[keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
JTK
jonesy at sydow.org
Fri Jun 28 09:17:26 EDT 2019
Thanks, I enabled the debug option for ssl in
../keycloak/bin/standalone.conf
if [ "x$JAVA_OPTS" = "x" ]; then
JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M
-XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
JAVA_OPTS="$JAVA_OPTS
-Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true -Djavax.net.debug=ssl"
I am seeing no errors in the logs related to certificates. I do see the
root CA I'm trying to use along with the intermediate.
I am using a client certificate, but I'm providing it via a card reader on
my computer. So I'm presenting a token on a smart card per say and not a
soft cert loaded on my system.
Would this make a difference? Should I be seeing any sort of error output
in the logs if the certs were loaded wrong or any other JAVA related issue?
I can post the debug output, but it's quite line.
-
Note, we currently use a commercial based IdP which accepts our smart card
with tokens on them, so I assumed Keycloak by default would see a
certificate loaded locally or via the smart card reader.
On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter <pnalyvayko at agi.com> wrote:
> One possible reason you are not getting prompted is that the intermediate
> or root certs in your trust store do not match the intermediate or root
> certs used to sign the client certificates registered on your client
> machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug,
> see https://access.redhat.com/solutions/973783 for more info.
>
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [
> keycloak-user-bounces at lists.jboss.org] on behalf of JTK [jonesy at sydow.org]
> Sent: Thursday, June 27, 2019 2:00 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Not being prompted for x509 User Certs on
> KeyCloak version 4.8.3.Final
>
> I've read through all the documentation I can find online both with the
> official documents and everything else I could find and I believe I have
> everything setup, with additional logging turned on, but I'm not getting
> any type of prompt for a x509 certificate when logging in.
>
> Here is the excerpts from the standalone.xml file where ssl-realm was
> added to the management security-realms and under the subsystem.
>
> <management>
> <security-realms>
> ......
> <security-realm name="ssl-realm">
> <server-identities>
> <ssl>
> <keystore path="keycloak.jks"
> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
> </ssl>
> </server-identities>
> <authentication>
> <truststore path="truststore.jks"
> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
> </authentication>
> </security-realm>
> ......
>
> <subsystem xmlns="urn:jboss:domain:undertow:7.0"
> default-server="default-server" default-virtual-host="default-host"
> default-servlet-container="default" default-security-domain="other">
> <buffer-cache name="default"/>
> <server name="default-server">
> <http-listener name="default1" socket-binding="http"
> redirect-socket="https" enable-http2="true"/>
> <https-listener name="default" socket-binding="https"
> security-realm="ssl-realm" verify-client="REQUESTED"/>
> <host name="default-host" alias="localhost">
> <location name="/" handler="welcome-content"/>
> <access-log worker="default"
> directory="${jboss.server.log.dir}" prefix="access" suffix=".log"/>
> <http-invoker security-realm="ApplicationRealm"/>
> </host>
>
> I've setup the Authentication Flows for the Browser to have x509/Validate
> Username Form above the new Browser flow and it's required.
> Everything is setup per the KeyCloak documentation to include the binding
> settings.
>
> The only thing I'm not sure about is if the keycloak.jks and truststore.jks
> files are the issue.
> I have enabled extra logging as best I know, but I'm not seeing anything in
> the logs of any relevance when trying to authenticate into the Keycloak
> Realm.
>
> Can anyone assist? We are looking to most likely purchase this as a product
> through RedHat SSO if it works well to get the support we need, but I've
> been hung up on this for a few weeks and I know it shouldn't be this hard.
>
> Thanks,
> J
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list