JBoss - JBoss EAP 6 Administration and Configuration Guide
JBoss - JBoss EAP 6 Administration and Configuration Guide
JBoss - JBoss EAP 6 Administration and Configuration Guide
Edition 2
Sande Gilda Eamon Logue Darrin Mison David Ryan Misty Stanley-Jones Keerat Verma T om Wells
Legal Notice
Legal Notice
Copyright 2012 Red Hat, Inc.. T he text of and illustrations in this document are licensed by Red Hat under a Creative Commons AttributionShare Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux is the registered trademark of Linus T orvalds in the United States and other countries. Java is a registered trademark of Oracle and/or its affiliates. XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL is a registered trademark of MySQL AB in the United States, the European Union and other countries. All other trademarks are the property of their respective owners.
Abstract
T his book is a guide to the administration and configuration of JBoss Enterprise Application Platform 6 and its patch releases.
Table of Contents
Table of Contents
Preface 1. Document Conventions 1.1. T ypographic Conventions 1.2. Pull-quote Conventions 1.3. Notes and Warnings 2. Getting Help and Giving Feedback 2.1. Do You Need Help? 2.2. Give us Feedback 1. Introduction to Administering the JBoss Enterprise Application Platform 1.1. Introducing JBoss Enterprise Application Platform 6 1.2. New and Changed Features in JBoss Enterprise Application Platform 6 2. Application Server Management 2.1. Manage the Application Server 2.2. Installation Structure and Details 2.3. JBoss Enterprise Application Platform 6 Profiles 2.4. About JBoss Enterprise Application Platform 6 Configuration Files 2.5. Management APIs 2.5.1. Management Application Programming Interfaces (APIs) 2.6. Start JBoss Enterprise Application Platform 6 2.6.1. Start JBoss Enterprise Application Platform 6 2.6.2. Start JBoss Enterprise Application Platform 6 as a Standalone Server 2.6.3. Start JBoss Enterprise Application Platform 6 as a Managed Domain 2.6.4. Start JBoss Enterprise Application Platform 6 with an Alternative Configuration 2.6.5. Stop JBoss Enterprise Application Platform 6 2.6.6. Reference of Switches and Arguments to pass at Server Runtime 2.7. Run JBoss Enterprise Application Platform 6 as a Service 2.7.1. Run JBoss Enterprise Application Platform 6 as an Operating System Service 2.7.2. Install JBoss Enterprise Application Platform as a Service in Red Hat Enterprise Linux 2.7.3. Install JBoss Enterprise Application Platform 6 as a Service in Microsoft Windows 2.8. Start and Stop Servers 2.8.1. Start and Stop Servers 2.8.2. Start a Server Using the Management Console 2.8.3. Stop a Server Using the Management Console 2.9. Filesystem Paths 2.9.1. Filesystem Paths 2.10. Configuration File History 2.10.1. Configuration File History 2.10.2. Start the Server with a Previous Configuration 2.10.3. Save a Configuration Snapshot Using the Management CLI 2.10.4. Load a Configuration Snapshot 2.10.5. Delete a Configuration Snapshot Using Management CLI 2.10.6. List All Configuration Snapshots Using Management CLI 3. Management Interfaces 3.1. About the Management Console and Management CLI 3.2. T he Management Console 3.2.1. Management Console 3.2.2. Log in to the Management Console 3.2.3. Change the Language of the Management Console 3.2.4. Configure a Server Using the Management Console 3.2.5. Add a Deployment in the Management Console 3.2.6. Create a New Server in the Management Console 3.2.7. Change the Default Log Levels Using the Management Console 3.2.8. Create a New Server Group in the Management Console 3.3. T he Management CLI 3.3.1. About the Management Command Line Interface (CLI) 3.3.2. Launch the Management CLI 3.3.3. Quit the Management CLI 3.3.4. Connect to a Managed Server Instance Using the Management CLI 3.3.5. Get Help with the Management CLI
Table of Contents
