Professional Documents
Culture Documents
JBoss Enterprise Application Platform-6.3-Administration and Configuration Guide-En-US
JBoss Enterprise Application Platform-6.3-Administration and Configuration Guide-En-US
Platform 6.3
Administration and Configuration
Guide
For Use with Red Hat JBoss Enterprise Application Platform 6
Legal Notice
Co pyright 20 14 Red Hat, Inc..
This do cument is licensed by Red Hat under the Creative Co mmo ns Attributio n-ShareAlike 3.0
Unpo rted License. If yo u distribute this do cument, o r a mo dified versio n o f it, yo u must pro vide
attributio n to Red Hat, Inc. and pro vide a link to the o riginal. If the do cument is mo dified, all Red
Hat trademarks must be remo ved.
Red Hat, as the licenso r o f this do cument, waives the right to enfo rce, and agrees no t to assert,
Sectio n 4 d o f CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shado wman lo go , JBo ss, MetaMatrix, Fedo ra, the Infinity
Lo go , and RHCE are trademarks o f Red Hat, Inc., registered in the United States and o ther
co untries.
Linux is the registered trademark o f Linus To rvalds in the United States and o ther co untries.
Java is a registered trademark o f Oracle and/o r its affiliates.
XFS is a trademark o f Silico n Graphics Internatio nal Co rp. o r its subsidiaries in the United
States and/o r o ther co untries.
MySQL is a registered trademark o f MySQL AB in the United States, the Euro pean Unio n and
o ther co untries.
No de.js is an o fficial trademark o f Jo yent. Red Hat So ftware Co llectio ns is no t fo rmally
related to o r endo rsed by the o fficial Jo yent No de.js o pen so urce o r co mmercial pro ject.
The OpenStack Wo rd Mark and OpenStack Lo go are either registered trademarks/service
marks o r trademarks/service marks o f the OpenStack Fo undatio n, in the United States and o ther
co untries and are used with the OpenStack Fo undatio n's permissio n. We are no t affiliated with,
endo rsed o r spo nso red by the OpenStack Fo undatio n, o r the OpenStack co mmunity.
All o ther trademarks are the pro perty o f their respective o wners.
Abstract
This bo o k is a guide to the administratio n and co nfiguratio n o f Red Hat JBo ss Enterprise
Applicatio n Platfo rm 6 and its patch releases.
T able of Contents
.Preface
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. 4. . . . . . . . . .
1. Do c ument Co nventio ns
14
1.1. Typ o g rap hic Co nventio ns
14
1.2. Pull-q uo te Co nventio ns
15
1.3. No tes and Warning s
16
2 . G etting Help and G iving Feed b ac k
16
2 .1. Do Yo u Need Help ?
2 .2. We Need Feed b ac k!
16
17
. .hapt
C
. . . .er
. .1. .. Int
. . .roduct
. . . . . .ion
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. 8. . . . . . . . . .
1.1. Ab o ut Red Hat JBo s s Enterp ris e Ap p lic atio n Platfo rm 6
18
1.2. Features o f JBo s s EAP 6
18
1.3. Ab o ut JBo s s EAP 6 O p erating Mo d es
19
1.4. Ab o ut Stand alo ne Servers
19
1.5. Ab o ut Manag ed Do mains
19
1.6 . Ab o ut the Do main Co ntro ller
1.7. Ab o ut Do main Co ntro ller Dis c o very and Failo ver
20
21
22
23
24
. .hapt
C
. . . .er
. .2. .. Applicat
. . . . . . . ion
. . . .Server
. . . . . .Management
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2. 5. . . . . . . . . .
2 .1. Start and Sto p JBo s s EAP 6
25
2 .1.1. Start JBo s s EAP 6
2 .1.2. Start JBo s s EAP 6 as a Stand alo ne Server
25
25
25
26
27
29
30
33
35
35
36
37
37
37
39
39
40
2 .4.3. Enab ling /Dis ab ling Des c rip to r Bas ed Pro p erty Rep lac ement
2 .4.4. Co nfig uratio n File His to ry
2 .4.5. Start the Server with a Previo us Co nfig uratio n
2 .4.6 . Save a Co nfig uratio n Snap s ho t Us ing the Manag ement CLI
42
43
43
44
45
45
46
. .hapt
C
. . . .er
. .3.
. .Management
. . . . . . . . . . . .Int
. . erfaces
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4. 8. . . . . . . . . .
3 .1. Manag e the Ap p lic atio n Server
48
3 .2. Manag ement Ap p lic atio n Pro g ramming Interfac es (APIs )
3 .3. Ab o ut the Manag ement Co ns o le and Manag ement CLI
3 .4. The Manag ement Co ns o le
48
49
50
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
3 .4. The Manag ement Co ns o le
3 .4.1. Manag ement Co ns o le
3 .4.2. Lo g in to the Manag ement Co ns o le
3 .4.3. Chang e the Lang uag e o f the Manag ement Co ns o le
3 .4.4. Analytic s in EAP Co ns o le
3 .4.5. Enab le/Dis ab le G o o g le Analytic s in EAP Co ns o le
3 .4.6 . Co nfig ure a Server Us ing the Manag ement Co ns o le
3 .4.7. Ad d a Dep lo yment in the Manag ement Co ns o le
3 .4.8 . Create a New Server in the Manag ement Co ns o le
3 .4.9 . Chang e the Default Lo g Levels Us ing the Manag ement Co ns o le
3 .4.10 . Create a New Server G ro up in the Manag ement Co ns o le
3 .5. The Manag ement CLI
50
50
50
51
51
52
54
55
55
56
56
57
57
57
57
58
58
59
60
61
64
66
67
69
69
71
72
3 .6 .4. Dis p lay an O p eratio n Des c rip tio n us ing the Manag ement CLI
72
3 .6 .5. Dis p lay the O p eratio n Names us ing the Manag ement CLI
3 .6 .6 . Dis p lay Availab le Res o urc es us ing the Manag ement CLI
74
75
3 .6 .7. Dis p lay Availab le Res o urc e Des c rip tio ns us ing the Manag ement CLI
3 .6 .8 . Relo ad the Ap p lic atio n Server us ing the Manag ement CLI
80
81
3 .6 .9 . Shut the Ap p lic atio n Server d o wn us ing the Manag ement CLI
81
3 .6 .10 . Co nfig ure an Attrib ute with the Manag ement CLI
3 .6 .11. Co nfig ure Sys tem Pro p erties Us ing the Manag ement CLI
82
83
89
89
89
89
90
90
91
91
3 .8 .2. Enab le Manag ement Interfac e Aud it Lo g g ing fro m the Manag ement CLI
3 .8 .3. Ab o ut a Manag ement Interfac e Aud it Lo g g ing Fo rmatter
91
92
93
93
95
. .hapt
C
. . . .er
. .4. .. User
. . . . .Management
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9. 6. . . . . . . . . .
4 .1. Us er Creatio n
96
96
97
98
98
99
10 0
. .hapt
C
. . . .er
. .5.
. .Net
. . . work
. . . . .and
. . . Port
. . . . .Configurat
. . . . . . . . . ion
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.0. 2. . . . . . . . . .
5 .1. Interfac es
5 .1.1. Ab o ut Interfac es
10 2
10 2
10 3
10 6
10 6
10 9
111
114
114
115
5 .3. IPv6
5 .3.1. Co nfig ure JVM Stac k Preferenc es fo r IPv6 Netwo rking
115
115
5 .3.2. Co nfig ure the Interfac e Dec laratio ns fo r IPv6 Netwo rking
116
116
. .hapt
C
. . . .er
. .6. .. Dat
. . . asource
. . . . . . . .Management
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.1. 8. . . . . . . . . .
6 .1. Intro d uc tio n
118
6 .1.1. Ab o ut JDBC
6 .1.2. JBo s s EAP 6 Sup p o rted Datab as es
118
118
118
118
119
119
119
120
122
122
124
6 .3.1. Create a No n-XA Datas o urc e with the Manag ement Interfac es
6 .3.2. Mo d ify a No n-XA Datas o urc e with the Manag ement Interfac es
124
125
6 .3.3. Remo ve a No n-XA Datas o urc e with the Manag ement Interfac es
6 .4. XA Datas o urc es
126
127
127
129
130
131
131
131
133
133
134
134
136
136
142
142
144
144
145
145
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
6 .8 .1. Examp le Po s tg reSQ L Datas o urc e
145
146
147
148
149
150
152
153
154
155
156
157
. .hapt
C
. . . .er
. .7. .. Configuring
. . . . . . . . . . . Modules
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. 59
...........
7 .1. Intro d uc tio n
159
7 .1.1. Mo d ules
159
7 .1.2. G lo b al Mo d ules
16 0
16 0
16 1
16 1
16 2
16 3
16 5
7 .6 . Referenc e
7 .6 .1. Inc lud ed Mo d ules
16 5
16 5
16 6
. .hapt
C
. . . .er
. .8. .. Jsvc
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.6. 7. . . . . . . . . .
8 .1. Intro d uc tio n
16 7
8 .1.1. Ab o ut Js vc
16 7
16 7
. .hapt
C
. . . .er
. .9. .. G
. .lobal
. . . . Valves
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.7. 2. . . . . . . . . .
9 .1. Ab o ut Valves
172
9 .2. Ab o ut G lo b al Valves
172
172
172
173
. .hapt
C
. . . .er
. .1. 0. .. Applicat
. . . . . . . .ion
. . .Deployment
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. 7. 5. . . . . . . . . .
10 .1. Ab o ut Ap p lic atio n Dep lo yment
10 .2. Dep lo y with the Manag ement Co ns o le
10 .2.1. Manag e Ap p lic atio n Dep lo yment in the Manag ement Co ns o le
176
10 .2.2. Enab le a Dep lo yed Ap p lic atio n Us ing the Manag ement Co ns o le
176
10 .2.3. Dis ab le a Dep lo yed Ap p lic atio n Us ing the Manag ement Co ns o le
177
178
179
10 .3.1. Manag e Ap p lic atio n Dep lo yment in the Manag ement CLI
179
10 .3.2. Dep lo y an Ap p lic atio n in a Stand alo ne Server Us ing the Manag ement CLI
179
10 .3.3. Und ep lo y an Ap p lic atio n in a Stand alo ne Server Us ing the Manag ement CLI
179
10 .3.4. Dep lo y an Ap p lic atio n in a Manag ed Do main Us ing the Manag ement CLI
10 .3.5. Und ep lo y an Ap p lic atio n in a Manag ed Do main Us ing the Manag ement CLI
18 0
18 1
175
176
18 1
18 1
18 4
18 4
18 4
18 5
10 .5.3. Und ep lo y an Ap p lic atio n fro m a Stand alo ne Server Ins tanc e with the Dep lo yment Sc anner
18 6
10 .5.4. Red ep lo y an Ap p lic atio n to a Stand alo ne Server Ins tanc e with the Dep lo yment
Sc anner
18 7
18 8
18 9
19 0
10 .5.8 . Co nfig ure the Dep lo yment Sc anner with the Manag ement CLI
19 0
19 3
19 3
19 3
19 5
19 6
19 7
. .hapt
C
. . . .er
. .1. 1. .. Securing
. . . . . . . . .JBoss
. . . . . EAP
....6
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.9. 9. . . . . . . . . .
11.1. Ab o ut the Sec urity Sub s ys tem
19 9
19 9
20 0
20 1
20 1
20 2
20 2
20 2
20 2
20 3
20 5
20 5
20 6
20 6
20 7
20 8
11.6 .11. Co nfig ure Sec urity Map p ing in a Sec urity Do main
20 8
20 9
212
212
11.6 .13.2. Co nfig ure Java Autho riz atio n Co ntrac t fo r Co ntainers (JACC) Sec urity
212
213
213
214
214
214
11.7.2. Ab o ut IO R
214
215
216
216
217
218
219
222
11.8 .6 . Remo ve Silent Authentic atio n fro m the Default Sec urity Realm
223
225
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
11.8 .7. Dis ab le Remo te Ac c es s to the JMX Sub s ys tem
225
11.8 .8 . Co nfig ure Sec urity Realms fo r the Manag ement Interfac es
225
11.9 . Sec uring the Manag ement Interfac es with Ro le-Bas ed Ac c es s Co ntro l
227
227
227
228
228
229
11.9 .6 . Ab o ut Co ns traints
11.9 .7. Ab o ut JMX and Ro le-Bas ed Ac c es s Co ntro l
230
231
231
231
232
234
235
11.9 .9 .3. Co nfig ure Us er Ro le As s ig nment us ing the Manag ement CLI
238
241
242
245
248
249
251
253
255
255
257
257
11.9 .10 .2. Co nfig ure Ap p lic atio n Res o urc e Co ns traints
11.9 .10 .3. Co nfig ure the Vault Exp res s io n Co ns traint
259
26 0
26 1
26 1
26 3
233
234
270
270
270
271
274
277
277
277
279
279
28 0
28 1
28 1
28 3
28 6
29 2
29 2
29 2
29 4
29 5
29 5
11.13.5. Co nfig ure JBo s s EAP 6 to Us e a Cus to m Imp lementatio n o f the Pas s wo rd Vault
11.13.6 . Sto re and Retrieve Enc ryp ted Sens itive String s in the Java Keys to re
29 7
29 8
1.13.7. Sto re and Res o lve Sens itive String s In Yo ur Ap p lic atio ns
1
11.14. FIPS 140 -2 Co mp liant Enc ryp tio n
11.14.1. Ab o ut FIPS 140 -2 Co mp lianc e
30 0
30 3
30 3
30 3
30 4
30 7
. .hapt
C
. . . .er
. .1. 2. .. Securit
. . . . . . .y. Administ
. . . . . . . .rat
. . ion
. . . .Reference
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
. . 8. . . . . . . . . .
12.1. Inc lud ed Authentic atio n Mo d ules
30 8
12.2. Inc lud ed Autho riz atio n Mo d ules
334
12.3. Inc lud ed Sec urity Map p ing Mo d ules
12.4. Inc lud ed Sec urity Aud iting Pro vid er Mo d ules
335
339
. .hapt
C
. . . .er
. .1. 3.
. . Subsyst
. . . . . . . em
. . . Configurat
. . . . . . . . . .ion
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
. . 0. . . . . . . . . .
13.1. Sub s ys tem Co nfig uratio n O verview
340
. .hapt
C
. . . .er
. .1. 4. .. T
. .he
. . Logging
. . . . . . . . Subsyst
. . . . . . . em
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
. . 1. . . . . . . . . .
14.1. Intro d uc tio n
341
14.1.1. O verview o f Lo g g ing
341
14.1.2. Ap p lic atio n Lo g g ing Framewo rks Sup p o rted By JBo s s Lo g Manag er
14.1.3. Co nfig ure Bo o t Lo g g ing
341
341
342
342
342
343
345
345
346
14.1.11. Ab o ut the Ro o t Lo g g er
14.1.12. Ab o ut Lo g Hand lers
14.1.13. Typ es o f Lo g Hand lers
346
346
346
14.1.14. Ab o ut Lo g Fo rmatters
14.1.15. Lo g Fo rmatter Syntax
347
348
348
349
349
351
354
357
36 1
36 6
371
375
376
377
377
377
378
378
378
379
38 0
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
14.5.4. Sp ec ify a Lo g g ing Pro file in an Ap p lic atio n
14.5.5. Examp le Lo g g ing Pro file Co nfig uratio n
14.6 . Lo g g ing Co nfig uratio n Pro p erties
14.6 .1. Ro o t Lo g g er Pro p erties
14.6 .2. Lo g Categ o ry Pro p erties
38 0
38 1
38 2
38 2
38 2
38 3
38 3
38 4
38 5
38 6
38 6
38 6
38 7
38 7
38 7
38 7
38 8
38 8
. .hapt
C
. . . .er
. .1. 5.
. . Infinispan
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
. . 9. . . . . . . . . .
15.1. Ab o ut Infinis p an
38 9
15.2. Clus tering mo d es
38 9
15.3. Cac he Co ntainers
15.4. Cac he Sto res
39 0
39 2
39 2
39 3
39 3
15.6 .2. Enab le Infinis p an Statis tic s Co llec tio n fro m the Manag ement CLI
15.6 .3. Verify Infinis p an Statis tic s Co llec tio n is Enab led
15.7. JG ro up s
15.7.1. Ab o ut JG ro up s
39 3
39 4
39 4
39 4
. .hapt
C
. . . .er
. .1. 6. .. JVM
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
. . 6. . . . . . . . . .
16 .1. Ab o ut JVM
39 6
16 .1.1. Ab o ut JVM Setting s
16 .1.2. Dis p lay the JVM Status in the Manag ement Co ns o le
39 6
39 7
39 8
. .hapt
C
. . . .er
. .1. 7. .. Web
. . . . Subsyst
. . . . . . . .em
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0. 1. . . . . . . . . .
17.1. Co nfig ure the Web Sub s ys tem
40 1
17.2. Rep lac e the Default Welc o me Web Ap p lic atio n
40 5
. .hapt
C
. . . .er
. .1. 8. .. Web
. . . . Services
. . . . . . . . Subsyst
. . . . . . . .em
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0. 7. . . . . . . . . .
18 .1. Co nfig ure Web Servic es O p tio ns
40 7
. .hapt
C
. . . .er
. .1. 9. .. HT
. . .T. P
. .Clust
. . . . .ering
. . . . .and
. . . Load
. . . . . Balancing
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0. 9. . . . . . . . . .
19 .1. Intro d uc tio n
40 9
19 .1.1. Ab o ut Hig h-Availab ility and Lo ad Balanc ing Clus ters
19 .1.2. Co mp o nents Whic h Can Benefit fro m Hig h Availab ility
19 .1.3. O verview o f HTTP Co nnec to rs
19 .1.4. Wo rker No d e
19 .2. Co nnec to r Co nfig uratio n
410
411
412
412
415
40 9
40 9
415
416
416
418
420
424
9 .3.6 . Co nfig ure JBo s s EAP 6 to Ac c ep t Req ues ts Fro m External Web Servers
1
19 .4. Clus tering
19 .4.1. Us e TCP Co mmunic atio n fo r the Clus tering Sub s ys tem
19 .4.2. Co nfig ure the JG ro up s Sub s ys tem to Us e TCP
19 .4.3. Dis ab le Ad vertis ing fo r the mo d _c lus ter Sub s ys tem
9 .4.4. Switc h UDP to TCP fo r Ho rnetQ Clus tering
1
19 .5. Web , HTTP Co nnec to rs , and HTTP Clus tering
19 .5.1. Ab o ut the mo d _c lus ter HTTP Co nnec to r
424
426
426
427
429
431
432
432
458
459
459
46 0
46 0
19 .6 .4. Ins tall the Mo d _jk Mo d ule Into the Ap ac he HTTP Server (RPM)
19 .6 .5. Co nfig uratio n Referenc e fo r Ap ac he Mo d _jk Wo rkers
46 4
46 7
19 .7. Ap ac he mo d _p ro xy
19 .7.1. Ab o ut the Ap ac he mo d _p ro xy HTTP Co nnec to r
19 .7.2. Ins tall the Mo d _p ro xy HTTP Co nnec to r into Ap ac he HTTP Server
46 9
46 9
46 9
19 .8 . Mic ro s o ft ISAPI
19 .8 .1. Ab o ut the Internet Server API (ISAPI) HTTP Co nnec to r
472
472
19 .8 .2. Do wnlo ad and Extrac t Web s erver Co nnec to r Natives fo r Mic ro s o ft IIS
19 .8 .3. Co nfig ure Mic ro s o ft IIS to Us e the ISAPI Red irec to r
19 .8 .4. Co nfig ure the ISAPI Red irec to r to Send Client Req ues ts to JBo s s EAP 6
19 .8 .5. Co nfig ure ISAPI to Balanc e Client Req ues ts Ac ro s s Multip le JBo s s EAP 6 Servers
19 .9 . O rac le NSAPI
472
473
474
477
479
479
48 0
48 1
48 3
. .hapt
C
. . . .er
. .2. 0. .. Messaging
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.8. 6. . . . . . . . . .
2 0 .1. Intro d uc tio n
48 6
2 0 .1.1. Ho rnetQ
2 0 .1.2. Ab o ut Java Mes s ag ing Servic e (JMS)
2 0 .1.3. Sup p o rted Mes s ag ing Styles
2 0 .2. Co nfig uratio n o f Trans p o rts
2 0 .2.1. Ab o ut Ac c ep to rs and Co nnec to rs
48 6
48 6
48 6
48 7
48 7
48 7
49 0
49 1
49 3
49 4
49 4
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
2 0 .4. Dead Co nnec tio n Detec tio n
2 0 .4.1. Clo s ing Dead Co nnec tio n Res o urc es o n the Server
2 0 .4.2. Detec ting Client Sid e Failure
49 4
49 4
49 6
49 7
49 7
49 7
49 8
49 9
49 9
49 9
49 9
50 0
2 0 .7. Diverts
2 0 .7.1. Exc lus ive Divert
2 0 .7.2. No n-exc lus ive Divert
50 1
50 2
50 2
2 0 .8 . Co nfig uratio n
2 0 .8 .1. Co nfig ure the JMS Server
50 3
50 3
50 8
512
512
513
514
516
516
517
517
523
2 0 .9 . Mes s ag e G ro up ing
2 0 .9 .1. Ab o ut Mes s ag e G ro up ing
2 0 .9 .2. Us ing Ho rnetQ Co re API o n Client Sid e
2 0 .9 .3. Co nfig uring Server fo r Java Mes s ag ing Servic e (JMS) Clients
2 0 .9 .4. Clus tered G ro up ing
0 .9 .5. Bes t Prac tic es fo r Clus tered G ro up ing
2
2 0 .10 . Dup lic ate Mes s ag e Detec tio n
2 0 .10 .1. Ab o ut Dup lic ate Mes s ag e Detec tio n
2 0 .10 .2. Us ing Dup lic ate Mes s ag e Detec tio n fo r Send ing Mes s ag es
2 0 .10 .3. Co nfig uring Dup lic ate ID Cac he
524
525
526
526
526
527
528
0 .10 .4. Us ing Dup lic ate Detec tio n with Brid g es and Clus ter Co nnec tio ns
2
2 0 .11. JMS Brid g es
2 0 .11.1. Ab o ut Brid g es
528
528
528
529
531
531
532
533
2 0 .13.2. Bro ad c as t G ro up s
2 0 .13.2.1. Us er Datag ram Pro to c o l (UDP) Bro ad c as t G ro up
533
534
0 .13.2.2. JG ro up s Bro ad c as t G ro up
2
2 0 .13.3. Dis c o very G ro up s
2 0 .13.3.1. Co nfig uring Us er Datag ram Pro to c o l (UDP) Dis c o very G ro up o n the Server
535
536
536
537
538
10
524
524
524
539
539
539
539
542
543
543
544
544
545
546
546
547
548
. .hapt
C
. . . .er
. .2. 1. .. T
. .ransact
. . . . . . ion
. . . .Subsyst
. . . . . . .em
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
. . 9. . . . . . . . . .
2 1.1. Trans ac tio n Sub s ys tem Co nfig uratio n
2 1.1.1. Trans ac tio ns Co nfig uratio n O verview
549
549
549
553
554
555
556
557
557
56 1
56 1
56 1
56 2
56 2
56 2
56 3
56 3
. .hapt
C
. . . .er
. .2. 2. .. Mail
. . . . subsyst
. . . . . . . em
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
. . 5. . . . . . . . . .
2 2.1. Us e c us to m trans p o rts in mail s ub s ys tem
56 5
. .hapt
C
. . . .er
. .2. 3.
. . Ent
. . . erprise
. . . . . . .JavaBeans
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
. . 7. . . . . . . . . .
2 3.1. Intro d uc tio n
56 7
2 3.1.1. O verview o f Enterp ris e JavaBeans
2 3.1.2. O verview o f Enterp ris e JavaBeans fo r Ad minis trato rs
2 3.1.3. Enterp ris e Beans
56 7
56 7
56 7
56 8
56 8
56 8
56 8
56 8
570
571
572
573
573
573
574
575
577
577
11
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
2 3.4.1. Ses s io n Bean Ac c es s Timeo ut
2 3.4.2. Set Default Ses s io n Bean Ac c es s Timeo ut Values
2 3.5. Co nfig uring Mes s ag e-Driven Beans
2 3.5.1. Set Default Res o urc e Ad ap ter fo r Mes s ag e-Driven Beans
577
577
578
578
579
579
579
58 0
58 0
3.7.2. Co nfig ure the EJB3 As ync hro no us Invo c atio n Servic e Thread Po o l
2
2 3.8 . Co nfig uring the EJB3 Remo te Invo c atio n Servic e
2 3.8 .1. EJB3 Remo te Servic e
2 3.8 .2. Co nfig ure the EJB3 Remo te Servic e
2 3.9 . Co nfig uring EJB 2.x Entity Beans
58 0
58 1
58 1
58 1
58 1
58 1
58 1
58 1
58 2
58 4
. .hapt
C
. . . .er
. .2. 4. .. Java
. . . . .Connect
. . . . . . . or
. . Archit
. . . . . .ect
. . .ure
. . .(JCA)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
. . 5. . . . . . . . . .
2 4.1. Intro d uc tio n
2 4.1.1. Ab o ut the Java EE Co nnec to r API (JCA)
2 4.1.2. Java Co nnec to r Arc hitec ture (JCA)
2 4.1.3. Res o urc e Ad ap ters
2 4.2. Co nfig ure the Java Co nnec to r Arc hitec ture (JCA) Sub s ys tem
58 5
58 5
58 5
58 5
58 6
59 1
59 2
59 7
601
601
602
608
608
. .hapt
C
. . . .er
. .2. 5.
. . Deploy
. . . . . . .JBoss
. . . . . .EAP
. . . .6. on
. . . Amaz
. . . . .on
. . .EC2
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6. 1. 3. . . . . . . . . .
2 5.1. Intro d uc tio n
6 13
2 5.1.1. Ab o ut Amaz o n EC2
6 13
2 5.1.2. Ab o ut Amaz o n Mac hine Ins tanc es (AMIs )
2 5.1.3. Ab o ut JBo s s Clo ud Ac c es s
2 5.1.4. JBo s s Clo ud Ac c es s Features
2 5.1.5. Sup p o rted Amaz o n EC2 Ins tanc e Typ es
2 5.1.6 . Sup p o rted Red Hat AMIs
2 5.2. Dep lo ying JBo s s EAP 6 o n Amaz o n EC2
2 5.2.1. O verview o f Dep lo ying JBo s s EAP 6 o n Amaz o n EC2
2 5.2.2. No n-c lus tered JBo s s EAP 6
2 5.2.2.1. Ab o ut No n-c lus tered Ins tanc es
2 5.2.2.2. No n-c lus tered Ins tanc es
2 5.2.2.2.1. Launc h a No n-c lus tered JBo s s EAP 6 Ins tanc e
2 5.2.2.2.2. Dep lo y an Ap p lic atio n o n a no n-c lus tered JBo s s EAP 6 Ins tanc e
2 5.2.2.2.3. Tes t the No n-c lus tered JBo s s EAP 6 Ins tanc e
2 5.2.2.3. No n-c lus tered Manag ed Do mains
2 5.2.2.3.1. Launc h an Ins tanc e to Serve as a Do main Co ntro ller
2 5.2.2.3.2. Launc h O ne o r Mo re Ins tanc es to Serve as Ho s t Co ntro llers
2 5.2.2.3.3. Tes t the No n-Clus tered JBo s s EAP 6 Manag ed Do main
12
6 13
6 13
6 13
6 14
6 14
6 15
6 15
6 15
6 15
6 15
6 15
6 17
6 18
6 19
6 19
6 21
6 23
6 23
6 24
6 25
6 25
2 5.2.3.6 . Co nfig ure the VPC Private Sub net Default Ro ute
2 5.2.3.7. Ab o ut Id entity and Ac c es s Manag ement (IAM)
2 5.2.3.8 . Co nfig ure IAM Setup
2 5.2.3.9 . Ab o ut the S3 Buc ket
2 5.2.3.10 . Co nfig ure S3 Buc ket Setup
6 30
6 30
6 30
6 31
6 31
6 33
6 33
6 36
6 37
6 37
6 39
6 41
6 43
6 43
6 43
6 44
6 44
6 44
6 45
6 45
6 45
6 46
6 48
6 49
6 49
6 49
.Supplement
. . . . . . . . . . al
. . References
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6. 50
...........
A .1. Do wnlo ad Files fro m the Red Hat Cus to mer Po rtal
6 50
A .2. Co nfig ure the Default JDK o n Red Hat Enterp ris e Linux
6 50
. . . . . . . . .Hist
Revision
. . . ory
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6. 53
...........
13
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Preface
1. Document Convent ions
This manual uses several conventions to highlight certain words and phrases and draw attention to
specific pieces of information.
14
Preface
Desktop
Desktop1
photos
scripts
stuff
svgs
svn
Source-code listings are also set in mo no -spaced ro man but add syntax highlighting as follows:
static int kvm_vm_ioctl_deassign_device(struct kvm *kvm,
int r = 0;
15
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
before, "
kvm_deassign_device(kvm, match);
kvm_free_assigned_device(kvm, match);
o ut:
mutex_unlock(& kvm->lock);
return r;
Note
Notes are tips, shortcuts or alternative approaches to the task at hand. Ignoring a note should
have no negative consequences, but you might miss out on a trick that makes your life easier.
Important
Important boxes detail things that are easily missed: configuration changes that only apply to
the current session, or services that need restarting before an update will apply. Ignoring a
box labeled Important will not cause data loss but may cause irritation and frustration.
Warning
Warnings should not be ignored. Ignoring warnings will most likely cause data loss.
16
Preface
Red Hat also hosts a large number of electronic mailing lists for discussion of Red Hat software and
technology. You can find a list of publicly available mailing lists at
https://www.redhat.com/mailman/listinfo. Click on the name of any mailing list to subscribe to that list
or to access the list archives.
17
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Chapter 1. Introduction
1.1. About Red Hat JBoss Ent erprise Applicat ion Plat form 6
Red Hat JBoss Enterprise Application Platform 6 (JBoss EAP 6) is a middleware platform built on
open standards and compliant with the Java Enterprise Edition 6 specification. It integrates JBoss
Application Server 7 with high-availability clustering, messaging, distributed caching, and other
technologies.
JBoss EAP 6 includes a new, modular structure that allows service enabling only when required,
improving start-up speed.
The Management Console and Management Command Line Interface make editing XML
configuration files unnecessary and add the ability to script and automate tasks.
In addition, JBoss EAP 6 includes APIs and development frameworks for quickly developing secure
and scalable Java EE applications.
Report a bug
D escrip t io n
Java Certification
Managed D omain
18
Feat u re
D escrip t io n
Report a bug
19
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The host controller on each host interacts with the domain controller to control the lifecycle of the
application server instances running on its host and to assist the domain controller to manage them.
Each host can contain multiple server groups.
A server group is a set of server instances which have JBoss EAP 6 installed on them and are
managed and configured as one. The domain controller manages the configuration of and
applications deployed onto server groups. Consequently, each server in a server group shares the
same configuration and deployments.
It is possible for a domain controller, a single host controller, and multiple servers to run within the
same JBoss EAP 6 instance, on the same physical system.
Host controllers are tied to specific physical (or virtual) hosts. You can run multiple host controllers
on the same hardware if you use different configurations, ensuring their ports and other resources do
not conflict.
20
By default, the central management policy is stored in the d o mai n/co nfi g urati o n/d o mai n. xml
file. This file is in the unzipped JBoss EAP 6 installation file, on the domain controller's host's
filesystem.
A d o mai n. xml file must be located in the d o mai n/co nfi g urati o n/ directory of the host
controller set to run as the domain controller. This file is not mandatory for installations on host
controllers that are not meant to run as a domain controller. The presence of a d o mai n. xml file on
such a server does no harm, however.
The d o mai n. xml file contains the profile configurations that can be run on the server instances in a
domain. A profile configuration includes the detailed settings of the various subsystems that
comprise a profile. The domain configuration also includes the definition of socket groups and the
server group definitions.
Report a bug
<remote security-realm="ManagementRealm">
<discovery-options>
</discovery-options>
</remote>
< /domain-controller>
A static discovery option includes the following mandatory attributes:
n ame
The name for this domain controller discovery option
h o st
The remote domain controller's host name.
p o rt
The remote domain controller's port.
21
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
In the example above, the first discovery option is the one expected to succeed. The second can be
used in failover situations.
If a problem arises with the primary domain controller, a host controller that was started with the -backup option can be promoted to act as the domain controller.
Note
Starting a host controller with the --backup option will cause that controller to maintain a
local copy of the domain configuration. This configuration will be used if the host controller is
reconfigured to act as the domain controller.
22
How the host controller contacts the domain controller to register itself and access the domain
configuration.
How to find and contact a remote domain controller.
That the host controller is to act as the domain controller
Configurations specific to the local physical installation. For example, named interface definitions
declared in d o mai n. xml can be mapped to an actual machine-specific IP address in
ho st. xml . And abstract path names in domain.xml can be mapped to actual filesystem paths in
ho st. xml .
Report a bug
23
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
jvm: the default JVM settings for all servers in the group. The host controller merges these settings
with any other configuration provided in ho st. xml to derive the settings used to launch the
server's JVM.
Report a bug
24
25
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
26
Note
You may need to configure your firewall to run this example.
You can create managed domain on two machines, wherein one machine is a domain controller and
the other machine is a host. For more information, refer Section 1.6, About the D omain Controller .
IP1 = IP address of the domain controller (Machine 1)
27
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
28
http://$IP2:8080/
http://$IP2:8230/
Report a bug
2.1.6. St art JBoss EAP 6 wit h an Alt ernat ive Configurat ion
If you do not specify a configuration file, the server starts with the default file. However, when you start
the server, you can specify a configuration manually. The process varies slightly, depending on
whether you are using a Managed D omain or Standalone Server, and depending on which
operating system you are using.
Prereq u isit es
Before using an alternate configuration file, prepare it using the default configuration as a
template. For a Managed D omain, the configuration file needs to be placed in the
EAP_HOME/d o mai n/co nfi g urati o n/ directory. For a Standalone Server, the configuration
file should be placed in the EAP_HOME/stand al o ne/co nfi g urati o n/ directory.
Example configurations
Several example configurations are included in the EAP_HOME/d o cs/exampl es/co nfi g s/
directory. Use these examples to enable extra features such as clustering or the Transactions
XTS API.
Some of the example configurations must be modified before being used. The following
configuration files produce errors if they are used without being modified: stand al o nepi cketl i nk. xml , stand al o ne-g eneri cjms. xml and stand al o ne-ho rnetq co l o cated . xml .
29
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
2. Man ag ed D o main
For a Managed D omain, provide the file name of the configuration file as an option to the -domain-config parameter. The file must be present in the
EAP_HOME/d o mai n/co nfi g urati o n/ directory, and you need to specify the path relative
to that directory.
This example uses the EAP_HOME\d o mai n\co nfi g urati o n\d o mai nal ternate. xml configuration file.
R esu lt
JBoss Enterprise Application Platform is now running, using your alternate configuration file.
Report a bug
30
Note
For information on how to stop a server or server group in a Managed D omain see
Section 2.2.3, Stop a Server Using the Management Console . For information on how to
stop a server using the Management CLI, see Section 2.2.1, Start and Stop Servers Using the
Management CLI .
31
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
$ jps -v
12155 jboss-modules.jar -D [Server: server-o ne] XX:PermSize=256m -XX:MaxPermSize=256m -Xms1303m
...
1219 6 jboss-modules.jar -D [Server: server-two ] XX:PermSize=256m -XX:MaxPermSize=256m -Xms1303m
...
120 9 6 jboss-modules.jar -D [Ho st C o ntro l l er] -Xms64m Xmx512m -XX:MaxPermSize=256m
...
11872 Mai n -Xms128m -Xmx750m -XX:MaxPermSize=350m XX:ReservedCodeCacheSize=96m -XX:+UseCodeCacheFlushing
...
1124 8 jboss-modules.jar -D [Stand al o ne] XX:+UseCompressedOops -verbose:gc
...
1289 2 Jps
...
120 80 jboss-modules.jar -D [P ro cess C o ntro l l er] -Xms64m Xmx512m -XX:MaxPermSize=256m
...
The ps aux command can also be used to return information about multiple EAP
instances.
Below is an abridged output from a verbose ps aux command identifying the
different EAP processes running by PID and role:
$ ps aux | grep java
username 120 80 0.1 0.9 3606588 36772 pts/0
Sl+ 10:09
0:01 /path/to/java -D [P ro cess C o ntro l l er] -server -Xms128m
-Xmx128m -XX:MaxPermSize=256m
...
username 120 9 6 1.0 4.1 3741304 158452 pts/0 Sl+ 10:09
0:13 /path/to/java -D [Ho st C o ntro l l er] -Xms128m -Xmx128m XX:MaxPermSize=256m
...
username 12155 1.7 8.9 4741800 344224 pts/0 Sl+ 10:09
0:22 /path/to/java -D [Server: server-o ne] -XX:PermSize=256m
-XX:MaxPermSize=256m -Xms1000m -Xmx1000m -server ...
username 1219 6 1.8 9.4 4739612 364436 pts/0 Sl+ 10:09
0:22 /path/to/java -D [Server: server-two ] -XX:PermSize=256m
-XX:MaxPermSize=256m -Xms1000m -Xmx1000m -server
...
32
In the above examples, the Pro cess C o n t ro ller processes are the processes to stop
in order to stop the entire domain.
The g rep utility can be used with either of these commands to identify the Pro cess
C o n t ro ller:
jps -v | g rep "P ro cess C o ntro l l er"
ps aux | g rep "P ro cess C o ntro l l er"
Send the process the T ER M signal, by running ki l l PID, where PID is the process ID
identified by one of the commands above.
R esu lt
Each of these alternatives shuts JBoss EAP 6 down cleanly so that data is not lost.
Report a bug
2.1.8. Reference of Swit ches and Argument s t o pass at Server Runt ime
The application server startup script accepts the addition of arguments and switches at runtime. The
use of these parameters allows for the server to be started under alternative configurations to those
defined in the stand al o ne. xml , d o mai n. xml and ho st. xml configuration files. This might
include starting the server with an alternative set of socket bindings or a secondary configuration. A
list of these available parameters can be accessed by passing the help switch at startup.
Examp le 2.5.
The following example is similar to the server startup explained in Section 2.1.2, Start JBoss EAP
6 as a Standalone Server and Section 2.1.3, Start JBoss EAP 6 as a Managed D omain , with
the addition of the -h or --help switches. The results of the help switch are explained in the table
below.
Standalone mode:
[localhost bin]$ stand al o ne. sh -h
D omain mode:
[localhost bin]$ d o mai n. sh -h
Mo d e
D escrip t io n
--ad mi n-o nl y
Standalone
33
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Mo d e
D escrip t io n
--ad mi n-o nl y
D omain
Standalone,
D omain
Standalone,
D omain
D omain
Standalone
Standalone
Standalone,
D omain
D omain
D omain
D omain
Standalone,
D omain
D omain
D omain
D omain
D omain
Standalone
34
D omain
Mo d e
D escrip t io n
D omain
D omain
Standalone,
D omain
D omain
D omain
Standalone
Standalone
Standalone,
D omain
Standalone,
D omain
Report a bug
35
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
If you are running a Managed D omain, the Management Console allows you to selectively start or
stop specific servers in the domain. This includes server groups across the whole of the domain, as
well as specific server instances on a host.
Report a bug
36
2. From the list of Server Instances, select the server you want to start. Servers that are
running are indicated by a check mark.
Hover the cursor over an instance in this list to show options in blue text below the server's
details.
3. To start the instance, click on the St art Server text when it appears. A confirmation dialogue
box will open. Click C o nfi rm to start the server.
R esu lt
The selected server is started and running.
Report a bug
37
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
JBoss EAP 6 automatically provides a number of standard paths without any need for the user to
configure them in a configuration file.
T ab le 2.2. St an d ard Pat h s
Valu e
D escrip t io n
O verrid e a Pat h
If you are running a standalone server, you can override the jbo ss. server. base. d i r,
jbo ss. server. l o g . d i r, or jbo ss. server. co nfi g . d i r paths in one of two ways.
1. You can pass arguments on the command line when you start the server. For example:
bi n/stand al o ne. sh -D jbo ss. server. l o g . d i r= /var/l o g
2. You can modify the JAVA_O P T S variable in the server configuration file. Open the
EAP_HOME/bi n/stand al o ne. co nf file and add the following line at the end of the file:
JAVA_OPTS="$JAVA_OPTS Djboss.server.log.dir=/var/log"
Path overrides are not supported for servers running in a managed domain.
Ad d a C u st o m Pat h
You can also create your own custom path. For example, you may want to define a relative path to
use for logging:
my. rel ati ve. path= /var/l o g
You can then change the log handler to use my. rel ati ve. path,
Report a bug
38
Lo cat io n
domain.xml
host.xml
host-master.xml
host-slave.xml
standalone.xml
Pu rp o se
39
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Server mo d e
Lo cat io n
Pu rp o se
standalone-full.xml
EAP_HOME/stand al o ne/co n
fi g urati o n/stand al o neful l . xml
standalone-ha.xml
EAP_HOME/stand al o ne/co n
fi g urati o n/stand al o neha. xml
standalone-full-ha.xml
EAP_HOME/stand al o ne/co n
fi g urati o n/stand al o neful l -ha. xml
This is an example
configuration for a standalone
server. It includes support for
every possible subsystem
except for those required for
high availability. To use it, stop
your server and restart using
the following command:
EAP_HOME/bi n/stand al o ne
. sh -c stand al o neful l . xml
This example configuration file
enables all of the default
subsystems and adds the
mo d _cl uster and JGroups
subsystems for a standalone
server, so that it can participate
in a high-availability or loadbalancing cluster. This file is
not applicable for a managed
domain. To use this
configuration, stop your server
and restart using the following
command:
EAP_HOME/bi n/stand al o ne
. sh -c stand al o neha. xml
This is an example
configuration for a standalone
server. It includes support for
every possible subsystem,
including those required for
high availability. To use it, stop
your server and restart using
the following command:
EAP_HOME/bi n/stand al o ne
. sh -c stand al o ne-ful l ha. xml
These are only the default locations. You can specify a different configuration file at runtime.
Report a bug
40
41
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
${jms. co nnecti o n. parameters: ' ho st= 10 . 10 . 6 4 . 1;po rt= 54 4 5' } allows the connection
parameters to be overridden by a command-line supplied parameter, while providing a default value.
Report a bug
42
43
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
1. Identify the backed up version that you want to start. This example will recall the instance of
the server model prior to the first modification after successfully booting up.
EAP_HOME/stand al o ne/co nfi g urati o n/stand al o ne_xml _hi sto ry/current/s
tand al o ne. v1. xml
2. Start the server with this configuration of the backed up model by passing in the relative
filename under jbo ss. server. co nfi g . d i r.
EAP_HOME/bi n/stand al o ne. sh --serverco nfi g = stand al o ne_xml _hi sto ry/current/stand al o ne. v1. xml
R esu lt
The application server starts with the selected configuration.
Note
The domain configuration history is located in
EAP_HOME/d o mai n/co nfi g urati o n/d o mai n_xml _hi sto ry/current/d o mai n. v1. xm
l
Start the server with this configuration of the backed up model by passing the relative filename
under jboss.domain.config.dir.
To start the domain with this configuration:
EAP_HOME/bin/domain.sh --domainconfig=domain_xml_history/current/domain.v1.xml
Report a bug
44
45
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Configuration snapshots are a point-in-time copy of the current server configuration. These copies
can be saved and loaded by the administrator.
The following examples use the stand al o ne. xml file, but the same process applies to the
d o mai n. xml and ho st. xml files.
Pro ced u re 2.16 . D elet e a Sp ecif ic Sn ap sh o t
1. Identify the snapshot to be deleted. This example will delete the following file from the
snapshot directory.
EAP_HOME/standalone/configuration/standalone_xml_history/snapshot/2
0110630-165714239standalone.xml
2. Run the : d el ete-snapsho t command to delete a specific snapshot, specifying the name of
the snapshot as in the example below.
[standalone@ localhost:9999 /] : d el ete-snapsho t(name= "20110630165714239standalone.xml")
{"outcome" => "success"}
R esu lt
The snapshot has been deleted.
Pro ced u re 2.17. D elet e All Sn ap sh o t s
Run the : d el ete-snapsho t(name= "al l ") command to delete all snapshots as in the
example below.
[standalone@ localhost:9999 /] : d el ete-snapsho t(name= "al l ")
{"outcome" => "success"}
R esu lt
All snapshots have been deleted.
Report a bug
2.4 .9. List All Configurat ion Snapshot s Using Management CLI
Prereq u isit es
Section 3.5.2, Launch the Management CLI
Configuration snapshots are a point-in-time copy of the current server configuration. These copies
can be saved and loaded by the administrator.
The following example uses the stand al o ne. xml file, but the same process applies to the
d o mai n. xml and ho st. xml files.
Pro ced u re 2.18. List All C o n f ig u rat io n Sn ap sh o t s
List all sn ap sh o t s
46
47
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The web console is served through the same port as the HTTP management API. It is important to
distinguish between the Management Console accessed as on a default localhost, the Management
Console as accessed remotely by a specific host and port combination, and the exposed domain
API.
T ab le 3.1. U R Ls t o access t h e Man ag emen t C o n so le
48
URL
D escrip t io n
N at ive API
An example of a Native API tool is the Management CLI. This management tool is available for a
Managed D omain or Standalone Server instance, allowing the a user to connect to the domain
controller or a Standalone Server instance and execute management operations available through
the de-typed management model.
The Native API endpoint is the entry point for management clients that rely on the native protocol to
integrate with the management layer. It uses an open binary protocol and an RPC-style API based on
a very small number of Java types to describe and execute management operations. It's used by the
Management CLI management tool, but offers integration capabilities for a wide range of other clients
too.
The Native API endpoint is co-located with either a host controller or a Standalone Server. It must be
enabled to use the Management CLI. By default, it runs on port 9999.
Report a bug
49
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
Note
Port 9990 is predefined as the Management Console socket binding.
2. Enter the username and password of the account that you created previously to log in to the
Management Console login screen.
50
R esu lt
Once logged in, you are redirected to the following address and the the Management Console
landing page appears: http://localhost:9990/console/App.html#home
Report a bug
51
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
console. The Google Analytics feature aims to help Red Hat EAP team understand how the customers
are using the console and which parts of the console matter the most to the customers. This
information will in-turn help the team adapt the console design, features and content to the immediate
needs of the customers.
Report a bug
52
53
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Note
Google Analytics is disabled by default in EAP 6.3 console and its usage is optional
Report a bug
54
55
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
R esu lt
The new server is created and listed in the Server C o nfi g urati o ns list.
Report a bug
56
57
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
[domain@ localhost:9999 /] q ui t
Report a bug
58
From the Management CLI, enter the hel p -co mmand s extended command:
[standalone@ localhost:9999 /] hel p --co mmand s
3. For a more detailed description of a specific command, enter the command, followed by -help.
[standalone@ localhost:9999 /] deploy --hel p
R esu lt
The CLI help information is displayed.
Report a bug
59
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Refer to Section 3.5.7, CLI Batch Mode Commands for a full list of commands available for
working with batches.
4. B at ch co mman d s st o red in ext ern al f iles
Frequently run batch commands can be stored in an external text file and can either be
loaded by passing the full path to the file as an argument to the batch command or executed
directly by being an argument to the run-batch command.
You can create a batch command file using a text editor. Each command must be on a line by
itself and the CLI should be able to access it.
The following command will load a myscri pt. txt file in the batch mode. All commands in
this file will now be accessible to be edited or removed. New commands can be inserted.
Changes made in this batch session do not persist to the myscri pt. txt file.
[standalone@ localhost:9999 /] batch --file=myscript.txt
The following will instantly run the batch commands stored in the file myscri pt. txt
[standalone@ localhost:9999 /] run-batch --file=myscript.txt
R esu lt
The entered sequence of operation requests is completed as a batch.
Report a bug
D escrip t io n
list-batch
remove-batch-line linenumber
60
C o mman d N ame
D escrip t io n
holdback-batch [batchname]
discard-batch
Report a bug
61
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
node-name is the resource node name. This maps to the name attribute of the
element in the configuration XML.
Separate each level of the resource tree with a slash (/).
Refer to the configuration XML files to determine the required address. The
EAP_HOME/stand al o ne/co nfi g urati o n/stand al o ne. xml file holds the
configuration for a standalone server and the
EAP_HOME/d o mai n/co nfi g urati o n/d o mai n. xml and
EAP_HOME/d o mai n/co nfi g urati o n/ho st. xml files hold the configuration for a
managed domain.
b. D et ermin e t h e o p erat io n
Operations differ for each different type of resource node. An operation uses the
following syntax:
:operation-name
operation-name is the name of the operation to request.
Use the read -o perati o n-names operation on any resource address in a
standalone server to list the available operations.
62
"read-resource",
"read-resource-description",
"remove",
"undefine-attribute",
"whoami",
"write-attribute"
]
}
63
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Once the address, operation, and any parameters have been determined, enter the full
operation request.
R esu lt
The management interface performs the operation request on the server configuration.
Report a bug
64
Warning
Red Hat recommends that you explicitly disable SSL in favor of TLSv1.1 or TLSv1.2
in all affected packages.
65
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
received and allow them to be stored in the truststore. Type: Boolean. D efault:
true.
vaul tT ype
If neither co d e nor mo d ul e are specified, the default implementation will be used. If co d e
is specified but not mo d ul e, it will look for the specified class in the Picketbox module. If
mo d ul e an d co d e are specified, it will look for the class specified by co d ein the module
specified by 'module'.
co d e
Type: String.
mo d u le
Type: String
si l ent
Specifies if informational and error messages are to be output to the terminal. Even if the
fal se is specified, the messages will still be logged using the logger if its configuration
allows and/or if the output target was specified as part of the command line using >.
D efault: Fal se.
Report a bug
D escrip t io n
batch
66
C o mman d
D escrip t io n
cd
Changes the current node path to the argument. The current node
path is used as the address for operation requests that do not
contain the address part. If an operation request does include the
address, the included address is considered relative to the
current node path. The current node path may end on a nodetype. In that case, to execute an operation specifying a nodename would be sufficient, such as logging:read-resource.
Clears the screen.
Allows you to add new, remove and list existing generic type
commands. A generic type command is a command that is
assigned to a specific node type and which allows you to perform
any operation available for an instance of that type. It can also
modify any of the properties exposed by the type on any existing
instance.
Connects to the controller on the specified host and port.
D efines a connection factory.
Manages JD BC datasource configurations in the datasource
subsystem.
D eploys the application designated by the file path or enables an
application that is pre-existing but disabled in the repository. If
executed without arguments, this command will list all the existing
deployments.
D isplays the help message. Can be used with the --commands
argument to provide context sensitive results for the given
commands.
D isplays the CLI command history in memory and displays a
status of whether the history expansion is enabled or disabled.
Can be used with arguments to clear, disable and enable the
history expansion as required.
D efines a JMS queue in the messaging subsystem.
D efines a JMS topic in the messaging subsystem.
List the contents of the node path. By default the result is printed
in columns using the whole width of the terminal. Using the -l
switch will print results on one name per line.
Prints the full node path of the current working node.
Terminates the command line interface.
Prints the value and, depending on the arguments, the
description of the attribute of a managed resource.
D isplays the description of a specified operation, or lists all
available operations if none is specified.
Undeploys an application when run with the name of the intended
application. Can be run with arguments to remove the application
from the repository also. Prints the list of all existing deployments
when executed without an application specified.
Prints the application server version and environment
information.
Manages JD BC XA datasource configuration in the datasource
subsystem.
cl ear
co mmand
co nnect
co nnecti o n-facto ry
d ata-so urce
d epl o y
hel p
hi sto ry
jms-q ueue
jms-to pi c
ls
pwd
q ui t
read -attri bute
read -o perati o n
und epl o y
versi o n
xa-d ata-so urce
Report a bug
67
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
D escrip t io n
ad d -namespace
ad d -schema-l o cati o n
d el ete-snapsho t
ful l -repl aced epl o yment
l i st-snapsho ts
read -attri bute
read -chi l d ren-names
read -chi l d ren-reso urces
read -chi l d ren-types
read -co nfi g -as-xml
read -o perati o nd escri pti o n
read -o perati o n-names
read -reso urce
read -reso urced escri pti o n
rel o ad
remo ve-namespace
remo ve-schema-l o cati o n
repl ace-d epl o yment
reso l ve-expressi o n
68
D isplays the names of all the operations for the given resource.
D isplays a model resource's attribute values along with either
basic or complete information about any child resources.
D isplays the description of a resource's attributes, types of
children and operations.
Reloads the server by shutting all services down and restarting.
Removes a namespace prefix mapping from the namespaces
attribute map.
Removes a schema location mapping from the schema-locations
attribute map.
Replace existing content in the runtime with new content. The new
content must have been previously uploaded to the deployment
content repository.
Operation that accepts an expression as input or a string that
can be parsed into an expression, and resolves it against the
local system properties and environment variables.
Takes a set of interface resolution criteria and finds an IP
address on the local machine that matches the criteria, or fails if
no matching IP address can be found.
O p erat io n N ame
D escrip t io n
server-set-restartreq ui red
shutd o wn
start-servers
sto p-servers
take-snapsho t
upl o ad -d epl o ymentbytes
Report a bug
69
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
From the Management CLI, use the read -attri bute operation to display the value of a resource
attribute. For more details on operation requests, refer to the topic Section 3.5.8, Use Operations
and Commands in the Management CLI .
[standalone@ localhost:9999 /]: read -attri bute(name= name-of-attribute)
An advantage of the read -attri bute operation is the ability to expose the current runtime value of
a specific attribute. Similar results can be achieved with the read -reso urce operation, but only with
the addition of the i ncl ud e-runti me request property, and only as part of a list of all available
resources for that node. The read -attri bute operation is intended for fine-grained attribute
queries, as the following example shows.
Examp le 3.7. R u n t h e read -attri bute o p erat io n t o exp o se t h e p u b lic in t erf ace IP
If you know the name of the attribute that you would like to expose, you can use the read attri bute to return the exact value in the current runtime.
[standalone@ localhost:9999 /] /interface=public:readattribute(name=resolved-address)
{
"outcome" => "success",
"result" => "127.0.0.1"
}
The reso l ved -ad d ress attribute is a runtime value, so it is not displayed in the results of the
standard read -reso urce operation.
[standalone@ localhost:9999 /] /interface=public:read-resource
{
"outcome" => "success",
"result" => {
"any" => undefined,
"any-address" => undefined,
"any-ipv4-address" => undefined,
"any-ipv6-address" => undefined,
"inet-address" => expression "${jboss.bind.address:127.0.0.1}",
"link-local-address" => undefined,
"loopback" => undefined,
"loopback-address" => undefined,
"multicast" => undefined,
"name" => "public",
"nic" => undefined,
"nic-match" => undefined,
"not" => undefined,
"point-to-point" => undefined,
"public-address" => undefined,
"site-local-address" => undefined,
"subnet-match" => undefined,
"up" => undefined,
"virtual" => undefined
}
}
70
To display reso l ved -ad d ress and other runtime values, you must use the i ncl ud e-runti me
request property.
[standalone@ localhost:9999 /] /interface=public:read-resource(includeruntime=true)
{
"outcome" => "success",
"result" => {
"any" => undefined,
"any-address" => undefined,
"any-ipv4-address" => undefined,
"any-ipv6-address" => undefined,
"inet-address" => expression "${jboss.bind.address:127.0.0.1}",
"link-local-address" => undefined,
"loopback" => undefined,
"loopback-address" => undefined,
"multicast" => undefined,
"name" => "public",
"nic" => undefined,
"nic-match" => undefined,
"not" => undefined,
"point-to-point" => undefined,
"public-address" => undefined,
"resolved-address" => "127.0.0.1",
"site-local-address" => undefined,
"subnet-match" => undefined,
"up" => undefined,
"virtual" => undefined
}
}
R esu lt
The current runtime attribute value is displayed.
Report a bug
71
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
R esu lt
Your current active user account is displayed.
Report a bug
72
73
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
R esu lt
The description is displayed for the chosen operation.
Report a bug
74
"upload-deployment-stream",
"upload-deployment-url",
"validate-address",
"validate-operation",
"whoami",
"write-attribute"
]
}
R esu lt
The available operation names are displayed.
Report a bug
75
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
From the Management CLI, use the read -reso urce operation to display the available
resources.
[standalone@ localhost:9999 /]: read -reso urce
The following example shows how you might use the read -reso urce operation on a
standalone server instance to expose general resource information. The results resemble the
stand al o ne. xml configuration file, displaying the system resources, extensions, interfaces
and subsystems installed or configured for the server instance. These can be further queried
directly.
