This is an example orchestration for deploying STIG Manager with support for user authentication incorporating the U.S. Department of Defense Common Access Card (CAC). The example supports connections to and from localhost
only and is NOT intended for production use.
nginx
executes a TLS stack with client certificate verification and listens on a front channel HTTPS port.nginx
proxies traffic tostigman
andkeycloak
which are listening on back channel HTTP ports.stigman
communicates withkeycloak
andmysql
using their back channel ports.browser with CAC
connects tonginx
on the front channel HTTPS port and requests resources fromstigman
andkeycloak
.
This general architecture can be implemented with a wide range of technologies, from bare-metal deployments to complex containerized orchestrations. The example uses a simple docker-compose orchestration.
- Recent Windows, Linux, or macOS
- CAC reader configured for your OS
- docker
- docker-compose
- Chrome, Edge, or Firefox browser
The example uses a server certificate issued to the host localhost
and signed by a CA named demoCA
. For the example to work, you must (temporarily) import trust in your browser for the demoCA
certificate, found at certs/ca/demoCA.crt
.
How you do this varies across operating systems and browsers. For Windows, you import the certificate into "Trusted Root Certification Authorities". You should remove the certificate when finished running the orchestrations.
You have two options:
-
If you have
git
installed, clone this repository. Then change to the newly created directory. -
Download a ZIP of this repository using the green Code button above. Extract the archive to an appropriate directory and change to the newly extracted directory.
docker-compose up
The orchestration's container images will be downloaded if they are not already available on your system. How long this takes depends on your connection speed and registry performance. Once all container images are available, the orchestration will start.
The orchestration has successfully bootstrapped when you see a started
message like this from the STIG Manager API:
{"date":"2022-10-01T18:04:26.734Z","level":3,"component":"index","type":"started","data":{"durationS":21.180474449,"port":54000,"api":"/api","client":"/","documentation":"/docs"}}
Once STIG Manager has started, navigate your browser to:
https://localhost/stigman/
- You are prompted by your browser to select a certificate from your CAC. You may be asked to enter the PIN for your CAC if you have not done so previously.
- The STIG Manager Web App begins to load and redirects your browser to Keycloak for authentication.
- You are prompted by Keycloak to start a Single-Sign On session using your certificate's Common Name (CN) field as the username.
- The STIG Manager Web App finishes loading and uses the OAuth2 token generated by Keycloak to make requests to the STIG Manager API on your behalf.
You can access the Keycloak admin pages by navigating to:
https://localhost/kc/admin
Login with the credentials admin/Pa55w0rd
Type Ctrl-C
to end the orchestration, followed by:
docker-compose down
After using Chrome to HTTPS connect to
https://localhost
, you may find Chrome will no longer make HTTP connections tohttp://localhost:[ANY_PORT]
. Once you're finished with the example, see this note for how to remedy this.
Client certificate authentication is required for access to the Keycloak authorization endpoint. Client certificate authentication is optional for API endpoints since access to the API is controlled by OAuth2 tokens.
Nginx requires a PEM file containing certificates for the DoD Root CA and Intermediate CAs used to sign CAC certificates.
The example provides the file
certs/dod/Certificates_PKCS7_v5.9_DoD.pem.pem
for this purpose, which is mounted to the Nginx container at/etc/nginx/dod-certs.pem
You can review the file nginx/nginx.conf
.
The environment variables STIGMAN_OIDC_PROVIDER
and STIGMAN_CLIENT_OIDC_PROVIDER
are set to the Keycloak back channel and front channel realm URLs, respectively.
The Keycloak Guides provide documentation on configuring Keycloak for many deployment scenarios including this example orchestration.
During startup, Keycloak imports a realm configuration file which includes the X.509 Browser
Authentication Flow to support X.509 certificate mapping. This Keycloak documentation describes how to configure authentication flows to include X.509 client certificates.
The example uses a custom provider modified from this project that extends the built-in X.509 authenticator. The custom provider will create a new user account if a certificate cannot be mapped to an existing account. The provider file is kc/create-x509-user.jar
which is mounted to the Keycloak container at /opt/keycloak/providers
.
Keycloak behind Nginx requires a keystore that contains certificates for the DoD Root CA and Intermediate CAs used to sign CAC certificates.
The example provides the file
certs/dod/Certificates_PKCS7_v5.9_DoD.pem.p12
for this purpose, which is mounted to the Keycloak container at/tmp/truststore.p12
chrome://net-internals/#hsts
- Delete domain security policies
chrome://settings/clearBrowserData
- Cached images and files