# Java runtime for Keycloak -- pick the package that matches your Debian release.
# NOTE(review): the trailing "?" marks the author's own doubt about the first two choices;
# check the Java version this Keycloak release requires before using anything older than 21.
#apt install default-jdk-headless ?
# bookworm
#apt install openjdk-17-jre-headless ?
# trixie
apt install openjdk-21-jre-headless
You will also need a database, e.g. MariaDB. The service unit below connects to 127.0.0.1, so this page assumes the database runs on the same host.
Grab the latest release (pin it in `ver`) and verify the archive against the checksum published for that release on keycloak.org/downloads before extracting it.
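# Pin the release (https://github.com/keycloak/keycloak/releases) and unpack it under /opt.
ver=26.5.0
cd /opt/

# NOTE(review): the archive is fetched over HTTPS but not otherwise verified -- compare it with
# the checksum published for this release on keycloak.org/downloads before extracting.
# The archive is only discarded once wget AND tar succeeded (the original rm ran unconditionally).
wget "https://github.com/keycloak/keycloak/releases/download/$ver/keycloak-$ver.tar.gz" \
  && tar xzf "keycloak-$ver.tar.gz" \
  && rm -f "keycloak-$ver.tar.gz"
# -sfn: replace an existing /opt/keycloak symlink in place, so the same line works on upgrades
ln -sfn "keycloak-$ver" /opt/keycloak

# Dedicated unprivileged account for the service: system user, no login shell,
# home on the versioned symlink.
groupadd kc
useradd --system -g kc -d /opt/keycloak -s /sbin/nologin kc

cd /opt/keycloak/
# the archive ships files owned by UID 1001, which is not necessarily what we have here --
# look first, then re-own
ls -lkF
mkdir data/
# data/ is what the service writes at runtime. bin/ and lib/ are re-owned as in the original page;
# NOTE(review): for least privilege consider leaving bin/ and lib/ root-owned after `kc.sh build`
# so a compromised service cannot rewrite its own code -- confirm start --optimized still works.
chown -R kc:kc LICENSE.txt README.md bin/ data/ lib/ version.txt
cd -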
# Install bash completion for kc.sh system-wide, then load it into the current shell.
cd /opt/keycloak/bin/
./kc.sh tools completion > /etc/bash_completion.d/kc-complete.bash
. /etc/bash_completion.d/kc-complete.bash
Bake the database vendor (e.g. mariadb) into the build so that later starts can use `--optimized` and skip the augmentation step.
./kc.sh build --help
# build-time option: the DB vendor is fixed here, which is what allows `start --optimized` later
time ./kc.sh build --db mariadb
./kc.sh show-config

# DEV -- development mode; do not use it for the production service below
./kc.sh start-dev --help
# PROD
./kc.sh start --help
–either– run it once with these variables set (first start only). The account created this way is a temporary bootstrap admin: once logged in, create a permanent admin and delete the temporary one (see the bootstrap-admin link below).
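# First start only. Hand the bootstrap admin over through the environment rather than on the
# command line, so the password is not visible in `ps` to every local user; read it with
# `read -rs` so it also stays out of shell history, and drop it from the environment afterwards.
export KC_BOOTSTRAP_ADMIN_USERNAME=kc-admin
read -rsp 'bootstrap admin password: ' KC_BOOTSTRAP_ADMIN_PASSWORD && echo
export KC_BOOTSTRAP_ADMIN_PASSWORD
./kc.sh start ...    # same options as ExecStart= in the unit file below
unset KC_BOOTSTRAP_ADMIN_USERNAME KC_BOOTSTRAP_ADMIN_PASSWORD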
–or– pass them on the command line (note that they then appear in `ps` output for every local user and in your shell history):
# Same thing via flags. NOTE: argv is readable by every local user (`ps`, `pgrep -a`) and is
# recorded in shell history, so the environment form is preferable for the password.
./kc.sh start --bootstrap-admin-username kc-admin --bootstrap-admin-password PASSWORD-HERE \
    ... (shown below)
–or– start the service right away without an admin and create it from your workstation through an SSH tunnel. Until an admin exists, whoever reaches the instance first can claim it, so keep 8081 bound to loopback (as the unit below does with `--http-host 127.0.0.1`) and never expose it through the proxy in this state.
# From your workstation: forward local port 8081 to the server's loopback-only listener,
# then browse to http://localhost:8081
ssh -L 8081:localhost:8081 kc-server

# On the server: nothing should be listening yet
netstat -lntup | grep 8081
Run it as a systemd service, started now and enabled at boot time.
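db_user=kc
db_pass=...    # or: read -rsp 'db password: ' db_pass  (keeps it out of shell history)

# Keep the DB credentials out of the unit file and off the command line. kc.sh reads any option
# from a KC_<OPTION> environment variable (the same mapping as KC_BOOTSTRAP_ADMIN_* above), so
# put them in a root-only EnvironmentFile instead of --db-username/--db-password. With the
# original ExecStart= the password sat in a world-readable unit file and showed up in
# `ps`/`pgrep -a` for every local user.
install -d -m 0750 /etc/keycloak
(umask 077 && printf 'KC_DB_USERNAME=%s\nKC_DB_PASSWORD=%s\n' "$db_user" "$db_pass" > /etc/keycloak/kc.env)
# NOTE(review): systemd parses EnvironmentFile= itself -- if the password contains quotes,
# backslashes or starts with '#', quote the value as described in systemd.exec(5).
unset db_pass

# Quoted heredoc delimiter: the shell expands nothing at write time, so no escaping games
# (single backslashes below are the unit file's own line continuations).
cat > /etc/systemd/system/kc.service <<'EOF'
[Unit]
Description=Keycloak
# the service talks to a database on 127.0.0.1, so start after the local DB
# (unit name may differ on your system, e.g. mysql.service; a missing unit in After= is harmless)
After=network-online.target mariadb.service
Wants=network-online.target

[Service]
User=kc
Group=kc
WorkingDirectory=/opt/keycloak
EnvironmentFile=/etc/keycloak/kc.env
# the JVM exits with 143 on SIGTERM -- treat that as a clean stop
SuccessExitStatus=143
Restart=on-failure
# Plain HTTP on loopback only; TLS is terminated by a reverse proxy on the same host, and
# X-Forwarded-* headers are trusted from that proxy (127.0.0.1) only.
ExecStart=/opt/keycloak/bin/kc.sh start --optimized \
  --http-enabled true \
  --http-host 127.0.0.1 \
  --http-port 8081 \
  --proxy-headers xforwarded \
  --proxy-trusted-addresses 127.0.0.1/32 \
  --hostname https://kc.nethence.com \
  --db-url-host 127.0.0.1 \
  --db-url-database kc
# Sandboxing: no privilege escalation, private /tmp, /usr and /etc read-only, /home and /root hidden.
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl restart kc
systemctl enable kc
systemctl status kc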
Check that it listens on loopback only and that the JVM is running:
# expect a single listener on 127.0.0.1:8081 (not 0.0.0.0) ...
netstat -lntup | grep 8081
# ... and one java process. pgrep -a prints the full command line, so any secret passed as a
# flag would be visible here to every local user -- a reason to keep credentials out of argv.
pgrep -a java
Assuming the host is on a public network, make sure the DNS record for the public hostname is right, e.g.
remotely
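# -c 3: on Linux ping otherwise runs until interrupted; three probes are enough to confirm the record
ping -c 3 kc.nethence.com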
possibly including DNAT on the firewall and a reverse proxy in front (see the keycloak-nginx or keycloak-haproxy guides). Keycloak itself only listens on 127.0.0.1:8081 as configured above, so the proxy is what exposes ports 80/443.
remotely
# from outside: only the proxy's 80/443 should answer; 8081 must not be reachable
nmap -p80,443 kc.nethence.com
Finally reach the admin console through the reverse proxy, e.g.
https://kc.nethence.com/admin/master/console/
# Command-line admin client.
# NOTE(review): `kcadm.sh config credentials` caches the session token in a file under ~/.keycloak/
# by default -- keep that file private and log out when done.
cd /opt/keycloak/bin/
./kcadm.sh
Other `kc.sh start` options you may need, annotated (append the relevant ones to the ExecStart= line):
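# Additional `kc.sh start` options (not a runnable script -- append what you need to ExecStart=).
#
# --hostname-debug true \
#     exposes a hostname debug page under /realms/master/ that dumps the resolved hostname
#     configuration -- enable only while troubleshooting and remove it again; treat it as
#     unauthenticated unless the hostname docs linked below say otherwise
# --hostname-admin https://keycloak-admin.nethence.com \
#     serve the admin console on its own name so the proxy can restrict it (allow-list / VPN)
# --log console,file --log-file /var/log/keycloak.log --log-file-output json \
#     the service runs as User=kc: pre-create the log file (or a /var/log/keycloak/ directory)
#     owned by kc, as /var/log itself is not writable by that user
# --log-level debug
#     very verbose and liable to log tokens or personal data -- not for a production service
# --log-level warn
# --proxy-protocol-enabled true \
#     only if the proxy actually sends the PROXY protocol header on this port AND nothing else
#     can reach the port; otherwise any direct client can forge its source address
# --https-port 8443 \
# --https-certificate-file /root/keycloak.demo.nethence.com/fullchain.pem \
# --https-certificate-key-file /root/keycloak.demo.nethence.com/privkey.pem
#     for terminating TLS in Keycloak instead of the proxy. /root is not readable by the kc user
#     the unit runs as: copy the key to a location kc can read (owner kc, mode 0600) and keep
#     --hostname consistent with the certificate
# --spi-sticky-session-encoder-infinispan-should-attach-route=false \
#     stops the node route being attached to the session cookie; presumably wanted for a single
#     node or a proxy that does its own stickiness -- confirm against the docs before relying on it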
https://www.keycloak.org/getting-started/getting-started-zip
https://keycloak.ch/keycloak-tutorials/tutorial-1-installing-and-running-keycloak/
https://keycloak.org/server/logging
https://www.keycloak.org/server/configuration
https://www.keycloak.org/docs/latest/server_admin/
https://www.keycloak.org/server/bootstrap-admin-recovery
https://gist.github.com/chainhead/923e01e47a518db0f6bf0ce3aa2801ea
FW https://medium.com/@hasnat.saeed/setup-keycloak-server-on-ubuntu-18-04-ed8c7c79a2d9
https://keycloak.discourse.group/t/startup-keycloak-as-a-permanent-runing-service/8206
https://www.keycloak.org/getting-started/getting-started-docker