From 863d28e232bddc1f1623bb8e214bfb8e2fface7a Mon Sep 17 00:00:00 2001 From: mposolda Date: Thu, 6 Apr 2023 13:14:48 +0200 Subject: [PATCH] Promote FIPS 140-2 to supported in Keycloak 22 closes #17234 --- common/src/main/java/org/keycloak/common/Profile.java | 2 +- .../src/test/java/org/keycloak/common/ProfileTest.java | 2 +- docs/documentation/release_notes/index.adoc | 3 +++ docs/documentation/release_notes/topics/21_1_0.adoc | 3 +++ docs/guides/server/fips.adoc | 2 -- .../main/java/org/keycloak/config/OptionCategory.java | 2 +- .../main/java/org/keycloak/config/SecurityOptions.java | 7 +++++-- .../java/org/keycloak/it/cli/dist/FeaturesDistTest.java | 4 +--- .../test/java/org/keycloak/it/cli/dist/FipsDistTest.java | 3 ++- .../HelpCommandDistTest.testBuildHelp.unix.approved.txt | 9 +++++++++ ...elpCommandDistTest.testBuildHelp.windows.approved.txt | 9 +++++++++ ...elpCommandDistTest.testStartDevHelp.unix.approved.txt | 9 +++++++++ ...CommandDistTest.testStartDevHelp.windows.approved.txt | 9 +++++++++ ...CommandDistTest.testStartDevHelpAll.unix.approved.txt | 9 ++++++--- ...mandDistTest.testStartDevHelpAll.windows.approved.txt | 9 ++++++--- .../HelpCommandDistTest.testStartHelp.unix.approved.txt | 9 +++++++++ ...elpCommandDistTest.testStartHelp.windows.approved.txt | 9 +++++++++ ...elpCommandDistTest.testStartHelpAll.unix.approved.txt | 9 ++++++--- ...CommandDistTest.testStartHelpAll.windows.approved.txt | 9 ++++++--- 19 files changed, 95 insertions(+), 23 deletions(-) create mode 100644 docs/documentation/release_notes/topics/21_1_0.adoc diff --git a/common/src/main/java/org/keycloak/common/Profile.java b/common/src/main/java/org/keycloak/common/Profile.java index 89c716cbba..9c5bda8fe6 100755 --- a/common/src/main/java/org/keycloak/common/Profile.java +++ b/common/src/main/java/org/keycloak/common/Profile.java 
@@ -89,7 +89,7 @@ public class Profile { JS_ADAPTER("Host keycloak.js and keycloak-authz.js through the Keycloak sever", Type.DEFAULT), - FIPS("FIPS 140-2 mode", Type.PREVIEW_DISABLED_BY_DEFAULT); + FIPS("FIPS 140-2 mode", Type.DISABLED_BY_DEFAULT); private final Type type; private String label; diff --git a/common/src/test/java/org/keycloak/common/ProfileTest.java b/common/src/test/java/org/keycloak/common/ProfileTest.java index cf6cbb4148..e4ca836f08 100644 --- a/common/src/test/java/org/keycloak/common/ProfileTest.java +++ b/common/src/test/java/org/keycloak/common/ProfileTest.java @@ -76,7 +76,7 @@ public class ProfileTest { disabledFeatutes.add(Profile.Feature.KERBEROS); } assertEquals(profile.getDisabledFeatures(), disabledFeatutes); - assertEquals(profile.getPreviewFeatures(), Profile.Feature.FIPS, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.RECOVERY_CODES, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.UPDATE_EMAIL); + assertEquals(profile.getPreviewFeatures(), Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.RECOVERY_CODES, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.UPDATE_EMAIL); } @Test diff --git a/docs/documentation/release_notes/index.adoc b/docs/documentation/release_notes/index.adoc index 2e65681580..5a59bb6f35 100644 --- a/docs/documentation/release_notes/index.adoc +++ b/docs/documentation/release_notes/index.adoc @@ -16,6 +16,9 @@ include::topics/templates/release-header.adoc[] == {project_name_full} 22.0.0 include::topics/22_0_0.adoc[leveloffset=2] +== {project_name_full} 21.1.0 +include::topics/21_1_0.adoc[leveloffset=2] + == {project_name_full} 21.0.0 include::topics/21_0_0.adoc[leveloffset=2] 
diff --git a/docs/documentation/release_notes/topics/21_1_0.adoc b/docs/documentation/release_notes/topics/21_1_0.adoc new file mode 100644 index 0000000000..5df2e28317 --- /dev/null +++ b/docs/documentation/release_notes/topics/21_1_0.adoc @@ -0,0 +1,3 @@ += FIPS 140-2 support + +FIPS 140-2 support in Keycloak, which was preview in the previous release, is now promoted to be officially supported. diff --git a/docs/guides/server/fips.adoc b/docs/guides/server/fips.adoc index 88f1eee9f4..c65708c6e3 100644 --- a/docs/guides/server/fips.adoc +++ b/docs/guides/server/fips.adoc @@ -10,8 +10,6 @@ includedOptions=""> The Federal Information Processing Standard Publication 140-2, (FIPS 140-2), is a U.S. government computer security standard used to approve cryptographic modules. Keycloak supports to run in FIPS 140-2 compliant mode. In this case, Keycloak will use only FIPS approved cryptography algorithms for it's functionality. -NOTE: FIPS 140-2 is supported only as a preview feature in Keycloak for now. - To run in FIPS 140-2, Keycloak should run on a FIPS 140-2 enabled system. This requirement usually assumes RHEL or Fedora where FIPS was enabled during installation. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/security_hardening/index#assembly_installing-the-system-in-fips-mode_security-hardening[RHEL documentation] for the details. When the system is in FIPS mode, it makes sure that the underlying OpenJDK is in FIPS mode as well and would use only diff --git a/quarkus/config-api/src/main/java/org/keycloak/config/OptionCategory.java b/quarkus/config-api/src/main/java/org/keycloak/config/OptionCategory.java index f011c56231..f5d4146f67 100644 --- a/quarkus/config-api/src/main/java/org/keycloak/config/OptionCategory.java +++ b/quarkus/config-api/src/main/java/org/keycloak/config/OptionCategory.java 
@@ -14,7 +14,7 @@ public enum OptionCategory { PROXY("Proxy", 90, ConfigSupportLevel.SUPPORTED), VAULT("Vault", 100, ConfigSupportLevel.SUPPORTED), LOGGING("Logging", 110, ConfigSupportLevel.SUPPORTED), - SECURITY("Security", 120, ConfigSupportLevel.PREVIEW), + SECURITY("Security", 120, ConfigSupportLevel.SUPPORTED), EXPORT("Export", 130, ConfigSupportLevel.SUPPORTED), IMPORT("Import", 140, ConfigSupportLevel.SUPPORTED), GENERAL("General", 999, ConfigSupportLevel.SUPPORTED); diff --git a/quarkus/config-api/src/main/java/org/keycloak/config/SecurityOptions.java b/quarkus/config-api/src/main/java/org/keycloak/config/SecurityOptions.java index ad3e02a26d..f4a63e39e3 100644 --- a/quarkus/config-api/src/main/java/org/keycloak/config/SecurityOptions.java +++ b/quarkus/config-api/src/main/java/org/keycloak/config/SecurityOptions.java @@ -2,7 +2,8 @@ package org.keycloak.config; import java.util.Arrays; import java.util.List; -import java.util.Optional; + +import org.keycloak.common.Profile; import org.keycloak.common.crypto.FipsMode; public class SecurityOptions { @@ -11,7 +12,9 @@ public class SecurityOptions { .category(OptionCategory.SECURITY) .expectedValues(SecurityOptions::getFipsModeValues) .buildTime(true) - .description("Sets the FIPS mode. If '" + FipsMode.NON_STRICT + "' is set, FIPS is enabled but on non-approved mode. For full FIPS compliance, set '" + FipsMode.STRICT + "' to run on approved mode.") + .description("Sets the FIPS mode. If '" + FipsMode.NON_STRICT + "' is set, FIPS is enabled but on non-approved mode. For full FIPS compliance, set '" + FipsMode.STRICT + "' to run on approved mode. " + + "This option defaults to '" + FipsMode.DISABLED + "' when '" + Profile.Feature.FIPS.getKey() + "' feature is disabled, which is by default. " + + "This option defaults to '" + FipsMode.NON_STRICT + "' when '" + Profile.Feature.FIPS.getKey() + "' feature is enabled.") .defaultValue(FipsMode.DISABLED) .build(); 
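Review bot: Changing `SECURITY` to `ConfigSupportLevel.SUPPORTED` promotes the whole category, not just the `fips-mode` option. Judging by the approved help files, where both `Security (Preview):` and the `Preview:` prefix on the option disappear, the category level appears to drive how each option in it is labelled. Any option later registered under `OptionCategory.SECURITY` would then be advertised as supported by default. A comment on the constant would record that, for example `// Category-wide level: every option in SECURITY is shown as supported; keep preview-only options out of this category`. The enum body starts and ends outside this hunk, so whether a per-option support level exists cannot be confirmed from here.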
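Review bot: In the second SecurityOptions.java hunk the extended description says the default becomes `non-strict` when the `fips` feature is enabled, but the unchanged `.defaultValue(FipsMode.DISABLED)` still makes the generated help end with `Default: disabled.`. The two statements read as contradictory, and the code that applies the feature-dependent default is not visible in this hunk. For an operator, the consequence is that enabling the feature alone selects the non-approved mode rather than full FIPS compliance. The text could say that directly, e.g. `"Enabling the '" + Profile.Feature.FIPS.getKey() + "' feature without setting this option selects '" + FipsMode.NON_STRICT + "', which is not full FIPS compliance; set '" + FipsMode.STRICT + "' explicitly."`. The help also lists only `non-strict, strict` as possible values although `disabled` is the stated default; that list presumably comes from `getFipsModeValues`, defined outside the hunk.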
diff --git a/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FeaturesDistTest.java b/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FeaturesDistTest.java index 6dd4f77fc5..b1a75c8471 100644 --- a/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FeaturesDistTest.java +++ b/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FeaturesDistTest.java @@ -55,9 +55,7 @@ public class FeaturesDistTest { public void testEnablePreviewFeaturesAndFips(LaunchResult result) { CLIResult cliResult = (CLIResult) result; - String previewFeaturesWithFipsIncluded = PREVIEW_FEATURES_EXPECTED_LOG.replace("declarative-user-profile", "declarative-user-profile, fips"); - assertThat(result.getOutput(), CoreMatchers.allOf( - containsString(previewFeaturesWithFipsIncluded))); + assertPreviewFeaturesEnabled(cliResult); cliResult.assertError("Failed to configure FIPS."); } diff --git a/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java b/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java index 755529f3ef..3d89da2f4c 100644 --- a/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java +++ b/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java @@ -38,7 +38,8 @@ public class FipsDistTest { runOnFipsEnabledDistribution(dist, () -> { CLIResult cliResult = dist.run("start"); cliResult.assertStarted(); - cliResult.assertMessageWasShownExactlyNumberOfTimes("Preview features enabled: fips", 2); + // Not shown as FIPS is not a preview anymore + cliResult.assertMessageWasShownExactlyNumberOfTimes("Preview features enabled: fips", 0); cliResult.assertMessage("Java security providers: [ \n" + " KC(BCFIPS version 1.000203, FIPS-JVM: " + KeycloakFipsSecurityProvider.isSystemFipsEnabled() + ") version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider"); }); 
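Review bot: After this change `testEnablePreviewFeaturesAndFips` in FeaturesDistTest.java no longer checks directly that `fips` was switched on. The removed assertion looked for `fips` in the enabled-features log line, while `assertPreviewFeaturesEnabled(cliResult)`, defined outside the hunk, presumably checks only the preview list that no longer contains it. The remaining `cliResult.assertError("Failed to configure FIPS.")` covers this only indirectly, so a comment would help: `// fips is no longer a preview feature, so it is absent from the preview log; the FIPS configuration error below shows the feature was enabled`. The method name still groups FIPS with the preview features and may deserve a rename. The method's annotations and the start of the class are outside the hunk.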
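Review bot: The new `assertMessageWasShownExactlyNumberOfTimes("Preview features enabled: fips", 0)` in FipsDistTest.java is a weak negative check, because the substring matches only when `fips` is the first entry after the colon. The line removed from FeaturesDistTest.java shows the log can read `... declarative-user-profile, fips`, and a regression producing that form would pass unnoticed. If no other preview feature is enabled in this run, `cliResult.assertMessageWasShownExactlyNumberOfTimes("Preview features enabled:", 0);` would be stricter; whether that holds depends on `runOnFipsEnabledDistribution`, which is defined outside the hunk. No positive assertion replaces the removed one, so only the security-provider message still shows that FIPS was configured.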
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt index 5758b9f2b1..4f936315e5 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt @@ -80,6 +80,15 @@ Vault: --vault Enables a vault provider. Possible values are: file. +Security: + +--fips-mode Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on + non-approved mode. For full FIPS compliance, set 'strict' to run on approved + mode. This option defaults to 'disabled' when 'fips' feature is disabled, + which is by default. This option defaults to 'non-strict' when 'fips' + feature is enabled. Possible values are: non-strict, strict. Default: + disabled. + Examples: Change the database vendor: diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.windows.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.windows.approved.txt index 4be146bfbb..fed031b174 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.windows.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.windows.approved.txt 
@@ -80,6 +80,15 @@ Vault: --vault Enables a vault provider. Possible values are: file. +Security: + +--fips-mode Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on + non-approved mode. For full FIPS compliance, set 'strict' to run on approved + mode. This option defaults to 'disabled' when 'fips' feature is disabled, + which is by default. This option defaults to 'non-strict' when 'fips' + feature is enabled. Possible values are: non-strict, strict. Default: + disabled. + Examples: Change the database vendor: diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt index cb3706d982..fb84206387 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt @@ -222,6 +222,15 @@ Logging: categories and their levels. For the root category, you don't need to specify a category. Default: info. +Security: + +--fips-mode Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on + non-approved mode. For full FIPS compliance, set 'strict' to run on approved + mode. This option defaults to 'disabled' when 'fips' feature is disabled, + which is by default. This option defaults to 'non-strict' when 'fips' + feature is enabled. Possible values are: non-strict, strict. Default: + disabled. + Do NOT start the server using this command when deploying to production. Use 'kc.sh start-dev --help-all' to list all available options, including build 
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.windows.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.windows.approved.txt index 98e926ecd9..14a0b06b85 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.windows.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.windows.approved.txt @@ -220,6 +220,15 @@ Logging: categories and their levels. For the root category, you don't need to specify a category. Default: info. +Security: + +--fips-mode Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on + non-approved mode. For full FIPS compliance, set 'strict' to run on approved + mode. This option defaults to 'disabled' when 'fips' feature is disabled, + which is by default. This option defaults to 'non-strict' when 'fips' + feature is enabled. Possible values are: non-strict, strict. Default: + disabled. + Do NOT start the server using this command when deploying to production. Use 'kc.bat start-dev --help-all' to list all available options, including diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt index 601568cfdf..a8302e2d12 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt 
@@ -285,11 +285,14 @@ Logging: categories and their levels. For the root category, you don't need to specify a category. Default: info. -Security (Preview): +Security: ---fips-mode Preview: Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on +--fips-mode Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on non-approved mode. For full FIPS compliance, set 'strict' to run on approved - mode. Possible values are: non-strict, strict. Default: disabled. + mode. This option defaults to 'disabled' when 'fips' feature is disabled, + which is by default. This option defaults to 'non-strict' when 'fips' + feature is enabled. Possible values are: non-strict, strict. Default: + disabled. Do NOT start the server using this command when deploying to production. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.windows.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.windows.approved.txt index 927218d631..5262732c1c 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.windows.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.windows.approved.txt 
@@ -283,11 +283,14 @@ Logging: categories and their levels. For the root category, you don't need to specify a category. Default: info. -Security (Preview): +Security: ---fips-mode Preview: Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on +--fips-mode Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on non-approved mode. For full FIPS compliance, set 'strict' to run on approved - mode. Possible values are: non-strict, strict. Default: disabled. + mode. This option defaults to 'disabled' when 'fips' feature is disabled, + which is by default. This option defaults to 'non-strict' when 'fips' + feature is enabled. Possible values are: non-strict, strict. Default: + disabled. Do NOT start the server using this command when deploying to production. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt index a26e31de98..d54d1d9728 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt 
@@ -228,6 +228,15 @@ Logging: categories and their levels. For the root category, you don't need to specify a category. Default: info. +Security: + +--fips-mode Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on + non-approved mode. For full FIPS compliance, set 'strict' to run on approved + mode. This option defaults to 'disabled' when 'fips' feature is disabled, + which is by default. This option defaults to 'non-strict' when 'fips' + feature is enabled. Possible values are: non-strict, strict. Default: + disabled. + By default, this command tries to update the server configuration by running a 'build' before starting the server. You can disable this behavior by using the '--optimized' option: diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.windows.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.windows.approved.txt index 8980ff8dab..92f4b723c8 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.windows.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.windows.approved.txt 
@@ -226,6 +226,15 @@ Logging: categories and their levels. For the root category, you don't need to specify a category. Default: info. +Security: + +--fips-mode Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on + non-approved mode. For full FIPS compliance, set 'strict' to run on approved + mode. This option defaults to 'disabled' when 'fips' feature is disabled, + which is by default. This option defaults to 'non-strict' when 'fips' + feature is enabled. Possible values are: non-strict, strict. Default: + disabled. + By default, this command tries to update the server configuration by running a 'build' before starting the server. You can disable this behavior by using the '--optimized' option: diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt index dbda02ff66..3596cbf5f8 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt 
@@ -291,11 +291,14 @@ Logging: categories and their levels. For the root category, you don't need to specify a category. Default: info. -Security (Preview): +Security: ---fips-mode Preview: Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on +--fips-mode Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on non-approved mode. For full FIPS compliance, set 'strict' to run on approved - mode. Possible values are: non-strict, strict. Default: disabled. + mode. This option defaults to 'disabled' when 'fips' feature is disabled, + which is by default. This option defaults to 'non-strict' when 'fips' + feature is enabled. Possible values are: non-strict, strict. Default: + disabled. By default, this command tries to update the server configuration by running a 'build' before starting the server. You can disable this behavior by using the diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.windows.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.windows.approved.txt index d6a74b7a30..e881bef456 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.windows.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.windows.approved.txt 
@@ -289,11 +289,14 @@ Logging: categories and their levels. For the root category, you don't need to specify a category. Default: info. -Security (Preview): +Security: ---fips-mode Preview: Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on +--fips-mode Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on non-approved mode. For full FIPS compliance, set 'strict' to run on approved - mode. Possible values are: non-strict, strict. Default: disabled. + mode. This option defaults to 'disabled' when 'fips' feature is disabled, + which is by default. This option defaults to 'non-strict' when 'fips' + feature is enabled. Possible values are: non-strict, strict. Default: + disabled. By default, this command tries to update the server configuration by running a 'build' before starting the server. You can disable this behavior by using the