76
77
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The read -reso urce operation can be run to query child nodes from the root. The structure
of the operation first defines the node to expose, and then appends the operation to run
against it.
[standalone@ localhost:9999 /]/subsystem= web/co nnecto r= http: read reso urce
In the following example, specific resource information about a web subsystem component
can be exposed by directing the read -reso urce operation towards the specific web
subsystem node.
The same results are possible by using the cd command to navigate into the child nodes and
run the read -reso urce operation directly.
78
79
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
80
[standalone@ localhost:9999 /]: read -reso urced escri pti o n(l o cal e= true)
R esu lt
D escriptions of the available resources are displayed.
Report a bug
Report a bug
81
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Examp le 3.16 . D isab le t h e d ep lo ymen t scan n er wit h t h e wri te-attri bute o p erat io n
The following example uses the wri te-attri bute operation to disable the deployment scanner.
The operation is run from the root node, using tab completion to aid in populating the correct
resource path.
82
R esu lt
The resource attribute is updated.
Report a bug
83
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
B. Add a system property to all hosts and servers in a managed domain using the following
syntax:
/system-property=PROPERTY_NAME:add(value=PROPERTY_VALUE)
C. Add a system property to a host and its server instances in a managed domain using the
following syntax:
/host=master/systemproperty=PROPERTY_NAME:add(value=PROPERTY_VALUE)
84
D . Add a system property to a server instance in a managed domain using the following
syntax:
/host=master/server-config=server-one/systemproperty=PROPERTY_NAME:add(value=PROPERTY_VALUE)
85
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
B. Read a system property from all hosts and servers in a managed domain using the
following syntax:
/system-property=PROPERTY_NAME:read-resource
C. Read a system property from a host and its server instances in a managed domain using
the following syntax:
/host=master/system-property=PROPERTY_NAME:read-resource
D . Read a system property from a server instance in a managed domain using the following
syntax:
/host=master/server-config=server-one/systemproperty=PROPERTY_NAME:read-resource
86
B. Remove a system property from all hosts and servers in a managed domain using the
following syntax:
/system-property=PROPERTY_NAME:remove
87
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
"success"}}
}}}}
}
C. Remove a system property from a host and its server instances in a managed domain
using the following syntax:
/host=master/system-property=PROPERTY_NAME:remove
D . Remove a system property from a server instance in a managed domain using the
following syntax:
/host=master/server-config=server-one/systemproperty=PROPERTY_NAME:remove
Report a bug
88
89
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
90
Commands made in the CLI are recorded in memory and in the . jbo ss-cl i -hi sto ry file saved to
the user's home directory.
Report a bug
Note
Audit logging can be configured only via the management CLI.
Report a bug
3.8.2. Enable Management Int erface Audit Logging from t he Management CLI
Management interface audit logging is disabled by default but preconfigured to output log records
using a file handler named fi l e to the file EAP_HOME/stand al o ne/d ata/aud i t-l o g . l o g .
To enable audit logging from the Management CLI, enter the following command.
/core-service=management/access=audit/logger=audit-log:writeattribute(name=enabled,value=true)
To see all management interface audit logging configuration attributes and their values, enter the
following command.
/core-service=management/access=audit:read-resource(recursive=true)
In addition to enabling or disabling management interface audit logging, the following l o g g er
configuration attributes are available.
lo g - b o o t
If set to true, management operations when booting the server are included in the audit
log, fal se otherwise. D efault: true.
lo g - read - o n ly
If set to true, all operations will be audit logged. If set to fal se only operations that
change the model will be logged. D efault: fal se.
91
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
D escrip t io n
include-date
date-separator
date-format
compact
escape-control-characters
escape-new-line
D escrip t io n
type
r/o
booting
version
user
domainUUID
92
Field N ame
D escrip t io n
access
remote-address
success
ops
Report a bug
D escrip t io n
R ead O n ly
formatter
False
path
relative-to
failure-count
max-failure-count
disabled-due-to-failure
False
False
True
False
True
Report a bug
93
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
D escrip t io n
D ef au lt Valu e
app-name
undefined
fo rmatter
ho st
max-fai l ure-co unt
max-l eng th
po rt
pro to co l
94
false
USER_LEVEL
0 (zero)
null
localhost
10
undefined
514
null
RFC5424
At t rib u t e
D escrip t io n
D ef au lt Valu e
truncate
false
Report a bug
Note
Add the prefix /ho st= HOST_NAME to the /co re-servi ce commands if the change is to be
applied to a managed domain.
In this example the syslog server is running on the local host on port 514. Replace these parameters
with values appropriate to your environment.
Pro ced u re 3.24 . En ab le Lo g g in g t o a Syslo g Server
1. C reat e a syslo g h an d ler n amed msysl o g
[standalone@ localhost:9999 /]batch
[standalone@ localhost:9999 /]/coreservice=management/access=audit/sysloghandler=mysyslog:add(formatter=json-formatter)
[standalone@ localhost:9999 /]/coreservice=management/access=audit/sysloghandler=mysyslog/protocol=udp:add(host=localhost,port=514)
[standalone@ localhost:9999 /]run-batch
2. Ad d a ref eren ce t o t h e syslo g h an d ler.
[standalone@ localhost:9999 /]/coreservice=management/access=audit/logger=auditlog/handler=mysyslog:add
R esu lt
Management interface audit log entries are logged on the syslog server.
Report a bug
95
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
add-user.bat
96
Add the group or groups to which the user belongs. If the user belongs to multiple groups,
enter a comma-separated list. Leave it blank if you do not want the user to belong to any
groups.
5. R eview t h e in f o rmat io n an d co n f irm.
You are prompted to confirm the information. If you are satisfied, type yes.
6. C h o o se wh et h er t h e u ser rep resen t s a remo t e JB o ss EAP 6 server in st an ce.
Besides administrators, the other type of user which occasionally needs to be added to
JBoss EAP 6 in the Manag ementR eal m is a user representing another instance of JBoss
EAP 6, which must be able to authenticate to join a cluster as a member. The next prompt
allows you to designate your added user for this purpose. If you select yes, you will be given
a hashed secret value, representing the user's password, which would need to be added to
a different configuration file. For the purposes of this task, answer no to this question.
7. En t er ad d it io n al u sers.
You can enter additional users if desired, by repeating the procedure. You can also add them
at any time on a running system. Instead of choosing the default security realm, you can add
users to other realms to fine-tune their authorizations.
8. C reat e u sers n o n - in t eract ively.
You can create users non-interactively, by passing in each parameter at the command line.
This approach is not recommended on shared systems, because the passwords will be
visible in log and history files. The syntax for the command, using the management realm, is:
[user@ ho st bi n]$ ./add-user.sh username password
To use the application realm, use the -a parameter.
[user@ ho st bi n]$ ./add-user.sh -a username password
9. You can suppress the normal output of the add-user script by passing the --si l ent
parameter. This applies only if the minimum parameters username and passwo rd have been
specified. Error messages will still be shown.
R esu lt
Any users you add are activated within the security realms you have specified. Users active within the
Manag ementR eal m realm are able to manage JBoss EAP 6 from remote systems.
See Also :
Section 11.8.1, D efault User Security Configuration
Report a bug
97
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
For a comprehensive list of the command line arguments available for the ad d -user. sh or ad d user. bat command. see Section 4.1.3, Add-user Command Arguments .
For information on how to specify an alternate properties file and location, see Section 4.1.4, Specify
Alternate Properties Files for User Management Information .
For examples that demonstrate how to pass arguments on the ad d -user. sh or ad d -user. bat
command, see Section 4.1.5, Add-user Script Command Line Examples .
Report a bug
D escrip t io n
-a
N/A
-dc
DOMAIN_CONFIGURATION_DI
RECTORY
-sc
SERVER_CONFIGURATION_DI
RECTORY
-up
USER_PROPERTIES_FILE
--userproperties
-g
GROUP_LIST
--group
-gp
--groupproperties
98
GROUP_PROPERTIES_FILE
C o mman d
Lin e
Arg u men t
D escrip t io n
-p
PASSWORD
--password
USER_NAME
REALM_NAME
N/A
N/A
--user
-r
--realm
-s
--silent
-h
--help
Report a bug
4 .1.4 . Specify Alt ernat e Propert ies Files for User Management Informat ion
O verview
By default, user and role information created using the ad d -user. sh or ad d -user. bat script are
stored in properties files located in the server configuration directory. The server configuration
information is stored in the EAP_HOME/stand al o ne/co nfi g urati o n/ directory and the domain
configuration information is stored in the EAP_HOME/d o mai n/co nfi g urati o n/ directory. This
topic describes how to override the default file names and locations.
Pro ced u re 4 .2. Sp ecif y Alt ern at e Pro p ert ies Files
A. To specify an alternate directory for the server configuration, use the -sc argument. This
argument specifies an alternate directory that will contain the server configuration properties
files.
B. To specify an alternate directory for the domain configuration, use the -d c argument. This
argument specifies an alternate directory that will contain the domain configuration properties
files.
C. To specify an alternate user configuration properties file, use the -up or --user-pro perti es
argument. It can be an absolute path or it can be a file name used in conjunction with the -sc
or -d c argument that specifies the alternate configuration directory.
99
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
D . To specify an alternate group configuration properties file, use the -g p or --g ro uppro perti es argument. It can be an absolute path or it can be a file name used in conjunction
with the -sc or -d c argument that specifies the alternate configuration directory.
Note
The ad d -user command is intended to operate on existing properties files. Any alternate
properties files specified in command line arguments must exist or you will see the following
error:
JBAS015234: No appusers.properties files found
For more information about command arguments, see Section 4.1.3, Add-user Command
Arguments .
For examples of the add-user commands, see Section 4.1.5, Add-user Script Command Line
Examples .
Report a bug
100
Examp le 4 .4 . C reat e a u ser b elo n g in g t o sin g le g ro u p u sin g alt ern at e p ro p ert ies f iles
t o st o re t h e in f o rmat io n .
EAP_HOME/bi n/ad d -user. sh -a -u appuser1 -p passwo rd 1! -g app1g ro up sc /ho me/so meusername/userco nfi g s/ -up appusers. pro perti es -g p
appg ro ups. pro perti es
The above command produces the following results.
The user appuser1 is added to the following properties file and that file is now the default file
to store user information.
/ho me/so meusername/userco nfi g s/appusers. pro perti es
The user appuser1 with group app1g ro up is added to the following properties file and that
file is now the default file to store group information.
/ho me/so meusername/userco nfi g s/appg ro ups. pro perti es
Report a bug
101
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<inet-address value="127.0.0.1"/>
</interface>
<interface name="public">
<inet-address value="127.0.0.1"/>
</interface>
< /interfaces>
In the following example a global interface group uses the any-ad d ress element to declare a
wildcard address.
102
<any-address/>
< /interface>
The following example declares a network interface card under a relative group with the name
external .
<nic name="eth0"/>
< /interface>
In the following example a declaration is created as the default group for a specific requirement. In
this instance, the characteristics of the additional elements set the condition for the interface to be a
valid match. This allows for the creation of very specific interface declaration groups, with the ability
to reference them in a preset manner, reducing the configuration and administration time across
multiple server instances.
<subnet-match value="192.168.0.0/16"/>
<up/>
<multicast/>
<not>
<point-to-point/>
</not>
< /interface>
While the interface declarations can be made and edited in the source configuration files, the
Management CLI and Management Console provide a safe, controlled and persistent environment for
configuration changes.
Report a bug
103
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
</interface>
<interface name="unsecure">
<inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
</interface>
</interfaces>
D escrip t io n
any
any-ad d ress
l o o pback
l o o pback-ad d ress
mul ti cast
ni c
ni c-match
no t
104
D escrip t io n
po i nt-to -po i nt
subnet-match
up
vi rtual
105
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Log into the Management Console of your Managed D omain or Standalone Server
instance.
b. N avig at e t o t h e In t erf aces screen
i. N avig at e t o C o n f ig u rat io n t ab .
Select the C o nfi g urati o n tab from the top of the screen.
ii. Fo r D o main Mo d e o n ly
Select a profile from the P ro fi l e drop-down menu at the top left of the screen.
c. Select Interfaces f ro m t h e N avig at io n Men u .
Expand the G eneral C o nfi g urati o n menu. Select the Interfaces menu item from
the navigation menu.
d. Ad d a N ew In t erf ace
i. Click Ad d .
ii. Enter any required values for Name, Inet Ad d ress and Ad d ress
Wi l d card .
iii. Click Save.
e. Ed it In t erf ace At t rib u t es
i. Select the interface that you need to edit from the Avai l abl e Interfaces list
and click Ed i t.
ii. Enter any required values for Name, Inet Ad d ress and Ad d ress
Wi l d card .
iii. Click Save.
Report a bug
106
each server group in the managed domain, or share a socket binding group between multiple server
groups.
The naming groups allow for simplified references to be used for particular groups of socket
bindings when configuring server groups in the case of a managed domain. Another common use is
for the configuration and management of multiple instances of the standalone server on the one
system. The following examples show the default socket binding groups in the configuration files for
the standalone and domain instances.
107
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
<socket-binding-group name="ha-sockets" default-interface="public">
<!-- Needed for server groups using the 'ha' profile -->
<socket-binding name="ajp" port="8009"/>
<socket-binding name="http" port="8080"/>
<socket-binding name="https" port="8443"/>
<socket-binding name="jgroups-mping" port="0" multicastaddress="${jboss.default.multicast.address:230.0.0.4}" multicastport="45700"/>
<socket-binding name="jgroups-tcp" port="7600"/>
<socket-binding name="jgroups-tcp-fd" port="57600"/>
<socket-binding name="jgroups-udp" port="55200" multicastaddress="${jboss.default.multicast.address:230.0.0.4}" multicastport="45688"/>
<socket-binding name="jgroups-udp-fd" port="54200"/>
<socket-binding name="modcluster" port="0" multicastaddress="224.0.1.105" multicast-port="23364"/>
<socket-binding name="osgi-http" interface="management"
port="8090"/>
<socket-binding name="remoting" port="4447"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
<socket-binding-group name="full-sockets" defaultinterface="public">
<!-- Needed for server groups using the 'full' profile -->
<socket-binding name="ajp" port="8009"/>
<socket-binding name="http" port="8080"/>
<socket-binding name="https" port="8443"/>
<socket-binding name="jacorb" interface="unsecure"
port="3528"/>
<socket-binding name="jacorb-ssl" interface="unsecure"
port="3529"/>
<socket-binding name="messaging" port="5445"/>
<socket-binding name="messaging-group" port="0" multicastaddress="${jboss.messaging.group.address:231.7.7.7}" multicastport="${jboss.messaging.group.port:9876}"/>
<socket-binding name="messaging-throughput" port="5455"/>
<socket-binding name="osgi-http" interface="management"
port="8090"/>
<socket-binding name="remoting" port="4447"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
<socket-binding-group name="full-ha-sockets" defaultinterface="public">
<!-- Needed for server groups using the 'full-ha' profile -->
108
The socket binding instances can be created and edited in the stand al o ne. xml and
d o mai n. xml source files in the application server directory. The recommended method of
managing bindings is to use either the Management Console or the Management CLI. The
advantages of using the Management Console include a graphical user interface with a dedicated
Socket Binding Group screen under the G eneral C o nfi g urati o n section. The Management CLI
offers an API and workflow based around a command line approach that allows for batch
processing and the use of scripts across the higher and lower levels of the application server
configuration. Both interfaces allow for changes to be persisted or otherwise saved to the server
configuration.
Report a bug
109
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
At t rib u t e
D escrip t io n
R o le
name
Required
po rt
i nterface
mul ti cast-po rt
fi xed -po rt
Required
Optional
Optional
Optional
Optional
C o n f ig u re So cket B in d in g s in So cket B in d in g G ro u p s
Choose either the management CLI or the management console to configure your socket bindings
as required.
A. C o n f ig u re So cket B in d in g s U sin g t h e Man ag emen t C LI
Use the management CLI to configure socket bindings.
a. Ad d a N ew So cket B in d in g
Use the ad d operation to create a new address setting if required. You can run this
command from the root of the management CLI session, which in the following
examples creates a new socket binding titled newsocket, with a po rt attribute declared
as 1234. The examples apply for both a standalone server and a managed domain
editing on the stand ard -so ckets socket binding group as shown.
[domain@ localhost:9999 /] /socket-binding-group=standardsockets/socket-binding=newsocket/:add(port=1234)
b. Ed it Pat t ern At t rib u t es
110
Use the wri te-attri bute operation to write a new value to an attribute. You can use
tab completion to help complete the command string as you type, as well as to expose
the available attributes. The following example updates the po rt value to 2020
[domain@ localhost:9999 /] /socket-binding-group=standardsockets/socket-binding=newsocket/:writeattribute(name=port,value=2020)
c. C o n f irm Pat t ern At t rib u t es
Confirm the values are changed by running the read -reso urce operation with the
i ncl ud e-runti me= true parameter to expose all current values active in the server
model.
[domain@ localhost:9999 /] /socket-binding-group=standardsockets/socket-binding=newsocket/:read-resource
B. C o n f ig u re So cket B in d in g s U sin g t h e Man ag emen t C o n so le
Use the management console to configure socket bindings.
a. Lo g in t o t h e Man ag emen t C o n so le.
Log into the management console of your managed domain or standalone server.
b. N avig at e t o t h e C o nfi g urati o n t ab .
Select the C o nfi g urati o n tab at the top of the screen.
c. Select t h e So cket Bi nd i ng it em f ro m t h e n avig at io n men u .
Expand the G eneral C o nfi g urati o n menu. Select So cket Bi nd i ng . If you are
using a managed domain, select the desired group in the So cket Bi nd i ng G ro ups
list.
d. Ad d a N ew So cket B in d in g
i. Click the Ad d button.
ii. Enter any required values for Name, P o rt and Bi nd i ng G ro up.
iii. Click Save to finish.
e. Ed it So cket B in d in g
i. Select a socket binding from the list and click Ed i t.
ii. Enter any required values such as Name, Interface or P o rt.
iii. Click Save to finish.
Report a bug
111
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Whether your server groups use one of the default socket binding groups, or a custom group.
The requirements of your individual deployments.
Po rt
ajp
8009
http
8080
https
8443
jaco rb
3528
jaco rb
-ssl
jg ro up
sd i ag no
sti cs
3529
112
Mu lt ica
st Po rt
7500
D escrip t io n
f u llso cket s
h aso cket
st an d ar
dso cket
Apache JServ
Protocol. Used for
HTTP clustering
and load balancing.
The default port for
deployed web
applications.
SSL-encrypted
connection between
deployed web
applications and
clients.
CORBA services for
JTS transactions
and other ORBdependent services.
SSL-encrypted
CORBA services.
Multicast. Used for
peer discovery in HA
clusters. Not
configurable using
the Management
Interfaces.
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
No
No
Yes
Yes
No
No
Yes
No
Yes
No
N ame
Po rt
jg ro up
smpi ng
jg ro up
s-tcp
7600
jg ro up
s-tcpfd
jg ro up
s-ud p
57600
jg ro up
s-ud pfd
messag
i ng
messag
i ng g ro up
54200
messag
i ng thro ug
hput
mo d _cl
uster
5455
o sg i http
8090
55200
Mu lt ica
st Po rt
D escrip t io n
f u llso cket s
h aso cket
st an d ar
dso cket
45700
Multicast. Used to
discover initial
membership in a HA
cluster.
Unicast peer
discovery in HA
clusters using TCP.
Used for HA failure
detection over TCP.
Yes
No
Yes
No
Yes
No
Yes
No
Yes
No
Yes
No
Multicast peer
discovery in HA
clusters using UD P.
Used for HA failure
detection over UD P.
Yes
No
Yes
No
Yes
No
Yes
No
JMS service.
Yes
Yes
No
No
Referenced by
HornetQ JMS
broadcast and
discovery groups.
Used by JMS
Remoting.
Yes
Yes
No
No
Yes
Yes
No
No
Yes
No
Yes
No
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
45688
5445
23364
remo ti
4447
ng
txn4712
reco ver
yenvi ro
nment
txn4713
statusmanag e
r
Man ag emen t Po rt s
113
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
In addition to the socket binding groups, each host controller opens two more ports for management
purposes:
9 9 9 0 - The Web Management Console port
9 9 9 9 - The port used by the Management Console and Management API
Additionally, if HTTPS is enabled for the Management Console, 9443 is also opened as the default
port.
Report a bug
114
5.3. IPv6
5.3.1. Configure JVM St ack Preferences for IPv6 Net working
Su mmary
This topic covers enabling IPv6 networking for the JBoss EAP 6 installation.
Pro ced u re 5.1. D isab le t h e IPv4 St ack Java Pro p ert y
1. Open the relevant file for the installation:
A. Fo r a St an d alo n e Server:
Open EAP_HOME/bi n/stand al o ne. co nf.
B. Fo r a Man ag ed D o main :
115
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
5.3.2. Configure t he Int erface Declarat ions for IPv6 Net working
Su mmary
Follow these steps to configure the interface inet address to the IPv6 default:
Prereq u isit es
Section 2.1.1, Start JBoss EAP 6
Section 3.4.2, Log in to the Management Console
Pro ced u re 5.2. C o n f ig u re t h e In t erf ace f o r IPv6 N et wo rkin g
1. Select the C o nfi g urati o n tab at the top of the screen.
2. Expand the G eneral C o nfi g urati o n menu and select Interfaces.
3. Select the interface from the Avai l abl e Interfaces list.
4. Click Ed i t in the detail list.
5. Set the inet address to:
${jboss.bind.address.management:[ADDRESS]}
6. Click Save to finish.
7. Restart the server to implement the changes.
Report a bug
116
This topic covers configuring the JBoss EAP 6 installation to prefer IPv6 addresses
through the configuration files.
Pro ced u re 5.3. C o n f ig u re t h e JB o ss EAP 6 In st allat io n t o Pref er IPv6 Ad d resses
1. Open the relevant file for the installation:
A. Fo r a St an d alo n e Server:
Open EAP_HOME/bi n/stand al o ne. co nf.
B. Fo r a Man ag ed D o main :
Open EAP_HOME/bi n/d o mai n. co nf.
2. Append the following Java property to the Java VM options:
-Djava.net.preferIPv6Addresses=true
For example:
# Specify options to pass to the Java VM.
#
if [ "x$JAVA_OPTS" = "x" ]; then
JAVA_OPTS="-Xms64m -Xmx512m -XX:MaxPermSize=256m Djava.net.preferIPv4Stack=false
-Dorg.jboss.resolver.warning=true Dsun.rmi.dgc.client.gcInterval=3600000
-Dsun.rmi.dgc.server.gcInterval=3600000 Djava.net.preferIPv6Addresses=true"
fi
Report a bug
117
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Warning
However, it should not be used in a production environment. It is a very small, self-contained
datasource that supports all of the standards needed for testing and building applications,
but is not robust or scalable enough for production use.
118
For a list of supported and certified datasources, refer here: Section 6.1.2, JBoss EAP 6 Supported
D atabases .
Report a bug
Warning
This feature should only be used for development. It is not recommended for production
environments, because it is not supported by the JBoss administrative and management tools.
Important
It is mandatory to use a reference to an already deployed / defined <driver> entry when
deploying *-d s. xml files.
Report a bug
Note
Any JD BC 4-compliant driver is automatically recognized and installed in the system by name
and version. A JD BC JAR is identified using the Java service provider mechanism. Such JARs
contain the META-INF/services/java.sql.D river text, which contains the name of the D river
classes in that JAR.
119
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
120
The command you choose depends on the number of classes listed in the /MET AINF/servi ces/java. sq l . D ri ver file located in the JD BC driver JAR. For example, the
/MET A-INF/servi ces/java. sq l . D ri ver file in the MySQL 5.1.20 JD BC JAR lists two
classes:
co m. mysq l . jd bc. D ri ver
co m. mysq l . fabri c. jd bc. Fabri cMySQ LD ri ver
When there is more than one entry, you must also specify the name of the driver class. Failure
to do so results in an error similar to the following:
JBAS014749: Operation handler failed: Service jboss.jdbcdriver.mysql is already registered
A. Run the CLI command for JD BC JARs containing one class entry.
/subsystem=datasources/jdbc-driver=DRIVER_NAME:add(drivername=DRIVER_NAME,driver-module-name=MODULE_NAME,driver-xadatasource-class-name=XA_DATASOURCE_CLASS_NAME)
B. Run the CLI command for JD BC JARs containing multiple class entries.
/subsystem=datasources/jdbc-driver=DRIVER_NAME:add(drivername=DRIVER_NAME,driver-module-name=MODULE_NAME,driver-xadatasource-class-name=XA_DATASOURCE_CLASS_NAME, driver-classname=DRIVER_CLASS_NAME)
121
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
R esu lt
The JD BC driver is now installed and set up as a core module, and is available to be referenced by
application datasources.
Report a bug
D o wn lo ad Lo cat io n
MySQL
PostgreSQL
Oracle
http://www.mysql.com/products/connector/
http://jdbc.postgresql.org/
http://www.oracle.com/technetwork/database/feat
ures/jdbc/index-091264.html
http://www-306.ibm.com/software/data/db2/java/
http://www.sybase.com/products/allproductsaz/softwaredeveloperkit/jconnect
http://msdn.microsoft.com/data/jdbc/
IBM
Sybase
Microsoft
Report a bug
Warning
This is advanced usage. Only applications that need functionality not found in the JD BC API
should implement this procedure.
122
Important
This process is required when using the reauthentication mechanism, and accessing vendor
specific classes.
Important
Follow the vendor specific API guidelines closely, as the connection is being controlled by the
IronJacamar container.
Prereq u isit es
Section 6.2.2, Install a JD BC D river as a Core Module .
Pro ced u re 6 .3. Ad d a D ep en d en cy t o t h e Ap p licat io n
A. C o n f ig u re t h e MANIFEST . MF f ile
a. Open the application's MET A-INF/MANIFEST . MF file in a text editor.
b. Add a dependency for the JD BC module and save the file.
Dependencies: MODULE_NAME
B.
123
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
import java.sql.Connection;
import org.jboss.jca.adapters.jdbc.WrappedConnection;
Connection c = ds.getConnection();
WrappedConnection wc = (WrappedConnection)c;
com.mysql.jdbc.Connection mc = wc.getUnderlyingConnection();
Report a bug
Oracle Datasources
Prior to version 10.2 of the Oracle datasource, the <no-tx-separate-pools/> parameter was
required, as mixing non-transactional and transactional connections would result in an error.
This parameter may no longer be required for certain applications.
124
i. Select the C o nfi g urati o n tab from the top of the console.
ii. For D omain mode only, select a profile from the drop-down box in the top left.
iii. Expand the Su b syst ems menu on the left of the console, then expand the
C o n n ect o r menu.
iv. Select D at aso u rces from the menu on the left of the console.
c. C reat e a n ew d at aso u rce
i. Click Ad d at the top of the D ataso urces panel.
ii. Enter the new datasource attributes in the C reate D ataso urce wizard and
proceed with the Next button.
iii. Enter the JD BC driver details in the C reate D ataso urce wizard and click
Next to continue.
iv. Enter the connection settings in the C reate D ataso urce wizard.
v. Click the T est C o nnecti o n button to test the connection to the datasource
and verify the settings are correct.
vi. Click D o ne to finish
R esu lt
The non-XA datasource has been added to the server. It is now visible in either the
stand al o ne. xml or d o mai n. xml file, as well as the management interfaces.
Report a bug
JT A Integration
Non-XA datasources can be integrated with JTA transactions. To integrate the datasource with
JTA, ensure that the jta parameter is set to true.
125
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
/subsystem=datasources/data-source=DATASOURCE_NAME:writeattribute(name=ATTRIBUTE_NAME,value=ATTRIBUTE_VALUE)
c. Reload the server to confirm the changes:
:reload
B. Man ag emen t C o n so le
a. Section 3.4.2, Log in to the Management Console .
b. N avig at e t o t h e D ataso urces p an el in t h e Man ag emen t C o n so le
i. Select the C o nfi g urati o n tab from the top of the console.
ii. For D omain mode only, select a profile from the drop-down box in the top left.
iii. Expand the Su b syst ems menu on the left of the console, then expand the
C o n n ect o r menu.
iv. Select D at aso u rces from expanded menu.
c. Ed it t h e d at aso u rce
i. Select a datasource from the Avai l abl e D ataso urces list. The datasource
attributes are displayed below.
ii. Click Ed i t to edit the datasource attributes.
iii. Click Save to finish.
R esu lt
The non-XA datasource has been configured. The changes are now visible in either the
stand al o ne. xml or d o mai n. xml file, as well as the management interfaces.
To create a new datasource, refer here: Section 6.3.1, Create a Non-XA D atasource with the
Management Interfaces .
To remove the datasource, refer here: Section 6.3.3, Remove a Non-XA D atasource with the
Management Interfaces .
Report a bug
126
A. Man ag emen t C LI
a. Section 3.5.2, Launch the Management CLI .
b. Run the following command to remove a non-XA datasource:
data-source remove --name=DATASOURCE_NAME
B. Man ag emen t C o n so le
a. Section 3.4.2, Log in to the Management Console .
b. N avig at e t o t h e D ataso urces p an el in t h e Man ag emen t C o n so le
i. Select the C o nfi g urati o n tab from the top of the console.
ii. For D omain mode only, select a profile from the drop-down box in the top left.
iii. Expand the Su b syst ems menu on the left of the console, then expand the
C o n n ect o r menu.
iv. Select D at aso u rces.
c. Select the datasource to be deleted, then click R emo ve.
R esu lt
The non-XA datasource has been removed from the server.
To add a new datasource, refer here: Section 6.3.1, Create a Non-XA D atasource with the
Management Interfaces .
Report a bug
Oracle Datasources
Prior to version 10.2 of the Oracle datasource, the <no-tx-separate-pools/> parameter was
required, as mixing non-transactional and transactional connections would result in an error.
This parameter may no longer be required for certain applications.
127
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Pro ced u re 6 .7. C reat e an XA D at aso u rce, U sin g Eit h er t h e Man ag emen t C LI o r t h e
Man ag emen t C o n so le
A. Man ag emen t C LI
a. Section 3.5.2, Launch the Management CLI .
b. Run the following command to create an XA datasource, configuring the variables as
appropriate:
xa-data-source add --name=XA_DATASOURCE_NAME --jndiname=JNDI_NAME --driver-name=DRIVER_NAME --xa-datasourceclass=XA_DATASOURCE_CLASS
c. C o n f ig u re t h e XA d at aso u rce p ro p ert ies
i. Set t h e server n ame
Run the following command to configure the server name for the host:
/subsystem=datasources/xa-datasource=XA_DATASOURCE_NAME/xa-datasourceproperties=ServerName:add(value=HOSTNAME)
ii. Set t h e d at ab ase n ame
Run the following command to configure the database name:
/subsystem=datasources/xa-datasource=XA_DATASOURCE_NAME/xa-datasourceproperties=DatabaseName:add(value=DATABASE_NAME)
d. Enable the datasource:
xa-data-source enable --name=XA_DATASOURCE_NAME
B. Man ag emen t C o n so le
a. Section 3.4.2, Log in to the Management Console .
b. N avig at e t o t h e D ataso urces p an el in t h e Man ag emen t C o n so le
i. Select the C o nfi g urati o n tab from the top of the console.
ii. For D omain mode only, select a profile from the drop-down box at the top left.
iii. Expand the Su b syst ems menu on the left of the console, then expand the
C o n n ect o r menu.
iv. Select D at aso u rces.
c. Select the XA D ataso urce tab.
d. C reat e a n ew XA d at aso u rce
128
i. Click Ad d .
ii. Enter the new XA datasource attributes in the C reate XA D ataso urce wizard
and click Next.
iii. Enter the JD BC driver details in the C reate XA D ataso urce wizard and click
Next.
iv. Enter the XA properties and click Next.
v. Enter the connection settings in the C reate XA D ataso urce wizard.
vi. Click the T est C o nnecti o n button to test the connection to the XA
datasource and verify the settings are correct.
vii. Click D o ne to finish
R esu lt
The XA datasource has been added to the server. It is now visible in either the stand al o ne. xml or
d o mai n. xml file, as well as the management interfaces.
See Also :
Section 6.4.2, Modify an XA D atasource with the Management Interfaces
Section 6.4.3, Remove an XA D atasource with the Management Interfaces
Report a bug
129
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
130
6.4 .4 . XA Recovery
6 .4 .4 .1 . Abo ut XA Re co ve ry Mo dule s
Each XA resource needs a recovery module associated with its configuration. The recovery module
must extend class co m. arjuna. ats. jta. reco very. XAR eso urceR eco very.
JBoss EAP 6 provides recovery modules for JD BC and JMS XA resources. For these types of
resources, recovery modules are automatically registered. If you need to use a custom module, you
can register it in your datasource.
Report a bug
6 .4 .4 .2 . Co nfigure XA Re co ve ry Mo dule s
131
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
For most JD BC and JMS resources, the recovery module is automatically associated with the
resource. In these cases, you only need to configure the options that allow the recovery module to
connect to your resource to perform recovery.
For custom resources which are not JD BC or JMS, contact Red Hat Global Support Services for
information on supported configurations.
Each of these configuration attributes can be set either during datasource creation, or afterward. You
can set them using either the web-based Management Console or the command-line Management
CLI. Refer to Section 6.4.1, Create an XA D atasource with the Management Interfaces and
Section 6.4.2, Modify an XA D atasource with the Management Interfaces for general information on
configuring XA datasources.
Refer to the following tables for general datasource configuration attributes, and for information
about configuration details relating to specific database vendors.
T ab le 6 .2. G en eral C o n f ig u rat io n At t rib u t es
At t rib u t e
D escrip t io n
recovery-username
recovery-password
recovery-security-domain
recovery-plugin-class-name
recovery-plugin-properties
G RANT
G RANT
G RANT
G RANT
132
If you use an Oracle 11 version prior to 11g, change the final EXEC UT E statement to the
following:
133
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
134
Note
If the <val i d ate-o n-match> option is set to true, the <backg ro und val i d ati o n> option should be set to fal se. The reverse is also true. If the
<backg ro und -val i d ati o n> option is set to true, the <val i d ate-o n-match>
option should be set to fal se.
135
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
org.jboss.jca.adapters.jdbc.extensions.novendor.JD BC4ValidConnectionChecker
org.jboss.jca.adapters.jdbc.extensions.novendor.NullValidConnectionChecker
org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker
org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker
org.jboss.jca.adapters.jdbc.extensions.sybase.SybaseValidConnectionChecker
B. Sp ecif y SQ L f o r <ch eck- valid - co n n ect io n - sq l>
You provide the SQL statement used to validate the connection.
The following is an example of how you might specify a SQL statement to validate a
connection for Oracle:
< check-valid-connection-sql>select 1 from dual</check-validconnection-sql>
For MySQL or PostgreSQL, you might specify the following SQL statement:
< check-valid-connection-sql>select 1</check-valid-connection-sql>
3. Set t h e <excep t io n - so rt er> C lass N ame
When an exception is marked as fatal, the connection is closed immediately, even if the
connection is participating in a transaction. Use the exception sorter class option to properly
detect and clean up after fatal connection exceptions. JBoss EAP 6 provides the following
exception sorters:
org.jboss.jca.adapters.jdbc.extensions.db2.D B2ExceptionSorter
org.jboss.jca.adapters.jdbc.extensions.informix.InformixExceptionSorter
org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter
org.jboss.jca.adapters.jdbc.extensions.novendor.NullExceptionSorter
org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter
org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter
org.jboss.jca.adapters.jdbc.extensions.sybase.SybaseExceptionSorter
Report a bug
D escrip t io n
jndi-name
136
Paramet er
D escrip t io n
pool-name
enabled
use-java-context
spy
use-ccm
new-connection-sql
transaction-isolation
TRANSACTION_READ _UNCOMMITTED
TRANSACTION_READ _COMMITTED
TRANSACTION_REPEATABLE_READ
TRANSACTION_SERIALIZ ABLE
TRANSACTION_NONE
url-selector-strategy-class-name
security
validation
timeout
statement
D escrip t io n
jta
connection-url
driver-class
connection-property
pool
url-delimiter
137
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
D escrip t io n
xa-datasource-property
xa-datasource-class
driver
xa-pool
recovery
D escrip t io n
min-pool-size
max-pool-size
prefill
use-strict-min
flush-strategy
FailingConnectionOnly
IdleConnections
EntirePool
The default is Fai l i ng C o nnecti o nO nl y.
allow-multiple-users
D escrip t io n
is-same-rm-override
Whether the
javax. transacti o n. xa. XAR eso urce. i sS
ameR M(XAR eso urce) class returns true or
fal se.
138
Paramet er
D escrip t io n
interleaving
no-tx-separate-pools
pad-xid
wrap-xa-resource
D escrip t io n
user-name
password
security-domain
reauth-plugin
D escrip t io n
valid-connection-checker
An implementation of interface
o rg . jbo ss. jca. ad apto rs. jd bc. Val i d C
o nnecti o nC hecker which provides a
SQ LExcepti o n. i sVal i d C o nnecti o n(C o n
necti o n e) method to validate a connection.
An exception means the connection is
destroyed. This overrides the parameter checkval i d -co nnecti o n-sq l if it is present.
An SQL statement to check validity of a pool
connection. This may be called when a
managed connection is taken from a pool for
use.
check-valid-connection-sql
139
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Paramet er
D escrip t io n
validate-on-match
background-validation
background-validation-millis
use-fast-fail
stale-connection-checker
exception-sorter
14 0
D escrip t io n
Paramet er
D escrip t io n
use-try-lock
blocking-timeout-millis
idle-timeout-minutes
set-tx-query-timeout
query-timeout
allocation-retry
allocation-retry-wait-millis
xa-resource-timeout
D escrip t io n
track-statements
14 1
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Paramet er
D escrip t io n
prepared-statement-cache-size
share-prepared-statements
D escrip t io n
recover-credential
recover-plugin
Report a bug
C o n n ect io n U R L
PostgreSQL
jdbc:postgresql://SERVER_NAME:PORT/DATABA
SE_NAME
jdbc:mysql://SERVER_NAME:PORT/DATABASE_N
AME
jdbc:oracle:thin:@ORACLE_HOST:PORT:ORACL
E_SID
jdbc:db2://SERVER_NAME:PORT/DATABASE_NA
ME
jdbc:microsoft:sqlserver://SERVER_NAME:PORT;
D atabaseName=DATABASE_NAME
MySQL
Oracle
IBM D B2
Microsoft SQLServer
Report a bug
C o n f ig u rat io n Paramet er
D escrip t io n
org.jboss.jca.adapters.jdbc.spi
.ExceptionSorter
<exception-sorter>
Checks whether an
SQLException is fatal for the
connection on which it was
thrown
14 2
C o n f ig u rat io n Paramet er
D escrip t io n
org.jboss.jca.adapters.jdbc.spi
.StaleConnection
<stale-connection-checker>
org.jboss.jca.adapters.jdbc.spi
.ValidConnection
<valid-connection-checker>
JBoss EAP 6 also features implementations of these extensions for several supported databases.
Ext en sio n Imp lemen t at io n s
G en eric
org.jboss.jca.adapters.jdbc.extensions.novendor.NullExceptionSorter
org.jboss.jca.adapters.jdbc.extensions.novendor.NullStaleConnectionChecker
org.jboss.jca.adapters.jdbc.extensions.novendor.NullValidConnectionChecker
org.jboss.jca.adapters.jdbc.extensions.novendor.JD BC4ValidConnectionChecker
Po st g reSQ L
org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter
org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker
MySQ L
org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter
org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLReplicationValidConnectionChecker
org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker
IB M D B 2
org.jboss.jca.adapters.jdbc.extensions.db2.D B2ExceptionSorter
org.jboss.jca.adapters.jdbc.extensions.db2.D B2StaleConnectionChecker
org.jboss.jca.adapters.jdbc.extensions.db2.D B2ValidConnectionChecker
Syb ase
org.jboss.jca.adapters.jdbc.extensions.sybase.SybaseExceptionSorter
org.jboss.jca.adapters.jdbc.extensions.sybase.SybaseValidConnectionChecker
Micro so f t SQ LServer
org.jboss.jca.adapters.jdbc.extensions.mssql.MSSQLValidConnectionChecker
O racle
org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter
org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker
14 3
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker
Report a bug
Note
Ensure you specify the include-runtime=true argument, as all statistics are runtime only
information and the default is fal se.
Report a bug
D escrip t io n
14 4
N ame
D escrip t io n
T o tal Bl o cki ng T i m
e
T o tal C reati o nT i m
e
Wai tC o unt
The total time spent waiting for an exclusive lock on the pool. The value is
in milliseconds.
The total time spent creating connections. The value is in milliseconds.
The number of requests that had to wait for a connection.
JD B C St at ist ics
The following table contains a list of the supported datasource JD BC statistics:
T ab le 6 .16 . JD B C St at ist ics
N ame
D escrip t io n
P repared Statement
C acheAccessC o unt
P repared Statement
C acheAd d C o unt
P repared Statement
C acheC urrentSi ze
P repared Statement
C acheD el eteC o unt
P repared Statement
C acheHi tC o unt
P repared Statement
C acheMi ssC o unt
You can enable C o re and JD BC statistics using appropriately modified versions of the following
commands:
/subsystem=datasources/data-source=ExampleDS/statistics=pool:writeattribute(name=statistics-enabled,value=true)
/subsystem=datasources/data-source=ExampleDS/statistics=jdbc:writeattribute(name=statistics-enabled,value=true)
Report a bug
14 5
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<driver>postgresql</driver>
<security>
<user-name>admin</user-name>
<password>admin</password>
</security>
<validation>
<background-validation>true</background-validation>
<valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidCo
nnectionChecker"></valid-connection-checker>
<exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExcepti
onSorter"></exception-sorter>
</validation>
</datasource>
<drivers>
<driver name="postgresql" module="org.postgresql">
<xa-datasource-class>org.postgresql.xa.PGXADataSource</xadatasource-class>
</driver>
</drivers>
</datasources>
The example below is a mo d ul e. xml file for the PostgreSQL datasource above.
<module xmlns="urn:jboss:module:1.1" name="org.postgresql">
<resources>
<resource-root path="postgresql-9.1-902.jdbc4.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
</module>
Report a bug
14 6
datasource-property>
<security>
<user-name>admin</user-name>
<password>admin</password>
</security>
<validation>
<background-validation>true</background-validation>
<valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidCo
nnectionChecker">
</valid-connection-checker>
<exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExcepti
onSorter">
</exception-sorter>
</validation>
</xa-datasource>
<drivers>
<driver name="postgresql" module="org.postgresql">
<xa-datasource-class>org.postgresql.xa.PGXADataSource</xadatasource-class>
</driver>
</drivers>
</datasources>
The example below is a mo d ul e. xml file for the PostgreSQL XA datasource above.
<module xmlns="urn:jboss:module:1.1" name="org.postgresql">
<resources>
<resource-root path="postgresql-9.1-902.jdbc4.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
</module>
Report a bug
14 7
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<password>admin</password>
</security>
<validation>
<background-validation>true</background-validation>
<valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnection
Checker"></valid-connection-checker>
<exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter
"></exception-sorter>
</validation>
</datasource>
<drivers>
<driver name="mysql" module="com.mysql">
<xa-datasourceclass>com.mysql.jdbc.jdbc2.optional.MysqlXADataSource</xa-datasourceclass>
</driver>
</drivers>
</datasources>
The example below is a mo d ul e. xml file for the MySQL datasource above.
<module xmlns="urn:jboss:module:1.1" name="com.mysql">
<resources>
<resource-root path="mysql-connector-java-5.0.8-bin.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
</module>
Report a bug
14 8
</security>
<validation>
<background-validation>true</background-validation>
<valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnection
Checker"></valid-connection-checker>
<exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter
"></exception-sorter>
</validation>
</xa-datasource>
<drivers>
<driver name="mysql" module="com.mysql">
<xa-datasourceclass>com.mysql.jdbc.jdbc2.optional.MysqlXADataSource</xa-datasourceclass>
</driver>
</drivers>
</datasources>
The example below is a mo d ul e. xml file for the MySQL XA datasource above.
<module xmlns="urn:jboss:module:1.1" name="com.mysql">
<resources>
<resource-root path="mysql-connector-java-5.0.8-bin.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
</module>
Report a bug
Oracle Datasources
Prior to version 10.2 of the Oracle datasource, the <no-tx-separate-pools/> parameter was
required, as mixing non-transactional and transactional connections would result in an error.
This parameter may no longer be required for certain applications.
Examp le 6 .14 .
The example below is an Oracle datasource configuration. The datasource has been enabled, a
user has been added, and validation options have been set.
<datasources>
<datasource jndi-name="java:/OracleDS" pool-name="OracleDS">
<connection-url>jdbc:oracle:thin:@ localhost:1521:XE</connectionurl>
14 9
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<driver>oracle</driver>
<security>
<user-name>admin</user-name>
<password>admin</password>
</security>
<validation>
<background-validation>true</background-validation>
<valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnecti
onChecker"></valid-connection-checker>
<stale-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnecti
onChecker"></stale-connection-checker>
<exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSort
er"></exception-sorter>
</validation>
</datasource>
<drivers>
<driver name="oracle" module="com.oracle">
<xa-datasourceclass>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
</driver>
</drivers>
</datasources>
The example below is a mo d ul e. xml file for the Oracle datasource above.
<module xmlns="urn:jboss:module:1.1" name="com.oracle">
<resources>
<resource-root path="ojdbc6.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
</module>
Report a bug
Oracle Datasources
Prior to version 10.2 of the Oracle datasource, the <no-tx-separate-pools/> parameter was
required, as mixing non-transactional and transactional connections would result in an error.
This parameter may no longer be required for certain applications.
150
Important
The following settings must be applied for the user accessing an Oracle XA datasource in
order for XA recovery to operate correctly. The value user is the user defined to connect from
JBoss to Oracle:
GRANT
GRANT
GRANT
GRANT
11g)
OR
GRANT EXECUTE ON sys.dbms_system TO user; (If using an unpatched Oracle version
prior to 11g)
Examp le 6 .15.
The example below is an Oracle XA datasource configuration. The datasource has been enabled,
a user has been added, and validation options have been set.
<datasources>
<xa-datasource jndi-name="java:/XAOracleDS" pool-name="XAOracleDS">
<driver>oracle</driver>
<xa-datasource-property name="URL">jdbc:oracle:oci8:@ tc</xadatasource-property>
<security>
<user-name>admin</user-name>
<password>admin</password>
</security>
<xa-pool>
<is-same-rm-override>false</is-same-rm-override>
<no-tx-separate-pools />
</xa-pool>
<validation>
<background-validation>true</background-validation>
<valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnecti
onChecker"></valid-connection-checker>
<stale-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnecti
onChecker"></stale-connection-checker>
<exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSort
er"></exception-sorter>
</validation>
</xa-datasource>
<drivers>
<driver name="oracle" module="com.oracle">
<xa-datasource-
151
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
</driver>
</drivers>
</datasources>
The example below is a mo d ul e. xml file for the Oracle XA datasource above.
<module xmlns="urn:jboss:module:1.1" name="com.oracle">
<resources>
<resource-root path="ojdbc6.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
</module>
Report a bug
152
Report a bug
153
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
154
Report a bug
155
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
</recover-plugin>
</recovery>
</xa-datasource>
<drivers>
<driver name="ibmdb2" module="com.ibm">
<xa-datasource-class>com.ibm.db2.jcc.DB2XADataSource</xadatasource-class>
</driver>
</drivers>
</datasources>
The example below is a mo d ul e. xml file for the IBM D B2 XA datasource above.
<module xmlns="urn:jboss:module:1.1" name="com.ibm">
<resources>
<resource-root path="db2jcc4.jar"/>
<resource-root path="db2jcc_license_cisuz.jar"/>
<resource-root path="db2jcc_license_cu.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
</module>
Report a bug
156
<drivers>
<driver name="sybase" module="com.sybase">
<datasourceclass>com.sybase.jdbc4.jdbc.SybDataSource</datasource-class>
<xa-datasource-class>com.sybase.jdbc4.jdbc.SybXADataSource</xadatasource-class>
</driver>
</drivers>
</datasources>
The example below is a mo d ul e. xml file for the Sybase datasource above.
<module xmlns="urn:jboss:module:1.1" name="com.sybase">
<resources>
<resource-root path="jconn2.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
</module>
Report a bug
157
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
er"></exception-sorter>
</validation>
</xa-datasource>
<drivers>
<driver name="sybase" module="com.sybase">
<datasourceclass>com.sybase.jdbc4.jdbc.SybDataSource</datasource-class>
<xa-datasource-class>com.sybase.jdbc4.jdbc.SybXADataSource</xadatasource-class>
</driver>
</drivers>
</datasources>
The example below is a mo d ul e. xml file for the Sybase XA datasource above.
<module xmlns="urn:jboss:module:1.1" name="com.sybase">
<resources>
<resource-root path="jconn2.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
</module>
Report a bug
158
<resource-root path="mysql-connector-java-5.1.15.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
< /module>
The module name, co m. mysq l , should match the directory structure for the module,
excluding the mai n/ subdirectory name.
The modules provided in JBoss EAP distributions are located in a system directory within
the JBOSS_HOME/mo d ul es directory. This keeps them separate from any modules
provided by third parties.
Any Red Hat provided layered products that layer on top of JBoss EAP 6.1 or later will also
install their modules within the system directory.
Creating custom static modules can be useful if many applications are deployed on the
same server that use the same third party libraries. Instead of bundling those libraries with
each application, a module containing these libraries can be created and installed by the
JBoss administrator. The applications can then declare an explicit dependency on the
custom static modules.
Users must ensure that custom modules are installed into the JBOSS_HOME/mo d ul es
directory, using a one directory per module layout. This ensures that custom versions of
modules that already exist in the system directory are loaded instead of the shipped
versions. In this way, user provided modules will take precedence over system modules.
159
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
If you use the JBO SS_MO D ULEP AT H environment variable to change the locations in which
JBoss EAP searches for modules, then the product will look for a system subdirectory
structure within one of the locations specified. A system structure must exist somewhere in
the locations specified with JBO SS_MO D ULEP AT H.
D yn amic Mo d u les
D ynamic Modules are created and loaded by the application server for each JAR or WAR
deployment (or subdeployment in an EAR). The name of a dynamic module is derived from
the name of the deployed archive. Because deployments are loaded as modules, they can
configure dependencies and be used as dependencies by other deployments.
Modules are only loaded when required. This usually only occurs when an application is deployed
that has explicit or implicit dependencies.
Report a bug
160
A module's class path contains only its own classes and that of it's immediate dependencies. A
module is not able to access the classes of the dependencies of one of its dependencies. However a
module can specify that an explicit dependency is exported. An exported dependency is provided to
any module that depends on the module that exports it.
Warning
This task requires you to edit the XML configuration files of the server. The server must be
halted before doing this. This is temporary as the final release administration tools will support
this type of configuration.
1. St o p t h e server
Halt the JBoss EAP 6 server.
2. O p en t h e server co n f ig u rat io n f ile
Open the server configuration file in a text editor.
This file will be different for a managed domain or standalone server. In addition, non-default
locations and file names may be used. The default configuration files are
d o mai n/co nfi g urati o n/d o mai n. xml and
stand al o ne/co nfi g urati o n/stand al o ne. xml for managed domains and standalone
servers respectively.
161
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
...
...
The default configuration has a single self-closing tag but a custom configuration may have
separate open and closing tags (possibly with other elements within) like this:
< subsystem xmlns="urn:jboss:domain:ee:1.2" ></subsystem>
4. R ep lace self - clo sin g t ag s if n ecessary
If the EE Subsystem element is a single self-closing tag then replace with appropriate opening
and closing tags like this:
< subsystem xmlns="urn:jboss:domain:ee:1.2" ></subsystem>
5. Ad d ear- su b d ep lo ymen t s- iso lat ed elemen t
Add the ear-subd epl o yments-i so l ated element as a child of the EE Subsystem element
and add the content of fal se like this:
< subsystem xmlns="urn:jboss:domain:ee:1.2" ><ear-subdeploymentsisolated>false</ear-subdeployments-isolated></subsystem>
6. St art t h e server
Relaunch the JBoss EAP 6 server to start it running with the new configuration.
R esu lt :
The server will now be running with Subdeployment Module Isolation disabled for all deployments.
Report a bug
162
<resources>
<resource-root path="properties"/>
163
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
</resources>
< /module>
2. Modify the ee subsystem in the server configuration file. You can use the JBoss CLI or you
can manually edit the file.
A. Follow these steps to modify the server configuration file using the JBoss CLI.
a. Start the server and connect to the Management CLI.
A. For Linux, enter the following at the command line:
$ EAP_HOME/bin/jboss-cli.sh --connect
B. For Windows, enter the following at a command line:
C:\>EAP_HOME\bin\jboss-cli.bat --connect
You should see the following response:
Connected to standalone controller at localhost:9999
b. To create the myo rg -co nf <global-modules> element in the ee subsystem, type
the following in the command line:
/subsystem=ee:write-attribute(name=global-modules, value=
[{"name"=>"myorg-conf","slot"=>"main"}])
You should see the following result:
{"outcome" => "success"}
B. Follow these steps if you prefer to manually edit the server configuration file.
a. Stop the server and open the server configuration file in a text editor. If you are
running a standalone server, this is the
EAP_HOME/stand al o ne/co nfi g urati o n/stand al o ne. xml file, or the
EAP_HOME/d o mai n/co nfi g urati o n/d o mai n. xml file if you are running a
managed domain.
b. Find the ee subsystem and add the global module for myo rg -co nf. The following
is an example of the ee subsystem element, modified to include the myo rg -co nf
element:
<global-modules>
</global-modules>
< /subsystem>
3. Assuming you copied a file named my. pro perti es into the correct module location, you are
now able to load properties files using code similar to the following:
164
T hread.currentThread().getContextClassLoader().getResource("my.prop
erties");
Report a bug
7.6. Reference
7.6.1. Included Modules
A table listing the JBoss EAP 6 included modules and whether they are supported can be found on
the Customer Portal at https://access.redhat.com/articles/1122333.
Report a bug
165
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
166
Chapt er 8 . Jsvc
Chapter 8. Jsvc
8.1. Int roduct ion
8.1.1. About Jsvc
Jsvc is a set of libraries and applications which allow Java applications run on UNIX and UNIX-like
platforms as a background service. It allows an application to perform operations as a privileged
user, and then switch identity to a non-privileged user.
Jsvc uses three processes: a launcher process, a controller process and a controlled process. The
controlled process is also the main Java thread. If the JVM crashes the controller process will restart
it within 60 seconds. Jsvc is a daemon process and for JBoss EAP 6 it must be started by a
privileged user.
Note
Jsvc is for use on Red Hat Enterprise Linux, Solaris and HP-UX only. For similar functionality
on Microsoft Windows, see prunsrv. exe in the Nati ve Uti l i ti es fo r Wi nd o ws
Server download available from the Red Hat Customer Portal.
