Keycloak
Keycloak is an open-source identity and access management platform for securing modern applications with minimal coding. It offers features like user federation, identity brokering, and social login, supporting protocols like OpenID Connect, OAuth 2.0, and SAML.
The guide explains how to create Keycloak realm signing keys on Luna HSM, which are used for securely signing access tokens and XML documents. Using a Luna HSM for these keys enhances security by providing hardware-level protection, ensuring stronger and more reliable signing for authentication exchanges.
This integration delivers the following benefits:
-
Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
-
Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
-
Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. It's important to note that Luna Cloud HSM service does not have access to this secure audit trail.
-
Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
| HSM Type | Platforms Tested | JDK Version | Keycloak Version |
|---|---|---|---|
| Luna HSM | RHEL 9 | Open JDK 17 | 24.0.8, RHBK-24.0.8 |
| Luna HSM | RHEL 8 | Open JDK 11 | 15.1.0, 15.0.2, 13.0.1 |
| Luna HSM | RHEL 7 | Open JDK 8 | 13.0.1, 12.0.1, 11.0.1, 10.0.1, 9.0.2 |
Here’s a clearer version of the notes:
Luna Client Requirement: Keycloak integration requires Luna Client v10.4 or higher.
Keycloak Luna Plugin: Contact Thales Support to obtain the necessary patch containing the Keycloak Luna plugin, which enables Keycloak to use Luna Keystore and signing keys generated on Luna HSM.
Keycloak Version Reference: The README in the patch may refer to a single Keycloak version; however, check the Certified Platforms table at the start of this section for all Keycloak versions officially certified for this integration.
Prerequisites
The prerequisites for this integration are:
Set up Luna HSM
Follow these steps to set up your on-premise Luna HSM:
Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.
Create a partition that will be later on used by Keycloak.
Create and exchange certificate between the Luna Network HSM and client system. Register client and assign partition to create an NTLS connection.
Initialize Crypto Officer and Crypto User roles for the registered partition.
Run the following command to verify that the partition has been successfully registered and configured:
C:\Program Files\SafeNet\LunaClient>lunacm.exe
Upon successful execution, you should observe an output similar to the example provided below:
lunacm.exe (64-bit) v10.7.1-125. Copyright (c) 2024 Thales Group. All rights reserved. Available HSMs: Slot Id -> 0 Label -> INTG01 Serial Number -> 1312109861412 Model -> LunaSA 7.7.0 Firmware Version -> 7.7.0 Bootloader Version -> 1.1.2 Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode Slot Description -> Net Token Slot FM HW Status -> Non-FM Current Slot Id: 0
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
Control user access to HSM
Applicable only to Linux users.
By default, only the root user can access the HSM. To grant access to non-root users, add them to the hsmusers group, which is created during client software installation. This group persists after uninstalling, allowing easy upgrades without reconfiguration.
Add a user to hsmusers group
Ensure you have sudo privileges.
Add a user:
sudo gpasswd --add [username] hsmusers
Replace [username] with the user's name.
Remove a user from hsmusers group
Ensure sudo privileges.
Remove a user:
sudo gpasswd -d [username] hsmusers
A reboot may be required for changes to take effect. Removed users retain access until the workstation is rebooted.
Setting up Thales Luna HSM High Availability (HA)
For details on configuring high-availability for Luna HSM across Windows or UNIX systems, refer to the Thales Luna Network HSM documentation. Ensure that the HAOnly setting is enabled to allow automatic failover, redirecting calls to a secondary HSM if the primary becomes unavailable.
Enable Luna HSM Keystore for Keycloak with the Luna SPI Patch
Keycloak does not natively support Luna HSM Keystore. However, it allows for the development of a plugin using the Signature Provider Interface (SPI) to enable integration with the Luna HSM Keystore. To obtain the Keycloak Luna plugin, contact Thales Customer Support. They will provide a patch with the Keycloak Luna plugin that enables Keycloak to use the Luna Keystore and access signing keys generated on the Luna HSM.
The README included with the patch specifies a single Keycloak version, but this guide provides the definitive list of supported Keycloak versions.
Install Java Development Kit
Ensure the Java Development Kit (JDK) is installed on your server or local computer. You can run the commands in this guide on any system with the keytool utility available.
