Make sure the distribution is using FIPS providers

Closes #12428

crypto/fips1402/src/main/java/org/keycloak/crypto/fips/KeycloakFipsSecurityProvider.java

@@ -2,6 +2,7 @@ package org.keycloak.crypto.fips;
 
 import static org.bouncycastle.crypto.CryptoServicesRegistrar.isInApprovedOnlyMode;
 
+import java.lang.reflect.Method;
 import java.security.Provider;
 
 import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
@@ -19,7 +20,11 @@ public class KeycloakFipsSecurityProvider extends Provider {
     private final BouncyCastleFipsProvider bcFipsProvider;
 
     public KeycloakFipsSecurityProvider(BouncyCastleFipsProvider bcFipsProvider) {
-        super("KC(" + bcFipsProvider.toString() + (isInApprovedOnlyMode() ? " Approved Mode" : "") + ")", 1, "Keycloak pseudo provider");
+        super("KC(" +
+                bcFipsProvider.toString() +
+                (isInApprovedOnlyMode() ? " Approved Mode" : "") +
+                (isSystemFipsEnabled() ? " FIPS-enabled JVM" : "") +
+                ")", 1, "Keycloak pseudo provider");
         this.bcFipsProvider = bcFipsProvider;
     }
 
@@ -33,4 +38,23 @@ public class KeycloakFipsSecurityProvider extends Provider {
             return null;
         }
     }
+
+    private static boolean isSystemFipsEnabled() {
+        Method isSystemFipsEnabled = null;
+
+        try {
+            Class<?> securityConfigurator = KeycloakFipsSecurityProvider.class.getClassLoader().loadClass("java.security.SystemConfigurator");
+            isSystemFipsEnabled = securityConfigurator.getDeclaredMethod("isSystemFipsEnabled");
+            isSystemFipsEnabled.setAccessible(true);
+            return (boolean) isSystemFipsEnabled.invoke(null);
+        } catch (Throwable ignore) {
+            logger.warn("Could not detect if FIPS is enabled from the host");
+        } finally {
+            if (isSystemFipsEnabled != null) {
+                isSystemFipsEnabled.setAccessible(false);
+            }
+        }
+
+        return false;
+    }
 }

quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java

@@ -1,6 +1,7 @@
 package org.keycloak.config;
 
 import java.io.File;
+import org.keycloak.common.crypto.FipsMode;
 
 public class HttpOptions {
 
@@ -79,10 +80,11 @@ public class HttpOptions {
             .defaultValue("password")
             .build();
 
-    public static final Option HTTPS_KEY_STORE_TYPE = new OptionBuilder<>("https-key-store-type", String.class)
+    public static final Option<String> HTTPS_KEY_STORE_TYPE = new OptionBuilder<>("https-key-store-type", String.class)
             .category(OptionCategory.HTTP)
             .description("The type of the key store file. " +
-                    "If not given, the type is automatically detected based on the file name.")
+                    "If not given, the type is automatically detected based on the file name. " +
+                    "If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.strict.name() + "' and no value is set, it defaults to 'BCFKS'.")
             .build();
 
     public static final Option HTTPS_TRUST_STORE_FILE = new OptionBuilder<>("https-trust-store-file", File.class)

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/HttpPropertyMappers.java

@@ -2,7 +2,10 @@ package org.keycloak.quarkus.runtime.configuration.mappers;
 
 import io.smallrye.config.ConfigSourceInterceptorContext;
 import io.smallrye.config.ConfigValue;
+
+import org.keycloak.common.crypto.FipsMode;
 import org.keycloak.config.HttpOptions;
+import org.keycloak.config.SecurityOptions;
 import org.keycloak.quarkus.runtime.Environment;
 import org.keycloak.quarkus.runtime.Messages;
 import org.keycloak.quarkus.runtime.configuration.MicroProfileConfigProvider;
@@ -11,6 +14,7 @@ import java.io.File;
 import java.nio.file.Paths;
 import java.util.Optional;
 
