Common problems
Problem: Identity is unable to connect to Keycloak
If you are seeing an error message like the one below in your Identity service logs, there is an issue with the connection Identity is trying to make and the Keycloak service:
2022-07-04 15:52:04.250 ERROR 1 --- [main] i.c.i.i.k.config.KeycloakConfiguration : Failure #1. Unable to connect to Keycloak.
This can be caused by:
- The Keycloak service has not started/is not ready.
- Identity making requests from an external IP address.
See details on resolving these issues below.
Solution 1: The Keycloak service has not started/is not ready
The Keycloak service can take time to start due to the supporting systems.
Keycloak is ready to accept connections when the following log lines are visible:
15:24:24,094 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 16.1.1 (WildFly Core 18.0.4.Final) started in 33171ms - Started 718 of 1020 services (699 services are lazy, passive or on-demand)
15:24:24,098 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
15:24:24,100 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
When the Keycloak service is ready for connections, start (or restart) the Identity pod.
Solution 2: Identity making requests from an external IP address
By default, Keycloak requires TLS on requests that originate from what it considers to be an external source. The Keycloak
documentation for setting up SSL maintains
a list of what they consider to be an external IP address under the external requests
section.
The solution to this issue will depend largely on your environment. However, as a starting point we would suggest you consider these options:
- Configure the communication between the services (for example in a cluster) to use IP ranges that fall within the ranges that Keycloak expects.
- If configuring the IP ranges is not an option, it is possible to disable the SSL requirement in Keycloak itself by completing the following steps:
We would only recommend that requirements for SSL are disabled in a development environment.