Keycloak bilan Identity Server sozlash
Kirish
Bugungi raqamli landshaftda applicationlar va resurslarga kirishni ta'minlash muhim ahamiyatga ega. Identity and Access Management(IAM) yechimlari foydalanuvchi identifikatorlarini boshqarish, foydalanuvchilarni autentifikatsiya qilish va tashkilot ekotizimidagi turli resurslarga kirishni nazorat qilishda muhim rol o'ynaydi. Keycloak, open source IAM yechimi identifikatsiya va kirishni boshqarishni boshqarish uchun mustahkam va keng qamrovli platformani taklif etadi.
Keycloak foydalanuvchilarga bir marta autentifikatsiya qilish va bir nechta applicationlarga muammosiz kirish imkonini beruvchi single sign-on(SSO) yechimi sifatida xizmat qiladi. Red Hat tomonidan ishlab chiqilgan Keycloak OpenID Connect, OAuth 2.0 va SAML (Security Assertion Markup Language) kabi turli xil autentifikatsiya protokollarini qo'llab-quvvatlaydi, bu uni ko'p qirrali va turli xil foydalanish holatlariga moslashtiradi.
Keycloak-ning asosiy afzalliklaridan biri uning moslashuvchanligi(flexibility) va kengaytirilishidir(extensibility). U LDAP (Lightweight Directory Access Protocol) yoki Active Directory kabi mavjud identity storelari bilan birlashtirilishi mumkin, bu esa tashkilotlarga mavjud user repositoriyalaridan foydalanish imkonini beradi. Bundan tashqari, Keycloak user federation, fine-grained access control, multi-factor authentication va centralized user management kabi boy xususiyatlar to'plamini taklif etadi, bu esa tashkilotlarga xavfsizlik siyosatini samarali qo'llash imkonini beradi.
Ushbu texnik qo'llanma Keycloakni o'rnatish va configuratsiya qilish bo'yicha keng qamrovli ko'rsatmalar berishga qaratilgan. Ushbu qo'llanmaga amal qilish orqali admin/devopslar va dasturchilar o'z applicationlari xavfsizligini oshirish hamda foydalanuvchilari uchun autentifikatsiya va avtorizatsiya jarayonlarini soddalashtirish uchun Keycloak quvvatidan foydalanishlari mumkin.
Ishni boshlash
Ushbu amaliyotni amalga oshirish uchun bizga quyidagi minimum server talablaridagi server kerak bo'ladi.
Minimum Server talabi
OS | RAM | CPU | Xotira | Static IP |
---|---|---|---|---|
Ubuntu 20.04 yoki RockyLinux 8 | 4GB | 2 core | 50GB | Ha kerak |
Keycloak o'rnatish
Keycloak o'rnatishni biz ikki qismga bo'ldik ya'ni keycloak 16chi versiyagacha o'rnatish bosqacha bo'lgan va 17chi versiyadan boshlab o'rnatishdan katta o'zgarishlar bo'lgan shuning uchun biz 16 versiyagacha bo'lgan keycloak uchun alohida va 17dan boshlangan keycloak uchun boshqa o'rnatish qo'llanmasini yozdik. Keycloak versiyani loyihaning talablari yoki boshqa bo'gliklar orqali tanlaysiz.
Keycloakning o'rnatishning quyidagi usullari bor biz bugungi amaliyotda OpenJDK yordamida o'rnatamiz.
16-chi versiyagacha
- Red Hat Based
- Debian Based
1-> Serverni yangilaymiz va kerakli dasturlarni o'rnatib olamiz.
sudo yum update -y
sudo yum install git nano vim zip unzip wget curl gnupg -y
2-> OpenJDK 17'ni o'rnatamiz.
sudo yum install java-17-openjdk java-17-openjdk-devel -y
OpenJDK 17 o'rnatilgani quyidagi buyruq orqali tekshirib ko'rishingiz mumkin.
java -version
Terminalda quyidagi natija chiqishi kerak.
