diff --git a/docs/documentation/release_notes/topics/22_0_0.adoc b/docs/documentation/release_notes/topics/22_0_0.adoc index d43d5a5b7f..d7e825f171 100644 --- a/docs/documentation/release_notes/topics/22_0_0.adoc +++ b/docs/documentation/release_notes/topics/22_0_0.adoc @@ -76,4 +76,12 @@ If you are extending one of the following SPIs: * `RealmResourceSPI` See the link:{upgradingguide_link}[{upgradingguide_name}] for more details about how to -update your custom providers. \ No newline at end of file +update your custom providers. + += Elytron credential store replacement + +The previous and now removed WildFly distribution provided a built-in vault provider that reads secrets from a keystore-backed Elytron credential store. As this is no longer available, we have added a new implementation of the Keycloak Vault SPI called Keycloak KeyStore Vault. As the name suggests, this implementation reads secrets from a Java keystore file. Such secrets can be then used within multiple places of the Administration Console. For further details, see https://www.keycloak.org/server/vault[our guide] and the latest https://www.keycloak.org/docs/latest/server_admin/index.html#_vault-administration[documentation]. + += KeyStore Config Source added + +In relation to the KeyStore Vault news, we also integrated Quarkus's recently released feature called KeyStore Config Source. This means that among the already existing configuration sources (CLI parameters, environment variables and files), you can now configure your Keycloak server via configuration properties stored in a Java keystore file. You can learn more about this feature in the https://www.keycloak.org/server/configuration[Configuration guide]. \ No newline at end of file diff --git a/docs/guides/server/fips.adoc b/docs/guides/server/fips.adoc index 862f36de64..b856c47964 100644 --- a/docs/guides/server/fips.adoc +++ b/docs/guides/server/fips.adoc 
@@ -35,7 +35,19 @@ BouncyCastle FIPS can be downloaded from the https://www.bouncycastle.org/fips-j You can create either `pkcs12` or `bcfks` keystore to be used for the Keycloak server SSL. The `pkcs12` works well in BCFIPS non-approved mode. -PKCS12 keystore can be generated with OpenJDK 17 Java on RHEL 9 in the standard way. +PKCS12 keystore can be generated with OpenJDK 17 Java on RHEL 9 in the standard way. Make sure that the system is in FIPS mode, you can check it with the following command: + +```bash +fips-mode-setup --check +``` + +If the system is not in FIPS mode, you can enable it with the following command: + +```bash +fips-mode-setup --enable +``` + +The command changes the default `java.security` file in order to use FIPS enabled security providers, so no additional configuration is needed. Additionally, in PKCS12 keystore you can store PBE (password-based encryption) keys simply via the keytool command, which makes it ideal for using it with Keycloak KeyStore Vault and/or to store configuration properties in the KeyStore Config Source. For more details, see the https://www.keycloak.org/server/configuration[Configuration Guide] and the https://www.keycloak.org/server/vault[Vault Guide]. BCFKS keystore generation requires the use of the BouncyCastle FIPS libraries and a custom security file. @@ -45,7 +57,7 @@ securerandom.strongAlgorithms=PKCS11:SunPKCS11-NSS-FIPS ``` Next enter a command such as the following to generate the keystore: -``` +```bash keytool -keystore $KEYCLOAK_HOME/conf/server.keystore \ -storetype bcfks \ -providername BCFIPS \
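Review bot: in the 22_0_0.adoc hunk, the new "KeyStore Config Source added" section reintroduces the "No newline at end of file" condition that the first line of the hunk just fixed; please end the file with a newline. Two wording points in the same hunk: "Such secrets can be then used" should read "can then be used", and "Quarkus's recently released feature" will go stale in a release note that is read years later, so name the feature without "recently" (e.g. "the Quarkus KeyStore Config Source feature").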
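Review bot: in the fips.adoc hunk, the `fips-mode-setup --enable` step is incomplete: the command needs root privileges and the system has to be rebooted before FIPS mode is actually in effect, so `fips-mode-setup --check` should be run again after the reboot before the keystore is generated. Suggest adding a sentence after the second code block such as "Run the command as root and reboot the system for the change to take effect; verify with `fips-mode-setup --check` afterwards." The sentence "The command changes the default `java.security` file in order to use FIPS enabled security providers" also overstates what the command does; as far as I know RHEL's OpenJDK detects system FIPS mode at JVM startup and selects the FIPS providers itself rather than the command editing the file, so phrasing it as "OpenJDK on RHEL picks up the system FIPS mode automatically, so no additional `java.security` configuration is needed" would be more accurate. Minor: "Make sure that the system is in FIPS mode, you can check it with the following command:" is a comma splice; split it into two sentences.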