Create KC-BC-FIPS
stianst authored Oct 22, 2024

This commit was created on GitHub.com and signed with GitHub’s verified signature.
1 parent 110c5a5 commit 873237b
Showing 1 changed file with 28 additions and 0 deletions.
28 changes: 28 additions & 0 deletions docs/KC-BC-FIPS
@@ -0,0 +1,28 @@
Add the following from https://www.bouncycastle.org/download/bouncy-castle-java-fips/#latest to `$KC_HOME/providers/`:
```
bc-fips-2.0.0.jar
bcpkix-fips-2.0.7.jar
bctls-fips-2.0.19.jar
bcutil-fips-2.0.3.jar
```

Download Java from `https://adoptium.net/` and update `conf/security/java.security` file to have the following providers:

```
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
```

Note: Without `sun.security.provider.Sun` Keycloak doesn't start

Generate a self-signed certificate for Keycloak:
```
cd $KC_HOME/conf
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/CN=localhost"
```

Start Keycloak with:
```
bin/kc.sh start --features=fips --https-certificate-file=conf/cert.pem --https-certificate-key-file=conf/key.pem --hostname-strict=false
```
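Review bot: The path `conf/security/java.security` in the Java step is ambiguous, since the guide otherwise uses `conf/` for Keycloak's own directory (`cd $KC_HOME/conf`, `conf/cert.pem`); the `java.security` file is the one under the downloaded JDK's own `conf/security/`, so say so explicitly (e.g. "edit `<JDK_HOME>/conf/security/java.security`"). "to have the following providers" is also underspecified: the stock file already lists a numbered set of `security.provider.N=` entries, so state whether the three lines replace the existing list entirely or are prepended to it, and renumber accordingly. The note "Without `sun.security.provider.Sun` Keycloak doesn't start" would help readers more if it said what fails without it. The version list is pinned (`bc-fips-2.0.0.jar` etc.) while the link points at `#latest`, so readers following the link will get different versions; either drop the pins or say these are the versions this guide was tested with. Finally, the start line uses `--hostname-strict=false` together with a self-signed `CN=localhost` certificate and an unencrypted key (`-nodes`) kept in `conf/`; label this as a local development setup so nobody copies it into a production deployment.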
