gitlab conversion script
This commit is contained in:
parent
aad8d04f0b
commit
16e4b237f6
39 changed files with 151 additions and 617 deletions
103
gitlab-conversion.py
Executable file
103
gitlab-conversion.py
Executable file
|
@ -0,0 +1,103 @@
|
||||||
|
import sys, os, re, json, shutil, errno
|
||||||
|
|
||||||
|
def transform(root, f, targetdir):
|
||||||
|
full = os.path.join(root, f)
|
||||||
|
print full
|
||||||
|
input = open(full, 'r').read()
|
||||||
|
dir = os.path.join(targetdir, root)
|
||||||
|
if not os.path.exists(dir):
|
||||||
|
os.makedirs(dir)
|
||||||
|
output = open(os.path.join(dir, f), 'w')
|
||||||
|
for variable in re.findall(r"\{\{(.*?)\}\}", input):
|
||||||
|
tmp = variable.replace('.', '_')
|
||||||
|
input = input.replace(variable, tmp)
|
||||||
|
input = input.replace('{{', '{').replace('}}','}')
|
||||||
|
input = re.sub(r"<<fake.+#", "<<", input)
|
||||||
|
for variable in re.findall(r"[ ]*{% if (.*?) %}", input):
|
||||||
|
tmp = variable.replace('.', '_')
|
||||||
|
input = input.replace(variable, tmp)
|
||||||
|
exp = re.compile("[ ]*{% if (.*?) %}(.*?)[ ]*{% endif %}", re.DOTALL)
|
||||||
|
input = re.sub(exp, "ifeval::[{\g<1>}==true]\g<2>endif::[]", input)
|
||||||
|
input = re.sub(r"image:(\.\./)*", "image:", input)
|
||||||
|
output.write(input)
|
||||||
|
|
||||||
|
indir = 'topics'
|
||||||
|
targetdir = 'target'
|
||||||
|
if len(sys.argv) > 1:
|
||||||
|
targetdir = sys.argv[1]
|
||||||
|
|
||||||
|
shutil.rmtree(os.path.join(targetdir, 'images'))
|
||||||
|
shutil.rmtree(os.path.join(targetdir, 'keycloak-images'))
|
||||||
|
shutil.rmtree(os.path.join(targetdir, 'rhsso-images'))
|
||||||
|
shutil.copytree('images',os.path.join(targetdir, 'images'))
|
||||||
|
shutil.copytree('keycloak-images',os.path.join(targetdir, 'keycloak-images'))
|
||||||
|
shutil.copytree('rhsso-images',os.path.join(targetdir, 'rhsso-images'))
|
||||||
|
|
||||||
|
tmp = os.path.join(targetdir, 'topics')
|
||||||
|
if not os.path.exists(tmp):
|
||||||
|
os.makedirs(tmp)
|
||||||
|
|
||||||
|
# transform files
|
||||||
|
for root, dirs, filenames in os.walk(indir):
|
||||||
|
for f in filenames:
|
||||||
|
transform(root,f,targetdir)
|
||||||
|
|
||||||
|
# Create master.doc includes
|
||||||
|
input = open('SUMMARY.adoc', 'r').read()
|
||||||
|
output = open(os.path.join(targetdir, 'master.adoc'), 'w')
|
||||||
|
|
||||||
|
output.write("""
|
||||||
|
:toc:
|
||||||
|
:toclevels: 3
|
||||||
|
:numbered:
|
||||||
|
|
||||||
|
include::document-attributes.adoc[]
|
||||||
|
""")
|
||||||
|
|
||||||
|
input = re.sub(r"[ ]*\.+\s*link:(.*)\[(.*)\]", "include::\g<1>[]", input)
|
||||||
|
for variable in re.findall(r"[ ]*{% if (.*?) %}", input):
|
||||||
|
tmp = variable.replace('.', '_')
|
||||||
|
input = input.replace(variable, tmp)
|
||||||
|
exp = re.compile("[ ]*{% if (.*?) %}(.*?)[ ]*{% endif %}", re.DOTALL)
|
||||||
|
input = re.sub(exp, "ifeval::[{\g<1>}==true]\g<2>endif::[]", input)
|
||||||
|
output.write(input)
|
||||||
|
|
||||||
|
# parse book.json file and create document attributes
|
||||||
|
with open('book.json') as data_file:
|
||||||
|
data = json.load(data_file)
|
||||||
|
|
||||||
|
variables = data['variables']
|
||||||
|
|
||||||
|
def makeAttributes(variables, variable, list):
|
||||||
|
for i in variables.keys():
|
||||||
|
if variable is None:
|
||||||
|
tmp = i
|
||||||
|
else:
|
||||||
|
tmp = variable + '_' + i
|
||||||
|
if isinstance(variables[i],dict):
|
||||||
|
makeAttributes(variables[i], tmp, list)
|
||||||
|
elif isinstance(variables[i],bool):
|
||||||
|
boolval = 'false'
|
||||||
|
if variables[i]:
|
||||||
|
boolval = 'true'
|
||||||
|
list.append({tmp: boolval})
|
||||||
|
else:
|
||||||
|
list.append({tmp: str(variables[i])})
|
||||||
|
|
||||||
|
|
||||||
|
attributeList = []
|
||||||
|
makeAttributes(variables, None, attributeList)
|
||||||
|
|
||||||
|
output = open(os.path.join(targetdir, 'document-attributes.adoc'), 'w')
|
||||||
|
for attribute in attributeList:
|
||||||
|
for k in attribute.keys():
|
||||||
|
output.write(':book_' + k + ": " + attribute[k] + "\n")
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
== Server Cache Configuration
|
== Server Cache Configuration
|
||||||
|
|
||||||
{{book.project.name}} has two types of caches. One type of cache sits in front of the database to decrease load on the DB
|
{{book.project.name}} has two types of caches. One type of cache sits in front of the database to decrease load on the DB
|
||||||
|
|
1
topics/cache/clear.adoc
vendored
1
topics/cache/clear.adoc
vendored
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Clearing Caches at Runtime
|
=== Clearing Caches at Runtime
|
||||||
|
|
||||||
To clear the realm or user cache, go to the {{book.project.name}} admin console Realm Settings->Cache Config page.
|
To clear the realm or user cache, go to the {{book.project.name}} admin console Realm Settings->Cache Config page.
