Uploaded image for project: 'JBoss Server Migration Tool'
  1. JBoss Server Migration Tool
  2. CMTOOL-364

EAP 8.0 Migration Tool Exception: WFLYCTL0367

XMLWordPrintable

      Migration scenario

      • from: JBoss EAP 7.4.10
      • to: JBoss EAP 8.0

      Issue

      The migration tool throws an error (WFLYCTL0367) when migrating the Keycloak subsystem:

      ERROR Migration failed: org.jboss.migration.core.ServerMigrationFailureException: org.jboss.migration.wfly10.config.management.ManagementOperationException: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-4" => "WFLYCTL0367: Cannot remove capability 'org.wildfly.security.security-domain.custom-domain' as it is required by other capabilities:
      capability 'org.wildfly.security.sasl-authentication-factory.custom-sasl-authentication' requires it for attribute 'security-domain' at address '/subsystem=elytron/sasl-authentication-factory=custom-sasl-authentication'"}}

      Steps to reproduce

      on standalone.xml file you should have this type of configuration:

       

      <security-domain name="custom-domain" default-realm="CustomRealm" permission-mapper="default-permission-mapper"
          security-event-listener="local-audit">
          <realm name="CustomRealm" />
          <realm name="KeycloakRealm" />
      </security-domain>
      ...
      <security-realms>
          <custom-realm name="KeycloakRealm" module="org.keycloak.keycloak-wildfly-elytron-oidc-adapter" class-name="org.keycloak.adapters.elytron.KeycloakSecurityRealm">
              ...
          </custom-realm>
          <custom-realm name="CustomRealm">
              ...
          </custom-realm>
      </security-realms> 

      Then you should reference the security domain "custom-domain" in your authentication factories:

       

      • http-authentication-factory
      • sasl-authentication-factory

         

      Workaround

      To solve this problem I needed to split up the definition of the security domain in this way:

       

      <security-domain name="custom-domain" default-realm="CustomRealm" permission-mapper="default-permission-mapper" security-event-listener="local-audit">
          <realm name="CustomRealm"/>
      </security-domain>
      <security-domain name="keycloak-domain" default-realm="KeycloakOIDCRealm" permission-mapper="default-permission-mapper" security-event-listener="local-audit">
          <realm name="KeycloakOIDCRealm"/>
      </security-domain>

      Then changing the references on the authentication factories.

              istudens@redhat.com Ivo Studensky
              emartins@redhat.com Eduardo Martins
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: