Certificates and settings for EvaluateSTIG to send findings to stig-manager

[hearts1137]

Hi,

I recently got an instance deployed of stig-manager using self provided certificates. STIG-Manager is running fine with a domain and valid cert.

What I am now attempting to do is tell EvaluateSTIG to send it's results to my instance. Using the latest version 1.2404.0. There's not a lot of settings to configure for the integration but I can't seem to crack the code for uploads.

This is from the EvaluateSTIG preferences.xml file
<SMImport_API_BASE>https://mysite.com/api</SMImport_API_BASE> <SMImport_AUTHORITY>https://mysite.com/kc/realms/stigman</SMImport_AUTHORITY> <SMImport_COLLECTION Name="collection1"> <SMImport_CLIENT_ID>stig-manager</SMImport_CLIENT_ID> <SMImport_CLIENT_CERT>C:\Users\Admin\Downloads\Evaluate-STIG\Prerequisites\Certificates\localhost.crt</SMImport_CLIENT_CERT> <SMImport_CLIENT_CERT_KEY></SMImport_CLIENT_CERT_KEY> <SMImport_COLLECTION_ID>1</SMImport_COLLECTION_ID> </SMImport_COLLECTION> </STIGManager>

Some of the errors I get are
ERROR: Exception calling "CreateFromPemFile" with "1" argument(s): "The key contents do not contain a PEM, the content is malformed, or the key does not match the certificate.
ERROR: Unable to create Access Request Token. ERROR: Unable to obtain stig, aborting...
2024-05-20 14:09:18,089 WARN [org.keycloak.events] (executor-thread-1) type=CLIENT_LOGIN_ERROR, realmId=stigman, clientId=stig-manager, userId=null, ipAddress=172.19.0.1, error=invalid_client_credentials, grant_type=client_credentials
I saw an error once that said something like the certificate supplied must have a plain text key in it or else the key must be specified and the passphrase.

Given the provided repo here; https://github.com/NUWCDIVNPT/stigman-orchestration/tree/demo-auth-no-CAC what is the right combination of certificates to use and where to put them?

Also, the EvaluateSTIG preferences.xml file asks for the SMImport_COLLECTION_ID and says Required. The collectionID of your desired collection. This can be found by a user with Manage permissions on the collection. After selecting to manage the collection, reference the "ID" value in the Collection Properties window.
I don't see ID anywhere in collections or manage collection.

Thanks!

[csmig]

I'd suggest reaching out to the Evaluate-STIG team for guidance. But from what I can see above, Evaluate-STIG is configured to authenticate using the OIDC Signed JWT method, which requires a private key and, usually, the passphase for that key. It may be that Evaluate-STIG refers to the key as a "cert" (the error message refers to the PEM not containing a key) but now I'm getting beyond my area of knowledge.

[csmig]

Actually, it is clear I'm not an Eval-STIG expert! When I look more closely, it seems the Eval-STIG config file refers to both a CERT and an KEY. The CERT might be the server cert which would be used to validate the TLS session over which a client authentication occurs. The KEY is likely to be the private key used for that authentication. Apologies in advance if I keep getting this wrong because I'm wandering outside the STIG Manager swim lanes...

[hearts1137]

@csmig thanks for jumping in and trying to help. Much appreciated.
https://github.com/NUWCDIVNPT/stigman-orchestration/tree/1edfe662edd301b5d50b2fa2ec24ba4022946f3b/certs/localhost
I am trying to use the local server TLS cert and corresponding private key from the posted repo. Additionally, I have STIG-Manager running in an air-gapped environment with DISA NPE certificates and have the .cer and .key file on the system running EvaluateSTIG. No joy on either system in getting Eval-STIG to send results to STIG-Manager. Looks like I'm headed to the spork for assistance.

