UNCLASSIFIED - NO CUI

Broken OIDC SSO to P1 KeyCloak (TLS certificate error for .mil CA)

Bug

Description

OIDC SSO broke for Twistlock (and other P1 apps) after some recent cert changes were pushed. The resulting TLS certificate errors show that the dso.mil CA is not trusted by the console image.

This is the error in the Twistlock logs:

ERRO 2024-12-05T15:43:03.303 route_handler.go:14504 Operation failed: uri=/api/v1/authenticate/identity-redirect-url?type=oidc; error=Get "https://login.dso.mil/auth/realms/baby-yoda/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority

The fix for this is to use a console image with updated DoD certs. Palo Alto builds these images on UBI9-minimal from registry1, which is passed through in the twistlock console Dockerfile on repo1. It appears that the certs that expired were not updated in v32 like they were for v33.

A brief look at the packages installed on the respective images shows that the ca-certificates package is out of date on v32.

[screenshot: installed package versions on the v32 and v33 console images, showing the older ca-certificates package on v32]

Additionally, the contents of the /etc/pki/ca-trust/extracted/pem directory are very different between the versions.

v32 is missing the extracted certs that v33 image has:

[screenshot: listing of /etc/pki/ca-trust/extracted/pem on v32 and v33, with the extracted certs present only on v33]

The TLS bundle at /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem is missing the corresponding certs as well.
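The comparison above was done by eye from screenshots. As an added example (not from the original issue or from the twistlock-console repo), the script below makes the same check reproducible: copy tls-ca-bundle.pem out of each image, then count the certificate blocks, list which blocks the older bundle lacks, and print the human-readable names. It assumes only POSIX sh, awk, grep, sort and sha256sum, and the cert_labels function assumes the bundle written by update-ca-trust on UBI/RHEL prefixes each certificate with a "# Label:" comment line. The two sample bundles it creates are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: compare two extracted CA bundles (for instance
# /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem copied out of the v32 and
# v33 console images) and report which certificate blocks the older one lacks.

# Number of certificate blocks in a PEM bundle (prints 0 when there are none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# One SHA-256 digest per PEM block, computed over the block text itself so no
# openssl is needed, sorted so two bundles can be compared line by line.
cert_digests() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { blk = ""; inblk = 1 }
    inblk { blk = blk $0 "\n" }
    /-----END CERTIFICATE-----/ {
      inblk = 0
      printf "%s", blk | "sha256sum"
      close("sha256sum")
    }' "$1" | awk '{ print $1 }' | sort
}

# Digests present in bundle $2 (newer image) but absent from bundle $1 (older).
missing_from() {
  old=$(cert_digests "$1")
  cert_digests "$2" | while read -r d; do
    printf '%s\n' "$old" | grep -qx "$d" || printf '%s\n' "$d"
  done
}

# Human-readable certificate names. Assumption: update-ca-trust on UBI/RHEL
# writes a '# Label: "..."' comment line ahead of each certificate block.
cert_labels() {
  sed -n 's/^# Label: "\(.*\)"$/\1/p' "$1"
}

# Constructed sample bundles standing in for the v32 and v33 extracts. The
# base64 bodies are placeholders, not real certificates.
make_sample_bundles() {
  dir=${1:-/tmp}
  cat > "$dir/v32-bundle.pem" <<'EOF'
# Label: "Example Public Root CA (constructed)"
-----BEGIN CERTIFICATE-----
PLACEHOLDER-PUBLIC-ROOT-CA
-----END CERTIFICATE-----
EOF
  cat > "$dir/v33-bundle.pem" <<'EOF'
# Label: "Example Public Root CA (constructed)"
-----BEGIN CERTIFICATE-----
PLACEHOLDER-PUBLIC-ROOT-CA
-----END CERTIFICATE-----
# Label: "Example DoD Root CA (constructed)"
-----BEGIN CERTIFICATE-----
PLACEHOLDER-DOD-ROOT-CA
-----END CERTIFICATE-----
EOF
}

# Usage: sh compare_bundles.sh old-bundle.pem new-bundle.pem
if [ "$#" -eq 2 ]; then
  printf 'old: %s certs, new: %s certs\n' "$(count_certs "$1")" "$(count_certs "$2")"
  printf 'blocks present in new but missing from old:\n'
  missing_from "$1" "$2"
  printf 'names in new bundle:\n'
  cert_labels "$2"
fi
```

To run it against real images, copy the bundle out of each container (for example with a container-copy command into two local files) and pass the two files as arguments; a non-empty "missing from old" list is the concrete evidence behind the x509 "unknown authority" error in the console log.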

Proposed Fix

These are the certs that IB adds to UBI9-minimal (and other base images).

They are copied in the Dockerfile, and update-ca-trust is then run to update the trust store.

I am updating the twistlock-console image to include these certs.

BigBang Version

Can vary, but in this case any console images prior to the recent version 33.01.137 are affected.

Edited by Phillip Warner