[keycloak-user] Configuring Keycloak in Standalone Clustered Mode

Dmitry Telegin dt at acutus.pro
Tue Jul 10 08:35:43 EDT 2018


Hi Rafael,

In Keycloak, clustering is implemented via Infinispan [1] (a
distributed cache), which in turn uses JGroups [2] as a communication
layer. By default, nodes use IP multicast for discovery (MPING in
JGroups terminology). So as long as your nodes live in the same private
network that supports multicast, you should be fine.

If IP multicast is restricted (e.g. on AWS), one can use alternate
discovery methods like JDBC_PING (using a shared database) or S3_PING
(obviously, using S3).

See Keycloak documentation on network setup for clustering [3], as well
as Infinispan and JGroups docs on the same.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] http://infinispan.org
[2] http://www.jgroups.org
[3] https://www.keycloak.org/docs/latest/server_installation/index.html#_clustering

On Sat, 2018-07-07 at 09:09 -0300, Rafael Weingärtner wrote:
> Hello Keycloak communities,
> 
> I am configuring Keycloak for production, and we will need to use it in a
> clustered fashion. I have read about the two possible deployment scenarios
> “Standalone clustered mode” and “domain clustered mode”. It seems that
> the “Standalone clustered mode” is the simpler one. Also, we will be using
> Docker to deploy Keycloak. Therefore, we will not have the burden of
> managing configuration files manually. The update (configurations and/or
> Keycloak versions) should always be a matter of stopping and starting a new
> version of the Docker container.
> 
> I have one doubt though. It seems pretty magical that to configure Keycloak
> in HA mode I only need to use “standalone-ha.xml”. How does the discovery
> process of nodes happen? I mean, are the replicates communicating with each
> other directly, or is everything via a shared database? Do I need to expose
> some specific port from my Keycloaks replicas to the network? Or only the
> standard 443/80 is enough?
> 
> Thanks in advance for your help ;)
> 
> --
> Rafael Weingärtner
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
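
The discovery and port question in this thread can be checked directly against a node's configuration. The following is an added example, not part of the original messages and not Keycloak or JGroups code: it lists, per JGroups stack, the discovery protocol, the sockets the stack opens, and whether it depends on multicast. The function names, the `tcp-jdbc` stack and all values in the sample fragment are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed standalone-ha.xml-style fragment, not a real config.
SAMPLE = """<server xmlns="urn:jboss:domain:5.0"><profile>
 <subsystem xmlns="urn:jboss:domain:jgroups:5.0"><stacks>
  <stack name="tcp">
   <transport type="TCP" socket-binding="jgroups-tcp"/>
   <protocol type="MPING" socket-binding="jgroups-mping"/>
  </stack>
  <stack name="tcp-jdbc">
   <transport type="TCP" socket-binding="jgroups-tcp"/>
   <protocol type="JDBC_PING"/>
  </stack>
 </stacks></subsystem></profile>
 <socket-binding-group name="standard-sockets" default-interface="public">
  <socket-binding name="jgroups-mping" interface="private" port="0"
                  multicast-address="230.0.0.4" multicast-port="45700"/>
  <socket-binding name="jgroups-tcp" interface="private" port="7600"/>
 </socket-binding-group></server>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def cluster_exposure(xml_text):
    """Per JGroups stack: discovery protocol(s), sockets opened, multicast need."""
    root = ET.fromstring(xml_text)
    group = next(e for e in root.iter() if local(e.tag) == "socket-binding-group")
    default_iface = group.get("default-interface")
    bindings = {b.get("name"): b for b in group if local(b.tag) == "socket-binding"}
    report = []
    for stack in (e for e in root.iter() if local(e.tag) == "stack"):
        layers = [c for c in stack if c.get("type")]
        entry = {"stack": stack.get("name"),
                 # Heuristic: the discovery protocols named in this thread end in PING.
                 "discovery": [c.get("type") for c in layers if c.get("type").endswith("PING")],
                 "sockets": [], "needs_multicast": False, "on_default_interface": False}
        for ref in dict.fromkeys(c.get("socket-binding") for c in layers):
            sb = bindings.get(ref)
            if sb is None:  # layer without a socket (e.g. JDBC_PING uses the database)
                continue
            iface = sb.get("interface", default_iface)  # no attribute -> default interface
            entry["sockets"].append((ref, iface, sb.get("port"), sb.get("multicast-port")))
            entry["needs_multicast"] |= sb.get("multicast-address") is not None
            # Assumption: the default interface is the client-facing (HTTP) one.
            entry["on_default_interface"] |= iface == default_iface
        report.append(entry)
    return report

if __name__ == "__main__":
    for row in cluster_exposure(SAMPLE):
        print(row)
```

A stack reported with `on_default_interface` set carries cluster traffic on the same interface as client traffic, so its sockets need their own firewall rule limiting them to the other cluster nodes.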