Report a bug
167
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
File Lo cat io n
EAP-HOME
JSVC-BIN
JSVC-JAR
${eap-installation-location}/jboss-eap-${version}
EAP_HOME/modules/system/layers/base/native/sbin/jsvc
EAP_HOME/modules/system/layers/base/native/sbin/commonsdaemon.jar
EAP_HOME/standalone/configuration
EAP_HOME/standalone/log
CONF-D IR
LOG-D IR
File Lo cat io n
EAP-HOME
JSVC-BIN
JSVC-JAR
/usr/share/jbossas
/usr/bin/jsvc-eap6/jsvc
EAP_HOME/modules/system/layers/base/native/sbin/commonsdaemon.jar
/etc/jbossas/standalone
/var/log/jbossas/standalone
CONF-D IR
LOG-D IR
168
\
\
Chapt er 8 . Jsvc
File Lo cat io n
EAP-HOME
JSVC-BIN
JSVC-JAR
${eap-installation-location}/jboss-eap-${version}
EAP_HOME/modules/system/layers/base/native/sbin/jsvc
EAP_HOME/modules/system/layers/base/native/sbin/commonsdaemon.jar
EAP_HOME/domain/configuration
EAP_HOME/domain/log
CONF-D IR
LOG-D IR
File Lo cat io n
EAP-HOME
JSVC-BIN
JSVC-JAR
/usr/share/jbossas
/usr/bin/jsvc-eap6/jsvc
EAP_HOME/modules/system/layers/base/native/sbin/commonsdaemon.jar
/etc/jbossas/domain
/var/log/jbossas/domain
CONF-D IR
LOG-D IR
169
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
-Djboss.modules.system.pkgs=org.jboss.byteman \
-Djava.awt.headless=true \
-Dorg.jboss.boot.log.file=LOG_DIR/process-controller.log \
-Dlogging.configuration=file:CONF_DIR/logging.properties \
-Djboss.modules.policy-permissions \
-cp "EAP_HOME/jboss-modules.jar:JSVC_JAR" \
org.apache.commons.daemon.support.DaemonWrapper \
-start org.jboss.modules.Main -start-method main \
-mp EAP_HOME/modules org.jboss.as.process-controller \
-jboss-home EAP_HOME -jvm $JAVA_HOME/bin/java \
-mp EAP_HOME/modules -- \
-Dorg.jboss.boot.log.file=LOG_DIR/host-controller.log \
-Dlogging.configuration=file:CONF_DIR/logging.properties \
-Djboss.modules.policy-permissions \
-server -Xms64m -Xmx512m -XX:MaxPermSize=256m \
-Djava.net.preferIPv4Stack=true \
-Djboss.modules.system.pkgs=org.jboss.byteman \
-Djava.awt.headless=true -- -default-jvm $JAVA_HOME/bin/java
St o p JB o ss EAP in D o main Mo d e
JSVC_BIN \
-stop \
-outfile LOG_DIR/jsvc.out.log
\
-errfile LOG_DIR/jsvc.err.log
\
-pidfile LOG_DIR/jsvc.pid \
-user jboss \
-nodetach -D"[Process Controller]" -server -Xms64m \
-Xmx512m -XX:MaxPermSize=256m \
-Djava.net.preferIPv4Stack=true \
-Djboss.modules.system.pkgs=org.jboss.byteman \
-Djava.awt.headless=true \
-Dorg.jboss.boot.log.file=LOG_DIR/process-controller.log \
-Dlogging.configuration=file:CONF_DIR/logging.properties \
-Djboss.modules.policy-permissions \
-cp "EAP_HOME/jboss-modules.jar:JSVC_JAR" \
org.apache.commons.daemon.support.DaemonWrapper \
-start org.jboss.modules.Main -start-method main \
-mp EAP_HOME/modules org.jboss.as.process-controller \
-jboss-home EAP_HOME -jvm $JAVA_HOME/bin/java \
-mp EAP_HOME/modules -- \
-Dorg.jboss.boot.log.file=LOG_DIR/host-controller.log \
-Dlogging.configuration=file:CONF_DIR/logging.properties \
-Djboss.modules.policy-permissions \
-server -Xms64m -Xmx512m -XX:MaxPermSize=256m \
-Djava.net.preferIPv4Stack=true \
-Djboss.modules.system.pkgs=org.jboss.byteman \
-Djava.awt.headless=true -- -default-jvm $JAVA_HOME/bin/java
Note
If JBoss EAP 6 is terminated abnormally, such as a JVM crash, Jsvc will automatically restart
it. If JBoss EAP 6 is terminated correctly, Jsvc will also stop.
170
Chapt er 8 . Jsvc
Report a bug
171
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
172
173
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
/subsystem=web/valve=testvalve:add-param(param-name="NAME", paramvalue="VALUE")
/subsystem=web/valve=testvalve:add-param(
param-name="restrictedUserAgents",
param-value="^.*MS Web Services Client Protocol.*$"
)
The valve is now enabled and configured for all deployed applications.
Report a bug
174
175
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
176
R esu lt
The application is deployed on the relevant server or server group.
Report a bug
2. The method used to disable an application will differ depending on whether you are
deploying to a standalone server instance or a managed domain.
A. D isab le a d ep lo yed ap p licat io n o n a St an d alo n e server in st an ce
The Avai l abl e D epl o yments table shows all available application deployments and
their status.
a. Select the application to be disabled. Click En/D i sabl e to disable the selected
application.
b. Click C o nfi rm to confirm that the application will be disabled on the server
instance.
B. D isab le a d ep lo yed ap p licat io n o n a man ag ed d o main
The Manag e D epl o yments C o ntent screen contains a C o ntent R epo si to ry tab.
The Avai l abl e D epl o yment C o ntent table shows all available application
deployments and their status.
a. Select the Server G ro ups tab to view the server groups and the status of their
deployed applications.
b. Select the name of the server in the Server G ro up table to undeploy an
application from. Click Vi ew to see the applications.
c. Select the application and click En/D i sabl e to disable the application for the
selected server.
d. Click C o nfi rm to confirm that the application will be disabled on the server
instance.
177
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
e. Repeat as required for other server groups. The application status is confirmed for
each server group in the G ro up D epl o yments table for that server group.
R esu lt
The application is undeployed from the relevant server or server group.
Report a bug
2. The method used to undeploy an application will differ depending on whether you are
undeploying from a standalone server instance or a managed domain.
A. U n d ep lo y a d ep lo yed ap p licat io n f ro m a St an d alo n e server in st an ce
The Avai l abl e D epl o yments table shows all available application deployments and
their status.
a. Select the application to be undeployed. Click R emo ve to undeploy the selected
application.
b. Click C o nfi rm to confirm that the application will be undeployed on the server
instance.
B. U n d ep lo y a d ep lo yed ap p licat io n f ro m a man ag ed d o main
The Manag e D epl o yments C o ntent screen contains a C o ntent R epo si to ry tab.
The Avai l abl e D epl o yment C o ntent table shows all available application
deployments and their status.
a. Select the Server G ro ups tab to view the server groups and the status of their
deployed applications.
b. Select the name of the server in the Server G ro up table to undeploy an
application from. Click Vi ew to see the applications.
c. Select the application and click R emo ve to undeploy the application for the
selected server.
178
d. Click C o nfi rm to confirm that the application will be undeployed on the server
instance.
e. Repeat as required for other server groups. The application status is confirmed for
each server group in the G ro up D epl o yments table for that server group.
R esu lt
The application is undeployed from the relevant server or server group. On a standalone instance
the deployment content is also removed. On a managed domain, the deployment content remains in
the content repository and is only undeployed from the server group.
Report a bug
179
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Prereq u isit es
Section 3.5.2, Launch the Management CLI
Section 3.5.4, Connect to a Managed Server Instance Using the Management CLI
Section 10.3.2, D eploy an Application in a Standalone Server Using the Management CLI
Pro ced u re 10.5. U n d ep lo y an Ap p licat io n in a St an d alo n e Server
By default the und epl o y command will undeploy and delete the deployment content from a
standalone instance of JBoss EAP. To retain the deployment content, add the parameter --keepcontent.
R u n t h e und epl o y co mman d
To undeploy the application and delete the deployment content, enter the Management CLI
und epl o y command with the filename of the application deployment.
[standalone@ localhost:9999 /] und epl o y test-application.war
To undeploy the application, but retain the deployment content, enter the Management CLI
und epl o y command with the filename of the application deployment and the parameter --keepcontent.
[standalone@ localhost:9999 /] und epl o y test-application.war --keepcontent
R esu lt
The specified application is now undeployed. Note that the und epl o y command does not produce
any output to the Management CLI if it is successful.
Report a bug
180
181
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
i mport org.jboss.dmr.ModelNode;
i mport java.net.URL;
p ublic class DeployDmrToJson
{
public static void main(String[] args) throws Exception
{
if(args.length < 1)
System.out.println("Deploy\n-----------------------------\n");
System.out.println("Formatted:\n" +
deploy.toJSONString(false));
System.out.println("Unformatted:\n" +
deploy.toJSONString(true));
System.out.println("\nUndeploy\n-----------------------------\n");
System.out.println("Formatted:\n" +
undeploy.toJSONString(false));
System.out.println("Unformatted:\n" +
undeploy.toJSONString(true));
}
182
deployRequest.get("operation").set("deploy");
deployRequest.get("address", "deployment").set(name);
}
}
3. When the class is run the following command formats will be displayed. Use either the
d epl o y or und epl o y command relevant to your requirements.
D eploy
- ----------------------------F ormatted:
"operation" : "composite",
"address" : [],
"steps" : [
"operation" : "add",
"content" : [{"url" :
"file:/Users/username/support/helloWorld.war/dist/helloWorld.war"
}]
},
"operation" : "deploy",
183
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
]
}
nformatted:
U
{ "operation" : "composite", "address" : [], "steps" :
[{"operation" : "add", "address" : {"deployment" :
"helloWorld.war"}, "content" : [{"url" :
"file:/Users/username/support/helloWorld.war/dist/helloWorld.war"
}]},{"operation" : "deploy", "address" : {"deployment" :
"helloWorld.war"}}]}
U ndeploy
- ----------------------------F ormatted:
"operation" : "composite",
"address" : [],
"steps" : [
"operation" : "undeploy",
},
"operation" : "remove",
}
U nformatted:
{ "operation" : "composite", "address" : [], "steps" :
[{"operation" : "undeploy", "address" : {"deployment" :
"helloWorld.war"}},{"operation" : "remove", "address" :
{"deployment" : "helloWorld.war"}}]}
4. Use the following command to deploy or undeploy an application. Replace jso n req uest
with the request outlined above.
Report a bug
184
deployment scanner to suit your needs for deployment frequency and behavior for a variety of
application types.
Report a bug
R esu lt
The application file is deployed to the application server. A marker file is created in the deployment
folder to indicate the successful deployment, and the application is flagged as Enabl ed in the
Management Console.
185
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
10.5.3. Undeploy an Applicat ion from a St andalone Server Inst ance wit h t he
Deployment Scanner
Prereq u isit es
Section 2.1.1, Start JBoss EAP 6
Section 10.5.2, D eploy an Application to a Standalone Server Instance with the D eployment
Scanner
Su mmary
This task shows a method for undeploying applications from a standalone server instance that have
been deployed with the deployment scanner. As indicated in the Section 10.1, About Application
D eployment topic, this method is retained for the convenience of developers, where the Management
Console and Management CLI methods are recommended for application management under
production environments.
Note
The deployment scanner should not be used in conjunction with other deployment methods
for application management. Applications removed from the application server by the
management console will be removed from the runtime without affecting the marker files or
application contained in the deployment directory. To minimize the risk of accidental
redployment or other errors, use the Management CLI and Management Console for
administration in production environments.
186
187
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
R esu lt
The deployment scanner detects a change in the marker file and redeploys the application. A
new . d epl o yed file marker replaces the previous.
B. R ed ep lo y b y creat in g a n ew . d o d epl o y marker f ile
Trigger the deployment scanner redeployment by creating a new . d o d epl o y marker file.
Refer to the manual deployment instructions in Section 10.5.2, D eploy an Application to a
Standalone Server Instance with the D eployment Scanner .
C. R ed ep lo y b y d elet in g t h e marker f ile
As described in Section 10.5.5, Reference for D eployment Scanner Marker Files , deleting a
deployed application's . d epl o yed marker file will trigger an undeployment and create an
. und epl o yed marker. D eleting the undeployment marker will trigger the deployment cycle
again. Refer to Section 10.5.3, Undeploy an Application from a Standalone Server Instance
with the D eployment Scanner for further information.
R esu lt
The application file is redeployed.
Report a bug
O rig in
D escrip t io n
. d o d epl o y
User generated
. ski pd epl o y
User generated
188
Filen ame Su f f ix
O rig in
D escrip t io n
. i sd epl o yi ng
System generated
. d epl o yed
System generated
. fai l ed
System generated
. i sund epl o yi
ng
System generated
System generated
. pend i ng
System generated
Report a bug
D escrip t io n
T yp e
D ef au lt
Valu e
Boolean
False
Boolean
True
Boolean
True
Long
600
189
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
N ame
D escrip t io n
T yp e
D ef au lt
Valu e
path
String
deployment
s
String
jboss.server
.base.dir
Boolean
True
Int
5000
scan-enabl ed
scan-i nterval
Report a bug
190
Configuring the deployment scanner via the Management CLI requires that you first expose
the correct attribute names. You can do this with the read -reso urces operation at either the
root node, or by using the cd command to change into the subsystem child node. You can
also display the attributes with the l s command at this level.
A. Exp o se t h e d ep lo ymen t scan n er at t rib u t es wit h t h e read -reso urce o p erat io n
Use the read -reso urce operation to expose the attributes defined by the default
deployment scanner resource.
[standalone@ localhost:9999 /]/subsystem=deploymentscanner/scanner=default:read-resource
{
"outcome" => "success",
"result" => {
"auto-deploy-exploded" => false,
"auto-deploy-xml" => true,
"auto-deploy-zipped" => true,
"deployment-timeout" => 600,
"path" => "deployments",
"relative-to" => "jboss.server.base.dir",
"scan-enabled" => true,
"scan-interval" => 5000
}
}
B. Exp o se t h e d ep lo ymen t scan n er at t rib u t es wit h t h e l s co mman d
Use the l s command with the -l optional argument to display a table of results that
include the subsystem node attributes, values, and type. You can learn more about the l s
command and its arguments by exposing the CLI help entry by typing l s --hel p. For
more information about the help menu in the Management CLI, refer to the topic
Section 3.5.5, Obtain Help with the Management CLI .
[standalone@ localhost:9999 /] ls -l /subsystem=deploymentscanner/scanner=default
ATTRIBUTE
VALUE
TYPE
auto-deploy-exploded false
BOOLEAN
auto-deploy-xml
true
BOOLEAN
auto-deploy-zipped
true
BOOLEAN
deployment-timeout
600
LONG
path
deployments
STRING
relative-to
jboss.server.base.dir STRING
scan-enabled
true
BOOLEAN
scan-interval
5000
INT
2. C o n f ig u re t h e d ep lo ymen t scan n er wit h t h e wri te-attri bute o p erat io n
Once you have determined the name of the attribute to modify, use the wri te-attri bute to
specify the attribute name and the new value to write to it. The following examples are all run
at the child node level, which can be accessed by using the cd command and tab completion
to expose and change into the default scanner node.
[standalone@ localhost:9999 /] cd subsystem=deploymentscanner/scanner=default
191
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
192
193
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
1. Open a terminal session and navigate to the directory containing the quickstart examples.
2. Run the Maven deploy command to deploy the application. If the application is already
running, it will be redeployed.
[localhost]$ mvn package jboss-as:deploy
3. View the results.
A. The deployment can be confirmed by viewing the operation logs in the terminal window.
B. The deployment can also be confirmed in the status stream of the active application server
instance.
194
R esu lt
The application is deployed to the application server.
Report a bug
195
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
B. The undeployment can also be confirmed in the status stream of the active application
server instance.
R esu lt
The application is undeployed from the application server.
Report a bug
196
A new feature in EAP 6.1.X and later named Inter D eployment D ependencies allows you to declare
dependencies between top level deployments.
1. Create (if it doesn't exist) a jbo ss-al l . xml file in the app. ear/MET A-INF folder, where
app. ear is the application archive that depends on another application archive to be
deployed before it is.
2. Make a jbo ss-d epl o yment-d epend enci es entry in this file as shown below. Note that in
the listing below, framewo rk. ear is the dependency application archive that should be
deployed before app. ear application archive is.
<jboss umlns="urn:jboss:1.0">
<jboss-deployment-dependencies xmlns="urn:jboss:deploymentdependencies:1.0">
<dependency name="framework.ear" />
</jboss-deployment-dependencies>
</jboss>
Report a bug
b.
/d epl o yment-o verl ay= myo verl ay/co ntent= WEBINF\/web. xml : ad d (co ntent= {url = fi l e: ///ho me/user/web. xml })
You can also add more content rules using the second statement.
197
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
/d epl o yment-o verl ay= myo verl ay/d epl o yment= app. war: ad d
B. U sin g co n ven ien ce met h o d s
d epl o yment-o verl ay l i nk --name= myo verl ay --d epl o yments= app. war
You may specify multiple archive names separated by commas.
Note that the deployment archive name need not exist on the server. You are specifying the
name, but not yet linking it to an actual deployment.
3. R ed ep lo y t h e ap p licat io n
/d epl o yment= app. war: red epl o y
Report a bug
198
<authentication>
<module-option name="password-stacking"
value="useFirstPass"/>
</login-module>
<module-option name="usersProperties"
value="${jboss.domain.config.dir}/application-users.properties"/>
<module-option name="rolesProperties"
value="${jboss.domain.config.dir}/application-roles.properties"/>
199
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<module-option name="realm"
value="ApplicationRealm"/>
<module-option name="password-stacking"
value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<authorization>
</authorization>
</security-domain>
<authorization>
</authorization>
</security-domain>
</security-domains>
<vault>
...
</vault>
< /subsystem>
The <securi ty-manag ement>, <subject-facto ry> and <securi ty-pro perti es> elements
are not present in the default configuration. The <subject-facto ry> and <securi typro perti es> elements have been deprecated in JBoss EAP 6.1 onwards.
Report a bug
200
Report a bug
201
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
202
Authentication refers to identifying a subject and verifying the authenticity of the identification. The
most common authentication mechanism is a username and password combination. Other common
authentication mechanisms use shared keys, smart cards, or fingerprints. The outcome of a
successful authentication is referred to as a principal, in terms of Java Enterprise Edition declarative
security.
JBoss EAP 6 uses a pluggable system of authentication modules to provide flexibility and integration
with the authentication systems you already use in your organization. Each security domain
contains one or more configured authentication modules. Each module includes additional
configuration parameters to customize its behavior. The easiest way to configure the authentication
subsystem is within the web-based management console.
Authentication is not the same as authorization, although they are often linked. Many of the included
authentication modules can also handle authorization.
Report a bug
203
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Flag
D et ails
required
requisite
sufficient
optional
4. Ed it au t h en t icat io n set t in g s
After you have added your module, you can modify its C o d e or Fl ag s by clicking Ed i t in
the D etai l s section of the screen. Be sure the Attri butes tab is selected.
5. O p t io n al: Ad d o r remo ve mo d u le o p t io n s.
If you need to add options to your module, click its entry in the Lo g i n Mo d ul es list, and
select the Mo d ul e O pti o ns tab in the D etai l s section of the page. Click the Ad d button,
and provide the key and value for the option. Use the R emo ve button to remove an option.
R esu lt
Your authentication module is added to the security domain, and is immediately available to
applications which use the security domain.
T h e jbo ss. securi ty. securi ty_d o mai n Mo d u le O p t io n
By default, each login module defined in a security domain has the
jbo ss. securi ty. securi ty_d o mai n module option added to it automatically. This option
causes problems with login modules which check to make sure that only known options are defined.
The IBM Kerberos login module, co m. i bm. securi ty. auth. mo d ul e. Krb5Lo g i nMo d ul e is one
of these.
You can disable the behavior of adding this module option by setting the system property to true
when starting JBoss EAP 6. Add the following to your start-up parameters.
-Djboss.security.disable.secdomain.option=true
You can also set this property using the web-based Management Console. In a standalone server,
you can set system properties in the P ro fi l e section of the configuration. In a managed domain,
you can set system properties for each server group.
204
Report a bug
205
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Flag
D et ails
required
requisite
sufficient
optional
4. Ed it au t h o riz at io n set t in g s
After you have added your module, you can modify its C o d e or Fl ag s by clicking Ed i t in
the D etai l s section of the screen. Be sure the Attri butes tab is selected.
5. O p t io n al: Ad d o r remo ve mo d u le o p t io n s.
If you need to add options to your module, click its entry in the P o l i ci es list, and select the
Mo d ul e O pti o ns tab in the D etai l s section of the page. Click Ad d and provide the key
and value for the option. Use the R emo ve button to remove an option.
R esu lt
Your authorization policy module is added to the security domain, and is immediately available to
applications which use the security domain.
Report a bug
206
207
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
If the Lo g Aud i tP ro vi d er module is enabled, JBoss EAP 6 maintains an audit log which records
authentication and authorization in applications and login modules. The file is named aud i t. l o g
by default and stored in the l o g subdirectory of the EAP_HOME directory. This behavior is
determined by the configuration of the logging subsystem's log handlers. The output of the
Lo g Aud i tP ro vi d er module could be sent to a sysl o g server in addition to or instead of a file, by
using the sysl o g log handler.
By default, the Lo g Aud i tP ro vi d er module outputs only to cumulative aud i t. l o g file. To
implement a periodic rotating file handler called AUD IT , enter the following management CLI
command.
/subsystem=logging/periodic-rotating-filehandler=AUDIT/:add(suffix=.yyyy-MM-dd,formatter=%d{HH:mm:ss,SSS} %-5p
[%c] (%t) %s%E%n,level=T R AC E,file={"relative-to" =>
"jboss.server.log.dir","path" => "audit.log"})
See Also :
Section 14.1.12, About Log Handlers
Report a bug
208
Warning
If an application is part of a security domain that uses an authentication cache, user
authentications for that application will also be available to other applications in that security
domain.
209
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<security-domains>
<authentication>
<login-module code="Remoting"
flag="optional">
<module-option name="password-stacking"
value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect"
flag="required">
<module-option name="password-stacking"
value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<authorization>
<policy-module code="Delegating"
flag="required"/>
</authorization>
</security-domain>
<authorization>
<policy-module code="Delegating"
flag="required"/>
</authorization>
</security-domain>
</security-domains>
< /subsystem>
210
You can configure additional security domains as needed using the Management
Console or CLI.
b. En ab le t h e secu rit y d o main in t h e ap p licat io n ' s d escrip t o r f ile
The security domain is specified in the <securi ty-d o mai n> child element of the
<jbo ss-web> element in the application's WEB-INF/jbo ss-web. xml file. The
following example configures a security domain named my-d o mai n.
< jboss-web>
<security-domain>my-domain</security-domain>
< /jboss-web>
This is only one of many settings which you can specify in the WEB-INF/jbo ssweb. xml descriptor.
2. Ad d t h e R eq u ired An n o t at io n t o t h e EJB
You configure security in the EJB using the @ Securi tyD o mai n and @ R o l esAl l o wed
annotations. The following EJB code example limits access to the o ther security domain by
users in the g uest role.
p ackage example.ejb3;
i mport java.security.Principal;
i mport
i mport
i mport
i mport
javax.annotation.Resource;
javax.annotation.security.RolesAllowed;
javax.ejb.SessionContext;
javax.ejb.Stateless;
i mport org.jboss.ejb3.annotation.SecurityDomain;
/ **
* Simple secured EJB using EJB security annotations
* Allow access to "other" security domain by users in a "guest"
role.
*/
@ Stateless
@ RolesAllowed({ "guest" })
@ SecurityDomain("other")
p ublic class SecuredEJB {
/**
* Secured EJB method using security annotations
*/
public String getSecurityInfo() {
// Session context injected using the resource annotation
Principal principal = ctx.getCallerPrincipal();
return principal.toString();
}
211
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
For more code examples, see the ejb-securi ty quickstart in the JBoss EAP 6 Quickstarts
bundle, which is available from the Red Hat Customer Portal.
Report a bug
11.6.13. Java Aut horiz at ion Cont ract for Cont ainers (JACC)
1 1 .6 .1 3.1 . Abo ut Java Aut ho rizat io n Co nt ract fo r Co nt aine rs (JACC)
Java Authorization Contract for Containers (JACC) is a standard which defines a contract between
containers and authorization service providers, which results in the implementation of providers for
use by containers. It was defined in JSR-115, which can be found on the Java Community Process
website at http://jcp.org/en/jsr/detail?id=115. It has been part of the core Java Enterprise Edition (Java
EE) specification since Java EE version 1.3.
JBoss EAP 6 implements support for JACC within the security functionality of the security subsystem.
Report a bug
<authentication>
</login-module>
</authentication>
<authorization>
</authorization>
< /security-domain>
C o n f ig u re a Web Ap p licat io n t o U se JAC C
The jbo ss-web. xml is located in the WEB-INF/ directory of your deployment, and contains
overrides and additional JBoss-specific configuration for the web container. To use your JACCenabled security domain, you need to include the <securi ty-d o mai n> element, and also set the
<use-jbo ss-autho ri zati o n> element to true. The following application is properly configured
to use the JACC security domain above.
< jboss-web>
<security-domain>jacc</security-domain>
212
<use-jboss-authorization>true</use-jboss-authorization>
< /jboss-web>
C o n f ig u re an EJB Ap p licat io n t o U se JAC C
Configuring EJBs to use a security domain and to use JACC differs from Web Applications. For an
EJB, you can declare method permissions on a method or group of methods, in the ejb-jar. xml
descriptor. Within the <ejb-jar> element, any child <metho d -permi ssi o n> elements contain
information about JACC roles. Refer to the example configuration for more details. The
EJBMetho d P ermi ssi o n class is part of the Java Enterprise Edition 6 API, and is documented at
http://docs.oracle.com/javaee/6/api/javax/security/jacc/EJBMethodPermission.html.
<method-permission>
<role-name>employee</role-name>
<role-name>temp-employee</role-name>
<method>
<ejb-name>EmployeeService</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
</assembly-descriptor>
< /ejb-jar>
You can also constrain the authentication and authorization mechanisms for an EJB by using a
security domain, just as you can do for a web application. Security domains are declared in the
jbo ss-ejb3. xml descriptor, in the <securi ty> child element. In addition to the security domain,
you can also specify the run-as principal, which changes the principal the EJB runs as.
<ejb-name>*</ejb-name>
<security-domain>myDomain</security-domain>
<run-as-principal>myPrincipal</run-as-principal>
</security>
</assembly-descriptor>
< /ejb-jar>
Report a bug
11.6.14 . Java Aut hent icat ion SPI for Cont ainers (JASPI)
1 1 .6 .1 4 .1 . Abo ut Java Aut he nt icat io n SPI fo r Co nt aine rs (JASPI) Se curit y
213
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Java Authentication SPI for Containers (JASPI or JASPIC) is a pluggable interface for Java
applications. It is defined in JSR-196 of the Java Community Process. Refer to
http://www.jcp.org/en/jsr/detail?id=196 for details about the specification.
Report a bug
< authentication-jaspi>
<login-module-stack name="...">
</login-module>
</login-module-stack>
<auth-module code="..." login-module-stack-ref="...">
The login module itself is configured in exactly the same way as a standard authentication module.
Because the web-based management console does not expose the configuration of JASPI
authentication modules, you need to stop JBoss EAP 6 completely before adding the configuration
directly to EAP_HOME/d o mai n/co nfi g urati o n/d o mai n. xml or
EAP_HOME/stand al o ne/co nfi g urati o n/stand al o ne. xml .
Report a bug
214
Object type.
Host name of the server.
Port number of the server.
An object key, which identifies the object.
The host name and port number are used to communicate with the server and the object key is used
by the server to identify the object.
Report a bug
D escrip t io n
Valid Valu es
/subsystem=jacorb/ior-settings=default/setting=sas-context:add
/subsystem=jacorb/ior-settings=default/setting=sas-context:writeattribute(name=caller-propagation, value=NONE|SUPPORTED)
The iorASContextType specifies the attributes used to setup the IOR Authentication Service settings.
Each of the following parameters are optional.
T ab le 11.2. io rASC o n t ext T yp e
Paramet er
D escrip t io n
T yp e
Valid Valu es
auth-metho d
Authentication method.
String
real m
Authentication Service
realm name.
Indicates if
authentication is
required.
String
no ne,
username_passwo rd
D efault value:
D efaul t
true, fal se
req ui red
Boolean
215
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
/subsystem=jacorb/ior-settings=default/setting=as-context:add
/subsystem=jacorb/ior-settings=default/setting=as-context:writeattribute(name=ATTRIBUTE, value=VALUE)
The iorTransportconfigType specifies the attributes used to set up the IOR transport settings.
T ab le 11.3. io rT ran sp o rt co n f ig T yp e
Paramet er
D escrip t io n
Valid Valu es
i nteg ri ty
co nfi d enti al i ty
trust-i n-targ et
d etect-repl ay
d etect-mi so rd eri ng
/subsystem=jacorb/ior-settings=default/setting=transport-config:add
/subsystem=jacorb/ior-settings=default/setting=transport-config:writeattribute(name=ATTRIBUTE, value=VALUE)
Report a bug
216
Note
HTTP access is considered to be remote, even if you connect to the localhost using HTTP.
The client sends a message to the server which includes a request to authenticate with the
local SASL mechanism.
The server generates a one-time token, writes it to a unique file, and sends a message to
the client with the full path of the file.
The client reads the token from the file and sends it to the server, verifying that it has local
access to the filesystem.
The server verifies the token and then deletes the file.
Remote clients, including local HTTP clients, use realm-based security. The default realm with the
permissions to configure the JBoss EAP 6 instance remotely using the management interfaces is
Manag ementR eal m. A script is provided which allows you to add users to this realm (or realms
you create). For more information on adding users, see the Getting Started chapter of the JBoss
EAP 6 Installation Guide. For each user, the username and a hashed password are stored in a file.
Man ag ed d o main
EAP_HOME/d o mai n/co nfi g urati o n/mg mt-users. pro perti es
St an d alo n e server
EAP_HOME/stand al o ne/co nfi g urati o n/mg mt-users. pro perti es
Even though the contents of the mg mt-users. pro perti es are masked, the file must still be
treated as a sensitive file. It is recommended that it be set to the file mode of 6 0 0 , which gives no
access other than read and write access by the file owner.
Report a bug
217
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Note
Refer to the Management Interface Audit Logging section of the Administration and Configuration
Guide for more information on audit logging.
Note
Security realms can also be used for your own applications. The security realms discussed
here are specific to the management interfaces.
O u t b o u n d C o n n ect io n s
Some security realms connect to external interfaces, such as an LD AP server. An outbound
connection defines how to make this connection. A pre-defined connection type, l d apco nnecti o n, sets all of the required and optional attributes to connect to the LD AP server and verify
the credential.
For more information on how to configure LD AP authentication see Section 11.8.4, Use LD AP to
Authenticate to the Management Interfaces .
Man ag emen t In t erf aces
A management interface includes properties about how connect to and configure JBoss EAP. Such
information includes the named network interface, port, security realm, and other configurable
information about the interface. Two interfaces are included in a default installation:
http-i nterface is the configuration for the web-based Management Console.
nati ve-i nterface is the configuration for the command-line Management CLI and the RESTlike Management API.
Each of the main configurable elements of the host management subsystem are interrelated. A
security realm refers to an outbound connection, and a management interface refers to a security
realm.
Associated information can be found in Section 11.10.1, Secure the Management Interfaces .
Report a bug
218
Lightweight D irectory Access Protocol (LD AP) is a protocol for storing and distributing directory
information across a network. This directory information includes information about users, hardware
devices, access roles and restrictions, and other information.
Some common implementations of LD AP include OpenLD AP, Microsoft Active D irectory, IBM Tivoli
D irectory Server, Oracle Internet D irectory, and others.
JBoss EAP 6 includes several authentication and authorization modules which allow you to use a
LD AP server as the authentication and authorization authority for your Web and EJB applications.
Report a bug
R eq u ired
D escrip t io n
url
yes
search-d n
no
search-cred enti al s
no
i ni ti al -co ntext-facto ry
no
securi ty-real m
no
219
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
220
<authentication>
</ldap>
</authentication>
< /security-realm>
Warning
It is important to ensure that you do not allow empty LD AP passwords; unless you specifically
desire this in your environment, it is a serious security concern.
EAP 6.1 includes a patch for CVE-2012-5629, which sets the allowEmptyPasswords option for
the LD AP login modules to false if the option is not already configured. For older versions, this
option should be configured manually
221
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
After you create a security realm, you need to reference it in the configuration of your management
interface. The management interface will use the security realm for HTTP digest authentication.
Report a bug
Note
Other clients, such as JBoss Operations Network, also operate using the HTTP interface. If
you want to use these services, and simply disable the Management Console itself, you can
set the co nso l e-enabl ed attribute of the HTTP interface to fal se, instead of disabling the
interface completely.
/host=master/core-service=management/management-interface=httpinterface/:write-attribute(name=console-enabled,value=false)
To disable access to the HTTP interface, which also disables access to the web-based Management
Console, you can delete the HTTP interface altogether.
The following JBoss CLI command allows you to read the current contents of your HTTP interface, in
case you decide to add it again.
222
To re-enable access, issue the following commands to re-create the HTTP Interface with the default
values.
Report a bug
11.8.6. Remove Silent Aut hent icat ion from t he Default Securit y Realm
Su mmary
The default installation of JBoss EAP 6 contains a method of silent authentication for a local
Management CLI user. This allows the local user the ability to access the Management CLI without
username or password authentication. This functionality is enabled as a convenience, and to assist
local users running Management CLI scripts without requiring authentication. It is considered a
useful feature given that access to the local configuration typically also gives the user the ability to
add their own user details or otherwise disable security checks.
The convenience of silent authentication for local users can be disabled where greater security
control is required. This can be achieved by removing the l o cal element within the securi tyreal m section of the configuration file. This applies to both the stand al o ne. xml for a Standalone
Server instance, or ho st. xml for a Managed D omain. You should only consider the removal of the
l o cal element if you understand the impact that it might have on your particular server
configuration.
The preferred method of removing silent authentication is by use of the Management CLI, which
directly removes the l o cal element visible in the following example.
223
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Prereq u isit es
Section 2.1.1, Start JBoss EAP 6
Section 3.5.2, Launch the Management CLI
Pro ced u re 11.7. R emo ve Silen t Au t h en t icat io n f ro m t h e D ef au lt Secu rit y R ealm
R emo ve silen t au t h en t icat io n wit h t h e Man ag emen t C LI
Remove the l o cal element from the Management Realm and Application Realm as required.
Remove the l o cal element from the Management Realm.
A. Fo r St an d alo n e Servers
/core-service=management/securityrealm=ManagementRealm/authentication=local:remove
B. Fo r Man ag ed D o main s
/host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication=local:remove
Remove the l o cal element from the Application Realm.
A. Fo r St an d alo n e Servers
224
/core-service=management/securityrealm=ApplicationRealm/authentication=local:remove
B. Fo r Man ag ed D o main s
/host=HOST_NAME/core-service=management/securityrealm=ApplicationRealm/authentication=local:remove
R esu lt
The silent authentication mode is removed from the Manag ementR eal m and the
Appl i cati o nR eal m.
Report a bug
Note
In a managed domain the remoting connector is removed from the JMX subsystem by default.
This command is provided for your information, in case you add it during development.
Report a bug
225
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The management interfaces are configured to use the Manag ementR eal m security realm by default.
The ManagementRealm stores its user password combinations in the file mg mtusers. pro perti es.
Examp le 11.20. Sp ecif y a Secu rit y R ealm t o u se f o r t h e H T T P Man ag emen t In t erf ace
/ho st= master/co re-servi ce= manag ement/manag ement-i nterface= httpi nterface/: wri te-attri bute(name= securi ty-real m,val ue= TestRealm)
Report a bug
226
227
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Attempting to access a resource that is not addressable will result in a reso urce no t
fo und error.
If a user attempts to write or read a resource that they can address but lack the appropriate
write or read permissions, a P ermi ssi o n D eni ed error is returned.
Report a bug
228
229
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Monitor
Operator
Maintain
er
X
D eployer
Auditor
Administr SuperUs
ator
er
X
X
X
X
X[1]
X[1]
230
Sensitivity constraint configuration is in the Management API at /co reservi ce= manag ement/access= autho ri zati o n/co nstrai nt= sensi ti vi tycl assi fi cati o n.
Vau lt Exp ressio n C o n st rain t
The Vault Expression constraint defines if reading or writing vault expressions is consider a
sensitive operation. By default both reading and writing vault expressions is a sensitive
operation.
Vault Expression constraint configuration is in the Management API at /co reservi ce= manag ement/access= autho ri zati o n/co nstrai nt= vaul t-expressi o n.
Constraints can not be configured in the Management Console at this time.
Report a bug
231
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
232
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
[standalone@ localhost:9999 /] /:reload
{
"outcome" => "success",
"result" => undefined
}
If the server is offline the XML configuration can be edited to enabled or disable RBAC. To do this,
edit the pro vi d er attribute of the access-co ntro l element of the management element. Set the
value to rbac to enable, and si mpl e to disable.
< management>
<access-control provider="rbac">
<role-mapping>
<role name="SuperUser">
<include>
<user name="$local"/>
</include>
</role>
</role-mapping>
</access-control>
</management>
Report a bug
233
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
/core-service=management/access=authorization:writeattribute(name=permission-combination-policy, value=POLICYNAME)
The valid policy names are rejecting and permissive.
[standalone@ localhost:9999 /] /coreservice=management/access=authorization:writeattribute(name=permission-combination-policy, value=rejecting)
{"outcome" => "success"}
[standalone@ localhost:9999 access=authorization]
If the server is offline the XML configuration can be edited to change the permission combination
policy value. To do this, edit the permi ssi o n-co mbi nati o n-po l i cy attribute of the accesscontrol element.
< access-control provider="rbac" permission-combinationpolicy="rejecting">
<role-mapping>
<role name="SuperUser">
<include>
<user name="$local"/>
</include>
</role>
</role-mapping>
< /access-control>
Report a bug
234
Report a bug
235
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
236
When successful, the Ad d User dialog closes, and the list of users is updated to reflect the
changes made. If unsuccessful a Fai l ed to save ro l e assi g nment message is
displayed.
Pro ced u re 11.12. U p d at e t h e ro le assig n men t f o r a u ser
1. Login to the Management console.
2. Navigate to the U sers tab of the R o l e Assi g nment section.
3. Select user from the list.
4. Click Ed it . The selection panel enters edit mode.
237
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
b. To remove an assigned role, selected the required role from the assigned roles list on
the right and click the button with the left-facing arrow next to the assigned roles list.
The role moves from the assigned list to the available list.
c. To add an excluded role, select the required role from the list of available roles on the
left and click button with the right-facing arrow next to the excluded roles list. The role
moves from the available list to the excluded list.
d. To remove an excluded role, selected the required role from the excluded roles list on
the right and click the button with the left-facing arrow next to the excluded roles list.
The role moves from the excluded list to the available list.
5. Click Save to finish.
When successful, the edit view closes, and the list of users is updated to reflect the changes
made. If unsuccessful a Fai l ed to save ro l e assi g nment message is displayed.
Pro ced u re 11.13. R emo ve ro le assig n men t f o r a u ser
1. Login to the Management console.
2. Navigate to the U sers tab of the Role Assignment section.
3. Select the user from the list.
4. Click R emo ve. The R emo ve R o l e Assi g nment confirmation prompt appears.
5. Click C o n f irm.
When successful, the user will no longer appear in the list of user role assignments.
Important
Removing the user from the list of role assignments does not remove the user from the system,
nor does it guarantee that no roles will be assigned to the user. Roles might still be assigned
from group membership.
Report a bug
238
1. Use the :read-children-names operation to get a complete list of the configured roles:
/core-service=management/access=authorization:read-childrennames(child-type=role-mapping)
[standalone@ localhost:9999 access=authorization] :read-childrennames(child-type=role-mapping)
{
"outcome" => "success",
"result" => [
"Administrator",
"Deployer",
"Maintainer",
"Monitor",
"Operator",
"SuperUser"
]
}
2. Use the read -reso urce operation of a specified role-mapping to get the full details of a
specific role:
/core-service=management/access=authorization/rolemapping=ROLENAME:read-resource(recursive=true)
[standalone@ localhost:9999 access=authorization] ./rolemapping=Administrator:read-resource(recursive=true)
{
"outcome" => "success",
"result" => {
"include-all" => false,
"exclude" => undefined,
"include" => {
"user-theboss" => {
"name" => "theboss",
"realm" => undefined,
"type" => "USER"
},
"user-harold" => {
"name" => "harold",
"realm" => undefined,
"type" => "USER"
},
"group-SysOps" => {
"name" => "SysOps",
"realm" => undefined,
"type" => "GROUP"
}
}
}
}
[standalone@ localhost:9999 access=authorization]
Pro ced u re 11.15. Ad d a n ew ro le
239
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
This procedure shows how to add a role-mapping entry for a role. This must be done before the role
can be configured.
Use the ad d operation to add a new role configuration.
/core-service=management/access=authorization/rolemapping=ROLENAME:add
ROLENAME is the name of the role that the new mapping is for.
[standalone@ localhost:9999 access=authorization] ./rolemapping=Auditor:add
{"outcome" => "success"}
[standalone@ localhost:9999 access=authorization]
Pro ced u re 11.16 . Ad d a u ser as in clu d ed in a ro le
This procedure shows how to add a user to the included list of a role.
If no configuration for a role has been done, then a role-mapping entry for it must be done first.
Use the ad d operation to add a user entry to the includes list of the role.
/core-service=management/access=authorization/rolemapping=ROLENAME/include=ALIAS:add(name=USERNAME, type=USER)
ROLENAME is the name of the role being configured.
ALIAS is a unique name for this mapping. Red Hat recommends that you use a naming
convention for your aliases such as user-USERNAME.
USERNAME is the name of the user being added to the include list.
[standalone@ localhost:9999 access=authorization] ./rolemapping=Auditor/include=user-max:add(name=max, type=USER)
{"outcome" => "success"}
[standalone@ localhost:9999 access=authorization]
Pro ced u re 11.17. Ad d a u ser as exclu d ed in a ro le
This procedure shows how to add a user to the excluded list of a role.
If no configuration for a role has been done, then a role-mapping entry for it must be done first.
Use the ad d operation to add a user entry to the excludes list of the role.
/core-service=management/access=authorization/rolemapping=ROLENAME/exclude=ALIAS:add(name=USERNAME, type=USER)
ROLENAME is the name of the role being configured.
USERNAME is the name of the user being added to the exclude list.
ALIAS is a unique name for this mapping. Red Hat recommends that you use a naming
convention for your aliases such as user-USERNAME.
24 0
24 1
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Users authenticated using either the mg mt-users. pro perti es file or an LD AP server, can be
members of user groups. A user group is an arbitrary label that can be assigned to one or more
users.
The RBAC system can be configured to automatically assign roles to users depending on what user
groups they are members of. It can also exclude users from roles based on group membership.
When using the mg mt-users. pro perti es file, group information is stored in the mg mtg ro ups. pro perti es file. When using LD AP the group information is stored in the LD AP sever and
maintained by those responsible for the LD AP server.
Report a bug
24 2
24 3
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
When successful, the Ad d G ro up dialog closes, and the list of groups is updated to reflect
the changes made. If unsuccessful a Fai l ed to save ro l e assi g nment message is
displayed.
Pro ced u re 11.21. U p d at e a ro le assig n men t f o r a g ro u p
1. Login to the Management console.
2. Navigate to the G R O U PS tab of the Role Assignment section.
3. Select the group from the list.
4. Click Edit. The Selection view enters Edit mode.
24 4
To remove an assigned role, selected the required role from the assigned roles list on the
right and click the button with the left-facing arrow next to the assigned roles list. The role
moves from the assigned list to the available list.
To add an excluded role, select the required role from the list of available roles on the left
and click button with the right-facing arrow next to the excluded roles list. The role moves
from the available list to the excluded list.
To remove an excluded role, selected the required role from the excluded roles list on the
right and click the button with the left-facing arrow next to the excluded roles list. The role
moves from the excluded list to the available list.
5. Click Save to finish.
When successful, the edit view closes, and the list of groups is updated to reflect the changes
made. If unsuccessful a Failed t o save ro le assig n men t message is displayed.
Pro ced u re 11.22. R emo ve ro le assig n men t f o r a g ro u p
1. Login to the Management console.
2. Navigate to the G R O U PS tab of the R o le Assig n men t section.
3. Select the group from the list.
4. Click R emo ve. The R emo ve R o l e Assi g nment confirmation prompt appears.
5. Click C o nfi rm.
When successful, the role will no longer appear in the list of group role assignments.
Removing the group from the list of role assignments does not remove the user group from the
system, nor does it guarantee that no roles will be assigned to members of that group. Each
group member might still have a role assigned to them directly.
Report a bug
24 5
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
/core-service=management/access=authorization:read-childrennames(child-type=role-mapping)
[standalone@ localhost:9999 access=authorization] :read-childrennames(child-type=role-mapping)
{
"outcome" => "success",
"result" => [
"Administrator",
"Deployer",
"Maintainer",
"Monitor",
"Operator",
"SuperUser"
]
}
2. Use the read -reso urce operation of a specified role-mapping to get the full details of a
specific role:
/core-service=management/access=authorization/rolemapping=ROLENAME:read-resource(recursive=true)
[standalone@ localhost:9999 access=authorization] ./rolemapping=Administrator:read-resource(recursive=true)
{
"outcome" => "success",
"result" => {
"include-all" => false,
"exclude" => undefined,
"include" => {
"user-theboss" => {
"name" => "theboss",
"realm" => undefined,
"type" => "USER"
},
"user-harold" => {
"name" => "harold",
"realm" => undefined,
"type" => "USER"
},
"group-SysOps" => {
"name" => "SysOps",
"realm" => undefined,
"type" => "GROUP"
}
}
}
}
[standalone@ localhost:9999 access=authorization]
Pro ced u re 11.24 . Ad d a n ew ro le
24 6
This procedure shows how to add a role-mapping entry for a role. This must be done before the role
can be configured.
Use the ad d operation to add a new role configuration.
/core-service=management/access=authorization/rolemapping=ROLENAME:add
[standalone@ localhost:9999 access=authorization] ./rolemapping=Auditor:add
{"outcome" => "success"}
[standalone@ localhost:9999 access=authorization]
Pro ced u re 11.25. Ad d a G ro u p as in clu d ed in a ro le
This procedure shows how to add a Group to the included list of a role.
If no configuration for a role has been done, then a role-mapping entry for it must be done first.
Use the ad d operation to add a Group entry to the includes list of the role.
/core-service=management/access=authorization/rolemapping=ROLENAME/include=ALIAS:add(name=GROUPNAME, type=GROUP)
ROLENAME is the name of the role being configured.
GROUPNAME is the name of the group being added to the include list.
ALIAS is a unique name for this mapping. Red Hat recommends that you use a naming
convention for your aliases such as g ro up-GROUPNAME.
[standalone@ localhost:9999 access=authorization] ./rolemapping=Auditor/include=group-investigators:add(name=investigators,
type=GROUP)
{"outcome" => "success"}
[standalone@ localhost:9999 access=authorization]
Pro ced u re 11.26 . Ad d a g ro u p as exclu d ed in a ro le
This procedure shows how to add a group to the excluded list of a role.
If no configuration for a role has been done, then a role-mapping entry for it must be created first.
Use the ad d operation to add a group entry to the excludes list of the role.
/core-service=management/access=authorization/rolemapping=ROLENAME/exclude=ALIAS:add(name=GROUPNAME, type=GROUP)
ROLENAME is the name of the role being configured
GROUPNAME is the name of the group being added to the include list
ALIAS is a unique name for this mapping. Red Hat recommends that you use a naming
convention for your aliases such as g ro up-GROUPNAME.
24 7
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
24 8
An LD AP directory contains entries for user accounts and groups, cross referenced by attributes.
D epending on the LD AP server configuration, a user entity may map the groups the user belongs to
through memberO f attributes; a group entity may map which users belong to it through
uni q ueMember attributes; or both mappings may be maintained by the LD AP server.
Users generally authenticate against the server using a simple user name. When searching for group
membership information, depending on the directory server in use, searches could be performed
using this simple name or using the distinguished name of the user's entry in the directory.
The authentication step of a user connecting to the server always happens first. Once the user is
successfully authenticated the server loads the user's groups. The authentication step and the
authorization step each require a connection to the LD AP server. The realm optimizes this process by
reusing the authentication connection for the group loading step. As will be shown within the
configuration steps below it is possible to define rules within the authorization section to convert a
user's simple user name to their distinguished name. The result of a " user name to distinguished
name mapping" search during authentication is cached and reused during the authorization query
when the fo rce attribute is set to " false" . When fo rce is true, the search is performed again during
authorization (while loading groups). This is typically done when different servers perform
authentication and authorization.
< authorization>
<ldap connection="...">
<username-to-dn force="true">
<username-is-dn />
</username-to-dn>
</group-to-principal>
</group-search>
</ldap>
< /authorization>
Important
These examples specify some attributes with their default values. This is done for
demonstration. Attributes that specify their default values are removed from the configuration
when it is persisted by the server. The exception is the fo rce attribute. It is required, even
when set to the default value of fal se.
u sern ame- t o - d n
24 9
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The username-to -d n element specifies how to map the user name to the distinguished name of
their entry in the LD AP directory. This element is only required when both of the following are true:
The authentication and authorization steps are against different LD AP servers.
The group search uses the distinguished name.
1:1 u sern ame- t o - d n
This specifies that the user name entered by the remote user is the user's distinguished
name.
< username-to-dn force="false">
<username-is-dn />
< /username-to-dn>
This defines a 1:1 mapping and there is no additional configuration.
u sern ame- f ilt er
The next option is very similar to the simple option described above for the authentication
step. A specified attribute is searched for a match against the supplied user name.
< username-to-dn force="true">
250
Important
The XML must remain valid after the filter is defined so if any special characters are
used such as & ensure the proper form is used. For example & amp; for the &
character.
T h e G ro u p Search
There are two different styles that can be used when searching for group membership information.
The first style is where the user's entry contains an attribute that references the groups the user is a
member of. The second style is where the group contains an attribute referencing the users entry.
When there is a choice of which style to use Red Hat recommends that the configuration for a user's
entry referencing the group is used. This is because with this method group information can be
loaded by reading attributes of known distinguished names without having to perform any searches.
The other approach requires extensive searches to identify the groups that reference the user.
Before describing the configuration here are some LD IF examples to illustrate this.
251
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
objectClass: uidObject
uid: GroupOne
distinguishedName: uid=GroupOne,ou=groups,dc=principal-togroup,dc=example,dc=org
memberOf: uid=GroupFive,ou=subgroups,ou=groups,dc=principal-togroup,dc=example,dc=org
dn: uid=GroupFive,ou=subgroups,ou=groups,dc=principal-togroup,dc=example,dc=org
objectClass: extensibleObject
objectClass: top
objectClass: groupMember
objectClass: group
objectClass: uidObject
uid: GroupFive
distinguishedName: uid=GroupFive,ou=subgroups,ou=groups,dc=principalto-group,dc=example,dc=org
252
uniqueMember: uid=TestUserFive,ou=users,dc=group-toprincipal,dc=example,dc=org
uniqueMember: uid=GroupOne,ou=groups,dc=group-toprincipal,dc=example,dc=org
G en eral G ro u p Search in g
Before looking at the examples for the two approaches shown above we first need to define the
attributes common to both of these.
< group-search group-name="..." iterative="..." group-dn-attribute="..."
group-name-attribute="..." >
...
< /group-search>
g ro up-name: This attribute is used to specify the form that should be used for the group name
returned as the list of groups of which the user is a member. This can either be the simple form of
the group name or the group's distinguished name. If the distinguished name is required this
attribute can be set to D IST ING UISHED _NAME. D efaults to SIMP LE.
i terati ve: This attribute is used to indicate if, after identifying the groups a user is a member of,
we should also iteratively search based on the groups to identify which groups the groups are a
member of. If iterative searching is enabled we keep going until either we reach a group that is not
a member if any other groups or a cycle is detected. D efaults to fal se.
Cyclic group membership is not a problem. A record of each search is kept to prevent groups that
have already been searched from being searched again.
Important
For iterative searching to work the group entries need to look the same as user entries. The
same approach used to identify the groups a user is a member of is then used to identify the
groups of which the group is a member. This would not be possible if for group to group
membership the name of the attribute used for the cross reference changes or if the direction of
the reference changes.
g ro up-d n-attri bute: On an entry for a group which attribute is its distinguished name.
D efaults to d n.
g ro up-name-attri bute: On an entry for a group which attribute is its simple name. D efaults to
ui d .
<ldap connection="LocalLdap">
<username-to-dn>
253
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
attribute="dn" />
</username-to-dn>
</group-search>
</ldap>
< /authorization>
The most important aspect of this configuration is that the pri nci pal -to -g ro up element has been
added with a single attribute.
g ro up-attri bute: The name of the attribute on the user entry that matches the distinguished
name of the group the user is a member of. D efaults to memberO f.
<ldap connection="LocalLdap">
<username-to-dn>
</username-to-dn>
</group-to-principal>
</group-search>
</ldap>
</authorization>
Here an element g ro up-to -pri nci pal is added. This element is used to define how searches for
groups that reference the user entry will be performed. The following attributes are set:
base-d n: The distinguished name of the context to use to begin the search.
recursi ve: Whether sub-contexts also be searched. D efaults to fal se.
search-by: The form of the role name used in searches. Valid values are SIMP LE and
D IST ING UISHED _NAME. D efaults to D IST ING UISHED _NAME.
Within the group-to-principal element there is a membership-filter element to define the cross reference.
pri nci pal -attri bute: The name of the attribute on the group entry that references the user
entry. D efaults to member.
Report a bug
254
1 1 .9 .9 .8 . Abo ut Sco pe d Ro le s
Scoped Roles are user-defined roles that grant the permissions of one of the standard roles but only
for one or more specified server groups or hosts. Scoped roles allow for management users to be
granted permissions that are limited to only those server groups or hosts that are required.
Scoped roles can be created by users assigned the Administrator or SuperUser roles.
They are defined by five characteristics:
1. A unique name.
2. Which of the standard roles it is based on.
3. If it applies to Server Groups or Hosts
4. The list of server groups or hosts that it is restricted to.
5. If all users are automatically include. This defaults to false.
Once created a scoped role can be assigned to users and groups the same way that the standard
roles are.
Creating a scoped role does not let you define new permissions. Scoped roles can only be used to
apply the permissions of an existing role in a limited scope. For example, you could create a scoped
role based on the D eployer role which is restricted to a single server group.
There are only two scopes that roles can be limited to, host and server group.
H o st - sco p ed ro les
A role that is host-scoped restricts the permissions of that role to one or more hosts. This
means access is provided to the relevant /ho st= */ resource trees but resources that are
specific to other hosts are hidden.
Server- G ro u p - sco p ed ro les
A role that is server-group-scoped restricts the permissions of that role to one or more
server groups. Additionally the role permissions will also apply to the profile, socket
binding group, server config and server resources that are associated with the specified
server-groups. Any sub-resources within any of those that are not logically related to the
server-group will not be visible to the user.
Both host and server-group scoped roles have permissions of the Monitor role for the remainder of
the managed domain configuration.
Report a bug
255
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
256
Important
A Sco p ed R o le cannot be deleted if users or groups are assigned to it. Remove the role
assignments first, and then delete it.
1. Login to the Management Console
2. Navigate to the Sco p ed R o les area of the R o les tab.
3. Select the scoped role to be removed in the table.
4. Click the R emo ve button. The R emo ve Sco ped R o l e dialog appears.
5. Click C o n f irm.The dialog closes and the role is removed.
Report a bug
Examp le 11.25. Make read in g syst em p ro p ert ies a sen sit ive o p erat io n
[domain@ localhost:9999 /] cd /coreservice=management/access=authorization/constraint=sensitivityclassification/type=core/classification=system-property
[domain@ localhost:9999 classification=system-property] :writeattribute(name=configured-requires-read, value=true)
{
"outcome" => "success",
"result" => undefined,
257
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
What roles will be able to perform what operations depending on the configuration of these attributes
is summarized in Table 11.6, Sensitivity Constraint Configuration outcomes .
T ab le 11.6 . Sen sit ivit y C o n st rain t C o n f ig u rat io n o u t co mes
Valu e
req ui res-read
req ui res-wri te
true
Read is sensitive.
Write is sensitive.
Addressing is sensitive.
Only Aud i to r,
Ad mi ni strato r,
SuperUser can read.
Only Aud i to r,
Ad mi ni strato r,
SuperUser can address.
fal se
Report a bug
258
Examp le 11.26 . En ab lin g t h e lo g g er- p ro f ile ap p licat io n reso u rce classif icat io n
[domain@ localhost:9999 /] cd /coreservice=management/access=authorization/constraint=applicationclassification/type=logging/classification=logging-profile
[domain@ localhost:9999 classification=logging-profile] :writeattribute(name=configured-application, value=true)
{
"outcome" => "success",
"result" => undefined,
"server-groups" => {"main-server-group" => {"host" => {"master" =>
{
"server-one" => {"response" => {"outcome" => "success"}},
"server-two" => {"response" => {"outcome" => "success"}}
}}}}
}
[domain@ localhost:9999 classification=logging-profile] :read-resource
{
"outcome" => "success",
"result" => {
"configured-application" => true,
"default-application" => false,
"applies-to" => {"/profile=*/subsystem=logging/loggingprofile=*" => undefined}
}
}
[domain@ localhost:9999 classification=logging-profile]
259
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Important
Application Resource Constraints apply to all resources that match its configuration. For
example, It is not possible to grant a D epl o yer user access to one datasource resource but
not another. If this level of separation is required then it is recommended to configure the
resources in different server groups and create different scoped D epl o yer roles for each
group.
