FIPS 140-2 experimental support

We are glad to announce that latest Keycloak 20 release contains experimental support for FIPS 140-2!

The FIPS 140-2 standard is a set of requirements for cryptography modules, which needs to be met for the software used by U.S. governments and related parties. The FIPS compliant software should use only secure cryptography algorithms allowed by the FIPS specification and must use them in a secured way. Keycloak does not directly implement any cryptography algorithms, however it internally needs to use lots of cryptography functionalities. For this purpose, Keycloak mostly relies on the Java cryptography SPI and 3rd party libraries for implementing cryptography related functionality - especially the BouncyCastle library.

FIPS support is usually enabled at the OS level. For example, during installation of RHEL 8.6 , you can enable kernel flag during OS installation to make sure that your OS is FIPS compliant. When FIPS is enabled at the OS level, it means that various packages including OpenJDK are also set to be FIPS compliant and are pre-configured to rely on FIPS approved functions. For example java.security configuration file is pre-configured to contain only FIPS compliant security providers.

The FIPS support in Keycloak means that the Keycloak server can run on the FIPS compliant OS with FIPS compliant Java. It also means that the Keycloak server is FIPS compliant and can be used by parties, which strictly require FIPS 140-2 support. Even if you do not use the FIPS enabled OS, you can still try the FIPS enabled Keycloak server by using custom java.security file with only BouncyCastle-FIPS security providers configured as described in the instructions below in the step 4.

Thanks to David Anderson, who contributed parts of this feature. Also, thanks to Sudeep Das and Isaac Jensen for their initial prototype effort, which was used as an inspiration.