Prepare the Keycloak server and admin console access
To access the Keycloak Admin Console, ensure that the Keycloak server is installed and running. Begin by downloading the server from the Keycloak downloads page and follow the instructions in the Keycloak documentation to complete the setup. Additionally, create an initial administrative user if it hasn’t been done already, as this account is required to log in to the Admin Console. For further details on installation and configuration, consult the Keycloak setup guide.
Configure Keycloak to use Luna HSM
This section guides you through integrating Keycloak with Luna HSM to generate signing keys and certificates on the HSM and configure Keycloak to use these keys for token and XML document signing. Follow these steps for a successful Keycloak and Luna HSM integration:
Configure Java for Luna Keystore
Generate signing keys and certificates on the Luna Keystore
Set up the Keycloak Luna Plugin
Configure Keycloak to use signing keys from the Luna Keystore
Configure Java for Luna Keystore
To enable Java to generate signing keys on Luna HSM, configure it to use the Luna Provider. Follow these steps:
Set environment variables for Java. Define JAVA_HOME and update PATH:
export JAVA_HOME=[JDK_installation_directory] export PATH=$JAVA_HOME/bin:$PATH
Copy Required Files. For JDK versions lower than 11, copy libLunaAPI.so and LunaProvider.jar from the <Luna_installation_directory>/jsp/lib directory to <JDK_installation_directory>/jre/lib/ext.
Skip this step if using JDK 11 or higher, as copying the provider is not supported in these versions.
Open the java.security file in the appropriate directory and add the Luna provider entry to the end of the provider list. Use the following paths based on your JDK version:
For JDK 11 or higher: $JAVA_HOME/conf/security/java.security
security.provider.1=SUN security.provider.2=SunEC security.provider.3=SunJSSE security.provider.4=SunJCE security.provider.5=SunJGSS security.provider.6=SunSASL security.provider.7=XMLDSig security.provider.8=SunPCSC security.provider.9=JdkLDAP security.provider.10=JdkSASL security.provider.11=SunPKCS11 security.provider.12=com.safenetinc.luna.provider.LunaProvider security.provider.13=SunRsaSign
For JDK 8: $JAVA_HOME/jre/lib/security/java.security
security.provider.1=sun.security.provider.Sun security.provider.2=sun.security.rsa.SunRsaSign security.provider.3=sun.security.ec.SunEC security.provider.4=com.sun.net.ssl.internal.ssl.Provider security.provider.5=com.sun.crypto.provider.SunJCE security.provider.6=sun.security.jgss.SunProvider security.provider.7=com.sun.security.sasl.Provider security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI security.provider.9=sun.security.smartcardio.SunPCSC security.provider.10=com.safenetinc.luna.provider.LunaProvider
Save and close the java.security file.
Create the lunastore file. In your working directory (e.g., /opt), create a file named lunastore (or any other name) and add this entry:
tokenlabel:[partition_label]
Replace [partition_label] with the name of the Luna HSM partition.
Save the lunastore file.
Generate signing keys and certificates on the Luna Keystore
The Java keytool utility will be used to generate signing keys and a certificate on the Luna HSM. Follow these steps:
Use the keytool command to generate a key pair in the Luna HSM. This command will store the key in the Luna Keystore.
For JDK 11 or higher:
keytool -genkeypair -alias lunakey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \ -keypass userpin1 -keystore lunastore -storetype luna -storepass userpin1 \ -providerpath "/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar" \ -providerclass com.safenetinc.luna.provider.LunaProvider \ -J-Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ -J-cp -J/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar
For JDK 8:
keytool -genkeypair -alias lunakey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \ -keypass userpin1 -keystore lunastore -storetype luna -storepass userpin1
The command uses "userpin1" as both the storepass and keypass, representing the Crypto Officer pin for the partition. Update these values if necessary.
When prompted, enter the certificate details to generate a new key pair on the Luna HSM.
Use the keytool command to create a CSR for the signing key stored in the Luna Keystore.
For JDK 11 or higher:
keytool -certreq -alias lunakey -sigalg SHA256withRSA -file certreq_file \ -keystore lunastore -storetype luna -providerpath "/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar" \ -providerclass com.safenetinc.luna.provider.LunaProvider \ -J-Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ -J-cp -J/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar
For JDK 8:
keytool -certreq -alias lunakey -sigalg SHA256withRSA -file certreq_file \ -keystore lunastore -storetype luna
When prompted, enter the keystore password. This command generates a file named certreq_file in the current directory.
Submit the generated CSR file (certreq_file) to your Certification Authority (CA). The CA will authenticate the request and issue a signed certificate or certificate chain. Save the CA's signed certificate and the root certificate in the current working directory.
