5. Database configuration#

Keycloak uses an external database to store configurations and settings. By default, the Keycloak app installs and configures a PostgreSQL database.

In case you want to use your own database backend, you can change the database settings for Keycloak prior or after the app installation.

5.1. Default database#

The Keycloak app installation procedure automatically installs and configures the PostgreSQL database during the initial installation of the app in the UCS domain. Keycloak uses this database for all additional installations of the app in the UCS domain. The default database doesn’t provide replication or any kind of failover.

However, it’s not mandatory to use the default PostgreSQL database instance. Administrators may decide to use another one, for example, if there is a need to use an already existing or clustered database.

5.2. Custom database#

Keycloak supports a wide range of different databases as backend. For detailed information, consult the Keycloak manual Configuring the database [7].


On the contrary to the official Keycloak container image, the custom image that the Keycloak App provides, does not contain the drivers that support an Oracle Database. Using an Oracle Database as a backend for Keycloak is currently not supported.

The Keycloak app provides app settings for the configuration of the database backend. For the available settings, see the Settings section.


Changing these settings doesn’t affect the database itself, no matter if you use the command line tools or the App Center. The database settings only tell Keycloak where and how to connect to the database. Ensure that you first perform the needed changes on the database itself.

5.3. Changing the database configuration#

The following sections explain how to change the database settings. The example uses the MariaDB database and the following assumptions:

  • The database for Keycloak exists.

  • The Keycloak server can connect to the database.

  • A user account with the appropriate permissions for the database exists.


The database user needs the following minimum privileges to work in a single machine setup. Use the GRANT command:

ON `<database>`.* TO `<user>`@`<host>`;

5.3.1. Initial installation#

This section explains how to setup the Keycloak app to use a different database, such as MariaDB in this example, during the initial and first installation of the Keycloak app in the UCS domain.

To specify an existing MariaDB database during the initial installation, you can either run the following installation command from the command line:

Listing 5.1 Install Keycloak with alternative database settings#
$ univention-app install keycloak --set \
    kc/db/url="jdbc:mariadb://database-server:3306/database-name" \
    kc/db/password="database-password" \

Or alternatively, you can set the corresponding app settings kc/db/url, kc/db/password and kc/db/username during the installation in the Univention App Center.

Additional installations of the Keycloak app automatically use these database settings without any further database configuration.

5.3.2. After initial installation#

After you completed the app installation in the UCS domain, Keycloak stores the database settings in a domain wide settings object. Subsequent installations of the Keycloak app use these settings, regardless of the database settings during the installation.


Changing the database settings after the installations means loosing every existing configuration settings and session.

You have to manually backup Keycloak before and restore the settings after changing the database backend. For more information, see Backup and restore.

To change the database settings for existing Keycloak instances you have to use the following steps:

  1. Change the domain wide database settings with the following command on one of the UCS systems that has Keycloak installed:

    $ univention-keycloak domain-config \
      --set username="database-username" \
      --set uri="jdbc:mariadb://database-server:3306/database-name" \
      --set password="database-password" \
      --set driver="org.mariadb.jdbc.Driver" \
      --set ping_datatype="VARBINARY(255)"
  2. Re-configure one of the Keycloak instances and verify that it works:

    $ univention-app configure keycloak
  3. Re-configure the rest of the Keycloak instances.