Issue migrating from 15.1.1 to 16.1.0


Ionel GARDAIS

Dec 21, 2021, 4:12:53 AM
to keycloak-user
Hi,

I'm trying to migrate from 15.1.1 to 16.1.0, using the standalone-ha.xml configuration.
I've replicated the changes made from the old versions to the new one, mostly DataSource and minor tweaks.

However, when running the migration script, I get the following output:

Adding keystore to ApplicationRealm...
Failed to get the list of the operation properties: "WFLYCTL0030: No resource definition is registered for address [
    ("core-service" => "management"),
    ("security-realm" => "ApplicationRealm"),
    ("server-identity" => "ssl")
]"

I'm running behind a reverse-proxy acting as a TLS-termination endpoint, talking plain http to Keycloak.

Did I miss a migration step ?

Thanks,
Ionel



mj

Dec 21, 2021, 6:11:59 AM
to keyclo...@googlegroups.com
Hi,

Just to say: here too. :-)

We tried upgrading to 16.0 (coming from 14) and had the same issue. I
was planning to try again with 16.1, but you already did it :-)

It seems to us that there seemed to be no mysql database connectivity.
(even though we copied the mysql odbc connector)

Are you doing mysql as well?

MJ


Ionel GARDAIS

Dec 21, 2021, 7:03:14 AM
to mj, keycloak-user
Hi,

Yeap, mysql too.
I've imported the mysql module as usual:

modules/system/layers/keycloak/com/mysql/main$ cat module.xml
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.5" name="com.mysql">
    <resources>
        <resource-root path="mysql-connector-java-5.1.47-bin.jar" />
    </resources>
    <dependencies>
        <module name="javax.api"/>
        <module name="javax.transaction.api"/>
    </dependencies>
</module>



mj

Dec 23, 2021, 5:58:12 AM
to Ionel GARDAIS, keycloak-user
Reading the other post on java versions compatibility, I just wanted to
add that we are running with openjdk-11 on debian 10.11.

So that's not the issue here. Same for you, Ionel?

MJ


Ionel GARDAIS

Dec 23, 2021, 7:16:29 AM
to mj, keycloak-user
Debian 11.2 with openjdk 11.0.13 here.

--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager


Pedro Igor Craveiro e Silva

Dec 23, 2021, 7:24:36 AM
to Ionel GARDAIS, mj, keycloak-user
There are some breaking changes as we are now using the latest Wildfly versions.

One of these changes is related to how you configure TLS. Could you please check https://www.keycloak.org/docs/latest/server_installation/#enabling-ssl-https-for-the-keycloak-server

Basically, Wildfly no longer has the security subsystem and security now is managed through Wildfly Elytron Subsystem.

Ionel GARDAIS

Dec 23, 2021, 7:45:16 AM
to Pedro Igor Craveiro e Silva, mj, keycloak-user
Hi Pedro,

Thanks for pointing out this change.
I'm using a reverse proxy in front of Keycloak to handle the TLS traffic.
From what I understand, going over the TLS setup with a keystore is not required in that case.

This block from the migration script is causing the issue:
# Migrate from 3.2.1 to 3.3.0
if (outcome == failed) of /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:read-resource
    echo Adding keystore to ApplicationRealm...
    /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:add(keystore-path=application.keystore,keystore-relative-to=jboss.server.config.dir,keystore-password=password,alias=server,key-password=password,generate-self-signed-certificate-host=localhost)
    echo
end-if

What if I only keep the last block from the migration script:
# Migrate from 15.0.0 to 16.0.0
if (outcome == failed) of /subsystem=infinispan/cache-container=hibernate/local-cache=pending-puts/:read-resource
    echo Add pending-puts local cache clustered and expiration time 60000L
    /subsystem=infinispan/cache-container=hibernate/local-cache=pending-puts/:add
    /subsystem=infinispan/cache-container=hibernate/local-cache=pending-puts/component=expiration/:write-attribute(name=max-idle,value=60000L)
    echo
end-if

Ionel
--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager



Pedro Igor Craveiro e Silva

Dec 23, 2021, 8:15:25 AM
to Ionel GARDAIS, mj, keycloak-user
If you are not doing reencryption, it should be fine to skip TLS configuration.

But as a general rule, any reference to `security-realm` is no longer valid. For that particular failing block you mentioned, it is relying on the now removed security subsystem and TLS is configured differently as per the link I sent to the documentation.
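
An added example, not part of any message in this thread and not Keycloak's own tooling: a small check that splits a jboss-cli migration script into its "# Migrate from X to Y" sections and reports which ones address the legacy `/core-service=management/security-realm=...` resource, so they can be reviewed before running the script against 16.x. The function names and the shortened sample script are constructed for illustration.

```python
import re

# Constructed sample in the style of the two blocks quoted in this thread
# (the keystore arguments are shortened; this is not the shipped script).
SAMPLE_SCRIPT = """\
# Migrate from 3.2.1 to 3.3.0
if (outcome == failed) of /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:read-resource
    echo Adding keystore to ApplicationRealm...
    /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:add(keystore-path=application.keystore)
    echo
end-if

# Migrate from 15.0.0 to 16.0.0
if (outcome == failed) of /subsystem=infinispan/cache-container=hibernate/local-cache=pending-puts/:read-resource
    echo Add pending-puts local cache clustered and expiration time 60000L
    /subsystem=infinispan/cache-container=hibernate/local-cache=pending-puts/:add
    echo
end-if
"""

HEADER = re.compile(r"^#\s*Migrate from (\S+) to (\S+)")
LEGACY = re.compile(r"/core-service=management/security-realm=([^/:\s]+)")

def split_blocks(script):
    """Return [(label, [lines])], one entry per '# Migrate from X to Y' section."""
    blocks = []
    for line in script.splitlines():
        m = HEADER.match(line)
        if m:
            blocks.append((f"{m.group(1)} -> {m.group(2)}", []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks

def legacy_realm_refs(script):
    """Map section label -> security-realm names addressed by its CLI operations."""
    findings = {}
    for label, lines in split_blocks(script):
        ops = [l.strip() for l in lines if not l.strip().startswith(("#", "echo"))]
        realms = {name for op in ops for name in LEGACY.findall(op)}
        if realms:
            findings[label] = sorted(realms)
    return findings

def unaffected_blocks(script):
    """Labels of sections that never touch a legacy security-realm address."""
    flagged = legacy_realm_refs(script)
    return [label for label, _ in split_blocks(script) if label not in flagged]

if __name__ == "__main__":
    for label, realms in legacy_realm_refs(SAMPLE_SCRIPT).items():
        print(f"{label}: references legacy security-realm {', '.join(realms)}")
    print("no security-realm reference:", unaffected_blocks(SAMPLE_SCRIPT))
```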

Ionel GARDAIS

Dec 23, 2021, 9:05:07 AM
to Pedro Igor Craveiro e Silva, mj, keycloak-user
OK.
So I did remove all other blocks from the migration script except the last from 15.0.0 to 16.0.0

Execution went fine.
Startup went fine.

My two keycloaks in standalone-ha seem to run fine with 16.1.0.

Ionel
--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager



Pedro Igor Craveiro e Silva

Dec 23, 2021, 9:22:49 AM
to Ionel GARDAIS, mj, keycloak-user
Glad to hear that.

Unfortunately, the changes in Wildfly were too impactful and we weren't able to provide a better migration story.

This is a key aspect we are looking at for Keycloak.X.

I hope this thread helps others with the same issue. We need people upgrading to the latest versions as fast as possible.

Morten Jønby

Dec 23, 2021, 1:00:26 PM
to Pedro Igor Craveiro e Silva, Ionel GARDAIS, keycloak-user, mj
Hi.
Why is upgrading to the latest version asap so important?
We just had a lot of struggle getting from 11.0.3 to 14 in AKS, so I don’t believe we will run another painful upgrade right away. Upgrade needs to be pretty smooth and especially in k8s it just has to work when upgrading to the latest Helm chart and Docker image.

Br,
Morten
