keycloak-scim/server_installation/topics/operating-mode/crossdc/proc-configuring-remote-cache.adoc
2021-02-02 20:59:48 +01:00

[id="proc-configuring-remote-cache-{context}"]
= Configuring Remote Cache Stores on {project_name}
After you set up remote {jdgserver_name} clusters to back up {jdgserver_name} data, you can configure the Infinispan subsystem to use those clusters as remote stores.
.Prerequisites
* Set up remote {jdgserver_name} clusters that can back up {jdgserver_name} data.
* Create a truststore that contains the SSL certificate with the {jdgserver_name} Server identity.
.Procedure
. Add the truststore to the {project_name} deployment.
. Create a socket binding that points to your {jdgserver_name} cluster.
+
[source,xml,options="nowrap",subs=attributes+]
----
<outbound-socket-binding name="remote-cache"> <1>
    <remote-destination host="${remote.cache.host:server_hostname}" <2>
                        port="${remote.cache.port:11222}"/> <3>
</outbound-socket-binding>
----
<1> Names the socket binding as `remote-cache`.
<2> Specifies one or more hostnames for the {jdgserver_name} cluster.
<3> Defines the port on which the Hot Rod endpoint listens, `11222` unless overridden with the `remote.cache.port` system property.
+
. Add the `org.keycloak.keycloak-model-infinispan` module to the `keycloak` cache container in the Infinispan subsystem.
+
[source,xml,options="nowrap",subs=attributes+]
----
<subsystem xmlns="urn:jboss:domain:infinispan:11.0">
    <cache-container name="keycloak" module="org.keycloak.keycloak-model-infinispan">
----
+
. Create a `hotrod-client.properties` file with the following content:
+
[source,properties,options="nowrap",subs=attributes+]
----
infinispan.client.hotrod.server_list = server1:11222
infinispan.client.hotrod.auth_username = myuser
infinispan.client.hotrod.auth_password = qwer1234!
infinispan.client.hotrod.auth_realm = default
infinispan.client.hotrod.auth_server_name = infinispan
infinispan.client.hotrod.sasl_mechanism = SCRAM-SHA-512
infinispan.client.hotrod.trust_store_file_name = /path/to/truststore.jks
infinispan.client.hotrod.trust_store_type = JKS
infinispan.client.hotrod.trust_store_password = password
----
. Update a replicated cache named `work` that is in the Infinispan subsystem with the following configuration:
+
[source,xml,options="nowrap",subs=attributes+]
----
<replicated-cache name="work"> <1>
    <remote-store cache="work" <2>
                  remote-servers="remote-cache" <3>
                  passivation="false"
                  fetch-state="false"
                  purge="false"
                  preload="false"
                  shared="true">
        <property name="rawValues">true</property>
        <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
    </remote-store>
</replicated-cache>
----
<1> Names the cache in the {jdgserver_name} configuration.
<2> Names the corresponding cache on the remote {jdgserver_name} cluster.
<3> Specifies the `remote-cache` socket binding.
+
The preceding cache configuration includes recommended settings for {jdgserver_name} caches.
Hot Rod client configuration properties specify the {jdgserver_name} user credentials and SSL keystore and truststore details.
+
Refer to the
ifeval::[{project_community}==true]
https://infinispan.org/docs/11.0.x/titles/xsite/xsite.html#configure_clients-xsite[{jdgserver_name} documentation]
endif::[]
ifeval::[{project_product}==true]
https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html-single/data_grid_guide_to_cross-site_replication/index#configure_clients-xsite[{jdgserver_name} documentation]
endif::[]
for descriptions of each property.
. Add distributed caches to the Infinispan subsystem for each of the following caches:
+
* sessions
* clientSessions
* offlineSessions
* offlineClientSessions
* actionTokens
* loginFailures
+
For example, add a cache named `sessions` with the following configuration:
+
[source,xml,options="nowrap",subs=attributes+]
----
<distributed-cache name="sessions" <1>
                   owners="1"> <2>
    <remote-store cache="sessions" <3>
                  remote-servers="remote-cache" <4>
                  passivation="false"
                  fetch-state="false"
                  purge="false"
                  preload="false"
                  shared="true">
        <property name="rawValues">true</property>
        <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
    </remote-store>
</distributed-cache>
----
<1> Names the cache in the {jdgserver_name} configuration.
<2> Configures one replica of each cache entry across the {jdgserver_name} cluster.
<3> Names the corresponding cache on the remote {jdgserver_name} cluster.
<4> Specifies the `remote-cache` socket binding.
+
. Start each {project_name} server with `hotrod-client.properties` on the classpath, for example:
+
[source,bash,options="nowrap",subs=attributes+]
----
./standalone.sh -c standalone-ha.xml -Djboss.node.name=node11 -Djboss.site.name=site1 \
-Djboss.default.multicast.address=234.56.78.1 -Dremote.cache.host=server1 \
-Djava.net.preferIPv4Stack=true -b _PUBLIC_IP_ADDRESS_ \
-P path/to/hotrod-client.properties
----
+
. Check server logs for the following messages:
+
[source,options="nowrap",subs=attributes+]
----
Received new cluster view for channel keycloak: [node11|1] (2) [node11, node12]
----
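
To check a `standalone-ha.xml` against the settings in the preceding steps before starting the servers, the following Python script (an added example, not part of {project_name} or of this procedure) parses the Infinispan subsystem and reports every cache that deviates from the recommended remote-store configuration. The `lint_keycloak_caches` and `cache_xml` names and the sample configuration are constructed for this example; the sample contains one correct cache, one that is not `shared`, and omits the rest.

```python
# Added example (not Keycloak code): lint the Infinispan subsystem of standalone-ha.xml against the procedure.
import xml.etree.ElementTree as ET

MODULE = "org.keycloak.keycloak-model-infinispan"
MARSHALLER = "org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory"
REMOTE_BACKED_CACHES = ["work", "sessions", "clientSessions", "offlineSessions",
                        "offlineClientSessions", "actionTokens", "loginFailures"]
EXPECTED_STORE_ATTRS = {"passivation": "false", "fetch-state": "false",
                        "purge": "false", "preload": "false", "shared": "true"}
local = lambda tag: tag.rsplit("}", 1)[-1]  # drop the urn:jboss:domain:infinispan namespace prefix

def lint_keycloak_caches(xml_text, binding="remote-cache"):
    """Return findings as strings; an empty list means the config matches the procedure."""
    root = ET.fromstring(xml_text)
    container = next((e for e in root.iter() if local(e.tag) == "cache-container"
                      and e.get("name") == "keycloak"), None)
    if container is None:
        return ["no cache-container named 'keycloak'"]
    findings = [] if container.get("module") == MODULE else [f"cache-container 'keycloak' lacks module {MODULE}"]
    for name in REMOTE_BACKED_CACHES:
        cache = next((c for c in container if c.get("name") == name), None)
        store = next((s for s in (cache if cache is not None else []) if local(s.tag) == "remote-store"), None)
        if store is None:
            findings.append(f"cache '{name}' is missing or has no remote-store")
            continue
        if store.get("cache") != name or store.get("remote-servers") != binding:
            findings.append(f"cache '{name}' remote-store must target cache '{name}' via '{binding}'")
        for attr, want in EXPECTED_STORE_ATTRS.items():
            if store.get(attr) != want:
                findings.append(f"cache '{name}' remote-store {attr} should be {want}")
        props = {p.get("name"): (p.text or "").strip() for p in store if local(p.tag) == "property"}
        if props.get("rawValues") != "true" or props.get("marshaller") != MARSHALLER:
            findings.append(f"cache '{name}' remote-store needs rawValues=true and the Keycloak marshaller")
    return findings

def cache_xml(kind, name, shared):  # constructed cache definition shaped like the procedure's
    return (f'<{kind} name="{name}"><remote-store cache="{name}" remote-servers="remote-cache" '
            f'passivation="false" fetch-state="false" purge="false" preload="false" shared="{shared}">'
            f'<property name="rawValues">true</property><property name="marshaller">{MARSHALLER}</property>'
            f'</remote-store></{kind}>')

# Constructed sample: 'work' follows the procedure, 'sessions' is not shared, the other caches are absent.
SAMPLE_XML = ('<subsystem xmlns="urn:jboss:domain:infinispan:11.0">'
              f'<cache-container name="keycloak" module="{MODULE}">'
              + cache_xml("replicated-cache", "work", "true")
              + cache_xml("distributed-cache", "sessions", "false")
              + '</cache-container></subsystem>')

if __name__ == "__main__":
    print("\n".join(lint_keycloak_caches(SAMPLE_XML)))
```

Run it against a real `standalone-ha.xml` by passing the file contents to `lint_keycloak_caches`; an empty result means every listed cache is backed by the `remote-cache` socket binding with the recommended attributes.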
ifeval::[{project_product}==true]
[role="_additional-resources"]
.Additional resources
link:https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html-single/configuring_data_grid/index[Data Grid Configuration Guide] +
link:https://access.redhat.com/webassets/avalon/d/red-hat-data-grid/8.1/api/org/infinispan/client/hotrod/configuration/package-summary.html[Hot Rod Client Configuration API] +
link:https://access.redhat.com/webassets/avalon/d/red-hat-data-grid/8.1/configdocs/[Data Grid Configuration Schema Reference]
endif::[]