[csmig]

The collectionId is the number in parenthesis at the top of this image:

[hearts1137]

Thanks @cd-rite I created a jks file. Installed java to get the keytool application and performed the following;

PS C:\Program Files (x86)\Java\jre-1.8\bin> .\keytool.exe -importkeystore -srckeystore "C:\Users\Admin\Downloads\Evaluate-STIG\Prerequisites\Certificates\keystore.jks" -destkeystore "C:\Users\Admin\Downloads\Evaluate-STIG\Prerequisites\Certificates\keystore.p12" -deststoretype PKCS12
Importing keystore C:\Users\Admin\Downloads\Evaluate-STIG\Prerequisites\Certificates\keystore.jks to C:\Users\Admin\Downloads\Evaluate-STIG\Prerequisites\Certificates\keystore.p12...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias evalstig successfully imported.
Entry for alias stigman successfully imported.
Import command completed: 2 entries successfully imported, 0 entries failed or cancelled
Warning:
uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.

PS C:\Program Files (x86)\Java\jre-1.8\bin> .\keytool.exe -deststoretype PKCS12 -keystore "C:\Users\Admin\Downloads\Evaluate-STIG\Prerequisites\Certificates\keystore.p12" -list
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 2 entries

evalstig, May 27, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 19:54:FD:BE:04:11:36:DE:13:9B:ED:73:FA:05:86:60:7D:8C:06:13:3D:74:59:7A:6D:4C:F9:0A:D0:ED:61:6A
stigman, May 27, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 3B:C6:7C:85:36:4F:B8:6D:B3:91:7D:C9:20:04:56:9B:D0:75:D2:56:7D:0D:CF:34:F2:58:BE:75:49:F4:D7:4F
Warning: uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.

openssl pkcs12 -nokeys -in keystore.p12 -out cert.pem
openssl pkcs12 -nocerts -nodes -in keystore.p12 -out keyfile.key

I then updated Preferences.xml for EvaluateSTIG to reference the pem and key file

.\Evaluate-STIG.ps1 -SelectSTIG MSEdge -Output Summary, STIGManager -SMCollection stigman -SMPassphrase password

I am still getting the same error
<![LOG[ERROR: Exception calling "CreateFromEncryptedPemFile" with "3" argument(s): "The key contents do not contain a PEM, the content is malformed, or the key does not match the certificate."]LOG]!>

The PEM file looks like it has two different certificates in it. Not concerned about posting a certificate that is only usable on my localhost. 1) because it isn't working and 2) I will be deleting the certificate entry in keycloak because it isn't working :(

Bag Attributes
friendlyName: evalstig
localKeyID: 54 69 6D 65 20 31 37 31 36 38 34 30 35 37 30 35 37 31
subject=CN=evalstig
issuer=CN=evalstig
-----BEGIN CERTIFICATE-----
MIICnzCCAYcCBgGPu6F1MzANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhldmFs
c3RpZzAeFw0yNDA1MjcxOTU2MTFaFw0zNDA1MjcxOTU3NTFaMBMxETAPBgNVBAMM
CGV2YWxzdGlnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyWEKve0q
/KtULqr9rYaI/dJeO/SiJjOpOt6bwoVVzpuQwCzbV3fqxncjOjYNtXIvjKhqTSWN
YSE7os955/wUCiD0vw+NBtWHM942mS2ITfsXNZ+WorlVn0cSKJkx23wMZ64/hJ3k
64QO8CxCq8zw0utbuvb0y8f3EKrcKcX/nr3LeBfNwkznSMzx8+nIskOkh8VFOAHY
osbP668GqDDZfNnimg05NJoLHW8OvfQgcuKCP0ifFr50IDepDXj30ltp/vByFGWh
ESynDeFkmIbLky+9KN9X+WY+ouT133xYUPHKx/OrF0+yVF3TBf1WfCmZktf0F9MF
Mvuzg5FI4Bvz0QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAEChg7DUt5LYCoZkPB
rsG7lMqXVQSDHFMp9BbjGS6IwfcvGWUgmFl5XsmO5+8nKs9ADcaJf8q0eND85cB5
BfgE1UaBOc8BxDIWpUUcb/Ghw/OKhr80iDz+YFAMmO6hwSBOK9XmCEU8PflzaRfC
V7YAO11lSgk8idUq4c/ynNpMh4rqADwZ7sDd7Jp713Ro/pgZUO4KiRxzCy9foh2e
W8coUNu1FgmHwHxTugZRk1TfACTZKSEAPVt1YSDq0mrlOjmyxgMRADBovOBGFxPA
QAhJj2TJ3w5crhqP7H8nRxToKrjGz5HD25TFwvmYlGUojDMs3ob++EKRljKrJKiy
lAUB
-----END CERTIFICATE-----
Bag Attributes
friendlyName: stigman
Trusted key usage (Oracle): Any Extended Key Usage (2.5.29.37.0)
subject=CN=demo
issuer=CN=demo
-----BEGIN CERTIFICATE-----
MIIBkTCB+wIGAWuJ5WIOMA0GCSqGSIb3DQEBCwUAMA8xDTALBgNVBAMMBGRlbW8w
HhcNMTkwNjI0MTQyODU5WhcNMjkwNjI0MTQzMDM5WjAPMQ0wCwYDVQQDDARkZW1v
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5m
c7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4
kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2
NjsSAVcWEQMVhJ31LwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAJCiHCl/okF0Qg5m
Dtn53EJjRS3+RFgcu2op4mNv2LXyUXi7JXPM1YmzipN/simV69tMr/FfcvmtBfOG
T/f8hd6xFKYGpSXheZcupRhD89nbEe25U5POiIWQNIPwJdxzxG6mERLcHnxv4Ax3
WyIReflvs8Uk/dnk1dV6S622lqYP
-----END CERTIFICATE-----

