Keycloak 15.0.2 high-availability installation
Environment
Two Keycloak nodes (kc00 and kc01) share a single MySQL 8 database on db00.
hostname | IP | OS | CPU | Memory | Disk
--- | --- | --- | --- | --- | ---
kc00.iam.infra.lab.ecnl | 10.0.1.10 | CentOS 8 | Intel(R) Xeon(R) Gold 6212U CPU @ 2.40GHz, 36MB | 8G | 160G
kc01.iam.infra.lab.ecnl | 10.0.1.11 | CentOS 8 | Intel(R) Xeon(R) Gold 6212U CPU @ 2.40GHz, 36MB | 8G | 160G
db00.iam.infra.lab.ecnl | 10.0.1.12 | CentOS 8 | Intel(R) Xeon(R) Gold 6212U CPU @ 2.40GHz, 36MB | 8G | 160G
I. Install MySQL 8 on db00
1. Environment check
Check whether MySQL is already installed (no output means nothing is installed):
$ rpm -qa | grep mysql
Check the OS version:
$ cat /etc/redhat-release
CentOS Linux release 8.4.2105
2. Prepare the yum repository
Download the MySQL repository package from the official site:
$ curl -L -O https://dev.mysql.com/get/mysql80-community-release-el8-1.noarch.rpm
------------------------------------------------------------------------------------------------------------
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
100 30388 100 30388 0 0 13310 0 0:00:02 0:00:02 --:--:-- 35834
Install the repository package:
$ yum install -y mysql80-community-release-el8-1.noarch.rpm
Check that the repositories are enabled:
$ yum repolist enabled | grep "mysql.*-community.*"
mysql-connectors-community MySQL Connectors Community
mysql-tools-community MySQL Tools Community
mysql80-community MySQL 8.0 Community Server
Disable the MySQL AppStream module that EL8 enables by default; while it is enabled it shadows the packages from the MySQL repository:
$ yum module disable mysql
------------------------------------------------------------------------------------------------------------
Last metadata expiration check: 3:18:07 ago on Sat 18 Sep 2021 07:50:36 AM CST.
Dependencies resolved.
============================================================================================================
Package Architecture Version Repository Size
============================================================================================================
Disabling modules:
mysql
Transaction Summary
============================================================================================================
Is this ok [y/N]: y
Complete!
3. Install and start MySQL
$ yum install mysql-community-server
List the installed MySQL packages:
$ rpm -qa | grep mysql
mysql-community-client-8.0.26-1.el8.x86_64
mysql80-community-release-el8-1.noarch
mysql-community-common-8.0.26-1.el8.x86_64
mysql-community-libs-8.0.26-1.el8.x86_64
mysql-community-server-8.0.26-1.el8.x86_64
mysql-community-client-plugins-8.0.26-1.el8.x86_64
Start the mysqld service and enable it at boot:
$ systemctl start mysqld
$ systemctl enable mysqld
4. Configure MySQL
Find the temporary root password generated on first start:
$ grep 'temporary password' /var/log/mysqld.log
------------------------------------------------------------------------------------------------------------
2021-09-15T09:42:16.146993Z 6 [Note] [MY-010454] [Server] A temporary password is generated for root@localhost: JhF6xIzp7v&i
Log in. Type the temporary password at the prompt instead of passing it after -p: the generated password contains shell metacharacters (an unquoted & backgrounds the command), and anything given on the command line ends up in the shell history.
$ mysql -uroot -p
Enter password:
Change the password. The default validate_password policy (MEDIUM) requires at least one uppercase letter, one lowercase letter, one digit and one special character, with a total length of at least 8 characters.
mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'Shichw2021!';
Query OK, 0 rows affected (0.01 sec)
5. Create the keycloak user
mysql> CREATE USER 'keycloak'@'%' IDENTIFIED BY 'Shichw2021!';
Query OK, 0 rows affected (0.03 sec)
The host part '%' lets this account connect from any address, and it reuses the root password; both are shortcuts for the lab. In a real deployment restrict the account to the two Keycloak nodes (10.0.1.10 and 10.0.1.11) and give it its own password.
Create the keycloak database and grant the keycloak user access to it:
mysql> CREATE DATABASE keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;
Query OK, 1 row affected, 2 warnings (0.01 sec)
The two warnings are MySQL 8 pointing out that utf8 is an alias for the 3-byte utf8mb3 character set and that its collations are deprecated; the database is still created as requested.
mysql> GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'%';
Query OK, 0 rows affected (0.01 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
List the databases:
mysql> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keycloak |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.01 sec)
Log in as the keycloak user and list the databases it can see (again, enter the password at the prompt; a bare ! on the command line also triggers history expansion in an interactive bash):
$ mysql -ukeycloak -p
Enter password:
...
mysql> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keycloak |
+--------------------+
2 rows in set (0.00 sec)
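The account created above may log in from any host, shares the root password and connects without TLS. The following is an added example, not part of the original page: a POSIX shell helper that renders the equivalent provisioning SQL with one account per Keycloak node, TLS required on the connection, and the privilege list narrowed from ALL PRIVILEGES to what Keycloak's Liquibase migrations need on MySQL (an assumption to confirm against your own migration run). The password is read from the environment variable KC_DB_PASSWORD (an assumed name) so it never appears on a command line; the apply function pipes the SQL into the mysql client using a root defaults file, also an assumed path.

```shell
#!/bin/sh
# Added example: render and apply least-privilege provisioning SQL for the
# Keycloak database account. Not part of the original page.
# Assumptions: password in $KC_DB_PASSWORD; the hosts allowed to connect are
# passed as a space-separated list (here the two Keycloak nodes).

# Escape a value for use inside a single-quoted SQL string literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# render_keycloak_db_sql DBNAME USER "HOST1 HOST2 ..." -> SQL on stdout
render_keycloak_db_sql() {
    db=$1; user=$2; hosts=$3
    [ -n "$KC_DB_PASSWORD" ] || { echo "KC_DB_PASSWORD is not set" >&2; return 1; }
    pw=$(sql_quote "$KC_DB_PASSWORD")
    # Same character set as the page; utf8 is an alias for utf8mb3 in MySQL 8.
    printf 'CREATE DATABASE IF NOT EXISTS `%s` CHARACTER SET utf8 COLLATE utf8_unicode_ci;\n' "$db"
    for h in $hosts; do
        # One account per node, TLS required: a leaked password is useless from
        # any other address, and the JDBC session is encrypted on the wire.
        printf "CREATE USER IF NOT EXISTS '%s'@'%s' IDENTIFIED BY '%s' REQUIRE SSL;\n" "$user" "$h" "$pw"
        # DML plus the DDL Liquibase migrations need, on this schema only;
        # nothing is granted on *.* (assumed sufficient set, see lead-in).
        printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, REFERENCES, LOCK TABLES ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$user" "$h"
    done
    printf 'FLUSH PRIVILEGES;\n'
}

# apply_keycloak_db_sql DBNAME USER "HOSTS": pipe the SQL into mysql as root.
# Root credentials come from a defaults file, never from -p on the command line.
apply_keycloak_db_sql() {
    render_keycloak_db_sql "$1" "$2" "$3" | mysql --defaults-extra-file="${MYSQL_ROOT_CNF:-/root/.my.cnf}"
}

# Stand-alone usage: KC_DB_PASSWORD='...' sh provision.sh render
if [ "${1:-}" = "render" ]; then
    render_keycloak_db_sql keycloak keycloak "10.0.1.10 10.0.1.11"
fi
```

Run it with `render` first and review the SQL before piping it through the apply function; on the Keycloak side the JDBC URL must then carry a TLS sslMode, since REQUIRE SSL rejects clear-text logins.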
II. Install Keycloak 15.0.2 on kc00
1. Create a service user
Keycloak runs as the unprivileged user app, not as root:
$ useradd app
$ passwd app
------------------------------------------------------------------------------------------------------------
Changing password for user app.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
------------------------------------------------------------------------------------------------------------
$ su - app
2. Prepare the Keycloak runtime environment
Download JDK 8 (Temurin build):
$ curl -L -O https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz
------------------------------------------------------------------------------------------------------------
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 655 100 655 0 0 873 0 --:--:-- --:--:-- --:--:-- 872
100 98.1M 100 98.1M 0 0 21.3M 0 0:00:04 0:00:04 --:--:-- 27.3M
Install JDK 8 under the app user's home and put it on the PATH:
$ tar xvf OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz
$ vi ~/.bash_profile
------------------------------------------------------------------------------------------------------------
export PATH=$PATH:/home/app/jdk8u302-b08/bin
------------------------------------------------------------------------------------------------------------
$ source ~/.bash_profile
$ java -version
------------------------------------------------------------------------------------------------------------
openjdk version "1.8.0_302"
OpenJDK Runtime Environment (Temurin)(build 1.8.0_302-b08)
OpenJDK 64-Bit Server VM (Temurin)(build 1.8.0_302-b08, mixed mode)
3. Configure Keycloak to connect to MySQL
Download Keycloak 15.0.2:
$ curl -L -O https://github.com/keycloak/keycloak/releases/download/15.0.2/keycloak-15.0.2.tar.gz
------------------------------------------------------------------------------------------------------------
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 628 100 628 0 0 808 0 --:--:-- --:--:-- --:--:-- 807
100 242M 100 242M 0 0 17.4M 0 0:00:13 0:00:13 --:--:-- 18.4M
Unpack Keycloak 15.0.2:
$ tar xvf keycloak-15.0.2.tar.gz
Download the MySQL JDBC driver (Connector/J):
$ curl -L -O https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-8.0.26.tar.gz
------------------------------------------------------------------------------------------------------------
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
100 4082k 100 4082k 0 0 1141k 0 0:00:03 0:00:03 --:--:-- 1744k
Unpack the driver:
$ tar xvf mysql-connector-java-8.0.26.tar.gz
Register the driver as a JBoss module inside Keycloak. The module name org.mysql is what the driver definition in standalone-ha.xml refers to later:
$ mkdir -p keycloak-15.0.2/modules/system/layers/keycloak/org/mysql/main
$ cd keycloak-15.0.2/modules/system/layers/keycloak/org/mysql/main
$ cp /home/app/mysql-connector-java-8.0.26/mysql-connector-java-8.0.26.jar .
$ touch module.xml
$ vi module.xml
-------------------------------------------------------------------------
<?xml version="1.0" ?>
<module xmlns="urn:jboss:module:1.3" name="org.mysql">
<resources>
<resource-root path="mysql-connector-java-8.0.26.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
</module>
-------------------------------------------------------------------------
Edit standalone-ha.xml so that Keycloak uses MySQL instead of the bundled H2 database. Back the file up first:
$ cd /home/app/keycloak-15.0.2/standalone/configuration/
$ cp standalone-ha.xml standalone-ha.xml.bak
$ vi standalone-ha.xml
Add the mysql driver next to the existing h2 driver:
------------------------------------------------------------------------------------------------------------
<drivers>
<driver name="mysql" module="org.mysql">
<xa-datasource-class>com.mysql.cj.jdbc.MysqlXADataSource</xa-datasource-class>
</driver>
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
</drivers>
------------------------------------------------------------------------------------------------------------
Replace the KeycloakDS datasource, which by default points at the embedded H2 database. Note the &amp; in the connection URL: the file is XML, and a bare & makes WildFly fail to parse it at start-up.
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
<connection-url>jdbc:mysql://10.0.1.12:3306/keycloak?useSSL=false&amp;characterEncoding=UTF-8</connection-url>
<driver>mysql</driver>
<pool>
<max-pool-size>20</max-pool-size>
</pool>
<security>
<user-name>keycloak</user-name>
<password>Shichw2021!</password>
</security>
</datasource>
Two settings here are acceptable for a lab only. useSSL=false means the database password and every user record and password hash cross the network between the Keycloak nodes and db00 in clear text; enable TLS on MySQL and use sslMode=VERIFY_CA (Connector/J 8) instead. The password is also stored in clear text: at minimum keep standalone-ha.xml readable only by the app user (chmod 600), or reference an environment variable with <password>${env.KC_DB_PASSWORD}</password> and set it in the service's environment.
------------------------------------------------------------------------------------------------------------
Then point the connectionsJpa SPI at the datasource. With migrationStrategy=manual Keycloak never changes the schema itself: when it finds the database empty or outdated it writes the SQL it would have run to migrationExport, refuses to start, and leaves applying the file to you (step 8). initializeEmpty=false matches that choice.
<spi name="connectionsJpa">
<provider name="default" enabled="true">
<properties>
<property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
<property name="initializeEmpty" value="false"/>
<property name="migrationStrategy" value="manual"/>
<property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
</properties>
</provider>
</spi>
4. Set the bind addresses
$ vi standalone-ha.xml
Three interfaces matter. public carries the HTTP/HTTPS listeners and must be this node's address. private is where JGroups binds, the transport of the Infinispan caches that replicate sessions and login state between nodes: if it stays at the default 127.0.0.1 the two nodes never see each other, and the result is two independent servers that merely share a database, not an HA cluster. management (port 9990) stays on loopback so the WildFly CLI and console are not reachable from the network.
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="private">
<inet-address value="${jboss.bind.address.private:10.0.1.10}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:10.0.1.10}"/>
</interface>
</interfaces>
The default JGroups stack discovers peers over UDP multicast (the jgroups-mping socket binding, 230.0.0.4:45700). If multicast is not routed between kc00 and kc01, switch the channel in the jgroups subsystem to the tcp stack and replace its MPING discovery with TCPPING listing both nodes. Cluster traffic carries sessions and is not authenticated by default, so restrict the jgroups-* ports from the socket-binding-group (7600/tcp, 55200/udp and the multicast port) to the peer node with a host firewall.
5. Configure TLS for HTTPS access
$ cd /home/app/keycloak-15.0.2/standalone/configuration/
Generate a self-signed key pair. Use the host name as the alias and as the CN, and put the DNS name and IP address in a SAN extension: browsers and OIDC clients match the SAN, so a certificate issued to localhost is never valid for https://10.0.1.10. A validity of 10950 days (30 years) is far more than modern browsers tolerate for a server certificate; it passes in a lab, but anything beyond that should use a certificate from your organisation's CA, valid for the name clients actually use (usually the load balancer in front of both nodes).
$ keytool -genkeypair -alias kc00.iam.infra.lab.ecnl -keyalg RSA -keysize 2048 -keystore keycloak.jks -validity 10950 -ext SAN=dns:kc00.iam.infra.lab.ecnl,ip:10.0.1.10
------------------------------------------------------------------------------------------------------------
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: kc00.iam.infra.lab.ecnl
What is the name of your organizational unit?
[Unknown]: keycloak
What is the name of your organization?
[Unknown]: Red Hat
What is the name of your City or Locality?
[Unknown]: Westford
What is the name of your State or Province?
[Unknown]: MA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=kc00.iam.infra.lab.ecnl, OU=keycloak, O=Red Hat, L=Westford, ST=MA, C=US correct?
[no]: yes
Enter key password for <kc00.iam.infra.lab.ecnl>
(RETURN if same as keystore password):
------------------------------------------------------------------------------------------------------------
Press RETURN at the key-password prompt so the key password equals the keystore password; the keystore element below carries only keystore-password.
$ vi standalone-ha.xml
Add a security realm that references the keystore. keystore-password must be the keystore password typed above ("secret" in this walkthrough). Like the database password it is stored in clear text, so the same advice applies: restrict the file's permissions or use an expression such as ${env.KC_KEYSTORE_PASSWORD}.
------------------------------------------------------------------------------------------------------------
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />
</ssl>
</server-identities>
</security-realm>
------------------------------------------------------------------------------------------------------------
Then point the https listener in the undertow subsystem at that realm:
<subsystem xmlns="urn:jboss:domain:undertow:12.0">
<buffer-cache name="default"/>
<server name="default-server">
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
...
</subsystem>
------------------------------------------------------------------------------------------------------------
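Steps 3 to 5 leave several weak or outright broken settings in standalone-ha.xml, and some of them (the bare &, the loopback private interface) only reveal themselves at start-up or not at all. The following added example, which is neither part of the original page nor Keycloak tooling, is a POSIX shell audit that checks a standalone-ha.xml for them: a bare & in the JDBC URL (XML parse error), useSSL=false, a clear-text datasource or keystore password, the private interface on 127.0.0.1, and a management interface bound to 0.0.0.0. The two files it can write are constructed samples, one mirroring the fragments above and one hardened variant; the ${env.…} variable names in the hardened sample are assumptions.

```shell
#!/bin/sh
# Added example: audit a Keycloak/WildFly standalone-ha.xml for the weak
# settings discussed in steps 3-5 of this page. Not part of the original page.

# audit_standalone_ha FILE: print one finding per line; prints nothing if clean.
audit_standalone_ha() {
    f=$1
    # JDBC without TLS: the DB password and all user data cross the network in clear.
    grep -q 'useSSL=false' "$f" && echo "datasource: useSSL=false, JDBC traffic to the database host is unencrypted"
    # A bare & inside XML text is a parse error; only &amp; / &#38; are legal.
    url=$(grep -o '<connection-url>[^<]*' "$f" | sed 's/&amp;//g; s/&#[0-9]*;//g')
    case "$url" in *'&'*) echo "datasource: unescaped & in connection-url, WildFly will fail to parse the file" ;; esac
    # Secrets written literally instead of as ${...} expressions.
    if grep -o '<password>[^<]*' "$f" | grep -qv '\${'; then
        echo "datasource: database password stored in clear text"
    fi
    if grep -o 'keystore-password="[^"]*"' "$f" | grep -qv '\${'; then
        echo "security-realm: keystore password stored in clear text"
    fi
    # JGroups binds to the private interface; loopback means no cluster.
    grep -q 'jboss.bind.address.private:127.0.0.1' "$f" && echo "interfaces: private interface on 127.0.0.1, nodes will never form a cluster"
    # The management interface must not be reachable from the network.
    grep -q 'jboss.bind.address.management:0.0.0.0' "$f" && echo "interfaces: management interface exposed on all addresses"
    return 0
}

# count_findings FILE: number of findings, as a plain integer.
count_findings() {
    audit_standalone_ha "$1" | wc -l | tr -d ' '
}

# Constructed sample mirroring the fragments on this page (not a real file).
write_page_sample() {
    cat > "$1" <<'EOF'
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
    <connection-url>jdbc:mysql://10.0.1.12:3306/keycloak?useSSL=false&characterEncoding=UTF-8</connection-url>
    <driver>mysql</driver>
    <security>
        <user-name>keycloak</user-name>
        <password>Shichw2021!</password>
    </security>
</datasource>
<interfaces>
    <interface name="management"><inet-address value="${jboss.bind.address.management:127.0.0.1}"/></interface>
    <interface name="private"><inet-address value="${jboss.bind.address.private:127.0.0.1}"/></interface>
    <interface name="public"><inet-address value="${jboss.bind.address:10.0.1.10}"/></interface>
</interfaces>
<security-realm name="UndertowRealm">
    <server-identities><ssl><keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret"/></ssl></server-identities>
</security-realm>
EOF
}

# Constructed hardened variant: TLS to MySQL with CA verification, secrets
# taken from the environment (variable names are assumptions), private
# interface on the node address.
write_hardened_sample() {
    cat > "$1" <<'EOF'
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
    <connection-url>jdbc:mysql://10.0.1.12:3306/keycloak?sslMode=VERIFY_CA&amp;characterEncoding=UTF-8</connection-url>
    <driver>mysql</driver>
    <security>
        <user-name>keycloak</user-name>
        <password>${env.KC_DB_PASSWORD}</password>
    </security>
</datasource>
<interfaces>
    <interface name="management"><inet-address value="${jboss.bind.address.management:127.0.0.1}"/></interface>
    <interface name="private"><inet-address value="${jboss.bind.address.private:10.0.1.10}"/></interface>
    <interface name="public"><inet-address value="${jboss.bind.address:10.0.1.10}"/></interface>
</interfaces>
<security-realm name="UndertowRealm">
    <server-identities><ssl><keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="${env.KC_KEYSTORE_PASSWORD}"/></ssl></server-identities>
</security-realm>
EOF
}

# Stand-alone usage: sh audit.sh /home/app/keycloak-15.0.2/standalone/configuration/standalone-ha.xml
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    audit_standalone_ha "$1"
fi
```

The checks are deliberately plain grep so they can run on a node with nothing but a POSIX shell; run the audit on both kc00 and kc01 before the first start, since the private-interface finding is the one that silently turns the "HA" pair into two unrelated servers.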
6. Add the admin user
$ cd /home/app/keycloak-15.0.2/bin/
$ ./add-user-keycloak.sh -u admin
Password:
------------------------------------------------------------------------------------------------------------
Added 'admin' to '/home/app/keycloak-15.0.2/standalone/configuration/keycloak-add-user.json', restart server to load user
This creates the initial administrator of the master realm, the account that administers every realm. Omit -p and type the password at the prompt so it is neither in the shell history nor visible in ps, and choose a real password rather than something like 123456. The user is imported on the next successful start, after which the JSON file is deleted.
7. Start Keycloak
$ ./standalone.sh --server-config=standalone-ha.xml
Because migrationStrategy is manual, this first start does not complete: Keycloak writes the schema SQL to /home/app/keycloak-15.0.2/keycloak-database-update.sql and stops with an error telling you to apply it. Copy the file to the database host:
$ scp /home/app/keycloak-15.0.2/keycloak-database-update.sql root@10.0.1.12:/root/
8. Execute the SQL file on db00
Review the file before applying it; it creates the whole Keycloak schema, including Liquibase's DATABASECHANGELOG bookkeeping tables that later upgrades rely on.
$ mysql -ukeycloak -p
mysql> use keycloak;
mysql> source /root/keycloak-database-update.sql;
...
mysql> commit;
mysql> show tables;
------------------------------------------------------------------------------------------------------------
+-------------------------------+
| Tables_in_keycloak |
+-------------------------------+
| ADMIN_EVENT_ENTITY |
| ASSOCIATED_POLICY |
| AUTHENTICATION_EXECUTION |
| AUTHENTICATION_FLOW |
| AUTHENTICATOR_CONFIG |
| AUTHENTICATOR_CONFIG_ENTRY |
| BROKER_LINK |
| CLIENT |
| CLIENT_ATTRIBUTES |
| CLIENT_AUTH_FLOW_BINDINGS |
| CLIENT_INITIAL_ACCESS |
| CLIENT_NODE_REGISTRATIONS |
| CLIENT_SCOPE |
| CLIENT_SCOPE_ATTRIBUTES |
| CLIENT_SCOPE_CLIENT |
| CLIENT_SCOPE_ROLE_MAPPING |
| CLIENT_SESSION |
| CLIENT_SESSION_AUTH_STATUS |
| CLIENT_SESSION_NOTE |
| CLIENT_SESSION_PROT_MAPPER |
| CLIENT_SESSION_ROLE |
| CLIENT_USER_SESSION_NOTE |
| COMPONENT |
| COMPONENT_CONFIG |
| COMPOSITE_ROLE |
| CREDENTIAL |
| DATABASECHANGELOG |
| DATABASECHANGELOGLOCK |
| DEFAULT_CLIENT_SCOPE |
| EVENT_ENTITY |
| FEDERATED_IDENTITY |
| FEDERATED_USER |
| FED_USER_ATTRIBUTE |
| FED_USER_CONSENT |
| FED_USER_CONSENT_CL_SCOPE |
| FED_USER_CREDENTIAL |
| FED_USER_GROUP_MEMBERSHIP |
| FED_USER_REQUIRED_ACTION |
| FED_USER_ROLE_MAPPING |
| GROUP_ATTRIBUTE |
| GROUP_ROLE_MAPPING |
| IDENTITY_PROVIDER |
| IDENTITY_PROVIDER_CONFIG |
| IDENTITY_PROVIDER_MAPPER |
| IDP_MAPPER_CONFIG |
| KEYCLOAK_GROUP |
| KEYCLOAK_ROLE |
| MIGRATION_MODEL |
| OFFLINE_CLIENT_SESSION |
| OFFLINE_USER_SESSION |
| POLICY_CONFIG |
| PROTOCOL_MAPPER |
| PROTOCOL_MAPPER_CONFIG |
| REALM |
| REALM_ATTRIBUTE |
| REALM_DEFAULT_GROUPS |
| REALM_ENABLED_EVENT_TYPES |
| REALM_EVENTS_LISTENERS |
| REALM_LOCALIZATIONS |
| REALM_REQUIRED_CREDENTIAL |
| REALM_SMTP_CONFIG |
| REALM_SUPPORTED_LOCALES |
| REDIRECT_URIS |
| REQUIRED_ACTION_CONFIG |
| REQUIRED_ACTION_PROVIDER |
| RESOURCE_ATTRIBUTE |
| RESOURCE_POLICY |
| RESOURCE_SCOPE |
| RESOURCE_SERVER |
| RESOURCE_SERVER_PERM_TICKET |
| RESOURCE_SERVER_POLICY |
| RESOURCE_SERVER_RESOURCE |
| RESOURCE_SERVER_SCOPE |
| RESOURCE_URIS |
| ROLE_ATTRIBUTE |
| SCOPE_MAPPING |
| SCOPE_POLICY |
| USERNAME_LOGIN_FAILURE |
| USER_ATTRIBUTE |
| USER_CONSENT |
| USER_CONSENT_CLIENT_SCOPE |
| USER_ENTITY |
| USER_FEDERATION_CONFIG |
| USER_FEDERATION_MAPPER |
| USER_FEDERATION_MAPPER_CONFIG |
| USER_FEDERATION_PROVIDER |
| USER_GROUP_MEMBERSHIP |
| USER_REQUIRED_ACTION |
| USER_ROLE_MAPPING |
| USER_SESSION |
| USER_SESSION_NOTE |
| WEB_ORIGINS |
+-------------------------------+
92 rows in set (0.00 sec)
9. Start Keycloak again
$ ./standalone.sh --server-config=standalone-ha.xml
--------------------------------------------------------------------------------------------------
18:07:55,645 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
This time the schema is present, the admin user from keycloak-add-user.json is imported, and the server comes up. The WildFly admin console on 9990 is reachable only from the node itself; Keycloak is served at:
https://10.0.1.10:8443/auth/
http://10.0.1.10:8080/auth/
The plain-HTTP listener on 8080 remains open. Realms default to "Require SSL: external requests", so logins over HTTP from non-loopback addresses are refused, but nothing should be pointed at 8080 anyway; clients and the load balancer should use 8443 only.
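Once kc01 is up as well (section III), the only evidence that this is a cluster rather than two servers sharing a database is Infinispan's cluster-view log line. The following is an added example, not Keycloak's own tooling: a POSIX shell check that extracts the newest view from a server log and reports how many members it lists. The two log excerpts it writes are constructed in the shape of the ISPN000094 message (one for a node that only sees itself, one after kc01 has joined), not captured output.

```shell
#!/bin/sh
# Added example: verify from the Keycloak server log that this node has formed
# a cluster with its peer. Not part of the original page.

# latest_cluster_view < LOG : print the newest ISPN000094 line, or nothing.
latest_cluster_view() {
    grep 'ISPN000094' | tail -n 1
}

# cluster_view_size LOGFILE : member count of the newest view (0 if none).
# The view is printed as "[kc00|1] (2) [kc00, kc01]"; the number in
# parentheses is the member count.
cluster_view_size() {
    n=$(latest_cluster_view < "$1" | sed -n 's/.*] (\([0-9][0-9]*\)) \[.*/\1/p')
    echo "${n:-0}"
}

# cluster_view_members LOGFILE : comma-separated member list of the newest view.
cluster_view_members() {
    latest_cluster_view < "$1" | sed -n 's/.*] ([0-9]*) \[\(.*\)]$/\1/p'
}

# check_cluster LOGFILE EXPECTED : return 0 when the view has at least EXPECTED
# members, 1 otherwise, with a hint about the usual cause.
check_cluster() {
    size=$(cluster_view_size "$1")
    if [ "$size" -ge "$2" ]; then
        echo "cluster OK: $size members [$(cluster_view_members "$1")]"
        return 0
    fi
    echo "cluster NOT formed: view has $size member(s); check that the private" \
         "interface is bound to the node address and that JGroups traffic" \
         "(multicast or tcp) reaches the peer" >&2
    return 1
}

# Constructed sample logs in the shape of the Infinispan message; not real output.
write_sample_log_alone() {
    cat > "$1" <<'EOF'
18:07:40,120 INFO  [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [kc00|0] (1) [kc00]
18:07:55,645 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
EOF
}
write_sample_log_joined() {
    cat > "$1" <<'EOF'
18:07:40,120 INFO  [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [kc00|0] (1) [kc00]
18:07:55,645 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
18:09:12,301 INFO  [org.infinispan.CLUSTER] (thread-5,ejb,kc00) ISPN000094: Received new cluster view for channel ejb: [kc00|1] (2) [kc00, kc01]
EOF
}

# Stand-alone usage on a node (log path assumed to be the default):
#   sh check-cluster.sh /home/app/keycloak-15.0.2/standalone/log/server.log 2
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    check_cluster "$1" "${2:-2}"
fi
```

Only the newest view counts: a node that once saw its peer and later dropped back to a single-member view has lost the cluster, which the check reports as a failure.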
III. Install Keycloak 15.0.2 on kc01
1. to 3. Create the app user, install JDK 8, unpack Keycloak 15.0.2, register the MySQL driver module and configure the KeycloakDS datasource and the connectionsJpa SPI exactly as in II.1 to II.3 on kc00. Both nodes connect to the same database on 10.0.1.12 with the same credentials, so those files are identical on both nodes. Do not regenerate or re-apply the schema SQL from this node; the schema was created once in II.8 and is shared.
4. Set the bind addresses
$ vi standalone-ha.xml
As on kc00, bind both the public and the private interface to this node's address (10.0.1.11); JGroups binds to private, and two nodes left at 127.0.0.1 never form a cluster.
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="private">
<inet-address value="${jboss.bind.address.private:10.0.1.11}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:10.0.1.11}"/>
</interface>
</interfaces>
5. Configure TLS for HTTPS access
$ cd /home/app/keycloak-15.0.2/standalone/configuration/
$ keytool -genkeypair -alias kc01.iam.infra.lab.ecnl -keyalg RSA -keysize 2048 -keystore keycloak.jks -validity 10950 -ext SAN=dns:kc01.iam.infra.lab.ecnl,ip:10.0.1.11
------------------------------------------------------------------------------------------------------------
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: kc01.iam.infra.lab.ecnl
What is the name of your organizational unit?
[Unknown]: keycloak
What is the name of your organization?
[Unknown]: Red Hat
What is the name of your City or Locality?
[Unknown]: Westford
What is the name of your State or Province?
[Unknown]: MA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=kc01.iam.infra.lab.ecnl, OU=keycloak, O=Red Hat, L=Westford, ST=MA, C=US correct?
[no]: yes
Enter key password for <kc01.iam.infra.lab.ecnl>
(RETURN if same as keystore password):
------------------------------------------------------------------------------------------------------------
Press RETURN at the key-password prompt, and use the keystore password that keystore-password below carries ("secret" here, as on kc00).
$ vi standalone-ha.xml
------------------------------------------------------------------------------------------------------------
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />
</ssl>
</server-identities>
</security-realm>
------------------------------------------------------------------------------------------------------------
<subsystem xmlns="urn:jboss:domain:undertow:12.0">
<buffer-cache name="default"/>
<server name="default-server">
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
...
</subsystem>
------------------------------------------------------------------------------------------------------------
6. Start Keycloak
$ cd /home/app/keycloak-15.0.2/bin/
$ ./standalone.sh --server-config=standalone-ha.xml
18:07:55,645 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
https://10.0.1.11:8443/auth/
http://10.0.1.11:8080/auth/
The admin user already exists in the shared database, so add-user-keycloak.sh is not run again on this node. Once both nodes are up, each node's standalone/log/server.log should show an Infinispan cluster view listing both kc00 and kc01; a view that contains only the local node means the private interface is still on loopback or JGroups traffic is not reaching the peer, and sessions are not being replicated.