Make sure the distribution is using FIPS providers

Closes #12428
This commit is contained in:
Pedro Igor 2023-02-09 18:32:57 -03:00 committed by Marek Posolda
parent dc2c73bb30
commit 2059ffb219
23 changed files with 200 additions and 87 deletions


@ -2,6 +2,7 @@ package org.keycloak.crypto.fips;
import static org.bouncycastle.crypto.CryptoServicesRegistrar.isInApprovedOnlyMode; import static org.bouncycastle.crypto.CryptoServicesRegistrar.isInApprovedOnlyMode;
import java.lang.reflect.Method;
import java.security.Provider; import java.security.Provider;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
@ -19,7 +20,11 @@ public class KeycloakFipsSecurityProvider extends Provider {
private final BouncyCastleFipsProvider bcFipsProvider; private final BouncyCastleFipsProvider bcFipsProvider;
public KeycloakFipsSecurityProvider(BouncyCastleFipsProvider bcFipsProvider) { public KeycloakFipsSecurityProvider(BouncyCastleFipsProvider bcFipsProvider) {
super("KC(" + bcFipsProvider.toString() + (isInApprovedOnlyMode() ? " Approved Mode" : "") + ")", 1, "Keycloak pseudo provider"); super("KC(" +
bcFipsProvider.toString() +
(isInApprovedOnlyMode() ? " Approved Mode" : "") +
(isSystemFipsEnabled() ? " FIPS-enabled JVM" : "") +
")", 1, "Keycloak pseudo provider");
this.bcFipsProvider = bcFipsProvider; this.bcFipsProvider = bcFipsProvider;
} }
@ -33,4 +38,23 @@ public class KeycloakFipsSecurityProvider extends Provider {
return null; return null;
} }
} }
private static boolean isSystemFipsEnabled() {
Method isSystemFipsEnabled = null;
try {
Class<?> securityConfigurator = KeycloakFipsSecurityProvider.class.getClassLoader().loadClass("java.security.SystemConfigurator");
isSystemFipsEnabled = securityConfigurator.getDeclaredMethod("isSystemFipsEnabled");
isSystemFipsEnabled.setAccessible(true);
return (boolean) isSystemFipsEnabled.invoke(null);
} catch (Throwable ignore) {
logger.warn("Could not detect if FIPS is enabled from the host");
} finally {
if (isSystemFipsEnabled != null) {
isSystemFipsEnabled.setAccessible(false);
}
}
return false;
}
} }
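Review bot: The `catch (Throwable ignore)` in `isSystemFipsEnabled` drops the exception, so when the reflective lookup fails the warning on the next line gives no reason. On a modular JDK, `java.security.SystemConfigurator` is a non-public JDK-internal class and `java.base` does not open `java.security`, so `setAccessible(true)` can be expected to throw `InaccessibleObjectException` unless the runtime is launched with `--add-opens java.base/java.security=ALL-UNNAMED`; the likely outcome is a false negative behind an opaque warning. Log the cause, `logger.warn("Could not detect if FIPS is enabled from the host", ignore);` (or at debug level if the warning is too noisy), and state the contract above the method: `// Best-effort probe of a vendor-specific JDK class; false when it is absent or inaccessible, so the "FIPS-enabled JVM" label is informational only.` `logger` is declared outside this hunk.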


@ -1,6 +1,7 @@
package org.keycloak.config; package org.keycloak.config;
import java.io.File; import java.io.File;
import org.keycloak.common.crypto.FipsMode;
public class HttpOptions { public class HttpOptions {
@ -79,10 +80,11 @@ public class HttpOptions {
.defaultValue("password") .defaultValue("password")
.build(); .build();
public static final Option HTTPS_KEY_STORE_TYPE = new OptionBuilder<>("https-key-store-type", String.class) public static final Option<String> HTTPS_KEY_STORE_TYPE = new OptionBuilder<>("https-key-store-type", String.class)
.category(OptionCategory.HTTP) .category(OptionCategory.HTTP)
.description("The type of the key store file. " + .description("The type of the key store file. " +
"If not given, the type is automatically detected based on the file name.") "If not given, the type is automatically detected based on the file name. " +
"If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.strict.name() + "' and no value is set, it defaults to 'BCFKS'.")
.build(); .build();
public static final Option HTTPS_TRUST_STORE_FILE = new OptionBuilder<>("https-trust-store-file", File.class) public static final Option HTTPS_TRUST_STORE_FILE = new OptionBuilder<>("https-trust-store-file", File.class)


@ -2,7 +2,10 @@ package org.keycloak.quarkus.runtime.configuration.mappers;
import io.smallrye.config.ConfigSourceInterceptorContext; import io.smallrye.config.ConfigSourceInterceptorContext;
import io.smallrye.config.ConfigValue; import io.smallrye.config.ConfigValue;
import org.keycloak.common.crypto.FipsMode;
import org.keycloak.config.HttpOptions; import org.keycloak.config.HttpOptions;
import org.keycloak.config.SecurityOptions;
import org.keycloak.quarkus.runtime.Environment; import org.keycloak.quarkus.runtime.Environment;
import org.keycloak.quarkus.runtime.Messages; import org.keycloak.quarkus.runtime.Messages;
import org.keycloak.quarkus.runtime.configuration.MicroProfileConfigProvider; import org.keycloak.quarkus.runtime.configuration.MicroProfileConfigProvider;
@ -11,6 +14,7 @@ import java.io.File;
import java.nio.file.Paths; import java.nio.file.Paths;
import java.util.Optional; import java.util.Optional;
import static java.util.Optional.empty;
import static java.util.Optional.of; import static java.util.Optional.of;
import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.fromOption; import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.fromOption;
import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers.getMapper; import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers.getMapper;
@ -79,6 +83,8 @@ final class HttpPropertyMappers {
.build(), .build(),
fromOption(HttpOptions.HTTPS_KEY_STORE_TYPE) fromOption(HttpOptions.HTTPS_KEY_STORE_TYPE)
.to("quarkus.http.ssl.certificate.key-store-file-type") .to("quarkus.http.ssl.certificate.key-store-file-type")
.mapFrom(SecurityOptions.FIPS_MODE.getKey())
.transformer(HttpPropertyMappers::resolveKeyStoreType)
.paramLabel("type") .paramLabel("type")
.build(), .build(),
fromOption(HttpOptions.HTTPS_TRUST_STORE_FILE) fromOption(HttpOptions.HTTPS_TRUST_STORE_FILE)
@ -135,5 +141,18 @@ final class HttpPropertyMappers {
return null; return null;
} }
private static Optional<String> resolveKeyStoreType(Optional<String> value,
ConfigSourceInterceptorContext configSourceInterceptorContext) {
if (value.isPresent()) {
try {
if (FipsMode.valueOf(value.get()).equals(FipsMode.strict)) {
return of("BCFKS");
}
return empty();
} catch (IllegalArgumentException ignore) {
}
}
return value;
}
} }
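Review bot: `resolveKeyStoreType` has an empty `catch (IllegalArgumentException ignore) {}` and uses that exception as control flow to tell an explicit key-store type apart from the fips-mode value that `.mapFrom(SecurityOptions.FIPS_MODE.getKey())` feeds in when `https-key-store-type` is unset. That contract is written down nowhere, and a reader of `value.isPresent()` cannot tell which of the two the value is. Matching the value against the `FipsMode` names explicitly removes the exception path and makes both cases visible; behaviour is otherwise unchanged (strict → BCFKS, other modes → auto-detect, anything else passes through untouched).
```java
private static Optional<String> resolveKeyStoreType(Optional<String> value,
        ConfigSourceInterceptorContext configSourceInterceptorContext) {
    // value is either an explicit https-key-store-type or, via mapFrom, the fips-mode value
    if (!value.isPresent()) {
        return value;
    }
    for (FipsMode mode : FipsMode.values()) {
        if (mode.name().equals(value.get())) {
            // no explicit type: strict mode requires BCFKS, otherwise keep auto-detection
            return mode == FipsMode.strict ? of("BCFKS") : empty();
        }
    }
    return value; // explicit key-store type, passed through untouched
}
```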


@ -233,7 +233,7 @@ public class CLITestExtension extends QuarkusMainTestExtension {
} }
private KeycloakDistribution createDistribution(DistributionTest config, LegacyStore legacyStoreConfig, WithDatabase databaseConfig) { private KeycloakDistribution createDistribution(DistributionTest config, LegacyStore legacyStoreConfig, WithDatabase databaseConfig) {
return new KeycloakDistributionDecorator(legacyStoreConfig, databaseConfig, DistributionType.getCurrent().orElse(RAW).newInstance(config)); return new KeycloakDistributionDecorator(legacyStoreConfig, databaseConfig, config, DistributionType.getCurrent().orElse(RAW).newInstance(config));
} }
@Override @Override


@ -30,7 +30,6 @@ public @interface DistributionTest {
boolean debug() default false; boolean debug() default false;
boolean keepAlive() default false; boolean keepAlive() default false;
boolean createAdminUser() default false;
boolean enableTls() default false; boolean enableTls() default false;
enum ReInstall { enum ReInstall {


@ -42,8 +42,7 @@ public enum DistributionType {
config.keepAlive(), config.keepAlive(),
config.enableTls(), config.enableTls(),
!DistributionTest.ReInstall.NEVER.equals(config.reInstall()), !DistributionTest.ReInstall.NEVER.equals(config.reInstall()),
config.removeBuildOptionsAfterBuild(), config.removeBuildOptionsAfterBuild());
config.createAdminUser());
} }
private final Function<DistributionTest, KeycloakDistribution> factory; private final Function<DistributionTest, KeycloakDistribution> factory;


@ -18,6 +18,7 @@
package org.keycloak.it.junit5.extension; package org.keycloak.it.junit5.extension;
import java.nio.file.Path; import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List; import java.util.List;
import org.keycloak.it.utils.KeycloakDistribution; import org.keycloak.it.utils.KeycloakDistribution;
@ -25,17 +26,24 @@ public class KeycloakDistributionDecorator implements KeycloakDistribution {
private LegacyStore legacyStoreConfig; private LegacyStore legacyStoreConfig;
private WithDatabase databaseConfig; private WithDatabase databaseConfig;
private DistributionTest config;
private KeycloakDistribution delegate; private KeycloakDistribution delegate;
public KeycloakDistributionDecorator(LegacyStore legacyStoreConfig, WithDatabase databaseConfig, KeycloakDistribution delegate) { public KeycloakDistributionDecorator(LegacyStore legacyStoreConfig, WithDatabase databaseConfig, DistributionTest config,
KeycloakDistribution delegate) {
this.legacyStoreConfig = legacyStoreConfig; this.legacyStoreConfig = legacyStoreConfig;
this.databaseConfig = databaseConfig; this.databaseConfig = databaseConfig;
this.config = config;
this.delegate = delegate; this.delegate = delegate;
} }
@Override @Override
public CLIResult run(List<String> arguments) { public CLIResult run(List<String> rawArgs) {
return delegate.run(new ServerOptions(legacyStoreConfig, databaseConfig, arguments)); List<String> args = new ArrayList<>(rawArgs);
args.addAll(List.of(config.defaultOptions()));
return delegate.run(new ServerOptions(legacyStoreConfig, databaseConfig, args));
} }
@Override @Override
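Review bot: In `run`, `config.defaultOptions()` is appended after the caller's arguments, so a test that passes one of the same options explicitly ends up with both occurrences on the command line, and which one wins is decided by the CLI parser rather than by the test. Appending only those defaults whose option name is not already present in `rawArgs` would make the per-test argument authoritative; at minimum the intended precedence should be stated, `// defaults from @DistributionTest are appended after, and may override, the test's own arguments`. `run` also dereferences `config` unconditionally now, so `Objects.requireNonNull(config, "config")` in the constructor would turn a missing annotation into a clear failure; whether a null config can reach it depends on `CLITestExtension`, which is outside this hunk.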


@ -91,24 +91,22 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
private boolean inited = false; private boolean inited = false;
private Map<String, String> envVars = new HashMap<>(); private Map<String, String> envVars = new HashMap<>();
public RawKeycloakDistribution(boolean debug, boolean manualStop, boolean enableTls, boolean reCreate, boolean removeBuildOptionsAfterBuild, public RawKeycloakDistribution(boolean debug, boolean manualStop, boolean enableTls, boolean reCreate, boolean removeBuildOptionsAfterBuild) {
boolean createAdminUser) {
this.debug = debug; this.debug = debug;
this.manualStop = manualStop; this.manualStop = manualStop;
this.enableTls = enableTls; this.enableTls = enableTls;
this.reCreate = reCreate; this.reCreate = reCreate;
this.removeBuildOptionsAfterBuild = removeBuildOptionsAfterBuild; this.removeBuildOptionsAfterBuild = removeBuildOptionsAfterBuild;
this.createAdminUser = createAdminUser;
this.distPath = prepareDistribution(); this.distPath = prepareDistribution();
} }
@Override @Override
public CLIResult run(List<String> arguments) { public CLIResult run(List<String> arguments) {
reset(); stop();
if (manualStop && isRunning()) { if (manualStop && isRunning()) {
throw new IllegalStateException("Server already running. You should manually stop the server before starting it again."); throw new IllegalStateException("Server already running. You should manually stop the server before starting it again.");
} }
stop(); reset();
try { try {
configureServer(); configureServer();
startServer(arguments); startServer(arguments);
@ -267,6 +265,10 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
"Timeout [" + getStartTimeout() + "] while waiting for Quarkus server"); "Timeout [" + getStartTimeout() + "] while waiting for Quarkus server");
} }
if (!keycloak.isAlive()) {
return;
}
try { try {
// wait before checking for opening a new connection // wait before checking for opening a new connection
if ("https".equals(contextRoot.getProtocol())) { if ("https".equals(contextRoot.getProtocol())) {
@ -435,11 +437,6 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
ProcessBuilder pb = new ProcessBuilder(getCliArgs(arguments)); ProcessBuilder pb = new ProcessBuilder(getCliArgs(arguments));
ProcessBuilder builder = pb.directory(distPath.resolve("bin").toFile()); ProcessBuilder builder = pb.directory(distPath.resolve("bin").toFile());
if (createAdminUser) {
builder.environment().put("KEYCLOAK_ADMIN", "admin");
builder.environment().put("KEYCLOAK_ADMIN_PASSWORD", "admin");
}
if (debug) { if (debug) {
builder.environment().put("DEBUG_SUSPEND", "y"); builder.environment().put("DEBUG_SUSPEND", "y");
} }
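Review bot: In `run`, `stop()` now runs before the `manualStop && isRunning()` check, so if `stop()` terminates the process the guard that was meant to force a test to stop the server manually can never fire — the exception becomes unreachable and the server is silently restarted instead. If the manual-stop contract is still wanted the check has to stay ahead of `stop()`; if it is being dropped, remove the dead guard rather than leave it. The added `if (!keycloak.isAlive()) return;` in the startup wait also returns as though startup had completed when the process has died; a short comment, `// process exited during startup: return and let the caller inspect the output`, would mark that as deliberate, and the enclosing method starts and ends outside this hunk.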


@ -17,9 +17,8 @@
package org.keycloak.it.cli.dist; package org.keycloak.it.cli.dist;
import java.util.function.Consumer; import java.nio.file.Path;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.keycloak.it.junit5.extension.BeforeStartDistribution;
import org.keycloak.it.junit5.extension.CLIResult; import org.keycloak.it.junit5.extension.CLIResult;
import org.keycloak.it.junit5.extension.DistributionTest; import org.keycloak.it.junit5.extension.DistributionTest;
import org.keycloak.it.junit5.extension.RawDistOnly; import org.keycloak.it.junit5.extension.RawDistOnly;
@ -29,46 +28,93 @@ import org.keycloak.it.utils.RawKeycloakDistribution;
import io.quarkus.test.junit.main.Launch; import io.quarkus.test.junit.main.Launch;
import io.quarkus.test.junit.main.LaunchResult; import io.quarkus.test.junit.main.LaunchResult;
@DistributionTest(createAdminUser = true) @DistributionTest(keepAlive = true, defaultOptions = { "--http-enabled=true", "--hostname-strict=false", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
@RawDistOnly(reason = "Containers are immutable") @RawDistOnly(reason = "Containers are immutable")
public class FipsDistTest { public class FipsDistTest {
@Test @Test
@Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=enabled", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" }) void testFipsNonApprovedMode(KeycloakDistribution dist) {
@BeforeStartDistribution(FipsDistTest.InstallBcFipsDependencies.class) runOnFipsEnabledDistribution(dist, () -> {
void testFipsNonApprovedMode(LaunchResult result) { CLIResult cliResult = dist.run("start", "--fips-mode=enabled");
CLIResult cliResult = (CLIResult) result; cliResult.assertStarted();
cliResult.assertStarted(); cliResult.assertMessage("Java security providers: [ \n"
cliResult.assertMessage("Java security providers: [ \n" + " KC(BCFIPS version 1.000203) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
+ " KC(BCFIPS version 1.000203) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider"); });
} }
@Test @Test
@Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=strict", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" }) void testFipsApprovedMode(KeycloakDistribution dist) {
@BeforeStartDistribution(FipsDistTest.InstallBcFipsDependencies.class) runOnFipsEnabledDistribution(dist, () -> {
void testFipsApprovedMode(LaunchResult result) { dist.setEnvVar("KEYCLOAK_ADMIN", "admin");
CLIResult cliResult = (CLIResult) result; dist.setEnvVar("KEYCLOAK_ADMIN_PASSWORD", "admin");
cliResult.assertStarted();
cliResult.assertMessage("org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits"); CLIResult cliResult = dist.run("start", "--fips-mode=strict");
cliResult.assertMessage("Java security providers: [ \n" cliResult.assertStarted();
+ " KC(BCFIPS version 1.000203 Approved Mode) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider"); cliResult.assertMessage(
"org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits");
cliResult.assertMessage("Java security providers: [ \n"
+ " KC(BCFIPS version 1.000203 Approved Mode) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
dist.setEnvVar("KEYCLOAK_ADMIN_PASSWORD", "adminadminadmin");
cliResult = dist.run("start", "--fips-mode=strict");
cliResult.assertStarted();
cliResult.assertMessage("Added user 'admin' to realm 'master'");
});
} }
@Test @Test
@Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=enabled", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" }) @Launch({ "start", "--fips-mode=enabled" })
void failStartDueToMissingFipsDependencies(LaunchResult result) { void failStartDueToMissingFipsDependencies(LaunchResult result) {
CLIResult cliResult = (CLIResult) result; CLIResult cliResult = (CLIResult) result;
cliResult.assertError("Failed to configure FIPS. Make sure you have added the Bouncy Castle FIPS dependencies to the 'providers' directory."); cliResult.assertError("Failed to configure FIPS. Make sure you have added the Bouncy Castle FIPS dependencies to the 'providers' directory.");
} }
public static class InstallBcFipsDependencies implements Consumer<KeycloakDistribution> { @Test
void testUnsupportedHttpsJksKeyStoreInStrictMode(KeycloakDistribution dist) {
@Override runOnFipsEnabledDistribution(dist, () -> {
public void accept(KeycloakDistribution distribution) { dist.copyOrReplaceFileFromClasspath("/server.keystore", Path.of("conf", "server.keystore"));
RawKeycloakDistribution rawDist = distribution.unwrap(RawKeycloakDistribution.class); CLIResult cliResult = dist.run("start", "--fips-mode=strict");
rawDist.copyProvider("org.bouncycastle", "bc-fips"); cliResult.assertMessage("ERROR: java.lang.IllegalArgumentException: malformed sequence");
rawDist.copyProvider("org.bouncycastle", "bctls-fips"); });
rawDist.copyProvider("org.bouncycastle", "bcpkix-fips");
}
} }
@Test
void testHttpsBcfksKeyStoreInStrictMode(KeycloakDistribution dist) {
runOnFipsEnabledDistribution(dist, () -> {
dist.copyOrReplaceFileFromClasspath("/server.keystore.bcfks", Path.of("conf", "server.keystore"));
CLIResult cliResult = dist.run("start", "--fips-mode=strict", "--https-key-store-password=passwordpassword");
cliResult.assertStarted();
});
}
@Test
void testUnsupportedHttpsPkcs12KeyStoreInStrictMode(KeycloakDistribution dist) {
runOnFipsEnabledDistribution(dist, () -> {
dist.copyOrReplaceFileFromClasspath("/server.keystore.pkcs12", Path.of("conf", "server.keystore"));
CLIResult cliResult = dist.run("start", "--fips-mode=strict", "--https-key-store-password=passwordpassword");
cliResult.assertMessage("ERROR: java.lang.IllegalArgumentException: malformed sequence");
});
}
@Test
void testHttpsPkcs12KeyStoreInNonApprovedMode(KeycloakDistribution dist) {
runOnFipsEnabledDistribution(dist, () -> {
dist.copyOrReplaceFileFromClasspath("/server.keystore.pkcs12", Path.of("conf", "server.keystore"));
CLIResult cliResult = dist.run("start", "--fips-mode=enabled", "--https-key-store-password=passwordpassword");
cliResult.assertStarted();
});
}
private void runOnFipsEnabledDistribution(KeycloakDistribution dist, Runnable runnable) {
installBcFips(dist);
runnable.run();
}
private void installBcFips(KeycloakDistribution dist) {
RawKeycloakDistribution rawDist = dist.unwrap(RawKeycloakDistribution.class);
rawDist.copyProvider("org.bouncycastle", "bc-fips");
rawDist.copyProvider("org.bouncycastle", "bctls-fips");
rawDist.copyProvider("org.bouncycastle", "bcpkix-fips");
}
} }
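Review bot: The BC FIPS jars copied by `installBcFips` and the variables set with `dist.setEnvVar` are applied to the shared distribution and are never undone by `runOnFipsEnabledDistribution`, so `failStartDueToMissingFipsDependencies` only fails as expected if it runs before any FIPS-enabled test or the extension re-creates the distribution per test (the `reInstall` default is not visible here). The second `dist.run` in `testFipsApprovedMode` relies on the same shared state, since `KEYCLOAK_ADMIN` from the first run is still in effect. Either clean up in a `finally` (`try { runnable.run(); } finally { /* remove the copied providers and clear the env vars */ }`) or document the assumption on `runOnFipsEnabledDistribution`: `// Installs BC FIPS into the shared distribution; relies on the distribution being re-created between tests.`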


@ -131,7 +131,8 @@ HTTP/TLS:
The password of the key store file. Default: password. The password of the key store file. Default: password.
--https-key-store-type <type> --https-key-store-type <type>
The type of the key store file. If not given, the type is automatically The type of the key store file. If not given, the type is automatically
detected based on the file name. detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443. --https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols> --https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3. The list of protocols to explicitly enable. Default: TLSv1.3.


@ -131,7 +131,8 @@ HTTP/TLS:
The password of the key store file. Default: password. The password of the key store file. Default: password.
--https-key-store-type <type> --https-key-store-type <type>
The type of the key store file. If not given, the type is automatically The type of the key store file. If not given, the type is automatically
detected based on the file name. detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443. --https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols> --https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3. The list of protocols to explicitly enable. Default: TLSv1.3.


@ -191,7 +191,8 @@ HTTP/TLS:
The password of the key store file. Default: password. The password of the key store file. Default: password.
--https-key-store-type <type> --https-key-store-type <type>
The type of the key store file. If not given, the type is automatically The type of the key store file. If not given, the type is automatically
detected based on the file name. detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443. --https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols> --https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3. The list of protocols to explicitly enable. Default: TLSv1.3.


@ -31,52 +31,54 @@ Cache:
Storage (Experimental): Storage (Experimental):
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible --storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
values are: jpa, chm, hotrod. values are: jpa, chm, hotrod, file.
--storage-area-auth-session <type> --storage-area-auth-session <type>
Experimental: Sets a storage mechanism for authentication sessions. Possible Experimental: Sets a storage mechanism for authentication sessions. Possible
values are: jpa, chm, hotrod. values are: jpa, chm, hotrod, file.
--storage-area-authorization <type> --storage-area-authorization <type>
Experimental: Sets a storage mechanism for authorizations. Possible values Experimental: Sets a storage mechanism for authorizations. Possible values
are: jpa, chm, hotrod. are: jpa, chm, hotrod, file.
--storage-area-client <type> --storage-area-client <type>
Experimental: Sets a storage mechanism for clients. Possible values are: jpa, Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
chm, hotrod. chm, hotrod, file.
--storage-area-client-scope <type> --storage-area-client-scope <type>
Experimental: Sets a storage mechanism for client scopes. Possible values are: Experimental: Sets a storage mechanism for client scopes. Possible values are:
jpa, chm, hotrod. jpa, chm, hotrod, file.
--storage-area-event-admin <type> --storage-area-event-admin <type>
Experimental: Sets a storage mechanism for admin events. Possible values are: Experimental: Sets a storage mechanism for admin events. Possible values are:
jpa, chm, hotrod. jpa, chm, hotrod, file.
--storage-area-event-auth <type> --storage-area-event-auth <type>
Experimental: Sets a storage mechanism for authentication and authorization Experimental: Sets a storage mechanism for authentication and authorization
events. Possible values are: jpa, chm, hotrod. events. Possible values are: jpa, chm, hotrod, file.
--storage-area-group <type> --storage-area-group <type>
Experimental: Sets a storage mechanism for groups. Possible values are: jpa, Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
chm, hotrod. chm, hotrod, file.
--storage-area-login-failure <type> --storage-area-login-failure <type>
Experimental: Sets a storage mechanism for login failures. Possible values Experimental: Sets a storage mechanism for login failures. Possible values
are: jpa, chm, hotrod. are: jpa, chm, hotrod, file.
--storage-area-realm <type> --storage-area-realm <type>
Experimental: Sets a storage mechanism for realms. Possible values are: jpa, Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
chm, hotrod. chm, hotrod, file.
--storage-area-role <type> --storage-area-role <type>
Experimental: Sets a storage mechanism for roles. Possible values are: jpa, Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
chm, hotrod. chm, hotrod, file.
--storage-area-single-use-object <type> --storage-area-single-use-object <type>
Experimental: Sets a storage mechanism for single use objects. Possible values Experimental: Sets a storage mechanism for single use objects. Possible values
are: jpa, chm, hotrod. are: jpa, chm, hotrod.
--storage-area-user <type> --storage-area-user <type>
Experimental: Sets a storage mechanism for users. Possible values are: jpa, Experimental: Sets a storage mechanism for users. Possible values are: jpa,
chm, hotrod. chm, hotrod, file.
--storage-area-user-session <type> --storage-area-user-session <type>
Experimental: Sets a storage mechanism for user and client sessions. Possible Experimental: Sets a storage mechanism for user and client sessions. Possible
values are: jpa, chm, hotrod. values are: jpa, chm, hotrod, file.
--storage-deployment-state-version-seed <type> --storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster. Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted. is used or nodes are restarted.
--storage-file-dir <dir>
Experimental: Root directory for file map store.
--storage-hotrod-host <host> --storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server. Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password> --storage-hotrod-password <password>
@ -189,7 +191,8 @@ HTTP/TLS:
The password of the key store file. Default: password. The password of the key store file. Default: password.
--https-key-store-type <type> --https-key-store-type <type>
The type of the key store file. If not given, the type is automatically The type of the key store file. If not given, the type is automatically
detected based on the file name. detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443. --https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols> --https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3. The list of protocols to explicitly enable. Default: TLSv1.3.


@ -137,7 +137,8 @@ HTTP/TLS:
The password of the key store file. Default: password. The password of the key store file. Default: password.
--https-key-store-type <type> --https-key-store-type <type>
The type of the key store file. If not given, the type is automatically The type of the key store file. If not given, the type is automatically
detected based on the file name. detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443. --https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols> --https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3. The list of protocols to explicitly enable. Default: TLSv1.3.


@ -137,7 +137,8 @@ HTTP/TLS:
The password of the key store file. Default: password. The password of the key store file. Default: password.
--https-key-store-type <type> --https-key-store-type <type>
The type of the key store file. If not given, the type is automatically The type of the key store file. If not given, the type is automatically
detected based on the file name. detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443. --https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols> --https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3. The list of protocols to explicitly enable. Default: TLSv1.3.


@ -197,7 +197,8 @@ HTTP/TLS:
The password of the key store file. Default: password. The password of the key store file. Default: password.
--https-key-store-type <type> --https-key-store-type <type>
The type of the key store file. If not given, the type is automatically The type of the key store file. If not given, the type is automatically
detected based on the file name. detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443. --https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols> --https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3. The list of protocols to explicitly enable. Default: TLSv1.3.


@ -37,52 +37,54 @@ Cache:
Storage (Experimental): Storage (Experimental):
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible --storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
values are: jpa, chm, hotrod. values are: jpa, chm, hotrod, file.
--storage-area-auth-session <type> --storage-area-auth-session <type>
Experimental: Sets a storage mechanism for authentication sessions. Possible Experimental: Sets a storage mechanism for authentication sessions. Possible
values are: jpa, chm, hotrod. values are: jpa, chm, hotrod, file.
--storage-area-authorization <type> --storage-area-authorization <type>
Experimental: Sets a storage mechanism for authorizations. Possible values Experimental: Sets a storage mechanism for authorizations. Possible values
are: jpa, chm, hotrod. are: jpa, chm, hotrod, file.
--storage-area-client <type> --storage-area-client <type>
Experimental: Sets a storage mechanism for clients. Possible values are: jpa, Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
chm, hotrod. chm, hotrod, file.
--storage-area-client-scope <type> --storage-area-client-scope <type>
Experimental: Sets a storage mechanism for client scopes. Possible values are: Experimental: Sets a storage mechanism for client scopes. Possible values are:
jpa, chm, hotrod. jpa, chm, hotrod, file.
--storage-area-event-admin <type> --storage-area-event-admin <type>
Experimental: Sets a storage mechanism for admin events. Possible values are: Experimental: Sets a storage mechanism for admin events. Possible values are:
jpa, chm, hotrod. jpa, chm, hotrod, file.
--storage-area-event-auth <type> --storage-area-event-auth <type>
Experimental: Sets a storage mechanism for authentication and authorization Experimental: Sets a storage mechanism for authentication and authorization
events. Possible values are: jpa, chm, hotrod. events. Possible values are: jpa, chm, hotrod, file.
--storage-area-group <type> --storage-area-group <type>
Experimental: Sets a storage mechanism for groups. Possible values are: jpa, Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
chm, hotrod. chm, hotrod, file.
--storage-area-login-failure <type> --storage-area-login-failure <type>
Experimental: Sets a storage mechanism for login failures. Possible values Experimental: Sets a storage mechanism for login failures. Possible values
are: jpa, chm, hotrod. are: jpa, chm, hotrod, file.
--storage-area-realm <type> --storage-area-realm <type>
Experimental: Sets a storage mechanism for realms. Possible values are: jpa, Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
chm, hotrod. chm, hotrod, file.
--storage-area-role <type> --storage-area-role <type>
Experimental: Sets a storage mechanism for roles. Possible values are: jpa, Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
chm, hotrod. chm, hotrod, file.
--storage-area-single-use-object <type> --storage-area-single-use-object <type>
Experimental: Sets a storage mechanism for single use objects. Possible values Experimental: Sets a storage mechanism for single use objects. Possible values
are: jpa, chm, hotrod. are: jpa, chm, hotrod.
--storage-area-user <type> --storage-area-user <type>
Experimental: Sets a storage mechanism for users. Possible values are: jpa, Experimental: Sets a storage mechanism for users. Possible values are: jpa,
chm, hotrod. chm, hotrod, file.
--storage-area-user-session <type> --storage-area-user-session <type>
Experimental: Sets a storage mechanism for user and client sessions. Possible Experimental: Sets a storage mechanism for user and client sessions. Possible
values are: jpa, chm, hotrod. values are: jpa, chm, hotrod, file.
--storage-deployment-state-version-seed <type> --storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster. Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted. is used or nodes are restarted.
--storage-file-dir <dir>
Experimental: Root directory for file map store.
--storage-hotrod-host <host> --storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server. Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password> --storage-hotrod-password <password>
@ -195,7 +197,8 @@ HTTP/TLS:
The password of the key store file. Default: password. The password of the key store file. Default: password.
--https-key-store-type <type> --https-key-store-type <type>
The type of the key store file. If not given, the type is automatically The type of the key store file. If not given, the type is automatically
detected based on the file name. detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443. --https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols> --https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3. The list of protocols to explicitly enable. Default: TLSv1.3.


@ -96,7 +96,8 @@ HTTP/TLS:
The password of the key store file. Default: password. The password of the key store file. Default: password.
--https-key-store-type <type> --https-key-store-type <type>
The type of the key store file. If not given, the type is automatically The type of the key store file. If not given, the type is automatically
detected based on the file name. detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443. --https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols> --https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3. The list of protocols to explicitly enable. Default: TLSv1.3.


@ -57,7 +57,8 @@ Hostname:
are exposing the administration console using a hostname other than the are exposing the administration console using a hostname other than the
value set to the 'hostname' option. value set to the 'hostname' option.
--hostname-admin-url <url> --hostname-admin-url <url>
Set the base URL for accessing the administration console. Set the base URL for accessing the administration console, including scheme,
host, port and path
--hostname-path <path> --hostname-path <path>
This should be set if proxy uses a different context-path for Keycloak. This should be set if proxy uses a different context-path for Keycloak.
--hostname-port <port> --hostname-port <port>
@ -95,7 +96,8 @@ HTTP/TLS:
The password of the key store file. Default: password. The password of the key store file. Default: password.
--https-key-store-type <type> --https-key-store-type <type>
The type of the key store file. If not given, the type is automatically The type of the key store file. If not given, the type is automatically
detected based on the file name. detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443. --https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols> --https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3. The list of protocols to explicitly enable. Default: TLSv1.3.


@ -115,7 +115,8 @@ HTTP/TLS:
The password of the key store file. Default: password. The password of the key store file. Default: password.
--https-key-store-type <type> --https-key-store-type <type>
The type of the key store file. If not given, the type is automatically The type of the key store file. If not given, the type is automatically
detected based on the file name. detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443. --https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols> --https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3. The list of protocols to explicitly enable. Default: TLSv1.3.


@ -28,6 +28,8 @@ Storage (Experimental):
Will default to a random number generated when starting the server which is Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted. is used or nodes are restarted.
--storage-file-dir <dir>
Experimental: Root directory for file map store.
--storage-hotrod-host <host> --storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server. Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password> --storage-hotrod-password <password>
@ -113,7 +115,8 @@ HTTP/TLS:
The password of the key store file. Default: password. The password of the key store file. Default: password.
--https-key-store-type <type> --https-key-store-type <type>
The type of the key store file. If not given, the type is automatically The type of the key store file. If not given, the type is automatically
detected based on the file name. detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'.
--https-port <port> The used HTTPS port. Default: 8443. --https-port <port> The used HTTPS port. Default: 8443.
--https-protocols <protocols> --https-protocols <protocols>
The list of protocols to explicitly enable. Default: TLSv1.3. The list of protocols to explicitly enable. Default: TLSv1.3.