- package: tis-keycloak-server
- name: Keycloak Server
- version: 26.3.3-9
- categories: Security, System and network
- maintainer: Kevin Guerineau,WAPT Team,Tranquil IT
- editor: JBoss Red Hat
- licence: Apache 2.0
- locale: all
- target_os: debian(>=11),ubuntu(>=18)
- impacted_process: java
- architecture: x64
- signature_date:
- size: 154.41 Mo
- homepage : https://www.keycloak.org/
package : tis-keycloak-server
version : 26.3.3-9
architecture : x64
section : base
priority : optional
name : Keycloak Server
categories : Security, System and network
maintainer : Kevin Guerineau,WAPT Team,Tranquil IT
description : Keycloak is an open-source software package that enables a single authentication method to be introduced through identity and access management.
depends :
conflicts :
maturity : PROD
locale : all
target_os : debian(>=11),ubuntu(>=18)
min_wapt_version : 2.2
sources :
installed_size :
impacted_process : java
description_fr : Keycloak est un logiciel à code source ouvert permettant d'instaurer une méthode d'authentification unique à travers la gestion par identité et par accès.
description_pl : Keycloak to pakiet oprogramowania typu open-source, który umożliwia wprowadzenie pojedynczej metody uwierzytelniania poprzez zarządzanie tożsamością i dostępem.
description_de : Keycloak ist eine quelloffene Software, mit der Sie eine Single-Sign-On-Methode durch Identitäts- und Zugriffsverwaltung einführen können.
description_es : Keycloak es un paquete de software de código abierto que permite introducir un único método de autenticación mediante la gestión de identidades y accesos.
description_pt : O Keycloak é um pacote de software de código aberto que permite a introdução de um único método de autenticação através da gestão da identidade e do acesso.
description_it : Keycloak è un pacchetto software open-source che consente di introdurre un unico metodo di autenticazione attraverso la gestione delle identità e degli accessi.
description_nl : Keycloak is een open-source softwarepakket waarmee één authenticatiemethode kan worden ingevoerd via identiteits- en toegangsbeheer.
description_ru : Keycloak - это пакет программного обеспечения с открытым исходным кодом, который позволяет внедрить единый метод аутентификации в рамках управления идентификацией и доступом.
audit_schedule :
editor : JBoss Red Hat
keywords :
licence : Apache 2.0
homepage : https://www.keycloak.org/
package_uuid : 96273643-7fe3-4bdd-b017-bde313ff3128
valid_from :
valid_until :
forced_install_on :
changelog :
min_os_version :
max_os_version :
icon_sha256sum : f844ec0989ea764ddcbb17e3e0ea7c15aa95e53d6e47d1c4950a1742a15707f5
signer : Tranquil IT
signer_fingerprint: 8c5127a75392be9cc9afd0dbae1222a673072c308c14d88ab246e23832e8c6bb
signature_date : 2025-08-25T11:06:00.000000
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
signature : exvXO0M+at12ZCV1sfC2ReHNZySaOkFVZztx2nzJkYrFl9rkjDA3lxQtEkv+HeztPyGztylvXOv3TOaayrYTViiWR2zhbK9bF0z1mkE4hjDfTxxcRXvHlwj1vkCzuGoQf76w17rnDmU5Up2EmrjP0m8QPR7sJn8DwvPo6k6LBw2Ja2/kdmBsyyuW/DdZeKvQHNxI5EcDm+u7jr9gJEmwhhCmLHUHMa3DyLtDVpiTBxrjiMekQWsGOG4o4sMU043pETK2nFYub+H6AeMZftDyLxP9CSyELr3ZFtArmv5X5CJocfR6f7JgQymfv3gQL3xoBma71YeD9leuiiERA2VJaQ==# -*- coding: utf-8 -*-
from setuphelpers import *
import string
import random
import jinja2
from waptcrypto import SSLCertificate, SSLPrivateKey
kc_url = 'https://keycloak.mydomain.lan' # Values : URL String
kc_health = 'true' # Values (str) : true / false
kc_metrics = 'false' # Values (str) : true / false
use_apache2 = True # Values : True / False
generate_ssl_cert = True # Values : True / False. Use False if you use commercial, Let's Encrypt or your PKI certificate.
