Keycloak on Distributed SQL (CockroachDB) - Part 1/2
With data breaches and cyber attacks becoming increasingly common, modern organisations require a robust security system in place that is also highly available. Keycloak is a popular open-source IAM solution that not only provides robust security features but also high availability between nodes by using a shared cache. It's built to be scalable and fault-tolerant, ensuring that your organisation's authentication and authorization services are always available when you need them. Keycloak can handle large user volumes and can be deployed in a distributed environment, making it suitable for businesses of all sizes.
The data within Keycloak is persisted in a database, however, and if that database does not provide the same level of resilience and availability as Keycloak then this compromises the solution. Traditional database backends such as postgres and MS SQL cannot provide the multi-region, multi-active capabilities and provide a single point of failure.
CockroachDB is a distributed SQL database designed for resilience and scalability. It's built to handle massive amounts of data and provide ACID transactions and distributed SQL for global scale. With CockroachDB, you can ensure that your data is always available, even in the face of network outages or hardware failures. Additionally because cockroach is postgres wire-compatible it is possible to configure Keycloak to connect to a CockroachDB. Below we will provide an example of how to implement Keycloak on a distributed CockroachDB on AWS EC2 instances.
This is the first half of a two-part post. In this post we will cover how to configure Keycloak to store data in Cockroach. In the subsequent post we will configure Keycloak to discover and share caches with other nodes by registering themselves on CockroachDB.
Target Architecture
For this implementation, the target architecture will be as shown below:
In this post we will only be looking at the first region (us-west-1).
The CockroachDB has been set up in advance on c5d.xlarge EC2 nodes with VPC peering used to allow connectivity between cockroach nodes in the disparate regions.
The keycloak nodes will also be c5d.xlarge nodes, with the following prerequisites:
- Openssl installed (sudo apt install openssl)
- Java installed (sudo apt install default-jdk)
- Ports 8080, 8443 and 7800 open between keycloak nodes
- Port 26257 open between keycloak nodes and the internal load balancers
- UDP buffers resized:
Edit /etc/sysctl.com
# Allow a 25MB UDP receive buffer for JGroups
net.core.rmem_max = 26214400
# Allow a 1MB UDP send buffer for JGroups
net.core.wmem_max = 1048576Run the following:
sudo sysctl -p
Additionally, one Keycloak node will also require:
- Postgres database installed (sudo apt install postgresql)
- Links2 browser (or similar) installed (sudo apt install links2)
Basic Keycloak installation (Node1)
The first stage is to download Keycloak to the first node (in us-west-1 in this example):
wget https://github.com/keycloak/keycloak/releases/download/20.0.3/keycloak-20.0.3.tar.gz
gunzip ./keycloak-20.0.3.tar.gz
tar xvf ./keycloak-20.0.3.tarOnce Keycloak is downloaded, we will launch this is “dev” mode to check all is running as expected:
cd keycloak
nohup bin/kc.sh start-dev > keycloak.log 2> keycloak.err &![ubuntu@keycloak01: —Ikeycloak-20.O.3
tail —f keycloak. log
2023-02-17 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to
aches as no global state enabled
2023-02-17 WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss
d planned for removal
2023-02-17 17:43:50, 647 INFO [org.-infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Startin
span. j boss. marshalli ng. core. JBossUserMarsha11er
2023-02-17 17:43:51, 002 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000128: Infinis
kai dekaphobia' 13.0.10. Final
2023—02—17 17 INFO [org.keycloak.connections.infinispan.Defau1tInfinispanConnectionProv
. node _ 121259, Site name: null
2023—02—17 17 INFO [org. keycloak.broker. der. AbstractldentityProviderMapper] (main)
ak. broker. provi der. mappersync. Confi gSyncEventLi stener
2023—02—17 17:43:52, 058 INFO [io.quarkus] (main) Keycloak 20.0.3 on JVM (powered by Quarkus 2.13.
istening on: http://O.O.O.O:8@80
2023—02—17 17:43:52, 058 INFO [io.quarkus] (main) Profile dev activated.
2023—02—17 17 INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate—orm,
mssql, jdbc—mysql, jdbc—oracle, jdbc—postgresql, keycloak, logging—gelf, narayana—jta, reactive—ro
son, smallrye—health, smallrye—metrics, vault, vertx]
2023—02—17 17 062 WARN [org. keycloak. quarkus. runtime. Keyc10akMain] (main) Running the serve
use this confi guration in production.](https://lh3.googleusercontent.com/TJaF2gNnf1kSfErTITauLwYbp0_1wHShbxgxAH2DOARttdNJlbPTWAV6VuwePXtU-P7um2diUIbbfn19XkQLkmUPv5qyepJDG2Mz9cdHywkmYuaMsbFFANwDLlLjNGzdVmUbvYCwGBNm_k5WAFk0Sw)
Once Keycloak is running in development mode we can then configure admin password using a browser on the local host:
links2 http://localhost:8080![ubuntu@keycloak01: —Ikeycloak-20.O.3
Keycloak
Welcome to Keycloak
Admi nistration Console
Please create an initial admin user to get started.
