Red Hat SummitUpgrading Guide
Abstract
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Chapter 1. Upgrading Red Hat build of Keycloak
Red Hat build of Keycloak is based on the Keycloak project, which enables you to secure your web applications by providing Web SSO capabilities based on popular standards such as OpenID Connect, OAuth 2.0, and SAML 2.0. The Red Hat build of Keycloak server acts as an OpenID Connect or SAML-based identity provider (IdP), allowing your enterprise user directory or third-party IdP to secure your applications by using standards-based security tokens.
This guide applies to version 22.0.13, which is a minor version of Red Hat build of Keycloak. To upgrade Red Hat build of Keycloak to version 22.0.13, use the following procedures in this order:
- Upgrade the Red Hat build of Keycloak server
- Upgrade Red Hat build of Keycloak adapters
Chapter 2. Upgrading the Red Hat build of Keycloak server
2.1. Preparing for upgrading
Procedure
- Back up the old installation, such as configuration, themes, and so on.
Back up the database using instructions in the documentation for your relational database.
The database will no longer be compatible with the old server after the upgrade. If you need to revert the upgrade, first restore the old installation, and then restore the database from the backup copy.
- Handle any open transactions and delete the data/tx-object-store/ transaction directory.
In a minor upgrade of Red Hat build of Keycloak, all user sessions are lost. After the upgrade, all users will have to log in again.
2.2. Downloading the server ZIP file
Procedure
- Download Red Hat build of Keycloak from the Red Hat website and extract it.
- Move the ZIP file to the desired location.
Extract the archive.
After extracting this file, you should have a directory that is named rhbk-22.0.13.
-
Copy
conf/,providers/andthemes/from the previous installation to the new installation.
2.3. Database migration
Red Hat build of Keycloak can automatically migrate the database schema, or you can choose to do it manually. By default, the database is automatically migrated when you start the new installation for the first time.
2.3.1. Automatic relational database migration
To perform an automatic migration, start the server connected to the desired database. If the database schema has changed for the new version of the server, it will be migrated.
Creating an index on huge tables with millions of records can be very time-consuming and possibly cause a major service disruption. Therefore, a threshold exists to limit the number of records allowed for the index. A warning message appears in the server logs with SQL commands you can apply later manually.
To change the threshold, set the index-creation-threshold property, value for the default connections-liquibase provider:
kc.[sh|bat] start --spi-connections-liquibase-default-index-creation-threshold=300000
kc.[sh|bat] start --spi-connections-liquibase-default-index-creation-threshold=3000002.3.2. Manual relational database migration
To enable manual upgrading of the database schema, set the migration-strategy property value to "manual" for the default connections-jpa provider:
kc.[sh|bat] start --spi-connections-jpa-legacy-migration-strategy=manual
kc.[sh|bat] start --spi-connections-jpa-legacy-migration-strategy=manual
When you start the server with this configuration, the server checks if the database needs to be migrated. The required changes are written to the bin/keycloak-database-update.sql SQL file that you can review and manually run against the database.
If you want to change the path and name of the exported SQL file, set the migration-export property for the default connections-jpa provider:
kc.[sh|bat] start --spi-connections-jpa-legacy-migration-export=<path>/<file.sql>
kc.[sh|bat] start --spi-connections-jpa-legacy-migration-export=<path>/<file.sql>For more details on applying this file to the database, see the documentation for your relational database. After the changes have been written to the file, the server exits.
Chapter 3. Upgrading Red Hat build of Keycloak adapters
It is important that you upgrade Red Hat build of Keycloak server first, and then upgrade the adapters. Earlier versions of the adapter might work with later versions of Red Hat build of Keycloak server, but earlier versions of Red Hat build of Keycloak server might not work with later versions of the adapter.
3.1. Compatibility with older adapters
As mentioned above, we try to support newer release versions of Red Hat build of Keycloak server working with older release versions of the adapters. However, in some cases we need to include fixes on the Red Hat build of Keycloak server side which may break compatibility with older versions of the adapters. For example, when we implement new aspects of the OpenID Connect specification, which older client adapter versions were not aware of.
In those cases, we added Compatibility modes. For OpenId Connect clients, there is a section named OpenID Connect Compatibility Modes in the Red Hat build of Keycloak admin console, on the page with client details. Here, you can disable some new aspects of the Red Hat build of Keycloak server to preserve compatibility with older client adapters. More details are available in the tool tips of individual switches.
3.2. Upgrading the EAP adapter
To upgrade an EAP adapter that has been copied to your web application, perform the following procedure.
Procedure
- Download the new adapter archive.
-
Remove the previous adapter modules by deleting the
EAP_HOME/modules/system/add-ons/keycloak/directory. -
Unzip the downloaded archive into
EAP_HOME.
3.3. Upgrading the JavaScript adapter
To upgrade a JavaScript adapter that has been copied to your web application, perform the following procedure.
Procedure
- Download the new adapter archive.
- Overwrite the keycloak.js file in your application with the keycloak.js file from the downloaded archive.
3.4. Upgrading the Node.js adapter
To upgrade a Node.js adapter that has been copied to your web application, perform the following procedure.
Procedure
- Download the new adapter archive.
- Remove the existing Node.js adapter directory
- Unzip the updated file into its place
- Change the dependency for keycloak-connect in the package.json of your application
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}