Skip to content

Keycloak bilan Identity Server sozlash

Kirish

Bugungi raqamli landshaftda applicationlar va resurslarga kirishni ta'minlash muhim ahamiyatga ega. Identity and Access Management(IAM) yechimlari foydalanuvchi identifikatorlarini boshqarish, foydalanuvchilarni autentifikatsiya qilish va tashkilot ekotizimidagi turli resurslarga kirishni nazorat qilishda muhim rol o'ynaydi. Keycloak, open source IAM yechimi identifikatsiya va kirishni boshqarishni boshqarish uchun mustahkam va keng qamrovli platformani taklif etadi.

Keycloak foydalanuvchilarga bir marta autentifikatsiya qilish va bir nechta applicationlarga muammosiz kirish imkonini beruvchi single sign-on(SSO) yechimi sifatida xizmat qiladi. Red Hat tomonidan ishlab chiqilgan Keycloak OpenID Connect, OAuth 2.0 va SAML (Security Assertion Markup Language) kabi turli xil autentifikatsiya protokollarini qo'llab-quvvatlaydi, bu uni ko'p qirrali va turli xil foydalanish holatlariga moslashtiradi.

Keycloak-ning asosiy afzalliklaridan biri uning moslashuvchanligi(flexibility) va kengaytirilishidir(extensibility). U LDAP (Lightweight Directory Access Protocol) yoki Active Directory kabi mavjud identity storelari bilan birlashtirilishi mumkin, bu esa tashkilotlarga mavjud user repositoriyalaridan foydalanish imkonini beradi. Bundan tashqari, Keycloak user federation, fine-grained access control, multi-factor authentication va centralized user management kabi boy xususiyatlar to'plamini taklif etadi, bu esa tashkilotlarga xavfsizlik siyosatini samarali qo'llash imkonini beradi.

Ushbu texnik qo'llanma Keycloakni o'rnatish va configuratsiya qilish bo'yicha keng qamrovli ko'rsatmalar berishga qaratilgan. Ushbu qo'llanmaga amal qilish orqali admin/devopslar va dasturchilar o'z applicationlari xavfsizligini oshirish hamda foydalanuvchilari uchun autentifikatsiya va avtorizatsiya jarayonlarini soddalashtirish uchun Keycloak quvvatidan foydalanishlari mumkin.

Ishni boshlash

Ushbu amaliyotni amalga oshirish uchun bizga quyidagi minimum server talablaridagi server kerak bo'ladi.

Minimum Server talabi

OSRAMCPUXotiraStatic IP
Ubuntu 20.04 yoki RockyLinux 84GB2 core50GBHa kerak

Keycloak o'rnatish

Keycloak o'rnatishni biz ikki qismga bo'ldik ya'ni keycloak 16chi versiyagacha o'rnatish bosqacha bo'lgan va 17chi versiyadan boshlab o'rnatishdan katta o'zgarishlar bo'lgan shuning uchun biz 16 versiyagacha bo'lgan keycloak uchun alohida va 17dan boshlangan keycloak uchun boshqa o'rnatish qo'llanmasini yozdik. Keycloak versiyani loyihaning talablari yoki boshqa bo'gliklar orqali tanlaysiz.

Keycloakning o'rnatishning quyidagi usullari bor biz bugungi amaliyotda OpenJDK yordamida o'rnatamiz.

16-chi versiyagacha

1-> Serverni yangilaymiz va kerakli dasturlarni o'rnatib olamiz.

sudo yum update -y
sudo yum install git nano vim zip unzip wget curl gnupg -y

2-> OpenJDK 17'ni o'rnatamiz.

sudo yum install java-17-openjdk java-17-openjdk-devel -y

OpenJDK 17 o'rnatilgani quyidagi buyruq orqali tekshirib ko'rishingiz mumkin.

java -version

Terminalda quyidagi natija chiqishi kerak.

openjdk 17.0.13 2024-10-15 LTS
OpenJDK Runtime Environment (Red_Hat-17.0.13.0.11-1) (build 17.0.13+11-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-17.0.13.0.11-1) (build 17.0.13+11-LTS, mixed mode, sharing)

