<div dir="ltr">@Andrej, try to use the following instructions to set up Keycloak in domain mode. These instructions work for me, so if you follow them precisely they should also work for you.<div><br></div><div>This setup approach assumes that you may want to deploy your secured applications into the same server(s) running Keycloak server.</div><div><br></div><div>Download keycloak-demo-1.6.1.Final.zip from <a href="http://keycloak.jboss.org/keycloak/downloads">http://keycloak.jboss.org/keycloak/downloads</a>.</div><div><br></div><div>unzip ~/Downloads/keycloak-demo-1.6.1.Final.zip</div><div><br></div><div>cd keycloak-demo-1.6.1.Final/keycloak</div><div><br></div><div><br></div><div>Open for edit: domain/configuration/domain.xml</div><div><br></div><div>Add to &lt;extensions&gt; section:</div><div><br></div><div>    &lt;extension module=&quot;org.keycloak.keycloak-server-subsystem&quot;/&gt;</div><div>    &lt;extension module=&quot;org.keycloak.keycloak-adapter-subsystem&quot;/&gt;</div><div><br></div><div>The second one is for securing your deployed .wars with Keycloak server.</div><div><br></div><div><br></div><div>Scroll down to &lt;profile name=&quot;full-ha&quot;&gt;</div><div><br></div><div>Add to &lt;subsystem xmlns=&quot;urn:jboss:domain:datasources:3.0&quot;&gt; section:</div>







<div><br>                    &lt;datasource jndi-name=&quot;java:jboss/datasources/KeycloakDS&quot; pool-name=&quot;KeycloakDS&quot; enabled=&quot;true&quot; use-java-context=&quot;true&quot;&gt;<br>                        &lt;connection-url&gt;jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE&lt;/connection-url&gt;<br>                        &lt;driver&gt;h2&lt;/driver&gt;<br>                        &lt;security&gt;<br>                            &lt;user-name&gt;sa&lt;/user-name&gt;<br>                            &lt;password&gt;sa&lt;/password&gt;<br>                        &lt;/security&gt;<br>                    &lt;/datasource&gt;<br><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Add to &lt;subsystem xmlns=&quot;urn:jboss:domain:infinispan:3.0&quot;&gt; section:</div><div class="gmail_extra"><br></div>                &lt;cache-container name=&quot;keycloak&quot; jndi-name=&quot;infinispan/Keycloak&quot;&gt;<br>                    &lt;transport lock-timeout=&quot;60000&quot;/&gt;<br>                    &lt;invalidation-cache name=&quot;realms&quot; mode=&quot;SYNC&quot;/&gt;<br>                    &lt;invalidation-cache name=&quot;users&quot; mode=&quot;SYNC&quot;/&gt;<br>                    &lt;distributed-cache name=&quot;sessions&quot; mode=&quot;SYNC&quot; owners=&quot;1&quot;/&gt;<br>                    &lt;distributed-cache name=&quot;loginFailures&quot; mode=&quot;SYNC&quot; owners=&quot;1&quot;/&gt;<br>                &lt;/cache-container&gt;







<div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Before the ending &lt;/profile&gt; add:</div><br>            &lt;subsystem xmlns=&quot;urn:jboss:domain:keycloak-server:1.1&quot;&gt;<br>                &lt;web-context&gt;auth&lt;/web-context&gt;<br>            &lt;/subsystem&gt;<div class="gmail_extra"><br></div><div class="gmail_extra">            &lt;subsystem xmlns=&quot;urn:jboss:domain:keycloak:1.1&quot;/&gt;<br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">The second one is for securing your deployed .wars with Keycloak server.<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Make sure that you really add all these sections to &#39;full-ha&#39;. If you use search or any kind of shortcuts to jump through the edited file, it&#39;s very easy to end up in a different section. So double-check. </div><div class="gmail_extra"><br></div><div class="gmail_extra">Now scroll further down to &lt;server-groups&gt; section, and change &#39;main-server-group&#39; to use &#39;full-ha&#39; profile:</div><div class="gmail_extra"><br></div>        &lt;server-group name=&quot;main-server-group&quot; profile=&quot;full-ha&quot;&gt;<br>            &lt;jvm name=&quot;default&quot;&gt;<br>                &lt;heap size=&quot;64m&quot; max-size=&quot;512m&quot;/&gt;<br>            &lt;/jvm&gt;<br>            &lt;socket-binding-group ref=&quot;full-ha-sockets&quot;/&gt;<br>        &lt;/server-group&gt;<div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Save the file.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Now start Keycloak in domain mode:</div><div class="gmail_extra"><br></div><div class="gmail_extra">    bin/domain.sh<br></div><div class="gmail_extra"><p class=""><span class=""><br></span></p><p class=""><span class="">Observing the log, you should see many entries for 
&#39;server-one&#39;, and &#39;server-two&#39;.</span></p><p class="">You should also see two big stacktraces, as the server will try to start up, and fail due to not being able to find the keycloak-server.json file. (The stacktrace should be more descriptive - current error reporting NullPointerException is a bug)</p><p class="">But that&#39;s good, it means that keycloak-server subsystem was picked up, and started to get initialized.</p><p class="">Running this results in two additional directories created:</p><p class="">    domain/servers/server-one</p><p class="">and</p><p class="">    domain/servers/server-two</p><div><br></div><div>Now just copy the configuration from standalone to these two directories:</div><div><br></div><div>mkdir domain/servers/server-one/configuration</div><div>cp standalone/configuration/keycloak-server.json domain/servers/server-one/configuration/</div><div><div>cp -r standalone/configuration/themes domain/servers/server-one/configuration/</div></div><div><div>cp -r standalone/configuration/providers domain/servers/server-one/configuration/</div></div><div><br></div><div><div>mkdir domain/servers/server-two/configuration</div><div>cp standalone/configuration/keycloak-server.json domain/servers/server-two/configuration/</div><div>cp -r standalone/configuration/themes domain/servers/server-two/configuration/</div><div>cp -r standalone/configuration/providers domain/servers/server-two/configuration/</div></div><div><br></div><p class=""><br></p></div><div class="gmail_extra">And start the server again:</div><div class="gmail_extra"><br></div><div class="gmail_extra">    bin/domain.sh</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">You should now see the server start up without any errors. 
You can now open Keycloak admin on server-one:</div><div class="gmail_extra"><br></div><div class="gmail_extra">    <a href="http://localhost:8080/auth">http://localhost:8080/auth</a></div><div class="gmail_extra"><br></div><div class="gmail_extra">And on server-two:</div><div class="gmail_extra"><br></div><div class="gmail_extra">    <a href="http://localhost:8230/auth/">http://localhost:8230/auth/</a></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">This procedure has always worked for me. If it fails for you then provide your domain.xml, and stdout from console with any stack traces.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 5, 2015 at 9:02 PM, Stian Thorgersen <span dir="ltr">&lt;<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">I came across this:<div><a href="https://issues.jboss.org/browse/KEYCLOAK-2037" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2037</a><br></div><div><br></div><div>Maybe it&#39;s the same issue here?</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On 4 November 2015 at 16:35, Marko Strukelj <span dir="ltr">&lt;<a href="mailto:mstrukel@redhat.com" target="_blank">mstrukel@redhat.com</a>&gt;</span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span>On Wed, Nov 4, 2015 at 4:10 PM, Andrej P <span dir="ltr">&lt;<a href="mailto:ado.boj.83@gmail.com" 
target="_blank">ado.boj.83@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span>On Wed, Nov 4, 2015 at 3:48 PM, Marko Strukelj <span dir="ltr">&lt;<a href="mailto:mstrukel@redhat.com" target="_blank">mstrukel@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div>Can you confirm that you see the following lines in your host-controller.log:</div><br>[Server:authentication-server-demosetup] 15:58:23,220 INFO  [org.wildfly.extension.undertow] (ServerService Thread Pool -- 72) WFLYUT0021: Registered web context: /auth<br>[Server:authentication-server-demosetup] 15:58:23,267 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 36) WFLYSRV0010: Deployed &quot;keycloak-server.war&quot; (runtime-name : &quot;keycloak-server.war&quot;)</div></blockquote></span><div>   <font color="#ff0000">No, these lines are missing in the log.</font></div></div></div></div></blockquote><div><br></div></span><div>That&#39;s the root of your problem then. Keycloak server subsystem doesn&#39;t seem to be initialized at all. </div><div>From your config files it follows that your &#39;authentication-server-demosetup&#39; server is using &#39;group-authentication&#39; group, and &#39;group-authentication&#39; group is using &#39;idbt-ha&#39; profile, and &#39;idbt-ha&#39; profile contains keycloak-server subsystem declaration ...</div><div><br></div><div>I see no reason for Keycloak server to not get initialized.</div><div><br></div><div>I&#39;m sorry to say, but I&#39;m out of ideas. 
If I were you I would try from scratch with an OOTB domain.xml, and host.xml, and set up Keycloak server without any additional applications deployed, following the instructions I described previously - just get server-one, and server-two using the same group tied to full-ha profile. That way you should get Keycloak up and running. Then I would slowly evolve the configuration towards what you have now. Somewhere during that process there must be a step that breaks things, and it&#39;s not obvious what that step is.</div><div><br></div><div><br></div></div></div></div>
<br></div></div></blockquote></div><br></div>
</blockquote></div><br></div></div></div>
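The double-check the message above asks for (every added section really sits in 'full-ha', and 'main-server-group' points at that profile), as an added example that is not part of the original mail: a script that parses domain.xml and reports Keycloak sections that are missing from the profile or landed in a different one. The function names, the sample document and its root namespace are constructed for illustration; the module names and subsystem namespaces are the ones given in the message.

```python
import xml.etree.ElementTree as ET

PROFILE = "full-ha"
EXTENSIONS = {"org.keycloak.keycloak-server-subsystem",
              "org.keycloak.keycloak-adapter-subsystem"}
# (label, namespaced tag, attribute to match or None, expected value)
REQUIRED = [
    ("KeycloakDS datasource", "{urn:jboss:domain:datasources:3.0}datasource", "pool-name", "KeycloakDS"),
    ("keycloak cache-container", "{urn:jboss:domain:infinispan:3.0}cache-container", "name", "keycloak"),
    ("keycloak-server subsystem", "{urn:jboss:domain:keycloak-server:1.1}subsystem", None, None),
    ("keycloak adapter subsystem", "{urn:jboss:domain:keycloak:1.1}subsystem", None, None),
]

def local(tag):
    return tag.rsplit("}", 1)[-1]  # element name without its {namespace}

def has(profile, tag, attr, value):
    return any(attr is None or el.get(attr) == value for el in profile.iter(tag))

def check_domain_xml(xml_text, group="main-server-group"):
    """Return a list of problems; an empty list means the edits landed correctly."""
    root = ET.fromstring(xml_text)
    modules = {e.get("module") for e in root.iter() if local(e.tag) == "extension"}
    problems = [f"missing extension {m}" for m in sorted(EXTENSIONS - modules)]
    profiles = {p.get("name"): p for p in root.iter() if local(p.tag) == "profile"}
    for label, tag, attr, value in REQUIRED:
        if PROFILE in profiles and has(profiles[PROFILE], tag, attr, value):
            continue
        # Report where the section ended up instead, if anywhere.
        stray = sorted(n for n, p in profiles.items() if n != PROFILE and has(p, tag, attr, value))
        problems.append(f"{label} not in profile {PROFILE}" + (f" (found in {', '.join(stray)})" if stray else ""))
    for g in root.iter():
        if local(g.tag) == "server-group" and g.get("name") == group and g.get("profile") != PROFILE:
            problems.append(f"{group} uses profile {g.get('profile')}, not {PROFILE}")
    return problems

# Constructed sample: keycloak-server subsystem pasted into 'full' by mistake.
SAMPLE = """<domain xmlns="urn:jboss:domain:3.0"><extensions>
  <extension module="org.keycloak.keycloak-server-subsystem"/>
  <extension module="org.keycloak.keycloak-adapter-subsystem"/></extensions>
 <profiles><profile name="full">
   <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"><web-context>auth</web-context></subsystem>
  </profile><profile name="full-ha">
   <subsystem xmlns="urn:jboss:domain:datasources:3.0"><datasources>
    <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS"/></datasources></subsystem>
   <subsystem xmlns="urn:jboss:domain:infinispan:3.0"><cache-container name="keycloak"/></subsystem>
   <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/></profile></profiles>
 <server-groups><server-group name="main-server-group" profile="full"/></server-groups>
</domain>"""
```

To check a real installation, pass the contents of domain/configuration/domain.xml to `check_domain_xml` before starting bin/domain.sh.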