From 764ef4831a40f7e4e41ee734369ab379c98a4e53 Mon Sep 17 00:00:00 2001 From: rmartinc Date: Fri, 12 Jul 2024 11:04:20 +0200 Subject: [PATCH] Release notes and some notes for JavaKeystoreProvider changes Closes #31226 Signed-off-by: rmartinc --- docs/documentation/release_notes/topics/26_0_0.adoc | 6 ++++++ docs/documentation/server_admin/topics/realms/keys.adoc | 2 +- docs/guides/server/fips.adoc | 4 ++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/documentation/release_notes/topics/26_0_0.adoc b/docs/documentation/release_notes/topics/26_0_0.adoc index ebfea56bec8..1ce30462502 100644 --- a/docs/documentation/release_notes/topics/26_0_0.adoc +++ b/docs/documentation/release_notes/topics/26_0_0.adoc @@ -43,3 +43,9 @@ https://www.keycloak.org/operator/advanced-configuration[Operator Advanced Confi In this release, the LDAP connection pool configuration relies solely on system properties. For more details, see link:{adminguide_link}#_ldap_connection_pool[Configuring the connection pool]. + += The `java-keystore` key provider supports more algorithms and vault secrets + +The `java-keystore` key provider, which allows loading a realm key from an external java keystore file, has been modified to manage all {project_name} algorithms. Besides, the keystore and key secrets, needed to retrieve the actual key from the store, can be configured using the link:{adminguide_link}#_vault-administration[vault]. Therefore a {project_name} realm can externalize any key to the encrypted file without sensitive data stored in the database. + +For more information about this subject, see link:{adminguide_link}#realm_keys[Configuring realm keys]. \ No newline at end of file diff --git a/docs/documentation/server_admin/topics/realms/keys.adoc b/docs/documentation/server_admin/topics/realms/keys.adoc index 2e16d826d76..826e8347b2f 100644 --- a/docs/documentation/server_admin/topics/realms/keys.adoc +++ b/docs/documentation/server_admin/topics/realms/keys.adoc 
@@ -138,7 +138,7 @@ For the associated certificate chain to be loaded it must be imported to the Jav [WARNING] ==== -Not all the keystore types support all types of keys. `JKS` and `PKCS12` in fips modes (provider `BCFIPS`) cannot store secret key entries. +Not all the keystore types support all types of keys. For example, `JKS` in all modes and `PKCS12` in fips mode (`BCFIPS` provider) cannot store secret key entries. ==== ==== Making keys passive diff --git a/docs/guides/server/fips.adoc b/docs/guides/server/fips.adoc index 20e877b820c..26a5543ba02 100644 --- a/docs/guides/server/fips.adoc +++ b/docs/guides/server/fips.adoc @@ -62,6 +62,8 @@ keytool -genkeypair -sigalg SHA512withRSA -keyalg RSA -storepass passwordpasswor -dname CN=localhost -keypass passwordpassword ---- +The `pkcs12` keystores in FIPS mode *do not* manage secret (symmetric) keys. This limitation is imposed by the `BCFIPS` provider which does not allow this type of keys inside the `pkcs12` keystore type. + When the system is in FIPS mode, the default `java.security` file is changed in order to use FIPS enabled security providers, so no additional configuration is needed. Additionally, in the PKCS12 keystore, you can store PBE (password-based encryption) keys simply by using the keytool command, which makes it ideal for using it with {project_name} KeyStore Vault and/or to store configuration properties in the KeyStore Config Source. For more details, see the <@links.server id="configuration"/> and the <@links.server id="vault"/>. === BCFKS keystore 
@@ -180,6 +182,8 @@ For Kerberos/SPNEGO, the security provider `SunJGSS` is not yet fully FIPS compl if you want to be FIPS compliant. The `KERBEROS` feature is disabled by default in {project_name} when it is executed on FIPS platform and when security provider is not available. Details are in the https://bugzilla.redhat.com/show_bug.cgi?id=2051628[bugzilla]. +The algorithm `EdDSA` cannot be used in FIPS mode. Although the current `BCFIPS` provider supports `Ed25519` and `Ed448` curves, the resulting keys do not implement the standard JDK interfaces to manage them (`EdECKey`, `EdECPublicKey`, `EdECPrivateKey`,...), and {project_name} cannot use them for signatures. + == Run the CLI on the FIPS host If you want to run Client Registration CLI (`kcreg.sh|bat` script) or Admin CLI (`kcadm.sh|bat` script),
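Review bot: In the release-notes hunk (`26_0_0.adoc`), the sentence "a {project_name} realm can externalize any key to the encrypted file" overstates what this same patch documents elsewhere: the `keys.adoc` and `fips.adoc` hunks say `JKS` never holds secret key entries and `PKCS12` cannot hold them in FIPS mode, so "any key" should be qualified, for example "any key the chosen keystore type supports", and "the encrypted file" is better stated as "the keystore file" since the protection depends on the store type and password rather than being a property of every file. Minor wording: "Besides, the keystore and key secrets" reads more naturally as "In addition, the keystore and key secrets". The file also ends without a trailing newline (`\ No newline at end of file`); please add one so later diffs stay clean.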
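Review bot: In the `keys.adoc` hunk, the rewritten WARNING tells the administrator which stores reject secret key entries but not which store to use instead; a pointer to the supported type (the FIPS guide has a dedicated `=== BCFKS keystore` section right after this change) would keep an admin who hits the limitation from being stranded. Style: "fips mode" should be capitalized as "FIPS mode" to match the wording used in `fips.adoc` ("in FIPS mode").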
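Review bot: In the first `fips.adoc` hunk (`@@ -62`), the new paragraph states that `pkcs12` keystores in FIPS mode "*do not* manage secret (symmetric) keys", but the unchanged paragraph that follows still says "in the PKCS12 keystore, you can store PBE (password-based encryption) keys simply by using the keytool command"; since a PBE key is a symmetric secret, a reader will see these as contradictory. Please reconcile them, for example by stating precisely which secret key entries the `BCFIPS` provider rejects (the ones used as realm keys) and whether the PBE use case for the KeyStore Vault is still supported. Grammar: "this type of keys" should be "this type of key", and "do not manage" would be clearer as "cannot store", matching the `keys.adoc` warning.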
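Review bot: In the second `fips.adoc` hunk (`@@ -180`), "the current `BCFIPS` provider" will go stale as soon as the provider is updated; either name the provider version this was verified against or drop "current" and state it as a present limitation. The list "`EdECKey`, `EdECPublicKey`, `EdECPrivateKey`,..." should end with ", and so on)" rather than a bare ",..." for readability. It would also help administrators to say what they observe when `EdDSA` is selected for a realm key on a FIPS host (for example that the key provider fails to load or the algorithm is not offered), so the symptom can be recognized as this limitation rather than a misconfiguration.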