<div dir="ltr">@Andrej, try to use the following instructions to set up Keycloak in domain mode. These instructions work for me, so if you follow them precisely they should also work for you.<div><br></div><div>This setup approach assumes that you may want to deploy your secured applications into the same server(s) running Keycloak server.</div><div><br></div><div>Download keycloak-demo-1.6.1.Final.zip from <a href="http://keycloak.jboss.org/keycloak/downloads">http://keycloak.jboss.org/keycloak/downloads</a>.</div><div><br></div><div>unzip ~/Downloads/keycloak-demo-1.6.1.Final.zip</div><div><br></div><div>cd keycloak-demo-1.6.1.Final/keycloak</div><div><br></div><div><br></div><div>Open for edit: domain/configuration/domain.xml</div><div><br></div><div>Add to <extensions> section:</div><div><br></div><div> <extension module="org.keycloak.keycloak-server-subsystem"/></div><div> <extension module="org.keycloak.keycloak-adapter-subsystem"/></div><div><br></div><div>The second one is for securing your deployed .wars with Keycloak server.</div><div><br></div><div><br></div><div>Scroll down to <profile name="full-ha"></div><div><br></div><div>Add to <subsystem xmlns="urn:jboss:domain:datasources:3.0"> section:</div>
<div><br> <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true"><br> <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url><br> <driver>h2</driver><br> <security><br> <user-name>sa</user-name><br> <password>sa</password><br> </security><br> </datasource><br><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Add to <subsystem xmlns="urn:jboss:domain:infinispan:3.0"> section:</div><div class="gmail_extra"><br></div> <cache-container name="keycloak" jndi-name="infinispan/Keycloak"><br> <transport lock-timeout="60000"/><br> <invalidation-cache name="realms" mode="SYNC"/><br> <invalidation-cache name="users" mode="SYNC"/><br> <distributed-cache name="sessions" mode="SYNC" owners="1"/><br> <distributed-cache name="loginFailures" mode="SYNC" owners="1"/><br> </cache-container>
<div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Before the ending </profile> add:</div><br> <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"><br> <web-context>auth</web-context><br> </subsystem><div class="gmail_extra"><br></div><div class="gmail_extra"> <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">The second one is for securing your deployed .wars with Keycloak server.<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Make sure that you really add all these sections to 'full-ha'. If you use search or any kind of shortcuts to jump through the edited file, it very easy to end up in a different section. So doublecheck. </div><div class="gmail_extra"><br></div><div class="gmail_extra">Now scroll further down to <server-groups> section, and change 'main-server-group' to use 'full-ha' profile:</div><div class="gmail_extra"><br></div> <server-group name="main-server-group" profile="full-ha"><br> <jvm name="default"><br> <heap size="64m" max-size="512m"/><br> </jvm><br> <socket-binding-group ref="full-ha-sockets"/><br> </server-group><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Save the file.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Now start Keycloak in domain mode:</div><div class="gmail_extra"><br></div><div class="gmail_extra"> bin/domain.sh<br></div><div class="gmail_extra"><p class=""><span class=""><br></span></p><p class=""><span class="">Observing the log, you should see many entries for 'server-one', and 'server-two'.</span></p><p class="">You should also see two big stacktraces, as the server will try to start up, and fail due to not being able to find the keycloak-server.json file. (The stacktrace should be more descriptive - current error reporting NullPointerException is a bug)</p><p class="">But that's good, it means that keycloak-server subsystem was picked up, and started to get initialized.</p><p class="">Running this results in two additional directories created:</p><p class=""> domain/servers/server-one</p><p class="">and</p><p class=""> domain/servers/server-two</p><div><br></div><div>Now just copy the configuration from standalone to these two directories:</div><div><br></div><div>mkdir domain/servers/server-one/configuration</div><div>cp standalone/configuration/keycloak-server.json domain/servers/server-one/configuration/</div><div><div>cp -r standalone/configuration/themes domain/servers/server-one/configuration/</div></div><div><div>cp -r standalone/configuration/providers domain/servers/server-one/configuration/</div></div><div><br></div><div><div>mkdir domain/servers/server-two/configuration</div><div>cp standalone/configuration/keycloak-server.json domain/servers/server-two/configuration/</div><div>cp -r standalone/configuration/themes domain/servers/server-two/configuration/</div><div>cp -r standalone/configuration/providers domain/servers/server-two/configuration/</div></div><div><br></div><p class=""><br></p></div><div class="gmail_extra">And start the server again:</div><div class="gmail_extra"><br></div><div class="gmail_extra"> bin/domain.sh</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">You should now see the server start up without any errors. You can now open Keycloak admin on server-one:</div><div class="gmail_extra"><br></div><div class="gmail_extra"> <a href="http://localhost:8080/auth">http://localhost:8080/auth</a></div><div class="gmail_extra"><br></div><div class="gmail_extra">And on server-two:</div><div class="gmail_extra"><br></div><div class="gmail_extra"> <a href="http://localhost:8230/auth/">http://localhost:8230/auth/</a></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">This procedure has always worked for me. If it fails for you then provide your domain.xml, and stdout from console with any stack traces.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 5, 2015 at 9:02 PM, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">I came across this:<div><a href="https://issues.jboss.org/browse/KEYCLOAK-2037" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2037</a><br></div><div><br></div><div>Maybe it's the same issue here?</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On 4 November 2015 at 16:35, Marko Strukelj <span dir="ltr"><<a href="mailto:mstrukel@redhat.com" target="_blank">mstrukel@redhat.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span>On Wed, Nov 4, 2015 at 4:10 PM, Andrej P <span dir="ltr"><<a href="mailto:ado.boj.83@gmail.com" target="_blank">ado.boj.83@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span>On Wed, Nov 4, 2015 at 3:48 PM, Marko Strukelj <span dir="ltr"><<a href="mailto:mstrukel@redhat.com" target="_blank">mstrukel@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div>Can you confirm that you see the following lines in your host-controller.log:</div><br>[Server:authentication-server-demosetup] 15:58:23,220 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 72) WFLYUT0021: Registered web context: /auth<br>[Server:authentication-server-demosetup] 15:58:23,267 INFO [org.jboss.as.server] (ServerService Thread Pool -- 36) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")</div></blockquote></span><div> <font color="#ff0000">No, this lines are missing in log.</font></div></div></div></div></blockquote><div><br></div></span><div>That's the root of your problem then. Keycloak server subsystem doesn't seem to be initialized at all. </div><div>From your config files it follows that your 'authentication-server-demosetup' server is using 'group-authentication' group, and 'group-authentication' group is using 'idbt-ha' profile, and 'idbt-ha' profile contains keycloak-server subsystem declaration ...</div><div><br></div><div>I see no reason for Keycloak server to not get initialized.</div><div><br></div><div>I'm sorry to say, but I'm out of ideas. If I were you I would try from scratch with an OOTB domain.xml, and host.xml, and setup up Keycloak server without any additional applications deployed, following the instructions I described previously - just get server-one, and server-two using the same group tied to full-ha profile. That way you should get Keycloak up and running. Then I would slowly evolve the configuration towards what you have now. Somewhere during that process there must be a step, that breaks things, and it's not obvious what that step is.</div><div><br></div><div><br></div></div></div></div>
<br></div></div><span class="">_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></span></blockquote></div><br></div>
</blockquote></div><br></div></div></div>