From 491d2c9b2adb96f4be144de50f580d80b77bdcf2 Mon Sep 17 00:00:00 2001 From: AndyMunro Date: Mon, 16 Jun 2025 14:47:18 -0400 Subject: [PATCH 1/2] Clarify FIPS instructions Closes #40533 Signed-off-by: AndyMunro --- docs/guides/server/fips.adoc | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/guides/server/fips.adoc b/docs/guides/server/fips.adoc index 44606cde0dbb..9978f7191595 100644 --- a/docs/guides/server/fips.adoc +++ b/docs/guides/server/fips.adoc @@ -118,7 +118,14 @@ Using that option results in stricter security requirements on cryptography and NOTE: In strict mode, the default keystore type (as well as default truststore type) is BCFKS. If you want to use a different keystore type it is required to use the option `--https-key-store-type` with appropriate type. A similar command might be needed for the truststore as well if you want to use it. -When starting the server, you can check that the startup log contains `KC` provider with the note about `Approved Mode` such as the following: +When starting the server, you can include TRACE level in the startup command. For example: + +[source,bash,subs=+attributes] +---- +(--log-level=INFO,org.keycloak.common.crypto.CryptoIntegration:TRACE), +---- + +By using TRACE level, you can check that the startup log contains `KC` provider with the note about `Approved Mode` such as the following: [source] ---- From e3e839f9b77a22dc2e66dc16c68cbab17304dda6 Mon Sep 17 00:00:00 2001 From: Alexander Schwartz Date: Tue, 17 Jun 2025 09:43:36 +0200 Subject: [PATCH 2/2] Update docs/guides/server/fips.adoc Signed-off-by: Alexander Schwartz --- docs/guides/server/fips.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/server/fips.adoc b/docs/guides/server/fips.adoc index 9978f7191595..a2504216cbd7 100644 --- a/docs/guides/server/fips.adoc +++ b/docs/guides/server/fips.adoc 
@@ -122,7 +122,7 @@ When starting the server, you can include TRACE level in the startup command. Fo [source,bash,subs=+attributes] ---- -(--log-level=INFO,org.keycloak.common.crypto.CryptoIntegration:TRACE), +--log-level=INFO,org.keycloak.common.crypto.CryptoIntegration:TRACE ---- By using TRACE level, you can check that the startup log contains `KC` provider with the note about `Approved Mode` such as the following:
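Review bot: In the `@@ -118,7 +118,14 @@` hunk of patch 1/2, the added sentence "When starting the server, you can include TRACE level in the startup command" neither names the option nor says that TRACE applies to a single category. The example line `(--log-level=INFO,org.keycloak.common.crypto.CryptoIntegration:TRACE),` is also wrapped in parentheses with a trailing comma, so it cannot be pasted as written (patch 2/2 removes them). Suggest wording along the lines of "add the `--log-level` option, keeping the root level at INFO and raising only `org.keycloak.common.crypto.CryptoIntegration` to TRACE", so that readers do not enable TRACE for the whole server just to confirm the `Approved Mode` line. The block is declared with `subs=+attributes` but contains no attribute reference, so `[source,bash]` would be enough.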
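Review bot: The subject "Update docs/guides/server/fips.adoc" on patch 2/2 does not say what changed. The `@@ -122,7 +122,7 @@` hunk only drops the parentheses and trailing comma from the `--log-level` example that 1/2 introduced, so it would read better squashed into 1/2 or given a subject that names the fix. After this change the block is still a bare option, while the sentence before it says "in the startup command. For example:". Consider rewording the lead-in to say the option is appended to the start command, so the example and its introduction agree.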