6.5.1. About Datasource Security 6.6. Datasource Configuration 6.6.1. Datasource Parameters 6.6.2. Datasource Connection URLs 6.6.3. Datasource Extensions 6.7. Example Datasources 6.7.1. Example PostgreSQL Datasource 6.7.2. Example PostgreSQL XA Datasource 6.7.3. Example MySQL Datasource 6.7.4. Example MySQL XA Datasource 6.7.5. Example Oracle Datasource 6.7.6. Example Oracle XA Datsource 6.7.7. Example Microsoft SQLServer Datasource 6.7.8. Example Microsoft SQLServer XA Datasource 6.7.9. Example IBM DB2 Datasource 6.7.10. Example IBM DB2 XA Datasource 6.7.11. Example Sybase Datasource 6.7.12. Example Sybase XA Datasource
7. Configuring Modules 7.1. Introduction 7.1.1. Modules 7.1.2. Global Modules 7.1.3. Module Dependencies 7.1.4. Subdeployment Class Loader Isolation 7.2. Disable Sub-Deployment Module Isolation for All Deployments 7.3. Add a module to all deployments 7.4. Reference 7.4.1. Included Modules 7.4.2. Dynamic Module Naming 8. Application Deployment 8.1. About Application Deployment 8.2. Deploy with the Management Console 8.2.1. Manage Application Deployment in the Management Console 8.2.2. Deploy an Application Using the Management Console 8.2.3. Undeploy an Application Using the Management Console 8.3. Deploy with the Management CLI 8.3.1. Manage Application Deployment in the Management CLI 8.3.2. Deploy an Application in a Managed Domain Using the Management CLI 8.3.3. Undeploy an Application in a Managed Domain Using the Management CLI 8.3.4. Deploy an Application in a Standalone Server Using the Management CLI 8.3.5. Undeploy an Application in a Standalone Server Using the Management CLI 8.4. Deploy with the Deployment Scanner 8.4.1. Manage Application Deployment in the Deployment Scanner 8.4.2. Deploy an Application to a Standalone Server Instance with the Deployment Scanner 8.4.3. Undeploy an Application to a Standalone Server Instance with the Deployment Scanner 8.4.4. Redeploy an Application to a Standalone Server Instance with the Deployment Scanner 8.4.5. Reference for Deployment Scanner Marker Files 8.4.6. Reference for Deployment Scanner Attributes 8.4.7. Configure the Deployment Scanner 8.4.8. Configure the Deployment Scanner with the Management CLI 8.5. Deploy with Maven 8.5.1. Manage Application Deployment with Maven 8.5.2. Deploy an Application with Maven 8.5.3. Undeploy an Application with Maven 9. Securing JBoss Enterprise Application Platform 9.1. About the Security Subsystem 9.2. About the Structure of the Security Subsystem 9.3. Configure the Security Subsystem 9.4. About Deep Copy Subject Mode 9.5. Enable Deep Copy Subject Mode 9.6. Security Domains 9.6.1. About Security Domains 9.6.2. About Picketbox
Table of Contents
11.3.3. Configure a Console Log Handler in the CLI 11.3.4. Configure a File Log Handler in the CLI 11.3.5. Configure a Periodic Log Handler in the CLI 11.3.6. Configure a Size Log Handler in the CLI 11.3.7. Configure a Async Log Handler in the CLI 11.4. Logging Configuration Properties 11.4.1. Root Logger Properties 11.4.2. Log Category Properties 11.4.3. Console Log Handler Properties 11.4.4. File Log Handler Properties 11.4.5. Periodic Log Handler Properties 11.4.6. Size Log Handler Properties 11.4.7. Async Log Handler Properties 11.5. Sample XML Configuration for Logging 11.5.1. Sample XML Configuration for the Root Logger 11.5.2. Sample XML Configuration for a Log Category 11.5.3. Sample XML Configuration for a Console Log Handler 11.5.4. Sample XML Configuration for a File Log Handler 11.5.5. Sample XML Configuration for a Periodic Log Handler 11.5.6. Sample XML Configuration for a Size Log Handler 11.5.7. Sample XML Configuration for a Async Log Handler
