Red Hat build of Keycloak provides FIPS-140-2 support

November 21, 2023
Syed M Shaaf
Related topics: Linux, Security
Related products: Red Hat build of OpenJDK, Red Hat Single sign-on, Red Hat Enterprise Linux

    The Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a U.S. government standard that specifies the security requirements for cryptographic modules protecting sensitive information. Established by the National Institute of Standards and Technology (NIST), FIPS 140-2 aims to standardize the design and implementation of cryptographic software and hardware for more secure usage. The first release of the Red Hat build of Keycloak includes FIPS 140-2 support.

    The standard is widely used in various sectors, including federal agencies, defense, healthcare, and finance, to ensure that cryptographic processes meet a certain level of security. It is also often a requirement for technology products sold to the U.S. government. Products that claim to be FIPS 140-2 compliant usually undergo a rigorous testing process by accredited labs. Once they pass, they are added to the FIPS 140-2 validated products list.

    Running the Red Hat build of Keycloak in FIPS 140-2 mode requires that both the operating system and the Java environment are configured to operate in FIPS mode. When installing Red Hat Enterprise Linux (RHEL), enable FIPS mode; this configures the system to use only FIPS 140-2 approved cryptographic algorithms. Verify that FIPS mode is enabled by checking the system configuration. On RHEL, you can use the following command:

    sysctl crypto.fips_enabled
    • sysctl: Reads and modifies kernel attributes.
    • crypto.fips_enabled: Kernel attribute that reports whether FIPS mode is enabled at the system level.

    The above command should return crypto.fips_enabled = 1 if FIPS is enabled.

    Red Hat Enterprise Linux 9 also ships four predefined system-wide cryptographic policies, one of which is FIPS. When the system is in FIPS mode, the Red Hat build of OpenJDK automatically switches to FIPS mode as well; this has been the default behavior since RHEL 8.3. However, you might also need to configure the Red Hat build of OpenJDK explicitly to use FIPS-compliant security providers. See the Red Hat build of OpenJDK documentation on setting up FIPS for details.

    The Red Hat build of Keycloak supports the FIPS-validated BouncyCastle library. To run in FIPS-compliant mode, download the BouncyCastle-FIPS library and add it to the Keycloak distribution; when Keycloak runs in FIPS mode, it uses BouncyCastle for its cryptography. The Red Hat build of Keycloak supports the pkcs12 and bcfks keystore types for its SSL/TLS configuration. For details on how to set up the host operating system and its cryptography, refer to the RHEL security guide.

    To run the Red Hat build of Keycloak in FIPS mode, use the following command:

    bin/kc.[sh] start --features=fips --hostname=localhost --https-key-store-password=passwordpassword --log-level=INFO,org.keycloak.common.crypto:TRACE,org.keycloak.crypto:TRACE
    • bin/kc.[sh]: The command-line utility for Keycloak (kc.sh on Linux, kc.bat on Windows).
    • start: Starts the server.
    • --features=fips: Enables the FIPS feature on startup.
    • --hostname=localhost: Sets the hostname the server is reached on.
    • --https-key-store-password=...: Password for the HTTPS keystore; the example uses passwordpassword.
    • --log-level=INFO,...: Sets the root log level and raises the two Keycloak crypto packages to TRACE so that the provider selection is visible in the startup log.

    Strict mode

    The fips-mode option is automatically set to non-strict when the FIPS feature is enabled, which runs BCFIPS in its "non-approved mode". The more secure alternative is to use --features=fips --fips-mode=strict, in which case BouncyCastle FIPS runs in "approved mode". That option enforces stricter requirements on the cryptographic and security algorithms that can be used.

    When starting the server, you can confirm strict mode by checking that the startup log contains the KC provider line with the note about Approved Mode, such as the following:

    KC(BCFIPS version 1.000203 Approved Mode, FIPS-JVM: enabled) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurity
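As an added example (not code from this post or from the Keycloak project), the following Python preflight check covers the three conditions discussed above: the crypto.fips_enabled sysctl, the active RHEL crypto policy, and the Approved Mode provider line in the startup log. It takes the sysctl and policy values as strings (on a RHEL host these are the contents of /proc/sys/crypto/fips_enabled and /etc/crypto-policies/config) so that it runs offline; the sample log is the line quoted above plus one constructed line.

```python
import re

# Provider line the article says to look for at startup. The text before the comma is
# captured as-is, so anything other than "Approved Mode" (i.e. non-strict mode) is flagged.
KC_PROVIDER_RE = re.compile(
    r"KC\(BCFIPS version (?P<version>\S+) (?P<mode>[^,]+), FIPS-JVM: (?P<jvm>\w+)\)"
)

# Constructed startup log: one unrelated line plus the provider line quoted in the article.
SAMPLE_STARTUP_LOG = """\
INFO  (main) constructed unrelated log line
KC(BCFIPS version 1.000203 Approved Mode, FIPS-JVM: enabled) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurity
"""

def parse_kc_provider_line(log_text):
    """Extract BCFIPS version, approved-mode and FIPS-JVM flags from a startup log, or None."""
    m = KC_PROVIDER_RE.search(log_text)
    if m is None:
        return None
    return {
        "bcfips_version": m["version"],
        "approved_mode": m["mode"].strip() == "Approved Mode",
        "fips_jvm": m["jvm"] == "enabled",
    }

def fips_preflight(fips_flag, policy, log_text):
    """Return findings for the checks in the article; an empty list means all passed.
    fips_flag: contents of /proc/sys/crypto/fips_enabled (the crypto.fips_enabled sysctl)
    policy:    contents of /etc/crypto-policies/config, e.g. "FIPS" or a subpolicy "FIPS:OSPP"
    log_text:  Keycloak startup log"""
    findings = []
    if fips_flag.strip() != "1":
        findings.append("kernel: crypto.fips_enabled is not 1; enable RHEL FIPS mode")
    if policy.strip().split(":")[0] != "FIPS":
        findings.append(f"crypto-policies: active policy is {policy.strip() or 'unknown'!r}, not FIPS")
    prov = parse_kc_provider_line(log_text)
    if prov is None:
        findings.append("keycloak: no KC(BCFIPS ...) provider line; was --features=fips used?")
    else:
        if not prov["fips_jvm"]:
            findings.append("keycloak: FIPS-JVM is not enabled; the JDK is not in FIPS mode")
        if not prov["approved_mode"]:
            findings.append("keycloak: BCFIPS is not in Approved Mode; start with --fips-mode=strict")
    return findings
```

On a RHEL host, feed fips_preflight the contents of the two files named in the docstring and the captured server log; an empty result means the OS, the crypto policy and the Keycloak provider all report strict FIPS mode.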

    Migration from a non-FIPS environment

    It is possible to migrate to a FIPS environment, including current data in use. However, restrictions and considerations exist. The following are considerations for migrations:

    • Make sure that all Keycloak functionality relying on keystores uses only supported keystore types. Which types are supported differs depending on whether you use strict or non-strict mode.
    • Kerberos authentication may not work. If an authentication flow uses the Kerberos authenticator, that authenticator is automatically switched to DISABLED when migrating to a FIPS environment. It is recommended to remove any Kerberos user storage providers from the realm and to disable Kerberos-related functionality in LDAP providers before switching to the FIPS environment.
    • Ensure that all Keycloak functionality relying on keys (for example, realm or client keys) uses RSA keys of at least 2048 bits.
    • Ensure that clients relying on Signed JWT with Client Secret use secrets of at least 14 characters (ideally generated secrets).
    • The password length restriction as previously described applies. If users have shorter passwords, start the server with the maximum padding length of the PBKDF2 provider set to 14. If you do not use this option, all affected users must reset their password (for example, via the forgot password link) during their first authentication in the new environment.
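The following Python audit is added here and is not part of the post or of the Keycloak project. It applies the considerations above to a realm export (the JSON Keycloak produces when exporting a realm), flagging RSA key providers below 2048 bits, Signed JWT with Client Secret clients with secrets shorter than 14 characters, Kerberos user storage providers and LDAP providers with Kerberos authentication enabled, and Kerberos (auth-spnego) executions that are still enabled in a flow. The realm fragment is constructed; the keystore-type check is left out because the supported types are not listed above.

```python
import json

MIN_RSA_BITS = 2048     # realm/client RSA keys must be at least this long (article)
MIN_SECRET_CHARS = 14   # Signed JWT with Client Secret needs secrets at least this long
# Constructed realm export fragment (not a real deployment); only the fields the checks read.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "web-app", "clientAuthenticatorType": "client-secret-jwt", "secret": "tooshort"},
        {"clientId": "batch-job", "clientAuthenticatorType": "client-secret", "secret": "x" * 32},
    ],
    "components": {
        "org.keycloak.keys.KeyProvider": [
            {"name": "rsa-generated", "providerId": "rsa-generated", "config": {"keySize": ["1024"]}},
            {"name": "hmac-generated", "providerId": "hmac-generated", "config": {"secretSize": ["64"]}},
        ],
        "org.keycloak.storage.UserStorageProvider": [
            {"name": "corp-kerberos", "providerId": "kerberos", "config": {}},
            {"name": "corp-ldap", "providerId": "ldap", "config": {"allowKerberosAuthentication": ["true"]}},
        ],
    },
    "authenticationFlows": [{"alias": "browser", "authenticationExecutions": [
        {"authenticator": "auth-cookie", "requirement": "ALTERNATIVE"},
        {"authenticator": "auth-spnego", "requirement": "ALTERNATIVE"},
    ]}],
})

def audit_realm_for_fips(export_json):
    """Return one finding per FIPS migration consideration violated in a realm export."""
    realm = json.loads(export_json)
    components = realm.get("components", {})
    findings = []
    for kp in components.get("org.keycloak.keys.KeyProvider", []):
        size = kp.get("config", {}).get("keySize")  # only RSA providers carry keySize
        if kp.get("providerId", "").startswith("rsa") and size and int(size[0]) < MIN_RSA_BITS:
            findings.append(f"key provider {kp['name']}: RSA {size[0]}-bit key is below {MIN_RSA_BITS} bits")
    for c in realm.get("clients", []):
        if c.get("clientAuthenticatorType") == "client-secret-jwt" and len(c.get("secret", "")) < MIN_SECRET_CHARS:
            findings.append(f"client {c['clientId']}: Signed JWT with Client Secret needs a {MIN_SECRET_CHARS}+ character secret")
    for usp in components.get("org.keycloak.storage.UserStorageProvider", []):
        if usp.get("providerId") == "kerberos":
            findings.append(f"user storage {usp['name']}: remove the Kerberos provider before switching to FIPS")
        elif usp.get("providerId") == "ldap" and usp.get("config", {}).get("allowKerberosAuthentication", ["false"])[0] == "true":
            findings.append(f"user storage {usp['name']}: disable Kerberos authentication in the LDAP provider")
    for flow in realm.get("authenticationFlows", []):
        for ex in flow.get("authenticationExecutions", []):
            if ex.get("authenticator") == "auth-spnego" and ex.get("requirement") != "DISABLED":
                findings.append(f"flow {flow['alias']}: Kerberos authenticator will be switched to DISABLED")
    return findings
```

Run audit_realm_for_fips on a realm export taken before the migration; the sample realm yields five findings, one for each consideration it violates.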

    Read the product documentation for more in-depth details on using and preparing for FIPS mode.

    Get support for Red Hat build of Keycloak

    Support is available to Red Hat customers with a subscription. Contact your local Red Hat representative or Red Hat Sales for details on how to enjoy world-class support offered by Red Hat and its worldwide partner network. According to the Red Hat Product Update and Support Lifecycle, customers can expect support for the Red Hat build of Keycloak and other runtimes.

    Ready to get started with Red Hat build of Keycloak? Check out the following links to get you started:

    • ZIP distributions are available through the customer portal.
    • Container distributions and operators are available in the Red Hat Ecosystem Catalog.
    • Product documentation is available on the Red Hat customer portal, including a migration guide to help you migrate your existing single sign-on deployments to the Red Hat build of Keycloak.

    To learn more, visit Red Hat build of Keycloak.
