Issues with using Keycloak 25.0.4 Receiving Ext.Ajax #1369

codwow · 2024-09-09T22:04:29Z

codwow
Sep 9, 2024

I originally post this issue #1368 but was told to post a discussion.

I'm currently just using podman for my deployment with separate containers and no docker compose. This is currently what it looks like

podman create --replace --name nginx
-p 20000:20000
-v /var/lib/containers/storage/volumes/nginx/_data/nginx.conf:/etc/nginx/nginx.conf
-v /var/lib/containers/storage/volumes/nginx/_data/[server cert].crt:/etc/nginx/cert.pem
-v /var/lib/containers/storage/volumes/nginx/_data/[server cert].key:/etc/nginx/privkey.pem
-v /var/lib/containers/storage/volumes/nginx/_data/dod_CAs.pem:/etc/nginx/dod-certs.pem
-v /var/lib/containers/storage/volumes/nginx/_data/index.html:/usr/share/nginx/html/index.html
--network stig-manager
registry1.dso.mil/ironbank/opensource/nginx/nginx:1.26.2

podman create --replace --name stig-manager-auth --restart=always
-e KEYCLOAK_ADMIN=admin
-e KEYCLOAK_ADMIN_PASSWORD=admin
-e KC_PROXY-HEADERS=xforwarded
-e KC_HOSTNAME=https://[ip of host]:20000/kc/
-e KC_HOSTNAME_ADMIN=https://[ip of host]:20000/kc
-e KC_SPI_X509CERT_LOOKUP_PROVIDER=nginx
-e KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT=SSL-CLIENT-CERT
-e KC_TRUSTSTORE_PATHS=/tmp/truststore.p12
-e KC_TRUSTSTORE_FILE_PASSWORD=1234
-v /var/lib/containers/storage/volumes/nginx/_data/dod_CAs.p12:/tmp/truststore.p12
-v stig-manager-auth:/opt/keycloak/data/
--network stig-manager
registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.4 start-dev

podman create --replace --name stig-manager-db --restart=always
-e MYSQL_ROOT_PASSWORD=rootpw
-e MYSQL_DATABASE=stigman
-e MYSQL_USER=stigman
-e MYSQL_PASSWORD=stigman
-v stig-manager-db:/var/lib/mysql
--network stig-manager
registry1.dso.mil/ironbank/opensource/mysql/mysql8:8.0.36-ubi9

podman create --replace --name stig-manager --restart=always
-e STIGMAN_OIDC_PROVIDER=http://stig-manager-auth:8080/realms/stigman
-e STIGMAN_CLIENT_OIDC_PROVIDER=https://[ip of host]:20000/kc/realms/stigman
-e STIGMAN_DB_HOST=stig-manager-db
-e STIGMAN_DB_PASSWORD=stigman
-e STIGMAN_CLASSIFICATION=U
-e STIGMAN_SWAGGER_ENABLED=true
-e STIGMAN_LOG_LEVEL=4
-e NODE_EXTRA_CA_CERTS=/tmp/truststore.crt
-v /var/lib/containers/storage/volumes/nginx/_data/[server cert].crt:/tmp/truststore.crt
--network stig-manager
registry1.dso.mil/ironbank/opensource/stig-manager/stig-manager:1.4.13

when using this configuration I get an Ext.Ajax error, I tried to configure the NODE_EXTRA_CA_CERTS but I wasn't sure which cert to point it too and nothing that I tried worked. The weird part is when I replace the stig-manager-auth container (keycloak) with the one below it works and authenticates without issue. The below container was taken from stigman-orchestration repo and the above container was modified from the stig-manager-auth to include the x.509 certificate authentication process instead of username and password

podman create --replace --name stig-manager-auth --restart=always
-e KEYCLOAK_ADMIN=admin
-e KEYCLOAK_ADMIN_PASSWORD=admin
-e KC_PROXY=edge
-e KC_HOSTNAME_URL=https://[ip of host]:20000/kc/
-e KC_HOSTNAME_ADMIN_URL=https://[ip of host]:20000/kc
-e KC_SPI_X509CERT_LOOKUP_PROVIDER=nginx
-e KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT=SSL-CLIENT-CERT
-e KC_SPI_TRUSTSTORE_FILE_FILE=/tmp/truststore.p12
-e KC_SPI_TRUSTSTORE_FILE_PASSWORD=1234
-v stig-manager-auth-old:/opt/keycloak/data/
-v /var/lib/containers/storage/volumes/nginx/_data/create-x509-user.jar:/opt/keycloak/providers/create-x509-user.jar
-v /var/lib/containers/storage/volumes/nginx/_data/dod_CAs.p12:/tmp/truststore.p12
--network stig-manager
registry1.dso.mil/ironbank/opensource/keycloak/keycloak:19.0.2 start-dev

codwow · 2024-09-10T19:54:41Z

codwow
Sep 10, 2024
Author

So it looks to be a problem with version 25 of keycloak. I was able to use 24.0.5 without issue

