Install java (java-8-openjdk) in all the machines in the cluster and setup the JAVA_HOME environment variable for the same.
sudo yum install java-1.8.0-openjdk-devel
Get your Java installation path.
update-alternatives --display java
Take the value of the current link and remove the trailing /bin/java. For example, on RHEL 7, the link is /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/bin/java, So, JAVA_HOME should be /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre.
Edit ~/bashrc.sh:
Export JAVA_HOME={path-tojava} with your actual java installation path. For example on a Debian with open-jdk-8:
sudo wget "https://downloads.jboss.org/keycloak/6.0.1/keycloak-6.0.1.tar.gz"
sudo tar xzf keycloak-6.0.1.tar.gz
Install a database supported by keycloak
We have installed postgres as the database for keycloak; you can use any database supported by Keycloak.
Within the …​/modules/ directory of your Keycloak distribution, you need to create a directory structure to hold your module definition. The convention is use the Java package name of the JDBC driver for the name of the directory structure. For PostgreSQL, create the directory org/postgresql/main. Copy your database driver JAR into this directory and create an empty module.xml file within it too.
Module Directory
After you have done this, open up the module.xml file and create the following XML:
The module name should match the directory structure of your module. So, org/postgresql maps to org.postgresql. The resource-root path attribute should specify the JAR filename of the driver. The rest are just the normal dependencies that any JDBC driver JAR would have.
Adding a SSL certificate to Keycloak Here we will give the keystore we created to keycloak
<ssl>
<keystore path="your key store pass relative to the next property" relative-to="jboss.server.config.dir" keystore-password="yourpassword" alias="your alias"/>
</ssl>
Add keycloak admin user
Add Keycload admin user from keycloak bin directory run
Create clients for every module (i.e. ida, pre-registration, registration-processor, registration-client, auth, resident, mosip-client).
Enable authorization and service account for every client and provide valid redirect uri. These clients will be used by all modules to get client tokens.
Configure User Federation
For this example we will be configuring LDAP as user federation
Go to "User Federation".
Create a new User Federation for LDAP.
Make Edit Mode Writable.
Configure field based on your LDAP(There are many vendors for ldap you can connect to any ldap vendor based on configurations).
Go to Mappers and Create mappers for each field you want keycloak to take from LDAP.
isActive : user-attribute-ldap-mapper
username : user-attribute-ldap-mapper
rid : user-attribute-ldap-mapper
creation date : user-attribute-ldap-mapper
roles : role-ldap-mapper
last name : user-attribute-ldap-mapper
userPassword : user-attribute-ldap-mapper
mobile : user-attribute-ldap-mapper
dob : user-attribute-ldap-mapper
first name : user-attribute-ldap-mapper
email : user-attribute-ldap-mapper
Sync Users and Roles from LDAP .
Create INDIVIDUAL, RESIDENT Role from Keycloak in Realm Roles
Assign Roles from LDAP and Keycloak to All Clients
If you find that a particular service will take more time to complete the process within stipulated time period, your token perhaps will get invalidated. Use refresh token mechanism to get latest token or if that is not implemented you can increase the access token lifespan at client level or realm level.
SSL enable at keycloak
SSL in keycloak is enabled by default but it can be toggled for all request, external request, and none.
Update of configuration for keycloak
<> is for variable properties with this sign need to be updated.
mosip.keycloak.base-url=https://<keycloak.domain>
mosip.kernel.realm-id=<Mosip realm id> (EX mosip, should always be in lowercase)
mosip.kernel.open-id-url=${mosip.keycloak.base-url}/auth/realms/{realmId}/protocol/openid-connect/
mosip.kernel.base-url=${mosip.keycloak.base-url}/auth/realms/{realmId}
mosip.kernel.admin-url=${mosip.keycloak.base-url}/auth/admin/
mosip.kernel.roles-url=realms/mosip/roles
mosip.kernel.users-url=realms/mosip/users
mosip.kernel.role-user-mapping-url=/{userId}/role-mappings/realm
`#Domain should be updated
mosip.authmanager.base-url=https://<domain>/v1/authmanager
mosip.keycloak.authorization_endpoint=${mosip.keycloak.base-url}/auth/realms/mosip/protocol/openid-connect/auth
mosip.keycloak.token_endpoint=${mosip.keycloak.base-url}/auth/realms/mosip/protocol/openid-connect/token
mosip.admin.login_flow.name=authorization_code
mosip.admin.login_flow.response_type=code
mosip.admin.login_flow.scope=cls
mosip.admin.clientid=mosip-client
mosip.admin.clientsecret=<client secret of mosip client>
mosip.admin.redirecturi=${mosip.authmanager.base-url}/login-redirect/
mosip.admin_realm_id=<Mosip realm id> (EX mosip)
mosip.master.realm-id=master
`#Go to Mosip realm -> Go to Roles -> select INDIVIDUAL ROLE you will find hyperlink in tab will have a id after roles-> /realms/mosip/roles/[e3bb3344-6445-4f6f-9e33-d5ec0d231327]
mosip.admin.individual_role_id=<role if of individual>
mosip.admin.pre-reg_user_password=mosip
db_3_DS.keycloak.ipaddress=<keycloak db url>
db_3_DS.keycloak.port=<keycloak db port>
db_3_DS.keycloak.username=<keycloak db username>
db_3_DS.keycloak.password=<keycloak db password>
db_3_DS.keycloak.driverClassName=<keycloak db driver class name>
mosip.keycloak.admin.client.id=admin-cli
`#First user we create when we started keycloak
mosip.keycloak.admin.user.id=<admin user name>
`#First user we create when we started keycloak
mosip.keycloak.admin.secret.key=<admin user password>
mosip.kernel.auth.client.id=<Auth Client id>
mosip.kernel.auth.secret.key=<Auth Secret id>
mosip.kernel.ida.client.id=<Ida Client id>
mosip.kernel.ida.secret.key=<Ida Secret id>