12. JVM 12.1. About JVM 12.1.1. About JVM Settings 12.1.2. Display the JVM Status in the Management Console 13. HT T P Clustering and Load Balancing 13.1. Introduction 13.1.1. About High-Availability and Load Balancing Clusters 13.1.2. Components Which Can Benefit from High Availability 13.1.3. Overview of HT T P Connectors 13.1.4. Worker Node 13.2. General Configuration 13.2.1. Subsystem Configuration Overview 13.2.2. Configure the Web Subsystem 13.2.3. Implement SSL Encryption for the JBoss Enterprise Application Platform Web Server 13.2.4. Generate a SSL Encryption Key and Certificate 13.2.5. SSL Connector Reference 13.2.6. About Web Service Endpoints 13.2.7. Replace the Default Welcome Web Application 13.2.8. About the Stand-Alone HT T PD 13.2.9. Install the Apache HT T PD included with JBoss Enterprise Application Platform 6 13.2.10. Use an External HT T PD as the Web Front-end for JBoss Enterprise Application Platform Applications 13.2.11. Configure the JBoss Enterprise Application Platform to Accept Requests From an External HT T PD 13.2.12. Use T CP Communication for the Clustering Subsystem 13.2.13. Configure the JGroups Subsystem to Use T CP 13.2.14. Configure the mod_cluster Subsystem to Use T CP 13.3. Web, HT T P Connectors, and HT T P Clustering 13.3.1. About the mod_cluster HT T P Connector 13.3.2. Configure the mod_cluster Subsystem 13.3.3. Install the mod_cluster Module Into Apache HT T PD or Enterprise Web Server HT T PD 13.3.4. Configure Server Advertisement Properties for Your mod_cluster-enabled HT T PD 13.3.5. Configure a mod_cluster Worker Node 13.4. Apache mod_jk 13.4.1. About the Apache mod_jk HT T P Connector 13.4.2. Configure the JBoss Enterprise Application Platform to Communicate with Apache Mod_jk 13.4.3. Install the Mod_jk Module Into Apache HT T PD or Enterprise Web Server HT T PD 13.4.4. Configuration Reference for Apache Mod_jk Workers 13.5. Apache mod_proxy 13.5.1. About the Apache mod_proxy HT T P Connector 13.5.2. Install the Mod_proxy HT T P Connector Into Apache HT T PD
10
Table of Contents
16.3.1. Enterprise Bean T hread Pools 16.3.2. Create a T hread Pool 16.3.3. Remove a T hread Pool 16.3.4. Edit a T hread Pool 16.4. Configuring Session Beans 16.4.1. Session Bean Access T imeout 16.4.2. Set Default Session Bean Access T imeout Values 16.5. Configuring Message-Driven Beans 16.5.1. Set Default Resource Adapter for Message-Driven Beans 16.6. Configuring the EJB3 T imer Service 16.6.1. EJB3 T imer Service 16.6.2. Configure the EJB3 timer Service 16.7. Configuring the EJB Asynchronous Invocation Service 16.7.1. EJB3 Asynchronous Invocation Service 16.7.2. Configure the EJB3 Asynchronous Invocation Service T hread Pool 16.8. Configuring the EJB3 Remote Invocation Service 16.8.1. EJB3 Remote Service 16.8.2. Configure the EJB3 Remote Service 16.9. Configuring EJB 2.x Entity Beans 16.9.1. EJB Entity Beans 16.9.2. Container-Managed Persistence 16.9.3. Enable EJB 2.x Container-Managed Persistence 16.9.4. Configure EJB 2.x Container-Managed Persistence 16.9.5. CMP Subsystem Properties for HiLo Key Generators
17. Java Connector Architecture (JCA) 17.1. Introduction 17.1.1. About the Java EE Connector API (JCA) 17.1.2. Java Connector Architecture (JCA) 17.1.3. Resource Adapters 17.2. Configure the Java Connector Architecture (JCA) Subsystem 17.3. Deploy a Resource Adapter 17.4. Configure a Deployed Resource Adapter 17.5. Resource Adapter Descriptor Reference 17.6. Deploy the WebSphere MQ Resource Adapter 18. Deploy JBoss Enterprise Application Platform 6 on Amazon EC2 18.1. Introduction 18.1.1. About Amazon EC2 18.1.2. About Amazon Machine Instances (AMIs) 18.1.3. About JBoss Cloud Access 18.1.4. JBoss Cloud Access Features 18.1.5. Supported Amazon EC2 Instance T ypes 18.1.6. Supported Red Hat AMIs 18.2. Deploying JBoss Enterprise Application Platform 6 on Amazon EC2 18.2.1. Overview of Deploying JBoss Enterprise Application Platform 6 on Amazon EC2 18.2.2. Non-clustered JBoss Enterprise Application Platform 6 18.2.3. Clustered JBoss Enterprise Application Platform 6 18.3. Establishing Monitoring with JBoss Operations Network (JON) 18.3.1. About AMI Monitoring 18.3.2. About Connectivity Requirements 18.3.3. About Network Address T ranslation (NAT ) 18.3.4. About Amazon EC2 and DNS 18.3.5. About Routing in EC2 18.3.6. About T erminating and Restarting with JON 18.3.7. Configure an Instance to Register with JBoss Operations Network 18.4. User Script Configuration 18.4.1. Permanent Configuration Parameters 18.4.2. Custom Script Parameters 18.5. T roubleshooting 18.5.1. About T roubleshooting Amazon EC2
