[keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final

JTK jonesy at sydow.org
Fri Jun 28 11:27:50 EDT 2019


Here is the standalone.xml file if anyone can spot or locate any obvious
errors associated with it.
https://zerobin.net/?740f9250fdc1a6f1#9FqhPJx0iNfQshWY8hA2aYdWPhWUEVHW5peZuGfU8cw=


Authentication flow:
https://imgur.com/tZYj9N9  (Bindings)
https://imgur.com/3v2HYtW (Flows)

On Fri, Jun 28, 2019 at 9:13 AM JTK <jonesy at sydow.org> wrote:

> I'll look into it. I'm sure it's something simple, but it's just not
> clicking. As of now I'm only testing my CAC and so there is a Root CA along
> with an intermediate CA which I have loaded into Keycloak.
> These are the steps I used:
>
> keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer
>
> keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks -file Email-CA-1.cer
>
> ...
>
> Just for clarity and sanity check, with our current IdP, we only need to
> load the public certs (Root/Intermediate) and as long as they are loaded,
> any user certificate that is presented would be trusted if the chain is
> loaded for that user certificate. We do not have access to the private
> keys for the certificates loaded to the keystore.jks - I just want to make
> sure that's not the issue.
>
>
> At this point in time, I'd love to see ERROR in the server.log file, but I
> just get INFO.
>
> tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR"
>
> The above command produces no output.
>
>
> This is some of the output:
>
> 2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) *** Finished
> 2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) verify_data:  { 99, 40, 129, 188, 202, 118, 214, 208, 192, 179, 230, 8 }
> 2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) ***
> 2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) update handshake state: finished[20]
> 2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) [write] MD5 and SHA1 hashes:  len = 16
> 2019-06-28 13:55:07,508 INFO  [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC   CA 76 D6 D0 C0 B3 E6 08  ....c(...v......
> 2019-06-28 13:55:07,508 INFO  [stdout] (default I/O-3) Padded plaintext before ENCRYPTION:  len = 16
> 2019-06-28 13:55:07,508 INFO  [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC   CA 76 D6 D0 C0 B3 E6 08  ....c(...v......
> 2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) default I/O-3, WRITE: TLSv1.2 Handshake, length = 40
> 2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) %% Cached server session: [Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384]
> 2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) [Raw write]: length = 6
> 2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) 0000: 14 03 03 00 01 01                                  ......
> 2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) [Raw write]: length = 45
> 2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) 0000: 16 03 03 00 28 00 00 00   00 00 00 00 00 73 16 4F  ....(........s.O
> 2019-06-28 13:55:07,510 INFO  [stdout] (default I/O-3) 0010: C2 AA 1E 08 25 E9 36 15   77 D5 D4 18 E0 F8 BE BE  ....%.6.w.......
> 2019-06-28 13:55:07,510 INFO  [stdout] (default I/O-3) 0020: 24 8A F4 7F 33 D2 CA D3   C5 FA A5 05 54           $...3.......T
>
> etc
>
>
> Here is the output of keystore.jks
>
> keytool -list -v -keystore keycloak.jks | grep DoD
> Enter keystore password:  password
> Owner: CN=Root CA, OU=PKI, O=Company, C=US
> Issuer: CN=Root CA, OU=PKI, O=Company, C=US
> Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US
> Issuer: CN=Root CA, OU=PKI, O=Company, C=US
>
>
> Shows the Root CA and the Intermediate CA (CA-1)
>
>
> On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter <pnalyvayko at agi.com>
> wrote:
>
>> We have successfully tested and deployed the CAC card & X509 auth without
>> any issues. One suggestion: in the SSL debug output, search for the list of
>> CA authorities the KC server sends back to the client as part of the mutual
>> SSL handshake. For mutual SSL to kick in, the client certificates
>> registered on the client machine must be signed by one of the CAs from
>> that list.
>>
>> For example, say your trusted store has a CA cert with the Subject:
>> CN=cert_auth
>>
>> Then you should be prompted to select a cert only if your client cert's
>> issuer (the cert used to sign the client cert) matches the subject above.
>>
>> You may also try troubleshooting using "openssl s_client" to avoid
>> digging through thousands of lines of SSL debug output.
>>
>> I hope it makes sense and helps :)
>>
>> Cheers
>>
>> --Peter
>>
>> ________________________________________
>> From: JTK [jonesy at sydow.org]
>> Sent: Friday, June 28, 2019 9:17 AM
>> To: Nalyvayko, Peter
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on
>> KeyCloak version 4.8.3.Final
>>
>> Thanks, I enabled the debug option for ssl in ../keycloak/bin/standalone.conf
>> if [ "x$JAVA_OPTS" = "x" ]; then
>>    JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
>>    JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true -Djavax.net.debug=ssl"
>>
>> I am seeing no errors in the logs related to certificates. I do see the
>> root CA I'm trying to use along with the intermediate.
>> I am using a client certificate, but I'm providing it via a card reader
>> on my computer. So I'm presenting a token on a smart card, per se, and not a
>> soft cert loaded on my system.
>> Would this make a difference? Should I be seeing any sort of error output
>> in the logs if the certs were loaded wrong or any other Java-related issue?
>> I can post the debug output, but it's quite long.
>> -
>> Note, we currently use a commercial IdP which accepts our smart
>> cards with tokens on them, so I assumed Keycloak by default would see a
>> certificate loaded locally or via the smart card reader.
>>
>>
>> On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter <pnalyvayko at agi.com> wrote:
>> One possible reason you are not getting prompted is that the intermediate
>> or root certs in your trust store do not match the intermediate or root
>> certs used to sign the client certificates registered on your client
>> machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug,
>> see https://access.redhat.com/solutions/973783 for more info.
>>
>> ________________________________________
>> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of JTK [jonesy at sydow.org]
>> Sent: Thursday, June 27, 2019 2:00 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
>>
>> I've read through all the documentation I can find online, both the
>> official documents and everything else I could find, and I believe I have
>> everything set up, with additional logging turned on, but I'm not getting
>> any type of prompt for an x509 certificate when logging in.
>>
>> Here are the excerpts from the standalone.xml file where ssl-realm was
>> added to the management security-realms and under the subsystem.
>>
>>     <management>
>>         <security-realms>
>>          ......
>>             <security-realm name="ssl-realm">
>>                 <server-identities>
>>                     <ssl>
>>                         <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/>
>>                     </ssl>
>>                 </server-identities>
>>                 <authentication>
>>                     <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/>
>>                 </authentication>
>>             </security-realm>
>>             ......
>>
>>         <subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
>>             <buffer-cache name="default"/>
>>             <server name="default-server">
>>                 <http-listener name="default1" socket-binding="http" redirect-socket="https" enable-http2="true"/>
>>                 <https-listener name="default" socket-binding="https" security-realm="ssl-realm" verify-client="REQUESTED"/>
>>                 <host name="default-host" alias="localhost">
>>                     <location name="/" handler="welcome-content"/>
>>                     <access-log worker="default" directory="${jboss.server.log.dir}" prefix="access" suffix=".log"/>
>>                     <http-invoker security-realm="ApplicationRealm"/>
>>                 </host>
>>
>>  I've setup the Authentication Flows for the Browser to have x509/Validate
>> Username Form above the new Browser flow and it's required.
>> Everything is setup per the KeyCloak documentation to include the binding
>> settings.
>>
>> The only thing I'm not sure about is if the keycloak.jks and truststore.jks
>> files are the issue.
>> I have enabled extra logging as best I know, but I'm not seeing anything in
>> the logs of any relevance when trying to authenticate into the Keycloak Realm.
>>
>> Can anyone assist? We are looking to most likely purchase this as a product
>> through Red Hat SSO if it works well to get the support we need, but I've
>> been hung up on this for a few weeks and I know it shouldn't be this hard.
>>
>> Thanks,
>> J
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
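Added example, not from the thread and not Keycloak code: a script for Peter's suggestion to read the list of CA names the server sends in its CertificateRequest, either out of the -Djavax.net.debug=ssl output in server.log or out of "openssl s_client" output. It pulls that list from a saved capture, normalises the DNs so that the keytool rendering ("CN=Root CA, OU=PKI, O=Company, C=US") and the openssl rendering ("C = US, O = Company, OU = PKI, CN = Root CA") compare equal, and reports whether a given client certificate issuer is covered. The sample captures are constructed from the CA names in the keytool listing above, the "*** CertificateRequest" / "Cert Authorities:" layout is assumed to be the JDK 8 JSSE one, and the "---" / "Client Certificate Types" terminators are assumed from openssl s_client output. Note in passing that the keytool commands quoted above import into keystore.jks while the https-listener's security realm references truststore.jks in its <authentication> block; the list the server advertises is built from the latter.

```python
"""Does the CA list in a server's TLS CertificateRequest cover a client cert issuer?
Added example for this thread, not Keycloak code. Parses the list out of JDK 8 style
-Djavax.net.debug=ssl output (as WildFly writes it) or `openssl s_client` output,
normalises DNs across keytool/openssl renderings, and reports a verdict.
Sample captures at the bottom are constructed; the debug layouts are assumed."""
import re

# WildFly prefixes stdout lines with e.g. "2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) "
_LOG_PREFIX = re.compile(r"^\S+ \S+ INFO\s+\[stdout\] \([^)]*\) ")
# Lines that end the CA list in openssl s_client output (assumed layout).
_OPENSSL_END = ("---", "Client Certificate Types", "Requested Signature", "Shared Requested")


def strip_log_prefix(line):
    return _LOG_PREFIX.sub("", line).strip()


def normalize_dn(dn):
    """Canonical form of a DN for comparison across tools: handles keytool style
    "CN=Root CA, OU=PKI, O=Company, C=US", openssl 1.1 style "C = US, ..., CN = Root CA"
    and openssl 1.0 style "/C=US/.../CN=Root CA". RDN order is dropped because openssl
    prints root-first and keytool leaf-first; multi-valued RDNs are not handled."""
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else re.split(r"(?<!\\),", dn)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("not an RDN: %r in %r" % (part, dn))
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(sorted(rdns))


def certificate_request_cas(text):
    """DNs advertised in CertificateRequest; [] if the server sent an empty list;
    None if no CertificateRequest appears at all (the server never asked)."""
    lines = [strip_log_prefix(raw) for raw in text.splitlines()]
    cas, i = None, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "*** CertificateRequest":  # JDK 8 javax.net.debug layout
            cas = []
            while i < len(lines) and not lines[i].startswith("***"):
                item = lines[i]
                i += 1
                if item.startswith("<") and item.endswith(">") and item != "<Empty>":
                    cas.append(item[1:-1])
        elif line == "Acceptable client certificate CA names":  # openssl s_client
            cas = []
            while i < len(lines) and lines[i] and not lines[i].startswith(_OPENSSL_END):
                cas.append(lines[i])
                i += 1
        elif line == "No client certificate CA names sent":
            cas = []
    return cas


def diagnose(cas, client_issuer_dn):
    """Return "no-request", "empty", "match" or "mismatch" for one issuer DN."""
    if cas is None:
        return "no-request"
    if not cas:
        return "empty"
    wanted = normalize_dn(client_issuer_dn)
    return "match" if any(normalize_dn(ca) == wanted for ca in cas) else "mismatch"


EXPLANATION = {
    "no-request": "no CertificateRequest at all: check verify-client on the https-listener "
                  "and that the request really reached that listener",
    "empty": "asked for a cert but advertised no CA names: the truststore the listener "
             "references holds no CA certs; what browsers offer then varies",
    "match": "issuer is advertised: a browser holding that cert (soft cert or smart card) "
             "should show the selection prompt",
    "mismatch": "issuer is not advertised: import the CA that signed the client cert "
                "(usually the intermediate) into the truststore the listener uses",
}

# Constructed samples using the CA names from the thread's keytool listing.
SAMPLE_JAVA_DEBUG = """\
2019-06-28 13:55:07,400 INFO  [stdout] (default I/O-3) *** CertificateRequest
2019-06-28 13:55:07,400 INFO  [stdout] (default I/O-3) Cert Types: RSA, DSS, ECDSA
2019-06-28 13:55:07,400 INFO  [stdout] (default I/O-3) Supported Signature Algorithms: SHA256withRSA, SHA384withRSA
2019-06-28 13:55:07,400 INFO  [stdout] (default I/O-3) Cert Authorities:
2019-06-28 13:55:07,400 INFO  [stdout] (default I/O-3) <CN=Root CA, OU=PKI, O=Company, C=US>
2019-06-28 13:55:07,400 INFO  [stdout] (default I/O-3) <CN=EMAIL CA-1, OU=PKI, O=Company, C=US>
2019-06-28 13:55:07,401 INFO  [stdout] (default I/O-3) *** ServerHelloDone
"""
SAMPLE_OPENSSL = """\
Acceptable client certificate CA names
C = US, O = Company, OU = PKI, CN = Root CA
C = US, O = Company, OU = PKI, CN = EMAIL CA-1
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
"""

if __name__ == "__main__":
    for capture in (SAMPLE_JAVA_DEBUG, SAMPLE_OPENSSL):
        verdict = diagnose(certificate_request_cas(capture), "CN=EMAIL CA-1, OU=PKI, O=Company, C=US")
        print(verdict + ": " + EXPLANATION[verdict])
```

To use it on a real capture, read server.log (written with -Djavax.net.debug=ssl as in the standalone.conf snippet above) or the output of "openssl s_client -connect host:8443" into a string, pass it to certificate_request_cas(), and pass the result plus the issuer DN from the client certificate to diagnose(). A "no-request" verdict means the truststore is not yet the problem, because the listener never asked for a certificate. With a smart card the issuer to test is the one on the card's certificate, which is typically the intermediate; advertising the intermediate as well as the root is the safe choice, since clients differ in whether they walk the chain up to a listed root.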

