my system.
Would this make a difference? Should I be seeing any sort of error output in the logs if
the certs were loaded wrong or any other JAVA related issue?
I can post the debug output, but it's quite line.
-
Note, we currently use a commercial based IdP which accepts our smart card with tokens on
them, so I assumed Keycloak by default would see a certificate loaded locally or via the
smart card reader.
On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter
<pnalyvayko@agi.com<mailto:pnalyvayko@agi.com><mailto:pnalyvayko@agi.com<mailto:pnalyvayko@agi.com>><mailto:pnalyvayko@agi.com<mailto:pnalyvayko@agi.com><mailto:pnalyvayko@agi.com<mailto:pnalyvayko@agi.com>>>>
wrote:
One possible reason you are not getting prompted is that the intermediate or root certs in
your trust store do not match the intermediate or root certs used to sign the client
certificates registered on your client machine. To troubleshoot the SSL handshake you can
use -Djavax.net.debug, see https://access.redhat.com/solutions/973783 for more info.
________________________________________
From:
keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org><mailto:keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>><mailto:keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org><mailto:keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>>>
[keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org><mailto:keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>><mailto:keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org><mailto:keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>>>]
on behalf of JTK
[jonesy@sydow.org<mailto:jonesy@sydow.org><mailto:jonesy@sydow.org<mailto:jonesy@sydow.org>><mailto:jonesy@sydow.org<mailto:jonesy@sydow.org><mailto:jonesy@sydow.org<mailto:jonesy@sydow.org>>>]
Sent: Thursday, June 27, 2019 2:00 PM
To:
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org><mailto:keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>><mailto:keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org><mailto:keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>>
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version
4.8.3.Final
I've read through all the documentation I can find online both with the
official documents and everything else I could find and I believe I have
everything setup, with additional logging turned on, but I'm not getting
any type of prompt for a x509 certificate when logging in.
Here is the excerpts from the standalone.xml file where ssl-realm was
added to the management security-realms and under the subsystem.
<management>
<security-realms>
......
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="keycloak.jks"
relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
</ssl>
</server-identities>
<authentication>
<truststore path="truststore.jks"
relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
</authentication>
</security-realm>
......
<subsystem xmlns="urn:jboss:domain:undertow:7.0"
default-server="default-server" default-virtual-host="default-host"
default-servlet-container="default"
default-security-domain="other">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default1"
socket-binding="http"
redirect-socket="https" enable-http2="true"/>
<https-listener name="default"
socket-binding="https"
security-realm="ssl-realm" verify-client="REQUESTED"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<access-log worker="default"
directory="${jboss.server.log.dir}" prefix="access"
suffix=".log"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
I've setup the Authentication Flows for the Browser to have x509/Validate
Username Form above the new Browser flow and it's required.
Everything is setup per the KeyCloak documentation to include the binding
settings.
The only thing I'm not sure about is if the keycloak.jks and truststore.jks
files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything in
the logs of any relevance when trying to authenticate into the Keycloak
Realm.
Can anyone assist? We are looking to most likely purchase this as a product
through RedHat SSO if it works well to get the support we need, but I've
been hung up on this for a few weeks and I know it shouldn't be this hard.
Thanks,
J
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org><mailto:keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>><mailto:keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org><mailto:keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:05 a.m.
Yes, there is no proxy, just a ELB with pass-through. I'm wondering if I
have something misconfigured in the config file.
On Mon, Jul 8, 2019, 11:02 AM Nalyvayko, Peter <pnalyvayko(a)agi.com> wrote:
Can you confirm that the SSL termination is handled by individual
Keycloak
instances?
*From:* JTK <jonesy(a)sydow.org>
*Sent:* Friday, July 5, 2019 8:40 AM
*To:* Nalyvayko, Peter <pnalyvayko(a)agi.com>
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Not being prompted for x509 User Certs on
KeyCloak version 4.8.3.Final
Just now getting back to this due to the holiday week, but I don't believe
we need the chain loaded on the ELB on the smart card, as it's a
pass-through and the certs in question that are on the smart card are
loaded into the KeyCloak keystore, and once a user launches the KeyCloak
interface it should reference the internal KeyCloak keystore to verify the
chain. I would only need the certs on the ELB if we were requiring user
certs prior to the KeyCloak website, which we aren't.
It looks like I'm back to square one. Thoughts?
