[keycloak-user] Docker X509 Apache Cert Lookup Client Certificate Passthrough

Johnson, Freddie [USA] Johnson_Freddie at bah.com
Thu Aug 8 18:58:46 EDT 2019


Thanks for the awesome feedback. How would you recommend I activate the Apache SPI in the docker image? Should I add it to the standalone.xml and comment out the default provider or add it to the deployment URL as annotated in docker documentation: “To add a custom provider extend the Keycloak image and add the provider to the /opt/jboss/keycloak/standalone/deployments/ directory.” Does that count as a custom provider?


Any recommendations on how to `-Djavax.net.debug=all` in a docker container? I tried using the logging instructions at https://hub.docker.com/r/jboss/keycloak but that only works once the container is up and running and I can't see enough detail on the x509 bundle import during the boot process like ./standalone.sh would physically. I'm noticing that it's not picking up all the certs in my bundle. I came to this conclusion by using the bundle without the "keytool" command and couldn't connect to Active Directory due to encrypted AD certification being signed by our internal CA. I read through your links and it looks like it requires it to be a .crt and start with "/-----BEGIN CERTIFICATE-----/" for each cert which I made sure was present.


Freddie

________________________________
From: Sebastian Laskawiec <slaskawi at redhat.com>
Sent: Thursday, August 8, 2019 12:17 AM
To: Johnson, Freddie [USA] <Johnson_Freddie at bah.com>
Cc: keycloak-user at lists.jboss.org <keycloak-user at lists.jboss.org>
Subject: [External] Re: [keycloak-user] Docker X509 Apache Cert Lookup Client Certificate Passthrough

The only thing I found a bit weird is that you create `/etc/x509/https` directory. Keycloak image has a small script that tries to grab a key and a certificate in that directory and import them [1]. But I see you're already doing that in `RUN keytool ...` commands. Perhaps you should either put tls.crt and tls.key there and rely on our script or do everything by yourself (but in that case, please remember about modifying configuration similarly to [2]).

The last advice I can give to you is to append `-Djavax.net.debug=all` argument to ./standalone.sh. This way you can see, what certificates are being picked up and if the TLS handshake looks correct (although, the debugging is really time-consuming).

[1] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L14-L103
[2] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L95

On Thu, Aug 8, 2019 at 1:05 AM Johnson, Freddie [USA] <Johnson_Freddie at bah.com> wrote:
Team --

I'm currently having issues getting Keycloak to read the client certificate forwarded from proxy in HTTP header from Apache using Apache SPI Cert lookup. Instead, it reads the wildcard of the cert provided below in the virtual host of *.xxx.ninja from SSLProxyMachineCertificateFile. However, if I use that common name of the wildcard and assign it to any user, Keycloak will log that user in even though that is not the user originally making the initial request to the proxy. In short, how do I force Keycloak running in a container to use the apache spi to retrieve cert credentials in header? I tried developer documentation by adding spi per https://www.keycloak.org/docs/latest/server_admin/index.html#client-certificate-lookup to both standalone.xml and deployment folder but it's as if Keycloak is not recognizing the configuration change in container after build. If I remove SSLProxyMachineCertificateFile from Apache, Keycloak sends a message to the proxy saying "downstream server expected client cert but none configured" so that option didn't work either. Details below:

My apache reverse proxy is:

<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    SSLVerifyClient optional
    SSLVerifyDepth 4
    SSLOptions +ExportCertData
    SSLProxyCheckPeerName off
    ProxyPreserveHost On

    SSLProxyCACertificateFile "/usr/local/apache2/conf/ca-xxx-ninja.crt"
    SSLCACertificateFile "/usr/local/apache2/conf/xxx_authorities.pem"
    SSLProxyMachineCertificateFile "/usr/local/apache2/conf/proxy-wildcard-xxx-ninja.pem"

    RequestHeader set SSL_CLIENT_CERT ""
    RequestHeader set SSL_CLIENT_CERT_CHAIN_4 ""

    ServerName sso.xxx.ninja
    ProxyPass / https://keycloak:8443/
    ProxyPassReverse / https://keycloak:8443/
    ProxyRequests Off
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}i"
    RequestHeader set CERT_CHAIN "%{SSL_CLIENT_CERT_CHAIN_4}i"
</VirtualHost>

My Keycloak Dockerfile (abbreviated - sanitized):

ENV "X509_CA_BUNDLE"="/opt/xxx/xxx_authorities.pem"
USER root
RUN mkdir -p /etc/x509/https
RUN mkdir -p /opt/xxx
COPY "./certs/tls.crt" "/etc/x509/https"
COPY "./certs/tls.key" "/etc/x509/https"
COPY "./standalone.xml" "/opt/jboss/keycloak/standalone/configuration/standalone.xml" <---- originally edited this file to hold apache spi
COPY "./apache.xml" "/opt/jboss/keycloak/standalone/deployments/apache.xml" < ------- moved apache spi for x509 here per online instructions
COPY "./certs/ca-xxx-ninja.crt" "/opt"
COPY "./certs/xxx/xxx_authorities.pem" "/opt/xxx/"
RUN keytool -noprompt -import -trustcacerts -alias root -file /opt/ca-xxx-ninja.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
RUN keytool -noprompt -import -trustcacerts -alias xxx -file /opt/xxx/xxx_authorities.pem -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
USER 1000
EXPOSE 8080 8443

Any guidance/ideas you can provide would be much appreciated as I've been working it for a few days now and can't seem to get over this last hurdle.

Respectfully,


Freddie Lee Johnson, Jr.
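Added example for the "not picking up all the certs in my bundle" symptom and the two `RUN keytool ...` lines in the Dockerfile above; this is not code from the thread or from the Keycloak project. `keytool -importcert` reads only the first certificate in a PEM file, so a multi-cert bundle imported under one alias silently loses every other certificate; the bundle has to be split and each certificate imported under its own alias, which is what the image's x509.sh does for X509_CA_BUNDLE. The bundle path, alias prefix and the sample bundle contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Keycloak image): import EVERY certificate
# of a PEM bundle into a JVM truststore. A single `keytool -importcert -file bundle.pem`
# imports only the first certificate in the file, so the rest never reach cacerts.
set -eu

# Split a PEM bundle into cert-0.pem, cert-1.pem, ... under $2 and print the count.
# Lines outside BEGIN/END CERTIFICATE blocks (subject dumps, comments) are dropped.
split_pem_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { inside = 1; file = sprintf("%s/cert-%d.pem", dir, n); n++ }
    inside { print > file }
    /-----END CERTIFICATE-----/ { inside = 0; close(file) }
    END { print n + 0 }
  ' "$1"
}

# Import every certificate of bundle $1 into truststore $2 (storepass $3) as "$4-<index>".
# keytool output is sent to stderr so the function's stdout is just the imported count.
import_pem_bundle() {
  tmp=$(mktemp -d)
  count=$(split_pem_bundle "$1" "$tmp")
  i=0
  while [ "$i" -lt "$count" ]; do
    keytool -noprompt -importcert -trustcacerts -alias "$4-$i" \
      -file "$tmp/cert-$i.pem" -keystore "$2" -storepass "$3" >&2
    i=$((i + 1))
  done
  rm -rf "$tmp"
  echo "$count"
}

# Constructed sample bundle: two placeholder PEM blocks with "subject=" lines between
# them, as `openssl x509 -text` bundles often have. The bodies are NOT real certificates.
write_sample_bundle() {
  printf '%s\n' \
    'subject=CN=Constructed Root CA' \
    '-----BEGIN CERTIFICATE-----' 'MIIBsampleRootCAbodyNotARealCert==' '-----END CERTIFICATE-----' \
    'subject=CN=Constructed Issuing CA' \
    '-----BEGIN CERTIFICATE-----' 'MIIBsampleIssuingCAbodyNotARealCert=' '-----END CERTIFICATE-----' \
    > "$1"
}

# Dockerfile RUN usage (bundle path and alias prefix assumed, truststore as in the thread):
#   import_pem_bundle /opt/xxx/xxx_authorities.pem "$JAVA_HOME/jre/lib/security/cacerts" changeit xxx
```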

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
