Re: [keycloak-dev] Cross-datacenter configuration issues

I've just simulated the issue and created https://issues.jboss.org/browse/KEYCLOAK-6783 . I am looking at it. What works and what we tested is: * Setup with infinispan-server-8.2.8 on "local" network (infinispan server bind on loopback address like "localhost" . Different infinispan servers running on the same laptop, but on various port offsets) * Setup with JDG server 7.1.0 on "local" network (JDG server bound on loopback address like "localhost" . Different JDG servers running on the same laptop, but on various port offsets) * Setup with infinispan-server-8.2.8 on "real" network (testing with infinispan hosts bound to real host with IP addresses like 192.168.0.1 ) We didn't test the combination with JDG server bind on "real" addresses and this is the only one where the issue happens It seems JDG 7.1.0 has some additional security when compared with the community infinispan-server 8.2.8 . The easiest workaround for you might be to test with community infinispan-server 8.2.8 instead of JDG 7.1.0 . Server can be downloaded from this address: http://downloads.jboss.org/infinispan/8.2.8.Final/ infinispan-server-8.2.8.Final-bin.zip . I hope to update you later today once I have some more info. Thanks for the report and all the details you mentioned. Marek On 28/02/18 21:36, Jared Blashka wrote: > Hey all, > > I'm working on testing out the cross-datacenter replication > configuration in our development environment and I'm running into some > issues. > > I stood up some JDG 7.1 instances and some RH-SSO 7.2 instances all > running on my localhost all with different port offsets, followed the > instructions[1], and everything seemed to work well enough. > > Once I got beyond that and tried running RH-SSO and JDG on separate > servers I started running into issues[2] during RH-SSO startup. Looks > like RH-SSO is unable to connect to the remote ___script_cache but > that cache isn't mentioned anywhere in the RH-SSO documentation. The > error message (and online searching) indicates that this cache only > allows remote connections if authorization is enabled. I didn't see > any mention of configuration related to authentication or security for > the remote caches in the documentation either. > > At this point we roped in a JDG expert (cc'ed here) and found some > additional Infinispan documentation[3] on how to add authentication to > the *remote* caches within the JDG configuration but nothing much in > the way of adding authentication to the client cache configuration > inside RH-SSO that didn't involve programmatic changes. After some > additional searching we found some info[4] detailing how to add > security configurations to a remote-cache configuration in Infinispan > *9.1* but EAP 7.1 is only running Infinispan *8.2* which doesn't have > these changes. > > How did you get this working? > > Jared Blashka - Identity & Access Management > > > [1] > https://access.redhat.com/documentation/en-us/red_hat_ single_sign-on/7.2/pdf/server_installation_and_ configuration_guide/Red_Hat_Single_Sign-On-7.2-Server_Installation_and_ Configuration_Guide-en-US.pdf#__WKANCHOR_1e > [2] http://pastebin.test.redhat.com/559674 > [3] > http://infinispan.org/docs/stable/server_guide/server_ guide.html#general_concepts > [4] > https://docs.jboss.org/infinispan/9.1/configdocs/ infinispan-cachestore-remote-config-9.1.html _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev