Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-26765

[GSS](8.0.z) CMTOOL-364 - EAP 8.0 Migration Tool Exception: WFLYCTL0367

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • 8.0 Update 3
    • None
    • Migration
    • None
    • False
    • None
    • False

    Description

      Migration scenario

      • from: JBoss EAP 7.4.10
      • to: JBoss EAP 8.0

      Issue

      The migration tool throws an error (WFLYCTL0367) when migrating the Keycloak subsystem:

      ERROR Migration failed: org.jboss.migration.core.ServerMigrationFailureException: org.jboss.migration.wfly10.config.management.ManagementOperationException: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-4" => "WFLYCTL0367: Cannot remove capability 'org.wildfly.security.security-domain.custom-domain' as it is required by other capabilities:
capability 'org.wildfly.security.sasl-authentication-factory.custom-sasl-authentication' requires it for attribute 'security-domain' at address '/subsystem=elytron/sasl-authentication-factory=custom-sasl-authentication'"}}

      Steps to reproduce

      on standalone.xml file you should have this type of configuration:

       

      <security-domain name="custom-domain" default-realm="CustomRealm" permission-mapper="default-permission-mapper"
    security-event-listener="local-audit">
    <realm name="CustomRealm" />
    <realm name="KeycloakRealm" />
</security-domain>
...
<security-realms>
    <custom-realm name="KeycloakRealm" module="org.keycloak.keycloak-wildfly-elytron-oidc-adapter" class-name="org.keycloak.adapters.elytron.KeycloakSecurityRealm">
        ...
    </custom-realm>
    <custom-realm name="CustomRealm">
        ...
    </custom-realm>
</security-realms>

      Then you should reference the security domain "custom-domain" in your authentication factories:

       

      • http-authentication-factory
      • sasl-authentication-factory

         

      Workaround

      To solve this problem I needed to split up the definition of the security domain in this way:

       

      <security-domain name="custom-domain" default-realm="CustomRealm" permission-mapper="default-permission-mapper" security-event-listener="local-audit">
    <realm name="CustomRealm"/>
</security-domain>
<security-domain name="keycloak-domain" default-realm="KeycloakOIDCRealm" permission-mapper="default-permission-mapper" security-event-listener="local-audit">
    <realm name="KeycloakOIDCRealm"/>
</security-domain>

      Then changing the references on the authentication factories.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. CMTOOL-364 EAP 8.0 Migration Tool Exception: WFLYCTL0367

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Open

          Activity

            People

              emartins@redhat.com Eduardo Martins
              emartins@redhat.com Eduardo Martins
              Eduardo Martins
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated: