parent
dc2c73bb30
commit
2059ffb219
23 changed files with 200 additions and 87 deletions
|
@ -2,6 +2,7 @@ package org.keycloak.crypto.fips;
|
|||
|
||||
import static org.bouncycastle.crypto.CryptoServicesRegistrar.isInApprovedOnlyMode;
|
||||
|
||||
import java.lang.reflect.Method;
|
||||
import java.security.Provider;
|
||||
|
||||
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
|
||||
|
@ -19,7 +20,11 @@ public class KeycloakFipsSecurityProvider extends Provider {
|
|||
private final BouncyCastleFipsProvider bcFipsProvider;
|
||||
|
||||
public KeycloakFipsSecurityProvider(BouncyCastleFipsProvider bcFipsProvider) {
|
||||
super("KC(" + bcFipsProvider.toString() + (isInApprovedOnlyMode() ? " Approved Mode" : "") + ")", 1, "Keycloak pseudo provider");
|
||||
super("KC(" +
|
||||
bcFipsProvider.toString() +
|
||||
(isInApprovedOnlyMode() ? " Approved Mode" : "") +
|
||||
(isSystemFipsEnabled() ? " FIPS-enabled JVM" : "") +
|
||||
")", 1, "Keycloak pseudo provider");
|
||||
this.bcFipsProvider = bcFipsProvider;
|
||||
}
|
||||
|
||||
|
@ -33,4 +38,23 @@ public class KeycloakFipsSecurityProvider extends Provider {
|
|||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
private static boolean isSystemFipsEnabled() {
|
||||
Method isSystemFipsEnabled = null;
|
||||
|
||||
try {
|
||||
Class<?> securityConfigurator = KeycloakFipsSecurityProvider.class.getClassLoader().loadClass("java.security.SystemConfigurator");
|
||||
isSystemFipsEnabled = securityConfigurator.getDeclaredMethod("isSystemFipsEnabled");
|
||||
isSystemFipsEnabled.setAccessible(true);
|
||||
return (boolean) isSystemFipsEnabled.invoke(null);
|
||||
} catch (Throwable ignore) {
|
||||
logger.warn("Could not detect if FIPS is enabled from the host");
|
||||
} finally {
|
||||
if (isSystemFipsEnabled != null) {
|
||||
isSystemFipsEnabled.setAccessible(false);
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
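Review bot: `catch (Throwable ignore)` in `isSystemFipsEnabled` (L104) swallows every failure of the reflective lookup — including `InaccessibleObjectException`, which on JDK 16+ is the likely result of `setAccessible(true)` on a member of `java.base` unless the runtime opens `java.security` to this module — and the warning is logged without the cause, so a deployment whose provider name is silently mis-labelled has nothing to diagnose with. Narrow the catch and attach the exception: `} catch (ReflectiveOperationException | RuntimeException e) {` followed by `logger.warn("Could not detect if FIPS is enabled from the host", e);`; catching `Throwable` also traps `Error`s that should propagate (`logger` is assumed to be declared above the hunk). Since `java.security.SystemConfigurator` is a vendor-specific, non-API class, a comment naming which JDK builds provide it and stating that `false` is returned on all others would help the next reader. Note also that the constructor's provider name (L43-L55) now varies with host state, so anything matching that name exactly will differ between hosts.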
@ -1,6 +1,7 @@
|
|||
package org.keycloak.config;
|
||||
|
||||
import java.io.File;
|
||||
import org.keycloak.common.crypto.FipsMode;
|
||||
|
||||
public class HttpOptions {
|
||||
|
||||
|
@ -79,10 +80,11 @@ public class HttpOptions {
|
|||
.defaultValue("password")
|
||||
.build();
|
||||
|
||||
public static final Option HTTPS_KEY_STORE_TYPE = new OptionBuilder<>("https-key-store-type", String.class)
|
||||
public static final Option<String> HTTPS_KEY_STORE_TYPE = new OptionBuilder<>("https-key-store-type", String.class)
|
||||
.category(OptionCategory.HTTP)
|
||||
.description("The type of the key store file. " +
|
||||
"If not given, the type is automatically detected based on the file name.")
|
||||
"If not given, the type is automatically detected based on the file name. " +
|
||||
"If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.strict.name() + "' and no value is set, it defaults to 'BCFKS'.")
|
||||
.build();
|
||||
|
||||
public static final Option HTTPS_TRUST_STORE_FILE = new OptionBuilder<>("https-trust-store-file", File.class)
|
||||
|
|
|
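Review bot: `HTTPS_TRUST_STORE_FILE` at L198 is still declared as raw `Option` while the commit parameterizes `HTTPS_KEY_STORE_TYPE` as `Option<String>` just above it; for consistency make it `public static final Option<File> HTTPS_TRUST_STORE_FILE = new OptionBuilder<>("https-trust-store-file", File.class)`. The new description text promises a BCFKS default in strict mode, but the default is applied in the property mapper's transformer rather than via `.defaultValue(...)`, so anything that presumably reads the option's declared default will still see none — a one-line comment on the option pointing to where the default is resolved would keep the two in step.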
@ -2,7 +2,10 @@ package org.keycloak.quarkus.runtime.configuration.mappers;
|
|||
|
||||
import io.smallrye.config.ConfigSourceInterceptorContext;
|
||||
import io.smallrye.config.ConfigValue;
|
||||
|
||||
import org.keycloak.common.crypto.FipsMode;
|
||||
import org.keycloak.config.HttpOptions;
|
||||
import org.keycloak.config.SecurityOptions;
|
||||
import org.keycloak.quarkus.runtime.Environment;
|
||||
import org.keycloak.quarkus.runtime.Messages;
|
||||
import org.keycloak.quarkus.runtime.configuration.MicroProfileConfigProvider;
|
||||
|
@ -11,6 +14,7 @@ import java.io.File;
|
|||
import java.nio.file.Paths;
|
||||
import java.util.Optional;
|
||||
|
||||
import static java.util.Optional.empty;
|
||||
import static java.util.Optional.of;
|
||||
import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.fromOption;
|
||||
import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers.getMapper;
|
||||
|
@ -79,6 +83,8 @@ final class HttpPropertyMappers {
|
|||
.build(),
|
||||
fromOption(HttpOptions.HTTPS_KEY_STORE_TYPE)
|
||||
.to("quarkus.http.ssl.certificate.key-store-file-type")
|
||||
.mapFrom(SecurityOptions.FIPS_MODE.getKey())
|
||||
.transformer(HttpPropertyMappers::resolveKeyStoreType)
|
||||
.paramLabel("type")
|
||||
.build(),
|
||||
fromOption(HttpOptions.HTTPS_TRUST_STORE_FILE)
|
||||
|
@ -135,5 +141,18 @@ final class HttpPropertyMappers {
|
|||
return null;
|
||||
}
|
||||
|
||||
private static Optional<String> resolveKeyStoreType(Optional<String> value,
|
||||
ConfigSourceInterceptorContext configSourceInterceptorContext) {
|
||||
if (value.isPresent()) {
|
||||
try {
|
||||
if (FipsMode.valueOf(value.get()).equals(FipsMode.strict)) {
|
||||
return of("BCFKS");
|
||||
}
|
||||
return empty();
|
||||
} catch (IllegalArgumentException ignore) {
|
||||
}
|
||||
}
|
||||
return value;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
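Review bot: In `resolveKeyStoreType` (L299-L335) an unparseable `fips-mode` value falls out of the swallowed `IllegalArgumentException` into `return value`, so the raw `fips-mode` string is handed to `quarkus.http.ssl.certificate.key-store-file-type` as though it were a key store type. Return `empty()` from the catch instead, `} catch (IllegalArgumentException ignore) { return empty(); }`, or let the invalid value surface as a validation error rather than silently becoming a store type. `FipsMode.valueOf` is also case-sensitive, so if the fips-mode option accepts other casings elsewhere this mapper would miss `strict` — worth confirming against the fips-mode mapper. Because the value arrives via `.mapFrom(SecurityOptions.FIPS_MODE.getKey())` (L272), a method comment saying the parameter is the fips-mode value, not a key store type, would prevent the obvious misreading.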
@ -233,7 +233,7 @@ public class CLITestExtension extends QuarkusMainTestExtension {
|
|||
}
|
||||
|
||||
private KeycloakDistribution createDistribution(DistributionTest config, LegacyStore legacyStoreConfig, WithDatabase databaseConfig) {
|
||||
return new KeycloakDistributionDecorator(legacyStoreConfig, databaseConfig, DistributionType.getCurrent().orElse(RAW).newInstance(config));
|
||||
return new KeycloakDistributionDecorator(legacyStoreConfig, databaseConfig, config, DistributionType.getCurrent().orElse(RAW).newInstance(config));
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -30,7 +30,6 @@ public @interface DistributionTest {
|
|||
|
||||
boolean debug() default false;
|
||||
boolean keepAlive() default false;
|
||||
boolean createAdminUser() default false;
|
||||
boolean enableTls() default false;
|
||||
|
||||
enum ReInstall {
|
||||
|
|
|
@ -42,8 +42,7 @@ public enum DistributionType {
|
|||
config.keepAlive(),
|
||||
config.enableTls(),
|
||||
!DistributionTest.ReInstall.NEVER.equals(config.reInstall()),
|
||||
config.removeBuildOptionsAfterBuild(),
|
||||
config.createAdminUser());
|
||||
config.removeBuildOptionsAfterBuild());
|
||||
}
|
||||
|
||||
private final Function<DistributionTest, KeycloakDistribution> factory;
|
||||
|
|
|
@ -18,6 +18,7 @@
|
|||
package org.keycloak.it.junit5.extension;
|
||||
|
||||
import java.nio.file.Path;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import org.keycloak.it.utils.KeycloakDistribution;
|
||||
|
||||
|
@ -25,17 +26,24 @@ public class KeycloakDistributionDecorator implements KeycloakDistribution {
|
|||
|
||||
private LegacyStore legacyStoreConfig;
|
||||
private WithDatabase databaseConfig;
|
||||
private DistributionTest config;
|
||||
private KeycloakDistribution delegate;
|
||||
|
||||
public KeycloakDistributionDecorator(LegacyStore legacyStoreConfig, WithDatabase databaseConfig, KeycloakDistribution delegate) {
|
||||
public KeycloakDistributionDecorator(LegacyStore legacyStoreConfig, WithDatabase databaseConfig, DistributionTest config,
|
||||
KeycloakDistribution delegate) {
|
||||
this.legacyStoreConfig = legacyStoreConfig;
|
||||
this.databaseConfig = databaseConfig;
|
||||
this.config = config;
|
||||
this.delegate = delegate;
|
||||
}
|
||||
|
||||
@Override
|
||||
public CLIResult run(List<String> arguments) {
|
||||
return delegate.run(new ServerOptions(legacyStoreConfig, databaseConfig, arguments));
|
||||
public CLIResult run(List<String> rawArgs) {
|
||||
List<String> args = new ArrayList<>(rawArgs);
|
||||
|
||||
args.addAll(List.of(config.defaultOptions()));
|
||||
|
||||
return delegate.run(new ServerOptions(legacyStoreConfig, databaseConfig, args));
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
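Review bot: `run` (L508-L524) appends `config.defaultOptions()` after the caller's arguments, so when a test passes an option that the defaults also set, which value wins depends on how the CLI resolves repeated options — if it is last-wins, tests cannot override a default. If that is intended, say so in a comment on the method; otherwise skip any default whose option key already appears in `rawArgs`. The constructor stores `config` without a null check and `run` dereferences it unconditionally, so `this.config = Objects.requireNonNull(config, "config");` would fail at construction rather than at the first `run`.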
@ -91,24 +91,22 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
|
|||
private boolean inited = false;
|
||||
private Map<String, String> envVars = new HashMap<>();
|
||||
|
||||
public RawKeycloakDistribution(boolean debug, boolean manualStop, boolean enableTls, boolean reCreate, boolean removeBuildOptionsAfterBuild,
|
||||
boolean createAdminUser) {
|
||||
public RawKeycloakDistribution(boolean debug, boolean manualStop, boolean enableTls, boolean reCreate, boolean removeBuildOptionsAfterBuild) {
|
||||
this.debug = debug;
|
||||
this.manualStop = manualStop;
|
||||
this.enableTls = enableTls;
|
||||
this.reCreate = reCreate;
|
||||
this.removeBuildOptionsAfterBuild = removeBuildOptionsAfterBuild;
|
||||
this.createAdminUser = createAdminUser;
|
||||
this.distPath = prepareDistribution();
|
||||
}
|
||||
|
||||
@Override
|
||||
public CLIResult run(List<String> arguments) {
|
||||
reset();
|
||||
stop();
|
||||
if (manualStop && isRunning()) {
|
||||
throw new IllegalStateException("Server already running. You should manually stop the server before starting it again.");
|
||||
}
|
||||
stop();
|
||||
reset();
|
||||
try {
|
||||
configureServer();
|
||||
startServer(arguments);
|
||||
|
@ -267,6 +265,10 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
|
|||
"Timeout [" + getStartTimeout() + "] while waiting for Quarkus server");
|
||||
}
|
||||
|
||||
if (!keycloak.isAlive()) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
// wait before checking for opening a new connection
|
||||
if ("https".equals(contextRoot.getProtocol())) {
|
||||
|
@ -435,11 +437,6 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
|
|||
ProcessBuilder pb = new ProcessBuilder(getCliArgs(arguments));
|
||||
ProcessBuilder builder = pb.directory(distPath.resolve("bin").toFile());
|
||||
|
||||
if (createAdminUser) {
|
||||
builder.environment().put("KEYCLOAK_ADMIN", "admin");
|
||||
builder.environment().put("KEYCLOAK_ADMIN_PASSWORD", "admin");
|
||||
}
|
||||
|
||||
if (debug) {
|
||||
builder.environment().put("DEBUG_SUSPEND", "y");
|
||||
}
|
||||
|
|
|
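Review bot: The new `if (!keycloak.isAlive()) { return; }` at L629-L635 makes the readiness wait return normally when the server process has already exited, so from this method's point of view a crashed start is indistinguishable from a started one; the tests in this commit that assert an ERROR line after `start` appear to rely on inspecting the captured output afterwards, so a comment such as `// process exited before becoming ready; callers inspect the captured output via CLIResult` would record that contract, and if any caller does not, throwing with `keycloak.exitValue()` in the message would be safer. The reordering in `run` (L584-L606) is what makes the `manualStop && isRunning()` check meaningful, since previously `stop()` ran before it; the enclosing method continues outside the hunk. Dropping the `createAdminUser` branch moves the bootstrap admin credentials into per-test `setEnvVar` calls — whether `reset()` clears `envVars` between runs is not visible here and is worth confirming so one test's credentials do not carry into the next.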
@ -17,9 +17,8 @@
|
|||
|
||||
package org.keycloak.it.cli.dist;
|
||||
|
||||
import java.util.function.Consumer;
|
||||
import java.nio.file.Path;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.keycloak.it.junit5.extension.BeforeStartDistribution;
|
||||
import org.keycloak.it.junit5.extension.CLIResult;
|
||||
import org.keycloak.it.junit5.extension.DistributionTest;
|
||||
import org.keycloak.it.junit5.extension.RawDistOnly;
|
||||
|
@ -29,46 +28,93 @@ import org.keycloak.it.utils.RawKeycloakDistribution;
|
|||
import io.quarkus.test.junit.main.Launch;
|
||||
import io.quarkus.test.junit.main.LaunchResult;
|
||||
|
||||
@DistributionTest(createAdminUser = true)
|
||||
@DistributionTest(keepAlive = true, defaultOptions = { "--http-enabled=true", "--hostname-strict=false", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
|
||||
@RawDistOnly(reason = "Containers are immutable")
|
||||
public class FipsDistTest {
|
||||
|
||||
@Test
|
||||
@Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=enabled", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
|
||||
@BeforeStartDistribution(FipsDistTest.InstallBcFipsDependencies.class)
|
||||
void testFipsNonApprovedMode(LaunchResult result) {
|
||||
CLIResult cliResult = (CLIResult) result;
|
||||
void testFipsNonApprovedMode(KeycloakDistribution dist) {
|
||||
runOnFipsEnabledDistribution(dist, () -> {
|
||||
CLIResult cliResult = dist.run("start", "--fips-mode=enabled");
|
||||
cliResult.assertStarted();
|
||||
cliResult.assertMessage("Java security providers: [ \n"
|
||||
+ " KC(BCFIPS version 1.000203) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
|
||||
});
|
||||
}
|
||||
|
||||
@Test
|
||||
@Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=strict", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
|
||||
@BeforeStartDistribution(FipsDistTest.InstallBcFipsDependencies.class)
|
||||
void testFipsApprovedMode(LaunchResult result) {
|
||||
CLIResult cliResult = (CLIResult) result;
|
||||
void testFipsApprovedMode(KeycloakDistribution dist) {
|
||||
runOnFipsEnabledDistribution(dist, () -> {
|
||||
dist.setEnvVar("KEYCLOAK_ADMIN", "admin");
|
||||
dist.setEnvVar("KEYCLOAK_ADMIN_PASSWORD", "admin");
|
||||
|
||||
CLIResult cliResult = dist.run("start", "--fips-mode=strict");
|
||||
cliResult.assertStarted();
|
||||
cliResult.assertMessage("org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits");
|
||||
cliResult.assertMessage(
|
||||
"org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits");
|
||||
cliResult.assertMessage("Java security providers: [ \n"
|
||||
+ " KC(BCFIPS version 1.000203 Approved Mode) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
|
||||
|
||||
dist.setEnvVar("KEYCLOAK_ADMIN_PASSWORD", "adminadminadmin");
|
||||
cliResult = dist.run("start", "--fips-mode=strict");
|
||||
cliResult.assertStarted();
|
||||
cliResult.assertMessage("Added user 'admin' to realm 'master'");
|
||||
});
|
||||
}
|
||||
|
||||
@Test
|
||||
@Launch({ "start", "--http-enabled=true", "--hostname-strict=false", "--fips-mode=enabled", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
|
||||
@Launch({ "start", "--fips-mode=enabled" })
|
||||
void failStartDueToMissingFipsDependencies(LaunchResult result) {
|
||||
CLIResult cliResult = (CLIResult) result;
|
||||
cliResult.assertError("Failed to configure FIPS. Make sure you have added the Bouncy Castle FIPS dependencies to the 'providers' directory.");
|
||||
}
|
||||
|
||||
public static class InstallBcFipsDependencies implements Consumer<KeycloakDistribution> {
|
||||
@Test
|
||||
void testUnsupportedHttpsJksKeyStoreInStrictMode(KeycloakDistribution dist) {
|
||||
runOnFipsEnabledDistribution(dist, () -> {
|
||||
dist.copyOrReplaceFileFromClasspath("/server.keystore", Path.of("conf", "server.keystore"));
|
||||
CLIResult cliResult = dist.run("start", "--fips-mode=strict");
|
||||
cliResult.assertMessage("ERROR: java.lang.IllegalArgumentException: malformed sequence");
|
||||
});
|
||||
}
|
||||
|
||||
@Override
|
||||
public void accept(KeycloakDistribution distribution) {
|
||||
RawKeycloakDistribution rawDist = distribution.unwrap(RawKeycloakDistribution.class);
|
||||
@Test
|
||||
void testHttpsBcfksKeyStoreInStrictMode(KeycloakDistribution dist) {
|
||||
runOnFipsEnabledDistribution(dist, () -> {
|
||||
dist.copyOrReplaceFileFromClasspath("/server.keystore.bcfks", Path.of("conf", "server.keystore"));
|
||||
CLIResult cliResult = dist.run("start", "--fips-mode=strict", "--https-key-store-password=passwordpassword");
|
||||
cliResult.assertStarted();
|
||||
});
|
||||
}
|
||||
|
||||
@Test
|
||||
void testUnsupportedHttpsPkcs12KeyStoreInStrictMode(KeycloakDistribution dist) {
|
||||
runOnFipsEnabledDistribution(dist, () -> {
|
||||
dist.copyOrReplaceFileFromClasspath("/server.keystore.pkcs12", Path.of("conf", "server.keystore"));
|
||||
CLIResult cliResult = dist.run("start", "--fips-mode=strict", "--https-key-store-password=passwordpassword");
|
||||
cliResult.assertMessage("ERROR: java.lang.IllegalArgumentException: malformed sequence");
|
||||
});
|
||||
}
|
||||
|
||||
@Test
|
||||
void testHttpsPkcs12KeyStoreInNonApprovedMode(KeycloakDistribution dist) {
|
||||
runOnFipsEnabledDistribution(dist, () -> {
|
||||
dist.copyOrReplaceFileFromClasspath("/server.keystore.pkcs12", Path.of("conf", "server.keystore"));
|
||||
CLIResult cliResult = dist.run("start", "--fips-mode=enabled", "--https-key-store-password=passwordpassword");
|
||||
cliResult.assertStarted();
|
||||
});
|
||||
}
|
||||
|
||||
private void runOnFipsEnabledDistribution(KeycloakDistribution dist, Runnable runnable) {
|
||||
installBcFips(dist);
|
||||
runnable.run();
|
||||
}
|
||||
|
||||
private void installBcFips(KeycloakDistribution dist) {
|
||||
RawKeycloakDistribution rawDist = dist.unwrap(RawKeycloakDistribution.class);
|
||||
rawDist.copyProvider("org.bouncycastle", "bc-fips");
|
||||
rawDist.copyProvider("org.bouncycastle", "bctls-fips");
|
||||
rawDist.copyProvider("org.bouncycastle", "bcpkix-fips");
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
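Review bot: `testFipsNonApprovedMode` and `testFipsApprovedMode` (L771-L774, L829-L832) assert the exact provider name `KC(BCFIPS version 1.000203 ...)`, and this same commit makes that name depend on host state via `isSystemFipsEnabled()` (appending ` FIPS-enabled JVM`), so the assertions will fail on a FIPS-enabled host and on any BC-FIPS version bump; if `assertMessage` matches substrings, asserting on the stable parts, e.g. `cliResult.assertMessage("KC(BCFIPS version")` together with the class name suffix, keeps the tests meaningful. `testUnsupportedHttpsJksKeyStoreInStrictMode` and the PKCS12 variant pin the failure to `java.lang.IllegalArgumentException: malformed sequence`, which is an incidental parser error rather than a statement that the store type is unsupported, so a comment noting that this is the BC-FIPS error for a non-BCFKS store in approved mode would explain why that string is expected and flag that a clearer product message would change it. `runOnFipsEnabledDistribution` reinstalls the three BC-FIPS providers on every call (L999, L1010-L1025); a Javadoc line saying the copy is idempotent, or checking before copying, would document the cost.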
@ -131,7 +131,8 @@ HTTP/TLS:
|
|||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||
value is set, it defaults to 'BCFKS'.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||
|
|
|
@ -131,7 +131,8 @@ HTTP/TLS:
|
|||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||
value is set, it defaults to 'BCFKS'.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||
|
|
|
@ -191,7 +191,8 @@ HTTP/TLS:
|
|||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||
value is set, it defaults to 'BCFKS'.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||
|
|
|
@ -31,52 +31,54 @@ Cache:
|
|||
Storage (Experimental):
|
||||
|
||||
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
|
||||
values are: jpa, chm, hotrod.
|
||||
values are: jpa, chm, hotrod, file.
|
||||
--storage-area-auth-session <type>
|
||||
Experimental: Sets a storage mechanism for authentication sessions. Possible
|
||||
values are: jpa, chm, hotrod.
|
||||
values are: jpa, chm, hotrod, file.
|
||||
--storage-area-authorization <type>
|
||||
Experimental: Sets a storage mechanism for authorizations. Possible values
|
||||
are: jpa, chm, hotrod.
|
||||
are: jpa, chm, hotrod, file.
|
||||
--storage-area-client <type>
|
||||
Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
|
||||
chm, hotrod.
|
||||
chm, hotrod, file.
|
||||
--storage-area-client-scope <type>
|
||||
Experimental: Sets a storage mechanism for client scopes. Possible values are:
|
||||
jpa, chm, hotrod.
|
||||
jpa, chm, hotrod, file.
|
||||
--storage-area-event-admin <type>
|
||||
Experimental: Sets a storage mechanism for admin events. Possible values are:
|
||||
jpa, chm, hotrod.
|
||||
jpa, chm, hotrod, file.
|
||||
--storage-area-event-auth <type>
|
||||
Experimental: Sets a storage mechanism for authentication and authorization
|
||||
events. Possible values are: jpa, chm, hotrod.
|
||||
events. Possible values are: jpa, chm, hotrod, file.
|
||||
--storage-area-group <type>
|
||||
Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
|
||||
chm, hotrod.
|
||||
chm, hotrod, file.
|
||||
--storage-area-login-failure <type>
|
||||
Experimental: Sets a storage mechanism for login failures. Possible values
|
||||
are: jpa, chm, hotrod.
|
||||
are: jpa, chm, hotrod, file.
|
||||
--storage-area-realm <type>
|
||||
Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
|
||||
chm, hotrod.
|
||||
chm, hotrod, file.
|
||||
--storage-area-role <type>
|
||||
Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
|
||||
chm, hotrod.
|
||||
chm, hotrod, file.
|
||||
--storage-area-single-use-object <type>
|
||||
Experimental: Sets a storage mechanism for single use objects. Possible values
|
||||
are: jpa, chm, hotrod.
|
||||
--storage-area-user <type>
|
||||
Experimental: Sets a storage mechanism for users. Possible values are: jpa,
|
||||
chm, hotrod.
|
||||
chm, hotrod, file.
|
||||
--storage-area-user-session <type>
|
||||
Experimental: Sets a storage mechanism for user and client sessions. Possible
|
||||
values are: jpa, chm, hotrod.
|
||||
values are: jpa, chm, hotrod, file.
|
||||
--storage-deployment-state-version-seed <type>
|
||||
Experimental: Secret that serves as a seed to mask the version number of
|
||||
Keycloak in URLs. Need to be identical across all servers in the cluster.
|
||||
Will default to a random number generated when starting the server which is
|
||||
secure but will lead to problems when a loadbalancer without sticky sessions
|
||||
is used or nodes are restarted.
|
||||
--storage-file-dir <dir>
|
||||
Experimental: Root directory for file map store.
|
||||
--storage-hotrod-host <host>
|
||||
Experimental: Sets the host of the Infinispan server.
|
||||
--storage-hotrod-password <password>
|
||||
|
@ -189,7 +191,8 @@ HTTP/TLS:
|
|||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||
value is set, it defaults to 'BCFKS'.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||
|
|
|
@ -137,7 +137,8 @@ HTTP/TLS:
|
|||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||
value is set, it defaults to 'BCFKS'.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||
|
|
|
@ -137,7 +137,8 @@ HTTP/TLS:
|
|||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||
value is set, it defaults to 'BCFKS'.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||
|
|
|
@ -197,7 +197,8 @@ HTTP/TLS:
|
|||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||
value is set, it defaults to 'BCFKS'.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||
|
|
|
@ -37,52 +37,54 @@ Cache:
|
|||
Storage (Experimental):
|
||||
|
||||
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
|
||||
values are: jpa, chm, hotrod.
|
||||
values are: jpa, chm, hotrod, file.
|
||||
--storage-area-auth-session <type>
|
||||
Experimental: Sets a storage mechanism for authentication sessions. Possible
|
||||
values are: jpa, chm, hotrod.
|
||||
values are: jpa, chm, hotrod, file.
|
||||
--storage-area-authorization <type>
|
||||
Experimental: Sets a storage mechanism for authorizations. Possible values
|
||||
are: jpa, chm, hotrod.
|
||||
are: jpa, chm, hotrod, file.
|
||||
--storage-area-client <type>
|
||||
Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
|
||||
chm, hotrod.
|
||||
chm, hotrod, file.
|
||||
--storage-area-client-scope <type>
|
||||
Experimental: Sets a storage mechanism for client scopes. Possible values are:
|
||||
jpa, chm, hotrod.
|
||||
jpa, chm, hotrod, file.
|
||||
--storage-area-event-admin <type>
|
||||
Experimental: Sets a storage mechanism for admin events. Possible values are:
|
||||
jpa, chm, hotrod.
|
||||
jpa, chm, hotrod, file.
|
||||
--storage-area-event-auth <type>
|
||||
Experimental: Sets a storage mechanism for authentication and authorization
|
||||
events. Possible values are: jpa, chm, hotrod.
|
||||
events. Possible values are: jpa, chm, hotrod, file.
|
||||
--storage-area-group <type>
|
||||
Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
|
||||
chm, hotrod.
|
||||
chm, hotrod, file.
|
||||
--storage-area-login-failure <type>
|
||||
Experimental: Sets a storage mechanism for login failures. Possible values
|
||||
are: jpa, chm, hotrod.
|
||||
are: jpa, chm, hotrod, file.
|
||||
--storage-area-realm <type>
|
||||
Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
|
||||
chm, hotrod.
|
||||
chm, hotrod, file.
|
||||
--storage-area-role <type>
|
||||
Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
|
||||
chm, hotrod.
|
||||
chm, hotrod, file.
|
||||
--storage-area-single-use-object <type>
|
||||
Experimental: Sets a storage mechanism for single use objects. Possible values
|
||||
are: jpa, chm, hotrod.
|
||||
--storage-area-user <type>
|
||||
Experimental: Sets a storage mechanism for users. Possible values are: jpa,
|
||||
chm, hotrod.
|
||||
chm, hotrod, file.
|
||||
--storage-area-user-session <type>
|
||||
Experimental: Sets a storage mechanism for user and client sessions. Possible
|
||||
values are: jpa, chm, hotrod.
|
||||
values are: jpa, chm, hotrod, file.
|
||||
--storage-deployment-state-version-seed <type>
|
||||
Experimental: Secret that serves as a seed to mask the version number of
|
||||
Keycloak in URLs. Need to be identical across all servers in the cluster.
|
||||
Will default to a random number generated when starting the server which is
|
||||
secure but will lead to problems when a loadbalancer without sticky sessions
|
||||
is used or nodes are restarted.
|
||||
--storage-file-dir <dir>
|
||||
Experimental: Root directory for file map store.
|
||||
--storage-hotrod-host <host>
|
||||
Experimental: Sets the host of the Infinispan server.
|
||||
--storage-hotrod-password <password>
|
||||
|
@ -195,7 +197,8 @@ HTTP/TLS:
|
|||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||
value is set, it defaults to 'BCFKS'.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||
|
|
|
@ -96,7 +96,8 @@ HTTP/TLS:
|
|||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||
value is set, it defaults to 'BCFKS'.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||
|
|
|
@ -57,7 +57,8 @@ Hostname:
|
|||
are exposing the administration console using a hostname other than the
|
||||
value set to the 'hostname' option.
|
||||
--hostname-admin-url <url>
|
||||
Set the base URL for accessing the administration console.
|
||||
Set the base URL for accessing the administration console, including scheme,
|
||||
host, port and path
|
||||
--hostname-path <path>
|
||||
This should be set if proxy uses a different context-path for Keycloak.
|
||||
--hostname-port <port>
|
||||
|
@ -95,7 +96,8 @@ HTTP/TLS:
|
|||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||
value is set, it defaults to 'BCFKS'.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||
|
|
|
@ -115,7 +115,8 @@ HTTP/TLS:
|
|||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||
value is set, it defaults to 'BCFKS'.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||
|
|
|
@ -28,6 +28,8 @@ Storage (Experimental):
|
|||
Will default to a random number generated when starting the server which is
|
||||
secure but will lead to problems when a loadbalancer without sticky sessions
|
||||
is used or nodes are restarted.
|
||||
--storage-file-dir <dir>
|
||||
Experimental: Root directory for file map store.
|
||||
--storage-hotrod-host <host>
|
||||
Experimental: Sets the host of the Infinispan server.
|
||||
--storage-hotrod-password <password>
|
||||
|
@ -113,7 +115,8 @@ HTTP/TLS:
|
|||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
detected based on the file name. If 'fips-mode' is set to 'strict' and no
|
||||
value is set, it defaults to 'BCFKS'.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable. Default: TLSv1.3.
|
||||
|
|
Binary file not shown.
Binary file not shown.