Installing Local LLM for FileMaker – Made Simple!

🚀 Join Us Live! Want to see this setup in action? We’ll be showcasing the full installation and implementation of Local LLM for FileMaker live at our upcoming CFDG meetup. Don’t miss this hands-on session where you can ask questions and see everything in real time.

 


 

 

1. Create Ubuntu Server

Below are instructions for creating an Ubuntu 24.04 server using AWS EC2. These instructions should be similar for other cloud services like Microsoft Azure.

Launch a New EC2 Instance

  1. In AWS EC2, click Launch Instance
  2. Select the following options
    • AMI – Ubuntu 24.04 (x86)
    • Instance Type – t3a.large (or your preferred size)
    • Key Pair – Select or create a new key pair
    • Subnet – Choose an appropriate subnet (e.g., us-east-1c)
    • Security Groups – Ensure SSH (port 22), HTTP (port 80), and port 8080 are open
    • Storage – ~30GB recommended
    • IAM Role – If you have an instance profile with needed permissions, select it here (optional but recommended)

Create and Associate an Elastic IP

  1. Reserve a new Elastic IP in AWS
  2. Associate it with your new EC2 instance
  3. In your DNS settings, create an A record pointing to the Elastic IP

Connect to the EC2 Instance

Use AWS Systems Manager Session Manager or SSH
chmod 400 "/local/path/to/keypairfile"
ssh -i "/local/path/to/keypairfile" ubuntu@your-server-ip

2. Update Ubuntu

After connecting, update your instance
sudo -i
sudo apt update && sudo apt upgrade -y
sudo apt dist-upgrade -y
sudo apt autoremove -y
sudo shutdown -r now
Reconnect after the reboot.

3. Download Open Source LLM Files

📌 Important – If you’ve upgraded from FileMaker Server v20, ensure you have the latest FileMaker Server v21 version of the Open Source LLM files.
🔗 Download Open_Source_LLM.zip
Download directly to your server
cd ~
sudo apt install zip
sudo wget https://kyologic.com/wp-content/uploads/2025/02/Open_Source_LLM.zip -O /home/ubuntu/Open_Source_LLM.zip
sudo unzip Open_Source_LLM.zip
rm Open_Source_LLM.zip
rm -r __MACOSX
OR
Transfer the files to your server from your computer
scp -i "/local/path/to/keypairfile" -r /local/path/to/Open_Source_LLM ubuntu@your-server-ip:/home/ubuntu/

4. Install Certbot for SSL

Use Certbot to manage SSL certificates
cd ~
sudo snap install core && sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo shutdown -r now
Reconnect after the reboot.

5. Configure Firewall

cd ~
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 8080/tcp
sudo ufw enable

6. Obtain an SSL Certificate

Ensure DNS is pointed to your server’s IP before running the following
Note – Replace llm.mydomain.com with your domain name.
sudo certbot certonly --standalone --preferred-challenges http -d llm.mydomain.com --dry-run
sudo certbot certonly --standalone --preferred-challenges http -d llm.mydomain.com
Enable auto-renewal
sudo systemctl enable snap.certbot.renew.timer
  Configure Hooks for Auto-Renew
Certbot needs to open port 80 temporarily when renewing.
Create pre- and post-hook scripts
cd /etc/letsencrypt/renewal-hooks/pre
sudo nano pre-hook.sh
  Contents of pre-hook.sh
#!/bin/bash
# Open port 80
ufw allow 80/tcp
Save (Ctrl+O, Enter) and exit (Ctrl+X). Then make executable
sudo chmod +x pre-hook.sh
cd /etc/letsencrypt/renewal-hooks/post
sudo nano post-hook.sh
  Contents of post-hook.sh
#!/bin/bash
# Close port 80
ufw deny 80/tcp
#Reboot Server
sudo shutdown -r now
Save (Ctrl+O, Enter) and exit (Ctrl+X). Then make executable
sudo chmod +x post-hook.sh
  Test renewal
sudo certbot renew --dry-run
This should reboot your server

7. Generate Admin PKI Keypair & JWT for Authentication

  1. Download Soliant’s SSH Key & JWT Tool
  2. Open in FileMaker
  3. Create a new record
  4. Enter a Name & # of expiration days
  5. Press the Generate Keypair & Generate JWT buttons
Set Read & Write Permissions to letsencrypt directory
sudo chown -R ubuntu:ubuntu /etc/letsencrypt
sudo chmod -R u+rx /etc/letsencrypt
  Add Admin PKI Public Key file
mkdir /etc/letsencrypt/auth_key
sudo nano /etc/letsencrypt/auth_key/localllm.key.pub
Copy the Public Key from SSH Keys & JWT to your clipboard. Paste the Public Key in the localllm.key.pub file. Save (Ctrl+O, Enter) and exit (Ctrl+X).
  Add Admin PKI Private Key file
sudo nano /etc/letsencrypt/auth_key/localllm.key
Copy the Private Key from SSH Keys & JWT to your clipboard. Paste the Private Key in the localllm.key file. Save (Ctrl+O, Enter) and exit (Ctrl+X).
  Set Read & Write Permissions to letsencrypt directory again
sudo chown -R ubuntu:ubuntu /etc/letsencrypt
sudo chmod -R u+rx /etc/letsencrypt

8. Install Miniconda & Python Environment

Install Miniconda
cd /home/ubuntu
mkdir -p ~/miniconda3
sudo wget https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-x86_64.sh -O ~/miniconda3/miniconda.sh
bash ~/miniconda3/miniconda.sh -b -u -p ~/miniconda3
rm ~/miniconda3/miniconda.sh
source ~/miniconda3/bin/activate
conda init --all
Create & activate Python environment
conda create --name <environment name>
conda activate <environment name>
conda install python=3.9.18
pip install jwt && pip uninstall PyJWT && pip install PyJWT
conda install -c conda-forge sentence-transformers
Install Open Source LLM dependencies
pip install -r /home/ubuntu/Open_Source_LLM/requirements.txt
sudo shutdown -r now

9. Run & Test the Local LLM Server

Set environment variables
export PKI_KEYFILE="/etc/letsencrypt/auth_key/localllm.key.pub"
export CERTFILE="/etc/letsencrypt/live/llm.mydomain.com/fullchain.pem"
export KEYFILE="/etc/letsencrypt/live/llm.mydomain.com/privkey.pem"
conda activate <environment name>
Run python
python3 /home/ubuntu/Open_Source_LLM/server/fm_LLMOS_StartServer.pyc
📌 Test connection using the Claris Academy AI Fundamentals demo file.
  • Open Meetings_Solution in FileMaker
  • On the initial layout (Meeting Details), enter Layout Mode, remove the Layout Calculation at the bottom of the page, and add the field Details_Embedding to the layout.
  • Open the Script Workspace and find the Configure AI Account script
    • Adjust the Configure AI Account script step
      • Model Provider – Custom
      • Endpoint – https://llm.mydomain.com:8080
      • API key – copy and paste the JWT from SSH Keys & JWT file
  • Now navigate to the Embedding Details Data script
    • Adjust the Insert Embedding script step
      • Embedding Model – all-MiniLM-L12-v2
  • Clear out the contents of the Details_Embedding field
  • Run the Embedding Details Data script
  • Check and confirm that there were no errors and you have a new .fve file in the Details_Embedding field.
Keep this file open, we will use it to run a few more tests in the upcoming steps.
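
How the keypair from step 7 and the PKI_KEYFILE setting fit together: the JWT is signed with the private key, and a server holding only the public key can check the signature and the expiration. The script below is an added example, not the Open Source LLM server's code; it assumes RS256 and PEM key files, and the function names, subject and throwaway keys are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not the Open Source LLM server's code. RS256 and PEM key files
# are assumptions; keys, subject and expiry are constructed for the demo.

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

b64url_decode() {                      # stdin: base64url text, stdout: raw bytes
  local s
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# make_jwt <private-key.pem> <subject> <exp-epoch>: the signing side.
make_jwt() {
  local hdr pl sig
  hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  pl=$(printf '{"sub":"%s","exp":%s}' "$2" "$3" | b64url)
  sig=$(printf '%s.%s' "$hdr" "$pl" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s.%s' "$hdr" "$pl" "$sig"
}

# verify_jwt <public-key.pem> <token>: the verifying side, public key only.
# Returns 0 only for a valid RS256 signature and an exp that is in the future.
verify_jwt() {
  local pub tok hdr rest pl sig tmp ok exp
  pub=$1; tok=$2
  hdr=${tok%%.*}; rest=${tok#*.}; pl=${rest%%.*}; sig=${rest#*.}
  case $sig in ''|*.*) return 1 ;; esac          # reject empty or extra segments
  # Pin the algorithm so a token claiming "none" or HS256 is rejected.
  printf '%s' "$hdr" | b64url_decode | grep -Eq '"alg" *: *"RS256"' || return 1
  tmp=$(mktemp)
  printf '%s' "$sig" | b64url_decode >"$tmp" 2>/dev/null
  printf '%s.%s' "$hdr" "$pl" |
    openssl dgst -sha256 -verify "$pub" -signature "$tmp" >/dev/null 2>&1
  ok=$?
  rm -f "$tmp"
  [ "$ok" -eq 0 ] || return 1
  exp=$(printf '%s' "$pl" | b64url_decode | sed -n 's/.*"exp" *: *\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ]
}

demo_jwt() {                           # throwaway keypair in a temp directory
  local d tok
  d=$(mktemp -d)
  openssl genrsa -out "$d/demo.key" 2048 2>/dev/null
  openssl rsa -in "$d/demo.key" -pubout -out "$d/demo.key.pub" 2>/dev/null
  tok=$(make_jwt "$d/demo.key" "fm-admin" "$(( $(date +%s) + 86400 ))")
  if verify_jwt "$d/demo.key.pub" "$tok"; then echo "token accepted"; fi
  rm -rf "$d"
}
demo_jwt
```
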

10. Automate the LLM Server with PM2

Create a pm2.io account.
Enter a Bucket Name.
Install PM2 and link to your account
If you are still in the conda command, enter ^C to exit.
sudo shutdown -r now
sudo -i
sudo apt install npm -y
npm install -g pm2
pm2 link [[Keys from PM2 Website]]
You should now see a new message on the PM2 web page saying you are linked.
Assign proper permissions
cd /home/ubuntu
sudo chown ubuntu:ubuntu /home/ubuntu/
chmod -R +x .
shutdown -r now
Start the server process with PM2
conda activate <environment name>
CERTFILE="/etc/letsencrypt/live/llm.mydomain.com/fullchain.pem" KEYFILE="/etc/letsencrypt/live/llm.mydomain.com/privkey.pem" PKI_KEYFILE="/etc/letsencrypt/auth_key/localllm.key.pub" pm2 start python3 --name <environment name> -- /home/ubuntu/Open_Source_LLM/server/fm_LLMOS_StartServer.pyc
  Test
Go to FileMaker, clear Details_Embedding field
Run the Embedding Details Data script
Verify a new .fve file in the Details_Embedding field.
Save the process & enable auto-start
pm2 save
pm2 startup
It will return a command looking something like this: sudo env PATH=$PATH:/usr/bin /usr/local/lib/node_modules/pm2/bin/pm2 startup systemd -u ubuntu --hp /home/ubuntu
Copy and paste the command and press Enter
sudo shutdown -r now
  Final Test
Go to FileMaker, clear Details_Embedding field
Run the Embedding Details Data script
Verify a new .fve file is created
🎉 Success! Your Local LLM Server is now running on Ubuntu 24.04 with automated startup.

🚀 See This in Action!
Want a live walkthrough of setting up Local LLM for FileMaker on Ubuntu? Join our Connecticut FileMaker Developers Group (CFDG) meetup where we’ll demo this setup step by step and answer all your questions!

Installing Keycloak 26 on Ubuntu 24.04 (AWS)

At Kyo Logic, we specialize in custom software solutions and FileMaker consulting services. During one of our recent internal projects, a team member was experimenting with Keycloak 26 on AWS and decided to create a simple, repeatable guide for future reference. We’d like to thank our friends over at Sound Essentials, who provided instructions for installing Keycloak 17 on Ubuntu 20.04.3 LTS. Our instructions would not be possible without their original guidance, which we’ve modified for our own purposes.

 

We realized it could be helpful to share this process more broadly. Below you’ll find a step-by-step outline of how to get Keycloak 26 up and running on an Ubuntu 24.04 server in AWS, complete with MySQL and SSL certificates managed by Certbot.

 

Please note that Keycloak is not a FileMaker-related tool. However, as consultants who often deal with diverse infrastructure solutions—ranging from identity management to custom app deployments—it’s important for us to have guides like this in our internal knowledge base. If you have any questions about this or about our FileMaker consulting services, reach out at www.kyologic.com/contact/.

 

Keycloak is a powerful open‐source identity and access management solution. In this tutorial, we’ll set up Keycloak 26 on an Ubuntu 24.04 server in AWS, secure it with SSL certificates via Certbot, and configure it to run on port 443. We’ll use MySQL as our database.

 

Note – This guide assumes you have an AWS account and are comfortable with launching EC2 instances and connecting to them. Replace keycloak.mydomain.com with your actual domain name wherever indicated.

 

 

What You Need To Get Started

  • A Linux server running Ubuntu 24.04 (x86) or an account to a server hosting platform such as AWS or Microsoft Azure
  • A Fully Qualified Domain Name (FQDN) and access to your domain’s Domain Name System (DNS)

1. Create Ubuntu Server

  • Below are instructions for creating a server using AWS EC2. The instructions should be similar for other services.

Launch a New EC2 Instance

  1. In AWS EC2, click Launch Instance
    • Select the following options
      1. AMI – Ubuntu 24.04 (x86)
      2. Instance Type – t3a.xlarge (or your preferred size)
      3. Key Pair – Select or create a new key pair
      4. Subnet – Choose an appropriate subnet (e.g., us-east-1c)
      5. Security Groups – Ensure you have rules for SSH (port 22), HTTP (port 80), and HTTPS (port 443 and 8443).
      6. Storage – ~30 GB recommended
      7. IAM Role – If you have an instance profile with needed permissions, select it here (optional but recommended).
  2. Create and Associate Elastic IP
    • Reserve a new Elastic IP in AWS
    • Associate it with your new EC2 instance
  3. In your DNS, create an A record for the IP Address of your Elastic IP using the subdomain of your choosing.
  4. Connect to EC2
    • Use AWS Systems Manager Session Manager or SSH, depending on your preference
      1. If you click on Connect on the Instance, AWS will give you instructions to Connect.
 

 

2. Update Ubuntu

When first connecting, it’s best practice to update all packages with the following commands

sudo -i
sudo apt update
sudo apt upgrade
sudo apt dist-upgrade
sudo apt autoremove
sudo shutdown -r now

After the reboot, reconnect to your instance.

 

 

3. Install and Configure MySQL

Keycloak needs a database. Here’s how to install MySQL on Ubuntu

cd ~
sudo apt install mysql-server
sudo mysql

Set the root user’s MySQL password

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'MYSQL_DATABASE_PASSWORD';
Exit;

Secure the MySQL installation

sudo mysql_secure_installation

Follow the prompts (you can answer “Yes” to remove anonymous users, disallow root remote login, etc.).

 

Create the Keycloak database and user

sudo mysql -u root -pMYSQL_DATABASE_PASSWORD

In sql

CREATE DATABASE keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;
CREATE USER 'keycloak'@'localhost' IDENTIFIED BY 'MYSQL_DATABASE_PASSWORD';
GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';
FLUSH PRIVILEGES;
exit;
 

Note – Replace MYSQL_DATABASE_PASSWORD with a strong, unique password.

 

 

4. Install Certbot (for SSL Certificates)

We’ll use Certbot (via snap) to generate and manage SSL certificates.

cd ~
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo shutdown -r now

After the reboot, reconnect again.

 

 

5. Configure the Firewall

We’ll open only the necessary ports. Ubuntu’s default firewall tool is ufw

cd ~
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 8443/tcp
sudo ufw enable
 

 

6. Obtain an SSL Certificate

Choose your domain name. Make sure your DNS is pointed to the IP address of this instance (e.g., keycloak.mydomain.com).

 

Note – Replace keycloak.mydomain.com with your domain name.
Obtain and verify certificate

cd ~
sudo certbot certonly --standalone --preferred-challenges http -d keycloak.mydomain.com --dry-run

If the dry run succeeds, run it again for the actual cert

sudo certbot certonly --standalone --preferred-challenges http -d keycloak.mydomain.com
 

Deny HTTP traffic (if desired)

sudo ufw deny 80/tcp
 

Enable auto-renewal

sudo systemctl list-units --type timer
sudo systemctl enable snap.certbot.renew.timer
sudo systemctl status snap.certbot.renew.timer
 

Configure Hooks for Auto-Renew

 

Certbot needs to open port 80 temporarily when renewing. Create pre- and post-hook scripts

cd /etc/letsencrypt/renewal-hooks/pre
sudo nano pre-hook.sh
 

Contents of pre-hook.sh

#!/bin/bash
# Open port 80
ufw allow 80/tcp

Save (Ctrl+O, Enter) and exit (Ctrl+X). Then make executable

sudo chmod +x pre-hook.sh
cd /etc/letsencrypt/renewal-hooks/post
sudo nano post-hook.sh
 

Contents of post-hook.sh

#!/bin/bash
# Close port 80
ufw deny 80/tcp
# Reboot server
sudo shutdown -r now

Save and exit, then make executable

sudo chmod +x post-hook.sh
 

Test renewal

sudo certbot renew --dry-run

This should restart your server

 

 

7. Install Java & Other Dependencies

Keycloak 26 requires Java 17 or later. Let’s install OpenJDK 21

sudo apt install openjdk-21-jdk
 

 

8. Download and Prepare Keycloak

sudo apt install zip
 

Create a directory and download Keycloak

sudo mkdir -p /opt/keycloak
cd /opt/keycloak
sudo wget https://github.com/keycloak/keycloak/releases/download/26.1.0/keycloak-26.1.0.zip
sudo unzip keycloak-26.1.0.zip -d /opt/keycloak
sudo rm keycloak-26.1.0.zip
 

Create Keycloak user and group

sudo groupadd -r keycloak
sudo useradd -r -g keycloak -d /opt/keycloak -s /sbin/nologin keycloak
 

Give keycloak user ownership and privileges to keycloak and letsencrypt

cd /opt
sudo chown -R keycloak: keycloak
sudo chmod -R 755 /opt/keycloak/keycloak-26.1.0/bin/
sudo chown -R keycloak:keycloak /etc/letsencrypt
 
sudo chmod -R 755 /etc/letsencrypt
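
After chmod -R 755, every file under /etc/letsencrypt, including privkey.pem, is readable by all local accounts; the LLM guide's step 7 also changes ownership and modes in the same tree. The script below is an added example, not part of the original guides: it lists PEM private keys that group or other can read and restricts them to their owner. The function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guides. Function names are illustrative.

# list_exposed_keys <dir>: print every regular file under <dir> that holds a PEM
# private key and is readable by group or other. Certbot's live/ entries are
# symlinks, so the real files are reported under archive/.
list_exposed_keys() {
  find "$1" -type f \( -perm -040 -o -perm -004 \) \
    -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null | sort
}

# lock_down_keys <dir>: set mode 600 on each exposed key and print how many
# were changed. Ownership is left alone, so the account that owns the key
# (ubuntu or keycloak in these guides) can still read it.
lock_down_keys() {
  list_exposed_keys "$1" | {
    n=0
    while IFS= read -r f; do
      chmod 600 "$f" && n=$((n + 1))
    done
    echo "$n"
  }
}

# build_sample_tree <dir>: constructed stand-in for /etc/letsencrypt. The file
# bodies are placeholders, not real key material.
build_sample_tree() {
  local a="$1/archive/llm.mydomain.com" k="$1/auth_key"
  mkdir -p "$a" "$k"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' '(constructed)' > "$a/privkey1.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed)' > "$a/fullchain1.pem"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed)' > "$k/localllm.key"
  printf '%s\n' '-----BEGIN PUBLIC KEY-----' '(constructed)' > "$k/localllm.key.pub"
  chmod 755 "$a/privkey1.pem" "$a/fullchain1.pem"   # state after chmod -R 755
  chmod 644 "$k/localllm.key" "$k/localllm.key.pub"
}

demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
echo "exposed private keys:"
list_exposed_keys "$demo_dir"
echo "restricted to owner: $(lock_down_keys "$demo_dir")"
rm -rf "$demo_dir"
```

On a real server, run list_exposed_keys /etc/letsencrypt with sudo so that directories closed to your account are still searched.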
 

 

9. Configure Keycloak

Edit Keycloak configuration

sudo nano /opt/keycloak/keycloak-26.1.0/conf/keycloak.conf
 

Insert/Update

db=mysql
db-username=keycloak
db-password=MYSQL_DATABASE_PASSWORD

Note – (This is the password from above)

https-certificate-file=/etc/letsencrypt/live/keycloak.mydomain.com/fullchain.pem
https-certificate-key-file=/etc/letsencrypt/live/keycloak.mydomain.com/privkey.pem
hostname=keycloak.mydomain.com

Note – (Replace keycloak.mydomain.com with your domain name)

https-port=8443
 

Build and start Keycloak

cd /opt/keycloak/keycloak-26.1.0
sudo bin/kc.sh build
sudo -E bin/kc.sh bootstrap-admin user

Note – This creates a temporary user for access to Keycloak. Once in Keycloak, it is recommended that a permanent user be created and this temporary user deleted.

sudo -E bin/kc.sh start

Keycloak should now be running on https://keycloak.mydomain.com:8443/.
Log into Keycloak using the account created above and create a new user. Make sure to give this new user all available roles.

 

 

10. Configure Keycloak to Start Automatically

Press Ctrl+C to stop Keycloak, then create a systemd service

 

Create systemd unit file

sudo nano /etc/systemd/system/keycloak.service
 

Sample Contents (adjust as needed)

[Unit]
Description=Keycloak Service
After=network.target

[Service]
User=keycloak
Group=keycloak
WorkingDirectory=/opt/keycloak/keycloak-26.1.0
ExecStart=/opt/keycloak/keycloak-26.1.0/bin/kc.sh start
ExecStop=/opt/keycloak/keycloak-26.1.0/bin/kc.sh stop
Restart=on-failure

[Install]
WantedBy=multi-user.target
 

Enable and Reboot

sudo systemctl daemon-reload
sudo systemctl enable keycloak
sudo shutdown -r now
sudo systemctl status keycloak

Keycloak should now run automatically on system boot.

 

 

11. Changing to Port 443

Adjust keycloak.conf

sudo nano /opt/keycloak/keycloak-26.1.0/conf/keycloak.conf
 

Change (or add)

https-port=443
 

Rebuild Keycloak

cd /opt/keycloak/keycloak-26.1.0
sudo bin/kc.sh build
 

Update Firewall Rules

sudo ufw delete allow 8443/tcp
sudo ufw allow 443/tcp
sudo shutdown -r now
 

Keycloak will now listen on standard HTTPS port 443, accessible at https://keycloak.mydomain.com.

 

You’ve successfully installed Keycloak 26 on an Ubuntu 24.04 EC2 instance, configured MySQL as the backend, and secured Keycloak with a valid SSL certificate using Certbot. You also set up systemd to ensure Keycloak starts automatically on reboot and moved it to port 443 for a cleaner URL.

 

Next Steps

 

Log in to your Keycloak admin console at https://keycloak.mydomain.com using the admin username/password you created.

 

Configure your realms, clients, and identity providers as needed.

 

Review Keycloak logs and manage system resources to ensure optimal performance.

 
 

For more instructions on how to configure your Keycloak account, you can follow the instructions from our CFDG presentation on the topic here – https://youtu.be/-bqww9ggDjA

 

With your identity and access management solution in place, you can focus on integrating Keycloak into your applications and services! If you have any questions or run into issues, consult the official Keycloak documentation or your AWS documentation for further guidance.

 

That’s it! You now have a working Keycloak 26 setup in AWS. If you have any questions—or if you’d like to learn more about our FileMaker consulting services—visit us here.