On Fri, Jun 28, 2019 at 11:41 AM JTK <jonesy(a)sydow.org> wrote:
Obviously the certs are not loaded on the ELB as I need them.
openssl s_client -servername keycloak.domainhere.net -connect
keycloak.domainhere.net:8443 <http://keycloak.dev.domainhere.net:8443>
2>/dev/null | egrep "subject=|issuer=|notAfter="
subject=CN = keycloak.domainhere.net <http://keycloak.dev.domainhere.net>
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
I'm waiting on feedback from our internal team to find out when they can
load the Root CA/Intermediate certs on the proxy. It might not be until
next week, but I will update when I get a chance.
Thanks!
On Fri, Jun 28, 2019 at 10:57 AM Nalyvayko, Peter <pnalyvayko(a)agi.com>
wrote:
Run the command "openssl s_client -connect <host>:<port>" where
host and
port are the Keycloak's host and the port number (e.g.
login.mycompany.com:443) and verify that the list of certificates listed
under "Acceptable CA client certificate names" is not empty and that the CA
names match the client cert's issuer
________________________________________
From: JTK [jonesy(a)sydow.org]
Sent: Friday, June 28, 2019 11:27 AM
To: Nalyvayko, Peter
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on
KeyCloak version 4.8.3.Final
Here is the standalone.xml file if anyone can sport or locate any obvious
errors associated with it.
https://zerobin.net/?740f9250fdc1a6f1#9FqhPJx0iNfQshWY8hA2aYdWPhWUEVHW5pe...
Authentication flow:
https://imgur.com/tZYj9N9 (Bindings)
https://imgur.com/3v2HYtW (Flows)
On Fri, Jun 28, 2019 at 9:13 AM JTK <jonesy(a)sydow.org<mailto:
jonesy(a)sydow.org>> wrote:
I'll look into it. I'm sure it's something simple, but it's just not
clicking. As of now I'm only testing my CAC and so there is a Root CA along
with an intermediate CA which I have loaded into Keycloak.
This is the steps I used:
keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer
keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks
-file Email-CA-1.cer
...
Just for clarity and sanity check, with our current IdP, we only need to
load the public certs (Root/Intermediate) and as long as they are loaded,
any user certificate that is presented would be trusted if the chain is
loaded for that user certificate. We do not have access to the private keys
for the certificates loaded to the keystore.jks - I just want to make sure
that's not the issue.
At this point in time, I'd love to see ERROR in the server.log file, but I
just get INFO.
tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR"
The output of the above command has no output.
This is some of the output:
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** Finished
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) verify_data: { 99,
40, 129, 188, 202, 118, 214, 208, 192, 179, 230, 8 }
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) ***
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) update handshake
state: finished[20]
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) [write] MD5 and
SHA1 hashes: len = 16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C
63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) Padded plaintext
before ENCRYPTION: len = 16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C
63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) default I/O-3,
WRITE: TLSv1.2 Handshake, length = 40
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) %% Cached server
session: [Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384]
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length
= 6
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 14 03 03 00
01 01 ......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length
= 45
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 16 03 03 00
28 00 00 00 00 00 00 00 00 73 16 4F ....(........s.O
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0010: C2 AA 1E 08
25 E9 36 15 77 D5 D4 18 E0 F8 BE BE ....%.6.w.......
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0020: 24 8A F4 7F
33 D2 CA D3 C5 FA A5 05 54 $...3.......T
etc
Here is the output of keystore.jks
keytool -list -v -keystore keycloak.jks | grep DoD
Enter keystore password: password
Owner: CN=Root CA, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Sows the Root CA and the Intermediate CA (CA-1)
On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter <pnalyvayko(a)agi.com
<mailto:pnalyvayko@agi.com>> wrote:
We have successfully tested and deployed the CAC card & X509 auth without
any issues. One suggestion is In the SSL debug output search for a list of
CA authorities the KC server sends back to the client as a part of mutual
SSL handshake. For the mutual SSL to kick in, the client certificates
registered on the client machine must be signed by one of the CAs from
that list.
For example, say your trusted store has a CA cert with the Subject:
CN=cert_auth
Then you should be prompted to select a cert only if your client cert's
issuer (the cert used to sign the client cert) matches the subject above.