and the key file
Bag Attributes
friendlyName: evalstig
localKeyID: 54 69 6D 65 20 31 37 31 36 38 34 30 35 37 30 35 37 31
Key Attributes:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDJYQq97Sr8q1Qu
qv2thoj90l479KImM6k63pvChVXOm5DALNtXd+rGdyM6Ng21ci+MqGpNJY1hITui
z3nn/BQKIPS/D40G1Ycz3jaZLYhN+xc1n5aiuVWfRxIomTHbfAxnrj+EneTrhA7w
LEKrzPDS61u69vTLx/cQqtwpxf+evct4F83CTOdIzPHz6ciyQ6SHxUU4Adiixs/r
rwaoMNl82eKaDTk0mgsdbw699CBy4oI/SJ8WvnQgN6kNePfSW2n+8HIUZaERLKcN
4WSYhsuTL70o31f5Zj6i5PXffFhQ8crH86sXT7JUXdMF/VZ8KZmS1/QX0wUy+7OD
kUjgG/PRAgMBAAECggEALBgRkBC0Tur83dMXBL3mlR1RAPPJ5W9+aKOBm5Ayf7DU
ex/XT0m0oIxJrF9VlRtRigz+abIFSPVL55RibwdlI+qfbI5tJMfweMz5S4UKyXhn
VpiBFVRbiSq4sScKIbMBzFn9En64N1GNK82lM5UGTki2pzOX2l8InB+tYYA3PnyQ
Z7HJuLirK1Ha1El0wMXePufpkc2h4bgdJ6UXiLbUBidSSktAHO5KAmPprN64uAix
iXbGAZp9WMLif31PdMJfxZp32B67kCPGzAwJNFZFB4f7hqrXCsZqX9OeEjQ8JLJj
llbHBpmMTCs1CTskTDSIe5UBJIZnsANGCXMCrR65IQKBgQD8jsCpzQC637gAY6QU
KbsxKjzBRZdKDC32n1i8zJAALWA8PBkaDemByhu8VsPg/GZMT/9CB6Do/NvaJku7
HP+6iOJZsF80ZLMJWDfwwFHG17LJvOSi54pxe38w7+gg+k4BZScXyzajd1TLcvY3
Y5koYhF0Re+MebYralc5H9YZNQKBgQDMH7ZhGoo40769SmgnKtPk/Zai0JIYbfVQ
eMoMGascg1Q/+U9h53Vc9r0cOkvxRpQEOv4pI4PkEI0qhWsfxWq7jpADlEDfgqKG
DqrSWk3Bccq/te+wApj0CkiDkwVimdmxd7yH7TdMWBo9w3oyMjPy4hyCbtCX5my0
70jm5VGfrQKBgB+Owto0yHuRSs+Zo731PPO2wGKyDGZvQSsI3DCzKucqxFSiecx8
oonaND8DZHRvdWThthaNF3klZ19J27qks/ud8RKd7DeCwbBQOqU1ksJS338/wB3u
6qilcs4tnAbK4AZimlDpzoj8dzb4xXVEV7XpEx9BQd5+stmX7xAvPzRlAoGADk1q
igNCDBlKFBlSkuv9TN4339Cda/jIZ4sPHSnvQ2AwVwsw9LszDgB73652A8HePS2l
AVzrsN84BPK0PtWmVN34WUfaA88zdBEzBuos6JEAk847rSmBbhgKXK3Agtgk2Lp7
C0sjxMWnkQxRU5MQ8MPHG5yIIRyUIVli0krfHUECgYEArGxAM307t0puTYJNbYf4
spEY58FZ/hTgTkeLzyZSxFlf/vnW3c+hHss7xSJ/MS+ZJayRPExFEQsuHolzyPp0
2EUUflC9sip64mRIxXWt62cJJIMZdMgOXABYQAsGhhj5v5Hf9VkKJh4iGHeysTLY
+Rf+LG3/E19VvenjBavLjqE=
-----END PRIVATE KEY-----

