Update the docs

* updated the release notes
* updated the FIPS guide

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
Peter Zaoral 2023-05-23 19:20:49 +02:00 committed by Pedro Igor
parent 7e56938b74
commit f4cc6d7b76
2 changed files with 23 additions and 3 deletions


@ -76,4 +76,12 @@ If you are extending one of the following SPIs:
* `RealmResourceSPI`
See the link:{upgradingguide_link}[{upgradingguide_name}] for more details about how to
update your custom providers.
update your custom providers.
= Elytron credential store replacement
The previous and now removed WildFly distribution provided a built-in vault provider that reads secrets from a keystore-backed Elytron credential store. As this is no longer available, we have added a new implementation of the Keycloak Vault SPI called Keycloak KeyStore Vault. As the name suggests, this implementation reads secrets from a Java keystore file. Such secrets can be then used within multiple places of the Administration Console. For further details, see https://www.keycloak.org/server/vault[our guide] and the latest https://www.keycloak.org/docs/latest/server_admin/index.html#_vault-administration[documentation].
= KeyStore Config Source added
In relation to the KeyStore Vault news, we also integrated Quarkus's recently released feature called KeyStore Config Source. This means that among the already existing configuration sources (CLI parameters, environment variables and files), you can now configure your Keycloak server via configuration properties stored in a Java keystore file. You can learn more about this feature in the https://www.keycloak.org/server/configuration[Configuration guide].
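Review bot: the two new release-note sections describe reading secrets and configuration properties from a Java keystore file but say nothing about how the keystore's own password is supplied or protected, and that password is now the single credential guarding everything inside the file; add a sentence in each section pointing to where that is covered (the linked vault and configuration guides) so readers do not treat the keystore as a secret store that needs no further protection. Two wording points in the same hunk: "Quarkus's recently released feature" will age badly in a release note, so drop "recently" or name the Quarkus version, and "Such secrets can be then used within multiple places of the Administration Console" should read "Such secrets can then be used in multiple places in the Administration Console".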


@ -35,7 +35,19 @@ BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/fips-j
You can create either `pkcs12` or `bcfks` keystore to be used for the Keycloak server SSL. The `pkcs12` works well in BCFIPS non-approved mode.
PKCS12 keystore can be generated with OpenJDK 17 Java on RHEL 9 in the standard way.
PKCS12 keystore can be generated with OpenJDK 17 Java on RHEL 9 in the standard way. Make sure that the system is in FIPS mode, you can check it with the following command:
```bash
fips-mode-setup --check
```
If the system is not in FIPS mode, you can enable it with the following command:
```bash
fips-mode-setup --enable
```
The command changes the default `java.security` file in order to use FIPS enabled security providers, so no additional configuration is needed. Additionally, in PKCS12 keystore you can store PBE (password-based encryption) keys simply via the keytool command, which makes it ideal for using it with Keycloak KeyStore Vault and/or to store configuration properties in the KeyStore Config Source. For more details, see the https://www.keycloak.org/server/configuration[Configuration Guide] and the https://www.keycloak.org/server/vault[Vault Guide].
BCFKS keystore generation requires the use of the BouncyCastle FIPS libraries and a custom security file.
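Review bot: `fips-mode-setup --enable` does not take effect until the system is rebooted, so the text after the second code block should say so before telling the reader to generate the keystore; as the hunk reads now, someone who runs `--enable` and then `keytool` in the same session is still on the non-FIPS providers, and a second `fips-mode-setup --check` after the reboot is the check worth recommending. Minor wording: "Make sure that the system is in FIPS mode, you can check it with the following command:" is a comma splice and should be two sentences, and "in PKCS12 keystore you can store PBE (password-based encryption) keys" should read "in a PKCS12 keystore you can store PBE (password-based encryption) keys".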
@ -45,7 +57,7 @@ securerandom.strongAlgorithms=PKCS11:SunPKCS11-NSS-FIPS
```
Next enter a command such as the following to generate the keystore:
```
```bash
keytool -keystore $KEYCLOAK_HOME/conf/server.keystore \
-storetype bcfks \
-providername BCFIPS \