Use the following commands to import the CA root certificate and the signed certificate (or certificate chain) into the Luna Keystore.
For JDK 11 or higher:
- Import the CA root certificate:
keytool -trustcacerts -importcert -alias rootca -file root.cer -keystore lunastore -storetype luna \ -providerpath "/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar" \ -providerclass com.safenetinc.luna.provider.LunaProvider \ -J-Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ -J-cp -J/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar
- Import the signed certificate reply or certificate chain:
keytool -importcert -trustcacerts -alias lunakey -file signing.p7b -keystore lunastore -storetype luna \ -providerpath "/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar" \ -providerclass com.safenetinc.luna.provider.LunaProvider \ -J-Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ -J-cp -J/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar
For JDK 8:
- Import the CA root certificate:
keytool -trustcacerts -importcert -alias rootca -file root.cer -keystore lunastore -storetype luna
- Import the signed certificate reply or certificate chain:
keytool -importcert -trustcacerts -alias lunakey -file signing.p7b -keystore lunastore -storetype luna
Where root.cer and signing.p7b are the CA root certificate and the signed certificate chain, respectively. When prompted, enter the keystore password.
Confirm that the certificates have been added correctly by listing the contents of lunastore.
For JDK 11 or higher:
keytool -list -v -keystore lunastore -storetype luna \ -providerpath "/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar" \ -providerclass com.safenetinc.luna.provider.LunaProvider \ -J-Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ -J-cp -J/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar
For JDK 8:
keytool -list -v -keystore lunastore -storetype luna
Set up the Keycloak Luna Plugin
Keycloak does not natively support the Luna HSM Keystore. However, it allows for integration through a custom plugin developed using the Signature Provider Interface (SPI). To enable Keycloak to use the Luna Keystore and signing keys generated on the Luna HSM, contact Thales Customer Support to obtain the necessary patch containing the plugin. Note that earlier versions of Keycloak were based on the WildFly distribution, but the default distribution has since migrated to Quarkus. Follow the appropriate instructions below for configuring the Keycloak Luna Plugin based on your Keycloak distribution.
Configure the Keycloak Luna Plugin for Quarkus distribution
To configure the Keycloak Luna Plugin for Quarkus distribution, follow these steps:
Extract the patch downloaded from the Thales Support Portal:
tar -xvf 630-000621-001_SW_Patch_keycloak_integration_Custom_Release.tar
Unzip the Keycloak Luna Plugin:
cd 630-000621-001_SW_Patch_keycloak_integration_Custom_Release unzip keycloak-spi-luna-keystore-1.1-assemblyModule.zip
Copy the keycloak-spi-luna-keystore-1.1.jar to the Keycloak providers directory:
cp com/safenetinc/luna/keycloak/provider/keycloak-spi-luna-keystore-1.1.jar /opt/keycloak/providers/
Copy the LunaProvider.jar to the Keycloak providers directory:
cp /usr/safenet/lunaclient/jsp/lib/LunaProvider.jar /opt/keycloak/providers/
Set the LD_LIBRARY_PATH to point to the libLunaAPI.so library, or export the JAVA_OPTS_APPEND:
export LD_LIBRARY_PATH=/usr/safenet/lunaclient/jsp/lib:$LD_LIBRARY_PATH
Or, if using Java options:
export JAVA_OPTS_APPEND="-Djava.library.path=/usr/safenet/lunaclient/jsp/lib/"
Enable the Luna-keystore provider by running the build command from the Keycloak installation directory:
cd /opt/keycloak bin/kc.sh build
Confirm that the Keycloak Luna Plugin is enabled by running the show-config command:
bin/kc.sh show-config
Start the Keycloak server with the following command:
bin/kc.sh start --hostname-strict=false --http-enabled=true
This command is provided for demonstration purposes. For production environments, refer to the Keycloak documentation for proper server setup: Keycloak Server Guide.
