Chainguard Container for keycloak-fips

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/keycloak-fips:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Disclaimer

This image is equipped with the essential components for Keycloak to operate in FIPS mode. However, it's important for users to ensure they use it in line with FIPS compliance standards.

This includes tasks such as keystore generation, configuration, and launching Keycloak with the correct configuration parameters. More guidance is provided in the sections below.

Keystore

Keycloak requires a bcfips-compatible keystore to manage its SSL/TLS certificates.

Although Keycloak supports various keystore types, only BCKFS offers the capability to operate in approved (strict) mode under FIPS standards, ensuring only approved ciphers are used.

BCKFS Keystore creation

To create keystore in BCKFS format you can use keytool from this image like so:

docker run -v $(pwd):/tmp/keystore --entrypoint keytool cgr.dev/chainguard-private/keycloak-fips \
  -v -keystore /tmp/keystore/server.keystore \
  -storetype bcfks \
  -providername BCFIPS \
  -alias "localhost" \
  -genkeypair -sigalg SHA512withRSA -keyalg RSA \
  -dname CN="localhost" \
  -storepass "<YOUR TLS KEYSTORE PASSWORD>" \
  -keypass "<YOUR TLS KEY PASSWORD, can be the same>"

To view the keystore

docker run -v $(pwd):/tmp/keystore --entrypoint keytool cgr.dev/chainguard-private/keycloak-fips \
  -v -keystore /tmp/keystore/server.keystore \
  -list \
  -storepass "<YOUR TLS KEYSTORE PASSWORD>"

BCKFS Truststore creation

To create a truststore and import and trust an existing CA certifcate you can also use keytool:

docker run -v $(pwd):/tmp/keystore --entrypoint keytool cgr.dev/chainguard-private/keycloak-fips \
  -v -keystore /tmp/keystore/truststore.bckfs \
  -storetype bcfks \
  -providername BCFIPS \
  -import -file /tmp/keystore/MyCA.crt \
  -storepass "<YOUR TRUSTSTORE PASSWORD>" \
  -trustcacerts \
  -noprompt

When using keytool you may need to set the environment variable JAVA_TOOL_OPTIONS to set the --module-path as documented in section 2.1.1 in the Bouncy Castle FIPS Java API User Guide:

docker run -v $(pwd):/tmp/keystore --entrypoint keytool cgr.dev/chainguard-private/keycloak-fips \
  -e JAVA_TOOL_OPTIONS="--module-path=/usr/share/java/bouncycastle-fips -Djava.class.path=/usr/share/java/bouncycastle-fips/bc-fips.jar" \
  ...

To use a truststore in a keycloak container configure it using javax.net.ssl properties:

JAVA_OPTS="-Djavax.net.ssl.trustStore=/tmp/keycloak.truststore.jks -Djavax.net.ssl.trustStorePassword=<YOURTRUSTSTOREPASSWORD>"

** Note on --truststore-paths **

Currently it is not possible to use the --truststore-paths option when using --features=fips --fips-mode=strict, see this issue

Run image

This image aligns with the original upstream image regarding its entrypoint and command-line arguments. Also see the Keycloak GitHub repository, and the KeyCloak FIPS documentation.

Running in development mode

Example of launching Keycloak in development mode, with HTTP enabled and strict hostname resolution not enforced:

docker run -v $(pwd)/server.keystore:/usr/share/java/keycloak/conf/server.keystore \
  --rm --name local-Keycloak -p 8080:8080 \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD='<PASSWORD-FOR-ADMIN-USER>' \
    <YOUR-REGISTRY>/keycloak-fips:latest \
    start-dev \
      --features=fips \
      --fips-mode=strict \
      --https-key-store-password='<KEYSTORE-PASSWORD>' \
      --hostname=localhost \
      --log-level='INFO,org.keycloak.common.crypto:TRACE,org.keycloak.crypto:TRACE'

In this example, the Keycloak UI is accessible via: http://localhost:8080.

