Installation and Configuration of Keycloak Server
The Keycloak Server has two downloadable distributions.
keycloak-appliance-dist-all-&project.version;.zip
keycloak-war-dist-all-&project.version;.zip
Appliance Install
The
keycloak-appliance-dist-all-&project.version;.zip
is quite large, but contains a complete server (backed by Wildfly)
that runs out of the box. The only thing you'll have to enable and configure is SSL. Unzipping it, the
directory layout looks
something like this:
keycloak-appliance-dist-all-&project.version;/
keycloak/
bin/
standalone.sh
standalone.bat
standalone/deployments/
auth-server.war/
standalone/configuration/
keycloak-server.json
themes/
adapters/
keycloak-as7-adapter-dist-&project.version;.zip
keycloak-eap6-adapter-dist-&project.version;.zip
keycloak-wildfly-adapter-dist-&project.version;.zip
examples/
docs/
The
standalone.sh
or
standalone.bat
script is used to start the server.
After executing that, log into the admin console at
http://localhost:8080/auth/admin/index.html.
Username: admin
Password: admin. Keycloak will then prompt you to
enter in a new password.
WAR Distribution Installation
The
keycloak-war-dist-all-&project.version;.zip
contains
just the bits you need to install keycloak on your favorite web container. We currently only support
installing it on top of an existing Wildfly 8, JBoss EAP 6.x or JBoss AS 7.1.1 distribution. We may in the
future provide directions on how to install it on another web container like Tomcat or Jetty. If anybody
in the community is interested in pulling this together, please contact us. Its mostly Maven pom work.
The directory structure of this distro looks like this:
keycloak-war-dist-all-&project.version;/
deployments/
auth-server.war/
keycloak-ds.xml
configuration/
keycloak-server.json
themes/
adapters/
keycloak-as7-adapter-dist-&project.version;.zip
keycloak-eap6-adapter-dist-&project.version;.zip
keycloak-wildfly-adapter-dist-&project.version;.zip
examples/
docs/
After unzipping this file, copy everything in deployments directory into the
standalone/deployments of your JBoss or Wildfly distro. Also, copy everything in
configuration directory into the standalone/configuration directory.
$ cd keycloak-war-dist-all-&project.version;
$ cp -r deployments $JBOSS_HOME/standalone
$ cp -r configuration $JBOSS_HOME/standalone
After these steps you should also install the client adapter
as this may contain modules the server needs (like Bouncycastle). You will also need to install the adapter
to run the examples on the same server.
After booting up the JBoss or Wildfly distro, you can then make sure it is installed properly
by logging into the admin console at
http://localhost:8080/auth/admin/index.html.
Username: admin
Password: admin. Keycloak will then prompt you to
enter in a new password.
If you have Keycloak on JBoss AS 7.1.1 these steps.
Subsystem Installation
For WildFly installations, the Keycloak server is not deployed from the /deployments directory. Instead, the Keycloak
subsystem module contains the Keycloak server and it is controlled by the subsystem. If you are using the
appliance install, this subsystem is already present and a Keycloak server is pre-defined in the subsytem declaration.
Configuring the Server
Although the Keycloak Server is designed to run out of the box, there's some things you'll need
to configure before you go into production. Specifically:
Configuring Keycloak to use a production database.
Setting up SSL/HTTPS
Enforcing HTTPS connections
Relational Database Configuration
By default, Keycloak uses a relational database to store Keycloak data. This datasource is the standalone/deployments/keycloak-ds.xml
file of your Keycloak Server installation if you used or in standalone/configuration/standalone.xml
if you used . File keycloak-ds.xml is used in WAR
distribution, so that you have datasource available out of the box and you don't need to edit standalone.xml file.
However a good thing is to always delete the file keycloak-ds.xml and move its configuration text
into the centrally managed standalone.xml file.
This will allow you to manage the database connection pool from the Wildfly/JBoss administration console. Here's what
standalone/configuration/standalone.xml should look like after you've done this:
jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSEh2sasajdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUEh2sasaorg.h2.jdbcx.JdbcDataSource
]]>
Besides moving the database config into the central standalone.xml configuration file
you might want to use a better relational database for Keycloak like PostgreSQL or MySQL. You might also
want to tweak the configuration settings of the datasource. Please see the Wildfly,
JBoss AS7,
or JBoss EAP 6.x documentation on how to do this.
Keycloak also runs on a Hibernate/JPA backend which is configured in the
standalone/configuration/keycloak-server.json.
