Upgrade from 15.1 to 16.1.0

I am upgrading from version 15.1 to 16.1.0. This is a standalone configuration and is using a local MySQL database backend. I went with a fresh copy of the latest 16.1.0 Keycloak tar file and am piece by piece moving configuration text from the 15.1 standalone.xml to the 16.1.0 standalone.xml. When I run the bin/jboss-cli.sh --file=bin/migrate-standalone.cli I get the following error:

Adding keystore to ApplicationRealm…
Failed to get the list of the operation properties: “WFLYCTL0030: No resource definition is registered for address [
(“core-service” => “management”),
(“security-realm” => “ApplicationRealm”),
(“server-identity” => “ssl”)

I can successfully start a 16.1.0 instance with the piecemeal changes to the standalone.xml, but the migration script throws the above. Any suggestions on what I’m doing wrong?

Legacy security subsystem in Wildfly, which was already deprecated for long, was removed. You now have to use the Elytron subsystem for TLS/SSL handling. See Keycloak release notes for link to Wildfly docs!

Generally: never edit the standalone.xml manually. Always use CLI scripts!


I did work off info from this link. I’m using Apache2 as a reverse-proxy for my TLS/SSL needs.

You have an error telling you something about ssl and security realm which had been removed from Wildfly. So, deal with it and read the official docs. I don‘t care about other peoples lists, I stick to official docs and have always a working system.

1 Like

I’m pretty sure this is not the best answer to give on this problem.

Upgrade process is not an easy task, and finding the right documentation on this subject is also not an easy task.

On this specific problem it seems that the right way of running the bin/migrate-standalone.cli is by first editing it and removing past migrations. This error message is coming from old migrations which are not required (and the script is not a smart one, no test is done on the current version).

I found a reference to it in a very old migration documentation (Migration from older versions | keycloak-documentation that’s about Keycloak 3.2.0 ):

Lastly, you may want to examine the contents of the scripts before running. They show exactly what will be changed for each version. They also have values at the top of the script that you may need to change based on your environment.

That’s not present anymore in the current documentation, but others have reported that editing the migration scripts was the key feature for a successful run. And removing old migration is a safe edit.

1 Like