1
<#import "/templates/guide.adoc" as tmpl>
2
<#import "/templates/kc.adoc" as kc>
3
<#import "/templates/options.adoc" as opts>
4
<#import "/templates/links.adoc" as links>
5
<#import "/templates/profile.adoc" as profile>
8
title="Configuring the database"
9
summary="An overview about how to configure relational databases"
10
includedOptions="db db-* transaction-xa-enabled">
12
This {section} explains how to configure the {project_name} server to store data in a relational database.
16
The server has built-in support for different databases. You can query the available databases by viewing the expected values for the `db` configuration option. The following table lists the supported databases and their tested versions.
20
|Database | Option value | Tested Version
22
|MariaDB Server | `mariadb` | ${properties["mariadb.version"]}
23
|Microsoft SQL Server | `mssql` | ${properties["mssql.version"]?replace("-latest","")}
24
|MySQL | `mysql` | ${properties["mysql.version"]}
25
|Oracle Database | `oracle` | ${properties["oracledb.version"]}
26
|PostgreSQL | `postgres` | ${properties["postgresql.version"]}
27
|Amazon Aurora PostgreSQL | `postgres` | ${properties["aurora-postgresql.version"]}
30
By default, the server uses the `dev-file` database. This is the default database that the server will use to persist data and
31
only exists for development use-cases. The `dev-file` database is not suitable for production use-cases, and must be replaced before deploying to production.
35
== Installing a database driver
37
Database drivers are shipped as part of {project_name} except for the Oracle Database and Micrsoft SQL Server drivers which need to be installed separately.
39
Install the necessary driver if you want to connect to one of these databases or skip this section if you want to connect to a different database for which the database driver is already included.
41
=== Installing the Oracle Database driver
43
To install the Oracle Database driver for {project_name}:
45
. Download the `ojdbc11` and `orai18n` JAR files from one of the following sources:
47
.. *Zipped JDBC driver and Companion Jars* version ${properties["oracle-jdbc.version"]} from the https://www.oracle.com/database/technologies/appdev/jdbc-downloads.html[Oracle driver download page].
49
.. Maven Central via `link:++https://repo1.maven.org/maven2/com/oracle/database/jdbc/ojdbc11/${properties["oracle-jdbc.version"]}/ojdbc11-${properties["oracle-jdbc.version"]}.jar++[ojdbc11]` and `link:++https://repo1.maven.org/maven2/com/oracle/database/nls/orai18n/${properties["oracle-jdbc.version"]}/orai18n-${properties["oracle-jdbc.version"]}.jar++[orai18n]`.
51
.. Installation media recommended by the database vendor for the specific database in use.
53
. When running the unzipped distribution: Place the `ojdbc11` and `orai18n` JAR files in {project_name}'s `providers` folder
55
. When running containers: Build a custom {project_name} image and add the JARs in the `providers` folder. When building a custom image for the Keycloak Operator, those images need to be optimized images with all build-time options of Keycloak set.
57
A minimal Dockerfile to build an image which can be used with the {project_name} Operator and includes Oracle Database JDBC drivers downloaded from Maven Central looks like the following:
59
[source,dockerfile,subs="attributes+"]
61
FROM quay.io/keycloak/keycloak:{containerlabel}
62
ADD --chown=keycloak:keycloak https://repo1.maven.org/maven2/com/oracle/database/jdbc/ojdbc11/${properties["oracle-jdbc.version"]}/ojdbc11-${properties["oracle-jdbc.version"]}.jar /opt/keycloak/providers/ojdbc11.jar
63
ADD --chown=keycloak:keycloak https://repo1.maven.org/maven2/com/oracle/database/nls/orai18n/${properties["oracle-jdbc.version"]}/orai18n-${properties["oracle-jdbc.version"]}.jar /opt/keycloak/providers/orai18n.jar
64
# Setting the build parameter for the database:
66
# Add all other build parameters needed, for example enable health and metrics:
67
ENV KC_HEALTH_ENABLED=true
68
ENV KC_METRICS_ENABLED=true
69
# To be able to use the image with the {project_name} Operator, it needs to be optimized, which requires {project_name}'s build step:
70
RUN /opt/keycloak/bin/kc.sh build
73
See the <@links.server id="containers" /> {section} for details on how to build optimized images.