3-> Ushbu amaliyotda biz source code orqali Keycloak 15.0.0 versiyasini serverga o'rnatamiz. Buning uchun keycloak source kodlarini serverimiz /opt papkasiga yuklab olamiz va arxivdan chiqaramiz. Rasmiy Keycloak Downloads (opens in a new tab) sahifasi.

cd /opt
sudo wget https://github.com/keycloak/keycloak/releases/download/15.0.0/keycloak-15.0.0.tar.gz

4-> Yuklab olgan keycloak source kodlarni .tar.gz arxivini arxivdan chiqarib olamiz. Keycloak source kodlarini arxivdan chiqarib olganimizda source kodlar keycloak-15.0.0 papkasida bo'ladi biz uni nomini keycloakga o'zgartiramiz. Biz /opt papkasi ichidamiz.

sudo tar -xvzf keycloak-15.0.0.tar.gz
sudo mv keycloak-15.0.0 /opt/keycloak

5-> Xavfsizlik nuqtai nazaridan Keycloak dasturini root useri bilan ishga tushirmasligimiz kerak. Shuning uchun keycloakga linux user va group yaratib olamiz va keycloak home ishlaydigan directoriyasini /opt/keycloak qilib qo'yamiz.

sudo groupadd keycloak
sudo useradd -r -g keycloak -d /opt/keycloak -s /sbin/nologin keycloak

6-> Keycloak ishlashi uchun keycloak userga /opt/keycloak directoriyasi ownershiplikni beramiz va /opt/keycloak/bin/ directoriyaga executable permissionlarni beramiz.

cd /opt
sudo chown -R keycloak: keycloak
sudo chmod o+x /opt/keycloak/bin/

7-> Keycloakni SystemD orqali boshqarish uchun /etc directoriyada keycloak uchun konfiguratsiya directoriya ochib olamiz.

cd /etc/
sudo mkdir keycloak

8-> /opt/keycloak/docs/contrib/scripts/systemd/wildfly.conf directoriyadagi wildfly.conf faylini keycloak.conf nomi bilan /etc/keycloak/ directoriyaga ko'chiramiz.

sudo cp /opt/keycloak/docs/contrib/scripts/systemd/wildfly.conf /etc/keycloak/keycloak.conf

9-> Keycloakni ishga tushirish scriptni(launch.sh) faylini /opt/keycloak/docs/contrib/scripts/systemd/ directoriyadan /opt/keycloak/bin/ directoriyaga ko'chiramiz.

sudo cp /opt/keycloak/docs/contrib/scripts/systemd/launch.sh /opt/keycloak/bin/

Usbu sciptni keycloak user execute qilish uchun keycloak userni owner qilib qo'yamiz.

sudo chown keycloak: /opt/keycloak/bin/launch.sh

10-> launch.sh sciptda keycloak ishlaydigan directoriyani belgilashimiz kerak.

sudo nano /opt/keycloak/bin/launch.sh

Ya'ni /opt/wildfly ni /opt/keycloakga o'zgartiramiz.

#!/bin/bash
 
if [ "x$WILDFLY_HOME" = "x" ]; then
    WILDFLY_HOME="/opt/keycloak"
fi
 
if [[ "$1" == "domain" ]]; then
    $WILDFLY_HOME/bin/domain.sh -c $2 -b $3
else
    $WILDFLY_HOME/bin/standalone.sh -c $2 -b $3
fi

11-> /opt/keycloak/docs/contrib/scripts/systemd/ papkadagi wildfly.service faylini /etc/systemd/system/ papkaga keycloak.service nomi bilan nusxalaymiz.

sudo cp /opt/keycloak/docs/contrib/scripts/systemd/wildfly.service /etc/systemd/system/keycloak.service

12-> keycloak.service faylini nano/vim matn muharrida ochib quyidagicha o'zgartishlar kiritamiz.

sudo nano /etc/systemd/system/keycloak.service

Dastlab keycloak.service konfiguratsiyamniz quyidagi ko'rinishda bo'ladi

/etc/systemd/system/keycloak.service
[Unit]
Description=The WildFly Application Server
After=syslog.target network.target
Before=httpd.service
 