# In this case, please configure "ssl_certificate_path" and "ssl_key_path".
ssl_certificate_path = None # Set None if generate_ssl_cert = True
ssl_key_path = None # Set None if generate_ssl_cert = True
keycloak_installdir = makepath('/opt','keycloak')
keycloak_installdir_bck = makepath('/opt','keycloak.bck')
keytabfile_path = makepath(keycloak_installdir,'conf','http-krb5.keytab')
keytabfile_path_bck = makepath(keycloak_installdir_bck,'conf','http-krb5.keytab')
keycloak_a2site = makepath('/etc','apache2','sites-available','keycloak.conf')
def systemd_enable_start_service(servicename):
return run('LANG=C systemctl enable --now %s' % (servicename))
def install():
print('If upgrade, stop keycloak service')
try:
systemd_stop_service('keycloak.service')
first_install = False
except:
print("It's the first install")
first_install = True
print('Install requirements')
install_apt('openjdk-17-jdk')
install_apt('postgresql')
if not first_install:
if isdir(keycloak_installdir_bck):
print('Remove old backup dir')
remove_tree(keycloak_installdir_bck)
print('Create backup of old installation.')
copytree2(keycloak_installdir,keycloak_installdir_bck)
remove_tree(keycloak_installdir)
mkdirs(keycloak_installdir)
print('Extract archive')
version = control.version.split('-')[0]
run(f'tar xzf keycloak-{version}.tar.gz -C {keycloak_installdir}')
# Patch to use keycloak folder without version number in directory name.
copytree2(makepath(keycloak_installdir,f'keycloak-{version}'),keycloak_installdir)
remove_tree(makepath(keycloak_installdir,f'keycloak-{version}'))
if first_install:
print('Create group and user')
run('groupadd -r keycloak')
run(f'useradd -r -g keycloak -d {keycloak_installdir} -s /sbin/nologin keycloak')
print('Create Postgresql user and database')
run('sudo -u postgres psql -c "create database keycloak with encoding \'UTF8\';" ')
database_password = ''.join(random.choices(string.ascii_uppercase + string.digits, k = 15))
run(f""" sudo -u postgres psql -c "create user keycloak with password '{database_password}';" """)
run(f""" sudo -u postgres psql -c "grant all ON database keycloak to keycloak;" """)
run(f""" sudo -u postgres psql -d keycloak -c "grant all on schema public to keycloak ;" """)
print('Create service')
service = f"""[Unit]
Description=Keycloak Service
After=network.target syslog.target postgresql.target
[Service]
User=keycloak
Group=keycloak
ExecStart={keycloak_installdir}/bin/kc.sh start
SuccessExitStatus=0 143
WorkingDirectory={keycloak_installdir}
[Install]
WantedBy=multi-user.target
"""
with open('/lib/systemd/system/keycloak.service','w') as service_file:
service_file.write(service)
run('systemctl daemon-reload')
print('Set user rights')
run(f'chown -R keycloak:keycloak {keycloak_installdir}')
if first_install:
if use_apache2:
print('Install Apache2')
install_apt('apache2')
print('Enable Apache2 modules')
run('a2enmod ssl headers proxy proxy_http')
jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader('templates'))
template = jinja_env.get_template('apache2.conf.j2')
if generate_ssl_cert:
print('Generate SSL key and certificate')
ap_ssl_dir = makepath('/etc','ssl')
mkdirs(ap_ssl_dir)
key_fn = os.path.join(ap_ssl_dir,'private','keycloak_key.pem')
key = SSLPrivateKey(key_fn)
if not os.path.isfile(key_fn):
print('Create SSL RSA Key %s' % key_fn)
key.create()
key.save_as_pem()
cert_fn = os.path.join(ap_ssl_dir,'certs','keycloak_cert.pem')
if os.path.isfile(cert_fn):
crt = SSLCertificate(cert_fn)
if os.path.isfile(cert_fn):
crt = SSLCertificate(cert_fn)
if crt.cn != get_fqdn():
os.rename(cert_fn,"%s-%s.old" % (cert_fn,'{:%Y%m%d-%Hh%Mm%Ss}'.format(datetime.datetime.now())))
crt = key.build_sign_certificate(cn=get_fqdn(),is_code_signing=False)
print('Create X509 cert %s' % cert_fn)
crt.save_as_pem(cert_fn)
else:
crt = key.build_sign_certificate(cn=get_fqdn(),is_code_signing=False)
print('Create X509 cert %s' % cert_fn)
crt.save_as_pem(cert_fn)
template_variables = {
'kc_url': kc_url.replace('https://','').replace('http://',''),
'ssl_certificate_path': cert_fn.replace('\\','/'),
'ssl_key_path': key_fn.replace('\\','/')
}
else:
template_variables = {
'kc_url': kc_url.replace('https://','').replace('http://',''),
'ssl_certificate_path': ssl_certificate_path,
'ssl_key_path': ssl_key_path
}
print('Write Apache2 site configfile')
config_string = template.render(template_variables)
print(f'Create Apache2 configuration file {keycloak_a2site}')
with open(keycloak_a2site, 'w') as dst_file:
dst_file.write(config_string)
print('Enable keycloak site and disable default site')
run('a2ensite keycloak.conf')
run_notfatal('a2dissite 000-default.conf')
print('Restart apache2 service')
systemd_restart_service('apache2')
jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader('templates'))
template = jinja_env.get_template('keycloak.conf.j2')
template_variables = {
'use_apache2': use_apache2,
'pgsql_passwd': database_password,
'kc_health': kc_health,
'kc_metrics': kc_metrics,
'kc_url': kc_url.replace('https://','').replace('http://',''),
}
print('Write Keycloak configuration')
config_string = template.render(template_variables)
print('Create Keycloak configuration file %s' % makepath(keycloak_installdir,'conf/keycloak.conf'))
with open(makepath(keycloak_installdir,'conf/keycloak.conf'), 'w') as dst_file:
dst_file.write(config_string)
print('Start Keycloak Server to create first admin user. Please wait 120 seconds.')
