I am running keycloak in a docker container. We are using PKI as one of the authentication methods for our applications. I followed the instructions for keycloak (X.509 Client Certificate User Authentication) to set this up, and everything seems to work. Next, we needed to update keycloak to be FIPS compliant. For this, we are using the bouncy castle FIPS provider (bc-fips-1.0.1.jar). I have set up the java.security file to make the bouncy castle fips provider the default. This all works correctly as well.
However, once I update the java.security file to use "com.sun.net.ssl.internal.ssl.Provider BCFIPS", PKI no longer works. Regular SSL without a client certificate provided works just fine, and we can log in with username and password, but we need PKI.
I have updated the keycloak standalone.xml with the following:
<server-identities>
    <ssl>
        <keystore provider="BCFKS" path="keystore.bcfks"
                  relative-to="jboss.server.config.dir"
                  keystore-password="<password>" alias="keycloak"
                  key-password="<password>"/>
    </ssl>
</server-identities>
<authentication>
    <truststore provider="BCFKS" path="truststore.bcfks"
                relative-to="jboss.server.config.dir"
                keystore-password="<password>"/>
    <local default-user="$local" allowed-users="*"
           skip-group-loading="true"/>
    <properties path="application-users.properties"
                relative-to="jboss.server.config.dir"/>
</authentication>
I took the JKS files for the keystore and truststore that I was using before and imported
them to BCFKS files using this basic command:
keytool -importkeystore \
    -srckeystore keystore.jks -srcstoretype JKS -srcstorepass <password> \
    -destkeystore keystore.bcfks -deststoretype BCFKS -deststorepass <password> \
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -providerpath /path/to/jar/bc-fips-1.0.1.jar
I also updated the JAVA_OPTS to include -Djavax.net.debug=ssl. In the output, I can see
that my certificate is provided, and it looks correct.
In the log output after the client certificate is logged, I see the following log statements.
14:38:30,927 INFO [stdout] (default task-1) default task-1, fatal error: 46: General SSLEngine problem
14:38:30,927 INFO [stdout] (default task-1) sun.security.validator.ValidatorException: No trusted certificate found
14:38:30,927 INFO [stdout] (default task-1) %% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
14:38:30,927 INFO [stdout] (default task-1) default task-1, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
14:38:30,927 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1.2 Alert, length = 2
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, called closeInbound()
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, called closeOutbound()
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, closeOutboundInternal()
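Added diagnostic (not from the original post or from Keycloak): a small Java program that opens the converted truststore and runs the same PKIX trust check the JSSE trust manager performs on the client certificate, so "No trusted certificate found" can be reproduced outside the server. It assumes bc-fips-1.0.1.jar is on the classpath with BCFIPS registered in java.security as described above; the file names and password are placeholders, and it works for JKS and PKCS12 stores as well as BCFKS.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

// Usage: java TrustCheck truststore.bcfks BCFKS <password> client-chain.pem
// client-chain.pem holds the client certificate first, then any intermediates it presents.
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        String storePath = args[0], storeType = args[1], storePass = args[2], pemPath = args[3];

        // BCFKS only resolves if the BCFIPS provider is registered; this is the first thing
        // that fails when java.security does not load the provider the way the server expects.
        KeyStore ts = KeyStore.getInstance(storeType);
        try (InputStream in = new FileInputStream(storePath)) {
            ts.load(in, storePass.toCharArray());
        }
        System.out.println("Truststore " + ts.getType() + " served by provider " + ts.getProvider().getName());
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ts.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ts.getCertificate(alias);
                System.out.println("  trusted anchor " + alias + ": " + c.getSubjectX500Principal());
            }
        }

        // Parse the PEM chain the client sends (leaf first) into a CertPath.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (InputStream in = new FileInputStream(pemPath)) {
            chain = new ArrayList<>(cf.generateCertificates(in));
        }
        X509Certificate leaf = (X509Certificate) chain.get(0);
        System.out.println("Client subject: " + leaf.getSubjectX500Principal());
        System.out.println("Client issuer:  " + leaf.getIssuerX500Principal());
        CertPath path = cf.generateCertPath(chain);

        // PKIXParameters(KeyStore) throws if the store holds no trusted-certificate entries,
        // which is one concrete cause of the server-side ValidatorException.
        PKIXParameters params = new PKIXParameters(ts);
        params.setRevocationEnabled(false); // offline check: skip CRL/OCSP fetching
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("OK: chain validates against a truststore anchor");
        } catch (CertPathValidatorException ex) {
            System.out.println("FAIL at index " + ex.getIndex() + ": " + ex.getMessage());
        }
    }
}
```

Run it with the truststore the server is configured with; if the anchor list is empty or the issuer printed for the client does not match any anchor, the handshake failure is a truststore content problem rather than a provider problem.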