Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-26765

[GSS](8.0.z) CMTOOL-364 - EAP 8.0 Migration Tool Exception: WFLYCTL0367

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 8.0 Update 3
    • None
    • Migration
    • None

      Migration scenario

      • from: JBoss EAP 7.4.10
      • to: JBoss EAP 8.0

      Issue

      The migration tool throws an error (WFLYCTL0367) when migrating the Keycloak subsystem:

      ERROR Migration failed: org.jboss.migration.core.ServerMigrationFailureException: org.jboss.migration.wfly10.config.management.ManagementOperationException: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-4" => "WFLYCTL0367: Cannot remove capability 'org.wildfly.security.security-domain.custom-domain' as it is required by other capabilities:
capability 'org.wildfly.security.sasl-authentication-factory.custom-sasl-authentication' requires it for attribute 'security-domain' at address '/subsystem=elytron/sasl-authentication-factory=custom-sasl-authentication'"}}

      Steps to reproduce

      on standalone.xml file you should have this type of configuration:

       

      <security-domain name="custom-domain" default-realm="CustomRealm" permission-mapper="default-permission-mapper"
    security-event-listener="local-audit">
    <realm name="CustomRealm" />
    <realm name="KeycloakRealm" />
</security-domain>
...
<security-realms>
    <custom-realm name="KeycloakRealm" module="org.keycloak.keycloak-wildfly-elytron-oidc-adapter" class-name="org.keycloak.adapters.elytron.KeycloakSecurityRealm">
        ...
    </custom-realm>
    <custom-realm name="CustomRealm">
        ...
    </custom-realm>
</security-realms>

      Then you should reference the security domain "custom-domain" in your authentication factories:

       

      • http-authentication-factory
      • sasl-authentication-factory

         

      Workaround

      To solve this problem I needed to split up the definition of the security domain in this way:

       

      <security-domain name="custom-domain" default-realm="CustomRealm" permission-mapper="default-permission-mapper" security-event-listener="local-audit">
    <realm name="CustomRealm"/>
</security-domain>
<security-domain name="keycloak-domain" default-realm="KeycloakOIDCRealm" permission-mapper="default-permission-mapper" security-event-listener="local-audit">
    <realm name="KeycloakOIDCRealm"/>
</security-domain>

      Then changing the references on the authentication factories.

              emartins@redhat.com Eduardo Martins
              emartins@redhat.com Eduardo Martins
              Francesco Pezzulli
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: