https://wiki.castanedo.es/index.php?action=history&feed=atom&title=Keycloak
Keycloak - Historial de revisiones
2026-05-10T14:18:23Z
Historial de revisiones de esta página en la wiki
MediaWiki 1.39.8
https://wiki.castanedo.es/index.php?title=Keycloak&diff=203&oldid=prev
Guzman en 22:46 18 abr 2026
2026-04-18T22:46:26Z
<p></p>
<p><b>Página nueva</b></p><div>== Instalación Keycloak en Docker ==<br />
Instalación de [https://hub.docker.com/hardened-images/catalog/dhi/keycloak dhi.io/keycloak] en Docker.<br />
Vamos a usar una imagen "Docker Hardened Image" (imágenes seguras, mínimas y listas para producción).<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
* MariaDB (ver [[MariaDB]])<br />
** Usaremos MariaDB para almacenar los datos. [https://www.keycloak.org/server/db Más información].<br />
* Nginx (ver [[LEMP]])<br />
* Cuenta en Docker Hub<br />
** Necesario para acceder a Docker Hardened Image.<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Login en catálogo DHI ===<br />
<syntaxhighlight lang="Bash">docker login dhi.io</syntaxhighlight><br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (26.5.6). <br />
<syntaxhighlight lang="Bash">docker pull dhi.io/keycloak:26.5</syntaxhighlight><br />
<br />
=== Certificados SSL ===<br />
Para poder arrancar la Keycloak hace falta tener certificados SSL/TLS.<br />
Nombres:<br />
* tls.crt: Certificado Fullchain (X.509 PEM)<br />
* tls.key: Clave RSA (PKCS#8)<br />
'''Nota''': en DEV usaremos auto-firmados y en PRO de Let's Encrypt.<br />
<br />
=== Crear volumen para certificados SSL ===<br />
* Crear volumen "keycloak-certs"<br />
<syntaxhighlight lang="Bash">docker volume create keycloak-certs</syntaxhighlight><br />
<br />
* Copiar certificados en el "keycloak-cert":<br />
<syntaxhighlight lang="Bash"><br />
cd /c/Users/guzman/Desktop/temp<br />
docker create --name temp-copia -v keycloak-certs:/data alpine<br />
docker cp entrardev.culturetas.net-fullchain.crt temp-copia:/data/tls.crt<br />
docker cp entrardev.culturetas.net.key temp-copia:/data/tls.key<br />
docker cp culturetas-root-ca.crt temp-copia:/data/ca.crt<br />
docker rm temp-copia<br />
</syntaxhighlight><br />
<br />
=== Crear base de datos para MariaDB ===<br />
Ver [[MariaDB]] para montar la BD necesaria.<br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d --name keycloak \<br />
--hostname entrardev.culturetas.net \<br />
--env KC_BOOTSTRAP_ADMIN_USERNAME=admin \<br />
--env KC_BOOTSTRAP_ADMIN_PASSWORD=admin \<br />
--env KC_HTTP_PORT=9080 \<br />
--env KC_HTTPS_PORT=9443 \<br />
--env KC_HTTPS_CERTIFICATE_FILE=//etc/x509/https/tls.crt \<br />
--env KC_HTTPS_CERTIFICATE_KEY_FILE=//etc/x509/https/tls.key \<br />
--env KC_HOSTNAME=https://localhost:9443/ \<br />
--env KC_DB=mariadb \<br />
--env KC_DB_URL=jdbc:mariadb://172.17.0.2:3306/keycloakdb \<br />
--env KC_DB_USERNAME=keycloak \<br />
--env KC_DB_PASSWORD=keycloak \<br />
-p 127.0.0.1:9443:9443 \<br />
-v keycloak-certs:/etc/x509/https:ro \<br />
dhi.io/keycloak:26.5 start<br />
</syntaxhighlight><br />
<br />
Nota: si se desea usar una DB H2 hay que crear un volumen para guardar persistentemente dicha DB. NO RECOMENDADO PARA PRO.<br />
<syntaxhighlight lang="Bash"><br />
-v keycloak-data:/opt/keycloak/data/ \<br />
</syntaxhighlight><br />
<br />
=== Pruebas ===<br />
Accedemos con un navegador web [https://localhost:9443/ https://localhost:9443/].<br />
[[Archivo:Keycloak-DEV-Accesos.png|border|900px|none]]<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.<br />
<br />
=== Configurar Virtual Host para Keycloak ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/entrar.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
###########################<br />
# KEYCLOAK REVERSER PROXY #<br />
###########################<br />
server {<br />
listen 80;<br />
listen [::]:80;<br />
server_name entrar.culturetas.net;<br />
# Redirect HTTP to HTTPS<br />
return 301 https://$host$request_uri;<br />
}<br />
<br />
server {<br />
# SSL configuration<br />
#<br />
listen 443 ssl http2;<br />
listen [::]:443 ssl http2;<br />
ssl_certificate /etc/ssl/certs/selfsigned.crt;<br />
ssl_certificate_key /etc/ssl/private/selfsigned.key;<br />
<br />
# Root directory<br />
root /var/www/entrar.culturetas.net;<br />
<br />
# Add index.php to the list if you are using PHP<br />
index index.php index.html index.htm;<br />
<br />
server_name entrar.culturetas.net;<br />
<br />
access_log /var/log/nginx/entrar.culturetas.net-access.log;<br />
error_log /var/log/nginx/entrar.culturetas.net-error.log;<br />
<br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: reinclude if in a location a header is set<br />
include snippets/hsts.conf;<br />
<br />
# Allow favicon.ico, robots.txt, .well-known/<br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
#include snippets/allowed.conf;<br />
#include snippets/denied.conf;<br />
<br />
location / {<br />
# First attempt to serve request as file, then<br />
# as directory, then fall back to displaying a 404.<br />
#try_files $uri $uri/ =404;<br />
proxy_pass https://127.0.0.1:9443;<br />
}<br />
<br />
location = /robots.txt {<br />
allow all;<br />
}<br />
<br />
location ~* ^/.well-known/ {<br />
allow all;<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
* Crear carpeta para VirtualHost:<br />
<syntaxhighlight lang="Bash">mkdir /var/www/entrar.culturetas.net</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/entrar.culturetas.net /etc/nginx/sites-enabled/entrar.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar certificados Let's Encrypt ===<br />
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
Saving debug log to /var/log/letsencrypt/letsencrypt.log<br />
<br />
Which names would you like to activate HTTPS for?<br />
We recommend selecting either all domains, or all domains in a VirtualHost/server block.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
1: entrar.culturetas.net<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Select the appropriate numbers separated by commas and/or spaces, or leave input<br />
blank to select all options shown (Enter 'c' to cancel): 1<br />
Requesting a certificate for entrar.culturetas.net<br />
<br />
Successfully received certificate.<br />
Certificate is saved at: /etc/letsencrypt/live/entrar.culturetas.net/fullchain.pem<br />
Key is saved at: /etc/letsencrypt/live/entrar.culturetas.net/privkey.pem<br />
This certificate expires on 2026-07-17.<br />
These files will be updated when the certificate renews.<br />
Certbot has set up a scheduled task to automatically renew this certificate in the background.<br />
<br />
Deploying certificate<br />
Successfully deployed certificate for entrar.culturetas.net to /etc/nginx/sites-enabled/entrar.culturetas.net<br />
Congratulations! You have successfully enabled HTTPS on https://entrar.culturetas.net<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
If you like Certbot, please consider supporting our work by:<br />
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate<br />
* Donating to EFF: https://eff.org/donate-le<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
</syntaxhighlight><br />
<br />
=== Crear BD para keycloak (MariaDB) ===<br />
<br />
==== Conectar a la base de datos ====<br />
Conectamos como root:<br />
<syntaxhighlight lang="Bash"><br />
