I've just simulated the issue and created
https://issues.jboss.org/browse/KEYCLOAK-6783 . I am looking at it.
What works and what we tested is:
* Setup with infinispan-server-8.2.8 on "local" network (infinispan
server bound on loopback address like "localhost" . Different
infinispan servers running on the same laptop, but on various port
offsets)
* Setup with JDG server 7.1.0 on "local" network (JDG server bound on
loopback address like "localhost" . Different JDG servers running on
the same laptop, but on various port offsets)
* Setup with infinispan-server-8.2.8 on "real" network (testing with
infinispan hosts bound to real host with IP addresses like 192.168.0.1 )
We didn't test the combination with JDG server bound on "real" addresses,
and this is the only one where the issue happens.
It seems JDG 7.1.0 has some additional security when compared with the
community infinispan-server 8.2.8 .
The easiest workaround for you might be to test with community
infinispan-server 8.2.8 instead of JDG 7.1.0 . Server can be downloaded
from this address:
http://downloads.jboss.org/infinispan/8.2.8.Final/infinispan-server-8.2.8...
.
I hope to update you later today once I have some more info. Thanks for
the report and all the details you mentioned.
Marek
On 28/02/18 21:36, Jared Blashka wrote:
Hey all,
I'm working on testing out the cross-datacenter replication
configuration in our development environment and I'm running into some
issues.
I stood up some JDG 7.1 instances and some RH-SSO 7.2 instances all
running on my localhost all with different port offsets, followed the
instructions[1], and everything seemed to work well enough.
Once I got beyond that and tried running RH-SSO and JDG on separate
servers I started running into issues[2] during RH-SSO startup. Looks
like RH-SSO is unable to connect to the remote ___script_cache but
that cache isn't mentioned anywhere in the RH-SSO documentation. The
error message (and online searching) indicates that this cache only
allows remote connections if authorization is enabled. I didn't see
any mention of configuration related to authentication or security for
the remote caches in the documentation either.
At this point we roped in a JDG expert (cc'ed here) and found some
additional Infinispan documentation[3] on how to add authentication to
the *remote* caches within the JDG configuration but nothing much in
the way of adding authentication to the client cache configuration
inside RH-SSO that didn't involve programmatic changes. After some
additional searching we found some info[4] detailing how to add
security configurations to a remote-cache configuration in Infinispan
*9.1* but EAP 7.1 is only running Infinispan *8.2* which doesn't have
these changes.
How did you get this working?
Jared Blashka - Identity & Access Management
[1] https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/...
[2] http://pastebin.test.redhat.com/559674
[3] http://infinispan.org/docs/stable/server_guide/server_guide.html#general_...
[4] https://docs.jboss.org/infinispan/9.1/configdocs/infinispan-cachestore-re...