By default the setting is like this:
Possible configuration options are:
dataSource
JNDI name of the dataSource
jta
boolean property to specify if datasource is JTA capable
driverDialect
Value of Hibernate dialect. In most cases you don't need to specify this property as dialect will be
autodetected by Hibernate.
databaseSchema
Value of database schema (Hibernate property "hibernate.hbm2ddl.auto" ).
showSql
Specify whether Hibernate should show all SQL commands in the console (false by default)
formatSql
Specify whether Hibernate should format SQL commands (true by default)
unitName
Allow you to specify name of persistence unit if you want to provide your own persistence.xml file for JPA configuration.
If this option is used, then all other configuration options are ignored as you are expected to configure
all JPA/DB properties in your own persistence.xml file. Hence you can remove properties "dataSource" and "databaseSchema" in this case.
For more info about Hibernate properties, see Hibernate and JPA documentation .
Tested databases
Here is list of RDBMS databases and corresponding JDBC drivers, which were tested with Keycloak. Note that Hibernate dialect
is usually set automatically according to your database, but in some cases, you must manually set the proper dialect,
as the default dialect may not work correctly. You can setup dialect by adding property driverDialect
to the keycloak-server.json into connectionsJpa section (see above).
Tested databasesDatabaseJDBC driverHibernate DialectH2 1.3.161H2 1.3.161autoMySQL 5.5MySQL Connector/J 5.1.25autoPostgreSQL 9.2JDBC4 Postgresql Driver, Version 9.3-1100autoOracle 11g R1Oracle JDBC Driver v11.1.0.7autoMicrosoft SQL Server 2012Microsoft SQL Server JDBC Driver 4.0.2206.100org.hibernate.dialect.SQLServer2008DialectSybase ASE 15.7JDBC(TM)/7.07 ESD #5 (Build 26792)/P/EBF20686auto
MongoDB based model
Keycloak provides MongoDB based model implementation, which means that your identity data will be saved
in MongoDB instead of traditional RDBMS. To configure Keycloak to use Mongo open standalone/configuration/keycloak-server.json
in your favourite editor, then change:
to:
And at the end of the file add the snippet like this where you can configure details about your Mongo database:
All configuration options are optional. Default values for host and port are localhost and 27017. Default name of database
is keycloak . You can also specify properties user and password
if you want authenticate against your MongoDB. If user and password are not specified, Keycloak will connect
unauthenticated to your MongoDB.
Finally there is set of optional configuration options, which can be used to specify connection-pooling capabilities of Mongo client. Supported int options are:
connectionsPerHost, threadsAllowedToBlockForConnectionMultiplier, maxWaitTime, connectTimeoutsocketTimeout. Supported boolean options are: socketKeepAlive, autoConnectRetry.
Supported long option is maxAutoConnectRetryTime. See Mongo documentation
for details about those options and their default values.
AS7 specifics
If you have Keycloak on JBoss AS 7.1.1 you need to do few other things in order to have Keycloak up and running. This includes:
Remove or comment the element from file KEYCLOAK_HOME/standalone/deployments/auth-server.war/WEB-INF/jboss-deployment-structure.xml.
]]>
Then either:
Disable webservices extension and subsystem by remove (or comment) both in KEYCLOAK_HOME/standalone/configuration/standalone.xml.
If you want to use webservices subsystem, the alternative is to remove 2 JAR files
KEYCLOAK_HOME/standalone/deployments/auth-server.war/WEB-INF/lib/keycloak-saml-protocol-&project.version;.jar
and KEYCLOAK_HOME/standalone/deployments/auth-server.war/WEB-INF/lib/picketlink-federation-&picketlink.version;.jar
but note that SAML won't work.
AS7/EAP6.x Logging
Accessing the admin console will get these annoying log messages:
WARN [org.jboss.resteasy.core.ResourceLocator] (http-/127.0.0.1:8080-3)
Field providers of subresource xxx will not be injected according to spec
These can be ignored by editing standalone.xml of your jboss installation:
]]>
SSL/HTTPS Requirement/Modes
Keycloak is not set up by default to handle SSL/HTTPS in either the
war distribution or appliance. It is highly recommended that you either enable SSL on the Keycloak server
itself or on a reverse proxy in front of the Keycloak server.
Keycloak can run out of the box without SSL so long as you stick to private IP addresses like
localhost, 127.0.0.1, 10.0.x.x, 192.168.x.x, and 172..16.x.x. If you try to access Keycloak from a
non-IP adress you will get an error.
Keycloak has 3 SSL/HTTPS modes which you can set up in the admin console under the Settings->Login page
and the Require SSL select box. Each adapter config should mirror this server-side
setting. See adapter config section for more details.
external
Keycloak can run out of the box without SSL so long as you stick to private IP addresses like
localhost, 127.0.0.1, 10.0.x.x, 192.168.x.x, and 172..16.x.x. If you try to access Keycloak from a
non-IP adress you will get an error.
none
Keycloak does not require SSL.
all
Keycloak requires SSL for all IP addresses.
