I wanted to give an update which might help other users.
The first issue we had was related to the load balancer, to be specific
Amazon ELB.
I was under the impression it was set to be pass-thru, but instead it was
set up to do SSL termination.
After that was fixed, then I was getting prompted for certificates and I
was seeing logs, which I was happy with, even error logs, even better.
The next issue was related to when our PFX chain was imported into the
keystore. The issue was that the PFX file had a different password than the
keystore in the standalone.xml configuration file.
After changing the password and re-importing it, the error logs
related to padding for the keystore were resolved. Basically, an error in
padding in our case = wrong password for the keystore.
The last issue was locating the correct RegEx for our instance. For us,
this worked:
User Identity Source: Subject Alternative Name
A regular expression to extract user identity : RFC822Name=(.*?)(?:,|$)
A big shout out to Peter! Thanks for your assistance.
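As an added illustration (not part of either message in this thread, and not Keycloak's own extractor code), the following Python applies the regular expression above to a few constructed SAN strings, assuming they are rendered in the `Name=value, Name=value` layout the pattern is written for, and contrasts it with a greedy variant and a stricter character-class variant to show why the lazy quantifier and the `(?:,|$)` terminator matter:

```python
import re

# The pattern the poster settled on for
# "User Identity Source: Subject Alternative Name". A regex-based extractor
# uses the first capture group as the username to look up in the realm.
POSTER_PATTERN = r"RFC822Name=(.*?)(?:,|$)"

# Greedy variant, shown only to illustrate the pitfall: it swallows every
# attribute that follows the e-mail address.
GREEDY_PATTERN = r"RFC822Name=(.*)"

# Stricter alternative (assumption, not from the thread): require at least
# one character that is neither a comma nor whitespace.
STRICT_PATTERN = r"RFC822Name=([^,\s]+)"


def extract_identity(san_text, pattern=POSTER_PATTERN):
    """Return the first capture group of `pattern` found in `san_text`.

    Returns None when there is no match or the captured value is empty.
    A None result must be treated as a failed login, never as a fallback
    to some default account.
    """
    m = re.search(pattern, san_text)
    if not m or not m.group(1):
        return None
    return m.group(1)


# Constructed sample SAN renderings (not taken from a real certificate and
# not a claim about how Keycloak itself formats the SAN extension).
SAMPLES = {
    "email_first": "RFC822Name=alice@example.org, DNSName=alice.example.org",
    "email_last": "DNSName=alice.example.org, RFC822Name=alice@example.org",
    "email_only": "RFC822Name=alice@example.org",
    "no_email": "DNSName=alice.example.org, IPAddress=192.0.2.10",
    "empty_email": "RFC822Name=, DNSName=alice.example.org",
}


def compare_patterns(samples=SAMPLES):
    """Run every sample through all three patterns; returns a dict of results."""
    results = {}
    for name, san in samples.items():
        results[name] = {
            "poster": extract_identity(san, POSTER_PATTERN),
            "greedy": extract_identity(san, GREEDY_PATTERN),
            "strict": extract_identity(san, STRICT_PATTERN),
        }
    return results


if __name__ == "__main__":
    for name, row in compare_patterns().items():
        print(f"{name:12s} poster={row['poster']!r:42s} "
              f"greedy={row['greedy']!r:42s} strict={row['strict']!r}")
```

The greedy form only "works" when RFC822Name happens to be the last attribute; with the lazy `(.*?)` and the `(?:,|$)` terminator the capture stops at the next comma or at end of string, so attribute order does not matter. Both the poster's pattern and the strict variant return None for a certificate with no e-mail SAN, which is the safe outcome.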
On Thu, Jun 27, 2019 at 12:37 PM JTK <jonesy(a)sydow.org> wrote:
Hello,
I've read through all the documentation I can find online, both the
official documents and everything else I could find, and I believe I have
everything set up, with additional logging turned on, but I'm not getting
any type of prompt for an x509 certificate when logging in.
Here is the excerpt from the standalone.xml file:
<management>
  <security-realms>
    ......
    <security-realm name="ssl-realm">
      <server-identities>
        <ssl>
          <keystore path="keycloak.jks"
                    relative-to="jboss.server.config.dir"
                    keystore-password="mypass"/>
        </ssl>
      </server-identities>
      <authentication>
        <truststore path="truststore.jks"
                    relative-to="jboss.server.config.dir"
                    keystore-password="mypass"/>
      </authentication>
    </security-realm>
......
<subsystem xmlns="urn:jboss:domain:undertow:7.0"
           default-server="default-server" default-virtual-host="default-host"
           default-servlet-container="default"
           default-security-domain="other">
  <buffer-cache name="default"/>
  <server name="default-server">
    <http-listener name="default1"
                   socket-binding="http"
                   redirect-socket="https" enable-http2="true"/>
    <https-listener name="default"
                    socket-binding="https"
                    security-realm="ssl-realm" verify-client="REQUESTED"/>
    <host name="default-host" alias="localhost">
      <location name="/"
                handler="welcome-content"/>
      <access-log worker="default"
                  directory="${jboss.server.log.dir}" prefix="access"
                  suffix=".log"/>
      <http-invoker security-realm="ApplicationRealm"/>
    </host>
I've set up the Authentication Flows for the Browser to have x509/Validate
Username Form above the new Browser flow, and it's required.
Everything is setup per the KeyCloak documentation to include the binding
settings.
The only thing I'm not sure about is if the keycloak.jks and
truststore.jks files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything
in the logs of any relevance when trying to authenticate into the Keycloak
Realm.
Can anyone assist? We are looking to most likely purchase this as a
product through RedHat SSO if it works well to get the support we need, but
I've been hung up on this for a few weeks and I know it shouldn't be this
hard.
Thanks,
J