@jbenninghoff
Created September 15, 2020 17:13
Keycloak with TLS Config

Keycloak config

  1. Download OpenJDK version from keycloak.org
  2. Unpack
  3. Test
    1. ./bin/standalone.sh
    2. nc -w1 -i1 -v localhost 8080
  4. Config for systemd
    1. create keycloak.service (see sample at end)
    2. sudo cp keycloak.service /usr/lib/systemd/system/
    3. sudo systemctl enable --now keycloak.service
    4. sudo systemctl status keycloak.service
  5. Config for TLS
    1. Remove http element from ssl element in configuration/standalone.xml
    2. Create self-signed cert in configuration folder
      1. keytool -genkey -alias server -keyalg RSA -keystore keycloak.jks -keysize 2048
    3. Modify https element in ssl element to reflect self-signed cert
    4. Restart the keycloak service and verify TLS on port 8443 (TBD: change port?)
      1. timeout 1 openssl s_client -connect $(hostname -f):8443 |& head -22
  6. Test from remote system
    1. Modify standalone.sh to listen on all IPs (e.g. SERVER_OPTS=" -b 0.0.0.0 ")
    2. nc -w1 -i1 -v ip-172-31-22-39.us-west-2.compute.internal 8443
    3. Access https://ip-172-31-22-39.us-west-2.compute.internal:8443/ from browser
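An added check for steps 5.4 and 6.2 (example code, not part of the gist): a POSIX shell function that reads the output of `openssl s_client -connect HOST:8443` and confirms the served leaf certificate's CN is the expected host name, the negotiated protocol is TLS 1.2 or 1.3, and the only verify error is the self-signed one expected from the keytool-generated keystore. The host name keycloak.example.internal and the sample s_client output are constructed placeholders, and the parsing assumes the OpenSSL 1.1+ output layout.

```shell
#!/bin/sh
# Checks the output of: openssl s_client -connect HOST:8443 </dev/null 2>&1
# Constructed sample output (OpenSSL 1.1+ layout) standing in for a live run;
# the host name keycloak.example.internal is a placeholder.
SAMPLE='CONNECTED(00000003)
depth=0 CN = keycloak.example.internal, OU = Unknown, O = Unknown, C = Unknown
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:CN = keycloak.example.internal, OU = Unknown, O = Unknown, C = Unknown
   i:CN = keycloak.example.internal, OU = Unknown, O = Unknown, C = Unknown
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Verify return code: 18 (self signed certificate)'

# Subject CN of the leaf (" 0 s:") certificate, read from stdin.
cert_cn() { sed -n 's/^ 0 s:CN = \([^,]*\).*/\1/p'; }
# Negotiated protocol from the "New, <proto>, Cipher is ..." line.
tls_proto() { sed -n 's/^New, \([^,]*\),.*/\1/p'; }
# Numeric verify code from the "Verify return code: N (...)" line.
verify_code() { sed -n 's/^Verify return code: \([0-9]*\).*/\1/p'; }

# check_keycloak_tls EXPECTED_FQDN   (s_client output on stdin)
# Returns 0 when the leaf CN equals EXPECTED_FQDN, the protocol is TLS 1.2
# or 1.3, and the verify code is 0 (trusted) or 18/19 (self-signed, as
# expected for the keytool-generated cert); 1 otherwise, with a reason on stderr.
check_keycloak_tls() {
  out=$(cat)
  cn=$(printf '%s\n' "$out" | cert_cn)
  proto=$(printf '%s\n' "$out" | tls_proto)
  code=$(printf '%s\n' "$out" | verify_code)
  [ "$cn" = "$1" ] || { echo "CN mismatch: expected $1, got '$cn'" >&2; return 1; }
  case "$proto" in
    TLSv1.2|TLSv1.3) ;;
    *) echo "unexpected protocol: '$proto'" >&2; return 1 ;;
  esac
  case "$code" in
    0|18|19) ;;
    *) echo "unexpected verify code: '$code'" >&2; return 1 ;;
  esac
  return 0
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE" | check_keycloak_tls keycloak.example.internal && echo "TLS check passed"
```

Against a live server, pipe the real output instead of the sample: `openssl s_client -connect "$(hostname -f):8443" </dev/null 2>&1 | check_keycloak_tls "$(hostname -f)"`.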

cat keycloak.service

[Unit]
Description=Keycloak IDp
After=network.target time-sync.target

[Service]
Type=simple
ExecStart=/home/ec2-user/keycloak-10.0.2/bin/standalone.sh
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=30s

[Install]
WantedBy=multi-user.target


After the basic Keycloak service is configured and working, add the following via the web UI:

  1. Add a Realm
  2. Add users to the realm
  3. Add an OpenID "Client"
    1. Step through form using mostly defaults
    2. Pick a unique name
    3. Create a secret on Security tab
  4. Add a SAML "Client"
    1. Upload the Hue XML metadata with the upload button