[keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final

Nalyvayko, Peter pnalyvayko at agi.com
Thu Jun 27 19:41:03 EDT 2019


One possible reason you are not getting prompted is that the intermediate or root certs in your trust store do not match the intermediate or root certs used to sign the client certificates registered on your client machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug, see https://access.redhat.com/solutions/973783 for more info.

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of JTK [jonesy at sydow.org]
Sent: Thursday, June 27, 2019 2:00 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final

 I've read through all the documentation I can find online, both the
official documents and everything else I could find, and I believe I have
everything set up, with additional logging turned on, but I'm not getting
any type of prompt for an x509 certificate when logging in.

 Here are the excerpts from the standalone.xml file where ssl-realm was
added to the management security-realms and under the subsystem.

    <management>
        <security-realms>
            ......
            <security-realm name="ssl-realm">
                <server-identities>
                    <ssl>
                        <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/>
                </authentication>
            </security-realm>
            ......

        <subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default1" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="default" socket-binding="https" security-realm="ssl-realm" verify-client="REQUESTED"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <access-log worker="default" directory="${jboss.server.log.dir}" prefix="access" suffix=".log"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                </host>

 I've set up the Authentication Flows for the Browser to have x509/Validate
Username Form above the new Browser flow and it's required.
Everything is set up per the KeyCloak documentation, including the binding
settings.

The only thing I'm not sure about is if the keycloak.jks and truststore.jks
files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything in
the logs of any relevance when trying to authenticate into the Keycloak
Realm.

Can anyone assist? We are looking to most likely purchase this as a product
through RedHat SSO if it works well to get the support we need, but I've
been hung up on this for a few weeks and I know it shouldn't be this hard.

Thanks,
J
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
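An added, self-contained way to check the cause Peter describes (this script is not from the thread or from Keycloak; it is an example written for this page). A browser only shows the certificate prompt if it holds a certificate that chains to one of the CA names the server lists in its TLS CertificateRequest, and that list comes from the truststore.jks referenced by the ssl-realm above. The script builds a throwaway root -> intermediate -> client PKI with openssl, stands in for truststore.jks with PEM bundles, and shows the matching and mismatching cases side by side. Assumptions: openssl is on PATH, the https listener is on port 8443, and every name (Demo Root CA, Demo Intermediate CA, jonesy, Other Root CA) is made up for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Reproduces the "trust store
# does not match the client cert's CA" case and the checks a practitioner would
# run. Assumptions: openssl on PATH; Keycloak https on 8443; all names are
# made up for this demo.

# Build a throwaway PKI under $1: root -> intermediate -> client cert, plus an
# unrelated "Other Root CA" to play the role of a wrong truststore.
make_demo_pki() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=jonesy' \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/client.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -extfile "$d/client.ext" -out "$d/client.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Other Root CA' \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    # PEM stand-ins for two possible contents of truststore.jks
    cat "$d/root.pem" "$d/inter.pem" > "$d/truststore-good.pem"
    cp "$d/other.pem" "$d/truststore-wrong.pem"
}

# Subjects of every CA in a PEM truststore: these are the names the server
# will advertise in its CertificateRequest.
truststore_ca_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject='
}

# Same inventory for the real truststore.jks named in standalone.xml
# (keytool ships with the JDK; password as in the excerpt). Not run by the demo.
jks_ca_subjects() {
    keytool -list -v -keystore "$1" -storepass "$2" | grep -E '^(Owner|Issuer):'
}

# Issuer named in the client certificate. The browser offers the cert only if
# this issuer, or a CA above it, appears in the server's advertised list.
client_cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Returns 0 if the client cert chains to a CA in the truststore, 1 otherwise.
# This mirrors the path validation the server does during the handshake.
client_cert_chains_to_truststore() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# What a live https listener actually advertises (assumed host/port; not run
# by the demo). "No client certificate CA names sent" means the listener is
# not requesting a certificate at all, i.e. verify-client is not in effect.
server_acceptable_cas() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        sed -n '/Acceptable client certificate CA names/,/Client Certificate Types/p; /No client certificate CA names sent/p'
}

demo() {
    w=$(mktemp -d)
    make_demo_pki "$w"
    echo "client cert issuer:     $(client_cert_issuer "$w/client.pem")"
    echo "CAs in truststore-good:"; truststore_ca_subjects "$w/truststore-good.pem"
    echo "CAs in truststore-wrong:"; truststore_ca_subjects "$w/truststore-wrong.pem"
    for ts in good wrong; do
        if client_cert_chains_to_truststore "$w/truststore-$ts.pem" "$w/client.pem"; then
            echo "truststore-$ts: chain OK, a browser holding this cert will be prompted"
        else
            echo "truststore-$ts: no path to a trusted CA, no prompt (the mismatch case)"
        fi
    done
    rm -rf "$w"
}
demo
```

Against a real deployment, run `server_acceptable_cas keycloak.example.org 8443` (host and port are assumptions) and compare the names it prints with `client_cert_issuer` on the certificate installed in the browser; if the issuer chain is not in that list, import the missing intermediate and root into truststore.jks and restart. If the output says no CA names were sent, the request is not reaching the https listener that carries verify-client="REQUESTED" (for instance it is still on the plain http listener), and no truststore change will help. The -Djavax.net.debug flag from Peter's reply shows the same CertificateRequest from the server side, which is useful when you cannot reach the listener with openssl directly.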