openjdk 17.0.13 2024-10-15 LTS
OpenJDK Runtime Environment (Red_Hat-17.0.13.0.11-1) (build 17.0.13+11-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-17.0.13.0.11-1) (build 17.0.13+11-LTS, mixed mode, sharing)
3-> Ushbu amaliyotda biz source code orqali Keycloak 15.0.0 versiyasini serverga o'rnatamiz. Buning uchun keycloak source kodlarini serverimiz /opt
papkasiga yuklab olamiz va arxivdan chiqaramiz. Rasmiy Keycloak Downloads (opens in a new tab) sahifasi.
cd /opt
sudo wget https://github.com/keycloak/keycloak/releases/download/15.0.0/keycloak-15.0.0.tar.gz
4-> Yuklab olgan keycloak source kodlarni .tar.gz
arxivini arxivdan chiqarib olamiz. Keycloak source kodlarini arxivdan chiqarib olganimizda source kodlar keycloak-15.0.0 papkasida bo'ladi biz uni nomini keycloakga o'zgartiramiz. Biz /opt papkasi ichidamiz.
sudo tar -xvzf keycloak-15.0.0.tar.gz
sudo mv keycloak-15.0.0 /opt/keycloak
5-> Xavfsizlik nuqtai nazaridan Keycloak dasturini root useri bilan ishga tushirmasligimiz kerak. Shuning uchun keycloakga linux user va group yaratib olamiz va keycloak home ishlaydigan directoriyasini /opt/keycloak
qilib qo'yamiz.
sudo groupadd keycloak
sudo useradd -r -g keycloak -d /opt/keycloak -s /sbin/nologin keycloak
6-> Keycloak ishlashi uchun keycloak userga /opt/keycloak directoriyasi ownershiplikni beramiz va /opt/keycloak/bin/ directoriyaga executable permissionlarni beramiz.
cd /opt
sudo chown -R keycloak: keycloak
sudo chmod o+x /opt/keycloak/bin/
7-> Keycloakni SystemD orqali boshqarish uchun /etc directoriyada keycloak uchun konfiguratsiya directoriya ochib olamiz.
cd /etc/
sudo mkdir keycloak
8-> /opt/keycloak/docs/contrib/scripts/systemd/wildfly.conf
directoriyadagi wildfly.conf
faylini keycloak.conf
nomi bilan /etc/keycloak/
directoriyaga ko'chiramiz.
sudo cp /opt/keycloak/docs/contrib/scripts/systemd/wildfly.conf /etc/keycloak/keycloak.conf
9-> Keycloakni ishga tushirish scriptni(launch.sh
) faylini /opt/keycloak/docs/contrib/scripts/systemd/
directoriyadan /opt/keycloak/bin/
directoriyaga ko'chiramiz.
sudo cp /opt/keycloak/docs/contrib/scripts/systemd/launch.sh /opt/keycloak/bin/
Usbu sciptni keycloak user execute qilish uchun keycloak userni owner qilib qo'yamiz.
sudo chown keycloak: /opt/keycloak/bin/launch.sh
10-> launch.sh
sciptda keycloak ishlaydigan directoriyani belgilashimiz kerak.
sudo nano /opt/keycloak/bin/launch.sh
Ya'ni /opt/wildfly
ni /opt/keycloak
ga o'zgartiramiz.
#!/bin/bash
if [ "x$WILDFLY_HOME" = "x" ]; then
WILDFLY_HOME="/opt/keycloak"
fi
if [[ "$1" == "domain" ]]; then
$WILDFLY_HOME/bin/domain.sh -c $2 -b $3
else
$WILDFLY_HOME/bin/standalone.sh -c $2 -b $3
fi
11-> /opt/keycloak/docs/contrib/scripts/systemd/
papkadagi wildfly.service
faylini /etc/systemd/system/
papkaga keycloak.service
nomi bilan nusxalaymiz.
sudo cp /opt/keycloak/docs/contrib/scripts/systemd/wildfly.service /etc/systemd/system/keycloak.service
12-> keycloak.service
faylini nano/vim matn muharrida ochib quyidagicha o'zgartishlar kiritamiz.