You may also try troubleshooting using "openssl s_client" to avoid
digging through thousands of lines of SSL debug output
I hope it makes sense and helps :)
Cheers
--Peter
________________________________________
From: JTK [jonesy@sydow.org<mailto:jonesy@sydow.org>]
Sent: Friday, June 28, 2019 9:17 AM
To: Nalyvayko, Peter
Cc: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on
KeyCloak version 4.8.3.Final
Thanks, I enabled the debug option for ssl in
../keycloak/bin/standalone.conf
if [ "x$JAVA_OPTS" = "x" ]; then
JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M
-XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
JAVA_OPTS="$JAVA_OPTS
-Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true -Djavax.net.debug=ssl"
I am seeing no errors in the logs related to certificates. I do see the
root CA I'm trying to use along with the intermediate.
I am using a client certificate, but I'm providing it via a card reader on
my computer. So I'm presenting a token on a smart card per say and not a
soft cert loaded on my system.
Would this make a difference? Should I be seeing any sort of error output
in the logs if the certs were loaded wrong or any other JAVA related issue?
I can post the debug output, but it's quite line.
-
Note, we currently use a commercial based IdP which accepts our smart card
with tokens on them, so I assumed Keycloak by default would see a
certificate loaded locally or via the smart card reader.
On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter <pnalyvayko(a)agi.com
<mailto:pnalyvayko@agi.com><mailto:pnalyvayko@agi.com<mailto:
pnalyvayko(a)agi.com>>> wrote:
One possible reason you are not getting prompted is that the intermediate
or root certs in your trust store do not match the intermediate or root
certs used to sign the client certificates registered on your client
machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug,
see https://access.redhat.com/solutions/973783 for more info.
________________________________________
From: keycloak-user-bounces(a)lists.jboss.org<mailto:
keycloak-user-bounces(a)lists.jboss.org><mailto:
keycloak-user-bounces(a)lists.jboss.org<mailto:
keycloak-user-bounces(a)lists.jboss.org>> [
keycloak-user-bounces(a)lists.jboss.org<mailto:
keycloak-user-bounces(a)lists.jboss.org><mailto:
keycloak-user-bounces(a)lists.jboss.org<mailto:
keycloak-user-bounces(a)lists.jboss.org>>] on behalf of JTK [
jonesy@sydow.org<mailto:jonesy@sydow.org><mailto:jonesy@sydow.org<mailto:
jonesy(a)sydow.org>>]
Sent: Thursday, June 27, 2019 2:00 PM
To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org
><mailto:keycloak-user@lists.jboss.org<mailto:
keycloak-user(a)lists.jboss.org>>
Subject: [keycloak-user] Not being prompted for x509 User Certs on
KeyCloak version 4.8.3.Final
I've read through all the documentation I can find online both with the
official documents and everything else I could find and I believe I have
everything setup, with additional logging turned on, but I'm not getting
any type of prompt for a x509 certificate when logging in.
Here is the excerpts from the standalone.xml file where ssl-realm was
added to the management security-realms and under the subsystem.
<management>
<security-realms>
......
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="keycloak.jks"
relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
</ssl>
</server-identities>
<authentication>
<truststore path="truststore.jks"
relative-to="jboss.server.config.dir"
keystore-password="mypass"/>
</authentication>
</security-realm>
......
<subsystem xmlns="urn:jboss:domain:undertow:7.0"
default-server="default-server" default-virtual-host="default-host"
default-servlet-container="default"
default-security-domain="other">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default1"
socket-binding="http"
redirect-socket="https" enable-http2="true"/>
<https-listener name="default"
socket-binding="https"
security-realm="ssl-realm" verify-client="REQUESTED"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<access-log worker="default"
directory="${jboss.server.log.dir}" prefix="access"
suffix=".log"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
I've setup the Authentication Flows for the Browser to have x509/Validate
Username Form above the new Browser flow and it's required.
Everything is setup per the KeyCloak documentation to include the binding
settings.
The only thing I'm not sure about is if the keycloak.jks and truststore.jks
files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything in
the logs of any relevance when trying to authenticate into the Keycloak
Realm.
Can anyone assist? We are looking to most likely purchase this as a product
through RedHat SSO if it works well to get the support we need, but I've
been hung up on this for a few weeks and I know it shouldn't be this hard.
Thanks,
J
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org
><mailto:keycloak-user@lists.jboss.org<mailto:
keycloak-user(a)lists.jboss.org>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
1993
days inactive
2004
days old
10 comments
2 participants
participants (2)
-
JTK -
Nalyvayko, Peter