Exporting a RH-SSO Realm

Solution Verified - Updated

Environment

  • Red Hat Single Sign-On (RH-SSO)
    • 7
  • Exporting Realm with all private keys, passwords, and users so it can be imported or re-imported exactly as it is.
  • OpenShift Container Platform (OCP)
  • Red Hat build of Keycloak (RHBK)
    • 22.x

Issue

  • Need to export a complete Realm with all users
    • Exporting a Realm from the Admin Console masks private keys and passwords.
  • How to export a realm in RH-SSO deployed on OpenShift?

Resolution

Export the Realm at server boot using system properties.

  • For realms with many users:

      bin/standalone.sh --server-config=<YOUR CONFIG XML FILE (ex. standalone-ha.xml)> -Dkeycloak.migration.action=export -Dkeycloak.migration.realmName=<your realm> -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=<DIR TO EXPORT TO>
    
  • For realms with few users, where a single file will do:

      bin/standalone.sh --server-config=<YOUR CONFIG XML FILE (ex. standalone-ha.xml)> -Dkeycloak.migration.action=export -Dkeycloak.migration.realmName=<your realm> -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=<FILE TO EXPORT TO>
    
  • To export the realm without any users:

      bin/standalone.sh --server-config=<YOUR CONFIG XML FILE (ex. standalone-ha.xml)> -Dkeycloak.migration.action=export -Dkeycloak.migration.realmName=<your realm> -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.usersExportStrategy=SKIP -Dkeycloak.migration.file=<FILE TO EXPORT TO>
    
  • Importing an export:

      bin/standalone.sh --server-config=<YOUR CONFIG XML FILE (ex. standalone-ha.xml)> -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=<FILE TO IMPORT> -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
    

To export the RH-SSO database as a JSON file on the OpenShift pod, refer to the steps described in the RH-SSO documentation for OpenShift.

Refer to Export and Import in the documentation for more information on the various options.

Root Cause

  • Only boot time exports will output users
  • Admin Console exports mask secrets, passwords, and other private information

See Admin console export/import
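
The following check is an added example, not part of the Red Hat solution: it reports whether a singleFile export carries real credential hashes, client secrets and realm private keys (a boot-time export) or only masked values (an Admin Console export), so the file can be stored and transferred accordingly. The JSON field names and the `**********` mask value are assumptions about the export layout, and the sample data is constructed.

```python
import json
import sys

MASK = "**********"  # assumption: placeholder written in place of masked secrets

# Constructed sample shaped like a singleFile boot-time export; all values are fake.
SAMPLE_EXPORT = {
    "realm": "demo",
    "users": [
        {"username": "alice",
         "credentials": [{"type": "password", "secretData": '{"value":"FAKEHASH"}'}]},
        {"username": "bob", "credentials": []},
    ],
    "clients": [{"clientId": "app", "secret": "FAKE-SECRET"}, {"clientId": "account"}],
    "components": {"org.keycloak.keys.KeyProvider": [
        {"name": "rsa-generated", "config": {"privateKey": ["FAKE-PEM"]}}]},
}

def is_secret(value):
    """True when a field holds real secret material rather than the mask."""
    return bool(value) and value != MASK

def audit_realm_export(export):
    """Return (kind, owner) pairs for every unmasked secret in a realm export."""
    findings = []
    for user in export.get("users") or []:
        for cred in user.get("credentials") or []:
            # Assumed field names: secretData (newer) or hashedSaltedValue (older).
            if is_secret(cred.get("secretData") or cred.get("hashedSaltedValue")):
                findings.append(("user-credential", user.get("username")))
    for client in export.get("clients") or []:
        if is_secret(client.get("secret")):
            findings.append(("client-secret", client.get("clientId")))
    components = export.get("components") or {}
    for provider in components.get("org.keycloak.keys.KeyProvider") or []:
        config = provider.get("config") or {}
        for field in ("privateKey", "secret"):  # RSA private key / HMAC or AES secret
            if any(is_secret(v) for v in config.get(field) or []):
                findings.append(("realm-key", provider.get("name")))
    return findings

if __name__ == "__main__":
    # Pass the path of an export file, or run without arguments for the sample.
    data = SAMPLE_EXPORT
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    for kind, owner in audit_realm_export(data):
        print(f"UNMASKED {kind}: {owner}")
```

With the dir provider, users are written to separate files, so each file in the export directory has to be checked in the same way.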


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.