Report a bug
Examp le 11.27. Makin g writ in g t o vau lt exp ressio n s a n o n sen sit ive o p erat io n
[domain@ localhost:9999 /] cd /coreservice=management/access=authorization/constraint=vault-expression
[domain@ localhost:9999 constraint=vault-expression] :writeattribute(name=configured-requires-write, value=false)
{
"outcome" => "success",
"result" => undefined,
"server-groups" => {"main-server-group" => {"host" => {"master" =>
{
"server-one" => {"response" => {"outcome" => "success"}},
"server-two" => {"response" => {"outcome" => "success"}}
}}}}
}
[domain@ localhost:9999 constraint=vault-expression] :read-resource
{
"outcome" => "success",
"result" => {
"configured-requires-read" => undefined,
"configured-requires-write" => false,
"default-requires-read" => true,
"default-requires-write" => true
}
}
[domain@ localhost:9999 constraint=vault-expression]
260
What roles will be able to read and write to vault expressions depending on this configuration is
summarized in Table 11.7, Vault Expression Constraint Configuration outcomes .
T ab le 11.7. Vau lt Exp ressio n C o n st rain t C o n f ig u rat io n o u t co mes
Valu e
true
fal se
req ui res-read
req ui res-wri te
Mo ni to r, Ad mi ni strato r, and
SuperUser can write. D epl o yers can
also write if the vault expression is in an
Application Resource.
Report a bug
261
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
PATH: /subsystem=datasources/jdbc-driver=*
C lassif icat io n : xa- d at a- so u rce
default: false
PATH: /subsystem=datasources/xa-data-source=*
PATH: /deployment=*/subsystem=datasources/xa-data-source=*
PATH: /deployment=*/subdeployment=*/subsystem=datasources/xa-data-source=*
T yp e: lo g g in g
C lassif icat io n : lo g g er
default: false
PATH: /subsystem=logging/logger=*
PATH: /subsystem=logging/logging-profile=*/logger=*
C lassif icat io n : lo g g in g - p ro f ile
default: false
PATH: /subsystem=logging/logging-profile=*
T yp e: mail
C lassif icat io n : mail- sessio n
default: false
PATH: /subsystem=mail/mail-session=*
T yp e: n amin g
C lassif icat io n : b in d in g
default: false
PATH: /subsystem=naming/binding=*
T yp e: reso u rce- ad ap t ers
C lassif icat io n : reso u rce- ad ap t ers
default: false
PATH: /subsystem=resource-adapters/resource-adapter=*
T yp e: secu rit y
C lassif icat io n : secu rit y- d o main
default: false
PATH: /subsystem=security/security-domain=*
Report a bug
262
263
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
requires-addressable: false
requires-read: false
requires-write: true
PATH: /extension=*
C lassif icat io n : jvm
requires-addressable: false
requires-read: false
requires-write: true
PATH: /core-service=platform-mbean/type=runtime ATTRIBUTE: input-arguments, bootclass-path, class-path, boot-class-path-supported, library-path
C lassif icat io n : man ag emen t - in t erf aces
requires-addressable: false
requires-read: false
requires-write: true
/core-service=management/management-interface=native-interface
/core-service=management/management-interface=http-interface
C lassif icat io n : mo d u le- lo ad in g
requires-addressable: false
requires-read: false
requires-write: true
PATH: /core-service=module-loading
C lassif icat io n : p at ch in g
requires-addressable: false
requires-read: false
requires-write: true
PATH: /core-service=patching/addon=*
PATH: /core-service=patching/layer=*"
PATH: /core-service=patching
C lassif icat io n : read - wh o le- co n f ig
requires-addressable: false
requires-read: true
requires-write: true
264
265
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
requires-write: true
PATH: /core-service=vault
C lassif icat io n : service- co n t ain er
requires-addressable: false
requires-read: false
requires-write: true
PATH: /core-service=service-container
C lassif icat io n : sn ap sh o t s
requires-addressable: false
requires-read: false
requires-write: false
PATH: / ATTRIBUTE: take-snapshot, list-snapshots, delete-snapshot
C lassif icat io n : so cket - b in d in g - ref
requires-addressable: false
requires-read: false
requires-write: false
PATH: /subsystem=mail/mail-session=*/server=pop3 ATTRIBUTE: outbound-socketbinding-ref
PATH: /subsystem=mail/mail-session=*/server=imap ATTRIBUTE: outbound-socketbinding-ref
PATH: /subsystem=remoting/connector=* ATTRIBUTE: socket-binding
PATH: /subsystem=web/connector=* ATTRIBUTE: socket-binding
PATH: /subsystem=remoting/local-outbound-connection=* ATTRIBUTE: outboundsocket-binding-ref
PATH: /socket-binding-group=*/local-destination-outbound-socket-binding=*
ATTRIBUTE: socket-binding-ref
PATH: /subsystem=remoting/remote-outbound-connection=* ATTRIBUTE: outboundsocket-binding-ref
PATH: /subsystem=mail/mail-session=*/server=smtp ATTRIBUTE: outbound-socketbinding-ref
PATH: /subsystem=transactions ATTRIBUTE: process-id-socket-binding, status-socketbinding, socket-binding
C lassif icat io n : so cket - co n f ig
requires-addressable: false
266
requires-read: false
requires-write: true
PATH: /interface=* OPERATION: resolve-internet-address
PATH: /core-service=management/management-interface=native-interface ATTRIBUTE:
port, interface, socket-binding
PATH: /socket-binding-group=*
PATH: /core-service=management/management-interface=http-interface ATTRIBUTE:
port, secure-port, interface, secure-socket-binding, socket-binding
PATH: / OPERATION: resolve-internet-address
PATH: /subsystem=transactions ATTRIBUTE: process-id-socket-max-ports
C lassif icat io n : syst em- p ro p ert y
requires-addressable: false
requires-read: false
requires-write: true
PATH: /core-service=platform-mbean/type=runtime ATTRIBUTE: system-properties
PATH: /system-property=*
PATH: / OPERATION: resolve-expression
T yp e: d at aso u rces
C lassif icat io n : d at a- so u rce- secu rit y
requires-addressable: false
requires-read: true
requires-write: true
PATH: /subsystem=datasources/xa-data-source=* ATTRIBUTE: user-name, securitydomain, password
PATH: /subsystem=datasources/data-source=* ATTRIBUTE: user-name, securitydomain, password
T yp e: jd r
C lassif icat io n : jd r
requires-addressable: false
requires-read: false
requires-write: true
PATH: /subsystem=jdr OPERATION: generate-jdr-report
T yp e: jmx
267
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
268
requires-write: true
PATH: /subsystem=remoting/connector=* ATTRIBUTE: authentication-provider, securityrealm
PATH: /subsystem=remoting/remote-outbound-connection=* ATTRIBUTE: username,
security-realm
PATH: /subsystem=remoting/connector=*/security=sasl
T yp e: reso u rce- ad ap t ers
C lassif icat io n : reso u rce- ad ap t er- secu rit y
requires-addressable: false
requires-read: true
requires-write: true
PATH: /subsystem=resource-adapters/resource-adapter=*/connection-definitions=*
ATTRIBUTE: security-domain, recovery-username, recovery-security-domain, securityapplication, security-domain-and-application, recovery-password
T yp e: secu rit y
C lassif icat io n : misc- secu rit y
requires-addressable: false
requires-read: true
requires-write: true
PATH: /subsystem=security ATTRIBUTE: deep-copy-subject-mode
T yp e: web
C lassif icat io n : web - access- lo g
requires-addressable: false
requires-read: false
requires-write: false
PATH: /subsystem=web/virtual-server=*/configuration=access-log
C lassif icat io n : web - co n n ect o r
requires-addressable: false
requires-read: false
requires-write: false
PATH: /subsystem=web/connector=*
C lassif icat io n : web - ssl
requires-addressable: false
269
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
requires-read: true
requires-write: true
PATH: /subsystem=web/connector=*/configuration=ssl
C lassif icat io n : web - sso
requires-addressable: false
requires-read: true
requires-write: true
PATH: /subsystem=web/virtual-server=*/configuration=sso
C lassif icat io n : web - valve
requires-addressable: false
requires-read: false
requires-write: false
PATH: /subsystem=web/valve=*
Report a bug
11.10.2. Specify Which Net work Int erface JBoss EAP 6 Uses
O verview
Isolating services so that they are accessible only to the clients who need them increases the security
of your network. JBoss EAP 6 includes two interfaces in its default configuration, both of which bind
to the IP address 127. 0 . 0 . 1, or l o cal ho st, by default. One of the interfaces is called
manag ement, and is used by the Management Console, CLI, and API. The other is called publ i c,
and is used to deploy applications. These interfaces are not special or significant, but are provided
as a starting point.
270
The manag ement interface uses ports 9 9 9 0 and 9 9 9 9 by default, and the publ i c interface uses
port 80 80 , or port 84 4 3 if you use HTTPS.
You can change the IP address of the management interface, public interface, or both.
1. St o p JB o ss EAP 6 .
Stop JBoss EAP 6 by sending an interrupt in the appropriate way for your operating system.
If you are running JBoss EAP 6 as a foreground application, the typical way to do this is to
press C trl + C .
2. R est art JB o ss EAP 6 , sp ecif yin g t h e b in d ad d ress.
Use the -b command-line switch to start JBoss EAP 6 on a specific interface.
It is possible to edit your XML configuration file directly, to change the default bind addresses.
However, if you do this, you will no longer be able to use the -b command-line switch to specify an IP
address at runtime, so this is not recommended. If you do decide to do this, be sure to stop JBoss
EAP 6 completely before editing the XML file.
Report a bug
271
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Whether your server groups use one of the default socket binding groups, or a custom group.
The requirements of your individual deployments.
Po rt
ajp
8009
http
8080
https
8443
jaco rb
3528
jaco rb
-ssl
jg ro up
sd i ag no
sti cs
3529
272
Mu lt ica
st Po rt
7500
D escrip t io n
f u llso cket s
h aso cket
st an d ar
dso cket
Apache JServ
Protocol. Used for
HTTP clustering
and load balancing.
The default port for
deployed web
applications.
SSL-encrypted
connection between
deployed web
applications and
clients.
CORBA services for
JTS transactions
and other ORBdependent services.
SSL-encrypted
CORBA services.
Multicast. Used for
peer discovery in HA
clusters. Not
configurable using
the Management
Interfaces.
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
No
No
Yes
Yes
No
No
Yes
No
Yes
No
N ame
Po rt
jg ro up
smpi ng
jg ro up
s-tcp
7600
jg ro up
s-tcpfd
jg ro up
s-ud p
57600
jg ro up
s-ud pfd
messag
i ng
messag
i ng g ro up
54200
messag
i ng thro ug
hput
mo d _cl
uster
5455
o sg i http
8090
55200
Mu lt ica
st Po rt
D escrip t io n
f u llso cket s
h aso cket
st an d ar
dso cket
45700
Multicast. Used to
discover initial
membership in a HA
cluster.
Unicast peer
discovery in HA
clusters using TCP.
Used for HA failure
detection over TCP.
Yes
No
Yes
No
Yes
No
Yes
No
Yes
No
Yes
No
Multicast peer
discovery in HA
clusters using UD P.
Used for HA failure
detection over UD P.
Yes
No
Yes
No
Yes
No
Yes
No
JMS service.
Yes
Yes
No
No
Referenced by
HornetQ JMS
broadcast and
discovery groups.
Used by JMS
Remoting.
Yes
Yes
No
No
Yes
Yes
No
No
Yes
No
Yes
No
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
45688
5445
23364
remo ti
4447
ng
txn4712
reco ver
yenvi ro
nment
txn4713
statusmanag e
r
Man ag emen t Po rt s
273
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
In addition to the socket binding groups, each host controller opens two more ports for management
purposes:
9 9 9 0 - The Web Management Console port
9 9 9 9 - The port used by the Management Console and Management API
Additionally, if HTTPS is enabled for the Management Console, 9443 is also opened as the default
port.
Report a bug
274
c. The So cket Bi nd i ng D ecl arati o ns screen appears. Initially, the stand ard so ckets group is shown. Choose a different group by selecting it from the combo
box on the right-hand side.
Note
If you use a standalone server, it has only one socket binding group.
The list of socket names and ports is shown, eight values per page. You can go through the
pages by using the arrow navigation below the table.
3. D et ermin e t h e p o rt s yo u n eed t o o p en .
D epending on the function of the particular port and the requirements of your environment,
some ports may need to be opened on your firewall.
4. C o n f ig u re yo u r f irewall t o f o rward t raf f ic t o JB o ss EAP 6 .
Perform these steps to configure your network firewall to allow traffic on the desired port.
a. Log into your firewall machine and access a command prompt, as the root user.
b. Issue the command system-co nfi g -fi rewal l to launch the firewall configuration
utility. A GUI or command-line utility launches, depending on the way you are logged
into the firewall system. This task makes the assumption that you are logged in via
SSH and using the command-line interface.
c. Use the T AB key on your keyboard to navigate to the C usto mi ze button, and press
the ENT ER key. The T rusted Servi ces screen appears.
d. D o not change any values, but use the T AB key to navigate to the Fo rward button,
and press ENT ER to advanced to the next screen. The O ther P o rts screen appears.
e. Use the T AB key to navigate to the <Ad d > button, and press ENT ER . The P o rt and
P ro to co l screen appears.
f. Enter 54 4 5 in the P o rt / P o rt R ang e field, then use the T AB key to move to the
P ro to co l field, and enter tcp. Use the T AB key to navigate to the O K button, and
press ENT ER .
g. Use the T AB key to navigate to the Fo rward button until you reach the P o rt
Fo rward i ng screen.
h. Use the T AB key to navigate to the <Ad d > button, and press the ENT ER key.
i. Fill in the following values to set up port forwarding for port 54 4 5.
Source interface: eth1
Protocol: tcp
Port / Port Range: 54 4 5
D estination IP address: 10 . 1. 1. 2
Port / Port Range: 54 4 5
275
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Note
224.0.1.105:23364 is the default address and port for mod_cluster balancer advertising
UD P multicast.
Report a bug
276
277
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
2. Ad d t h e Java o p t io n s t o t h e f ile.
To ensure the Java options are used, add them to the code block that begins with:
if [ "x$JAVA_OPTS" = "x" ]; then
You can modify the -D java. securi ty. po l i cy value to specify the exact location of your
security policy. It should go onto one line only, with no line break. Using = = when setting the
-D java. securi ty. po l i cy property specifies that the security manager will use only the
specified policy file. Using = specifies that the security manager will use the specified policy
combined with the policy set in the po l i cy. url section of
JAVA_HOME/l i b/securi ty/java. securi ty.
Important
JBoss Enterprise Application Platform releases from 6.2.2 onwards require that the
system property jbo ss. mo d ul es. po l i cy-permi ssi o ns is set to true.
278
279
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
280
JAVA_OPTS="$JAVA_OPTS -Djava.security.debug=access:failure"
Wi nd o ws
set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.debug=access:failure"
R esu lt
A general level of security-related debug information has been enabled.
Report a bug
Warning
Red Hat recommends that you explicitly disable SSL in favor of TLSv1.1 or TLSv1.2 in all
affected packages.
Prereq u isit es
A set of SSL encryption keys and an SSL encryption certificate. You may purchase these from a
certificate-signing authority, or you can generate them yourself using command-line utilities. To
generate encryption keys using utilities available on Red Hat Enterprise Linux, see
Section 11.12.2, Generate a SSL Encryption Key and Certificate .
The following details about your specific environment and setup:
The full directory name where the certificate files are stored.
The encryption password for your encryption keys.
Management CLI running and connected to your domain controller or standalone server.
Select appropriate cipher suites.
C ip h er Su it es
There are a number of available cryptographic primitives used as building blocks to form cipher
suites. The first table lists recommended cryptographic primitives. The second lists cryptographic
primitives which, while they may be used for compatibility with existing software, are not considered
as secure as those recommended.
281
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Warning
Red Hat recommends selectively whitelisting a set of strong ciphers to use for ci pher-sui te.
Enabling weak ciphers is a significant security risk. Consult your JD K vendor's documentation
before deciding on particular cipher suites as there may be compatibility issues.
Note
This procedure uses commands appropriate for a JBoss EAP 6 configuration that uses a
managed domain. If you use a standalone server, modify Management CLI commands by
removing the /pro fi l e= d efaul t from the beginning of any management CLI commands.
Warning
Red Hat recommends that you explicitly disable SSL in favor of TLSv1.1 or TLSv1.2 in all
affected packages.
282
283
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Paramet er
D escrip t io n
-genkeypair
-alias
-keyalg
-keystore
-storepass
-keypass
Note
D ue to an implementation limitation
this must be the same as the store
password.
--dname
When you execute the above command, you are prompted for the following information:
If you did not use the -storepass parameter on the command line, you are asked to
enter the keystore password. Re-enter the new password at the next prompt.
284
If you did not use the -keypass parameter on the command line, you are asked to enter
the key password. Press Enter to set this to the same value as the keystore password.
When the command completes, the file server. keysto re now contains the single key with
the alias jbo ss.
2. Verif y t h e key.
Verify that the key works properly by using the following command.
keytool -list -keystore server.keystore
You are prompted for the keystore password. The contents of the keystore are displayed (in
this case, a single key called jbo ss). Notice the type of the jbo ss key, which is
P ri vateKeyEntry. This indicates that the keystore contains both a public and private entry
for this key.
3. G en erat e a cert if icat e sig n in g req u est .
Run the following command to generate a certificate signing request using the public key
from the keystore you created in step 1.
keytool -certreq -keyalg RSA -alias jboss -keystore server.keystore
-file certreq.csr
You are prompted for the password in order to authenticate to the keystore. The keyto o l
command then creates a new certificate signing request called certreq . csr in the current
working directory.
4. T est t h e n ewly g en erat ed cert if icat e sig n in g req u est .
Test the contents of the certificate by using the following command.
openssl req -in certreq.csr -noout -text
The certificate details are shown.
5. O p t io n al: Su b mit yo u r cert if icat e sig n in g req u est t o a C ert if icat e Au t h o rit y ( C A) .
A Certificate Authority (CA) can authenticate your certificate so that it is considered
trustworthy by third-party clients. The CA supplies you with a signed certificate, and
optionally with one or more intermediate certificates.
6. O p t io n al: Exp o rt a self - sig n ed cert if icat e f ro m t h e keyst o re.
If you only need it for testing or internal purposes, you can use a self-signed certificate. You
can export one from the keystore you created in step 1 as follows:
keytool -export -alias jboss -keystore server.keystore -file
server.crt
You are prompted for the password in order to authenticate to the keystore. A self-signed
certificate, named server. crt, is created in the current working directory.
7. Imp o rt t h e sig n ed cert if icat e, alo n g wit h an y in t ermed iat e cert if icat es.
285
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Import each certificate, in the order that you are instructed by the CA. For each certificate to
import, replace i ntermed i ate. ca or server. crt with the actual file name. If your
certificates are not provided as separate files, create a separate file for each certificate, and
paste its contents into the file.
Note
Your signed certificate and certificate keys are valuable assets. Be cautious with how
you transport them between servers.
D escrip t io n
C LI C o mman d
name
286
At t rib u t e
D escrip t io n
C LI C o mman d
verify-client
H T T P/H T T PS C o n n ect o r
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=verif
y-client,value=want)
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=verif
y-depth,value=10)
287
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
At t rib u t e
D escrip t io n
certificate-key-file
certificate-file
password
288
C LI C o mman d
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=certi
ficate-keyfile,value=../domain
/configuration/serve
r.keystore)
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=certi
ficatefile,value=server.cr
t)
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=passw
ord,value=PASSWORD)
At t rib u t e
D escrip t io n
protocol
Warning
C LI C o mman d
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=proto
col,value=ALL)
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=proto
col,value="TLSv1,
TLSv1.1,TLSv1.2")
289
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
At t rib u t e
D escrip t io n
cipher-suite
C LI C o mman d
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=ciphe
r-suite,
value="TLS_RSA_WITH_
AES_128_CBC_SHA,TLS_
RSA_WITH_AES_256_CBC
_SHA")
Important
Using weak ciphers is a
significant security risk.
See
http://www.nist.gov/manu
script-publicationsearch.cfm?
pub_id=915295 for NIST
recommendations on
cipher suites.
For a list of available OpenSSL
ciphers, see
https://www.openssl.org/docs/a
pps/ciphers.html#CIPHER_STRI
NGS. Note that the following
are not supported:
@ SEC LEVEL, SUIT EB128,
SUIT EB128O NLY ,
SUIT EB19 2.
key-alias
290
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=keyalias,value=KEY_ALIA
S)
At t rib u t e
D escrip t io n
truststore-type
keystore-type
ca-certificate-file
ca-certificate-password
ca-revocation-url
C LI C o mman d
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=trust
storetype,value=jks)
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=keyst
ore-type,value=jks)
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=certi
ficatefile,value=ca.crt)
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=cacertificatepassword,value=MASKE
D_PASSWORD)
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=carevocationurl,value=ca.crl)
291
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
At t rib u t e
D escrip t io n
session-cache-size
session-timeout
C LI C o mman d
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=sessi
on-cachesize,value=100)
/profile=default/subs
ystem=web/connector=
HTTPS/ssl=configurat
ion/:writeattribute(name=sessi
ontimeout,value=43200)
Report a bug
292
Warning
JCEKS keystore implementations differ between Java vendors so you must generate the
keystore using the keyto o l utility from the same vendor as the JD K you use.
Using a keystore generated by the keyto o l from one vendor's JD K in a JBoss EAP instance
running on a JD K from a different vendor results in the following exception:
java.io.IOException:
com.sun.crypto.provider.SealedObjectForKeyProtector
293
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
valid it y
The value of val i d i ty is the period (in days) for which the key will be valid.
keyst o re
The value of keysto re is the filepath and filename in which the keystore's values
are to be stored. The keystore file is created when data is first added to it.
Ensure you use the correct file path separator: / (forward slash) for Red Hat
Enterprise Linux and similar operating systems, \ (backslash) for Microsoft
Windows Server.
The keyto o l utility has many other options. See the documentation for your JRE or your
operating system for more details.
3. R u n t h e keyto o l co mman d
Launch your operating system's command line interface and run the keyto o l utility,
supplying the information that you gathered.
R esu lt
In this a keystore has been created in the file EAP_HOME/vaul t/vaul t. keysto re. It stores a single
key, with the alias vaul t, which will be used to store encrypted strings, such as passwords, for
JBoss EAP.
Report a bug
11.13.3. Mask t he Keyst ore Password and Init ializ e t he Password Vault
Prereq u isit es
Section 11.13.2, Create a Java Keystore to Store Sensitive Strings
1. R u n t h e vaul t. sh co mman d .
Run EAP_HOME/bi n/vaul t. sh. Start a new interactive session by typing 0 .
2. En t er t h e d irect o ry wh ere en cryp t ed f iles will b e st o red .
This directory should be accessible to only limited users. At a minimum the user account
under which JBoss EAP is running requires read-write access. If you followed
Section 11.13.2, Create a Java Keystore to Store Sensitive Strings , your keystore is in a
directory called EAP_HOME/vaul t/.
294
3. En t er t h e p at h t o t h e keyst o re.
Enter the full path to the keystore file. This example uses
EAP_HOME/vaul t/vaul t. keysto re.
4. En cryp t t h e keyst o re p asswo rd .
The following steps encrypt the keystore password, so that you can use it in configuration
files and applications securely.
a. En t er t h e keyst o re p asswo rd .
When prompted, enter the keystore password.
b. En t er a salt valu e.
Enter an 8-character salt value. The salt value, together with the iteration count
(below), are used to create the hash value.
c. En t er t h e it erat io n co u n t .
Enter a number for the iteration count.
d. Make a n o t e o f t h e masked p asswo rd in f o rmat io n .
The masked password, the salt, and the iteration count are printed to standard
output. Make a note of them in a secure location. An attacker could use them to
decrypt the password.
e. En t er t h e alias o f t h e vau lt .
When prompted, enter the alias of the vault. If you followed Section 11.13.2, Create a
Java Keystore to Store Sensitive Strings to create your vault, the alias is vaul t.
5. Exit t h e in t eract ive co n so le.
Type 2 to exit the interactive console.
R esu lt
Your keystore password has been masked for use in configuration files and deployments. In
addition, your vault is fully configured and ready to use.
Report a bug
295
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
make JBoss EAP 6 aware of the password vault which stores and decrypts them. Follow this
procedure to enable this functionality.
Prereq u isit es
Section 11.13.2, Create a Java Keystore to Store Sensitive Strings
Section 11.13.3, Mask the Keystore Password and Initialize the Password Vault
Pro ced u re 11.4 2. Set u p a Passwo rd Vau lt
1. D et ermin e t h e co rrect valu es f o r t h e co mman d .
D etermine the values for the following parameters, which are determined by the commands
used to create the keystore itself. For information on creating a keystore, refer the following
topics: Section 11.13.2, Create a Java Keystore to Store Sensitive Strings and
Section 11.13.3, Mask the Keystore Password and Initialize the Password Vault .
Paramet er
D escrip t io n
KEYSTORE_URL
KEYSTORE_PASSWORD
KEYSTORE_ALIAS
SALT
ITERATION_COUNT
ENC_FILE_D IR
Note
If you use Microsoft Windows Server, in the CLI command, escape each \ character in
a directory path with an additional \ character. For example,
C : \\d ata\\vaul t\\vaul t. keysto re. This is because single \ character is used
for character escaping.
A. Man ag ed D o main
/host=YOUR_HOST/core-service=vault:add(vault-options=
[("KEYSTORE_URL" => "PATH_TO_KEYSTORE"), ("KEYSTORE_PASSWORD" =>
"MASKED_PASSWORD"), ("KEYSTORE_ALIAS" => "ALIAS"), ("SALT" =>
296
297
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
/coreservice=vault:add(code="custom.vault.implementation.CustomSecurity
Vault", module="custom.vault.module", vault-options=
[("KEYSTORE_URL" => "PATH_TO_KEYSTORE"), ("KEYSTORE_PASSWORD" =>
"MASKED_PASSWORD"), ("KEYSTORE_ALIAS" => "ALIAS"), ("SALT" =>
"SALT"),("ITERATION_COUNT" => "ITERATION_COUNT"), ("ENC_FILE_DIR"
=> "ENC_FILE_DIR")])
R esu lt
JBoss EAP 6 is configured to decrypt masked strings using a custom implementation of the
password vault.
Report a bug
11.13.6. St ore and Ret rieve Encrypt ed Sensit ive St rings in t he Java Keyst ore
Su mmary
Including passwords and other sensitive strings in plain-text configuration files is insecure. JBoss
EAP 6 includes the ability to store and mask these sensitive strings in an encrypted keystore, and use
masked values in configuration files.
Prereq u isit es
Section 11.13.2, Create a Java Keystore to Store Sensitive Strings
Section 11.13.3, Mask the Keystore Password and Initialize the Password Vault
Section 11.13.4, Configure JBoss EAP 6 to Use the Password Vault
The EAP_HOME/bi n/vaul t. sh application must be accessible via a command-line interface.
Pro ced u re 11.4 4 . Set u p t h e Java K eyst o re
1. R u n t h e vaul t. sh co mman d .
Run EAP_HOME/bi n/vaul t. sh. Start a new interactive session by typing 0 .
2. En t er t h e d irect o ry wh ere en cryp t ed f iles will b e st o red .
If you followed Section 11.13.2, Create a Java Keystore to Store Sensitive Strings , your
keystore is in the directory EAP_HOME/vaul t. In most cases, it makes sense to store all of
your encrypted information in the same place as the key store. Since this directory will
contain sensitive information it should be accessible to only limited users. At a minimum the
user account under which JBoss EAP is running requires read-write access.
Note
D o not forget to include the trailing slash on the directory name. Either use / or \,
depending on your operating system.
3. En t er t h e p at h t o t h e keyst o re.
298
Enter the full path to the keystore file. This example uses
EAP_HOME/vaul t/vaul t. keysto re.
4. En t er t h e keyst o re p asswo rd , vau lt n ame, salt , an d it erat io n co u n t .
When prompted, enter the keystore password, vault name, salt, and iteration count. A
handshake is performed.
5. Select t h e o p t io n t o st o re a p asswo rd .
Select option 0 to store a password or other sensitive string.
6. En t er t h e valu e.
When prompted, enter the value twice. If the values do not match, you are prompted to try
again.
7. En t er t h e vau lt b lo ck.
Enter the vault block, which is a container for attributes which pertain to the same resource.
An example of an attribute name would be d s_Exampl eD S. This will form part of the
reference to the encrypted string, in your datasource or other service definition.
8. En t er t h e at t rib u t e n ame.
Enter the name of the attribute you are storing. An example attribute name would be
passwo rd .
R esu lt
A message such as the one below shows that the attribute has been saved.
Secured attribute value has been stored in vault.
9. Make n o t e o f t h e in f o rmat io n ab o u t t h e en cryp t ed st rin g .
A message prints to standard output, showing the vault block, attribute name, shared key,
and advice about using the string in your configuration. Make note of this information in a
secure location. Example output is shown below.
********************************************
Vault Block:ds_ExampleDS
Attribute Name:password
Configuration should be done as follows:
VAULT::ds_ExampleDS::password::1
********************************************
10. U se t h e en cryp t ed st rin g in yo u r co n f ig u rat io n .
Use the string from the previous step in your configuration, in place of a plain-text string. A
datasource using the encrypted password above is shown below.
...
<subsystem xmlns="urn:jboss:domain:datasources:1.0">
<datasources>
299
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<datasource jndi-name="java:jboss/datasources/ExampleDS"
enabled="true" use-java-context="true" pool-name="H2DS">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=1</connection-url>
<driver>h2</driver>
<pool></pool>
<security>
<user-name>sa</user-name>
<password>${VAULT::ds_ExampleDS::password::1}</password>
</security>
</datasource>
<drivers>
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xadatasource-class>
</driver>
</drivers>
</datasources>
</subsystem>
...
You can use an encrypted string anywhere in your domain or standalone configuration file
where expressions are allowed.
Note
To check if expressions are allowed within a particular subsystem, run the following
CLI command against that subsystem:
/host=master/core-service=management/securityrealm=TestRealm:read-resource-description(recursive=true)
From the output of running this command, look for the value for the expressi o nsal l o wed parameter. If this is true, then you can use expressions within the
configuration of this particular subsystem.
After you store your string in the keystore, use the following syntax to replace any clear-text
string with an encrypted one.
${VAULT::VAULT_BLOCK::ATTRIBUTE_NAME::ENCRYPTED_VALUE}
Here is a sample real-world value, where the vault block is d s_Exampl eD S and the attribute
is passwo rd .
<password>${VAULT::ds_ExampleDS::password::1}</password>
Report a bug
11.13.7. St ore and Resolve Sensit ive St rings In Your Applicat ions
300
O verview
Configuration elements of JBoss EAP 6 support the ability to resolve encrypted strings against
values stored in a Java Keystore, via the Security Vault mechanism. You can add support for this
feature to your own applications.
First, add the password to the vault. Second, replace the clear-text password with the one stored in
the vault. You can use this method to obscure any sensitive string in your application.
Prereq u isit es
Before performing this procedure, make sure that the directory for storing your vault files exists. It
does not matter where you place them, as long as the user who executes JBoss EAP 6 has
permission to read and write the files. This example places the vaul t/ directory into the
/ho me/USER/vaul t/ directory. The vault itself is a file called vaul t. keysto re inside the vaul t/
directory.
301
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
********************************************
Vault Block:DS
Attribute Name:thePass
Configuration should be done as follows:
VAULT::DS::thePass::1
********************************************
Please enter a Digit::
exists 2: Exit
2
0: Store a password
The string that will be added to the Java code is the last value of the output, the line beginning
with VAULT .
The following servlet uses the vaulted string instead of a clear-text password. The clear-text version
is commented out so that you can see the difference.
p ackage vaulterror.web;
i mport java.io.IOException;
i mport java.io.Writer;
i mport
i mport
i mport
i mport
i mport
i mport
i mport
i mport
javax.annotation.Resource;
javax.annotation.sql.DataSourceDefinition;
javax.servlet.ServletException;
javax.servlet.annotation.WebServlet;
javax.servlet.http.HttpServlet;
javax.servlet.http.HttpServletRequest;
javax.servlet.http.HttpServletResponse;
javax.sql.DataSource;
/ *@ DataSourceDefinition(
name = "java:jboss/datasources/LoginDS",
user = "sa",
password = "sa",
className = "org.h2.jdbcx.JdbcDataSource",
url = "jdbc:h2:tcp://localhost/mem:test"
) */
@ DataSourceDefinition(
name = "java:jboss/datasources/LoginDS",
user = "sa",
password = "VAULT::DS::thePass::1",
className = "org.h2.jdbcx.JdbcDataSource",
url = "jdbc:h2:tcp://localhost/mem:test"
)
@ WebServlet(name = "MyTestServlet", urlPatterns = { "/my/" },
loadOnStartup = 1)
p ublic class MyTestServlet extends HttpServlet {
302
@ Resource(lookup = "java:jboss/datasources/LoginDS")
private DataSource ds;
@ Override
protected void doGet(HttpServletRequest req, HttpServletResponse
resp) throws ServletException, IOException {
303
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
11.14 .3. Enable FIPS 14 0-2 Crypt ography for SSL on Red Hat Ent erprise Linux
6
This task describes how to configure the web container (JBoss Web) of JBoss EAP 6 to FIPS 140-2
compliant cryptography for SSL. This task only covers the steps to do this on Red Hat Enterprise
Linux 6.
This task uses the Mozilla NSS library in FIPS mode for this feature.
Prereq u isit es
Red Hat Enterprise Linux 6 must already be configured to be FIPS 140-2 compliant. Refer to
https://access.redhat.com/knowledge/solutions/137833.
Pro ced u re 11.4 5. En ab le FIPS 14 0- 2 C o mp lian t C ryp t o g rap h y f o r SSL
1. C reat e t h e d at ab ase
Create the NSS database in a directory own by the jbo ss user.
$ mkdir -p /usr/share/jboss-as/nssdb
$ chown jboss /usr/share/jboss-as/nssdb
$ modutil -create -dbdir /usr/share/jboss-as/nssdb
2. C reat e N SS co n f ig u rat io n f ile
Create a new text file with the name nss_pkcsl l _fi ps. cfg in the /usr/share/jbo ss-as
directory with the following contents:
name = nss-fips
nssLibraryDirectory=/usr/lib64
nssSecmodDirectory=/usr/share/jboss-as/nssdb
nssModule = fips
The NSS configuration file must specify:
a name,
the directory where the NSS library is located, and
the directory where the NSS database was created as per step 1.
If you are not running a 64bit version of Red Hat Enterprise Linux 6 then set
nssLi braryD i recto ry to /usr/l i b instead of /usr/l i b6 4 .
3. En ab le Su n PK C S11 p ro vid er
Edit the java. securi ty configuration file for your JRE
($JAVA_HO ME/jre/l i b/securi ty/java. securi ty) and add the following line:
security.provider.1=sun.security.pkcs11.SunPKCS11
as/nss_pkcsll_fips.cfg
/usr/share/jboss-
Note that the configuration file specified in this line is the file created in step 2.
304
Any other securi ty. pro vi d er. X lines in this file must have the value of their X increased
by one to ensure that this provider is given priority.
4. En ab le FIPS mo d e f o r t h e N SS lib rary
Run the mo d uti l command as shown to enable FIPS mode:
modutil -fips true -dbdir /usr/share/jboss-as/nssdb
Note that the directory specified here is the one created in step 1.
You may get a security library error at this point requiring you to regenerate the library
signatures for some of the NSS shared objects.
5. C h an g e t h e p asswo rd o n t h e FIPS t o ken
Set the password on the FIPS token using the following command. Note that the name of the
token must be NSS FIP S 14 0 -2 C erti fi cate D B.
modutil -changepw "NSS FIP S 14 0 -2 C erti fi cate D B" -dbdir
/usr/share/jboss-as/nssdb
The password used for the FIPS token must be a FIPS compliant password.
6. C reat e cert if icat e u sin g N SS t o o ls
Enter the following command to create a certificate using the NSS tools.
certutil -S -k rsa -n jbossweb -t "u,u,u" -x -s "CN=localhost,
OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY" -d /usr/share/jbossas/nssdb
7. C o n f ig u re t h e H T T PS co n n ect o r t o u se t h e PK C S11 keyst o re
Add a HTTPS connector using the following command in the JBoss CLI Tool:
/subsystem=web/connector=https/:add(socketbinding=https,scheme=https,protocol=HTTP/1.1,secure=true)
Then add the SSL configuration with the following command, replacing PASSWORD with the
FIPS compliant password from step 5.
/subsystem=web/connector=https/ssl=configuration:add(name=https,pass
word=PASSWORD,keystore-type=PKCS11,
ciphersuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_
SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CB
C_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_C
BC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_C
305
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
BC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SH
A,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_S
HA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_S
HA,
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_
SHA,
TLS_ECDH_anon_WITH_AES_256_CBC_SHA")
8. Verif y
Verify that the JVM can read the private key from the PKCS11 keystore by running the
following command:
keytool -list -storetype pkcs11
ciphersuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_S
HA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_
SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_
SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA
,
TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
keystore-type="PKCS11"/>
< /connector>
306
Note that the ci pher-sui te attribute has linebreaks inserted to make it easier to read.
Report a bug
Note
To enable FIPS you must have a FIPS capable OpenSSL (which supports the FIP S_mo d e
flag) installed on your system.
Report a bug
307
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
308
R eal mD i rect
o rg . jbo ss. as. securi ty. R eal mD i rectLo
g i nMo d ul e
A login module implementation to interface
directly with the security realm. This login
module allows all interactions with the backing
store to be delegated to the realm removing the
need for any duplicate and synchronized
definitions. Used for remoting calls and
management interface.
D escription
T yp e
D ef au lt
D escrip t io n
real m
string
T ab le 12.3. C l i ent
Code
C l i ent
309
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Class
D escription
T ab le 12.4 . C l i ent Mo d u le O p t io n s
O p t io n
T yp e
D ef au lt
D escrip t io n
mul ti -thread ed
true or fal se
fal se
passwo rd -stacki ng
fal se
true or fal se
fal se
T ab le 12.5. R emo ti ng
Code
Class
D escription
T ab le 12.6 . R emo ti ng Mo d u le O p t io n s
310
R emo ti ng
o rg . jbo ss. as. securi ty. remo ti ng . R emo
ti ng Lo g i nMo d ul e
This login module is used to check if the request
currently being authenticated is a request
received over a Remoting connection, and if so
the identity that was created during the
Remoting authentication process is used and
associated with the current request. If the
request did not arrive over a Remoting
connection this module does nothing and
allows the JAAS based login to continue to the
next module.
T ab le 12.6 . R emo ti ng Mo d u le O p t io n s
O p t io n
T yp e
D ef au lt
D escrip t io n
passwo rd -stacki ng
fal se
A fully-qualified
classname.
none
unauthenti cated Id
enti ty
A principal name.
none
A value of
useFi rstP ass
indicates that this login
module should first
look to the information
stored in the
Lo g i nC o ntext for the
identity. This option
can be used when
stacking other login
modules with this one.
A P ri nci pal
implementation class
which contains a
constructor that takes
String arguments for
the principal name.
D efines the principal
name assigned to
requests which contain
no authentication
information. This can
allow unprotected
servlets to invoke
methods on EJBs that
do not require a
specific role. Such a
principal has no
associated roles and
can only access
unsecured EJBs or
EJB methods that are
associated with the
unchecked
permi ssi o n
constraint.
C erti fi cate
o rg . jbo ss. securi ty. auth. spi . BaseC er
tLo g i nMo d ul e
This login module is designed to authenticate
users based on X50 9 C erti fi cates. A use
case for this is C LIENT -C ER T authentication of
a web application.
D escription
T yp e
D ef au lt
D escrip t io n
311
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
T yp e
D ef au lt
D escrip t io n
string
o ther
veri fi er
class
none
C erti fi cateR o l es
o rg . jbo ss. securi ty. auth. spi . C ertR o l
esLo g i nMo d ul e
This login module extends the Certificate login
module to add role mapping capabilities from a
properties file. It takes all of the same options as
the Certificate login module, and adds the
following options.
D escription
T yp e
D ef au lt
D escrip t io n
ro l esP ro perti es
string
312
O p t io n
T yp e
D ef au lt
D escrip t io n
d efaul tR o l esP ro p
erti es
string
ro l eG ro upSeparato
r
A single character.
. (a single period)
T ab le 12.11. D atabase
Code
Class
D atabase
o rg . jbo ss. securi ty. auth. spi . D atabas
eServerLo g i nMo d ul e
A JD BC-based login module that supports
authentication and role mapping. It is based on
two logical tables, with the following definitions.
D escription
T ab le 12.12. D atabase Mo d u le O p t io n s
O p t io n
T yp e
D ef au lt
D escrip t io n
d i g estC al l ba
ck
A fully-qualified
classname
none
d sJnd i Name
A JND I resource
java: /D efaul t
DS
hashAl g o ri thm
String
Use plain
passwords
hashC harset
String
The platform's
default encoding
hashEnco d i ng
String
i g no reP asswo r boolean
d C ase
Base64
false
313
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
T yp e
D ef au lt
D escrip t io n
i nputVal i d ato
r
A fully-qualified
classname
none
prepared SQL
statement
ro l esQ uery
prepared SQL
statement
A fully-qualified
classname
suspend R esume
boolean
boolean
transacti o nMa
nag erJnd i Name
JND I Resource
sel ect
P asswo rd fro m
P ri nci pal s
where
P ri nci pal ID = ?
none
The prepared SQL query to obtain the
information about the roles. It should
be equivalent to sel ect R o l e,
R o l eG ro up fro m R o l es where
P ri nci pal ID = ?, where Role is the
role name and the RoleGroup column
value should always be either R o l es
with a capital R or
C al l erP ri nci pal .
none
The class name of the
D i g estC al l back implementation
that includes pre/post digest content
like salts for hashing the
store/expected password. Only used if
hashSto reP asswo rd or
hashUserP asswo rd is true and
hashAl g o ri thm has been specified.
true
Whether any existing JTA transaction
should be suspended during
database operations.
false
A flag that indicates whether
validation errors should be exposed
to clients or not
java:/Transaction The JND I name of the transaction
Manager
manager used by the login module.
D escription
T yp e
D ef au lt
D escrip t io n
d sJnd i Name
A JND I resource
java: /D efaul tD S
314
O p t io n
T yp e
D ef au lt
D escrip t io n
ro l esQ uery
prepared SQL
statement
sel ect
R o l e,R o l eG ro up
fro m R o l es where
P ri nci pal ID = ?
suspend R esume
true or fal se
true
SQL prepared
statement to be
executed in order to
map roles. It should be
an equivalent to
sel ect R o l e,
R o l eG ro up fro m
R o l es where
P ri nci pal ID = ?,
where Role is the role
name and the
RoleGroup column
value should always
be either R o l es with a
capital R or
C al l erP ri nci pal .
Whether any existing
JTA transaction should
be suspended during
database operations.
T ab le 12.15. Id enti ty
Code
Class
Id enti ty
o rg . jbo ss. securi ty. auth. spi . Id enti t
yLo g i nMo d ul e
Associates the principal specified in the module
options with any subject authenticated against
the module. The type of Principal class used is
o rg . jbo ss. securi ty. Si mpl eP ri nci pal .
If no principal option is specified a principal
with the name of g uest is used.
D escription
T ab le 12.16 . Id enti ty Mo d u le O p t io n s
O p t io n
T yp e
D ef au lt
D escrip t io n
String
g uest
ro l es
comma-separated list
of strings
none
T ab le 12.17. Ld ap
Code
Class
Ld ap
o rg . jbo ss. securi ty. auth. spi . Ld apLo g
i nMo d ul e
315
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
D escription
T ab le 12.18. Ld ap Mo d u le O p t io n s
O p t io n
T yp e
D ef au lt
class name
co m. sun. jnd i . l d a
p. Ld apC txFacto ry
l d ap: // URL
string
credential type
316
D escrip t io n
Ini ti al C o ntextFac
to ry implementation
class name.
If the value of
URL for the LD AP
java. nami ng . secur server.
i ty. pro to co l is
SSL,
l d ap: //l o cal ho st
: 6 36 , otherwise
l d ap: //l o cal ho st
: 389
si mpl e
The security level to
use to bind to the
LD AP server.
If unspecified,
The transport protocol
determined by the
to use for secure
provider.
access, such as SSL.
none
The name of the
principal for
authenticating the
caller to the service.
This is built from other
properties described
below.
none
The type of credential
used by the
authentication scheme.
Some examples
include hashed
password, clear-text
password, key, or
certificate. If this
property is unspecified,
the behavior is
determined by the
service provider.
O p t io n
T yp e
string
string
true or fal se
false
ro l esC txD N
fully-qualified D N
none
ro l eAttri buteID
attribute
D ef au lt
none
ro l es
D escrip t io n
Prefix added to the
username to form the
user D N. You can
prompt the user for a
username and build
the fully-qualified D N
by using the
pri nci pal D NP refi x
and
pri nci pal D NSuffi x
.
Suffix added to the
username to form the
user D N. You can
prompt the user for a
username and build
the fully-qualified D N
by using the
pri nci pal D NP refi x
and
pri nci pal D NSuffi x
.
Whether the credential
should be obtained as
an opaque Object
using the
o rg . jbo ss. securi t
y. auth. cal l back.
O bjectC al l back
type of Callback rather
than as a char[]
password using a
JAAS
PasswordCallback.
This allows for passing
no n-char[]
credential information
to the LD AP server.
The fully-qualified D N
for the context to
search for user roles.
The attribute in the
user object that
contains the D N for the
context to search for
user roles. This differs
from ro l esC txD N in
that the context to
search for a user's
roles may be unique
for each user.
Name of the attribute
containing the user
roles.
317
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
T yp e
D ef au lt
D escrip t io n
ro l eAttri buteIsD N
true or fal se
fal se
ro l eNameAttri bute
ID
attribute
name
ui d Attri buteID
attribute
ui d
matchO nUserD N
true or fal se
fal se
al l o wEmptyP asswo
rd s
true or fal se
fal se
T ab le 12.19 . Ld apExtend ed
318
T ab le 12.19 . Ld apExtend ed
Code
Class
Ld apExtend ed
o rg . jbo ss. securi ty. auth. spi . Ld apExt
Lo g i nMo d ul e
An alternate LD AP login module implementation
that uses searches to locate the bind user and
associated roles. The roles query recursively
follows D Ns to navigate a hierarchical role
structure. It uses the same java. nami ng
options as the Ldap module, and uses the
following options instead of the other options of
the Ldap module.
D escription
T ab le 12.20. Ld apExtend ed Mo d u le O p t io n s
O p t io n
T yp e
D ef au lt
D escrip t io n
baseC txD N
fully-qualified D N
none
bi nd C red enti al
string, optionally
encrypted
none
bi nd D N
fully-qualified D N
none
319
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
T yp e
D ef au lt
D escrip t io n
baseFi l ter
LD AP filter string
none
ro l esC txD N
fully-qualified D N
none
ro l eFi l ter
LD AP filter string
none
320
O p t io n
T yp e
D ef au lt
D escrip t io n
ro l eAttri buteIsD N
true or fal se
fal se
d efaul tR o l e
Role name
none
fal se
parseUsername
true or fal se
fal se
usernameBeg i nStri
ng
string
none
321
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
T yp e
D ef au lt
D escrip t io n
usernameEnd Stri ng
string
none
ro l eNameAttri bute
ID
attribute
name
attribute
ro l eR ecursi o n
integer
searchT i meLi mi t
integer
10 0 0 0 (10 seconds)
searchSco pe
One of:
O BJEC T _SC O P E,
O NELEVEL_SC O P E,
SUBT R EE_SC O P E
true or fal se
SUBT R EE_SC O P E
al l o wEmptyP asswo
rd s
322
fal se
O p t io n
T yp e
D ef au lt
D escrip t io n
none
T ab le 12.21. R o l eMappi ng
Code
Class
R o l eMappi ng
o rg . jbo ss. securi ty. auth. spi . R o l eMap
pi ng Lo g i nMo d ul e
Maps a role which is the end result of the
authentication process to a declarative role.
This module must be flagged as o pti o nal
when you add it to the security domain.
D escription
T ab le 12.22. R o l eMappi ng Mo d u le O p t io n s
O p t io n
T yp e
D ef au lt
D escrip t io n
ro l esP ro perti es
no ne
repl aceR o l e
true or fal se
fal se
Note
The ro l esP ro perti es module option is required for RoleMapping.
323
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
T ab le 12.23. R unAs
Code
Class
R unAs
o rg . jbo ss. securi ty. auth. spi . R unAsLo
g i nMo d ul e
A helper module that pushes a run as role onto
the stack for the duration of the login phase of
authentication, and pops the run as role off the
stack in either the commit or abort phase. This
login module provides a role for other login
modules that must access secured resources in
order to perform their authentication, such as a
login module which accesses a secured EJB.
R unAsLo g i nMo d ul e must be configured
before the login modules that require a run as
role to be established.
D escription
T ab le 12.24 . R unAs O p t io n s
O p t io n
T yp e
D ef au lt
D escrip t io n
ro l eName
role name
no bo d y
principal name
no bo d y
A fully-qualified
classname.
none
T ab le 12.25. Si mpl e
Code
Class
D escription
Si mpl e
o rg . jbo ss. securi ty. auth. spi . Si mpl eS
erverLo g i nMo d ul e
A module for quick setup of security for testing
purposes. It implements the following simple
algorithm:
If the password is null, authenticate the user
and assign an identity of g uest and a role
of g uest.
Otherwise, if the password is equal to the
user, assign an identity equal to the
username and both ad mi n and g uest roles.
Otherwise, authentication fails.
Si mpl e Mo d u le O p t io n s
324
Si mpl e Mo d u le O p t io n s
The Si mpl e module has no options.
T ab le 12.26 . C o nfi g ured Id enti ty
Code
Class
D escription
T yp e
D ef au lt
D escrip t io n
username
string
none
passwo rd
encrypted string
""
Name of a principal
no ne
SecureId enti ty
o rg . pi cketbo x. d ataso urce. securi ty. S
ecureId enti tyLo g i nMo d ul e
325
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
D escription
T yp e
D ef au lt
D escrip t io n
username
string
none
passwo rd
encrypted string
""
manag ed C o nnecti o
nFacto ryName
JCA resource
none
P ro perti esUsers
o rg . jbo ss. securi ty. auth. spi . P ro pert
i esUsersLo g i nMo d ul e
Uses a properties file to store usernames and
passwords for authentication. No authorization
(role mapping) is provided. This module is only
appropriate for testing.
326
Si mpl eUsers
o rg . jbo ss. securi ty. auth. spi . Si mpl eU
sersLo g i nMo d ul e
D escription
T ab le 12.32. Ld apUsers
Code
Class
Ld apUsers
o rg . jbo ss. securi ty. auth. spi . Ld apUse
rsLo g i nMo d ul e
The Ld apUsers module is superseded by the
Extend ed LD AP and Ad vanced Ld ap modules.
D escription
T ab le 12.33. Kerbero s
Code
Class
Kerbero s
co m. sun. securi ty. auth. mo d ul e. Krb5Lo
g i nMo d ul e. In the IBM JD K the classname is
co m. i bm. securi ty. auth. mo d ul e. Krb5Lo
g i nMo d ul e.
Performs Kerberos login authentication, using
GSSAPI. This module is part of the security
framework from the API provided by Sun
Microsystems. D etails can be found at
http://docs.oracle.com/javase/7/docs/jre/api/sec
urity/jaas/spec/com/sun/security/auth/module/Kr
b5LoginModule.html. This module needs to be
paired with another module which handles the
authentication and roles mapping.
D escription
T ab le 12.34 . Kerbero s Mo d u le O p t io n s
O p t io n
T yp e
D ef au lt
D escrip t io n
sto rekey
true or fal se
false
d o No tP ro mpt
true or fal se
false
false
327
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
T yp e
D ef au lt
D escrip t io n
ti cketcache
A file or resource
representing a
Kerberos ticket cache.
true or fal se
false
keytab
A file or resource
representing a
Kerberos keytab.
string
true or fal se
false
328
O p t io n
T yp e
D ef au lt
D escrip t io n
true or fal se
false
true or fal se
false
cl earP ass
true or fal se
false
Same as
useFi rstP ass, but if
authentication fails, the
module uses the
C al l backHand l er to
retrieve a new
username and
password. If the
second authentication
fails, the failure is
reported to the calling
application.
Whether to store the
username and
password in the
module's shared state.
This does not happen
if the keys already exist
in the shared state, or if
authentication fails.
Set this to true to clear
the username and
password from the
shared state after both
phases of
authentication
complete.
T ab le 12.35. SP NEG O
Code
Class
SP NEG O
o rg . jbo ss. securi ty. neg o ti ati o n. spne
g o . SP NEG O Lo g i nMo d ul e
Allows SPNEGO authentication to a Microsoft
Active D irectory server or other environment
which supports SPNEGO. SPNEGO can also
carry Kerberos credentials. This module needs
to be paired with another module which handles
authentication and role mapping.
D escription
T ab le 12.36 . SP NEG O Mo d u le O p t io n s
O p t io n
T yp e
D ef au lt
D escrip t io n
serverSecuri tyD o m
ai n
stri ng
nul l .
329
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
T yp e
D ef au lt
D escrip t io n
fal se
usernameP asswo rd D
o mai n
nul l
stri ng
T ab le 12.37. Ad vanced Ld ap
Code
Class
Ad vanced Ld ap
o rg . jbo ss. securi ty. neg o ti ati o n. Ad va
nced Ld apLo g i nMo d ul e
A module which provides additional
functionality, such as SASL and the use of a
JAAS security domain.
D escription
T ab le 12.38. Ad vanced Ld ap Mo d u le O p t io n s
O p t io n
T yp e
D ef au lt
bi nd Authenti cati o
n
string
none
stri ng
baseC txD N
fully-qualified D N
baseFi l ter
String representing a
LD AP search filter.
ro l eAttri buteID
String value
representing an LD AP
attribute.
ro l eAttri buteIsD N
true or fal se
330
D escrip t io n
O p t io n
T yp e
D ef au lt
D escrip t io n
ro l eNameAttri bute
ID
String representing an
LD AP attribute.
none
recurseR o l es
true or fal se
fal se
none
T ab le 12.39 . Ad vanced AD Ld ap
Code
Class
Ad vanced AD Ld ap
o rg . jbo ss. securi ty. neg o ti ati o n. Ad va
nced AD Lo g i nMo d ul e
This module extends the Ad vanced Ld ap login
module, and adds extra parameters that are
relevant to Microsoft Active D irectory.
D escription
T ab le 12.4 0. UsersR o l es
Code
Class
UsersR o l es
o rg . jbo ss. securi ty. auth. spi . UsersR o
l esLo g i nMo d ul
A simple login module that supports multiple
users and user roles stored in two different
properties files.
D escription
T ab le 12.4 1. UsersR o l es Mo d u le O p t io n s
O p t io n
T yp e
D ef au lt
D escrip t io n
331
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
T yp e
D ef au lt
D escrip t io n
usersP ro perti es
Path to a file or
resource.
ro l esP ro perti es
Path to a file or
resource.
passwo rd -stacki ng
fal se
hashAl g o ri thm
String representing a
password hashing
algorithm.
no ne
hashEnco d i ng
base6 4 or hex
base6 4
332
O p t io n
T yp e
D ef au lt
D escrip t io n
hashC harset
string
unauthenti cated Id
enti ty
principal name
none
C u st o m Au t h en t icat io n Mo d u les
Authentication modules are implementations of javax. securi ty. auth. spi . Lo g i nMo d ul e.
Refer to the API documentation for more information about creating a custom authentication module.
Report a bug
C lass
D enyAll
org.jboss.security.authorization.modules.AllD en
yAuthorizationModule
org.jboss.security.authorization.modules.AllPer
mitAuthorizationModule
org.jboss.security.authorization.modules.D eleg
atingAuthorizationModule
org.jboss.security.authorization.modules.web.W
ebAuthorizationModule
org.jboss.security.authorization.modules.JACCA
uthorizationModule
org.jboss.security.authorization.modules.XACM
LAuthorizationModule
PermitAll
D elegating
Web
JACC
XACML
333
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
AllPermit Au t h o riz at io n Mo d u le
This is a simple authorization module that always permits an authorization request. No configuration
options are available.
D eleg at in g Au t h o riz at io n Mo d u le
This is the default authorization module that delegates decision making to the configured delegates.
Web Au t h o riz at io n Mo d u le
This is the default web authorization module with the default Tomcat authorization logic (permit all).
