[keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final

JTK jonesy at sydow.org
Fri Jun 28 12:41:39 EDT 2019


Obviously the certs are not loaded on the ELB as I need them.
openssl s_client -servername keycloak.domainhere.net -connect keycloak.domainhere.net:8443 2>/dev/null | egrep "subject=|issuer=|notAfter="
subject=CN = keycloak.domainhere.net
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon

I'm waiting on feedback from our internal team to find out when they can
load the Root CA/Intermediate certs on the proxy. It might not be until
next week, but I will update when I get a chance.

Thanks!

On Fri, Jun 28, 2019 at 10:57 AM Nalyvayko, Peter <pnalyvayko at agi.com>
wrote:

> Run the command "openssl s_client -connect <host>:<port>" where host and
> port are the Keycloak's host and the port number (e.g.
> login.mycompany.com:443) and verify that the list of certificates listed
> under "Acceptable CA client certificate names" is not empty and that the CA
> names match the client cert's issuer.
>
>
> ________________________________________
> From: JTK [jonesy at sydow.org]
> Sent: Friday, June 28, 2019 11:27 AM
> To: Nalyvayko, Peter
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on
> KeyCloak version 4.8.3.Final
>
> Here is the standalone.xml file if anyone can spot or locate any obvious
> errors associated with it.
>
> https://zerobin.net/?740f9250fdc1a6f1#9FqhPJx0iNfQshWY8hA2aYdWPhWUEVHW5peZuGfU8cw=
>
> Authentication flow:
> https://imgur.com/tZYj9N9  (Bindings)
> https://imgur.com/3v2HYtW (Flows)
>
> On Fri, Jun 28, 2019 at 9:13 AM JTK <jonesy at sydow.org> wrote:
> I'll look into it. I'm sure it's something simple, but it's just not
> clicking. As of now I'm only testing my CAC and so there is a Root CA along
> with an intermediate CA which I have loaded into Keycloak.
> These are the steps I used:
>
> keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer
>
> keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks
> -file Email-CA-1.cer
>
> ...
>
> Just for clarity and sanity check, with our current IdP, we only need to
> load the public certs (Root/Intermediate) and as long as they are loaded,
> any user certificate that is presented would be trusted if the chain is
> loaded for that user certificate. We do not have access to the private keys
> for the certificates loaded to the keystore.jks - I just want to make sure
> that's not the issue.
>
>
> At this point in time, I'd love to see ERROR in the server.log file, but I
> just get INFO.
>
> tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR"
>
> The output of the above command has no output.
>
>
> This is some of the output:
>
> 2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) *** Finished
> 2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) verify_data:  { 99, 40, 129, 188, 202, 118, 214, 208, 192, 179, 230, 8 }
> 2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) ***
> 2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) update handshake state: finished[20]
> 2019-06-28 13:55:07,507 INFO  [stdout] (default I/O-3) [write] MD5 and SHA1 hashes:  len = 16
> 2019-06-28 13:55:07,508 INFO  [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC   CA 76 D6 D0 C0 B3 E6 08  ....c(...v......
> 2019-06-28 13:55:07,508 INFO  [stdout] (default I/O-3) Padded plaintext before ENCRYPTION:  len = 16
> 2019-06-28 13:55:07,508 INFO  [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC   CA 76 D6 D0 C0 B3 E6 08  ....c(...v......
> 2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) default I/O-3, WRITE: TLSv1.2 Handshake, length = 40
> 2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) %% Cached server session: [Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384]
> 2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) [Raw write]: length = 6
> 2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) 0000: 14 03 03 00 01 01                                  ......
> 2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) [Raw write]: length = 45
> 2019-06-28 13:55:07,509 INFO  [stdout] (default I/O-3) 0000: 16 03 03 00 28 00 00 00   00 00 00 00 00 73 16 4F  ....(........s.O
> 2019-06-28 13:55:07,510 INFO  [stdout] (default I/O-3) 0010: C2 AA 1E 08 25 E9 36 15   77 D5 D4 18 E0 F8 BE BE  ....%.6.w.......
> 2019-06-28 13:55:07,510 INFO  [stdout] (default I/O-3) 0020: 24 8A F4 7F 33 D2 CA D3   C5 FA A5 05 54           $...3.......T
>
> etc
>
>
> Here is the output of keystore.jks
>
> keytool -list -v -keystore keycloak.jks | grep DoD
> Enter keystore password:  password
> Owner: CN=Root CA, OU=PKI, O=Company, C=US
> Issuer: CN=Root CA, OU=PKI, O=Company, C=US
> Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US
> Issuer: CN=Root CA, OU=PKI, O=Company, C=US
>
>
> Shows the Root CA and the Intermediate CA (CA-1)
>
>
> On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter <pnalyvayko at agi.com> wrote:
> We have successfully tested and deployed the CAC card & X509 auth without
> any issues. One suggestion: in the SSL debug output, search for a list of
> CA authorities the KC server sends back to the client as a part of the mutual
> SSL handshake. For the mutual SSL to kick in, the client certificates
> registered on the client machine must be signed by one of the CAs from
> that list.
>
> For example, say your trusted store has a CA cert with the Subject:
> CN=cert_auth
>
> Then you should be prompted to select a cert only if your client cert's
> issuer (the cert used to sign the client cert) matches the subject above.
>
> You may also try troubleshooting using "openssl s_client" to avoid
> digging through thousands of lines of SSL debug output.
>
> I hope it makes sense and helps :)
>
> Cheers
>
> --Peter
>
> ________________________________________
> From: JTK [jonesy at sydow.org]
> Sent: Friday, June 28, 2019 9:17 AM
> To: Nalyvayko, Peter
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on
> KeyCloak version 4.8.3.Final
>
> Thanks, I enabled the debug option for ssl in
> ../keycloak/bin/standalone.conf
>
> if [ "x$JAVA_OPTS" = "x" ]; then
>    JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
>    JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true -Djavax.net.debug=ssl"
>
> I am seeing no errors in the logs related to certificates. I do see the
> root CA I'm trying to use along with the intermediate.
> I am using a client certificate, but I'm providing it via a card reader on
> my computer. So I'm presenting a token on a smart card per se and not a
> soft cert loaded on my system.
> Would this make a difference? Should I be seeing any sort of error output
> in the logs if the certs were loaded wrong or any other JAVA related issue?
> I can post the debug output, but it's quite long.
> -
> Note, we currently use a commercial-based IdP which accepts our smart card
> with tokens on them, so I assumed Keycloak by default would see a
> certificate loaded locally or via the smart card reader.
>
>
> On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter <pnalyvayko at agi.com> wrote:
> One possible reason you are not getting prompted is that the intermediate
> or root certs in your trust store do not match the intermediate or root
> certs used to sign the client certificates registered on your client
> machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug,
> see https://access.redhat.com/solutions/973783 for more info.
>
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of JTK [jonesy at sydow.org]
> Sent: Thursday, June 27, 2019 2:00 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Not being prompted for x509 User Certs on
> KeyCloak version 4.8.3.Final
>
> I've read through all the documentation I can find online both with the
> official documents and everything else I could find and I believe I have
> everything set up, with additional logging turned on, but I'm not getting
> any type of prompt for a x509 certificate when logging in.
>
> Here are the excerpts from the standalone.xml file where ssl-realm was
> added to the management security-realms and under the subsystem.
>
>     <management>
>         <security-realms>
>             ......
>             <security-realm name="ssl-realm">
>                 <server-identities>
>                     <ssl>
>                         <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/>
>                     </ssl>
>                 </server-identities>
>                 <authentication>
>                     <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/>
>                 </authentication>
>             </security-realm>
>             ......
>
>         <subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
>             <buffer-cache name="default"/>
>             <server name="default-server">
>                 <http-listener name="default1" socket-binding="http" redirect-socket="https" enable-http2="true"/>
>                 <https-listener name="default" socket-binding="https" security-realm="ssl-realm" verify-client="REQUESTED"/>
>                 <host name="default-host" alias="localhost">
>                     <location name="/" handler="welcome-content"/>
>                     <access-log worker="default" directory="${jboss.server.log.dir}" prefix="access" suffix=".log"/>
>                     <http-invoker security-realm="ApplicationRealm"/>
>                 </host>
>
> I've set up the Authentication Flows for the Browser to have x509/Validate
> Username Form above the new Browser flow and it's required.
> Everything is set up per the KeyCloak documentation to include the binding
> settings.
>
> The only thing I'm not sure about is if the keycloak.jks and truststore.jks
> files are the issue.
> I have enabled extra logging as best I know, but I'm not seeing anything in
> the logs of any relevance when trying to authenticate into the Keycloak
> Realm.
>
> Can anyone assist? We are looking to most likely purchase this as a product
> through RedHat SSO if it works well to get the support we need, but I've
> been hung up on this for a few weeks and I know it shouldn't be this hard.
>
> Thanks,
> J
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
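Peter's check (does the CA list the server sends in its CertificateRequest contain the issuer of the client certificate?) as a small shell helper. This is an added example, not code from the thread or from Keycloak; the `openssl s_client` output it parses is a constructed sample, and the DN comparison normalises the different orderings that openssl ("C = US, O = Company, ...") and keytool ("CN=..., O=Company, C=US") print so the two can be compared.

```shell
#!/bin/sh
# Added example: is the issuer of our client certificate among the CA names a
# TLS server advertises? If not, the browser never shows the certificate
# picker, which is the symptom in this thread (the ELB sent no CA names).

# Constructed sample of the relevant part of `openssl s_client` output.
SAMPLE_SCLIENT_OUTPUT='---
Acceptable client certificate CA names
C = US, O = Company, OU = PKI, CN = Root CA
C = US, O = Company, OU = PKI, CN = EMAIL CA-1
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---'

# Normalise a DN: strip spaces around "=", split on ", ", sort the RDNs and
# rejoin them, so openssl and keytool renderings of the same DN compare equal.
normalize_dn() {
    printf '%s\n' "$1" \
        | awk -F', *' '{ for (i = 1; i <= NF; i++) { gsub(/ *= */, "=", $i); print $i } }' \
        | sort \
        | awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# Print the CA names that follow the "Acceptable client certificate CA names"
# header on stdin; prints nothing when the server sent no CertificateRequest
# (s_client then shows "No client certificate CA names sent").
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && /^(Client Certificate Types|Requested Signature Algorithms|---)/ { exit }
        in_list { print }
    '
}

# Exit 0 when the issuer DN in $1 (the Issuer line keytool or a browser shows
# for the user certificate) is in the CA list read from stdin, else exit 1.
issuer_accepted() {
    want=$(normalize_dn "$1")
    acceptable_cas | while IFS= read -r ca; do normalize_dn "$ca"; done | grep -qFx -e "$want"
}

# Against a live server (needs network access, so not run here):
#   openssl s_client -servername keycloak.domainhere.net -connect keycloak.domainhere.net:8443 </dev/null 2>/dev/null \
#     | issuer_accepted 'CN=EMAIL CA-1, OU=PKI, O=Company, C=US' && echo "issuer is in the server CA list"
```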

