Installing Keycloak 26 on Ubuntu 24.04 (AWS)

At Kyo Logic, we specialize in custom software solutions and FileMaker consulting services. During one of our recent internal projects, a team member was experimenting with Keycloak 26 on AWS and decided to create a simple, repeatable guide for future reference. We’d like to thank our friends over at Sound Essentials, who provided instructions for installing Keycloak 17 on Ubuntu 20.04.3 LTS. Our instrcutsions would not be possible without their original guidance, which we’ve modified for our own purposes. We realized it could be helpful to share this process more broadly. Below you’ll find a step-by-step outline of how to get Keycloak 26 up and running on an Ubuntu 24.04 server in AWS, complete with MySQL and SSL certificates managed by Certbot. Please note that Keycloak is not a FileMaker-related tool. However, as consultants who often deal with diverse infrastructure solutions—ranging from identity management to custom app deployments—it’s important for us to have guides like this in our internal knowledge base. If you have any questions about this or about our FileMaker consulting services, reach out here. Keycloak is a powerful open‐source identity and access management solution. In this tutorial, we’ll set up Keycloak 26 on an Ubuntu 24.04 server in AWS, secure it with SSL certificates via Certbot, and configure it to run on port 443. We’ll use MySQL as our database. Note – This guide assumes you have an AWS account and are comfortable with launching EC2 instances and connecting to them. Replace keycloak.mydomain.com with your actual domain name wherever indicated.

---

What You Need To Get Started

• A Linux server running Ubuntu 24.04 (x86) or an account to a server hosting platform such as AWS or Microsoft Azure
• A Fully Qualified Domain Name (FQDN) and access to your domain’s Domain Name System (DNS)

1. Create Ubuntu Server

• Below are instructions for creating a server using AWS EC2. The instructions should be similar for other services.

Launch a New EC2 Instance

1. In AWS EC2, click Launch Instance
   • Select the following options
     1. AMI – Ubuntu 24.04 (x86)
     2. Instance Type – t3a.xlarge (or your preferred size)
     3. Key Pair – Select or create a new key pair
     4. Subnet – Choose an appropriate subnet (e.g., us-east-1c)
     5. Security Groups – Ensure you have rules for SSH (port 22), HTTP (port 80), and HTTPS (port 443 and 8443).
     6. Storage – ~30 GB recommended
     7. IAM Role – If you have an instance profile with needed permissions, select it here (optional but recommended).
2. Create and Associate Elastic IP
   • Reserve a new Elastic IP in AWS
   • Associate it with your new EC2 instance
3. In your DNS, create an A record for the IP Address of your Elastic IP using the subdomain of your choosing.
4. Connect to EC2
   • Use AWS Systems Manager Session Manager or SSH, depending on your preference
     1. If you click on Connect on the Instance, AWS will give you instructions to Connect.

---

2. Update Ubuntu

When first connecting, it’s best practice to update all packages with the following commands

sudo -i

sudo apt update

sudo apt upgrade

sudo apt dist-upgrade

sudo apt autoremove

sudo shutdown -r now

After the reboot, reconnect to your instance.

---

3. Install and Configure MySQL

Keycloak needs a database. Here’s how to install MySQL on Ubuntu

cd ~

sudo apt install mysql-server

sudo mysql

Set the root user’s MySQL password

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'MYSQL_DATABASE_PASSWORD';

Exit;

Secure the MySQL installation

sudo mysql_secure_installation

Follow the prompts (you can answer “Yes” to remove anonymous users, disallow root remote login, etc.). Create the Keycloak database and user

sudo mysql -u root -pMYSQL_DATABASE_PASSWORD

In sql

CREATE DATABASE keycloak CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

CREATE USER 'keycloak'@'localhost' IDENTIFIED BY 'MYSQL_DATABASE_PASSWORD';

GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';

FLUSH PRIVILEGES;

exit;

Note – Replace MYSQL_DATABASE_PASSWORD with a strong, unique password.

---

4. Install Certbot (for SSL Certificates)

We’ll use Certbot (via snap) to generate and manage SSL certificates.

cd ~

sudo snap install core

sudo snap refresh core

sudo snap install --classic certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

sudo shutdown -r now

After the reboot, reconnect again.

---

5. Configure the Firewall

We’ll open only the necessary ports. Ubuntu’s default firewall tool is ufw

cd ~

sudo ufw allow ssh

sudo ufw allow 80/tcp

sudo ufw allow 8443/tcp

sudo ufw enable

---

6. Obtain an SSL Certificate

Choose your domain nameMake sure your DNS is pointed to the IP address of this instance (e.g., keycloak.mydomain.com). Note – Replace keycloak.mydomain.com with your domain name. Obtain and verify certificate

cd ~

sudo certbot certonly --standalone --preferred-challenges http -d keycloak.mydomain.com --dry-run

If the dry run succeeds, run it again for the actual cert

sudo certbot certonly --standalone --preferred-challenges http -d keycloak.mydomain.com