JAC C Au t h o riz at io n Mo d u le
This module enforces JACC semantics using two delegates (WebJACCPolicyModuleD elegate for web
container authorization requests and EJBJACCPolicyModuleD elegate for EJB container requests).
No configuration options available.
XAC MLAu t h o riz at io n Mo d u le
This module enforces XACML authorization using two delegates for web and EJB containers
(WebXACMLPolicyModuleD elegate and EJBXACMLPolicyModuleD elegate). It creates a PD P object
based on registered policies and evaluates web or EJB requests against it.
Ab st ract Au t h o riz at io n Mo d u le
This is the base authorization module which has to be overridden and provides a facility for
delegating to other authorization modules.
Report a bug
C lass
PropertiesRoles
SimpleRoles
D eploymentRoles
D atabaseRoles
LdapRoles
LdapAttributes
334
A Role Mapping Module that takes into consideration a principal to roles mapping that can be done
in jbo ss-web. xml and jbo ss-app. xml deployment descriptors.
< jboss-web>
. ..
<security-role>
<role-name>Support</role-name>
<principal-name>Mark</principal-name>
<principal-name>Tom</principal-name>
</security-role>
. ..
< /jboss-web>
o rg .jb o ss.secu rit y.map p in g .p ro vid ers.D ep lo ymen t R o leT o R o lesMap p in g Pro vid er
A Role to Roles Mapping Module that takes into consideration a principal to roles mapping that can
be done in the deployment descriptors jbo ss-web. xml and jbo ss-app. xml . In this case
principal-name denotes role to map other roles.
<jboss-web>
...
<security-role>
<role-name>Employee</role-name>
<principal-name>Support</principal-name>
<principal-name>Sales</principal-name>
</security-role>
...
</jboss-web>
Which means that each principal having role Support or Sales will also have role Employee
assigned.
335
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
336
o rg .jb o ss.secu rit y.map p in g .p ro vid ers.at t rib u t e.D ef au lt At t rib u t eMap p in g Pro vid er
Checks module and locates principal name from mapping context to create attribute e-mail address
from module option named principalName + " .email" and maps it to the given principal.
Ld ap At t rib u t eMap p in g Pro vid er
Maps attributes from LD AP to the subject. The options include whatever options your LD AP JND I
provider supports.
C ontext.INITIAL_CONTEXT_FACTORY = "java.naming.factory.initial"
C ontext.SECURITY_PROTOCOL = "java.naming.security.protocol"
C ontext.PROVIDER_URL = "java.naming.provider.url"
C ontext.SECURITY_AUTHENTICATION =
"java.naming.security.authentication"
Options:
bi nd D N: The D N used to bind against the LD AP server for the user and roles queries. This D N
needs read and search permissions on the baseCtxD N and rolesCtxD N values.
bi nd C red enti al : The password for the bindD N. This can be encrypted if the
jaasSecurityD omain is specified.
baseC txD N: The fixed D N of the context to start the user search from.
337
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
baseFi l ter: A search filter used to locate the context of the user to authenticate. The input
username or userD N as obtained from the login module callback is substituted into the filter
anywhere a {0 } expression is used. This substituion behavior comes from the standard
__D i rC o ntext. search(Name, Stri ng , O bject[], SearchC o ntro l s co ns)__ method.
An common example search filter is (ui d = {0 }).
searchT i meLi mi t: The timeout in milliseconds for the user/role searches. D efaults to 10000 (10
seconds).
attri buteLi st: A comma-separated list of attributes for the user. For example,
mail,cn,sn,employeeType,employeeNumber.
jaasSecuri tyD o mai n: The JaasSecurityD omain to use to decrypt the
java. nami ng . securi ty. pri nci pal . The encrypted form of the password is that returned by
the JaasSecuri tyD o mai n#encrypt6 4 (byte[]) method. The
o rg . jbo ss. securi ty. pl ug i ns. P BEUti l s can also be used to generate the encrypted form.
Report a bug
C lass
LogAuditProvider
org.jboss.security.audit.providers.LogAuditProvi
der
Report a bug
338
339
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
34 0
Warning
It is recommended that you do not directly edit the l o g g i ng . pro perti es file unless you
have a serious problem booting the server and need additional logging from the host or
process controller.
Report a bug
D escrip t io n
EAP_HOME/stand al o ne/l o g /g c. l o g
34 1
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Lo g File
D escrip t io n
Report a bug
Note
A fi l ter-spec specified for the root logger is not inherited by other loggers. Instead a
fi l ter-spec must be specified per handler.
D escrip t io n
Paramet ers
accept
d eny
Returns the
inverted value of
the filter
expression
Returns
concatenated
value from
multiple filter
expressions.
expressi o n
Accept
accept
D eny
d eny
Not
no t[fi l ter expressi o n]
All
al l [fi l ter expressi o n]
34 2
no t(match("JBAS"))
al l (match("JBAS"),match("WELD
"))
Filt er T yp e
D escrip t io n
Paramet ers
expressi o n
Any
any[fi l ter expressi o n]
Level Change
l evel C hang e[l evel ]
Levels
l evel s[l evel s]
Level Range
l evel R ang e[mi nLevel ,maxLeve
l]
Filters log
messages with a
level listed in the
list of levels
Filters log
messages within
the specified level
range.
34 3
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Filt er T yp e
D escrip t io n
Paramet ers
A regularexpression based
filter. The
unformatted
message is used
against the
pattern specified
in the expression.
A filter which
replaces the first
match to the
pattern with the
replacement value
A filter which
replaces all
matches of the
pattern with the
replacement value
expressi o n
Match (match["pattern"])
Substitute
(substi tute["pattern","repl ace
ment val ue"])
Substitute All
(substi tuteAl l ["pattern","repl
acement val ue"])
match("JBAS\d + ")
Report a bug
Valu e
D escrip t io n
FINEST
FINER
TRACE
300
400
400
Use for messages that provide detailed information about the running
state of an application. Log messages of T R AC E are usually only captured
when debugging an application.
34 4
Lo g Level
Valu e
D escrip t io n
D EBUG
500
FINE
CONFIG
INFO
500
700
800
WARN
900
WARNING
ERROR
900
1000
SEVERE
FATAL
1000
1100
Report a bug
34 5
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
C o n so le
Console log handlers write log messages to either the host operating system's standard out
(stdout) or standard error (stderr) stream. These messages are displayed when JBoss EAP
6 is run from a command line prompt. The messages from a Console log handler are not
saved unless the operating system is configured to capture the standard out or standard
error stream.
File
File log handlers are the simplest log handlers that write log messages to a specified file.
Perio d ic
Periodic log handlers write log messages to a named file until a specified period of time has
elapsed. Once the time period has passed then the file is renamed by appending the
specified timestamp and the handler continues to write into a newly created log file with the
original name.
Siz e
Size log handlers write log messages to a named file until the file reaches a specified size.
When the file reaches a specified size, it is renamed with a numeric prefix and the handler
continues to write into a newly created log file with the original name. Each size log handler
must specify the maximum number of files to be kept in this fashion.
Asyn c
Async log handlers are wrapper log handlers that provide asynchronous behavior for one
or more other log handlers. These are useful for log handlers that may have high latency or
other performance problems such as writing a log file to a network file system.
C u st o m
Custom log handlers enable to you to configure new types of log handlers that have been
implemented. A custom handler must be implemented as a Java class that extends
java. uti l . l o g g i ng . Hand l er and be contained in a module.
syslo g
Syslog-handlers can be used to send messages to a remote logging server. This allows
multiple applications to send their log messages to the same server, where they can all be
parsed together.
Report a bug
34 6
D escrip t io n
%c
%p
%P
%d
%r
%z
%k
%m
%s
%e
%E
%t
%n
%C
%F
%l
%L
%M
%x
%X
%%
Report a bug
34 7
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Important
When configuring a root logger in a logging profile for a standalone system, the root of the
configuration path is /subsystem= l o g g i ng /l o g g i ng -pro fi l e= NAME/ instead of
/subsystem= l o g g i ng /.
For a managed domain, you must specify which profile to use. You must add the profile name
to the beginning of the configuration path for a managed domain, replacing
/subsystem= l o g g i ng / with /pro fi l e= NAME/subsystem= l o g g i ng /.
Ad d a Lo g H an d ler t o t h e R o o t Lo g g er
34 8
Use the ad d -hand l er operation with the following syntax where HANDLER is the name of
the log handler to be added.
/subsystem=logging/root-logger=ROOT:add-handler(name="HANDLER")
The log handler must already have been created before it can be added to the root logger.
34 9
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Use the remo ve-hand l er with the following syntax, where HANDLER is the name of the log
handler to be removed.
/subsystem=logging/root-logger=ROOT:removehandler(name="HANDLER")
Report a bug
Important
When configuring a log category in a logging profile for a standalone system, the root of the
configuration path is /subsystem= l o g g i ng /l o g g i ng -pro fi l e= NAME/ instead of
/subsystem= l o g g i ng /.
For a managed domain, you must specify which profile to use. You must add the profile name
to the beginning of the configuration path for a managed domain, replacing
/subsystem= l o g g i ng / with /pro fi l e= NAME/subsystem= l o g g i ng /.
Ad d a lo g cat eg o ry
Use the ad d operation with the following syntax. Replace CATEGORY with the category to
be added.
/subsystem=logging/logger=CATEGORY:add
350
351
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Use the wri te-attri bute operation with the following syntax. Replace CATEGORY with
the name of the log category. Replace BOOLEAN with true for this log category to use the
handlers of the root logger. Replace it with false if it is to use only its own assigned
handlers.
/subsystem=logging/logger=CATEGORY:write-attribute(name="useparent-handlers", value="BOOLEAN")
Examp le 14 .9 . Ad d in g a lo g h an d ler
[standalone@ localhost:9999 /]
/subsystem=logging/logger=com.company.accounts.rec:addhandler(name="AccountsNFSAsync")
{"outcome" => "success"}
R emo ve a lo g h an d ler f ro m a lo g cat eg o ry
Use the remo ve-hand l er operation with the following syntax. Replace CATEGORY with
the name of the category and HANDLER with the name of the log handler to be removed.
/subsystem=logging/logger=CATEGORY:remove-handler(name="HANDLER")
352
/subsystem=logging/logger=CATEGORY:remove
Report a bug
Important
When configuring a log handler in a logging profile for a standalone system, the root of the
configuration path is /subsystem= l o g g i ng /l o g g i ng -pro fi l e= NAME/ instead of
/subsystem= l o g g i ng /.
For a managed domain, you must specify which profile to use. You must add the profile name
to the beginning of the configuration path for a managed domain, replacing
/subsystem= l o g g i ng / with /pro fi l e= NAME/subsystem= l o g g i ng /.
Ad d a C o n so le Lo g H an d ler
Use the ad d operation with the following syntax. Replace HANDLER with the console log
handler to be added.
/subsystem=logging/console-handler=HANDLER:add
353
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
354
/subsystem=logging/console-handler=HANDLER:writeattribute(name="target", value="TARGET")
355
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
356
Important
When configuring a log handler in a logging profile for a standalone system, the root of the
configuration path is /subsystem= l o g g i ng /l o g g i ng -pro fi l e= NAME/ instead of
/subsystem= l o g g i ng /.
For a managed domain, you must specify which profile to use. You must add the profile name
to the beginning of the configuration path for a managed domain, replacing
/subsystem= l o g g i ng / with /pro fi l e= NAME/subsystem= l o g g i ng /.
Ad d a f ile lo g h an d ler
Use the ad d operation with the following syntax. Replace PATH with the filename for the file
that the log is being written to. Replace DIR with the name of the directory where the file is to
be located. The value of DIR can be a path variable.
/subsystem=logging/file-handler=HANDLER:add(file={"path"=>"PATH",
"relative-to"=>"DIR"})
357
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
358
/subsystem=logging/file-handler=HANDLER:writeattribute(name="autoflush", value="BOOLEAN")
359
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Set t h e Fo rmat t er
Use the wri te-attri bute operation with the following syntax. Replace HANDLER with the
name of the file log handler. Replace FORMAT with the required formatter string.
/subsystem=logging/file-handler=HANDLER:writeattribute(name="formatter", value="FORMAT")
A log handler can only be removed if it is not being referenced by a log category or an
async log handler.
Report a bug
360
Important
When configuring a log handler in a logging profile for a standalone system, the root of the
configuration path is /subsystem= l o g g i ng /l o g g i ng -pro fi l e= NAME/ instead of
/subsystem= l o g g i ng /.
For a managed domain, you must specify which profile to use. You must add the profile name
to the beginning of the configuration path for a managed domain, replacing
/subsystem= l o g g i ng / with /pro fi l e= NAME/subsystem= l o g g i ng /.
361
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
362
rotating-file-handler=HOURLY_DEBUG:writeattribute(name="append", value="true")
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
Set t h e Au t o Flu sh
Use the wri te-attri bute operation with the following syntax.
/subsystem=logging/periodic-rotating-file-handler=HANDLER:writeattribute(name="autoflush", value="BOOLEAN")
Replace HANDLER with the name of the periodic log handler. Replace BOOLEAN with true
if this handler is to immediately write its output.
JBoss EAP 6 must be restarted for this change to take effect.
363
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Examp le 14 .37.
[standalone@ localhost:9999 /] /subsystem=logging/periodicrotating-file-handler=HOURLY_DEBUG:writeattribute(name="suffix", value=".yyyy-MM-dd-HH")
{"outcome" => "success"}
364
[standalone@ localhost:9999 /]
R emo ve a p erio d ic lo g h an d ler
Use the remo ve operation with the following syntax.
/subsystem=logging/periodic-rotating-file-handler=HANDLER:remove
Replace HANDLER with the name of the periodic log handler.
Report a bug
365
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Important
When configuring a log handler in a logging profile the root of the configuration path is
/subsystem= l o g g i ng /l o g g i ng -pro fi l e= NAME/ instead of /subsystem= l o g g i ng /.
Ad d a n ew lo g h an d ler
Use the ad d operation with the following syntax.
/subsystem=logging/size-rotating-file-handler=HANDLER:add(file=
{"path"=>"PATH", "relative-to"=>"DIR"})
Replace HANDLER with the name of the log handler. Replace PATH with the filename for the
file that the log is being written to. Replace DIR with the name of the directory where the file
is to be located. The value of DIR can be a path variable.
366
367
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
/subsystem=logging/size-rotating-file-handler=HANDLER:writeattribute(name="autoflush", value="BOOLEAN")
Replace HANDLER with the name of the log handler. Replace BOOLEAN with true if this
handler is to immediately write its output.
368
369
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
370
Important
When configuring a log handler in a logging profile for a standalone system, the root of the
configuration path is /subsystem= l o g g i ng /l o g g i ng -pro fi l e= NAME/ instead of
/subsystem= l o g g i ng /.
For a managed domain, you must specify which profile to use. You must add the profile name
to the beginning of the configuration path for a managed domain, replacing
/subsystem= l o g g i ng / with /pro fi l e= NAME/subsystem= l o g g i ng /.
Ad d a n ew asyn c lo g h an d ler
Use the ad d operation with the following syntax.
/subsystem=logging/async-handler=HANDLER:add(queuelength="LENGTH")
Replace HANDLER with the name of the log handler. Replace LENGTH with value of the
maximum number of log requests that can be held in queue.
Examp le 14 .51.
[standalone@ localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:add(queue-length="10")
{"outcome" => "success"}
D isp lay t h e co n f ig u rat io n o f an asyn c lo g h an d ler
Use the read -reso urce operation with the following syntax.
/subsystem=logging/async-handler=HANDLER:read-resource
Replace HANDLER with the name of the log handler.
Examp le 14 .52.
[standalone@ localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:read-resource
{
"outcome" => "success",
"result" => {
371
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Examp le 14 .53.
[standalone@ localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:write-attribute(name="level", value="INFO")
{"outcome" => "success"}
[standalone@ localhost:9999 /]
Set t h e q u eu e len g t h
Use the wri te-attri bute operation with the following syntax.
/subsystem=logging/async-handler=HANDLER:writeattribute(name="queue-length", value="LENGTH")
Replace HANDLER with the name of the log handler. Replace LENGTH with value of the
maximum number of log requests that can be held in queue.
JBoss EAP 6 must be restarted for this change to take effect.
Examp le 14 .54 .
[standalone@ localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:write-attribute(name="queue-length",
value="150")
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
372
Examp le 14 .55.
[standalone@ localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:write-attribute(name="overflow-action",
value="DISCARD")
{"outcome" => "success"}
[standalone@ localhost:9999 /]
Ad d su b - h an d lers
Use the ad d -hand l er operation with the following syntax.
/subsystem=logging/async-handler=HANDLER:addhandler(name="SUBHANDLER")
Replace HANDLER with the name of the log handler. Replace SUBHANDLER with the name
of the log handler that is to be added as a sub-handler of this async handler.
Examp le 14 .56 .
[standalone@ localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:add-handler(name="NFS_FILE")
{"outcome" => "success"}
[standalone@ localhost:9999 /]
R emo ve su b - h an d lers
Use the remo ve-hand l er operation with the following syntax.
/subsystem=logging/async-handler=HANDLER:removehandler(name="SUBHANDLER")
Replace HANDLER with the name of the log handler. Replace SUBHANDLER with the name
of the sub-handler to remove.
Examp le 14 .57.
[standalone@ localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:remove-handler(name="NFS_FILE")
{"outcome" => "success"}
[standalone@ localhost:9999 /]
373
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Examp le 14 .58.
[standalone@ localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:remove
{"outcome" => "success"}
[standalone@ localhost:9999 /]
Report a bug
D escrip t io n
D ef au lt Valu e
port
514
374
At t rib u t e
D escrip t io n
D ef au lt Valu e
app-name
null
enabled
level
facility
server-address
hostname
syslog-format
true
ALL
user-level
localhost
null
RFC5424
Report a bug
375
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
[standalone@ localhost:9999 /] /subsystem= l o g g i ng /co nso l ehand l er= HANDLER: wri te-attri bute(name= named -fo rmatter,
val ue= XML_FO R MAT T ER )
3. Restart the JBoss EAP 6 server for the change to take effect.
[standalone@ localhost:9999 /] shutd o wn --restart= true
R esu lt
The custom XML formatter is added to the console log handler. Output to the console log will be
formatted in XML, for example:
<record>
<date>2014-03-11T13:02:53</date>
<millis>1394539373833</millis>
<sequence>116</sequence>
<logger>org.jboss.as</logger>
<level>INFO</level>
<class>org.jboss.as.server.BootstrapListener</class>
<method>logAdminConsole</method>
<thread>282</thread>
<message>JBAS015951: Admin console listening on http://%s:%d</message>
<param>127.0.0.1</param>
<param>9990</param>
</record>
Report a bug
14 .4 . Per-deployment Logging
14 .4 .1. About Per-deployment Logging
Per-deployment logging allows a developer to configure in advance the logging configuration for
their application. When the application is deployed, logging begins according to the defined
configuration. The log files created through this configuration contain information only about the
behavior of the application.
This approach has advantages and disadvantages over using system-wide logging. An advantage
is that the administrator of the JBoss EAP instance does not need to configure logging. A
disadvantage is that the per-deployment logging configuration is read only on startup and so
cannot be changed at runtime.
Report a bug
376
Important
Logging profiles are only available in version 6.1.0 and later. They cannot be configured
using the management console.
Logging profiles are independent sets of logging configuration that can be assigned to deployed
applications. As with the regular logging subsystem, a logging profile can define handlers,
categories and a root logger but cannot refer to configuration in other profiles or the main logging
subsystem. The design of logging profiles mimics the logging subsystem for ease of configuration.
The use of logging profiles allows administrators to create logging configuration that are specific to
one or more applications without affecting any other logging configuration. Because each profile is
defined in the server configuration, the logging configuration can be changed without requiring that
the affected applications be redeployed.
Each logging profile can have the following configuration:
A unique name. This is required.
Any number of log handlers.
Any number of log categories.
Up to one root logger.
An application can specify a logging profile to use in its MANIFEST . MF file, using the loggingprofile attribute.
Report a bug
377
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
378
/subsystem=logging/logging-profile=accounts-appprofile/logger=com.company.accounts.ejbs:add-handler(name="ejbtrace-file")
Report a bug
Note
If you are using Maven and the maven-war-pl ug i n, you can put your MANIFEST.MF file in
src/mai n/reso urces/MET A-INF/ and add the following configuration to your po m. xml
file.
< plugin>
<artifactId>maven-war-plugin</artifactId>
<configuration>
<archive>
<manifestFile>src/main/resources/METAINF/MANIFEST.MF</manifestFile>
</archive>
</configuration>
< /plugin>
When the application is deployed it will use the configuration in the specified logging profile for its
log messages.
379
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
Examp le 14 .6 0. C LI sessio n
localhost:bin user$ ./jboss-cli.sh -c
[standalone@ localhost:9999 /] /subsystem=logging/loggingprofile=accounts-app-profile:add
{"outcome" => "success"}
[standalone@ localhost:9999 /] /subsystem=logging/loggingprofile=accounts-app-profile/file-handler=ejb-trace-file:add(file=
{path=>"ejb-trace.log", "relative-to"=>"jboss.server.log.dir"})
{"outcome" => "success"}
[standalone@ localhost:9999 /] /subsystem=logging/loggingprofile=accounts-app-profile/file-handler=ejb-trace-file:writeattribute(name="level", value="DEBUG")
{"outcome" => "success"}
[standalone@ localhost:9999 /] /subsystem=logging/loggingprofile=accounts-appprofile/logger=com.company.accounts.ejbs:add(level=TRACE)
{"outcome" => "success"}
[standalone@ localhost:9999 /] /subsystem=logging/loggingprofile=accounts-app-profile/logger=com.company.accounts.ejbs:addhandler(name="ejb-trace-file")
{"outcome" => "success"}
[standalone@ localhost:9999 /]
<logging-profile name="accounts-app-profile">
<file-handler name="ejb-trace-file">
<level name="DEBUG"/>
380
trace.log"/>
</file-handler>
<logger category="com.company.accounts.ejbs">
<level name="TRACE"/>
<handlers>
<handler name="ejb-trace-file"/>
</handlers>
</logger>
</logging-profile>
< /logging-profiles>
Report a bug
D at at yp e
D escrip t io n
level
String
handlers
filter-spec
String[]
String
Note
A fi l ter-spec specified for the root logger is not inherited by other handlers. Instead a
fi l ter-spec must be specified per handler.
Report a bug
D at at yp e
D escrip t io n
level
String
handlers
String[]
381
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Pro p ert y
D at at yp e
D escrip t io n
use-parenthandlers
category
Boolean
filter-spec
String
If set to true, this category will use the log handlers of the
root logger in addition to any other assigned handlers.
The log category from which log messages will be
captured.
An expression value that defines a filter. The following
expression defines a filter that does not match a pattern:
no t(match("JBAS. *"))
String
Report a bug
D at at yp e
D escrip t io n
level
String
encoding
formatter
target
String
String
String
autoflush
Boolean
name
enabled
String
Boolean
filter-spec
String
Report a bug
D at at yp e
D escrip t io n
level
String
encoding
formatter
append
String
String
Boolean
autoflush
Boolean
382
Pro p ert y
D at at yp e
D escrip t io n
name
file
String
Object
relative-to
String
path
String
enabled
Boolean
filter-spec
String
Report a bug
D at at yp e
D escrip t io n
append
Boolean
autoflush
Boolean
encoding
formatter
level
String
String
String
name
file
String
Object
relative-to
String
path
String
383
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Pro p ert y
D at at yp e
D escrip t io n
suffix
String
enabled
Boolean
filter-spec
String
Report a bug
D at at yp e
D escrip t io n
append
Boolean
autoflush
Boolean
encoding
formatter
level
String
String
String
name
file
String
Object
relative-to
String
384
Pro p ert y
D at at yp e
D escrip t io n
path
String
rotate-size
Integer
max-backupindex
enabled
Integer
filter-spec
String
rotate-on-boot
Boolean
Boolean
Report a bug
D at at yp e
D escrip t io n
level
String
name
queue-length
String
Integer
overflow-action
String
subhandlers
String[]
enabled
Boolean
filter-spec
String
Report a bug
385
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
< root-logger>
<level name="INFO"/>
<handlers>
<handler name="CONSOLE"/>
<handler name="FILE"/>
</handlers>
< /root-logger>
Report a bug
<handler name="accounts-rec"/>
</handlers>
< /logger>
Report a bug
<level name="INFO"/>
<append value="true"/>
< /file-handler>
Report a bug
<formatter>
</formatter>
386
<append value="true"/>
< /periodic-rotating-file-handler>
Report a bug
<level name="DEBUG"/>
<rotate-size value="500k"/>
<max-backup-index value="5"/>
<append value="true"/>
< /size-rotating-file-handler>
Report a bug
<level name="INFO"/>
<queue-length value="512"/>
<overflow-action value="block"/>
<subhandlers>
<handler name="FILE"/>
<handler name="accounts-record"/>
</subhandlers>
< /async-handler>
Report a bug
387
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Important
Users can add more cache containers and caches, and reference them via JND I. However, this
is unsupported in JBoss Enterprise Application Platform 6.
For more information about Infinispan functionality and configuration options see the Infinispan
Documentation.
Report a bug
388
Chapt er 1 5. Infinispan
performance, but the less likely you are to lose data in a server failure. The hash algorithm also
works to reduce network traffic by locating entries without multicasting or storing metadata.
Syn ch ro n o u s an d Asyn ch ro n o u s R ep licat io n
Replication can be performed either in either synchronous or asynchronous mode, and the mode
chosen will depend on your requirements and your application. With synchronous replication, the
thread that handles the user request will be blocked until replication has been successful. Only when
replication has been successful will a response be sent back to the client, and the thread released.
Synchronous replication will have an impact on network traffic because it requires a response from
each node in the cluster. It has the advantage, however, of ensuring that all modifications have been
made to all nodes in the cluster.
Asynchronous replication is carried out in the background. Infinispan implements a replication
queue, which is used by a background thread to carry out replication. Replication is triggered either
on a time basis, or on the queue size. A replication queue allows increased performance because
there is no conversation being carried out between the cluster nodes. The trade off with
asynchronous replication is that it is not quite so accurate. Failed replication attempts are written to a
log, not notified in real time.
Report a bug
<transport lock-timeout="60000"/>
<locking isolation="REPEATABLE_READ"/>
</replicated-cache>
</cache-container>
<transport lock-timeout="60000"/>
<file-store/>
</replicated-cache>
389
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
mode="ASYNC" batching="true">
<file-store/>
</distributed-cache>
</cache-container>
Note the default cache defined in each cache container. In this example, in the web cache
container, the repl cache is defined as the default. The repl cache will therefore be used
to when clustering web sessions.
The cache containers and cache attributes can be configured using the Management
Console or CLI commands, but it is not advisable to change the names of either cache
containers or caches.
C o n f ig u re C ach e C o n t ain ers
Cache containers for Infinispan can be configured using the CLI or the Management
Console.
Pro ced u re 15.1. C o n f ig u re t h e In f in isp an C ach e C o n t ain ers in t h e Man ag emen t
C o n so le
1. Select the C o n f ig u rat io n tab from the top of the screen.
2. For D omain mode only, select either h a or f u ll- h a from the drop down menu at top
left.
3. Expand the Su b syst ems menu, then expand the In f in isp an menu. Select C ach e
C o n t ain ers.
4. Select a cache container from the C ache C o ntai ners table.
5. Ad d , R emo ve o r Set D ef au lt C ach e C o n t ain er
a. To create a new cache container, click Ad d from the C ache C o ntai ners
table.
b. To remove a cache container, select the cache container in the C ache
C o ntai ners table. Click R emo ve and click O K to confirm.
c. To set a cache container as default, click Set D efaul t, enter a cache
container name from the drop down list, click Save to confirm.
6. To add or update the attributes of a cache container, select the cache container in
the C ache C o ntai ners table. Select one from the At t rib u t es, T ran sp o rt and
Aliases tabs in the D etai l s area of the screen, and click Ed i t. For help about
the content of the At t rib u t es, T ran sp o rt and Aliases tabs, click Need Hel p?.
Pro ced u re 15.2. C o n f ig u re t h e In f in isp an C ach e C o n t ain ers in t h e Man ag emen t
C LI
1. To get a list of configurable attributes, enter the following CLI command:
/profile=profile name/subsystem=infinispan/cachecontainer=container name:read-resource
390
Chapt er 1 5. Infinispan
2. You can use the Management CLI to add, remove and update cache containers.
Before issuing any commands to do with cache containers, ensure that you use the
correct profile in the Management CLI command.
a. Ad d a C ach e C o n t ain er
To add a cache container base your command on the following example:
/profile=profile-name/subsystem=infinispan/cachecontainer="cache container name":add
b. R emo ve a C ach e C o n t ain er
To remove a cache container base your command on the following example:
/profile=profile-name/subsystem=infinispan/cachecontainer="cache container name":remove
c. U p d at e C ach e C o n t ain er at t rib u t es
Use the write-attribute operation to write a new value to an attribute. You can
use tab completion to help complete the command string as you type, as
well as to expose the available attributes. The following example updates
statistics-enabled to true.
/profile=profile name/subsystem=infinispan/cachecontainer=cache container name:writeattribute(name=statistics-enabled,value=true)
Report a bug
391
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Warning
Enabling Infinispan statistics can have a negative impact on the performance of the Infinispan
subsystem. Statistics should be enabled only when required.
Statistics collection can be enabled for each cache-container, cache or both. The statistics option for
each cache overrides the option for the cache-container. Enabling or disabling statistics collection
for a cache container will cause all caches in that container to inherit the setting, unless they
explicitly specify their own. If only a cache-container is enabled for statistics, useful statistics are
available.
Report a bug
15.6.1. Enable Infinispan St at ist ics Collect ion in t he St art up Configurat ion
File
Pro ced u re 15.3. En ab le In f in isp an St at ist ics in t h e St art u p C o n f ig u rat io n File
Add the attribute stati sti cs-enabl ed =VALUE to the required cache-co ntai ner or cache
XML tag under the Infinispan subsystem.
Report a bug
15.6.2. Enable Infinispan St at ist ics Collect ion from t he Management CLI
Pro ced u re 15.4 . En ab le In f in isp an St at ist ics C o llect io n f ro m t h e Man ag emen t C LI
In this procedure:
392
Chapt er 1 5. Infinispan
Note
To undefine an attribute, enter the following command:
/subsystem=infinispan/cachecontainer=CACHE_CONTAINER/CACHE_TYPE=CACHE:undefineattribute(name=statistics-enabled)
Report a bug
15.7. JGroups
15.7.1. About JGroups
393
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
JGroups is a messaging toolkit which allows developers to create reliable messaging applications
where system reliability is an issue. JGroups can be used to create clusters whose nodes can send
messages to each other.
The JGroups subsystem provides all the communication mechanisms for how the servers in a cluster
talk to each other. EAP is preconfigured with two JGroups stacks.
udp - the nodes in the cluster use UD P (User D atagram Protocol) multicasting to communicate
with each other. UD P is generally faster but less reliable than TCP.
tcp - the nodes in the cluster use TCP (Transmission Control Protocol) to communicate with each
other. TCP tends to be slower than UD P, but will more reliably deliver data to its destination.
The preconfigured stacks can be used, or you can define your own to suit your system's specific
requirements.
Report a bug
394
Chapt er 1 5. Infinispan
395
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<servers>
<server name="server-one" group="main-server-group" autostart="true">
<jvm name="default"/>
</server>
<server name="server-two" group="main-server-group" autostart="true">
<jvm name="default">
<heap size="64m" max-size="256m"/>
</jvm>
<socket-bindings port-offset="150"/>
</server>
<server name="server-three" group="other-server-group" autostart="false">
<socket-bindings port-offset="250"/>
</server>
</servers>
In this instance, a server named server-two belongs to the server group named mai n-serverg ro up, inheriting the JVM settings from the d efaul t JVM group. In the previous example, the
main heap size for mai n-server-g ro up was set at 512 megabytes. By declaring the lower
maximum heap size of 256 megabytes, server-two can override the d o mai n. xml settings to
fine-tune performance as desired.
Warning
Setting the JAVA_OPTS environment variable will re-define the default values for the
JAVA_OPTS environment variable. This can break or terminate the start of JBoss EAP.
Report a bug
396
Chapt er 1 6 . JVM
D escrip t io n
Max
Used
Committed
Init
397
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<jvm name="default">
<heap size="1303m" max-size="1303m"/>
<permgen max-size="256m"/>
<jvm-options>
<option value="-XX:+UseCompressedOops"/>
</jvm-options>
</jvm>
398
Chapt er 1 6 . JVM
399
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Note
The mo d _cl uster component is only available if your profile is ha or ful l -ha, in a
managed domain, or if you start your standalone server with the stand al o ne-ha or
stand al o ne-ful l -ha profile. mo d _cl uster configuration is covered in Section 19.5.2,
Configure the mo d _cl uster Subsystem .
D escrip t io n
Instance ID
4 00
C LI C o mman d
/profile=fullha/subsystem=web:wri
teattribute(name=insta
nceid,value=worker1)
O p t io n
D escrip t io n
D isabled?
D evelopment?
Keep Generated?
Check Interval?
D isplay Source?
C LI C o mman d
/profile=fullha/subsystem=web/conf
iguration=jspconfiguration/:write
attribute(name=disab
led,value=false)
/profile=fullha/subsystem=web/conf
iguration=jspconfiguration/:write
attribute(name=devel
opment,value=false)
/profile=fullha/subsystem=web/conf
iguration=jspconfiguration/:write
attribute(name=keepgenerated,value=true
)
/profile=fullha/subsystem=web/conf
iguration=jspconfiguration/:write
attribute(name=check
-interval,value=0)
/profile=fullha/subsystem=web/conf
iguration=jspconfiguration/:write
attribute(name=displ
ay-sourcefragment,value=true)
AJP and HTTP connectors use mo d _cl uster, mo d _jk, mo d _pro xy, ISAP I, and NSAP I for load
balancing and HA clustering. To configure a connector, select the C o nnecto rs tab and click Ad d .
To remove a connector, select its entry and click R emo ve. To edit a connector, select its entry and
click Ed i t.
4 01
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
When you create a new connector using the Management CLI, its options are all set at once, as in the
following command:
T ab le 17.2. C o n n ect o r O p t io n s
O p t io n
D escrip t io n
Name
Socket Binding
Scheme
Protocol
Enabled
4 02
C LI C o mman d
/profile=fullha/subsystem=web/con
nector=ajp/:readattribute(name=name)
/profile=fullha/subsystem=web/con
nector=ajp/:writeattribute(name=socke
t-binding,value=ajp)
/profile=fullha/subsystem=web/con
nector=ajp/:writeattribute(name=schem
e,value=http)
/profile=fullha/subsystem=web/con
nector=ajp/:writeattribute(name=proto
col,value=AJP/1.3)
/profile=fullha/subsystem=web/con
nector=ajp/:writeattribute(name=enabl
ed,value=true)
O p t io n
D escrip t io n
Redirect Port
Redirect Binding
C LI C o mman d
/profile=fullha/subsystem=web/con
nector=http:writeattribute(name=redir
ect-port,value=8443)
/profile=fullha/subsystem=web/con
nector=http:writeattribute(name=redir
ectbinding,value=https)
To configure virtual servers, click the Vi rtual Servers tab. Use the Ad d button to add a new
virtual server. To edit or remove a virtual server, select its entry and click the Ed i t or R emo ve button.
When you add a new virtual server using the Management CLI, all required options are set at once,
as in the following command.
D escrip t io n
Name
C LI C o mman d
/profile=fullha/subsystem=web/vir
tual-server=defaulthost/:readattribute(name=name)
4 03
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
D escrip t io n
Alias
D efault Module
C LI C o mman d
/profile=fullha/subsystem=web/vir
tual-server=defaulthost/:writeattribute(name=alias
,value=
["localhost","exampl
e.com"])
/profile=fullha/subsystem=web/vir
tual-server=defaulthost/:writeattribute(name=defau
lt-webmodule,value=ROOT.wa
r)
Report a bug
4 04
< jboss-web>
<context-root>/</context-root>
< /jboss-web>
3. D ep lo y yo u r ap p licat io n .
D eploy your application to the server group or server you modified in the first step. The
application is now available on http: //SERVER_URL:PORT/.
Report a bug
4 05
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
D escrip t io n
WSD L Host
WSD L Port
4 06
C LI C o mman d
/profile=fullha/subsystem=webservi
ces/:writeattribute(name=modif
y-wsdladdress,value=true)
/profile=fullha/subsystem=webservi
ces/:writeattribute(name=wsdlhost,value=127.0.0.1)
/profile=fullha/subsystem=webservi
ces/:writeattribute(name=wsdlport,value=80)
O p t io n
D escrip t io n
C LI C o mman d
/profile=fullha/subsystem=webservi
ces/:writeattribute(name=wsdlsecureport,value=443)
Note
You may need to change the profile to modify a different managed domain profile, or remove
the /profile=full-ha part of the command for a standalone server.
4 07
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
4 08
The web server itself can be clustered for HA, using one of several compatible load balancing
mechanisms. The most flexible is mo d _cl uster connector, which is tightly integrated with the JBoss
EAP 6 container. Other choices include Apache mo d _jk or mo d _pro xy connectors, or the ISAPI
and NSAPI connectors.
T h e Ap p licat io n
D eployed applications can be made highly-available because of the Java Enterprise Edition 6 (Java
EE 6) specification. Stateless or stateful session EJBs can be clustered so that if the node which is
involved in the work disappears, another node can take over, and in the case of stateful session
beans, preserve the state.
Report a bug
Web server
mod_ httpd in
cluste JBoss
r
Enterprise
Web Server,
httpd
provided by
operating
system (Red
Hat
Enterprise
Linux,
HewlettPackard HPUX)
Su p p o rt ed
Su p p o rt ed
o p erat in g syst ems p ro t o co ls
Ad ap t s t o d ep lo ymen t
st at u s
Su p p
o rt s
st ick
y
sessi
on
Yes
HTTP,
HTTPS, AJP
4 09
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Con
n ect
or
Web server
Su p p o rt ed
Su p p o rt ed
o p erat in g syst ems p ro t o co ls
Ad ap t s t o d ep lo ymen t
st at u s
Su p p
o rt s
st ick
y
sessi
on
mod_j httpd in
k
JBoss
Enterprise
Web Server,
httpd
provided by
operating
system (Red
Hat
Enterprise
Linux,
HewlettPackard HPUX)
mod_ httpd in
proxy JBoss
Enterprise
Web Server
AJP
Yes
HTTP,
HTTPS, AJP
Yes
ISAPI
Microsoft IIS
Microsoft Windows
Server
AJP
NSAP
I
Oracle
iPlanet Web
Server
Oracle Solaris
AJP
4 10
Yes
Yes
A worker node, sometimes referred to as simply a node, is a JBoss EAP 6 server which accepts
requests from one or more client-facing Web servers. JBoss EAP 6 can accept requests from its own
web server such as Apache HTTP Server, Microsoft IIS, or Oracle iPlanet Web Server.
For an overview of HTTP connectors supported by JBoss EAP 6 and how to configure them, see
Section 19.1.3, Overview of HTTP Connectors .
C lu st er n o d e
A cluster node is a member of a cluster of servers. Such a cluster may be load-balancing, highavailability, or both. In a load-balancing cluster, a central manager distributes work loads amongst
its nodes equally, by some situation-specific measurement of equality. In a high-availability cluster,
some nodes are actively doing work, and others are waiting to step in if one of the active nodes
leaves the cluster.
Report a bug
If you prefer to use the CLI to do this task, then execute the following command in a CLI
command prompt:
[standalone@ localhost:9999 /] ./subsystem=threads/threadfactory=http-connector-factory:add(thread-name-pattern="HTTP-%t",
priority="9", group-name="uq-thread-pool")
4 11
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
2. C reat e an execu t o r
You can use one of six in-built executor classes to act as the executor for this factory. The six
executors are:
unbo und ed -q ueue-thread -po o l : This type of thread pool always accepts tasks. If
fewer than the maximum number of threads are running, a new thread is started up to run
the submitted task; otherwise, the task is placed into an unbounded FIFO queue to be
executed when a thread is available.
Note
The single-thread executor type provided by
Executo rs. si ng l eT hread Executo r() is essentially an unbounded-queue
executor with a thread limit of one. This type of executor is deployed using the
unbo und ed -q ueue-thread -po o l -executo r element.
bo und ed -q ueue-thread -po o l : This type of executor maintains a fixed-length queue
and two pool sizes: a co re size and a maxi mum size. When a task is accepted, if the
number of running pool threads is less than the co re size, a new thread is started to
execute the task. If space remains in the queue, the task is placed in the queue. If the
number of running pool threads is less than the maxi mum size, a new thread is started to
execute the task. If blocking is enabled on the executor, the calling thread will block until
space becomes available in the queue. The task is delegated to the handoff executor, if a
handoff executor is configured. Otherwise, the task is rejected.
bl o cki ng -bo und ed -q ueue-thread -po o l : A thread pool executor with a bounded
queue where threads submittings tasks may block. Such a thread pool has a core and
maximum size and a specified queue length. When a task is submitted, if the number of
running threads is less than the core size, a new thread is created. Otherwise, if there is
room in the queue, the task is enqueued. Otherwise, if the number of running threads is
less than the maximum size, a new thread is created. Otherwise, the caller blocks until
room becomes available in the queue.
q ueuel ess-thread -po o l : Sometimes, a simple thread pool is required to run tasks in
separate threads, reusing threads as they complete their tasks with no intervening queue.
This type of pool is ideal for handling tasks which are long-running, perhaps utilizing
blocking I/O, since tasks are always started immediately upon acceptance rather than
accepting a task and then delaying its execution until other running tasks have
completed. This type of executor is declared using the q ueuel ess-thread -po o l executo r element.
bl o cki ng -q ueuel ess-thread -po o l : A thread pool executor with no queue where
threads submittings tasks may block. When a task is submitted, if the number of running
threads is less than the maximum size, a new thread is created. Otherwise, the caller
blocks until another thread completes its task and accepts the new one.
sched ul ed -thread -po o l :This is a special type of executor whose purpose is to
execute tasks at specific times and time intervals, based on the
java. uti l . co ncurrent. Sched ul ed T hread P o o l Executo r class. This type of
executor is configured with the sched ul ed -thread -po o l -executo r element:
4 12
In this example, we will use the unbo und ed -q ueue-thread -po o l to act as the executor.
Modify the values of max-threads and keepalive-time parameters to suit your server
needs.
<unbounded-queue-thread-pool name="uq-thread-pool">
<thread-factory name="http-connector-factory" />
<max-threads count="10" />
<keepalive-time time="30" unit="seconds" />
</unbounded-queue-thread-pool>
4 13
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
4 14
in the Customer Service Portal, listed under the available JBoss EAP 6 downloads for your
installation platform.
Report a bug
19.3.2. Inst all t he Apache HT T P Server included wit h JBoss EAP 6 (Zip)
Prereq u isit es
Root-level or administrator access.
A supported version of Java installed.
The following packages installed:
krb5-wo rkstati o n
mo d _auth_kerb (required for Kerberos functionality)
el i nks (required for the apachectl functionality)
On Red Hat Enterprise Linux 7, apr-uti l -l d ap (LD AP authentication functionality)
The Apache Portability Runtime (APR) must be installed. In Red Hat Enterprise Linux, install
package apr-uti l -d evel .
The Apache HT T P Server Z ip archive contains symbolic links to several Kerberos modules, which
is why the mo d _auth_kerb package is a prerequisite. If Kerberos functionality is not required, there
is no need to install the mo d _auth_kerb package and the associated symbolic link can be deleted:
EAP_HOME/httpd /mo d ul es/mo d _auth_kerb. so .
For information on Apache HTTP Server installation for Microsoft Windows Server environment, see
the Configuring the Environment section in the Installing Enterprise Web Server on Windows section of
JBoss Enterprise Web Server 2 Installation Guide.
Pro ced u re 19 .2. In st all t h e Ap ach e H T T P Server
1. N avig at e t o t h e JB o ss EAP d o wn lo ad s list f o r yo u r p lat f o rm, o n t h e R ed H at
C u st o mer Po rt al.
Log in to the Customer Portal at https://access.redhat.com. Click on D o wnl o ad s, then R ed
Hat Enterpri se Appl i cati o n Server in the list of P ro d uct D o wnl o ad s. Select the
correct JBoss EAP version from the Versi o n drop-down menu.
2. C h o o se t h e h t t p d b in ary f ro m t h e list .
Find the Apache HT T P Server option for your operating system and architecture. Click the
D o wnl o ad link. A Z ip file containing the Apache HTTP Server distribution downloads to
your computer.
3. Ext ract t h e Z ip t o t h e syst em wh ere t h e Ap ach e H T T P Server b in ary will ru n .
Extract the Z ip file on your preferred server, to a temporary location. The Z ip file will contain
the httpd directory under a jboss-ews-version-number folder. Copy the httpd folder and
place it inside the directory where you installed the JBoss EAP 6, commonly referred to as
EAP_HOME.
4 15
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Your Apache HTTP Server is now be located in EAP_HOME/httpd / directory. You can now
use this location for HTTPD_HOME, as found in other JBoss EAP 6 documentation.
4. R u n t h e Po st - in st allat io n scrip t an d creat e ap ach e u ser an d g ro u p acco u n t s
In a terminal emulator, switch to the root user account, navigate to the EAP _HO ME/httpd
directory and execute the following command.
./.postinstall
Next, check to see if a user called apache exists on the system by running the following
command:
id apache
If the user does not exist then it will need to be added, along with the appropriate usergroup.
In order to achieve this, execute the following:
/usr/sbin/groupadd -g 91 -r apache 2> /dev/null || :
/usr/sbin/useradd -c "Apache" -u 48 -g 91 -s /sbin/nologin -r
apache 2>
/dev/null || :
Once this is completed, if the apache user will be running the httpd service, then the
ownership of the HTTP directories will need to be changed to reflect this:
chown -R apache:apache httpd
To test that the above commands have been successful, check that the apache user has
execution permission to the Apache HTTP Server install path.
ls -l
The output should be similar to:
drwxrwxr-- 11 apache apache 4096 Feb 14 06:52 httpd
5. C o n f ig u re t h e Ap ach e H T T P Server.
Switch to the new user account using the following command
sudo su apache
and then configure the Apache HTTP server as the apache user to meet the needs of your
organization. You can use the documentation available from the Apache Foundation at
http://httpd.apache.org/ for general guidance.
6. St art t h e Ap ach e H T T P Server.
Start the Apache HTTP Server using the following command:
EAP_HOME/httpd/sbin/apachectl start
4 16
7. St o p t h e Ap ach e H T T P Server.
To stop the Apache HTTP Server, issue the following command:
EAP_HOME/httpd/sbin/apachectl stop
Report a bug
19.3.3. Inst all Apache HT T P Server in Red Hat Ent erprise Linux (RHEL) 5, 6,
and 7 (RPM)
Prereq u isit es
Root-level access.
The latest version of elinks package installed (required for the apachectl functionality).
Subscribe to Red Hat Enterprise Linux (RHEL) channels (to install Apache HTTP Server from
RHEL channels).
Subscribe to jbapppl atfo rm-6 -AR C H-server-VER S-rpm Red Hat Network (RHN) channel (to
install EAP specific distribution of Apache HTTP Server).
You can install Apache HTTP Server using either of the following methods:
From Red Hat Enterprise Linux (RHEL) channels: An active subscription to Red Hat Enterprise
Linux (RHEL) channels is necessary to install Apache HTTP server.
From jbapppl atfo rm-6 -AR C H-server-VER S-rpm channel (JBoss EAP specific distribution):
JBoss EAP distributes its own version of the Apache HTTP Server. An active subscription to
jbapppl atfo rm-6 -AR C H-server-VER S-rpm channel is necessary to install the JBoss EAP
specific distribution of Apache HTTP Server.
Pro ced u re 19 .3. In st all an d C o n f ig u re Ap ach e H T T P Server in R ed H at En t erp rise Lin u x
5 an d 6 ( R PM)
1. In st all httpd
To install the JBoss EAP specific version of httpd package run the following command:
yum install httpd
To install httpd explicitly from Red Hat Enterprise Linux (RHEL) channels run the following
command:
yum install httpd --disablerepo=jbappplatform-6-*
Note
You must run only one of the above commands to install the httpd package on your
system.
4 17
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
You can define the service behavior for the httpd service at boot from the command line or
with the service configuration graphical tool. Run the following command to define the
behavior:
chkconfig httpd on
To use the service configuration tool run the following command and change the service
setting in the displayed window:
system-config-services
3. St art httpd
Start httpd using the following command:
service httpd start
4. St o p httpd
Stop httpd using the following command:
service httpd stop
Pro ced u re 19 .4 . In st all an d C o n f ig u re Ap ach e H T T P Server in R ed H at En t erp rise Lin u x
7 ( R PM)
1. In st all httpd 22
To install the JBoss EAP specific version of httpd 22 package run the following command:
yum install httpd22
2. Set t h e Service B o o t B eh avio r
Run the following command to start the httpd 22 service at boot:
systemctl enable httpd22.service
3. St art httpd 22
Start httpd 22 using the following command:
systemctl start httpd22.service
4. St o p httpd 22
Stop httpd 22 using the following command:
systemctl stop httpd22.service
Report a bug
4 18
Note
There is no need to use ProxyPass directives because mod_cluster automatically configures
the URLs that must be forwarded to JBossWEB.
D escrip t io n
Valu es
CreateBalancers
UseAlias
0: Ignore aliases
1: Check aliases
D efault: 0
LBstatusRecalTime
WaitForRemove
D efault: 5 seconds
D efault: 10 seconds
4 19
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
D erivat ive
D escrip t io n
ProxyPassMatch/ProxyPass
ProxyPassMatch and
ProxyPass are mod_proxy
directives which, when using !
(instead of the back-end url),
prevent reverse-proxy in the
path. This is used to allow
httpd to serve static information
like images. For example,
Valu es
P ro xyP assMatch
^(/. *\. g i f)$ !
The above example allows
httpd to serve the .gif files
directly.
A hot-standby node in the mod_cluster logic is the last resort node to which all requests are routed if
all other nodes are down. This is similar to the hot-standby logic in mod_proxy.
To configure a hot-standby node, replace the dynamic-load-provider in mod_cluster subsystem with
a simple-load-provider with factor set to 0, for example:
<subsystem xmlns="urn:jboss:domain:modcluster:1.2">
<mod-cluster-config advertise-socket="modcluster" connector="ajp">
<dynamic-load-provider>
<load-metric type="busyness"/>
</dynamic-load-provider>
+
<simple-load-provider factor="0"/>
</mod-cluster-config>
</subsystem>
In mod_cluster-manager console, the node is displayed with OK status and Load: 0. For more
information, refer Apache mod_cluster-manager Application section in the JBoss Enterprise Application
Platform Development Guide.
For instance, if there are three nodes:
Node A, Load: 10
Node B, Load: 10
Node C, Load: 0
The load will be balanced between nodes A and B. If both the nodes are unavailable, node C will
take the load.
mo d _man ag er
The context of a mod_manager directive is VirtualHost in all cases, except when mentioned otherwise.
server co nfi g context implies that the directive must be outside a VirtualHost configuration. If not,
an error message is displayed and httpd does not start.
4 20
D escrip t io n
EnableMCPMReceive
MemManagerFile
Valu es
Maxnode
Maxhost
Maxsessionid
D efault: 100
D efault: 20
D efault: 20
4 21
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
D erivat ive
D escrip t io n
Valu es
ManagerBalancerName
mycl uster
on/off
on/off
on/off
PersistSlots
CheckNonce
AllowD isplay
AllowCmd
ReduceD isplay
SetHandler mod_clustermanager
<Location
/mod_clustermanager>
SetHandler
mod_cluster-manager
Order
deny,allow
Allow from
127.0.0.1
</Location>
4 22
Off
on/off
D efault: on - Nonce checked
D efault: on - Commands
allowed
Note
When accessing the location defined in httpd.conf:
Transferred: Corresponds to the POST data send to the back-end server.
Connected: Corresponds to the number of requests that have been processed when the
mod_cluster status page was requested.
Num_sessions: Corresponds to the number of sessions mod_cluster report as active (on which
there was a request during the past 5 minutes). That field is not present when Maxsessionid is
zero. This field is for demonstration and debugging purposes only.
Report a bug
19.3.5. Use an Ext ernal Web Server as t he Web Front -end for JBoss EAP 6
Applicat ions
O verview
For reasons to use an external web server as the web front-end, as well as advantages and
disadvantages of the different HTTP connectors supported by JBoss EAP 6, refer to Section 19.1.3,
Overview of HTTP Connectors . In some situations, you can use the Apache HTTP Server that
comes with your operating system. Otherwise, you can use the Apache HTTP Server that ships as
part of JBoss Enterprise Web Server.
After you have decided which web server and HTTP connector to use, refer to one of the following
procedures:
Section 19.3.2, Install the Apache HTTP Server included with JBoss EAP 6 (Z ip)
Section 19.5.3, Install the mod_cluster Module Into Apache HTTP Server or JBoss Enterprise
Web Server (Z ip)
Section 19.6.3, Install the mod_jk Module Into the Apache HTTP Server (Z IP)
Section 19.8.3, Configure Microsoft IIS to Use the ISAPI Redirector
Section 19.9.2, Configure the NSAPI Connector on Oracle Solaris
Section 19.3.6, Configure JBoss EAP 6 to Accept Requests From External Web Servers
Report a bug
19.3.6. Configure JBoss EAP 6 t o Accept Request s From Ext ernal Web
Servers
O verview
JBoss EAP 6 does not need to know which proxy it is accepting requests from, only the port and
protocol to look for. This is not true of mo d _cl uster, which is more tightly coupled to the
configuration of JBoss EAP 6. But the following task works for mo d _jk, mo d _pro xy, ISAP I, and
NSAP I. Substitute the protocols and ports in the examples with the ones you need to configure.
4 23
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
To configure JBoss EAP 6 for mo d _cl uster, refer to Section 19.5.6, Configure a mod_cluster
Worker Node .
Prereq u isit es
You need to be logged into the Management CLI or Management Console to perform this task. The
exact steps in the task use the Management CLI, but the same basic procedure is used in the
Management Console.
You need a list of which protocols you will be using, whether HTTP, HTTPS, or AJP.
Pro ced u re 19 .5. Ed it C o n f ig u rat io n an d ad d So cket B in d in g s
1. C o n f ig u re t h e jvmR o ute syst em p ro p ert y.
By default, the jvmRoute is set to the same value as the server name. If you need to customize
it, you can use a command like the following. Replace or remove the /pro fi l e= ha portion
of the command, depending on which profile you use or whether you use a standalone
server. Replace the string C UST O M_R O UT E_NAME with your custom jvmRoute name.
[user@ localhost:9999 /] /pro fi l e= ha/subsystem= web: wri teattri bute(name= "i nstance-i d ",val ue= "C UST O M_R O UT E_NAME")
2. List t h e co n n ect o rs availab le in t h e web su b syst em.
Note
This step is only necessary if you are not using the ha or ful l -ha profiles for either a
standalone server, or a server group in a Managed D omain. Those configurations
already include all of the necessary connectors.
In order for an external web server to be able to connect to JBoss EAP 6's web server, the web
subsystem needs a connector. Each protocol needs its own connector, which is tied to a
socket group.
To list the connectors currently available, issue the following command:
[standalone@ localhost:9999 /] /subsystem= web: read -chi l d rennames(chi l d -type= co nnecto r)
If there is no line indicating the connector your need (HTTP, HTTPS, AJP), you need to add
the connector.
3. R ead t h e co n f ig u rat io n o f a co n n ect o r.
To see the details of how a connector is configured, you can read its configuration. The
following command reads the configuration of the AJP connector. The other connectors have
similar configuration output.
[standalone@ localhost:9999 /] /subsystem= web/co nnecto r= ajp: read reso urce(recursi ve= true)
{
"outcome" => "success",
4 24
"result" => {
"enable-lookups" => false,
"enabled" => true,
"max-post-size" => 2097152,
"max-save-post-size" => 4096,
"protocol" => "AJP/1.3",
"redirect-port" => 8443,
"scheme" => "http",
"secure" => false,
"socket-binding" => "ajp",
"ssl" => undefined,
"virtual-server" => undefined
}
}
4. Ad d t h e n ecessary co n n ect o rs t o t h e web su b syst em.
To add a connector to the web subsystem, it needs to have a socket binding. The socket
binding is added to the socket binding group used by your server or server group. The
following steps assume that your server group is server-g ro up-o ne and that your socket
binding group is stand ard -so ckets.
a. Ad d a so cket t o t h e so cket b in d in g g ro u p .