Running in production mode

Example of running Keycloak in production mode, enforcing the use of HTTPS and requiring a hostname to be provided:

docker run -v /local/path/to/server.keystore:/usr/share/java/keycloak/conf/server.keystore \
  --rm --name local-Keycloak -p 8443:8443 \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD='<PASSWORD-FOR-ADMIN-USER>' \
  	cgr.dev/chainguard/Keycloak-fips:latest \
  	start \
      --features=fips \
      --fips-mode=strict \
      --https-key-store-password='<KEYSTORE-PASSWORD>' \
      --hostname=localhost \
      --log-level='INFO,org.keycloak.common.crypto:TRACE,org.keycloak.crypto:TRACE'

In this example, the Keycloak UI is accessible via: https://localhost:8443.

FIPS validation

You'll see debug logs such as the below if Keycloak is running in FIPS mode:

KC(BCFIPS version 1.000204 Approved Mode) version 1.0 - class org.Keycloak.crypto.fips.KeycloakFipsSecurityProvider,
 BCFIPS version 1.000204 - class org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

Additionally, you can check bcfips is enforcing minimum password lengths, by running the container with a non-compliant admin password, such as 1234:

Caused by: org.bouncycastle.crypto.fips.FipsUnapprovedOperationError:
password must be at least 112 bits

Customizing the image

Keycloak provides a mechanism to configure and customize the image. This process is outlined in the Keycloak image documentation.

There are subtle differences in the executable paths used in the Chainguard image. Below is the example copied from the documentation, updated with the correct paths:

FROM cgr.dev/chainguard/Keycloak-fips:latest as builder

# Enable health and metrics support
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true

# Configure a database vendor
ENV KC_DB=postgres

WORKDIR /usr/share/java/Keycloak

# for demonstration purposes only, please make sure to use proper certificates in production instead
RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
RUN /usr/share/java/Keycloak/bin/kc.sh build

FROM cgr.dev/chainguard/Keycloak-fips:latest
COPY --from=builder /usr/share/java/Keycloak/ /usr/share/java/Keycloak/

# change these values to point to a running postgres instance
ENV KC_DB=postgres
ENV KC_DB_URL=<DBURL>
ENV KC_DB_USERNAME=<DBUSERNAME>
ENV KC_DB_PASSWORD=<DBPASSWORD>
ENV KC_HOSTNAME=localhost
ENTRYPOINT ["/usr/share/java/Keycloak/bin/kc.sh"]

Debugging

Invalid Keystore Format with BCFKS in production mode

Error Message:

# kc.sh start --features=fips --hostname=localhost --https-key-store-password='**********'
ERROR: Failed to start server in (production) mode
ERROR: Unable to start HTTP server
ERROR: java.io.IOException: Invalid keystore format

Solution: BCFKS Keystores default to strict mode, and it's likely you omitted --fips-mode=strict in your arguments. If you wish to run in non-strict mode with BCFKS, you need to include --https-key-store-type=bcfks.

This is called out in the official documentation, but perhaps could benefit from additional clarification.

Keystore corrupted error upon launch

Error Message:

ERROR: Unable to start HTTP server
ERROR: java.io.IOException: BCFKS KeyStore corrupted: MAC calculation failed.
ERROR: BCFKS KeyStore corrupted: MAC calculation failed.

Solution: The error indicates that a Keystore was detected, but there was an issue parsing it. Usually this means that the password used to create the keystore does not match what was provided as the --https-key-store-password argument to Keycloak.

Key material not provided error in production mode

Error Message:

ERROR: Failed to start server in (production) mode
ERROR: Key material not provided to setup HTTPS. Please configure your
keys/certificates or start the server in development mode.

Solution: This error usually indicates that a .keystore was not detected in the /usr/share/java/keycloak/conf directory. Ensure you have created a Keystore and it is accessible to the container in the expected directory.

Password must be at least 112 bits

Error Message:

Failed to add user '<admin-user>' to realm 'master': org.keycloak.models.ModelException:
password must be at least 112 bits
FipsUnapprovedOperationError: password must be at least 112 bits

Solution: This is expected whenever Keycloak is running in strict (approved) mode for FIPS. Choose a longer admin password which is compliant. Refer to the Keycloak FIPS documentation for more information.

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.