[Service]
Environment=LAUNCH_JBOSS_IN_BACKGROUND=1
EnvironmentFile=-/etc/wildfly/wildfly.conf
User=wildfly
LimitNOFILE=102642
PIDFile=/var/run/wildfly/wildfly.pid
ExecStart=/opt/wildfly/bin/launch.sh $WILDFLY_MODE $WILDFLY_CONFIG $WILDFLY_BIND
StandardOutput=null
 
[Install]
WantedBy=multi-user.target

Konfiguratsiyamizni yangilab o'zgarishlarni saqlab chiqamiz.

/etc/systemd/system/keycloak.service
[Unit]
Description=The Keycloak Server
After=syslog.target network.target
Before=httpd.service
 
[Service]
Environment=LAUNCH_JBOSS_IN_BACKGROUND=1
EnvironmentFile=-/etc/keycloak/keycloak.conf
User=keycloak
Group=keycloak
LimitNOFILE=102642
PIDFile=/var/run/keycloak/keycloak.pid
ExecStart=/opt/keycloak/bin/launch.sh $WILDFLY_MODE $WILDFLY_CONFIG $WILDFLY_BIND
StandardOutput=null
 
[Install]
WantedBy=multi-user.target

13-> systemd manager orqali daemon-reload berib keycloakni enable qilib qo'yamiz yani server o'chib yonganidan keyin o'chib qolmasdan auto-start bo'lib avtomatik ishga tushishi uchun.

sudo systemctl daemon-reload
sudo systemctl enable keycloak

14-> Keycloakni start berib ishga tushiramiz va statusini ko'ramiz.

sudo systemctl start keycloak
sudo systemctl status keycloak

15-> Keycloakni muvaffaqiyatli ishga tushirganimizdan keyin brauzer orqali serverimiz public IPsi bilan 8080 portiga kirganimizda bizda Keycloak oynasi ochilishi kerak.

http://0.0.0.0:8080/auth/

Keycloak hech qanday birinchi Administrator user bilan kelmaydi shuning uchun biz uni o'zimiz yaratib olishimiz kerak. Biz hozir localhost:8080 qilib kirmaganimiz uchun UI orqali admin user yarata olmaymiz shuning uchun add-user-keycloak.sh scripti orqali admin user yarataib olamiz.

sudo /opt/keycloak/bin/add-user-keycloak.sh -r master -u admin -p adminparol239dw2

Keycloak admin user yaratib olganimizdan keyin avtomatik master realm bilan birga keladi.

16-> Keycloakga restart berib brauzer orqali qayta kiramiz.

sudo systemctl restart keycloak

Okey bizda Administration Console ochildi va kirganimizda quyidagi oyna ochilishi kerak

Bizda muammo chiqdi yani biz http bilan kiryapmiz keycloak esa SSL https talab qilyapti, https talab qilishining sababi biz hozirni default holda production modeda ishga tushiryapmiz. Keling birinchisiga development modeda http bilan ishga tushiramiz. Keling keycloakdan SSL verificationni o'chirib qo'yamiz.

sudo /opt/keycloak/bin/kcadm.sh config credentials \
    --server http://localhost:8080/auth \
    --realm master \
    --user admin \
    --password adminparol239dw2
sudo /opt/keycloak/bin/kcadm.sh update realms/master -s sslRequired=NONE

Keycloakga restart beramiz.

sudo systemctl restart keycloak

Keycloakga brauzerdan qayta kirib Administration Consolega kirganimzida bizda quyidagi login qilib kirish uchun oyna ochiladi.

Login qilib kiramiz birinchi oyna.

Okey bizda hammasi ishlayapti biz muvaffaqiyatli keycloak 15.0.0 o'rnatdik va dastlabki sozlashni yakunladik.

16-chi versiyadan keyingilar

Ushbu o'rnatish 16-chi versiyadan baland bo'lgan keycloak uchun o'rnatish qo'llanmasi va biz bunda keycloak 26.0.7 latest versiyani o'rnatamiz.

