I have the requirement to build a Docker image with Keycloak and a FIPS-compliant JDK (based on OpenJDK 8).

My company has an internal FIPS JDK distribution which works somewhat like this:

In a -Djava.endorsed.dirs directory, a security provider is installed, which dispatches all security calls to BouncyCastle. This security provider has dependencies, which I pull in via Maven: several BouncyCastle jars, but also other stuff like Jackson, Scala, Guava, the kitchen sink.

I'm doing mvn dependency:copy-dependencies to copy the BouncyCastle jars to a library folder, and I'm using the Maven Shade Plugin to build an UberJar with everything else, minus what's already present in Keycloak. To prevent conflicts, I apply package shading in this UberJar (package com.foo is moved to myteam.com.foo), except for the public entrypoint referenced by above security provider.

I have a little Java test class that verifies this setup works in FIPS-compatible mode, basically the test is that

MessageDigest.getInstance("SHA-256", "SUN").getProvider().getName()

returns BCFIPS instead of SUN, and this works.

Now my problem is how to get this setup working on Keycloak, given that it runs on JBoss / WildFly, which has completely its own ideas about class loading.

I launch Keycloak with the -Djava.endorsed.dirs parameter in my JAVA_OPTS, which leaves the dependencies to BouncyCastle and the other libraries.

I have tried the following approaches:

Approach 1: Declare everything as a module. Inside /opt/jboss/keycloak/modules/system/layers/keycloak (or base, I tried both), declare an org/bouncycastle module with all bc jars and a com/mycompany module with the UberJar. Register both as global modules (KC currently runs on WildFly 18, so the global directories option isn't available yet)

Approach 2: Place all jars in a directory and reference that using -Djava.ext.dirs in my JAVA_OPTS.

Each of these has led to the identical error message:

Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider from [Module "org.jboss.as.server" version 10.0.3.Final from local module loader @52a86356 (finder: local module finder @5ce81285 (roots: /opt/jboss/keycloak/modules, /opt/jboss/keycloak/modules/system/layers/keycloak, /opt/jboss/keycloak/modules/system/layers/base))]

Can anybody point me toward a solution?

Sean Patrick Floyd

2 Answers

I don't know if there's a canonical answer to this, but I ended up making this work by registering my modules as explicit dependencies of the root module org.jboss.as.server in the file $KEYCLOAK_ROOT/modules/system/layers/base/org/jboss/as/server/main/module.xml.

Sean Patrick Floyd

Sean, running into the exact same issue you did.

Getting NoSuchMethodError on Keycloak startup from the server-dist distribution. My Keycloak calls isInApprovedOnlyMode() from bc-fips upon startup, and since I don't have the library in my container, I get the NoSuchMethodError. I've included the bc-fips, bctls-fips, and bcpkix-fips libraries from BouncyCastle, and now need to get them to work with WildFly/JBoss (never worked with these techs before).

I'm going to try adding these deps explicitly as you did.

As it's currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center (/help/how-to-answer). – Community Feb 09 '22 at 06:38