Keycloak does not work on systems with FIPS mode enabled
Describe the bug
When the system-wide crypto policy is set to FIPS there are issues with running Keycloak. This has recently surfaced as RHEL, Fedora, and CentOS have changed the way OpenJDK behaves in this regard. Previously FIPS had to be explicitly enabled for OpenJDK, but it is now enabled by default when system-wide policies are configured to conform to FIPS 140-2.
With OpenJDK configured with FIPS conformance there are a number of things not working properly in Keycloak, which is somewhat to be expected as Keycloak has never had official FIPS support.
This issue is limited to the ability to run Keycloak on a FIPS enabled system, and not to supporting FIPS compliance in Keycloak. For FIPS 140-2 support within Keycloak see https://github.com/keycloak/keycloak/issues/9967.
Original JIRA: https://issues.redhat.com/browse/KEYCLOAK-19771
Version
All versions of Keycloak are affected; the issue rather surfaces based on the host system configuration/upgrades.
For container images published to Quay, the issue happens in >=15.1.0, but does not happen in <=15.0.2. This is not caused by an issue in Keycloak, but rather by the fact that the images <=15.0.2 are not updated with the latest upgrades from RHEL.
Expected behavior
Keycloak is able to run on a FIPS enabled system.
Actual behavior
The add-user-keycloak script fails, and Keycloak fails to generate initial certificates. There are probably also further issues, but starting Keycloak on a FIPS enabled system after the database has been initialized at least succeeds.
How to Reproduce?
Enable FIPS mode on a RHEL or Fedora host (fips-mode-setup --enable).
Start Keycloak directly on the host, and you will get the following error:
Error during startup: org.keycloak.component.ComponentValidationException: Failed to generate keys
Run bin/add-user-keycloak.sh -u admin and you will get the following error:
java.lang.RuntimeException: PBKDF2 algorithm not found
Starting Keycloak as a container with -e KEYCLOAK_USER=user -e KEYCLOAK_PASSWORD=pass results in the PBKDF2 algorithm not found error, while interestingly enough, not setting these environment variables the container starts successfully, which is different behaviour to running Keycloak from a ZIP where the failed to generate keys error occurs at startup.
Workaround
Until FIPS is supported by Keycloak, FIPS has to be disabled for Java to make it possible to run Keycloak on systems with FIPS mode enabled.
For bare-metal/ZIP installations use the JAVA_OPTS_APPEND to set -Dcom.redhat.fips=false. For example:
export JAVA_OPTS=-Dcom.redhat.fips=false
bin/kc.sh start-dev
For containers use the JAVA_OPTS_APPEND to set -Dcom.redhat.fips=false. For example:
podman run -p 8080:8080 -e JAVA_OPTS_APPEND="-Dcom.redhat.fips=false" -e KEYCLOAK_ADMIN=<user> -e KEYCLOAK_ADMIN_PASSWORD=<pass> quay.io/keycloak/keycloak
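As an added example (not from the issue author or the Keycloak project), a small shell helper that applies the workaround above only when the host actually runs in FIPS mode, so the property is not silently carried over to non-FIPS hosts. It assumes the Linux kernel flag file /proc/sys/crypto/fips_enabled; the FIPS_FLAG_FILE variable and the function names are this example's own.

```shell
#!/bin/sh
# Added helper (not part of the Keycloak issue or project): compute the
# JAVA_OPTS_APPEND value needed to start Keycloak on this host.
set -eu

# Kernel flag that is "1" when the host runs with FIPS mode enabled.
# Overridable so the logic can be exercised with a constructed file.
FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"

# Returns 0 (true) when FIPS mode is enabled on the host, 1 otherwise.
# A missing or unreadable flag file is treated as "not enabled".
host_fips_enabled() {
  flag_file="${1:-$FIPS_FLAG_FILE}"
  [ -r "$flag_file" ] && [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]
}

# Prints the JAVA_OPTS_APPEND value to use: the current value, plus
# -Dcom.redhat.fips=false when FIPS mode is on and the operator has not
# already set com.redhat.fips explicitly (an explicit value is respected).
#   $1: flag file (defaults to FIPS_FLAG_FILE)
#   $2: existing options (defaults to $JAVA_OPTS_APPEND, if any)
keycloak_java_opts_append() {
  flag_file="${1:-$FIPS_FLAG_FILE}"
  current="${2:-${JAVA_OPTS_APPEND:-}}"
  if host_fips_enabled "$flag_file" \
     && ! printf '%s' "$current" | grep -q 'com\.redhat\.fips='; then
    printf '%s' "${current:+$current }-Dcom.redhat.fips=false"
  else
    printf '%s' "$current"
  fi
}

# Usage: source this file, then start Keycloak with the computed value, e.g.
#   JAVA_OPTS_APPEND="$(keycloak_java_opts_append)" bin/kc.sh start-dev
# or pass the same value via -e JAVA_OPTS_APPEND=... to the container.
```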
Top GitHub Comments
I am resolving this issue as the Keycloak 20 distribution will contain initial support for FIPS. The details are in this README: https://github.com/keycloak/keycloak/blob/main/docs/fips.md.
There are still some limitations and it is possible that some functionalities won't work as expected (in the testsuite, we see errors related to SAML, X509 authentication and Kerberos/SPNEGO authentication), as the FIPS support is still work in progress.
For the details around the FIPS work, you can take a look at the project: https://github.com/orgs/keycloak/projects/13/views/1
Feedback is welcome. Feel free to create a new GH issue if you find further issues in the Keycloak 20 release related to FIPS support (not yet released, but will probably be by the end of October). When you create such a GH issue, feel free to comment here with the reference to the new issue and feel free to tag me directly in this GH comment (or in the new GH issue).
There are some related errors when running keytool when setting up TLS, such as putting certs in /etc/x509/https. Saw two different keytool errors:
keytool error: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
keytool error: java.io.IOException: parseAlgParameters failed: PBE AlgorithmParameters not available
Adding that same flag -J-Dcom.redhat.fips=false to the keytool commands in the /opt/jboss/tools/x509.sh script mitigates the errors. Saw this in 16.1.0 on a CentOS 7 FIPS enabled instance.