-
Bug
-
Resolution: Done
-
Major
-
None
-
False
-
None
-
False
-
-
Migration scenario
- from: JBoss EAP 7.4.10
- to: JBoss EAP 8.0
Issue
The migration tool throws an error (WFLYCTL0367) when migrating the Keycloak subsystem:
ERROR Migration failed: org.jboss.migration.core.ServerMigrationFailureException: org.jboss.migration.wfly10.config.management.ManagementOperationException: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-4" => "WFLYCTL0367: Cannot remove capability 'org.wildfly.security.security-domain.custom-domain' as it is required by other capabilities: capability 'org.wildfly.security.sasl-authentication-factory.custom-sasl-authentication' requires it for attribute 'security-domain' at address '/subsystem=elytron/sasl-authentication-factory=custom-sasl-authentication'"}}
Steps to reproduce
on standalone.xml file you should have this type of configuration:
<security-domain name="custom-domain" default-realm="CustomRealm" permission-mapper="default-permission-mapper" security-event-listener="local-audit"> <realm name="CustomRealm" /> <realm name="KeycloakRealm" /> </security-domain> ... <security-realms> <custom-realm name="KeycloakRealm" module="org.keycloak.keycloak-wildfly-elytron-oidc-adapter" class-name="org.keycloak.adapters.elytron.KeycloakSecurityRealm"> ... </custom-realm> <custom-realm name="CustomRealm"> ... </custom-realm> </security-realms>
Then you should reference the security domain "custom-domain" in your authentication factories:
Workaround
To solve this problem I needed to split up the definition of the security domain in this way:
<security-domain name="custom-domain" default-realm="CustomRealm" permission-mapper="default-permission-mapper" security-event-listener="local-audit"> <realm name="CustomRealm"/> </security-domain> <security-domain name="keycloak-domain" default-realm="KeycloakOIDCRealm" permission-mapper="default-permission-mapper" security-event-listener="local-audit"> <realm name="KeycloakOIDCRealm"/> </security-domain>
Then changing the references on the authentication factories.
- clones
-
JBEAP-26765 [GSS](8.0.z) CMTOOL-364 - EAP 8.0 Migration Tool Exception: WFLYCTL0367
- Closed