Hi everyone,
I'm working on getting Keycloak 14 to run in FIPS 140-2 compliance.
We build the server using: mvn -Pdistribution -pl distribution/server-dist -am -Dmaven.test.skip clean install
This creates the distribution/server-dist/target directory which contains the keycloak-14.0.0-SNAPSHOT directory housing the server distribution.
Once the server is built, we go into bin/standalone.conf and append our JAVA_OPTS so that BouncyCastle is running in approved-only mode, and Java is using our custom kc.java.security file, which registers our BCFIPS jars as the security providers.
We run the server using: bin/standalone.sh
Immediately after running the command above, a SHA-1 operation is run (not FIPS compliant). It seems to be coming from JBoss/WildFly, but I'm not sure.
Does anyone know where this SHA-1 operation is coming from? I need to disable or change the algorithm so I can boot this server in FIPS mode.
Thanks!
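One way to find out who is requesting SHA-1, added here as an example that is not part of the original post and is not Keycloak, WildFly or BouncyCastle code: a "tripwire" JCA provider placed first in the provider list. It claims the SHA-1 MessageDigest, prints the call stack of every request to stderr, and then fails, so the JCA falls through to the next provider (BCFIPS in this setup) and the server otherwise behaves as before. The provider name, class name and the -Xbootclasspath/a registration mentioned below are assumptions, not anything from the post.

```java
import java.security.MessageDigest;
import java.security.MessageDigestSpi;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

/**
 * Sha1Tripwire (hypothetical name): a JCA provider that sits at position 1
 * and claims the "SHA-1" MessageDigest. Each time any code asks for SHA-1,
 * the Spi constructor prints the requesting call stack and then throws, so
 * the JCA wraps the failure in NoSuchAlgorithmException and moves on to the
 * next provider. The digest itself is never computed here.
 */
public final class Sha1Tripwire extends Provider {

    public Sha1Tripwire() {
        // Provider(String, double, String) exists on Java 8 and later
        // (deprecated from 9 on, but still functional).
        super("Sha1Tripwire", 1.0, "Prints the call stack of every SHA-1 MessageDigest request");
        // Legacy string registration: the JCA instantiates the named Spi
        // class reflectively through its public no-arg constructor.
        String spi = Sha1Spi.class.getName();
        put("MessageDigest.SHA-1", spi);
        put("Alg.Alias.MessageDigest.SHA1", "SHA-1");
        put("Alg.Alias.MessageDigest.SHA", "SHA-1");
        put("Alg.Alias.MessageDigest.1.3.14.3.2.26", "SHA-1"); // SHA-1 OID
    }

    /** Constructed only for its side effect; it never produces a digest. */
    public static final class Sha1Spi extends MessageDigestSpi {
        public Sha1Spi() {
            // A Throwable created here carries the full call stack, and the
            // frames below Sha1Spi.<init> and MessageDigest.getInstance are
            // exactly "who asked for SHA-1".
            new Throwable("Sha1Tripwire: SHA-1 MessageDigest requested").printStackTrace();
            // Failing makes the JCA try the next provider that offers SHA-1.
            throw new IllegalStateException("Sha1Tripwire does not implement SHA-1");
        }
        @Override protected void engineUpdate(byte input) { throw new UnsupportedOperationException(); }
        @Override protected void engineUpdate(byte[] input, int offset, int len) { throw new UnsupportedOperationException(); }
        @Override protected byte[] engineDigest() { throw new UnsupportedOperationException(); }
        @Override protected void engineReset() { throw new UnsupportedOperationException(); }
    }

    /** Stand-alone demo: install the tripwire and trigger one SHA-1 request. */
    public static void main(String[] args) throws NoSuchAlgorithmException {
        Security.insertProviderAt(new Sha1Tripwire(), 1);
        // Prints a stack trace pointing at this line, then hands the request
        // to the next provider in the list that implements SHA-1.
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        System.out.println("SHA-1 served by provider: " + md.getProvider().getName());
    }
}
```

To use it against a running server rather than the demo main, the class has to be visible to the system class loader before the JCA reads the java.security file, for example (assumption about this setup) by appending its jar with -Xbootclasspath/a: in JAVA_OPTS, and it has to be listed as security.provider.1 in the custom java.security file with the existing providers renumbered after it. The first stack trace printed during boot names the WildFly or Keycloak class making the call; that is the place to configure a different algorithm. Alias names vary between callers, so if a caller uses an alias not listed in the constructor, add it to the put calls.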