OpenJDK 21 support (#28518)
* OpenJDK 21 support Closes #28517 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Signed-off-by: Martin Bartoš <mabartos@redhat.com> * x509 SAN UPN other name is not handled in JDK 21 (#904) closes #29968 Signed-off-by: mposolda <mposolda@gmail.com> --------- Signed-off-by: Martin Bartoš <mabartos@redhat.com> Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Marek Posolda <mposolda@gmail.com>
parent
8fefad5054
commit
262fc09edc
32 changed files with 140 additions and 173 deletions
|
@ -9,7 +9,7 @@ inputs:
|
||||||
jdk-version:
|
jdk-version:
|
||||||
description: JDK version
|
description: JDK version
|
||||||
required: false
|
required: false
|
||||||
default: "17"
|
default: "21"
|
||||||
|
|
||||||
runs:
|
runs:
|
||||||
using: composite
|
using: composite
|
||||||
|
|
2
.github/actions/java-setup/action.yml
vendored
2
.github/actions/java-setup/action.yml
vendored
|
@ -9,7 +9,7 @@ inputs:
|
||||||
java-version:
|
java-version:
|
||||||
description: The Java version that is going to be set up.
|
description: The Java version that is going to be set up.
|
||||||
required: false
|
required: false
|
||||||
default: "17"
|
default: "21"
|
||||||
|
|
||||||
runs:
|
runs:
|
||||||
using: composite
|
using: composite
|
||||||
|
|
|
@ -15,7 +15,7 @@ See `defaults/main.yml` for default values.
|
||||||
### Other
|
### Other
|
||||||
- `update_system_packages`: Whether to update the system packages. Defaults to `no`.
|
- `update_system_packages`: Whether to update the system packages. Defaults to `no`.
|
||||||
- `install_java`: Whether to install OpenJDK on the system. Defaults to `yes`.
|
- `install_java`: Whether to install OpenJDK on the system. Defaults to `yes`.
|
||||||
- `java_version`: Version of OpenJDK to be installed. Defaults to `17`.
|
- `java_version`: Version of OpenJDK to be installed. Defaults to `21`.
|
||||||
|
|
||||||
|
|
||||||
## Example Playbook
|
## Example Playbook
|
||||||
|
|
|
@ -4,4 +4,4 @@ ansible_ssh_user: ec2-user
|
||||||
kc_home: /opt/keycloak
|
kc_home: /opt/keycloak
|
||||||
update_system_packages: no
|
update_system_packages: no
|
||||||
install_java: yes
|
install_java: yes
|
||||||
java_version: 17
|
java_version: 21
|
||||||
|
|
4
.github/scripts/run-fips-it.sh
vendored
4
.github/scripts/run-fips-it.sh
vendored
|
@ -1,6 +1,6 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
dnf install -y java-17-openjdk-devel
|
dnf install -y java-21-openjdk-devel
|
||||||
fips-mode-setup --enable --no-bootcfg
|
fips-mode-setup --enable --no-bootcfg
|
||||||
fips-mode-setup --is-enabled
|
fips-mode-setup --is-enabled
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
|
@ -13,7 +13,7 @@ fi
|
||||||
echo "STRICT_OPTIONS: $STRICT_OPTIONS"
|
echo "STRICT_OPTIONS: $STRICT_OPTIONS"
|
||||||
TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh fips`
|
TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh fips`
|
||||||
echo "Tests: $TESTS"
|
echo "Tests: $TESTS"
|
||||||
export JAVA_HOME=/etc/alternatives/java_sdk_17
|
export JAVA_HOME=/etc/alternatives/java_sdk_21
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
|
|
||||||
# Profile app-server-wildfly needs to be explicitly set for FIPS tests
|
# Profile app-server-wildfly needs to be explicitly set for FIPS tests
|
||||||
|
|
6
.github/scripts/run-fips-ut.sh
vendored
6
.github/scripts/run-fips-ut.sh
vendored
|
@ -1,13 +1,13 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
dnf install -y java-17-openjdk-devel crypto-policies-scripts
|
dnf install -y java-21-openjdk-devel crypto-policies-scripts
|
||||||
fips-mode-setup --enable --no-bootcfg
|
fips-mode-setup --enable --no-bootcfg
|
||||||
fips-mode-setup --is-enabled
|
fips-mode-setup --is-enabled
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
echo "fips.provider.7=XMLDSig" >>/etc/alternatives/java_sdk_17/conf/security/java.security
|
echo "fips.provider.7=XMLDSig" >>/etc/alternatives/java_sdk_21/conf/security/java.security
|
||||||
export JAVA_HOME=/etc/alternatives/java_sdk_17
|
export JAVA_HOME=/etc/alternatives/java_sdk_21
|
||||||
|
|
||||||
# Build all dependent modules
|
# Build all dependent modules
|
||||||
./mvnw install -nsu -B -am -pl crypto/default,crypto/fips1402 -DskipTests
|
./mvnw install -nsu -B -am -pl crypto/default,crypto/fips1402 -DskipTests
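Review bot: The appended `fips.provider.7=XMLDSig` line keeps the slot number that was used for the JDK 17 `java.security`, and nothing visible in the script checks that slot 7 is the next free index in the JDK 21 file. If that file already defines `fips.provider.7`, the appended line replaces that provider without any message, and if its list is shorter the gap may keep XMLDSig from being loaded; in both cases the FIPS unit tests would run against a provider set other than the intended one. Printing the effective list before the build, e.g. `grep '^fips.provider' "$JAVA_HOME/conf/security/java.security"`, and adding a comment such as `# slot 7 assumed to be the first free fips.provider index in java-21-openjdk; re-check on JDK updates` would make the assumption visible in the CI log. Exporting `JAVA_HOME` first and appending to `"$JAVA_HOME/conf/security/java.security"` would also keep the two path literals from drifting apart.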
|
||||||
|
|
6
.github/scripts/run-ipa-tests.sh
vendored
6
.github/scripts/run-ipa-tests.sh
vendored
|
@ -39,9 +39,9 @@ EOF
|
||||||
kdestroy
|
kdestroy
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Installing jdk-17 in the container"
|
echo "Installing jdk-21 in the container"
|
||||||
dnf install -y java-17-openjdk-devel
|
dnf install -y java-21-openjdk-devel
|
||||||
export JAVA_HOME=/etc/alternatives/java_sdk_17
|
export JAVA_HOME=/etc/alternatives/java_sdk_21
|
||||||
|
|
||||||
echo "Building quarkus keyclok server with SSSD integration"
|
echo "Building quarkus keyclok server with SSSD integration"
|
||||||
./mvnw install -nsu -B -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus
|
./mvnw install -nsu -B -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus
|
||||||
|
|
4
.github/workflows/ci.yml
vendored
4
.github/workflows/ci.yml
vendored
|
@ -272,7 +272,7 @@ jobs:
|
||||||
matrix:
|
matrix:
|
||||||
os: [ubuntu-latest, windows-latest]
|
os: [ubuntu-latest, windows-latest]
|
||||||
dist: [temurin]
|
dist: [temurin]
|
||||||
version: [19]
|
version: [17]
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
steps:
|
steps:
|
||||||
|
@ -605,7 +605,7 @@ jobs:
|
||||||
name: Integration test setup
|
name: Integration test setup
|
||||||
uses: ./.github/actions/integration-test-setup
|
uses: ./.github/actions/integration-test-setup
|
||||||
with:
|
with:
|
||||||
jdk-version: 17
|
jdk-version: 21
|
||||||
|
|
||||||
- name: Build adapter distributions
|
- name: Build adapter distributions
|
||||||
run: ./mvnw install -DskipTests -f distribution/pom.xml
|
run: ./mvnw install -DskipTests -f distribution/pom.xml
|
||||||
|
|
6
.github/workflows/js-ci.yml
vendored
6
.github/workflows/js-ci.yml
vendored
|
@ -47,7 +47,7 @@ jobs:
|
||||||
uses: actions/setup-java@v4
|
uses: actions/setup-java@v4
|
||||||
with:
|
with:
|
||||||
distribution: temurin
|
distribution: temurin
|
||||||
java-version: 17
|
java-version: 21
|
||||||
check-latest: true
|
check-latest: true
|
||||||
cache: maven
|
cache: maven
|
||||||
|
|
||||||
|
@ -167,7 +167,7 @@ jobs:
|
||||||
uses: actions/setup-java@v4
|
uses: actions/setup-java@v4
|
||||||
with:
|
with:
|
||||||
distribution: temurin
|
distribution: temurin
|
||||||
java-version: 17
|
java-version: 21
|
||||||
|
|
||||||
- name: Start Keycloak server
|
- name: Start Keycloak server
|
||||||
run: |
|
run: |
|
||||||
|
@ -263,7 +263,7 @@ jobs:
|
||||||
uses: actions/setup-java@v4
|
uses: actions/setup-java@v4
|
||||||
with:
|
with:
|
||||||
distribution: temurin
|
distribution: temurin
|
||||||
java-version: 17
|
java-version: 21
|
||||||
|
|
||||||
- name: Start Keycloak server
|
- name: Start Keycloak server
|
||||||
run: |
|
run: |
|
||||||
|
|
|
@ -94,7 +94,7 @@
|
||||||
<configuration>
|
<configuration>
|
||||||
<target>
|
<target>
|
||||||
<property name="plugin_classpath" refid="maven.plugin.classpath" />
|
<property name="plugin_classpath" refid="maven.plugin.classpath" />
|
||||||
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer">
|
<java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
|
||||||
<arg value="-o" />
|
<arg value="-o" />
|
||||||
<arg value="${jakarta-transformer-sources}" />
|
<arg value="${jakarta-transformer-sources}" />
|
||||||
<arg value="${jakarta-transformer-target}" />
|
<arg value="${jakarta-transformer-target}" />
|
||||||
|
@ -110,18 +110,12 @@
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.eclipse.transformer</groupId>
|
<groupId>org.eclipse.transformer</groupId>
|
||||||
<artifactId>org.eclipse.transformer.cli</artifactId>
|
<artifactId>org.eclipse.transformer.cli</artifactId>
|
||||||
<version>0.2.0</version>
|
<version>0.5.0</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>ant-contrib</groupId>
|
<groupId>org.apache.ant</groupId>
|
||||||
<artifactId>ant-contrib</artifactId>
|
<artifactId>ant</artifactId>
|
||||||
<version>1.0b3</version>
|
<version>1.10.14</version>
|
||||||
<exclusions>
|
|
||||||
<exclusion>
|
|
||||||
<groupId>ant</groupId>
|
|
||||||
<artifactId>ant</artifactId>
|
|
||||||
</exclusion>
|
|
||||||
</exclusions>
|
|
||||||
</dependency>
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</plugin>
|
</plugin>
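Review bot: The plugin dependency versions `0.5.0` (org.eclipse.transformer.cli) and `1.10.14` (org.apache.ant:ant) are written as literals here and repeated in the other module poms of this commit that run the same `transform` execution, so a later security update of Ant or the transformer has to be applied to every copy. Declaring them once as properties in a shared parent pom, the way `byte-buddy.version` is added elsewhere in this commit, and referencing them as `<version>${apache.ant.version}</version>` and `<version>${eclipse.transformer.version}</version>` (example property names) keeps the build-time classpath the same across modules. The `maven-antrun-plugin` version `3.1.0` is repeated in the same way and could move to `pluginManagement`.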
|
||||||
|
|
|
@ -104,7 +104,7 @@
|
||||||
<plugins>
|
<plugins>
|
||||||
<plugin>
|
<plugin>
|
||||||
<artifactId>maven-antrun-plugin</artifactId>
|
<artifactId>maven-antrun-plugin</artifactId>
|
||||||
<version>3.0.0</version>
|
<version>3.1.0</version>
|
||||||
<executions>
|
<executions>
|
||||||
<execution>
|
<execution>
|
||||||
<id>transform</id>
|
<id>transform</id>
|
||||||
|
@ -115,7 +115,7 @@
|
||||||
<configuration>
|
<configuration>
|
||||||
<target>
|
<target>
|
||||||
<property name="plugin_classpath" refid="maven.plugin.classpath" />
|
<property name="plugin_classpath" refid="maven.plugin.classpath" />
|
||||||
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer">
|
<java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
|
||||||
<arg value="-o" />
|
<arg value="-o" />
|
||||||
<arg value="${jakarta-transformer-sources}" />
|
<arg value="${jakarta-transformer-sources}" />
|
||||||
<arg value="${jakarta-transformer-target}" />
|
<arg value="${jakarta-transformer-target}" />
|
||||||
|
@ -131,18 +131,12 @@
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.eclipse.transformer</groupId>
|
<groupId>org.eclipse.transformer</groupId>
|
||||||
<artifactId>org.eclipse.transformer.cli</artifactId>
|
<artifactId>org.eclipse.transformer.cli</artifactId>
|
||||||
<version>0.2.0</version>
|
<version>0.5.0</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>ant-contrib</groupId>
|
<groupId>org.apache.ant</groupId>
|
||||||
<artifactId>ant-contrib</artifactId>
|
<artifactId>ant</artifactId>
|
||||||
<version>1.0b3</version>
|
<version>1.10.14</version>
|
||||||
<exclusions>
|
|
||||||
<exclusion>
|
|
||||||
<groupId>ant</groupId>
|
|
||||||
<artifactId>ant</artifactId>
|
|
||||||
</exclusion>
|
|
||||||
</exclusions>
|
|
||||||
</dependency>
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</plugin>
|
</plugin>
|
||||||
|
|
|
@ -44,7 +44,7 @@
|
||||||
<plugins>
|
<plugins>
|
||||||
<plugin>
|
<plugin>
|
||||||
<artifactId>maven-antrun-plugin</artifactId>
|
<artifactId>maven-antrun-plugin</artifactId>
|
||||||
<version>3.0.0</version>
|
<version>3.1.0</version>
|
||||||
<executions>
|
<executions>
|
||||||
<execution>
|
<execution>
|
||||||
<id>transform</id>
|
<id>transform</id>
|
||||||
|
@ -55,7 +55,7 @@
|
||||||
<configuration>
|
<configuration>
|
||||||
<target>
|
<target>
|
||||||
<property name="plugin_classpath" refid="maven.plugin.classpath" />
|
<property name="plugin_classpath" refid="maven.plugin.classpath" />
|
||||||
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer">
|
<java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
|
||||||
<arg value="-o" />
|
<arg value="-o" />
|
||||||
<arg value="${jakarta-transformer-sources}" />
|
<arg value="${jakarta-transformer-sources}" />
|
||||||
<arg value="${jakarta-transformer-target}" />
|
<arg value="${jakarta-transformer-target}" />
|
||||||
|
@ -71,18 +71,12 @@
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.eclipse.transformer</groupId>
|
<groupId>org.eclipse.transformer</groupId>
|
||||||
<artifactId>org.eclipse.transformer.cli</artifactId>
|
<artifactId>org.eclipse.transformer.cli</artifactId>
|
||||||
<version>0.2.0</version>
|
<version>0.5.0</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>ant-contrib</groupId>
|
<groupId>org.apache.ant</groupId>
|
||||||
<artifactId>ant-contrib</artifactId>
|
<artifactId>ant</artifactId>
|
||||||
<version>1.0b3</version>
|
<version>1.10.14</version>
|
||||||
<exclusions>
|
|
||||||
<exclusion>
|
|
||||||
<groupId>ant</groupId>
|
|
||||||
<artifactId>ant</artifactId>
|
|
||||||
</exclusion>
|
|
||||||
</exclusions>
|
|
||||||
</dependency>
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</plugin>
|
</plugin>
|
||||||
|
|
|
@ -149,34 +149,41 @@ public class BCUserIdentityExtractorProvider extends UserIdentityExtractorProvi
|
||||||
return obj;
|
return obj;
|
||||||
}
|
}
|
||||||
|
|
||||||
byte[] otherNameBytes = (byte[]) obj;
|
// From Java 21, the 3rd entry can be present with the type-id as String and 4th entry with the value (either in String or byte format).
|
||||||
|
// See javadoc of X509Certificate.getSubjectAlternativeNames in Java 21. For the sake of simplicity, we just ignore those additional String entries and
|
||||||
|
// always parse it from byte (2nd entry) as we still need to support Java 17 and it is not reliable anyway that entries are present in Java 21.
|
||||||
|
if (obj instanceof byte[]) {
|
||||||
|
byte[] otherNameBytes = (byte[]) obj;
|
||||||
|
|
||||||
try {
|
try {
|
||||||
ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(otherNameBytes));
|
ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(otherNameBytes));
|
||||||
ASN1Encodable asn1otherName = asn1Stream.readObject();
|
ASN1Encodable asn1otherName = asn1Stream.readObject();
|
||||||
asn1otherName = unwrap(asn1otherName);
|
asn1otherName = unwrap(asn1otherName);
|
||||||
|
|
||||||
ASN1Sequence asn1Sequence = ASN1Sequence.getInstance(asn1otherName);
|
ASN1Sequence asn1Sequence = ASN1Sequence.getInstance(asn1otherName);
|
||||||
|
|
||||||
if (asn1Sequence != null) {
|
if (asn1Sequence != null) {
|
||||||
ASN1Encodable encodedOid = asn1Sequence.getObjectAt(0);
|
ASN1Encodable encodedOid = asn1Sequence.getObjectAt(0);
|
||||||
ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(unwrap(encodedOid));
|
ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(unwrap(encodedOid));
|
||||||
tempOid = oid.getId();
|
tempOid = oid.getId();
|
||||||
|
|
||||||
ASN1Encodable principalNameEncoded = asn1Sequence.getObjectAt(1);
|
ASN1Encodable principalNameEncoded = asn1Sequence.getObjectAt(1);
|
||||||
ASN1UTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded));
|
ASN1UTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded));
|
||||||
|
|
||||||
tempOtherName = principalName.getString();
|
tempOtherName = principalName.getString();
|
||||||
|
|
||||||
// We found UPN among the 'otherName' principal. We don't need to look other
|
// We found UPN among the 'otherName' principal. We don't need to look other
|
||||||
if (UPN_OID.equals(tempOid)) {
|
if (UPN_OID.equals(tempOid)) {
|
||||||
foundUpn = true;
|
foundUpn = true;
|
||||||
break;
|
break;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
logger.error("Failed to parse subjectAltName", e);
|
logger.error("Failed to parse subjectAltName", e);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
logger.tracef("Ignoring the Subject alternative name entry. Entry number: %d, value: %s", i + 1, obj);
|
||||||
}
|
}
|
||||||
}
|
}
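Review bot: The new guard `if (obj instanceof byte[])` accepts a byte array at any position, although the comment above it says only the 2nd entry is parsed; by that same comment, Java 21 may also deliver the 4th entry as bytes, and that entry is the bare value rather than the OtherName structure. Such an entry would go through the same ASN.1 parsing, where it either ends in `catch (Exception e)` and produces an error-level log for a well-formed certificate, or is decoded as if it were an OtherName, so the UPN match should not depend on it. Tying the parse to the position, e.g. `if (i == 1 && obj instanceof byte[]) {` (assuming `i` is the zero-based entry index, as the `i + 1` in the trace message suggests), would match the documented intent. The `tracef` in the `else` branch writes the raw SAN value to the log; logging the entry number and `obj.getClass()` instead would keep certificate identity data out of it. The loop header and the later use of `foundUpn` are outside the hunk, and the same change is made in BCFIPSUserIdentityExtractorProvider.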
|
||||||
|
|
||||||
|
|
|
@ -147,34 +147,41 @@ public class BCFIPSUserIdentityExtractorProvider extends UserIdentityExtractorP
|
||||||
return obj;
|
return obj;
|
||||||
}
|
}
|
||||||
|
|
||||||
byte[] otherNameBytes = (byte[]) obj;
|
// From Java 21, the 3rd entry can be present with the type-id as String and 4th entry with the value (either in String or byte format).
|
||||||
|
// See javadoc of X509Certificate.getSubjectAlternativeNames in Java 21. For the sake of simplicity, we just ignore those additional String entries and
|
||||||
|
// always parse it from byte (2nd entry) as we still need to support Java 17 and it is not reliable anyway that entries are present in Java 21.
|
||||||
|
if (obj instanceof byte[]) {
|
||||||
|
byte[] otherNameBytes = (byte[]) obj;
|
||||||
|
|
||||||
try {
|
try {
|
||||||
ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(otherNameBytes));
|
ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(otherNameBytes));
|
||||||
ASN1Encodable asn1otherName = asn1Stream.readObject();
|
ASN1Encodable asn1otherName = asn1Stream.readObject();
|
||||||
asn1otherName = unwrap(asn1otherName);
|
asn1otherName = unwrap(asn1otherName);
|
||||||
|
|
||||||
ASN1Sequence asn1Sequence = ASN1Sequence.getInstance(asn1otherName);
|
ASN1Sequence asn1Sequence = ASN1Sequence.getInstance(asn1otherName);
|
||||||
|
|
||||||
if (asn1Sequence != null) {
|
if (asn1Sequence != null) {
|
||||||
ASN1Encodable encodedOid = asn1Sequence.getObjectAt(0);
|
ASN1Encodable encodedOid = asn1Sequence.getObjectAt(0);
|
||||||
ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(unwrap(encodedOid));
|
ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(unwrap(encodedOid));
|
||||||
tempOid = oid.getId();
|
tempOid = oid.getId();
|
||||||
|
|
||||||
ASN1Encodable principalNameEncoded = asn1Sequence.getObjectAt(1);
|
ASN1Encodable principalNameEncoded = asn1Sequence.getObjectAt(1);
|
||||||
DERUTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded));
|
DERUTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded));
|
||||||
|
|
||||||
tempOtherName = principalName.getString();
|
tempOtherName = principalName.getString();
|
||||||
|
|
||||||
// We found UPN among the 'otherName' principal. We don't need to look other
|
// We found UPN among the 'otherName' principal. We don't need to look other
|
||||||
if (UPN_OID.equals(tempOid)) {
|
if (UPN_OID.equals(tempOid)) {
|
||||||
foundUpn = true;
|
foundUpn = true;
|
||||||
break;
|
break;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
logger.error("Failed to parse subjectAltName", e);
|
logger.error("Failed to parse subjectAltName", e);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
logger.tracef("Ignoring the Subject alternative name entry. Entry number: %d, value: %s", i + 1, obj);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
## Building from source
|
## Building from source
|
||||||
|
|
||||||
Ensure you have JDK 17 (or newer) and Git installed
|
Ensure you have JDK 21 (or newer) and Git installed
|
||||||
|
|
||||||
java -version
|
java -version
|
||||||
git --version
|
git --version
|
||||||
|
|
|
@ -2,6 +2,14 @@
|
||||||
|
|
||||||
The Account Console v2 theme has been removed from {project_name}. This theme was deprecated in {project_name} 24 and replaced by the Account Console v3 theme. If you are still using this theme, you should migrate to the Account Console v3 theme.
|
The Account Console v2 theme has been removed from {project_name}. This theme was deprecated in {project_name} 24 and replaced by the Account Console v3 theme. If you are still using this theme, you should migrate to the Account Console v3 theme.
|
||||||
|
|
||||||
|
= Java 21 support
|
||||||
|
|
||||||
|
{project_name} now supports OpenJDK 21, as we want to stick to the latest LTS OpenJDK versions.
|
||||||
|
|
||||||
|
= Java 17 support is deprecated
|
||||||
|
|
||||||
|
OpenJDK 17 support is deprecated in {project_name}, and will be removed in a following release in favor of OpenJDK 21.
|
||||||
|
|
||||||
= Most of Java adapters removed
|
= Most of Java adapters removed
|
||||||
|
|
||||||
As stated in the release notes of previous {project_name} version, the most of Java adapters are now removed from the {project_name} codebase and downloads pages.
|
As stated in the release notes of previous {project_name} version, the most of Java adapters are now removed from the {project_name} codebase and downloads pages.
|
||||||
|
|
|
@ -156,7 +156,7 @@ ipaapi:x:992:988:IPA Framework User:/:/sbin/nologin
|
||||||
|
|
||||||
{project_name} uses https://github.com/hypfvieh/dbus-java[DBus-Java] project to communicate at a low level with D-Bus and https://github.com/java-native-access/jna[JNA] to authenticate via Operating System Pluggable Authentication Modules (PAM).
|
{project_name} uses https://github.com/hypfvieh/dbus-java[DBus-Java] project to communicate at a low level with D-Bus and https://github.com/java-native-access/jna[JNA] to authenticate via Operating System Pluggable Authentication Modules (PAM).
|
||||||
|
|
||||||
Although now {project_name} contains all the needed libraries to run the `SSSD` provider, JDK version 17 is needed. Therefore the `SSSD` provider will only be displayed when the host configuration is correct and JDK 17 is used to run {project_name}.
|
Although now {project_name} contains all the needed libraries to run the `SSSD` provider, JDK version 21 is needed. Therefore the `SSSD` provider will only be displayed when the host configuration is correct and JDK 21 is used to run {project_name}.
|
||||||
|
|
||||||
==== Configuring a federated SSSD store
|
==== Configuring a federated SSSD store
|
||||||
|
|
||||||
|
|
|
@ -13,7 +13,7 @@ summary="Get started with {project_name} on bare metal">
|
||||||
|
|
||||||
include::templates/hw-requirements.adoc[]
|
include::templates/hw-requirements.adoc[]
|
||||||
|
|
||||||
Make sure you have https://openjdk.java.net/[OpenJDK 17] installed.
|
Make sure you have https://openjdk.java.net/[OpenJDK 21] installed.
|
||||||
|
|
||||||
== Download {project_name}
|
== Download {project_name}
|
||||||
|
|
||||||
|
|
|
@ -52,7 +52,7 @@ You can create either `pkcs12` or `bcfks` keystore to be used for the {project_n
|
||||||
|
|
||||||
The `p12` (or `pkcs12`) keystore (and/or truststore) works well in BCFIPS non-approved mode.
|
The `p12` (or `pkcs12`) keystore (and/or truststore) works well in BCFIPS non-approved mode.
|
||||||
|
|
||||||
PKCS12 keystore can be generated with OpenJDK 17 Java on RHEL 9 in the standard way. For instance, the following command can be used to generate the keystore:
|
PKCS12 keystore can be generated with OpenJDK 21 Java on RHEL 9 in the standard way. For instance, the following command can be used to generate the keystore:
|
||||||
|
|
||||||
[source,bash]
|
[source,bash]
|
||||||
----
|
----
|
||||||
|
@ -269,7 +269,7 @@ the non-RHEL compatible platform or on the non-FIPS enabled platform, the FIPS c
|
||||||
|
|
||||||
If you are still restricted to running {project_name} on such a system, you can at least update your security providers configured in `java.security` file. This update does not amount to FIPS compliance, but
|
If you are still restricted to running {project_name} on such a system, you can at least update your security providers configured in `java.security` file. This update does not amount to FIPS compliance, but
|
||||||
at least the setup is closer to it. It can be done by providing a custom security file with only an overridden list of security providers as described earlier. For a list of recommended providers,
|
at least the setup is closer to it. It can be done by providing a custom security file with only an overridden list of security providers as described earlier. For a list of recommended providers,
|
||||||
see the https://access.redhat.com/documentation/en-us/openjdk/17/html/configuring_openjdk_17_on_rhel_with_fips/openjdk-default-fips-configuration[OpenJDK 17 documentation].
|
see the https://access.redhat.com/documentation/en-us/red_hat_build_of_openjdk/21/html/configuring_red_hat_build_of_openjdk_21_on_rhel_with_fips[OpenJDK 21 documentation].
|
||||||
|
|
||||||
You can check the {project_name} server log at startup to see if the correct security providers are used. TRACE logging should be enabled for crypto-related {project_name} packages as described in the Keycloak startup command earlier.
|
You can check the {project_name} server log at startup to see if the correct security providers are used. TRACE logging should be enabled for crypto-related {project_name} packages as described in the Keycloak startup command earlier.
|
||||||
|
|
||||||
|
|
|
@ -31,8 +31,6 @@
|
||||||
<description/>
|
<description/>
|
||||||
|
|
||||||
<properties>
|
<properties>
|
||||||
<ant.jvm.args>-Dnone</ant.jvm.args>
|
|
||||||
|
|
||||||
<jakarta-transformer-sources>${project.basedir}/../admin-client-jee/src</jakarta-transformer-sources>
|
<jakarta-transformer-sources>${project.basedir}/../admin-client-jee/src</jakarta-transformer-sources>
|
||||||
<jakarta-transformer-target>${project.basedir}/src</jakarta-transformer-target>
|
<jakarta-transformer-target>${project.basedir}/src</jakarta-transformer-target>
|
||||||
</properties>
|
</properties>
|
||||||
|
@ -95,8 +93,7 @@
|
||||||
<configuration>
|
<configuration>
|
||||||
<target>
|
<target>
|
||||||
<property name="plugin_classpath" refid="maven.plugin.classpath"/>
|
<property name="plugin_classpath" refid="maven.plugin.classpath"/>
|
||||||
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer" fork="true">
|
<java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
|
||||||
<jvmarg value="${ant.jvm.args}"/>
|
|
||||||
<arg value="-o"/>
|
<arg value="-o"/>
|
||||||
<arg value="${jakarta-transformer-sources}"/>
|
<arg value="${jakarta-transformer-sources}"/>
|
||||||
<arg value="${jakarta-transformer-target}"/>
|
<arg value="${jakarta-transformer-target}"/>
|
||||||
|
@ -122,18 +119,12 @@
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.eclipse.transformer</groupId>
|
<groupId>org.eclipse.transformer</groupId>
|
||||||
<artifactId>org.eclipse.transformer.cli</artifactId>
|
<artifactId>org.eclipse.transformer.cli</artifactId>
|
||||||
<version>0.2.0</version>
|
<version>0.5.0</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>ant-contrib</groupId>
|
<groupId>org.apache.ant</groupId>
|
||||||
<artifactId>ant-contrib</artifactId>
|
<artifactId>ant</artifactId>
|
||||||
<version>1.0b3</version>
|
<version>1.10.14</version>
|
||||||
<exclusions>
|
|
||||||
<exclusion>
|
|
||||||
<groupId>ant</groupId>
|
|
||||||
<artifactId>ant</artifactId>
|
|
||||||
</exclusion>
|
|
||||||
</exclusions>
|
|
||||||
</dependency>
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</plugin>
|
</plugin>
|
||||||
|
@ -154,17 +145,4 @@
|
||||||
</plugins>
|
</plugins>
|
||||||
</build>
|
</build>
|
||||||
|
|
||||||
<profiles>
|
|
||||||
<profile>
|
|
||||||
<id>jdk17+</id>
|
|
||||||
<activation>
|
|
||||||
<jdk>[17,)</jdk>
|
|
||||||
</activation>
|
|
||||||
<properties>
|
|
||||||
<!--For more information, see https://github.com/apache/ant/pull/200-->
|
|
||||||
<ant.jvm.args>-Djava.security.manager=allow</ant.jvm.args>
|
|
||||||
</properties>
|
|
||||||
</profile>
|
|
||||||
</profiles>
|
|
||||||
|
|
||||||
</project>
|
</project>
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
FROM registry.access.redhat.com/ubi9 AS ubi-micro-build
|
FROM registry.access.redhat.com/ubi9 AS ubi-micro-build
|
||||||
|
|
||||||
ADD target/ubi-null.sh /tmp/
|
ADD target/ubi-null.sh /tmp/
|
||||||
RUN bash /tmp/ubi-null.sh java-17-openjdk-headless glibc-langpack-en
|
RUN bash /tmp/ubi-null.sh java-21-openjdk-headless glibc-langpack-en
|
||||||
|
|
||||||
FROM registry.access.redhat.com/ubi9-micro
|
FROM registry.access.redhat.com/ubi9-micro
|
||||||
ENV LANG en_US.UTF-8
|
ENV LANG en_US.UTF-8
|
||||||
|
|
|
@ -17,7 +17,7 @@ RUN mv /tmp/keycloak/keycloak-* /opt/keycloak && mkdir -p /opt/keycloak/data
|
||||||
RUN chmod -R g+rwX /opt/keycloak
|
RUN chmod -R g+rwX /opt/keycloak
|
||||||
|
|
||||||
ADD ubi-null.sh /tmp/
|
ADD ubi-null.sh /tmp/
|
||||||
RUN bash /tmp/ubi-null.sh java-17-openjdk-headless glibc-langpack-en findutils
|
RUN bash /tmp/ubi-null.sh java-21-openjdk-headless glibc-langpack-en findutils
|
||||||
|
|
||||||
FROM registry.access.redhat.com/ubi9-micro
|
FROM registry.access.redhat.com/ubi9-micro
|
||||||
ENV LANG en_US.UTF-8
|
ENV LANG en_US.UTF-8
|
||||||
|
|
|
@ -50,7 +50,9 @@ public class XPathAttributeMapperTest {
|
||||||
assertThrows(RuntimeException.class, () -> testMapping("<Open>Foo</Close>", "//*"));
|
assertThrows(RuntimeException.class, () -> testMapping("<Open>Foo</Close>", "//*"));
|
||||||
assertThat(actualException.getCause(), instanceOf(ParsingException.class));
|
assertThat(actualException.getCause(), instanceOf(ParsingException.class));
|
||||||
|
|
||||||
assertThrows(RuntimeException.class, () -> testMapping(XML_WITH_NAMESPACE, "//*[local-name()=$street]"));
|
// it seems additional validation is added as 'TransformerException: Prefix must resolve to a namespace: unknownPrefix'
|
||||||
|
// is thrown before the XPath function resolver
|
||||||
|
assertNull(testMapping(XML_WITH_NAMESPACE, "//*[local-name()=$street]"));
|
||||||
assertNull(testMapping(XML_WITH_NAMESPACE, "//*[local-name()=myPrefix:add(1,2)]"));
|
assertNull(testMapping(XML_WITH_NAMESPACE, "//*[local-name()=myPrefix:add(1,2)]"));
|
||||||
}
|
}
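Review bot: The replaced assertion no longer checks that an expression with an unresolved variable (`$street`) is rejected; it now passes when `testMapping` returns null, and the added comment explains this with an error about `unknownPrefix`, a name that does not occur in either expression in this hunk. Since the commit keeps Java 17 as a supported runtime, the comment should say which JDK the observation applies to, e.g. `// JDK 21: an unresolved variable makes evaluation return null instead of failing in the resolver; TODO confirm on JDK 17`. If the outcome differs between runtimes, asserting that the mapping never yields a value (either null or an exception) would keep the intent of the original check. The test method starts outside the hunk.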
|
||||||
|
|
||||||
|
|
|
@ -786,7 +786,7 @@ mvn clean install -f crypto/fips1402 -Dorg.bouncycastle.fips.approved_only=true
|
||||||
|
|
||||||
### Integration tests
|
### Integration tests
|
||||||
|
|
||||||
On the FIPS enabled platform with FIPS enabled OpenJDK 17, you can run this to test against a Keycloak server on Quarkus
|
On the FIPS enabled platform with FIPS enabled OpenJDK 21, you can run this to test against a Keycloak server on Quarkus
|
||||||
with FIPS 140-2 integration enabled
|
with FIPS 140-2 integration enabled
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
|
@ -57,6 +57,7 @@
|
||||||
<jakarta.persistence-legacy.version>2.2.3</jakarta.persistence-legacy.version>
|
<jakarta.persistence-legacy.version>2.2.3</jakarta.persistence-legacy.version>
|
||||||
<smallrye.jandex.version>3.0.5</smallrye.jandex.version>
|
<smallrye.jandex.version>3.0.5</smallrye.jandex.version>
|
||||||
<commons.validator.version>1.8.0</commons.validator.version>
|
<commons.validator.version>1.8.0</commons.validator.version>
|
||||||
|
<byte-buddy.version>1.14.13</byte-buddy.version>
|
||||||
|
|
||||||
<!--migration properties-->
|
<!--migration properties-->
|
||||||
<migration.70.version>1.9.8.Final</migration.70.version>
|
<migration.70.version>1.9.8.Final</migration.70.version>
|
||||||
|
|
|
@ -81,6 +81,7 @@
|
||||||
<plugins>
|
<plugins>
|
||||||
<plugin>
|
<plugin>
|
||||||
<artifactId>maven-antrun-plugin</artifactId>
|
<artifactId>maven-antrun-plugin</artifactId>
|
||||||
|
<version>3.1.0</version>
|
||||||
<executions>
|
<executions>
|
||||||
<execution>
|
<execution>
|
||||||
<id>transform</id>
|
<id>transform</id>
|
||||||
|
@ -91,8 +92,7 @@
|
||||||
<configuration>
|
<configuration>
|
||||||
<target>
|
<target>
|
||||||
<property name="plugin_classpath" refid="maven.plugin.classpath" />
|
<property name="plugin_classpath" refid="maven.plugin.classpath" />
|
||||||
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer" fork="true">
|
<java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
|
||||||
<jvmarg value="${ant.jvm.args}"/>
|
|
||||||
<arg value="-o" />
|
<arg value="-o" />
|
||||||
<arg value="${jakarta-transformer-sources}" />
|
<arg value="${jakarta-transformer-sources}" />
|
||||||
<arg value="${jakarta-transformer-target}/tmp" />
|
<arg value="${jakarta-transformer-target}/tmp" />
|
||||||
|
@ -115,18 +115,12 @@
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.eclipse.transformer</groupId>
|
<groupId>org.eclipse.transformer</groupId>
|
||||||
<artifactId>org.eclipse.transformer.cli</artifactId>
|
<artifactId>org.eclipse.transformer.cli</artifactId>
|
||||||
<version>0.2.0</version>
|
<version>0.5.0</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>ant-contrib</groupId>
|
<groupId>org.apache.ant</groupId>
|
||||||
<artifactId>ant-contrib</artifactId>
|
<artifactId>ant</artifactId>
|
||||||
<version>1.0b3</version>
|
<version>1.10.14</version>
|
||||||
<exclusions>
|
|
||||||
<exclusion>
|
|
||||||
<groupId>ant</groupId>
|
|
||||||
<artifactId>ant</artifactId>
|
|
||||||
</exclusion>
|
|
||||||
</exclusions>
|
|
||||||
</dependency>
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</plugin>
|
</plugin>
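Review bot: The new build-time coordinates `org.eclipse.transformer.cli` `0.5.0` and `org.apache.ant:ant` `1.10.14` are written as literals here and again in the `@ -76,18 +76,12 @` and `@ -119,18 +119,12 @` hunks, so the three copies can drift on the next upgrade. These artifacts run in a forked JVM during the build, so it is worth being able to audit and bump them in one place. If these modules share a parent POM (not visible from the hunks), declare the versions once as properties there, the way this commit does for `byte-buddy.version`, and reference them here, e.g. `<version>${transformer-cli.version}</version>` (placeholder property name).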
|
||||||
|
|
|
@ -42,6 +42,7 @@
|
||||||
<plugins>
|
<plugins>
|
||||||
<plugin>
|
<plugin>
|
||||||
<artifactId>maven-antrun-plugin</artifactId>
|
<artifactId>maven-antrun-plugin</artifactId>
|
||||||
|
<version>3.1.0</version>
|
||||||
<executions>
|
<executions>
|
||||||
<execution>
|
<execution>
|
||||||
<id>transform</id>
|
<id>transform</id>
|
||||||
|
@ -52,8 +53,7 @@
|
||||||
<configuration>
|
<configuration>
|
||||||
<target>
|
<target>
|
||||||
<property name="plugin_classpath" refid="maven.plugin.classpath" />
|
<property name="plugin_classpath" refid="maven.plugin.classpath" />
|
||||||
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer" fork="true">
|
<java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
|
||||||
<jvmarg value="${ant.jvm.args}"/>
|
|
||||||
<arg value="-o" />
|
<arg value="-o" />
|
||||||
<arg value="${jakarta-transformer-sources}" />
|
<arg value="${jakarta-transformer-sources}" />
|
||||||
<arg value="${jakarta-transformer-target}/tmp" />
|
<arg value="${jakarta-transformer-target}/tmp" />
|
||||||
|
@ -76,18 +76,12 @@
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.eclipse.transformer</groupId>
|
<groupId>org.eclipse.transformer</groupId>
|
||||||
<artifactId>org.eclipse.transformer.cli</artifactId>
|
<artifactId>org.eclipse.transformer.cli</artifactId>
|
||||||
<version>0.2.0</version>
|
<version>0.5.0</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>ant-contrib</groupId>
|
<groupId>org.apache.ant</groupId>
|
||||||
<artifactId>ant-contrib</artifactId>
|
<artifactId>ant</artifactId>
|
||||||
<version>1.0b3</version>
|
<version>1.10.14</version>
|
||||||
<exclusions>
|
|
||||||
<exclusion>
|
|
||||||
<groupId>ant</groupId>
|
|
||||||
<artifactId>ant</artifactId>
|
|
||||||
</exclusion>
|
|
||||||
</exclusions>
|
|
||||||
</dependency>
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</plugin>
|
</plugin>
|
||||||
|
|
|
@ -96,7 +96,7 @@
|
||||||
<configuration>
|
<configuration>
|
||||||
<target>
|
<target>
|
||||||
<property name="plugin_classpath" refid="maven.plugin.classpath"/>
|
<property name="plugin_classpath" refid="maven.plugin.classpath"/>
|
||||||
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer" fork="true">
|
<java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
|
||||||
<arg value="-o"/>
|
<arg value="-o"/>
|
||||||
<arg value="${jakarta-transformer-sources}"/>
|
<arg value="${jakarta-transformer-sources}"/>
|
||||||
<arg value="${jakarta-transformer-target}/tmp"/>
|
<arg value="${jakarta-transformer-target}/tmp"/>
|
||||||
|
@ -119,18 +119,12 @@
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.eclipse.transformer</groupId>
|
<groupId>org.eclipse.transformer</groupId>
|
||||||
<artifactId>org.eclipse.transformer.cli</artifactId>
|
<artifactId>org.eclipse.transformer.cli</artifactId>
|
||||||
<version>0.2.0</version>
|
<version>0.5.0</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>ant-contrib</groupId>
|
<groupId>org.apache.ant</groupId>
|
||||||
<artifactId>ant-contrib</artifactId>
|
<artifactId>ant</artifactId>
|
||||||
<version>1.0b3</version>
|
<version>1.10.14</version>
|
||||||
<exclusions>
|
|
||||||
<exclusion>
|
|
||||||
<groupId>ant</groupId>
|
|
||||||
<artifactId>ant</artifactId>
|
|
||||||
</exclusion>
|
|
||||||
</exclusions>
|
|
||||||
</dependency>
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</plugin>
|
</plugin>
|
||||||
|
|
|
@ -797,7 +797,7 @@
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>net.bytebuddy</groupId>
|
<groupId>net.bytebuddy</groupId>
|
||||||
<artifactId>byte-buddy</artifactId>
|
<artifactId>byte-buddy</artifactId>
|
||||||
<version>1.12.18</version>
|
<version>{byte-buddy.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</profile>
|
</profile>
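Review bot: The new `<version>{byte-buddy.version}</version>` line in the `@ -797,7 +797,7 @` hunk is missing the `$`, at least as rendered on this page. Maven would then treat it as the literal version string `{byte-buddy.version}` rather than the `byte-buddy.version` property added in the first POM hunk. Because the dependency sits inside a `<profile>`, the resolution failure would only appear when that profile is activated, so a default build can pass without catching it. The line should read `<version>${byte-buddy.version}</version>`, matching the `@ -1608,7 +1608,7 @` hunk. The enclosing profile starts outside the hunk.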
|
||||||
|
|
|
@ -16,6 +16,7 @@
|
||||||
*/
|
*/
|
||||||
package org.keycloak.testsuite.pages;
|
package org.keycloak.testsuite.pages;
|
||||||
|
|
||||||
|
import java.util.ArrayList;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.LinkedList;
|
import java.util.LinkedList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
@ -64,7 +65,7 @@ public class OAuthGrantPage extends LanguageComboboxAwarePage {
|
||||||
}
|
}
|
||||||
|
|
||||||
public List<String> getDisplayedGrants() {
|
public List<String> getDisplayedGrants() {
|
||||||
List<String> table = new LinkedList<>();
|
List<String> table = new ArrayList<>();
|
||||||
WebElement divKcOauth = driver.findElement(By.id("kc-oauth"));
|
WebElement divKcOauth = driver.findElement(By.id("kc-oauth"));
|
||||||
for (WebElement li : divKcOauth.findElements(By.tagName("li"))) {
|
for (WebElement li : divKcOauth.findElements(By.tagName("li"))) {
|
||||||
WebElement span = li.findElement(By.tagName("span"));
|
WebElement span = li.findElement(By.tagName("span"));
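Review bot: The `import java.util.LinkedList;` line is kept as context in the `@ -16,6 +16,7 @` hunk, and it may now be unused after `table` in `getDisplayedGrants()` switches to `new ArrayList<>()`. If nothing else in `OAuthGrantPage` references `LinkedList`, drop that import in the same change. The rest of the file is not visible here and the method body continues past the hunk, so this needs checking against the full class.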
|
||||||
|
|
|
@ -20,7 +20,6 @@ package org.keycloak.testsuite.x509;
|
||||||
import org.jboss.arquillian.drone.api.annotation.Drone;
|
import org.jboss.arquillian.drone.api.annotation.Drone;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
import org.junit.BeforeClass;
|
import org.junit.BeforeClass;
|
||||||
import org.junit.Ignore;
|
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.keycloak.testsuite.util.HtmlUnitBrowser;
|
import org.keycloak.testsuite.util.HtmlUnitBrowser;
|
||||||
import org.openqa.selenium.WebDriver;
|
import org.openqa.selenium.WebDriver;
|
||||||
|
|
|
@ -1608,7 +1608,7 @@
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>net.bytebuddy</groupId>
|
<groupId>net.bytebuddy</groupId>
|
||||||
<artifactId>byte-buddy</artifactId>
|
<artifactId>byte-buddy</artifactId>
|
||||||
<version>1.12.18</version>
|
<version>${byte-buddy.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
|
||||||
<dependency>
|
<dependency>
|
||||||
|
|