# keycloak notes

Basically just a log of my initial installation/tests... could be really out of date by the time you read this.

# Generally useful stuff

[admin guide](https://www.keycloak.org/docs/10.0/server_admin/#_x509)

[scripts to do this?](https://gist.github.com/malys/12baa68303b6012fe819849b558d43d4)

# Initial Standup Process

Stood up a basic server using our minion image.

```
highstate + highstate
sudo yum install java-11-openjdk
sudo yum update -y
# copied file to server
tar xvzf keycloak-12.0.2.tar.gz
sudo mv keycloak-12.0.2 /opt/keycloak
cd /opt/keycloak
# for standalone, the main configuration file is ./standalone/configuration/standalone.xml
# for a clustered environment, it's ./domain/configuration/domain.xml
./standalone.sh
```

Tunnel (run on local box)

```
ssh 10.20.26.85 -L 8080:127.0.0.1:8080
```

then browse to http://localhost:8080

1. Create admin username and password
2. click the administration console link and sign in
3. Sign in...

basically, I followed https://www.keycloak.org/docs/latest/getting_started/

# Create certificates

## install certbot - maybe not in production

I don't particularly like this method, but for now it's our best choice.
```
sudo yum install --enablerepo=epel snapd
sudo systemctl start snapd
sudo snap set system proxy.http="http://proxy.pvt.xdrtest.accenturefederalcyber.com:80"
sudo snap set system proxy.https="http://proxy.pvt.xdrtest.accenturefederalcyber.com:80"
sudo snap install core; sudo snap refresh core
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```

## Generate cert

```
sudo certbot certonly --standalone -d keycloak.xdrtest.accenturefederalcyber.com
# entered my email, probably better to use net.eng if this is used in production

# export into a pkcs12 store for keycloak:
sudo openssl pkcs12 -export \
  -inkey /etc/letsencrypt/live/keycloak.xdrtest.accenturefederalcyber.com/privkey.pem \
  -in /etc/letsencrypt/live/keycloak.xdrtest.accenturefederalcyber.com/fullchain.pem \
  -out /opt/keycloak/standalone/configuration/lets_encrypt_certs.pkcs12 \
  -name keycloak.xdrtest.accenturefederalcyber.com
# set a password

vim /opt/keycloak/standalone/configuration/standalone.xml
# have to set the keystore here...
# important line is:
```

## Copy Duane's certificates

```
scp DuanesCA.tgz gc-dev-keycloak:
ssh gc-dev-keycloak
mkdir ca
cd ca
tar xvzf ../DuanesCA.tgz
vim chain.pem
# Remove the text from the top
keytool -importcert -storetype PKCS12 -keystore duckfez-truststore.pkcs12 \
  -storepass password -alias ca -file chain.pem -noprompt
cp duckfez-truststore.pkcs12 /opt/keycloak/standalone/configuration/
cd /opt/keycloak/
./start.ftd.sh
# modified standalone script is in place with SSL configured. Script binds to 0.0.0.0
```

...
and much config and troubleshooting happened

## Generate a better client cert from Duane's stuff

Back on the mac:

```
cd
cd keycloak
openssl genrsa -out fdamstra.key 2048
openssl req -new -key fdamstra.key \
  -subj "/CN=frederick.t.damstra@accenturefederal.com/OU=MonkeyBOX Entertainment Group/O=AFS/C=US/L=Grand Rapids/ST=Michigan" \
  -out fdamstra.csr
openssl x509 -req -days 3650 -in fdamstra.csr -CA intermediae/ca.crt -CAkey intermediae/ca.key -CAcreateserial -out fdamstra.crt
openssl pkcs12 -export -in fdamstra.crt -inkey fdamstra.key \
  -certfile chain.pem -out fdamstra.p12 \
  -passin pass:password \
  -passout pass:password
```

Then use Keychain Access to import the p12 (password is "password").

Then double-click on the duckfez cert (has a red x), expand trust, and set trust to "always trust".

Then login!

## SAML

Notes from Keycloak

in keycloak:

* created client scope 'role_list_single_value', changing to 'single role attribute'
* Changed signed documents to signed assertions
* Turned off 'Force POST Binding'
* Maybe turned off Client Signature Required
* Changed client scope to 'role list single value'

in teleport:

* Removed reference to entity_descriptor
* Put certificate for keycloak in directly
* Set service_provider_issuer to client ID

# Future Reading

Information on using S3 for redundancy: https://medium.com/@georgijsr/sso-session-failover-with-keycloak-and-aws-s3-e0b1db985e12

# Audit information

## Show issued certificates

https://moose-splunk.pvt.xdr.accenturefederalcyber.com/en-US/app/splunk_app_aws/private_ca_status_dashboard

Look for the Identity Subordinate CA Audit Log
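An added example (not part of these notes) for the client-cert and truststore steps above: it issues a client certificate from a throwaway CA the same way the notes do, checks that the cert actually chains to that CA before anything is imported into a truststore, extracts the subject CN, and bundles everything as PKCS#12. Every subject, file name and password in it is constructed for the demo.

```bash
#!/bin/sh
# Added example, not from the notes: issue a client cert from a throwaway CA,
# check it chains to that CA, and bundle it as PKCS#12. Every subject, file
# name and password here is constructed for the demo.
set -eu

# Create a self-signed CA and a client cert signed by it under directory $1.
make_client_cert() {
  dir="$1"; subj="$2"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -days 365 \
    -subj "/CN=Throwaway Test CA/O=Example" -out "$dir/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client.key" -subj "$subj" \
    -out "$dir/client.csr" 2>/dev/null
  # -CAcreateserial writes ca.srl beside ca.crt on first use.
  openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.crt" 2>/dev/null
}

# Succeed only if client.crt chains to ca.crt, the same trust check the
# Keycloak truststore performs before the X.509 authenticator reads the subject.
verify_client_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

# Print the subject CN, the field the X.509 authenticator can match to a user.
client_cert_cn() {
  openssl x509 -in "$1/client.crt" -noout -subject -nameopt RFC2253 \
    | grep -o 'CN=[^,]*' | cut -d= -f2
}

# Bundle key, cert and CA into client.p12, then confirm it opens with the password.
export_p12() {
  dir="$1"; pass="$2"
  openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
    -certfile "$dir/ca.crt" -out "$dir/client.p12" -passout "pass:$pass"
  openssl pkcs12 -in "$dir/client.p12" -passin "pass:$pass" -noout 2>/dev/null
}

# Usage: run the whole flow in a temporary directory.
work=$(mktemp -d)
make_client_cert "$work" "/CN=alice@example.test/OU=Test/O=Example/C=US"
if verify_client_cert "$work"; then
  echo "client cert OK, CN=$(client_cert_cn "$work")"
fi
export_p12 "$work" "password" && echo "wrote $work/client.p12"
```

Swap the throwaway CA for the real intermediate (ca.crt/ca.key) and the verify step tells you, before importing anything into duckfez-truststore.pkcs12, whether the chain you were handed is the one that issued the client cert.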