1 change: 1 addition & 0 deletions src/keycloak/chart/templates/secret-kc-realm.yaml
Expand Up @@ -34,3 +34,4 @@ data:
MFA_ENABLED: {{ or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED | toString | b64enc }}
MFA_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED) | b64enc }}
ENABLE_REGISTRATION_FIELDS: {{ .Values.themeCustomizations.settings.enableRegistrationFields | toString | b64enc }}
FIPS_ENABLED: {{ .Values.fips | toString | b64enc }}
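Review bot: `FIPS_ENABLED: {{ .Values.fips | toString | b64enc }}` renders the base64 of the literal string `<nil>` rather than `false` whenever `fips` is absent from the supplied values, because `toString` on a missing key does not produce a boolean. Unless values.yaml guarantees a boolean default for `fips`, write `{{ .Values.fips | default false | toString | b64enc }}`, so the consumer of this key only ever sees `true` or `false`, the same two strings `MFA_ENABLED` on the line above produces.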
18 changes: 12 additions & 6 deletions src/keycloak/chart/templates/statefulset.yaml
Expand Up @@ -82,7 +82,14 @@ spec:
{{- end }}
# This will only import the realm if it does not exist
- "--import-realm"
# FIPS Mode
{{- if .Values.fips }}
# Full configuration might be found at https://www.keycloak.org/server/fips
- "--features=preview,fips"
- "--fips-mode=strict"
{{- else }}
- "--features=preview"
{{- end }}
- "--proxy-headers=xforwarded"
- "--http-enabled=true"
- "--hostname-strict=false"
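Review bot: `--fips-mode=strict` only works when the BouncyCastle FIPS provider jars are present in the image's providers directory, which the linked https://www.keycloak.org/server/fips page describes along with the strict-mode restrictions, and nothing in this hunk verifies that; `fips: true` against an image without those jars fails at startup. Also note that `{{- if .Values.fips }}` is decided at render time from the chart value, not from whether the node kernel is in FIPS mode, so Keycloak's strict mode and the JVM's FIPS state (which, after the removal of `JAVA_TOOL_OPTIONS` below, follows the host) can disagree. Document in values.yaml that `fips: true` is only valid on FIPS-enabled hosts with a FIPS-capable image, and list the strict-mode restrictions operators will hit.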
Expand Down Expand Up @@ -137,6 +144,11 @@ spec:
value: DEBUG
- name: QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_SERVICES_X509__LEVEL
value: TRACE
# Crypto information, primarily for FIPS debugging
- name: QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_COMMON_CRYPTO__LEVEL
value: TRACE
- name: QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_CRYPTO__LEVEL
value: TRACE
# https://github.com/keycloak/keycloak/issues/39046
# Starting from 26.2.0, Keycloak doesn't use password for the internal H2 database.
# This breaks upgrade scenarios, so we need to use the same password as in 26.1.x
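Review bot: the two new `QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_*CRYPTO__LEVEL: TRACE` entries are unconditional, although the comment says they are "primarily for FIPS debugging". TRACE on the crypto categories is noisy on every request and puts provider and key-handling details into pod logs; gate them behind `{{- if .Values.fips }}` or a dedicated debug value (if the neighbouring `DEBUG` and X509 `TRACE` entries are already behind a toggle, reuse it) and leave the categories at their default level otherwise.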
Expand Down Expand Up @@ -185,12 +197,6 @@ spec:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-postgresql
key: password
# FIPS Mode
{{- if .Values.fips }}
# https://access.redhat.com/documentation/en-us/openjdk/11/html-single/configuring_openjdk_11_on_rhel_with_fips/index
- name: JAVA_TOOL_OPTIONS
value: "-Dcom.redhat.fips=true"
{{- end }}
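Review bot: dropping `-Dcom.redhat.fips=true` is behaviour-preserving for the JVM but changes who controls it. As the `SystemConfigurator` code and JavaDoc quoted in the thread below show, the property already defaults to `true` and OpenJDK FIPS mode is enabled only if the system itself is in FIPS mode, so the removed line never forced FIPS on; the JVM's FIPS state follows the host kernel, while `--fips-mode=strict` above follows `.Values.fips`. With `fips: false` on a FIPS host the JDK therefore still enters FIPS mode. If that is not the intended behaviour, set `-Dcom.redhat.fips=false` in the `else` branch (the quoted code honours `Boolean.valueOf(sysProp)`) instead of deleting the variable entirely, and record the intended coupling in the chart documentation.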
Comment on lines -188 to -193

Contributor:
Pending CI testing I think this is fine; I'd just want to make sure that dropping this/changing the effect of the fips value doesn't have any backwards-incompatible effects on FIPS or non-FIPS hosts.

Contributor Author:
It took me a while, but I think I have the answer!

The Red Hat Build of OpenJDK contains OpenJDK bits with an additional FIPS patch. You can download the source from the Red Hat Customer Portal.

The code hasn't changed much since JDK 11; it looks very similar to this:

+        if (systemSecPropsEnabled) {
+            boolean shouldEnable;
+            String sysProp = System.getProperty("com.redhat.fips");
+            if (sysProp == null) {
+                shouldEnable = true;
+                if (sdebug != null) {
+                    sdebug.println("com.redhat.fips unset, using default value of true");
+                }
+            } else {
+                shouldEnable = Boolean.valueOf(sysProp);
+                if (sdebug != null) {
+                    sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
+                }
+            }
+            if (shouldEnable) {
+                boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
+                if (sdebug != null) {
+                    if (fipsEnabled) {
+                        sdebug.println("FIPS mode support configured and enabled.");
+                    } else {
+                        sdebug.println("FIPS mode support disabled.");
+                    }

Note that in the absence of com.redhat.fips, OpenJDK (at least Red Hat's build of it) tries to enable FIPS mode by default. SystemConfigurator.configureFIPS is a JNI call (Java Native Interface, i.e. calling C from Java).

The other important thing from our angle is the SystemConfigurator.enableFips method, which has the following JavaDoc:

+     * OpenJDK FIPS mode will be enabled only if the system is in
+     * FIPS mode.
+     *
+     * Calls to this method only occur if the system property
+     * com.redhat.fips is not set to false.
+     *
+     * There are 2 possible ways in which OpenJDK detects that the system
+     * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
+     * available at OpenJDK's built-time, it is called; 2) otherwise, the
+     * /proc/sys/crypto/fips_enabled file is read.

NSS is shipped as part of SSSD, which is part of the RHEL authentication stack and is present in the Keycloak image. According to BZ852023, NSS brokers to /proc/sys/crypto/fips_enabled, which is usually what happens in the container world (if the host OS uses FIPS mode, it sets /proc/sys/crypto/fips_enabled for all containers it runs, per BZ1957310).

To sum it up: I believe it's safe to remove this property and let the Red Hat Build of OpenJDK do the default thing, which is to try to enable FIPS. This will succeed if the underlying host has FIPS turned on, regardless of the distro (although UBI images are expected to be more tested than anything else).

{{- end }}
{{- if .Values.insecureAdminPasswordGeneration.enabled }}
- name: KEYCLOAK_ADMIN
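The thread above describes two independent switches: the chart's `fips` value, which drives `--fips-mode=strict` and the `FIPS_ENABLED` secret key, and the kernel's /proc/sys/crypto/fips_enabled flag, which the Red Hat build of OpenJDK falls back to when deciding whether to enter FIPS mode. They are easy to get out of sync, so here is an added example, not code from the chart, the PR or Red Hat's JDK, of a startup check that reads the kernel flag the same way the quoted fallback path does and compares it with the value the chart renders. It models only the /proc file path (not the NSS SECMOD_GetSystemFIPSEnabled path), takes the file path as a parameter so it can be exercised against a constructed file, and the function names `host_fips_enabled`, `check_fips_consistency` and `decode_chart_fips` are this example's own.

```shell
# Added example (not part of the Keycloak chart or this PR).
# Compare the chart's `fips` value with the kernel FIPS flag so that a
# misconfigured pod fails before Keycloak starts.

# Read the kernel FIPS flag. The path is a parameter so the function can be run
# against a constructed file; the real path is /proc/sys/crypto/fips_enabled,
# which is the fallback the Red Hat OpenJDK patch quoted in the thread reads.
# Prints "true" when the first byte is "1", "false" otherwise (including when
# the file is missing or unreadable, i.e. a non-FIPS kernel).
host_fips_enabled() {
  fips_file="${1:-/proc/sys/crypto/fips_enabled}"
  if [ -r "$fips_file" ] && [ "$(head -c 1 "$fips_file" 2>/dev/null)" = "1" ]; then
    echo true
  else
    echo false
  fi
}

# Decode the value the chart writes into the Secret: base64 of "true"/"false"
# as produced by `.Values.fips | toString | b64enc`. Only needed when reading
# the raw Secret data; Kubernetes decodes it for you when it is mounted as env.
decode_chart_fips() {
  printf '%s' "$1" | base64 -d
}

# Compare the chart value ("true"/"false") with the host state.
# Returns 0 when they agree, 1 on a mismatch, 2 on a malformed chart value.
# Both mismatch branches are real failure modes: the JDK enters FIPS mode only
# when the kernel is in FIPS mode, while --fips-mode=strict follows the chart.
check_fips_consistency() {
  chart_fips="$1"
  host_fips="$(host_fips_enabled "$2")"
  case "${chart_fips}:${host_fips}" in
    true:true)
      echo "ok: chart fips=true and kernel fips_enabled=1"
      return 0 ;;
    false:false)
      echo "ok: chart fips=false and kernel fips_enabled=0"
      return 0 ;;
    true:false)
      echo "mismatch: chart requests --fips-mode=strict but the kernel is not in FIPS mode, so the Red Hat JDK will not enable FIPS"
      return 1 ;;
    false:true)
      echo "mismatch: kernel is in FIPS mode, so the Red Hat JDK enables FIPS by default, but Keycloak is not started with --fips-mode=strict"
      return 1 ;;
    *)
      echo "error: chart fips value must be 'true' or 'false', got '${chart_fips}'"
      return 2 ;;
  esac
}
```

Wire it into an init container or a startup script as `check_fips_consistency "$FIPS_ENABLED"` (or `check_fips_consistency "$(decode_chart_fips "$raw_secret_value")"` when reading the Secret directly) and let a non-zero exit stop the pod; that turns the silent divergence discussed in the thread into an explicit startup error.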