keycloak-scim/server_installation/topics/operating-mode/crossdc/proc-setting-up-infinispan.adoc

[id='setting-up-infinispan-{context}']
= Setting Up {jdgserver_name} Clusters
For Cross-Datacenter replication, you start by creating remote {jdgserver_name} clusters that can back up {project_name} data.

.Prerequisites

* Download and install {jdgserver_name} Server {jdgserver_version_latest}.

[NOTE]
====
{jdgserver_name} Server {jdgserver_version_latest} requires Java 11.
====

* Create a user to authenticate client connections from {jdgserver_name}, for example:
+
[source,bash,options="nowrap",subs=attributes+]
----
$ bin/cli.sh user create myuser -p "qwer1234!"
----
+
You specify these credentials in the Hot Rod client configuration when you set up {jdgserver_name}.

* Create an SSL keystore and truststore to secure connections between {jdgserver_name} and {project_name}.

For example, you can use keytool as follows:

[source,bash,options="nowrap",subs=attributes+]
----
# Create a keystore to provide an SSL identity to your {jdgserver_name} cluster
keytool -genkey -alias server -keyalg RSA -keystore server.jks -keysize 2048

# Export an SSL certificate from the keystore
keytool -exportcert -keystore server.jks -alias server -file server.crt

# Import the SSL certificate into a truststore that {jdgserver_name} can use to verify the SSL identity for {jdgserver_name}
keytool -importcert -keystore truststore.jks -alias server -file server.crt
rm server.crt
----

.Procedure

. Open `infinispan.xml` for editing.
+
By default, {jdgserver_name} Server uses `server/conf/infinispan.xml` for static configuration such as cluster transport and security mechanisms. 

. Create a stack the uses TCPPING. The default tcp stack finds nodes by using IP multicast, which is typically unavailable.
+
[source,xml,options="nowrap",subs=attributes+]
----
<stack name="global-cluster" extends="tcp">
    <!-- Remove MPING protocol from the stack and add TCPPING -->
    <TCPPING initial_hosts="server1[7800],server2[7800]" stack.combine="REPLACE" stack.position="MPING"/>
</stack>
----
+
NOTE: The `initial_hosts` file contains the list of all Infinispan servers at both sites.

. Configure the {jdgserver_name} cluster transport to perform Cross-Datacenter replication.
.. Add the RELAY2 protocol to a JGroups stack.
+
[source,xml,options="nowrap",subs=attributes+]
----
<jgroups>
   <stack name="xsite" extends="udp"> <1>
      <relay.RELAY2 site="site1" <2>
                    max_site_masters="1000"/> <3>
      <remote-sites default-stack="global-cluster"> <4>
         <remote-site name="site1"/>
         <remote-site name="site2"/>
      </remote-sites>
   </stack>
</jgroups>
----
<1> Creates a stack named `xsite` that extends the default UDP cluster transport.
<2> Adds the RELAY2 protocol and names the cluster you are configuring as `site1`. +
The site name must be unique to each {jdgserver_name} cluster.
<3> Sets 1000 as the number of relay nodes for the cluster. You should set a value that is equal to or greater than the maximum number of nodes in your {jdgserver_name} cluster.
<4> Names all {jdgserver_name} clusters that backup caches with {jdgserver_name} data and uses the default TCP stack for inter-cluster transport.
+
.. Configure the {jdgserver_name} cluster transport to use the stack.
+
[source,xml,options="nowrap",subs=attributes+]
----
<cache-container name="default" statistics="true">
      <transport cluster="${infinispan.cluster.name:cluster}"
                 stack="xsite"/> <1>
</cache-container>
----
<1> Uses the `xsite` stack for the cluster.
+
. Configure the keystore as an SSL identity in the server security realm.
+
[source,xml,options="nowrap",subs=attributes+]
----
<server-identities>
  <ssl>
    <keystore path="server.jks" <1>
              relative-to="infinispan.server.config.path"
              keystore-password="password" <2>
              alias="server" /> <3>
  </ssl>
</server-identities>
----
<1> Specifies the path of the keystore that contains the SSL identity.
<2> Specifies the password to access the keystore.
<3> Names the alias of the certificate in the keystore.
+
. Configure the authentication mechanism for the Hot Rod endpoint.
+
[source,xml,options="nowrap",subs=attributes+]
----
<endpoints socket-binding="default">
   <hotrod-connector name="hotrod">
      <authentication>
         <sasl mechanisms="SCRAM-SHA-512" <1>
               server-name="infinispan" /> <2>
      </authentication>
   </hotrod-connector>
   <rest-connector name="rest"/>
</endpoints>
----
<1> Configures the SASL authentication mechanism for the Hot Rod endpoint.  SCRAM-SHA-512 is the default SASL mechanism for Hot Rod. However you can use whatever is appropriate for your environment, such as GSSAPI.
<2> Defines the name that {jdgserver_name} servers present to clients. You specify this name in the Hot Rod client configuration when you set up {project_name}.
+
. Create a cache template.
+
[source,xml,options="nowrap",subs=attributes+]
----
<cache-container ... >
  <replicated-cache-configuration name="sessions-cfg" <1>
                                  mode="SYNC"> <2>
    <locking acquire-timeout="0" /> <3>
    <backups>
      <backup site="site2" strategy="SYNC" /> <4>
    </backups>
  </replicated-cache-configuration>
</cache-container>
----
<1> Creates a cache template named `sessions-cfg`.
<2> Defines a cache that synchronously replicates data across the cluster.
<3> Disables timeout for lock acquisition.
<4> Names the backup site for the {jdgserver_name} cluster you are configuring.
+
. Repeat the preceding steps to modify `infinispan.xml` on each node in the {jdgserver_name} cluster.
. Start the cluster and open {jdgserver_name} Console in any browser.
. Authenticate with the {jdgserver_name} user you created.
. Add caches for {jdgserver_name} data using the `sessions-cfg` cache template.
.. Navigate to the *Data Container* tab and then select *Create Cache*.
.. Specify a name for the cache.
.. Select `sessions-cfg` from the *Template* drop-down menu.
.. Select *Create*.
+
Use preceding steps to create each of the following caches:
+
* work
* sessions
* clientSessions
* offlineSessions
* offlineClientSessions
* actionTokens
* loginFailures

NOTE: We recommend that you create caches on {jdgserver_name} clusters at runtime through the CLI, Console, or Hot Rod and REST endpoints rather than adding caches to infinispan.xml. This strategy ensures that your caches are automatically synchronized across the cluster and permanently stored. Be sure to create the caches at each site. See the {jdgserver_name} documentation for more information.

ifeval::[{project_product}==true]
[role="_additional-resources"]
.Additional resources
link:https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html-single/data_grid_server_guide/index#start_server[Getting Started with Data Grid Server] +
link:https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html-single/data_grid_guide_to_cross-site_replication/index#configure_relay-xsite[Configuring Data Grid Clusters for Cross-Site Replication] +
link:https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html-single/data_grid_server_guide/index#ssl_identity-server[Setting Up SSL Identities for Data Grid Server] +
link:https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html-single/data_grid_server_guide/index#configuring_endpoints[Configuring Data Grid Endpoints] +
link:https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html-single/data_grid_server_guide/index#configure_hotrod_authentication-server[Configuring Hot Rod Authentication Mechanisms] +
link:https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html-single/data_grid_server_guide/index#create_remote_cache[Remotely Creating Caches on Data Grid Clusters]
endif::[]