|
||||||
|
|
1
topics/cache/disable.adoc
vendored
1
topics/cache/disable.adoc
vendored
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Disabling Caching
|
=== Disabling Caching
|
||||||
|
|
||||||
To disable the realm or user cache, you must edit the `keycloak-server.json` file in your distribution. Where
|
To disable the realm or user cache, you must edit the `keycloak-server.json` file in your distribution. Where
|
||||||
|
|
1
topics/cache/eviction.adoc
vendored
1
topics/cache/eviction.adoc
vendored
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Eviction and Expiration
|
=== Eviction and Expiration
|
||||||
|
|
||||||
There are multiple different caches configured for {{book.project.name}}.
|
There are multiple different caches configured for {{book.project.name}}.
|
||||||
|
|
1
topics/cache/replication.adoc
vendored
1
topics/cache/replication.adoc
vendored
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Replication and Failover
|
=== Replication and Failover
|
||||||
|
|
||||||
The `sessions`, `offlineSessions` and `loginFailures` caches are the only caches that may perform replication. Entries are
|
The `sessions`, `offlineSessions` and `loginFailures` caches are the only caches that may perform replication. Entries are
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
[[_clustering]]
|
[[_clustering]]
|
||||||
== Clustering
|
== Clustering
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Booting the Cluster
|
=== Booting the Cluster
|
||||||
|
|
||||||
Booting {{book.project.name}} in a cluster depends on your <<fake/../../operating-mode.adoc#_operating-mode, operating mode>>
|
Booting {{book.project.name}} in a cluster depends on your <<fake/../../operating-mode.adoc#_operating-mode, operating mode>>
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Clustering Example
|
=== Clustering Example
|
||||||
|
|
||||||
{{book.project.name}} does come with an out of the box clustering demo that leverages domain mode. Review the
|
{{book.project.name}} does come with an out of the box clustering demo that leverages domain mode. Review the
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Setting Up a Load Balancer
|
=== Setting Up a Load Balancer
|
||||||
|
|
||||||
This section only covers configuring the built in load balancer that is discussed in the
|
This section only covers configuring the built in load balancer that is discussed in the
|
||||||
|
@ -59,7 +60,7 @@ binding needs to point to the host and port of the new host.
|
||||||
</socket-binding-group>
|
</socket-binding-group>
|
||||||
----
|
----
|
||||||
|
|
||||||
=== Master Bind Addresses
|
==== Master Bind Addresses
|
||||||
|
|
||||||
Next thing you'll have to do is to change the `public` and `management` bind addresses for the master host. Either
|
Next thing you'll have to do is to change the `public` and `management` bind addresses for the master host. Either
|
||||||
edit the _domain.xml_ file as discussed in the <<fake/../../network/bind-address.adoc#_bind-address, Bind Addresses>> chapter
|
edit the _domain.xml_ file as discussed in the <<fake/../../network/bind-address.adoc#_bind-address, Bind Addresses>> chapter
|
||||||
|
@ -70,7 +71,7 @@ or specify these bind addresses on the command line as follows:
|
||||||
$ domain.sh --host-config=host-master.xml -Djboss.bind.address=192.168.0.2 -Djboss.bind.address.management=192.168.0.2
|
$ domain.sh --host-config=host-master.xml -Djboss.bind.address=192.168.0.2 -Djboss.bind.address.management=192.168.0.2
|
||||||
----
|
----
|
||||||
|
|
||||||
=== Host Slave Bind Addresses
|
==== Host Slave Bind Addresses
|
||||||
|
|
||||||
Next you'll have to change the `public`, `management`, and domain controller bind addresses (`jboss.domain.master-address`). Either edit the
|
Next you'll have to change the `public`, `management`, and domain controller bind addresses (`jboss.domain.master-address`). Either edit the
|
||||||
_host-slave.xml_ file or specify them on the command line as follows:
|
_host-slave.xml_ file or specify them on the command line as follows:
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Multicast Network Setup
|
=== Multicast Network Setup
|
||||||
|
|
||||||
Out of the box clustering support has a need to for IP Multicast. Multicast is a network broadcast protocol. This protocol
|
Out of the box clustering support has a need to for IP Multicast. Multicast is a network broadcast protocol. This protocol
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Recommended Network Architecture
|
=== Recommended Network Architecture
|
||||||
|
|
||||||
The recommended network architecture for deploying {{book.project.name}} is to set up an HTTP/HTTPS load balancer on
|
The recommended network architecture for deploying {{book.project.name}} is to set up an HTTP/HTTPS load balancer on
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
[[_clustering_db_lock]]
|
[[_clustering_db_lock]]
|
||||||
=== Serialized Cluster Startup
|
=== Serialized Cluster Startup
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Troubleshooting
|
=== Troubleshooting
|
||||||
|
|
||||||
Note that when you run cluster, you should see message similar to this in the log of both cluster nodes:
|
Note that when you run cluster, you should see message similar to this in the log of both cluster nodes:
|
||||||
|
@ -16,3 +17,6 @@ Default values are UDP port 55200 and multicast port 45688 with multicast addres
|
||||||
Note that you may need more ports opened if you want to enable additional features like diagnostics for your JGroups stack.
|
Note that you may need more ports opened if you want to enable additional features like diagnostics for your JGroups stack.
|
||||||
{{book.project.name}} delegates most of the clustering work to Infinispan/JGroups.
|
{{book.project.name}} delegates most of the clustering work to Infinispan/JGroups.
|
||||||
Please consult the link:{{book.appserver.jgroups.link}}[JGroups] chapter of the {{book.appserver.jgroups.name}}.
|
Please consult the link:{{book.appserver.jgroups.link}}[JGroups] chapter of the {{book.appserver.jgroups.name}}.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== RDBMS Setup Checklist
|
=== RDBMS Setup Checklist
|
||||||
|
|
||||||
These are the steps you will need to perform to get an RDBMS configured for {{book.project.name}}.
|
These are the steps you will need to perform to get an RDBMS configured for {{book.project.name}}.
