keycloak-scim/testsuite/integration-arquillian/servers/auth-server/common/fips/README-keystores-format-conversion.md

How to convert keystores and truststores
----------------------------------------
Magic command to import PKCS12 keystore to BCFKS

```
keytool -importkeystore -srckeystore keycloak-fips.keystore.pkcs12 -destkeystore keycloak-fips.keystore.bcfks \
    -srcstoretype PKCS12 -deststoretype BCFKS -deststorepass passwordpassword \
    -providername BCFIPS \
    -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -providerpath $MAVEN_REPO_HOME/org/bouncycastle/bc-fips/1.0.2.5/bc-fips-1.0.2.5.jar \
    -J-Djava.security.properties=$KEYCLOAK_SOURCES/testsuite/integration-arquillian/servers/auth-server/common/fips/kc.keystore-create.java.security
```
Default password is `passwordpassword`.

When converting from `JKS` to `PKCS12` on non-FIPS host, only first 2 lines from this command are needed (no need to use BCFIPS provider).
Original JKS keystore, which was used to create `PKCS12` (and transitively also `BCFKS`) keystore is [keycloak.jks](../keystore/keycloak.jks).
Original JKS truststore is [keycloak.truststore](../keystore/keycloak.truststore).
Initial support for running testsuite in BCFIPS approved mode Closes #16429 2023-01-12 17:24:23 +00:00			`How to convert keystores and truststores`
			`----------------------------------------`
			`Magic command to import PKCS12 keystore to BCFKS`

			```
			`keytool -importkeystore -srckeystore keycloak-fips.keystore.pkcs12 -destkeystore keycloak-fips.keystore.bcfks \`
			`-srcstoretype PKCS12 -deststoretype BCFKS -deststorepass passwordpassword \`
			`-providername BCFIPS \`
			`-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \`
			`-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \`
Issue: 26568 - bcfips version bump and fixes * bump BCFIPS to 1.0.2.5 * fix bc-fips related test error * remove unused imports Closes: #26568 Signed-off-by: Andre F de M <trixpan@users.noreply.github.com> 2024-05-19 02:18:40 +00:00			`-providerpath $MAVEN_REPO_HOME/org/bouncycastle/bc-fips/1.0.2.5/bc-fips-1.0.2.5.jar \`
Initial support for running testsuite in BCFIPS approved mode Closes #16429 2023-01-12 17:24:23 +00:00			`-J-Djava.security.properties=$KEYCLOAK_SOURCES/testsuite/integration-arquillian/servers/auth-server/common/fips/kc.keystore-create.java.security`
			```
			Default password is `passwordpassword`.

			When converting from `JKS` to `PKCS12` on non-FIPS host, only first 2 lines from this command are needed (no need to use BCFIPS provider).
			Original JKS keystore, which was used to create `PKCS12` (and transitively also `BCFKS`) keystore is [keycloak.jks](../keystore/keycloak.jks).
			`Original JKS truststore is [keycloak.truststore](../keystore/keycloak.truststore).`