下载
从https://www.keycloak.org/downloads 获取最新版本
解压到任意工作目录,进入到bin目录下,执行standalone.sh脚本即可启动keycloak。
配置mysql数据源
Keycloak默认使用h2作为数据源,想要数据持久化存储必须先配置mysql作为数据存储方式。
1,创建目录
创建keycloak-13.0.0\modules\system\layers\keycloak\com\mysql\main放入驱动,同时在该目录创建module.xml,内容如下:
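<?xml version="1.0" encoding="UTF-8"?>
<!-- JBoss Modules descriptor for the MySQL JDBC driver, placed at
     modules/system/layers/keycloak/com/mysql/main/module.xml next to the driver jar.
     The encoding is declared explicitly so the file is read the same way on every host. -->
<module xmlns="urn:jboss:module:1.3" name="com.mysql">
  <resources>
    <!-- Must match the exact file name of the jar copied into this directory.
         Verify the jar against the checksum published by its vendor before dropping it in;
         whatever is referenced here is loaded into the server process. -->
    <resource-root path="mysql-connector-java-8.0.13.jar"/>
  </resources>
  <dependencies>
    <module name="javax.api"/>
    <module name="javax.transaction.api"/>
    <module name="javax.servlet.api" optional="true"/>
  </dependencies>
</module>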
2,修改 standalone-ha.xml
#添加驱动,h2后面添加mysql驱动
<drivers>
  <!-- H2 driver as shipped with the distribution; left in place unchanged. -->
  <driver name="h2" module="com.h2database.h2">
    <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
  </driver>
  <!-- MySQL driver. The module attribute must equal the name attribute of the
       com/mysql/main/module.xml descriptor created in step 1. -->
  <driver name="mysql" module="com.mysql">
    <xa-datasource-class>com.mysql.cj.jdbc.MysqlXADataSource</xa-datasource-class>
  </driver>
</drivers>
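#创建数据库keycloak,修改数据源配置,用户名密码要正确
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
  <!-- A literal '&' in XML text must be written as '&amp;'; the unescaped form is not
       well-formed and the server refuses to parse the configuration file.
       useSSL=false leaves the JDBC connection unencrypted: acceptable when MySQL is on the same
       host as configured here (localhost), otherwise enable TLS on the driver side. -->
  <connection-url>jdbc:mysql://localhost:3306/keycloak?useSSL=false&amp;serverTimezone=GMT%2B8&amp;characterEncoding=UTF-8</connection-url>
  <driver>mysql</driver>
  <security>
    <!-- Use a dedicated account restricted to the keycloak schema rather than root.
         The password is stored in clear text in this file, so limit who can read it
         (WildFly can also reference a credential store instead of an inline password). -->
    <user-name>root</user-name>
    <password>root</password>
  </security>
</datasource>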
#注释掉h2数据源配置
<!-- The original H2 datasource is disabled. It used the same jndi-name and pool-name
     (KeycloakDS) as the MySQL datasource, and two active datasources bound to one JNDI
     name would conflict at deployment. Kept here for reference only. -->
<!--
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
  <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
  <driver>h2</driver>
  <security>
    <user-name>sa</user-name>
    <password>sa</password>
  </security>
</datasource>
-->
配置集群方式
Keycloak支持多种方式发现节点,其中jdbc_ping的方式使用最广,我们则采用此种方式进行集群。
1,修改standalone-ha.xml
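<subsystem xmlns="urn:jboss:domain:jgroups:8.0">
  <channels default="ee">
    <channel name="ee" stack="tcp" cluster="ejb"/>
  </channels>
  <stacks>
    <stack name="tcp">
      <transport type="TCP" socket-binding="jgroups-tcp"/>
      <!-- JDBC_PING discovers cluster members through the shared KeycloakDS database
           (table JGROUPSPING) instead of multicast, so every node that can write to that
           database can join the cluster. -->
      <protocol type="JDBC_PING">
        <property name="datasource_jndi_name">java:jboss/datasources/KeycloakDS</property>
        <!-- MySQL-specific DDL. The stray '")' that used to end this statement was a typo
             that made the SQL invalid. -->
        <property name="initialize_sql">CREATE TABLE IF NOT EXISTS JGROUPSPING (own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, ping_data varbinary(5000) DEFAULT NULL, PRIMARY KEY (own_addr, cluster_name)) ENGINE=InnoDB DEFAULT CHARSET=utf8</property>
      </protocol>
      <protocol type="MERGE3"/>
      <socket-protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
      <protocol type="FD"/>
      <protocol type="VERIFY_SUSPECT"/>
      <protocol type="pbcast.NAKACK2"/>
      <protocol type="UNICAST3"/>
      <protocol type="pbcast.STABLE"/>
      <protocol type="pbcast.GMS">
        <property name="max_join_attempts">5</property>
      </protocol>
      <protocol type="MFC"/>
      <protocol type="FRAG3"/>
      <!-- No encryption or authentication protocol is part of this stack, so node-to-node
           traffic on jgroups-tcp must stay on a network segment only the cluster nodes reach. -->
    </stack>
  </stacks>
</subsystem>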
如果启动报找不到table类错误,则可以手动执行xml中的initialize_sql。
- 修改集群内节点数据信息
其中sessions authenticationSessions offlineSessions 等为集群节点实例数。
<cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
  <transport lock-timeout="60000"/>
  <!-- local-cache: entries live on the node that created them only. -->
  <local-cache name="realms">
    <heap-memory size="10000"/>
  </local-cache>
  <local-cache name="users">
    <heap-memory size="10000"/>
  </local-cache>
  <!-- distributed-cache: entries are spread over the cluster; owners="2" presumably means each
       entry is held by two nodes so one node can fail without losing sessions. Confirm against
       the Infinispan documentation for the shipped version before raising it. -->
  <distributed-cache name="sessions" owners="2"/>
  <distributed-cache name="authenticationSessions" owners="2"/>
  <distributed-cache name="offlineSessions" owners="2"/>
  <distributed-cache name="clientSessions" owners="2"/>
  <distributed-cache name="offlineClientSessions" owners="2"/>
  <distributed-cache name="loginFailures" owners="2"/>
  <local-cache name="authorization">
    <heap-memory size="10000"/>
  </local-cache>
  <!-- replicated-cache: every node holds a full copy. -->
  <replicated-cache name="work"/>
  <local-cache name="keys">
    <heap-memory size="1000"/>
    <expiration max-idle="3600000"/>
  </local-cache>
  <distributed-cache name="actionTokens" owners="2">
    <heap-memory size="-1"/>
    <expiration max-idle="-1" interval="300000"/>
  </distributed-cache>
</cache-container>
- 修改keycloak服务转发配置
修改standalone\configuration\standalone.xml配置文件中urn:jboss:domain:undertow:中的X-Forwarded-For HTTP Config。将属性proxy-address-forwarding添加到http-listener元素。将值设置为true。
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
  <buffer-cache name="default"/>
  <server name="default-server">
    <!-- The nginx configuration in this guide proxies plain HTTP to port 8080, so the AJP
         listener appears unused; a listener nothing talks to is best removed. -->
    <ajp-listener name="ajp" socket-binding="ajp"/>
    <!-- proxy-address-forwarding="true" makes the server take client address and scheme from
         the X-Forwarded-* headers that nginx sets. Any client that can reach these listeners
         directly can supply its own headers, so they must be reachable only from the proxy
         (private interface or firewall). -->
    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" proxy-address-forwarding="true"/>
    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" proxy-address-forwarding="true"/>
    <host name="default-host" alias="localhost">
      <location name="/" handler="welcome-content"/>
      <http-invoker security-realm="ApplicationRealm"/>
    </host>
  </server>
  <servlet-container name="default">
    <jsp-config/>
    <websockets/>
  </servlet-container>
  <handlers>
    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
  </handlers>
</subsystem>
- 修改nginx代理配置
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    # The two Keycloak nodes; requests are balanced across them.
    upstream keycloak_servers {
        server server1:8080;
        server server2:8080;
    }

    server {
        # Plain HTTP front end. Keycloak takes its scheme from X-Forwarded-Proto, which on
        # this listener is always "http"; terminate TLS here (listen 443 ssl) for anything
        # beyond a lab, otherwise credentials and tokens cross the network in clear.
        listen 80;

        location / {
            proxy_pass http://keycloak_servers/;
            # Headers consumed by the proxy-address-forwarding setting on the Keycloak listeners.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
修改IP地址
将jboss绑定地址修改成自己当前物理机或虚拟机的实际ip地址
<interfaces>
  <!-- Each value is a default that the matching jboss.bind.address* system property
       overrides at startup; replace 10.4.7.55 with this node's own address. -->
  <interface name="management">
    <!-- Binds the WildFly management port to a routable address. Keep it on loopback or
         restrict it at the firewall unless remote management is actually needed. -->
    <inet-address value="${jboss.bind.address.management:10.4.7.55}"/>
  </interface>
  <interface name="private">
    <inet-address value="${jboss.bind.address.private:10.4.7.55}"/>
  </interface>
  <interface name="public">
    <inet-address value="${jboss.bind.address:10.4.7.55}"/>
  </interface>
</interfaces>
启动
# Start this node (node2) with the HA profile.
# -Djboss.bind.address=0.0.0.0 overrides the "public" interface default from <interfaces>, so the
# HTTP/HTTPS and jgroups-tcp listeners accept on every address; the firewall must then limit who can
# reach them. The management interface uses a separate property and keeps its configured address.
# JGROUPS_DISCOVERY_EXTERNAL_IP looks like the address advertised to the other members; confirm
# against the jgroups configuration that reads it.
bin/standalone.sh \
    --server-config=standalone-ha.xml \
    -Djboss.bind.address=0.0.0.0 \
    -DJGROUPS_DISCOVERY_EXTERNAL_IP=10.4.7.58 \
    -DJGROUPS_DISCOVERY_PROTOCOL=JDBC_PING \
    -Djboss.node.name=node2
添加初始化用户
#如果有多台keycloak,则只需要在其中一台初始化admin用户,然后重启这台节点;密码可以设置得复杂一些。
# Create the initial admin user in the master realm. Run it on one node only, as the note above
# says. Passing the password with -p leaves it in shell history and the process list, so choose a
# strong value and change "admin" immediately after first login.
./add-user-keycloak.sh \
    -r master \
    -u admin \
    -p admin