[keycloak-dev] Cross-datacenter configuration issues
Marek Posolda
mposolda at redhat.com
Thu Mar 1 03:25:49 EST 2018
I've just simulated the issue and created
https://issues.jboss.org/browse/KEYCLOAK-6783 . I am looking at it.

What works and what we tested is:

* Setup with infinispan-server-8.2.8 on "local" network (infinispan
  server bound on loopback address like "localhost" . Different
  infinispan servers running on the same laptop, but on various port
  offsets)
* Setup with JDG server 7.1.0 on "local" network (JDG server bound on
  loopback address like "localhost" . Different JDG servers running on
  the same laptop, but on various port offsets)
* Setup with infinispan-server-8.2.8 on "real" network (testing with
  infinispan hosts bound to real host with IP addresses like 192.168.0.1 )

We didn't test the combination with JDG server bound on "real" addresses
and this is the only one where the issue happens.

It seems JDG 7.1.0 has some additional security when compared with the
community infinispan-server 8.2.8 .

The easiest workaround for you might be to test with community
infinispan-server 8.2.8 instead of JDG 7.1.0 . Server can be downloaded
from this address:
http://downloads.jboss.org/infinispan/8.2.8.Final/infinispan-server-8.2.8.Final-bin.zip .

I hope to update you later today once I have some more info. Thanks for
the report and all the details you mentioned.

Marek

On 28/02/18 21:36, Jared Blashka wrote:
> Hey all,
>
> I'm working on testing out the cross-datacenter replication
> configuration in our development environment and I'm running into some
> issues.
>
> I stood up some JDG 7.1 instances and some RH-SSO 7.2 instances all
> running on my localhost all with different port offsets, followed the
> instructions[1], and everything seemed to work well enough.
>
> Once I got beyond that and tried running RH-SSO and JDG on separate
> servers I started running into issues[2] during RH-SSO startup. Looks
> like RH-SSO is unable to connect to the remote ___script_cache but
> that cache isn't mentioned anywhere in the RH-SSO documentation. The
> error message (and online searching) indicates that this cache only
> allows remote connections if authorization is enabled. I didn't see
> any mention of configuration related to authentication or security for
> the remote caches in the documentation either.
>
> At this point we roped in a JDG expert (cc'ed here) and found some
> additional Infinispan documentation[3] on how to add authentication to
> the *remote* caches within the JDG configuration but nothing much in
> the way of adding authentication to the client cache configuration
> inside RH-SSO that didn't involve programmatic changes. After some
> additional searching we found some info[4] detailing how to add
> security configurations to a remote-cache configuration in Infinispan
> *9.1* but EAP 7.1 is only running Infinispan *8.2* which doesn't have
> these changes.
>
> How did you get this working?
>
> Jared Blashka - Identity & Access Management
>
>
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/pdf/server_installation_and_configuration_guide/Red_Hat_Single_Sign-On-7.2-Server_Installation_and_Configuration_Guide-en-US.pdf#__WKANCHOR_1e
> [2] http://pastebin.test.redhat.com/559674
> [3]
> http://infinispan.org/docs/stable/server_guide/server_guide.html#general_concepts
> [4]
> https://docs.jboss.org/infinispan/9.1/configdocs/infinispan-cachestore-remote-config-9.1.html