[keycloak-user] Configuring Keycloak in Standalone Clustered Mode

Rafael Weingärtner rafaelweingartner at gmail.com
Tue Jul 10 08:55:47 EDT 2018


Hey Dmitry, thanks for the reply.

The alternative "JDBC_PING" looks promising. However, if I already have a
transit network that can be used to bind together all keycloak replicas, I
can "export/bind" the multicast ports of the containers on the host, and
then everything should work out of the box, right?

On Tue, Jul 10, 2018 at 9:35 AM, Dmitry Telegin <dt at acutus.pro> wrote:

> Hi Rafael,
>
> In Keycloak, clustering is implemented via Infinispan [1] (a
> distributed cache), which in turn uses JGroups [2] as a communication
> layer. By default, nodes use IP multicast for discovery (MPING in
> JGroups terminology). So as long as your nodes live in the same private
> network that supports multicast, you should be fine.
>
> If IP multicast is restricted (like e.g. on AWS), one can use alternate
> discovery methods like JDBC_PING (using shared database) or S3_PING
> (obviously, using S3).
>
> See Keycloak documentation on network setup for clustering [3], as well
> as Infinispan and JGroups docs on the same.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> [1] http://infinispan.org
> [2] http://www.jgroups.org
> [3] https://www.keycloak.org/docs/latest/server_installation/index.html#_clustering
>
> On Sat, 2018-07-07 at 09:09 -0300, Rafael Weingärtner wrote:
> > Hello Keycloak communities,
> >
> > I am configuring Keycloak for production, and we will need to use it
> > in a clustered fashion. I have read about the two possible deployment
> > scenarios “Standalone clustered mode” and “domain clustered mode”. It
> > seems that the “Standalone clustered mode” is the simpler one. Also,
> > we will be using Docker to deploy Keycloak. Therefore, we will not
> > have the burden of managing configuration files manually. The update
> > (configurations and/or Keycloak versions) should always be a matter
> > of stopping and starting a new version of the Docker container.
> >
> > I have one doubt though. It seems pretty magical that to configure
> > Keycloak in HA mode I only need to use “standalone-ha.xml”. How does
> > the discovery process of nodes happen? I mean, are the replicas
> > communicating with each other directly, or is everything via a shared
> > database? Do I need to expose some specific port from my Keycloak
> > replicas to the network? Or only the standard 443/80 is enough?
> >
> > Thanks in advance for your help ;)
> >
> > --
> > Rafael Weingärtner
>



-- 
Rafael Weingärtner
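
For the question in this thread of which ports the replicas need among themselves, here is an added example (not written by the thread's authors or the Keycloak project) that lists the JGroups socket bindings found in a standalone-ha.xml and marks the ones that depend on IP multicast. The embedded XML is a constructed sample modelled on a WildFly-based configuration, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample modelled on a WildFly-based standalone-ha.xml (assumed values).
SAMPLE = """\
<socket-binding-group name="standard-sockets" default-interface="public">
  <socket-binding name="https" port="${jboss.https.port:8443}"/>
  <socket-binding name="jgroups-mping" interface="private" port="0"
      multicast-address="${jboss.default.multicast.address:230.0.0.4}"
      multicast-port="45700"/>
  <socket-binding name="jgroups-tcp" interface="private" port="7600"/>
  <socket-binding name="jgroups-udp" interface="private" port="55200"
      multicast-address="${jboss.default.multicast.address:230.0.0.4}"
      multicast-port="45688"/>
</socket-binding-group>
"""

EXPR = re.compile(r"\$\{([^:}]+)(?::([^}]*))?\}")  # ${name} or ${name:default}

def resolve(value, props):
    """Expand ${name:default} from props, falling back to the default."""
    if value is None:
        return None
    return EXPR.sub(lambda m: props.get(m.group(1), m.group(2) or ""), value)

def cluster_bindings(xml_text, props=None):
    """Return the JGroups socket bindings replicas use among themselves."""
    props = props or {}
    found = []
    for el in ET.fromstring(xml_text).iter():
        # Real files carry an XML namespace, so compare the local tag name.
        if el.tag.rsplit("}", 1)[-1] != "socket-binding":
            continue
        name = el.get("name", "")
        if name.startswith("jgroups-"):
            found.append({
                "name": name,
                "interface": el.get("interface"),
                "port": int(resolve(el.get("port"), props) or 0),
                "multicast": resolve(el.get("multicast-address"), props),
                "multicast_port": int(resolve(el.get("multicast-port"), props) or 0),
            })
    return found

def needs_multicast(bindings):
    """Names of bindings that only work where IP multicast is delivered."""
    return [b["name"] for b in bindings if b["multicast"]]

if __name__ == "__main__":
    print(*cluster_bindings(SAMPLE), sep="\n")
```

The bindings it reports are the ones to keep on the private network between replicas; clients only need the HTTP(S) bindings.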