1-> Serverni yangilaymiz va kerakli dasturlarni o'rnatib olamiz.

sudo dnf update -y
sudo dnf install git nano vim zip unzip wget curl gnupg -y

2-> OpenJDK 17'ni o'rnatamiz.

sudo dnf install java-21-openjdk -y

OpenJDK 21 o'rnatilgani quyidagi buyruq orqali tekshirib ko'rishingiz mumkin.

java -version

Terminalda quyidagi natija chiqishi kerak.

openjdk version "21.0.5" 2024-10-15 LTS
OpenJDK Runtime Environment (Red_Hat-21.0.5.0.10-1) (build 21.0.5+10-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-21.0.5.0.10-1) (build 21.0.5+10-LTS, mixed mode, sharing)

3-> Ushbu amaliyotda biz source code orqali Keycloak 26.0.7 versiyasni o'rnatamiz. Buning uchun keycloak source kodlarini serverimiz /opt papkasiga yuklab olamiz va arxivdan chiqaramiz. Rasmiy Keycloak Downloads (opens in a new tab) sahifasi.

cd /opt
sudo wget https://github.com/keycloak/keycloak/releases/download/26.0.7/keycloak-26.0.7.tar.gz

4-> Yuklab olgan keycloak source kodlarni .tar.gz arxivini arxivdan chiqarib olamiz. Keycloak source kodlarini arxivdan chiqarib olganimizda source kodlar keycloak-26.0.7 papkasida bo'ladi biz uni nomini keycloakga o'zgartiramiz. Biz /opt papkasi ichidamiz.

sudo tar -xvzf keycloak-26.0.7.tar.gz
sudo mv keycloak-26.0.7 /opt/keycloak

5-> Xavfsizlik nuqtai nazaridan Keycloak dasturini root useri bilan ishga tushirmasligimiz kerak. Shuning uchun keycloakga linux user va group yaratib olamiz va keycloak home ishlaydigan directoriyasini /opt/keycloak qilib qo'yamiz.

sudo groupadd keycloak
sudo useradd -r -g keycloak -d /opt/keycloak -s /sbin/nologin keycloak

6-> Keycloak ishlashi uchun keycloak userga /opt/keycloak directoriyasi ownershiplikni beramiz va /opt/keycloak/bin/ directoriyaga executable permissionlarni beramiz.

cd /opt
sudo chown -R keycloak: keycloak
sudo chmod o+x /opt/keycloak/bin/

7-> Keycloakni SystemD orqali boshqarish uchun /etc directoriyada keycloak uchun konfiguratsiya directoriya ochib olamiz.

cd /etc/
sudo mkdir keycloak

8-> /opt/keycloak/conf/keycloak.conf directoriyadagi keycloak.conf faylini /etc/keycloak/ directoriyaga ko'chiramiz.

sudo cp /opt/keycloak/conf/keycloak.conf /etc/keycloak/keycloak.conf

9-> Keycloakni systemd orqali boshqarish uchun keycloak.service faylini nano/vim matn muharrida ochib quyidagciha konfig qilamiz.

sudo nano /etc/systemd/system/keycloak.service

keycloak.service konfiguratsiyamniz quyidagi ko'rinishda bo'ladi.

/etc/systemd/system/keycloak.service
[Unit]
Description=The Keycloak Server
After=syslog.target network.target
Before=httpd.service
 
[Service]
EnvironmentFile=-/etc/keycloak/keycloak.conf
Type=idle
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/bin/kc.sh start-dev
StandardOutput=append:/var/log/keycloak.log
StandardError=inherit
RestartSec=2s
Restart=always
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitNOFILE=102642
 
[Install]
WantedBy=multi-user.target

13-> systemd manager orqali daemon-reload berib keycloakni enable qilib qo'yamiz yani server o'chib yonganidan keyin auto-start bo'lib avtomatik ishga tushishi uchun.

sudo systemctl daemon-reload
sudo systemctl enable keycloak

14-> Keycloakni start berib ishga tushiramiz va statusini ko'ramiz.

sudo systemctl start keycloak
sudo systemctl status keycloak

15-> Keycloakni muvaffaqiyatli ishga tushirganimizdan keyin brauzer orqali serverimiz public IPsi bilan 8080 portiga kirganimizda bizda Keycloak oynasi ochilishi kerak.

http://0.0.0.0:8080

Keycloak hech qanday birinchi Administrator user bilan kelmaydi shuning uchun biz uni o'zimiz yaratib olishimiz kerak. Biz hozir localhost:8080 qilib kirmaganimiz uchun UI orqali admin user yarata olmaymiz shuning uchun kc.sh scripti orqali admin user yaratib olamiz.

