[KEYCLOAK-7] Troubleshoot running Keycloak in FIPS mode Created: 05/Feb/24  Updated: 07/Feb/24  Resolved: 07/Feb/24

Status: Closed
Project: folio-keycloak
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P1
Reporter: Craig McNally Assignee: Taras Spashchenko
Resolution: Done Votes: 0
Labels: back-end, epam-eureka, eureka-phase4
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Defines
defines UXPROD-4605 Component Ownership In Progress
Sprint: Eureka Sprint 45
Story Points: 3
Development Team: Eureka
RCA Group: TBD

Description

Overview

Work with FSE (Maksym Sinichenkom) to troubleshoot running Keycloak in FIPS mode.

Scope

Collaborate/brainstorm with Eureka and DevOps to get Keycloak stable in FIPS mode.

Notes

Keycloak FIPS 140-2 support: https://www.keycloak.org/server/fips#_keycloak_server_in_fips_mode_in_containers

Work done by Oleksandr Oliinyk to enable FIPS: https://github.com/folio-org/folio-keycloak/pull/3

Conversation in Teams

See also: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies

Acceptance Criteria

  • FSE is able to successfully deploy Keycloak running in FIPS mode in the cloud (on the hardened AMI)


Comments
Comment by Maksym Sinichenkom [ 06/Feb/24 ]

Used the same docker image, from the folio-keycloak master branch. For the regular deployment (evrk) it works fine, but for the hardened image used for LoC I get an error during keystore generation:

Exception in thread "main" java.lang.IllegalAccessError: class org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom (in unnamed module @0x1b1f5012) cannot access class sun.security.provider.SecureRandom (in module java.base) because module java.base does not export sun.security.provider to unnamed module @0x1b1f5012
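The error above is a JPMS (Java module system) access failure: the BC-FIPS provider, loaded as an unnamed module, reaches into the JDK-internal package sun.security.provider, which java.base does not export. The following shell script is an added triage helper, not code from this ticket or from folio-keycloak: it reads the kernel's FIPS flag from /proc/sys/crypto/fips_enabled (what RHEL's fips-mode-setup --check reports), derives from the logged error the --add-exports flag that names the missing export, and appends it idempotently to a JAVA_OPTS_APPEND value. Passing that flag to the JVM is assumed here as a first diagnostic step to confirm the failure is a module-access problem; it is not the resolution recorded in this ticket, and whether the hardened image then runs BC-FIPS cleanly still has to be checked against the Keycloak FIPS documentation linked in the Notes. The log text is constructed from the comment above.

```shell
#!/bin/sh
# Added example (not from the ticket or folio-keycloak). Triage helper for the
# IllegalAccessError seen when BC-FIPS starts on the hardened image.

# Constructed sample: the error line quoted in the comment above.
SAMPLE_LOG='Exception in thread "main" java.lang.IllegalAccessError: class org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom (in unnamed module @0x1b1f5012) cannot access class sun.security.provider.SecureRandom (in module java.base) because module java.base does not export sun.security.provider to unnamed module @0x1b1f5012'

# host_fips_enabled: succeeds when the kernel reports FIPS mode. This is the
# same flag fips-mode-setup --check reads on RHEL; the hardened AMI is expected
# to report 1 here, a plain dev host 0 (or the file may be absent).
host_fips_enabled() {
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]
}

# export_flag_from_log: read log text on stdin and print one
# --add-exports=<module>/<package>=ALL-UNNAMED flag per distinct
# "module X does not export Y to unnamed module" clause found.
# Prints nothing and exits 1 when the text carries no such clause, so a
# caller can tell "different error" apart from "JPMS export missing".
export_flag_from_log() {
    sed -n 's|.*module \([A-Za-z0-9_.]*\) does not export \([A-Za-z0-9_.]*\) to unnamed module.*|--add-exports=\1/\2=ALL-UNNAMED|p' \
        | sort -u | grep .
}

# java_opts_with_flag: print JAVA_OPTS_APPEND ($1) with flag ($2) appended
# exactly once, so re-running this on a container that already carries the
# flag does not duplicate it.
java_opts_with_flag() {
    if [ -z "$1" ]; then
        printf '%s\n' "$2"
        return
    fi
    case " $1 " in
        *" $2 "*) printf '%s\n' "$1" ;;
        *)        printf '%s\n' "$1 $2" ;;
    esac
}

if host_fips_enabled; then
    echo "kernel FIPS mode: enabled"
else
    echo "kernel FIPS mode: not enabled (or /proc/sys/crypto/fips_enabled absent)"
fi

# Assumed workflow: derive the flag from the failing run's log and show the
# JAVA_OPTS_APPEND value to hand to the Keycloak container for a retest.
FLAG=$(printf '%s\n' "$SAMPLE_LOG" | export_flag_from_log)
echo "missing export named by the error: $FLAG"
echo "retest with: JAVA_OPTS_APPEND='$(java_opts_with_flag "${JAVA_OPTS_APPEND:-}" "$FLAG")'"
```

To use it on a real failure, replace SAMPLE_LOG with the container log (for example `docker logs <container> | export_flag_from_log`) and set the printed JAVA_OPTS_APPEND on the container before re-running the keystore generation; kc.sh appends that variable to the JVM command line. If the error persists with the export in place, the cause is something other than module access and this flag should not be kept.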
Generated at Thu Feb 08 22:32:26 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.