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Modify the {{book.project.name}} Datasource
|
=== Modify the {{book.project.name}} Datasource
|
||||||
|
|
||||||
After declaring your JDBC driver, you have to modify the existing datasource configuration that {{book.project.name}} uses
|
After declaring your JDBC driver, you have to modify the existing datasource configuration that {{book.project.name}} uses
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Hibernate Configuration
|
=== Hibernate Configuration
|
||||||
|
|
||||||
The Hibernate persistence API is already pre-configured out of the box and rarely needs to be changed.
|
The Hibernate persistence API is already pre-configured out of the box and rarely needs to be changed.
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Package the JDBC Driver
|
=== Package the JDBC Driver
|
||||||
|
|
||||||
Find and download the JDBC driver JAR for your RDBMS. Before you can use this driver, you must package it up into a module
|
Find and download the JDBC driver JAR for your RDBMS. Before you can use this driver, you must package it up into a module
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
== Installation
|
== Installation
|
||||||
|
|
||||||
Installing {{book.project.name}} is as simple as downloading it and unzipping it. This chapter reviews system requirements
|
Installing {{book.project.name}} is as simple as downloading it and unzipping it. This chapter reviews system requirements
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Distribution Directory Structure
|
=== Distribution Directory Structure
|
||||||
|
|
||||||
This chapter walks you through the directory structure of the server distribution.
|
This chapter walks you through the directory structure of the server distribution.
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Installing Distribution Files
|
=== Installing Distribution Files
|
||||||
|
|
||||||
The Keycloak Server has three downloadable distributions:
|
The Keycloak Server has three downloadable distributions:
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Installing Distribution Files
|
=== Installing Distribution Files
|
||||||
|
|
||||||
The {{book.project.name}} Server is contained in one distribution file:
|
The {{book.project.name}} Server is contained in one distribution file:
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== System Requirements
|
=== System Requirements
|
||||||
|
|
||||||
These are the requirements to run the {{book.project.name}} authentication server:
|
These are the requirements to run the {{book.project.name}} authentication server:
|
||||||
|
|
|
@ -7,7 +7,8 @@ shown how to edit the _standalone.xml_ or _domain.xml_ directly. This must be d
|
||||||
Additionally, you may be shown how to apply config changes on a running server using the app server's command line interface ({{books.appserver.name}} CLI). This chapter discusses
|
Additionally, you may be shown how to apply config changes on a running server using the app server's command line interface ({{books.appserver.name}} CLI). This chapter discusses
|
||||||
how you will do this.
|
how you will do this.
|
||||||
|
|
||||||
=== Start the {{books.appserver.name}} CLI
|
|
||||||
|
=== Start the {{book.appserver.name}} CLI
|
||||||
|
|
||||||
To start the {{books.appserver.name}} CLI, you need to run the `jboss-cli` script.
|
To start the {{books.appserver.name}} CLI, you need to run the `jboss-cli` script.
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
[[_mongo]]
|
[[_mongo]]
|
||||||
|
|
||||||
== Mongo DB Setup
|
== Mongo DB Setup
|
||||||
|
@ -94,6 +95,6 @@ Therefore, a configuration like the following
|
||||||
----
|
----
|
||||||
will authenticate the user against the authentication database, but store all keycloak related data in the keycloak database.
|
will authenticate the user against the authentication database, but store all keycloak related data in the keycloak database.
|
||||||
|
|
||||||
==== MongoDB Replica Sets
|
=== MongoDB Replica Sets
|
||||||
|
|
||||||
In order to use a mongo replica set for Keycloak, one has to use URI based configuration, which supports the definition of replica sets out of the box: `mongodb://host1:27017,host2:27017,host3:27017/`.
|
In order to use a mongo replica set for Keycloak, one has to use URI based configuration, which supports the definition of replica sets out of the box: `mongodb://host1:27017,host2:27017,host3:27017/`.
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
[[_network]]
|
[[_network]]
|
||||||
|
|
||||||
== Network Setup
|
== Network Setup
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
[[_bind-address]]
|
[[_bind-address]]
|
||||||
|
|
||||||
=== Bind Addresses
|
=== Bind Addresses
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Setting up HTTPS/SSL
|
=== Setting up HTTPS/SSL
|
||||||
|
|
||||||
WARNING: {{book.project.name}} is not set up by default to handle SSL/HTTPS.
|
WARNING: {{book.project.name}} is not set up by default to handle SSL/HTTPS.
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Outgoing HTTP Requests
|
=== Outgoing HTTP Requests
|
||||||
|
|
||||||
The {{book.project.name}} server often needs to make non-browser HTTP requests to the applications and services it secures.
|
The {{book.project.name}} server often needs to make non-browser HTTP requests to the applications and services it secures.
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
[[_ports]]
|
[[_ports]]
|
||||||
|
|
||||||
=== Socket Port Bindings
|
=== Socket Port Bindings
|
||||||
|
|
|
@ -1,610 +0,0 @@
|
||||||
[[_server_installation]]
|
|
||||||
|
|
||||||
= Installation and Configuration of Keycloak Server
|
|
||||||
|
|
||||||
== Installation
|
|
||||||
|
|
||||||
Keycloak Server has three downloadable distributions.
|
|
||||||
To run the Keycloak server you need to have Java 8 already installed.
|
|
||||||
|
|
||||||
* keycloak-.[zip|tar.gz]
|
|
||||||
* keycloak-overlay-.[zip|tar.gz]
|
|
||||||
* keycloak-demo-.[zip|tar.gz]
|
|
||||||
|
|
||||||
[[_server_install]]
|
|
||||||
=== Install Standalone Server
|
|
||||||
|
|
||||||
For production and for non-JavaEE developers we recommend using the standalone Keycloak server.
|
|
||||||
All you need to do is to download `keycloak-.zip` or `keycloak-.tar.gz`, unpackage and start to have a Keycloak server up and running.
|
|
||||||
|
|
||||||
To install first download either the zip or tar.gz and extract.
|
|
||||||
Then start by running either:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
keycloak-/bin/standalone.sh
|
|
||||||
----
|
|
||||||
or:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
keycloak-/bin/standalone.bat
|
|
||||||
----
|
|
||||||
|
|
||||||
[[_overlay_install]]
|
|
||||||
=== Install on existing WildFly or JBoss EAP
|
|
||||||
|
|
||||||
Keycloak can be installed into an existing installations of WildFly or JBoss EAP . To do this download `keycloak-overlay-.zip` or `keycloak-overlay-.tar.gz`.
