1 Reply Latest reply on Apr 24, 2019 11:02 AM by Gunter Zeilinger

    How to set up SSL for Administration Console AND protecting it with Keycloak?

    Gunter Zeilinger Newbie

      I followed Protecting Wildfly Adminstration Console With Keycloak , with Wildfly 16.0.0.Final and Keycloak (Wildfly Adapter) 5.0.0, and configured a <server-ssl-context name="httpsSSC">:

       

      <subsystem xmlns="urn:wildfly:elytron:6.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">

        <tls>

        <key-stores>

        <key-store name="httpsKS">

        <credential-reference clear-text="secret"/>

        <implementation type="JKS"/>

        <file path="/home/gunter/wildfly-16.0.0.Final/standalone/configuration/dcm4chee-arc/key.jks"/>

        </key-store>
        </key-stores>

        <key-managers>
        <key-manager name="httpsKM" algorithm="SunX509" key-store="httpsKS">
        <credential-reference clear-text="secret"/>
        </key-manager>

        </key-managers>
        <server-ssl-contexts>

        <server-ssl-context name="httpsSSC" protocols="TLSv1.2" key-manager="httpsKM"/>

        </server-ssl-contexts>
        </tls>

      </subsystem>

       


      and referred it by  the <http-interface> element of the <management-interfaces> and changed also <socket-binding> to https="management-https":

       

      <management>
        <management-interfaces>
        <http-interface http-authentication-factory="keycloak-mgmt-http-authentication" ssl-context="httpsSSC">
        <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
        <socket-binding https="management-https"/>
        </http-interface>
        </management-interfaces>
        <access-control provider="rbac" use-identity-roles="true">
        <role-mapping>
        <role name="SuperUser">
        <include>
        <user name="$local"/>
        </include>
        </role>
        </role-mapping>
        </access-control>
      </management>



      The request to https://localhost:9993 got redirected to the Keycloak Login page, but the redirect back to https://localhost:9993/console/index.html did not load the Admin Console.
      The  server.log of the Keycloak adapter looks:

      2019-04-19 14:53:58,191 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-4) Evaluating request for path [https://localhost:9993/management]

      2019-04-19 14:53:58,203 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (management task-4) adminRequest https://localhost:9993/management

      2019-04-19 14:53:58,203 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-4) --> authenticate()

      2019-04-19 14:53:58,204 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-4) try bearer

      2019-04-19 14:53:58,205 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-4) try query paramter auth

      2019-04-19 14:53:58,205 DEBUG [org.keycloak.adapters.RequestAuthenticator] (management task-4) NOT_ATTEMPTED: bearer only

      2019-04-19 14:53:59,451 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-2) Evaluating request for path [https://localhost:9993/management]

      2019-04-19 14:53:59,452 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (management task-2) adminRequest https://localhost:9993/management

      2019-04-19 14:53:59,452 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-2) --> authenticate()

      2019-04-19 14:53:59,452 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-2) try bearer

      2019-04-19 14:53:59,452 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-2) try query paramter auth

      2019-04-19 14:53:59,452 DEBUG [org.keycloak.adapters.RequestAuthenticator] (management task-2) NOT_ATTEMPTED: bearer only

      2019-04-19 14:54:30,863 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-1) Evaluating request for path [https://localhost:9993/management]

      2019-04-19 14:54:30,864 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (management task-1) adminRequest https://localhost:9993/management

      2019-04-19 14:54:30,864 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-1) --> authenticate()

      2019-04-19 14:54:30,864 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-1) try bearer

      2019-04-19 14:54:45,636 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-1) try query paramter auth

      2019-04-19 14:54:45,636 DEBUG [org.keycloak.adapters.RequestAuthenticator] (management task-1) NOT_ATTEMPTED: bearer only

      compared with working pure (no SSL) http://localhost:9990 :

      2019-04-19 14:42:33,652 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-1) Evaluating request for path [http://localhost:9990/management]

      2019-04-19 14:42:33,666 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (management task-1) adminRequest http://localhost:9990/management

      2019-04-19 14:42:33,667 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-1) --> authenticate()

      2019-04-19 14:42:33,668 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-1) try bearer

      2019-04-19 14:42:33,669 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-1) try query paramter auth

      2019-04-19 14:42:33,670 DEBUG [org.keycloak.adapters.RequestAuthenticator] (management task-1) NOT_ATTEMPTED: bearer only

      2019-04-19 14:42:34,520 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-3) Evaluating request for path [http://localhost:9990/management]