sudo nano /etc/systemd/system/keycloak.service
Dastlab keycloak.service
konfiguratsiyamniz quyidagi ko'rinishda bo'ladi
[Unit]
Description=The WildFly Application Server
After=syslog.target network.target
Before=httpd.service
[Service]
Environment=LAUNCH_JBOSS_IN_BACKGROUND=1
EnvironmentFile=-/etc/wildfly/wildfly.conf
User=wildfly
LimitNOFILE=102642
PIDFile=/var/run/wildfly/wildfly.pid
ExecStart=/opt/wildfly/bin/launch.sh $WILDFLY_MODE $WILDFLY_CONFIG $WILDFLY_BIND
StandardOutput=null
[Install]
WantedBy=multi-user.target
Konfiguratsiyamizni yangilab o'zgarishlarni saqlab chiqamiz.
[Unit]
Description=The Keycloak Server
After=syslog.target network.target
Before=httpd.service
[Service]
Environment=LAUNCH_JBOSS_IN_BACKGROUND=1
EnvironmentFile=-/etc/keycloak/keycloak.conf
User=keycloak
Group=keycloak
LimitNOFILE=102642
PIDFile=/var/run/keycloak/keycloak.pid
ExecStart=/opt/keycloak/bin/launch.sh $WILDFLY_MODE $WILDFLY_CONFIG $WILDFLY_BIND
StandardOutput=null
[Install]
WantedBy=multi-user.target
13-> systemd manager orqali daemon-reload berib keycloakni enable qilib qo'yamiz yani server o'chib yonganidan keyin o'chib qolmasdan auto-start bo'lib avtomatik ishga tushishi uchun.
sudo systemctl daemon-reload
sudo systemctl enable keycloak
14-> Keycloakni start berib ishga tushiramiz va statusini ko'ramiz.
sudo systemctl start keycloak
sudo systemctl status keycloak
15-> Keycloakni muvaffaqiyatli ishga tushirganimizdan keyin brauzer orqali serverimiz public IPsi bilan 8080 portiga kirganimizda bizda Keycloak oynasi ochilishi kerak.
Keycloak hech qanday birinchi Administrator user bilan kelmaydi shuning uchun biz uni o'zimiz yaratib olishimiz kerak. Biz hozir localhost:8080
qilib kirmaganimiz uchun UI orqali admin user yarata olmaymiz shuning uchun add-user-keycloak.sh
scripti orqali admin user yarataib olamiz.
sudo /opt/keycloak/bin/add-user-keycloak.sh -r master -u admin -p adminparol239dw2
Keycloak admin user yaratib olganimizdan keyin avtomatik master realm bilan birga keladi.
16-> Keycloakga restart berib brauzer orqali qayta kiramiz.
sudo systemctl restart keycloak
Okey bizda Administration Console ochildi va kirganimizda quyidagi oyna ochilishi kerak
Bizda muammo chiqdi yani biz http bilan kiryapmiz keycloak esa SSL https talab qilyapti, https talab qilishining sababi biz hozirni default holda production modeda ishga tushiryapmiz. Keling birinchisiga development modeda http bilan ishga tushiramiz. Keling keycloakdan SSL verificationni o'chirib qo'yamiz.
sudo /opt/keycloak/bin/kcadm.sh config credentials \
--server http://localhost:8080/auth \
--realm master \
--user admin \
--password adminparol239dw2
sudo /opt/keycloak/bin/kcadm.sh update realms/master -s sslRequired=NONE
Keycloakga restart beramiz.
sudo systemctl restart keycloak
Keycloakga brauzerdan qayta kirib Administration Consolega kirganimzida bizda quyidagi login qilib kirish uchun oyna ochiladi.
Login qilib kiramiz birinchi oyna.
Okey bizda hammasi ishlayapti biz muvaffaqiyatli keycloak 15.0.0
o'rnatdik va dastlabki sozlashni yakunladik.