|
|
||||||
Once downloaded extract into the root directory of your installation.
|
|
||||||
|
|
||||||
To add Keycloak to existing standalone.xml server config run:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
bin/jboss-cli.sh --file=bin/keycloak-install.cli
|
|
||||||
----
|
|
||||||
To add Keycloak to existing standalone-ha.xml server config run:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
bin/jboss-cli.sh --file=bin/keycloak-install-ha.cli
|
|
||||||
----
|
|
||||||
If you want to add Keycloak to a different server config edit `keycloak-install.cli` or `keycloak-install-ha.cli` and change the name of the server config.
|
|
||||||
|
|
||||||
=== Install Development Bundle
|
|
||||||
|
|
||||||
The demo bundle contains everything you need to get started with Keycloak including documentation and examples.
|
|
||||||
To install it first download `keycloak-demo-.zip` or `keycloak-demo-.tar.gz`.
|
|
||||||
Once downloaded extract it inside `keycloak-demo-` you'll find `keycloak` which contains a full WildFly server with Keycloak Server and Adapters included.
|
|
||||||
You'll also find `docs` and `examples` which contains everything you need to get started developing applications that use Keycloak.
|
|
||||||
|
|
||||||
To start WildFly with Keycloak run:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
keycloak-/bin/standalone.sh
|
|
||||||
----
|
|
||||||
or:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
keycloak-/bin/standalone.bat
|
|
||||||
----
|
|
||||||
|
|
||||||
== Configuring the Server
|
|
||||||
|
|
||||||
Although the Keycloak Server is designed to run out of the box, there's some things you'll need to configure before you go into production.
|
|
||||||
Specifically:
|
|
||||||
|
|
||||||
* Configuring Keycloak to use a production database
|
|
||||||
* Setting up SSL/HTTPS
|
|
||||||
* Enforcing HTTPS connections
|
|
||||||
|
|
||||||
=== Admin User
|
|
||||||
|
|
||||||
To access the admin console to configure Keycloak you need an account to login.
|
|
||||||
There is no built in user, instead you have to first create an admin account.
|
|
||||||
This can done either by opening http://localhost:8080/auth (creating a user through the browser can only be done through localhost) or you can use the add-user script from the command-line.
|
|
||||||
|
|
||||||
The `add-user` script creates a temporary file with the details of the user, which are imported at startup.
|
|
||||||
To add a user with this script run:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
bin/add-user.[sh|bat] -r master -u <username> -p <password>
|
|
||||||
----
|
|
||||||
Then restart the server.
|
|
||||||
For `keycloak-overlay`, please make sure to use:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
bin/add-user-keycloak.[sh|bat] -r master -u <username> -p <password>
|
|
||||||
----
|
|
||||||
|
|
||||||
=== Relational Database Configuration
|
|
||||||
|
|
||||||
You might want to use a better relational database for Keycloak like PostgreSQL or MySQL.
|
|
||||||
You might also want to tweak the configuration settings of the datasource.
|
|
||||||
Please see the https://docs.jboss.org/author/display/WFLY8/DataSource+configuration[Wildfly] documentation on how to do this.
|
|
||||||
|
|
||||||
Keycloak runs on a Hibernate/JPA backend which is configured in the `standalone/configuration/keycloak-server.json`.
|
|
||||||
By default the setting is like this:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
"connectionsJpa": {
|
|
||||||
"default": {
|
|
||||||
"dataSource": "java:jboss/datasources/KeycloakDS",
|
|
||||||
"databaseSchema": "update"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
----
|
|
||||||
Possible configuration options are:
|
|
||||||
|
|
||||||
dataSource::
|
|
||||||
JNDI name of the dataSource
|
|
||||||
|
|
||||||
jta::
|
|
||||||
boolean property to specify if datasource is JTA capable
|
|
||||||
|
|
||||||
driverDialect::
|
|
||||||
Value of Hibernate dialect.
|
|
||||||
In most cases you don't need to specify this property as dialect will be autodetected by Hibernate.
|
|
||||||
|
|
||||||
databaseSchema::
|
|
||||||
Specify if schema should be updated or validated.
|
|
||||||
Valid values are "update" and "validate" ("update is default).
|
|
||||||
|
|
||||||
showSql::
|
|
||||||
Specify whether Hibernate should show all SQL commands in the console (false by default)
|
|
||||||
|
|
||||||
formatSql::
|
|
||||||
Specify whether Hibernate should format SQL commands (true by default)
|
|
||||||
|
|
||||||
globalStatsInterval::
|
|
||||||
Will log global statistics from Hibernate about executed DB queries and other things.
|
|
||||||
Statistics are always reported to server log at specified interval (in seconds) and are cleared after each report.
|
|
||||||
|
|
||||||
schema::
|
|
||||||
Specify the database schema to use
|
|
||||||
|
|
||||||
===== Tested databases
|
|
||||||
|
|
||||||
Here is list of RDBMS databases and corresponding JDBC drivers, which were tested with Keycloak.
|
|
||||||
Note that Hibernate dialect is usually set automatically according to your database, but you have possibility to override if default dialect doesn't work correctly.
|
|
||||||
You can setup dialect by adding property `driverDialect` to the `keycloak-server.json` into `connectionsJpa` section (see above).
|
|
||||||
|
|
||||||
.Tested databases
|
|
||||||
[cols="1,1,1", frame="all", options="header"]
|
|
||||||
|===
|
|
||||||
| Database
|
|
||||||
| JDBC driver
|
|
||||||
| Hibernate Dialect
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|===
|
|
||||||
|
|
||||||
=== MongoDB based model
|
|
||||||
|
|
||||||
Keycloak provides http://www.mongodb.com[MongoDB] based model implementation, which means that your identity data will be saved in MongoDB instead of traditional RDBMS.