This is really complicated stuff. Certificates always make it complicated.

[cd-rite]

Hi @hearts1137
It may be simpler to just create the keys as .p12 and just using OpenSSL to convert them to .pem, rather than using the java keytool, unless you need to do it that way for some reason.

Beyond that, there's not much we can do to help... I think the Eval-STIG team may be better able to help you.

[hearts1137]

@cd-rite I chose the jks file because I was unable to produce anything with the p12 downloaded from keycloak. I googled and tried different combinations but was unable to make it work.

openssl pkcs12 -nokeys -in keystore.p12 -out cert.pem
C:\Users\Admin\Downloads\Evaluate-STIG\Prerequisites\Certificates>openssl pkcs12 -nokeys -in keystore.p12 -out cert.pem
Enter Import Password:
Error outputting keys and certificates
CC470000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

That bottom error was there in every different combination of openssl commands I tried.

Regarding who should support, that's a tough one. Both programs offer a feature that collaborates with the other. None of it is well documented. I go to EvaluateSTIG and ask for help and they tell me it is a STIG-Manager issue because EvaluateSTIG does not provide or produce keys, STIG-Manager does. I come here for support and get told to go to EvaluateSTIG for support. Both offices have working products so who should lead the effort to document how to make them work together? Why offer it is a feature if nobody can use it?

I'm stuck in the middle with two working applications that I can't figure out how to get to talk to each other. Much like each program's support teams. The last message from EvaluateSTIG was that "I am not a keycloak admin" which I interpret as they can't be bothered to use your non CAC repo and docker, even though I mentioned how easy it is to stand up. And it is, just like using EvaluateSTIG, super easy to use. Why can't it be easy to get them talking to each other?

[cd-rite]

Hi @hearts1137 The error you are receiving tells you there is a problem with your PEM file. Neither team is responsible for this. If you want to use Eval STIG in that way, you'll need to figure that out, but at this point neither STIG Manager nor EvalSTIG is really involved.

If you are having trouble with Eval-STIG importing into STIGMan, why not just use STIGMan Watcher, which supports Client Id/Client Secret authentication?
https://github.com/NUWCDIVNPT/stigman-watcher

[hearts1137]

Hi @hearts1137 The error you are receiving tells you there is a problem with your PEM file. Neither team is responsible for this. If you want to use Eval STIG in that way, you'll need to figure that out, but at this point neither STIG Manager nor EvalSTIG is really involved.

