Lesson in Brief: Starting Keycloak 17 Including On Boot And Next Steps
We're approaching the finish line with our Keycloak 17 series, with just a couple more things to take care of. In this final article, we'll be getting our Keycloak server up and running, along with getting it to start when the machine reboots, and looking at some port considerations and next steps for integrating with FileMaker. Let's get this finished up!
Starting Keycloak
At the end of the last article, we adjusted the Keycloak configuration file. Every time that configuration gets changed, you need to execute the command below to rebuild the server configuration - don't forget to do this or you'll either get an error message or your updates just won't show. So, we're going to navigate to the correct folder, build the server, set some environment variables with our initial Keycloak admin username and password (be sure to update the placeholders with your own credentials), then start the server, make sure we can get to it, then kill it... We'll explain why...
cd /opt/keycloak/keycloak-17.0.0
sudo bin/kc.sh build
export KEYCLOAK_ADMIN=username
export KEYCLOAK_ADMIN_PASSWORD=password
sudo -E bin/kc.sh start
Note that the -E flag (which tells sudo to preserve the current environment) is only necessary on the initial boot, in order to pass through the environment variables which set the initial admin credentials. Should you have a need to do a manual start again at some point, omit it.
Give it about a minute to get up and running (it needs to create the database schema). Once you see the lines similar to the below, it should be ready (note timestamps have been omitted):
INFO [org.keycloak.services] (main) KC-SERVICES0050: Initializing master realm
INFO [org.keycloak.services] (main) KC-SERVICES0009: Added user 'username' to realm 'master'
INFO [io.quarkus] (main) Keycloak 17.0.0 on JVM (powered by Quarkus 2.7.0.Final) started in 70.268s. Listening on: https://0.0.0.0:8443
INFO [io.quarkus] (main) Profile prod activated.
INFO [io.quarkus] (main) Installed features: [agroal, cdi...
Then open a browser and go to (update to your domain) https://keycloak.mydomain.com:8443. You should see the Welcome to Keycloak page with the Administration Console link available.
Sweet! It'll be tempting to click the admin link and start exploring, but hold your horses there... We ran into some issues when we stopped Keycloak very soon after starting it up, so go grab a coffee or something and leave things as they are for about 5 minutes.
Ok, left it for a while? Great, let's stop Keycloak by hitting Ctrl-Z. Now we'll set up a systemd unit file for it to run when the machine boots.
Configuring Keycloak To Start Up On Boot
Let's just jump in and make a new text file in the correct directory:
sudo nano /etc/systemd/system/keycloak.service
Now, copy and paste the text below into that file - you shouldn't need to make any changes if you've been following along:
# /etc/systemd/system/keycloak.service
[Unit]
Description=Keycloak Server
After=syslog.target network.target mysql.service
Before=httpd.service

[Service]
User=keycloak
Group=keycloak
SuccessExitStatus=0 143
ExecStart=!/opt/keycloak/keycloak-17.0.0/bin/kc.sh start

[Install]
WantedBy=multi-user.target
Again hit Ctrl-O and Enter to save and then Ctrl-X to exit the text editor. Now we'll reload the daemon, enable the service and reboot!
sudo systemctl daemon-reload
sudo systemctl enable keycloak
sudo shutdown -r now
Once the machine has rebooted, give it about 10 seconds and then check to see if Keycloak is running:
sudo systemctl status keycloak
If that shows "active (running)" then you're good and you should be able to access Keycloak using the link above. Hit Ctrl-Z to exit that.
DISCLAIMER: It should be pointed out that the systemd unit file, as it is currently set up, is using elevated privileges to start Keycloak, which is not ideal. However, issues encountered during testing required this and we could find no alternative. We hope at some point these issues can be resolved and we will update this article accordingly when that time comes. While we hope to keep these tutorials as simple as possible for greater adoption, another approach would be to use a reverse proxy to work around this issue.
Port Configuration
Keycloak's default SSL port is 8443. During testing, we found that we needed to add this port number to the hostname in the configuration file. If we didn't, the Welcome To Keycloak page would load (on port 8443) but when clicking the Administration Console link, the address switched to plain https without a port number (essentially port 443). We're not sure if this is a bug or intended but it was one of the things that threw us during our exploration of Keycloak 17.
As we've pointed out in previous articles, currently FileMaker Server only allows for a custom IdP to run on port 443 - we can only hope that at some point this will change. So if you want to run Keycloak for FileMaker, you need to run it on 443. Open the configuration file again, remove the port number from the hostname entry and add the https-port as below:
sudo nano /opt/keycloak/keycloak-17.0.0/conf/keycloak.conf
# Hostname for the Keycloak server.
hostname=keycloak.mydomain.com
# Use port 443
https-port=443
Hit Ctrl-O and Enter to save and then Ctrl-X to exit the text editor. Don't forget, you adjusted the Keycloak configuration file so you need to do a build:
cd /opt/keycloak/keycloak-17.0.0
sudo bin/kc.sh build
As we've changed the port we're using from the default Keycloak SSL port to standard SSL, we need to update the firewall rules - we'll delete the 8443 rule and allow 443:
sudo ufw delete allow 8443/tcp
sudo ufw allow 443/tcp
You can always check the status of the firewall by running the command below:
sudo ufw status
Now let's reboot one final time:
sudo shutdown -r now
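After that final reboot it is worth confirming, in one go, that everything this series set up actually came back: the systemd unit is active, the startup log shows Keycloak listening on the port you configured (not still on 8443), the firewall allows 443/tcp and no longer allows 8443/tcp, and the TLS endpoint answers. The script below is an added example and not part of the original article or of Keycloak itself. It assumes the unit name keycloak, the hostname keycloak.mydomain.com and the https-port of 443 used above; the sample status, log and ufw text embedded in it is constructed (modelled on the article's own log excerpt) so the checks can be exercised offline, and the live checks only run when you pass --live on the server.

```shell
#!/usr/bin/env bash
# Post-reboot health check for the Keycloak 17 install described in this article.
# Added example, not part of the original article. Assumes the unit name "keycloak",
# the article's hostname keycloak.mydomain.com and the final https-port of 443.
set -u

KC_HOST="${KC_HOST:-keycloak.mydomain.com}"   # assumption: hostname from the article
KC_PORT="${KC_PORT:-443}"                     # assumption: the port set via https-port=443

# 1. Does `systemctl status keycloak` output report the unit as active (running)?
kc_unit_is_active() {
  printf '%s\n' "$1" | grep -q 'Active: active (running)'
}

# 2. Does the startup log contain the "started ... Listening on:" line shown in the article?
kc_log_shows_started() {
  printf '%s\n' "$1" | grep -q 'Keycloak 17\.0\.0 on JVM .* started in .*Listening on:'
}

# Extract the URL Keycloak says it is listening on (empty if the line is absent).
kc_listen_url() {
  printf '%s\n' "$1" | sed -n 's/.*Listening on: \([^ ]*\).*/\1/p' | head -n 1
}

# 3. Is that URL on the port we expect? Catches the 8443-vs-443 mix-up the article describes.
kc_log_listens_on_port() {
  kc_listen_url "$1" | grep -q ":$2\$"
}

# 4. Does `ufw status` output allow 443/tcp and no longer allow 8443/tcp?
kc_firewall_ok() {
  printf '%s\n' "$1" | grep -Eq '^443/tcp +ALLOW' || return 1
  if printf '%s\n' "$1" | grep -Eq '^8443/tcp +ALLOW'; then return 1; fi
  return 0
}

# Constructed sample output (modelled on the article's log excerpt) so the checks run offline.
SAMPLE_STATUS='keycloak.service - Keycloak Server
     Loaded: loaded (/etc/systemd/system/keycloak.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-03-07 09:12:01 UTC; 10s ago'
SAMPLE_LOG="INFO [org.keycloak.services] (main) KC-SERVICES0050: Initializing master realm
INFO [org.keycloak.services] (main) KC-SERVICES0009: Added user 'username' to realm 'master'
INFO [io.quarkus] (main) Keycloak 17.0.0 on JVM (powered by Quarkus 2.7.0.Final) started in 70.268s. Listening on: https://0.0.0.0:8443
INFO [io.quarkus] (main) Profile prod activated."
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere'
SAMPLE_UFW_BAD='Status: active

To                         Action      From
--                         ------      ----
8443/tcp                   ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere'

# Print PASS/FAIL for a labelled check without aborting the run.
kc_report() {
  local label="$1"; shift
  if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

if [ "${1:-}" = "--live" ]; then
  # Real checks on the server itself (needs systemctl, journalctl, ufw and curl installed).
  kc_report "unit active"        kc_unit_is_active "$(systemctl status keycloak 2>&1)"
  kc_report "log shows started"  kc_log_shows_started "$(journalctl -u keycloak --no-pager 2>&1)"
  kc_report "listening on $KC_PORT" kc_log_listens_on_port "$(journalctl -u keycloak --no-pager 2>&1)" "$KC_PORT"
  kc_report "firewall 443 only"  kc_firewall_ok "$(sudo ufw status 2>&1)"
  # Finally confirm the TLS endpoint answers; -f turns an HTTP error status into a failure.
  kc_report "https endpoint"     curl -fsS -o /dev/null "https://$KC_HOST:$KC_PORT/"
else
  # Offline demonstration against the constructed samples above.
  kc_report "unit active"        kc_unit_is_active "$SAMPLE_STATUS"
  kc_report "log shows started"  kc_log_shows_started "$SAMPLE_LOG"
  kc_report "listening on 8443"  kc_log_listens_on_port "$SAMPLE_LOG" 8443   # sample predates the move to 443
  kc_report "firewall 443 only"  kc_firewall_ok "$SAMPLE_UFW"
  kc_report "firewall rejects stale 8443 rule" kc_firewall_ok "$SAMPLE_UFW_BAD"
fi
```

Run it as ./kc-check.sh --live on the server once it is back up; a FAIL on "listening on 443" after the port change almost always means the build step was skipped after editing keycloak.conf, and a FAIL on the firewall check means the 8443 rule was never deleted. Without arguments it only exercises the checks against the embedded samples, so the last line is expected to print FAIL (the bad sample still allows 8443/tcp).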
Next Steps
So, now you have your Keycloak server up and running, what's next? Well, setting up FileMaker to work with it would be a great option!
Configuring Keycloak For FileMaker Server:
- Learn how to set up an instance of FileMaker Server in Keycloak, within the Admin console: Setting Up A Keycloak Server For Authenticating To FileMaker: Part 5: Configuring Keycloak
If you're below FileMaker Server 19.4:
- Consider upgrading!
- Use our guide here to configure FileMaker Server: Setting Up A Keycloak Server For Authenticating To FileMaker: Part 6: Configuring FileMaker
If you're at or above FileMaker Server 19.4:
- Woo hoo, your life just became way easier!
- Use our guide here to configure FileMaker Server: Setting Up A Keycloak Server For Authenticating To FileMaker: Part 9: Custom IdP Options In FileMaker 19.4
And then:
- Set up two-factor authentication: Setting Up A Keycloak Server For Authenticating To FileMaker: Part 7: Configuring Two Factor Authentication
- Set up password-less authentication (very cool!): Setting Up A Keycloak Server For Authenticating To FileMaker: Part 8: Secure Password-Less Authentication
- If you're using, say, Google for authentication but would like to utilize groups, head over to an article by Jason Wood of Define Database for FileMaker group-based authentication with Google and Keycloak.
Finally, there's plenty more to explore with Keycloak, depending on your individual set up and needs. Head over to their:
- Documentation section for an overview
- All configuration options for that super sweet configuration file
- The Keycloak blog for all their latest news
- And there's a pretty active Keycloak forum for questions or browsing what others are having trouble with
Summary
So, that's Keycloak 17 in a nutshell, or less of a nutshell than it used to be. We're excited by the move to Quarkus, and with 17.0.0 being the initial release on the new underlying technology, we can only expect that more improvements, with community feedback, will be forthcoming. If the speed and frequency of previous Keycloak releases are anything to go by, we're in for some treats ahead! But, fundamentally, this is all about securing your FileMaker solutions with the offerings of modern security - two-factor or multi-factor authentication, YubiKeys and so forth. If you have the slightest interest, please give Keycloak a shot, you won't be disappointed. And if you'd like some help, don't hesitate to contact us. Good luck. Stay secure.