Keycloak configuration
Configure how Keycloak is deployed to your Red Hat® OpenShift® Container Platform cluster (including storage options, deployment size) and how authorization and authentication are handled (including TLS configuration, password handling, and advanced configuration options).
Complete list of topics:
Storage options
Keycloak uses either the default storage class in Red Hat OpenShift Container Platform, or the storage class configured in the IBM Cloud Pak® foundational services custom resource. Before installing instances, do one of the following:
Set a default storage class by adding the
storageclass.kubernetes.io/is-default-class:'true'
annotation in Red Hat OpenShift Container Platform.Specify a storage class name for
spec.storageClass
in theCommonService
resource. For more information, see Configuring the Cloud Pak foundational services.
The following are characteristics of the database that Keycloak uses:
Requires block storage that is configured to use the
XFS
orext4
file system. RWOaccessMode
is required. The file systems (XFS
andext4
) are POSIX-compliant and fully compatible with all supported OpenShift Container Platform releases.Supports a
volumeBindingMode
of eitherImmediate
orWaitForFirstConsumer
to control volume binding and dynamic provisioning.
Backup and restore
You can backup and restore Keycloak data using the export and import features of Keycloak.
For more information, see Importing and exporting realms.
Password policy
The default password policy for Keycloak users in Cloud Pak for Integration is the following:
Must be at least 15 characters long.
Cannot contain the username.
Cannot contain the email address.
To customize the password policy:
Access the Keycloak Administration console. For more information on accessing this Administration console, see Advanced Keycloak administration.
Select
cloudpak
from the realm selector.Click Configure > Authentication.
Click the Policies tab.
Click the Password policy sub-tab.
Update the password policy as needed.
Click Save.
For more information, see Password policy.
Password reset
You can enable Keycloak users to reset their own passwords.
In addition to the steps in this section, make sure to update the email server settings in the "Configuring email" section, so that Keycloak can use a user's email address to reset their password.
Log in to the Platform UI as a user with realm management permissions. For more information, see Cloud Pak for Integration roles and permissions.
In the navigation pane, click Administration > Access control to open the "Access control" console.
Click Configure > Realm settings.
Click the Login tab.
Enable the Forgot password option.
Email verification
There are two options for configuring user email verification in Keycloak:
Enable email verification - Configure Keycloak to send emails that verify those user email addresses.
Disable email verification - Configure Keycloak so that it automatically trusts email addresses discovered by using an identity provider or federated user store. For more information, see the documentation for configuring identity providers or federated user stores in Managing users and groups.
To enable or disable email verification:
Log in to the Platform UI as a user with realm management permissions. For more information, see Cloud Pak for Integration roles and permissions.
In the navigation pane, click Administration > Access control to open the "Access control" console.
Click Configure > Realm settings.
Click the Login tab.
Set the Verify email option to on if you want to enable email verification. To disable email verification, set the option to off.
Configuring email
To configure Keycloak to send email:
Log in to the Platform UI as a user with realm management permissions. For more information, see Cloud Pak for Integration roles and permissions.
In the navigation pane, click Administration > Access control to open the "Access control" console.
Click Configure > Realm settings.
Click the Email tab.
Enter your email server settings.
Click Save.
For more information, see Configuring email for a realm.
Timeouts
You can configure the idle timeout and maximum session length for Cloud Pak for Integration by changing Keycloak realm settings.
Log in to the Platform UI as a user with realm management permissions. For more information, see Cloud Pak for Integration roles and permissions.
In the navigation pane, click Administration > Access control to open the "Access control" console.
Click Configure > Realm settings.
Click the Sessions tab.
Configure timeout on the Sessions page. The SSO Session Idle setting controls how long a user can be idle before they are automatically logged out. The SSO Session Max controls the maximum length of time that a user can be logged in before they have to reauthenticate.
Click Save.
For more information, see User session timeouts.
Keycloak API
Use the Keycloak API to perform identity and access management operations. You get the Keycloak hostname from the URL of the "Access control" console. The Keycloak realm is cloudpak
.