If you are having trouble with Eval-STIG importing into STIGMan, why not just use STIGMan Watcher, which supports Client Id/Client Secret authentication? https://github.com/NUWCDIVNPT/stigman-watcher

Why not use watcher? Feels like giving up. This is a solvable problem and I will solve it, eventually. And I will document it so other dummies like me can get up and running with as little pain as possible.

But specifically, we do not have a central file share in any of our enclaves to drop the Evaluate-STIG results to. With a mix of Windows and RHEL, we schedule the scan to run and want the results saved locally (easy) and also uploaded to STIG-Manager for all to collaborate on (extremely difficult).

I was told by the Evaluate-STIG team that the PEM file I need would be the same one used for watcher. So I found the wiki with steps to create the necessary files. https://github.com/NUWCDIVNPT/stigman-watcher/wiki/Requirements-and-Configuration#signed-jwt-authentication-setup-guide

"This would be the same pem file that would be used for STIGMan Watcher. https://github.com/NUWCDIVNPT/stigman-watcher"

I've tried all the different combinations of the output files and still have no success in uploading scan results to STIG-Manager.

C:\Users\Admin\Downloads\Evaluate-STIG> .\Evaluate-STIG.ps1 -SelectSTIG MSEdge -Output Summary, STIGManager -SMCollection stigman -SMPassphrase password

STIGs to process - 1
Uploading to STIG Manager...
Processing 59 Vulnerabilities...
ERROR: Unable to create Access Request Token.
ERROR: Unable to obtain stig, aborting...

2024-05-28 09:21:16 2024-05-28 14:21:16,714 WARN [org.keycloak.events] (executor-thread-28) type=CLIENT_LOGIN_ERROR, realmId=stigman, clientId=evalstig, userId=d6eb8a12-0a70-4c14-b449-2eb48f5896bd, ipAddress=172.18.0.1, error=invalid_request, grant_type=client_credentials, client_auth_method=client-jwt, username=service-account-evalstig

[randoms7ring]

Joining this thread a bit late, but with a solution! This was a pain and more difficult then it needs to be so hopefully this will help a lot of people. This was all retyped, apologize if there is a typo in one of the longer commmands/code blocks if someone copy pastes and it doesnt work.

The setup this is working on:

RHEL 8.10

• FIPS mode enabled
• Nginx as a front end for STIG-Manager as provided with RHEL
• Mysql as the backend database for keycloak as provided with RHEL
• RH Build of Keycloak, 24.06, also in FIPS mode using bouncycastle (not in strict mode, RH documentation says it may not work with pkcs12 and I didn't want to add yet another variable to troubleshoot...)
• Self signed root CA with openssl that signed the certs for keycloak, stig-manager and nginx, imported into trust store on RHEL and on Windows client host, real certs would be preferred but I work with what I got.

STIG-Manager 1.4.13

• Runs as a container on the above RHEL host with podman
• Mapped Root CA with volumes: and NODE_EXTRA_CA_CERTS= into the stigman container.
• Normal user authentication is username/password in this environment, Evaluate-STIG will use a cert though.

Evaluate-STIG (ES) 2407.0

• This version came with a guide for STIG-Manager, it didn't work for me but did give a good set of configurations to start from and can be followed but modified as described later.

Windows Server 2019

• FIPS enabled, though .NET seems like it needs additional configuration and doesn't follow the system level setting to ensure that it is. The command to check in powershell that should return true. In my case this is currently false.

[System.Security.Cryptography.Cryptoconfig]::AllowOnlyFipsAlgorithms

• Runs ES against targets

Issues Encountered & Resolutions

The ES STIG-Manger guide that was included in the ES 2407.0 has the following issues

• No "-legacy" flag in openssl, don't use that flag
• Must have full path to the key/cert files in preferences.xml
• Signature Algorithm must be RS256 signature (possibly other FIPS compliant one, before Keycloak was in FIPS, i left it at 'any algorithm', openssl on a linux FIPS host could not extract the key/cert due to that - note @hearts1137 that appears what your most recent openssl error is related too, RC2-40-CBC doesn't sounds like a FIPS compliant algorithm and if your openssl was not fips, it did not support that algorithm anyways ) RS512 also does not work, I tried that first.
• Scopes list MUST be
• • stig-manager:stig:read
• • stig-manager:collection
• • stig-manager:user:read (not just user as in the guide)

Following the ES STIG-Manger guide after correcting the first two bullets above you still get this generic error when running ES.

