I'm setting up keycloak (8.0.0/head, atm) for ops behind an ssl terminating proxy. In "standalone.xml" I want to change, <server name="default-server"> <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/> <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/> to, <server name="default-server"> <http-listener name="default" socket-binding="http" enable-http2="true" proxy-address-forwarding="true" /> <https-listener name="https" socket-binding="https" enable-http2="true" security-realm="UndertowRealm" /> I'd like to do this with scripting CLI, eventually for orchestrated deployment. checking mgmt access, open/display of gui /opt/keycloak/bin/jboss-cli.sh \ --connect \ --controller=10.0.0.1:9990 \ --properties=/etc/keycloak/jboss.properties \ --user=mgmtuser \ --password=mgmtpass \ --gui works fine -- I can read all my controller's data/props/etc. I've created a script/batch input file cat /tmp/https.cli /subsystem=undertow/server=default-server/http-listener=default/:list-clear /subsystem=undertow/server=default-server/https-listener=https/:list-clear /subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=socket-binding,value=http):write-attribute(name=enable-http2,value=true):write-attribute(name=proxy-address-forwarding,value=false) /subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=socket-binding,value=https):write-attribute(name=enable-http2,value=true):write-attribute(name=security-realm,value=UndertowRealm) but exec of cli, with that^ input, fails /opt/keycloak/bin/jboss-cli.sh \ --connect \ --controller=10.0.0.1:9990 \ --properties=/etc/keycloak/jboss.properties \ --user=mgmtuser \ --password=mgmtpass \ --file=/etc/keycloak/https-setup.cli \ Failed to connect to the controller: Unable to authenticate against controller at 10.0.0.1:9990: Authentication failed: all available authentication mechanisms failed: DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication in 'standalone.xml', the auth mech IS defined, ... <sasl> <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" s <mechanism-configuration> <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/> <mechanism-realm realm-name="ApplicationRealm"/> </mechanism> </mechanism-configuration> </sasl-authentication-factory> <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" se <mechanism-configuration> <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/> <mechanism-realm realm-name="ManagementRealm"/> </mechanism> </mechanism-configuration> </sasl-authentication-factory> ... WHY is that mech being rejected? Where are the allowed/available auth "mechanism-name" listed/documented? And, ideally, their usage?