Configuring RH-SSO with TLS v1.3 using Elytron

Solution Verified - Updated

Environment

  • RH-SSO 7
  • TLS v1.3
  • Elytron
  • JDK 11

Issue

How can RH-SSO be configured to use TLS v1.3?

Resolution

To enable TLS v1.3 in RH-SSO using Elytron, you need:

  • A JKS keystore holding the server certificate and private key
  • A jboss-cli batch script (sso.cli, shown below) that configures the Elytron SSL context and binds it to the HTTPS listener
  • JDK 11 (the JSSE provider in JDK 11 supports TLS v1.3)

The batch file is as follows:

# Start batching commands

batch

# Add the keystore, key manager and ssl context configuration in the elytron subsystem

/subsystem=elytron/key-store=httpsKS:add(relative-to=jboss.server.config.dir,path=keycloak.jks,credential-reference={clear-text=password},type=JKS)
/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,credential-reference={clear-text=password})
/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.3"])
/subsystem=elytron/server-ssl-context=httpsSSC:write-attribute(name=cipher-suite-names,value=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256)

# Change the undertow subsystem configuration to use the ssl context defined in the previous step for https

/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=httpsSSC)

# Run the batch commands
run-batch

# Reload the server configuration
reload

For a complete walkthrough (keystore creation, running the script and verifying the result), see the Diagnostic Steps section below.

Diagnostic Steps

1. Creating a keystore with a self-signed certificate

When keytool asks the first question, "What is your first and last name?", supply the DNS name of the machine where the server is installed; this value becomes the certificate's CN and must match the host name clients connect to.
- For testing purposes, answer localhost.

The keystore file keycloak.jks must be placed in the <rhsso-install-dir>/standalone/configuration directory, which is the location that relative-to=jboss.server.config.dir in the CLI script resolves to.

$ cd <rhsso-install-dir>/standalone/configuration

# generate the keystore and self-signed certificate using keytool

$ keytool -genkey -alias localhost -keyalg RSA -keystore keycloak.jks -validity 10950
    Enter keystore password: password
    Re-enter new password: password
    What is your first and last name?
    [Unknown]:  localhost
    What is the name of your organizational unit?
    [Unknown]:  Keycloak
    What is the name of your organization?
    [Unknown]:  Red Hat
    What is the name of your City or Locality?
    [Unknown]:  Westford
    What is the name of your State or Province?
    [Unknown]:  MA
    What is the two-letter country code for this unit?
    [Unknown]:  US
    Is CN=localhost, OU=Keycloak, O=Test, L=Westford, ST=MA, C=US correct?
    [no]:  yes

2. Configuring RH-SSO to use TLS v1.3

2.1 RH-SSO Elytron sso.cli script

The sso.cli script below registers the keystore in the Elytron subsystem, builds a server SSL context restricted to TLS v1.3, and points the Undertow HTTPS listener at that context instead of the legacy security-realm.

sso.cli script

# Start batching commands

batch

# Add the keystore, key manager and ssl context configuration in the elytron subsystem

/subsystem=elytron/key-store=httpsKS:add(relative-to=jboss.server.config.dir,path=keycloak.jks,credential-reference={clear-text=password},type=JKS)
/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,credential-reference={clear-text=password})
/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.3"])
/subsystem=elytron/server-ssl-context=httpsSSC:write-attribute(name=cipher-suite-names,value=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256)

# Change the undertow subsystem configuration to use the ssl context defined in the previous step for https

/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=httpsSSC)

# Run the batch commands
run-batch

# Reload the server configuration
reload

Note:

The protocols attribute on the server-ssl-context enables TLS v1.3, but the TLS v1.3 cipher suites are configured separately through the cipher-suite-names attribute (cipher-suite-filter applies only to TLS v1.2 and earlier), so the ssl-context must also be updated with:

/subsystem=elytron/server-ssl-context=httpsSSC:write-attribute(name=cipher-suite-names,value=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256)

See also the JBoss EAP documentation, section 1.2.12, "Enabling support for the TLS 1.3 protocol with the OpenSSL provider".

2.2 Using sso.cli script

Make sure that RH-SSO is already up and running.

Run the following jboss-cli.sh command to execute the sso.cli script:

$ sh jboss-cli.sh --connect --file=sso.cli

The batch executed successfully
process-state: reload-required

Important note:
The server must be reloaded or restarted for the changes made by the sso.cli batch to take effect; the reload command at the end of the script does this, so if you run the commands without it, reload manually.

3. Testing

You can verify that the RH-SSO instance accepts a TLS v1.3 connection using openssl s_client; the "New, TLSv1.3, Cipher is ..." line and the Protocol/Cipher fields in the session block confirm the negotiated protocol and suite:

openssl s_client -connect localhost:8443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = US, ST = Carolina, L = Raleigh, O = Red Hat, OU = Support, CN = rootCA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, ST = Carolina, L = Raleigh, O = Red Hat, OU = Support, CN = rootCA
verify return:1
depth=0 C = US, ST = US, L = MA, O = Westford, OU = Keycloak, CN = localhost
verify return:1
---
Certificate chain
 0 s:C = US, ST = US, L = MA, O = Westford, OU = Keycloak, CN = localhost
   i:C = US, ST = Carolina, L = Raleigh, O = Red Hat, OU = Support, CN = rootCA
 1 s:C = US, ST = Carolina, L = Raleigh, O = Red Hat, OU = Support, CN = rootCA
   i:C = US, ST = Carolina, L = Raleigh, O = Red Hat, OU = Support, CN = rootCA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = US, ST = US, L = MA, O = Westford, OU = Keycloak, CN = localhost

issuer=C = US, ST = Carolina, L = Raleigh, O = Red Hat, OU = Support, CN = rootCA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2335 bytes and written 369 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 771B811F7A17BC1A7E45E4466E8279A9BE462F1E745EA8CFC399AC9B5F506E2B
    Session-ID-ctx: 
    Resumption PSK: F78BCECB47CF1DAA971A54D1E1BAAC8EA93C0469A59B486567924FC6659CA7079F41E882EEBC75D8C34219FF7E3658D0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 86 c0 38 e6 d2 80 9a 58-35 80 6f 17 0c b2 fd 55   ..8....X5.o....U
    0010 - 91 82 4d 17 d3 4d 81 ee-22 9f 71 a5 30 71 32 c5   ..M..M..".q.0q2.

    Start Time: 1669731596
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
read:errno=0
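The following script is an added example, not part of the Red Hat article, that automates the two ends of this procedure: a non-interactive equivalent of the keytool prompts in step 1, and a check of openssl s_client output that confirms the listener negotiated TLS v1.3 with one of the suites named in sso.cli (and that a TLS v1.2-only handshake is refused, which is what protocols=["TLSv1.3"] should produce). Assumptions: openssl and keytool are on PATH, the host and port are passed as arguments, the DN fields other than CN are placeholders, and the sample s_client output embedded below is constructed rather than captured.

```sh
#!/bin/sh
# Added example (not from the Red Hat article): create the keystore without
# prompts and verify, from openssl s_client output, that only TLS 1.3 with
# an allowed suite is negotiated. Host, port, DN and password are placeholders.

# Suites allowed by the cipher-suite-names attribute in sso.cli.
ALLOWED_SUITES="TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256"

# Constructed sample of the relevant s_client lines (not a real capture).
SAMPLE_OUTPUT='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
---'

# negotiated_protocol OUTPUT: print the protocol from the "New, <proto>, Cipher is <suite>" line.
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^New, \([^,]*\), Cipher is .*$/\1/p' | head -n 1
}

# negotiated_cipher OUTPUT: print the suite from that same line.
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^New, [^,]*, Cipher is \(.*\)$/\1/p' | head -n 1
}

# check_tls13_only OUTPUT: succeed only for a TLSv1.3 session using an allowed suite.
# A failed handshake prints "New, (NONE), Cipher is (NONE)" and is rejected.
check_tls13_only() {
    proto=$(negotiated_protocol "$1")
    cipher=$(negotiated_cipher "$1")
    [ "$proto" = "TLSv1.3" ] || return 1
    for s in $ALLOWED_SUITES; do
        [ "$s" = "$cipher" ] && return 0
    done
    return 1
}

# make_keystore FILE PASSWORD HOSTNAME: non-interactive form of the step 1 keytool
# prompts; CN and the SAN carry the host name, the other DN fields are placeholders.
make_keystore() {
    keytool -genkeypair -alias "$3" -keyalg RSA -keysize 2048 -validity 10950 \
        -keystore "$1" -storetype JKS -storepass "$2" -keypass "$2" \
        -dname "CN=$3, OU=PLACEHOLDER_OU, O=PLACEHOLDER_ORG, L=PLACEHOLDER_CITY, ST=PLACEHOLDER_STATE, C=US" \
        -ext "SAN=dns:$3"
}

# probe_tls13 HOST PORT: live check against a running server that TLS 1.3 is
# negotiated with an allowed suite (needs network access; not run offline).
probe_tls13() {
    out=$(openssl s_client -connect "$1:$2" -tls1_3 </dev/null 2>/dev/null)
    check_tls13_only "$out"
}

# probe_tls12_refused HOST PORT: succeed when a TLS 1.2-only handshake does not
# complete, i.e. protocols=["TLSv1.3"] is in effect. An empty protocol (no
# connection at all) is treated as a failure so it is not mistaken for a refusal.
probe_tls12_refused() {
    out=$(openssl s_client -connect "$1:$2" -tls1_2 </dev/null 2>/dev/null)
    proto=$(negotiated_protocol "$out")
    [ -n "$proto" ] && [ "$proto" != "TLSv1.2" ]
}

# Offline demonstration against the constructed sample.
if check_tls13_only "$SAMPLE_OUTPUT"; then
    echo "TLS 1.3 negotiated with $(negotiated_cipher "$SAMPLE_OUTPUT")"
fi
```

To use it against a live server after running sso.cli and reloading, source the file and call `probe_tls13 localhost 8443` followed by `probe_tls12_refused localhost 8443`; both should return 0. The suite list is checked exactly, so a suite that JSSE enables by default but that is not in the cipher-suite-names value (for example TLS_AES_128_CCM_SHA256) is reported as a failure, which is the point of the check.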

4. Misc / Debugging tips

To debug the TLS handshake, start RH-SSO with JSSE debug logging enabled; the handshake messages, including the negotiated protocol version and cipher suite, are written to the server output:

$ sh standalone.sh -Djavax.net.debug=ssl,handshake

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.