ERROR: Unable to create Access Request Token

By default Keycloak also doesn't log events, so if you enable event logging in the realm you would see another error, CLIENT_LOGIN_ERROR that looks like the below for the client evaluatestig.

grant_type client_credentials
client_auth_method client-jwt
username service-account-evaluatestig
error invalid_request

*Note "service-account-evaluatestig" is not the grant name to provision in STIG-manager, it is the clientID configured in Keycloak, which in my case is "evaluatestig"

After a lot of Duck Duck Go to no avail, I decided to look at how ES interacts with STIG-manager, all of the relevant code is in Modules\Master_Functiuons\STIGManager\STIGManager.psm1. There is a try/catch block in there that hides the true error and outputs the generic error stated above. Ripping all of this out into a new powershell script and modifying the variables so it just tries to read the cert/key, get a token directly without doing anything else and getting rid of the try/catch yielded:

$cert = [system.security.Cryptography.X509Certificates.X509Certificate2]::CreateFromEncryptedPemFile($SMImport_CLIENT_CERT, $SMImport_PASSPHRASE, $SMImport_CLIENT_CERT_KEY)
Exception calling "CreateFromEncryptedPemFile with "3" arguument(s): "The EncryptedPrivateKeyInfo structure was decoded but was not successfully interpreted, the password may be incorrect."

As that failed the follow on code that tried to create a JWT and get a token via Keycloak would fail, and that caused the the logs/events present in Keycloak as described above.

My certificate was not incorrect, and the password is correct, openssl decodes it just fine and you can validate your certs with

openssl pkey -in evaluatestig.key.pem --check

So that's a bummer, some more Duck Duck Go but nothing caught my eye but ES also lets you just give it a cert with an unencrypted key in it, so lets try that! In a lot of cases it is probably some person running ES and typing in the passphrase on the terminal anyways but if someone can get around the issue with the Crypto call in powershell then you could go back to an encrypted key.

openssl pkcs12 -nodes -in keystore.p12 -out evaluatestig.pem
openssl pkey -in evaluatestig.pem --check

The preferences.xml file should now look like this:

<STIGManager>
  <SMImport_API_BASE>https://stigman-fqdn/api</SMImport_API_BASE>
  <SMImport_AUTHORITY>https://keycloak-fqdn/realms/stigman<SMImport_AUTHORITY>
  <SMImport_COLLECTION Name="Whatever-it-is">
    <SMImport_CLIENT_ID>evaluatestig</SMImport_CLIENT_ID>
    <SMImport_CLIENT_CERT>C:\path\to\evaluatestig.pem</SMImport_CLIENT_CERT>
    <SMImport_CLIENT_CERT_KEY></SMImport_CLIENT_CERT_KEY>
    <SMImport_COLLECTION_ID>$The_ID_Number</SMImport_COLLECTION_ID>
  </SMImport_COLLECTION>
</STIGManager>

Once that was fixed, it still did not work and I received a new error message in my powershell script at the Invoke-RestMethod section

{ "error": "invalid_client", "error_description": "invalid signature algorithm" }

As stated in bullet # 3 of the ES issues, RS256 works, RS512 does not, unknown if anything else other then RS256 will work. Regenerating the evaluatestig clientID pkcs12 file with RS256 and exporting the new cert solved this issue.

And running it again now produced the last error which was

{ "error": "invalid_scope", "error_description": "invalid scopes: stig-manager:stig:read stig-manager:collection stig-manager:user:read" }

Changing the client scopes in Keycloak to match what ES is sending as stated in bullet # 4 of the ES issues fixed that.

And now your ES instance should be able to send to STIG-Manger automatically, when you run ES, you should no longer get an generic error and instead at the end of the scan see

Attempting upload of $some_number Reviews...

