Keycloak Server
Paquet d’installation silencieuse pour Keycloak Server
26.5.0-9
Security
System and network
Security
System and network
Les paquets PREPROD sont des paquets construits via LUTI.
Ils restent généralement 5 jours en PREPROD, après quoi un deuxième scan VirusTotal est effectué pour vérifier que le status n'a pas changé.
Si le paquet réussit ce dernier contrôle, il est promu en PROD et publié sur le store.
- package: tis-keycloak-server
- name: Keycloak Server
- version: 26.5.0-9
- categories: Security, System and network
- maintainer: Kevin Guerineau,WAPT Team,Tranquil IT
- editor: JBoss Red Hat
- licence: Apache 2.0
- locale: all
- target_os: debian(>=11),ubuntu(>=18)
- impacted_process: java
- architecture: x64
- signature_date:
- size: 164.19 Mo
- homepage : https://www.keycloak.org/
package : tis-keycloak-server
version : 26.5.0-9
architecture : x64
section : base
priority : optional
name : Keycloak Server
categories : Security, System and network
maintainer : Kevin Guerineau,WAPT Team,Tranquil IT
description : Keycloak is an open-source software package that enables a single authentication method to be introduced through identity and access management.
depends :
conflicts :
maturity : PREPROD
locale : all
target_os : debian(>=11),ubuntu(>=18)
min_wapt_version : 2.2
sources :
installed_size :
impacted_process : java
description_fr : Keycloak est un logiciel à code source ouvert permettant d'instaurer une méthode d'authentification unique à travers la gestion par identité et par accès.
description_pl : Keycloak to pakiet oprogramowania typu open-source, który umożliwia wprowadzenie pojedynczej metody uwierzytelniania poprzez zarządzanie tożsamością i dostępem.
description_de : Keycloak ist eine quelloffene Software, mit der Sie eine Single-Sign-On-Methode durch Identitäts- und Zugriffsverwaltung einführen können.
description_es : Keycloak es un paquete de software de código abierto que permite introducir un único método de autenticación mediante la gestión de identidades y accesos.
description_pt : O Keycloak é um pacote de software de código aberto que permite a introdução de um único método de autenticação através da gestão da identidade e do acesso.
description_it : Keycloak è un pacchetto software open-source che consente di introdurre un unico metodo di autenticazione attraverso la gestione delle identità e degli accessi.
description_nl : Keycloak is een open-source softwarepakket waarmee één authenticatiemethode kan worden ingevoerd via identiteits- en toegangsbeheer.
description_ru : Keycloak - это пакет программного обеспечения с открытым исходным кодом, который позволяет внедрить единый метод аутентификации в рамках управления идентификацией и доступом.
audit_schedule :
editor : JBoss Red Hat
keywords :
licence : Apache 2.0
homepage : https://www.keycloak.org/
package_uuid : 76e48e80-0555-40ab-8166-2ffd55bc04ed
valid_from :
valid_until :
forced_install_on :
changelog :
min_os_version :
max_os_version :
icon_sha256sum : f844ec0989ea764ddcbb17e3e0ea7c15aa95e53d6e47d1c4950a1742a15707f5
signer : test
signer_fingerprint: b82fc8ef4a4475c0f69ac168176c2bfc58f572eb716c4eadd65e4785c155dd8e
signature_date : 2026-01-06T08:31:48.000000
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
signature : c2IyZocAzsXZIC0kCV7VB0huvstc2hOQSOwxjU+cP2pW6sjKntvxDWbZkgQukPTshYCm5OWwNfRiLWzCE2ZnhIQt9rzEXMhV3am6yOUXfkgGgNanfYr82iSuhDJrM04aSv2P2hSaNdZLIOoLhQYhdIjT0FZkEwa3P+oFW5ccAo5pVdnz27D1+NWm0KpHV9ErtN5WGjmPzVrjJjMdrY+VCIEoyoL+OA8cHRcWncOuqDXPlpf53cYMkQ1j+tXzuZlPG+A9RBTKyLH24e277N8ormEVNuOsFcXzFuOan7WxMzX2E5SZwwwuBoZt0qPlqI7ksl+rfQHu8A6lCHzgFvX2jw==# -*- coding: utf-8 -*-
from setuphelpers import *
import string
import random
import jinja2
from waptcrypto import SSLCertificate, SSLPrivateKey
kc_url = 'https://keycloak.mydomain.lan' # Values : URL String
kc_health = 'true' # Values (str) : true / false
kc_metrics = 'false' # Values (str) : true / false
use_apache2 = True # Values : True / False
generate_ssl_cert = True # Values : True / False. Use False if you use commercial, Let's Encrypt or your PKI certificate.
# In this case, please configure "ssl_certificate_path" and "ssl_key_path".
ssl_certificate_path = None # Set None if generate_ssl_cert = True
ssl_key_path = None # Set None if generate_ssl_cert = True
keycloak_installdir = makepath('/opt','keycloak')
keycloak_installdir_bck = makepath('/opt','keycloak.bck')
keytabfile_path = makepath(keycloak_installdir,'conf','http-krb5.keytab')
keytabfile_path_bck = makepath(keycloak_installdir_bck,'conf','http-krb5.keytab')
keycloak_a2site = makepath('/etc','apache2','sites-available','keycloak.conf')
def systemd_enable_start_service(servicename):
return run('LANG=C systemctl enable --now %s' % (servicename))
def install():
print('If upgrade, stop keycloak service')
try:
systemd_stop_service('keycloak.service')
first_install = False
except:
print("It's the first install")
first_install = True
print('Install requirements')
if get_distrib_linux() == 'debian' and Version(get_distrib_version()) >= Version("13"):
install_apt('openjdk-21-jdk')
else:
install_apt('openjdk-17-jdk')
install_apt('postgresql')
if not first_install:
if isdir(keycloak_installdir_bck):
print('Remove old backup dir')
remove_tree(keycloak_installdir_bck)
print('Create backup of old installation.')
copytree2(keycloak_installdir,keycloak_installdir_bck)
remove_tree(keycloak_installdir)
mkdirs(keycloak_installdir)
print('Extract archive')
version = control.version.split('-')[0]
run(f'tar xzf keycloak-{version}.tar.gz -C {keycloak_installdir}')
# Patch to use keycloak folder without version number in directory name.
copytree2(makepath(keycloak_installdir,f'keycloak-{version}'),keycloak_installdir)
remove_tree(makepath(keycloak_installdir,f'keycloak-{version}'))
if first_install:
print('Create group and user')
run('groupadd -r keycloak')
run(f'useradd -r -g keycloak -d {keycloak_installdir} -s /sbin/nologin keycloak')
print('Create Postgresql user and database')
run('sudo -u postgres psql -c "create database keycloak with encoding \'UTF8\';" ')
database_password = ''.join(random.choices(string.ascii_uppercase + string.digits, k = 15))
run(f""" sudo -u postgres psql -c "create user keycloak with password '{database_password}';" """)
run(f""" sudo -u postgres psql -c "grant all ON database keycloak to keycloak;" """)
run(f""" sudo -u postgres psql -d keycloak -c "grant all on schema public to keycloak ;" """)
print('Create service')
service = f"""[Unit]
Description=Keycloak Service
After=network.target syslog.target postgresql.target
[Service]
User=keycloak
Group=keycloak
ExecStart={keycloak_installdir}/bin/kc.sh start
SuccessExitStatus=0 143
WorkingDirectory={keycloak_installdir}
[Install]
WantedBy=multi-user.target
"""
with open('/lib/systemd/system/keycloak.service','w') as service_file:
service_file.write(service)
run('systemctl daemon-reload')
print('Set user rights')
run(f'chown -R keycloak:keycloak {keycloak_installdir}')
if first_install:
if use_apache2:
print('Install Apache2')
install_apt('apache2')
print('Enable Apache2 modules')
run('a2enmod ssl headers proxy proxy_http')
jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader('templates'))
template = jinja_env.get_template('apache2.conf.j2')
if generate_ssl_cert:
print('Generate SSL key and certificate')
ap_ssl_dir = makepath('/etc','ssl')
mkdirs(ap_ssl_dir)
key_fn = os.path.join(ap_ssl_dir,'private','keycloak_key.pem')
key = SSLPrivateKey(key_fn)
if not os.path.isfile(key_fn):
print('Create SSL RSA Key %s' % key_fn)
key.create()
key.save_as_pem()
cert_fn = os.path.join(ap_ssl_dir,'certs','keycloak_cert.pem')
if os.path.isfile(cert_fn):
crt = SSLCertificate(cert_fn)
if os.path.isfile(cert_fn):
crt = SSLCertificate(cert_fn)
if crt.cn != get_fqdn():
os.rename(cert_fn,"%s-%s.old" % (cert_fn,'{:%Y%m%d-%Hh%Mm%Ss}'.format(datetime.datetime.now())))
crt = key.build_sign_certificate(cn=get_fqdn(),is_code_signing=False)
print('Create X509 cert %s' % cert_fn)
crt.save_as_pem(cert_fn)
else:
crt = key.build_sign_certificate(cn=get_fqdn(),is_code_signing=False)
print('Create X509 cert %s' % cert_fn)
crt.save_as_pem(cert_fn)
template_variables = {
'kc_url': kc_url.replace('https://','').replace('http://',''),
'ssl_certificate_path': cert_fn.replace('\\','/'),
'ssl_key_path': key_fn.replace('\\','/')
}
else:
template_variables = {
'kc_url': kc_url.replace('https://','').replace('http://',''),
'ssl_certificate_path': ssl_certificate_path,
'ssl_key_path': ssl_key_path
}
print('Write Apache2 site configfile')
config_string = template.render(template_variables)
print(f'Create Apache2 configuration file {keycloak_a2site}')
with open(keycloak_a2site, 'w') as dst_file:
dst_file.write(config_string)
print('Enable keycloak site and disable default site')
run('a2ensite keycloak.conf')
run_notfatal('a2dissite 000-default.conf')
print('Restart apache2 service')
systemd_restart_service('apache2')
jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader('templates'))
template = jinja_env.get_template('keycloak.conf.j2')
template_variables = {
'use_apache2': use_apache2,
'pgsql_passwd': database_password,
'kc_health': kc_health,
'kc_metrics': kc_metrics,
'kc_url': kc_url.replace('https://','').replace('http://',''),
}
print('Write Keycloak configuration')
config_string = template.render(template_variables)
print('Create Keycloak configuration file %s' % makepath(keycloak_installdir,'conf/keycloak.conf'))
with open(makepath(keycloak_installdir,'conf/keycloak.conf'), 'w') as dst_file:
dst_file.write(config_string)
print('Start Keycloak Server to create first admin user. Please wait 120 seconds.')
