How to Deploy Keycloak on Ubuntu VPS

This guide explains how to deploy Keycloak on an Ubuntu VPS. It runs Keycloak in standalone mode with PostgreSQL as the database and NGINX as a reverse proxy with SSL.

What is Keycloak?

Keycloak is an open-source identity and access management (IAM) solution developed by Red Hat. It provides authentication, authorization, and user management features for modern applications and services. Essentially, Keycloak helps developers and organizations manage user identities and secure their applications without having to build these systems from scratch.

Key Features of Keycloak:

  • Single Sign-On (SSO): Users can log in once and access multiple applications.
  • Identity Brokering and Social Login: Integrates with identity providers like Google, Facebook, GitHub, etc.
  • User Federation: Connects to external user databases like LDAP or Active Directory.
  • OAuth2, OpenID Connect, and SAML Support: Standards-based authentication protocols.
  • Multifactor Authentication (MFA): Adds an extra layer of security.
  • Admin Console: Web-based UI for managing realms, users, roles, etc.
  • Customizable Login Pages: Easily branded and themed.
  • Token-based Authentication: Issues JWT tokens for secure communication between services.

Common Use Cases:

  • Centralized authentication across multiple apps and services.
  • Securing REST APIs and microservices.
  • Enabling SSO for enterprise applications.
  • Delegating identity management for mobile and web apps.

🔧 Prerequisites

  • Ubuntu VPS (20.04 or later)
  • Root or sudo access
  • Domain name (e.g., auth.example.com)
  • PostgreSQL installed or access to a PostgreSQL server
  • Open ports: 80, 443


How to Deploy Keycloak on Ubuntu VPS

To deploy Keycloak on Ubuntu VPS, follow the steps below:

  1. 🧱 System Preparation

    sudo apt update && sudo apt upgrade -y
    sudo apt install -y curl wget unzip gnupg2 software-properties-common
  2. 🐘 Install and Configure PostgreSQL

    If you don’t have PostgreSQL installed:

    sudo apt install -y postgresql postgresql-contrib

    Create Keycloak DB & User

    sudo -u postgres psql

    CREATE DATABASE keycloak;
    CREATE USER keycloakuser WITH PASSWORD 'your_strong_password';
    GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloakuser;
    -- PostgreSQL 15+ no longer lets every role create tables in the public
    -- schema; owning the database gives keycloakuser that right.
    ALTER DATABASE keycloak OWNER TO keycloakuser;
    \q
  3. ☕ Install Java (OpenJDK 21)

    Keycloak requires Java 21+.

    sudo apt install -y openjdk-21-jdk
    java -version
  4. 📦 Download and Extract Keycloak

    wget https://github.com/keycloak/keycloak/releases/latest/download/keycloak-<version>.zip
    # Writing to /opt requires root
    sudo unzip keycloak-<version>.zip -d /opt/
    sudo mv /opt/keycloak-<version> /opt/keycloak
    cd /opt/keycloak

    Replace <version> with the latest release tag (e.g., 24.0.1).

  5. ⚙️ Set Up Keycloak Configuration

    1. Create a System User

      sudo useradd -r -d /opt/keycloak -s /sbin/nologin keycloak
      sudo chown -R keycloak:keycloak /opt/keycloak
    2. Create the Admin User

      cd /opt/keycloak/bin
      sudo -u keycloak ./kc.sh create admin --user admin --password StrongAdminPassword
    3. Configure the Database

      Create a file: /opt/keycloak/conf/keycloak.conf

      db=postgres
      db-url=jdbc:postgresql://localhost/keycloak
      db-username=keycloakuser
      db-password=your_strong_password
      hostname=auth.example.com
      https-port=8443
      # NGINX terminates TLS and proxies to plain HTTP on port 8080;
      # without this, "kc.sh start" refuses to run without HTTPS key material
      http-enabled=true
      # Honour the X-Forwarded-* headers set by NGINX (Keycloak 24+)
      proxy-headers=xforwarded
  6. 🚀 Start Keycloak in Production Mode

    cd /opt/keycloak/bin
    sudo -u keycloak ./kc.sh build
    sudo -u keycloak ./kc.sh start

    At this point, Keycloak will be running on port 8080.

  7. 🌐 Set Up NGINX as Reverse Proxy (with SSL)

    1. Install Nginx

      sudo apt install nginx
      sudo ufw allow 'Nginx Full'
    2. Install Certbot for SSL

      sudo apt install certbot python3-certbot-nginx
    3. NGINX Config

      Create /etc/nginx/sites-available/keycloak

      server {
          listen 80;
          server_name auth.example.com;

          location / {
              proxy_pass http://localhost:8080/;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
          }
      }

      Enable and test:

      sudo ln -s /etc/nginx/sites-available/keycloak /etc/nginx/sites-enabled/
      sudo nginx -t
      sudo systemctl reload nginx
    4. Get SSL Certificate

      sudo certbot --nginx -d auth.example.com

      Certbot will modify your config to use HTTPS.

  8. 🔁 Enable Keycloak as a Service

    Create /etc/systemd/system/keycloak.service

    [Unit]
    Description=Keycloak Server
    After=network.target

    [Service]
    Type=simple
    User=keycloak
    Group=keycloak
    ExecStart=/opt/keycloak/bin/kc.sh start
    Restart=on-failure
    LimitNOFILE=10240

    [Install]
    WantedBy=multi-user.target

    sudo systemctl daemon-reexec
    sudo systemctl daemon-reload
    sudo systemctl enable keycloak
    sudo systemctl start keycloak
  9. ✅ Access Keycloak

    Go to: https://auth.example.com
    Log in with the admin credentials you set.

  10. 🛡️ (Optional) Secure with Firewall

    sudo ufw allow OpenSSH
    sudo ufw allow 'Nginx Full'
    sudo ufw enable
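
Once the steps above are done, /opt/keycloak/conf/keycloak.conf holds the database password and decides how Keycloak behaves behind NGINX. The script below is an added example, not part of the original guide or of the Keycloak project: it audits the file mode, the placeholder password and the proxy-related settings. `conf_get`, `audit_keycloak_conf` and the finding texts are this example's own names, `http-enabled`, `http-host`, `proxy-headers` and `proxy` are Keycloak server options, and the sample file is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the guide or the Keycloak project). Assumes GNU stat.

# Print the value assigned to key $2 in properties file $1 (last one wins).
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one FINDING line per problem; exit status is the number of findings.
audit_keycloak_conf() {
  local conf="$1" n=0 mode host
  finding() { echo "FINDING: $*"; n=$((n + 1)); }

  # db-password is stored in clear text, so "other" must have no access.
  mode=$(stat -c '%a' "$conf")
  [ $(( 0$mode & 7 )) -eq 0 ] || finding "mode $mode exposes db-password to other users"

  [ "$(conf_get "$conf" db-password)" != "your_strong_password" ] ||
    finding "db-password is still the guide's placeholder"

  [ -n "$(conf_get "$conf" hostname)" ] || finding "hostname is not set"

  # Checks that only matter when NGINX terminates TLS and talks HTTP to Keycloak.
  if [ "$(conf_get "$conf" http-enabled)" = "true" ]; then
    host=$(conf_get "$conf" http-host)
    case "$host" in
      127.0.0.1|localhost) ;;
      *) finding "http-host='${host:-0.0.0.0}': plain HTTP reachable beyond loopback" ;;
    esac
    # proxy-headers (or the older proxy option) makes Keycloak honour X-Forwarded-*.
    [ -n "$(conf_get "$conf" proxy-headers)$(conf_get "$conf" proxy)" ] ||
      finding "no proxy-headers: client IPs will appear as the NGINX address"
  fi
  return "$n"
}

# Constructed sample: the guide's settings plus http-enabled, world-readable.
sample=$(mktemp)
cat > "$sample" <<'EOF'
db=postgres
db-url=jdbc:postgresql://localhost/keycloak
db-username=keycloakuser
db-password=your_strong_password
hostname=auth.example.com
http-enabled=true
EOF
chmod 644 "$sample"
audit_keycloak_conf "$sample" || echo "$? finding(s) in $sample"
rm -f "$sample"
```

On the server, run `audit_keycloak_conf /opt/keycloak/conf/keycloak.conf` as a user that can read the file; a non-zero exit status is the number of findings.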

✅ Final Notes

  • You now have a fully-functional Keycloak instance running behind NGINX with HTTPS.
  • All configuration lives in /opt/keycloak.
  • Consider setting up backups for your PostgreSQL DB and Keycloak config.
  • To upgrade Keycloak, back up data, download the new version, and follow upgrade notes.


Conclusion

You now know how to deploy Keycloak on Ubuntu VPS.


Editorial Staff

Rad Web Hosting is a leading provider of web hosting, Cloud VPS, and Dedicated Servers in Dallas, TX.