Description
Make it possible to easily run Keycloak in a mode that is compliant with FIPS 140-2.
This can be broken down into:
Quarkus - validate that Quarkus itself is FIPS 140-2 compliant
BouncyCastle - use BouncyCastle FIPS instead of regular BouncyCastle (see the Quarkus documentation)
Additionally, when Keycloak is running in FIPS mode, all crypto algorithms that are not permitted by FIPS 140-2 should be unavailable. This requires the corresponding crypto providers in Keycloak to be explicitly disabled, rather than simply failing at runtime because the underlying security providers do not supply a specific algorithm.
In addition to the above, where Keycloak dynamically offers crypto algorithms based on what the underlying security providers (OpenJDK + BouncyCastle) provide, it may be beneficial to make it easy to disable specific providers (for example SHA1, which, although compliant with FIPS 140-2, is something people may want to explicitly disable). This should be offered through Keycloak-level configuration rather than requiring a deep understanding of OpenJDK.
A relatively straightforward way of enabling a FIPS mode for Keycloak would be to base it on the FIPS mode in RHEL. This can at least serve as a starting point, where Keycloak detects that it is running on a RHEL system in FIPS mode and configures itself accordingly (on RHEL, OpenJDK is already configured for FIPS). We may also want to document how to run Keycloak in a FIPS-compliant way on non-RHEL systems, and/or how to configure the container to run in FIPS mode when the host is not a RHEL/Fedora system with FIPS mode enabled.
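The three points above (disable non-permitted algorithms explicitly rather than letting them fail at runtime, allow a Keycloak-level deny-list for algorithms such as SHA1, and detect RHEL FIPS mode) can be illustrated with a small JCA probe. The following is an added example written for this page; it is not Keycloak code. It reads the Linux kernel FIPS flag at /proc/sys/crypto/fips_enabled (the file RHEL/Fedora toggle via fips-mode-setup), prints the com.redhat.fips system property that RHEL builds of OpenJDK use to signal their FIPS switch, lists the security providers the JDK actually loaded, and classifies each digest as AVAILABLE, DISABLED_BY_POLICY or NOT_PROVIDED. The KC_CRYPTO_DISABLED_DIGESTS environment variable and the FipsProbe class are assumptions for this example, not real Keycloak options.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example (not Keycloak code): detect host FIPS mode, list the JCA
 * providers the JDK loaded, and classify digest algorithms as AVAILABLE,
 * DISABLED_BY_POLICY (a Keycloak-level deny-list) or NOT_PROVIDED (the
 * underlying security providers do not offer the algorithm at all).
 */
public class FipsProbe {

    enum Status { AVAILABLE, DISABLED_BY_POLICY, NOT_PROVIDED }

    // Kernel FIPS flag on Linux; RHEL/Fedora set it to 1 after fips-mode-setup --enable.
    static final Path FIPS_FLAG = Paths.get("/proc/sys/crypto/fips_enabled");

    // Hypothetical Keycloak-level deny-list read from an environment variable.
    // KC_CRYPTO_DISABLED_DIGESTS is an assumption for this example, not a real Keycloak option.
    static final Set<String> POLICY_DISABLED =
            parseList(System.getenv().getOrDefault("KC_CRYPTO_DISABLED_DIGESTS", "SHA-1"));

    static Set<String> parseList(String csv) {
        Set<String> out = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (String s : csv.split(",")) {
            if (!s.trim().isEmpty()) out.add(s.trim());
        }
        return out;
    }

    static boolean hostFipsEnabled() {
        try {
            String flag = new String(Files.readAllBytes(FIPS_FLAG), StandardCharsets.US_ASCII).trim();
            return "1".equals(flag);
        } catch (IOException e) {
            return false; // not Linux, or a kernel that does not expose the flag
        }
    }

    // Policy first: an algorithm the deployment has disabled is rejected even when the
    // provider would serve it. Only then ask the JCA whether any provider offers it.
    static Status probeDigest(String algorithm) {
        if (POLICY_DISABLED.contains(algorithm)) {
            return Status.DISABLED_BY_POLICY;
        }
        try {
            MessageDigest.getInstance(algorithm);
            return Status.AVAILABLE;
        } catch (NoSuchAlgorithmException e) {
            return Status.NOT_PROVIDED;
        }
    }

    static Map<String, Status> probeAll(String... algorithms) {
        Map<String, Status> result = new LinkedHashMap<>();
        for (String alg : algorithms) {
            result.put(alg, probeDigest(alg));
        }
        return result;
    }

    public static void main(String[] args) {
        System.out.println("host FIPS mode:     " + hostFipsEnabled());
        // RHEL builds of OpenJDK expose com.redhat.fips; -Dcom.redhat.fips=false opts out of their FIPS switch.
        System.out.println("com.redhat.fips:    " + System.getProperty("com.redhat.fips", "<unset>"));
        StringBuilder providers = new StringBuilder();
        for (Provider p : Security.getProviders()) {
            providers.append(p.getName()).append(' ');
        }
        System.out.println("security providers: " + providers.toString().trim());
        // MD5 is not FIPS-approved; SHA-1 is approved but is the kind of algorithm a deployment may still deny.
        for (Map.Entry<String, Status> e : probeAll("MD5", "SHA-1", "SHA-256", "SHA-512").entrySet()) {
            System.out.printf("%-8s %s%n", e.getKey(), e.getValue());
        }
    }
}
```

Run with `javac FipsProbe.java && java FipsProbe`, then again on a FIPS-enabled RHEL host and compare the provider list and the per-algorithm status; `KC_CRYPTO_DISABLED_DIGESTS=SHA-1,MD5 java FipsProbe` shows the deny-list taking effect regardless of what the providers offer. The point of checking policy before calling the JCA is the one the paragraph makes: a disabled algorithm is reported as disabled up front instead of surfacing as a NoSuchAlgorithmException somewhere deep in a login flow.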
Tasks
Tasks for this epic are managed in FIPS 140-2
Motivation
FIPS 140-2 is a requirement in certain deployments, and can also serve as a better secure by default mode even when not strictly required.
Details
See also #9916, which covers a workaround to make Keycloak run on RHEL/Fedora systems with FIPS mode enabled. Worth highlighting that it does not add FIPS compliance to Keycloak, but rather just ensures Keycloak can run on a FIPS-compliant host.