DirectorySecurity Advisories
Sign In
Directory
keycloak-bitnami-fips logoFIPS

keycloak-bitnami-fips

Last changed

Sign In for Updates

Get notified of upcoming product changes, critical vulnerability notifications and patches and more.

Sign In
Versions
Overview
Provenance
Specifications
SBOM
Vulnerabilities
Advisories

Chainguard Image for keycloak-bitnami-fips

Chainguard Images are regularly-updated, minimal container images with low-to-zero CVEs.

Download this Image

This image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/keycloak-bitnami-fips:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard registry.

FIPS

This FIPS-compliant Bitnami Keycloak image is a drop-in replacement for the upstream Bitnami Keycloak image. It is intended for deployments that require FIPS compliance.

We had to pass some extra environment variables to image config to enforce FIPS mode:

  • $KEYCLOAK_EXTRA_ARGS=--features=fips --fips-mode=strict
  • $JDK_JAVA_OPTIONS=-Djavax.net.ssl.trustStoreType=FIPS

Prerequisites

  • DB connection password must be at least 112 bits.
  • A keystore file must be provided to enable FIPS mode.
  • Keystore password must be at least 112 bits.

Disclaimer

This image is equipped with the essential components for Keycloak to operate in FIPS mode. However, it's important for users to ensure they use it in line with FIPS compliance standards.

This includes tasks such as keystore generation, configuration, and launching Keycloak with the correct configuration parameters. More guidance is provided in the sections below.

Keystore

Keycloak requires a bcfips-compatible keystore to manage its SSL/TLS certificates.

Although Keycloak supports various keystore types, only BCKFS offers the capability to operate in approved (strict) mode under FIPS standards, ensuring only approved ciphers are used.

BCKFS Keystore creation

To create keystore you can use keytool from this image like so:

kubectl run -q --rm --attach create-keystore \
  --image=cgr.dev/ORGANIZATION/keycloak-bitnami-fips --restart=Never --command -- \
    sh -c ' \
      keytool -v -keystore "/tmp/server.keystore" \
      -storetype bcfks \
      -providername BCFIPS \
      -alias "localhost" \
      -genkeypair -sigalg SHA512withRSA -keyalg RSA \
      -dname CN="localhost" \
      -storepass "<YOUR TLS KEYSTORE PASSWORD>" \
      -keypass "<YOUR TLS KEY PASSWORD, can be the same>"; \
      cat /tmp/server.keystore' > server.keystore

BCKFS Truststore creation

To create a truststore and import and trust an existing CA certifcate you can also use keytool:

docker run -v $(pwd):/tmp/keystore --entrypoint keytool cgr.dev/ORGANIZATION/keycloak-fips \
  -v -keystore /tmp/keystore/truststore.bckfs \
  -storetype bcfks \
  -providername BCFIPS \
  -import -file /tmp/keystore/MyCA.crt \
  -storepass "<YOUR TRUSTSTORE PASSWORD>" \
  -trustcacerts \
  -noprompt

You can similarly use the keycloak container as an init container in your helm values.yaml to import certificates to a BCKFS truststore. When doing this you may need to set the environment of just the init containerJAVA_TOOL_OPTS to set the --module-path init container and configure the truststore for keycloak using the javax.net.ssl properties using JAVA_OPTS. The need for JAVA_TOOL_OPTIONS for Java tooling with the BCFIPS provider is documented in section 2.1.1 in the Bouncy Castle FIPS Java API User Guide:

extraEnvVars:
- name: JAVA_OPTS
  value: "-Djavax.net.ssl.trustStore=/opt/bitnami/keycloak/certs/keycloak.truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=FIPS"
  env:
  - name: JAVA_TOOL_OPTIONS
    value: "--module-path=/usr/share/java/bouncycastle-fips -Djava.class.path=/usr/share/java/bouncycastle-fips/bc-fips.jar"

** Note on --truststore-paths **

Currently it is not possible to use the --truststore-paths option when using --features=fips --fips-mode=strict, see this issue

Deployment (Kubernetes)

To deploy Keycloak (Bitnami FIPS) on Kubernetes, you can follow the official Bitnami documentation and also KeyCloak FIPS documentation.

You will need to do all of the prerequisites mentioned above, and then you need to pass the necessary values to the Helm chart.

