[keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster

mahendra sonawale mahson1 at gmail.com
Wed Nov 15 08:38:13 EST 2017 

Hello Cedric/Keycloak User comm,

Sorry for getting back late over this. my set-up needs Admin team`s
intervention to change the broadcast value hence the delay in response.

I got /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts value changed to 0

And also tested the multicast set-up message test with "McastReceiverTest"
and "McastSenderTest" which works fine.

BUT KEYCLOAK is still NOT working in cluster. I get auto logged out.

PFA the HA file which I am using in my configuration.

IP addresses are dummy.
Node 1 : 1.2.3.4
Node 2 : 1.2.3.5

This all I tried.
1) Start command - nohup ./bin/standalone.sh
--server-config=standalone-ha.xml -b $HOSTNAME -u 230.0.0.4 &
2) Tried to run both the nodes with public as well as private interface -
but no luck.
3) I have hardware load balancer where SSL terminates. so domain will
communicate to the both the nodes in round robin and both nodes should be

4) PFB the HTTPD Conf

-------------------------
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule remoteip_module modules/mod_remoteip.so

ProxyPreserveHost On
LimitRequestFieldSize 163840
LimitRequestLine 163840

#<VirtualHost _default_:80>
 ServerName rapid.gi-de.com:443
 ErrorLog /opt/keycloak/fiam_error_log
 CustomLog /opt/keycloak/fiam_access_log combined
 LogLevel warn

RequestHeader set X-Forwarded-Proto "https"

<Proxy https://abc.com/* >
 RewriteEngine on
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 # not rewrite css, js and images
 RewriteCond %{REQUEST_URI} !\.(?:css|js|map|jpe?g|gif|png)$ [NC]
 RewriteRule ^(.*)$ /auth [NC,L,QSA]
#Options -Indexes FollowSymLinks
 AllowOverride None
 Order allow,deny
 Allow from all
</Proxy>


ProxyPass /auth http://1.2.3.4:8080/auth
ProxyPassReverse /auth http://1.2.3.4:8080/auth

------------------
And on 2nd node only proxy pass has change in IP address as 1.2.3.5

6) Server logs:
2017-11-15 14:03:06,255 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
thread 1-2) ISPN000094: Received new cluster view for channel keycloak:
[keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,256 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
thread 1-7) ISPN000094: Received new cluster view for channel hibernate:
[keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,259 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
thread 1-8) ISPN000094: Received new cluster view for channel web:
[keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,263 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
thread 1-1) ISPN000094: Received new cluster view for channel server:
[keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,263 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
thread 1-7) ISPN000079: Channel hibernate local address is
keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
2017-11-15 14:03:06,264 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
thread 1-1) ISPN000079: Channel server local address is
keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]
2017-11-15 14:03:06,264 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
thread 1-3) ISPN000094: Received new cluster view for channel ejb:
[keycloak1.accounts.intern|0] (1) [keycloak1.accounts.intern]
2017-11-15 14:03:06,265 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service
thread 1-3) ISPN000079: Channel ejb local address is
keycloak1.accounts.intern, physical addresses are [1.2.3.4:55200]




ProxyPass /auth http://1.2.3.4:8080/auth
ProxyPassReverse /auth http://1.2.3.4:8080/auth

Thanks,
Mahendra






On Thu, Nov 9, 2017 at 6:35 PM, Cédric Couralet <cedric.couralet at gmail.com>
wrote:

> 2017-11-09 12:34 GMT+01:00 mahendra sonawale <mahson1 at gmail.com>:
> > (You can look for the value in
> > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, it should be 0)
> >
> > In our production linux env the value is 1 --  does that really affect??
> > and would that be the only cause?
> >
>
> Yes, it is important. At least for us, changing this value to 0 was
> enough to have a working cluster.
> As I understand it, the value 1 is a protection against DOS but, in
> the case of Keycloak prevents each node to discover the others. In a
> controlled environment (as recommended in the keycloak docs), I see no
> problem enabling it.
>
> I'm far for expert, so maybe someone will have a better idea.
>

More information about the keycloak-user mailing list