75
Then continue configuring the database as described in the next section.
77
=== Installing the Microsoft SQL Server driver
79
To install the Microsoft SQL Server driver for {project_name}:
81
. Download the `mssql-jdbc` JAR file from one of the following sources:
83
.. Download a version from the https://learn.microsoft.com/en-us/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server[Microsoft JDBC Driver for SQL Server page].
85
.. Maven Central via `link:++https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/${properties["mssql-jdbc.version"]}/mssql-jdbc-${properties["mssql-jdbc.version"]}.jar++[mssql-jdbc]`.
87
.. Installation media recommended by the database vendor for the specific database in use.
89
. When running the unzipped distribution: Place the `mssql-jdbc` in {project_name}'s `providers` folder
91
. When running containers: Build a custom {project_name} image and add the JARs in the `providers` folder. When building a custom image for the {project_name} Operator, those images need to be optimized images with all build-time options of {project_name} set.
93
A minimal Dockerfile to build an image which can be used with the {project_name} Operator and includes Microsoft SQL Server JDBC drivers downloaded from Maven Central looks like the following:
95
[source,dockerfile,subs="attributes+"]
97
FROM quay.io/keycloak/keycloak:{containerlabel}
98
ADD --chown=keycloak:keycloak https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/${properties["mssql-jdbc.version"]}/mssql-jdbc-${properties["mssql-jdbc.version"]}.jar /opt/keycloak/providers/mssql-jdbc.jar
99
# Setting the build parameter for the database:
101
# Add all other build parameters needed, for example enable health and metrics:
102
ENV KC_HEALTH_ENABLED=true
103
ENV KC_METRICS_ENABLED=true
104
# To be able to use the image with the {project_name} Operator, it needs to be optimized, which requires {project_name}'s build step:
105
RUN /opt/keycloak/bin/kc.sh build
108
See the <@links.server id="containers" /> {section} for details on how to build optimized images.
110
Then continue configuring the database as described in the next section.
114
== Configuring a database
116
For each supported database, the server provides some opinionated defaults to simplify database configuration. You complete the configuration by providing some key settings such as the database host and credentials.
118
. Start the server and set the basic options to configure a database
120
<@kc.start parameters="--db postgres --db-url-host mypostgres --db-username myuser --db-password change_me"/>
123
This command includes the minimum settings needed to connect to the database.
125
The default schema is `keycloak`, but you can change it by using the `db-schema` configuration option.
128
Do NOT use the `--optimized` flag for the `start` command if you want to use a particular DB (except the H2).
129
Executing the build phase before starting the server instance is necessary.
130
You can achieve it either by starting the instance without the `--optimized` flag,
131
or by executing the `build` command before the optimized start.
132
For more information, see <@links.server id="configuration"/>.
134
== Overriding default connection settings
136
The server uses JDBC as the underlying technology to communicate with the database. If the default connection settings are insufficient, you can specify a JDBC URL using the `db-url` configuration option.
138
The following is a sample command for a PostgreSQL database.
140
<@kc.start parameters="--db postgres --db-url jdbc:postgresql://mypostgres/mydatabase"/>
142
Be aware that you need to escape characters when invoking commands containing special shell characters such as `;` using the CLI, so you might want to set it in the configuration file instead.
144
== Overriding the default JDBC driver
146
The server uses a default JDBC driver accordingly to the database you chose.
148
To set a different driver you can set the `db-driver` with the fully qualified class name of the JDBC driver:
150
<@kc.start parameters="--db postgres --db-driver=my.Driver"/>
152
Regardless of the driver you set, the default driver is always available at runtime.
