Describe the bug
When the system-wide crypto policy is set to FIPS there are issues with running Keycloak. This has recently surfaced as RHEL, Fedora, and CentOS have changed the way OpenJDK behaves in this regard. Previously FIPS had to be explicitly enabled for OpenJDK, but it is now enabled by default when system-wide policies are configured to conform to FIPS 140-2.
With OpenJDK configured for FIPS conformance, a number of things do not work properly in Keycloak, which is somewhat to be expected as Keycloak has never had official FIPS support.
This issue is limited to the ability to run Keycloak on a FIPS-enabled system, not to supporting FIPS compliance in Keycloak. For FIPS 140-2 support within Keycloak see #9967.
Original JIRA: https://issues.redhat.com/browse/KEYCLOAK-19771
Version
All versions of Keycloak are affected; whether the issue surfaces depends on the host system configuration and upgrades.
For the container images published to Quay, the issue happens in >=15.1.0 but not in <=15.0.2. This is not caused by a change in Keycloak, but by the fact that the <=15.0.2 images have not been updated with the latest RHEL package upgrades.
Expected behavior
Keycloak is able to run on a FIPS enabled system.
Actual behavior
The add-user-keycloak script fails, and Keycloak fails to generate initial certificates. There are probably further issues, but at least starting Keycloak on a FIPS-enabled system after the database has been initialized succeeds.
How to Reproduce?
Enable FIPS mode on a RHEL or Fedora host (fips-mode-setup --enable).
Start Keycloak directly on the host, and you will get the following error:
Error during startup: org.keycloak.component.ComponentValidationException: Failed to generate keys
Run bin/add-user-keycloak.sh -u admin and you will get the following error:
java.lang.RuntimeException: PBKDF2 algorithm not found
Starting Keycloak as a container with -e KEYCLOAK_USER=user -e KEYCLOAK_PASSWORD=pass results in the PBKDF2 algorithm not found error. Interestingly, without these environment variables the container starts successfully, which differs from running Keycloak from a ZIP, where the failed to generate keys error occurs at startup.
Workaround
Until FIPS is supported by Keycloak, FIPS has to be disabled for Java to make it possible to run Keycloak on systems with FIPS mode enabled.
For bare-metal/ZIP installations use JAVA_OPTS_APPEND to set -Dcom.redhat.fips=false. For example:
export JAVA_OPTS=-Dcom.redhat.fips=false
bin/kc.sh start-dev
For containers use JAVA_OPTS_APPEND to set -Dcom.redhat.fips=false. For example:
podman run -p 8080:8080 -e JAVA_OPTS_APPEND="-Dcom.redhat.fips=false" -e KEYCLOAK_ADMIN=<user> -e KEYCLOAK_ADMIN_PASSWORD=<pass> quay.io/keycloak/keycloak
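A preflight check for the workaround above, added here as an example (it is not part of the issue or of the Keycloak project): it reads the kernel FIPS flag and checks whether the JVM options already carry -Dcom.redhat.fips=false, so an operator can tell before running kc.sh or add-user-keycloak.sh whether the errors above are to be expected. The FIPS file path and the option string are parameters so the functions run offline; the function names are my own.

```shell
#!/usr/bin/env bash
# Preflight for running Keycloak on a FIPS-enabled RHEL/Fedora host.
# Assumption (constructed for this example): FIPS state is read from a file
# in the /proc/sys/crypto/fips_enabled format ("1" = enabled); the path is
# a parameter so the check can be exercised against a constructed file.

# host_fips_enabled [FILE] -> 0 if the kernel reports FIPS mode on
host_fips_enabled() {
  local f="${1:-/proc/sys/crypto/fips_enabled}"
  [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# opts_disable_jdk_fips OPTS -> 0 if the JVM options already carry the
# workaround from the issue (-Dcom.redhat.fips=false)
opts_disable_jdk_fips() {
  case " $1 " in
    *" -Dcom.redhat.fips=false "*) return 0 ;;
    *) return 1 ;;
  esac
}

# ensure_fips_override OPTS -> echoes OPTS with the flag appended exactly once,
# suitable for JAVA_OPTS_APPEND on a host or container
ensure_fips_override() {
  if opts_disable_jdk_fips "$1"; then
    printf '%s\n' "$1"
  else
    printf '%s\n' "${1:+$1 }-Dcom.redhat.fips=false"
  fi
}

# keycloak_fips_preflight FILE OPTS -> prints the status and returns
#   0: FIPS off, or FIPS on with the override already present
#   1: FIPS on and override missing; startup will fail with
#      "Failed to generate keys" / "PBKDF2 algorithm not found"
keycloak_fips_preflight() {
  local fips_file="$1" opts="$2"
  if ! host_fips_enabled "$fips_file"; then
    echo "host not in FIPS mode: no workaround needed"
    return 0
  fi
  if opts_disable_jdk_fips "$opts"; then
    echo "host in FIPS mode, JDK FIPS disabled via -Dcom.redhat.fips=false"
    return 0
  fi
  echo "host in FIPS mode and -Dcom.redhat.fips=false not set; kc.sh/add-user-keycloak.sh will fail" >&2
  return 1
}
```

Run it as `keycloak_fips_preflight /proc/sys/crypto/fips_enabled "$JAVA_OPTS_APPEND"` before starting; `ensure_fips_override "$JAVA_OPTS_APPEND"` yields the value to export if it reports a problem.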