From a9ec8d4e531dc0dcec422332f9a1ee4d716a1104 Mon Sep 17 00:00:00 2001
From: eugen-keeper
Date: Fri, 13 Dec 2024 16:58:41 +0000
Subject: [PATCH] GUACAMOLE-2004: Fix KSM integration for RHEL systems with FIPS mode enabled
---
 .../vault/ksm/KsmAuthenticationProviderModule.java | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/KsmAuthenticationProviderModule.java b/extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/KsmAuthenticationProviderModule.java
index b9d38da934..caf8cd54b5 100644
--- a/extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/KsmAuthenticationProviderModule.java
+++ b/extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/KsmAuthenticationProviderModule.java
@@ -19,6 +19,8 @@ package org.apache.guacamole.vault.ksm;
+import java.security.Security;
+
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.vault.VaultAuthenticationProviderModule;
 import org.apache.guacamole.vault.ksm.conf.KsmAttributeService;
@@ -36,6 +38,8 @@ import org.apache.guacamole.vault.secret.VaultSecretService;
 import org.apache.guacamole.vault.user.VaultDirectoryService;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
+
 import com.google.inject.assistedinject.FactoryModuleBuilder;
 /**
@@ -53,7 +57,14 @@ public class KsmAuthenticationProviderModule
 * @throws GuacamoleException
 * If configuration details in guacamole.properties cannot be parsed.
 */
- public KsmAuthenticationProviderModule() throws GuacamoleException {}
+ public KsmAuthenticationProviderModule() throws GuacamoleException {
+ // KSM recommends using BouncyCastleFipsProvider to avoid potential
+ // issues (for example with FIPS enabled RHEL).
+ // https://docs.keeper.io/en/secrets-manager/secrets-manager/developer-sdk-library/java-sdk
+ // The addProvider method checks for duplications internally,
+ // so it is safe to add the same provider multiple times.
+ Security.addProvider(new BouncyCastleFipsProvider());
+ }
 @Override
 protected void configureVault() {
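Review bot: The return value of `Security.addProvider(new BouncyCastleFipsProvider())` in the new constructor body is discarded, so when a provider with the same name is already installed (by the JDK's FIPS security configuration, or by another extension bundling a different BC-FIPS version) the freshly built instance is silently dropped and KSM ends up on whichever instance was registered first, which is exactly the situation the comment calls "safe". Capturing the result makes that case observable, e.g. `int position = Security.addProvider(new BouncyCastleFipsProvider());` with a comment that `-1` means a same-named provider already exists and its version, not the one bundled here, will serve the SDK (plus a log line if the class has a logger outside the hunk). Note also that `addProvider` appends at the lowest preference position, so it only takes effect for algorithms the SDK requests from that provider by name; if the SDK relies on default JCA lookup it would need `Security.insertProviderAt` instead, which is worth confirming against the SDK rather than assuming. The constructor's Javadoc shown as hunk context still documents only `@throws`; it should state that constructing the module registers the BouncyCastle FIPS provider JVM-wide, a side effect that outlives this extension and is visible to every other component in the same container. The enclosing class begins before the hunk.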