16-chi versiyadan keyingilar
Ushbu o'rnatish 16-chi versiyadan baland bo'lgan keycloak uchun o'rnatish qo'llanmasi va biz bunda keycloak 26.0.7 latest versiyani o'rnatamiz.
- Red Hat Based
- Debian Based
1-> Serverni yangilaymiz va kerakli dasturlarni o'rnatib olamiz.
sudo dnf update -y
sudo dnf install git nano vim zip unzip wget curl gnupg -y
2-> OpenJDK 17'ni o'rnatamiz.
sudo dnf install java-21-openjdk -y
OpenJDK 21 o'rnatilgani quyidagi buyruq orqali tekshirib ko'rishingiz mumkin.
java -version
Terminalda quyidagi natija chiqishi kerak.
openjdk version "21.0.5" 2024-10-15 LTS
OpenJDK Runtime Environment (Red_Hat-21.0.5.0.10-1) (build 21.0.5+10-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-21.0.5.0.10-1) (build 21.0.5+10-LTS, mixed mode, sharing)
3-> Ushbu amaliyotda biz source code orqali Keycloak 26.0.7 versiyasni o'rnatamiz. Buning uchun keycloak source kodlarini serverimiz /opt
papkasiga yuklab olamiz va arxivdan chiqaramiz. Rasmiy Keycloak Downloads (opens in a new tab) sahifasi.
cd /opt
sudo wget https://github.com/keycloak/keycloak/releases/download/26.0.7/keycloak-26.0.7.tar.gz
4-> Yuklab olgan keycloak source kodlarni .tar.gz
arxivini arxivdan chiqarib olamiz. Keycloak source kodlarini arxivdan chiqarib olganimizda source kodlar keycloak-26.0.7 papkasida bo'ladi biz uni nomini keycloakga o'zgartiramiz. Biz /opt papkasi ichidamiz.
sudo tar -xvzf keycloak-26.0.7.tar.gz
sudo mv keycloak-26.0.7 /opt/keycloak
5-> Xavfsizlik nuqtai nazaridan Keycloak dasturini root useri bilan ishga tushirmasligimiz kerak. Shuning uchun keycloakga linux user va group yaratib olamiz va keycloak home ishlaydigan directoriyasini /opt/keycloak
qilib qo'yamiz.
sudo groupadd keycloak
sudo useradd -r -g keycloak -d /opt/keycloak -s /sbin/nologin keycloak
6-> Keycloak ishlashi uchun keycloak userga /opt/keycloak
directoriyasi ownershiplikni beramiz va /opt/keycloak/bin/
directoriyaga executable permissionlarni beramiz.
cd /opt
sudo chown -R keycloak: keycloak
sudo chmod o+x /opt/keycloak/bin/
7-> Keycloakni SystemD orqali boshqarish uchun /etc
directoriyada keycloak uchun konfiguratsiya directoriya ochib olamiz.
cd /etc/
sudo mkdir keycloak
8-> /opt/keycloak/conf/keycloak.conf
directoriyadagi keycloak.conf
faylini /etc/keycloak/
directoriyaga ko'chiramiz.
sudo cp /opt/keycloak/conf/keycloak.conf /etc/keycloak/keycloak.conf
9-> Keycloakni systemd orqali boshqarish uchun keycloak.service
faylini nano/vim matn muharrida ochib quyidagciha konfig qilamiz.
sudo nano /etc/systemd/system/keycloak.service
keycloak.service
konfiguratsiyamniz quyidagi ko'rinishda bo'ladi.
[Unit]
Description=The Keycloak Server
After=syslog.target network.target
Before=httpd.service
[Service]
EnvironmentFile=-/etc/keycloak/keycloak.conf
Type=idle
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/bin/kc.sh start-dev
StandardOutput=append:/var/log/keycloak.log
StandardError=inherit
RestartSec=2s
Restart=always
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitNOFILE=102642
[Install]
WantedBy=multi-user.target
13-> systemd manager orqali daemon-reload berib keycloakni enable qilib qo'yamiz yani server o'chib yonganidan keyin auto-start bo'lib avtomatik ishga tushishi uchun.
sudo systemctl daemon-reload
sudo systemctl enable keycloak
14-> Keycloakni start berib ishga tushiramiz va statusini ko'ramiz.
sudo systemctl start keycloak
sudo systemctl status keycloak
15-> Keycloakni muvaffaqiyatli ishga tushirganimizdan keyin brauzer orqali serverimiz public IPsi bilan 8080 portiga kirganimizda bizda Keycloak oynasi ochilishi kerak.