To add a socket to the socket binding group, issue the following command, replacing
the protocol and port with the ones you need.
[standalone@ localhost:9999 /] /so cket-bi nd i ng g ro up= stand ard -so ckets/so cket-bi nd i ng = ajp: ad d (po rt= 80 0 9 )
b. Ad d t h e so cket b in d in g t o t h e web su b syst em.
Issue the following command to add a connector to the web subsystem, substituting
the socket binding name and protocol with the ones you need.
[standalone@ localhost:9999 /]
/subsystem= web/co nnecto r= ajp: ad d (so cket-bi nd i ng = ajp,
pro to co l = "AJP /1. 3", enabl ed = true, scheme= "http")
Report a bug
4 25
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Refer to the following two procedures to configure JGroups and mod_cluster subsystems to use TCP
for network communication:
Section 19.4.2, Configure the JGroups Subsystem to Use TCP
Section 19.4.3, D isable Advertising for the mo d _cl uster Subsystem
Report a bug
4 26
/profile=full-ha/subsystem=jgroups/stack=tcp/:addprotocol(type=BARRIER)
/profile=full-ha/subsystem=jgroups/stack=tcp/:addprotocol(type=pbcast.NAKACK)
/profile=full-ha/subsystem=jgroups/stack=tcp/:addprotocol(type=UNICAST2)
/profile=full-ha/subsystem=jgroups/stack=tcp/:addprotocol(type=pbcast.STABLE)
/profile=full-ha/subsystem=jgroups/stack=tcp/:addprotocol(type=pbcast.GMS)
/profile=full-ha/subsystem=jgroups/stack=tcp/:addprotocol(type=UFC)
/profile=full-ha/subsystem=jgroups/stack=tcp/:addprotocol(type=MFC)
/profile=full-ha/subsystem=jgroups/stack=tcp/:addprotocol(type=FRAG2)
/profile=full-ha/subsystem=jgroups/stack=tcp/:addprotocol(type=RSVP)
/profile=full-ha/subsystem=jgroups:write-attribute(name=defaultstack,value=tcp)
run-batch
/profile=fullha/subsystem=jgroups/stack=tcp/protocol=TCPPING/property=initial_ho
sts/:add(value="HostA[7600],HostB[7600]")
/profile=fullha/subsystem=jgroups/stack=tcp/protocol=TCPPING/property=port_range
/:add(value=0)
/profile=fullha/subsystem=jgroups/stack=tcp/protocol=TCPPING/property=timeout/:a
dd(value=3000)
/profile=fullha/subsystem=jgroups/stack=tcp/protocol=TCPPING/property=num_initia
l_members/:add(value=3)
2. R u n t h e scrip t in b at ch mo d e.
Warning
The servers running the profile have to be shutdown before executing the batch file.
In a terminal emulator, navigate to the directory containing the jbo ss-cl i . sh script and
enter the command
./jboss-cli.sh -c --file=SCRIPT_NAME
where SCRIPT_NAME is the name and path containing the script.
R esu lt
The T C P P ING stack is now available to the JGroups subsystem. If it is used, the JGroups subsystem
uses TCP for all network communication. To configure the mo d _cl uster subsystem to use TCP as
well, see Section 19.4.3, D isable Advertising for the mo d _cl uster Subsystem .
4 27
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
4 28
4 29
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The httpd balancer no longer advertises its presence to worker nodes and UD P multicast is no
longer used.
Report a bug
Note
If security is enabled, you must set the cluster-password attribute:
< clusterpassword>${jboss.messaging.cluster.password:ChangeMe>}</clusterpassword>
<broadcast-group name="bg-group1">
<socket-binding>messaging-group</socket-binding>
<broadcast-period>5000</broadcast-period>
<connector-ref>netty</connector-ref>
</broadcast-group>
< /broadcast-groups>
< discovery-groups>
<discovery-group name="dg-group1">
<socket-binding>messaging-group</socket-binding>
<refresh-timeout>10000</refresh-timeout>
</discovery-group>
< /discovery-groups
2. O p t io n ally, remo ve t h e "messag in g - g ro u p " so cket - b in d in g :
4 30
4. C o n f ig u re t h e relat ed so cket b in d in g s.
Note
The system property substitution can be used for either " host" or " port" , if required.
<address>jms</address>
<connector-ref>netty</connector-ref>
<static-connectors>
<connector-ref>other-cluster-node1</connector-ref>
<connector-ref>other-cluster-node2</connector-ref>
</static-connectors>
< /cluster-connection>
This process has to be repeated on each of the cluster nodes so that each node has
connectors to every other node in the cluster.
Note
D o not configure a node with a connection to itself. This is considered as a
misconfiguration.
Report a bug
4 31
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Note
The mo d _cl uster configuration page is only visible for ha and ful l -ha profiles. For a
managed domain these profiles are ha and ful l -ha, and for a standalone server they are
stand al o ne-ha and stand al o ne-ful l -ha.
D escrip t io n
4 32
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=loadbalancinggroup,value=myGroup)
O p t io n
D escrip t io n
Balancer
Advertise Socket
Advertise
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=balan
cer,value=myBalancer
)
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=adver
tisesocket,value=modclus
ter)
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=adver
tise-securitykey,value=myKey)
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=adver
tise,value=true)
D escrip t io n
C LI C o mman d
4 33
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
D escrip t io n
Sticky Session
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=stick
ysession,value=true)
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=stick
y-sessionforce,value=false)
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=stick
y-sessionremove,value=false)
D escrip t io n
4 34
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=autoenablecontexts,value=true)
O p t io n
D escrip t io n
Excluded Contexts
A comma-separated list of
contexts that mo d _cl uster
should ignore. If no host is
indicated, the host is assumed
to be l o cal ho st. R O O T
indicates the root context of the
Web Application. The default
value is
R O O T ,i nvo ker,jbo ssws,ju
d d i ,co nso l e.
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=exclu
dedcontexts,value="ROOT
,invoker,jbossws,judd
i,console")
D escrip t io n
Proxy URL
Proxy List
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=proxy
-url,value=myhost)
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=proxy
list,value="127.0.0.1
,127.0.0.2")
D escrip t io n
C LI C o mman d
4 35
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
D escrip t io n
ssl
Key Alias
Key Store
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/ssl=configuration/:
writeattribute(name=ssl,v
alue=true)
/subsystem=modcluster
/mod-clusterconfig=configuration
/ssl=configuration/:
writeattribute(name=keyalias,value=jboss)
/subsystem=modcluster
/mod-clusterconfig=configuration
/ssl=configuration/:
writeattribute(name=keystore,value=System.g
etProperty("user.hom
e") + "/.keystore")
4 36
O p t io n
D escrip t io n
Password
Trust Algorithm
Cert File
CRL File
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/ssl=configuration/:
writeattribute(name=passw
ord,value=changeit)
/subsystem=modcluster
/mod-clusterconfig=configuration
/ssl=configuration/:
writeattribute(name=trust
algorithm,value=PKIX
)
/subsystem=modcluster
/mod-clusterconfig=configuration
/ssl=configuration/:
writeattribute(name=cacertificatefile,value=${user.ho
me}/jboss.crt)
4 37
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
D escrip t io n
Key File
Cipher Suite
Revocation URL
4 38
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/ssl=configuration/:
writeattribute(name=trust
-max-certlength,value=5)
/subsystem=modcluster
/mod-clusterconfig=configuration
/ssl=configuration/:
writeattribute(name=certi
ficate-keyfile,value=${user.ho
me}/.keystore)
/subsystem=modcluster
/mod-clusterconfig=configuration
/ssl=configuration/:
writeattribute(name=ciphe
r-suite,value=ALL)
/subsystem=modcluster
/mod-clusterconfig=configuration
/ssl=configuration/:
writeattribute(name=encod
ingalgorithms,value=ALL
)
/subsystem=modcluster
/mod-clusterconfig=configuration
/ssl=configuration/:
writeattribute(name=carevocationurl,value=jboss.crl)
O p t io n
D escrip t io n
Protocol
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/ssl=configuration/:
writeattribute(name=proto
col,value="TLSv1,
TLSv1.1,TLSv1.2")
Warning
Red Hat recommends
that you explicitly
disable SSL in favor of
TLSv1.1 or TLSv1.2 in all
affected packages.
D escrip t io n
Node Timeout
Socket Timeout
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=nodetimeout,value=-1)
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=socke
t-timeout,value=20)
4 39
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
D escrip t io n
Max Attempts
Flush Packets
440
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=stopcontexttimeout,value=10)
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=sessi
on-drainingstrategy,value=DEFAU
LT)
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=maxattempts,value=1)
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=flush
-packets,value=false)
O p t io n
D escrip t io n
Flush Wait
Ping
SMAX
TTL
Node Timeout
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=flush
-wait,value=-1)
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=ping,
value=10)
profile=fullha/subsystem=modclust
er/mod-clusterconfig=configuration
/:writeattribute(name=smax,
value=ThreadsPerChil
d)
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=ttl,v
alue=-1)
/subsystem=modcluster
/mod-clusterconfig=configuration
/:writeattribute(name=nodetimeout,value=-1)
441
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The following mo d _cl uster configuration options are not available in the management console,
but can only be set using the management CLI.
A simple load provider is used if no dynamic load provider is present. It assigns each cluster member
a load factor of 1, and distributes work evenly without applying a load balancing algorithm. To add
it, use the following management CLI command.
/subsystem=modcluster/mod-cluster-config=configuration/simple-loadprovider:add
A dynamic load provider can be configured to use a variety of algorithms in combination, in order to
determine which cluster node receives the next request. You can create a load provider and configure
it to suit your environment, and you can have more than one load metric active simultaneously by
adding them via the CLI. The default dynamic load provider uses busyness as the determining load
metric. The dynamic load provider options and possible load metrics are shown below.
T ab le 19 .10. mo d _cl uster D yn amic Lo ad Pro vid er O p t io n s
O p t io n
D escrip t io n
D ecay
History
442
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/dynamic-loadprovider=configurati
on/:writeattribute(name=decay
,value=2)
/subsystem=modcluster
/mod-clusterconfig=configuration
/dynamic-loadprovider=configurati
on/:writeattribute(name=histo
ry,value=9)
O p t io n
D escrip t io n
Load Metric
C LI C o mman d
/subsystem=modcluster
/mod-clusterconfig=configuration
/dynamic-loadprovider=configurati
on/loadmetric=busyness/:wri
teattribute(name=capac
ity,value=1.0)
/subsystem=modcluster
/mod-clusterconfig=configuration
/dynamic-loadprovider=configurati
on/loadmetric=busyness/:wri
teattribute(name=type,
value=busyness)
/subsystem=modcluster
/mod-clusterconfig=configuration
/dynamic-loadprovider=configurati
on/loadmetric=busyness/:wri
teattribute(name=weigh
t,value=1)
443
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The heap load metric uses the heap usage to determine which cluster receives the next
work load.
sessio n s
The sessi o n load metric uses the number of active sessions as a metric.
req u est s
The req uests load metric uses the number of client requests to determine which cluster
node receives the next work load. For instance, capacity 1000 means that 1000
requests/sec is considered to be a full load.
sen d - t raf f ic
The send -traffi c load metric uses the amount of traffic sent from the worker node to the
clients. E.g. the default capacity of 512 indicates that the node should be considered under
full load if the average outbound traffic is 512 KB/s or higher.
receive- t raf f ic
The receive-traffic load metric uses the amount of traffic sent to the worker node from the
clients. E.g. the default capacity of 1024 indicates that the node should be considered
under full load if the average inbound traffic is 1024 KB/s or higher.
b u syn ess
This metric represents the amount of threads from the thread pool being busy serving
requests.
444
Report a bug
Note
If you use a 64 bit system the mod_cluster binary web server modules will be located here:
EAP _HO ME/mo d ul es/system/l ayers/base/nati ve/l i b6 4 /httpd /mo d ul es. You
must use this path whenever you need access to the modules.
445
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Note
Using the name JBoss_HTTP. co nf is an arbitrary convention in this document. The
configuration file will be loaded, regardless of its name, if it is saved in the co nf. d /
directory with the . co nf extension.
Add the following to your configuration file:
LoadModule
LoadModule
LoadModule
LoadModule
slotmem_module modules/mod_slotmem.so
manager_module modules/mod_manager.so
proxy_cluster_module modules/mod_proxy_cluster.so
advertise_module modules/mod_advertise.so
This causes Apache HTTP Server to automatically load the modules that mo d _cl uster
needs in order to function.
5. C reat e a p ro xy server list en er.
446
Continue editing HTTPD_HOME/httpd /co nf. d /JBo ss_HT T P . co nf and add the following
minimal configuration, replacing the values in capital letters with suitable values for your
environment.
Listen IP_ADDRESS:PORT
<VirtualHost IP_ADDRESS:PORT>
<Location />
Order deny,allow
Deny from all
Allow from *.MYDOMAIN.COM
</Location>
KeepAliveTimeout 60
MaxKeepAliveRequests 0
EnableMCPMReceive On
ManagerBalancerName mycluster
ServerAdvertise On
</VirtualHost>
These directives create a new virtual server which listens on IP _AD D R ESS: P O R T , allows
connections from MY D O MAIN. C O M, and advertises itself as a balancer called mycl uster.
These directives are covered in detail in the documentation for Apache Web Server. To learn
more about the ServerAd verti se and Enabl eMC P MR ecei ve directives, and the
implications of server advertisement, see Section 19.5.5, Configure Server Advertisement
Properties for Your mod_cluster-enabled Web Server .
Save the file and exit.
6. R est art t h e Ap ach e H T T P Server.
The way to restart the Apache HTTP Server depends on whether you are using Red Hat
Enterprise Linux's Apache HTTP Server or the Apache HTTP Server included in JBoss
Enterprise Web Server. Choose one of the two methods below.
A. R ed H at En t erp rise Lin u x 6 Ap ach e H T T P Server
Issue the following command:
[root@ host]# servi ce httpd restart
B. JB o ss En t erp rise Web Server H T T P Server
JBoss Enterprise Web Server runs on both Red Hat Enterprise Linux and Microsoft
Windows Server. The method for restarting the Apache HTTP Server is different for each.
A. R ed H at En t erp rise Lin u x
In Red Hat Enterprise Linux, JBoss Enterprise Web Server installs its Apache HTTP
Server as a service. To restart the Apache HTTP Server, issue the following two
commands:
[ro o t@ ho st ~ ]# servi ce httpd sto p
[ro o t@ ho st ~ ]# servi ce httpd start
447
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
448
If you choose to upgrade to Apache HTTP Server 2.2.26, install the latest version using
the following command.
yum install httpd
3. To have the Apache HTTP Server service start at boot, enter the following command:
A. For Red Hat Enterprise Linux 5 and 6:
service httpd add
B. For Red Hat Enterprise Linux 7:
systemctl enable httpd22.service
4. Start the mod_cluster balancer with the following command:
A. For Red Hat Enterprise Linux 5 and 6:
service httpd start
B. For Red Hat Enterprise Linux 7:
systemctl start httpd22.service
Report a bug
19.5.5. Configure Server Advert isement Propert ies for Your mod_clust erenabled Web Server
Su mmary
For instructions on configuring your web server to interact with the mod_cluster load balancer, see
Section 19.5.3, Install the mod_cluster Module Into Apache HTTP Server or JBoss Enterprise Web
Server (Z ip) . One aspect of the configuration which needs more explanation is server advertisement.
When server advertisement is active, the web server broadcasts messages containing the IP address
and port number specified in the mod_cluster virtual host. To configure these values, see
Section 19.5.3, Install the mod_cluster Module Into Apache HTTP Server or JBoss Enterprise Web
Server (Z ip) . If UD P multicast is not available on your network, or you prefer to configure worker
nodes with a static list of proxy servers, you can disable server advertisement and manually
configure the worker nodes. See Section 19.5.6, Configure a mod_cluster Worker Node for
information on configuring a worker node.
The changes in this procedure need to be made to the httpd . co nf associated with your Apache
HTTP Server instance. This is often /etc/httpd /co nf/httpd . co nf in Red Hat Enterprise Linux,
or may be in the etc/ directory of your standalone Apache HTTP Server instance.
Pro ced u re 19 .8. Ed it t h e h t t p d .co n f f ile an d imp lemen t t h e ch an g es
1. D isab le t h e Ad verti seFreq uency p aramet er, if it exist s.
449
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
If you have a line like the following in your <Vi rtual Ho st> statement, comment it out by
putting a # (hash) character before the first character. The value may be different from 5.
AdvertiseFrequency 5
2. Ad d t h e d irect ive t o d isab le server ad vert isemen t .
Add the following directive inside the <Vi rtual Ho st> statement, to disable server
advertisement.
ServerAdvertise Off
3. En ab le t h e ab ilit y t o receive MC PM messag es.
Add the following directive to allow the Web server to receive MCPM messages from the worker
nodes.
EnableMCPMReceive On
4. R est art t h e Web server.
Restart the Web server by issuing one of the following, depending on whether you use Red
Hat Enterprise Linux or Microsoft Windows Server.
A. R ed H at En t erp rise Lin u x
[root@ host ]# service httpd restart
B. Micro so f t Win d o ws Server
C:\> net service http
C:\> net service httpd start
R esu lt
The web server no longer advertises the IP address and port of your mod_cluster proxy. To reiterate,
you need to configure your worker nodes to use a static address and port to communicate with the
proxy. See Section 19.5.6, Configure a mod_cluster Worker Node for more details.
Report a bug
4 50
The load-balancing web server is configured via the mo d _cl uster subsystem. To configure the
mo d _cl uster subsystem, refer to Configure the mod_cluster Subsystem in the Administration and
Configuration Guide.
Worker nodes in a managed domain shares an identical configuration across a server group.
Worker nodes running as standalone servers are configured individually. The configuration steps
are otherwise identical.
Wo rker N o d e C o n f ig u rat io n
A standalone server must be started with the stand al o ne-ha or stand al o ne-ful l -ha profile.
A server group in a managed domain must use the ha or ful l -ha profile, and the ha-so ckets
or ful l -ha-so ckets socket binding group. JBoss EAP 6 ships with a cluster-enabled server
group called o ther-server-g ro up which meets these requirements.
Note
Where Management CLI commands are given, they assume you use a managed domain. If you
use a standalone server, remove the /pro fi l e= ful l -ha portion of the commands.
4 51
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
/i nterface= unsecure: wri te-attri bute(name= i netad d ress,val ue= "${jbo ss. bi nd . ad d ress. unsecure: EXTERNAL_IP_AD
DRESS}"
: rel o ad
You should see the following result for each command.
"outcome" => "success"
d. For hosts that participate in a managed domain but are not the master, you must
change the host name from master to a unique name. This name must be unique
across slaves and will be used for the slave to identify to the cluster, so make a note
of the name you use.
i. Start the JBoss EAP slave host using the following syntax:
bi n/d o mai n. sh --ho st-co nfi g = HOST_SLAVE_XML_FILE_NAME
For example:
bi n/d o mai n. sh --ho st-co nfi g = ho st-sl ave0 1. xml
ii. Launch the Management CLI.
iii. Use the following syntax to replace the host name:
/ho st= master: wri teattri bute(name= "name",val ue= UNIQUE_HOST_SLAVE_NAME)
For example:
/ho st= master: wri te-attri bute(name= "name",val ue= "ho stsl ave0 1")
You should see the following result.
"outcome" => "success"
This modifies the XML in the ho st-sl ave0 1. xml file as follows:
<host name="host-slave01" xmlns="urn:jboss:domain:1.6">
e. For newly configured hosts that need to join a managed domain, you must remove the
l o cal element and add the remo te element ho st attribute that points to the domain
controller. This step does not apply for a standalone server.
i. Start the JBoss EAP slave host using the following syntax:
bi n/d o mai n. sh --ho st-co nfi g = HOST_SLAVE_XML_FILE_NAME
For example:
bi n/d o mai n. sh --ho st-co nfi g = ho st-sl ave0 1. xml
4 52
4 53
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
4 54
c. Specify the secret value by typing the following command. Be sure to replace the
SEC R ET _VALUE with the masked password generated in the previous step.
/co re-servi ce= manag ement/securi tyreal m= Manag ementR eal m/serveri d enti ty= secret: ad d (val ue= "${VAULT : : secret: : passwo rd : : SEC
RET_VALUE}")
: rel o ad
You should see the following result for each command.
"outcome" => "success"
Note
When creating a password in the vault, it must be specified in plain text, not
Base64-encoded.
4 55
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Note
The password must be entered in plain text and will be visible to anyone
who issues a ps -ef command.
B. Place the password in a properties file and pass the properties file URL as a
command line argument.
i. Add the key/value pair to a properties file. For example:
server.identity.password=changeme
ii. Start the server with the command line arguments
--properties=URL_TO_PROPERTIES_FILE
.
5. R est art t h e server.
The slave will now authenticate to the master using its host name as the username and the
encrypted string as its password.
R esu lt
Your standalone server, or servers within a server group of a managed domain, are now configured
as mod_cluster worker nodes. If you deploy a clustered application, its sessions are replicated to all
cluster nodes for failover, and it can accept requests from an external Web server or load balancer.
Each node of the cluster discovers the other nodes using automatic discovery, by default.To
configure automatic discovery, and the other specific settings of the mo d _cl uster subsystem, see
Section 19.5.2, Configure the mo d _cl uster Subsystem . To configure the Apache HTTP Server,see
Section 19.3.5, Use an External Web Server as the Web Front-end for JBoss EAP 6 Applications .
Report a bug
4 56
2. In both Cluster NEW and Cluster OLD , make sure that the configuration option sti ckysessi o n is set to true (this is true by default). Enabling this option means that all new
requests made to a cluster node in either cluster will continue to go to that node.
/profile=full-ha/subsystem=modcluster/mod-clusterconfig=configuration/:write-attribute(name=stickysession,value=true)
3. Add the nodes in Cluster NEW to the mod_cluster configuration individually using the
process described here: Section 19.5.6, Configure a mod_cluster Worker Node
4. Configure the load balancer (mod_cluster) to stop the individual contexts in Cluster OLD .
Stopping contexts (as opposed to disabling them) in Cluster OLD will allow the individual
contexts to shutdown gracefully (and eventually shutdown the whole node). Existing
sessions will still be served, but no new sessions will be directed to those nodes. The stopped
contexts may take several minutes to several hours to stop.
You can use the following CLI command to stop a context. Replace the parameter values with
values that are relevant in your environment.
[standalone@ localhost:9999 subsystem=modcluster] :stopcontext(context=/myapp, virtualhost=default-host, waittime=50)
R esu lt
You have successfully upgraded a JBoss EAP 6 Cluster.
Report a bug
4 57
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Note
mo d _cl uster is a more advanced load balancer than mo d _jk. mo d _cl uster provides all
of the functionality of mo d _jk and additional features. For more information about
mo d _cl uster, see Section 19.5.1, About the mo d _cl uster HTTP Connector .
4 58
If you need to install Apache HTTP Server, use the instructions in the Red Hat Enterprise Linux
Deployment Guide.
If you need to install JBoss Enterprise Web Server, use the instructions from the JBoss Enterprise
Web Server Installation Guide.
If you are using Apache HTTP Server, download the JBoss EAP 6 Native Components package
for your platform from the Red Hat Customer Portal at https://access.redhat.com. This package
contains both the mo d _jk and mo d _cl uster binaries precompiled for Red Hat Enterprise
Linux. If you are using JBoss Enterprise Web Server, it already includes the binary for mo d _jk.
If you are using Red Hat Enterprise Linux (RHEL) 5 and native Apache HTTP server (httpd 2.2.3),
load the mod_perl module prior to loading mod_jk module.
You must be logged in with administrative (root) privileges.
Pro ced u re 19 .11. In st all t h e mo d _jk Mo d u le
1. C o n f ig u re t h e mo d _jk mo d u le.
a. Create a new file called HTTPD_HOME/co nf. d /mo d -jk. co nf and add the
following to it:
T he JkMount directive
The JkMo unt directive specifies which URLs Apache should forward to the
mod_jk module. Based on the directive's configuration, mod_jk forwards the
received URL to the correct Servlet containers.
To serve static content directly, and only use the load balancer for Java
applications, the URL path should be /appl i cati o n/*. To use mod_jk as a
load balancer, use the value /*, to forward all URLs to mod_jk.
4 59
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Look over the values and ensure they are reasonable for your setup. When you are
satisfied, save the file.
b. Sp ecif y a JK Mo u n t File d irect ive
In addition to the JKMount directive in the mo d -jk. co nf, you can specify a file
which contains multiple URL patterns to be forwarded to mod_jk.
i. Add the following to the HTTPD_HOME/co nf/mo d -jk. co nf file:
# You can use external file for mount points.
# It will be checked for updates each 60 seconds.
# The format of the file is: /url=worker
# /examples/*=loadbalancer
JkMountFile conf/uriworkermap.properties
ii. Create a new file called HTTPD_HOME/co nf/uri wo rkermap. pro perti es,
with a line for each URL pattern to be matched. The following example shows
examples of the syntax of the file.
# Simple worker configuration file
/*=loadbalancer
c. C o p y t h e mo d _jk.so f ile t o t h e h t t p d ' s mo d u les d irect o ry
Note
This is only necessary if the Apache HTTP server does not have mo d _jk. so
in its mo d ul es/ directory. You can skip this step if you are using the Apache
HTTP server included as a download as part of JBoss EAP 6.
4 60
Extract the Native Web Server Connectors Z ip package. Locate the mo d _jk. so file in
either the
EAP_HOME/mo d ul es/system/l ayers/base/nati ve/l i b/httpd /mo d ul es/ or
the
EAP_HOME/mo d ul es/system/l ayers/base/nati ve/l i b6 4 /httpd /mo d ul es/
directories, depending on whether your operating system is 32-bit or 64-bit.
Copy the file to the HTTPD_HOME/mo d ul es/ directory.
2. C o n f ig u re t h e mo d _jk wo rker n o d es.
a. Create a new file called HTTPD_HOME/co nf/wo rkers. pro perti es. Use the
following example as your starting point, and modify the file to suit your needs.
# Define list of workers that will be used
# for mapping requests
worker.list=loadbalancer,status
# Define Node1
# modify the host as your host IP or DNS name.
worker.node1.port=8009
worker.node1.host=node1.mydomain.com
worker.node1.type=ajp13
worker.node1.ping_mode=A
worker.node1.lbfactor=1
# Define Node2
# modify the host as your host IP or DNS name.
worker.node2.port=8009
worker.node2.host=node2.mydomain.com
worker.node2.type=ajp13
worker.node2.ping_mode=A
worker.node2.lbfactor=1
# Load-balancing behavior
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=1
# Status worker for managing load balancer
worker.status.type=status
For a detailed description of the syntax of the wo rkers. pro perti es file, and
advanced configuration options, see Section 19.6.5, Configuration Reference for
Apache Mod_jk Workers .
3. R est art t h e Web Server.
The way to restart the web server depends on whether you are using Red Hat Enterprise
Linux's Apache HTTP server or the Apache HTTP server included in JBoss Enterprise Web
Server. Choose one of the following methods.
A. R ed H at En t erp rise Lin u x' s Ap ach e H T T P Server
Issue the following command:
4 61
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
4 62
To perform this task, you must be using Apache HTTP Server installed on a supported
environment or the Apache HTTP Server installed in JBoss Enterprise Web Server. Note that the
Apache HTTP Server installed in JBoss Enterprise Web Server is part of the JBoss EAP 6
distribution.
If you need to install Apache HTTP Server, use the instructions from the Red Hat Enterprise Linux
Deployment Guide, available from https://access.redhat.com/site/documentation/.
If you need to install JBoss Enterprise Web Server, use the instructions from the JBoss Enterprise
Web Server Installation Guide, available from https://access.redhat.com/site/documentation/.
You must be logged in with administrative (root) privileges.
Pro ced u re 19 .12. R ed H at En t erp rise Lin u x 5: mo d _jk wit h Ap ach e H T T P Server 2.2.3
1. Install mod_jk-ap22 1.2.37 and its dependency mod_perl from the jbapppl atfo rm-6 -*server-5-rpm channel:
yum install mod_jk
2. O p t io n al: Copy the sample configuration files for use:
cp /usr/share/doc/mod_jk-ap22-1.2.37/mod_jk.conf.sample
/etc/httpd/conf.d/mod_jk.conf
cp /usr/share/doc/mod_jk-ap22-1.2.37/workers.properties.sample
/etc/httpd/conf/workers.properties
These files should be edited to suit your needs.
3. Start the server:
service httpd start
Note
The following error message indicates that your mod_jk module had been loaded before
mod_perl was present:
Cannot load /etc/httpd/modules/mod_jk.so into server:
/etc/httpd/modules/mod_jk.so: undefined symbol:
ap_get_server_description
To ensure mod_perl module is loaded before mod_jk module add the following to the
/etc/httpd /co nf. d /mo d _jk. co nf:
<IfModule !perl_module>
LoadModule perl_module modules/mod_perl.so
</IfModule>
LoadModule jk_module modules/mod_jk.so
4 63
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Pro ced u re 19 .13. R ed H at En t erp rise Lin u x 5: mo d _jk wit h JB o ss EAP Ap ach e H T T P
Server 2.2.26
1. Install both mod_jk and the latest Apache HTTP Server 2.2.26 provided by the
jbapppl atfo rm-6 -*-server-5-rpm channel with this command:
yum install mod_jk httpd
2. O p t io n al: Copy the sample configuration files for use:
cp /usr/share/doc/mod_jk-ap22-1.2.37/mod_jk.conf.sample
/etc/httpd/conf.d/mod_jk.conf
cp /usr/share/doc/mod_jk-ap22-1.2.37/workers.properties.sample
/etc/httpd/conf/workers.properties
These files should be edited to suit your needs.
3. Start the server:
service httpd start
Pro ced u re 19 .14 . R ed H at En t erp rise Lin u x 6 : mo d _jk wit h JB o ss EAP Ap ach e H T T P
Server 2.2.26
1. Install mod_jk-ap22 1.2.37 and Apache HTTP Server 2.2.26 httpd package from the
jbapppl atfo rm-6 -*-server-6 -rpm channel (any existing versions will be updated):
yum install mod_jk httpd
2. O p t io n al: Copy the sample configuration files for use:
cp /usr/share/doc/mod_jk-ap22-1.2.37/mod_jk.conf.sample
/etc/httpd/conf.d/mod_jk.conf
cp /usr/share/doc/mod_jk-ap22-1.2.37/workers.properties.sample
/etc/httpd/conf/workers.properties
These files should be edited to suit your needs.
3. Start the server:
service httpd start
Pro ced u re 19 .15. R ed H at En t erp rise Lin u x 6 : mo d _jk wit h Ap ach e H T T P Server 2.2.15
1. Install mod_jk with Apache HTTP Server 2.2.15 with the following command:
yum install mod_jk
2. O p t io n al: Copy the sample configuration files for use:
4 64
cp /usr/share/doc/mod_jk-ap22-1.2.37/mod_jk.conf.sample
/etc/httpd/conf.d/mod_jk.conf
cp /usr/share/doc/mod_jk-ap22-1.2.37/workers.properties.sample
/etc/httpd/conf/workers.properties
These files should be edited to suit your needs.
3. Start the server:
service httpd start
Pro ced u re 19 .16 . R ed H at En t erp rise Lin u x 7: mo d _jk wit h JB o ss EAP Ap ach e H T T P
Server 2.2.26
1. Install mod_jk-ap22 1.2.37 and Apache HTTP Server 2.2.26 httpd22 package from the
jbapppl atfo rm-6 -*-server-6 -rpm channel (any existing versions will be updated):
yum install mod_jk
2. O p t io n al: Copy the sample configuration files for use:
cp /usr/share/doc/mod_jk-ap22-1.2.37/mod_jk.conf.sample
/etc/httpd22/conf.d/mod_jk.conf
cp /usr/share/doc/mod_jk-ap22-1.2.37/workers.properties.sample
/etc/httpd22/conf/workers.properties
These files should be edited to suit your needs.
3. Start the server:
systemctl start httpd22.service
Report a bug
4 65
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Node templates specify default per-node settings. You can override the template within the node
settings itself. You can see an example of node templates in Example 19.5, Example
wo rkers. pro perti es file .
T ab le 19 .11. G lo b al p ro p ert ies
Pro p ert y
D escrip t io n
worker.list
The list of worker names used by mod_jk. These workers are available to
receive requests.
D escrip t io n
type
The type of the worker. The default type is ajp13. Other possible values
are ajp14 , l b, status.
For more information on these directives, refer to the Apache Tomcat
Connector AJP Protocol Reference at
http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html.
balance_workers
sticky_session
Specifies the worker nodes that the load balancer must manage. You can
use the directive multiple times for the same load balancer. It consists of a
comma-separated list of worker names. This is set per worker, not per
node. It affects all nodes balanced by that worker type.
Specifies whether requests from the same session are always routed to
the same worker. The default is 0 , meaning that sticky sessions are
disabled. To enable sticky sessions, set it to 1. Sticky sessions should
usually be enabled, unless all of your requests are truly stateless. This is
set per worker, not per node. It affects all nodes balanced by that worker
type.
D escrip t io n
host
The hostname or IP address of the worker. The worker node must support
the ajp protocol stack. The default value is l o cal ho st.
The port number of the remote server instance listening for defined
protocol requests. The default value is 80 0 9 , which is the default
listening port for AJP13 workers. The default value for AJP14 workers is
80 11.
port
4 66
Pro p ert y
D escrip t io n
ping_mode
The conditions under which connections are probed for network status.
The probe uses an empty AJP13 packet for CPing, and expects a CPong
in response. Specify the conditions by using a combination of directive
flags. The flags are not separated by a comma or any white-space. The
ping_mode can be any combination of C , P , I, and A.
C - Connect. Probe the connection one time after connecting to the
server. Specify the timeout using the value of co nnect_ti meo ut.
Otherwise, the value of pi ng _ti meo ut is used.
P - Prepost. Probe the connection before sending each request to the
server. Specify the timeout using the prepo st_ti meo ut directive.
Otherwise, the value of pi ng _ti meo ut is used.
I - Interval. Probe the connection at an interval specified by
co nnecti o n_pi ng _i nterval , if present. Otherwise, the value of
pi ng _ti meo ut is used.
A - All. A shortcut for C P I, which specifies that all connection probes
are used.
ping_timeout,
connect_timeout,
prepost_timeout,
connection_ping_inter
val
lbfactor
The timeout values for the connection probe settings above. The value is
specified in milliseconds, and the default value for pi ng _ti meo ut is
10000.
4 67
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Further configuration details for Apache mod_jk are out of the scope of this document. Refer to the
Apache documentation at http://tomcat.apache.org/connectors-doc/ for further instructions.
Report a bug
4 68
1. En ab le t h e mo d _pro xy mo d u les in t h e h t t p d
Look for the following lines in your HTTPD_HOME/co nf/httpd . co nf file. If they are not
present, add them to the bottom. If they are present but the lines begin with a comment (#)
character, remove the character. Save the file afterward. Usually, the modules are already
present and enabled.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# Uncomment these to proxy FTP or HTTPS
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
2. Ad d a n o n - lo ad - b alan cin g p ro xy.
Add the following configuration to your HTTPD_HOME/co nf/httpd . co nf file, directly
beneath any other <Vi rtual Ho st> directives you may have. Replace the values with ones
appropriate to your setup.
This example uses a virtual host. See the next step to use the default httpd configuration.
<VirtualHost *:80>
# Your domain name
ServerName Domain_NAME_HERE
ProxyPreserveHost On
# The IP and port of JBoss EAP 6
# These represent the default values, if your httpd is on the same
host
# as your JBoss EAP 6 managed domain or server
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
# The location of the HTML files, and access control information
DocumentRoot /var/www
<Directory /var/www>
Options -Indexes
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
After making your changes, save the file.
3. Ad d a lo ad - b alan cin g p ro xy.
To use mo d _pro xy as a load balancer, and send work to multiple JBoss EAP 6 servers, add
the following configuration to your HTTPD_HOME/co nf/httpd . co nf file. The example IP
addresses are fictional. Replace them with the appropriate values for your environment.
<Proxy balancer://mycluster>
Order deny,allow
4 69
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The examples above all communicate using the HTTP protocol. You can use AJP or HTTPS
protocols instead, if you load the appropriate mo d _pro xy modules. Refer to Apache's
mo d _pro xy documentation http://httpd.apache.org/docs/2.2/mod/mod_proxy.html for more
details.
4. En ab le st icky sessio n s.
Sticky sessions mean that if a client request originally goes to a specific JBoss EAP 6 node,
all future requests will be sent to the same node, unless the node becomes unavailable. This
is almost always the correct behavior.
To enable sticky sessions for mo d _pro xy, add the sti ckysessi o n parameter to the
P ro xyP ass statement. This example also shows some other parameters which you can use.
See Apache's mo d _pro xy documentation at
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html for more information on them.
ProxyPass /MyApp balancer://mycluster stickysession=JSESSIONID
lbmethod=bytraffic nofailover=Off
5. R est art t h e Web Server.
Restart the web server for your changes to take effect.
R esu lt
4 70
Your Apache HTTP server is configured to use mo d _pro xy to send client requests to JBoss EAP 6
servers or clusters, either in a standard or load-balancing configuration. To configure JBoss EAP 6
to respond to these requests, see Section 19.3.6, Configure JBoss EAP 6 to Accept Requests From
External Web Servers .
Report a bug
19.8.2. Download and Ext ract Webserver Connect or Nat ives for Microsoft IIS
1. In a web browser, navigate to the Red Hat Customer Support portal at
https://access.redhat.com.
2. Navigate to D o wnl o ad s, then R ed Hat JBo ss Mi d d l eware D o wnl o ad So ftware,
then select Enterpri se Appl i cati o n P l atfo rm from the P ro d uct drop-down list.
3. Select the appropriate version from the Versi o n drop-down list.
4. Choose the D o wnl o ad option of either R ed Hat JBo ss Enterpri se Appl i cati o n
P l atfo rm 6 . 3. 0 Webserver C o nnecto r Nati ves fo r Wi nd o ws Server 20 0 8
x86 _6 4 or R ed Hat JBo ss Enterpri se Appl i cati o n P l atfo rm 6 . 3. 0
Webserver C o nnecto r Nati ves fo r Wi nd o ws Server 20 0 8 i 6 86 depending on
the architecture of the server.
5. Open the Z ip file and copy the contents of the jbo ss-eap6 . 3/mo d ul es/system/l ayers/base/nati ve/sbi n directory to a location on your
server. It is assumed the contents were copied to C : \co nnecto rs\.
Report a bug
Note
See https://access.redhat.com/site/articles/111663 for a list of supported configurations of
Microsoft Windows Server and IIS.
4 71
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
4 72
4 73
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
4 74
worker.list=worker01, worker02
# Entries that define the host and port associated with these
workers
# First JBoss EAP 6 server definition, port 8009 is standard port
for AJP in EAP
worker.worker01.host=127.0.0.1
worker.worker01.port=8009
worker.worker01.type=ajp13
# Second JBoss EAP 6 server definition
worker.worker02.host=127.0.0.100
worker.worker02.port=8009
worker.worker02.type=ajp13
5.
C reat e t h e rewri te. pro perti es f ile.
The rewri te. pro perti es file contains simple URL rewriting rules for specific applications.
The rewritten path is specified using name-value pairs, as shown in the example below. Place
this file into the C : \co nnecto rs\ directory.
#Simple example
# Images are accessible under abc path
/app-01/abc/=/app-01/images/
6. R est art t h e IIS server.
Restart your IIS server by using the net sto p and net start commands.
C:\> net stop was /Y
C:\> net start w3svc
R esu lt
The IIS server is configured to send client requests to the specific JBoss EAP 6 servers you have
configured, on an application-specific basis.
Report a bug
19.8.5. Configure ISAPI t o Balance Client Request s Across Mult iple JBoss EAP
6 Servers
O verview
This configuration balances client requests across the JBoss EAP 6 servers you specify. If you prefer
to send client requests to specific JBoss EAP 6 servers on a per-deployment basis, refer to
Section 19.8.4, Configure the ISAPI Redirector to Send Client Requests to JBoss EAP 6 instead.
This configuration is done on the IIS server, and assumes that JBoss EAP 6 is already configured as
per Section 19.3.6, Configure JBoss EAP 6 to Accept Requests From External Web Servers .
Prereq u isit es
4 75
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
4 76
4 77
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
worker.router.balance_workers=worker01,worker02
# Define the status worker for jkmanager
worker.status.type=status
5.
C reat e t h e rewri te. pro perti es f ile.
The rewri te. pro perti es file contains simple URL rewriting rules for specific applications.
The rewritten path is specified using name-value pairs, as shown in the example below. Place
this file into the C : \co nnecto rs\ directory.
#Simple example
# Images are accessible under abc path
/app-01/abc/=/app-01/images/
6. R est art t h e IIS server.
Restart your IIS server by using the net sto p and net start commands.
C:\> net stop was /Y
C:\> net start w3svc
R esu lt
The IIS server is configured to send client requests to the JBoss EAP 6 servers referenced in the
wo rkers. pro perti es file, spreading the load across the servers in a 1:3 ratio. This ratio is derived
from the load balancing factor (l bfacto r) assigned to each server.
Report a bug
4 78
Oracle iPlanet Web Server 7.0.15 or later for Intel architectures, or 7.0.14 or later for SPARC
architectures, is installed and configured, aside from the NSAPI connector
JBoss EAP 6 is installed and configured on each server which will serve as a worker node. Refer
to Section 19.3.6, Configure JBoss EAP 6 to Accept Requests From External Web Servers .
The JBoss Native Components Z IP package is downloaded from the Customer Service Portal at
https://access.redhat.com.
Pro ced u re 19 .20. Ext ract an d Set u p t h e N SAPI C o n n ect o r
1. Ext ract t h e JB o ss N at ive C o mp o n en t s p ackag e.
The rest of this procedure assumes that the Native Components package is extracted to the
EAP_HOME directory. For the rest of this procedure, the directory
/o pt/o racl e/webserver7/co nfi g / is referred to as IPLANET_CONFIG. If your Oracle
iPlanet configuration directory is different, modify the procedure accordingly.
2. D isab le servlet map p in g s.
Open the IPLANET_CONFIG/d efaul t. web. xml file and locate the section with the
heading Bui l t In Server Mappi ng s. D isable the mappings to the following three
servlets, by wrapping them in XML comment characters (<! -- and -->).
default
invoker
jsp
The following example configuration shows the disabled mappings.
<!-- ============== Built In Servlet Mappings =============== -->
<!-- The servlet mappings for the built in servlets defined above.
-->
<!-- The mapping for the default servlet -->
<!--servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping-->
<!-- The mapping for the invoker servlet -->
<!--servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping-->
<!-- The mapping for the JSP servlet -->
<!--servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.jsp</url-pattern>
</servlet-mapping-->
Save and exit the file.
3. C o n f ig u re t h e iPlan et Web Server t o lo ad t h e N SAPI co n n ect o r mo d u le.
4 79
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Add the following lines to the end of the IPLANET_CONFIG/mag nus. co nf file, modifying file
paths to suit your configuration. These lines define the location of the
nsapi _red i recto r. so module, as well as the wo rkers. pro perti es file, which lists the
worker nodes and their properties.
Init fn="load-modules" funcs="jk_init,jk_service"
shlib="EAP_HOME/modules/system/layers/base/native/lib/nsapi_redirec
tor.so" shlib_flags="(global|now)"
Init fn="jk_init"
worker_file="IPLANET_CONFIG/connectors/workers.properties"
log_level="info" log_file="IPLANET_CONFIG/connectors/nsapi.log"
shm_file="IPLANET_CONFIG/connectors/tmp/jk_shm"
The configuration above is for a 32-bit architecture. If you use 64-bit Solaris, change the
string l i b/nsapi _red i recto r. so to l i b6 4 /nsapi _red i recto r. so .
Save and exit the file.
4. C o n f ig u re t h e N SAPI co n n ect o r.
You can configure the NSAPI connector for a basic configuration, with no load balancing, or
a load-balancing configuration. Choose one of the following options, after which your
configuration will be complete.
Section 19.9.3, Configure NSAPI as a Basic HTTP Connector
Section 19.9.4, Configure NSAPI as a Load-balancing Cluster
Report a bug
Note
In IPLANET_CONFIG/o bj. co nf, spaces are not allowed at the beginning of a line,
except when the line is a continuation of the previous line.
4 80
Edit the IPLANET_CONFIG/o bj. co nf file. Locate the section which starts with <O bject
name= "d efaul t">, and add each URL pattern to match, in the format shown by the example
file below. The string jknsapi refers to the HTTP connector which will be defined in the next
step. The example shows the use of wildcards for pattern matching.
<Object name="default">
[...]
NameTrans fn="assign-name"
NameTrans fn="assign-name"
NameTrans fn="assign-name"
NameTrans fn="assign-name"
NameTrans fn="assign-name"
</Object>
from="/status" name="jknsapi"
from="/images(|/*)" name="jknsapi"
from="/css(|/*)" name="jknsapi"
from="/nc(|/*)" name="jknsapi"
from="/jmx-console(|/*)" name="jknsapi"
The example above redirects requests to the URL path /status to the worker called
wo rker0 1, and all URL paths beneath /nc/ to the worker called wo rker0 2. The third line
indicates that all URLs assigned to the jknsapi object which are not matched by the
previous lines are served to wo rker0 1.
Save and exit the file.
3.
D ef in e t h e wo rkers an d t h eir at t rib u t es.
Create a file called wo rkers. pro perti es in the IP LANET _C O NFIG /co nnecto rs/
directory. Paste the following contents into the file, and modify them to suit your environment.
# An entry that lists all the workers defined
worker.list=worker01, worker02
# Entries that define the host and port associated with these
workers
worker.worker01.host=127.0.0.1
worker.worker01.port=8009
worker.worker01.type=ajp13
worker.worker02.host=127.0.0.100
worker.worker02.port=8009
worker.worker02.type=ajp13
4 81
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The wo rkers. pro perti es file uses the same syntax as Apache mod_jk. For information
about which options are available, refer to Section 19.6.5, Configuration Reference for
Apache Mod_jk Workers .
Save and exit the file.
4. R est art t h e iPlan et Web Server.
Issue the following command to restart the iPlanet Web Server.
IPLANET_CONFIG/../bin/stopserv
IPLANET_CONFIG/../bin/startserv
R esu lt
iPlanet Web Server now sends client requests to the URLs you have configured to deployments on
JBoss EAP 6.
Report a bug
Note
In IPLANET_CONFIG/o bj. co nf, spaces are not allowed at the beginning of a line,
except when the line is a continuation of the previous line.
Edit the IPLANET_CONFIG/o bj. co nf file. Locate the section which starts with <O bject
name= "d efaul t">, and add each URL pattern to match, in the format shown by the example
file below. The string jknsapi refers to the HTTP connector which will be defined in the next
step. The example shows the use of wildcards for pattern matching.
<Object name="default">
[...]
NameTrans fn="assign-name"
NameTrans fn="assign-name"
NameTrans fn="assign-name"
NameTrans fn="assign-name"
4 82
from="/status" name="jknsapi"
from="/images(|/*)" name="jknsapi"
from="/css(|/*)" name="jknsapi"
from="/nc(|/*)" name="jknsapi"
This jksnapi object defines the worker nodes used to serve each path that was mapped to
the name= "jksnapi " mapping in the d efaul t object. Everything except for URLs matching
/jkmanag er/* is redirected to the worker called ro uter.
3. D ef in e t h e wo rkers an d t h eir at t rib u t es.
Create a file called wo rkers. pro perti es in IP LANET _C O NFIG /co nnecto r/. Paste the
following contents into the file, and modify them to suit your environment.
# The advanced router LB worker
# A list of each worker
worker.list=router,status
# First JBoss EAP server
# (worker node) definition.
# Port 8009 is the standard port for AJP
#
worker.worker01.port=8009
worker.worker01.host=127.0.0.1
worker.worker01.type=ajp13
worker.worker01.ping_mode=A
worker.worker01.socket_timeout=10
worker.worker01.lbfactor=3
# Second JBoss EAP server
worker.worker02.port=8009
worker.worker02.host=127.0.0.100
worker.worker02.type=ajp13
worker.worker02.ping_mode=A
worker.worker02.socket_timeout=10
worker.worker02.lbfactor=1
# Define the load-balancer called "router"
worker.router.type=lb
4 83
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
worker.router.balance_workers=worker01,worker02
# Define the status worker
worker.status.type=status
The wo rkers. pro perti es file uses the same syntax as Apache mod_jk. For information
about which options are available, refer to Section 19.6.5, Configuration Reference for
Apache Mod_jk Workers .
Save and exit the file.
4. R est art t h e iPlan et Web Server.
Choose one of the following procedures, depending on whether you run iPlanet Web Server
6.1 or 7.0.
A. iPlan et Web Server 6 .1
IPLANET_CONFIG/../stop
IPLANET_CONFIG/../start
B. iPlan et Web Server 7.0
IPLANET_CONFIG/../bin/stopserv
IPLANET_CONFIG/../bin/startserv
R esu lt
The iPlanet Web Server redirects the URL patterns you have configured to your JBoss EAP 6 servers
in a load-balancing configuration.
Report a bug
4 84
4 85
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Each subscription receives a copy of every message sent to the topic. This differs from the
Message Queue pattern, where each message is only consumed by a single consumer.
Subscriptions that are durable retain copies of each message sent to the topic until the
subscriber consumes them. These copies are retained even in the event of a server restart.
Non-durable subscriptions last only as long as the connection that created them.
Report a bug
4 86
Chapt er 2 0 . Messaging
D ef au lt
D escrip t io n
batch-delay
0 milliseconds
direct-deliver
true
4 87
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Pro p ert y
D ef au lt
D escrip t io n
local-address
local-port
nio-remoting-threads
-1
tcp-no-delay
true
tcp-send-buffer-size
32768 bytes
tcp-receive-buffer-size
32768 bytes
use-nio
false
4 88
Chapt er 2 0 . Messaging
Note
Netty TCP properties are valid for all types of transport (Netty SSL, Netty HTTP and Netty
Servlet).
Report a bug
Warning
Red Hat recommends that you explicitly disable SSL in favor of TLSv1.1 or TLSv1.2 in all
affected packages.
The following example shows Netty configuration for one way SSL:
Note
Most of the following parameters can be used with acceptors as well as connectors. However
some parameters work only with acceptors. The parameter description explains the difference
between using these parameters in connectors and acceptors.
< acceptors>
<netty-acceptor name="netty" socket-binding="messaging"/>
D ef au lt
D escrip t io n
ssl-enabled
true
4 89
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
D ef au lt
key-store-password
[keystore password]
D escrip t io n
4 90
Chapt er 2 0 . Messaging
Note
The following parameters can be used with acceptors as well as connectors. Netty HTTP
transport does not allow the reuse of standard HTTP port (8080 by default). The use of
standard HTTP port results in an exception. You can use Section 20.2.5, Configuring Netty
Servlet (Netty Servlet Transport) for tunneling HornetQ connections through standard HTTP
port.
< acceptors>
<netty-acceptor name="netty" socket-binding="messaging-http">
D ef au lt
D escrip t io n
http-enabled
http-client-idle-time
false
500 milliseconds
http-client-idle-scan-period
500 milliseconds
http-response-time
10000 milliseconds
http-server-scan-period
5000 milliseconds
http-requires-session-id
false
Warning
Automatic client failover is not supported for clients connecting through Netty HTTP transport.
4 91
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
< web-app>
<servlet>
<servlet-name>HornetQServlet</servlet-name>
<servletclass>org.jboss.netty.channel.socket.http.HttpTunnelingServlet</servlet
-class>
<init-param>
<param-name>endpoint</param-name>
<param-value>local:org.hornetq</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>HornetQServlet</servlet-name>
<url-pattern>/HornetQServlet</url-pattern>
</servlet-mapping>
< /web-app>
The init parameter endpoint specifies the host attribute of the Netty acceptor that the servlet will
forward its packets to
Insert the Netty servlet acceptor on the server side configuration: The following example shows the
definition of an acceptor in server configuration files (stand al o ne. xml and d o mai n. xml ):
< acceptors>
<acceptor name="netty-servlet">
<factory-class>
org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory
</factory-class>
</acceptor>
< /acceptors>
The last step is to define a connector for the client in server configuration files
(stand al o ne. xml and d o mai n. xml ):
4 92
Chapt er 2 0 . Messaging
Warning
Automatic client failover is not supported for clients connecting through HTTP tunneling
servlet.
Note
Netty servlet cannot be used to configure EAP 6 servers in order to set up a HornetQ cluster.
Report a bug
20.3. About Java Naming and Direct ory Int erface (JNDI)
The Java Naming and Directory Interface (JNDI) is a standard Java API for naming and directory
services. It allows Java-based technologies to discover and organize named components in a
distributed computing environment.
Report a bug
4 93
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
C lientSessionFactory sf = null;
C lientSession session = null;
t ry
locator = HornetQClient.createServerLocatorWithoutHA(..);
sf = locator.createClientSessionFactory();;
session = sf.createSession(...);
if (session != null)
session.close();
if (sf != null)
{
sf.close();
}
if(locator != null)
{
locator.close();
}
The following example shows a JMS client application which closes its session and session factory
in a fi nal l y block:
ConnectionFactory jmsConnectionFactory =
HornetQJMSClient.createConnectionFactoryWithoutHA(...);
jmsConnection = jmsConnectionFactory.createConnection();
if (connection != null)
connection.close();
4 94
Chapt er 2 0 . Messaging
at
org.hornetq.core.client.impl.DelegatingSession.<init>(DelegatingSession.j
ava:83)
at org.acme.yourproject.YourClass (YourClass.java:666)
The log message contains information about the code part where a JMS connection or user session
was created and not closed later.
Report a bug
4 95
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The default value for client failure check period is 3000 milliseconds. A value of -1 means that the
client will never close the connection if no data is received from the server. The value of client failure
check period is much lower than connection TTL so that clients can reconnect in case of a transition
failure.
C o n f ig u rin g Asyn ch ro n o u s C o n n ect io n Execu t io n
By default, packets received on the server side are executed on the remoting thread. It is possible to
free up the remoting thread by processing operations asynchronously on any thread from the thread
pool. You can configure asynchronous connection execution using async-connectionexecution-enabled parameter in stand al o ne. xml and d o mai n. xml server configuration files.
The default value of this parameter is " true" .
Note
If you process operations asynchronously on any thread from the thread pool, it adds a little
latency. Short running operations are always handled on the remoting thread for performance
reasons.
Report a bug
4 96
Chapt er 2 0 . Messaging
Important
To achieve best performance, we recommend storing the large messages directory on a
different physical volume to the message journal or the paging directory
Report a bug
Note
The value of the attribute mi n-l arg e-messag e-si ze should be in bytes
You may choose to compress large messages for fast and efficient transfer. All
compression/de-compression operations are handled on client side. If the compressed
message is smaller than mi n-l arg e-messag e-si ze,it is sent to the server as a regular
message. Using Java Messaging Service (JMS) you can compress large messages by
setting the boolean property co mpress-l arg e-messag es " true" on the server locator or
ConnectionFactory.
<connectors>
<connector-ref connector-name="netty"/>
</connectors>
. ..
4 97
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<min-large-message-size>204800</min-large-message-size>
<compress-large-messages>true</compress-large-messages>
/connection-factory>
<
Report a bug
20.6. Paging
20.6.1. About Paging
HornetQ supports many message queues with each queue containing millions of messages. The
HornetQ server runs with limited memory thereby making it difficult to store all message queues in
memory at one time.
Paging is a mechanism used by the HornetQ server to transparently page messages in and out of
memory on need basis in order to accomodate large message queues in a limited memory.
HornetQ starts paging messages to disk, when the size of messages in memory for a particular
address exceeds the maximum configured message size.
Note
HornetQ paging is enabled by default.
Report a bug
< hornetq-server>
...
<paging-directory>/location/paging-directory</paging-directory>
...
< /hornetq-server>
4 98
Chapt er 2 0 . Messaging
The paging-directory parameter is used to specify a location/folder to store the page files.
HornetQ creates one folder for each paging address in this paging directory. The page files are
stored in these folders.
The default paging directory is EAP _HO ME/stand al o ne/d ata/messag i ng pag i ng (standalone
mode) and EAP _HO ME/d o mai n/servers/SER VER NAME/d ata/messag i ng pag i ng (domain
mode).
Report a bug
Note
Paging is done individually per address. If you configure a max-size-bytes for an address,
it means each matching address will have a maximum size that you specified. However it does
not mean that the total overall size of all matching addresses is limited to max-size-bytes.