+import static java.util.Optional.empty;
 import static java.util.Optional.of;
 import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.fromOption;
 import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers.getMapper;
@@ -79,6 +83,8 @@ final class HttpPropertyMappers {
                         .build(),
                 fromOption(HttpOptions.HTTPS_KEY_STORE_TYPE)
                         .to("quarkus.http.ssl.certificate.key-store-file-type")
+                        .mapFrom(SecurityOptions.FIPS_MODE.getKey())
+                        .transformer(HttpPropertyMappers::resolveKeyStoreType)
                         .paramLabel("type")
                         .build(),
                 fromOption(HttpOptions.HTTPS_TRUST_STORE_FILE)
@@ -135,5 +141,18 @@ final class HttpPropertyMappers {
         return null;
     }
 
+    private static Optional<String> resolveKeyStoreType(Optional<String> value,
+            ConfigSourceInterceptorContext configSourceInterceptorContext) {
+        if (value.isPresent()) {
+            try {
+                if (FipsMode.valueOf(value.get()).equals(FipsMode.strict)) {
+                    return of("BCFKS");
+                }
+                return empty();
+            } catch (IllegalArgumentException ignore) {
+            }
+        }
+        return value;
+    }
 }
 

quarkus/tests/integration/src/main/java/org/keycloak/it/junit5/extension/CLITestExtension.java

@@ -233,7 +233,7 @@ public class CLITestExtension extends QuarkusMainTestExtension {
     }
 
     private KeycloakDistribution createDistribution(DistributionTest config, LegacyStore legacyStoreConfig, WithDatabase databaseConfig) {
-        return new KeycloakDistributionDecorator(legacyStoreConfig, databaseConfig, DistributionType.getCurrent().orElse(RAW).newInstance(config));
+        return new KeycloakDistributionDecorator(legacyStoreConfig, databaseConfig, config, DistributionType.getCurrent().orElse(RAW).newInstance(config));
     }
 
     @Override

quarkus/tests/integration/src/main/java/org/keycloak/it/junit5/extension/DistributionTest.java

@@ -30,7 +30,6 @@ public @interface DistributionTest {
 
     boolean debug() default false;
     boolean keepAlive() default false;
-    boolean createAdminUser() default false;
     boolean enableTls() default false;
 
     enum ReInstall {

quarkus/tests/integration/src/main/java/org/keycloak/it/junit5/extension/DistributionType.java

@@ -42,8 +42,7 @@ public enum DistributionType {
                 config.keepAlive(),
                 config.enableTls(),
                 !DistributionTest.ReInstall.NEVER.equals(config.reInstall()),
-                config.removeBuildOptionsAfterBuild(),
+                config.removeBuildOptionsAfterBuild());
-                config.createAdminUser());
     }
 
     private final Function<DistributionTest, KeycloakDistribution> factory;

quarkus/tests/integration/src/main/java/org/keycloak/it/junit5/extension/KeycloakDistributionDecorator.java

@@ -18,6 +18,7 @@
 package org.keycloak.it.junit5.extension;
 
 import java.nio.file.Path;
+import java.util.ArrayList;
 import java.util.List;
 import org.keycloak.it.utils.KeycloakDistribution;
 
@@ -25,17 +26,24 @@ public class KeycloakDistributionDecorator implements KeycloakDistribution {
 
     private LegacyStore legacyStoreConfig;
     private WithDatabase databaseConfig;
+    private DistributionTest config;
     private KeycloakDistribution delegate;
 
-    public KeycloakDistributionDecorator(LegacyStore legacyStoreConfig, WithDatabase databaseConfig, KeycloakDistribution delegate) {
+    public KeycloakDistributionDecorator(LegacyStore legacyStoreConfig, WithDatabase databaseConfig, DistributionTest config,
+            KeycloakDistribution delegate) {
         this.legacyStoreConfig = legacyStoreConfig;
         this.databaseConfig = databaseConfig;
+        this.config = config;
         this.delegate = delegate;
     }
 