|
|
||||||
To configure Keycloak to use Mongo open `standalone/configuration/keycloak-server.json` in your favourite editor, then change:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
"eventsStore": {
|
|
||||||
"provider": "jpa",
|
|
||||||
"jpa": {
|
|
||||||
"exclude-events": [ "REFRESH_TOKEN" ]
|
|
||||||
}
|
|
||||||
},
|
|
||||||
|
|
||||||
"realm": {
|
|
||||||
"provider": "jpa"
|
|
||||||
},
|
|
||||||
|
|
||||||
"user": {
|
|
||||||
"provider": "${keycloak.user.provider:jpa}"
|
|
||||||
},
|
|
||||||
----
|
|
||||||
to:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
"eventsStore": {
|
|
||||||
"provider": "mongo",
|
|
||||||
"mongo": {
|
|
||||||
"exclude-events": [ "REFRESH_TOKEN" ]
|
|
||||||
}
|
|
||||||
},
|
|
||||||
|
|
||||||
"realm": {
|
|
||||||
"provider": "mongo"
|
|
||||||
},
|
|
||||||
|
|
||||||
"user": {
|
|
||||||
"provider": "mongo"
|
|
||||||
},
|
|
||||||
----
|
|
||||||
And at the end of the file add the snippet like this where you can configure details about your Mongo database:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
"connectionsMongo": {
|
|
||||||
"default": {
|
|
||||||
"host": "127.0.0.1",
|
|
||||||
"port": "27017",
|
|
||||||
"db": "keycloak",
|
|
||||||
"connectionsPerHost": 100,
|
|
||||||
"databaseSchema": "update"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
----
|
|
||||||
All configuration options are optional.
|
|
||||||
Default values for host and port are localhost and 27017.
|
|
||||||
Default name of database is `keycloak` . You can also specify properties `user` and `password` if you want authenticate against your MongoDB.
|
|
||||||
If user and password are not specified, Keycloak will connect unauthenticated to your MongoDB.
|
|
||||||
|
|
||||||
Finally there is set of optional configuration options, which can be used to specify connection-pooling capabilities of Mongo client.
|
|
||||||
Supported int options are: `connectionsPerHost`, `threadsAllowedToBlockForConnectionMultiplier`, `maxWaitTime`, `connectTimeout` `socketTimeout`.
|
|
||||||
Supported boolean options are: `socketKeepAlive`, `autoConnectRetry`.
|
|
||||||
Supported long option is `maxAutoConnectRetryTime`.
|
|
||||||
See http://api.mongodb.org/java/2.11.4/com/mongodb/MongoClientOptions.html[Mongo documentation] for details about those options and their default values.
|
|
||||||
|
|
||||||
Alternatively, you can configure MongoDB using a MongoDB http://docs.mongodb.org/manual/reference/connection-string/[connection URI].
|
|
||||||
In this case, you define all information concerning the connection and authentication within the URI, as described in the MongoDB documentation.
|
|
||||||
Please note that the database specified within the URI is only used for authentication.
|
|
||||||
To change the database used by keycloak you have to set `db` property as before.
|
|
||||||
Therefore, a configuration like the following
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
"connectionsMongo": {
|
|
||||||
"default": {
|
|
||||||
"uri": "mongodb://user:password@127.0.0.1/authentication",
|
|
||||||
"db": "keycloak"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
----
|
|
||||||
will authenticate the user against the authentication database, but store all keycloak related data in the keycloak database.
|
|
||||||
|
|
||||||
==== MongoDB Replica Sets
|
|
||||||
|
|
||||||
In order to use a mongo replica set for Keycloak, one has to use URI based configuration, which supports the definition of replica sets out of the box: `mongodb://host1:27017,host2:27017,host3:27017/`.
|
|
||||||
|
|
||||||
=== Outgoing Server HTTP Requests
|
|
||||||
|
|
||||||
Keycloak server needs to invoke on remote HTTP endpoints to do things like backchannel logouts and other management functions.
|
|
||||||
Keycloak maintains a HTTP client connection pool which has various configuration settings you can specify before boot time.
|
|
||||||
This is configured in the `standalone/configuration/keycloak-server.json`.
|
|
||||||
By default the setting is like this:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
"connectionsHttpClient": {
|
|
||||||
"default": {}
|
|
||||||
},
|
|
||||||
----
|
|
||||||
Possible configuration options are:
|
|
||||||
|
|
||||||
establish-connection-timeout-millis::
|
|
||||||
Timeout for establishing a socket connection.
|
|
||||||
|
|
||||||
socket-timeout-millis::
|
|
||||||
If an outgoing request does not receive data for this amount of time, timeout the connection.
|
|
||||||
|
|
||||||
connection-pool-size::
|
|
||||||
How many connections can be in the pool (128 by default).
|
|
||||||
|
|
||||||
max-pooled-per-route::
|
|
||||||
How many connections can be pooled per host (64 by default).
|
|
||||||
|
|
||||||
connection-ttl-millis::
|
|
||||||
Maximum connection time to live in milliseconds.
|
|
||||||
Not set by default.
|
|
||||||
|
|
||||||
max-connection-idle-time-millis::
|
|
||||||
Maximum time the connection might stay idle in the connection pool (900 seconds by default). Will start background cleaner thread of Apache HTTP client.
|
|
||||||
Set to -1 to disable this checking and the background thread.
|
|
||||||
|
|
||||||
disable-cookies::
|
|
||||||
`true` by default.
|
|
||||||
When set to true, this will disable any cookie caching.
|
|
||||||
|
|
||||||
client-keystore::
|
|
||||||
This is the file path to a Java keystore file.
|
|
||||||
This keystore contains client certificate for two-way SSL.
|
|
||||||
|
|
||||||
client-keystore-password::
|
|
||||||
Password for the client keystore.
|
|
||||||
This is _REQUIRED_ if `client-keystore` is set.
|
|
||||||
|
|
||||||
client-key-password::
|
|
||||||
_Not supported yet, but we will support in future versions. Password for the client's key.
|
|
||||||
This is _REQUIRED_ if `client-keystore` is set.
|
|
||||||
|
|
||||||
[[_truststore]]
|
|
||||||
=== Securing Outgoing Server HTTP Requests
|
|
||||||
|
|
||||||
When Keycloak connects out to remote HTTP endpoints over secure https connection, it has to validate the other server's certificate in order to ensure it is connecting to a trusted server.
|
|
||||||
That is necessary in order to prevent man-in-the-middle attacks.
|
|
||||||
|
|
||||||
How certificates are validated is configured in the `standalone/configuration/keycloak-server.json`.
|
|
||||||
By default truststore provider is not configured, and any https connections fall back to standard java truststore configuration as described in https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html[
|
|
||||||
Java's JSSE Reference Guide] - using `javax.net.ssl.trustStore system property`, otherwise `cacerts` file that comes with java is used.
