On Jan 19, 2015, at 11:02 AM, Marek Posolda <mposolda(a)redhat.com&gt; wrote: oops, sorry. The server-info page was added recently and it's not in 1.1.Beta2. It would be available in 1.1.0.Final (or alternative is to build keycloak from master). Anyway, if you enable debug logging for org.keycloak.services.DefaultKeycloakSessionFactory you should see in server.log which providers are used and hence you should see 'infinispan' for realmCache, userCache and userSessions. We also recently added "Troubleshooting" page to clustering docs, which might help you to figure out what ports are needed https://github.com/keycloak/keycloak/blob/master/docbook/reference/en/en-... . You can try to temporarily disable firewall and see if it helps with cluster communication. Then you can figure more accurately which ports you need to open. But generally we rely on infinispan/jgroups for cluster, so more info about cluster config and switch between udp/tcp should be available in their docs. Marek > On 19.1.2015 13:32, prab rrrr wrote: > Hi Marek - Thanks for the below pointers. I believe my setup is good but probably the udp communication is blocked in my organization as I do not see the specific log you mentioned. Here are some of the log messages I see: > > Starting JGroups channel > Received new cluster view ... node 1 (no information about node2) > > I will look at JGroups documentation to have the communication setup using tcp on a different port. Hopefully that would address the problem. > > I tried out the url you provided to verify the setup but it doesn't work - checked on two different setups. fyi - I am using 1.1Beta2 version. > > Regards, > Raghu > From: Marek Posolda <mposolda(a)redhat.com&gt; > To: prab rrrr <prabhalar(a)yahoo.com>; Keycloak-user <keycloak-user(a)lists.jboss.org&gt; > Sent: Monday, January 19, 2015 6:09 AM > Subject: Re: [keycloak-user] Keycloak Clustering Issues > > That's quite strange. I've just tested same scenario and works fine for me. If you do any change on user, the user is invalidated from cache on node-1 and this change about invalidation should be propagated to node-2 . As long as you have shared database, node-2 should then retrieve newest data about shared user from database. > > I would suggest to try this: > > * Make sure that your infinispan cluster is correctly set. You can check it by seeing the message similar to this in server.log of both nodes: node_1 | 10:49:50,344 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) ISPN000094: Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak] > > * Make sure that you enable "infinispan" as provider of realmCache and userCache and configured connectionsInfinispan . When you open admin console on any node like: http://node-1:8080/auth/admin/master/console/index.html#/server-info > > you should see: > connectionsInfinispan default > realmCache infinispan > userCache infinispan > userSessions infinispan > > * If still seeing issues, you can try to enable trace logging for "org.keycloak.models.cache.infinispan" category. > > Hope this helps, > Marek > > >> On 17.1.2015 04:32, prab rrrr wrote: >> >> >> Anyone noticed any issues with Infinispan? I saw a weird issue. After setting up a cluster with two nodes, made some changes on node-1 (created a user and changed the first name). While the user appeared on node-2, the change to the first name didn't make it. Restarting the node-2 didn't help either. Wondering if Infinispan is preventing all the changes to be picked up from database. If so, what settings would ensure that the data is consistent between the nodes? >> >> Thanks, >> Raghu >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user

Hi Marek - Need some more help from you. I have a cluster of two nodes now and I see the below message on both the nodes after I utilized tcp instead of udp. > Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, > node2/keycloak] > > While testing the SAML IDP functionality using Spring SAML as service > provider, I noticed that the session information on one node was not > getting replicated on the second one (after successfully logging in > with 1st node, I took it down and the second node redirected me to > login page instead of picking up from where the first one left off) > > Tried to increase logging for INFINISPAN and JGroups in > standalone.xml but didn't see any change in logs. Any suggestions on > how I can figure out what is happening? > > Thanks, > Raghu ------------------------------------------------------------------------ *From:* Raghu Prabhala <prabhalar(a)yahoo.com&gt; *To:* Marek Posolda <mposolda(a)redhat.com&gt; *Cc:* Keycloak-user <keycloak-user(a)lists.jboss.org&gt; *Sent:* Friday, January 23, 2015 2:19 PM *Subject:* Re: [keycloak-user] Keycloak Clustering Issues Figured out the issue. Udp communication was not allowed. So switched to "tcp". Updated the Jira 979 with the settings for tcp. Please update your documentation so that it can benefit others Sent from my iPhone On Jan 19, 2015, at 11:02 AM, Marek Posolda <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote: oops, sorry. The server-info page was added recently and it's not in 1.1.Beta2. It would be available in 1.1.0.Final (or alternative is to build keycloak from master). Anyway, if you enable debug logging for org.keycloak.services.DefaultKeycloakSessionFactory you should see in server.log which providers are used and hence you should see 'infinispan' for realmCache, userCache and userSessions. We also recently added "Troubleshooting" page to clustering docs, which might help you to figure out what ports are needed https://github.com/keycloak/keycloak/blob/master/docbook/reference/en/en-... . You can try to temporarily disable firewall and see if it helps with cluster communication. Then you can figure more accurately which ports you need to open. But generally we rely on infinispan/jgroups for cluster, so more info about cluster config and switch between udp/tcp should be available in their docs. Marek On 19.1.2015 13:32, prab rrrr wrote: > Hi Marek - Thanks for the below pointers. I believe my setup is good > but probably the udp communication is blocked in my organization as I > do not see the specific log you mentioned. Here are some of the log > messages I see: > > Starting JGroups channel > Received new cluster view ... node 1 (no information about node2) > I will look at JGroups documentation to have the communication setup > using tcp on a different port. Hopefully that would address the problem. > > I tried out the url you provided to verify the setup but it doesn't > work - checked on two different setups. fyi - I am using 1.1Beta2 > version. > > Regards, > Raghu > ------------------------------------------------------------------------ > *From:* Marek Posolda <mposolda(a)redhat.com&gt; <mailto:mposolda@redhat.com> > *To:* prab rrrr <prabhalar(a)yahoo.com&gt; <mailto:prabhalar@yahoo.com>; > Keycloak-user <keycloak-user(a)lists.jboss.org&gt; > <mailto:keycloak-user@lists.jboss.org> > *Sent:* Monday, January 19, 2015 6:09 AM > *Subject:* Re: [keycloak-user] Keycloak Clustering Issues > > That's quite strange. I've just tested same scenario and works fine > for me. If you do any change on user, the user is invalidated from > cache on node-1 and this change about invalidation should be > propagated to node-2 . As long as you have shared database, node-2 > should then retrieve newest data about shared user from database. > > I would suggest to try this: > > * Make sure that your infinispan cluster is correctly set. You can > check it by seeing the message similar to this in server.log of both > nodes: node_1 | 10:49:50,344 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (Incoming-10,shared=udp) ISPN000094: Received new cluster view: > [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak] > > * Make sure that you enable "infinispan" as provider of realmCache > and userCache and configured connectionsInfinispan . When you open > admin console on any node like: > http://node-1:8080/auth/admin/master/console/index.html#/server-info > <http://localhost:8080/auth/admin/master/console/index.html#/server-info> > > you should see: > connectionsInfinispan default > realmCache infinispan > userCache infinispan > userSessions infinispan > > * If still seeing issues, you can try to enable trace logging for > "org.keycloak.models.cache.infinispan" category. > > Hope this helps, > Marek > > > On 17.1.2015 04:32, prab rrrr wrote: >> >> >> Anyone noticed any issues with Infinispan? I saw a weird issue. >> After setting up a cluster with two nodes, made some changes on >> node-1 (created a user and changed the first name). While the user >> appeared on node-2, the change to the first name didn't make it. >> Restarting the node-2 didn't help either. Wondering if Infinispan is >> preventing all the changes to be picked up from database. If so, >> what settings would ensure that the data is consistent between the >> nodes? >> >> Thanks, >> Raghu >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >