[keycloak-dev] Cross-datacenter configuration issues

Jared Blashka jblashka at redhat.com
Wed Feb 28 15:36:46 EST 2018


Hey all,

I'm working on testing out the cross-datacenter replication configuration
in our development environment and I'm running into some issues.

I stood up some JDG 7.1 instances and some RH-SSO 7.2 instances all running
on my localhost all with different port offsets, followed the
instructions[1], and everything seemed to work well enough.

Once I got beyond that and tried running RH-SSO and JDG on separate servers
I started running into issues[2] during RH-SSO startup. Looks like RH-SSO
is unable to connect to the remote ___script_cache but that cache isn't
mentioned anywhere in the RH-SSO documentation. The error message (and
online searching) indicates that this cache only allows remote connections
if authorization is enabled. I didn't see any mention of configuration
related to authentication or security for the remote caches in the
documentation either.

At this point we roped in a JDG expert (cc'ed here) and found some
additional Infinispan documentation[3] on how to add authentication to the
*remote* caches within the JDG configuration but nothing much in the way of
adding authentication to the client cache configuration inside RH-SSO that
didn't involve programmatic changes. After some additional searching we
found some info[4] detailing how to add security configurations to a
remote-cache configuration in Infinispan *9.1* but EAP 7.1 is only running
Infinispan *8.2* which doesn't have these changes.

How did you get this working?

Jared Blashka - Identity & Access Management


[1] https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/pdf/server_installation_and_configuration_guide/Red_Hat_Single_Sign-On-7.2-Server_Installation_and_Configuration_Guide-en-US.pdf#__WKANCHOR_1e
[2] http://pastebin.test.redhat.com/559674
[3] http://infinispan.org/docs/stable/server_guide/server_guide.html#general_concepts
[4] https://docs.jboss.org/infinispan/9.1/configdocs/infinispan-cachestore-remote-config-9.1.html

