Keycloak server running SHA-1 operation

Hi everyone,

I’m working on getting Keycloak 14 to run in FIPS 140-2 compliance.

We build the server using: mvn -Pdistribution -pl distribution/server-dist -am -Dmaven.test.skip clean install

This creates the distribution/server-dist/target directory which contains the keycloak-14.0.0-SNAPSHOT directory housing the server distribution.

Once the server is built, we go into bin/standalone.conf and append our JAVA_OPTS so that BouncyCastle is running in approvedonly mode, and java is using our custom file which registers our BCFIPS jars as the security providers.

We run the server using: bin/

Immediately after running the command above, a SHA-1 operation is run (not FIPS compliant). It seems to be coming from JBoss/WildFly, not sure.

Does anyone know where this SHA-1 operation is coming from? I need to disable/change the algorithm so I can boot up this server in FIPS mode.
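The setup the post describes (BC in approved-only mode, a custom `java.security` override registering the BCFIPS providers, both wired in through `JAVA_OPTS` in `bin/standalone.conf`), written out as an added shell example that is not from the thread or from the Keycloak project. It also enables the JDK's provider debug trace restricted to the `MessageDigest` engine, which is one way to see which code path requests SHA-1 at boot. The file paths and the placement of the JDK's own providers after BCFIPS are assumptions; the BC FIPS and BCTLS jars are assumed to already be on the server classpath, as in the post.

```shell
#!/bin/sh
# Added example (not the poster's file): build a java.security override that
# puts the BC FIPS providers first, then append JAVA_OPTS to standalone.conf
# that switch BC into approved-only mode and trace JCA MessageDigest lookups,
# so the first SHA-1 request is printed together with the provider chosen.
set -e

# Write the override file. With -Djava.security.properties=<file> (single '=')
# the JDK merges these keys over its default java.security; the remaining
# default providers keep their numbering, so review that file and renumber if
# a duplicate or gap appears (placeholder ordering, an assumption here).
write_security_override() {
    out="$1"
    cat > "$out" <<'EOF'
# Constructed override: BC FIPS first, BCJSSE in FIPS mode second.
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
EOF
    echo "$out"
}

# Append the JAVA_OPTS lines to standalone.conf. A marker line makes this
# idempotent so a rerun does not duplicate the options.
append_java_opts() {
    conf="$1"
    override="$2"
    marker="# BCFIPS approved-only mode (added)"
    if grep -qF "$marker" "$conf"; then
        return 0
    fi
    cat >> "$conf" <<EOF

$marker
JAVA_OPTS="\$JAVA_OPTS -Dorg.bouncycastle.fips.approved_only=true"
JAVA_OPTS="\$JAVA_OPTS -Djava.security.properties=$override"
# Provider trace limited to MessageDigest; drop it once the SHA-1 caller is known.
JAVA_OPTS="\$JAVA_OPTS -Djava.security.debug=provider,engine=MessageDigest"
EOF
}

# How many times the approved-only flag appears in a conf (used as a check).
count_approved_only() {
    grep -c 'org.bouncycastle.fips.approved_only=true' "$1" || true
}
```

Usage: `write_security_override /opt/keycloak/bcfips.java.security` followed by `append_java_opts /opt/keycloak/bin/standalone.conf /opt/keycloak/bcfips.java.security` (paths are placeholders). On the next `bin/standalone.sh` start the provider trace names the engine and provider for each `MessageDigest` request, which narrows down whether the SHA-1 call comes from WildFly's own startup or from Keycloak.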


My guess: WildFly/JDK is your problem (it is not clear which versions you have). See Can wildfly use BCFIPS provider for SSL running with jdk-11? - Ricky's Hodgepodge

Thanks for your response. We’re running openjdk version “11.0.2” 2019-01-15. Going to check out your link and see if I can get anywhere.