[keycloak-user] Is there clear x509 configuration in a domain clustered environment using external DB

JTK jonesy at sydow.org
Wed Aug 21 13:05:22 EDT 2019


I've stood up a stand-alone version to use x509 and with the help of this
list I was able to get it working, but the configuration documentation is
not clear for setting it up in a domain clustered environment.
For example, ssl-realm is added to standalone.xml to get it to work in
conjunction with the https-listener and browser flow, but in the clustered
domain setup you don't configure domain.xml with the additional ssl-realm
information.
i.e.
            <security-realm name="ssl-realm">
                <server-identities>
                    <ssl>
                        <keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/>
                </authentication>
            </security-realm>
and
                <https-listener name="https" socket-binding="https" security-realm="ssl-realm" enabled-protocols="TLSv1.2" verify-client="REQUESTED" enable-http2="true"/>

I did add that information to the host.xml and even the host-master.xml
file, but I'm not getting prompted for my cert.

This is what I'm running to launch Keycloak with the debug setup for
SSL handshakes:
/opt/keycloak/bin/domain.sh --host-config=host-master.xml
-Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=10.10.10.7
-Djboss.bind.address=10.10.10.7 -Djboss.bind.address.private=10.10.10.7
-Djboss.https.port=443 -Djboss.tx.node.id=dev-master
-Djboss.node.name=dev-master
-Djava.security.egd=file:/dev/./urandom -Djavax.net.debug=ssl,handshake

I also have this enabled in domain.xml:
        <logger category="org.keycloak.authentication.authenticators.x509">
            <level name="TRACE"/>
        </logger>
        <logger category="org.keycloak.services.x509">
            <level name="TRACE"/>
        </logger>

Do I need to enable debug for the console handler below in domain.xml to get more
detailed info? Right now it's set to INFO.
        <console-handler name="CONSOLE">
            <level name="DEBUG"/>

I have the Root CA and the intermediate loaded for the x509 cert which I am
presenting. I've double-checked the Browser Flow, which is set up just like
the working standalone.
I just want to make sure there isn't something else I'm missing, because
there seems to be a lack of clarity between the standalone setup and the domain
clustered setup. For now I'm using just the master node, to ensure I'm not
hitting the slave node when testing.

Thanks
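The wiring the post is trying to get right is split across two files in domain mode: the security realm (keystore and truststore) belongs in host.xml, while the undertow https-listener that references it sits in a profile in domain.xml. The following check is an added example, not code from the poster or from Keycloak; it parses constructed, simplified fragments of both files (namespaces mostly omitted, assumed realm and profile names) and reports the mismatches that would leave a client never being asked for a certificate.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified host.xml fragment: the realm lives under <management> in domain mode.
HOST_XML = """<host>
  <management><security-realms>
    <security-realm name="ssl-realm">
      <server-identities>
        <ssl><keystore path="keystore.jks" relative-to="jboss.domain.config.dir" keystore-password="mypass"/></ssl>
      </server-identities>
      <authentication>
        <truststore path="truststore.jks" relative-to="jboss.domain.config.dir" keystore-password="mypass"/>
      </authentication>
    </security-realm>
  </security-realms></management>
</host>"""

# Constructed, simplified domain.xml fragment: the listener lives in a profile (profile name assumed).
DOMAIN_XML = """<domain>
  <profiles><profile name="auth-server-clustered">
    <subsystem xmlns="urn:jboss:domain:undertow:8.0">
      <server name="default-server">
        <https-listener name="https" socket-binding="https" security-realm="ssl-realm"
                        enabled-protocols="TLSv1.2" verify-client="REQUESTED"/>
      </server>
    </subsystem>
  </profile></profiles>
</domain>"""

def _local(tag):
    # Strip the {namespace} prefix ElementTree puts on namespaced tags.
    return tag.rsplit('}', 1)[-1]

def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def check_x509_wiring(host_xml, domain_xml):
    """Return findings that explain why the server would not request a client certificate."""
    host, domain = ET.fromstring(host_xml), ET.fromstring(domain_xml)
    realms = {r.get('name'): r for r in _find_all(host, 'security-realm')}
    listeners = _find_all(domain, 'https-listener')
    if not listeners:
        return ['no https-listener in any domain.xml profile']
    findings = []
    for l in listeners:
        realm = realms.get(l.get('security-realm'))
        if realm is None:
            findings.append(f"listener {l.get('name')}: realm {l.get('security-realm')!r} not defined in host.xml")
            continue
        if not _find_all(realm, 'truststore'):
            findings.append(f"realm {realm.get('name')}: no <authentication><truststore>, server cannot request client certs")
        if l.get('verify-client', 'NOT_REQUESTED') == 'NOT_REQUESTED':  # undertow default
            findings.append(f"listener {l.get('name')}: verify-client is NOT_REQUESTED")
    return findings
```

Run it against the real host-master.xml and domain.xml to confirm the listener's realm name resolves on the host actually serving the request; a realm defined only on a host that the listener does not run on produces the same silent "no prompt" symptom.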
