[keycloak-user] Docker X509 Apache Cert Lookup Client Certificate Passthrough
Sebastian Laskawiec
slaskawi at redhat.com
Thu Aug 8 03:17:18 EDT 2019
The only thing I found a bit weird is that you create the `/etc/x509/https`
directory. The Keycloak image has a small script that tries to grab a key and a
certificate in that directory and import them [1]. But I see you're already
doing that in `RUN keytool ...` commands. Perhaps you should either put
tls.crt and tls.key there and rely on our script, or do everything by
yourself (but in that case, please remember to modify the configuration
similarly to [2]).
The last advice I can give you is to append the `-Djavax.net.debug=all`
argument to ./standalone.sh. This way you can see what certificates are
being picked up and whether the TLS handshake looks correct (although the
debugging is really time-consuming).
[1]
https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L14-L103
[2]
https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L95
On Thu, Aug 8, 2019 at 1:05 AM Johnson, Freddie [USA] <
Johnson_Freddie at bah.com> wrote:
> Team --
>
> I'm currently having issues getting Keycloak to read the client
> certificate forwarded from the proxy in an HTTP header from Apache using the
> Apache SPI cert lookup. Instead, it reads the wildcard of the cert provided below
> in the virtual host of *.xxx.ninja from SSLProxyMachineCertificateFile.
> However, if I use that common name of the wildcard and assign it to any
> user, Keycloak will log that user in even though that is not the user
> originally making the initial request to the proxy. In short, how do I
> force Keycloak running in a container to use the Apache SPI to retrieve
> cert credentials in the header? I tried the developer documentation by adding the SPI
> per
> https://www.keycloak.org/docs/latest/server_admin/index.html#client-certificate-lookup
> to both standalone.xml and the deployment folder, but it's as if Keycloak is not
> recognizing the configuration change in the container after build. If I remove
> SSLProxyMachineCertificateFile from Apache, Keycloak sends a message to the
> proxy saying "downstream server expected client cert but none configured", so that
> option didn't work either. Details below:
>
> My apache reverse proxy is:
>
> <VirtualHost *:443>
> SSLEngine on
> SSLProxyEngine on
> SSLVerifyClient optional
> SSLVerifyDepth 4
> SSLOptions +ExportCertData
> SSLProxyCheckPeerName off
> ProxyPreserveHost On
>
> SSLProxyCACertificateFile "/usr/local/apache2/conf/ca-xxx-ninja.crt"
> SSLCACertificateFile "/usr/local/apache2/conf/xxx_authorities.pem"
> SSLProxyMachineCertificateFile
> "/usr/local/apache2/conf/proxy-wildcard-xxx-ninja.pem"
>
> RequestHeader set SSL_CLIENT_CERT ""
> RequestHeader set SSL_CLIENT_CERT_CHAIN_4 ""
>
> ServerName sso.xxx.ninja
> ProxyPass / https://keycloak:8443/
> ProxyPassReverse / https://keycloak:8443/
> ProxyRequests Off
> RequestHeader set X-Forwarded-Port "443"
> RequestHeader set X-Forwarded-Proto "https"
> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}i"
> RequestHeader set CERT_CHAIN "%{SSL_CLIENT_CERT_CHAIN_4}i"
> </VirtualHost>
>
> My Keycloak Dockerfile (abbreviated - sanitized):
>
> ENV "X509_CA_BUNDLE"="/opt/xxx/xxx_authorities.pem"
> USER root
> RUN mkdir -p /etc/x509/https
> RUN mkdir -p /opt/xxx
> COPY "./certs/tls.crt" "/etc/x509/https"
> COPY "./certs/tls.key" "/etc/x509/https"
> COPY "./standalone.xml"
> "/opt/jboss/keycloak/standalone/configuration/standalone.xml" <----
> originally edited this file to hold apache spi
> COPY "./apache.xml"
> "/opt/jboss/keycloak/standalone/deployments/apache.xml" < ------- moved
> apache spi for x509 here per online instructions
> COPY "./certs/ca-xxx-ninja.crt" "/opt"
> COPY "./certs/xxx/xxx_authorities.pem" "/opt/xxx/"
> RUN keytool -noprompt -import -trustcacerts -alias root -file
> /opt/ca-xxx-ninja.crt -keystore $JAVA_HOME/jre/lib/security/cacerts
> -storepass changeit
> RUN keytool -noprompt -import -trustcacerts -alias xxx -file
> /opt/xxx/xxx_authorities.pem -keystore $JAVA_HOME/jre/lib/security/cacerts
> -storepass changeit
> USER 1000
> EXPOSE 8080 8443
>
> Any guidance/ideas you can provide would much appreciated as I've been
> working it for a few days now and can't seem to get over this last hurdle.
>
> Respectfully,
>
>
> Freddie Lee Johnson, Jr.
>
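Added example, not code from the thread or from Keycloak: a small model of the trust boundary the quoted Apache config is setting up. The proxy side drops any SSL_CLIENT_CERT / CERT_CHAIN_* headers a client sent (the effect of the `RequestHeader set SSL_CLIENT_CERT ""` lines) and populates them only from the certificate mod_ssl verified at the TLS layer; the downstream side honours the header only when the connection came from the trusted proxy and decodes the flattened PEM back to DER. The function names, the placeholder certificate bytes and the assumption that the proxy flattens PEM newlines into spaces are all constructed for this illustration.

```python
import base64
import re
import textwrap

# Header names as used in the quoted Apache config (and the defaults of
# Keycloak's apache x509 lookup provider).
CERT_HEADER = "SSL_CLIENT_CERT"
CHAIN_PREFIX = "CERT_CHAIN"


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-column base64 lines)."""
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


# Constructed placeholder: NOT a real certificate, just bytes with PEM armour.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEER_CERT = to_pem(SAMPLE_DER)


def flatten_pem(pem: str) -> str:
    """HTTP header values cannot carry raw newlines; assume the proxy joins
    the PEM lines with spaces (an assumption of this example)."""
    return " ".join(line for line in pem.splitlines() if line)


def _is_cert_header(name: str) -> bool:
    upper = name.upper()
    return upper == CERT_HEADER or upper.startswith(CHAIN_PREFIX + "_")


def build_upstream_headers(inbound: dict, peer_cert_pem=None, peer_chain=()) -> dict:
    """Proxy side. `inbound` are headers from the untrusted client;
    `peer_cert_pem` is the client cert verified by the TLS layer (or None).
    Client-supplied cert headers are never passed through."""
    upstream = {k: v for k, v in inbound.items() if not _is_cert_header(k)}
    upstream["X-Forwarded-Proto"] = "https"
    upstream["X-Forwarded-Port"] = "443"
    if peer_cert_pem:
        upstream[CERT_HEADER] = flatten_pem(peer_cert_pem)
        for i, pem in enumerate(peer_chain):
            upstream[f"{CHAIN_PREFIX}_{i}"] = flatten_pem(pem)
    return upstream


_PEM_MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def pem_to_der(value: str) -> bytes:
    """Strip PEM markers and all whitespace (spaces or newlines), then decode.
    This tolerates the flattened form without having to split on spaces,
    which would break on 'BEGIN CERTIFICATE'."""
    body = re.sub(r"\s+", "", _PEM_MARKER.sub("", value))
    return base64.b64decode(body, validate=True)


def extract_forwarded_cert(headers: dict, from_trusted_proxy: bool):
    """Downstream side. Only trust the header if the request arrived over the
    proxy's own (e.g. mutually authenticated) connection; otherwise anyone
    reaching the backend directly could assert an arbitrary identity."""
    if not from_trusted_proxy:
        return None
    value = headers.get(CERT_HEADER, "").strip()
    if not value:
        return None
    return pem_to_der(value)


if __name__ == "__main__":
    spoofed = {"Host": "sso.xxx.ninja",
               CERT_HEADER: "-----BEGIN CERTIFICATE----- QUJD -----END CERTIFICATE-----"}
    print("no TLS client cert ->", build_upstream_headers(spoofed).get(CERT_HEADER))
    forwarded = build_upstream_headers(spoofed, peer_cert_pem=SAMPLE_PEER_CERT)
    print("decoded DER:", extract_forwarded_cert(forwarded, from_trusted_proxy=True))
```

The same pattern applies to the chain headers: they are only meaningful when the backend can distinguish the proxy's connection from a direct one, which is what the proxy-to-Keycloak TLS leg (and its machine certificate) is for.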