Once you create your server.keystore using the BCFIPS provider, create a Secret object in your Kubernetes cluster to mount it into the Keycloak container later on:

kubectl create secret generic keycloak-keystore --from-file=server.keystore

Set the values to override the necessary fields:

cat <<EOF > keycloak_values.yaml
extraVolumes:
  - name: "keycloak-keystore"
    secret:
      secretName: "keycloak-keystore"
      items:
        - key: "server.keystore"
          path: "server.keystore"
extraVolumeMounts:
  - name: "keycloak-keystore"
    mountPath: "/usr/share/java/keycloak/conf"
    readOnly: true
auth:
  adminUser: "<ADMIN_USER>"
  adminPassword: "<ADMIN_PASSWORD>"
image:
  registry: cgr.dev
  repository: ORGANIZATION/keycloak-bitnami-fips
  tag: latest
extraStartupArgs: "--features=fips --fips-mode=strict --https-key-store-password=<KEYSTORE_PASSWORD>"
# If using the chart's postgres, set a long password
postgresql:
  auth:
    password: <LONG_DATABASE_PASSWORD>
EOF

Then run the following Helm command to deploy:

helm install keycloak oci://registry-1.docker.io/bitnamicharts/keycloak \
  --namespace keycloak \
  --create-namespace \
  --values keycloak_values.yaml

FIPS validation

If you want to validate the FIPS mode as we did in image tests, you can increase the log level to TRACE. You'll see debug logs such as the below if Keycloak is running in FIPS mode:

--log-level='INFO,org.keycloak.common.crypto:TRACE,org.keycloak.crypto:TRACE'

Then you will see the following logs:

trustStoreType: FIPS
FIPS-JVM: enabled
Approved Mode
BouncyCastleFipsProvider

Debugging

Invalid Keystore Format with BCFKS in production mode

Error Message:

# kc.sh start --features=fips --hostname=localhost --https-key-store-password='**********'
ERROR: Failed to start server in (production) mode
ERROR: Unable to start HTTP server
ERROR: java.io.IOException: Invalid keystore format

Solution: BCFKS Keystores default to strict mode, and it's likely you omitted --fips-mode=strict in your arguments. If you wish to run in non-strict mode with BCFKS, you need to include --https-key-store-type=bcfks.

This is called out in the official documentation, but perhaps could benefit from additional clarification.

Keystore corrupted error upon launch

Error Message:

ERROR: Unable to start HTTP server
ERROR: java.io.IOException: BCFKS KeyStore corrupted: MAC calculation failed.
ERROR: BCFKS KeyStore corrupted: MAC calculation failed.

Solution: The error indicates that a Keystore was detected, but there was an issue parsing it. Usually this means that the password used to create the keystore does not match what was provided as the --https-key-store-password argument to Keycloak.

Key material not provided error in production mode

Error Message:

ERROR: Failed to start server in (production) mode
ERROR: Key material not provided to setup HTTPS. Please configure your
keys/certificates or start the server in development mode.

Solution: This error usually indicates that a .keystore was not detected in the /usr/share/java/keycloak/conf directory. Ensure you have created a Keystore and it is accessible to the container in the expected directory.

Password must be at least 112 bits

Error Message:

Failed to add user '<admin-user>' to realm 'master': org.keycloak.models.ModelException:
password must be at least 112 bits
FipsUnapprovedOperationError: password must be at least 112 bits

Solution: This is expected whenever Keycloak is running in strict (approved) mode for FIPS. Choose a longer admin password which is compliant. Refer to the Keycloak FIPS documentation for more information.

Contact Support

If you have a Zendesk account (typically set up for you by your Customer Success Manager) you can reach out to Chainguard's Customer Success team through our Zendesk portal.

What are Chainguard Images?

Chainguard Images are a collection of container images designed for security and minimalism.

Many Chainguard Images are distroless; they contain only an open-source application and its runtime dependencies. These images do not even contain a shell or package manager. Chainguard Images are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a secure software supply chain.

The main features of Chainguard Images include:

-dev Variants

As mentioned previously, Chainguard’s distroless Images have no shell or package manager by default. This is great for security, but sometimes you need these things, especially in builder images. For those cases, most (but not all) Chainguard Images come paired with a -dev variant which does include a shell and package manager.

Although the -dev image variants have similar security features as their distroless versions, such as complete SBOMs and signatures, they feature additional software that is typically not necessary in production environments. The general recommendation is to use the -dev variants only to build the application and then copy all application artifacts into a distroless image, which will result in a final container image that has a minimal attack surface and won’t allow package installations or logins.

That being said, it’s worth noting that -dev variants of Chainguard Images are completely fine to run in production environments. After all, the -dev variants are still more secure than many popular container images based on fully-featured operating systems such as Debian and Ubuntu since they carry less software, follow a more frequent patch cadence, and offer attestations for what they include.

Learn More

To better understand how to work with Chainguard Images, we encourage you to visit Chainguard Academy, our documentation and education platform.

Licenses

Chainguard Images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" version of this image:

  • Apache-2.0

  • BSD-3-Clause

  • Bitstream-Vera

  • FTL

  • GCC-exception-3.1

  • GPL-2.0-only

  • GPL-2.0-or-later

For a complete list of licenses, please refer to this Image's SBOM.

Software license agreement

Compliance

This is a FIPS validated image for FedRAMP compliance.

This image is STIG hardened and scanned against the DISA General Purpose Operating System SRG with reports available.

Learn more about STIGsGet started with STIGs

Related images

Category
FIPS
STIG
application

Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images