Keycloak hech qanday birinchi Administrator user bilan kelmaydi shuning uchun biz uni o'zimiz yaratib olishimiz kerak. Biz hozir localhost:8080 qilib kirmaganimiz uchun UI orqali admin user yarata olmaymiz shuning uchun kc.sh
scripti orqali admin user yaratib olamiz.
/opt/keycloak/bin/kc.sh bootstrap-admin user --username admin --password adminparol239dw2
Keycloak admin user yaratib olganimizdan keyin avtomatik master realm bilan birga keladi.
16-> Keycloakga restart berib brauzer orqali qayta kiramiz.
sudo systemctl restart keycloak
Okey bizda Administration Console ochildi va kirganimizda quyidagi oyna ochilishi kerak
Bizda muammo chiqdi yani biz http bilan kiryapmiz keycloak esa SSL https talab qilyapti buning sababi biz keyloakni production modedda ishga tushirdik. Keling boshlanishga development modeda http bilan ishga tushiramiz. Keling keycloakdan SSL verificationni o'chirib qo'yamiz.
sudo /opt/keycloak/bin/kcadm.sh config credentials \
--server http://localhost:8080 \
--realm master \
--user admin \
--password adminparol239dw2
sudo /opt/keycloak/bin/kcadm.sh update realms/master -s sslRequired=NONE
Keycloakga restart beramiz.
sudo systemctl restart keycloak
Keycloakga brauzerdan qayta kirib Administration Consolega kirganimzida bizda quyidagi login qilib kirish uchun oyna ochiladi.
Login qilib kiramiz birinchi oyna.
Okey bizda hammasi ishlayapti biz muvaffaqiyatli keycloak 26.0.7 o'rnatdik va development modeda dastlabki sozlashni yakunladik.
16-chi versiyadan keyingilarni production modeda ishga tushirish
Keling endi production modeda ishga tushirib SSL bilan ishlatamiz.
1-> Birinchi navbtada DNS yordamida domainni serverga ulash uchun A record qo'shib serverimiz public IP'sini ulaymiz. Rasmda Ahost DNS orqali A record qo'shish namunasini ko'rsatilgan.
2 Serverga certbot o'rnatamiz va domenimizga SSL sertifikat generatsiya qilib olamiz. Masalan domenimiz auth.helm.uz.
sudo apt install certbot
sudo certbot certonly --standalone -d auth.helm.uz
certbot generatsiya qilgan sertifikatlar quyidagi papkada joylashgan bo'ladi /etc/letcenrypt/live/auth.helm.uz/
3-> Keycloak PKCS12
formatidagi keystore bilan ishlaydi, shuning uchun Let's Encrypt sertifikati mos formatga o'zgartirish kerak bo'ladi. Let's Encrypt sertifikatlari .pem
formatida bo'ladi PKCS12 keystore .pem
formatini kalit (key) va sertifikatni birlashtirib ishlatadi. Quyidagi buyruq bilan sertifikatni PKCS12
formatga o'tkazamiz -passout
ga keystore uchun parol qo'yishimiz kerak bo'ladi.
openssl pkcs12 -export \
-in /etc/letsencrypt/live/auth.helm.uz/fullchain.pem \
-inkey /etc/letsencrypt/live/auth.helm.uz/privkey.pem \
-out /etc/letsencrypt/live/auth.helm.uz/keystore.p12 \
-name keycloak \
-passout pass:adminCH@
4-> Yaratilgan keystore faylni tekshish uchun quyidagi buyruqni ishga tushirib ko'ramiz.