/opt/keycloak/bin/kc.sh bootstrap-admin user --username admin --password adminparol239dw2

Keycloak admin user yaratib olganimizdan keyin avtomatik master realm bilan birga keladi.

16-> Keycloakga restart berib brauzer orqali qayta kiramiz.

sudo systemctl restart keycloak

Okey bizda Administration Console ochildi va kirganimizda quyidagi oyna ochilishi kerak

Bizda muammo chiqdi yani biz http bilan kiryapmiz keycloak esa SSL https talab qilyapti buning sababi biz keyloakni production modedda ishga tushirdik. Keling boshlanishga development modeda http bilan ishga tushiramiz. Keling keycloakdan SSL verificationni o'chirib qo'yamiz.

sudo /opt/keycloak/bin/kcadm.sh config credentials \
    --server http://localhost:8080 \
    --realm master \
    --user admin \
    --password adminparol239dw2

sudo /opt/keycloak/bin/kcadm.sh update realms/master -s sslRequired=NONE

Keycloakga restart beramiz.

sudo systemctl restart keycloak

Keycloakga brauzerdan qayta kirib Administration Consolega kirganimzida bizda quyidagi login qilib kirish uchun oyna ochiladi.

Login qilib kiramiz birinchi oyna.

Okey bizda hammasi ishlayapti biz muvaffaqiyatli keycloak 26.0.7 o'rnatdik va development modeda dastlabki sozlashni yakunladik.

16-chi versiyadan keyingilarni production modeda ishga tushirish

Keling endi production modeda ishga tushirib SSL bilan ishlatamiz.

1-> Birinchi navbtada DNS yordamida domainni serverga ulash uchun A record qo'shib serverimiz public IP'sini ulaymiz. Rasmda Ahost DNS orqali A record qo'shish namunasini ko'rsatilgan.

2 Serverga certbot o'rnatamiz va domenimizga SSL sertifikat generatsiya qilib olamiz. Masalan domenimiz auth.helm.uz.

sudo apt install certbot
sudo certbot certonly --standalone -d auth.helm.uz

certbot generatsiya qilgan sertifikatlar quyidagi papkada joylashgan bo'ladi /etc/letcenrypt/live/auth.helm.uz/

3-> Keycloak PKCS12 formatidagi keystore bilan ishlaydi, shuning uchun Let's Encrypt sertifikati mos formatga o'zgartirish kerak bo'ladi. Let's Encrypt sertifikatlari .pem formatida bo'ladi PKCS12 keystore .pem formatini kalit (key) va sertifikatni birlashtirib ishlatadi. Quyidagi buyruq bilan sertifikatni PKCS12 formatga o'tkazamiz -passoutga keystore uchun parol qo'yishimiz kerak bo'ladi.

openssl pkcs12 -export \
  -in /etc/letsencrypt/live/auth.helm.uz/fullchain.pem \
  -inkey /etc/letsencrypt/live/auth.helm.uz/privkey.pem \
  -out /etc/letsencrypt/live/auth.helm.uz/keystore.p12 \
  -name keycloak \
  -passout pass:adminCH@

4-> Yaratilgan keystore faylni tekshish uchun quyidagi buyruqni ishga tushirib ko'ramiz.

keytool -list -keystore /etc/letsencrypt/live/auth.helm.uz/keystore.p12 -storepass adminCH@

5-> Biz Keycloakni systemd bilan keycloak user bilan ishga tushiramiz shuning uchun keycloak userga keystore fayliga kirish permissionlarni berishimiz kerak bo'ladi.

sudo chown keycloak:keycloak /etc/letsencrypt/live/auth.helm.uz/keystore.p12
sudo chmod 640 /etc/letsencrypt/live/auth.helm.uz/keystore.p12

File permissionlarni tekshiramiz.

sudo ls -l /etc/letsencrypt/live/auth.helm.uz/keystore.p12

6-> Keycloakni production modeda ishga tushirishi uchun /etc/systemd/system/keycloak.service faylini quyidagi o'zgartirishlarni kiritamiz.

