Install failed follow the official guide, configuration error : 'security-realms' isn't an allowed element here

Describe the bug

keycloak version: 16.1.0

Install the server follow this guide: Testing with a sample clustered domain
run add-user.sh and put the credentials into follow configuration

<management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <server-identities>
                    <secret value="bWdtdDEyMyE="/>
                </server-identities

start the server failed：

[Host Controller] 16:24:37,841 ERROR [org.jboss.as.controller] (Controller Boot Thread) 
[Host Controller] 
[Host Controller] OPVDX001: Validation error in host-slave.xml -----------------------------------
[Host Controller] |
[Host Controller] |   8: </extensions>
[Host Controller] |   9: <management>
[Host Controller] |  10: <security-realms>
[Host Controller] |                      ^^^^ 'security-realms' isn't an allowed element here
[Host Controller] |                           
[Host Controller] |                           Elements allowed here are: audit-log, configuration-changes, identity,
[Host Controller] |                             management-interfaces 
[Host Controller] |
[Host Controller] |  11:         <!--security-realm name="ManagementRealm">
[Host Controller] |  12:             <server-identities>
[Host Controller] |  13:                 <secret value="QWRtaW4zODgxMDI1Mg=="/>
[Host Controller] |
[Host Controller] | The primary underlying error message was:
[Host Controller] | > ParseError at [row,col]:[10,21]
[Host Controller] | > Message: WFLYCTL0198: Unexpected element
[Host Controller] | >   '{urn:jboss:domain:19.0}security-realms' encountered
[Host Controller] |
[Host Controller] |-------------------------------------------------------------------------------

Version

16.1.0

Issue Analytics

State:
Created 2 years ago
Comments:9 (1 by maintainers)

Top GitHub Comments

4reactions

marekvesely-directcommented, Jan 12, 2022

Hello, I had the same problem and found a solution after many hours searching on JBoss documentation pages… Keycloak documentation really sucks, it is outdated. They switched authentication to Elytron, so you need to change host-slave.xml file.

You need to define username (authentication-name) and password (clear-text) to this section:

        <subsystem xmlns="urn:wildfly:elytron:15.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            <authentication-client>
                <authentication-configuration name="hostAuthConfig"
                                              authentication-name="admin"
                                              realm="ManagementRealm">
                    <credential-reference clear-text="{{ vault_direct_insurance_api_keycloak_admin_password }}"/>
                </authentication-configuration>
                <authentication-context name="hcAuthContext">
                    <match-rule authentication-configuration="hostAuthConfig"/>
                </authentication-context>
            </authentication-client>

And reconfigure domain controller:

    <domain-controller>
        <remote authentication-context="hcAuthContext">
            <discovery-options>
                <static-discovery name="primary" protocol="${jboss.domain.master.protocol:remote+http}" host="${jboss.domain.master.address}" port="${jboss.domain.master.port:9990}"/>
            </discovery-options>
        </remote>

1reaction

camaercommented, Jan 28, 2022

I was able to make it work. Turn out my issue was that for the password in credential-reference I was using the token that was generated in the last step of the bin/add-user.sh script as per the keycloak doc while in this case you need to use the HTTP password that you chose using said script. So the original fix from @marekvesely-direct was indeed correct ! Thanks for the help ! The Keyclock doc should indeed updated to reflect this change.