     @Override
-    public CLIResult run(List<String> arguments) {
+    public CLIResult run(List<String> rawArgs) {
-        return delegate.run(new ServerOptions(legacyStoreConfig, databaseConfig, arguments));
+        List<String> args = new ArrayList<>(rawArgs);
+
+        args.addAll(List.of(config.defaultOptions()));
+
+        return delegate.run(new ServerOptions(legacyStoreConfig, databaseConfig, args));
     }
 
     @Override

quarkus/tests/integration/src/main/java/org/keycloak/it/utils/RawKeycloakDistribution.java

@@ -91,24 +91,22 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
     private boolean inited = false;
     private Map<String, String> envVars = new HashMap<>();
 
-    public RawKeycloakDistribution(boolean debug, boolean manualStop, boolean enableTls, boolean reCreate, boolean removeBuildOptionsAfterBuild,
+    public RawKeycloakDistribution(boolean debug, boolean manualStop, boolean enableTls, boolean reCreate, boolean removeBuildOptionsAfterBuild) {
-            boolean createAdminUser) {
         this.debug = debug;
         this.manualStop = manualStop;
         this.enableTls = enableTls;
         this.reCreate = reCreate;
         this.removeBuildOptionsAfterBuild = removeBuildOptionsAfterBuild;
-        this.createAdminUser = createAdminUser;
         this.distPath = prepareDistribution();
     }
 
     @Override
     public CLIResult run(List<String> arguments) {
-        reset();
+        stop();
         if (manualStop && isRunning()) {
             throw new IllegalStateException("Server already running. You should manually stop the server before starting it again.");
         }
-        stop();
+        reset();
         try {
             configureServer();
             startServer(arguments);
@@ -267,6 +265,10 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
                         "Timeout [" + getStartTimeout() + "] while waiting for Quarkus server");
             }
 
+            if (!keycloak.isAlive()) {
+                return;
+            }
+
             try {
                 // wait before checking for opening a new connection
                 if ("https".equals(contextRoot.getProtocol())) {
@@ -435,11 +437,6 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
         ProcessBuilder pb = new ProcessBuilder(getCliArgs(arguments));
         ProcessBuilder builder = pb.directory(distPath.resolve("bin").toFile());
 
-        if (createAdminUser) {
-            builder.environment().put("KEYCLOAK_ADMIN", "admin");
-            builder.environment().put("KEYCLOAK_ADMIN_PASSWORD", "admin");
-        }
-
         if (debug) {
             builder.environment().put("DEBUG_SUSPEND", "y");
         }

quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java

@@ -17,9 +17,8 @@
 
 package org.keycloak.it.cli.dist;
 
-import java.util.function.Consumer;
+import java.nio.file.Path;
 import org.junit.jupiter.api.Test;
-import org.keycloak.it.junit5.extension.BeforeStartDistribution;
 import org.keycloak.it.junit5.extension.CLIResult;
 import org.keycloak.it.junit5.extension.DistributionTest;
 import org.keycloak.it.junit5.extension.RawDistOnly;
@@ -29,46 +28,93 @@ import org.keycloak.it.utils.RawKeycloakDistribution;
 import io.quarkus.test.junit.main.Launch;
 import io.quarkus.test.junit.main.LaunchResult;
 
-@DistributionTest(createAdminUser = true)
+@DistributionTest(keepAlive = true, defaultOptions = { "--http-enabled=true", "--hostname-strict=false", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
 @RawDistOnly(reason = "Containers are immutable")
 public class FipsDistTest {
 
     @Test
-    @Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=enabled", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
+    void testFipsNonApprovedMode(KeycloakDistribution dist) {
-    @BeforeStartDistribution(FipsDistTest.InstallBcFipsDependencies.class)
+        runOnFipsEnabledDistribution(dist, () -> {
-    void testFipsNonApprovedMode(LaunchResult result) {
+            CLIResult cliResult = dist.run("start", "--fips-mode=enabled");
-        CLIResult cliResult = (CLIResult) result;
             cliResult.assertStarted();
             cliResult.assertMessage("Java security providers: [ \n"
                     + " KC(BCFIPS version 1.000203) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
+        });
     }
 
