[keycloak-user] Docker X509 Apache Cert Lookup Client Certificate Passthrough

Sebastian Laskawiec slaskawi at redhat.com
Fri Aug 9 03:42:42 EDT 2019


On Fri, Aug 9, 2019 at 12:59 AM Johnson, Freddie [USA] <Johnson_Freddie at bah.com> wrote:

> Thanks for the awesome feedback. How would you recommend I activate the
> Apache SPI in the docker image? Should I add it to the standalone.xml and
> comment out the default provider or add it to the deployment URL as
> annotated in docker documentation: “To add a custom provider extend the
> Keycloak image and add the provider to the
> /opt/jboss/keycloak/standalone/deployments/ directory.” Does that count as
> a custom provider?
>

No problem. I'm glad I could help!

There are two approaches here. The first one is to extend the Keycloak
image and add your jar to the deployments directory. The second approach is
to mount a volume (Docker `-v` option for example) into the deployments and
put your jar there. There's also an S2I approach for OpenShift workloads.


>
> Any recommendations on how to `-Djavax.net.debug=all` in a docker
> container? I tried using the logging instructions at
> https://hub.docker.com/r/jboss/keycloak but that only works once the
> container is up and running and I can't see enough detail on the x509
> bundle import during the boot process like ./standalone.sh would
> physically. I'm noticing that it's not picking up all the certs in my
> bundle. I came to this conclusion by using the bundle without the "keytool"
> command and couldn't connect to Active Directory due to encrypted AD
> certification being signed by our internal CA.
>

You need to invoke it like this: `docker run jboss/keycloak:master
-Djavax.net.debug=all`. Then try logging in as your user over the HTTPS port
(8443 by default).


> I read through your links and it looks like it requires it to be a .crt
> and start with "/-----BEGIN CERTIFICATE-----/" for each cert which I made
> sure was present.
>

Yes, that is correct.


>
> Freddie
>
>
> ------------------------------
> *From:* Sebastian Laskawiec <slaskawi at redhat.com>
> *Sent:* Thursday, August 8, 2019 12:17 AM
> *To:* Johnson, Freddie [USA] <Johnson_Freddie at bah.com>
> *Cc:* keycloak-user at lists.jboss.org <keycloak-user at lists.jboss.org>
> *Subject:* [External] Re: [keycloak-user] Docker X509 Apache Cert Lookup
> Client Certificate Passthrough
>
> The only thing I found a bit weird is that you create the `/etc/x509/https`
> directory. The Keycloak image has a small script that tries to grab a key and a
> certificate in that directory and import them [1]. But I see you're already
> doing that in `RUN keytool ...` commands. Perhaps you should either put
> tls.crt and tls.key there and rely on our script or do everything by
> yourself (but in that case, please remember to modify the configuration
> similarly to [2]).
>
> The last advice I can give you is to append the `-Djavax.net.debug=all`
> argument to ./standalone.sh. This way you can see what certificates are
> being picked up and whether the TLS handshake looks correct (although the
> debugging is really time-consuming).
>
> [1]
> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L14-L103
> [2]
> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L95
>
> On Thu, Aug 8, 2019 at 1:05 AM Johnson, Freddie [USA] <Johnson_Freddie at bah.com> wrote:
>
> Team --
>
> I'm currently having issues getting Keycloak to read the client
> certificate forwarded from the proxy in an HTTP header from Apache using the
> Apache SPI cert lookup. Instead, it reads the wildcard cert provided below
> in the virtual host of *.xxx.ninja from SSLProxyMachineCertificateFile.
> However, if I use that common name of the wildcard and assign it to any
> user, Keycloak will log that user in even though that is not the user
> originally making the initial request to the proxy. In short, how do I
> force Keycloak running in a container to use the Apache SPI to retrieve
> cert credentials from the header? I tried the developer documentation by
> adding the SPI per
> https://www.keycloak.org/docs/latest/server_admin/index.html#client-certificate-lookup
> to both standalone.xml and the deployment folder, but it's as if Keycloak is
> not recognizing the configuration change in the container after build. If I
> remove SSLProxyMachineCertificateFile from Apache, Keycloak sends a message
> to the proxy saying "downstream server expected client cert but none
> configured", so that option didn't work either. Details below:
>
> My apache reverse proxy is:
>
> <VirtualHost *:443>
>     SSLEngine on
>     SSLProxyEngine on
>     SSLVerifyClient optional
>     SSLVerifyDepth 4
>     # +ExportCertData is what makes SSL_CLIENT_CERT / SSL_CLIENT_CERT_CHAIN_n available
>     SSLOptions +ExportCertData
>     SSLProxyCheckPeerName off
>     ProxyPreserveHost On
>
>     SSLProxyCACertificateFile "/usr/local/apache2/conf/ca-xxx-ninja.crt"
>     SSLCACertificateFile "/usr/local/apache2/conf/xxx_authorities.pem"
>     SSLProxyMachineCertificateFile "/usr/local/apache2/conf/proxy-wildcard-xxx-ninja.pem"
>
>     # Clear any client-supplied copies of these headers so only the proxy can set them
>     RequestHeader set SSL_CLIENT_CERT ""
>     RequestHeader set SSL_CLIENT_CERT_CHAIN_4 ""
>
>     ServerName sso.xxx.ninja
>     ProxyPass / https://keycloak:8443/
>     ProxyPassReverse / https://keycloak:8443/
>     ProxyRequests Off
>     RequestHeader set X-Forwarded-Port "443"
>     RequestHeader set X-Forwarded-Proto "https"
>     # %{VAR}s reads the mod_ssl variable of the TLS connection; %{VAR}i would
>     # read the incoming request header of that name, which was just cleared above,
>     # and forward an empty value to Keycloak
>     RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
>     RequestHeader set CERT_CHAIN "%{SSL_CLIENT_CERT_CHAIN_4}s"
> </VirtualHost>
>
> My Keycloak Dockerfile (abbreviated - sanitized):
>
> ENV X509_CA_BUNDLE="/opt/xxx/xxx_authorities.pem"
> USER root
> RUN mkdir -p /etc/x509/https /opt/xxx
> COPY "./certs/tls.crt" "/etc/x509/https/"
> COPY "./certs/tls.key" "/etc/x509/https/"
> # originally edited this file to hold the apache SPI
> COPY "./standalone.xml" "/opt/jboss/keycloak/standalone/configuration/standalone.xml"
> # moved the apache SPI for x509 here per online instructions
> COPY "./apache.xml" "/opt/jboss/keycloak/standalone/deployments/apache.xml"
> COPY "./certs/ca-xxx-ninja.crt" "/opt/"
> COPY "./certs/xxx/xxx_authorities.pem" "/opt/xxx/"
> RUN keytool -noprompt -import -trustcacerts -alias root \
>       -file /opt/ca-xxx-ninja.crt \
>       -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
> # keytool -import stores only the first certificate found in a multi-certificate
> # PEM file under the given alias; the remaining CAs in xxx_authorities.pem are
> # not added to cacerts by this single command
> RUN keytool -noprompt -import -trustcacerts -alias xxx \
>       -file /opt/xxx/xxx_authorities.pem \
>       -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
> USER 1000
> EXPOSE 8080 8443
>
> Any guidance/ideas you can provide would much appreciated as I've been
> working it for a few days now and can't seem to get over this last hurdle.
>
> Respectfully,
>
>
> Freddie Lee Johnson, Jr.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
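
The bundle-import problem raised in this thread (keytool picking up only part of a multi-certificate PEM bundle), as an added example that is not part of the original thread or of the Keycloak project's own tooling: a small Python helper that splits a PEM bundle into single certificates, normalizes each one to the `-----BEGIN CERTIFICATE-----` form the import expects, and generates one keytool invocation per certificate with a unique alias. The sample bundle, the alias prefix `xxx` and the output paths are constructed placeholders; the keystore path is the one used in the Dockerfile above.

```python
"""Split a PEM CA bundle so every certificate reaches the JVM truststore.

keytool -import / -importcert reads only the first certificate in a file, so
importing a multi-certificate bundle such as xxx_authorities.pem under a
single alias silently drops every CA after the first. Split the bundle first,
then import each certificate under its own alias.
"""
import re
from pathlib import Path

# Constructed sample bundle standing in for xxx_authorities.pem: two PEM
# blocks with placeholder bodies, not real certificates.
SAMPLE_BUNDLE = """\
# Corporate root CA (bundles often carry comment and blank lines)
-----BEGIN CERTIFICATE-----
MIIBsampleROOTcertificateBODYplaceholder00000000000000000000000000000000
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIBsampleINTERMEDIATEcertificateBODYplaceholder00000000000000000000000
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n?-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(bundle_text):
    """Return every certificate in the bundle as its own normalized PEM string."""
    certs = []
    for match in PEM_BLOCK.finditer(bundle_text):
        # Drop CRLF endings and stray whitespace, then re-wrap the base64 at 64 columns
        body = "".join(match.group(1).split())
        if not body:
            raise ValueError("empty certificate block in bundle")
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append(
            "-----BEGIN CERTIFICATE-----\n" + wrapped + "\n-----END CERTIFICATE-----\n"
        )
    if not certs:
        raise ValueError(
            "no '-----BEGIN CERTIFICATE-----' block found; keytool needs PEM "
            "(or DER) certificates, not a PKCS#12 bundle or a private key file"
        )
    return certs


def keytool_import_commands(certs, keystore, alias_prefix, storepass="changeit"):
    """Build one keytool invocation per split certificate file.

    Each import gets its own alias: keytool refuses to import into an alias
    that already exists, so one shared alias can never hold more than one
    certificate.
    """
    commands = []
    for index in range(len(certs)):
        alias = f"{alias_prefix}-{index}"
        commands.append(
            f"keytool -noprompt -importcert -trustcacerts -alias {alias} "
            f"-file {alias}.crt -keystore {keystore} -storepass {storepass}"
        )
    return commands


def write_split_bundle(bundle_text, out_dir, alias_prefix):
    """Write each certificate to <out_dir>/<alias_prefix>-<n>.crt; return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for index, pem in enumerate(split_pem_bundle(bundle_text)):
        path = out / f"{alias_prefix}-{index}.crt"
        path.write_text(pem)
        paths.append(str(path))
    return paths


if __name__ == "__main__":
    certs = split_pem_bundle(SAMPLE_BUNDLE)
    print(f"bundle contains {len(certs)} certificate(s)")
    # Keystore path as used in the Dockerfile in this thread (JDK 8 layout)
    for cmd in keytool_import_commands(certs, "$JAVA_HOME/jre/lib/security/cacerts", "xxx"):
        print(cmd)
```

Running it against a real bundle before building the image gives a quick count of how many CAs the truststore should end up with; `keytool -list -keystore ... | grep -c trustedCertEntry` after the build is the matching check. The same split is what makes a `-Djavax.net.debug=all` trace show every internal CA as a trust anchor rather than only the first one.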

