6:57 p.m.
Hi,
Correction, I *thought* everything was running in Wildfly domain mode. It turns out I
just got lucky by hitting the same server node in my initial test. After a reboot and
further testing today, I’m not able to login to the Keycloak admin console when both nodes
in my cluster are running. After attempting login, I am either taken back to a blank
login page, or I see error “Unknown code, please login again through your application.”
Once in awhile, I can login without error. I should note that I’m using an Apache reverse
proxy via mod_cluster.
I see no errors in the server logs. I do see message “JBAS010281: Started <x> cache
from keycloak container” for each of “realms”, “sessions”, “loginFailures”, “users”. So,
it looks like my domain config is working. However, I can’t tell for sure that Keycloak
is attempting to use the infinispan caches. Some additional log output showing the values
from keycloak-server.json would be helpful. I used the CLI to upload
“/profile=full-ha/subsystem=keycloak/auth-server=keycloak-1/:update-server-config(bytes-to-upload=/usr/local/wildfly/domain/configuration/keycloak-server.json~,overwrite=true)”
The response was “success” and then I restarted Wildfly on both nodes in the cluster.
Has anyone been able to get Keycloak 1.1 Beta 2 working in a wildfly domain, and using
mod_cluster? If so, could you please provide guidance?
Thanks,
John
From: Schneider, John DODGE CONSULTING SERVICES, LLC
Sent: Monday, December 08, 2014 6:43 PM
To: keycloak-user(a)lists.jboss.org
Subject: 1.1 documentation update for running in domain HA mode
Hi guys,
Thanks so much for getting clustering support working in 1.1. I have it up and running
well in a Wildfly 8 domain setup under the “full-ha” profile. One thing that I was
pulling my hair out about for a while today were some errors related to Infinispan config.
I figured out that if running in HA cluster, you must include the “transport” element
under the cache-container config (i.e. <transport lock-timeout=”60000” />). It
would be great if you could update Chapter 23 of the documentation to reflect this
requirement.
Thanks,
John
6:55 a.m.
Are you using shared database among both cluster nodes? Also when you
start node1 and then start node2, you should see some message similar to
this in the log of node1, which indicates that cluster nodes are connected:
wfnode_1 | 11:28:30,888 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(Incoming-1,shared=udp) ISPN000094: Received new cluster view:
[wfnode1/web|1] (2) [wfnode1/web, wfnode2/web]
wfnode_1 | 11:28:33,767 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(Incoming-10,shared=udp) ISPN000094: Received new cluster view:
[wfnode1/keycloak|1] (2) [wfnode1/keycloak, wfnode2/keycloak]
For more logging of which provider is used by keycloak-server.json, you
can enable DEBUG logging for keycloak in standalone-full.xml (or
domain.xml or whatever you are using):
<logger category="org.keycloak">
<level name="DEBUG"/>
</logger>
Also I think that editing file
|standalone/configuration/keycloak-server.json is just for standalone,
but probably doesn't work for wildfly domain.
|
Maybe you can first try if cluster works in standalone configuration. If
it helps, we can figure the domain later.
Marek
On 10.12.2014 00:57, Schneider, John DODGE CONSULTING SERVICES, LLC wrote:
Hi,
Correction, I **thought** everything was running in Wildfly domain
mode. It turns out I just got lucky by hitting the same server node
in my initial test. After a reboot and further testing today, I’m not
able to login to the Keycloak admin console when both nodes in my
cluster are running. After attempting login, I am either taken back
to a blank login page, or I see error “Unknown code, please login
again through your application.” Once in awhile, I can login without
error. I should note that I’m using an Apache reverse proxy via
mod_cluster.
I see no errors in the server logs. I do see message “JBAS010281:
Started <x> cache from keycloak container” for each of “realms”,
“sessions”, “loginFailures”, “users”. So, it looks like my domain
config is working. However, I can’t tell for sure that Keycloak is
attempting to use the infinispan caches. Some additional log output
showing the values from keycloak-server.json would be helpful. I used
the CLI to upload
“/profile=full-ha/subsystem=keycloak/auth-server=keycloak-1/:update-server-config(bytes-to-upload=/usr/local/wildfly/domain/configuration/keycloak-server.json~,overwrite=true)”
The response was “success” and then I restarted Wildfly on both nodes
in the cluster.
Has anyone been able to get Keycloak 1.1 Beta 2 working in a wildfly
domain, and using mod_cluster? If so, could you please provide guidance?
Thanks,
John
*From:*Schneider, John DODGE CONSULTING SERVICES, LLC
*Sent:* Monday, December 08, 2014 6:43 PM
*To:* keycloak-user(a)lists.jboss.org
*Subject:* 1.1 documentation update for running in domain HA mode
Hi guys,
Thanks so much for getting clustering support working in 1.1. I have
it up and running well in a Wildfly 8 domain setup under the “full-ha”
profile. One thing that I was pulling my hair out about for a while
today were some errors related to Infinispan config. I figured out
that if running in HA cluster, you must include the “transport”
element under the cache-container config (i.e. <transport
lock-timeout=”60000” />). It would be great if you could update
Chapter 23 of the documentation to reflect this requirement.
Thanks,
John
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:07 p.m.
New subject: [External] Re: 1.1 Beta2 in Wildfly cluster
Hi Marek,
Thanks for getting back to me. I did see the ISPN000094 message you described in my log
files, but it didn’t look like the messages you listed. My messages only noted one node.
After disabling the firewall on both nodes, Keycloak is now working in domain mode with
Infinispan providers in my config. Now I just have to figure out all the ports necessary
for JGroups to function correctly. Once I figure this out, I will respond back.
Hopefully you can add this info to the documentation to help others out in the future.
Thanks again for your help,
John
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Friday, December 12, 2014 6:56 AM
To: Schneider, John DODGE CONSULTING SERVICES, LLC; keycloak-user(a)lists.jboss.org
Subject: [External] Re: [keycloak-user] 1.1 Beta2 in Wildfly cluster
Are you using shared database among both cluster nodes? Also when you start node1 and then
start node2, you should see some message similar to this in the log of node1, which
indicates that cluster nodes are connected:
wfnode_1 | 11:28:30,888 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(Incoming-1,shared=udp) ISPN000094: Received new cluster view: [wfnode1/web|1] (2)
[wfnode1/web, wfnode2/web]
wfnode_1 | 11:28:33,767 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(Incoming-10,shared=udp) ISPN000094: Received new cluster view: [wfnode1/keycloak|1] (2)
[wfnode1/keycloak, wfnode2/keycloak]
For more logging of which provider is used by keycloak-server.json, you can enable DEBUG
logging for keycloak in standalone-full.xml (or domain.xml or whatever you are using):
<logger category="org.keycloak">
<level name="DEBUG"/>
</logger>
Also I think that editing file standalone/configuration/keycloak-server.json is just for
standalone, but probably doesn't work for wildfly domain.
Maybe you can first try if cluster works in standalone configuration. If it helps, we can
figure the domain later.
Marek
On 10.12.2014 00:57, Schneider, John DODGE CONSULTING SERVICES, LLC wrote:
Hi,
Correction, I *thought* everything was running in Wildfly domain mode. It turns out I
just got lucky by hitting the same server node in my initial test. After a reboot and
further testing today, I’m not able to login to the Keycloak admin console when both nodes
in my cluster are running. After attempting login, I am either taken back to a blank
login page, or I see error “Unknown code, please login again through your application.”
Once in awhile, I can login without error. I should note that I’m using an Apache reverse
proxy via mod_cluster.
I see no errors in the server logs. I do see message “JBAS010281: Started <x> cache
from keycloak container” for each of “realms”, “sessions”, “loginFailures”, “users”. So,
it looks like my domain config is working. However, I can’t tell for sure that Keycloak
is attempting to use the infinispan caches. Some additional log output showing the values
from keycloak-server.json would be helpful. I used the CLI to upload
“/profile=full-ha/subsystem=keycloak/auth-server=keycloak-1/:update-server-config(bytes-to-upload=/usr/local/wildfly/domain/configuration/keycloak-server.json~,overwrite=true)”
The response was “success” and then I restarted Wildfly on both nodes in the cluster.
Has anyone been able to get Keycloak 1.1 Beta 2 working in a wildfly domain, and using
mod_cluster? If so, could you please provide guidance?
Thanks,
John
From: Schneider, John DODGE CONSULTING SERVICES, LLC
Sent: Monday, December 08, 2014 6:43 PM
To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: 1.1 documentation update for running in domain HA mode
Hi guys,
Thanks so much for getting clustering support working in 1.1. I have it up and running
well in a Wildfly 8 domain setup under the “full-ha” profile. One thing that I was
pulling my hair out about for a while today were some errors related to Infinispan config.
I figured out that if running in HA cluster, you must include the “transport” element
under the cache-container config (i.e. <transport lock-timeout=”60000” />). It
would be great if you could update Chapter 23 of the documentation to reflect this
requirement.
Thanks,
John
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:09 p.m.
New subject: [External] Re: 1.1 Beta2 in Wildfly cluster
I now have it working with my firewall enabled. The Wildfly config is socket-binding with
name “jgroups-udp”. For an HA domain cluster, this is within socket-binding-group
“ha-sockets”. Default values are UDP port 55200 and multicast port 45688 with multicast
address 230.0.0.4. I think it would be helpful to mention this in the Keycloak docs. The
Wildfly docs for clustering only note information applicable to mod_cluster, which is
different than this.
