[keycloak-dev] Cross-datacenter configuration issues

Hynek Mlnarik hmlnarik at redhat.com
Thu Mar 1 03:33:17 EST 2018


I can only agree that it seems to be a difference between Infinispan server
and JDG, since we did test it in Amazon where each instance of Keycloak and
Infinispan was installed on a separate VM [1]. Whether this difference might
indeed be there should be confirmed by someone from the JDG team. William,
could you please comment here?

[1]
http://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws.html

On Thu, Mar 1, 2018 at 9:25 AM, Marek Posolda <mposolda at redhat.com> wrote:

> I've just simulated the issue and created
> https://issues.jboss.org/browse/KEYCLOAK-6783 . I am looking at it.
>
> What works and what we tested is:
>
>   * Setup with infinispan-server-8.2.8 on "local" network (infinispan
>     server bound on loopback address like "localhost". Different
>     infinispan servers running on the same laptop, but on various port
>     offsets)
>
>   * Setup with JDG server 7.1.0 on "local" network (JDG server bound on
>     loopback address like "localhost". Different JDG servers running on
>     the same laptop, but on various port offsets)
>
>   * Setup with infinispan-server-8.2.8 on "real" network (testing with
>     infinispan hosts bound to real host with IP addresses like
>     192.168.0.1)
>
> We didn't test the combination with JDG server bound on "real" addresses
> and this is the only one where the issue happens.
>
> It seems JDG 7.1.0 has some additional security when compared with the
> community infinispan-server 8.2.8.
>
> The easiest workaround for you might be to test with community
> infinispan-server 8.2.8 instead of JDG 7.1.0. Server can be downloaded
> from this address:
> http://downloads.jboss.org/infinispan/8.2.8.Final/infinispan-server-8.2.8.Final-bin.zip
>
> I hope to update you later today once I have some more info. Thanks for
> the report and all the details you mentioned.
>
> Marek
>
>
> On 28/02/18 21:36, Jared Blashka wrote:
> > Hey all,
> >
> > I'm working on testing out the cross-datacenter replication
> > configuration in our development environment and I'm running into some
> > issues.
> >
> > I stood up some JDG 7.1 instances and some RH-SSO 7.2 instances all
> > running on my localhost all with different port offsets, followed the
> > instructions[1], and everything seemed to work well enough.
> >
> > Once I got beyond that and tried running RH-SSO and JDG on separate
> > servers I started running into issues[2] during RH-SSO startup. Looks
> > like RH-SSO is unable to connect to the remote ___script_cache but
> > that cache isn't mentioned anywhere in the RH-SSO documentation. The
> > error message (and online searching) indicates that this cache only
> > allows remote connections if authorization is enabled. I didn't see
> > any mention of configuration related to authentication or security for
> > the remote caches in the documentation either.
> >
> > At this point we roped in a JDG expert (cc'ed here) and found some
> > additional Infinispan documentation[3] on how to add authentication to
> > the *remote* caches within the JDG configuration but nothing much in
> > the way of adding authentication to the client cache configuration
> > inside RH-SSO that didn't involve programmatic changes. After some
> > additional searching we found some info[4] detailing how to add
> > security configurations to a remote-cache configuration in Infinispan
> > *9.1* but EAP 7.1 is only running Infinispan *8.2* which doesn't have
> > these changes.
> >
> > How did you get this working?
> >
> > Jared Blashka - Identity & Access Management
> >
> >
> > [1]
> > https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/pdf/server_installation_and_configuration_guide/Red_Hat_Single_Sign-On-7.2-Server_Installation_and_Configuration_Guide-en-US.pdf#__WKANCHOR_1e
> > [2] http://pastebin.test.redhat.com/559674
> > [3]
> > http://infinispan.org/docs/stable/server_guide/server_guide.html#general_concepts
> > [4]
> > https://docs.jboss.org/infinispan/9.1/configdocs/infinispan-cachestore-remote-config-9.1.html
>



-- 

--Hynek

