Replies: 3 comments 7 replies
@mposolda @pedroigor FYI
If we ship both artifacts in the distribution it should be possible to have only one of them at runtime. However, this would mean having FIPS as a build option. W.r.t. #2, do you mean https://quarkus.io/guides/security-customization? And how are the store providers set?
Another question is (assuming we are still using BouncyCastle): if there are any API differences needed (ideally there aren't, and the KC code can work with both BC and BC-FIPS), how do we tackle that? The ideal way could be to create a Crypto SPI and Crypto Provider wrapping the BC code. Then we can have a BC and a BC-FIPS provider implementation. This would also allow the module in the codebase to have the correct dependencies, so we can make sure the API is compatible.
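One way to shape the Crypto SPI and the two provider implementations proposed in the comment above, as an added example that is not Keycloak's own code. The `CryptoProvider` interface, the `CryptoIntegration` class and the `kc.fips-mode` system property are assumptions; the BouncyCastle provider class names and JCA provider names (`BC`, `BCFIPS`) are those of the real bcprov and bc-fips libraries. Because the provider class is resolved by name, only the selected JAR has to be on the classpath.

```java
import java.security.Provider;
import java.security.Security;

public final class CryptoIntegration {

    /** Hypothetical SPI: everything the code base needs from the crypto library sits behind this. */
    public interface CryptoProvider {
        /** JCA provider name the implementation registers ("BC" or "BCFIPS"). */
        String jcaName();
        /** Fully qualified JCA provider class; loaded reflectively so only one BC JAR must be present. */
        String providerClass();
    }

    /** Plain BouncyCastle (bcprov). */
    static final class DefaultCryptoProvider implements CryptoProvider {
        public String jcaName() { return "BC"; }
        public String providerClass() { return "org.bouncycastle.jce.provider.BouncyCastleProvider"; }
    }

    /** BouncyCastle FIPS (bc-fips), a different JAR and a different provider class. */
    static final class FipsCryptoProvider implements CryptoProvider {
        public String jcaName() { return "BCFIPS"; }
        public String providerClass() { return "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"; }
    }

    /** Hypothetical config option: -Dkc.fips-mode=true selects the FIPS implementation. */
    static CryptoProvider select() {
        return Boolean.getBoolean("kc.fips-mode") ? new FipsCryptoProvider() : new DefaultCryptoProvider();
    }

    /** Registers exactly one BC provider at the front of the JCA provider list and returns it. */
    public static Provider init() throws ReflectiveOperationException {
        CryptoProvider cp = select();
        Provider existing = Security.getProvider(cp.jcaName());
        if (existing != null) {
            return existing; // already registered, e.g. statically through java.security
        }
        Provider p = (Provider) Class.forName(cp.providerClass()).getDeclaredConstructor().newInstance();
        Security.insertProviderAt(p, 1);
        return p;
    }

    public static void main(String[] args) throws Exception {
        Provider p = init();
        System.out.println("Using JCA provider " + p.getName() + " " + p.getVersionStr());
        // Sanity check: ask the selected provider explicitly for a common algorithm.
        System.out.println(javax.crypto.Cipher.getInstance("AES/GCM/NoPadding", p).getProvider().getName());
    }
}
```

Run it once with only bcprov on the classpath and once with only bc-fips plus `-Dkc.fips-mode=true`; each run prints the name of the single provider that was loaded.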
To enable FIPS compliance in Keycloak there are 3 things that need to be configured.
With regard to 1, if using RHEL or Fedora this can be achieved by enabling FIPS at the host level, which automatically configures OpenJDK. Ideally we'd detect this in Keycloak and automatically configure FIPS in Keycloak when it is enabled at the host level. For other distributions we'd need some example/documentation on configuring the security providers in OpenJDK, and potentially a config option to enable FIPS mode in Keycloak.
With regard to 2, it may be sufficient to enable FIPS at the OpenJDK level without any additional configuration of Quarkus. This needs to be investigated though.
The bigger topic as part of this discussion is how we achieve 3. BouncyCastle provides separate JARs for BouncyCastle FIPS, including a different security provider. We'd probably want to ship the Quarkus distribution with both BouncyCastle and BouncyCastle FIPS, and switch which is used with a config option. Ideally we would also only load the needed JARs on the classpath.
We'll have separate work to update the code base to allow FIPS compliance; this discussion is limited to configuration at the Quarkus dist level.