run_notfatal('export KEYCLOAK_ADMIN=admin && export KEYCLOAK_ADMIN_PASSWORD=admin && /opt/keycloak/bin/kc.sh start', timeout=120)
if not first_install:
print('Copy old configfile')
filecopyto(makepath(keycloak_installdir_bck,'conf/keycloak.conf'), makepath(keycloak_installdir,'conf','keycloak.conf'))
if isfile(keytabfile_path_bck):
filecopyto(keytabfile_path_bck,keytabfile_path)
print('Build Keycloak for production')
run("/opt/keycloak/bin/kc.sh build")
print('Set user rights')
run(f'chown -R keycloak:keycloak {keycloak_installdir}')
if isdir('/var/log/keycloak'):
run(f'chown -R keycloak:keycloak /var/log/keycloak')
print('Start Keycloak service')
systemd_enable_start_service('keycloak')
def uninstall():
print('Stop keycloak service')
systemd_stop_service('keycloak')
print('Delete Postgresql user and database')
run('sudo -u postgres psql -c "drop database keycloak;" ')
run('sudo -u postgres psql -c "drop user if exists keycloak;" ')
print('Remove keycloak directory')
remove_tree(keycloak_installdir)
print('Disable apache configuration')
run('a2dissite keycloak.conf')
print('Restart apache2 service')
systemd_restart_service('apache2')
print('Uninstall done, but not for postgresql and openjdk-17-jdk')# -*- coding: utf-8 -*-
from setuphelpers import *
import platform
import json
# Declaring specific app values (TO CHANGE)
package_name = "keycloak-server"
def update_package():
print("Download/Update package content from upstream binary sources")
# Getting proxy informations from WAPT settings
proxy = {}
if platform.system() == "Windows" and isfile(makepath(user_local_appdata(), "waptconsole", "waptconsole.ini")):
proxywapt = inifile_readstring(makepath(user_local_appdata(), "waptconsole", "waptconsole.ini"), "global", "http_proxy")
if proxywapt:
proxy = {"http": proxywapt, "https": proxywapt}
# Specific app values
app_name = control.name
git_repo = "keycloak/keycloak"
url_api = "https://api.github.com/repos/%s/releases/latest" % git_repo
# Getting latest informations from Github API
json_load = json.loads(wgets(url_api, proxies=proxy))
for asset in json_load['assets']:
if '.tar.gz' in asset['name']:
url_dl = asset['browser_download_url']
break
version = json_load["tag_name"]
latest_bin = f"keycloak-{version}.tar.gz"
print("Latest " + app_name + " version is: " + version)
print("Download url for APT-based systems is: " + url_dl)
# Downloading latest binaries
if not isfile(latest_bin):
print("Downloading: " + latest_bin)
wget(url_dl, latest_bin, proxies=proxy)
# Changing version of the package
control.version = "%s-%s" % (version, int(control.version.split("-", 1)[1]) + 1)
control.save_control_to_wapt()
print("Changing version to " + control.version + " in WAPT\\control")
else:
print("This package is already up-to-date")
# Deleting outdated binaries
for bin_in_dir in glob.glob("*.deb"):
if bin_in_dir != latest_bin_deb:
print("Outdated binary: " + bin_in_dir + " Deleted")
remove_file(bin_in_dir)
38d056ab130f7bf7c481c12636a4e9959de36561d3dfcbe54c6e3571bc0c1dc3 : WAPT/certificate.crt
2c35d1f8b2bcb4c9ba79a04c1473ef01571e41dee24120aad4fa417b64e6f0d4 : WAPT/control
f844ec0989ea764ddcbb17e3e0ea7c15aa95e53d6e47d1c4950a1742a15707f5 : WAPT/icon.png
9b4185434b8ad3577373a8d806f95dce182bfff8f7c35a8ba959506d94c04420 : keycloak-26.3.3.tar.gz
c501b1658de2d44298a57232bf84df493fe499eec9b1aacaf21990293dd67ecd : luti.json
5c499dbb30b08d808eb3daa0b6ea27034e6a5a8917410262bb06b5a598d16ef2 : setup.py
2e0a83ecaeea7eddbae90b147e96c1fc8c090a1fa2470bdb1379aa2acdae70ac : templates/apache2.conf.j2
bac03e0a77c84f2bc3bc0508fed35776d9f11eb24d74c308de9b4417f92c7b02 : templates/keycloak.conf.j2
ac22e1de3141fa7d3c6084c95e702af4dcc684448335a242a9240c26b1763e8e : update_package.py