3 replies

cd-rite Sep 11, 2024
Maintainer

@codwow Oh, that's great! I mean, sorry it wasted some of your time, but I'm glad you figured it out! Thanks for posting the problem with that version of Keycloak, hopefully it will save other users some trouble!

codwow Oct 14, 2024
Author

@cd-rite can I submit an issue about supporting keycloak 25+? I think it would be important so everyone can utilize the latest version.

cd-rite Oct 14, 2024
Maintainer

HI @codwow I don't think the issue is with STIG Manager, but in some significant changes to the way you configure Keycloak that were made in 25+. You'll likely have to adjust your Keycloak configuration for it to work, but not STIGMan.

For example, it looks like the KC_HOSTNAME_URL would just be KC_HOSTNAME in 25+. KC_PROXY has also been removed as of 26.0.0:
https://www.keycloak.org/docs/latest/upgrading/index.html#new-hostname-options
https://www.keycloak.org/docs/latest/upgrading/index.html#deprecated-proxy-option
This page describes how to map command line params to their envvar equivalents:
https://www.keycloak.org/server/configuration
(Environment variable format - Values for environment variables use the uppercased KC_<key_with_underscores>= format.)

codwow · 2025-01-24T22:16:01Z

codwow
Jan 24, 2025
Author

I was able to get version keycloak 26.1.0 working. Im issue was I was trying to run keycloak in https and https even though it was behind a reverse proxy. I also needed to add the cas that signed the web certificate to stig manager. I don't know why this was working with earlier versions of keycloak but I guess they fixed some issues which caused stig manager to freak out since I didn't provide the ca certs

4 replies

jace5869 Apr 25, 2025

I'm trying to get 26.x working and encountering all kinds of issues. Is it possible you could post your docker-compose file?

codwow Apr 25, 2025
Author

I'm using podman without docker compose but here are the create container commands

#!/bin/bash
podman create --name nginx \
  --replace --restart=unless-stopped --ip=10.89.0.13 --label=prod \
  -p 443:443 \
  -v /STIG-Manager/nginx/nginx.conf:/etc/nginx/nginx.conf \
  -v /STIG-Manager/nginx/[hostname FQDN].pem:/etc/nginx/cert.pem \
  -v /STIG-Manager/nginx/[hostname FQDN].key:/etc/nginx/privkey.pem \
  -v /STIG-Manager/DOD_CAs/dod_CAs.pem:/etc/nginx/dod-certs.pem \
  -v /STIG-Manager/nginx/index.html:/usr/share/nginx/html/registration/index.html \
  --network stig-manager-network \
  --cap-add "cap_net_bind_service" \
  --log-driver journald \
  registry1.dso.mil/ironbank/opensource/nginx/nginx:1.26.2

 #!/bin/bash
podman create --name stig-manager-auth-db \
  -p 3307:3306 \
  --replace --restart=unless-stopped --ip=10.89.0.14 --label=prod \
  -e MYSQL_DATABASE=keycloak \
  -e MYSQL_USER=[redacted] \
  -v stig-manager-auth-db:/var/lib/mysql \
  --secret=password-stig-manager-db-auth,type=env,target=MYSQL_PASSWORD \
  --secret=password-stig-manager-db-auth-root,type=env,target=MYSQL_ROOT_PASSWORD \
  --network stig-manager-network \
  --log-driver journald \
  registry1.dso.mil/ironbank/opensource/mysql/mysql8:8.0.36-ubi9 --innodb-buffer-pool-size=512M --sort_buffer_size=128M

#!/bin/bash
podman create --name stig-manager-auth \
  --replace --restart=unless-stopped --ip=10.89.0.11 --label=prod \
  -e KC_BOOTSTRAP_ADMIN_USERNAME=[redacted] \
  -e KC_PROXY-HEADERS=xforwarded \
  -e KC_HOSTNAME=https://[hostname FQDN]/keycloak/ \
  -e KC_HOSTNAME_ADMIN=https://[hostname FQDN]/keycloak/ \
  -e KC_SPI_X509CERT_LOOKUP_PROVIDER=nginx \
  -e KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT=SSL-CLIENT-CERT \
  -e KC_TRUSTSTORE_PATHS=/tmp/truststore.p12 \
  -e KC_TRUSTSTORE_FILE_PASSWORD=[redacted] \
  -e JAVA_OPTS="-Dkeycloak.profile.feature.upload_scripts=enabled --add-exports java.base/sun.security.provider=ALL-UNNAMED" \
  -e KC_FEATURES=fips \
  -e KC_FEATURES_DISABLED=kerberos \
  -e KC_TRANSACTION_XA_ENABLED=true \
  -e KC_DB=mysql \
  -e KC_USERNAME=[redacted] \
  -e KC_DB_URL_HOST=stig-manager-auth-db \
  -e KC_HTTP_ENABLED=true \
  -v /STIG-Manager/DOD_CAs/dod_CAs.p12:/tmp/truststore.p12 \
  -v /STIG-Manager/Keycloak/bc-fips-1.0.2.4.jar:/opt/keycloak/providers/bc-fips-1.0.2.4.jar \
  -v /STIG-Manager/Keycloak/bcpkix-fips-1.0.7.jar:/opt/keycloak/providers/bcpkix-fips-1.0.7.jar \
  -v /STIG-Manager/Keycloak/bctls-fips-1.0.19.jar:/opt/keycloak/providers/bctls-fips-1.0.19.jar \
  --secret=password-stig-manager-db-auth,type=env,target=KC_DB_PASSWORD \
  --secret=password-stig-manager-auth,type=env,target=KC_BOOTSTRAP_ADMIN_PASSWORD \
  --network stig-manager-network \
  quay.io/keycloak/keycloak:26.1.0 start