Keycloak events should also show successful CLIENT_LOGIN events for the client evaluatestig that look like:

token_id    $THE_TOKEN
grant type  client_credentials
scope stig-manager:stig:read stig-manager:collection stig-manager:user:read
client_auth_method  client-jwt
username service-account-evaluatestig

Hope this is of use to others out there!

[hearts1137]

@randoms7ring Thanks for the write up. It's not clear if you are using the https://github.com/NUWCDIVNPT/stigman-orchestration/tree/demo-auth-no-CAC official repo or if you built a RHEL 8 box from scratch and configure everything manually. Some insight into how you configured certificates for everything would illuminate things because as of now, it's hard to tell how your system is setup.

If you used docker, did you create a modified docker-compose file?

I tried your suggestions, which I think only differ from the official guide when it comes to the keycloak realm stigman - clients - evaulatestig - credentials - RS256 (vs any algorithm) and the method to which the .pem file is created.

Errors I got when trying your openssl command
[nessus@nessus8 ~]$ openssl pkcs12 -nodes -in keystore.p12 -out evaluatestig.pem Enter Import Password: Error outputting keys and certificates 140511723050816:error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS:crypto/evp/evp_enc.c:227: 140511723050816:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:crypto/evp/evp_pbe.c:131: 140511723050816:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:crypto/pkcs12/p12_decr.c:41: 140511723050816:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:94: [nessus@nessus8 ~]$ cat /etc/redhat-release Red Hat Enterprise Linux release 8.10 (Ootpa) [nessus@nessus8 ~]$ openssl version OpenSSL 1.1.1k FIPS 25 Mar 2021 [nessus@nessus8 ~]$ update-crypto-policies --show FIPS

Ran the same command on a debian box with no errors. Attempted to use the pem file in the preferences.xml and running
.\Evaluate-STIG.ps1 -SelectSTIG MSEdge -Output STIGManager -SMCollection collection and received the error
STIGs to process - 1 Uploading to STIG Manager... Processing 59 Vulnerabilities... ERROR: Unable to create Access Request Token. ERROR: Unable to obtain stig, aborting... Done! Total Time : 00:00:07.3353773

Here is my preferences.xml file
<STIGManager> <SMImport_API_BASE>https://localhost/api</SMImport_API_BASE> <SMImport_AUTHORITY>https://localhost/realms/stigman</SMImport_AUTHORITY> <SMImport_COLLECTION Name="collection"> <SMImport_CLIENT_ID>evaluatestig</SMImport_CLIENT_ID> <SMImport_CLIENT_CERT>D:\Downloads\stigman-orchestration-demo-auth-no-CAC\evaluatestig.pem</SMImport_CLIENT_CERT> <SMImport_CLIENT_CERT_KEY></SMImport_CLIENT_CERT_KEY> <SMImport_COLLECTION_ID>1</SMImport_COLLECTION_ID> </SMImport_COLLECTION> </STIGManager>

Here is the error from keycloak running in docker
2024-09-01 18:50:01 2024-09-01 23:50:01,224 WARN [org.keycloak.events] (executor-thread-10) type=LOGIN_ERROR, realmId=stigman, clientId=stig-manager, userId=bf87a16f-39e6-46d9-8971-f0ef51dd3f85, ipAddress=172.18.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost/stigman/, code_id=cd737427-46d7-42f2-bd5e-0c0a1cf35404, username=admin

Any help would be appreciated and thanks again for offering to help out with the collaboration between STIG-Manager and Evaluate-STIG.

[randoms7ring]

@hearts1137 The only container I am using is the stig-manager application (using podman not docker, since podman is included with RHEL negating needing to manage yet another piece of software outside dnf), not the Iron Bank version, though using that should be no issues. I attempted to start with the orchestration-no-cac at the start but while it was a good starting point to see what is needed and how pieces interact I found it not ideal, so I de-dockerized the setup.

