keycloak/tests/FIPS_104-2.md

## FIPS 140-2 testing

### Integration tests

On a FIPS enabled platform with FIPS enabled OpenJDK 21, you can run this to test against a Keycloak server with FIPS 140-2 integration enabled.

```
./mvnw clean package -nsu -B -f tests/base/pom.xml \
  -Dcom.redhat.fips=false \
  -Dtest=FipsStrictTestSuite,FipsNonStrictTestSuite
```
FIPS test suite configuration (strict and non-strict):
[FipsStrictTestSuite](./base/src/test/java/org/keycloak/tests/suites/FipsStrictTestSuite.java),
[FipsNonStrictTestSuite](./base/src/test/java/org/keycloak/tests/suites/FipsNonStrictTestSuite.java)

NOTE 1: The property `com.redhat.fips` is required for disabling FIPS in JVM, on a FIPS enabled environment (operating system or container), where the test suite is executed.

NOTE 3: Example of the server startup log, running in an environment (both -> JVM and operating system/container), where FIPS is enabled:
```
2022-10-11 19:34:29,521 DEBUG [org.keycloak.common.crypto.CryptoIntegration] (main) Using the crypto provider: org.keycloak.crypto.fips.FIPS1402Provider
2022-10-11 19:34:31,072 TRACE [org.keycloak.common.crypto.CryptoIntegration] (main) Java security providers: [ 
 KC(BCFIPS version 1.000203, FIPS-JVM: enabled) version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider, 
 BCFIPS version 1.000203 - class org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider, 
 BCJSSE version 1.001202 - class org.bouncycastle.jsse.provider.BouncyCastleJsseProvider,
]
```