I can only agree that there seems to be a difference between Infinispan server
and JDG, since we did test it in Amazon where each instance of Keycloak and
Infinispan was installed on a separate VM [1]. Whether this difference might
indeed be there should be confirmed by someone from the JDG team. William,
could you please comment here?
[1]
On Thu, Mar 1, 2018 at 9:25 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
I've just simulated the issue and created
https://issues.jboss.org/browse/KEYCLOAK-6783. I am looking at it.
What works and what we tested is:
* Setup with infinispan-server-8.2.8 on "local" network (infinispan
server bound on loopback address like "localhost". Different
infinispan servers running on the same laptop, but on various port
offsets)
* Setup with JDG server 7.1.0 on "local" network (JDG server bound on
loopback address like "localhost". Different JDG servers running on
the same laptop, but on various port offsets)
* Setup with infinispan-server-8.2.8 on "real" network (testing with
infinispan hosts bound to real host with IP addresses like 192.168.0.1)
We didn't test the combination with JDG server bound on "real" addresses
and this is the only one where the issue happens.
It seems JDG 7.1.0 has some additional security when compared with the
community infinispan-server 8.2.8.
The easiest workaround for you might be to test with community
infinispan-server 8.2.8 instead of JDG 7.1.0. Server can be downloaded
from this address:
http://downloads.jboss.org/infinispan/8.2.8.Final/infinispan-server-8.2.8.Final-bin.zip
I hope to update you later today once I have some more info. Thanks for
the report and all the details you mentioned.
Marek
On 28/02/18 21:36, Jared Blashka wrote:
> Hey all,
>
> I'm working on testing out the cross-datacenter replication
> configuration in our development environment and I'm running into some
> issues.
>
> I stood up some JDG 7.1 instances and some RH-SSO 7.2 instances all
> running on my localhost all with different port offsets, followed the
> instructions[1], and everything seemed to work well enough.
>
> Once I got beyond that and tried running RH-SSO and JDG on separate
> servers I started running into issues[2] during RH-SSO startup. Looks
> like RH-SSO is unable to connect to the remote ___script_cache but
> that cache isn't mentioned anywhere in the RH-SSO documentation. The
> error message (and online searching) indicates that this cache only
> allows remote connections if authorization is enabled. I didn't see
> any mention of configuration related to authentication or security for
> the remote caches in the documentation either.
>
> At this point we roped in a JDG expert (cc'ed here) and found some
> additional Infinispan documentation[3] on how to add authentication to
> the *remote* caches within the JDG configuration but nothing much in
> the way of adding authentication to the client cache configuration
> inside RH-SSO that didn't involve programmatic changes. After some
> additional searching we found some info[4] detailing how to add
> security configurations to a remote-cache configuration in Infinispan
> *9.1* but EAP 7.1 is only running Infinispan *8.2* which doesn't have
> these changes.
>
> How did you get this working?
>
> Jared Blashka - Identity & Access Management
>
>
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/pdf/server_installation_and_configuration_guide/Red_Hat_Single_Sign-On-7.2-Server_Installation_and_Configuration_Guide-en-US.pdf#__WKANCHOR_1e
> [2]
> http://pastebin.test.redhat.com/559674
> [3]
> http://infinispan.org/docs/stable/server_guide/server_guide.html#general_concepts
> [4]
> https://docs.jboss.org/infinispan/9.1/configdocs/infinispan-cachestore-remote-config-9.1.html
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev