Skip to content

pskopek/keycloak-fips-setup

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
src/main/java/org/keycloak/fips
src/main/java/org/keycloak/fips
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
pom.xml
pom.xml
 
 

Repository files navigation

Keycloak Configuration Keystore Setup in FIPS mode using Bouncy Castle

This project illustrates how to create keystore of BCFKS type that can be used to supply secret values to Keycloak Server version 24.

Prerequisites

  1. JDK 17 - use project SDKMAN for easy installation
    • I am using 17.0.11-tem.
  2. Make sure your operating system is configured and is in the FIPS more.
    • Fedora 40 can be checked using command sudo fips-mode-setup --check
  3. Configure JDK to use Bouncy Castle BCFIPS security provider.
    • Do following changes in file $JAVA_HOME/conf/security/java.security
    security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:DEFRND[SHA256];ENABLE{ALL};
security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
security.provider.3=sun.security.provider.Sun

...

securerandom.strongAlgorithms=PKCS11:SunPKCS11-NSS-FIPS

Setup

  1. Run mvn clean install to compile this project.
  2. Run mvn exec:exec to create keystore.bcfks keystore.
    • all parameters could be seen in BCImportPass.java
    • all parameters are hardcoded for easy reference
  3. Install Keycloak Server version 24.0.5
  4. Configure database PostgreSQL database for use with Keycloak
    • Do not forget to use password from step 2.
  5. Add following --add-opens argument to server start script 
    --add-opens=java.base/sun.security.provider=ALL-UNNAMED
  6. Set configuration to use keystore. ./bin/kc.sh build --vault=keystore
  7. Run this example to enable FIPS mode for Keycloak 
    ./bin/kc.sh start --hostname localhost --http-host localhost --http-enabled true --hostname-strict-https=false --db-url-host=localhost --db-username=keycloak --vault-file=keycloak-fips-setup/keystore.bcfks --vault-pass=secretPwd1 --vault-type=BCFKS --features=fips
  8. To run the server next time use this command 
    ./bin/kc.sh start --hostname localhost --http-host localhost --http-enabled true --hostname-strict-https=false --db-url-host=localhost --db-username=keycloak --vault-file=keycloak-fips-setup/keystore.bcfks --vault-pass=secretPwd1 --vault-type=BCFKS --optimized
  9. Check if the running Keycloak Server works as expected and is connected to the database.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages