Keycloak 15.1.1
Software Installation Article | SIA-20220907-TP-02 VDG Sense | Software Installation | Keycloak |
It is recommended to upgrade to Keycloak 15.1.1 due to a security vulnerability found in versions prior to 15.1.1. Read more: https://www.keycloak.org/2021/12/cve.html
Upgrade from 15.0.2
For a complete guide on how to upgrade, read here: https://www.keycloak.org/docs/15.1/upgrading/index.html . The following procedure lists the basic steps of an upgrade:
Download Keycloak 15.1.1 from https://www.keycloak.org/archive/downloads-15.1.1.html
Unzip ‘keycloak-15.1.1.zip’ in ‘C:\Program Files\VDG Security\Sense\Software’ folder
Copy folder:
C:\Program Files\VDG Security\Sense\Software\keycloak-15.1.1\docs\contrib\scripts\service to
C:\Program Files\VDG Security\Sense\Software\keycloak-15.1.1\bin
Stop ‘WildFly’ service in windows services
Uninstall the current Keycloak WildFly Windows service:
As administrator CMD run:
keycloak-15.1.1/bin/service/service.bat uninstall
Copy folder
C:\Program Files\VDG Security\Sense\Software\keycloak-15.0.2\standalone to
C:\Program Files\VDG Security\Sense\Software\keycloak-15.1.1\standalone
overwriting any existing files
Run Keycloak upgrade script:
keycloak-15.1.1/bin/jboss-cli.sh --file=bin/migrate-standalone-ha.cli
Install the new Keycloak WildFly Windows service:
As administrator CMD run:
keycloak-15.1.1/bin/service/service.bat install
Start ‘WildFly’ service in windows services (database migration is done on startup)
Go to the Keycloak web configuration:
User Federation → [AD name] and make sure the ‘Edit Mode’ is set to ‘UNSYNCED’
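The steps above run as one script, as an added example that is not part of this article or of the Sense software. It assumes the folder layout used in this article, the default service short name 'Wildfly' that service.bat registers, the default Keycloak URL http://127.0.0.1:8080/auth/, and an elevated PowerShell prompt; jboss-cli.bat is the Windows counterpart of the jboss-cli.sh named above. The 15.0.2 folder is never written to, so it remains available as the rollback copy.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the VDG Sense article. Assumptions: the article's folder
# layout, service short name 'Wildfly' (service.bat default), Keycloak answering on
# http://127.0.0.1:8080/auth/. The 15.0.2 folder is left untouched as the rollback copy.
$Base = 'C:\Program Files\VDG Security\Sense\Software'
$Old  = Join-Path $Base 'keycloak-15.0.2'
$New  = Join-Path $Base 'keycloak-15.1.1'
# The article uses migrate-standalone-ha.cli; choose the script matching the
# configuration file the service really runs (migrate-standalone.cli for standalone.xml).
$MigrationScript = 'bin/migrate-standalone-ha.cli'

if (-not (Test-Path (Join-Path $New 'bin\jboss-cli.bat'))) {
    throw "Unzip keycloak-15.1.1.zip into $Base first"
}

# The service wrapper scripts must sit in bin before service.bat is used
Copy-Item -Path (Join-Path $New 'docs\contrib\scripts\service') -Destination (Join-Path $New 'bin') -Recurse -Force

# Stop and remove the 15.0.2 service registration
Stop-Service -Name 'Wildfly' -ErrorAction SilentlyContinue
& (Join-Path $New 'bin\service\service.bat') uninstall

# Carry configuration, deployments and the embedded database over, overwriting the defaults
Copy-Item -Path (Join-Path $Old 'standalone\*') -Destination (Join-Path $New 'standalone') -Recurse -Force

# Offline migration of the carried-over server configuration; the relative --file path
# resolves from the Keycloak folder, exactly as in the article
Push-Location $New
& '.\bin\jboss-cli.bat' "--file=$MigrationScript"
Pop-Location

# Register and start the 15.1.1 service. The Keycloak database migration runs during
# this first start, so wait for the login page before opening the console.
& (Join-Path $New 'bin\service\service.bat') install
Start-Service -Name 'Wildfly'

function Wait-Keycloak {
    param([string]$Url = 'http://127.0.0.1:8080/auth/', [int]$TimeoutMinutes = 10)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        try {
            if ((Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 5).StatusCode -eq 200) { return $true }
        } catch { }
        Start-Sleep -Seconds 10
    }
    return $false
}

if (-not (Wait-Keycloak)) { throw 'Keycloak did not come up; check standalone\log\server.log' }
'Upgrade finished: now verify User Federation -> [AD name] -> Edit Mode is UNSYNCED'
```

The final check of the 'Edit Mode' setting is deliberately left as a manual step, as the article describes it.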
Clean Installation
Keycloak can be downloaded from the Keycloak website. It is recommended to install it on the VDG Sense management server so that Keycloak can be configured to block any remote connections. This means the configuration web page can only be accessed from the local PC.
In case of using Keycloak with Failover functionality it is recommended to install it on the Failover server.
Follow this procedure to install Keycloak:
Download Keycloak 15.1.1 from the Keycloak Downloads Archive (https://www.keycloak.org/archive/downloads-15.1.1.html); it is the ‘Distribution powered by WildFly’ zip file.
Download OpenJDK 15 here: https://jdk.java.net/archive/
Extract content of zip file to C:\OpenJDK or other preferred location
Assuming it is extracted in C:\OpenJDK, add the following item to the system variables:
Unzip ‘keycloak-15.1.1.zip’ or newer version in ‘C:\Program Files\VDG Security\Sense’ folder
Copy folder C:\Program Files\VDG Security\Sense\keycloak-15.1.1\docs\contrib\scripts\service to C:\Program Files\VDG Security\Sense\keycloak-15.1.1\bin
As administrator CMD run:
keycloak/bin/service/service.bat install
Go to 'Computer Management' -> Services
Enable automatic start for the 'Wildfly' service; this is the Keycloak Windows service provider
Start the 'Wildfly' service
Failover
If installed on the Failover server or on a separate server, remote access to the Keycloak service needs to be enabled. To do this, open the following file:
C:\Program Files\VDG Security\Sense\Software\keycloak-15.1.1\standalone\configuration\standalone.xml
Look up the following <interfaces> tag and change it accordingly:
</profile>
<interfaces>
    <interface name="management">
        <any-address/>
    </interface>
    <interface name="public">
        <any-address/>
    </interface>
</interfaces>
Restart the Wildfly service after changing this file to enable remote connections
More information can be found here: http://docs.wildfly.org/23/Admin_Guide.html#Interfaces_and_ports
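The interface bindings decide what is reachable from the network, both for the management-server case above (no remote connections) and for the Failover case (remote connections allowed), so it is worth checking the result after editing the file. The audit below is an added example, not part of the article or of WildFly: it parses the <interfaces> section of standalone.xml and lists the sockets actually listening. It assumes WildFly's default ports, 8080 for the public HTTP listener that serves /auth and 9990 for WildFly's own management console, and the standalone.xml path from this article; the embedded sample configuration is constructed to mirror the snippet above.

```powershell
# Added example, not part of the VDG Sense article. Assumptions: default WildFly ports
# 8080 (public interface, serves /auth) and 9990 (management console), and the
# article's standalone.xml path.
function Get-WildFlyInterfaceBinding {
    param([Parameter(Mandatory)][xml]$Config)
    # Dot navigation in PowerShell ignores the urn:jboss:domain namespace, so this
    # works whatever schema version the file declares.
    foreach ($iface in $Config.server.interfaces.interface) {
        $anyAddress = $null -ne $iface.'any-address'
        $binding = if ($anyAddress) { 'any-address (all network interfaces)' }
                   elseif ($null -ne $iface.'inet-address') { $iface.'inet-address'.value }
                   else { 'other' }
        [pscustomobject]@{
            Interface = $iface.name
            Binding   = $binding
            Remote    = $anyAddress
        }
    }
}

function Get-KeycloakListener {
    # What is really listening, independent of what the file says
    param([int[]]$Port = @(8080, 9990))
    Get-NetTCPConnection -State Listen |
        Where-Object { $Port -contains $_.LocalPort } |
        ForEach-Object {
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Remote  = $_.LocalAddress -in @('0.0.0.0', '::')
            }
        }
}

# Constructed sample mirroring the Failover snippet in the article
$sample = [xml]@'
<server xmlns="urn:jboss:domain:16.0">
  <interfaces>
    <interface name="management"><any-address/></interface>
    <interface name="public"><any-address/></interface>
  </interfaces>
</server>
'@
Get-WildFlyInterfaceBinding -Config $sample | Format-Table -AutoSize
# Both rows report Remote = True. Keycloak itself is served on the public interface
# only; the management interface carries WildFly's console and CLI, which a Failover
# server does not need to expose, so that one can keep its inet-address of 127.0.0.1.

$path = 'C:\Program Files\VDG Security\Sense\Software\keycloak-15.1.1\standalone\configuration\standalone.xml'
if (Test-Path $path) {
    Get-WildFlyInterfaceBinding -Config ([xml](Get-Content -Path $path -Raw)) | Format-Table -AutoSize
}
Get-KeycloakListener | Format-Table -AutoSize
```

On the management server, every row of both tables should show Remote = False; on the Failover server only the public interface and port 8080 need Remote = True.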
Configuration
Assuming Keycloak is up and running, open http://127.0.0.1:8080/auth/.
Keycloak will ask for the admin username and password, as these have not been configured yet. Configure a safe and hard-to-guess password.
After this user has been created you will be directed to the login page.
Add a realm
Keycloak can be set up to be used by more than one software integration. For each software integration a realm should be set up.
So set up a realm for Sense.
Hover with the mouse over 'Master' in the top-left corner of the screen.
Select 'Add realm' from the popup
Use 'Sense' as realm name
Add a client
The Sense Videomanager needs to request the users from Keycloak, so SenseVideoManager needs to be able to authenticate itself; this is done with a client-grant. The client-grant has to be set up in Keycloak.
Select the ‘Sense’ Realm
Select 'Clients' in the menu on the left-side
Click the 'Create'-button on the right-side above the list.
Use the following:
Client ID: 'sense-client-credentials'
Client Protocol: 'openid-connect'
Root URL: leave empty
If the added item is not yet selected, select 'sense-client-credentials' from the list and configure it with the following settings:
Access Type: confidential
Service Accounts Enabled: ON
Authorization Enabled: ON
Valid Redirect URL: /*
Press ‘Save’ button
The Credentials tab shows the login credentials which need to be used in Sense.
The Client ID (sense-client-credentials) and Client Secret (83089eda-ac37-45e0-aa17-a8f1a2cddfdc) are needed later in the Identity Provider dialog in Sense. You should be able to copy these values from Keycloak. They are unique for each installation.
The client-grant requires access to the users. The video manager only queries the users; it does not add or modify them.
Select the tab 'Service Account Roles'
From the ‘Client Roles'-dropdown select 'realm-management’.
From the 'Available Roles’-list add: ‘query-clients', ‘manage-users’ and ‘view-users’
Active Directory
Add a user provider to Keycloak
Select 'User Federation' from the menu on the left-side
From the ‘Add provider'-dropdown select 'ldap’
The field ‘Username LDAP attribute’ should be set to sAMAccountName.
Set up the remaining fields depending on the Active Directory settings on site
To correctly import the username into the Keycloak user list, the following change has to be made in the ‘Mappers’ section:
Click ‘username’ and change the ‘LDAP Attribute’ value from ‘cn’ to 'sAMAccountName':
Go back to ‘Settings’ menu
Test the connection to your AD-server
Test the authentication to your AD-server
If all tests are okay, the users can be synchronized manually:
If required, Keycloak can automatically sync new users from Active Directory. Open ‘Sync Settings’ for this:
In this case, changed users are checked for every 60 seconds.
Check the users
All synchronized users can be viewed after the Active Directory settings are configured.
Select 'Users' from the menu on the left-side
Click the 'View all users'-button
The result should be a list of all AD-users and the native 'Keycloak'-users.
The users from AD have a field 'Federation link':
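The client-grant configured in the 'Add a client' section is what the video manager uses to fetch exactly this user list, so exercising the same path by hand is a quick end-to-end check of the client roles and the federation. The script below is an added example, not part of this article or of the Sense software: it requests a token with the client-credentials grant and lists the realm's users through Keycloak's admin REST API, marking which ones came from Active Directory. It assumes the URL, realm name and Client ID from this article; the client secret is a placeholder for the value on the client's Credentials tab.

```powershell
# Added example, not part of the VDG Sense article. Assumptions: Keycloak at the
# article's URL, realm 'Sense', client 'sense-client-credentials'; the secret is a
# placeholder for the value shown on the client's Credentials tab.
$KeycloakUrl  = 'http://127.0.0.1:8080/auth'
$Realm        = 'Sense'
$ClientId     = 'sense-client-credentials'
$ClientSecret = '<client-secret-from-Credentials-tab>'   # placeholder; keep the real one out of scripts

function Get-ClientCredentialsToken {
    # Client-credentials grant: the client authenticates with its own id and secret,
    # no user is involved, and the token carries the service account's roles.
    param([string]$BaseUrl, [string]$Realm, [string]$ClientId, [string]$ClientSecret)
    $body = @{ grant_type = 'client_credentials'; client_id = $ClientId; client_secret = $ClientSecret }
    $resp = Invoke-RestMethod -Method Post -Uri "$BaseUrl/realms/$Realm/protocol/openid-connect/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
    return $resp.access_token
}

function Get-RealmUsers {
    # Read-only admin REST call; the realm-management role view-users is enough for it,
    # and a 403 here means the service account roles from the article are missing.
    param([string]$BaseUrl, [string]$Realm, [string]$Token, [int]$Max = 100)
    Invoke-RestMethod -Method Get -Uri "$BaseUrl/admin/realms/$Realm/users?max=$Max" `
        -Headers @{ Authorization = "Bearer $Token" }
}

$token = Get-ClientCredentialsToken -BaseUrl $KeycloakUrl -Realm $Realm -ClientId $ClientId -ClientSecret $ClientSecret
$users = Get-RealmUsers -BaseUrl $KeycloakUrl -Realm $Realm -Token $token

# federationLink is the 'Federation link' field from the console: set for AD-sourced
# users, absent for native Keycloak users.
$users |
    Select-Object username, enabled,
        @{ Name = 'Source'; Expression = { if ($_.federationLink) { 'Active Directory' } else { 'Keycloak' } } } |
    Format-Table -AutoSize
```

The table should match what the 'View all users' button shows: every AD user with Source = Active Directory, the native accounts with Source = Keycloak.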