mariadb<br />
</syntaxhighlight><br />
<br />
==== Crear base de datos ====<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE DATABASE keycloakdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;<br />
</syntaxhighlight><br />
<br />
==== Crear usuario ====<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE USER keycloak IDENTIFIED BY 'keycloak';<br />
</syntaxhighlight><br />
<br />
==== Dar permisos a usuario en BD ====<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
GRANT ALL PRIVILEGES ON keycloakdb.* TO 'keycloak';<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
==== Comprobar permisos ====<br />
<syntaxhighlight lang="Bash"><br />
SHOW GRANTS FOR 'keycloak';<br />
</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
+---------------------------------------------------------------------------------------------------------+<br />
| Grants for keycloak@% |<br />
+---------------------------------------------------------------------------------------------------------+<br />
| GRANT USAGE ON *.* TO `keycloak`@`%` IDENTIFIED BY PASSWORD '*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' |<br />
| GRANT ALL PRIVILEGES ON `keycloakdb`.* TO `keycloak`@`%` |<br />
+---------------------------------------------------------------------------------------------------------+<br />
</syntaxhighlight><br />
<br />
==== Habilitar conexiones remotas ====<br />
El necesario que la BD tenga configurada conexiones remotas (no sólo desde localhost).<br />
Ver documento [[LEMP|Configuración MariaDB]].<br />
<br />
Nota: se recomienda NO exponer la base de datos a Internet. Es decir, sí habilitar las conexiones remotas, pero no abrir el puerto en los firewalls.<br />
<br />
=== Crear carpetas para Keycloak ===<br />
<syntaxhighlight lang="Bash">mkdir -p /opt/keycloak/data</syntaxhighlight><br />
<br />
=== Certificados SSL para el contenedor (auto-firmados) ===<br />
Vamos a usar los unos certificados SSL auto-firmados para usar dentro del contenedor.<br />
Aunque estos sean auto-firmados los finales son los que muestra Nginx (Let's Encrypt).<br />
<br />
<syntaxhighlight lang="Bash"><br />
mkdir -p /opt/keycloak/data/ssl<br />
mv /tmp/entrar.culturetas.net* /opt/keycloak/data/ssl/<br />
chown root:root /opt/keycloak/data/ssl/entrar.culturetas.net*<br />
chmod 644 /opt/keycloak/data/ssl/entrar.culturetas.net*<br />
</syntaxhighlight><br />
<br />
Nota: aunque la key no se recomienda 644 (sino 600). Keycloak no es capaz de leerlo con otros permisos.<br />
<br />
=== Login en catálogo DHI ===<br />
* Acceso a Docker Hub: https://app.docker.com/accounts/<user>/settings/personal-access-tokens<br />
<br />
* Generar nuevo token<br />
[[Archivo:Culturetas-access-token.png|border|900px|none]]<br />
<br />
* Guardar token en lugar seguro<br />
<br />
* Acceder a Docker<br />
<syntaxhighlight lang="Bash">docker login -u <user> dhi.io</syntaxhighlight><br />
Nota: las imágenes Hardened son libres pero bajo registro.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (26.5.6). <br />
<syntaxhighlight lang="Bash">docker pull dhi.io/keycloak:26.5</syntaxhighlight><br />
<br />
=== Generar fichero Compose YAML ===<br />
<syntaxhighlight lang="Bash">vi /opt/keycloak/compose.yaml</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
name: keycloak<br />
services:<br />
keycloak:<br />
container_name: keycloak<br />
hostname: entrar.culturetas.net<br />
restart: unless-stopped<br />
environment:<br />
- KC_BOOTSTRAP_ADMIN_USERNAME=admin<br />
- KC_BOOTSTRAP_ADMIN_PASSWORD=admin<br />
- KC_HTTP_PORT=9080<br />
- KC_HTTPS_PORT=9443<br />
- KC_HTTPS_CERTIFICATE_FILE=/etc/x509/https/tls.crt<br />
- KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/x509/https/tls.key<br />
- KC_HOSTNAME=https://entrar.culturetas.net/<br />
- KC_DB=mariadb<br />
- KC_DB_URL=jdbc:mariadb://135.125.179.32:3306/keycloakdb<br />
- KC_DB_USERNAME=keycloak<br />
- KC_DB_PASSWORD=keycloak<br />
ports:<br />
- 127.0.0.1:9443:9443<br />
volumes:<br />
- /opt/keycloak/data/ssl/entrar.culturetas.net-fullchain.crt:/etc/x509/https/tls.crt:ro<br />
- /opt/keycloak/data/ssl/entrar.culturetas.net.key:/etc/x509/https/tls.key:ro<br />
image: dhi.io/keycloak:26.5<br />
command: start<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod 640 /opt/keycloak/compose.yaml</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/keycloak</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose up -d</syntaxhighlight><br />
<br />
=== Parar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/keycloak</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose down</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (con SystemD) ===<br />
* Crear fichero SystemD<br />
<syntaxhighlight lang="Bash">vi /etc/systemd/system/keycloak.service</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[Unit]<br />
Description=KeyCloak (Docker Compose)<br />
After=docker.service mariadb.service network-online.target<br />
Requires=docker.service mariadb.service<br />
Wants=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
WorkingDirectory=/opt/keycloak<br />
ExecStart=/usr/bin/docker compose up --detach --remove-orphans --quiet-pull<br />
ExecStop=/usr/bin/docker compose down --remove-orphans --volumes --timeout 30<br />
TimeoutStartSec=180<br />
TimeoutStopSec=120<br />
Restart=on-failure<br />
RestartSec=7<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</syntaxhighlight><br />
<br />
* Arrancar y habilitar<br />
<syntaxhighlight lang="Bash">systemctl daemon-reload</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start keycloak</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable keycloak</syntaxhighlight><br />
<br />
== Configuración KeyCloak ==<br />
=== Editar Realm (master) ===<br />
* Acceder a KeyCloak con usuario admin.<br />
* Pulsar en "Realm settings".<br />
* Pulsar en "General".<br />
** Display name: culturetas.net<br />
* Pulsar en "Email".<br />
** From: hola@culturetas.net<br />
** From display name: Hola Cultureta<br />
** Host: smtp.culturetas.net<br />
** Port: 587<br />
** Enable StartTLS: Sí<br />
** Authentication: Sí<br />
** Username: hola@culturetas.net<br />
** Password<br />
<br />
=== Crear usuario ===<br />
* Comprobar que estás en el realm "master".<br />
* Pulsar en "Users" -> "Create new user".<br />
** Username<br />
** Email<br />
** First name<br />
** Last name<br />
* Pulser en "Credentials" -> "Set password".<br />
** Password<br />
** Password confirmation<br />
** Temporary: Off<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/hardened-images/catalog/dhi/keycloak https://hub.docker.com/hardened-images/catalog/dhi/keycloak]<br />
* [https://www.keycloak.org/guides https://www.keycloak.org/guides]<br />
* [https://www.keycloak.org/getting-started/getting-started-docker https://www.keycloak.org/getting-started/getting-started-docker]<br />
* [https://www.keycloak.org/server/db https://www.keycloak.org/server/db]<br />
* [https://www.keycloak.org/server/configuration-production https://www.keycloak.org/server/configuration-production]<br />
* [https://www.keycloak.org/server/hostname https://www.keycloak.org/server/hostname]<br />
* [https://www.keycloak.org/server/reverseproxy https://www.keycloak.org/server/reverseproxy]<br />
<br />
[[Categoría:Notas]]</div>
Guzman