Chapter 4. Manage Subsystem Configuration

Low-level configuration of Red Hat Single Sign-On is done by editing the standalone.xml, standalone-ha.xml, or domain.xml file in your distribution. The location of this file depends on your operating mode.

While there are endless settings you can configure here, this section will focus on configuration of the keycloak-server subsystem. No matter which configuration file you are using, configuration of the keycloak-server subsystem is the same.

The keycloak-server subsystem is typically declared toward the end of the file like this:

<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">

Note that anything changed in this subsystem will not take effect until the server is rebooted.

4.1. Configure SPI Providers

The specifics of each configuration setting is discussed elsewhere in context with that setting. However, it is useful to understand the format used to declare settings on SPI providers.

Red Hat Single Sign-On is a highly modular system that allows great flexibility. There are more than 50 service provider interfaces (SPIs), and you are allowed to swap out implementations of each SPI. An implementation of an SPI is known as a provider.

All elements in an SPI declaration are optional, but a full SPI declaration looks like this:

<spi name="myspi">
    <provider name="myprovider" enabled="true">
            <property name="foo" value="bar"/>
    <provider name="mysecondprovider" enabled="true">
            <property name="foo" value="foo"/>

Here we have two providers defined for the SPI myspi. The default-provider is listed as myprovider. However it is up to the SPI to decide how it will treat this setting. Some SPIs allow more than one provider and some do not. So default-provider can help the SPI to choose.

Also notice that each provider defines its own set of configuration properties. The fact that both providers above have a property called foo is just a coincidence.

The type of each property value is interpreted by the provider. However, there is one exception. Consider the jpa provider for the eventStore API:

<spi name="eventsStore">
    <provider name="jpa" enabled="true">
            <property name="exclude-events" value="[&quot;EVENT1&quot;,

We see that the value begins and ends with square brackets. That means that the value will be passed to the provider as a list. In this example, the system will pass the provider a list with two element values EVENT1 and EVENT2. To add more values to the list, just separate each list element with a comma. Unfortunately, you do need to escape the quotes surrounding each list element with &quot;.

4.2. Start the JBoss EAP CLI

Besides editing the configuration by hand, you also have the option of changing the configuration by issuing commands via the jboss-cli tool. CLI allows you to configure servers locally or remotely. And it is especially useful when combined with scripting.

To start the JBoss EAP CLI, you need to run jboss-cli.


$ .../bin/


> ...\bin\jboss-cli.bat

This will bring you to a prompt like this:


[disconnected /]

If you wish to execute commands on a running server, you will first execute the connect command.


[disconnected /] connect
[standalone@localhost:9990 /]

You may be thinking to yourself, "I didn’t enter in any username or password!". If you run jboss-cli on the same machine as your running standalone server or domain controller and your account has appropriate file permissions, you do not have to setup or enter in a admin username and password. See the JBoss EAP Configuration Guide for more details on how to make things more secure if you are uncomfortable with that setup.

4.3. CLI Embedded Mode

If you do happen to be on the same machine as your standalone server and you want to issue commands while the server is not active, you can embed the server into CLI and make changes in a special mode that disallows incoming requests. To do this, first execute the embed command with the config file you wish to change.


[disconnected /] embed-server --server-config=standalone.xml
[standalone@embedded /]

4.4. CLI GUI Mode

The CLI can also run in GUI mode. GUI mode launches a Swing application that allows you to graphically view and edit the entire management model of a running server. GUI mode is especially useful when you need help formatting your CLI commands and learning about the options available. The GUI can also retrieve server logs from a local or remote server.

Start in GUI mode

$ .../bin/ --gui

Note: to connect to a remote server, you pass the --connect option as well. Use the --help option for more details.

After launching GUI mode, you will probably want to scroll down to find the node, subsystem=keycloak-server. If you right-click on the node and click Explore subsystem=keycloak-server, you will get a new tab that shows only the keycloak-server subsystem.

cli gui

4.5. CLI Scripting

The CLI has extensive scripting capabilities. A script is just a text file with CLI commands in it. Consider a simple script that turns off theme and template caching.



To execute the script, I can follow the Scripts menu in CLI GUI, or execute the script from the command line as follows:

$ .../bin/ --file=turn-off-caching.cli

4.6. CLI Recipes

Here are some configuration tasks and how to perform them with CLI commands. Note that in all but the first example, we use the wildcard path ** to mean you should substitute or the path to the keycloak-server subsystem.

For standalone, this just means:

** = /subsystem=keycloak-server

For domain mode, this would mean something like:

** = /profile=auth-server-clustered/subsystem=keycloak-server

4.6.1. Change the web context of the server


4.6.2. Set the global default theme


4.6.3. Add a new SPI and a provider


4.6.4. Disable a provider


4.6.5. Change the default provider for an SPI


4.6.6. Configure the dblock SPI

**/spi=dblock/provider=jpa/:add(properties={lockWaitTimeout => "900"},enabled=true)

4.6.7. Add or change a single property value for a provider


4.6.8. Remove a single property from a provider


4.6.9. Set values on a provider property of type List