Username admin
Password
Password confi rmation
Create
[IMG]Administration Console
Centrally manage all aspects of the Keycloak server
[ING] Documentati on
User Guide, Admin REST API and Javadocs
[ING] Keycloak Project](https://lh6.googleusercontent.com/K3NebowN2ZjftarWuMbeAJtcvtP1ye5pf2VvI-PeFBjl6ySaqB2SdW6LRjDagl0qwTfjvXVFDrIQzSHtbw_4kKzvuOeA78gni95ewK5HhK8V_GGnXprNd2trAbjq0jCYkReHCuPa4xXHRYwNdeLbXQ)
![ubuntu@keycloak01: —Ikeycloak-20.O.3
eycloak
Welcome to Keycloak
User created
[IMG]Administration Console
Centrally manage all aspects of the Keycloak server
[ING] Documentati on
User Guide, Admin REST API and Javadocs
[ING] Keycloak Project
[IMG]Mai1ing List
[ING] Report an issue](https://lh4.googleusercontent.com/LzngNY-GQUS4nDZvHKkmFEw_CPM2syB0uWaw2O21qVDxrxs2ySntUiimsVvjPBevH2BdGQdpeq6E2-YTnRWuVKavrHIsUUQix_Vo8tSF_PsSVeqOfizmLpInyh-jcg93zoVojntOZQsluicTgsa9Og)
The Keycloak Admin console can now be accessed:
This verifies the Keycloak server is functioning. We will now configure the server to be ready for production.
Configure Node1 for Production
The first stage will be to secure the interface with SSL, we will then configure Keycloak to use postgres as an interim step. Finally, we will configure Keycloak to connect to a CockroachDB. We require the interim step of using postgres to generate the schema as this cannot currently be generated directly in cockroach from Keycloak.
First off, we stop the running keycloak server.
To generate self-signed certificates, in the keycloak directory run the following commands:
mkdir ssl_certs
cd ssl_certs
openssl req -new > cert.csr
openssl rsa -in privkey.pem -out key.pem
openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 3650
cat key.pem>>cert.pem
We now change the Keycloak server to use https, edit conf/keycloak.conf to include the following values for:
# If the server should expose healthcheck endpoints.
health-enabled=true
# If the server should expose metrics endpoints.
metrics-enabled=true
# HTTP
# The file path to a server certificate or certificate chain in PEM format.
https-certificate-file=${kc.home.dir}/ssl_certs/cert.pem
# The file path to a private key in PEM format.
https-certificate-key-file=${kc.home.dir}/ssl_certs/key.pem
# Hostname for the Keycloak server.
hostname=keycloak01Once this has been done, we build and run the keycloak server again:
bin/kc.sh build
nohup bin/kc.sh start > keycloak.log 2>keycloak.err &![ubuntu@keycloak01: —Ikeycloak-20.O.3
tail —f keycloak. log
2023—02—17 18:34:59, 688 INFO [org. keycloak.quarkus. runtime. hostname. DefaultHostnameProvider] (mai
L: <unset>, Hostname: keycIoak01, Strict HTTPS: true, Path: <request>, Strict BackChanneI: false,
equest>, Port: —1, Proxied: false
2023—02—17 18:35:01, 030 WARN [io.quarkus.agroal. runtime. DataSources] (main) Datasource <default>
covery is not enabled. Please enable transaction recovery by setting quarkus.transaction—manager.e
e data may be lost if the application is terminated abruptly
2023-02-17 WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss
d planned for removal
2023-02-17 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to
aches as no global state enabled
2023-02-17 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Startin
span. j boss. marshalli ng. core. JBossUserMarsha11er
2023-02-17 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000128: Infinis
kai dekaphobia' 13.0.10. Final
2023-02-17 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting
2023-02-17 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to
n mechanisms provided in properties { } . Using default JGroups confi guration!
