parent
dc2c73bb30
commit
2059ffb219
23 changed files with 200 additions and 87 deletions
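--- a/PATH-NOT-ON-PAGE/KeycloakFipsSecurityProvider.java
+++ b/PATH-NOT-ON-PAGE/KeycloakFipsSecurityProvider.java
@@ -2,6 +2,7 @@ package org.keycloak.crypto.fips;
 
 import static org.bouncycastle.crypto.CryptoServicesRegistrar.isInApprovedOnlyMode;
 
+import java.lang.reflect.Method;
 import java.security.Provider;
 
 import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
@@ -19,7 +20,11 @@ public class KeycloakFipsSecurityProvider extends Provider {
     private final BouncyCastleFipsProvider bcFipsProvider;
 
     public KeycloakFipsSecurityProvider(BouncyCastleFipsProvider bcFipsProvider) {
-        super("KC(" + bcFipsProvider.toString() + (isInApprovedOnlyMode() ? " Approved Mode" : "") + ")", 1, "Keycloak pseudo provider");
+        super("KC(" +
+                bcFipsProvider.toString() +
+                (isInApprovedOnlyMode() ? " Approved Mode" : "") +
+                (isSystemFipsEnabled() ? " FIPS-enabled JVM" : "") +
+                ")", 1, "Keycloak pseudo provider");
         this.bcFipsProvider = bcFipsProvider;
     }
 
@@ -33,4 +38,23 @@ public class KeycloakFipsSecurityProvider extends Provider {
             return null;
         }
     }
+
+    private static boolean isSystemFipsEnabled() {
+        Method isSystemFipsEnabled = null;
+
+        try {
+            Class<?> securityConfigurator = KeycloakFipsSecurityProvider.class.getClassLoader().loadClass("java.security.SystemConfigurator");
+            isSystemFipsEnabled = securityConfigurator.getDeclaredMethod("isSystemFipsEnabled");
+            isSystemFipsEnabled.setAccessible(true);
+            return (boolean) isSystemFipsEnabled.invoke(null);
+        } catch (Throwable ignore) {
+            logger.warn("Could not detect if FIPS is enabled from the host");
+        } finally {
+            if (isSystemFipsEnabled != null) {
+                isSystemFipsEnabled.setAccessible(false);
+            }
+        }
+
+        return false;
+    }
 }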
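Review bot: `isSystemFipsEnabled()` catches `Throwable` and logs only a fixed message, so the reason the probe failed is lost — on JDKs without `java.security.SystemConfigurator` it is a `ClassNotFoundException`, and on JDK 17 `setAccessible(true)` on a `java.base` internal throws `InaccessibleObjectException` unless the JVM runs with `--add-opens java.base/java.security=ALL-UNNAMED` — and the warning fires on every provider construction on any such JDK. Since the result only decorates the provider's display name, logging at debug with the cause and narrowing the catch is quieter: `} catch (ReflectiveOperationException | RuntimeException e) { logger.debug("Could not detect if FIPS is enabled from the host", e); }`; the `logger` field is declared outside the hunk, so confirm it offers the two-argument form. A one-line comment above the method saying it probes a JDK-internal API that exists only in some vendor builds would also help the next reader.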
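--- a/PATH-NOT-ON-PAGE/HttpOptions.java
+++ b/PATH-NOT-ON-PAGE/HttpOptions.java
@@ -1,6 +1,7 @@
 package org.keycloak.config;
 
 import java.io.File;
+import org.keycloak.common.crypto.FipsMode;
 
 public class HttpOptions {
 
@@ -79,10 +80,11 @@ public class HttpOptions {
             .defaultValue("password")
             .build();
 
-    public static final Option HTTPS_KEY_STORE_TYPE = new OptionBuilder<>("https-key-store-type", String.class)
+    public static final Option<String> HTTPS_KEY_STORE_TYPE = new OptionBuilder<>("https-key-store-type", String.class)
             .category(OptionCategory.HTTP)
             .description("The type of the key store file. " +
-                    "If not given, the type is automatically detected based on the file name.")
+                    "If not given, the type is automatically detected based on the file name. " +
+                    "If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.strict.name() + "' and no value is set, it defaults to 'BCFKS'.")
             .build();
 
     public static final Option HTTPS_TRUST_STORE_FILE = new OptionBuilder<>("https-trust-store-file", File.class)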
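Review bot: `HTTPS_KEY_STORE_TYPE` gains its `Option<String>` type parameter, but `HTTPS_TRUST_STORE_FILE` three lines below in the same hunk stays a raw `Option`, so the file now mixes both styles; `public static final Option<File> HTTPS_TRUST_STORE_FILE = new OptionBuilder<>("https-trust-store-file", File.class)` keeps them consistent. The new description also spells the strict-mode default `'BCFKS'` as a literal that `HttpPropertyMappers.resolveKeyStoreType` repeats, so a shared constant would keep the help text and the mapper from drifting apart.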
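--- a/PATH-NOT-ON-PAGE/HttpPropertyMappers.java
+++ b/PATH-NOT-ON-PAGE/HttpPropertyMappers.java
@@ -2,7 +2,10 @@ package org.keycloak.quarkus.runtime.configuration.mappers;
 
 import io.smallrye.config.ConfigSourceInterceptorContext;
 import io.smallrye.config.ConfigValue;
+
+import org.keycloak.common.crypto.FipsMode;
 import org.keycloak.config.HttpOptions;
+import org.keycloak.config.SecurityOptions;
 import org.keycloak.quarkus.runtime.Environment;
 import org.keycloak.quarkus.runtime.Messages;
 import org.keycloak.quarkus.runtime.configuration.MicroProfileConfigProvider;
@@ -11,6 +14,7 @@ import java.io.File;
 import java.nio.file.Paths;
 import java.util.Optional;
 
+import static java.util.Optional.empty;
 import static java.util.Optional.of;
 import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.fromOption;
 import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers.getMapper;
@@ -79,6 +83,8 @@ final class HttpPropertyMappers {
                         .build(),
                 fromOption(HttpOptions.HTTPS_KEY_STORE_TYPE)
                         .to("quarkus.http.ssl.certificate.key-store-file-type")
+                        .mapFrom(SecurityOptions.FIPS_MODE.getKey())
+                        .transformer(HttpPropertyMappers::resolveKeyStoreType)
                         .paramLabel("type")
                         .build(),
                 fromOption(HttpOptions.HTTPS_TRUST_STORE_FILE)
@@ -135,5 +141,18 @@ final class HttpPropertyMappers {
         return null;
     }
 
+    private static Optional<String> resolveKeyStoreType(Optional<String> value,
+            ConfigSourceInterceptorContext configSourceInterceptorContext) {
+        if (value.isPresent()) {
+            try {
+                if (FipsMode.valueOf(value.get()).equals(FipsMode.strict)) {
+                    return of("BCFKS");
+                }
+                return empty();
+            } catch (IllegalArgumentException ignore) {
+            }
+        }
+        return value;
+    }
 }
 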
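Review bot: In `resolveKeyStoreType` the `catch (IllegalArgumentException ignore) {}` block is empty and uncommented, so a reader cannot tell it is the deliberate path for a value that is an explicit key-store type rather than a `FipsMode` name; add `// not a fips-mode value: the user configured an explicit key-store type, pass it through` inside the block. The strict-mode default `"BCFKS"` is hard-coded here and again in the `HttpOptions` description, so a shared constant is worth considering. The mapper also lets a non-FIPS type such as JKS or PKCS12 through in strict mode, where the server then fails with an opaque `malformed sequence` error (the new `FipsDistTest` cases pin exactly that), so rejecting it here with a message naming `https-key-store-type` and `fips-mode` would make the misconfiguration obvious. Whether the transformer sees the explicit option value or the `fips-mode` value it is mapped from depends on `PropertyMapper`, which is outside this hunk.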
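--- a/PATH-NOT-ON-PAGE/CLITestExtension.java
+++ b/PATH-NOT-ON-PAGE/CLITestExtension.java
@@ -233,7 +233,7 @@ public class CLITestExtension extends QuarkusMainTestExtension {
     }
 
     private KeycloakDistribution createDistribution(DistributionTest config, LegacyStore legacyStoreConfig, WithDatabase databaseConfig) {
-        return new KeycloakDistributionDecorator(legacyStoreConfig, databaseConfig, DistributionType.getCurrent().orElse(RAW).newInstance(config));
+        return new KeycloakDistributionDecorator(legacyStoreConfig, databaseConfig, config, DistributionType.getCurrent().orElse(RAW).newInstance(config));
     }
 
     @Override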
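--- a/PATH-NOT-ON-PAGE/DistributionTest.java
+++ b/PATH-NOT-ON-PAGE/DistributionTest.java
@@ -30,7 +30,6 @@ public @interface DistributionTest {
 
     boolean debug() default false;
     boolean keepAlive() default false;
-    boolean createAdminUser() default false;
     boolean enableTls() default false;
 
     enum ReInstall {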
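--- a/PATH-NOT-ON-PAGE/DistributionType.java
+++ b/PATH-NOT-ON-PAGE/DistributionType.java
@@ -42,8 +42,7 @@ public enum DistributionType {
                         config.keepAlive(),
                         config.enableTls(),
                         !DistributionTest.ReInstall.NEVER.equals(config.reInstall()),
-                        config.removeBuildOptionsAfterBuild(),
-                        config.createAdminUser());
+                        config.removeBuildOptionsAfterBuild());
     }
 
     private final Function<DistributionTest, KeycloakDistribution> factory;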
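--- a/PATH-NOT-ON-PAGE/KeycloakDistributionDecorator.java
+++ b/PATH-NOT-ON-PAGE/KeycloakDistributionDecorator.java
@@ -18,6 +18,7 @@
 package org.keycloak.it.junit5.extension;
 
 import java.nio.file.Path;
+import java.util.ArrayList;
 import java.util.List;
 import org.keycloak.it.utils.KeycloakDistribution;
 
@@ -25,17 +26,24 @@ public class KeycloakDistributionDecorator implements KeycloakDistribution {
 
     private LegacyStore legacyStoreConfig;
     private WithDatabase databaseConfig;
+    private DistributionTest config;
     private KeycloakDistribution delegate;
 
-    public KeycloakDistributionDecorator(LegacyStore legacyStoreConfig, WithDatabase databaseConfig, KeycloakDistribution delegate) {
+    public KeycloakDistributionDecorator(LegacyStore legacyStoreConfig, WithDatabase databaseConfig, DistributionTest config,
+            KeycloakDistribution delegate) {
         this.legacyStoreConfig = legacyStoreConfig;
         this.databaseConfig = databaseConfig;
+        this.config = config;
         this.delegate = delegate;
     }
 
     @Override
-    public CLIResult run(List<String> arguments) {
-        return delegate.run(new ServerOptions(legacyStoreConfig, databaseConfig, arguments));
+    public CLIResult run(List<String> rawArgs) {
+        List<String> args = new ArrayList<>(rawArgs);
+
+        args.addAll(List.of(config.defaultOptions()));
+
+        return delegate.run(new ServerOptions(legacyStoreConfig, databaseConfig, args));
     }
 
     @Override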
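Review bot: `run` appends `config.defaultOptions()` after the caller's arguments, so a test that passes its own `--http-enabled` or `--log-level` value cannot override the annotation defaults — whichever occurrence the CLI parser honours, the per-test value is not guaranteed to win. Putting the defaults first, `List<String> args = new ArrayList<>(List.of(config.defaultOptions()));` followed by `args.addAll(rawArgs);`, gives the explicit arguments precedence. `List.of` also throws `NullPointerException` on a null element, and `defaultOptions()` is not declared in any hunk on this page, so confirm its annotation default is an empty array rather than null.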
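--- a/PATH-NOT-ON-PAGE/RawKeycloakDistribution.java
+++ b/PATH-NOT-ON-PAGE/RawKeycloakDistribution.java
@@ -91,24 +91,22 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
     private boolean inited = false;
     private Map<String, String> envVars = new HashMap<>();
 
-    public RawKeycloakDistribution(boolean debug, boolean manualStop, boolean enableTls, boolean reCreate, boolean removeBuildOptionsAfterBuild,
-            boolean createAdminUser) {
+    public RawKeycloakDistribution(boolean debug, boolean manualStop, boolean enableTls, boolean reCreate, boolean removeBuildOptionsAfterBuild) {
         this.debug = debug;
         this.manualStop = manualStop;
         this.enableTls = enableTls;
         this.reCreate = reCreate;
         this.removeBuildOptionsAfterBuild = removeBuildOptionsAfterBuild;
-        this.createAdminUser = createAdminUser;
         this.distPath = prepareDistribution();
     }
 
     @Override
     public CLIResult run(List<String> arguments) {
-        reset();
+        stop();
         if (manualStop && isRunning()) {
             throw new IllegalStateException("Server already running. You should manually stop the server before starting it again.");
         }
-        stop();
+        reset();
         try {
             configureServer();
             startServer(arguments);
@@ -267,6 +265,10 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
                         "Timeout [" + getStartTimeout() + "] while waiting for Quarkus server");
             }
 
+            if (!keycloak.isAlive()) {
+                return;
+            }
+
             try {
                 // wait before checking for opening a new connection
                 if ("https".equals(contextRoot.getProtocol())) {
@@ -435,11 +437,6 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
         ProcessBuilder pb = new ProcessBuilder(getCliArgs(arguments));
         ProcessBuilder builder = pb.directory(distPath.resolve("bin").toFile());
 
-        if (createAdminUser) {
-            builder.environment().put("KEYCLOAK_ADMIN", "admin");
-            builder.environment().put("KEYCLOAK_ADMIN_PASSWORD", "admin");
-        }
-
         if (debug) {
             builder.environment().put("DEBUG_SUSPEND", "y");
         }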
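Review bot: In `run`, `stop()` now executes before the `manualStop && isRunning()` guard, so unless `stop()` is a no-op when `manualStop` is set (its body is outside the hunk) the guard can no longer fire and the `IllegalStateException` path is dead; either the ordering deserves a comment such as `// stop any previous instance first so keepAlive tests can call run() repeatedly` or the guard should go. The `createAdminUser` constructor parameter and its environment block in the third hunk are removed, but the `createAdminUser` field declaration does not appear in any hunk on this page, so confirm it was removed as well. The added `if (!keycloak.isAlive()) return;` in the second hunk silently ends the startup wait when the process has already exited; callers presumably read the failure from the captured output, and a short comment saying so would make that contract visible. The enclosing methods of the second and third hunks start and end outside the hunks.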
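--- a/PATH-NOT-ON-PAGE/FipsDistTest.java
+++ b/PATH-NOT-ON-PAGE/FipsDistTest.java
@@ -17,9 +17,8 @@
 
 package org.keycloak.it.cli.dist;
 
-import java.util.function.Consumer;
+import java.nio.file.Path;
 import org.junit.jupiter.api.Test;
-import org.keycloak.it.junit5.extension.BeforeStartDistribution;
 import org.keycloak.it.junit5.extension.CLIResult;
 import org.keycloak.it.junit5.extension.DistributionTest;
 import org.keycloak.it.junit5.extension.RawDistOnly;
@@ -29,46 +28,93 @@ import org.keycloak.it.utils.RawKeycloakDistribution;
 import io.quarkus.test.junit.main.Launch;
 import io.quarkus.test.junit.main.LaunchResult;
 
-@DistributionTest(createAdminUser = true)
+@DistributionTest(keepAlive = true, defaultOptions = { "--http-enabled=true", "--hostname-strict=false", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
 @RawDistOnly(reason = "Containers are immutable")
 public class FipsDistTest {
 
     @Test
-    @Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=enabled", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
-    @BeforeStartDistribution(FipsDistTest.InstallBcFipsDependencies.class)
-    void testFipsNonApprovedMode(LaunchResult result) {
-        CLIResult cliResult = (CLIResult) result;
-        cliResult.assertStarted();
-        cliResult.assertMessage("Java security providers: [ \n"
-                + " KC(BCFIPS version 1.000203) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
+    void testFipsNonApprovedMode(KeycloakDistribution dist) {
+        runOnFipsEnabledDistribution(dist, () -> {
+            CLIResult cliResult = dist.run("start", "--fips-mode=enabled");
+            cliResult.assertStarted();
+            cliResult.assertMessage("Java security providers: [ \n"
+                    + " KC(BCFIPS version 1.000203) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
+        });
     }
 
     @Test
-    @Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=strict", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
-    @BeforeStartDistribution(FipsDistTest.InstallBcFipsDependencies.class)
-    void testFipsApprovedMode(LaunchResult result) {
-        CLIResult cliResult = (CLIResult) result;
-        cliResult.assertStarted();
-        cliResult.assertMessage("org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits");
-        cliResult.assertMessage("Java security providers: [ \n"
-                + " KC(BCFIPS version 1.000203 Approved Mode) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
+    void testFipsApprovedMode(KeycloakDistribution dist) {
+        runOnFipsEnabledDistribution(dist, () -> {
+            dist.setEnvVar("KEYCLOAK_ADMIN", "admin");
+            dist.setEnvVar("KEYCLOAK_ADMIN_PASSWORD", "admin");
+
+            CLIResult cliResult = dist.run("start", "--fips-mode=strict");
+            cliResult.assertStarted();
+            cliResult.assertMessage(
+                    "org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits");
+            cliResult.assertMessage("Java security providers: [ \n"
+                    + " KC(BCFIPS version 1.000203 Approved Mode) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
+
+            dist.setEnvVar("KEYCLOAK_ADMIN_PASSWORD", "adminadminadmin");
+            cliResult = dist.run("start", "--fips-mode=strict");
+            cliResult.assertStarted();
+            cliResult.assertMessage("Added user 'admin' to realm 'master'");
+        });
     }
 
     @Test
-    @Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=enabled", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
+    @Launch({ "start", "--fips-mode=enabled" })
     void failStartDueToMissingFipsDependencies(LaunchResult result) {
         CLIResult cliResult = (CLIResult) result;
         cliResult.assertError("Failed to configure FIPS. Make sure you have added the Bouncy Castle FIPS dependencies to the 'providers' directory.");
     }
 
-    public static class InstallBcFipsDependencies implements Consumer<KeycloakDistribution> {
-        @Override
-        public void accept(KeycloakDistribution distribution) {
-            RawKeycloakDistribution rawDist = distribution.unwrap(RawKeycloakDistribution.class);
-            rawDist.copyProvider("org.bouncycastle", "bc-fips");
-            rawDist.copyProvider("org.bouncycastle", "bctls-fips");
-            rawDist.copyProvider("org.bouncycastle", "bcpkix-fips");
-        }
+    @Test
+    void testUnsupportedHttpsJksKeyStoreInStrictMode(KeycloakDistribution dist) {
+        runOnFipsEnabledDistribution(dist, () -> {
+            dist.copyOrReplaceFileFromClasspath("/server.keystore", Path.of("conf", "server.keystore"));
+            CLIResult cliResult = dist.run("start", "--fips-mode=strict");
+            cliResult.assertMessage("ERROR: java.lang.IllegalArgumentException: malformed sequence");
+        });
     }
 
+    @Test
+    void testHttpsBcfksKeyStoreInStrictMode(KeycloakDistribution dist) {
+        runOnFipsEnabledDistribution(dist, () -> {
+            dist.copyOrReplaceFileFromClasspath("/server.keystore.bcfks", Path.of("conf", "server.keystore"));
+            CLIResult cliResult = dist.run("start", "--fips-mode=strict", "--https-key-store-password=passwordpassword");
+            cliResult.assertStarted();
+        });
+    }
+
+    @Test
+    void testUnsupportedHttpsPkcs12KeyStoreInStrictMode(KeycloakDistribution dist) {
+        runOnFipsEnabledDistribution(dist, () -> {
+            dist.copyOrReplaceFileFromClasspath("/server.keystore.pkcs12", Path.of("conf", "server.keystore"));
+            CLIResult cliResult = dist.run("start", "--fips-mode=strict", "--https-key-store-password=passwordpassword");
+            cliResult.assertMessage("ERROR: java.lang.IllegalArgumentException: malformed sequence");
+        });
+    }
+
+    @Test
+    void testHttpsPkcs12KeyStoreInNonApprovedMode(KeycloakDistribution dist) {
+        runOnFipsEnabledDistribution(dist, () -> {
+            dist.copyOrReplaceFileFromClasspath("/server.keystore.pkcs12", Path.of("conf", "server.keystore"));
+            CLIResult cliResult = dist.run("start", "--fips-mode=enabled", "--https-key-store-password=passwordpassword");
+            cliResult.assertStarted();
+        });
+    }
+
+    private void runOnFipsEnabledDistribution(KeycloakDistribution dist, Runnable runnable) {
+        installBcFips(dist);
+        runnable.run();
+    }
+
+    private void installBcFips(KeycloakDistribution dist) {
+        RawKeycloakDistribution rawDist = dist.unwrap(RawKeycloakDistribution.class);
+        rawDist.copyProvider("org.bouncycastle", "bc-fips");
+        rawDist.copyProvider("org.bouncycastle", "bctls-fips");
+        rawDist.copyProvider("org.bouncycastle", "bcpkix-fips");
+    }
+
 }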
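Review bot: The first `dist.run("start", "--fips-mode=strict")` in `testFipsApprovedMode` asserts both `assertStarted()` and the `FipsUnapprovedOperationError: password must be at least 112 bits` message, so the test codifies that a bootstrap admin password rejected in approved mode still yields a started server with no admin user; a comment such as `// admin creation is rejected in approved mode, but the server itself still starts` would stop a reader from taking the pairing for a bug. The new assertions also pin the exact Bouncy Castle string `BCFIPS version 1.000203` and the JDK parser text `malformed sequence`, both of which will break on the next BC-FIPS or JDK update and are not documented as deliberate. `runOnFipsEnabledDistribution` has no Javadoc; one line saying it copies the three FIPS provider jars into the raw distribution before running the body would explain why every test goes through it.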
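--- a/PATH-NOT-ON-PAGE/expected-help-output-1
+++ b/PATH-NOT-ON-PAGE/expected-help-output-1
@@ -131,7 +131,8 @@ HTTP/TLS:
 The password of the key store file. Default: password.
 --https-key-store-type <type>
 The type of the key store file. If not given, the type is automatically
-detected based on the file name.
+detected based on the file name. If 'fips-mode' is set to 'strict' and no
+value is set, it defaults to 'BCFKS'.
 --https-port <port> The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
 The list of protocols to explicitly enable. Default: TLSv1.3.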
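--- a/PATH-NOT-ON-PAGE/expected-help-output-2
+++ b/PATH-NOT-ON-PAGE/expected-help-output-2
@@ -131,7 +131,8 @@ HTTP/TLS:
 The password of the key store file. Default: password.
 --https-key-store-type <type>
 The type of the key store file. If not given, the type is automatically
-detected based on the file name.
+detected based on the file name. If 'fips-mode' is set to 'strict' and no
+value is set, it defaults to 'BCFKS'.
 --https-port <port> The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
 The list of protocols to explicitly enable. Default: TLSv1.3.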
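--- a/PATH-NOT-ON-PAGE/expected-help-output-3
+++ b/PATH-NOT-ON-PAGE/expected-help-output-3
@@ -191,7 +191,8 @@ HTTP/TLS:
 The password of the key store file. Default: password.
 --https-key-store-type <type>
 The type of the key store file. If not given, the type is automatically
-detected based on the file name.
+detected based on the file name. If 'fips-mode' is set to 'strict' and no
+value is set, it defaults to 'BCFKS'.
 --https-port <port> The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
 The list of protocols to explicitly enable. Default: TLSv1.3.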
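--- a/PATH-NOT-ON-PAGE/expected-help-output-4
+++ b/PATH-NOT-ON-PAGE/expected-help-output-4
@@ -31,52 +31,54 @@ Cache:
 Storage (Experimental):
 
 --storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
-values are: jpa, chm, hotrod.
+values are: jpa, chm, hotrod, file.
 --storage-area-auth-session <type>
 Experimental: Sets a storage mechanism for authentication sessions. Possible
-values are: jpa, chm, hotrod.
+values are: jpa, chm, hotrod, file.
 --storage-area-authorization <type>
 Experimental: Sets a storage mechanism for authorizations. Possible values
-are: jpa, chm, hotrod.
+are: jpa, chm, hotrod, file.
 --storage-area-client <type>
 Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
-chm, hotrod.
+chm, hotrod, file.
 --storage-area-client-scope <type>
 Experimental: Sets a storage mechanism for client scopes. Possible values are:
-jpa, chm, hotrod.
+jpa, chm, hotrod, file.
 --storage-area-event-admin <type>
 Experimental: Sets a storage mechanism for admin events. Possible values are:
-jpa, chm, hotrod.
+jpa, chm, hotrod, file.
 --storage-area-event-auth <type>
 Experimental: Sets a storage mechanism for authentication and authorization
-events. Possible values are: jpa, chm, hotrod.
+events. Possible values are: jpa, chm, hotrod, file.
 --storage-area-group <type>
 Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
-chm, hotrod.
+chm, hotrod, file.
 --storage-area-login-failure <type>
 Experimental: Sets a storage mechanism for login failures. Possible values
-are: jpa, chm, hotrod.
+are: jpa, chm, hotrod, file.
 --storage-area-realm <type>
 Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
-chm, hotrod.
+chm, hotrod, file.
 --storage-area-role <type>
 Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
-chm, hotrod.
+chm, hotrod, file.
 --storage-area-single-use-object <type>
 Experimental: Sets a storage mechanism for single use objects. Possible values
 are: jpa, chm, hotrod.
 --storage-area-user <type>
 Experimental: Sets a storage mechanism for users. Possible values are: jpa,
-chm, hotrod.
+chm, hotrod, file.
 --storage-area-user-session <type>
 Experimental: Sets a storage mechanism for user and client sessions. Possible
-values are: jpa, chm, hotrod.
+values are: jpa, chm, hotrod, file.
 --storage-deployment-state-version-seed <type>
 Experimental: Secret that serves as a seed to mask the version number of
 Keycloak in URLs. Need to be identical across all servers in the cluster.
 Will default to a random number generated when starting the server which is
 secure but will lead to problems when a loadbalancer without sticky sessions
 is used or nodes are restarted.
+--storage-file-dir <dir>
+Experimental: Root directory for file map store.
 --storage-hotrod-host <host>
 Experimental: Sets the host of the Infinispan server.
 --storage-hotrod-password <password>
@@ -189,7 +191,8 @@ HTTP/TLS:
 The password of the key store file. Default: password.
 --https-key-store-type <type>
 The type of the key store file. If not given, the type is automatically
-detected based on the file name.
+detected based on the file name. If 'fips-mode' is set to 'strict' and no
+value is set, it defaults to 'BCFKS'.
 --https-port <port> The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
 The list of protocols to explicitly enable. Default: TLSv1.3.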
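--- a/PATH-NOT-ON-PAGE/expected-help-output-5
+++ b/PATH-NOT-ON-PAGE/expected-help-output-5
@@ -137,7 +137,8 @@ HTTP/TLS:
 The password of the key store file. Default: password.
 --https-key-store-type <type>
 The type of the key store file. If not given, the type is automatically
-detected based on the file name.
+detected based on the file name. If 'fips-mode' is set to 'strict' and no
+value is set, it defaults to 'BCFKS'.
 --https-port <port> The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
 The list of protocols to explicitly enable. Default: TLSv1.3.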
@ -137,7 +137,8 @@ HTTP/TLS:
|
||||||
The password of the key store file. Default: password.
|
The password of the key store file. Default: password.
|
||||||
--https-key-store-type <type>
|
--https-key-store-type <type>
|
||||||
The type of the key store file. If not given, the type is automatically
|
The type of the key store file. If not given, the type is automatically
|
||||||
detected based on the file name.
|
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||||
|
value is set, it defaults to 'BCFKS'.
|
||||||
--https-port <port> The used HTTPS port. Default: 8443.
|
--https-port <port> The used HTTPS port. Default: 8443.
|
||||||
--https-protocols <protocols>
|
--https-protocols <protocols>
|
||||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||||
|
|
|
@ -197,7 +197,8 @@ HTTP/TLS:
|
||||||
The password of the key store file. Default: password.
|
The password of the key store file. Default: password.
|
||||||
--https-key-store-type <type>
|
--https-key-store-type <type>
|
||||||
The type of the key store file. If not given, the type is automatically
|
The type of the key store file. If not given, the type is automatically
|
||||||
detected based on the file name.
|
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||||
|
value is set, it defaults to 'BCFKS'.
|
||||||
--https-port <port> The used HTTPS port. Default: 8443.
|
--https-port <port> The used HTTPS port. Default: 8443.
|
||||||
--https-protocols <protocols>
|
--https-protocols <protocols>
|
||||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||||
|
|
|
@ -37,52 +37,54 @@ Cache:
|
||||||
Storage (Experimental):
|
Storage (Experimental):
|
||||||
|
|
||||||
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
|
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
|
||||||
values are: jpa, chm, hotrod.
|
values are: jpa, chm, hotrod, file.
|
||||||
--storage-area-auth-session <type>
|
--storage-area-auth-session <type>
|
||||||
Experimental: Sets a storage mechanism for authentication sessions. Possible
|
Experimental: Sets a storage mechanism for authentication sessions. Possible
|
||||||
values are: jpa, chm, hotrod.
|
values are: jpa, chm, hotrod, file.
|
||||||
--storage-area-authorization <type>
|
--storage-area-authorization <type>
|
||||||
Experimental: Sets a storage mechanism for authorizations. Possible values
|
Experimental: Sets a storage mechanism for authorizations. Possible values
|
||||||
are: jpa, chm, hotrod.
|
are: jpa, chm, hotrod, file.
|
||||||
--storage-area-client <type>
|
--storage-area-client <type>
|
||||||
Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
|
Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
|
||||||
chm, hotrod.
|
chm, hotrod, file.
|
||||||
--storage-area-client-scope <type>
|
--storage-area-client-scope <type>
|
||||||
Experimental: Sets a storage mechanism for client scopes. Possible values are:
|
Experimental: Sets a storage mechanism for client scopes. Possible values are:
|
||||||
jpa, chm, hotrod.
|
jpa, chm, hotrod, file.
|
||||||
--storage-area-event-admin <type>
|
--storage-area-event-admin <type>
|
||||||
Experimental: Sets a storage mechanism for admin events. Possible values are:
|
Experimental: Sets a storage mechanism for admin events. Possible values are:
|
||||||
jpa, chm, hotrod.
|
jpa, chm, hotrod, file.
|
||||||
--storage-area-event-auth <type>
|
--storage-area-event-auth <type>
|
||||||
Experimental: Sets a storage mechanism for authentication and authorization
|
Experimental: Sets a storage mechanism for authentication and authorization
|
||||||
events. Possible values are: jpa, chm, hotrod.
|
events. Possible values are: jpa, chm, hotrod, file.
|
||||||
--storage-area-group <type>
|
--storage-area-group <type>
|
||||||
Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
|
Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
|
||||||
chm, hotrod.
|
chm, hotrod, file.
|
||||||
--storage-area-login-failure <type>
|
--storage-area-login-failure <type>
|
||||||
Experimental: Sets a storage mechanism for login failures. Possible values
|
Experimental: Sets a storage mechanism for login failures. Possible values
|
||||||
are: jpa, chm, hotrod.
|
are: jpa, chm, hotrod, file.
|
||||||
--storage-area-realm <type>
|
--storage-area-realm <type>
|
||||||
Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
|
Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
|
||||||
chm, hotrod.
|
chm, hotrod, file.
|
||||||
--storage-area-role <type>
|
--storage-area-role <type>
|
||||||
Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
|
Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
|
||||||
chm, hotrod.
|
chm, hotrod, file.
|
||||||
--storage-area-single-use-object <type>
|
--storage-area-single-use-object <type>
|
||||||
Experimental: Sets a storage mechanism for single use objects. Possible values
|
Experimental: Sets a storage mechanism for single use objects. Possible values
|
||||||
are: jpa, chm, hotrod.
|
are: jpa, chm, hotrod.
|
||||||
--storage-area-user <type>
|
--storage-area-user <type>
|
||||||
Experimental: Sets a storage mechanism for users. Possible values are: jpa,
|
Experimental: Sets a storage mechanism for users. Possible values are: jpa,
|
||||||
chm, hotrod.
|
chm, hotrod, file.
|
||||||
--storage-area-user-session <type>
|
--storage-area-user-session <type>
|
||||||
Experimental: Sets a storage mechanism for user and client sessions. Possible
|
Experimental: Sets a storage mechanism for user and client sessions. Possible
|
||||||
values are: jpa, chm, hotrod.
|
values are: jpa, chm, hotrod, file.
|
||||||
--storage-deployment-state-version-seed <type>
|
--storage-deployment-state-version-seed <type>
|
||||||
Experimental: Secret that serves as a seed to mask the version number of
|
Experimental: Secret that serves as a seed to mask the version number of
|
||||||
Keycloak in URLs. Need to be identical across all servers in the cluster.
|
Keycloak in URLs. Need to be identical across all servers in the cluster.
|
||||||
Will default to a random number generated when starting the server which is
|
Will default to a random number generated when starting the server which is
|
||||||
secure but will lead to problems when a loadbalancer without sticky sessions
|
secure but will lead to problems when a loadbalancer without sticky sessions
|
||||||
is used or nodes are restarted.
|
is used or nodes are restarted.
|
||||||
|
--storage-file-dir <dir>
|
||||||
|
Experimental: Root directory for file map store.
|
||||||
--storage-hotrod-host <host>
|
--storage-hotrod-host <host>
|
||||||
Experimental: Sets the host of the Infinispan server.
|
Experimental: Sets the host of the Infinispan server.
|
||||||
--storage-hotrod-password <password>
|
--storage-hotrod-password <password>
|
||||||
|
@ -195,7 +197,8 @@ HTTP/TLS:
|
||||||
The password of the key store file. Default: password.
|
The password of the key store file. Default: password.
|
||||||
--https-key-store-type <type>
|
--https-key-store-type <type>
|
||||||
The type of the key store file. If not given, the type is automatically
|
The type of the key store file. If not given, the type is automatically
|
||||||
detected based on the file name.
|
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||||
|
value is set, it defaults to 'BCFKS'.
|
||||||
--https-port <port> The used HTTPS port. Default: 8443.
|
--https-port <port> The used HTTPS port. Default: 8443.
|
||||||
--https-protocols <protocols>
|
--https-protocols <protocols>
|
||||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||||
|
|
|
@ -96,7 +96,8 @@ HTTP/TLS:
|
||||||
The password of the key store file. Default: password.
|
The password of the key store file. Default: password.
|
||||||
--https-key-store-type <type>
|
--https-key-store-type <type>
|
||||||
The type of the key store file. If not given, the type is automatically
|
The type of the key store file. If not given, the type is automatically
|
||||||
detected based on the file name.
|
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||||
|
value is set, it defaults to 'BCFKS'.
|
||||||
--https-port <port> The used HTTPS port. Default: 8443.
|
--https-port <port> The used HTTPS port. Default: 8443.
|
||||||
--https-protocols <protocols>
|
--https-protocols <protocols>
|
||||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||||
|
|
|
@ -57,7 +57,8 @@ Hostname:
|
||||||
are exposing the administration console using a hostname other than the
|
are exposing the administration console using a hostname other than the
|
||||||
value set to the 'hostname' option.
|
value set to the 'hostname' option.
|
||||||
--hostname-admin-url <url>
|
--hostname-admin-url <url>
|
||||||
Set the base URL for accessing the administration console.
|
Set the base URL for accessing the administration console, including scheme,
|
||||||
|
host, port and path
|
||||||
--hostname-path <path>
|
--hostname-path <path>
|
||||||
This should be set if proxy uses a different context-path for Keycloak.
|
This should be set if proxy uses a different context-path for Keycloak.
|
||||||
--hostname-port <port>
|
--hostname-port <port>
|
||||||
|
@ -95,7 +96,8 @@ HTTP/TLS:
|
||||||
The password of the key store file. Default: password.
|
The password of the key store file. Default: password.
|
||||||
--https-key-store-type <type>
|
--https-key-store-type <type>
|
||||||
The type of the key store file. If not given, the type is automatically
|
The type of the key store file. If not given, the type is automatically
|
||||||
detected based on the file name.
|
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||||
|
value is set, it defaults to 'BCFKS'.
|
||||||
--https-port <port> The used HTTPS port. Default: 8443.
|
--https-port <port> The used HTTPS port. Default: 8443.
|
||||||
--https-protocols <protocols>
|
--https-protocols <protocols>
|
||||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||||
|
|
|
@ -115,7 +115,8 @@ HTTP/TLS:
|
||||||
The password of the key store file. Default: password.
|
The password of the key store file. Default: password.
|
||||||
--https-key-store-type <type>
|
--https-key-store-type <type>
|
||||||
The type of the key store file. If not given, the type is automatically
|
The type of the key store file. If not given, the type is automatically
|
||||||
detected based on the file name.
|
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||||
|
value is set, it defaults to 'BCFKS'.
|
||||||
--https-port <port> The used HTTPS port. Default: 8443.
|
--https-port <port> The used HTTPS port. Default: 8443.
|
||||||
--https-protocols <protocols>
|
--https-protocols <protocols>
|
||||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||||
|
|
|
@ -28,6 +28,8 @@ Storage (Experimental):
|
||||||
Will default to a random number generated when starting the server which is
|
Will default to a random number generated when starting the server which is
|
||||||
secure but will lead to problems when a loadbalancer without sticky sessions
|
secure but will lead to problems when a loadbalancer without sticky sessions
|
||||||
is used or nodes are restarted.
|
is used or nodes are restarted.
|
||||||
|
--storage-file-dir <dir>
|
||||||
|
Experimental: Root directory for file map store.
|
||||||
--storage-hotrod-host <host>
|
--storage-hotrod-host <host>
|
||||||
Experimental: Sets the host of the Infinispan server.
|
Experimental: Sets the host of the Infinispan server.
|
||||||
--storage-hotrod-password <password>
|
--storage-hotrod-password <password>
|
||||||
|
@ -113,7 +115,8 @@ HTTP/TLS:
|
||||||
The password of the key store file. Default: password.
|
The password of the key store file. Default: password.
|
||||||
--https-key-store-type <type>
|
--https-key-store-type <type>
|
||||||
The type of the key store file. If not given, the type is automatically
|
The type of the key store file. If not given, the type is automatically
|
||||||
detected based on the file name.
|
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||||
|
value is set, it defaults to 'BCFKS'.
|
||||||
--https-port <port> The used HTTPS port. Default: 8443.
|
--https-port <port> The used HTTPS port. Default: 8443.
|
||||||
--https-protocols <protocols>
|
--https-protocols <protocols>
|
||||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||||
|
|