Thanks,
John
From: Schneider, John DODGE CONSULTING SERVICES, LLC
Sent: Friday, December 12, 2014 1:08 PM
To: 'Marek Posolda'; keycloak-user(a)lists.jboss.org
Subject: RE: [External] Re: [keycloak-user] 1.1 Beta2 in Wildfly cluster
Hi Marek,
Thanks for getting back to me. I did see the ISPN000094 message you described in my log
files, but it didn’t look like the messages you listed. My messages only noted one node.
After disabling the firewall on both nodes, Keycloak is now working in domain mode with
Infinispan providers in my config. Now I just have to figure out all the ports necessary
for JGroups to function correctly. Once I figure this out, I will respond back.
Hopefully you can add this info to the documentation to help others out in the future.
Thanks again for your help,
John
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Friday, December 12, 2014 6:56 AM
To: Schneider, John DODGE CONSULTING SERVICES, LLC;
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: [External] Re: [keycloak-user] 1.1 Beta2 in Wildfly cluster
Are you using shared database among both cluster nodes? Also when you start node1 and then
start node2, you should see some message similar to this in the log of node1, which
indicates that cluster nodes are connected:
wfnode_1 | 11:28:30,888 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(Incoming-1,shared=udp) ISPN000094: Received new cluster view: [wfnode1/web|1] (2)
[wfnode1/web, wfnode2/web]
wfnode_1 | 11:28:33,767 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(Incoming-10,shared=udp) ISPN000094: Received new cluster view: [wfnode1/keycloak|1] (2)
[wfnode1/keycloak, wfnode2/keycloak]
For more logging of which provider is used by keycloak-server.json, you can enable DEBUG
logging for keycloak in standalone-full.xml (or domain.xml or whatever you are using):
<logger category="org.keycloak">
<level name="DEBUG"/>
</logger>
Also I think that editing file standalone/configuration/keycloak-server.json is just for
standalone, but probably doesn't work for wildfly domain.
Maybe you can first try if cluster works in standalone configuration. If it helps, we can
figure the domain later.
Marek
On 10.12.2014 00:57, Schneider, John DODGE CONSULTING SERVICES, LLC wrote:
Hi,
Correction, I *thought* everything was running in Wildfly domain mode. It turns out I
just got lucky by hitting the same server node in my initial test. After a reboot and
further testing today, I’m not able to login to the Keycloak admin console when both nodes
in my cluster are running. After attempting login, I am either taken back to a blank
login page, or I see error “Unknown code, please login again through your application.”
Once in awhile, I can login without error. I should note that I’m using an Apache reverse
proxy via mod_cluster.
I see no errors in the server logs. I do see message “JBAS010281: Started <x> cache
from keycloak container” for each of “realms”, “sessions”, “loginFailures”, “users”. So,
it looks like my domain config is working. However, I can’t tell for sure that Keycloak
is attempting to use the infinispan caches. Some additional log output showing the values
from keycloak-server.json would be helpful. I used the CLI to upload
“/profile=full-ha/subsystem=keycloak/auth-server=keycloak-1/:update-server-config(bytes-to-upload=/usr/local/wildfly/domain/configuration/keycloak-server.json~,overwrite=true)”
The response was “success” and then I restarted Wildfly on both nodes in the cluster.
Has anyone been able to get Keycloak 1.1 Beta 2 working in a wildfly domain, and using
mod_cluster? If so, could you please provide guidance?
Thanks,
John
From: Schneider, John DODGE CONSULTING SERVICES, LLC
Sent: Monday, December 08, 2014 6:43 PM
To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: 1.1 documentation update for running in domain HA mode
Hi guys,
Thanks so much for getting clustering support working in 1.1. I have it up and running
well in a Wildfly 8 domain setup under the “full-ha” profile. One thing that I was
pulling my hair out about for a while today were some errors related to Infinispan config.
I figured out that if running in HA cluster, you must include the “transport” element
under the cache-container config (i.e. <transport lock-timeout=”60000” />). It
would be great if you could update Chapter 23 of the documentation to reflect this
requirement.
Thanks,
John
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:23 a.m.
New subject: [External] Re: 1.1 Beta2 in Wildfly cluster
Thanks, I've added small "troubleshooting" section to our clustering
docs and mentioned this info here.
Cheers,
Marek
On 12.12.2014 20:09, Schneider, John DODGE CONSULTING SERVICES, LLC wrote:
I now have it working with my firewall enabled. The Wildfly config is
socket-binding with name “jgroups-udp”. For an HA domain cluster,
this is within socket-binding-group “ha-sockets”. Default values are
UDP port 55200 and multicast port 45688 with multicast address
230.0.0.4. I think it would be helpful to mention this in the
Keycloak docs. The Wildfly docs for clustering only note information
applicable to mod_cluster, which is different than this.
