DevServices for Keycloak fails to start on RHEL with enabled FIPS mode

Describe the bug

Method KeycloakDevServicesProcessor.startKeycloakContainer fails when running on a FIPS-enabled machine.

Expected behavior

DevServices for Keycloak should work on a FIPS-enabled machine.

Actual behavior

No response

How to Reproduce?

  1. Verify that the machine uses FIPS:
     $ cat /proc/sys/crypto/fips_enabled
     1
  2. Clone Quarkus quickstarts: git@github.com:quarkusio/quarkus-quickstarts.git
  3. Enter the folder: cd quarkus-quickstarts/security-keycloak-authorization-quickstart
  4. Run mvn clean verify
  5. We will get an error when starting the container quay.io/keycloak/keycloak:15.0.2:
     2022-01-28 13:42:09,087 ERROR [🐳 .io/.0.2]] (build-54) Log output from the failed container:
     java.lang.RuntimeException: PBKDF2 algorithm not found

Apache Maven 3.8.3 (ff8e977a158738155dc465c6a97ffaf31982d739) Maven home: /opt/apache-maven-3.8.3 Java version: 11.0.13, vendor: Red Hat, Inc., runtime: /qa/tools/opt/x86_64/openjdk-11.0.13.0.8

Output of uname -a or ver

4.18.0-305.el8.x86_64

Output of java -version

11.0.13, vendor: Red Hat

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.6.3.Final

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.8.3 (ff8e977a158738155dc465c6a97ffaf31982d739)

Additional information

I tried to start different Keycloak containers manually, and it looks like the Docker Hub Keycloak container works fine:

docker run quay.io/keycloak/keycloak:15.0.2 # fails, but without any mention of PBKDF2
docker run jboss/keycloak:15.0.2 # works

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 13 (12 by maintainers)

Top GitHub Comments

1 reaction
sberyozkin commented, Feb 8, 2022

@fedinskiy Please note the documented workaround from Stian in the https://github.com/keycloak/keycloak/issues/9916 description

0 reactions
sberyozkin commented, Aug 15, 2022

Closing it as it is a pure Keycloak issue. The same workaround which was implemented at https://github.com/quarkus-qe/quarkus-test-suite/pull/581/files can be supported for DevServices for Keycloak with quarkus.keycloak.devservices.java-opts=-Dcom.redhat.fips=false
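
To see whether a JVM on the affected host can supply PBKDF2 at all, and how that changes with the -Dcom.redhat.fips=false option from the comment above, a small probe can be run with each setting. This is an added example, not code from Quarkus or Keycloak; the class name and the three JCA algorithm names it probes are assumptions, since the page only shows the message "PBKDF2 algorithm not found".

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.SecretKeyFactory;

// Added diagnostic, not Quarkus or Keycloak code.
// Run with Java 11+:  java FipsPbkdf2Probe.java
//               and:  java -Dcom.redhat.fips=false FipsPbkdf2Probe.java
public class FipsPbkdf2Probe {
    // Standard JCA names; assumed to be what the failing code asks for.
    static final String[] ALGORITHMS = {
        "PBKDF2WithHmacSHA1", "PBKDF2WithHmacSHA256", "PBKDF2WithHmacSHA512"
    };

    // Kernel FIPS flag, the same file the reproduction steps read.
    static String kernelFipsFlag() {
        try {
            return Files.readString(Path.of("/proc/sys/crypto/fips_enabled")).trim();
        } catch (Exception e) {
            return "unavailable (" + e.getClass().getSimpleName() + ")";
        }
    }

    // Name of the provider that serves the algorithm, or null if none does.
    static String providerFor(String algorithm) {
        try {
            return SecretKeyFactory.getInstance(algorithm).getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("kernel fips_enabled : " + kernelFipsFlag());
        System.out.println("com.redhat.fips     : " + System.getProperty("com.redhat.fips", "(unset)"));
        System.out.println("java.version        : " + System.getProperty("java.version"));
        for (Provider p : Security.getProviders()) {
            System.out.println("provider            : " + p.getName());
        }
        boolean missing = false;
        for (String alg : ALGORITHMS) {
            String provider = providerFor(alg);
            missing |= provider == null;
            System.out.println(alg + " -> " + (provider == null ? "NOT FOUND" : provider));
        }
        // Non-zero exit lets a CI step flag a JVM that cannot hash with PBKDF2.
        System.exit(missing ? 1 : 0);
    }
}
```

Comparing the provider list and the NOT FOUND lines between the two runs shows whether the property changes what the JVM registers on that host.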
