420.2 Keycloak and ABP framework applications - chempkovsky/CS82ANGULAR GitHub Wiki

Notes

  • First, we will describe the steps for installing Keycloak. The steps include:
    • Installing PostgreSQL
    • Installing Keycloak
    • Installing Infinispan
    • Integrating Keycloak and Infinispan
  • Each node will be installed in a separate virtual machine.
  • Ubuntu 24.04 LTS will be used as the operating system for each node.
  • We are not going to use clusters for now.
  • In this article we describe the steps for installing Keycloak itself.

Intranetwork

  • Suppose our intranetwork is 10.183.96.0/19
    • Suppose the IP of the virtual machine is 10.183.97.11

openjdk 21

  • run the commands
sudo apt update
sudo apt upgrade
sudo apt install openjdk-21-jdk
java -version
  • here is the response of the last command
openjdk version "21.0.7" 2025-04-15
OpenJDK Runtime Environment (build 21.0.7+6-Ubuntu-0ubuntu124.04)
OpenJDK 64-Bit Server VM (build 21.0.7+6-Ubuntu-0ubuntu124.04, mixed mode, sharing)

Keycloak

  • download the installation archive
wget https://github.com/keycloak/keycloak/releases/download/26.3.0/keycloak-26.3.0.tar.gz
  • unpack the archive into /opt
sudo tar -xvzf keycloak-26.3.0.tar.gz -C /opt/
  • create the keycloak group and the keycloak user with password keycloak, and set the folder permissions:
sudo groupadd keycloak
sudo useradd -r -g keycloak -d  /opt/keycloak-26.3.0 -s /sbin/nologin keycloak
sudo chown -R keycloak:keycloak /opt/keycloak-26.3.0
sudo find /opt/keycloak-26.3.0 -type f -exec chmod 755 {} \;
sudo find /opt/keycloak-26.3.0 -type d -exec chmod 755 {} \;
  • modify the file with the command sudo nano /opt/keycloak-26.3.0/conf/keycloak.conf
    • add the following content
# The database vendor.
db=postgres

# The username of the database user.
db-username=keycloak

# The password of the database user.
db-password=keycloak

# The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.
# db-url=jdbc:postgresql://host:port/database
db-url=jdbc:postgresql://10.183.97.10:5432/keycloakdb

# HTTP
# temporarily !!!!!!!!!
http-host=0.0.0.0
http-port=8080
hostname=10.183.97.11
http-enabled=true
# temporarily !!!!!!!!!
  • show the resulting configuration and build
/opt/keycloak-26.3.0/bin/kc.sh show-config
sudo /opt/keycloak-26.3.0/bin/kc.sh build
  • temporarily modify the global environment with the command sudo nano /etc/environment and add the content:
KC_BOOTSTRAP_ADMIN_USERNAME="admin"
KC_BOOTSTRAP_ADMIN_PASSWORD="admin"
  • run keycloak (temporarily, in the foreground)
sudo /opt/keycloak-26.3.0/bin/kc.sh start --optimized
  • outside the virtual machine go to http://10.183.97.11:8080/admin
  • using the Keycloak admin UI, create a permanent user with the admin role in the master realm
  • stop keycloak
  • with the command sudo nano /etc/environment remove the content
KC_BOOTSTRAP_ADMIN_USERNAME="admin"
KC_BOOTSTRAP_ADMIN_PASSWORD="admin"

service keycloak

  • create the file with the command sudo nano /etc/systemd/system/keycloak.service
    • add the content
[Unit]
Description=Keycloak
After=syslog.target network.target

[Service]
# Delays the service’s start until all jobs are dispatched
Type=idle
# specifies the user and group under which the service will run
User=keycloak
Group=keycloak
# Command to start the service
ExecStart=/opt/keycloak-26.3.0/bin/kc.sh start --optimized
# Considers these exit codes as successful service termination
SuccessExitStatus=143
# Time to wait for the service to stop before forcibly terminating it
TimeoutStopSec=10
# Service is restarted if it fails
Restart=on-failure
# Wait time before restarting the service after a failure
RestartSec=30

[Install]
WantedBy=multi-user.target
  • run the service
sudo systemctl daemon-reload
sudo systemctl enable keycloak.service
sudo systemctl start keycloak.service
sudo systemctl status keycloak.service
sudo journalctl -u keycloak.service
  • reminder: restarting the service
sudo systemctl restart keycloak.service

sudo systemctl stop keycloak.service
sudo systemctl start keycloak.service
  • outside the virtual machine go to http://10.183.97.11:8080/admin

Https

  • install certbot
sudo apt install certbot
  • on the internet firewall, temporarily open port 80 (certbot's standalone HTTP challenge must be reachable on it)
  • suppose we have registered the domain name kc.rupbes.by
  • run the command
certbot certonly --standalone --preferred-challenges http -d kc.rupbes.by
  • change the folder access (note that chmod -R 0755 makes privkey.pem readable by every local account on the machine; granting read access to the keycloak group only is the narrower option)
sudo chmod -R 0755 /etc/letsencrypt/live
sudo chmod -R 0755 /etc/letsencrypt/archive
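The following script is an added example, not part of the wiki page: it audits the certbot directories for world-readable files after the chmod -R 0755 step and applies the narrower group-based permissions instead. The paths are the certbot defaults used on this page and the group name keycloak is the one created above; both are assumptions about the target host.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: audit the certbot directories for
# world-readable files after the "chmod -R 0755" step, and apply the
# narrower group-based permissions instead. Paths are the certbot defaults
# used on this page; the group "keycloak" is the one created above.
set -u

# List every regular file under $1 that grants read access to "other".
# Returns 0 when none is found, 1 otherwise (the offending paths are printed).
find_world_readable() {
  local dir="$1" found
  found=$(find "$dir" -type f -perm -o=r 2>/dev/null)
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}

# Narrower alternative to "chmod -R 0755": directories stay traversable only
# for the owner and the given group, files readable only by them.
# $1 = directory tree, $2 = group (defaults to keycloak).
restrict_to_group() {
  local dir="$1" group="${2:-keycloak}"
  chgrp -R "$group" "$dir" || return 1
  find "$dir" -type d -exec chmod 0750 {} \; || return 1
  find "$dir" -type f -exec chmod 0640 {} \; || return 1
}

# Usage on the Keycloak host (run as root); certbot keeps the real key files
# under archive/ and only symlinks under live/, so both trees are handled:
#   restrict_to_group /etc/letsencrypt/live && restrict_to_group /etc/letsencrypt/archive
#   find_world_readable /etc/letsencrypt   # expect no output and exit status 0
```

The Keycloak process runs as user keycloak in group keycloak (see the unit file below), so group-readable key files are all it needs; nothing else on the host gets to read the private key.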
  • modify the file with the command sudo nano /opt/keycloak-26.3.0/conf/keycloak.conf
# temporarily !!!!!!
# http-host=0.0.0.0
# http-port=8080
# hostname=10.183.97.11
# http-enabled=true
# temporarily !!!!!!!!!

# features=hostname:v2 is required since it is used by the 'hostname' in the form: https:// host : port
features=quick-theme,hostname:v2
https-certificate-file=/etc/letsencrypt/live/kc.rupbes.by/cert.pem
https-certificate-key-file=/etc/letsencrypt/live/kc.rupbes.by/privkey.pem
# https-port is required by the NAT translation. If it is not set, the server listens on port 8443
https-port=8445
# hostname-admin is used only with a reverse proxy, so do not set it here.
# hostname-admin=https://kc.rupbes.by:8446
hostname=https://kc.rupbes.by:8445
  • rebuild, test once in the foreground as the keycloak user, and restart the service
sudo systemctl stop keycloak.service
sudo systemctl status keycloak.service
sudo /opt/keycloak-26.3.0/bin/kc.sh build

sudo -u keycloak /opt/keycloak-26.3.0/bin/kc.sh start --optimized

sudo systemctl start keycloak.service
sudo systemctl status keycloak.service
sudo journalctl -u keycloak.service

Memory

  • open the file with the command sudo nano /opt/keycloak-26.3.0/bin/kc.sh
    • here is the relevant fragment of the script
if [ -z "$JAVA_OPTS_KC_HEAP" ]; then
      if [ "$KC_RUN_IN_CONTAINER" = "true" ]; then
         # Maximum utilization of the heap is set to 70% of the total container memory
         # Initial heap size is set to 50% of the total container memory in order to reduce GC executions
         JAVA_OPTS_KC_HEAP="-XX:MaxRAMPercentage=70 -XX:MinRAMPercentage=70 -XX:InitialRAMPercentage=50"
      else
         JAVA_OPTS_KC_HEAP="-Xms64m -Xmx512m"
      fi
   else
      echo "JAVA_OPTS_KC_HEAP already set in environment; overriding default settings"
   fi

   JAVA_OPTS="$JAVA_OPTS $JAVA_OPTS_KC_HEAP"

...

if [ "$PRINT_ENV" = "true" ]; then
  echo "Using JAVA_OPTS: $JAVA_OPTS"
  echo "Using JAVA_RUN_OPTS: $JAVA_RUN_OPTS"
fi

  • for running in a container they recommend "-XX:MaxRAMPercentage=70 -XX:MinRAMPercentage=70 -XX:InitialRAMPercentage=50"
  • modify the file with the command sudo nano /etc/systemd/system/keycloak.service
    • add the two lines Environment="JAVA_OPTS_KC_HEAP=-Xms6000m -Xmx9000m" and Environment="PRINT_ENV=true"
[Unit]
Description=Keycloak
After=syslog.target network.target

[Service]
Environment="JAVA_OPTS_KC_HEAP=-Xms6000m -Xmx9000m"
Environment="PRINT_ENV=true"

# Delays the service’s start until all jobs are dispatched
Type=idle
# specifies the user and group under which the service will run
User=keycloak
Group=keycloak
# Command to start the service
ExecStart=/opt/keycloak-26.3.0/bin/kc.sh start --optimized
# Considers these exit codes as successful service termination
SuccessExitStatus=143
# Time to wait for the service to stop before forcibly terminating it
TimeoutStopSec=10
# Service is restarted if it fails
Restart=on-failure
# Wait time before restarting the service after a failure
RestartSec=30

[Install]
WantedBy=multi-user.target
  • run the commands
sudo systemctl stop keycloak.service
sudo systemctl disable keycloak.service
sudo systemctl daemon-reload

sudo systemctl enable keycloak.service
sudo systemctl start keycloak.service

sudo systemctl status keycloak.service
sudo journalctl -u keycloak.service
  • now it prints:
JAVA_OPTS_KC_HEAP already set in environment; overriding default settings
Using JAVA_OPTS: -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encodi
...
-XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseG1GC -XX:FlightRecorderOptions=stackdepth=512 -Xms6000m -Xmx9000m --add-opens=java.base/java.util=ALL-UNNAMED --add-opens
...
Using JAVA_RUN_OPTS: -Djava.util.concurrent.ForkJoinPool.common.threadFactory=io.quarkus.bootstrap.forkjoin.QuarkusForkJoinWorkerThreadFactory '-XX:MetaspaceSize=96M' '-XX:MaxMeta
...
-XX:FlightRecorderOptions=stackdepth=512' '-Xms6000m' '-Xmx9000m' '--add-opens=java.ba…
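The following script is an added example, not part of the wiki page: it checks the JAVA_OPTS_KC_HEAP values from the unit file against the RAM of the virtual machine before the service is enabled. The printed JAVA_OPTS above contains -XX:+ExitOnOutOfMemoryError, and the unit has Restart=on-failure, so a heap larger than the machine can back turns into a restart loop rather than a single crash. The 2048 MiB reserve for the OS and non-heap JVM memory is an assumed default, not a value from the page.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: sanity-check JAVA_OPTS_KC_HEAP against
# the VM's RAM before enabling the unit. With -XX:+ExitOnOutOfMemoryError in
# JAVA_OPTS and Restart=on-failure in the unit, an oversized heap means a
# restart loop every RestartSec seconds.
set -u

# Convert a JVM size such as 6000m or 9g to MiB.
to_mib() {
  local v="$1" n unit
  n=${v%[mMgG]}
  unit=${v#"$n"}
  case "$unit" in
    g|G) echo $((n * 1024)) ;;
    *)   echo "$n" ;;
  esac
}

# Extract -Xms and -Xmx from a JAVA_OPTS-style string and print them in MiB
# as "<xms> <xmx>". Fails when either flag is missing.
parse_heap_mib() {
  local opts="$1" xms xmx
  xms=$(printf '%s\n' "$opts" | grep -o -- '-Xms[0-9][0-9]*[mMgG]' | head -n 1)
  xmx=$(printf '%s\n' "$opts" | grep -o -- '-Xmx[0-9][0-9]*[mMgG]' | head -n 1)
  [ -n "$xms" ] && [ -n "$xmx" ] || return 1
  printf '%s %s\n' "$(to_mib "${xms#-Xms}")" "$(to_mib "${xmx#-Xmx}")"
}

# Return 0 when Xms <= Xmx and Xmx still leaves $3 MiB (assumed default 2048)
# of the $2 MiB total RAM for the OS, metaspace and other non-heap JVM memory.
heap_fits() {
  local opts="$1" total_mib="$2" reserve="${3:-2048}" parsed xms xmx
  parsed=$(parse_heap_mib "$opts") || return 1
  read -r xms xmx <<<"$parsed"
  [ "$xms" -le "$xmx" ] && [ $((xmx + reserve)) -le "$total_mib" ]
}

# Total RAM of this machine in MiB (Linux only).
mem_total_mib() {
  awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' /proc/meminfo
}

# Usage on the Keycloak host with the values from the unit file on this page:
#   heap_fits "-Xms6000m -Xmx9000m" "$(mem_total_mib)" && echo "heap fits" || echo "heap too large for this VM"
```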
  • On the internet firewall we configure NAT translation (for port 8445)
    • outside the intranet we can test with
https://kc.rupbes.by:8445/realms/master/.well-known/openid-configuration
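The following script is an added example, not part of the wiki page: it turns the test above into a check that the issuer Keycloak advertises equals the hostname configured in keycloak.conf. Clients compare the iss claim of every token against the issuer from this document, so a leftover temporary value (the internal IP and port 8080) shows up here as a mismatch. The realm name master and the expected issuer string are assumptions taken from the URL above.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: confirm from outside the intranet that
# the issuer Keycloak advertises matches the configured hostname. A leftover
# temporary hostname (internal IP, port 8080) shows up here as a mismatch.
set -u

# Expected issuer for the configuration on this page (assumed realm: master).
EXPECTED_ISSUER="https://kc.rupbes.by:8445/realms/master"

# Print the "issuer" value of an OpenID discovery document read from stdin.
# A sed extraction is enough for this single key and avoids a jq dependency.
extract_issuer() {
  sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when the document on stdin advertises exactly $1 as issuer.
check_issuer() {
  local expected="$1" actual
  actual=$(extract_issuer)
  if [ "$actual" != "$expected" ]; then
    printf 'issuer mismatch: expected %s, got %s\n' "$expected" "${actual:-<none>}" >&2
    return 1
  fi
  return 0
}

# Live check against the public endpoint (needs network access):
#   curl -fsS "$EXPECTED_ISSUER/.well-known/openid-configuration" | check_issuer "$EXPECTED_ISSUER"
```

curl -f makes a non-2xx response (for example a hostname or certificate problem behind the NAT) fail the pipeline instead of feeding an error page to the check.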