You can configure the maximum size in bytes (max-size-bytes) for an address in server
configuration files (stand al o ne. xml and d o mai n. xml ):
< address-settings>
<address-setting match="jms.someaddress">
<max-size-bytes>104857600</max-size-bytes>
<page-size-bytes>10485760</page-size-bytes>
<address-full-policy>PAGE</address-full-policy>
</address-setting>
< /address-settings>
The following table describes the parameters on the address settings:
T ab le 20.4 . Pag in g Ad d ress Set t in g s
Elemen t
D ef au lt
Valu e
D escrip t io n
max-sizebytes
page-sizebytes
addressfull-policy
10485760
This is used to specify the maximum memory size the address can
have before entering nto paging mode
This is used to specify the size of each page file used on the paging
system
This value of this attribute is used for paging decisions. You can set
either of these values for this attribute: P AG E: To enable paging and
page messages beyond the set limit to disk, D R O P : To silently drop
messages which exceed the set limit, FAIL: To drop messages and
send an exception to client message producers, BLO C K: To block
client message producers when they send messages beyond the set
limit
2097152
PAGE
4 99
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Elemen t
D ef au lt
Valu e
D escrip t io n
page-maxcache-size
Important
If you don't want to page messages when the maximum size is reached, you may choose to
configure an address in order to simply drop messages, drop messages with an exception on
client side or block producers from sending further messages, by setting the address-fullpolicy to D R O P , FAIL and BLO C K respectively. In the default configuration, all addresses
are configured to page messages after an address reaches max-size-bytes.
Ad d resses wit h Mu lt ip le Q u eu es
When a message is routed to an address that has multiplte queues bound to it, there is only a single
copy of the message in memory. Each queue only handles a reference to this original copy of the
message. Thus the memory is freed up only when all the queues referencing the original message,
have delivered the message.
Note
A single lazy queue/subscription can reduce the Input/Output performance of the entire
address as all the queues will have messages being sent through an extra storage on the
paging system.
Report a bug
20.7. Divert s
D iverts are objects configured in HornetQ; which help in diverting messages from one address (to
which the message is routed) to some other address. D iverts can be configured in server
configuration files (stand al o ne. xml and d o mai n. xml ).
D iverts can be classified into the following types:
Exclusive D ivert: A message is only diverted to a new address and not sent to the old address at
all
Non-exclusive D ivert: A message continues to go the old address, and a copy of it is also sent to
the new address. Non-exclusive diverts can be used for splitting the flow of messages
D iverts can be configured to apply a T ransfo rmer and an optional message filter. An optional
message filter helps only divert messages which match the specified filter. A transformer is used for
transforming messages to another form. When a transformer is specified; all diverted messages are
transformed by the T ransfo rmer.
A divert only diverts a message to an address within the same server. If you need to divert a message
to an address on a different server, you can follow the pattern described below:
500
Chapt er 2 0 . Messaging
D ivert messages to a local store and forward queue. Setup a bridge which consumes from that
queue and directs messages to an address on a different server
You can combine diverts with bridges to create various routings.
Report a bug
<address>jms.topic.priceUpdates</address>
<forwarding-address>jms.queue.priceForwarding</forwarding-address>
<transformer-class-name>
org.hornetq.jms.example.AddForwardingTimeTransformer
</transformer-class-name>
<exclusive>true</exclusive>
< /divert>
The following list describes the attributes used in the above example:
address: Messages sent to this address are diverted to another address
forwarding-address: Messages are diverted to this address from the old address
filter-string: Messages which match the filter-string value are diverted. All other
messages are routed to the normal address
transformer-class-name: If you specify this parameter; it executes transformation for each
matching message. This allows you to change a message's body or property before it is diverted
exclusive: Used to enable or disable exclusive divert
Report a bug
501
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The above example makes a copy of every message sent to jms.queue.orders address and sends
it to jms.topic.spyTopic address.
Report a bug
502
Chapt er 2 0 . Messaging
Warning
The value of jo urnal -fi l e-si ze must be higher than or equal to mi n-l arg emessag e-si ze (100KiB by default), or the server won't be able to store the message.
<jms-connection-factories>
<connection-factory name="InVmConnectionFactory">
<connectors>
<connector-ref connector-name="in-vm"/>
</connectors>
<entries>
<entry name="java:/ConnectionFactory"/>
</entries>
</connection-factory>
<connection-factory name="RemoteConnectionFactory">
<connectors>
<connector-ref connector-name="netty"/>
</connectors>
<entries>
<entry
name="java:jboss/exported/jms/RemoteConnectionFactory"/>
</entries>
</connection-factory>
<pooled-connection-factory name="hornetq-ra">
<transaction mode="xa"/>
<connectors>
<connector-ref connector-name="in-vm"/>
</connectors>
<entries>
<entry name="java:/JmsXA"/>
</entries>
</pooled-connection-factory>
< /jms-connection-factories>
5. C o n f ig u re t h e netty co n n ect o rs an d accep t o rs
This JMS connection factory uses netty acceptors and connectors. These are references to
connector and acceptor objects deployed in the server configuration file. The connector
object defines the transport and parameters used to connect to the HornetQ server. The
acceptor object identifies the type of connections accepted by the HornetQ server.
To configure the netty connectors, include the following settings:
< connectors>
503
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
binding="messaging-throughput">
</netty-connector>
</netty-acceptor>
<hornetq-server>
<journal-min-files>2</journal-min-files>
<journal-type>NIO</journal-type>
<persistence-enabled>true</persistence-enabled>
<jms-connection-factories>
<connection-factory name="InVmConnectionFactory">
<connectors>
<connector-ref connector-name="in-vm"/>
</connectors>
<entries>
<entry name="java:/ConnectionFactory"/>
</entries>
</connection-factory>
<connection-factory name="RemoteConnectionFactory">
<connectors>
<connector-ref connector-name="netty"/>
</connectors>
<entries>
<entry
name="java:jboss/exported/jms/RemoteConnectionFactory"/>
</entries>
</connection-factory>
<pooled-connection-factory name="hornetq-ra">
<transaction mode="xa"/>
<connectors>
<connector-ref connector-name="in-vm"/>
</connectors>
<entries>
<entry name="java:/JmsXA"/>
</entries>
504
Chapt er 2 0 . Messaging
</pooled-connection-factory>
</jms-connection-factories>
<connectors>
</netty-connector>
</connectors>
<acceptors>
</netty-acceptor>
</acceptors>
</hornetq-server>
< /subsystem>
7. C o n f ig u re t h e so cket b in d in g g ro u p s
The netty connectors reference the messag i ng and messag i ng -thro ug hput socket
bindings. The messag i ng socket binding uses port 5445, and the messag i ng thro ug hput socket binding uses port 5455. The <so cket-bi nd i ng -g ro up> tag is in a
separate section of the server configuration file. Ensure the following socket bindings are
present in the <so cket-bi nd i ng -g ro ups> element:
< socket-binding-group name="standard-sockets" defaultinterface="public" port-offset="${jboss.socket.binding.portoffset:0}">
...
...
</socket-binding-group>
8. Ad d q u eu e in st an ces t o H o rn et Q
There are 4 ways to setup the queue instances (or JMS destinations) for HornetQ.
Use the Management Console
To use the Management Console, the server must have been started in the Messag eEnabl ed mode. You can do this by using the -c option and forcing the use of the
stand al o ne-ful l . xml (for standalone servers) configuration file. For example, in the
standalone mode, the following will start the server in a message enabled mode
./standalone.sh -c standalone-full.xml
505
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Once the server has started, logon to the Management Console and select the
C o n f ig u rat io n tab. Expand the Su b syst ems menu, then expand the Messag in g menu
and click D est in at io n s. Next to D efaul t on the JMS Messaging Provider table, click
Vi ew, and then click Ad d to enter details of the JMS destination.
Use the Management CLI:
First, connect to the Management CLI:
bin/jboss-cli.sh --connect
Next, change into the messaging subsystem:
cd /subsystem=messaging/hornetq-server=default
Finally, execute an add operation, replacing the examples values given below with your
own:
./jms-queue=testQueue:add(durable=false,entries=
["java:jboss/exported/jms/queue/test"])
Create a JMS configuration file and add it to the deployments folder
Start by creating a JMS configuration file: example-jms.xml. Add the following entries to it,
replacing the values with your own:
< ?xml version="1.0" encoding="UTF-8"?>
<messagingdeployment xmlns="urn:jboss:messaging-deployment:1.0">
<hornetq-server>
<jms-destinations>
<jms-queue name="testQueue">
<entry name="queue/test"/>
<entry
name="java:jboss/exported/jms/queue/test"/>
</jms-queue>
<jms-topic name="testTopic">
<entry name="topic/test"/>
<entry
name="java:jboss/exported/jms/topic/test"/>
</jms-topic>
</jms-destinations>
</hornetq-server>
< /messaging-deployment>
Save this file in the deployments folder and do a deployment.
Add entries in the JBoss EAP 6 configuration file.
Using the standalone-full.xml as an example, find the messaging subsystem in this file.
<subsystem xmlns="urn:jboss:domain:messaging:1.4">
Add the following entries in it, again, replacing the example values with your own. You will
need to add these entries in after the </jms-connection-factories> end tag but before the
</hornetq-server> element:
506
Chapt er 2 0 . Messaging
<jms-destinations>
<jms-queue name="testQueue">
<entry name="queue/test"/>
<entry name="java:jboss/exported/jms/queue/test"/>
</jms-queue>
<jms-topic name="testTopic">
<entry name="topic/test"/>
<entry name="java:jboss/exported/jms/topic/test"/>
</jms-topic>
</jms-destinations>
9. Perf o rm ad d it io n al co n f ig u rat io n
If you need additional settings, review the D TD in EAP_HOME/d o cs/schema/jbo ss-asmessag i ng _1_4 . xsd .
Report a bug
D escrip t io n
. (a single period)
D escrip t io n
news.europe.#
news.*
news.*.sport
507
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The values in this example are used to illustrate the rest of this topic.
< address-settings>
<address-setting match="#">
<dead-letter-address>jms.queue.DLQ</dead-letter-address>
<expiry-address>jms.queue.ExpiryQueue</expiry-address>
<redelivery-delay>0</redelivery-delay>
<max-size-bytes>10485760</max-size-bytes>
<address-full-policy>BLOCK</address-full-policy>
<message-counter-history-day-limit>10</message-counter-historyday-limit>
</address-setting>
< /address-settings>
D escrip t io n
D ef au lt Valu e
T yp e
ad d ress-ful l po l i cy
D etermines what
happens when an
address where maxsize-bytes is specified
becomes full.
If a dead letter address
is specified, messages
are moved to the dead
letter address if maxd el i very-attempts
delivery attempts have
failed. Otherwise, these
undelivered messages
are discarded.
Wildcards are allowed.
If the expiry address is
present, expired
messages are sent to
the address or
addresses matched by
it, instead of being
discarded. Wildcards
are allowed.
D efines whether a
queue only uses last
values or not.
The maximum number
of times to attempt to
re-deliver a message
before it is sent to
d ead -l etterad d ress or
discarded.
The maximum bytes
size.
PAGE
STRING
jms.queue.D LQ
STRING
jms.queue.ExpiryQueu
e
STRING
false
BOOLEAN
10
INT
10485760L
LONG
max-d el i veryattempts
max-si ze-bytes
508
Chapt er 2 0 . Messaging
Elemen t
D escrip t io n
D ef au lt Valu e
T yp e
10
INT
INT
5
0L
INT
LONG
-1L
LONG
false
BOOLEAN
509
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
[domain@ localhost:9999 /]
/profile=full/subsystem=messaging/hornetqserver=default/address-setting=patternname/:add(max-deliveryattempts=5)
b. Ed it Pat t ern At t rib u t es
Use the wri te operation to write a new value to an attribute. You can use tab
completion to help complete the command string as you type, as well as to expose the
available attributes. The following example updates the max-d el i very-attempts
value to 10
[standalone@ localhost:9999 /] /subsystem=messaging/hornetqserver=default/address-setting=patternname/:writeattribute(name=max-delivery-attempts,value=10)
[domain@ localhost:9999 /]
/profile=full/subsystem=messaging/hornetqserver=default/address-setting=patternname/:writeattribute(name=max-delivery-attempts,value=10)
c. C o n f irm Pat t ern At t rib u t es
Confirm the values are changed by running the read -reso urce operation with the
i ncl ud e-runti me= true parameter to expose all current values active in the server
model.
[standalone@ localhost:9999 /] /subsystem=messaging/hornetqserver=default/address-setting=patternname/:read-resource
[domain@ localhost:9999 /]
/profile=full/subsystem=messaging/hornetqserver=default/address-setting=patternname/:read-resource
B. C o n f ig u re t h e Ad d ress Set t in g s U sin g t h e Man ag emen t C o n so le
Use the Management Console to configure address settings.
a. Log into the Management Console of your Managed D omain or Standalone Server.
b. Select the C o nfi g urati o n tab at the top of the screen. For D omain mode, select a
profile from the P ro fi l e menu at the top left. Only the ful l and ful l -ha profiles
have the messag i ng subsystem enabled.
c. Expand the Messag i ng menu, and select D esti nati o ns.
d. A list of JMS Providers is shown. In the default configuration, only one provider, called
d efaul t, is shown. Click Vi ew to view the detailed settings for this provider.
e. Click the Ad d ress Setti ng s tab. Either add a new pattern by clicking Ad d , or select
an existing pattern and clickEd i t to update the settings.
510
Chapt er 2 0 . Messaging
f. If you are adding a new pattern, the P attern field refers to the match parameter of the
ad d ress-setti ng element. You can also edit the D ead Letter Ad d ress, Expi ry
Ad d ress, R ed el i very D el ay, and Max D el i very Attempts. Other options need
to be configured using the Management CLI.
Report a bug
511
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<bridge name="myBridge">
<queue-name>jms.queue.InQueue</queue-name>
<forwarding-address>jms.queue.OutQueue</forwarding-address>
<ha>true</ha>
<reconnect-attempts>-1</reconnect-attempts>
<use-duplicate-detection>true</use-duplicate-detection>
<static-connectors>
<connector-ref>
bridge-connector
</connector-ref>
</static-connectors>
</bridge>
< /bridges>
D escrip t io n
name
queue-name
forwarding-address
512
Chapt er 2 0 . Messaging
At t rib u t e
D escrip t io n
ha
reconnect-attempts
use-duplicate-detection
static-connectors
Report a bug
< subsystem>
<subsystem xmlns="urn:jboss:domain:messaging:1.3">
<hornetq-server>
...
</hornetq-server>
<jms-bridge name="myBridge">
<source>
<connection-factory name="ConnectionFactory"/>
<destination name="jms/queue/InQueue"/>
</source>
<target>
<connection-factory
513
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
name="jms/RemoteConnectionFactory"/>
<destination name="jms/queue/OutQueue"/>
<context>
<property key="java.naming.factory.initial"
value="org.jboss.naming.remote.client.InitialContextFactory"/>
<property key="java.naming.provider.url"
value="remote://192.168.40.1:4447"/>
</context>
</target>
<quality-of-service>AT_MOST_ONCE</quality-of-service>
<failure-retry-interval>1000</failure-retry-interval>
<max-retries>-1</max-retries>
<max-batch-size>10</max-batch-size>
<max-batch-time>100</max-batch-time>
<add-messageID-in-header>true</add-messageID-in-header>
</jms-bridge>
. ..
< /subsystem>
D escrip t io n
name
source connection-factory
target connection-factory
quality-of-service
failure-retry-interval
max-retries
max-batch-size
514
Chapt er 2 0 . Messaging
At t rib u t e
D escrip t io n
max-batch-time
add-messageID -in-header
515
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
-->
<address-setting match="jms.queue.exampleQueue">
<dead-letter-address>jms.queue.deadLetterQueue</dead-letter-address>
<max-delivery-attempts>3</max-delivery-attempts>
</address-setting>
If a <d ead -l etter-ad d ress> is not specified, messages are removed after trying to deliver <maxd el i very-attempts> times. By default, messages delivery is attempted 10 times. Setting <maxd el i very-attempts> to -1 allows infinite redelivery attempts. For example, a dead letter can be set
globally for a set of matching addresses and you can set <max-d el i very-attempts> to -1 for a
specific address setting to allow infinite redelivery attempts only for this address. Address wildcards
can also be used to configure dead letter settings for a set of addresses.
Report a bug
T ab le 20.10. H o rn et Q At t rib u t es
At t rib u t e
516
D ef au lt Valu e T yp e
D escrip t io n
Chapt er 2 0 . Messaging
At t rib u t e
D ef au lt Valu e T yp e
D escrip t io n
al l o wfai l back
true
BOOLEAN
true
BOOLEAN
accepto r
STRING
backupg ro up-name
backup
false
BOOLEAN
check-fo rl i ve-server
false
BOOLEAN
cl ustered
false
BOOLEAN
cl usterpasswo rd
CHANGE ME!!
STRING
cl usteruser
HORNETQ.CLU STRING
STER.AD MIN.U
SER
cl usterco nnecti o n
createtrue
bi nd i ng sdir
createtrue
jo urnal -d i r
co nnecti o nttl o verri d e
co nnecti o nfacto ry
-1L
BOOLEAN
BOOLEAN
LONG
517
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
At t rib u t e
D ef au lt Valu e T yp e
co nnecto r
co nnecto rservi ce
d i vert
d i sco veryg ro up
fai l backd el ay
5000
LONG
false
BOOLEAN
20000
INT
jmx-d o mai n
org.hornetq
STRING
jmxmanag ementenabl ed
false
BOOLEAN
jo urnal buffer-si ze
jo urnal bufferti meo ut
501760
(490KiB)
500000 (0.5
milliseconds)
for ASYNCIO
journal and
3333333 (3.33
milliseconds)
for NIO journal
LONG
g ro upi ng hand l er
i d -cachesi ze
i n-vmaccepto r
i n-vmco nnecto r
518
D escrip t io n
LONG
Chapt er 2 0 . Messaging
At t rib u t e
D ef au lt Valu e T yp e
D escrip t io n
10
INT
30
INT
10485760
LONG
INT
jo urnal mi n-fi l es
jo urnal sync-no ntransacti o n
al
jo urnal synctransacti o n
al
jo urnal type
INT
true
BOOLEAN
true
BOOLEAN
ASYNCIO
String
reference
STRING
false
BOOLEAN
true
BOOLEAN
jms.queue.hor
netq.managem
ent
hornetq.notific
ations
STRING
STRING
INT
-1
LONG
jms-to pi c
l i veco nnecto rref
519
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
At t rib u t e
D ef au lt Valu e T yp e
D escrip t io n
25
INT
false
BOOLEAN
Percentage of available
memory which if exceeded
results in a warning log
Whether message counters are
enabled
10
INT
10000
LONG
30000
LONG
INT
INT
-1
INT
false
BOOLEAN
true
BOOLEAN
true
BOOLEAN
undefined
LIST
undefined
LIST
undefined
LIST
po o l ed co nnecti o nfacto ry
remo ti ng i ntercepto r
s
remo ti ng i nco mi ng i ntercepto r
s
remo ti ng o utg o i ng i ntercepto r
s
520
Chapt er 2 0 . Messaging
At t rib u t e
D ef au lt Valu e T yp e
D escrip t io n
run-syncspeed -test
false
Whether to perform a
diagnostic test on how fast
your disk can sync on startup.
Useful when determining
performance issues
The name of the cluster
connection to replicate from if
more than one cluster
connection is configured
A runtime queue
BOOLEAN
STRING
repl i cati o n
cl ustername
runti meq ueue
remo teco nnecto r
remo teaccepto r
sched ul ed thread po o l -maxsi ze
securi tyd o mai n
INT
other
STRING
securi tyenabl ed
securi tysetti ng
true
BOOLEAN
10000
LONG
-1
LONG
shared
sto re
thread po o l -maxsi ze
transacti o n
-ti meo ut
true
BOOLEAN
30
INT
300000
LONG
transacti o n
-ti meo utscan-peri o d
wi l d -card ro uti ng enabl ed
1000
LONG
true
BOOLEAN
521
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Warning
The value of jo urnal -fi l e-si ze must be higher than the size of message sent to server, or
the server will not be able to store the message.
Report a bug
<expiry-address>jms.queue.expiryQueue</expiry-address>
< /address-setting>
522
Chapt er 2 0 . Messaging
If the messages are expired and no expiry address is specified, the messages are removed from the
queue and dropped.
C o n f ig u rin g Exp iry R eap er T h read
A reaper thread periodically inspects the queues to validate if messages have expired.
message-expiry-scan-period
How often the queues will be scanned to detect expired messages (in milliseconds, default is
30000ms, set to -1 to disable the reaper thread).
message-expiry-thread-priority
The reaper thread priority. It must be between 0 and 9, 9 being the highest priority, default is 3.
Report a bug
Important
Message groups are especially useful when there is a need for messages with a certain value
of the property (group id) to be processed serially by a single consumer.
Report a bug
523
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<connectors>
<connector-ref connector-name="netty-connector"/>
</connectors>
<entries>
<entry name="ConnectionFactory"/>
</entries>
<autogroup>true</autogroup>
< /connection-factory>
An alternative to the above two approaches is to set a specific message group id through the
connection factory. This will in-turn set the property JMSXG ro upID to the specified value for all
messages sent through this connection factory. To set a specific message group id on the
connection factory, edit the g ro up-i d property in server configuration files (stand al o ne. xml and
d o mai n. xml ) as follows:
<connectors>
<connector-ref connector-name="netty-connector"/>
</connectors>
<entries>
<entry name="ConnectionFactory"/>
</entries>
<group-id>Group-0</group-id>
< /connection-factory>
Report a bug
524
Chapt er 2 0 . Messaging
The local handler is responsible for deciding the route which a message group should take. The
remote handlers communicate with the local handler and work accordingly. Each cluster should
choose a specific node to have a local grouping handler and all the other nodes should have remote
handlers.
You can configure " local" and " remote" grouping handlers in server configuration files
(stand al o ne. xml and d o mai n. xml ) as follows:
<type>LOCAL</type>
<address>jms</address>
<timeout>5000</timeout>
< /grouping-handler>
< grouping-handler name="my-grouping-handler">
<type>REMOTE</type>
<address>jms</address>
<timeout>5000</timeout>
< /grouping-handler>
The " timeout" attribute ensures that a routing decision is made quickly within the specified time. If a
decision is not made within this time an exception is thrown.
The node which initially receives a message group takes the routing decision based on regular
cluster routing conditions (round-robin queue availability). The node proposes this decision to the
respective grouping handler which then routes the messages to the proposed queue if it accepts the
proposal.
If the grouping handler rejects the proposal, it proposes some other route and the routing takes place
accordingly. The other nodes follow suite and forward the message groups to the chosen queue.
After a message arrives on a queue it is pinned to a customer on that queue.
Report a bug
525
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
D uplicate message detection allows filtering of duplicate messages without the need of coding the
duplicate detection logic within the application. You can configure duplicate message detection in
HornetQ.
When a sender(client/server) sends a message to another server there can be a situation where the
target server(receiver) or the connection fails after sending the message but before sending a
response to the sender indicating that the process was successful. In such situations, it is very
difficult for the sender(client) to determine if the message was sent successfully to the intended
receiver.
The message send may or may not be successful depending on when the target receiver or
connection failed (before or after sending the message). If the sender (client/server) decides to resend
the last message it can result in a duplicate message being sent to the address.
HornetQ provides duplicate message detection for messages sent to addresses.
Report a bug
20.10.2. Using Duplicat e Message Det ect ion for Sending Messages
To enable duplicate message detection for sent messages you need to set a special property on the
message to a unique value. You can create this value the way you wish but this value must be
unique.
When the target server receives this message, it checks if the special property is set. If the property is
set then the target server checks its memory cache for a received message with that value of the
header. If the server finds any message with the same value of the header it ignores the message sent
by a client.
If you are sending messages in a transaction then you do not have to set the property for every
message you send in that transaction; you only need to set it once in the transaction. If the server
detects a duplicate message for any message in the transaction, then it will ignore the entire
transaction.
The name of the property that you set is given by the value of
org.hornetq.api.core.HDR_DUPLICATE_DETECTION_ID, which is _HQ_DUPL_ID. The value of
this property can be of type byte[] or Si mpl eStri ng for core API. For Java Messaging Service
(JMS) clients, it must be of the type Stri ng with a unique value. An easy way of generating a unique
id is by generating a UUID .
The following example shows how to set the property for core API:
...
ClientMessage message = session.createMessage(true);
SimpleString myUniqueID = "This is my unique id";
this
message.setStringProperty(HDR_DUPLICATE_DETECTION_ID, myUniqueID);
...
The following example shows how to set the property for JMS clients:
...
526
Chapt er 2 0 . Messaging
message.setStringProperty(HDR_DUPLICATE_DETECTION_ID.toString(),
myUniqueID);
...
Report a bug
Note
Set the size of the duplicate ID cache to a large size in order to ensure that resending of
messages does not overwrite the previously sent messages stored in the cache.
Report a bug
20.10.4 . Using Duplicat e Det ect ion wit h Bridges and Clust er Connect ions
Core bridges can be configured to automatically add a unique duplicate ID value (if there isn't
already one in the message) before forwarding the message to the target. To configure a core bridge
for duplication message detection set the property use-duplicate-detection to " true" in server
configuration files (stand al o ne. xml and d o mai n. xml ). The default value of this parameter is
" true" .
Cluster connections internally use core bridges to move messages between nodes of the cluster. To
configure a cluster connection for duplicate message detection set the property use-duplicatedetection to " true" in server configuration files (stand al o ne. xml and d o mai n. xml ). The
default value of this parameter is " true" .
Report a bug
527
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
The function of a bridge is to consume messages from a source queue, and forward them to a target
address, typically on a different HornetQ server. Bridges cope with unreliable connections,
automatically reconnecting when the connections become available again. HornetQ bridges can be
configured with filter expressions to only forward certain messages.
Important
JMS bridge cannot be deployed to EAP 6 server, which includes HornetQ configured as a
dedicated backup. The reason is that Transaction Manager on a dedicated backup server is
unable to recover transactions previously started on the HornetQ live server.
Report a bug
528
Chapt er 2 0 . Messaging
<properties>
</properties>
<resources>
<!-- Insert resources required to connect to
the source or target
-->
</resources>
<dependencies>
<!-- Add the dependencies required by JMS Bridge
code
-->
<module name="javax.transaction.api"/>
</dependencies>
< /module>
iii. Copy the messaging provider JARs required for the JND I lookup of the source
resources to the module's mai n/ subdirectory. The directory structure for the
MyCustomMQ module should now look like the following.
modules/
`-- system
`-- layers
`-- base
`-- org
`-- mycustommq
`-- main
|-- mycustommq-1.2.3.jar
|-- mylogapi-0.0.1.jar
|-- module.xml
b. Configure the JMS bridge in the messag i ng subsystem of the JBoss EAP 6 server.
i. Before you begin, stop the server and back up the current server configuration
files. If you are running a standalone server, this is the
EAP_HOME/stand al o ne/co nfi g urati o n/stand al o ne-ful l -ha. xml
file. If you are running a managed domain, back up both the
EAP_HOME/d o mai n/co nfi g urati o n/d o mai n. xml and the
EAP_HOME/d o mai n/co nfi g urati o n/ho st. xml files.
529
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
ii. Add the jms-bri d g e element to the messag i ng subsystem in the server
configuration file. The so urce and targ et elements provide the names of the
JMS resources used for JND I lookups. If user and passwo rd credentials are
specified, they are passed as arguments when JMS connection is created.
The following is an example of the jms-bri d g e element configured for the
MyCustomMQ messaging provider:
...
<source>
<connection-factory name="ConnectionFactory"/>
<destination name="sourceQ"/>
<user>user1</user>
<password>pwd1</password>
<context>
<property key="java.naming.factory.initial"
value="org.mycustommq.jndi.MyCustomMQInitialContextFact
ory"/>
<property key="java.naming.provider.url"
value="tcp://127.0.0.1:9292"/>
</context>
</source>
<target>
<connection-factory
name="java:/ConnectionFactory"/>
<destination name="/jms/targetQ"/>
</target>
<quality-of-service>DUPLICATES_OK</quality-ofservice>
<failure-retry-interval>500</failure-retryinterval>
<max-retries>1</max-retries>
<max-batch-size>500</max-batch-size>
<max-batch-time>500</max-batch-time>
<add-messageID-in-header>true</add-messageID-inheader>
</jms-bridge>
< /subsystem>
In the above example, the JND I properties are defined in the co ntext element
for the so urce. If the co ntext element is omitted, as in the targ et example
above, the JMS resources are looked up in the local instance.
Report a bug
530
Chapt er 2 0 . Messaging
The HornetQ journal is append only with a configurable file size, which improves performance by
enabling single write operations. It consists of a set of files on disk, which are initially pre-created to
a fixed size and filled with padding. As server operations (add message, delete message, update
message, etc.) are performed, records of the operations are appended to the journal until the journal
file is full, at which point the next journal file is used.
A sophisticated garbage collection algorithm determines whether journal files can be reclaimed and
re-used when all of their data has been deleted. A compaction algorithm removes dead space from
journal files and compresses the data.
The journal also fully supports both local and XA transactions.
The majority of the journal is written in Java, but interaction with the file system has been abstracted
to allow different pluggable implementations. The two implementations shipped with HornetQ are:
Java New I/O (NIO)
Uses standard Java NIO to interface with the file system. This provides extremely good
performance and runs on any platform with a Java 6 or later runtime.
Linux Asynchronous IO (AIO)
Uses a native code wrapper to talk to the Linux asynchronous IO library (AIO). With AIO, HornetQ
receives a message when data has been persisted. This removes the need for explicit syncs. AIO
will typically provide better performance than Java NIO, but requires Linux kernel 2.6 or later and
the libaio package.
AIO also requires ext2, ext3, ext4, jfs or xfs type file systems.
The standard HornetQ core server uses the following journal instances:
bindings journal
Stores bindings-related data, including the set of queues deployed on the server and their
attributes. It also stores data such as ID sequence counters. The bindings journal is always a NIO
journal, as it typically has low throughput in comparison to the message journal.
The files on this journal are prefixed as hornetq-bindings. Each file has a bindings extension. File
size is 1048576 bytes, and it is located in the bindings folder.
JMS journal
Stores all JMS-related data, for example, any JMS queues, topics or connection factories and any
JND I bindings for these resources. Any JMS resources created with the management API are
persisted to this journal. Any resources configured with configuration files are not. This journal is
created only if JMS is in use.
message journal
Stores all message-related data, including messages themselves and duplicate-id caches. By
default, HornetQ uses AIO for this journal. If AIO is not available, it will automatically fall back to
NIO.
Large messages are persisted outside the message journal. In low memory situations, configure
HornetQ to page messages to disk. If persistence is not required, HornetQ can be configured not to
persist any data.
Report a bug
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Important
You can configure a node through server configuration files (stand al o ne. xml and
d o mai n. xml ) and copy this configuration to other nodes to generate a symmetric cluster.
However you must be careful when you are copying the server configuration files. You must
not copy the HornetQ data (i.e. the bindings, journal, and large messages directories) from
one node to another. When a node is started for the first time it persists a unique identifier to
the journal directory which is needed for proper formation of clusters.
Report a bug
532
Chapt er 2 0 . Messaging
Connectors are used on the client to define how and in what ways it connects to the server. Servers
use broadcast groups to broadcast connectors over the network. The broadcast group takes a set of
connector pairs and broadcasts them on the network. Each connector pair contains connection
settings for a live and backup server.
You can define broadcast groups in broadcast-groups element of server configuration files
(stand al o ne. xml and d o mai n. xml ). A single HornetQ server can have many broadcast groups.
You can define either a User D atagram Protocol (UD P) or a JGroup broadcast group.
Report a bug
< broadcast-groups>
<broadcast-group name="my-broadcast-group">
<local-bind-address>172.16.9.3</local-bind-address>
<local-bind-port>5432</local-bind-port>
<group-address>231.7.7.7</group-address>
<group-port>9876</group-port>
<broadcast-period>2000</broadcast-period>
<connector-ref>netty</connector-ref>
</broadcast-group>
< /broadcast-groups>
Note
In the configuration example shown above, the attributes " local-bind-address" , " local-bindport" , " group-address" and " group-port" are deprecated. Instead of these attributes you can
choose to use the attribute " socket-binding" .
The example shown below defines a UD P broadcast group replacing all the deprecated attributes
with the attribute " socket-binding" :
< broadcast-groups>
<broadcast-group name="my-broadcast-group">
<socket-binding>messaging-group</socket-binding>
<broadcast-period>2000</broadcast-period>
<connector-ref>netty</connector-ref>
</broadcast-group>
< /broadcast-groups>
The table shown below describes all the important parameters used in the above examples and in
general to define a UD P broadcast group:
T ab le 20.11. U D P B ro ad cast G ro u p Paramet ers
At t rib u t e
D escrip t io n
533
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
At t rib u t e
D escrip t io n
name attribute
local-bind-address
local-bind-port
group-address
group-port
socket-binding
broadcast-period
connector-ref
Report a bug
< broadcast-groups>
<broadcast-group name="bg-group1">
<jgroups-stack>udp</jgroups-stack>
<jgroups-channel>udp</jgroups-channel>
<broadcast-period>2000</broadcast-period>
<connector-ref>netty</connector-ref>
</broadcast-group>
< /broadcast-groups>
The JGroups broadcast group definition uses two main attributes:
jgroups-stack attribute: This denotes the name of a stack defined in the
o rg . jbo ss. as. cl usteri ng . jg ro ups subsystem
jgroups-channel attribute: This denotes the channel which JGroups channels connect to for
broadcasting
Report a bug
534
Chapt er 2 0 . Messaging
Note
You must configure each discovery group with an appropriate broadcast endpoint which
matches its broadcast group counterpart (UD P or JGroups).
Report a bug
< discovery-groups>
<discovery-group name="my-discovery-group">
<local-bind-address>172.16.9.7</local-bind-address>
<group-address>231.7.7.7</group-address>
<group-port>9876</group-port>
<refresh-timeout>10000</refresh-timeout>
</discovery-group>
< /discovery-groups>
Note
In the configuration example shown above, the attributes " local-bind-address" , " groupaddress" and " group-port" are deprecated. Instead of these attributes you can choose to use
the attribute " socket-binding" .
The example shown below defines a UD P discovery group replacing all the deprecated attributes
with the attribute " socket-binding" :
< discovery-groups>
<discovery-group name="my-discovery-group">
<socket-binding>messaging-group</socket-binding>
535
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<refresh-timeout>10000</refresh-timeout>
</discovery-group>
/discovery-groups>
<
The table shown below describes all the important parameters used in the above example and in
general to define a discovery group:
T ab le 20.12. U D P D isco very G ro u p Paramet ers
At t rib u t e
D escrip t io n
name attribute
local-bind-address
group-address
group-port
socket-binding
refresh-timeout
Report a bug
< discovery-groups>
<discovery-group name="dg-group1">
<jgroups-stack>udp</jgroups-stack>
536
Chapt er 2 0 . Messaging
<jgroups-channel>udp</jgroups-channel>
<refresh-timeout>10000</refresh-timeout>
</discovery-group>
< /discovery-groups>
Note
JGroup attributes and UD P specific attributes are exclusive. You can use either JGroup or
UD P set of attributes in the configuration of a discovery group or a broadcast group
Report a bug
2 0 .1 3.3.3. Co nfiguring Disco ve ry Gro ups fo r Java Me ssaging Se rvice (JMS) Clie nt s
D iscovery groups can be configured for JMS and core clients. You can specify the discovery group
to be used for a JMS connection factory in server configuration files (stand al o ne. xml and
d o mai n. xml ):
<entry name="ConnectionFactory"/>
</entries>
< /connection-factory>
The element discovery-group-ref is used to specify the name of a discovery group. When a
client application downloads this connection factory from Java Naming and D irectory Interface
(JND I) and creates JMS connections, these connections are load balanced across all the servers
which the discovery group maintains by listening on the multicast address specified in the discovery
group configuration.
If you are using JMS but not JND I to lookup for a connection factory then you can specify the
discovery group parameters directly when creating the JMS connection factory:
537
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Note
In a symmetric cluster each node knows about all the queues that exist on all the other
nodes and what consumers they have. With this knowledge it can determine how to load
balance and redistribute messages around the nodes.
Report a bug
538
Chapt er 2 0 . Messaging
< cluster-connections>
<cluster-connection name="my-cluster">
<address>jms</address>
<connector-ref>netty-connector</connector-ref>
<check-period>1000</check-period>
<connection-ttl>5000</connection-ttl>
<min-large-message-size>50000</min-large-message-size>
<call-timeout>5000</call-timeout>
<retry-interval>500</retry-interval>
<retry-interval-multiplier>1.0</retry-interval-multiplier>
<max-retry-interval>5000</max-retry-interval>
<reconnect-attempts>-1</reconnect-attempts>
<use-duplicate-detection>true</use-duplicate-detection>
<forward-when-no-consumers>false</forward-when-no-consumers>
<max-hops>1</max-hops>
<confirmation-window-size>32000</confirmation-window-size>
<call-failover-timeout>30000</call-failover-timeout>
<notification-interval>1000</notification-interval>
<notification-attempts>2</notification-attempts>
<discovery-group-ref discovery-group-name="my-discovery-group"/>
</cluster-connection>
< /cluster-connections>
The following table defines the configurable attributes:
T ab le 20.13. C lu st er C o n n ect io n s C o n f ig u rab le At t rib u t es
At t rib u t e
D escrip t io n
address
connector-ref
check-period
D ef au lt
30,000 milliseconds
539
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
At t rib u t e
D escrip t io n
D ef au lt
connection-ttl
60,000 milliseconds
min-large-message-size
call-timeout
retry-interval
retry-intervalmultiplier
max-retry-interval
reconnect-attempts
use-duplicate-detection
54 0
102400 milliseconds
30,000 milliseconds
500 milliseconds
2000 milliseconds
-1 (infinite retries)
True
Chapt er 2 0 . Messaging
At t rib u t e
D escrip t io n
D ef au lt
< cluster-user>HORNETQ.CLUSTER.ADMIN.USER</cluster-user>
< cluster-password>NEW USER</cluster-password>
Warning
It is important to change the default values of these credentials to prevent remote clients from
making connections to the server using the default values.
Report a bug
54 1
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Important
Configuration of collocated backup servers cannot contain configuration of destinations or
connection factories.
Note
The following information references stand al o ne-ful l -ha. xml . The configuration
changes can be applied to stand al o ne-ful l -ha. xml , or any configuration files derived
from it.
Report a bug
54 2
Chapt er 2 0 . Messaging
The advantage of shared store high-availability is that no replication occurs between the live and
backup nodes. This means it does not suffer any performance penalties due to the overhead of
replication during normal operation.
The disadvantage of shared store replication is that it requires a shared file system, and when the
backup server activates it must load the journal from the shared store. This can take some time,
depending on the amount of data in the store.
If the highest performance during normal operation is required, there is access to a fast SAN, and a
slightly slower failover rate is acceptable (depending on the amount of data), shared store highavailability is recommended.
Report a bug
Important
NFS is supported under strict configuration guidelines outlined below.
The Red Hat Enterprise Linux NFS implementation supports both direct I/O (opening files with the
O_D IRECT flag set), and kernel based asynchronous I/O. With both of these features present, it is
possible to use NFS as a shared storage option, under strict configuration rule:
The Red Hat Enterprise Linux NFS client cache must be disabled.
Note
It is recommended that, if using NFS under the above stipulations, a highly-available NFS
configuration is used.
Report a bug
54 3
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Important
Check the server log after JBoss EAP 6 is started, to ensure that the native library successfully
loaded, and that the ASYNCIO journal type is being used. If the native library fails to load,
HornetQ will revert to the NIO journal type, and this will be stated in the server log.
The NIO journal type uses standard Java NIO to interface with the file system. It provides very good
performance and runs on all supported platforms.
To specify the HornetQ journal type, set the parameter <jo urnal -type> in the Messag i ng
subsystem.
Report a bug
20.14 .5. Configuring Hornet Q for Dedicat ed T opology wit h Shared St ore
To configure the live and backup servers for shared store in dedicated topology, configure the
stand al o ne-X. xml files on each server to have the following:
< shared-store>true</shared-store>
< paging-directory path="${shared.directory}/journal"/>
< bindings-directory path="${shared.directory}/bindings"/>
< journal-directory path="${shared.directory}/journal"/>
< large-messages-directory path="${shared.directory}/large-messages"/>
.
< cluster-connections>
<cluster-connection name="my-cluster">
...
</cluster-connection>
< /cluster-connections>
T ab le 20.14 . H o rn et Q Servers Set u p At t rib u t es ( f o r b o t h live an d b acku p servers)
At t rib u t e
D escrip t io n
shared-store
paging-directory path
bindings-directory path
journal-directory path
large-messages-directory path
54 4
Chapt er 2 0 . Messaging
At t rib u t e
D escrip t io n
failover-on-shutdown
< backup>true</backup>
The setup attribute exclusively for HornetQ backup server is: al l o w-fai l back. This specifies
whether the backup server will automatically shutdown if the original live server comes back up.
Report a bug
Warning
Only persistent messages are replicated. Any non-persistent messages do not survive failover.
Message replication between a live and a backup server is achieved via network traffic as the live
and backup servers do not share the same data stores. All the journals are replicated between the
two servers as long as the two servers are within the same cluster and have the same cluster
username and password. All persistent data traffic received by the live server gets replicated to the
backup server.
When the backup server comes online, it looks for and connects to a live server to attempt
synchronization. While it is synchronizing, it is unavailable as a backup server. Synchronization
can take a long time depending on the amount of data to be synchronized and the network speed. If
the backup server comes online and no live server is available, the backup server will wait until the
live server is available in the cluster.
To enable servers to replicate data, a link must be defined between them in the stand al o ne-ful l ha. xml file. A backup server will only replicate with a live server with the same group name. The
group name must be defined in the backup-group-name parameter in the stand al o ne-ful l ha. xml file on each server.
In the event of a live server failing, the correctly configured and fully synchronized backup server
takes over its duties. The backup server will activate only if the live server has failed and the backup
server is able to connect to more than half of the servers in the cluster. If more than half of the other
servers in the cluster also fail to respond it would indicate a general network failure and the backup
server will wait to retry the connection to the live server.
To get to the original state after failover, it is necessary to start the live server and wait until it is fully
synchronized with the backup server. When this has been achieved, you can shutdown the backup
server for the original live server to activate again. This happens automatically if the allowfailback attribute is set to true.
Report a bug
54 5
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<shared-store>false</shared-store>
<backup-group-name>NameOfLiveBackupPair</backup-group-name>
<check-for-live-server>true</check-for-live-server>
.
.
.
<cluster-connections>
<cluster-connection name="my-cluster">
...
</cluster-connection>
</cluster-connections>
T ab le 20.15. H o rn et Q R ep licat in g Set u p At t rib u t es
At t rib u t e
D escrip t io n
shared-store
backup-group-name
check-for-live-server
failover-on-shutdown
D escrip t io n
allow-failback
max-saved-replicated-journal-size
Report a bug
54 6
Chapt er 2 0 . Messaging
The backup server only takes over if the live server crashes and there is a failover. After the live server
has been restarted, and if the al l o w-fai l back attribute is set to true, it becomes the live server
again. When the original live server takes over, the backup server reverts to being backup for the live
server.
Important
Clustering should be enabled even if you are not using the clustering capabilities. This is
because each node of the HA cluster must have a cluster-connection to all of the other nodes,
in order to negotiate roles with the other servers.
High availability cluster topology is achieved by the live and backup server as they send information
about their connection details using IP multicasts. If IP multicasts can not be used, it is also possible
to use a static configuration of the initial connections. After the initial connection, the client is
informed about the topology. If the current connection is stale, the client establishes a new
connection to another node.
After a live server has failed and a backup server has taken over, you will need to restart the live
server and have clients fail back. To do this, restart the original live server and kill the new live server.
You can do this by killing the process itself or wait for the server to crash on its own. You can also
cause failover to occur on normal server shutdown, to enable this set the fai l o ver-o n-shutd o wn
property to true in the stand al o ne. xml configuration file:
<failover-on-shutdown>true</failover-on-shutdown>
By default, the fai l o ver-o n-shutd o wn property is set to false.
You can also force the new live server to shutdown when the old live server comes back up allowing
the original live server to take over automatically by setting the al l o w-fai l back property to true in
the stand al o ne. xml configuration file:
<allow-failback>true</allow-failback>
In replication HA mode, to force the new live server to shutdown when the old live server comes back,
set the check-fo r-l i ve-server property to true in stand al o ne. xml configuration file:
<check-for-live-server>true</check-for-live-server>
Report a bug
54 7
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Note
In order for the TM options to be visible in the Management Console or Management CLI, the
transacti o ns subsystem must be enabled. It is enabled by default, and required for many
other subsystems to function properly, so it is very unlikely that it would be disabled.
54 8
Most options are shown in the Transaction Manager configuration page. The R eco very options are
hidden by default. Click the R eco very tab to see the recovery options. Click Ed i t to edit any of the
options. Changes take effect immediately.
Click the Need Hel p? label to display in-line help text.
C o n f ig u re t h e T M u sin g t h e Man ag emen t C LI
In the Management CLI, you can configure the TM using a series of commands. The commands all
begin with /pro fi l e= d efaul t/subsystem= transacti o ns/ for a managed domain with profile
d efaul t, or /subsystem= transacti o ns for a Standalone Server.
Important
HornetQ does not allow multiple instances to share a message log store. If you are configuring
multiple instances of HornetQ, each instance must have its own message log store.
T ab le 21.1. T M C o n f ig u rat io n O p t io n s
O p t io n
D escrip t io n
C LI C o mman d
Enable Statistics
D efault Timeout
54 9
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
D escrip t io n
C LI C o mman d
Socket Binding
Recovery Listener
The following options are for advanced use and can only be modified using the Management CLI. Be
cautious when changing them from the default configuration. Contact Red Hat Global Support
Services for more information.
T ab le 21.2. Ad van ced T M C o n f ig u rat io n O p t io n s
O p t io n
D escrip t io n
C LI C o mman d
jts
550
O p t io n
D escrip t io n
C LI C o mman d
node-identifier
process-id-socket-max-ports
551
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
O p t io n
D escrip t io n
C LI C o mman d
process-id-uuid
use-hornetq-store
Report a bug
552
553
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
R esu lt
Your XA D atasource is configured and ready to use.
Report a bug
Transaction Commit
Transaction Rollback
554
Transaction Timeout
Report a bug
555
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
D EBUG
INFO
WARN
ERROR
FAILURE
U se Paren t H an d lers
Whether the logger should send its output to its parent logger. The default behavior
is true.
3. Changes take effect immediately.
Report a bug
556
557
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
You can verify this by re-running the : pro be operation on the l o g -sto re and
checking that the participant is no longer listed. If this is the last participant, the
transaction is also deleted.
R ef resh t h e st at u s o f a t ran sact io n wh ich n eed s reco very.
If a transaction needs recovery, you can use the : refresh CLI command to be sure it still
requires recovery, before attempting the recovery.
/profile=default/subsystem=transactions/log-store=logstore/transactions=0\:ffff7f000001\:b66efc2\:4f9e6f8f\:9/participants=2:refresh
View T ran sact io n St at ist ics
If Transaction Manager statistics are enabled, you can view statistics about the Transaction
Manager and transaction subsystem. See Section 21.1.2, Configure the Transaction Manager for
information about how to enable Transaction Manager statistics.
You can view statistics either via the management console or the management CLI. In the
management console, transaction statistics are available via R u n t ime St at u s Su b syst ems
T ran sact io n s. Transaction statistics are available for each server in a managed domain. To
view the status of a different server, select C hang e Server in the left-hand menu and select the
server from the list.
The following table shows each available statistic, its description, and the management CLI
command to view the statistic.
T ab le 21.4 . T ran sact io n Su b syst em St at ist ics
St at ist ic
D escrip t io n
Total
Committed
558
C LI C o mman d
/host=master/server=
serverone/subsystem=transac
tions/:readattribute(name=numbe
r-oftransactions,include
-defaults=true)
/host=master/server=
serverone/subsystem=transac
tions/:readattribute(name=numbe
r-of-committedtransactions,include
-defaults=true)
St at ist ic
D escrip t io n
Aborted
Timed Out
Heuristics
In-Flight Transactions
C LI C o mman d
/host=master/server=
serverone/subsystem=transac
tions/:readattribute(name=numbe
r-of-abortedtransactions,include
-defaults=true)
/host=master/server=
serverone/subsystem=transac
tions/:readattribute(name=numbe
r-of-timed-outtransactions,include
-defaults=true)
/host=master/server=
serverone/subsystem=transac
tions/:readattribute(name=numbe
r-ofheuristics,includedefaults=true)
/host=master/server=
serverone/subsystem=transac
tions/:readattribute(name=numbe
r-of-inflighttransactions,include
-defaults=true)
/host=master/server=
serverone/subsystem=transac
tions/:readattribute(name=numbe
r-of-applicationrollbacks,includedefaults=true)
559
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
St at ist ic
D escrip t io n
Participant ID
C LI C o mman d
/host=master/server=
serverone/subsystem=transac
tions/:readattribute(name=numbe
r-of-resourcerollbacks,includedefaults=true)
/host=master/server=
serverone/subsystem=transac
tions/log-store=logstore:read-childrennames(childtype=transactions)
Report a bug
560
Report a bug
Note
In a managed domain, the JacORB subsystem is available in ful l and ful l -ha profiles
only. In a standalone server, it is available when you use the stand al o ne-ful l . xml or
stand al o ne-ful l -ha. xml configurations.
561
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Refer to the other sections of the form for advanced configuration options. Each section
includes a Need Hel p? link with detailed information about the parameters.
C o n f ig u re t h e O R B u sin g t h e Man ag emen t C LI
You can configure each aspect of the ORB using the Management CLI. The following commands
configure the initializers to the same values as the procedure above, for the Management Console.
This is the minimum configuration for the ORB to be used with JTS.
These commands are configured for a managed domain using the ful l profile. If necessary,
change the profile to suit the one you need to configure. If you use a standalone server, omit the
/pro fi l e= ful l portion of the commands.
Note
For JTS activation, the server must be restarted as reload is not enough.
Report a bug
562
Note
A JD BC datasource used as a Transactions object store must specify jta= "fal se" in the
d ataso urce section of the server's configuration file.
D escrip t io n
use-jd bc-sto re
563
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
564
565
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
566
Important
Entity beans are now deprecated in EJB 3.1 and Red Hat recommends the use of JPA entities
instead. Red Hat only recommends the use of Entity beans for backwards compatibility with
legacy systems.
Report a bug
567
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
2. Click on the C o n f ig u rat io n tab at the top of the screen. Expand the C o n t ain er menu and
select EJB 3. Select the B ean Po o ls tab.
3. Click Ad d . The Ad d EJB3 Bean P o o l s dialog appears.
4. Specify the required details, Name, Max P o o l Si ze, T i meo ut value, and T i meo ut unit.
5. Click Save button to finish.
Pro ced u re 23.2. C reat e a b ean p o o l u sin g t h e C LI
1. Launch the CLI tool and connect to your server. Refer to Section 3.5.4, Connect to a
Managed Server Instance Using the Management CLI .
2. Use the ad d operation with the following syntax.
/subsystem=ejb3/strict-max-bean-instance-pool=BEANPOOLNAME:add(maxpool-size=MAXSIZE, timeout=TIMEOUT, timeout-unit="UNIT")
Replace BEANPOOLNAME with the required name for the bean pool.
Replace MAXSIZE with the maximum size of the bean pool.
Replace TIMEOUT
Replace UNIT with the required time unit. Allowed values are: NANO SEC O ND S,
MIC R O SEC O ND S, MILLISEC O ND S, SEC O ND S, MINUT ES, HO UR S, and D AY S.
3. Use the read -reso urce operation to confirm the creation of the bean pool.
/subsystem=ejb3/strict-max-bean-instance-pool=BEANPOOLNAME:readresource
<pools>
<bean-instance-pools>
<strict-max-pool
name="slsb-strict-max-pool" max-pool-
size="20"
568
instance-acquisition-timeout="5"
instance-acquisition-timeout-unit="MINUTES" />
instance-acquisition-timeout="5"
instance-acquisition-timeout-unit="MINUTES" />
</bean-instance-pools>
</pools>
< /subsystem>
Report a bug
569
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
Report a bug
570
571
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<session-bean>
<stateless>
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
</stateless>
<stateful default-access-timeout="5000" cache-ref="simple"/>
<singleton default-access-timeout="5000"/>
</session-bean>
<mdb>
<resource-adapter-ref resource-adapter-name="hornetq-ra"/>
<bean-instance-pool-ref pool-name="mdb-strict-max-pool"/>
</mdb>
< /subsystem>
Report a bug
572
<thread-pools>
</thread-pools>
< /subsystem>
Report a bug
573
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Section 23.7.2, Configure the EJB3 Asynchronous Invocation Service Thread Pool
Section 23.8.2, Configure the EJB3 Remote Service
Pro ced u re 23.11. R emo ve an EJB t h read p o o l u sin g t h e Man ag emen t C o n so le
1. Login to the Management Console. Section 3.4.2, Log in to the Management Console .
2. Click on the C o n f ig u rat io n tab at the top of the screen. Expand the C o n t ain er menu and
select EJB 3. Select the T h read Po o ls tab.
3. Select the thread pool to you want to remove.
4. Click R emo ve. The R emo ve Item dialog appears.
5. Click O K to confirm.
Pro ced u re 23.12. R emo ve a t h read p o o l u sin g t h e C LI
1. Launch the CLI tool and connect to your server. Refer to Section 3.5.4, Connect to a
Managed Server Instance Using the Management CLI .
2. Use the remo ve operation with the following syntax.
/subsystem=ejb3/thread-pool=THREADPOOLNAME:remove
Replace THREADPOOLNAME with the name of the thread pool.
Report a bug
574
Important
When changing the value of the keepal i ve-ti me attribute with the CLI the required value is
an object representation. It has the following syntax.
/subsystem=ejb3/thread-pool=THREADPOOLNAME:writeattribute(name="keepalive-time", value={"time" => "VALUE","unit" =>
"UNIT"}
575
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
576
<session-bean>
<stateless>
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
</stateless>
<singleton default-access-timeout="5000"/>
</session-bean>
< /subsystem>
Report a bug
577
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Pro ced u re 23.18. Set t h e D ef au lt R eso u rce Ad ap t er f o r Messag e- D riven B ean s u sin g t h e
C LI
1. Launch the CLI tool and connect to your server. Refer to Section 3.5.4, Connect to a
Managed Server Instance Using the Management CLI .
2. Use the wri te-attri bute operation with the following syntax.
/subsystem=ejb3:write-attribute(name="default-resource-adaptername", value="RESOURCE-ADAPTER")
Replace RESOURCE-ADAPTER with name of the resource adapter to be used.
3. Use the read -reso urce operation to confirm the changes.
/subsystem=ejb3:read-resource
<resource-adapter-ref resource-adapter-name="hornetq-ra"/>
<bean-instance-pool-ref pool-name="mdb-strict-max-pool"/>
</mdb>
< /subsystem>
Report a bug
578
JBoss Administrators can configure the EJB3 Timer Service in the JBoss EAP 6 Management
Console. The features that can be configured are the thread pool that is used for scheduled bean
invocation and the directory where the Timer Service data is stored.
Pro ced u re 23.19 . C o n f ig u re t h e EJB 3 T imer Service
1. Login to the Management Console. See Section 3.4.2, Log in to the Management Console .
2. Click on the C o n f ig u rat io n tab at the top of the screen. Expand the C o n t ain er menu and
select EJB 3. Select the Services tab, click on T imer Services.
3. Click Edit. The fields in the D etai l s area can now be edited.
4. You can select a different EJB3 thread pool used for the Timer Service if additional thread
pools have been configured, and you can change the directory used to save the Timer
Service data. The Timer Service data directory configuration consists of two values: P ath, the
directory that data is stored in; and R el ati ve T o , the directory which contains P ath. By
default R el ati ve T o is set to a Filesystem Path Variable.
5. Click Save to finish.
Report a bug
579
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
580
Container-Managed Persistence (CMP) is handled by the o rg . jbo ss. as. cmp extension. CMP is
enabled by default in the managed domain and standalone server full configurations, e.g.
stand al o ne-ful l . xml .
To enable CMP in a different configuration, add the o rg . jbo ss. as. cmp module to the list of
enabled extensions in the server configuration file.
< extensions>
<extension module="org.jboss.as.cmp"/>
< /extensions>
Once the extension has been added, you must also add the following element in the profile's XML
configuration file under the <profile> element.
< subsystem xmlns="urn:jboss:domain:cmp:1.1"/>
To disable CMP in a server configuration, remove the extension entry for the o rg . jbo ss. as. cmp
module.
