R40 Keycloak Based on Quarkus
In R40, we are migrating to a new generation of Keycloak. This new generation, starting with version 20 (for us, at least; the project migrated in v18), introduces several major changes compared with the older generation.
First, there is no longer a dedicated application server running the application itself. Everything is handled by the Quarkus engine directly. The idea is similar to the migration from Spring+Tomcat to the new generation of IBM Manta Data Lineage based on SpringBoot.
For Manta Data Lineage, those changes are quite small, fortunately. This new generation offers faster startup, simpler configuration, and new features that we will need, namely, support for running in FIPS environments.
Major Changes
New Application URL
The Keycloak team has decided to get rid of the /auth suffix in their URL. This means Keycloak, by default, will be available at http://localhost:9090/. During clean installations this is handled automatically.
During upgrades, any existing bookmarks, documentation, links, and most crucially, load-balancers and proxy servers need to be reconfigured.
New Application Ports
The new Keycloak no longer uses two ports. From now on, Keycloak only needs the port the application is available on. The control port is no longer available.
- Health endpoint URL: http://localhost:${keycloakserverport}/health
New Directory Structure
The Keycloak directory structure has changed. The only relevant changes for Manta Data Lineage are the locations of the configuration files and the logs (see below). The data is available in Manta Launcher, if needed.
- Configuration directory: ${installdir}/keycloak/conf
- Log directory: ${installdir}/keycloak/log
New Configuration
The configuration of Keycloak has been greatly simplified. The dreaded standalone.xml is gone, and the whole configuration now lives in a simple properties-style configuration file.
All configuration options are documented in https://www.keycloak.org/server/all-config.
Theme Support Removed
Keycloak no longer supports custom themes (look-and-feel, design, colors) for the admin console available at http://localhost:9090/admin/manta/console/.
Everything still works the same; we just lost our branding there. The login page is still the same.
New HTTPS Configuration
To set up HTTPS for Keycloak Quarkus as of R40, edit <mantaflow>/keycloak/conf/manta.conf and apply the following changes.
- Change http-enabled from true to false.
- Remove the line http-port=9090.
- Add a new line: https-port=<your HTTPS port>.
- Add two new lines:
  - https-key-store-file=<full path to keystore>
  - https-key-store-password=<keystore password>
- If the value hostname-url is present, change its value from http\://... to https\://... and rewrite the port number accordingly.
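The HTTPS steps above, as an added example (not Manta's or Keycloak's own code): a small Python helper that applies the documented edits to a manta.conf text and then checks that no plain-HTTP setting is left behind. The key names are the ones listed above; the sample config, the port 9443 and the keystore path are constructed for illustration.

```python
import re
def migrate_to_https(conf: str, https_port: int, keystore: str, password: str) -> str:
    """Return manta.conf text with the R40 HTTPS edits applied."""
    out = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        key = key.strip()
        if key == "http-enabled":
            line = "http-enabled=false"          # step 1: disable plain HTTP
        elif key == "http-port":
            continue                              # step 2: drop the HTTP port line
        elif key == "hostname-url":
            # step 5: https scheme and new port; '\:' is the properties escape used in the docs
            m = re.match(r"^http(\\?)://([^/:]+)(:\d+)?(.*)$", value.strip())
            if m:
                esc, host, _, rest = m.groups()
                line = f"hostname-url=https{esc}://{host}:{https_port}{rest}"
        out.append(line)
    out += [f"https-port={https_port}",                   # step 3
            f"https-key-store-file={keystore}",           # step 4
            f"https-key-store-password={password}"]
    return "\n".join(out) + "\n"

def check_https_config(conf: str) -> list[str]:
    """List settings that would still leave Keycloak on plain HTTP; empty means OK."""
    props = {}
    for line in conf.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    problems = []
    if props.get("http-enabled", "false").lower() != "false":
        problems.append("http-enabled is still true")
    if "http-port" in props:
        problems.append("http-port is still present")
    if not props.get("https-port", "").isdigit():
        problems.append("https-port is missing or not a number")
    for k in ("https-key-store-file", "https-key-store-password"):
        if not props.get(k):
            problems.append(f"{k} is missing")
    url = props.get("hostname-url", "").replace("\\", "")
    if url and not url.startswith("https://"):
        problems.append("hostname-url still uses http://")
    return problems
# Constructed sample of a pre-R40 manta.conf (not a real Manta file).
SAMPLE_CONF = r"""# keycloak settings before the HTTPS change
http-enabled=true
http-port=9090
hostname-url=http\://localhost:9090
"""
```

Run check_https_config on the file before and after the edit; a non-empty list means the instance would still answer on plain HTTP or fail to start without a keystore.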
Known Issues
Keycloak Is Not Starting
We have discovered that the current version of Keycloak contains a bug which prevents it from starting. This bug occurs almost exclusively on Windows with Java 18. Other OS types and lower JDK versions seem fine. This bug is tracked by the Keycloak team here.