/etc/systemd/system/keycloak.service
[Unit]
Description=The Keycloak Server
After=syslog.target network.target
Before=httpd.service
 
[Service]
EnvironmentFile=-/etc/keycloak/keycloak.conf
Type=idle
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/bin/kc.sh start --optimized \
  --https-key-store-file=/etc/letsencrypt/live/auth.helm.uz/keystore.p12 \
  --https-key-store-password=adminCH@ \
  --hostname=auth.helm.uz \
  --https-port=443 \
  --hostname-strict=false
StandardOutput=append:/var/log/keycloak.log
StandardError=inherit
RestartSec=2s
Restart=always
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitNOFILE=102642
 
[Install]
WantedBy=multi-user.target

Systemd konfiguratsiyasini yangilaymiz va restart beramiz.

sudo systemctl daemon-reload
sudo systemctl restart keycloak

7-> Keycloak statusini tekshiramiz.

sudo systemctl status keycloak

Loglarni kuzatamiz.

sudo tail -f /var/log/keycloak.log

Brauzer orqali https://auth.helm.uz addresga kirganimizda keycloak SSL bilan ishlab turgan bo'lishi kerak.

Okey biz Keycloak 26.0.7 versiyasini muvaffaqiyatli production modeda ishga tushirdik tabriklayman.

Keycloakni PostgeSQL'ga ulash

Keycloak asosan foydalanuvchi ma'lumotlarini(user data) va konfiguratsiyani saqlash uchun ma'lumotlar bazasidan foydalanadi. Standart o'rnatishda Keycloak ichki H2 ma'lumotlar bazasi(embedded H2 database) bilan birga keladi, lekin bu faqat test qilish va development uchun tavsiya etiladi, chunkki u: memory-based va production environment uchun ishonchli emas, klasterlash va multiple instance'lar o'rtasida data sharing qo'llab quvvatlamaydi.

Keycloak quyidagi ma'lumotlarni databazaga yozadi:

  • user data-> loginlar, profillar va parollar.
  • authentication data-> sessionlar, tokenlar va authorization rulelar.
  • configuration data-> realmslar(domain-like segments), clientlar, user rolelar va permissionlar.

Keycloak latest versiyasi quyidagi databaselarni qo'llab quvvatlaydi.

DatabaseOption valueTested Versions
MariaDB Servermariadb10.11
Microsoft SQL Servermssql2022
MySQLmysql8.0
Oracle Databaseoracle19.3
PostgreSQLpostgres16
Amazon Aurora PostgeSQLpostgres16.1

Biz bu amaliyotda eng mashhur open source relational database management system bo'lgan PostgreSQLni Keycloak uchun sozlaymiz.

Sizda PostgreSQL o'rnatilgan va configuratsiya qilingan bo'lishi kerak quyidagi qo'llanmadan foydalanishingiz mumkin - Linux Serverlarga Postgresql o'rnatish (opens in a new tab)

16 - versiydan keyingi Keycloak

Bu bosqichda biz keycloak 16 versiyadan yuqori bo'lgan keyclok uchun databaza integratsiyasini ko'rib chiqamiz.