SSL/HTTPS Setup
First enable SSL on Keycloak or on a reverse proxy in front of Keycloak. Then configure the Keycloak Server to enforce HTTPS connections.
Enable SSL on Keycloak
The following things need to be done
Generate a self signed or third-party signed certificate and import it into a Java keystore
using keytool.
Enable JBoss or Wildfly to use this certificate and turn on SSL/HTTPS.
Creating the Certificate and Java Keystore
In order to allow HTTPS connections, you need to obtain a self signed or third-party signed certificate
and import it into a Java keystore before you can enable HTTPS in the web container you are deploying
the Keycloak Server to.
Self Signed Certificate
In development, you will probably not have a third party signed certificate available to test
a Keycloak deployment so you'll need to generate a self-signed on. Generate one is very easy
to do with the keytool utility that comes with the Java jdk.
$ keytool -genkey -alias localhost -keyalg RSA -keystore keycloak.jks -validity 10950
Enter keystore password: secret
Re-enter new password: secret
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: Keycloak
What is the name of your organization?
[Unknown]: Red Hat
What is the name of your City or Locality?
[Unknown]: Westford
What is the name of your State or Province?
[Unknown]: MA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=localhost, OU=Keycloak, O=Test, L=Westford, ST=MA, C=US correct?
[no]: yes
You should answer the What is your first and last name? question with
the DNS name of the machine you're installing the server on. For testing purposes,
localhost should be used. After executing this command, the
keycloak.jks file will be generated in the same directory as you executed
the keytool command in.
If you want a third-party signed certificate, but don't have one, you can obtain one for free
at cacert.org. You'll have to do a little set up first
before doing this though.
The first thing to do is generate a Certificate Request:
$ keytool -certreq -alias yourdomain -keystore keycloak.jks > keycloak.careq
Where yourdomain is a DNS name for which this certificate is generated for.
Keytool generates the request:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC2jCCAcICAQAwZTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMREwDwYDVQQHEwhXZXN0Zm9y
ZDEQMA4GA1UEChMHUmVkIEhhdDEQMA4GA1UECxMHUmVkIEhhdDESMBAGA1UEAxMJbG9jYWxob3N0
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr7kck2TaavlEOGbcpi9c0rncY4HhdzmY
Ax2nZfq1eZEaIPqI5aTxwQZzzLDK9qbeAd8Ji79HzSqnRDxNYaZu7mAYhFKHgixsolE3o5Yfzbw1
29Rvy+eUVe+WZxv5oo9wolVVpdSINIMEL2LaFhtX/c1dqiqYVpfnvFshZQaIg2nL8juzZcBjj4as
H98gIS7khql/dkZKsw9NLvyxgJvp7PaXurX29fNf3ihG+oFrL22oFyV54BWWxXCKU/GPn61EGZGw
Ft2qSIGLdctpMD1aJR2bcnlhEjZKDksjQZoQ5YMXaAGkcYkG6QkgrocDE2YXDbi7GIdf9MegVJ35
2DQMpwIDAQABoDAwLgYJKoZIhvcNAQkOMSEwHzAdBgNVHQ4EFgQUQwlZJBA+fjiDdiVzaO9vrE/i
n2swDQYJKoZIhvcNAQELBQADggEBAC5FRvMkhal3q86tHPBYWBuTtmcSjs4qUm6V6f63frhveWHf
PzRrI1xH272XUIeBk0gtzWo0nNZnf0mMCtUBbHhhDcG82xolikfqibZijoQZCiGiedVjHJFtniDQ
9bMDUOXEMQ7gHZg5q6mJfNG9MbMpQaUVEEFvfGEQQxbiFK7hRWU8S23/d80e8nExgQxdJWJ6vd0X
MzzFK6j4Dj55bJVuM7GFmfdNC52pNOD5vYe47Aqh8oajHX9XTycVtPXl45rrWAH33ftbrS8SrZ2S
vqIFQeuLL3BaHwpl3t7j2lMWcK1p80laAxEASib/fAwrRHpLHBXRcq6uALUOZl4Alt8=
-----END NEW CERTIFICATE REQUEST-----
Send this ca request to your CA. The CA will issue you a signed certificate and send it to you.
Before you import your new cert, you must obtain and import the root certificate of the CA.
You can download the cert from CA (ie.: root.crt) and import as follows:
$ keytool -import -keystore keycloak.jks -file root.crt -alias root
Last step is import your new CA generated certificate to your keystore:
$ keytool -import -alias yourdomain -keystore keycloak.jks -file your-certificate.cer
Installing the keystore to WildFly
Now that you have a Java keystore with the appropriate certificates, you need to configure your
Wildfly installation to use it. First step is to move the keystore file to a directory
you can reference in configuration. I like to put it in standalone/configuration.
