Release notes and some notes for JavaKeystoreProvider changes
Closes #31226 Signed-off-by: rmartinc <rmartinc@redhat.com>
This commit is contained in:
parent
865c2dabea
commit
764ef4831a
3 changed files with 11 additions and 1 deletions
|
@ -43,3 +43,9 @@ https://www.keycloak.org/operator/advanced-configuration[Operator Advanced Confi
|
|||
In this release, the LDAP connection pool configuration relies solely on system properties.
|
||||
|
||||
For more details, see link:{adminguide_link}#_ldap_connection_pool[Configuring the connection pool].
|
||||
|
||||
= The `java-keystore` key provider supports more algorithms and vault secrets
|
||||
|
||||
The `java-keystore` key provider, which allows loading a realm key from an external java keystore file, has been modified to manage all {project_name} algorithms. Besides, the keystore and key secrets, needed to retrieve the actual key from the store, can be configured using the link:{adminguide_link}#_vault-administration[vault]. Therefore a {project_name} realm can externalize any key to the encrypted file without sensitive data stored in the database.
|
||||
|
||||
For more information about this subject, see link:{adminguide_link}#realm_keys[Configuring realm keys].
|
|
@ -138,7 +138,7 @@ For the associated certificate chain to be loaded it must be imported to the Jav
|
|||
|
||||
[WARNING]
|
||||
====
|
||||
Not all the keystore types support all types of keys. `JKS` and `PKCS12` in fips modes (provider `BCFIPS`) cannot store secret key entries.
|
||||
Not all the keystore types support all types of keys. For example, `JKS` in all modes and `PKCS12` in fips mode (`BCFIPS` provider) cannot store secret key entries.
|
||||
====
|
||||
|
||||
==== Making keys passive
|
||||
|
|
|
@ -62,6 +62,8 @@ keytool -genkeypair -sigalg SHA512withRSA -keyalg RSA -storepass passwordpasswor
|
|||
-dname CN=localhost -keypass passwordpassword
|
||||
----
|
||||
|
||||
The `pkcs12` keystores in FIPS mode *do not* manage secret (symmetric) keys. This limitation is imposed by the `BCFIPS` provider which does not allow this type of keys inside the `pkcs12` keystore type.
|
||||
|
||||
When the system is in FIPS mode, the default `java.security` file is changed in order to use FIPS enabled security providers, so no additional configuration is needed. Additionally, in the PKCS12 keystore, you can store PBE (password-based encryption) keys simply by using the keytool command, which makes it ideal for using it with {project_name} KeyStore Vault and/or to store configuration properties in the KeyStore Config Source. For more details, see the <@links.server id="configuration"/> and the <@links.server id="vault"/>.
|
||||
|
||||
=== BCFKS keystore
|
||||
|
@ -180,6 +182,8 @@ For Kerberos/SPNEGO, the security provider `SunJGSS` is not yet fully FIPS compl
|
|||
if you want to be FIPS compliant. The `KERBEROS` feature is disabled by default in {project_name} when it is executed on FIPS platform and when security provider is not
|
||||
available. Details are in the https://bugzilla.redhat.com/show_bug.cgi?id=2051628[bugzilla].
|
||||
|
||||
The algorithm `EdDSA` cannot be used in FIPS mode. Although the current `BCFIPS` provider supports `Ed25519` and `Ed448` curves, the resulting keys do not implement the standard JDK interfaces to manage them (`EdECKey`, `EdECPublicKey`, `EdECPrivateKey`,...), and {project_name} cannot use them for signatures.
|
||||
|
||||
== Run the CLI on the FIPS host
|
||||
|
||||
If you want to run Client Registration CLI (`kcreg.sh|bat` script) or Admin CLI (`kcadm.sh|bat` script),
|
||||
|
|
Loading…
Reference in a new issue