|
|
||||||
|
|
||||||
Truststore is used when connecting securely to identity brokers, LDAP identity providers, when sending emails, and for backchannel communication with client applications.
|
|
||||||
Some of these facilities may - in case when no trusted certificate is found in your configured truststore - fallback to using the JSSE provided truststore.
|
|
||||||
The default JavaMail API implementation used to send out emails behaves in this way, for example.
|
|
||||||
|
|
||||||
You can add your truststore configuration by using the following template:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
"truststore": {
|
|
||||||
"file": {
|
|
||||||
"file": "path to your .jks file containing public certificates",
|
|
||||||
"password": "password",
|
|
||||||
"hostname-verification-policy": "WILDCARD",
|
|
||||||
"disabled": false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
----
|
|
||||||
|
|
||||||
Possible configuration options are:
|
|
||||||
|
|
||||||
file::
|
|
||||||
The value is the file path to a Java keystore file.
|
|
||||||
HTTPS requests need a way to verify the host of the server they are talking to.
|
|
||||||
This is what the trustore does.
|
|
||||||
The keystore contains one or more trusted host certificates or certificate authorities.
|
|
||||||
Truststore file should only contain public certificates of your secured hosts.
|
|
||||||
This is _REQUIRED_ if `disabled` is not true.
|
|
||||||
|
|
||||||
password::
|
|
||||||
Password for the truststore.
|
|
||||||
This is _REQUIRED_ if `disabled` is not true.
|
|
||||||
|
|
||||||
hostname-verification-policy::
|
|
||||||
`WILDCARD` by default.
|
|
||||||
For HTTPS requests, this verifies the hostname of the server's certificate.
|
|
||||||
`ANY` means that the hostname is not verified. `WILDCARD` Allows wildcards in subdomain names i.e.
|
|
||||||
*.foo.com. `STRICT` CN must match hostname exactly.
|
|
||||||
|
|
||||||
disabled::
|
|
||||||
If true (default value), truststore configuration will be ignored, and certificate checking will fall back to JSSE configuration as described.
|
|
||||||
If set to false, you must configure `file`, and `password` for the truststore.
|
|
||||||
|
|
||||||
You can use _keytool_ to create a new truststore file and add trusted host certificates to it:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
$ keytool -import -alias HOSTDOMAIN -keystore truststore.jks -file host-certificate.cer
|
|
||||||
----
|
|
||||||
|
|
||||||
[[_ssl_modes]]
|
|
||||||
=== SSL/HTTPS Requirement/Modes
|
|
||||||
|
|
||||||
WARNING: Keycloak is not set up by default to handle SSL/HTTPS.
|
|
||||||
It is highly recommended that you either enable SSL on the Keycloak server itself or on a reverse proxy in front of the Keycloak server.
|
|
||||||
|
|
||||||
Keycloak can run out of the box without SSL so long as you stick to private IP addresses like localhost, 127.0.0.1, 10.0.x.x, 192.168.x.x, and 172..16.x.x.
|
|
||||||
If you try to access Keycloak from a non-IP adress you will get an error.
|
|
||||||
|
|
||||||
Keycloak has 3 SSL/HTTPS modes which you can set up in the admin console under the Settings->Login page and the `Require SSL` select box.
|
|
||||||
Each adapter config should mirror this server-side setting.
|
|
||||||
See adapter config section for more details.
|
|
||||||
|
|
||||||
external::
|
|
||||||
Keycloak can run out of the box without SSL so long as you stick to private IP addresses like localhost, 127.0.0.1, 10.0.x.x, 192.168.x.x, and 172..16.x.x.
|
|
||||||
If you try to access Keycloak from a non-IP adress you will get an error.
|
|
||||||
|
|
||||||
none::
|
|
||||||
Keycloak does not require SSL.
|
|
||||||
|
|
||||||
all::
|
|
||||||
Keycloak requires SSL for all IP addresses.
|
|
||||||
|
|
||||||
=== SSL/HTTPS Setup
|
|
||||||
|
|
||||||
First enable SSL on Keycloak or on a reverse proxy in front of Keycloak.
|
|
||||||
Then configure the Keycloak Server to enforce HTTPS connections.
|
|
||||||
|
|
||||||
==== Enable SSL on Keycloak
|
|
||||||
|
|
||||||
The following things need to be done
|
|
||||||
|
|
||||||
* keytool
|
|
||||||
* Enable Wildfly to use this certificate and turn on SSL/HTTPS.
|
|
||||||
|
|
||||||
===== Creating the Certificate and Java Keystore
|
|
||||||
|
|
||||||
In order to allow HTTPS connections, you need to obtain a self signed or third-party signed certificate and import it into a Java keystore before you can enable HTTPS in the web container you are deploying the Keycloak Server to.
|
|
||||||
|
|
||||||
====== Self Signed Certificate
|
|
||||||
|
|
||||||
In development, you will probably not have a third party signed certificate available to test a Keycloak deployment so you'll need to generate a self-signed on.
|
|
||||||
Generate one is very easy to do with the `keytool` utility that comes with the Java jdk.
|
|
||||||
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
$ keytool -genkey -alias localhost -keyalg RSA -keystore keycloak.jks -validity 10950
|
|
||||||
Enter keystore password: secret
|
|
||||||
Re-enter new password: secret
|
|
||||||
What is your first and last name?
|
|
||||||
[Unknown]: localhost
|
|
||||||
What is the name of your organizational unit?
|
|
||||||
[Unknown]: Keycloak
|
|
||||||
What is the name of your organization?
|
|
||||||
[Unknown]: Red Hat
|
|
||||||
What is the name of your City or Locality?
|
|
||||||
[Unknown]: Westford
|
|
||||||
What is the name of your State or Province?
|
|
||||||
[Unknown]: MA
|
|
||||||
What is the two-letter country code for this unit?
|
|
||||||
[Unknown]: US
|
|
||||||
Is CN=localhost, OU=Keycloak, O=Test, L=Westford, ST=MA, C=US correct?
|
|
||||||
[no]: yes
|
|
||||||
----
|
|
||||||
|
|
||||||
You should answer `What is your first and last name ?` question with the DNS name of the machine you're installing the server on.
|
|
||||||
For testing purposes, `localhost` should be used.