     @Test
-    @Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=strict", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
+    void testFipsApprovedMode(KeycloakDistribution dist) {
-    @BeforeStartDistribution(FipsDistTest.InstallBcFipsDependencies.class)
+        runOnFipsEnabledDistribution(dist, () -> {
-    void testFipsApprovedMode(LaunchResult result) {
+            dist.setEnvVar("KEYCLOAK_ADMIN", "admin");
-        CLIResult cliResult = (CLIResult) result;
+            dist.setEnvVar("KEYCLOAK_ADMIN_PASSWORD", "admin");
+
+            CLIResult cliResult = dist.run("start", "--fips-mode=strict");
             cliResult.assertStarted();
-        cliResult.assertMessage("org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits");
+            cliResult.assertMessage(
+                    "org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits");
             cliResult.assertMessage("Java security providers: [ \n"
                     + " KC(BCFIPS version 1.000203 Approved Mode) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
+
+            dist.setEnvVar("KEYCLOAK_ADMIN_PASSWORD", "adminadminadmin");
+            cliResult = dist.run("start", "--fips-mode=strict");
+            cliResult.assertStarted();
+            cliResult.assertMessage("Added user 'admin' to realm 'master'");
+        });
     }
 
     @Test
-    @Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=enabled", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
+    @Launch({ "start", "--fips-mode=enabled" })
     void failStartDueToMissingFipsDependencies(LaunchResult result) {
         CLIResult cliResult = (CLIResult) result;
         cliResult.assertError("Failed to configure FIPS. Make sure you have added the Bouncy Castle FIPS dependencies to the 'providers' directory.");
     }
 
-    public static class InstallBcFipsDependencies implements Consumer<KeycloakDistribution> {
+    @Test
+    void testUnsupportedHttpsJksKeyStoreInStrictMode(KeycloakDistribution dist) {
+        runOnFipsEnabledDistribution(dist, () -> {
+            dist.copyOrReplaceFileFromClasspath("/server.keystore", Path.of("conf", "server.keystore"));
+            CLIResult cliResult = dist.run("start", "--fips-mode=strict");
+            cliResult.assertMessage("ERROR: java.lang.IllegalArgumentException: malformed sequence");
+        });
+    }
 
-        @Override
+    @Test
-        public void accept(KeycloakDistribution distribution) {
+    void testHttpsBcfksKeyStoreInStrictMode(KeycloakDistribution dist) {
-            RawKeycloakDistribution rawDist = distribution.unwrap(RawKeycloakDistribution.class);
+        runOnFipsEnabledDistribution(dist, () -> {
+            dist.copyOrReplaceFileFromClasspath("/server.keystore.bcfks", Path.of("conf", "server.keystore"));
+            CLIResult cliResult = dist.run("start", "--fips-mode=strict", "--https-key-store-password=passwordpassword");
+            cliResult.assertStarted();
+        });
+    }
+
+    @Test
+    void testUnsupportedHttpsPkcs12KeyStoreInStrictMode(KeycloakDistribution dist) {
+        runOnFipsEnabledDistribution(dist, () -> {
+            dist.copyOrReplaceFileFromClasspath("/server.keystore.pkcs12", Path.of("conf", "server.keystore"));
+            CLIResult cliResult = dist.run("start", "--fips-mode=strict", "--https-key-store-password=passwordpassword");
+            cliResult.assertMessage("ERROR: java.lang.IllegalArgumentException: malformed sequence");
+        });
+    }
+
+    @Test
+    void testHttpsPkcs12KeyStoreInNonApprovedMode(KeycloakDistribution dist) {
+        runOnFipsEnabledDistribution(dist, () -> {
+            dist.copyOrReplaceFileFromClasspath("/server.keystore.pkcs12", Path.of("conf", "server.keystore"));
+            CLIResult cliResult = dist.run("start", "--fips-mode=enabled", "--https-key-store-password=passwordpassword");
+            cliResult.assertStarted();
+        });
+    }
+
+    private void runOnFipsEnabledDistribution(KeycloakDistribution dist, Runnable runnable) {
+        installBcFips(dist);
+        runnable.run();
+    }
+
+    private void installBcFips(KeycloakDistribution dist) {
+        RawKeycloakDistribution rawDist = dist.unwrap(RawKeycloakDistribution.class);
         rawDist.copyProvider("org.bouncycastle", "bc-fips");
         rawDist.copyProvider("org.bouncycastle", "bctls-fips");
         rawDist.copyProvider("org.bouncycastle", "bcpkix-fips");
     }
-    }
+
 }