keytool -list -keystore /etc/letsencrypt/live/auth.helm.uz/keystore.p12 -storepass adminCH@
5-> Biz Keycloakni systemd bilan keycloak
user bilan ishga tushiramiz shuning uchun keycloak
userga keystore fayliga kirish permissionlarni berishimiz kerak bo'ladi.
sudo chown keycloak:keycloak /etc/letsencrypt/live/auth.helm.uz/keystore.p12
sudo chmod 640 /etc/letsencrypt/live/auth.helm.uz/keystore.p12
File permissionlarni tekshiramiz.
sudo ls -l /etc/letsencrypt/live/auth.helm.uz/keystore.p12
6-> Keycloakni production modeda ishga tushirishi uchun /etc/systemd/system/keycloak.service
faylini quyidagi o'zgartirishlarni kiritamiz.
[Unit]
Description=The Keycloak Server
After=syslog.target network.target
Before=httpd.service
[Service]
EnvironmentFile=-/etc/keycloak/keycloak.conf
Type=idle
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/bin/kc.sh start --optimized \
--https-key-store-file=/etc/letsencrypt/live/auth.helm.uz/keystore.p12 \
--https-key-store-password=adminCH@ \
--hostname=auth.helm.uz \
--https-port=443 \
--hostname-strict=false
StandardOutput=append:/var/log/keycloak.log
StandardError=inherit
RestartSec=2s
Restart=always
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitNOFILE=102642
[Install]
WantedBy=multi-user.target
Systemd konfiguratsiyasini yangilaymiz va restart beramiz.
sudo systemctl daemon-reload
sudo systemctl restart keycloak
7-> Keycloak statusini tekshiramiz.
sudo systemctl status keycloak
Loglarni kuzatamiz.
sudo tail -f /var/log/keycloak.log
Brauzer orqali https://auth.helm.uz
addresga kirganimizda keycloak SSL bilan ishlab turgan bo'lishi kerak.
Okey biz Keycloak 26.0.7
versiyasini muvaffaqiyatli production modeda ishga tushirdik tabriklayman.
Keycloakni PostgeSQL'ga ulash
Keycloak asosan foydalanuvchi ma'lumotlarini(user data) va konfiguratsiyani saqlash uchun ma'lumotlar bazasidan foydalanadi. Standart o'rnatishda Keycloak ichki H2 ma'lumotlar bazasi(embedded H2 database) bilan birga keladi, lekin bu faqat test qilish va development uchun tavsiya etiladi, chunkki u: memory-based va production environment uchun ishonchli emas, klasterlash va multiple instance'lar o'rtasida data sharing qo'llab quvvatlamaydi.
Keycloak quyidagi ma'lumotlarni databazaga yozadi:
- user data-> loginlar, profillar va parollar.
- authentication data-> sessionlar, tokenlar va authorization rulelar.
- configuration data-> realmslar(domain-like segments), clientlar, user rolelar va permissionlar.
Keycloak latest versiyasi quyidagi databaselarni qo'llab quvvatlaydi.
Database | Option value | Tested Versions |
---|---|---|
MariaDB Server | mariadb | 10.11 |
Microsoft SQL Server | mssql | 2022 |
MySQL | mysql | 8.0 |
Oracle Database | oracle | 19.3 |
PostgreSQL | postgres | 16 |
Amazon Aurora PostgeSQL | postgres | 16.1 |
Biz bu amaliyotda eng mashhur open source relational database management system bo'lgan PostgreSQLni Keycloak uchun sozlaymiz.
Sizda PostgreSQL o'rnatilgan va configuratsiya qilingan bo'lishi kerak quyidagi qo'llanmadan foydalanishingiz mumkin - Linux Serverlarga Postgresql o'rnatish (opens in a new tab)
16 - versiydan keyingi Keycloak
Bu bosqichda biz keycloak 16 versiyadan yuqori bo'lgan keyclok uchun databaza integratsiyasini ko'rib chiqamiz.