1-> PostgreSQL'da keycloak databaza va keycloak_user yaratib olishimiz kerak bo'ladi.

sudo -u postgres psql
CREATE DATABASE keycloak;
CREATE USER keycloak_user WITH PASSWORD 'kEyCl0@k';
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak_user;
ALTER DATABASE keycloak OWNER TO keycloak_user;

Keling tekshiramiz.

postgres=# \l

2-> Keycloak /etc/systemd/system/keycloak.servicesi databazaga ulanish uchun quyidagicha o'zgartirishlar kiritamiz.

sudo nano /etc/systemd/system/keycloak.service
/etc/systemd/system/keycloak.service
[Unit]
Description=The Keycloak Server
After=syslog.target network.target
Before=httpd.service
 
[Service]
EnvironmentFile=-/etc/keycloak/keycloak.conf
Type=idle
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/bin/kc.sh start --optimized \
  --https-key-store-file=/etc/letsencrypt/live/auth.helm.uz/keystore.p12 \
  --https-key-store-password=adminCH@ \
  --hostname=auth.helm.uz \
  --https-port=443 \
  --hostname-strict=false \
  --db-url=jdbc:postgresql://127.0.0.1:5432/keycloak \
  --db-username=keycloak_user \
  --db-password=kEyCl0@k
StandardOutput=append:/var/log/keycloak.log
StandardError=inherit
RestartSec=2s
Restart=always
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitNOFILE=102642
 
[Install]
WantedBy=multi-user.target
export KC_DB=postgres
echo $KC_DB
/opt/keycloak/bin/kc.sh build --db=postgres

3-> daemon-reload berib keyclok servicega restart beramiz va statusini tekshiramiz.

sudo systemctl daemon-reload
sudo systemctl restart keycloak
sudo systemctl status keycloak

keycloak bazaga ulanib tablelarni ko'rsak keycloak tablelari chiqishi kerak.

4-> keycloak databazaga ulaganimizdan keyin admin user parolini yangilaymiz sababi Keycloak H2 databazasida admin user/parol yaratgandik va biz PostgreSQL bazag o'tdik admin user o'chib ketgan bo'lishi mumkin.

sudo systemctl stop keycloak
/opt/keycloak/bin/kc.sh bootstrap-admin user \
  --bootstrap-admin-username admin \
  --bootstrap-admin-password mEnlngP@s$W0rdlm \
  --db=postgres \
  --db-url=jdbc:postgresql://127.0.0.1:5432/keycloak \
  --db-username=keycloak_user \
  --db-password=kEyCl0@k

Buyruqni ishga tushirganingizdan keyin sizdan admin user va uning paroli so'raladi.

sudo systemctl daemon-reload
sudo systemctl restart keycloak
sudo systemctl status keycloak

Brauzer orqali https://auth.helm.uz addresga kirganimizda keycloak https bilan ochilib admin/login page ochilishi kerak va yangi admin/passwordni kiritib login qilsak ishlashi kerak.

16 - versiyadan kichik

Bu bosqichda biz keycloak 16 versiyadan past bo'lgan keyclok uchun databaza integratsiyasini ko'rib chiqamiz.

1-> PostgreSQL'da keycloak databaza va keycloak_user yaratib olishimiz kerak bo'ladi.

sudo -u postgres psql
CREATE DATABASE keycloak;
CREATE USER keycloak_user WITH PASSWORD 'kEyCl0@k';
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak_user;
ALTER DATABASE keycloak OWNER TO keycloak_user;

Keling tekshiramiz.

postgres=# \l

2-> Keycloak PostgreSQL databazaga ulana olishi uchun PostgreSQl JDBC driveri kerak bo'ladi uni yuklab olamiz Java 17 uchun postgresql-42.7.3.jar to'gri keladi yuklab olish sahifasi - PostgreSQL JDBC Driver (opens in a new tab)

cd /opt/keycloak/standalone/deployments/
wget https://jdbc.postgresql.org/download/postgresql-42.7.3.jar

3-> PostgeSQL JDBC driverini Keycloak'ning WildFly serverida ishlashi uchun modul qilib sozlashimiz kerak bo'ladi. PostgreSQL modul uchun directoriya yaratib olib unga JDBC driverni ko'chiramiz.

mkdir -p /opt/keycloak/modules/system/layers/base/org/postgresql/main
cp -r /opt/keycloak/standalone/deployments/postgresql-42.7.3.jar /opt/keycloak/modules/system/layers/base/org/postgresql/main/

module.xml faylini yaratib olishimiz kerak bo'ladi.

sudo nano /opt/keycloak/modules/system/layers/base/org/postgresql/main/module.xml
/opt/keycloak/modules/system/layers/base/org/postgresql/main/module.xml
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="org.postgresql">
    <resources>
        <resource-root path="postgresql-42.7.3.jar"/>
    </resources>
    <dependencies>
        <module name="javax.api"/>
        <module name="javax.transaction.api"/>
    </dependencies>
</module>

Bu fayl WildFly serveriga PostgreSQL drayveridan qanday foydalanishni aytadi.