Then you need to edit standalone/configuration/standalone.xml to enable SSL/HTTPS.
To the security-realms element add:
]]>
Find the element <server name="default-server"> (it's a child element of <subsystem xmlns="urn:jboss:domain:undertow:1.0">) and add:
]]>
Check the Wildfly Undertow documentation for more information on fine tuning the socket connections.
Installing the keystore to JBoss EAP6/AS7
Now that you have a Java keystore with the appropriate certificates, you need to configure your
JBoss EAP6/AS7 installation to use it. First step is to move the keystore file to a directory
you can reference in configuration. I like to put it in standalone/configuration.
Then you need to edit standalone/configuration/standalone.xml to enable SSL/HTTPS.
...
]]>
Check the JBoss documentation for more information on fine tuning the socket connections.
Enable SSL on a Reverse Proxy
Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak.
It is important that you make sure the web server sets the X-Forwarded-For and
X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable
proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse
proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to.
WildFly
Open standalone/configuration/standalone.xml in your favorite editor.
First add proxy-address-forwarding and redirect-socket to
the http-listener element:
...
...
]]>
Then add a new socket-binding element to the socket-binding-group element:
...
...
]]>
Check the WildFly documentation for more information.
AS7/EAP
Open standalone/configuration/standalone.xml in your favorite editor.
You need to add redirect-port to http connector element and
add the RemoteIpValve valve:
]]>Configuring Servers from the Subsystem
If you are using WildFly, the Keycloak server is deployed and configured from the Keycloak subsystem. This makes provisioning simpler in a domain environment.
It also allows you to create more than one Keycloak server instance inside a single WildFly instance. And, you can upload providers, themes, and
server configurations without disturbing Keycloak's auth-server.war.
Manually Creating A Server
A Keycloak server can be declared by editing standalone.xml or domain.xml.
trueauthfalseauth2
]]>
If you create more than one Keycloak server, you will need to use CLI to fully configure each instance. At the least,
you will need to run the update-server-config operation.
Using CLI and CLI GUI with the Keycloak Subsystem
Servers can also be added/removed or enabled/disabled at runtime using the CLI or
CLI GUI tool. These are tools that ship with WildFly and also with
the Keycloak Appliance installation. See CLI or
CLI GUI documentation to learn more about how to start the tools,
issue commands, and create CLI scripts.
To start CLI with the Keycloak Appliance install:
/keycloak/bin
./jboss-cli.sh --gui
or
./jboss.cli.bat --gui]]>
Your Keycloak server must be running to start in --gui mode.Basic CLI Commands
Command to add a server in CLI:
Because "enabled=true", a new Keycloak server will be immediately deployed. By default "enabled" is set to false.
Command to remove a server in CLI:
The Keycloak server will be immediately deleted and undeployed.
Command to enable or disable a server in CLI:
The Keycloak server will be immediately deployed or undeployed, but not deleted.
Uploading extra configuration using CLI
The WildFly Keycloak subsystem allows you to upload keycloak-server.json, provider jars, and theme jars to a Keycloak server instance. The
CLI operations for this are "update-server-config" and "add-provider". You may use plain or CLI scripts for these operations. The following
examples are shown using CLI GUI for clarity.
To use a new keycloak-server.json file for your server, find your server under the Keycloak subsystem. Then right-click the server,
select "update-server-config", and upload your file.
If you use the update-server-config operation, you should delete or rename <WILDFLY_HOME>/standalone/configuration/keycloak-server.json.
Otherwise, all Keycloak server instances will use this file instead of your uploaded file.
To upload a new provider jar or theme jar to your server, find your server under the Keycloak subsystem. Then right-click the server,
select "add-provider", and upload your file.
Adding a Keycloak server in Domain Mode
In domain mode, you start the server with the "domain" command instead of the "standalone" command. In this case, the Keycloak subsystem is
defined in domain/configuration/domain.xml instead of standalone/configuration.standalone.xml. Inside domain.xml, you will see more than one
profile. A Keycloak subsystem can be defined in zero or more of those profiles.
In the example below, a Keycloak server named "foo" is defined in the "full" profile. The "full" profile is assigned to the "main-server-group".
Every WildFly instance that belongs to "main-server-group" will get an identically configured deployment of the "foo" Keycloak server.
All operations discussed earlier are valid for a Keycloak server in a domain. You can enable/disable, upload new keyclaok-server.json, and add provider jars.
In the following example, any changes that are made to the "foo" server will be automatically propogated to every instance in "main-server-group".