      2019-04-19 14:42:34,521 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (management task-3) adminRequest http://localhost:9990/management

      2019-04-19 14:42:34,522 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-3) --> authenticate()

      2019-04-19 14:42:34,522 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-3) try bearer

      2019-04-19 14:42:34,522 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-3) try query paramter auth

      2019-04-19 14:42:34,523 DEBUG [org.keycloak.adapters.RequestAuthenticator] (management task-3) NOT_ATTEMPTED: bearer only

      2019-04-19 14:42:34,665 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-3) Evaluating request for path [http://localhost:9990/management]

      2019-04-19 14:42:34,665 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (management task-3) adminRequest http://localhost:9990/management

      2019-04-19 14:42:34,665 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-3) --> authenticate()

      2019-04-19 14:42:34,665 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-3) try bearer

      2019-04-19 14:42:34,665 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (management task-3) Found [1] values in authorization header, selecting the first value for Bearer.

      2019-04-19 14:42:34,666 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (management task-3) Verifying access_token

      2019-04-19 14:42:34,683 TRACE [org.keycloak.adapters.BearerTokenRequestAuthenticator] (management task-3)       access_token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJJN2RkWEJTUm9iQ1R0NnJnQTBzc3FqVHo0WERfVUFFQTdndV9tOF9EdjlzIn0.eyJqdGkiOiIzMGNmMmI2Yi0yNjlkLTRhOGItODYzNS1jZGEzMWNhNTNlYzIiLCJleHAiOjE1NTU2NzgwNTQsIm5iZiI6MCwiaWF0IjoxNTU1Njc3NzU0LCJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo4ODQzL2F1dGgvcmVhbG1zL2RjbTRjaGUiLCJhdWQiOlsicmVhbG0tbWFuYWdlbWVudCIsImFjY291bnQiXSwic3ViIjoiMTQ0ZTRkZjYtNjQ2Ni00YjdlLWFlNmQtMGViOGZjNzdlZGNjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoid2lsZGZseS1jb25zb2xlIiwibm9uY2UiOiI5NWEyMjUxNC0xZDczLTQ0N2QtODNhMC01ZDQ3OTcwY2RmYmEiLCJhdXRoX3RpbWUiOjE1NTU2NzczOTcsInNlc3Npb25fc3RhdGUiOiJiNTEyMzNhOS0xODAwLTQ2MmYtYTZiMi0yNTVkZjNlM2UyMDIiLCJhY3IiOiIwIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9sb2NhbGhvc3Q6OTk5MCJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiQURNSU5JU1RSQVRPUiIsImF1ZGl0bG9nIiwiYWRtaW4iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtIiwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktcHJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlYXRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInF1ZXJ5LXJlYWxtcyIsInZpZXctYXV0aG9yaXphdGlvbiIsInF1ZXJ5LWNsaWVudHMiLCJxdWVyeS11c2VycyIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50cyIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9yaXphdGlvbiIsIm1hbmFnZS1jbGllbnRzIiwicXVlcnktZ3JvdXBzIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsImdpdmVuX25hbWUiOiIiLCJmYW1pbHlfbmFtZSI6IiJ9.signature

      2019-04-19 14:42:34,739 TRACE [org.keycloak.adapters.rotation.JWKPublicKeyLocator] (management task-3) Going to send request to retrieve new set of realm public keys for client wildfly-management

      2019-04-19 14:42:34,927 DEBUG [org.keycloak.adapters.rotation.JWKPublicKeyLocator] (management task-3) Realm public keys successfully retrieved for client wildfly-management. New kids: [I7ddXBSRobCTt6rgA0ssqjTz4XD_UAEA7gu_m8_Dv9s]

      2019-04-19 14:42:34,929 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (management task-3) successful authorized

      2019-04-19 14:42:34,936 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (management task-3) checking whether to refresh.

      2019-04-19 14:42:34,936 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3) use realm role mappings

      2019-04-19 14:42:34,936 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3) Setting roles:

      2019-04-19 14:42:34,936 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3)    role: ADMINISTRATOR

      2019-04-19 14:42:34,937 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3)    role: auditlog

      2019-04-19 14:42:34,937 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3)    role: admin

      2019-04-19 14:42:34,937 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3)    role: user


      Debugging
      BearerTokenRequestAuthenticator.authenticate(HttpFacade exchange)

      exchange.getRequest().getHeaders("Authorization");


      always returned null with SSL configured.