4-> Keycloak PostgreSQL databazaga ulanishni uchun standalone.xml faylini datasources va drivers qismlarini o'zgartirishimiz kerak.

sudo nano /opt/keycloak/standalone/configuration/standalone.xml

standalone.xmlga quyidagcha o'zgatirish kiritamiz.

Maslahat: cat orqali standalone.xml faylini ochib copy qilib birorta editorda ochib to'gri sintaksis bilan config qiling masalan VSCode, agar vim va nanoda yaxshi ishlashni bilmasangiz .xml config qilishda sintaksis xatolar ko'p qilishingiz mumkin.

/opt/keycloak/standalone/configuration/standalone.xml
<datasources>
    <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
        <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
        <driver>h2</driver>
        <security>
            <user-name>sa</user-name>
            <password>sa</password>
        </security>
    </datasource>
    <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
        <connection-url>jdbc:postgresql://127.0.0.1:5432/keycloak</connection-url>
        <driver>postgresql</driver>
        <security>
            <user-name>keycloak_user</user-name>
            <password>kEyCl0@k</password>
        </security>
    </datasource>
    <drivers>
        <driver name="h2" module="com.h2database.h2">
            <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
        </driver>
        <driver name="postgresql" module="org.postgresql">
            <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
        </driver>
    </drivers>
</datasources>

5-> Keycloakni restart qilib qayta ishga tushiramiz.

sudo systemctl daemon-reload
sudo systemctl restart keycloak
sudo systemctl status keycloak

6-> Keycloak birinchi o'rnatganimizda unda H2 bazasida admin user yaratgandik PostgreSQL bazasiga o'tganimizda user o'chib ketadi qaytadan admin user yaratishimiz kerak bo'ladi.

sudo /opt/keycloak/bin/add-user-keycloak.sh -r master -u admin -p adminparol239dw2

development mode uchun SSL verificationni o'chiramiz.

sudo /opt/keycloak/bin/kcadm.sh config credentials \
    --server http://localhost:8080/auth \
    --realm master \
    --user admin \
    --password adminparol239dw2
sudo /opt/keycloak/bin/kcadm.sh update realms/master -s sslRequired=NONE

Restart berib qayta ishga tushiramiz.

sudo systemctl daemon-reload
sudo systemctl restart keycloak 

7 Keycloak statusini va PostgreSQl databazani tekshiramiz.

sudo systemctl status keycloak

PostgreSQL keycloak databazasiga ulanib tablelarni ko'rsak keycloak tablelari chiqishi kerak.

Brauzer orqali http://0.0.0.0/auth addresga kirganimizda keycloak admin/login page ochilishi kerak va admin/passwordni kiritib login qilsak ishlashi kerak.

Nihoyat biz gemaroy Keycloakni OpenJDK bilan eski va yangi versiyalarni o'rnatib basic config qilishni va PostgreSQL databaza ulashni va keycloak 16 versiyadan keyingi versiyadagi keycloaklarni production modeda ishga tushirishni ko'rib chiqdik. Bilaman sizlarga bu bilan oson lekin yozgunimcha....

Keyingi qismlar Kubernetes/Docker orqali o'rnatib/sozlash va Keycloakni boshqa dasturlar bilan integratsiya qilishni ko'rib chiqamiz.

Sana: 2024.12.22(2024-yil 22-dekabr)

Oxirgi yangilanish: 2024.12.24(2024-yil 24-dekabr)

Muallif: Otabek Ismoilov

Telegram (opens in a new tab)GitHub (opens in a new tab)LinkedIn (opens in a new tab)