1-> PostgreSQL'da keycloak
databaza va keycloak_user
yaratib olishimiz kerak bo'ladi.
sudo -u postgres psql
CREATE DATABASE keycloak;
CREATE USER keycloak_user WITH PASSWORD 'kEyCl0@k';
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak_user;
ALTER DATABASE keycloak OWNER TO keycloak_user;
Keling tekshiramiz.
postgres=# \l
2-> Keycloak /etc/systemd/system/keycloak.service
si databazaga ulanish uchun quyidagicha o'zgartirishlar kiritamiz.
sudo nano /etc/systemd/system/keycloak.service
[Unit]
Description=The Keycloak Server
After=syslog.target network.target
Before=httpd.service
[Service]
EnvironmentFile=-/etc/keycloak/keycloak.conf
Type=idle
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/bin/kc.sh start --optimized \
--https-key-store-file=/etc/letsencrypt/live/auth.helm.uz/keystore.p12 \
--https-key-store-password=adminCH@ \
--hostname=auth.helm.uz \
--https-port=443 \
--hostname-strict=false \
--db-url=jdbc:postgresql://127.0.0.1:5432/keycloak \
--db-username=keycloak_user \
--db-password=kEyCl0@k
StandardOutput=append:/var/log/keycloak.log
StandardError=inherit
RestartSec=2s
Restart=always
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitNOFILE=102642
[Install]
WantedBy=multi-user.target
export KC_DB=postgres
echo $KC_DB
/opt/keycloak/bin/kc.sh build --db=postgres
3-> daemon-reload berib keyclok servicega restart beramiz va statusini tekshiramiz.
sudo systemctl daemon-reload
sudo systemctl restart keycloak
sudo systemctl status keycloak
keycloak
bazaga ulanib tablelarni ko'rsak keycloak tablelari chiqishi kerak.
4-> keycloak databazaga ulaganimizdan keyin admin user parolini yangilaymiz sababi Keycloak H2 databazasida admin user/parol yaratgandik va biz PostgreSQL bazag o'tdik admin user o'chib ketgan bo'lishi mumkin.
sudo systemctl stop keycloak
/opt/keycloak/bin/kc.sh bootstrap-admin user \
--bootstrap-admin-username admin \
--bootstrap-admin-password mEnlngP@s$W0rdlm \
--db=postgres \
--db-url=jdbc:postgresql://127.0.0.1:5432/keycloak \
--db-username=keycloak_user \
--db-password=kEyCl0@k
Buyruqni ishga tushirganingizdan keyin sizdan admin user va uning paroli so'raladi.
sudo systemctl daemon-reload
sudo systemctl restart keycloak
sudo systemctl status keycloak
Brauzer orqali https://auth.helm.uz
addresga kirganimizda keycloak https bilan ochilib admin/login page ochilishi kerak va yangi admin/passwordni kiritib login qilsak ishlashi kerak.
16 - versiyadan kichik
Bu bosqichda biz keycloak 16 versiyadan past bo'lgan keyclok uchun databaza integratsiyasini ko'rib chiqamiz.
1-> PostgreSQL'da keycloak
databaza va keycloak_user
yaratib olishimiz kerak bo'ladi.
sudo -u postgres psql
CREATE DATABASE keycloak;
CREATE USER keycloak_user WITH PASSWORD 'kEyCl0@k';
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak_user;
ALTER DATABASE keycloak OWNER TO keycloak_user;
Keling tekshiramiz.
postgres=# \l
2-> Keycloak PostgreSQL databazaga ulana olishi uchun PostgreSQl JDBC driveri kerak bo'ladi uni yuklab olamiz Java 17 uchun postgresql-42.7.3.jar
to'gri keladi yuklab olish sahifasi - PostgreSQL JDBC Driver (opens in a new tab)
cd /opt/keycloak/standalone/deployments/
wget https://jdbc.postgresql.org/download/postgresql-42.7.3.jar
3-> PostgeSQL JDBC driverini Keycloak'ning WildFly serverida ishlashi uchun modul qilib sozlashimiz kerak bo'ladi. PostgreSQL modul uchun directoriya yaratib olib unga JDBC driverni ko'chiramiz.
