[keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final

JTK jonesy at sydow.org
Fri Jun 28 10:13:28 EDT 2019 

I'll look into it. I'm sure it's something simple, but it's just not
clicking. As of now I'm only testing my CAC and so there is a Root CA along
with an intermediate CA which I have loaded into Keycloak.
This is the steps I used:

keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer

keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks -file
Email-CA-1.cer

...

Just for clarity and sanity check, with our current IdP, we only need to
load the public certs (Root/Intermediate) and as long as they are loaded,
any user certificate that is presented would be trusted if the chain is
loaded for that user certificate. We do not have access to the private keys
for the certificates loaded to the keystore.jks - I just want to make sure
that's not the issue.


At this point in time, I'd love to see ERROR in the server.log file, but I
just get INFO.

tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR"

The output of the above command has no output.


This is some of the output:

2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) *** Finished
2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) verify_data:  { 99,
40, 129, 188, 202, 118, 214, 208, 192, 179, 230, 8 }
2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) ***
2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) update handshake
state: finished[20]
2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) [write] MD5 and SHA1
hashes:  len = 16
2019-06-28 13:55:07,508 INFO  [stdout] (default I/O-3) 0000: 14 00 00 0C 63
28 81 BC   CA 76 D6 D0 C0 B3 E6 08  ....c(...v......
2019-06-28 13:55:07,508 INFO  [stdout] (default I/O-3) Padded plaintext
before ENCRYPTION:  len = 16
2019-06-28 13:55:07,508 INFO  [stdout] (default I/O-3) 0000: 14 00 00 0C 63
28 81 BC   CA 76 D6 D0 C0 B3 E6 08  ....c(...v......
2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) default I/O-3,
WRITE: TLSv1.2 Handshake, length = 40
2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) %% Cached server
session: [Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384]
2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) [Raw write]: length
= 6
2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) 0000: 14 03 03 00 01
01                                  ......
2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) [Raw write]: length
= 45
2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) 0000: 16 03 03 00 28
00 00 00   00 00 00 00 00 73 16 4F  ....(........s.O
2019-06-28 13:55:07,510 INFO  [stdout] (default I/O-3) 0010: C2 AA 1E 08 25
E9 36 15   77 D5 D4 18 E0 F8 BE BE  ....%.6.w.......
2019-06-28 13:55:07,510 INFO  [stdout] (default I/O-3) 0020: 24 8A F4 7F 33
D2 CA D3   C5 FA A5 05 54           $...3.......T

etc


Here is the output of keystore.jks

keytool -list -v -keystore keycloak.jks | grep DoD
Enter keystore password:  password
Owner: CN=Root CA, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US


Sows the Root CA and the Intermediate CA (CA-1)


On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter <pnalyvayko at agi.com> wrote:

> We have successfully tested and deployed the CAC card & X509 auth without
> any issues. One suggestion is In the SSL debug output search for a list of
> CA authorities the KC server sends back to the client as a part of mutual
> SSL handshake. For the mutual SSL to kick in, the  client certificates
> registered on the client machine must be  signed by one of the CAs from
> that list.
>
> For example, say your trusted store has a CA cert with the Subject:
> CN=cert_auth
>
> Then you should be prompted to select a cert only if your client cert's
> issuer (the cert used to sign the client cert) matches the subject above.
>
> You may also try  troubleshooting using "openssl s_client" to avoid
> digging through thousands of lines of SSL debug output
>
> I hope it makes sense and helps :)
>
> Cheers
>
> --Peter
>
> ________________________________________
> From: JTK [jonesy at sydow.org]
> Sent: Friday, June 28, 2019 9:17 AM
> To: Nalyvayko, Peter
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on
> KeyCloak version 4.8.3.Final
>
> Thanks, I enabled the debug option for ssl in
> ../keycloak/bin/standalone.conf
> if [ "x$JAVA_OPTS" = "x" ]; then
>    JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M
> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
>    JAVA_OPTS="$JAVA_OPTS
> -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
> -Djava.awt.headless=true -Djavax.net.debug=ssl"
>
> I am seeing no errors in the logs related to certificates. I do see the
> root CA I'm trying to use along with the intermediate.
> I am using a client certificate, but I'm providing it via a card reader on
> my computer. So I'm presenting a token on a smart card per say and not a
> soft cert loaded on my system.
> Would this make a difference? Should I be seeing any sort of error output
> in the logs if the certs were loaded wrong or any other JAVA related issue?
> I can post the debug output, but it's quite line.
> -
> Note, we currently use a commercial based IdP which accepts our smart card
> with tokens on them, so I assumed Keycloak by default would see a
> certificate loaded locally or via the smart card reader.
>
>
> On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter <pnalyvayko at agi.com
> <mailto:pnalyvayko at agi.com>> wrote:
> One possible reason you are not getting prompted is that the intermediate
> or root certs in your trust store do not match the intermediate or root
> certs used to sign the client certificates registered on your client
> machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug,
> see https://access.redhat.com/solutions/973783 for more info.
>
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org<mailto:
> keycloak-user-bounces at lists.jboss.org> [
> keycloak-user-bounces at lists.jboss.org<mailto:
> keycloak-user-bounces at lists.jboss.org>] on behalf of JTK [jonesy at sydow.org
> <mailto:jonesy at sydow.org>]
> Sent: Thursday, June 27, 2019 2:00 PM
> To: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> Subject: [keycloak-user] Not being prompted for x509 User Certs on
> KeyCloak     version 4.8.3.Final
>
>  I've read through all the documentation I can find online both with the
> official documents and everything else I could find and I believe I have
> everything setup, with additional logging turned on, but I'm not getting
> any type of prompt for a x509 certificate when logging in.
>
>  Here is the excerpts from the standalone.xml file where ssl-realm was
> added to the management security-realms and under the subsystem.
>
>     <management>
>         <security-realms>
>          ......
>             <security-realm name="ssl-realm">
>                 <server-identities>
>                     <ssl>
>                         <keystore path="keycloak.jks"
> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
>                     </ssl>
>                 </server-identities>
>                 <authentication>
>                     <truststore path="truststore.jks"
> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
>                 </authentication>
>             </security-realm>
>             ......
>
>         <subsystem xmlns="urn:jboss:domain:undertow:7.0"
> default-server="default-server" default-virtual-host="default-host"
> default-servlet-container="default" default-security-domain="other">
>             <buffer-cache name="default"/>
>             <server name="default-server">
>                 <http-listener name="default1" socket-binding="http"
> redirect-socket="https" enable-http2="true"/>
>                 <https-listener name="default" socket-binding="https"
> security-realm="ssl-realm" verify-client="REQUESTED"/>
>                 <host name="default-host" alias="localhost">
>                     <location name="/" handler="welcome-content"/>
>                     <access-log worker="default"
> directory="${jboss.server.log.dir}" prefix="access" suffix=".log"/>
>                     <http-invoker security-realm="ApplicationRealm"/>
>                 </host>
>
>  I've setup the Authentication Flows for the Browser to have x509/Validate
> Username Form above the new Browser flow and it's required.
> Everything is setup per the KeyCloak documentation to include the binding
> settings.
>
> The only thing I'm not sure about is if the keycloak.jks and truststore.jks
> files are the issue.
> I have enabled extra logging as best I know, but I'm not seeing anything in
> the logs of any relevance when trying to authenticate into the Keycloak
> Realm.
>
> Can anyone assist? We are looking to most likely purchase this as a product
> through RedHat SSO if it works well to get the support we need, but I've
> been hung up on this for a few weeks and I know it shouldn't be this hard.
>
> Thanks,
> J
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list