Report a bug
<key-generators>
</key-generators>
< /subsystem>
581
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
H iLo K ey G en erat o rs
HiLo key generators use a database to create and store entity identity keys. HiLo Key
generators must have unique names and are configured with properties that specify the
datasource used to store the data as well as the names of the table and columns that store
the keys.
HiLo key generators can be added using the CLI using the following command syntax:
/subsystem=cmp/hilo-keygenerator=UNIQUE_NAME/:add(property=value,
property=value, ...)
<key-generators>
<hilo name="HiLoKeyGeneratorFactory">
<block-size>10</block-size>
<create-table>true</create-table>
<datasource>java:jboss/datasources/ExampleDS</data-source>
<id-column>HIGHVALUES</id-column>
<sequence-column>SEQUENCENAME</sequence-column>
<sequence-name>general</sequence-name>
<table-name>HILOSEQUENCES</table-name>
</hilo>
</key-generators>
</subsystem>
Note
The block-size must be set to a value !=0, otherwise the generated PKey will not
incremented and therefore the creation of entities fail with a
D uplicateKeyException.
582
Note
The select-hi-ddl must be set as 'FOR UPD ATE' in case of cluster to ensure the
consistency. All databases do not support the locking feature.
Report a bug
23.9.5. CMP Subsyst em Propert ies for HiLo Key Generat ors
T ab le 23.1. C MP Su b syst em Pro p ert ies f o r H iLo K ey G en erat o rs
Pro p ert y
D at a
t yp e
D escrip t io n
bl o ck-si ze
create-tabl e
long
boolean
create-tabl eddl
d ata-so urce
d ro p-tabl e
i d -co l umn
sel ect-hi -d d l
string
token
token
token
token
boolean
token
string
Report a bug
583
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
584
Report a bug
D ef au lt Valu e
D escrip t io n
enabl ed
fai l -o nerro r
fai l -o nwarn
true
true
false
D ef au lt Valu e
D escrip t io n
enabl ed
true
585
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
If bean validation is not specified, it is considered present and the enabl ed attribute
defaults to true.
Wo rk man ag ers
There are two types of work managers:
D ef au lt wo rk man ag er
The default work manager and its thread pools.
C u st o m wo rk man ag er
A custom work manager definition and its thread pools.
The following table describes the attributes you can set for work managers.
T ab le 24 .3. Wo rk man ag er at t rib u t es
At t rib u t e
D escrip t io n
name
The following table describes the attributes you can set for work manager thread pools.
T ab le 24 .4 . T h read p o o l at t rib u t es
At t rib u t e
D escrip t io n
q ueue-l eng th
max-thread
keepal i ve-ti me
thread -facto ry
B o o t st rap co n t ext s
D escrip t io n
name
wo rkmanag er
586
D ef au lt Valu e
D escrip t io n
d ebug
false
erro r
false
587
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
588
589
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
590
B. In Standalone mode, select the Application Component from the list. Click En/D i sabl e.
Click C o nfi rm on the Are Y o u Sure? dialog to enable the component.
Pro ced u re 24 .4 . D ep lo y a reso u rce ad ap t er man u ally
Copy the resource adapter archive to the server deployments directory,
A. For a standalone server, copy the resource adapter archive to the
EAP_HOME/stand al o ne/d epl o yments/ directory.
B. For a managed domain, you must use the Management Console or Management CLI to deploy
the resource adapter archive to the server groups.
Report a bug
Note
In the following procedure, the command line you must type follows the
[stand al o ne@ l o cal ho st: 9 9 9 9 /] prompt. D o not type the text within the curly braces.
That is the output you should see as a result of the command, for example, {"o utco me" = >
"success"}.
591
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
592
593
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
594
17. The admin object is complete, but disabled. Click Enabl e to enable the admin object.
18. A dialog asks R eal l y mo d i fy Ad mi n O jbect? for the JND I name. Click C o nfi rm. The
admin object should now appear as Enabl ed .
19. You must reload the server configuration to complete the process. Click on the R unti me tab.
Expand the Server menu. Select O vervi ew in the left navigation panel.
a. Reload the servers
A. In D omain mode, hover the mouse over a server group. Select R estart G ro up.
B. In Standalone mode, a R el o ad button will be available. Click R el o ad .
20. A dialog asks D o yo u want to rel o ad the server co nfi g urati o n? for the
specified server. Click C o nfi rm. The server configuration is up to date.
Pro ced u re 24 .7. C o n f ig u re a reso u rce ad ap t er man u ally
1. Stop the JBoss EAP 6 server.
Important
You must stop the server before editing the server configuration file for your change to
be persisted on server restart.
2. Open the server configuration file for editing.
A. For a standalone server, this is the
EAP_HOME/stand al o ne/co nfi g urati o n/stand al o ne. xml file.
B. For a managed domain, this is the EAP_HOME/d o mai n/co nfi g urati o n/d o mai n. xml
file.
3. Find the urn: jbo ss: d o mai n: reso urce-ad apters subsystem in the configuration file.
4. If there are no resource adapters defined for this subsystem, first replace:
<resource-adapters>
</resource-adapters>
< /subsystem>
5. Replace the <! -- <reso urce-ad apter> co nfi g urati o n l i sted bel o w --> with
the XML definition for your resource adapter. The following is the XML representation of the
resource adapter configuration created using the Management CLI and Web-based
Management Console described above.
595
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
< resource-adapter>
<archive>
eis.rar
</archive>
<transaction-support>XATransaction</transaction-support>
<config-property name="server">
localhost
</config-property>
<config-property name="port">
9000
</config-property>
<connection-definitions>
<connection-definition classname="com.acme.eis.ra.EISManagedConnectionFactory"
jndi-name="java:/eis/AcmeConnectionFactory"
pool-name="java:/eis/AcmeConnectionFactory">
<config-property name="name">
Acme Inc
</config-property>
</connection-definition>
</connection-definitions>
<admin-objects>
<admin-object classname="com.acme.eis.ra.EISAdminObjectImpl"
jndi-name="java:/eis/AcmeAdminObject"
pool-name="java:/eis/AcmeAdminObject">
<config-property name="threshold">
10
</config-property>
</admin-object>
</admin-objects>
< /resource-adapter>
6. St art t h e server
Relaunch the JBoss EAP 6 server to start it running with the new configuration.
Report a bug
D escrip t io n
596
Elemen t
D escrip t io n
transacti o n-suppo rt
D escrip t io n
D escrip t io n
cl ass-name
jnd i -name
enabl ed
use-java-co ntext
po o l -name
use-ccm
D escrip t io n
po o l
xa-po o l
securi ty
ti meo ut
val i d ati o n
reco very
T ab le 24 .11. Po o l elemen t s
Elemen t
D escrip t io n
mi n-po o l -si ze
max-po o l -si ze
prefi l l
use-stri ct-mi n
597
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Elemen t
D escrip t io n
fl ush-strateg y
T ab le 24 .12. XA p o o l elemen t s
Elemen t
D escrip t io n
mi n-po o l -si ze
max-po o l -si ze
prefi l l
use-stri ct-mi n
fl ush-strateg y
i s-same-rm-o verri d e
i nterl eavi ng
no -tx-separate-po o l s
pad -xi d
wrap-xa-reso urce
D escrip t io n
appl i cati o n
598
Elemen t
D escrip t io n
D escrip t io n
D escrip t io n
D escrip t io n
599
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
D escrip t io n
reco ver-pl ug i n
The deployment schemas are defined in jbo ss-as-reso urce-ad apters_1_0 . xsd and
http://www.ironjacamar.org/doc/schema/ironjacamar_1_0.xsd for automatic activation.
Report a bug
Examp le 24 .1.
/deployment=example.rar/subsystem=resourceadapters/statistics=statistics/connectiondefinitions=java\:\/testMe:read-resource(include-runtime=true)
Note
Ensure you specify the include-runtime=true argument, as all statistics are runtime only
information and the default is fal se.
Report a bug
D escrip t io n
600
N ame
D escrip t io n
MaxUsed C o unt
MaxWai tC o unt
MaxWai tT i me
T i med O ut
T o tal Bl o cki ng T i m
e
T o tal C reati o nT i m
e
Wai tC o unt
Report a bug
601
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Note
There is a known issue in WebSphere MQ Resource Adapter version 7.5.0.3 and earlier that
causes periodic recovery to fail with an XA exception with messages similar to the following in
the JBoss EAP server log:
WARN [com.arjuna.ats.jta] (Periodic Recovery) ARJUNA016027: Local
XARecoveryModule.xaRecovery got XA exception
XAException.XAER_INVAL: javax.transaction.xa.XAException: The
method 'xa_recover' has failed with errorCode '-5'.
For this reason, it is recommended that you use version 7.5.0.4 or later. A detailed description
of this issue can be found here: http://www-01.ibm.com/support/docview.wss?
uid=swg1IC97579.
Prereq u isit es
Before you get started, you must verify the version of the WebSphere MQ resource adapter and
understand some of the WebSphere MQ configuration properties.
The WebSphere MQ resource adapter is supplied as a Resource Archive (RAR) file called
wmq . jmsra-VERSION. rar. You must use version 7. 5. 0 . 0 and hi g her.
You must know the values of the following WebSphere MQ configuration properties. Refer to the
WebSphere MQ product documentation for details about these properties.
MQ.QUEUE.MANAGER: The name of the WebSphere MQ queue manager
MQ.HOST.NAME: The host name used to connect to the WebSphere MQ queue manager
MQ.CHANNEL.NAME: The server channel used to connect to the WebSphere MQ queue
manager
MQ.QUEUE.NAME: The name of the destination queue
MQ.TOPIC.NAME: The name of the destination topic
MQ.PORT: The port used to connect to the WebSphere MQ queue manager
MQ.CLIENT: The transport type
For outbound connections, you must also be familiar with the following configuration property:
MQ.CONNECTIONFACTORY.NAME: The name of the connection factory instance that will
provide the connection to the remote system
Note
The following are default configurations provided by IBM and are subject to change. Please
refer to WebSphere MQ documentation for more information.
602
1. If you need transaction support with the WebSphereMQ resource adapter, you must
repackage the wmq . jmsra-VER SIO N. rar archive to include the mq etcl i ent. jar. You
can use the following command:
[user@ host ~]$ jar -uf wmq . jmsra-VERSION. rar mq etcl i ent. jar
Be sure to replace the VERSION with the correct version number.
2. Copy the wmq . jmsra-VERSION. rar file to the EAP_HOME/stand al o ne/d epl o yments/
directory.
3. Add the resource adapter to the server configuration file.
a. Open the EAP_HOME/stand al o ne/co nfi g urati o n/stand al o ne-ful l . xml file
in an editor.
b. Find the urn: jbo ss: d o mai n: reso urce-ad apters subsystem in the
configuration file.
c. If there are no resource adapters defined for this subsystem, first replace:
< subsystem xmlns="urn:jboss:domain:resource-adapters:1.1"/>
with this:
< subsystem xmlns="urn:jboss:domain:resource-adapters:1.1">
<resource-adapters>
</resource-adapters>
< /subsystem>
d. The resource adapter configuration depends on whether you need transaction
support and recovery. If you do not need transaction support, choose the first
configuration step below. If you do need transaction support, choose the second
configuration step.
A. For non-transactional deployments, replace the <! -- <reso urce-ad apter>
co nfi g urati o n l i sted bel o w --> with the following:
< resource-adapter>
<archive>
wmq.jmsra-VERSION.rar
</archive>
<transaction-support>NoTransaction</transactionsupport>
<connection-definitions>
<connection-definition
classname="com.ibm.mq.connector.outbound.ManagedConnectionFacto
ryImpl"
jndiname="java:jboss/MQ.CONNECTIONFACTORY.NAME"
pool-name="MQ.CONNECTIONFACTORY.NAME">
<config-property name="hostName">
MQ.HOST.NAME
603
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
</config-property>
<config-property name="port">
MQ.PORT
</config-property>
<config-property name="channel">
MQ.CHANNEL.NAME
</config-property>
<config-property name="transportType">
MQ.CLIENT
</config-property>
<config-property name="queueManager">
MQ.QUEUE.MANAGER
</config-property>
<security>
<securitydomain>MySecurityDomain</security-domain>
</security>
</connection-definition>
</connection-definitions>
<admin-objects>
<admin-object
classname="com.ibm.mq.connector.outbound.MQQueueProxy"
jndi-name="java:jboss/MQ.QUEUE.NAME"
pool-name="MQ.QUEUE.NAME">
<config-property name="baseQueueName">
MQ.QUEUE.NAME
</config-property>
<config-property name="baseQueueManagerName">
MQ.QUEUE.MANAGER
</config-property>
<admin-object classname="com.ibm.mq.connector.outbound.MQTopicProxy"
jndi-name="java:jboss/MQ.TOPIC.NAME" poolname="MQ.TOPIC.NAME">
<config-property name="baseTopicName">
MQ.TOPIC.NAME
</config-property>
<config-property name="brokerPubQueueManager">
MQ.QUEUE.MANAGER
</config-property>
</admin-object>
</admin-object>
</admin-objects>
< /resource-adapter>
Be sure to replace the VERSION with the actual version in the name of the RAR.
B. For transactional deployments, replace the <! -- <reso urce-ad apter>
co nfi g urati o n l i sted bel o w --> with the following:
< resource-adapter>
<archive>
wmq.jmsra-VERSION.rar
</archive>
<transaction-support>XATransaction</transaction-
604
support>
<connection-definitions>
<connection-definition
classname="com.ibm.mq.connector.outbound.ManagedConnectionFacto
ryImpl"
jndiname="java:jboss/MQ.CONNECTIONFACTORY.NAME"
pool-name="MQ.CONNECTIONFACTORY.NAME">
<config-property name="hostName">
MQ.HOST.NAME
</config-property>
<config-property name="port">
MQ.PORT
</config-property>
<config-property name="channel">
MQ.CHANNEL.NAME
</config-property>
<config-property name="transportType">
MQ.CLIENT
</config-property>
<config-property name="queueManager">
MQ.QUEUE.MANAGER
</config-property>
<security>
<securitydomain>MySecurityDomain</security-domain>
</security>
<recovery>
<recover-credential>
<user-name>USER_NAME</user-name>
<password>PASSWORD</password>
</recover-credential>
</recovery>
</connection-definition>
</connection-definitions>
<admin-objects>
<admin-object
classname="com.ibm.mq.connector.outbound.MQQueueProxy"
jndi-name="java:jboss/MQ.QUEUE.NAME"
pool-name="MQ.QUEUE.NAME">
<config-property name="baseQueueName">
MQ.QUEUE.NAME
</config-property>
<config-property name="baseQueueManagerName">
MQ.QUEUE.MANAGER
</config-property>
</admin-object>
<admin-object classname="com.ibm.mq.connector.outbound.MQTopicProxy"
jndi-name="java:jboss/MQ.TOPIC.NAME" poolname="MQ.TOPIC.NAME">
<config-property name="baseTopicName">
MQ.TOPIC.NAME
</config-property>
605
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<config-property name="brokerPubQueueManager">
MQ.QUEUE.MANAGER
</config-property>
</admin-object>
</admin-objects>
< /resource-adapter>
Be sure to replace the VERSION with the actual version in the name of the RAR.
You must also replace the USER_NAME and PASSWORD with the valid user name
and password.
Note
To support transactions, the <transaction-support> element was set to
XAT ransacti o n. To support XA recovery, the <recovery> element was
added to the connection definition.
e. If you want to change the default provider for the EJB3 messaging system in JBoss
EAP 6 from HornetQ to WebSphere MQ, modify the urn: jbo ss: d o mai n: ejb3: 1. 2
subsystem as follows:
Replace:
< mdb>
<resource-adapter-ref resource-adapter-name="hornetqra"/>
<bean-instance-pool-ref pool-name="mdb-strict-max-pool"/>
< /mdb>
with:
< mdb>
<resource-adapter-ref resource-adapter-name="wmq.jmsraVERSION.rar"/>
<bean-instance-pool-ref pool-name="mdb-strict-max-pool"/>
< /mdb>
Be sure to replace the VERSION with the actual version in the name of the RAR.
Pro ced u re 24 .9 . Mo d if y t h e MD B co d e t o u se t h e reso u rce ad ap t er
Configure the ActivationConfigProperty and ResourceAdapter in the MD B code as follows:
@ MessageDriven( name="WebSphereMQMDB",
activationConfig =
@ ActivationConfigProperty(propertyName =
"destinationType",propertyValue = "javax.jms.Queue"),
@ ActivationConfigProperty(propertyName = "useJNDI",
propertyValue = "false"),
@ ActivationConfigProperty(propertyName = "hostName",
propertyValue = "MQ.HOST.NAME"),
606
= "MQ.PORT"),
@ ActivationConfigProperty(propertyName = "channel",
propertyValue = "MQ.CHANNEL.NAME"),
@ ActivationConfigProperty(propertyName = "queueManager",
propertyValue = "MQ.QUEUE.MANAGER"),
@ ActivationConfigProperty(propertyName = "destination",
propertyValue = "MQ.QUEUE.NAME"),
@ ActivationConfigProperty(propertyName = "transportType",
propertyValue = "MQ.CLIENT")
})
@ ResourceAdapter(value = "wmq.jmsra-VERSION.rar")
@ TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
p ublic class WebSphereMQMDB implements MessageListener {
}
Be sure to replace the VERSION with the actual version in the name of the RAR.
Report a bug
24 .10. Configure a Generic JMS Resource Adapt er for Use wit h a T hirdpart y JMS Provider
Su mmary
JBoss EAP 6 can be configured to work with third-party JMS providers, however not all JMS
providers produce a JMS JCA resource adapter for integration with Java application platforms. This
procedure covers the steps required to configure the generic JMS resource adapter included in
JBoss EAP 6 to connect to a JMS provider. In this procedure, Tibco EMS 6.3 is used as an example
JMS provider, however other JMS providers may need a different configuration.
Important
The generic JMS JCA resource adapter should only be used when a JMS provider does not
provide its own resource adapter. Before using the generic JMS resource adapter, you should
first check with the JMS provider to see if they have their own resource adapter that can be
used with JBoss EAP 6.
Prereq u isit es
This procedure assumes that a JMS provider server is already configured and ready for use. Any
binaries required for the provider's JMS implementation will be needed. You will also need to know
the values of the following JMS provider properties:
607
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
PROVIDER_HOST:PROVIDER_PORT: The host name and port number of the JMS provider server.
PROVIDER_CONNECTION_FACTORY: The name of the connection factory deployed on the JMS
provider server. This must be XA.
PROVIDER_QUEUE, PROVIDER_TOPIC: The names of the queues and topics on the JMS provider
server that are to be used.
Pro ced u re 24 .10. C o n f ig u re a G en eric JMS R eso u rce Ad ap t er
1. Create an O bjectFacto ry implementation for the JND I binding of queues and topics:
a. Using the code below as a template, replace the server details with your JMS provider
server values.
i mport java.util.Hashtable;
i mport java.util.Properties;
public RemoteJMSObjectFactory() {
}
try {
"com.tibco.tibjms.naming.TibjmsInitialContextFactory");
env.put(Context.URL_PKG_PREFIXES,
"com.tibco.tibjms.naming");
env.put(Context.PROVIDER_URL,
"tcp://TIBCO_HOST:TIBCO_PORT");
return o;
} catch (NamingException e) {
e.printStackTrace();
throw e;
}
}
}
b. Compile the above code, and save the resulting class file in a JAR file named
remo teJMSO bjectFacto ry. jar
2. Create a g eneri cjms module for your JBoss EAP 6 instance:
608
<resource-root path="tibjms.jar"/>
<resource-root path="tibcrypt.jar"/>
<resource-root path="remoteJMSObjectFactory.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.jms.api"/>
</dependencies>
< /module>
3. Add the generic JMS module as a dependency for all deployments as global modules.
Note
In this procedure, EAP_HOME/stand al o ne/co nfi g urati o n/stand al o neful l . xml is used as the JBoss EAP 6 configuration file.
In EAP_HOME/stand al o ne/co nfi g urati o n/stand al o ne-ful l . xml , under
<subsystem xml ns= "urn: jbo ss: d o mai n: ee: 1. 1">, add:
< global-modules>
<module name="org.jboss.genericjms.provider" slot="main"/>
<module name="org.jboss.common-core" slot="main"/>
< /global-modules>
4. Replace the default HornetQ resource adapter with the generic resource adapter.
In EAP_HOME/stand al o ne/co nfi g urati o n/stand al o ne-ful l . xml , replace
<subsystem xml ns= "urn: jbo ss: d o mai n: ejb3: 1. 4 "> <md b>, with:
< mdb>
<resource-adapter-ref resource-adaptername="org.jboss.genericjms"/>
609
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<bean-instance-pool-ref pool-name="mdb-strict-max-pool"/>
< /mdb>
5. Add bindings for your JMS topics and queues as remote objects as necessary.
In EAP_HOME/stand al o ne/co nfi g urati o n/stand al o ne-ful l . xml , under
<subsystem xml ns= "urn: jbo ss: d o mai n: nami ng : 1. 3">, add the bindings, replacing
PROVIDER_QUEUE and PROVIDER_TOPIC as necessary:
< bindings>
<object-factory name="PROVIDER_QUEUE"
module="org.jboss.genericjms.provider"
class="org.jboss.qa.RemoteJMSObjectFactory"/>
<object-factory name="PROVIDER_TOPIC"
module="org.jboss.genericjms.provider"
class="org.jboss.qa.RemoteJMSObjectFactory"/>
< /bindings>
6. In EAP_HOME/stand al o ne/co nfi g urati o n/stand al o ne-ful l . xml , add the generic
resource adapter configuration to <subsystem
xml ns= "urn: jbo ss: d o mai n: reso urce-ad apters: 1. 1">.
Replace PROVIDER_CONNECTION_FACTORY, PROVIDER_HOST, and PROVIDER_PORT with
the JMS provider values.
< resource-adapters>
<resource-adapter id="org.jboss.genericjms">
<transaction-support>NoTransaction</transaction-support>
<connection-definitions>
<connection-definition classname="org.jboss.resource.adapter.jms.JmsManagedConnectionFactory"
jndi-name="java:/jms/PROVIDER_CONNECTION_FACTORY" poolname="PROVIDER_CONNECTION_FACTORY">
<config-property name="JndiParameters">
java.naming.factory.initial=com.tibco.tibjms.naming.TibjmsInitialCo
ntextFactory;java.naming.provider.url=tcp://PROVIDER_HOST:PROVIDER
_PORT
</config-property>
<config-property name="ConnectionFactory">
PROVIDER_CONNECTION_FACTORY
</config-property>
<security>
<application/>
</security>
</connection-definition>
</connection-definitions>
</resource-adapter>
< /resource-adapters>
R esu lt
The generic JMS resource adapter is now configured and ready for use.
610
When creating a new message driven bean (MD B), use code similar below to use the resource
adapter. Replace PROVIDER_CONNECTION_FACTORY, PROVIDER_HOST, and PROVIDER_PORT
with the JMS provider values.
Optionally, the example below also configures a secure connection for Tibco EMS by specifying the
user and passwo rd properties (replace the property values as needed).
@ MessageDriven(activationConfig = {
@ ActivationConfigProperty(propertyName = "destinationType",
propertyValue = "javax.jms.Queue"),
@ ActivationConfigProperty(propertyName = "jndiParameters",
propertyValue =
"java.naming.factory.initial=com.tibco.tibjms.naming.TibjmsInitialContex
tFactory;java.naming.provider.url=tcp://PROVIDER_HOST:PROVIDER_PORT")
@ ActivationConfigProperty(propertyName = "destination", propertyValue
= "PROVIDER_QUEUE"),
@ ActivationConfigProperty(propertyName = "connectionFactory",
propertyValue = "PROVIDER_CONNECTION_FACTORY"),
@ ActivationConfigProperty(propertyName = "user", propertyValue =
"USER"),
@ ActivationConfigProperty(propertyName = "password", propertyValue =
"PASSWORD"),
} )
@ ResourceAdapter("org.jboss.genericjms")
p ublic class SampleMdb implements MessageListener {
@ Override
}
}
Report a bug
611
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
612
Important
JBoss Cloud Access does not currently provide support for the full-ha profile, in either
standalone instances or a managed domain.
Report a bug
D escrip t io n
Standard Instance
Important
The instance type Mi cro (t1. mi cro ) is not suitable for deployment of JBoss EAP 6.
Report a bug
613
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
614
A pre-configured Security Group which allows incoming requests on at least ports 22, 8080, and
9990.
Pro ced u re 25.1. Lau n ch a N o n - clu st ered In st an ce o f JB o ss EAP 6 o n a R ed H at AMI
( Amaz o n Mach in e Imag e)
1. Configure the User D ata field. The configurable parameters are available here:
Section 25.4.1, Permanent Configuration Parameters , Section 25.4.2, Custom Script
Parameters .
2. Fo r Pro d u ct io n In st an ces
For a production instance, add the following line beneath the USER _SC R IP T line of the User
D ata field, to ensure security updates are applied on boot.
yum -y update
Note
yum -y upd ate should be run regularly, to apply security fixes and enhancements.
3. Launch the Red Hat AMI instance.
615
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
R esu lt
A non-clustered instance of JBoss EAP 6 has been configured, and launched on a Red Hat AMI.
Report a bug
25.2.2.2.2. D ep lo y an Ap p licat io n o n a n o n - clu st ered JB o ss EAP 6 In st an ce
Su mmary
This topic covers deploying an application to a non-clustered JBoss EAP 6 instance on a Red Hat
AMI.
1. A. D ep lo y t h e Samp le Ap p licat io n
Add the following lines to the User D ata field:
# Deploy the sample application from the local filesystem
deploy --force /usr/share/java/jboss-ec2-eap-samples/hello.war
B. D ep lo y a C u st o m Ap p licat io n
Add the following lines to the User D ata field, configuring the application name and the
URL:
# Get the application to be deployed from an Internet URL
mkdir -p /usr/share/java/jboss-ec2-eap-applications
wget https://<your secure storage hostname>/<path>/<app
name>.war -O /usr/share/java/jboss-ec2-eap-applications/<app
616
name>.war
617
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
5. Log in:
Username: ad mi n
Password: Specified in the User D ata field here: Section 25.2.2.2.1, Launch a Nonclustered JBoss EAP 6 Instance .
6. T est t h e Samp le Ap p licat io n
Navigate to http: //<public-DNS>: 80 80 /hel l o to test that the sample application is
running successfully. The text Hel l o Wo rl d ! should appear in the browser. If the text is
not visible, refer here: Section 25.5.1, About Troubleshooting Amazon EC2 .
7. Log out of the JBoss EAP 6 Admin Console.
R esu lt
The JBoss EAP 6 instance is running correctly.
Report a bug
618
EC2 .
619
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
5. Fo r Pro d u ct io n In st an ces
For a production instance, add the following line beneath the USER _SC R IP T line of the User
D ata field, to ensure security updates are applied on boot.
yum -y update
Note
yum -y upd ate should be run regularly, to apply security fixes and enhancements.
6. Launch the Red Hat AMI instance.
R esu lt
A non-clustered JBoss EAP 6 managed domain has been configured, and launched on a Red Hat
AMI.
Report a bug
25.2.2.3.2. Lau n ch O n e o r Mo re In st an ces t o Serve as H o st C o n t ro llers
Su mmary
This topic covers the steps required to launch one or more instances of JBoss EAP 6 to serve as
non-clustered host controllers on a Red Hat AMI (Amazon Machine Image).
Prereq u isit es
Configure and launch the non-clustered domain controller. Refer to Section 25.2.2.3.1, Launch
an Instance to Serve as a D omain Controller .
Section 25.2.3.8, Configure IAM Setup
Section 25.2.3.10, Configure S3 Bucket Setup
Pro ced u re 25.4 . Lau n ch H o st C o n t ro llers
620
For each instance you would like to create, repeat the following steps:
1. Select an AMI.
2. D efine the desired number of instances (the number of slave host controllers).
3. Select the VPC and instance type.
4. Click on Security Group.
5. Ensure that all traffic from the JBoss EAP 6 subnet is allowed.
6. D efine other restrictions as desired.
7. Add the following into the User D ata field:
## mod cluster proxy addresses
MOD_CLUSTER_PROXY_LIST=10.0.0.4:7654
## host controller setup
### static domain controller discovery setup
JBOSS_DOMAIN_MASTER_ADDRESS=10.0.0.5
### S3 domain controller discovery setup
# JBOSS_DOMAIN_S3_SECRET_ACCESS_KEY=<your secret key>
# JBOSS_DOMAIN_S3_ACCESS_KEY=<your access key>
# JBOSS_DOMAIN_S3_BUCKET=<your bucket name>
JBOSS_HOST_PASSWORD=<password for slave host controllers>
## subnet prefix this machine is connected to
SUBNET=10.0.1.
#### to run the example no modifications below should be needed
####
JBOSS_HOST_USERNAME=admin
PORTS_ALLOWED="1024:65535"
JBOSS_IP=`hostname | sed -e 's/ip-//' -e 'y/-/./'` #listen on
public/private EC2 IP address
cat > $USER_SCRIPT << "EOF"
## Server instance configuration
sed -i "s/other-server-group/main-server-group/"
$JBOSS_CONFIG_DIR/$JBOSS_HOST_CONFIG
## this will workaround the problem that in a VPC, instance
hostnames are not resolvable
echo -e "127.0.0.1\tlocalhost.localdomain localhost" > /etc/hosts
echo -e "::1\tlocalhost6.localdomain6 localhost6" >> /etc/hosts
for (( i=1 ; i<255 ; i++ )); do
echo -e "$SUBNET$i\tip-${SUBNET//./-}$i" ;
done >> /etc/hosts
EOF
For further information on domain controller discovery on Amazon EC2, see
Section 25.2.2.3.4, Configuring D omain Controller D iscovery and Failover on Amazon
EC2 .
621
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
8. Fo r Pro d u ct io n In st an ces
For a production instance, add the following line beneath the USER _SC R IP T line of the User
D ata field, to ensure security updates are applied on boot.
yum -y update
Note
yum -y upd ate should be run regularly, to apply security fixes and enhancements.
9. Launch the Red Hat AMI instance.
R esu lt
The JBoss EAP 6 non-clustered host controllers are configured and launched on a Red Hat AMI.
Report a bug
25.2.2.3.3. T est t h e N o n - C lu st ered JB o ss EAP 6 Man ag ed D o main
Su mmary
This topic covers the steps required to test the non-clustered JBoss EAP 6 managed domain on a
Red Hat AMI (Amazon Machine Image).
To test the managed domain you must know the elastic IP addresses of both the Apache HTTP server
and JBoss EAP 6 domain controller.
Prereq u isit es
Configure and launch the domain controller. See Section 25.2.2.3.1, Launch an Instance to
Serve as a D omain Controller .
Configure and launch the host controllers. See Section 25.2.2.3.2, Launch One or More
Instances to Serve as Host Controllers .
Pro ced u re 25.5. T est t h e Web Server
Navigate to http: //ELAST IC _IP _O F_AP AC HE_HT T P D in a browser to confirm the web server
is running successfully.
Pro ced u re 25.6 . T est t h e D o main C o n t ro ller
1. Navigate to http: //ELAST IC _IP _O F_D O MAIN_C O NT R O LLER : 9 9 9 0 /co nso l e
2. Log in using the username of ad mi n and the password specified in the User D ata field for the
domain controller and the admin console landing page for a managed domain should
appear
(http: //ELAST IC _IP _O F_D O MAIN_C O NT R O LLER : 9 9 9 0 /co nso l e/App. html #server
-i nstances).
3. Click the Server label at the top right side of the screen, and select any of the host controllers
in the Ho st dropdown menu at the top left side of the screen.
622
4. Verify that each host controller has two server configurations called server-o ne and
server-two and that they both belong to the mai n-server-g ro up.
5. Log out of the JBoss EAP 6 Admin Console.
Pro ced u re 25.7. T est t h e H o st C o n t ro llers
1. Navigate to http: //ELASTIC_IP_OF_APACHE_HTTPD/hel l o to test that the sample
application is running successfully. The text Hel l o Wo rl d ! should appear in the browser.
If the text is not visible, refer here: Section 18.5.1, " About Troubleshooting Amazon EC2" .
2. Connect to the Apache HTTP server instance:
$ ssh -L7654:localhost:7654 ELASTIC_IP_OF_APACHE_HTTPD
3. Navigate to http: //l o cal ho st: 76 54 /mo d _cl uster-manag er to confirm all instances
are running correctly.
R esu lt
The JBoss EAP 6 web server, domain controller, and host controllers are running correctly on a Red
Hat AMI.
Report a bug
25.2.2.3.4 . C o n f ig u rin g D o main C o n t ro ller D isco very an d Failo ver o n Amaz o n EC 2
For a managed domain running on Amazon EC2, in addition to static domain controller discovery,
host controllers can dynamically discover a domain controller using the Amazon S3 storage system.
In particular, host controllers and the domain controller can be configured with information needed
to access an Amazon S3 bucket.
Using this configuration, when a domain controller is started, it writes its contact information to an S3
file in the bucket. Whenever a host controller attempts to contact the domain controller, it gets the
domain controller's contact information from the S3 file.
This means that if the domain controller's contact information changes (for example, it is common for
an EC2 instance's IP address to change when it is stopped and started), the host controllers do not
need to be reconfigured. The host controllers are able to get the domain controller's new contact
information from the S3 file.
You can automatically enable domain controller discovery by passing the
JBOSS_DOMAIN_S3_ACCESS_KEY, JBOSS_DOMAIN_S3_SECRET_ACCESS_KEY, and
JBOSS_DOMAIN_S3_BUCKET parameters to the JBoss EAP 6 instance when launching it. See
Section 25.4.1, Permanent Configuration Parameters for configurable parameters. Alternatively,
you can manually configure domain discovery using the following configuration.
The manual domain controller discovery configuration is specified using the following properties:
access- key
The Amazon AWS user account access key.
secret - access- key
The Amazon AWS user account secret access key.
lo cat io n
623
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
<discovery-options>
<discovery-option name="s3-discovery"
code="org.jboss.as.host.controller.discovery.S3Discovery"
module="org.jboss.as.host-controller">
<property name="secret-access-key"
value="S3_SECRET_ACCESS_KEY"/>
</discovery-option>
</discovery-options>
</remote>
< /domain-controller>
<discovery-options>
<discovery-option name="s3-discovery"
code="org.jboss.as.host.controller.discovery.S3Discovery"
module="org.jboss.as.host-controller">
<property name="secret-access-key"
value="S3_SECRET_ACCESS_KEY"/>
</discovery-option>
</discovery-options>
</local>
< /domain-controller>
Report a bug
624
The JBoss EAP 6 AMIs include two configuration files for use in clustered instances, stand al o neec2-ha. xml and stand al o ne-mo d _cl uster-ec2-ha. xml . Each of these configuration files
provides clustering without the use of multicast because Amazon EC2 does not support multicast.
This is done by using TCP unicast for cluster communications and S3_PING as the discovery
protocol. The stand al o ne-mo d _cl uster-ec2-ha. xml configuration also provides easy
registration with mod_cluster proxies.
Similarly, the d o mai n-ec2. xml configuration file provides two profiles for use in clustered
managed domains: ec2-ha, and mod_cluster-ec2-ha.
Report a bug
2 5 .2 .3.2 . Cre at e a Re lat io nal Dat abase Se rvice Dat abase Inst ance
Su mmary
This topic covers the steps to create a relational database service database instance, using MySQL
as an example.
Warning
It is highly recommended that the back-up and maintenance features remain enabled for
production environments.
Important
It is good practice to create separate user/password pairs for each application accessing the
database. Tune other configuration options according to your application's requirements.
625
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
R esu lt
The database is created. It will initialize and be ready for use after a few minutes.
Report a bug
Important
VPC is recommended for a JBoss EAP 6 cluster setup as it greatly simplifies secure
communication between cluster nodes, a JON Server and the mod_cluster proxy. Without a
VPC, these communication channels need to be encrypted and authenticated.
For detailed instructions on configuring SSL, refer here: Section 11.12.1, Implement SSL
Encryption for the JBoss EAP 6 Web Server .
626
b. Create an ACL to allow all traffic out and traffic in on only TCP ports 22, 80 0 9 , 80 80 ,
84 4 3, 9 4 4 3, 9 9 9 0 and 16 16 3.
R esu lt
The Virtual Private Cloud has been successfully created.
Report a bug
627
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
`hostname`"
628
7. D isable the Amazon EC2 cloud source/destination checking for this instance so it can act as
a router.
a. Right-click on the running Apache HTTP server instance and choose " C hang e
So urce/D est check" .
b. Click on Y es, D i sabl e.
8. Assign the elastic IP to this instance.
R esu lt
The Apache HTTP server instance has been launched successfully.
Report a bug
629
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Su mmary
This topic covers the configuration steps required for setting up IAM for clustered JBoss EAP 6
instances. The S3_PING protocol uses an S3 bucket to discover other cluster members. JG ro u p s
version 3.0.x requires Amazon AWS account access and secret keys to authenticate against the S3
service.
Because S3 domain controller discovery makes use of an S3 bucket, it requires Amazon AWS
account access and secret keys to authenticate against the S3 service (similar to the S3_PING
protocol used by JGroups). The IAM user and S3 bucket used for S3 discovery must be different from
the IAM user and S3 bucket used for clustering.
It is a security risk to enter your main account credentials in the user-data field, store them online or
in an AMI. To circumvent this, a separate account can be created using the Amazon IAM feature
which would be only granted access to a single S3 bucket.
Pro ced u re 25.11. C o n f ig u re IAM Set u p
1. Go to the IAM tab in the AWS console.
2. Click on users.
3. Select C reate New Users.
4. Choose a name, and ensure the G enerate an access key fo r each User option is
checked.
5. Select D o wnl o ad cred enti al s, and save them in a secure location.
6. Close the window.
7. Click on the newly created user.
8. Make note of the User AR M value. This value is required to set up the S3 bucket, documented
here: Section 25.2.3.10, Configure S3 Bucket Setup .
R esu lt
The IAM user account has been successfully created.
Report a bug
630
Note
Bucket names are unique across the entire S3. Names cannot be reused.
4. Right click on the new bucket and select P ro perti es.
5. Click Ad d bucket po l i cy in the permissions tab.
6. Click New po l i cy to open the policy creation wizard.
a. Copy the following content into the new policy, replacing
arn: aws: i am: : 0 5555555555: user/jbo sscl uster* with the value defined
here: Section 25.2.3.8, Configure IAM Setup . Change both instances of
cl usterbucket123 to the name of the bucket defined in step 3 of this procedure.
{
"Version": "2008-10-17",
"Id": "Policy1312228794320",
"Statement": [
{
"Sid": "Stmt1312228781799",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::055555555555:user/jbosscluster"
]
},
"Action": [
"s3:ListBucketVersions",
"s3:GetObjectVersion",
"s3:ListBucket",
"s3:PutBucketVersioning",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetBucketVersioning"
],
"Resource": [
"arn:aws:s3:::clusterbucket123/*",
"arn:aws:s3:::clusterbucket123"
631
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
]
}
]
}
R esu lt
A new S3 bucket has been created, and configured successfully.
Report a bug
Warning
Running a JBoss EAP 6 cluster in a subnet with network mask smaller than 24 bits or
spanning multiple subnets complicates acquiring a unique server peer ID for each cluster
member.
Refer to the JBOSS_CLUSTER_ID variable for information on how to make such a
configuration work reliably: Section 25.4.1, Permanent Configuration Parameters .
632
Important
The auto-scaling Amazon EC2 feature can be used with JBoss EAP 6 cluster nodes. However,
ensure it is tested b ef o re deployment. You should ensure that your particular workloads
scale to the desired number of nodes, and that the performance meets your needs for the
instance type you are planning to use (different instance types receive a different share of the
EC2 cloud resources).
Furthermore, instance locality and current network/storage/host machine/RD S utilization can
affect performance of a cluster. Test with your expected real-life loads and try to account for
unexpected conditions.
Down-scaling a cluster
The Amazon EC2 scale-down action terminates the nodes without any chance to gracefully
shut down, and, as some transactions might be interrupted, other cluster nodes (and load
balancers) will need time to fail over. This is likely to impact your application users'
experience.
It is recommended that you either scale down the application cluster manually by disabling the
server from the mod_cluster management interface until processed sessions are completed, or
shut down the JBoss EAP 6 instance gracefully (SSH access to the instance or JON can be
used).
Test that your chosen procedure for scaling-down does not lead to adverse effects on your
users' experience. Additional measures might be required for particular workloads, load
balancers and setups.
633
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
634
R esu lt
The clustered JBoss EAP 6 AMIs have been configured and launched successfully.
Report a bug
25.2.3.11.2. T est t h e C lu st ered JB o ss EAP 6 In st an ce
Su mmary
This topic covers the steps to confirm that the clustered JBoss EAP 6 instances are running correctly.
Pro ced u re 25.14 . T est in g t h e C lu st ered In st an ce
1. Navigate to http://ELASTIC_IP_OF_APACHE_HTTPD in a browser to confirm the web server is
running successfully.
2. T est t h e C lu st ered N o d es
a. Navigate to http://ELASTIC_IP_OF_APACHE_HTTPD /cluster-demo/put.jsp in a
browser.
b. Verify that one of the cluster nodes logs the following message:
Putting date now
c. Stop the cluster node that logged the message in the previous step.
d. Navigate to http://ELASTIC_IP_OF_APACHE_HTTPD /cluster-demo/get.jsp in a
browser.
e. Verify that the time shown is the same as the time that was PUT using put. jsp in
Step 2-a.
f. Verify that one of the running cluster nodes logs the following message:
Getting date now
635
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
636
637
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
user-name="${db.user}" --password="${db.passwd}"
/profile=mod_cluster-ec2-ha/subsystem=datasources/datasource=ExampleDS:enable
EOC
## this will workaround the problem that in a VPC, instance
hostnames are not resolvable
echo -e "127.0.0.1\tlocalhost.localdomain localhost" > /etc/hosts
echo -e "::1\tlocalhost6.localdomain6 localhost6" >> /etc/hosts
for (( i=1 ; i<255 ; i++ )); do
echo -e "$SUBNET$i\tip-${SUBNET//./-}$i" ;
done >> /etc/hosts
EOF
7. Fo r Pro d u ct io n In st an ces
For a production instance, add the following line beneath the USER _SC R IP T line of the User
D ata field, to ensure security updates are applied on boot.
yum -y update
Note
yum -y upd ate should be run regularly, to apply security fixes and enhancements.
8. Launch the Red Hat AMI instance.
R esu lt
A clustered JBoss EAP 6 managed domain is configured and launched on a Red Hat AMI.
Report a bug
25.2.3.12.2. Lau n ch O n e o r Mo re In st an ces t o Serve as C lu st er H o st C o n t ro llers
Su mmary
This topic covers the steps required to launch one or more instances of JBoss EAP 6 to serve as
cluster host controllers on a Red Hat AMI (Amazon Machine Image).
Prereq u isit es
Configure and launch the cluster domain controller. Refer to Section 25.2.3.12.1, Launch an
Instance to Serve as a Cluster D omain Controller .
Section 25.2.3.8, Configure IAM Setup
Section 25.2.3.10, Configure S3 Bucket Setup
Pro ced u re 25.16 . Lau n ch H o st C o n t ro llers
For each instance you would like to create, repeat the following steps:
638
1. Select an AMI.
2. D efine the desired number of instances (the number of slave host controllers).
3. Select the VPC and instance type.
4. Click on Security Group.
5. Ensure that all traffic from the JBoss EAP 6 cluster subnet is allowed.
6. D efine other restrictions as desired.
7. Add the following into the User D ata field:
## mod cluster proxy addresses
MOD_CLUSTER_PROXY_LIST=10.0.0.4:7654
## clustering setup
JBOSS_JGROUPS_S3_PING_SECRET_ACCESS_KEY=<your secret key>
JBOSS_JGROUPS_S3_PING_ACCESS_KEY=<your access key>
JBOSS_JGROUPS_S3_PING_BUCKET=<your bucket name>
## host controller setup
### static domain controller discovery setup
JBOSS_DOMAIN_MASTER_ADDRESS=10.0.0.5
### S3 domain controller discovery setup
# JBOSS_DOMAIN_S3_SECRET_ACCESS_KEY=<your secret key>
# JBOSS_DOMAIN_S3_ACCESS_KEY=<your access key>
# JBOSS_DOMAIN_S3_BUCKET=<your bucket name>
JBOSS_HOST_PASSWORD=<password for slave host controllers>
## database credentials configuration
JAVA_OPTS="$JAVA_OPTS Ddb.host=instancename.something.rds.amazonaws.com Ddb.database=mydatabase -Ddb.user=<user> -Ddb.passwd=<pass>"
## subnet prefix this machine is connected to
SUBNET=10.0.1.
#### to run the example no modifications below should be needed
####
JBOSS_HOST_USERNAME=admin
PORTS_ALLOWED="1024:65535"
JBOSS_IP=`hostname | sed -e 's/ip-//' -e 'y/-/./'` #listen on
public/private EC2 IP address
cat > $USER_SCRIPT << "EOF"
## Server instance configuration
sed -i "s/main-server-group/other-server-group/"
$JBOSS_CONFIG_DIR/$JBOSS_HOST_CONFIG
## install the JDBC driver as a core module
yum -y install mysql-connector-java
mkdir -p /usr/share/jbossas/modules/com/mysql/main
cp -v /usr/share/java/mysql-connector-java-*.jar
/usr/share/jbossas/modules/com/mysql/main/mysql-connector-java.jar
639
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Note
yum -y upd ate should be run regularly, to apply security fixes and enhancements.
9. Launch the Red Hat AMI instance.
R esu lt
The JBoss EAP 6 cluster host controllers are configured and launched on a Red Hat AMI.
Report a bug
25.2.3.12.3. T est t h e C lu st ered JB o ss EAP 6 Man ag ed D o main
Su mmary
This topic covers the steps required to test the clustered JBoss EAP 6 managed domain on a Red Hat
AMI (Amazon Machine Image).
To test the Managed D omain you must know the elastic IP addresses of both the Apache HTTP
server and JBoss EAP 6 D omain Controller.
Prereq u isit es
64 0
Configure and launch the cluster domain controller. See Section 25.2.3.12.1, Launch an
Instance to Serve as a Cluster D omain Controller .
Configure and launch the cluster host controllers. See Section 25.2.3.12.2, Launch One or More
Instances to Serve as Cluster Host Controllers .
Pro ced u re 25.17. T est t h e Ap ach e H T T P server in st an ce
Navigate to http: //ELASTIC_IP_OF_APACHE_HTTP_SERVER in a browser to confirm the web
server is running successfully.
Pro ced u re 25.18. T est t h e D o main C o n t ro ller
1. Navigate to http: //ELASTIC_IP_OF_DOMAIN_CONTROLLER: 9 9 9 0 /co nso l e
2. Log in using the username ad mi n and the password specified in the User D ata field for the
domain controller. Once logged in, the administration console landing page for a managed
domain should appear
(http: //ELASTIC_IP_OF_DOMAIN_CONTROLLER: 9 9 9 0 /co nso l e/App. html #serveri nstances).
3. Click the Server label at the top right side of the screen. Select any of the host controllers in
the Ho st dropdown menu at the top left side of the screen.
4. Verify that this host controller has two server configurations called server-o ne and
server-two and verify that they both belong to the o ther-server-g ro up.
Pro ced u re 25.19 . T est t h e H o st C o n t ro llers
1. Navigate to http: //ELASTIC_IP_OF_APACHE_HTTP_SERVER/cl uster-d emo /put. jsp
in a browser.
2. Verify that one of the host controllers logs the following message: P utti ng d ate no w.
3. Stop the server instance that logged the message in the previous step (see Stop a Server Using
the Management Console).
4. Navigate to http: //ELASTIC_IP_OF_APACHE_HTTP_SERVER/cl uster-d emo /g et. jsp
in a browser.
5. Verify that the time shown is the same as the time that was P UT using put. jsp in Step 2.
6. Verify that one of the running server instances logs the following message: G etti ng d ate
no w.
7. Restart the stopped server instance (see Section 2.8.3, Start a Server Using the Management
Console)
8. Connect to the Apache HTTP server instance.
$ ssh -L7654:localhost:7654 ELASTIC_IP_OF_APACHE_HTTP_SERVER
9. Navigate to http: //l o cal ho st: 76 54 /mo d _cl uster-manag er to confirm all instances
are running correctly.
R esu lt
The JBoss EAP 6 web server, domain controller, and host controllers are running correctly on a Red
Hat AMI.
64 1
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Report a bug
25.3. Est ablishing Monit oring wit h JBoss Operat ions Net work (JON)
25.3.1. About AMI Monit oring
With your business application deployed to a correctly-configured AMI instance, the next step is to
establish monitoring of the platform with JBoss Operations Network (JON).
The JON server is commonly located inside a corporate network, so it's necessary to establish a
secure connection between the server and each of its agents. Establishing a VPN between the two
points is the most common solution but this complicates the required networking configuration. This
chapter provides network configuration guidelines for enabling communication between the JON
agent and JON server. For more extensive information on configuration, management, and usage
please refer to the official Red Hat documentation for JBoss Operations Network (JON).
64 2
If there are multiple clustered JON servers, make sure each agent can communicate with all servers in
the JON cluster via the IP and hostname pairs as configured through the JON server administration
console. The JON server used by the agent to register may not be the server it tries to use after
initialization.
Report a bug
64 3
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
If an Amazon EC2 instance will access a small subset of corporate private network addresses (for
example only JON servers), only these addresses should be routed through the VPN. This
increases security and lowers the chance of Amazon EC2 or private network address space
collisions.
Report a bug
25.3.6. About T erminat ing and Rest art ing wit h JON
One of the benefits of a cloud environment is the ease by which you can terminate and launch a
machine instance. You can also launch an instance identical to the initial one. This may cause
issues if the new instance tries to register with JON servers using the same agent name as the
previously running agent. If this happens the JON server will not allow an agent to reconnect with a
missing or non-matching identification token.
To avoid this, ensure that terminated agents are removed from the JON inventory before trying to
connect an agent with the same name or specify the correct identification token when starting new
agent.
Another issue that you might encounter is when an agent machine is assigned a new VPN IP address
that no longer matches the address recorded in the JON configuration. An example might include a
machine that is restarted or where a VPN connection is terminated. In this case, it is recommended
that you bind the JON agent's life cycle to the VPN connection's life cycle. If the connection drops,
you can stop the agent. When the connection is restored again, update JO N_AG ENT _AD D R in
/etc/sysco nfi g /jo n-ag ent-ec2 to reflect the new IP address and restart the agent.
Information on how to change the agent's IP address can be found in the Configuring JON Servers
and Agents Guide available at
https://access.redhat.com/site/documentation/JBoss_Operations_Network/.
If there are a high number of instances launched and/or terminated it can become impractical to add
and remove them manually from the JON inventory. JON's scripting capabilities can be used for
automate these steps. Refer to the JON documentation for further information.
Report a bug
25.3.7. Configure an Inst ance t o Regist er wit h JBoss Operat ions Net work
Use the following procedure to register a JBoss EAP 6 instance with JBoss Operations Network.
For JBoss EAP 6, add this to the User D ata field.
JON_SERVER_ADDR=jon2.it.example.com
## if instance not already configured to resolve its hostname
JON_AGENT_ADDR=`ip addr show dev eth0 primary to 0/0 | sed -n
's#.*inet \([0-9.]\+\)/.*#\1#p'`
PORTS_ALLOWED=16163
# insert other JON options when necessary.
See Section 25.4.1, Permanent Configuration Parameters , parameters starting with JON_ for the
format of JON options.
Report a bug
D escrip t io n
D ef au lt
JBOSS_JGROUPS_S3_PING_
ACCESS_KEY
N/A
JBOSS_JGROUPS_S3_PING_
SECRET_ACCESS_KEY
JBOSS_JGROUPS_S3_PING_
BUCKET
JBOSS_CLUSTER_ID
N/A
N/A
Last octet of eth0's IP address
PORTS_ALLOWED
JBOSSAS_AD MIN_PASSWOR
D
JON_SERVER_AD D R
Comma-delimited list of
IPs/hostnames of mod_cluster
proxies if mod_cluster is to be
used.
List of incoming ports to be
allowed by firewall in addition
to the default ones.
Password for the ad mi n user.
N/A
N/A
N/A
N/A
64 5
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
N ame
D escrip t io n
D ef au lt
JON_SERVER_PORT
7080
JON_AGENT_NAME
JON_AGENT_PORT
JON_AGENT_AD D R
JON_AGENT_OPTS
JBOSS_SERVER_CONFIG
JBOSS_IP
JBOSSCONF
JBOSS_D OMAIN_CONTROLLE
R
JBOSS_D OMAIN_MASTER_AD
D RESS
JBOSS_HOST_NAME
64 6
Instance's ID
16163
JON agent chooses the IP of
local hostname by default.
N/A
fal se
N/A
The value of the HOSTNAME
environment variable.
N ame
D escrip t io n
D ef au lt
JBOSS_HOST_USERNAME
JBOSS_HOST_NAME
JBOSS_HOST_PASSWORD
JBOSS_HOST_CONFIG
JBOSS_D OMAIN_S3_ACCESS
_KEY
JBOSS_D OMAIN_S3_SECRET
_ACCESS_KEY
JBOSS_D OMAIN_S3_BUCKET
N/A
N/A
N/A
N/A
Report a bug
D escrip t io n
JBOSS_D EPLOY_D IR
JBOSS_CONFIG_D IR
JBOSS_HOST_CONFIG
JBOSS_SERVER_CONFIG
64 7
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
N ame
D escrip t io n
USER_SCRIPT
USER_CLI_COMMAND S
Report a bug
64 8
Supplemental References
A.1. Download Files from t he Red Hat Cust omer Port al
Prereq u isit es
Before you begin this task, you need a Customer Portal account. Browse to
https://access.redhat.com and click the R eg i ster link in the upper right corner to create an
account.
Pro ced u re A.1. Lo g in an d D o wn lo ad Files f ro m t h e R ed H at C u st o mer Po rt al
1. Browse to https://access.redhat.com and click the Lo g i n link in the top right corner. Enter
your credentials and click Lo g In.
R esu lt
You are logged into RHN and you are returned to the main web page at
https://access.redhat.com.
2. N avig at e t o t h e D o wnl o ad s p ag e.
Use one of the following options to navigate to the D o wnl o ad s page.
A. Click the D o wnl o ad s link in the top navigation bar.
B. Navigate directly to https://access.redhat.com/downloads/.
3. Select t h e p ro d u ct an d versio n t o d o wn lo ad .
Use one of the following ways to choose the correct product and version to download.
A. Step through the navigation one level at a time.
B. Search for your product using the search area at the top right-hand side of the screen.
4. D o wn lo ad t h e ap p ro p riat e f ile f o r yo u r o p erat in g syst em an d in st allat io n met h o d
o f ch o ice.
D epending on the product you choose, you may have the choice of a Z ip archive, RPM, or
native installer for a specific operating system and architecture. Click either the file name or
the D o wnl o ad link to the right of the file you want to download.
R esu lt
The file is downloaded to your computer.
Report a bug
64 9
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Important
This task only applies to Red Hat Enterprise Linux.
Note
It may not be necessary to do this step. Red Hat Enterprise Linux uses OpenJD K 1.6 as the
default option. If this is what you want, and your system is working properly, you do not need
to manually specify which JD K to use.
Prereq u isit es
In order to complete this task, you need to have superuser access, either through direct login or
by means of the sud o command.
Pro ced u re A.2. C o n f ig u re t h e D ef au lt JD K
1. D et ermin e t h e p at h s f o r yo u r p ref erred java an d javac b in aries.
You can use the command rpm -q l packagename | g rep bin to find the locations of
binaries installed from RPMs. The default locations of the java and javac binaries on Red
Hat Enterprise Linux 32-bit systems are as follows.
T ab le A.1. D ef au lt lo cat io n s f o r java an d javac b in aries
JD K
Pat h
OpenJD K 1.6
Oracle JD K 1.6
650
Supplement al References
R esu lt :
The alternative JD K is selected and active.
Report a bug
651
JBoss Ent erprise Applicat ion Plat form 6 .3 Administ rat ion and Configurat ion G uide
Revision History
R evisio n 6 .3.0- 51
T u esd ay N o vemb er 18 2014 R u ssell D icken so n
Red Hat JBoss Enterprise Application Platform 6.3.0 Continuous Release
R evisio n 6 .3.0- 38
Mo n d ay Au g u st 4 2014
Red Hat JBoss Enterprise Application Platform 6.3.0.GA
652
San d e G ild a