run_notfatal('export KEYCLOAK_ADMIN=admin && export KEYCLOAK_ADMIN_PASSWORD=admin && /opt/keycloak/bin/kc.sh start', timeout=120)
if not first_install:
print('Copy old configfile')
filecopyto(makepath(keycloak_installdir_bck,'conf/keycloak.conf'), makepath(keycloak_installdir,'conf','keycloak.conf'))
if isfile(keytabfile_path_bck):
filecopyto(keytabfile_path_bck,keytabfile_path)
print('Build Keycloak for production')
run("/opt/keycloak/bin/kc.sh build")
print('Set user rights')
run(f'chown -R keycloak:keycloak {keycloak_installdir}')
if isdir('/var/log/keycloak'):
run(f'chown -R keycloak:keycloak /var/log/keycloak')
print('Start Keycloak service')
systemd_enable_start_service('keycloak')
def uninstall():
print('Stop keycloak service')
systemd_stop_service('keycloak')
print('Delete Postgresql user and database')
run('sudo -u postgres psql -c "drop database keycloak;" ')
run('sudo -u postgres psql -c "drop user if exists keycloak;" ')
print('Remove keycloak directory')
remove_tree(keycloak_installdir)
print('Disable apache configuration')
run('a2dissite keycloak.conf')
print('Restart apache2 service')
systemd_restart_service('apache2')
print('Uninstall done, but not for postgresql and openjdk-25-jdk')# -*- coding: utf-8 -*-
from setuphelpers import *
import platform
import json
# Declaring specific app values (TO CHANGE)
package_name = "keycloak-server"
def update_package():
print("Download/Update package content from upstream binary sources")
# Getting proxy informations from WAPT settings
proxy = {}
if platform.system() == "Windows" and isfile(makepath(user_local_appdata(), "waptconsole", "waptconsole.ini")):
proxywapt = inifile_readstring(makepath(user_local_appdata(), "waptconsole", "waptconsole.ini"), "global", "http_proxy")
if proxywapt:
proxy = {"http": proxywapt, "https": proxywapt}
# Specific app values
app_name = control.name
git_repo = "keycloak/keycloak"
url_api = "https://api.github.com/repos/%s/releases/latest" % git_repo
# Getting latest informations from Github API
json_load = json.loads(wgets(url_api, proxies=proxy))
for asset in json_load['assets']:
if '.tar.gz' in asset['name']:
url_dl = asset['browser_download_url']
break
version = json_load["tag_name"]
latest_bin = f"keycloak-{version}.tar.gz"
print("Latest " + app_name + " version is: " + version)
print("Download url for APT-based systems is: " + url_dl)
# Downloading latest binaries
if not isfile(latest_bin):
print("Downloading: " + latest_bin)
wget(url_dl, latest_bin, proxies=proxy)
# Changing version of the package
control.version = "%s-%s" % (version, int(control.version.split("-", 1)[1]) + 1)
control.save_control_to_wapt()
print("Changing version to " + control.version + " in WAPT\\control")
else:
print("This package is already up-to-date")
# Deleting outdated binaries
for bin_in_dir in glob.glob("*.deb"):
if bin_in_dir != latest_bin_deb:
print("Outdated binary: " + bin_in_dir + " Deleted")
remove_file(bin_in_dir)
01ca7fe94636e5a08fcb73849d3b5df25d51e2c82f4dd1a08f01798b25899819 : WAPT/certificate.crt
a10fdaf2bb065f266a4267d3452da6ee00b62ba196d4b1b59672b699ff22203a : WAPT/control
f844ec0989ea764ddcbb17e3e0ea7c15aa95e53d6e47d1c4950a1742a15707f5 : WAPT/icon.png
76e2cd7c33abfcbb9058ea7ff28fee02f3ae9599633f96855e1734570f44daf0 : keycloak-26.5.0.tar.gz
6cef01409ddebe2cc8b0b1ff4e959bad6dde3fed4ba22bc1957c92a7c805afb7 : luti.json
6e0bf6f96e00f7f74b66d1865692babbbdaa258060d8db1724076ef5b86ac380 : setup.py
2e0a83ecaeea7eddbae90b147e96c1fc8c090a1fa2470bdb1379aa2acdae70ac : templates/apache2.conf.j2
bac03e0a77c84f2bc3bc0508fed35776d9f11eb24d74c308de9b4417f92c7b02 : templates/keycloak.conf.j2
ac22e1de3141fa7d3c6084c95e702af4dcc684448335a242a9240c26b1763e8e : update_package.py