154
Only set this property if you really need to. For instance, when leveraging the capabilities from a JDBC Driver Wrapper for
155
a specific cloud database service.
157
== Configuring Unicode support for the database
159
Unicode support for all fields depends on whether the database allows VARCHAR and CHAR fields to use the Unicode character set.
161
* If these fields can be set, Unicode is likely to work, usually at the expense of field length.
162
* If the database only supports Unicode in the NVARCHAR and NCHAR fields, Unicode support for all text fields is unlikely to work because the server schema uses VARCHAR and CHAR fields extensively.
164
The database schema provides support for Unicode strings only for the following special fields:
166
* *Realms*: display name, HTML display name, localization texts (keys and values)
168
* *Federation* Providers: display name
170
* *Users*: username, given name, last name, attribute names and values
172
* *Groups*: name, attribute names and values
176
* Descriptions of objects
178
Otherwise, characters are limited to those contained in database encoding, which is often 8-bit. However, for some database systems, you can enable UTF-8 encoding of Unicode characters and use the full Unicode character set in all text fields. For a given database, this choice might result in a shorter maximum string length than the maximum string length supported by 8-bit encodings.
180
=== Configuring Unicode support for an Oracle database
182
Unicode characters are supported in an Oracle database if the database was created with Unicode support in the VARCHAR and CHAR fields. For example, you configured AL32UTF8 as the database character set. In this case, the JDBC driver requires no special settings.
184
If the database was not created with Unicode support, you need to configure the JDBC driver to support Unicode characters in the special fields. You configure two properties. Note that you can configure these properties as system properties or as connection properties.
186
. Set `oracle.jdbc.defaultNChar` to `true`.
188
. Optionally, set `oracle.jdbc.convertNcharLiterals` to `true`.
192
For details on these properties and any performance implications, see the Oracle JDBC driver configuration documentation.
195
=== Unicode support for a Microsoft SQL Server database
197
Unicode characters are supported only for the special fields for a Microsoft SQL Server database. The database requires no special settings.
199
The `sendStringParametersAsUnicode` property of JDBC driver should be set to `false` to significantly improve performance. Without this parameter,
200
the Microsoft SQL Server might be unable to use indexes.
202
=== Configuring Unicode support for a MySQL database
204
Unicode characters are supported in a MySQL database if the database was created with Unicode support in the VARCHAR and CHAR fields when using the CREATE DATABASE command.
206
Note that the utf8mb4 character set is not supported due to different storage requirements for the utf8 character set. See MySQL documentation for details. In that situation, the length restriction on non-special fields does not apply because columns are created to accommodate the number of characters, not bytes. If the database default character set does not allow Unicode storage, only the special fields allow storing Unicode values.
209
. Under JDBC driver settings, locate the *JDBC connection settings*.
210
. Add this connection property: `characterEncoding=UTF-8`
212
=== Configuring Unicode support for a PostgreSQL database
214
Unicode is supported for a PostgreSQL database when the database character set is UTF8. Unicode characters can be used in any field with no reduction of field length for non-special fields. The JDBC driver requires no special settings. The character set is determined when the PostgreSQL database is created.
216
. Check the default character set for a PostgreSQL cluster by entering the following SQL command.
223
. If the default character set is not UTF 8, create the database with the UTF8 as the default character set using a command such as:
228
create database keycloak with encoding 'UTF8';
231
[[preparing-keycloak-for-amazon-aurora-postgresql]]
232
== Preparing for Amazon Aurora PostgreSQL
234
When using Amazon Aurora PostgreSQL, the https://github.com/awslabs/aws-advanced-jdbc-wrapper[Amazon Web Services JDBC Driver] offers additional features like transfer of database connections when a writer instance changes in a Multi-AZ setup.
235
This driver is not part of the distribution and needs to be installed before it can be used.