To get the URL of the "Access control" console:
Log in to the Platform UI as a user with realm management permissions. For more information, see Cloud Pak for Integration roles and permissions.
In the navigation pane, click Administration > Access control,
For more information, see API documentation.
Customizing the default hostname and TLS configuration
The Keycloak service has an OpenShift route that uses the OpenShift apps domain and the OpenShift router certificate.
To customize the hostname and certificate, you must be a user with namespace admin permissions. For more information, see OpenShift Roles and permissions.
Generate the following custom certificates in an unencrypted PEM format:
tls.crt
- Contains the certificate, which is valid for the specific custom hostname.tls.key
- Contains the private key of the certificate.ca.crt
- (Optional) You can specify a CA certificate, if needed, to complete the certificate chain.
Identify the namespace that contains the route. For installations using A single namespace of the cluster mode, this is the same namespace where your instances are deployed. For installations using All namespaces on the cluster mode, this is the
servicesNamespace
defined in theCommonService
resource (which isibm-common-services
by default).Set this namespace as an environment variable to use in further commands:
KEYCLOAK_NAMESPACE=<namespace>
Create a secret named
keycloak-custom-tls-secret
by using the custom certificates that you created in the first step:oc create secret generic keycloak-custom-tls-secret --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key -n ${KEYCLOAK_NAMESPACE}
If the optional CA certificate is needed, run the following command:
oc create secret generic keycloak-custom-tls-secret --from-file=ca.crt=ca.crt --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key -n ${KEYCLOAK_NAMESPACE}
To update the hostname, change the
.data.keycloak_route_name
parameter value in theibm-cpp-config
ConfigMap to your custom hostname:kind: ConfigMap apiVersion: v1 metadata: name: ibm-cpp-config namespace: <keycloak-namespace> data: keycloak_route_name: <hostname>
To apply the configuration changes, restart the
operand-deployment-lifecycle-manager
pod in your operator namespace:oc delete pods -l app.kubernetes.io/instance=operand-deployment-lifecycle-manager -n <operator namespace>
Adding certificates to the Keycloak trust store
You can add certificates to the Keycloak trust store so that Keycloak securely connects to services protected by a custom certificate authority.
To add certificates to the Keycloak trust store, you must be a user with namespace admin permissions. For more information, see OpenShift Roles and permissions.
Identify the namespace that contains Keycloak. For installations using A single namespace of the cluster mode, this is the same namespace where your instances are deployed. For installations using All namespaces on the cluster mode, this is the
servicesNamespace
defined in theCommonService
resource (which isibm-common-services
by default).Set this namespace as an environment variable to use in further commands:
KEYCLOAK_NAMESPACE=<namespace>
Create a configmap named
cs-keycloak-ca-certs
with your additional certificates. Use one key for each certificate:oc create configmap cs-keycloak-ca-certs --from-file=cert1.pem --from-file=cert2.pem -n ${KEYCLOAK_NAMESPACE}
To apply the configuration changes, restart the
cs-keycloak
pods:oc rollout restart statefulset/cs-keycloak
Deployment size profiles
By default, Keycloak and the Cloud Native PostgreSQL instances are deployed with the starterset
sizing profile. To configure the size of your Keycloak installation, update the CommonService
custom resource to use a different profile. For more information, including advanced configuration, see Configuring the Cloud Pak foundational services.
Advanced Keycloak administration
Get the
cs-keycloak
Route (which is the URL to access the Administrator console), the username, and the Keycloak administrator password from the secret namedcs-keycloak-initial-admin
. For installations that use A single namespace of the cluster mode, the secret is in the same namespace as your deployed instances. For installations that use All namespaces on the cluster mode, these are in theservicesNamespace
(ibm-common-services
by default) that is defined in theCommonService
resource. For more information, see OpenShift Roles and permissions.After logging in to the Administrator console, select the
cloudpak
realm from the realm selector to manage advanced realm configuration.