2023—02—17 , 604 INFO [org.jgroups.protocols.pbcast. GMS] keyc10ak01-
after 2005 ms: creating cluster as coordinator
2023-02-17 INFO [org.-infinispan.CLUSTER] (keycloak-cache--in-it) ISPN000094: Received
ISPN: [keyc10ak01-6251910] (1) [keyc10ak01-62519]
2023-02-17 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel
oak01-62519S
, physical addresses are
2023—02—17 18:35:05, 016 INFO [org. keycloak. connections. infinispan.Defau1tInfinispanConnectionProv
keyc10ak01—62519, Site name: null
2023—02—17 024 INFO [org. keycloak.broker. provider. AbstractldentityProviderMapper] (main)
ak. broker. provi der. mappersync. Confi gSyncEventLi stener
2023—02—17 18:35:05, 625 INFO [io.quarkus] (main) Keycloak 20.0.3 on JVM (powered by Quarkus 2.13.
istening on: https://O.O.O.O:8443
2023—02—17 18:35:05, 625 INFO [io.quarkus] (main) Profile prod activated.
2023—02—17 625 INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate—orm,
mssql, jdbc—mysql, jdbc—oracle, jdbc—postgresql, keycloak, logging—gelf, narayana—jta, reactive—ro](https://lh4.googleusercontent.com/-duwLp9QD0-D4u2W4Fzti3cEdoIZbL_EcEjjSEmS8DuhGHD7BVwG9V0kCLTTR9_ZsV1ZeXd-HeCOhbq8kzGqRS77FMAB-n8JZke_gZYeXt6XcUwFT7E2jFsWElItoG2N1et61lXhJN4SPxKoLvRB0w)
Ensure port 8443 is open between the browser and the Keycloak node, and connect to the admin interface.
Now we have an encrypted connection to keycloak, we can configure the database backend.
stop keycloak and then setup the postgres databases and user:
sudo su postgres
psql
postgres=# create database keycloak;
postgres=# create user keycloak with password 'keycloak';
postgres=# grant all on database keycloak to keycloak;
postgres=# create database jgroups;
postgres=# grant all on database jgroups to keycloak;
Confirm can log on from keycloak user to both dbs:
Now we change the database backend to postgres. Again edit the conf/keycloak.conf file and ensure the following values are set:
# The database vendor.
db=postgres
# The username of the database user.
db-username=keycloak
# The password of the database user.
db-password=keycloak
# The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.
db-url=jdbc:postgresql://localhost/keycloakAgain build the Keycloak configuration and start the server. Once this has been done check to confirm database created.
As per the Keycloak documentation (https://www.keycloak.org/getting-started/getting-started-zip) we will create a new realm and a new user to ensure the database is being populated.
Setting the new users password:
Once this has been done, we can test we can log in with the new user:
We then confirm that the data is being created in the database. This can be done via the psql command line tool:
psql –host=localhost -U keycloak -d keycloak
postgres=# select from realm;
postgres=# select * from user_entity;
Now to change the connection to use the Cockroach Distributed database, we first need to stop keycloak and then use pg_dump to extract the data from postgres:
pg_dump –host=localhost -U keycloak -d keycloak > keycloak.dmpOnce we have the output we can put this into cockroach. We first need to create the databases and the user. Using your preferred sql client (in this example I am using the cockroach sql command from the database node), connect to CockroachDB and issue the following commands:
create user keycloak with password 'keycloak';
create database keycloak;
create database jgroups;
grant all on database keycloak to keycloak;
grant all on database jgroups to keycloak;
We then verify that we can connect as the newly created user:
We now populate the Cockroach database from pg_dump output.
cockroach sql --host=ajs-db01:26257 --certs-dir=certs -d keycloak -u keycloak -f keycloak.dmpVerify data has been created by querying the “realm” and “user_entity_ tables.
We now need to put the Cockroach DB ca.crt file on the keycloak node as cockroach requires ssl secured communications.
We stop Keycloak server and configure keycloak to connect to the CockroachDB by editing conf/keycloak.conf to edit the database url and disable XA transactions as Cockroach does not support XA transactions. Include the following lines:
# The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.
# db-url=jdbc:postgresql://localhost/keycloak
db-url=jdbc:postgresql://ajs-db-demo-int-1b85bcdea0b73e74.elb.us-west-1.amazonaws.com:26257/keycloak?sslmode=require&sslrootcert=${kc.home.dir}/crdb_certs/ca.crt
# disable XA transactions
transaction-xa-enabled=falseWe can now start keycloak again and confirm login and data being created by creating a new user and checking the “user_entity” table in CockroachDB.
In part 2 we will cover how to add more nodes to the cluster and ensure that the keycloak nodes are able to register themselves on CockroachDB which, then allows Keycloak to share cache information.