FIPS 140-2 experimental support

November 16 2022 by Marek Posolda

We are glad to announce that latest Keycloak 20 release contains experimental support for FIPS 140-2!

The FIPS 140-2 standard is a set of requirements for cryptography modules, which needs to be met for the software used by U.S. governments and related parties. The FIPS compliant software should use only secure cryptography algorithms allowed by the FIPS specification and must use them in a secured way. Keycloak does not directly implement any cryptography algorithms, however it internally needs to use lots of cryptography functionalities. For this purpose, Keycloak mostly relies on the Java cryptography SPI and 3rd party libraries for implementing cryptography related functionality - especially the BouncyCastle library.

FIPS support is usually enabled at the OS level. For example, during installation of RHEL 8.6 , you can enable kernel flag during OS installation to make sure that your OS is FIPS compliant. When FIPS is enabled at the OS level, it means that various packages including OpenJDK are also set to be FIPS compliant and are pre-configured to rely on FIPS approved functions. For example java.security configuration file is pre-configured to contain only FIPS compliant security providers.

The FIPS support in Keycloak means that the Keycloak server can run on the FIPS compliant OS with FIPS compliant Java. It also means that the Keycloak server is FIPS compliant and can be used by parties, which strictly require FIPS 140-2 support. Even if you do not use the FIPS enabled OS, you can still try the FIPS enabled Keycloak server by using custom java.security file with only BouncyCastle-FIPS security providers configured as described in the instructions below in the step 4.

Thanks to David Anderson, who contributed parts of this feature. Also, thanks to Sudeep Das and Isaac Jensen for their initial prototype effort, which was used as an inspiration.

Instructions

Instructions for how to try FIPS support in Keycloak are here.

Conclusion

We will be happy for you to try Keycloak FIPS integration and share your feedback! Also you can report any bugs.

The known limitation in the BCFIPS non-approved mode include:

  • Possible issues when using SAML clients and SAML Identity providers

  • Kerberos/SPNEGO authenticator does not work

  • X.509 client certificate authentication may not work for both users and clients

In BCFIPS approved mode (more strict mode), more limitations exist such as:

  • User passwords must be at least 14 characters long. You should set a password policy for your realm to be 14 characters to avoid issues during registration/authentication of users

  • Keystore/truststore must be of type bcfks because neither jks and `pkcs12`work. This is a restriction of BCFIPS approved mode

  • Some warnings in the server.log at startup