Red Hat build of Keycloak, RHBK-3115

Keycloak not using custom Infinispan config [GHI#39614]


      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      infinispan

      Describe the bug

      Hello
      We recently tried to upgrade from v26.1.3 to v26.2.3 to resolve CVE-2025-3910 and CVE-2025-3501.

      We use a distributed cache setup with TCPPING; we were using JDBC_PING but switched to TCPPING due to CVE-2023-5384.

      The newer version seems to pick up the configuration file and parse it but not use it. Supplying a non-existing path or an invalid XML file would throw an error.

      Version 26.1.3 showed the following log:

      [org.infinispan.CLUSTER] (ForkJoinPool.commonPool-worker-1) ISPN000078: Starting JGroups channel `ISPN` with stack `tcp-ping`
      

      Version 26.2.3 shows the following log:

      [org.infinispan.CLUSTER] (main) ISPN000078: Starting JGroups channel `ISPN` with stack `jdbc-ping`
      

      Our setup does not have a JDBC ping configuration, so I'm not sure what details the JGroups channel is opened with.

      Version

      26.2.3

      Regression

      [x] The issue is a regression

      Expected behavior

      Keycloak to pick up the custom cache config file, parse it and use it for JGroups channel creation.

      Our configuration looks like

      ...
      

      <jgroups>
        <stack name="tcp-ping" extends="tcp">
          <TCP external_addr="${env.JGROUPS_DISCOVERY_EXTERNAL_IP}" bind_port="${env.JGROUPS_DISCOVERY_EXTERNAL_PORT}"/>
          <TCPPING initial_hosts="${env.JGROUPS_DISCOVERY_INITIAL_HOSTS}" port_range="0"
                   stack.combine="REPLACE"
                   stack.position="MPING" />
        </stack>
      </jgroups>

      ...
      
      Actual behavior

      Keycloak picks up the custom cache config file and parses it, but seems to use the default configuration with JDBC_PING.

      How to Reproduce?

      Start up Keycloak with a `KC_CACHE_CONFIG_FILE` pointing to a custom configuration file and `KC_CACHE` set to `ispn`.
      Ensure the custom configuration file creates a custom stack with a distinctive name.
      Look for the `Starting JGroups channel ISPN with stack <stack name>`

      Anything else?

      Trying to switch to using JDBC_PING didn't work as it still does not seem to use the custom configuration.

              Unassigned Unassigned
              pvlha Pavel Vlha
              Keycloak Core (shared)
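The check from the reproduction steps, as an added example that is not part of the original report or Keycloak's own code: it compares the stack named in the ISPN000078 log line with the `<stack>` names declared in the custom file. The `<infinispan>` wrapper element, the function names and the status strings are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# ISPN000078 is the start-up message quoted in the report; group 2 is the stack name.
CHANNEL_START = re.compile(
    r"ISPN000078: Starting JGroups channel `?([^`\s]+)`? with stack `?([^`\s]+)`?")

# Constructed sample: the <jgroups> block from the report inside an assumed root element.
SAMPLE_CONFIG = """<infinispan>
  <jgroups>
    <stack name="tcp-ping" extends="tcp">
      <TCP external_addr="${env.JGROUPS_DISCOVERY_EXTERNAL_IP}"
           bind_port="${env.JGROUPS_DISCOVERY_EXTERNAL_PORT}"/>
      <TCPPING initial_hosts="${env.JGROUPS_DISCOVERY_INITIAL_HOSTS}" port_range="0"
               stack.combine="REPLACE" stack.position="MPING"/>
    </stack>
  </jgroups>
</infinispan>"""

# The two log lines quoted in the report.
LOG_26_1_3 = ("[org.infinispan.CLUSTER] (ForkJoinPool.commonPool-worker-1) "
              "ISPN000078: Starting JGroups channel `ISPN` with stack `tcp-ping`")
LOG_26_2_3 = ("[org.infinispan.CLUSTER] (main) "
              "ISPN000078: Starting JGroups channel `ISPN` with stack `jdbc-ping`")


def declared_stacks(config_xml):
    """Return the names of all <stack> elements, ignoring any XML namespace."""
    root = ET.fromstring(config_xml)
    return {el.get("name") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "stack" and el.get("name")}


def check_stack(config_xml, log_text):
    """Compare the stacks the log says were started with the ones the file declares."""
    declared = declared_stacks(config_xml)
    started = [m.group(2) for m in CHANNEL_START.finditer(log_text)]
    unexpected = sorted(set(started) - declared)
    if not started:
        status = "no-channel-start"   # no ISPN000078 line found in the log text
    elif unexpected:
        status = "undeclared-stack"   # a stack the custom file does not define is in use
    else:
        status = "ok"
    return {"status": status, "declared": sorted(declared),
            "started": started, "unexpected": unexpected}


if __name__ == "__main__":
    for version, log in (("26.1.3", LOG_26_1_3), ("26.2.3", LOG_26_2_3)):
        print(version, check_stack(SAMPLE_CONFIG, log))
```

Run against real start-up logs after an upgrade, an `undeclared-stack` result flags a node that has fallen back to a discovery stack the operator did not configure.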