Last changed
Get notified of upcoming product changes, critical vulnerability notifications and patches and more.
Sign InMinimalist Wolfi-based Keycloak-Bitnami (FIPS) image for identity and access management.
This image is intended to be a drop in replacement for deployments that require Bitnami compatibility and FIPS compliance.
The image is available on cgr.dev
:
This FIPS-compliant Bitnami Keycloak image is a drop-in replacement for the upstream Bitnami Keycloak image. It is intended for deployments that require FIPS compliance.
We had to pass some extra environment variables to image config to enforce FIPS mode:
$KEYCLOAK_EXTRA_ARGS=--features=fips --fips-mode=strict
$JDK_JAVA_OPTIONS=-Djavax.net.ssl.trustStoreType=FIPS
This image is equipped with the essential components for Keycloak to operate in FIPS mode. However, it's important for users to ensure they use it in line with FIPS compliance standards.
This includes tasks such as keystore generation, configuration, and launching Keycloak with the correct configuration parameters. More guidance is provided in the sections below.
Keycloak requires a bcfips-compatible keystore to manage its SSL/TLS certificates.
Although Keycloak supports various keystore types, only BCKFS offers the capability to operate in approved (strict) mode under FIPS standards, ensuring only approved ciphers are used.
To create keystore you can use keytool from this image like so:
To create a truststore and import and trust an existing CA certifcate you can also use keytool:
You can similarly use the keycloak container as an init container in your helm
values.yaml
to import certificates to a BCKFS truststore. When doing this you
may need to set the environment of just the init containerJAVA_TOOL_OPTS
to
set the --module-path
init container and configure the truststore for
keycloak using the javax.net.ssl
properties using JAVA_OPTS. The need for
JAVA_TOOL_OPTIONS for Java tooling with the BCFIPS provider is documented in
section 2.1.1 in the Bouncy Castle FIPS Java API User Guide:
** Note on --truststore-paths
**
Currently it is not possible to use the --truststore-paths
option when using --features=fips --fips-mode=strict
, see this issue
To deploy Keycloak (Bitnami FIPS) on Kubernetes, you can follow the official Bitnami documentation and also KeyCloak FIPS documentation.
You will need to do all of the prerequisites mentioned above, and then you need to pass the necessary values to the Helm chart.
Once you create your server.keystore
using the BCFIPS
provider, create a Secret object in your Kubernetes cluster to mount it into the Keycloak container later on:
Set the values to override the necessary fields:
Then run the following Helm command to deploy:
If you want to validate the FIPS mode as we did in image tests, you can increase the log level to TRACE
. You'll see debug logs such as the below if Keycloak is running in FIPS mode:
Then you will see the following logs:
production
modeError Message:
Solution:
BCFKS Keystores default to strict mode, and it's likely you omitted
--fips-mode=strict
in your arguments. If you wish to run in non-strict mode
with BCFKS, you need to include --https-key-store-type=bcfks
.
This is called out in the official documentation, but perhaps could benefit from additional clarification.
Error Message:
Solution:
The error indicates that a Keystore was detected, but there was an issue
parsing it. Usually this means that the password used to create the keystore
does not match what was provided as the --https-key-store-password
argument
to Keycloak.
production
modeError Message:
Solution:
This error usually indicates that a .keystore
was not detected in the
/usr/share/java/keycloak/conf
directory. Ensure you have created a Keystore
and it is accessible to the container in the expected directory.
Error Message:
Solution:
This is expected whenever Keycloak is running in strict
(approved) mode for
FIPS. Choose a longer admin password which is compliant. Refer to the Keycloak
FIPS documentation for more information.
Chainguard Images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" version of this image:
Apache-2.0
BSD-3-Clause
FTL
GCC-exception-3.1
GPL-2.0-only
GPL-2.0-or-later
GPL-3.0-or-later
For a complete list of licenses, please refer to this Image's SBOM.
Software license agreementThis is a FIPS validated image for FedRAMP compliance.
This image is STIG hardened and scanned against the DISA General Purpose Operating System SRG with reports available.
Learn more about STIGsGet started with STIGs