|
|
||||||
After executing this command, the `keycloak.jks` file will be generated in the same directory as you executed the `keytool` command in.
|
|
||||||
|
|
||||||
If you want a third-party signed certificate, but don't have one, you can obtain one for free at http://cacert.org[cacert.org].
|
|
||||||
You'll have to do a little set up first before doing this though.
|
|
||||||
|
|
||||||
The first thing to do is generate a Certificate Request:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
$ keytool -certreq -alias yourdomain -keystore keycloak.jks > keycloak.careq
|
|
||||||
----
|
|
||||||
|
|
||||||
Where `yourdomain` is a DNS name for which this certificate is generated for.
|
|
||||||
Keytool generates the request:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
-----BEGIN NEW CERTIFICATE REQUEST-----
|
|
||||||
MIIC2jCCAcICAQAwZTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMREwDwYDVQQHEwhXZXN0Zm9y
|
|
||||||
ZDEQMA4GA1UEChMHUmVkIEhhdDEQMA4GA1UECxMHUmVkIEhhdDESMBAGA1UEAxMJbG9jYWxob3N0
|
|
||||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr7kck2TaavlEOGbcpi9c0rncY4HhdzmY
|
|
||||||
Ax2nZfq1eZEaIPqI5aTxwQZzzLDK9qbeAd8Ji79HzSqnRDxNYaZu7mAYhFKHgixsolE3o5Yfzbw1
|
|
||||||
29Rvy+eUVe+WZxv5oo9wolVVpdSINIMEL2LaFhtX/c1dqiqYVpfnvFshZQaIg2nL8juzZcBjj4as
|
|
||||||
H98gIS7khql/dkZKsw9NLvyxgJvp7PaXurX29fNf3ihG+oFrL22oFyV54BWWxXCKU/GPn61EGZGw
|
|
||||||
Ft2qSIGLdctpMD1aJR2bcnlhEjZKDksjQZoQ5YMXaAGkcYkG6QkgrocDE2YXDbi7GIdf9MegVJ35
|
|
||||||
2DQMpwIDAQABoDAwLgYJKoZIhvcNAQkOMSEwHzAdBgNVHQ4EFgQUQwlZJBA+fjiDdiVzaO9vrE/i
|
|
||||||
n2swDQYJKoZIhvcNAQELBQADggEBAC5FRvMkhal3q86tHPBYWBuTtmcSjs4qUm6V6f63frhveWHf
|
|
||||||
PzRrI1xH272XUIeBk0gtzWo0nNZnf0mMCtUBbHhhDcG82xolikfqibZijoQZCiGiedVjHJFtniDQ
|
|
||||||
9bMDUOXEMQ7gHZg5q6mJfNG9MbMpQaUVEEFvfGEQQxbiFK7hRWU8S23/d80e8nExgQxdJWJ6vd0X
|
|
||||||
MzzFK6j4Dj55bJVuM7GFmfdNC52pNOD5vYe47Aqh8oajHX9XTycVtPXl45rrWAH33ftbrS8SrZ2S
|
|
||||||
vqIFQeuLL3BaHwpl3t7j2lMWcK1p80laAxEASib/fAwrRHpLHBXRcq6uALUOZl4Alt8=
|
|
||||||
-----END NEW CERTIFICATE REQUEST-----
|
|
||||||
----
|
|
||||||
|
|
||||||
Send this ca request to your CA.
|
|
||||||
The CA will issue you a signed certificate and send it to you.
|
|
||||||
Before you import your new cert, you must obtain and import the root certificate of the CA.
|
|
||||||
You can download the cert from CA (ie.: root.crt) and import as follows:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
$ keytool -import -keystore keycloak.jks -file root.crt -alias root
|
|
||||||
----
|
|
||||||
|
|
||||||
Last step is import your new CA generated certificate to your keystore:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
$ keytool -import -alias yourdomain -keystore keycloak.jks -file your-certificate.cer
|
|
||||||
----
|
|
||||||
|
|
||||||
===== Installing the keystore to WildFly
|
|
||||||
|
|
||||||
Now that you have a Java keystore with the appropriate certificates, you need to configure your Wildfly installation to use it.
|
|
||||||
First step is to move the keystore file to a directory you can reference in configuration.
|
|
||||||
I like to put it in `standalone/configuration`.
|
|
||||||
Then you need to edit `standalone/configuration/standalone.xml` to enable SSL/HTTPS.
|
|
||||||
|
|
||||||
To the `security-realms` element add:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
<security-realm name="UndertowRealm">
|
|
||||||
<server-identities>
|
|
||||||
<ssl>
|
|
||||||
<keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />
|
|
||||||
</ssl>
|
|
||||||
</server-identities>
|
|
||||||
</security-realm>
|
|
||||||
----
|
|
||||||
|
|
||||||
Find the element `server name="default-server"` (it's a child element of `subsystem xmlns="urn:jboss:domain:undertow:1.0"`) and add:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
|
|
||||||
----
|
|
||||||
|
|
||||||
Check the https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration[Wildfly Undertow] documentation for more information on fine tuning the socket connections.
|
|
||||||
|
|
||||||
==== Enable SSL on a Reverse Proxy
|
|
||||||
|
|
||||||
Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak.
|
|
||||||
It is important that you make sure the web server sets the `X-Forwarded-For` and `X-Forwarded-Proto` headers on the requests made to Keycloak.
|
|
||||||
Next you need to enable `proxy-address-forwarding` on the Keycloak http connector.
|
|
||||||
Assuming that your reverse proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to.
|
|
||||||
|
|
||||||
===== Configure WildFly
|
|
||||||
|
|
||||||
. Open `standalone/configuration/standalone.xml` in your favorite editor.
|
|
||||||
|
|
||||||
. First add `proxy-address-forwarding` and `redirect-socket` to the `http-listener` element:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
<subsystem xmlns="urn:jboss:domain:undertow:1.1">
|
|
||||||
...
|
|
||||||
<http-listener name="default" socket-binding="http"
|
|
||||||
proxy-address-forwarding="true" redirect-socket="proxy-https"/>
|
|
||||||
...
|
|
||||||
</subsystem>
|
|
||||||
----
|
|
||||||
|
|
||||||
Then add a new `socket-binding` element to the `socket-binding-group` element:
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
<socket-binding-group name="standard-sockets" default-interface="public"
|
|
||||||
port-offset="${jboss.socket.binding.port-offset:0}">
|
|
||||||
...
