At Kyo Logic, we specialize in custom software solutions and FileMaker consulting services. During one of our recent internal projects, a team member was experimenting with Keycloak 26 on AWS and decided to create a simple, repeatable guide for future reference. We’d like to thank our friends over at Sound Essentials, who provided instructions for installing Keycloak 17 on Ubuntu 20.04.3 LTS. Our instructions would not be possible without their original guidance, which we’ve modified for our own purposes.
We realized it could be helpful to share this process more broadly. Below you’ll find a step-by-step outline of how to get Keycloak 26 up and running on an Ubuntu 24.04 server in AWS, complete with MySQL and SSL certificates managed by Certbot.
Please note that Keycloak is not a FileMaker-related tool. However, as consultants who often deal with diverse infrastructure solutions—ranging from identity management to custom app deployments—it’s important for us to have guides like this in our internal knowledge base. If you have any questions about this or about our FileMaker consulting services, reach out at www.kyologic.com/contact/.
Keycloak is a powerful open-source identity and access management solution. In this tutorial, we’ll set up Keycloak 26 on an Ubuntu 24.04 server in AWS, secure it with SSL certificates via Certbot, and configure it to run on port 443. We’ll use MySQL as our database.
Note: This guide assumes you have an AWS account and are comfortable with launching EC2 instances and connecting to them. Replace keycloak.mydomain.com with your actual domain name wherever indicated.
What You Need To Get Started
A Linux server running Ubuntu 24.04 (x86), or an account with a server hosting platform such as AWS or Microsoft Azure
A Fully Qualified Domain Name (FQDN) and access to your domain’s Domain Name System (DNS)
1. Create Ubuntu Server
Below are instructions for creating a server using AWS EC2. The instructions should be similar for other services.
Launch a New EC2 Instance
In AWS EC2, click Launch Instance
Select the following options:
AMI: Ubuntu 24.04 (x86)
Instance Type: t3a.xlarge (or your preferred size)
Key Pair: Select or create a new key pair
Subnet: Choose an appropriate subnet (e.g., us-east-1c)
Security Groups: Ensure you have rules for SSH (port 22), HTTP (port 80), and HTTPS (ports 443 and 8443).
Storage: ~30 GB recommended
IAM Role: If you have an instance profile with needed permissions, select it here (optional but recommended).
Create and Associate Elastic IP
Reserve a new Elastic IP in AWS
Associate it with your new EC2 instance
In your DNS, create an A record for the IP Address of your Elastic IP using the subdomain of your choosing.
Connect to EC2
Use AWS Systems Manager Session Manager or SSH, depending on your preference
If you click on Connect on the Instance, AWS will give you instructions to Connect.
2. Update Ubuntu
Pro tip: We recommend entering sudo -i to gain root access each time you connect to the server.
When first connecting, it’s best practice to update all packages with the following commands:
```bash
sudo -i              # if not already root
sudo apt update
sudo apt upgrade
sudo apt dist-upgrade
sudo apt autoremove
sudo shutdown -r now
```
After the reboot, reconnect to your instance.
3. Install and Configure MySQL
Keycloak needs a database. Here’s how to install MySQL on Ubuntu:
```bash
cd ~
sudo apt install mysql-server
sudo mysql
```
Set the root user’s MySQL password:
```sql
-- mysql_native_password is deprecated in MySQL 8; omitting "WITH mysql_native_password"
-- keeps the default caching_sha2_password plugin, which also works for local logins
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'MYSQL_DATABASE_PASSWORD';
exit;
```
Secure the MySQL installation:
```bash
sudo mysql_secure_installation
```
Follow the prompts (you can answer “Yes” to remove anonymous users, disallow root remote login, etc.).
Create the Keycloak database and user:
```bash
# a password given on the command line is saved in your shell history;
# "sudo mysql -u root -p" prompts for it instead
sudo mysql -u root -pMYSQL_DATABASE_PASSWORD
```
```sql
CREATE DATABASE keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;
CREATE USER 'keycloak'@'localhost' IDENTIFIED BY 'MYSQL_DATABASE_PASSWORD';
GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';
FLUSH PRIVILEGES;
exit;
```
Note: Replace MYSQL_DATABASE_PASSWORD with a strong, unique password.
4. Install Certbot (for SSL Certificates)
We’ll use Certbot (via snap) to generate and manage SSL certificates.
```bash
cd ~
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo shutdown -r now
```
After the reboot, reconnect again.
5. Configure the Firewall
We’ll open only the necessary ports. Ubuntu’s default firewall tool is ufw:
```bash
cd ~
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 8443/tcp
sudo ufw enable
```
6. Obtain an SSL Certificate
Choose your domain name
Make sure your DNS is pointed to the IP address of this instance (e.g., keycloak.mydomain.com).
Note: Replace keycloak.mydomain.com with your domain name.
Obtain and verify certificate
```bash
cd ~
sudo certbot certonly --standalone --preferred-challenges http -d keycloak.mydomain.com --dry-run
```
If the dry run succeeds, run it again for the actual cert:
```bash
sudo certbot certonly --standalone --preferred-challenges http -d keycloak.mydomain.com
```
Deny HTTP traffic (if desired)
```bash
sudo ufw deny 80/tcp
```
Enable auto-renewal
```bash
sudo systemctl list-units --type timer
sudo systemctl enable snap.certbot.renew.timer
sudo systemctl status snap.certbot.renew.timer
```
Configure Hooks for Auto-Renew
Certbot needs to open port 80 temporarily when renewing. Create pre- and post-hook scripts:
```bash
cd /etc/letsencrypt/renewal-hooks/pre
sudo nano pre-hook.sh
```
Contents of pre-hook.sh:
```bash
#!/bin/bash
# Open port 80 so the standalone HTTP challenge can be answered
ufw allow 80/tcp
```
Save (Ctrl+O, Enter) and exit (Ctrl+X). Then make executable:
```bash
sudo chmod +x pre-hook.sh
```
```bash
cd /etc/letsencrypt/renewal-hooks/post
sudo nano post-hook.sh
```
Contents of post-hook.sh:
```bash
#!/bin/bash
# Close port 80 again
ufw deny 80/tcp
# Reboot the server so Keycloak picks up the renewed certificate
# (certbot runs hooks as root, so sudo is not strictly needed here)
sudo shutdown -r now
```
Save and exit, then make executable:
```bash
sudo chmod +x post-hook.sh
```
Test renewal
```bash
sudo certbot renew --dry-run
```
Certbot runs the pre- and post-hooks even in a dry run, so this should restart your server.
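The pre- and post-hooks above open port 80 and then reboot the whole server so that Keycloak picks up the renewed certificate. Two points a practitioner should be aware of: certbot keeps /etc/letsencrypt/live and /etc/letsencrypt/archive readable by root only, so a Keycloak service running as an unprivileged user cannot read privkey.pem there, and a full reboot is more than a certificate swap needs. The script below is an added example, not part of the original guide: a certbot deploy hook (placed in /etc/letsencrypt/renewal-hooks/deploy/, which certbot runs only after a certificate was actually renewed, with RENEWED_LINEAGE set to the lineage directory) that copies the renewed files into a directory owned by the keycloak user with a root-only-style mode on the key, then restarts the keycloak service. The destination directory /opt/keycloak/certs, the service name keycloak and the user name keycloak are assumptions; keycloak.conf would then point at the copied files instead of /etc/letsencrypt/live.

```shell
#!/bin/bash
# Added example (not from the original guide): certbot deploy hook that copies a
# renewed certificate to a keycloak-owned directory and restarts the service.
# Certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<domain> directory)
# when it invokes deploy hooks. Destination, user and unit name are assumptions.
set -eu

KC_CERT_DIR="${KC_CERT_DIR:-/opt/keycloak/certs}"   # assumed location
KC_SERVICE="${KC_SERVICE:-keycloak}"                 # systemd unit from step 10
KC_USER="${KC_USER:-keycloak}"                       # service user from step 8

# install_cert SRC_DIR DEST_DIR OWNER
# Copies fullchain.pem and privkey.pem from SRC_DIR into DEST_DIR; the chain is
# world-readable (it is public), the key is readable only by OWNER.
# Returns 1 without touching DEST_DIR if either source file is unreadable.
install_cert() {
    local src="$1" dest="$2" owner="$3"
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 1
    mkdir -p "$dest"
    # Write to temporary names and rename at the end so Keycloak never sees a
    # half-written key if it reloads while the copy is in progress.
    cp "$src/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp "$src/privkey.pem"   "$dest/privkey.pem.tmp"
    chmod 0644 "$dest/fullchain.pem.tmp"
    chmod 0600 "$dest/privkey.pem.tmp"
    # chown only when the target account exists (it does on the server; it may
    # not where this script is exercised with constructed inputs)
    if id "$owner" >/dev/null 2>&1; then
        chown "$owner:" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp"
    fi
    mv -f "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv -f "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# key_mode FILE -> octal permission bits of FILE, e.g. 600
key_mode() { stat -c '%a' "$1"; }

# Entry point when certbot runs the hook (RENEWED_LINEAGE is set only then).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" "$KC_CERT_DIR" "$KC_USER"
    systemctl restart "$KC_SERVICE"
fi
```

Because certbot renew --dry-run skips deploy hooks, exercise the script by hand once after installing it, e.g. with RENEWED_LINEAGE=/etc/letsencrypt/live/keycloak.mydomain.com set in the environment, and confirm that the service comes back and serves the new certificate.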
7. Install Java & Other Dependencies
Keycloak 26 requires Java 17 or later. Let’s install OpenJDK 21:
```bash
sudo apt install openjdk-21-jdk
```
8. Download and Prepare Keycloak
```bash
sudo apt install zip
```
Create a directory and download Keycloak:
```bash
sudo mkdir -p /opt/keycloak
cd /opt/keycloak
sudo wget https://github.com/keycloak/keycloak/releases/download/26.1.0/keycloak-26.1.0.zip
sudo unzip keycloak-26.1.0.zip -d /opt/keycloak
sudo rm keycloak-26.1.0.zip
```
Create Keycloak user and group:
```bash
sudo groupadd -r keycloak
sudo useradd -r -g keycloak -d /opt/keycloak -s /sbin/nologin keycloak
cd /opt
sudo chown -R keycloak: keycloak
sudo chmod o+x /opt/keycloak/keycloak-26.1.0/bin/
```
9. Configure Keycloak
Edit Keycloak configuration:
```bash
sudo nano /opt/keycloak/keycloak-26.1.0/conf/keycloak.conf
```
Insert/Update:
```properties
db=mysql
db-username=keycloak
# the Keycloak database password from step 3
db-password=MYSQL_DATABASE_PASSWORD
# certbot stores these under /etc/letsencrypt/live and /etc/letsencrypt/archive,
# which are readable by root only; the keycloak service user must be able to read
# both files (for example by copying them into a directory it owns)
https-certificate-file=/etc/letsencrypt/live/keycloak.mydomain.com/fullchain.pem
https-certificate-key-file=/etc/letsencrypt/live/keycloak.mydomain.com/privkey.pem
# replace keycloak.mydomain.com with your domain name
hostname=keycloak.mydomain.com
https-port=8443
```
Build and start Keycloak:
```bash
cd /opt/keycloak/keycloak-26.1.0
sudo bin/kc.sh build
sudo -E bin/kc.sh bootstrap-admin user
sudo -E bin/kc.sh start
```
Note: bootstrap-admin user creates a temporary user for access to Keycloak. Once in Keycloak, it is recommended that a permanent user be created and this temporary user deleted. These commands run Keycloak as root, so files it writes under /opt/keycloak will be root-owned; if the service in step 10 later fails with a permission error, re-run the chown from step 8.
Keycloak should now be running on https://keycloak.mydomain.com:8443/.
Log into keycloak using the account created above and create a new user. Make sure to give this new user all available roles.
10. Configure Keycloak to Start Automatically
Press Ctrl+C to stop Keycloak, then create a systemd service:
Create systemd unit file:
```bash
sudo nano /etc/systemd/system/keycloak.service
```
Sample Contents (adjust as needed):
```ini
[Unit]
Description=Keycloak Service
# start only once networking and the local MySQL server are up
After=network-online.target mysql.service
Wants=network-online.target

[Service]
User=keycloak
Group=keycloak
WorkingDirectory=/opt/keycloak/keycloak-26.1.0
ExecStart=/opt/keycloak/keycloak-26.1.0/bin/kc.sh start
# kc.sh has no "stop" command; systemd stops the service with SIGTERM, which Keycloak handles
# required once https-port is moved below 1024 (step 11), because the service is not root
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=on-failure

[Install]
WantedBy=multi-user.target
```
Enable and reboot:
```bash
sudo systemctl daemon-reload
sudo systemctl enable keycloak
sudo shutdown -r now
# after reconnecting:
sudo systemctl status keycloak
```
Keycloak should now run automatically on system boot.
11. Changing to Port 443
Adjust keycloak.conf:
```bash
sudo nano /opt/keycloak/keycloak-26.1.0/conf/keycloak.conf
```
Change (or add):
```properties
hostname=keycloak.mydomain.com
https-port=443
```
Rebuild Keycloak:
```bash
cd /opt/keycloak/keycloak-26.1.0
sudo bin/kc.sh build
```
Update Firewall Rules:
```bash
sudo ufw delete allow 8443/tcp
sudo ufw allow 443/tcp
sudo shutdown -r now
```
Keycloak will now listen on standard HTTPS port 443, accessible at https://keycloak.mydomain.com/.
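Steps 9 to 11 hand-edit keycloak.conf and the systemd unit, and the service only reveals a mistake by failing at the next boot. The script below is an added example, not part of the original guide or of Keycloak: a preflight check that reads both files and reports the problems these steps are prone to, namely a key left out, the MYSQL_DATABASE_PASSWORD placeholder never replaced, certificate paths under /etc/letsencrypt (root-only) combined with a non-root User=, and an https-port below 1024 without AmbientCapabilities=CAP_NET_BIND_SERVICE. The file paths are the guide's; the checks are this script's own heuristics and assume the key=value layout shown above.

```shell
#!/bin/bash
# Added example (not part of the original guide): preflight check for the
# keycloak.conf and systemd unit from steps 9-11. Paths follow the guide; the
# checks are assumptions of this script, not Keycloak's own validation.

KC_CONF="${KC_CONF:-/opt/keycloak/keycloak-26.1.0/conf/keycloak.conf}"
KC_UNIT="${KC_UNIT:-/etc/systemd/system/keycloak.service}"

# conf_get FILE KEY -> value of the last "KEY=value" line (comments ignored); empty if absent
conf_get() {
    local file="$1" key="$2"
    { grep -E "^[[:space:]]*${key}=" "$file" 2>/dev/null || true; } \
        | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# check_keycloak_setup CONF UNIT -> prints one line per problem found
check_keycloak_setup() {
    local conf="$1" unit="$2" key value user port
    user="$(conf_get "$unit" User)"
    port="$(conf_get "$conf" https-port)"

    # 1. every key the guide sets must be present
    for key in db db-username db-password hostname \
               https-certificate-file https-certificate-key-file https-port; do
        [ -n "$(conf_get "$conf" "$key")" ] || echo "missing key: $key"
    done

    # 2. the placeholder from the guide must have been replaced
    [ "$(conf_get "$conf" db-password)" != "MYSQL_DATABASE_PASSWORD" ] \
        || echo "db-password is still the MYSQL_DATABASE_PASSWORD placeholder"

    # 3. certbot keeps /etc/letsencrypt/live and /etc/letsencrypt/archive readable
    #    by root only, so a non-root service user cannot open the key there
    for key in https-certificate-file https-certificate-key-file; do
        value="$(conf_get "$conf" "$key")"
        case "$value" in
            /etc/letsencrypt/*)
                [ -z "$user" ] || [ "$user" = root ] \
                    || echo "$key points into /etc/letsencrypt but the unit runs as '$user'" ;;
        esac
    done

    # 4. a port below 1024 needs CAP_NET_BIND_SERVICE unless the service runs as root
    if [ -n "$port" ] && [ "$port" -lt 1024 ] 2>/dev/null \
       && [ -n "$user" ] && [ "$user" != root ] \
       && ! grep -q '^AmbientCapabilities=.*CAP_NET_BIND_SERVICE' "$unit"; then
        echo "https-port=$port requires AmbientCapabilities=CAP_NET_BIND_SERVICE in $unit"
    fi
    return 0
}

# count_problems CONF UNIT -> number of problem lines reported
count_problems() { check_keycloak_setup "$1" "$2" | wc -l | tr -d ' '; }

# Check the real files when executed directly (not when sourced).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    check_keycloak_setup "$KC_CONF" "$KC_UNIT"
fi
```

Run it as root before each systemctl restart keycloak; an empty output means none of the four checks fired. The checks are deliberately conservative: they flag the /etc/letsencrypt paths whenever the unit runs as a non-root user, without trying to read the files as that user, so a setup that has relaxed the certbot directory permissions will still be reported.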
You’ve successfully installed Keycloak 26 on an Ubuntu 24.04 EC2 instance, configured MySQL as the backend, and secured Keycloak with a valid SSL certificate using Certbot. You also set up systemd to ensure Keycloak starts automatically on reboot and moved it to port 443 for a cleaner URL.
Next Steps:
Log in to your Keycloak admin console at https://keycloak.mydomain.com/ using the admin username/password you created.
Configure your realms, clients, and identity providers as needed.
Review Keycloak logs and manage system resources to ensure optimal performance.
For more instructions on how to configure your Keycloak account, you can follow the instructions from our CFDG presentation on the topic here: https://youtu.be/-bqww9ggDjA
With your identity and access management solution in place, you can focus on integrating Keycloak into your applications and services! If you have any questions or run into issues, consult the official Keycloak documentation or your AWS documentation for further guidance.
That’s it! You now have a working Keycloak 26 setup in AWS. If you have any questions—or if you’d like to learn more about our FileMaker consulting services—visit us here.