How to Setup Keycloak

You will want another machine/VM to host your Keycloak server. It will cause all kinds of problems if you try to set up the Keycloak Server on same machine as the IPA server. So make sure you’re on another machine/VM for this part of the tutorial.

Setup Hostname

So this is the same as the last part except this time our hosntame will be idp.keycloak.test and the IP address is of course the one for this machine.

[$USER@$HOSTNAME ~]$ sudo hostnamectl set-hostname ipa.keycloak.test
[$USER@idp ~]$ sudo echo `$IP_ADDRESS idp.keycloak.test' >> /etc/hosts

Set up FreeIPA Client

Install the FREEIPA Client Software

We are setting up the Keycloak server as an IPA client so it is easier to connect Keycloak to IPA with the SSSD Provider.

[root@idp ~]$ dnf -y install freeipa-client freeipa-admintools
Last metadata expiration check: 2:22:56 ago on Mon 11 Jun 2018 11:07:59 AM EDT.
Package freeipa-client-4.6.3-2.fc27.x86_64 is already installed, skipping.
Package freeipa-client-4.6.3-2.fc27.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.

Install the Client

[root@idp ~]$ ipa-client-install \
> --fixed-primary \
> --server ipa.keycloak.test \
> --domain keycloak.test \
> --principal admin \
> --password PASSWORD \
> --unattended
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Client hostname: idp.keycloak.test
DNS Domain: keycloak.test
IPA Server: ipa.keycloak.test
BaseDN: dc=keycloak,dc=test

Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=KEYCLOAK.TEST
    Issuer:      CN=Certificate Authority,O=KEYCLOAK.TEST
    Valid From:  Mon Jun 11 14:04:18 2018 EST
    Valid Until: Mon Jun 15 14:04:18 2040 EST

Enrolled in IPA realm KEYCLOAK.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm KEYCLOAK.TEST
trying https://ipa.keycloak.test/ipa/json
Forwarding 'ping' to json server 'https://ipa.keycloak.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipa.keycloak.test/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/
Adding SSH public key from /etc/ssh/
Adding SSH public key from /etc/ssh/
Forwarding 'host_mod' to json server 'https://ipa.keycloak.test/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring keycloak.test as NIS domain.
Client configuration complete.

Install Java

[root@idp ~]$ dnf -y install java-1.8.0-openjdk
Last metadata expiration check: 2:56:10 ago on Mon 11 Jun 2018 11:07:59 AM EDT.
Package java-1.8.0-openjdk-1: is already installed, skipping.
Dependencies resolved.
Nothing to do.

Install Keycloak Software

I will download Keycloak and unpack it. I will unpack it in /opt/keycloak. I like to make the keycloak home an enviroment variable so I don’t have to keep typing it in or keep re-defining $KEYCLOAK_HOME.

[root@idp ~]$ echo 'KEYCLOAK_HOME=/opt/keycloak/keycloak-3.4.3.Final' >> ~/.bashrc
[root@idp ~]$ . ~/.bashrc

What I am doing there is creating the enviroment variable $KEYCLOAK_HOME and then sourcing the bashrc file. I did this because if I come back after closing my terminal I won’t have to redefine what $KEYCLOAK_HOME is. Now I am going to download and unpack Keycloak.

[root@idp ~]$ mkdir -p  $KEYCLOAK_HOME

[root@idp ~]$ cd /opt/keycloak

[root@idp keycloak]$ wget --no-check-certificate

[root@idp keycloak]$ tar zxvf keycloak-3.4.3.Final.tar.gz

Create Systemd Service

[root@idp keycloak]$ cd $KEYCLOAK_HOME/docs/contrib/scripts/systemd/
[root@idp systemd]$ mkdir /etc/keycloak
[root@idp systemd]$ mkdir /var/run/keycloak
[root@idp systemd]$ sed -e 's/wildfly/keycloak/g' -e 's/WILDFLY/KEYCLOAK/g' \
>     -e "s/KEYCLOAK_BIND=$(hostname -i)/g" wildfly.conf  \
>     > /etc/keycloak/keycloak.conf
[root@idp systemd]$ sed -e 's/wildfly/keycloak/g' -e 's/WILDFLY/KEYCLOAK/g' \
>     > $KEYCLOAK_HOME/bin/
[root@idp systemd]$ chmod 755 $KEYCLOAK_HOME/bin/
[root@idp systemd]$ sed -e 's/User=.*/User=root/g' \
>     -e 's/wildfly/keycloak/g' -e 's/WILDFLY/KEYCLOAK/g' \
>     -e 's/Description=.*/Description=Keycloak Identity Provider/g' \
>     -e "s%/opt/keycloak/bin%$KEYCLOAK_HOME/bin%" wildfly.service \
>     > /etc/systemd/system/keycloak.service
[root@idp systemd]$ cd

If you are using a Centos VM using > may cause some problems and not work with keycloak.conf and keycloak.service.. I have no idea why yet but it does. If you are using Centos copy these to your keycloak.conf and keycloak.service files:



# The mode you want to run

# The address to bind to


Description=Keycloak Identity Provider

ExecStart=/opt/keycloak/keycloak-3.4.3.Final/bin/ $KEYCLOAK_MODE $KEYCLOAK_CONFIG $KEYCLOAK_BIND


Create Admin User

[root@idp ~]$ $KEYCLOAK_HOME/bin/ -r master -u admin -p PASSWORD
Added 'admin' to '/opt//keycloak/keycloak-3.4.3.Final/standalone/configuration/keycloak-add-user.json',
restart server to load user

Start Service

[root@idp ~]$ systemctl start keycloak
[root@idp ~]$ systemctl status keycloak
● keycloak.service - Keycloak Identity Provider
   Loaded: loaded (/etc/systemd/system/keycloak.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-05-31 17:18:40 UTC; 1 weeks 4 days ago
 Main PID: 27968 (
   CGroup: /system.slice/keycloak.service
           ├─27968 /bin/bash /usr/local/keycloak/keycloak-3.4.3.Final/bin/ standalone standalone.xml
           ├─27969 /bin/sh /usr/local/keycloak/keycloak-3.4.3.Final/bin/ -c standalone.xml -b
           └─28022 java -D[Standalone] -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headles...

