Title: WildFly Elytron + Azure Key Vault Integration: “No suitable provider found for type ‘DKS’”
Body:
I’m attempting to integrate WildFly Elytron with the Azure Key Vault JCA provider so that my SSL certificates can be sourced directly from Azure Key Vault. Currently, I’m using WildFly v15 and would prefer not to upgrade if possible but would consider trying if necessary. Under Tomcat, the same configuration works fine using DKS and certificateKeystoreProvider="AzureKeyVault". However, Elytron doesn’t seem to accept my configuration. I’ve been referencing this schema for crafting my standalone.xml.
What I’ve Done So Far:
- Azure Key Vault JCA Provider Setup:
  - Placed azure-security-keyvault-jca-2.7.1.jar in a WildFly module: modules/com/azure/security/keyvault/jca/main/module.xml
  - Added -Dazure.keyvault.uri=https://my-keyvault.vault.azure.net/ -Dazure.keyvault.managed-identity=true to standalone.conf.bat.
  - Edited java.security to include security.provider.14=com.azure.security.keyvault.jca.KeyVaultJcaProvider.
- Elytron Providers Configuration:
  <providers>
      <aggregate-providers name="combined-providers">
          <providers name="elytron"/>
          <providers name="openssl"/>
          <providers name="AzureKeyVault"/>
      </aggregate-providers>
      <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
      <provider-loader name="openssl" module="org.wildfly.openssl"/>
      <provider-loader name="AzureKeyVault" module="com.azure.security.keyvault.jca"/>
  </providers>
- KeyStore and KeyManager Setup:
  <tls>
      <key-stores>
          <key-store name="azure-keyvault-keystore">
              <!-- Tried with and without credential-reference, but it's required -->
              <credential-reference clear-text=" "/>
              <!-- Tried type="DKS", "JKS", "AzureKeyVault", "PKCS12" -->
              <!-- Tried adding providers="AzureKeyVault" as well -->
              <implementation type="DKS" provider-name="AzureKeyVault"/>
          </key-store>
      </key-stores>
      <key-managers>
          <key-manager name="azure-keyvault-key-manager" key-store="azure-keyvault-keystore">
              <credential-reference clear-text=" "/>
          </key-manager>
      </key-managers>
      <server-ssl-contexts>
          <server-ssl-context name="https-context" key-manager="azure-keyvault-key-manager"/>
      </server-ssl-contexts>
  </tls>
The Error:
During startup:
ERROR [org.wildfly.security.key-store.azure-keyvault-keystore] ... No suitable provider found for type 'DKS'
What I’ve Tried:
- Different type attributes (JKS, PKCS12, AzureKeyVault).
- Ensured the AzureKeyVault provider-loader is in place.
- Verified that the JAR and module load correctly by enabling debug logging.
- Tried without a credential-reference, but Elytron complains if it’s missing.
Under Tomcat, I can just specify:
<Certificate
certificateKeyAlias="mycert"
certificateKeystoreFile=""
certificateKeystorePassword=""
certificateKeystoreType="DKS"
certificateKeystoreProvider="AzureKeyVault" />
…and it works. On WildFly, the Elytron subsystem doesn’t seem to pick up the Key Vault as a valid keystore provider.
Questions:
- Has anyone integrated Elytron with Azure Key Vault JCA without a local key store?
- Is there a known keystore type or provider combination that works out-of-the-box with Elytron?
- Are there any examples of configuring Elytron to use a JCA provider like AzureKeyVault directly?
Environment:
- WildFly 15
- Azure Key Vault JCA 2.7.1
- Java 11
Any guidance or known working config would be greatly appreciated!
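An added diagnostic, written for this edit and not part of the original post or of the Azure or WildFly projects. The Elytron message “No suitable provider found for type 'DKS'” means that none of the providers Elytron searched advertised a JCA service of type KeyStore with the algorithm name DKS under the provider name given in provider-name. The program below lists, from the JVM’s own view, which installed providers register which KeyStore types, and then attempts exactly the (type, provider-name) pair the <implementation> element asks for. It assumes the Azure Key Vault JCA jar is on the classpath (it registers the provider programmatically via the class name quoted in the post if java.security has not already done so), that the provider’s JCA name is AzureKeyVault (the name the post uses for Tomcat’s certificateKeystoreProvider), and that the azure.keyvault.* system properties from the post are set when you want the load step to reach a real vault. Note the assumption that this checks the JVM-global provider list, whereas Elytron, as I understand it, searches the providers resource named in the key-store’s providers attribute and falls back to the global list only when that attribute is absent; a provider that appears here but not in the providers Elytron is told to use will still produce the error.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/**
 * Diagnostic for "No suitable provider found for type 'X'":
 * 1. show which installed JCA providers register which KeyStore types;
 * 2. try the exact (type, provider-name) pair an Elytron
 *    <implementation type="..." provider-name="..."/> element would ask for.
 *
 * Example code added for this edit; not from the original post.
 * Assumes the Azure Key Vault JCA jar is on the classpath and that its
 * provider name is "AzureKeyVault" (the name used in the post's Tomcat config).
 */
public class KeyStoreProviderCheck {

    /** One line per provider that offers at least one KeyStore type. */
    static List<String> listKeyStoreTypes() {
        List<String> out = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            List<String> types = new ArrayList<>();
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    types.add(s.getAlgorithm());
                }
            }
            if (!types.isEmpty()) {
                out.add(p.getName() + ": " + String.join(", ", types));
            }
        }
        return out;
    }

    /**
     * Resolve a KeyStore exactly as a provider-name-qualified lookup does:
     * the named provider itself must advertise KeyStore.<type>.
     * Returns a verdict string rather than throwing, so it is easy to read
     * from a quick main() or a log line.
     */
    static String check(String type, String providerName) {
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            return "provider '" + providerName + "' is not installed in this JVM";
        }
        if (p.getService("KeyStore", type) == null) {
            return "provider '" + providerName + "' is installed but does not register KeyStore." + type;
        }
        try {
            KeyStore ks = KeyStore.getInstance(type, p);
            // A remote store has no file, so load with no stream; for the
            // Azure provider this is the point where the vault is contacted.
            ks.load(null, null);
            return "OK: KeyStore." + type + " from '" + providerName + "' loaded, "
                    + ks.size() + " alias(es) visible";
        } catch (Exception e) {
            return "KeyStore." + type + " from '" + providerName + "' failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Register the provider programmatically if java.security did not.
        // The class name is the one from the post's java.security edit.
        if (Security.getProvider("AzureKeyVault") == null) {
            try {
                Class<?> c = Class.forName("com.azure.security.keyvault.jca.KeyVaultJcaProvider");
                Security.addProvider((Provider) c.getDeclaredConstructor().newInstance());
            } catch (ReflectiveOperationException e) {
                System.out.println("Azure Key Vault JCA provider not on classpath: " + e);
            }
        }

        for (String line : listKeyStoreTypes()) {
            System.out.println(line);
        }
        // First argument overrides the type, e.g. "AzureKeyVault" instead of "DKS".
        String type = args.length > 0 ? args[0] : "DKS";
        System.out.println(check(type, "AzureKeyVault"));
    }
}
```

Run it with the same JVM, classpath and -Dazure.keyvault.* properties the server uses (java -cp azure-security-keyvault-jca-2.7.1.jar:. KeyStoreProviderCheck DKS). If the first part does not list AzureKeyVault at all, the provider never got registered; if it is listed but without the type you are requesting, the type in the <implementation> element must be changed to one the provider actually advertises; if both look right here but Elytron still fails, the remaining difference is the provider list Elytron is searching, so compare the providers attribute on the key-store against the provider-loader that wraps the module.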