Everything else is running direct on RHEL 8.10 provided by/managed by dnf except keycloak, which is downloaded from Red Hat, unziped configured and 'built' (kc.sh build) so it can then be ran optimized at startup. Much easier to both fiddle with settings and use specific/latest versions to get it all working this way for me.

Your openssl issue looks to be a FIPS one still, whatever instance of keycloak you are generating the pkcs12 file on is using algorithms that are not FIPS compliant. This part of the error tells you that when you try to extract the cert from the exported pkcs12 keystore:

digital envelope routines:EVP_CipherInit_ex:disabled for FIPS:crypto/evp/evp_enc.c:227

Although the container may be running on a FIPS enabled host, that does not automatically mean operations in it are FIPS compliant or respecting the underlying OS setting. Keycloak itself by default is not FIPS enabled. When you use a openssl as installed direct on your RHEL 8.10 FIPS enabled host to extract the cert from it it fails. When you used debian it worked because openssl as included with debian by default does not enforce FIPS. While I didn't inspect the orchestration container it is super old at keycloak 19 (unless you manually changed it) and I very much doubt keycloak is FIPS enabled in it.

My guess is that it still doesn't work even after you use debian to extract it because you are running ES on a host with FIPS enabled so that can't process the extracted file either.

I'll try to do a write up to create the entire environment from scratch, including the certificate setup so remote clients can access stig-manager (I can't do CAC/NSS token auth as I have no access to get NPE certs so that exercise is left to someone else to validate) , but it may take a week or two for me to get around to it.

[hearts1137]

Interesting. I didn't know keycloak could be enabled to FIPS only mode like Windows and Linux. That's so cool! /s

Am I correct in understanding that Evaluate-STIG is the application that is requiring the use of FIPS mode? Obviously our host system that serves up keycloak and nginx can be in non FIPS mode, as are the clients Evaluate-STIG scans, and keycloak itself. But when it comes time to upload to STIG-Manager, it has to use FIPS mode and keycloak needs to also be in FIPS mode

You're correct, my Windows 11 host is using FIPS compliant algorithms per the STIG and your command in the original post returned a value of True for me
PS C:\WINDOWS\system32> [System.Security.Cryptography.Cryptoconfig]::AllowOnlyFipsAlgorithms True

Logs from the keycloak startup where I would have assumed something about FIPS mode would be mentioned;
2024-09-02 16:06:56 2024-09-02 21:06:56,984 INFO [io.quarkus] (main) Keycloak 23.0.1 on JVM (powered by Quarkus 3.2.9.Final) started in 5.589s. Listening on: http://0.0.0.0:8080 2024-09-02 16:06:56 2024-09-02 21:06:56,984 INFO [io.quarkus] (main) Profile prod activated. 2024-09-02 16:06:56 2024-09-02 21:06:56,984 INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-health, vertx]

Checking to see if the container from the official repo is FIPS enabled by default using this guide

sh-5.1$ fips-mode-setup --check Installation of FIPS modules is not completed. cat: /proc/sys/crypto/fips_enabled: No such file or directory FIPS mode is .

Container host is not in FIPS mode and neither is keycloak (stig-manager-auth).

In my experience in managing a kubernetes cluster in an air-gapped network, certificates are always the real PITA. We struggled to get our cluster to accept DISA NPE certs across all our pods. It matters what format the certificate, full chain and trust store are in, how they are generated and where they go. It was quite an ordeal moving from internet connected let's encrypt/ignore certificate warnings to DISA NPE across all our web apps.

I say all that to say, if you could help us all out and document how you got everything to play nice with each other, we would be very grateful. Thanks for coming back to the thread and your continued support.

[randoms7ring]

@hearts1137 I don't believe Evaluate-STIG and STIG-Manager/Keycloak need to be in FIPS but when you start mixing and matching with some enabled and others not, depending on where the certs are generated and used it could be a problem.

Hopefully this works for you (and others), and if you are deploying some of the apps within k8s are able to rebuild your containers with similar settings. I deployed this one on RHEL9.4 and discovered yet another FIPS issue, fun!

https://github.com/randoms7ring/stig-manager-with-evaluate-stig/