Release notes and some notes for JavaKeystoreProvider changes

Closes #31226 Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-07-12 11:04:20 +02:00 · 2024-07-12 11:04:20 +02:00 · 764ef4831a
commit 764ef4831a
parent 865c2dabea
3 changed files with 11 additions and 1 deletions
--- a/docs/documentation/release_notes/topics/26_0_0.adoc
+++ b/docs/documentation/release_notes/topics/26_0_0.adoc
@ -43,3 +43,9 @@ https://www.keycloak.org/operator/advanced-configuration[Operator Advanced Confi
 In this release, the LDAP connection pool configuration relies solely on system properties.

 For more details, see link:{adminguide_link}#_ldap_connection_pool[Configuring the connection pool].
+
+= The `java-keystore` key provider supports more algorithms and vault secrets
+
+The `java-keystore` key provider, which allows loading a realm key from an external java keystore file, has been modified to manage all {project_name} algorithms. Besides, the keystore and key secrets, needed to retrieve the actual key from the store, can be configured using the link:{adminguide_link}#_vault-administration[vault]. Therefore a {project_name} realm can externalize any key to the encrypted file without sensitive data stored in the database.
+
+For more information about this subject, see link:{adminguide_link}#realm_keys[Configuring realm keys].
--- a/docs/documentation/server_admin/topics/realms/keys.adoc
+++ b/docs/documentation/server_admin/topics/realms/keys.adoc
@ -138,7 +138,7 @@ For the associated certificate chain to be loaded it must be imported to the Jav

 [WARNING]
 ====
-Not all the keystore types support all types of keys. `JKS` and `PKCS12` in fips modes (provider `BCFIPS`) cannot store secret key entries.
+Not all the keystore types support all types of keys. For example, `JKS` in all modes and `PKCS12` in fips mode (`BCFIPS` provider) cannot store secret key entries.
 ====

 ==== Making keys passive
--- a/docs/guides/server/fips.adoc
+++ b/docs/guides/server/fips.adoc
@ -62,6 +62,8 @@ keytool -genkeypair -sigalg SHA512withRSA -keyalg RSA -storepass passwordpasswor
  -dname CN=localhost -keypass passwordpassword
 ----

+The `pkcs12` keystores in FIPS mode *do not* manage secret (symmetric) keys. This limitation is imposed by the `BCFIPS` provider which does not allow this type of keys inside the `pkcs12` keystore type.
+
 When the system is in FIPS mode, the default `java.security` file is changed in order to use FIPS enabled security providers, so no additional configuration is needed. Additionally, in the PKCS12 keystore, you can store PBE (password-based encryption) keys simply by using the keytool command, which makes it ideal for using it with {project_name} KeyStore Vault and/or to store configuration properties in the KeyStore Config Source. For more details, see the <@links.server id="configuration"/> and the <@links.server id="vault"/>.

 === BCFKS keystore
@ -180,6 +182,8 @@ For Kerberos/SPNEGO, the security provider `SunJGSS` is not yet fully FIPS compl
 if you want to be FIPS compliant. The `KERBEROS` feature is disabled by default in {project_name} when it is executed on FIPS platform and when security provider is not
 available. Details are in the https://bugzilla.redhat.com/show_bug.cgi?id=2051628[bugzilla].

+The algorithm `EdDSA` cannot be used in FIPS mode. Although the current `BCFIPS` provider supports `Ed25519` and `Ed448` curves, the resulting keys do not implement the standard JDK interfaces to manage them (`EdECKey`, `EdECPublicKey`, `EdECPrivateKey`,...), and {project_name} cannot use them for signatures.
+
 == Run the CLI on the FIPS host

 If you want to run Client Registration CLI (`kcreg.sh|bat` script) or Admin CLI (`kcadm.sh|bat` script),