Ce site est optimisé pour être consulté depuis un navigateur moderne dans lequel JavaScript est activé.

Installer Keycloak

liberodark

Bonjour,

Voici comment installer Keycloak sur RHEL.

Installer les dépendances :

yum install -y java-11-openjdk nginx mariadb-server wget
systemctl enable --now nginx mariadb

Configurer MariaDB :

mysql_secure_installation

mysql -u root -p
CREATE DATABASE keycloak CHARACTER SET utf8mb4 COLLATE utf8mb4_bin;
CREATE USER 'keycloak'@localhost IDENTIFIED BY 'my_password';
GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@localhost IDENTIFIED BY 'my_password';
FLUSH PRIVILEGES;
EXIT

Installer Keycloak :

mkdir -p /opt/keycloak
wget -O /opt/keycloak/keycloak.tar.gz https://github.com/keycloak/keycloak/releases/download/19.0.3/keycloak-19.0.3.tar.gz
cd /opt/keycloak && tar -xvf keycloak.tar.gz && rm -f keycloak.tar.gz
mv keycloak-* keycloak
mkdir -p /root/.ssl

Créer un utilisateur dédié :

groupadd -r keycloak
useradd -r -g keycloak -d /opt/keycloak -s /sbin/nologin keycloak
chown -R keycloak: /opt/keycloak
touch /var/log/keycloak.log
chown -R keycloak: /var/log/keycloak.log

Configurer Keycloak :

Créer le service :
nano /etc/systemd/system/keycloak.service

[Unit]
Description=Keycloak
After=network.target

[Service]
Type=simple

User=keycloak
Group=keycloak

Environment="KC_DB=mariadb"
Environment="KC_DB_URL=jdbc:mariadb://localhost/keycloak"
Environment="KC_DB_USERNAME=keycloak"
Environment="KC_DB_PASSWORD=Password"

Environment="KC_HOSTNAME=keycloak.my_domain.com"
Environment="KC_HOSTNAME_ADMIN=keycloak.my_domain.com"
Environment="KC_HTTP_ENABLED=true"
Environment="KC_HTTP_HOST=0.0.0.0"
Environment="KC_HTTP_PORT=8080"
Environment="KC_PROXY=edge"

Environment="KEYCLOAK_ADMIN=admin"
Environment="KEYCLOAK_ADMIN_PASSWORD=Password"

Environment="KC_LOG=file"
Environment="KC_LOG_CONSOLE_OUTPUT=default"
Environment="KC_LOG_FILE=/var/log/keycloak.log"

TimeoutStopSec=0
KillSignal=SIGTERM
KillMode=process
SuccessExitStatus=143
LimitMEMLOCK=infinity
SendSIGKILL=no
WorkingDirectory=/opt/keycloak/keycloak

ExecStart=/opt/keycloak/keycloak/bin/kc.sh start --optimized

[Install]
WantedBy=multi-user.target

Build vos configurations :

nano /opt/keycloak/keycloak/bin/run.sh

#!/bin/bash
#
# About: Keycloak Script automatically
# Author: liberodark
# Thanks : 
# License: GPLv3

version="0.0.1"

echo "Keycloak use Script $version"

#=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST AND VAR
#=================================================

# DB
export KC_DB=mariadb
export KC_DB_URL=jdbc:mariadb://localhost/keycloak
export KC_DB_USERNAME=keycloak
export KC_DB_PASSWORD=Password

# Hostname
export KC_HOSTNAME=keycloak.my_domain.com

# Server
export KC_HOSTNAME_ADMIN=keycloak.my_domain.com
export KC_HTTP_ENABLED=true
export KC_HTTP_HOST=0.0.0.0
export KC_HTTP_PORT=8080
export KC_PROXY=edge

# Admin
export KEYCLOAK_ADMIN=admin
export KEYCLOAK_ADMIN_PASSWORD=Pa55w0rd

# Log
export KC_LOG=file
export KC_LOG_CONSOLE_OUTPUT=default
export KC_LOG_FILE=/var/log/keycloak.log
KEYCLOAK_DIR="/opt/keycloak/keycloak"

bash kc.sh build

Build Configuration :

cd /opt/keycloak/keycloak/bin/
chmod +x ./run.sh
sudo -u keycloak ./run.sh

Configurer Nginx :

nano /etc/nginx/conf.d/keycloak.conf

server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name keycloak.my_domain.com;

    access_log /var/log/nginx/keycloak-access.log;
    error_log  /var/log/nginx/keycloak-error.log error;

    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
    client_max_body_size 200M;

    # SSL Configuration
    ssl_certificate /root/.ssl/keycloak.my_domain.com.crt;
    ssl_certificate_key /root/.ssl/keycloak.my_domain.com.key;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;

    # See https://hstspreload.org/ before uncommenting the line below.
    # add_header Strict-Transport-Security "max-age=15768000; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header Content-Security-Policy "frame-ancestors 'self'";
    add_header X-Frame-Options DENY;
    add_header Referrer-Policy same-origin;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_buffering  off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}

systemctl restart nginx