Make sure the distribution is using FIPS providers

Closes #12428
This commit is contained in:
Pedro Igor 2023-02-09 18:32:57 -03:00 committed by Marek Posolda
parent dc2c73bb30
commit 2059ffb219
23 changed files with 200 additions and 87 deletions


@ -2,6 +2,7 @@ package org.keycloak.crypto.fips;
import static org.bouncycastle.crypto.CryptoServicesRegistrar.isInApprovedOnlyMode;
import java.lang.reflect.Method;
import java.security.Provider;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
@ -19,7 +20,11 @@ public class KeycloakFipsSecurityProvider extends Provider {
private final BouncyCastleFipsProvider bcFipsProvider;
public KeycloakFipsSecurityProvider(BouncyCastleFipsProvider bcFipsProvider) {
super("KC(" + bcFipsProvider.toString() + (isInApprovedOnlyMode() ? " Approved Mode" : "") + ")", 1, "Keycloak pseudo provider");
super("KC(" +
bcFipsProvider.toString() +
(isInApprovedOnlyMode() ? " Approved Mode" : "") +
(isSystemFipsEnabled() ? " FIPS-enabled JVM" : "") +
")", 1, "Keycloak pseudo provider");
this.bcFipsProvider = bcFipsProvider;
}
@ -33,4 +38,23 @@ public class KeycloakFipsSecurityProvider extends Provider {
return null;
}
}
private static boolean isSystemFipsEnabled() {
Method isSystemFipsEnabled = null;
try {
Class<?> securityConfigurator = KeycloakFipsSecurityProvider.class.getClassLoader().loadClass("java.security.SystemConfigurator");
isSystemFipsEnabled = securityConfigurator.getDeclaredMethod("isSystemFipsEnabled");
isSystemFipsEnabled.setAccessible(true);
return (boolean) isSystemFipsEnabled.invoke(null);
} catch (Throwable ignore) {
logger.warn("Could not detect if FIPS is enabled from the host");
} finally {
if (isSystemFipsEnabled != null) {
isSystemFipsEnabled.setAccessible(false);
}
}
return false;
}
}
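Review bot: The `catch (Throwable ignore)` closing `isSystemFipsEnabled` drops the exception, so the warning cannot distinguish a JDK that simply has no `java.security.SystemConfigurator` class (ClassNotFoundException, the normal case on most builds) from a module-encapsulation failure on a JDK that does have it (`setAccessible(true)` refused), and those two cases call for different operator action. Passing the throwable through, `logger.warn("Could not detect if FIPS is enabled from the host", ignore);`, or logging the ClassNotFoundException case at debug level, keeps the diagnostic without changing behaviour. As far as this hunk shows the result only feeds the provider display name built in the constructor and does not affect which algorithms are approved, so a short Javadoc on the method saying that a `false` here is informational would stop readers from treating it as a security gate.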


@ -1,6 +1,7 @@
package org.keycloak.config;
import java.io.File;
import org.keycloak.common.crypto.FipsMode;
public class HttpOptions {
@ -79,10 +80,11 @@ public class HttpOptions {
.defaultValue("password")
.build();
public static final Option HTTPS_KEY_STORE_TYPE = new OptionBuilder<>("https-key-store-type", String.class)
public static final Option<String> HTTPS_KEY_STORE_TYPE = new OptionBuilder<>("https-key-store-type", String.class)
.category(OptionCategory.HTTP)
.description("The type of the key store file. " +
"If not given, the type is automatically detected based on the file name.")
"If not given, the type is automatically detected based on the file name. " +
"If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.strict.name() + "' and no value is set, it defaults to 'BCFKS'.")
.build();
public static final Option HTTPS_TRUST_STORE_FILE = new OptionBuilder<>("https-trust-store-file", File.class)


@ -2,7 +2,10 @@ package org.keycloak.quarkus.runtime.configuration.mappers;
import io.smallrye.config.ConfigSourceInterceptorContext;
import io.smallrye.config.ConfigValue;
import org.keycloak.common.crypto.FipsMode;
import org.keycloak.config.HttpOptions;
import org.keycloak.config.SecurityOptions;
import org.keycloak.quarkus.runtime.Environment;
import org.keycloak.quarkus.runtime.Messages;
import org.keycloak.quarkus.runtime.configuration.MicroProfileConfigProvider;
@ -11,6 +14,7 @@ import java.io.File;
import java.nio.file.Paths;
import java.util.Optional;
import static java.util.Optional.empty;
import static java.util.Optional.of;
import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.fromOption;
import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers.getMapper;
@ -79,6 +83,8 @@ final class HttpPropertyMappers {
.build(),
fromOption(HttpOptions.HTTPS_KEY_STORE_TYPE)
.to("quarkus.http.ssl.certificate.key-store-file-type")
.mapFrom(SecurityOptions.FIPS_MODE.getKey())
.transformer(HttpPropertyMappers::resolveKeyStoreType)
.paramLabel("type")
.build(),
fromOption(HttpOptions.HTTPS_TRUST_STORE_FILE)
@ -135,5 +141,18 @@ final class HttpPropertyMappers {
return null;
}
private static Optional<String> resolveKeyStoreType(Optional<String> value,
ConfigSourceInterceptorContext configSourceInterceptorContext) {
if (value.isPresent()) {
try {
if (FipsMode.valueOf(value.get()).equals(FipsMode.strict)) {
return of("BCFKS");
}
return empty();
} catch (IllegalArgumentException ignore) {
}
}
return value;
}
}
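Review bot: The empty `catch (IllegalArgumentException ignore) {}` in `resolveKeyStoreType` is load-bearing control flow — it is how an explicit `https-key-store-type` value, which is not a `FipsMode` name, passes through untouched — and it should say so: `// not a FipsMode name: the value is an explicit key store type, keep it as-is`. Because the same transformer runs whether the value was set directly or mapped from `fips-mode`, an explicit key store type that happens to spell a `FipsMode` constant would be rewritten to `BCFKS` or dropped; if the mapper API exposes which key the value came from, testing that would make the intent exact, otherwise the edge case deserves a comment. `FipsMode.valueOf` is also case-sensitive, so it is worth confirming that `fips-mode` values are normalized before they reach this transformer.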


@ -233,7 +233,7 @@ public class CLITestExtension extends QuarkusMainTestExtension {
}
private KeycloakDistribution createDistribution(DistributionTest config, LegacyStore legacyStoreConfig, WithDatabase databaseConfig) {
return new KeycloakDistributionDecorator(legacyStoreConfig, databaseConfig, DistributionType.getCurrent().orElse(RAW).newInstance(config));
return new KeycloakDistributionDecorator(legacyStoreConfig, databaseConfig, config, DistributionType.getCurrent().orElse(RAW).newInstance(config));
}
@Override


@ -30,7 +30,6 @@ public @interface DistributionTest {
boolean debug() default false;
boolean keepAlive() default false;
boolean createAdminUser() default false;
boolean enableTls() default false;
enum ReInstall {


@ -42,8 +42,7 @@ public enum DistributionType {
config.keepAlive(),
config.enableTls(),
!DistributionTest.ReInstall.NEVER.equals(config.reInstall()),
config.removeBuildOptionsAfterBuild(),
config.createAdminUser());
config.removeBuildOptionsAfterBuild());
}
private final Function<DistributionTest, KeycloakDistribution> factory;


@ -18,6 +18,7 @@
package org.keycloak.it.junit5.extension;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import org.keycloak.it.utils.KeycloakDistribution;
@ -25,17 +26,24 @@ public class KeycloakDistributionDecorator implements KeycloakDistribution {
private LegacyStore legacyStoreConfig;
private WithDatabase databaseConfig;
private DistributionTest config;
private KeycloakDistribution delegate;
public KeycloakDistributionDecorator(LegacyStore legacyStoreConfig, WithDatabase databaseConfig, KeycloakDistribution delegate) {
public KeycloakDistributionDecorator(LegacyStore legacyStoreConfig, WithDatabase databaseConfig, DistributionTest config,
KeycloakDistribution delegate) {
this.legacyStoreConfig = legacyStoreConfig;
this.databaseConfig = databaseConfig;
this.config = config;
this.delegate = delegate;
}
@Override
public CLIResult run(List<String> arguments) {
return delegate.run(new ServerOptions(legacyStoreConfig, databaseConfig, arguments));
public CLIResult run(List<String> rawArgs) {
List<String> args = new ArrayList<>(rawArgs);
args.addAll(List.of(config.defaultOptions()));
return delegate.run(new ServerOptions(legacyStoreConfig, databaseConfig, args));
}
@Override
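Review bot: `run` in `KeycloakDistributionDecorator` appends `config.defaultOptions()` after the caller's arguments, so a test that passes for example `--http-enabled=false` ends up with both values on the command line, and whether the explicit value wins or the parser rejects the duplicate depends on the CLI's duplicate-option handling, which is not visible here. Putting the defaults first, `List<String> args = new ArrayList<>(List.of(config.defaultOptions())); args.addAll(rawArgs);`, lets explicit arguments override the annotation defaults regardless of that behaviour. A one-line comment on `run` noting that the annotation's `defaultOptions` are merged into every invocation would also help, since the annotation is not visible at the call sites in the tests.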


@ -91,24 +91,22 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
private boolean inited = false;
private Map<String, String> envVars = new HashMap<>();
public RawKeycloakDistribution(boolean debug, boolean manualStop, boolean enableTls, boolean reCreate, boolean removeBuildOptionsAfterBuild,
boolean createAdminUser) {
public RawKeycloakDistribution(boolean debug, boolean manualStop, boolean enableTls, boolean reCreate, boolean removeBuildOptionsAfterBuild) {
this.debug = debug;
this.manualStop = manualStop;
this.enableTls = enableTls;
this.reCreate = reCreate;
this.removeBuildOptionsAfterBuild = removeBuildOptionsAfterBuild;
this.createAdminUser = createAdminUser;
this.distPath = prepareDistribution();
}
@Override
public CLIResult run(List<String> arguments) {
reset();
stop();
if (manualStop && isRunning()) {
throw new IllegalStateException("Server already running. You should manually stop the server before starting it again.");
}
stop();
reset();
try {
configureServer();
startServer(arguments);
@ -267,6 +265,10 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
"Timeout [" + getStartTimeout() + "] while waiting for Quarkus server");
}
if (!keycloak.isAlive()) {
return;
}
try {
// wait before checking for opening a new connection
if ("https".equals(contextRoot.getProtocol())) {
@ -435,11 +437,6 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
ProcessBuilder pb = new ProcessBuilder(getCliArgs(arguments));
ProcessBuilder builder = pb.directory(distPath.resolve("bin").toFile());
if (createAdminUser) {
builder.environment().put("KEYCLOAK_ADMIN", "admin");
builder.environment().put("KEYCLOAK_ADMIN_PASSWORD", "admin");
}
if (debug) {
builder.environment().put("DEBUG_SUSPEND", "y");
}
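Review bot: The early `return` added on `!keycloak.isAlive()` leaves the readiness wait without logging or raising anything, so a server process that exited during startup is handed back as if the wait had completed and the failure only surfaces if the caller inspects the output. A comment makes the contract explicit, `// process already exited: readiness polling would only time out, let the caller inspect the output`, and if `keycloak` is a `Process` a debug log of its exit value at that point would preserve the diagnostic. The enclosing method starts and ends outside this hunk, so I cannot see how `run` treats this return.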


@ -17,9 +17,8 @@
package org.keycloak.it.cli.dist;
import java.util.function.Consumer;
import java.nio.file.Path;
import org.junit.jupiter.api.Test;
import org.keycloak.it.junit5.extension.BeforeStartDistribution;
import org.keycloak.it.junit5.extension.CLIResult;
import org.keycloak.it.junit5.extension.DistributionTest;
import org.keycloak.it.junit5.extension.RawDistOnly;
@ -29,46 +28,93 @@ import org.keycloak.it.utils.RawKeycloakDistribution;
import io.quarkus.test.junit.main.Launch;
import io.quarkus.test.junit.main.LaunchResult;
@DistributionTest(createAdminUser = true)
@DistributionTest(keepAlive = true, defaultOptions = { "--http-enabled=true", "--hostname-strict=false", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
@RawDistOnly(reason = "Containers are immutable")
public class FipsDistTest {
@Test
@Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=enabled", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
@BeforeStartDistribution(FipsDistTest.InstallBcFipsDependencies.class)
void testFipsNonApprovedMode(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
cliResult.assertStarted();
cliResult.assertMessage("Java security providers: [ \n"
+ " KC(BCFIPS version 1.000203) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
void testFipsNonApprovedMode(KeycloakDistribution dist) {
runOnFipsEnabledDistribution(dist, () -> {
CLIResult cliResult = dist.run("start", "--fips-mode=enabled");
cliResult.assertStarted();
cliResult.assertMessage("Java security providers: [ \n"
+ " KC(BCFIPS version 1.000203) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
});
}
@Test
@Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=strict", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
@BeforeStartDistribution(FipsDistTest.InstallBcFipsDependencies.class)
void testFipsApprovedMode(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
cliResult.assertStarted();
cliResult.assertMessage("org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits");
cliResult.assertMessage("Java security providers: [ \n"
+ " KC(BCFIPS version 1.000203 Approved Mode) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
void testFipsApprovedMode(KeycloakDistribution dist) {
runOnFipsEnabledDistribution(dist, () -> {
dist.setEnvVar("KEYCLOAK_ADMIN", "admin");
dist.setEnvVar("KEYCLOAK_ADMIN_PASSWORD", "admin");
CLIResult cliResult = dist.run("start", "--fips-mode=strict");
cliResult.assertStarted();
cliResult.assertMessage(
"org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits");
cliResult.assertMessage("Java security providers: [ \n"
+ " KC(BCFIPS version 1.000203 Approved Mode) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
dist.setEnvVar("KEYCLOAK_ADMIN_PASSWORD", "adminadminadmin");
cliResult = dist.run("start", "--fips-mode=strict");
cliResult.assertStarted();
cliResult.assertMessage("Added user 'admin' to realm 'master'");
});
}
@Test
@Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=enabled", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
@Launch({ "start", "--fips-mode=enabled" })
void failStartDueToMissingFipsDependencies(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
cliResult.assertError("Failed to configure FIPS. Make sure you have added the Bouncy Castle FIPS dependencies to the 'providers' directory.");
}
public static class InstallBcFipsDependencies implements Consumer<KeycloakDistribution> {
@Override
public void accept(KeycloakDistribution distribution) {
RawKeycloakDistribution rawDist = distribution.unwrap(RawKeycloakDistribution.class);
rawDist.copyProvider("org.bouncycastle", "bc-fips");
rawDist.copyProvider("org.bouncycastle", "bctls-fips");
rawDist.copyProvider("org.bouncycastle", "bcpkix-fips");
}
@Test
void testUnsupportedHttpsJksKeyStoreInStrictMode(KeycloakDistribution dist) {
runOnFipsEnabledDistribution(dist, () -> {
dist.copyOrReplaceFileFromClasspath("/server.keystore", Path.of("conf", "server.keystore"));
CLIResult cliResult = dist.run("start", "--fips-mode=strict");
cliResult.assertMessage("ERROR: java.lang.IllegalArgumentException: malformed sequence");
});
}
@Test
void testHttpsBcfksKeyStoreInStrictMode(KeycloakDistribution dist) {
runOnFipsEnabledDistribution(dist, () -> {
dist.copyOrReplaceFileFromClasspath("/server.keystore.bcfks", Path.of("conf", "server.keystore"));
CLIResult cliResult = dist.run("start", "--fips-mode=strict", "--https-key-store-password=passwordpassword");
cliResult.assertStarted();
});
}
@Test
void testUnsupportedHttpsPkcs12KeyStoreInStrictMode(KeycloakDistribution dist) {
runOnFipsEnabledDistribution(dist, () -> {
dist.copyOrReplaceFileFromClasspath("/server.keystore.pkcs12", Path.of("conf", "server.keystore"));
CLIResult cliResult = dist.run("start", "--fips-mode=strict", "--https-key-store-password=passwordpassword");
cliResult.assertMessage("ERROR: java.lang.IllegalArgumentException: malformed sequence");
});
}
@Test
void testHttpsPkcs12KeyStoreInNonApprovedMode(KeycloakDistribution dist) {
runOnFipsEnabledDistribution(dist, () -> {
dist.copyOrReplaceFileFromClasspath("/server.keystore.pkcs12", Path.of("conf", "server.keystore"));
CLIResult cliResult = dist.run("start", "--fips-mode=enabled", "--https-key-store-password=passwordpassword");
cliResult.assertStarted();
});
}
private void runOnFipsEnabledDistribution(KeycloakDistribution dist, Runnable runnable) {
installBcFips(dist);
runnable.run();
}
private void installBcFips(KeycloakDistribution dist) {
RawKeycloakDistribution rawDist = dist.unwrap(RawKeycloakDistribution.class);
rawDist.copyProvider("org.bouncycastle", "bc-fips");
rawDist.copyProvider("org.bouncycastle", "bctls-fips");
rawDist.copyProvider("org.bouncycastle", "bcpkix-fips");
}
}
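Review bot: `testUnsupportedHttpsJksKeyStoreInStrictMode` and `testUnsupportedHttpsPkcs12KeyStoreInStrictMode` only assert that the `malformed sequence` message appears; neither asserts that the server failed to start, so a regression in which strict mode logs the error but still comes up on the rejected key store would pass. Add the negative assertion next to the message check — `assertError`, as used in `failStartDueToMissingFipsDependencies`, if it also fails on a started server, otherwise whatever not-started check `CLIResult` provides. Separately, `runOnFipsEnabledDistribution` only installs the BC FIPS jars and runs the `Runnable`, so the name overstates what it verifies; a comment such as `// installs the BC FIPS provider jars; does not itself verify that FIPS mode took effect`, or simply calling `installBcFips(dist)` inline, would make the tests easier to read.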


@ -131,7 +131,8 @@ HTTP/TLS:
The password of the key store file. Default: password.
--https-key-store-type <type>
The type of the key store file. If not given, the type is automatically
detected based on the file name.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3.


@ -131,7 +131,8 @@ HTTP/TLS:
The password of the key store file. Default: password.
--https-key-store-type <type>
The type of the key store file. If not given, the type is automatically
detected based on the file name.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3.


@ -191,7 +191,8 @@ HTTP/TLS:
The password of the key store file. Default: password.
--https-key-store-type <type>
The type of the key store file. If not given, the type is automatically
detected based on the file name.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3.


@ -31,52 +31,54 @@ Cache:
Storage (Experimental):
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
values are: jpa, chm, hotrod.
values are: jpa, chm, hotrod, file.
--storage-area-auth-session <type>
Experimental: Sets a storage mechanism for authentication sessions. Possible
values are: jpa, chm, hotrod.
values are: jpa, chm, hotrod, file.
--storage-area-authorization <type>
Experimental: Sets a storage mechanism for authorizations. Possible values
are: jpa, chm, hotrod.
are: jpa, chm, hotrod, file.
--storage-area-client <type>
Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
chm, hotrod.
chm, hotrod, file.
--storage-area-client-scope <type>
Experimental: Sets a storage mechanism for client scopes. Possible values are:
jpa, chm, hotrod.
jpa, chm, hotrod, file.
--storage-area-event-admin <type>
Experimental: Sets a storage mechanism for admin events. Possible values are:
jpa, chm, hotrod.
jpa, chm, hotrod, file.
--storage-area-event-auth <type>
Experimental: Sets a storage mechanism for authentication and authorization
events. Possible values are: jpa, chm, hotrod.
events. Possible values are: jpa, chm, hotrod, file.
--storage-area-group <type>
Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
chm, hotrod.
chm, hotrod, file.
--storage-area-login-failure <type>
Experimental: Sets a storage mechanism for login failures. Possible values
are: jpa, chm, hotrod.
are: jpa, chm, hotrod, file.
--storage-area-realm <type>
Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
chm, hotrod.
chm, hotrod, file.
--storage-area-role <type>
Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
chm, hotrod.
chm, hotrod, file.
--storage-area-single-use-object <type>
Experimental: Sets a storage mechanism for single use objects. Possible values
are: jpa, chm, hotrod.
--storage-area-user <type>
Experimental: Sets a storage mechanism for users. Possible values are: jpa,
chm, hotrod.
chm, hotrod, file.
--storage-area-user-session <type>
Experimental: Sets a storage mechanism for user and client sessions. Possible
values are: jpa, chm, hotrod.
values are: jpa, chm, hotrod, file.
--storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted.
--storage-file-dir <dir>
Experimental: Root directory for file map store.
--storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password>
@ -189,7 +191,8 @@ HTTP/TLS:
The password of the key store file. Default: password.
--https-key-store-type <type>
The type of the key store file. If not given, the type is automatically
detected based on the file name.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3.


@ -137,7 +137,8 @@ HTTP/TLS:
The password of the key store file. Default: password.
--https-key-store-type <type>
The type of the key store file. If not given, the type is automatically
detected based on the file name.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3.


@ -137,7 +137,8 @@ HTTP/TLS:
The password of the key store file. Default: password.
--https-key-store-type <type>
The type of the key store file. If not given, the type is automatically
detected based on the file name.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3.


@ -197,7 +197,8 @@ HTTP/TLS:
The password of the key store file. Default: password.
--https-key-store-type <type>
The type of the key store file. If not given, the type is automatically
detected based on the file name.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3.


@ -37,52 +37,54 @@ Cache:
Storage (Experimental):
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
values are: jpa, chm, hotrod.
values are: jpa, chm, hotrod, file.
--storage-area-auth-session <type>
Experimental: Sets a storage mechanism for authentication sessions. Possible
values are: jpa, chm, hotrod.
values are: jpa, chm, hotrod, file.
--storage-area-authorization <type>
Experimental: Sets a storage mechanism for authorizations. Possible values
are: jpa, chm, hotrod.
are: jpa, chm, hotrod, file.
--storage-area-client <type>
Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
chm, hotrod.
chm, hotrod, file.
--storage-area-client-scope <type>
Experimental: Sets a storage mechanism for client scopes. Possible values are:
jpa, chm, hotrod.
jpa, chm, hotrod, file.
--storage-area-event-admin <type>
Experimental: Sets a storage mechanism for admin events. Possible values are:
jpa, chm, hotrod.
jpa, chm, hotrod, file.
--storage-area-event-auth <type>
Experimental: Sets a storage mechanism for authentication and authorization
events. Possible values are: jpa, chm, hotrod.
events. Possible values are: jpa, chm, hotrod, file.
--storage-area-group <type>
Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
chm, hotrod.
chm, hotrod, file.
--storage-area-login-failure <type>
Experimental: Sets a storage mechanism for login failures. Possible values
are: jpa, chm, hotrod.
are: jpa, chm, hotrod, file.
--storage-area-realm <type>
Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
chm, hotrod.
chm, hotrod, file.
--storage-area-role <type>
Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
chm, hotrod.
chm, hotrod, file.
--storage-area-single-use-object <type>
Experimental: Sets a storage mechanism for single use objects. Possible values
are: jpa, chm, hotrod.
--storage-area-user <type>
Experimental: Sets a storage mechanism for users. Possible values are: jpa,
chm, hotrod.
chm, hotrod, file.
--storage-area-user-session <type>
Experimental: Sets a storage mechanism for user and client sessions. Possible
values are: jpa, chm, hotrod.
values are: jpa, chm, hotrod, file.
--storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted.
--storage-file-dir <dir>
Experimental: Root directory for file map store.
--storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password>
@ -195,7 +197,8 @@ HTTP/TLS:
The password of the key store file. Default: password.
--https-key-store-type <type>
The type of the key store file. If not given, the type is automatically
detected based on the file name.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3.


@ -96,7 +96,8 @@ HTTP/TLS:
The password of the key store file. Default: password.
--https-key-store-type <type>
The type of the key store file. If not given, the type is automatically
detected based on the file name.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3.


@ -57,7 +57,8 @@ Hostname:
are exposing the administration console using a hostname other than the
value set to the 'hostname' option.
--hostname-admin-url <url>
Set the base URL for accessing the administration console.
Set the base URL for accessing the administration console, including scheme,
host, port and path
--hostname-path <path>
This should be set if proxy uses a different context-path for Keycloak.
--hostname-port <port>
@ -95,7 +96,8 @@ HTTP/TLS:
The password of the key store file. Default: password.
--https-key-store-type <type>
The type of the key store file. If not given, the type is automatically
detected based on the file name.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3.


@ -115,7 +115,8 @@ HTTP/TLS:
The password of the key store file. Default: password.
--https-key-store-type <type>
The type of the key store file. If not given, the type is automatically
detected based on the file name.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3.


@ -28,6 +28,8 @@ Storage (Experimental):
Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted.
--storage-file-dir <dir>
Experimental: Root directory for file map store.
--storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password>
@ -113,7 +115,8 @@ HTTP/TLS:
The password of the key store file. Default: password.
--https-key-store-type <type>
The type of the key store file. If not given, the type is automatically
detected based on the file name.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3.