|
|
||||||
<socket-binding name="proxy-https" port="443"/>
|
|
||||||
...
|
|
||||||
</socket-binding-group>
|
|
||||||
----
|
|
||||||
|
|
||||||
Check the https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration[WildFly] documentation for more information.
|
|
||||||
|
|
||||||
== Keycloak server in Domain Mode
|
|
||||||
|
|
||||||
In domain mode, you start the server with the "domain" command instead of the "standalone" command.
|
|
||||||
In this case, the Keycloak subsystem is defined in domain/configuration/domain.xml instead of standalone/configuration.standalone.xml.
|
|
||||||
Inside domain.xml, you will see more than one profile.
|
|
||||||
The Keycloak subsystem is defined for all initial profiles.
|
|
||||||
|
|
||||||
THe server is also added to server profiles.
|
|
||||||
By default two servers are started in the main-server-group which uses the full profile.
|
|
||||||
|
|
||||||
You need to make sure `domain/servers/SERVER NAME/configuration` is identical for all servers in a group.
|
|
||||||
|
|
||||||
To deploy custom providers and themes you should deploys these as modules and make sure the modules are available to all servers in the group.
|
|
||||||
See <<_providers,Providers>> and <<_themes,Themes>> sections for more information on how to do this.
|
|
||||||
|
|
||||||
== Installing Keycloak Server as Root Context
|
|
||||||
|
|
||||||
The Keycloak server can be installed as the default web application.
|
|
||||||
In doing so, the server can be referenced at `http://mydomain.com/` instead of `http://mydomain.com/auth`.
|
|
||||||
|
|
||||||
To do this, add the `default-web-module` attribute in the Undertow subystem in standalone.xml.
|
|
||||||
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
|
|
||||||
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
|
|
||||||
<server name="default-server">
|
|
||||||
<host name="default-host" alias="localhost" default-web-module="keycloak-server.war">
|
|
||||||
<location name="/" handler="welcome-content"/>
|
|
||||||
</host>
|
|
||||||
----
|
|
||||||
|
|
||||||
`keycloak-server.war` is the runtime name of the Keycloak server application.
|
|
||||||
Note that the WAR file does not exist as a file.
|
|
||||||
If its name changes (ie. `keycloak-server.war`) in the future, find its new name from the Keycloak log entry with `runtime-name:`.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
NOTE: If you have run your server before altering the root context, your database will contain references to the old /auth context. Your clients may also have incorrect references.
|
|
||||||
To fix this on the server side, you will need to export your database to json, make corrections, and then import.
|
|
||||||
Client-side `keycloak.json` files will need to be updated manually as well.
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
[[_openshift]]
|
[[_openshift]]
|
||||||
|
|
||||||
== Running Keycloak Server on OpenShift
|
== Running Keycloak Server on OpenShift
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
[[_operating_mode]]
|
[[_operating_mode]]
|
||||||
|
|
||||||
== Choosing an Operating Mode
|
== Choosing an Operating Mode
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
[[_domain-mode]]
|
[[_domain-mode]]
|
||||||
=== Domain Clustered Mode
|
=== Domain Clustered Mode
|
||||||
|
|
||||||
|
@ -72,7 +73,7 @@ The `auth-server-standalone` profile is a non-clustered setup. The `auth-server
|
||||||
|
|
||||||
If you scroll down further, you'll see various `socket-binding-groups` defined.
|
If you scroll down further, you'll see various `socket-binding-groups` defined.
|
||||||
|
|
||||||
.socket-binding-grous
|
.socket-binding-groups
|
||||||
[source,xml]
|
[source,xml]
|
||||||
----
|
----
|
||||||
<socket-binding-groups>
|
<socket-binding-groups>
|
||||||
|
@ -86,7 +87,8 @@ If you scroll down further, you'll see various `socket-binding-groups` defined.
|
||||||
<socket-binding-group name="load-balancer-sockets" default-interface="public">
|
<socket-binding-group name="load-balancer-sockets" default-interface="public">
|
||||||
...
|
...
|
||||||
</socket-binding-group>
|
</socket-binding-group>
|
||||||
</socket-binding-groups>----
|
</socket-binding-groups>
|
||||||
|
----
|
||||||
|
|
||||||
|
|
||||||
This config defines the default port mappings for various connectors that are opened with each
|
This config defines the default port mappings for various connectors that are opened with each
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
[[_standalone-ha-mode]]
|
[[_standalone-ha-mode]]
|
||||||
|
|
||||||
=== Standalone Clustered Mode
|
=== Standalone Clustered Mode
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
[[_standalone-mode]]
|
[[_standalone-mode]]
|
||||||
=== Standalone Mode
|
=== Standalone Mode
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
== Guide Overview
|
== Guide Overview
|
||||||
|
|
||||||
The purpose of this guide is to walk through the steps that need to be completed prior to booting up the
|
The purpose of this guide is to walk through the steps that need to be completed prior to booting up the
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
=== Recommended Additional External Documentation
|
=== Recommended Additional External Documentation
|
||||||
|
|
||||||
{{book.project.name}} is built upon a derivative of the {{book.appserver.name}} Application Server and projects embedded
|
{{book.project.name}} is built upon a derivative of the {{book.appserver.name}} Application Server and projects embedded
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
[[_proxy]]
|
[[_proxy]]
|
||||||
== Keycloak Security Proxy
|
== Keycloak Security Proxy
|
||||||
|
|
||||||
|
@ -147,7 +148,7 @@ adapter-config::
|
||||||
Same configuration as any other keycloak adapter.
|
Same configuration as any other keycloak adapter.
|
||||||
See <<_adapter_config,Adapter Config>>
|
See <<_adapter_config,Adapter Config>>
|
||||||
|
|
||||||
===== Constraint Config
|
==== Constraint Config
|
||||||
|
|
||||||
Next under each application you can define one or more constraints in the `constraints` array attribute.
|
Next under each application you can define one or more constraints in the `constraints` array attribute.
|
||||||
A constraint defines a URL pattern relative to the base-path.
|
A constraint defines a URL pattern relative to the base-path.
|
||||||
|
|
Loading…
Reference in a new issue