mkdir -p /opt/keycloak/modules/system/layers/base/org/postgresql/main
cp -r /opt/keycloak/standalone/deployments/postgresql-42.7.3.jar /opt/keycloak/modules/system/layers/base/org/postgresql/main/
module.xml
faylini yaratib olishimiz kerak bo'ladi.
sudo nano /opt/keycloak/modules/system/layers/base/org/postgresql/main/module.xml
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="org.postgresql">
<resources>
<resource-root path="postgresql-42.7.3.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
</module>
Bu fayl WildFly serveriga PostgreSQL drayveridan qanday foydalanishni aytadi.
4-> Keycloak PostgreSQL databazaga ulanishni uchun standalone.xml
faylini datasources
va drivers
qismlarini o'zgartirishimiz kerak.
sudo nano /opt/keycloak/standalone/configuration/standalone.xml
standalone.xml
ga quyidagcha o'zgatirish kiritamiz.
Maslahat: cat orqali standalone.xml
faylini ochib copy qilib birorta editorda ochib to'gri sintaksis bilan config qiling masalan VSCode, agar vim va nanoda yaxshi ishlashni bilmasangiz .xml
config qilishda sintaksis xatolar ko'p qilishingiz mumkin.
<datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
<driver>h2</driver>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
</datasource>
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:postgresql://127.0.0.1:5432/keycloak</connection-url>
<driver>postgresql</driver>
<security>
<user-name>keycloak_user</user-name>
<password>kEyCl0@k</password>
</security>
</datasource>
<drivers>
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
<driver name="postgresql" module="org.postgresql">
<xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
</driver>
</drivers>
</datasources>
5-> Keycloakni restart qilib qayta ishga tushiramiz.
sudo systemctl daemon-reload
sudo systemctl restart keycloak
sudo systemctl status keycloak
6-> Keycloak birinchi o'rnatganimizda unda H2 bazasida admin user yaratgandik PostgreSQL bazasiga o'tganimizda user o'chib ketadi qaytadan admin user yaratishimiz kerak bo'ladi.
sudo /opt/keycloak/bin/add-user-keycloak.sh -r master -u admin -p adminparol239dw2
development mode uchun SSL verificationni o'chiramiz.
sudo /opt/keycloak/bin/kcadm.sh config credentials \
--server http://localhost:8080/auth \
--realm master \
--user admin \
--password adminparol239dw2
sudo /opt/keycloak/bin/kcadm.sh update realms/master -s sslRequired=NONE
Restart berib qayta ishga tushiramiz.
sudo systemctl daemon-reload
sudo systemctl restart keycloak
7 Keycloak statusini va PostgreSQl databazani tekshiramiz.
sudo systemctl status keycloak
PostgreSQL keycloak
databazasiga ulanib tablelarni ko'rsak keycloak tablelari chiqishi kerak.
Brauzer orqali http://0.0.0.0/auth
addresga kirganimizda keycloak admin/login page ochilishi kerak va admin/passwordni kiritib login qilsak ishlashi kerak.
Nihoyat biz gemaroy Keycloakni OpenJDK bilan eski va yangi versiyalarni o'rnatib basic config qilishni va PostgreSQL databaza ulashni va keycloak 16 versiyadan keyingi versiyadagi keycloaklarni production modeda ishga tushirishni ko'rib chiqdik. Bilaman sizlarga bu bilan oson lekin yozgunimcha....
Keyingi qismlar Kubernetes/Docker orqali o'rnatib/sozlash va Keycloakni boshqa dasturlar bilan integratsiya qilishni ko'rib chiqamiz.
Sana: 2024.12.22(2024-yil 22-dekabr)
Oxirgi yangilanish: 2024.12.24(2024-yil 24-dekabr)
Muallif: Otabek Ismoilov
Telegram (opens in a new tab) | GitHub (opens in a new tab) | LinkedIn (opens in a new tab) |
---|