Open Firewall Ports

Keycloak uses both 8080 and 8443 by deafult. 8080 is used for the non SSL Keycloak server and 8443 is used for the SSL and HTTPS one. If you don’t open these you wont be able to access the admin console later and our SP wont be able to communicate with Keycloak.

[root@idp ~]$ for port in 8080 8443; do
> firewalld-cmd --add-port $port/tcp
> done

[root@idp ~]$ firewall-cmd --runtime-to-permanent

Again if you are using sudo with these commands you will have to open each port individually.

Create HTTP Service Principla for Keycloak Server

Since we’ll be using HTTPs, we need to setup the service principal.

[root@idp ~]$ echo PASSWORD|kinit admin

[root@idp ~]$ ipa service-add HTTP/idp.keycloak.test@KEYCLOAK.TEST
Added service "HTTP/idp.keycloak.test@KEYCLOAK.TEST"
  Principal: HTTP/idp.keycloak.test@KEYCLOAK.TEST
  Managed by: idp.keycloak.test
[root@idp ~]$ ipa-getkeytab -s ipa.keycloak.test -p HTTP/idp.keycloak.test@KEYCLOAK.TEST -k /etc/ipa.keytab
Keytab successfully retrieved and stored in: /etc/ipa.keytab

Generate Java Keystore for SSL Certificate

[root@idp ~]$ cd $KEYCLOAK_HOME/standalone/configuration
[root@idp configuration]$ keytool -genkey -alias keycloak.test - keyalg RSA -keystore keycloak.jks -validity 10950
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  idp.keycloak.test
What is the name of your organizational unit?
  [Unknown]:  Keycloak
What is the name of your organization?
  [Unknown]:  Red Hat
What is the name of your City or Locality?
  [Unknown]:  Westford
What is the name of your State or Province?
  [Unknown]:  MA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=idp.keycloak.test, OU=Keycloak, O=Red Hat, L=Westford, ST=MA, C=US correct?
  [no]:  yes

Enter key password for 
    (RETURN if same as keystore password):

Generate Cert Request

We are now going to create the Certificate Signing Request that is sent to IPA so we can get a signed cert for our Keycloak server

[root@idp configuration]$ keytool -certreq -alias keycloak.test -keystore keycloak.jks > keycloak.careq
Enter keystore password: PASSWORD

Sign Certificate with IPA

Now we get the cert signed!

[root@idp configuration]$ ipa cert-request --principal HTTP/idp.keycloak.test@KEYCLOAK.TEST keycloak.careq
  Certificate: MIIEF...Truncated...
  Subject: CN=idp.keycloak.test,O=KEYCLOAK.TEST
  Issuer: CN=Certificate Authority,O=KEYCLOAK.TEST
  Not Before: Mon Jun 11 14:50:00 2018 EST
  Not After: Fri Jun 12 14:50:00 2020 EST
  Fingerprint (MD5): 42:15:93:40:62:2c:4c:6f:56:68:b8:fd:ef:97:84:55
  Fingerprint (SHA1): fc:55:6d:69:4a:f2:a2:e2:7f:2d:8e:f3:22:9e:42:2c:e0:95:04:15
  Serial number: 11
  Serial number (hex): 0xB

Export the Certificate

[root@idp configuration]$ ipa service-show HTTP/idp.keycloak.test --out keycloak.cert
--Truncated the output because its long length--

Import IPA CA certificate to Java Keystore

[root@idp configuration]$ cp -i /etc/ipa/ca.crt .
[root@idp configuration]$ keytool -import -keystore keycloak.jks -file ca.crt -alias root
Enter keystore password:
Owner: CN=Certificate Authority, O=KEYCLOAK.TEST
Issuer: CN=Certificate Authority, O=KEYCLOAK.TEST
Trust this certificate? [no]: yes
Certificate was added to keystore

Import Signed Keycloak Cert to Keystore

[root@idp configuration]$ keytool -import -keystore keycloak.jks -file keycloak.cert -alias keycloak.test
Enter keystore password:
Certificate reply was installed in keystore

Configure Keycloak to use HTTPS

Now this version and newer versions of keycloak have a realm in the standalone.xml file called “application” and it will cause problems with our configuration. We’re not going to get rid of it entirely but just change its name in some places to fit our needs. But first we need to add the “UndertowRealm” to the “security-realms” section of the file:

            <security-realm name="UndertowRealm">
                        <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="PASSWORD"/>

Now we need to add https-listener for our new realm and change the “http-invoker> security-realm=”ApplicationRealm”/>” to our UndertowRealm. It should look like this after we are done with it:

            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker security-realm="UndertowRealm"/>

Restart Keycloak

[root@idp configuration]$ systemctl start keycloak

Next and Previous

Next will be connected Keycloak to IPA with the SSSD Federation Provider:

How to Setup Keycloak User Federation


How to Install FreeIPA

Written on June 11, 2018