11
12
Preface
Preface
1. Document Conventions
T his manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information. In PDF and paper editions, this manual uses typefaces drawn from the Liberation Fonts set. T he Liberation Fonts set is also used in HT ML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default. 1.1. T ypographic Conventions Four typographic conventions are used to call attention to specific words and phrases. T hese conventions, and the circumstances they apply to, are as follows. Mono-spaced Bold Used to highlight system input, including shell commands, file names and paths. Also used to highlight keys and key combinations. For example: T o see the contents of the file m y_next_bestselling_novel in your current working directory, enter the cat m y_next_bestselling_novel command at the shell prompt and press Enter to execute the command. T he above includes a file name, a shell command and a key, all presented in mono-spaced bold and all distinguishable thanks to context. Key combinations can be distinguished from an individual key by the plus sign that connects each part of a key combination. For example: Press Enter to execute the command. Press Ctrl + Alt+ F2 to switch to a virtual terminal. T he first example highlights a particular key to press. T he second example highlights a key combination: a set of three keys pressed simultaneously. If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in m ono-spaced bold . For example: File-related classes include filesystem for file systems, file for files, and dir for directories. Each class has its own associated set of permissions. Proportional Bold T his denotes words or phrases encountered on a system, including application names; dialog box text; labeled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example: Choose System Preferences Mouse from the main menu bar to launch Mouse Preferences. In the Buttons tab, click the Left-handed m ouse check box and click Close to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand). T o insert a special character into a gedit file, choose Applications Accessories Character Map from the main menu bar. Next, choose Search Find from the Character Map menu bar, type the name of the character in the Search field and click Next. T he character you sought will be highlighted in the Character T able . Double-click this highlighted character to place it in the T ext to copy field and then click the Copy button. Now switch back to your document and choose Edit Paste from the gedit menu bar. T he above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in proportional bold and all distinguishable by context. Mono-spaced Bold Italic or Proportional Bold Italic Whether mono-spaced bold or proportional bold, the addition of italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on
13
Source-code listings are also set in m ono-spaced rom an but add syntax highlighting as follows:
package org.jboss.book.jca.ex1; import javax.naming.InitialContext; public class ExClient { public static void main(String args[]) throws Exception { InitialContext iniCtx = new InitialContext(); Object ref = iniCtx.lookup("EchoBean"); EchoHome home = (EchoHome) ref; Echo echo = home.create(); System.out.println("Created Echo"); System.out.println("Echo.echo('Hello') = " + echo.echo("Hello")); } }
1.3. Notes and Warnings Finally, we use three visual styles to draw attention to information that might otherwise be overlooked.
Note
Notes are tips, shortcuts or alternative approaches to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.
Important
Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring a box labeled 'Important' will not cause data loss but may cause irritation and frustration.
14
Preface
Warning
Warnings should not be ignored. Ignoring warnings will most likely cause data loss.
Additional information:
Be sure to give us your name so that you can receive full credit for reporting the issue.
