
keycloak notes

Basically just a log of my initial installation/tests... could be really out of date by the time you read this.

Generally useful stuff

admin guide scripts to do this?

Initial Standup Process

Stood up a basic server using our minion image.

highstate + highstate
sudo yum install java-11-openjdk
sudo yum update -y

# copied the distribution tarball to the server first
tar xvzf keycloak-12.0.2.tar.gz
sudo mv keycloak-12.0.2 /opt/keycloak
cd /opt/keycloak
# for standalone, the main configuration file is ./standalone/configuration/standalone.xml
# for a clustered environment, it's ./domain/configuration/domain.xml
# the start script lives under bin/ in the WildFly-based distribution
./bin/standalone.sh

Tunnel (run on local box)

ssh 10.20.26.85 -L 8080:127.0.0.1:8080

then browse to http://localhost:8080

  1. Create admin username and password
  2. click the administration console link and sign in
  3. Sign in... basically, I followed https://www.keycloak.org/docs/latest/getting_started/

Create certificates

install certbot - maybe not in production

I don't particularly like this method, but for now it's our best choice.

sudo yum install --enablerepo=epel snapd
sudo systemctl start snapd
sudo snap set system proxy.http="http://proxy.pvt.xdrtest.accenturefederalcyber.com:80"
sudo snap set system proxy.https="http://proxy.pvt.xdrtest.accenturefederalcyber.com:80"
sudo snap install core; sudo snap refresh core
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Generate cert

sudo certbot certonly --standalone -d keycloak.xdrtest.accenturefederalcyber.com
# entered my email, probably better to use net.eng if this is used in production

# export into a pkcs12 store for keycloak:
sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/keycloak.xdrtest.accenturefederalcyber.com/privkey.pem -in /etc/letsencrypt/live/keycloak.xdrtest.accenturefederalcyber.com/fullchain.pem -out /opt/keycloak/standalone/configuration/lets_encrypt_certs.pkcs12 -name keycloak.xdrtest.accenturefederalcyber.com
# set a password

vim /opt/keycloak/standalone/configuration/standalone.xml
# have to set the keystore here...
# important line is:
<keystore path="lets_encrypt_certs.pkcs12" relative-to="jboss.server.config.dir" keystore-password="stupid" alias="keycloak.xdrtest.accenturefederalcyber.com" key-password="stupid" generate-self-signed-certificate-host="localhost"/>

Copy Duane's certificates

scp DuanesCA.tgz gc-dev-keycloak:
ssh gc-dev-keycloak
mkdir ca
cd ca
tar xvzf ../DuanesCA.tgz
vim chain.pem
# Remove the text from the top
keytool -importcert -storetype PKCS12 -keystore duckfez-truststore.pkcs12 \
  -storepass password -alias ca -file chain.pem -noprompt
cp duckfez-truststore.pkcs12 /opt/keycloak/standalone/configuration/
cd /opt/keycloak/
./start.ftd.sh # modified standalone script is in place with SSL configured. Script binds to 0.0.0.0

... and much config and troubleshooting happened

Generate a better client cert from duane's stuff

Back on the mac:

cd
cd keycloak
openssl genrsa -out fdamstra.key 2048
openssl req -new -key fdamstra.key \
    -subj "/CN=frederick.t.damstra@accenturefederal.com/OU=MonkeyBOX Entertainment Group/O=AFS/C=US/L=Grand Rapids/ST=Michigan" \
    -out fdamstra.csr
openssl x509 -req -days 3650 -in fdamstra.csr -CA intermediae/ca.crt  -CAkey intermediae/ca.key -CAcreateserial -out fdamstra.crt
openssl pkcs12 -export -in fdamstra.crt -inkey fdamstra.key \
    -certfile chain.pem -out fdamstra.p12 \
    -passin pass:password \
    -passout pass:password

Then use Keychain Access to import the p12 (password is "password"). Then double-click the duckfez cert (it has a red x), expand Trust, and set it to "Always Trust".

Then login!

SAML Notes from Keycloak

in keycloak:

  • Created client scope 'role_list_single_value', changing the mapper to 'single role attribute'
  • Changed signed documents to signed assertions
  • Turned off 'Force POST Binding'
  • Maybe turned off 'Client Signature Required'
  • Changed client scope to 'role list single value'

in teleport:

  • Removed reference to entity_descriptor,
  • Put certificate for keycloak in directly
  • Set service_provider_issuer to client ID

Future Reading

Information on using S3 for redundancy: https://medium.com/@georgijsr/sso-session-failover-with-keycloak-and-aws-s3-e0b1db985e12

Audit information

Show issued certificates

https://moose-splunk.pvt.xdr.accenturefederalcyber.com/en-US/app/splunk_app_aws/private_ca_status_dashboard

Look for the Identity Subordinate CA Audit Log