Thanks,
John
*From:*Schneider, John DODGE CONSULTING SERVICES, LLC
*Sent:* Friday, December 12, 2014 1:08 PM
*To:* 'Marek Posolda'; keycloak-user(a)lists.jboss.org
*Subject:* RE: [External] Re: [keycloak-user] 1.1 Beta2 in Wildfly cluster
Hi Marek,
Thanks for getting back to me. I did see the ISPN000094 message you
described in my log files, but it didn’t look like the messages you
listed. My messages only noted one node. After disabling the firewall
on both nodes, Keycloak is now working in domain mode with Infinispan
providers in my config. Now I just have to figure out all the ports
necessary for JGroups to function correctly. Once I figure this out,
I will respond back. Hopefully you can add this info to the
documentation to help others out in the future.
Thanks again for your help,
John
*From:*Marek Posolda [mailto:mposolda@redhat.com]
*Sent:* Friday, December 12, 2014 6:56 AM
*To:* Schneider, John DODGE CONSULTING SERVICES, LLC;
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
*Subject:* [External] Re: [keycloak-user] 1.1 Beta2 in Wildfly cluster
Are you using shared database among both cluster nodes? Also when you
start node1 and then start node2, you should see some message similar
to this in the log of node1, which indicates that cluster nodes are
connected:
wfnode_1 | 11:28:30,888 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(Incoming-1,shared=udp) ISPN000094: Received new cluster view:
[wfnode1/web|1] (2) [wfnode1/web, wfnode2/web]
wfnode_1 | 11:28:33,767 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(Incoming-10,shared=udp) ISPN000094: Received new cluster view:
[wfnode1/keycloak|1] (2) [wfnode1/keycloak, wfnode2/keycloak]
For more logging of which provider is used by keycloak-server.json,
you can enable DEBUG logging for keycloak in standalone-full.xml (or
domain.xml or whatever you are using):
<logger category="org.keycloak">
<level name="DEBUG"/>
</logger>
Also I think that editing file
|standalone/configuration/keycloak-server.json is just for standalone,
but probably doesn't work for wildfly domain.|
Maybe you can first try if cluster works in standalone configuration.
If it helps, we can figure the domain later.
Marek
On 10.12.2014 00:57, Schneider, John DODGE CONSULTING SERVICES, LLC wrote:
Hi,
Correction, I **thought** everything was running in Wildfly domain
mode. It turns out I just got lucky by hitting the same server
node in my initial test. After a reboot and further testing
today, I’m not able to login to the Keycloak admin console when
both nodes in my cluster are running. After attempting login, I
am either taken back to a blank login page, or I see error
“Unknown code, please login again through your application.” Once
in awhile, I can login without error. I should note that I’m using
an Apache reverse proxy via mod_cluster.
I see no errors in the server logs. I do see message “JBAS010281:
Started <x> cache from keycloak container” for each of “realms”,
“sessions”, “loginFailures”, “users”. So, it looks like my domain
config is working. However, I can’t tell for sure that Keycloak
is attempting to use the infinispan caches. Some additional log
output showing the values from keycloak-server.json would be
helpful. I used the CLI to upload
“/profile=full-ha/subsystem=keycloak/auth-server=keycloak-1/:update-server-config(bytes-to-upload=/usr/local/wildfly/domain/configuration/keycloak-server.json~,overwrite=true)”
The response was “success” and then I restarted Wildfly on both
nodes in the cluster.
Has anyone been able to get Keycloak 1.1 Beta 2 working in a
wildfly domain, and using mod_cluster? If so, could you please
provide guidance?
Thanks,
John
*From:*Schneider, John DODGE CONSULTING SERVICES, LLC
*Sent:* Monday, December 08, 2014 6:43 PM
*To:* keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
*Subject:* 1.1 documentation update for running in domain HA mode
Hi guys,
Thanks so much for getting clustering support working in 1.1. I
have it up and running well in a Wildfly 8 domain setup under the
“full-ha” profile. One thing that I was pulling my hair out about
for a while today were some errors related to Infinispan config.
I figured out that if running in HA cluster, you must include the
“transport” element under the cache-container config (i.e.
<transport lock-timeout=”60000” />). It would be great if you
could update Chapter 23 of the documentation to reflect this
requirement.
Thanks,
John
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
3416
days inactive
3423
days old
4 comments
2 participants
participants (2)
-
Marek Posolda -
Schneider, John DODGE CONSULTING SERVICES, LLC