Deny HTTP traffic (if desired)

sudo ufw deny 80/tcp

Enable auto-renewal

sudo systemctl list-units --type timer

sudo systemctl enable snap.certbot.renew.timer

sudo systemctl status snap.certbot.renew.timer

Configure Hooks for Auto-Renew Certbot needs to open port 80 temporarily when renewing. Create pre- and post-hook scripts

cd /etc/letsencrypt/renewal-hooks/pre

sudo nano pre-hook.sh

Contents of pre-hook.sh

# Open port 80
ufw allow 80/tcp

Save (Ctrl+O, Enter) and exit (Ctrl+X). Then make executable

sudo chmod +x pre-hook.sh

cd /etc/letsencrypt/renewal-hooks/post

sudo nano post-hook.sh

Contents of post-hook.sh

# Close port 80
ufw deny 80/tcp
#Reboot Server
sudo shutdown -r now

Save and exit, then make executable

sudo chmod +x post-hook.sh

Test renewal

sudo certbot renew --dry-run

This should restart your server

---

7. Install Java & Other Dependencies

Keycloak 26 requires Java 17 or later. Let’s install OpenJDK 21

sudo apt install openjdk-21-jdk

---

8. Download and Prepare Keycloak

sudo apt install zip

Create a directory and download Keycloak

sudo mkdir -p /opt/keycloak

cd /opt/keycloak

sudo wget https://github.com/keycloak/keycloak/releases/download/26.1.0/keycloak-26.1.0.zip

sudo unzip keycloak-26.1.0.zip -d /opt/keycloak

sudo rm keycloak-26.1.0.zip

Create Keycloak user and group

sudo groupadd -r keycloak

sudo useradd -r -g keycloak -d /opt/keycloak -s /sbin/nologin keycloak

Give keycloak user ownership and privileges to keycloak and letsencrypt

cd /opt

sudo chown -R keycloak: keycloak

sudo chmod -R 755 /opt/keycloak/keycloak-26.1.0/bin/

sudo chmod -R 755 /etc/letsencrypt

---

9. Configure Keycloak

Edit Keycloak configuration

sudo nano /opt/keycloak/keycloak-26.1.0/conf/keycloak.conf

Insert/Update

db=mysql

db-username=keycloak

db-password=MYSQL_DATABASE_PASSWORD

Note – (This is the password from above)

https-certificate-file=/etc/letsencrypt/live/keycloak.mydomain.com/fullchain.pem

https-certificate-key-file=/etc/letsencrypt/live/keycloak.mydomain.com/privkey.pem

hostname=keycloak.mydomain.com

Note – (Replace keycloak.mydomain.com with your domain name)

https-port=8443

Build and start Keycloak

cd /opt/keycloak/keycloak-26.1.0

sudo bin/kc.sh build

sudo -E bin/kc.sh bootstrap-admin user

Note – This is to create a temporary user for access to keycloak. Once in keycloak, it is recommended that a permanent user be created and this temporary user deleted.

sudo -E bin/kc.sh start

Keycloak should now be running on https://keycloak.mydomain.com:8443/. Log into keycloak using the account created above and create a new user. Make sure to give this new user all available roles.

---

10. Configure Keycloak to Start Automatically

Press Ctrl+C to stop Keycloak, then create a systemd service Create systemd unit file

sudo nano /etc/systemd/system/keycloak.service

Sample Contents (adjust as needed)

# /etc/systemd/system/keycloak.service
[Unit]
Description=Keycloak Server
After=syslog.target network.target mysql.service
Before=httpd.service

[Service]
User=keycloak
Group=keycloak
SuccessExitStatus=0 143
ExecStart=!/opt/keycloak/keycloak-26.1.0/bin/kc.sh start

[Install]
WantedBy=multi-user.target

Enable and Reboot

sudo systemctl daemon-reload

sudo systemctl enable keycloak

sudo shutdown -r now

sudo systemctl status keycloak

Keycloak should now run automatically on system boot.

---

11. Changing to Port 443

Adjust keycloak.conf

sudo nano /opt/keycloak/keycloak-26.1.0/conf/keycloak.conf

Change (or add)

https-port=443

Rebuild Keycloak

cd /opt/keycloak/keycloak-26.1.0

sudo bin/kc.sh build

Update Firewall Rules

sudo ufw delete allow 8443/tcp

sudo ufw allow 443/tcp

sudo shutdown -r now

Keycloak will now listen on standard HTTPS port 443, accessible at https://keycloak.mydomain.com. You’ve successfully installed Keycloak 26 on an Ubuntu 24.04 EC2 instance, configured MySQL as the backend, and secured Keycloak with a valid SSL certificate using Certbot. You also set up systemd to ensure Keycloak starts automatically on reboot and moved it to port 443 for a cleaner URL. Next Steps Log in to your Keycloak admin console at https://keycloak.mydomain.com using the admin username/password you created. Configure your realms, clients, and identity providers as needed. Review Keycloak logs and manage system resources to ensure optimal performance. For more instructions on how to configure your keycloak account, you can follow the instructions from our CFDG presentation on the topic here – https://youtu.be/-bqww9ggDjA With your identity and access management solution in place, you can focus on integrating Keycloak into your applications and services! If you have any questions or run into issues, consult the official Keycloak documentation or your AWS documentation for further guidance. That’s it! You now have a working Keycloak 26 setup in AWS. If you have any questions—or if you’d like to learn more about our FileMaker consulting services—visit us here.