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt

@@ -131,7 +131,8 @@ HTTP/TLS:
                      The password of the key store file. Default: password.
 --https-key-store-type <type>
                      The type of the key store file. If not given, the type is automatically
-                       detected based on the file name.
+                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
+                       value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
                      The list of protocols to explicitly enable. Default: TLSv1.3.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.windows.approved.txt

@@ -131,7 +131,8 @@ HTTP/TLS:
                      The password of the key store file. Default: password.
 --https-key-store-type <type>
                      The type of the key store file. If not given, the type is automatically
-                       detected based on the file name.
+                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
+                       value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
                      The list of protocols to explicitly enable. Default: TLSv1.3.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt

@@ -191,7 +191,8 @@ HTTP/TLS:
                      The password of the key store file. Default: password.
 --https-key-store-type <type>
                      The type of the key store file. If not given, the type is automatically
-                       detected based on the file name.
+                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
+                       value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
                      The list of protocols to explicitly enable. Default: TLSv1.3.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.windows.approved.txt

@@ -31,52 +31,54 @@ Cache:
 Storage (Experimental):
 
 --storage <type>     Experimental: Sets the default storage mechanism for all areas. Possible
-                       values are: jpa, chm, hotrod.
+                       values are: jpa, chm, hotrod, file.
 --storage-area-auth-session <type>
                      Experimental: Sets a storage mechanism for authentication sessions. Possible
-                       values are: jpa, chm, hotrod.
+                       values are: jpa, chm, hotrod, file.
 --storage-area-authorization <type>
                      Experimental: Sets a storage mechanism for authorizations. Possible values
-                       are: jpa, chm, hotrod.
+                       are: jpa, chm, hotrod, file.
 --storage-area-client <type>
                      Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
-                       chm, hotrod.
+                       chm, hotrod, file.
 --storage-area-client-scope <type>
                      Experimental: Sets a storage mechanism for client scopes. Possible values are:
-                       jpa, chm, hotrod.
+                       jpa, chm, hotrod, file.
 --storage-area-event-admin <type>
                      Experimental: Sets a storage mechanism for admin events. Possible values are:
-                       jpa, chm, hotrod.
+                       jpa, chm, hotrod, file.
 --storage-area-event-auth <type>
                      Experimental: Sets a storage mechanism for authentication and authorization
-                       events. Possible values are: jpa, chm, hotrod.
+                       events. Possible values are: jpa, chm, hotrod, file.
 --storage-area-group <type>
                      Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
-                       chm, hotrod.
+                       chm, hotrod, file.
 --storage-area-login-failure <type>
                      Experimental: Sets a storage mechanism for login failures. Possible values
-                       are: jpa, chm, hotrod.
+                       are: jpa, chm, hotrod, file.
 --storage-area-realm <type>
                      Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
-                       chm, hotrod.
+                       chm, hotrod, file.
 --storage-area-role <type>
                      Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
-                       chm, hotrod.
+                       chm, hotrod, file.
 --storage-area-single-use-object <type>
                      Experimental: Sets a storage mechanism for single use objects. Possible values
                        are: jpa, chm, hotrod.
 --storage-area-user <type>
                      Experimental: Sets a storage mechanism for users. Possible values are: jpa,
-                       chm, hotrod.
+                       chm, hotrod, file.
 --storage-area-user-session <type>
                      Experimental: Sets a storage mechanism for user and client sessions. Possible
-                       values are: jpa, chm, hotrod.
+                       values are: jpa, chm, hotrod, file.
 --storage-deployment-state-version-seed <type>
                      Experimental: Secret that serves as a seed to mask the version number of
                        Keycloak in URLs. Need to be identical across all servers in the cluster.
                        Will default to a random number generated when starting the server which is
                        secure but will lead to problems when a loadbalancer without sticky sessions
                        is used or nodes are restarted.
+--storage-file-dir <dir>
+                     Experimental: Root directory for file map store.
 --storage-hotrod-host <host>
                      Experimental: Sets the host of the Infinispan server.
 --storage-hotrod-password <password>
@@ -189,7 +191,8 @@ HTTP/TLS:
                      The password of the key store file. Default: password.
 --https-key-store-type <type>
                      The type of the key store file. If not given, the type is automatically
-                       detected based on the file name.
+                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
+                       value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
                      The list of protocols to explicitly enable. Default: TLSv1.3.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt

@@ -137,7 +137,8 @@ HTTP/TLS:
                      The password of the key store file. Default: password.
 --https-key-store-type <type>
                      The type of the key store file. If not given, the type is automatically
-                       detected based on the file name.
+                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
+                       value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
                      The list of protocols to explicitly enable. Default: TLSv1.3.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.windows.approved.txt

@@ -137,7 +137,8 @@ HTTP/TLS:
                      The password of the key store file. Default: password.
 --https-key-store-type <type>
                      The type of the key store file. If not given, the type is automatically
-                       detected based on the file name.
+                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
+                       value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
                      The list of protocols to explicitly enable. Default: TLSv1.3.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt

@@ -197,7 +197,8 @@ HTTP/TLS:
                      The password of the key store file. Default: password.
 --https-key-store-type <type>
                      The type of the key store file. If not given, the type is automatically
-                       detected based on the file name.
+                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
+                       value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
                      The list of protocols to explicitly enable. Default: TLSv1.3.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.windows.approved.txt

@@ -37,52 +37,54 @@ Cache:
 Storage (Experimental):
 
 --storage <type>     Experimental: Sets the default storage mechanism for all areas. Possible
-                       values are: jpa, chm, hotrod.
+                       values are: jpa, chm, hotrod, file.
 --storage-area-auth-session <type>
                      Experimental: Sets a storage mechanism for authentication sessions. Possible
-                       values are: jpa, chm, hotrod.
+                       values are: jpa, chm, hotrod, file.
 --storage-area-authorization <type>
                      Experimental: Sets a storage mechanism for authorizations. Possible values
-                       are: jpa, chm, hotrod.
+                       are: jpa, chm, hotrod, file.
 --storage-area-client <type>
                      Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
-                       chm, hotrod.
+                       chm, hotrod, file.
 --storage-area-client-scope <type>
                      Experimental: Sets a storage mechanism for client scopes. Possible values are:
-                       jpa, chm, hotrod.
+                       jpa, chm, hotrod, file.
 --storage-area-event-admin <type>
                      Experimental: Sets a storage mechanism for admin events. Possible values are:
-                       jpa, chm, hotrod.
+                       jpa, chm, hotrod, file.
 --storage-area-event-auth <type>
                      Experimental: Sets a storage mechanism for authentication and authorization
-                       events. Possible values are: jpa, chm, hotrod.
+                       events. Possible values are: jpa, chm, hotrod, file.
 --storage-area-group <type>
                      Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
-                       chm, hotrod.
+                       chm, hotrod, file.
 --storage-area-login-failure <type>
                      Experimental: Sets a storage mechanism for login failures. Possible values
-                       are: jpa, chm, hotrod.
+                       are: jpa, chm, hotrod, file.
 --storage-area-realm <type>
                      Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
-                       chm, hotrod.
+                       chm, hotrod, file.
 --storage-area-role <type>
                      Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
-                       chm, hotrod.
+                       chm, hotrod, file.
 --storage-area-single-use-object <type>
                      Experimental: Sets a storage mechanism for single use objects. Possible values
                        are: jpa, chm, hotrod.
 --storage-area-user <type>
                      Experimental: Sets a storage mechanism for users. Possible values are: jpa,
-                       chm, hotrod.
+                       chm, hotrod, file.
 --storage-area-user-session <type>
                      Experimental: Sets a storage mechanism for user and client sessions. Possible
-                       values are: jpa, chm, hotrod.
