Install failed following the official guide, configuration error: 'security-realms' isn't an allowed element here

Describe the bug

keycloak version: 16.1.0

  1. Install the server following this guide: Testing with a sample clustered domain

  2. Run add-user.sh and put the credentials into the following configuration:

        <management>
            <security-realms>
                <security-realm name="ManagementRealm">
                    <server-identities>
                        <secret value="bWdtdDEyMyE="/>
                    </server-identities>
                </security-realm>
            </security-realms>
        </management>

  3. Starting the server failed:

        [Host Controller] 16:24:37,841 ERROR [org.jboss.as.controller] (Controller Boot Thread)
        [Host Controller]
        [Host Controller] OPVDX001: Validation error in host-slave.xml -----------------------------------
        [Host Controller] |
        [Host Controller] |   8: </extensions>
        [Host Controller] |   9: <management>
        [Host Controller] |  10: <security-realms>
        [Host Controller] |                      ^^^^ 'security-realms' isn't an allowed element here
        [Host Controller] |
        [Host Controller] |                           Elements allowed here are: audit-log, configuration-changes, identity,
        [Host Controller] |                             management-interfaces
        [Host Controller] |
        [Host Controller] |  11:         <!--security-realm name="ManagementRealm">
        [Host Controller] |  12:             <server-identities>
        [Host Controller] |  13:                 <secret value="QWRtaW4zODgxMDI1Mg=="/>
        [Host Controller] |
        [Host Controller] | The primary underlying error message was:
        [Host Controller] | > ParseError at [row,col]:[10,21]
        [Host Controller] | > Message: WFLYCTL0198: Unexpected element
        [Host Controller] | >   '{urn:jboss:domain:19.0}security-realms' encountered
        [Host Controller] |
        [Host Controller] |-------------------------------------------------------------------------------

Version

16.1.0

Top GitHub Comments

marekvesely-direct commented, Jan 12, 2022 (4 reactions)

Hello, I had the same problem and found a solution after many hours searching on JBoss documentation pages… Keycloak documentation really sucks; it is outdated. They switched authentication to Elytron, so you need to change the host-slave.xml file.

You need to define username (authentication-name) and password (clear-text) to this section:

        <subsystem xmlns="urn:wildfly:elytron:15.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            <authentication-client>
                <authentication-configuration name="hostAuthConfig"
                                              authentication-name="admin"
                                              realm="ManagementRealm">
                    <credential-reference clear-text="{{ vault_direct_insurance_api_keycloak_admin_password }}"/>
                </authentication-configuration>
                <authentication-context name="hcAuthContext">
                    <match-rule authentication-configuration="hostAuthConfig"/>
                </authentication-context>
            </authentication-client>
        </subsystem>

And reconfigure domain controller:

    <domain-controller>
        <remote authentication-context="hcAuthContext">
            <discovery-options>
                <static-discovery name="primary" protocol="${jboss.domain.master.protocol:remote+http}" host="${jboss.domain.master.address}" port="${jboss.domain.master.port:9990}"/>
            </discovery-options>
        </remote>
    </domain-controller>

camaer commented, Jan 28, 2022 (1 reaction)

I was able to make it work. Turns out my issue was that for the password in credential-reference I was using the token that was generated in the last step of the bin/add-user.sh script as per the Keycloak doc, while in this case you need to use the HTTP password that you chose using said script. So the original fix from @marekvesely-direct was indeed correct! Thanks for the help! The Keycloak doc should indeed be updated to reflect this change.
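A check for the two states this thread describes (the legacy `<security-realms>` block from the issue, and the Elytron authentication-client plus domain-controller wiring from the Jan 12 comment), written here as an added example rather than code from the issue, Keycloak or WildFly. The cut-down host-slave.xml documents and the password "changeit" are constructed; the Base64 helper reflects the Jan 28 comment's point that the add-user.sh secret token is not the clear-text password.

```python
# Added example, not from the issue or from Keycloak/WildFly: audit a host-slave.xml
# for the legacy <security-realms> block that urn:jboss:domain:19.0 rejects and for
# the Elytron wiring from the thread. Sample documents and "changeit" are constructed.
import base64
import xml.etree.ElementTree as ET

LEGACY_HOST = """<host xmlns="urn:jboss:domain:19.0" name="slave"><management>
  <security-realms><security-realm name="ManagementRealm"><server-identities>
    <secret value="Y2hhbmdlaXQ="/></server-identities></security-realm></security-realms>
  </management>
  <domain-controller><remote security-realm="ManagementRealm"/></domain-controller>
</host>"""

ELYTRON_HOST = """<host xmlns="urn:jboss:domain:19.0" name="slave"><management/>
  <profile><subsystem xmlns="urn:wildfly:elytron:15.0"><authentication-client>
    <authentication-configuration name="hostAuthConfig" authentication-name="admin" realm="ManagementRealm">
      <credential-reference clear-text="changeit"/></authentication-configuration>
    <authentication-context name="hcAuthContext">
      <match-rule authentication-configuration="hostAuthConfig"/></authentication-context>
  </authentication-client></subsystem></profile>
  <domain-controller><remote authentication-context="hcAuthContext"/></domain-controller>
</host>"""

def audit_host_config(xml_text: str) -> dict:
    """Report the legacy vs. Elytron state of one host-slave.xml document."""
    root = ET.fromstring(xml_text)
    # 19.0 no longer allows <security-realms> directly under <management>.
    legacy = root.find("{*}management/{*}security-realms") is not None
    configs = {}
    for cfg in root.iterfind(".//{*}authentication-configuration"):
        cred = cfg.find("{*}credential-reference")  # clear-text keeps the password readable
        configs[cfg.get("name")] = {
            "user": cfg.get("authentication-name"), "realm": cfg.get("realm"),
            "clear_text_password": cred is not None and cred.get("clear-text") is not None}
    contexts = {ctx.get("name"): [r.get("authentication-configuration")
                                  for r in ctx.iterfind("{*}match-rule")]
                for ctx in root.iterfind(".//{*}authentication-context")}
    remote = root.find("{*}domain-controller/{*}remote")
    ctx_name = remote.get("authentication-context") if remote is not None else None
    # The remote must name a context whose match-rule points at a defined configuration.
    rules = contexts.get(ctx_name, [])
    return {"legacy_security_realms": legacy, "auth_configs": configs,
            "domain_controller_context": ctx_name,
            "elytron_wired": bool(rules) and all(r in configs for r in rules)}

def legacy_secret_to_clear_text(secret_value: str) -> str:
    """add-user.sh's <secret value> is Base64 of the password; clear-text wants the password."""
    return base64.b64decode(secret_value).decode()
```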