Verify that the Keycloak server starts successfully without errors. The logs should show entries similar to the following:
2024-11-06 19:58:18,691 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `JJN4WL3-51787`, physical addresses are `[10.164.78.84:33376]` 2024-11-06 19:58:18,700 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled 2024-11-06 19:58:19,031 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: JJN4WL3-51787, Site name: null 2024-11-06 19:58:19,305 INFO [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener 2024-11-06 19:58:20,126 INFO [io.quarkus] (main) Keycloak 24.0.8.redhat-00001 on JVM (powered by Quarkus 3.8.5.redhat-00004) started in 7.745s. Listening on: http://0.0.0.0:8080 2024-11-06 19:58:20,127 INFO [io.quarkus] (main) Profile prod activated. 2024-11-06 19:58:20,127 INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, keycloak, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, vertx]
Once the Keycloak server starts successfully, proceed to the next section to configure Keycloak to use signing keys from the Luna Keystore.
Configure the Keycloak Luna Plugin for WildFly distribution
To configure the Keycloak Luna Plugin for WildFly distribution, follow these steps:
Extract the patch and copy the Keycloak Luna Plugin zip file (extracted from the patch) to the Keycloak modules directory:
tar -xvf 630-000621-001_SW_Patch_keycloak_integration_Custom_Release.tar cp 630-000621-001_SW_Patch_keycloak_integration_Custom_Release/keycloak-spi-luna-keystore-1.0-assemblyModule.zip /opt/keycloak/modules/
For Keycloak 15 onwards:
# NOTE: For Keycloak v15.x, ensure that “keycloak-spi-luna-keystore-1.1.jar” is used. cp 630-000621-001_SW_Patch_keycloak_integration_Custom_Release/keycloak-spi-luna-keystore-1.1-assemblyModule.zip /opt/keycloak/modules/
Traverse to the Keycloak modules directory and extract the plugin zip file:
cd /opt/keycloak/modules/ unzip keycloak-spi-luna-keystore-1.0-assemblyModule.zip
For Keycloak 15 onwards:
unzip keycloak-spi-luna-keystore-1.1-assemblyModule.zip
Navigate to the com/safenetinc/luna directory and create a main/lib/linux-x86_64 folder:
cd com/safenetinc/luna/ mkdir -p main/lib/linux-x86_64
Copy the LunaProvider.jar file to the main folder under the com/safenetinc/luna directory:
cp/jsp/lib/LunaProvider.jar main/
Copy the libLunaAPI.so file to the main/lib/linux-x86_64 folder:
cp/jsp/lib/libLunaAPI.so main/lib/linux-x86_64
Create a module.xml file in the main folder and add the following content:
cd main vi module.xml
Add the following content to module.xml:
<module name="com.safenetinc.luna" xmlns="urn:jboss:module:1.9">
<resources>
<resource-root path="LunaProvider.jar"/>
</resources>
<dependencies>
<module name="java.logging"/>
</dependencies>
</module>
Confirm that LunaProvider.jar, module.xml, and lib/linux-x86_64/libLunaAPI.so are in the /opt/keycloak/modules/com/safenetinc/luna/main directory.
Navigate to the com/safenetinc/luna/keycloak/provider directory within the Keycloak modules directory:
cd /opt/keycloak/modules/com/safenetinc/luna/keycloak/provider/
Create a main folder under the com/safenetinc/luna/keycloak/provider directory:
mkdir main
Move the keycloak-spi-luna-keystore-1.0.jar and module.xml files to the main directory:
mv keycloak-spi-luna-keystore-1.0.jar module.xml main/
For Keycloak 15 onwards:
mv keycloak-spi-luna-keystore-1.1.jar module.xml main/
Confirm that the keycloak-spi-luna-keystore-x.x.jar and module.xml files are present in the /opt/keycloak/modules/com/safenetinc/luna/keycloak/provider/main directory. Replace x.x with the appropriate version depending on your Keycloak version.
Verify that the module.xml file contains the following content, and that the correct version of the Plugin jar file is specified. For Keycloak v15.x and later, ensure keycloak-spi-luna-keystore-1.1.jar is used.
Edit the standalone.xml file to add the Provider and SPI details:
vi /opt/keycloak/standalone/configuration/standalone.xml
Add the following to the file:
provider: module: com.safenetinc.luna.keycloak.provider ... spi name="keys": provider name="luna-keystore" enabled="true"
Ensure that the luna-keystore SPI is listed first in the list of SPI providers.
Save and close the standalone.xml file. If the Keycloak server is running, stop it and then restart it with the following command:
/opt/keycloak/bin/standalone.sh
Upon server startup, the following log entries should appear:
22:27:29,211 INFO [org.keycloak.services] (ServerService Thread Pool --62) KC-SERVICES0001: Loading config from standalone.xml or domain.xml 22:27:29,928 WARN [org.keycloak.services] (ServerService Thread Pool -- 62) KC-SERVICES0047: luna-keystore (com.safenetinc.luna.keycloak.provider.LunaKeystoreProviderFactory) is implementing the internal SPI keys. This SPI is internal and may change without notice 22:27:30,326 INFO [org.keycloak.url.DefaultHostnameProviderFactory] (ServerService Thread Pool -- 62) Frontend:, Admin: , Backend:
Configure Keycloak to use signing keys from the Luna Keystore
To enable Keycloak to use keys generated on the Luna HSM, log in to the Keycloak Admin Console and configure the Luna Keystore as follows:
Log in to the Keycloak Admin Console and navigate to Realm Settings > Keys.
Locate the rsa-generated key in the Provider column. Change the Priority value from 100 to 0, then click Save.
Go to Realm Settings > Keys and select Providers or Add Provider. Click Add keystore… and choose luna-keystore from the list.
Set the following values, then click Save:
-
Priority: 100
-
Keystore: Path to the
lunastorefile -
Keystore Password: CO password for the partition
-
Key Alias: Label of the key generated on Luna HSM
-
Key Password: Password used when generating the key pair
Once completed, a confirmation message will indicate that the provider has been successfully created.
In the Realm Settings > Keys section, confirm that the luna-keystore Provider key is listed with the highest priority (100).
Stop and then restart the Keycloak server to apply changes:
/opt/keycloak/bin/standalone.sh
(for WildFly distribution)
/opt/keycloak/bin/kc.sh start --hostname-strict=false --http-enabled=true
(for Quarkus distribution)
The start command provided here is for integration demonstration. Refer to the Keycloak production setup guide for best practices.
Once the Keycloak server is running, every login session will have its token signed by the key generated on the Luna HSM. You can now create users, roles, and clients. When an authentication token is generated, it will be signed using the Luna HSM's Realm Signing Key.
If the Luna HSM is unavailable or the NTLS connection is not active, access to the Keycloak Admin Console will be restricted, as Keycloak requires the signing keys from the Luna HSM.
Configure Keycloak Container to use Luna HSM
This section provides a detailed guide on generating signing keys and certificates on Luna HSM and configuring the Keycloak container to utilize these keys for token signing and XML document signing. Before proceeding, ensure the Luna Client is installed and properly configured to access the Luna HSM partition on the system where the Keycloak container will be set up.
The configuration involves the following steps:
Set up the Docker environment
To prepare the Docker environment for running the Keycloak container, follow these steps:
Download and install Docker and Docker Compose on the host system by referring to the official documentation:
Add your user to the Docker group to eliminate the need for sudo when running Docker commands:
sudo gpasswd -a $USER docker addgroup docker
Configure Java for Luna Keystore integration
To configure Java for Luna Keystore, follow these steps: Configure Java for Luna Keystore
Generate signing keys and certificates on the Luna Keystore
Use the following steps to generate signing keys and a certificate on Luna Keystore: Generate signing keys and certificates on the Luna Keystore
Configure the Keycloak container to use the keys generated on Luna HSM
Keycloak provides container images that can be configured to access signing keys stored on Luna HSM via the Luna Provider and Keycloak Luna Plugin. Use the steps below on a host system with Docker and the Luna Client already set up to access the HSM partition.
Create a directory on the host system to store the configuration files required for running the Keycloak container with Luna HSM:
mkdir /luna-docker cd /luna-docker
Fetch the official Keycloak image from the Docker registry or any other trusted registry:
docker pull jboss/keycloak:15.0.2
Launch the Keycloak container in standalone mode using the following command:
docker run --name myKeyCloak -e DB_VENDOR=h2 -d jboss/keycloak:15.0.2
Launch a shell within the running Keycloak container to collect the required configuration details:
docker exec -it myKeyCloak bash
Identify the following:
-
Java Version: JDK11 (or another version installed in the container).
-
Path to
java.security:/usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64/conf/security/ -
Path to
standalone-ha.xml:/opt/jboss/keycloak/standalone/configuration/standalone-ha.xml(default for the container). -
Path to Keycloak Modules Directory:
/opt/jboss/keycloak/modules/
Exit the container and transfer the required configuration files to the /luna-docker directory on the host. Use the absolute paths obtained in the previous step:
docker cp myKeyCloak:/usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64/conf/security/java.security /luna-docker/ docker cp myKeyCloak:/opt/jboss/keycloak/standalone/configuration/standalone-ha.xml /luna-docker/
Edit the java.security file copied from the container and update the provider list according to the JDK version used in the container:
vi /luna-docker/java.security
- For JDK 11:
security.provider.1=SUN security.provider.2=SunEC security.provider.3=SunJSSE security.provider.4=SunJCE security.provider.5=SunJGSS security.provider.6=SunSASL security.provider.7=XMLDSig security.provider.8=SunPCSC security.provider.9=JdkLDAP security.provider.10=JdkSASL security.provider.11=SunPKCS11 security.provider.12=com.safenetinc.luna.provider.LunaProvider security.provider.13=SunRsaSign
- For JDK 8:
security.provider.1=sun.security.provider.Sun security.provider.2=sun.security.rsa.SunRsaSign security.provider.3=sun.security.ec.SunEC security.provider.4=com.sun.net.ssl.internal.ssl.Provider security.provider.5=com.sun.crypto.provider.SunJCE security.provider.6=sun.security.jgss.SunProvider security.provider.7=com.sun.security.sasl.Provider security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI security.provider.9=sun.security.smartcardio.SunPCSC security.provider.10=com.safenetinc.luna.provider.LunaProvider
Save the file after making the updates.
Open the standalone-ha.xml file located in the /luna-docker directory using a text editor (e.g., vi):
vi /luna-docker/standalone-ha.xml
Within the file, locate the Provider and SPI sections, then add the following entries:
<provider> module:com.safenetinc.luna.keycloak.provider </provider> . . <spi name="keys"> <provider name="luna-keystore" enabled="true"/> </spi>
Ensure luna-keystore is listed as the first SPI in the keys section.
Modify the ownership of Luna Client files on the host system to make them compatible with the Keycloak container, as the container runs as a non-root user and does not have an hsmusers group.
chown -R root:root /etc/Chrystoki.conf chown -R root:root /usr/safenet/lunaclient/cert chown -R root:root /usr/safenet/lunaclient/data chown -R root:root /usr/safenet/lunaclient/configData
Extract the Keycloak Luna Plugin patch and copy the plugin zip file to the /luna-docker directory.
tar -xvf 630-000621-001_SW_Patch_keycloak_integration_Custom_Release.tar cp 630-000621-001_SW_Patch_keycloak_integration_Custom_Release/keycloak-spi-luna-keystore-1.0-assemblyModule.zip /luna-docker/
For Keycloak 15 and later, use this command instead:
cp 630-000621-001_SW_Patch_keycloak_integration_Custom_Release/keycloak-spi-luna-keystore-1.1-assemblyModule.zip /luna-docker/
Navigate to the /luna-docker directory and extract the contents of the Luna Plugin zip file.
cd /luna-docker unzip keycloak-spi-luna-keystore-1.0-assemblyModule.zip
For Keycloak 15 and later, use the appropriate command:
unzip keycloak-spi-luna-keystore-1.1-assemblyModule.zip
Inside the extracted plugin directory, create the main/lib/linux-x86_64 folder structure as needed for the Luna integration.
cd com/safenetinc/luna/ mkdir -p main/lib/linux-x86_64
Copy the LunaProvider.jar from the Luna installation directory to the main folder created earlier.
cp/jsp/lib/LunaProvider.jar main/
Copy the libLunaAPI.so file from the Luna installation directory to the main/lib/linux-x86_64 folder.
cp/jsp/lib/libLunaAPI.so main/lib/linux-x86_64
In the main directory, create a module.xml file and add the necessary configuration.
cd main vi module.xml
Add the following content to the module.xml file:
<module name="com.safenetinc.luna" xmlns="urn:jboss:module:1.9">
<resources>
<resource-root path="LunaProvider.jar"/>
</resources>
<dependencies>
<module name="java.logging"/>
</dependencies>
</module>
Ensure the following files are present in the /luna-docker/com/safenetinc/luna/main directory:
-
LunaProvider.jar -
module.xml -
lib/linux-x86_64/libLunaAPI.so
Change to the com/safenetinc/luna/keycloak/provider directory created earlier in the /luna-docker directory.
cd /luna-docker/com/safenetinc/luna/keycloak/provider/
Under the com/safenetinc/luna/keycloak/provider directory, create a main directory.
mkdir main
Move the keycloak-spi-luna-keystore-1.0.jar and module.xml files to the newly created main directory.
mv keycloak-spi-luna-keystore-1.0.jar module.xml main/
For Keycloak 15 and later, use the following command:
mv keycloak-spi-luna-keystore-1.1.jar module.xml main/
Ensure that the keycloak-spi-luna-keystore-x.x.jar (where x.x corresponds to the Keycloak version) and module.xml files are correctly placed in the /luna-docker/com/safenetinc/luna/keycloak/provider/main directory.