+                       values are: jpa, chm, hotrod, file.
 --storage-deployment-state-version-seed <type>
                      Experimental: Secret that serves as a seed to mask the version number of
                        Keycloak in URLs. Need to be identical across all servers in the cluster.
                        Will default to a random number generated when starting the server which is
                        secure but will lead to problems when a loadbalancer without sticky sessions
                        is used or nodes are restarted.
+--storage-file-dir <dir>
+                     Experimental: Root directory for file map store.
 --storage-hotrod-host <host>
                      Experimental: Sets the host of the Infinispan server.
 --storage-hotrod-password <password>
@@ -195,7 +197,8 @@ HTTP/TLS:
                      The password of the key store file. Default: password.
 --https-key-store-type <type>
                      The type of the key store file. If not given, the type is automatically
-                       detected based on the file name.
+                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
+                       value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
                      The list of protocols to explicitly enable. Default: TLSv1.3.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.unix.approved.txt

@@ -96,7 +96,8 @@ HTTP/TLS:
                      The password of the key store file. Default: password.
 --https-key-store-type <type>
                      The type of the key store file. If not given, the type is automatically
-                       detected based on the file name.
+                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
+                       value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
                      The list of protocols to explicitly enable. Default: TLSv1.3.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.windows.approved.txt

@@ -57,7 +57,8 @@ Hostname:
                        are exposing the administration console using a hostname other than the
                        value set to the 'hostname' option.
 --hostname-admin-url <url>
-                     Set the base URL for accessing the administration console.
+                     Set the base URL for accessing the administration console, including scheme,
+                       host, port and path
 --hostname-path <path>
                      This should be set if proxy uses a different context-path for Keycloak.
 --hostname-port <port>
@@ -95,7 +96,8 @@ HTTP/TLS:
                      The password of the key store file. Default: password.
 --https-key-store-type <type>
                      The type of the key store file. If not given, the type is automatically
-                       detected based on the file name.
+                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
+                       value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
                      The list of protocols to explicitly enable. Default: TLSv1.3.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.unix.approved.txt

@@ -115,7 +115,8 @@ HTTP/TLS:
                      The password of the key store file. Default: password.
 --https-key-store-type <type>
                      The type of the key store file. If not given, the type is automatically
-                       detected based on the file name.
+                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
+                       value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
                      The list of protocols to explicitly enable. Default: TLSv1.3.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.windows.approved.txt

@@ -28,6 +28,8 @@ Storage (Experimental):
                        Will default to a random number generated when starting the server which is
                        secure but will lead to problems when a loadbalancer without sticky sessions
                        is used or nodes are restarted.
+--storage-file-dir <dir>
+                     Experimental: Root directory for file map store.
 --storage-hotrod-host <host>
                      Experimental: Sets the host of the Infinispan server.
 --storage-hotrod-password <password>
@@ -113,7 +115,8 @@ HTTP/TLS:
                      The password of the key store file. Default: password.
 --https-key-store-type <type>
                      The type of the key store file. If not given, the type is automatically
-                       detected based on the file name.
+                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
+                       value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
                      The list of protocols to explicitly enable. Default: TLSv1.3.