237
To install this driver, apply the following steps:
239
. When running the unzipped distribution: Download the JAR file from the https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/[Amazon Web Services JDBC Driver releases page] and place it in {project_name}'s `providers` folder.
241
. When running containers: Build a custom {project_name} image and add the JAR in the `providers` folder.
243
A minimal Dockerfile to build an image which can be used with the {project_name} Operator looks like the following:
245
[source,dockerfile,subs="attributes+"]
247
FROM quay.io/keycloak/keycloak:{containerlabel}
248
ADD --chmod=0666 https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/${properties["aws-jdbc-wrapper.version"]}/aws-advanced-jdbc-wrapper-${properties["aws-jdbc-wrapper.version"]}.jar /opt/keycloak/providers/aws-advanced-jdbc-wrapper.jar
251
See the <@links.server id="containers" /> {section} for details on how to build optimized images, and the <@links.operator id="customizing-keycloak" /> {section} on how to run optimized and non-optimized images with the {project_name} Operator.
252
. Configure {project_name} to run with the following parameters:
253
`db-url`:: Insert `aws-wrapper` to the regular PostgreSQL JDBC URL resulting in a URL like `+jdbc:aws-wrapper:postgresql://...+`.
254
`db-driver`:: Set to `software.amazon.jdbc.Driver` to use the AWS JDBC wrapper.
255
`transaction-xa-enabled`:: Set to `false`, as the Amazon Web Services JDBC Driver does not support XA transactions.
257
== Preparing for MySQL server
259
Beginning with MySQL 8.0.30, MySQL supports generated invisible primary keys for any InnoDB table that is created without an explicit primary key (more information https://dev.mysql.com/doc/refman/8.0/en/create-table-gipks.html[here]).
260
If this feature is enabled, the database schema initialization and also migrations will fail with the error message `Multiple primary key defined (1068)`.
261
You then need to disable it by setting the parameter `sql_generate_invisible_primary_key` to `OFF` in your MySQL server configuration before installing or upgrading Keycloak.
263
== Changing database locking timeout in a cluster configuration
265
Because cluster nodes can boot concurrently, they take extra time for database actions. For example, a booting server instance may perform some database migration, importing, or first time initializations. A database lock prevents start actions from conflicting with each other when cluster nodes boot up concurrently.
267
The maximum timeout for this lock is 900 seconds. If a node waits on this lock for more than the timeout, the boot fails. The need to change the default value is unlikely, but you can change it by entering this command:
269
<@kc.start parameters="--spi-dblock-jpa-lock-wait-timeout 900"/>
271
== Using Database Vendors without XA transaction support
272
{project_name} uses XA transactions and the appropriate database drivers by default. Certain vendors, such as Azure SQL and MariaDB Galera, do not support or rely on the XA transaction mechanism. To use Keycloak without XA transaction support using the appropriate JDBC driver, enter the following command:
274
<@kc.build parameters="--db=<vendor> --transaction-xa-enabled=false"/>
276
{project_name} automatically chooses the appropriate JDBC driver for your vendor.
278
== Setting JPA provider configuration option for migrationStrategy
280
To setup the JPA migrationStrategy (manual/update/validate) you should setup JPA provider as follows:
282
.Setting the `migration-strategy` for the `quarkus` provider of the `connections-jpa` SPI
283
<@kc.start parameters="--spi-connections-jpa-quarkus-migration-strategy=manual"/>
285
If you want to get a SQL file for DB initialization, too, you have to add this additional SPI initializeEmpty (true/false):
287
.Setting the `initialize-empty` for the `quarkus` provider of the `connections-jpa` SPI
288
<@kc.start parameters="--spi-connections-jpa-quarkus-initialize-empty=false"/>
290
In the same way the migrationExport to point to a specific file and location:
292
.Setting the `migration-export` for the `quarkus` provider of the `connections-jpa` SPI
293
<@kc.start parameters="--spi-connections-jpa-quarkus-migration-export=<path>/<file.sql>"/>