 #!/bin/bash
podman create --name stig-manager-db \
  -p 3306:3306 \
  --replace --restart=unless-stopped --ip=10.89.0.12 --label=prod \
  -e MYSQL_DATABASE=stigman \
  -e MYSQL_USER=[redacted] \
  -v stig-manager-db:/var/lib/mysql \
  --secret=password-stig-manager-db,type=env,target=MYSQL_PASSWORD \
  --secret=password-stig-manager-db-root,type=env,target=MYSQL_ROOT_PASSWORD \
  --network stig-manager-network \
  --log-driver journald \
  registry1.dso.mil/ironbank/opensource/mysql/mysql8:8.0.36-ubi9 --character-set-server=utf8

#!/bin/bash
podman create --name stig-manager \
  --replace --restart=unless-stopped --ip=10.89.0.10 --label=prod \
  -e STIGMAN_OIDC_PROVIDER=http://stig-manager-auth:8080/realms/stigman \
  -e STIGMAN_CLIENT_OIDC_PROVIDER=https://[hostname FQDN]/keycloak/realms/stigman \
  -e STIGMAN_DB_HOST=stig-manager-db \
  -e STIGMAN_CLASSIFICATION=U \
  -e STIGMAN_SWAGGER_ENABLED=true \
  -e STIGMAN_SWAGGER_SERVER=https://[hostname FQDN]/api \
  -e NODE_EXTRA_CA_CERTS=/tmp/certs.pem \
  -v /STIG-Manager/DOD_CAs/dod_CAs.pem:/tmp/certs.pem \
  --secret=password-stig-manager-db,type=env,target=STIGMAN_DB_PASSWORD \
  --network stig-manager-network \
  --log-driver journald \
  registry1.dso.mil/ironbank/opensource/stig-manager/stig-manager:1.5.7

jace5869 Apr 29, 2025

8000

Thank you! I think this will help with setting up 26.x.

Are you doing x509 CAC auth? I assume so since the kc_proxy_headers are there.
How are you mapping to users?
I'm trying to get LDAP working and when mapping using SubAltName it worked for most everyone except newer accounts. Looks like anyone newer than 1.5-2 years it couldn't parse their cert or something.

So I tried changing the flow to do Subject DN with expression and matching to user name which is employeeID (10 digit edipi)
That seems to be working for now but Ixo scantly get weird issues with LDAP sync.

Just curious how you're handling auth and accounts and such.

codwow Apr 29, 2025
Author

We match to the users CN or "issued to" for their x.509 cert. We don't integrate with AD due to how our environment is structured so we just manually create the users on request

Issues with using Keycloak 25.0.4 Receiving Ext.Ajax #1369

Uh oh!

Uh oh!

codwow Sep 9, 2024

Replies: 2 comments · 7 replies

Uh oh!

codwow Sep 10, 2024 Author

Uh oh!

cd-rite Sep 11, 2024 Maintainer

Uh oh!

codwow Oct 14, 2024 Author

Uh oh!

Uh oh!

cd-rite Oct 14, 2024 Maintainer

Uh oh!

codwow Jan 24, 2025 Author

Uh oh!

jace5869 Apr 25, 2025

Uh oh!

codwow Apr 25, 2025 Author

Uh oh!

jace5869 Apr 29, 2025

Uh oh!

codwow Apr 29, 2025 Author

codwow
Sep 9, 2024

Replies: 2 comments 7 replies

codwow
Sep 10, 2024
Author

cd-rite Sep 11, 2024
Maintainer

codwow Oct 14, 2024
Author

cd-rite Oct 14, 2024
Maintainer

codwow
Jan 24, 2025
Author

codwow Apr 25, 2025
Author

codwow Apr 29, 2025
Author