Make sure the module.xml file contains the correct content, including the name of the Plugin jar file.
For Keycloak v15.x and later, ensure that the file refers to keycloak-spi-luna-keystore-1.1.jar.
Navigate to the /luna-docker directory and verify that it contains the following files and directories:
-
java.security -
standalone-ha.xml -
lunastorefiles -
comdirectory
cd /luna-docker && ls -ltr
Before proceeding, ensure the myKeyCloak container is not running. If it is, stop and remove the container. You can also choose to run the container with a different name if you prefer not to stop and remove the existing one.
# docker ps -a # docker stop myKeyCloak # docker rm myKeyCloak
Configure the container to use Luna HSM:
-
LunaClient – Mount the Luna Client folder.
-
Chrystoki.conf – Mount the Luna Client configuration file.
-
lunastore – Mount the Luna keystore file containing the Luna HSM partition.
-
java.security – Mount the Java configuration file with the Luna Provider enabled.
-
standalone-ha.xml – Mount the Keycloak configuration file with Luna Provider and SPI enabled.
-
Luna Keycloak Plugin – Mount the
comfolder containing the Luna Keycloak plugin, which was configured as a Keycloak module.
Ensure that the java.security and standalone-ha.xml files are mounted to their exact locations inside the Keycloak container (as detailed in Step 4). Also, mount the Luna Keycloak Plugin to the Keycloak modules directory.
Run the container using either the Docker command-line or a Docker Compose YAML file:
Option 1: Run the container using the Docker command:
docker run --name myKeyCloak -p 8443:8443 -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 -v /usr/safenet/lunaclient:/usr/safenet/lunaclient -v /etc/Chrystoki.conf:/etc/Chrystoki.conf -v /luna-docker/lunastore:/opt/lunastore -v /luna-docker/java.security:/usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64/conf/security/java.security -v /luna-docker/standalone-ha.xml:/opt/jboss/keycloak/standalone/configuration/standalone-ha.xml -v /luna-docker/com:/opt/jboss/keycloak/modules/com -d jboss/keycloak:15.0.2
In the above command, port 8080 is for HTTP and port 8443 is for HTTPS. Admin credentials are provided through the KEYCLOAK_USER and KEYCLOAK_PASSWORD environment variables.
Option 2: Run the container using a Docker Compose YAML file:
docker-compose up &
The compose.yaml file should have the following content:
services:
myKeyCloak:
container_name: myKeyCloak
image: jboss/keycloak:15.0.2
ports:
- "8080:8080"
- "8443:8443"
environment:
- KEYCLOAK_USER=admin
- KEYCLOAK_PASSWORD=admin
- DB_VENDOR=h2
volumes:
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- /luna-docker/lunastore:/opt/lunastore
- /luna-docker/com:/opt/jboss/keycloak/modules/com
- /luna-docker/java.security:/usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64/conf/security/java.security
- /luna-docker/standalone-ha.xml:/opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
Once the container is running, check the logs to ensure that the Keycloak service is running with the Luna Keystore and SPI enabled, as specified in the standalone-ha.xml file.
docker logs myKeyCloak | grep luna
You should see a message similar to:
07:31:52,410 WARN [org.keycloak.services] (ServerService Thread Pool --62) KC-SERVICES0047: luna-keystore (com.safenetinc.luna.keycloak.provider.LunaKeystoreProviderFactory) is implementing the internal SPI keys. This SPI is internal and may change without notice
Access the Keycloak Admin Console using the URL that maps to the port you assigned for HTTPS (8443):
https://[hostname_or_ip]:8443
Follow the instructions in the Admin Console to configure Keycloak to use the signing keys stored in the Luna Keystore
After configuring the Keycloak container to use Luna HSM-generated keys, restart the container to apply the changes.
If using the command-line:
docker stop myKeyCloak docker start myKeyCloak
If using the YAML file:
docker-compose restart &
Upon restarting the container, Keycloak will securely utilize the cryptographic keys stored and managed within the Luna HSM, ensuring enhanced security and compliance.