15
16
bundles/
docs/ domain/
modules/
standalone/
welcome-content/
jboss-m odules.jar
17
data/
log/
servers/
tmp/
T able 2.3. Directories within the standalone/ directory Name configuration/ Purpose Configuration files for the standalone server. T hese files are modified by the Management Console and Management CLI, and are not meant to be edited directly. Information about deployed services. T he standalone server does include a deployment scanner, so you can place archives in this directory to be deployed. However, the recommended approach is to manage deployments using the Management Console or Management CLI. External libraries which pertain to a standalone server mode. Empty by default. Contains temporary data such as files pertaining to the shared-key mechanism used by the Management CLI to authenticate local users to the server.
deployments/
lib/ tmp/
Report a bug
18
host.xml
host-master.xml
host-slave.xml
standalone.xml
EAP_HOME/standalone/conf iguration/standalone.xm l
standalone-ha.xml
EAP_HOME/standalone/conf iguration/standaloneha.xm l
T hese are only the default locations. You can specify a different configuration file at run-time. Report a bug
19
T he web console is served through the same port as the HT T P management API. It is important to distinguish between the Management Console accessed as on a default localhost, the Management Console as accessed remotely by a specific host and port combination, and the exposed domain API. T able 2.5. T ableT itle URL http://localhost:9990/console Description T he Management Console accessed on the local host, controlling the Managed Domain configuration. T he Management Console accessed remotely, naming the host and controlling the Managed Domain configuration. T he HT T P Management API runs on the same port as the Management Console, displaying the raw attributes and values exposed to the API.
http://hostname:9990/console
Native API An example of a Native API tool is the Management CLI. T his management tool is available for a Managed Domain or Standalone Server instance, allowing the a user to connect to the domain controller or a Standalone Server instance and execute management operations available through the de-typed management model. T he Native API endpoint is the entry point for management clients that rely on the native protocol to integrate with the management layer. It uses an open binary protocol and an RPC-style API based on a very small number of Java types to describe and execute management operations. It's used by the Management CLI management tool, but offers integration capabilities for a wide range of other clients too. T he Native API endpoint is co-located with either a host controller or a Standalone Server. It must be enabled to use the Management CLI. By default, it runs on port 9999.
20
Report a bug
Result T he JBoss Enterprise Application Platform 6 Standalone Server instance starts. Report a bug 2.6.3. Start JBoss Enterprise Application Platform 6 as a Managed Domain Red Hat Enterprise Linux.
Run the command: EAP_HOME/bin/domain.sh
Result
21
Example configurations
Several example configurations are included in the configuration directories. Use these examples to enable extra features such as clustering or the T ransactions XT S API. 1. Managed Domain For a Managed Domain, provide the file name of the configuration file as an option to the -domain-config parameter. You do not need to give the full path, if the configuration file resides in the EAP_HOME/dom ain/configuration/ directory. Example 2.3. Using an alternate configuration file for a Managed Domain in Red Hat Enterprise Linux
[user@host bin]$ ./domain.sh --domain-config= domain-alternate.xml
Example 2.4 . Using an alternate configuration file for a Managed Domain in Microsoft Windows Server
C:\EAP_HOME\bin> domain.bat --domain-config= domain-alternate.xml
2. Standalone server For a Standalone Server, provide the filename of the configuration file as an option to the -server-config parameter. You do not need to give the full path to the configuration file if it is in the EAP_HOME/standalone/configuration/ directory. Example 2.5. Using an alternate configuration file for a Standalone Server in Red Hat Enterprise Linux
[user@host bin]$ ./standalone.sh --server-config= standalonealternate.xml
Example 2.6. Using an alternate configuration file for a Standalone Server in Microsoft Windows Server
C:\EAP_HOME\bin> standalone.bat --server-config= standalone-alternate.xml
Result: JBoss Enterprise Application Platform 6 is now running, using your alternate configuration.
22
Report a bug 2.6.5. Stop JBoss Enterprise Application Platform 6 T ask Summary: T he way that you stop JBoss Enterprise Application Platform 6 depends on how it was started. T his task covers stopping an instance that was started interactively, stopping an instance that was started by a service, and stopping an instance that was forked into the background by a script.
Note
T his task does not address stopping a server or server group in a Managed Domain. For those scenarios, see Section 2.8.3, Stop a Server Using the Management Console.
Procedure 2.1. T ask: 1. Stop an instance which was started interactively from a command prompt. Press Ctrl-C in the terminal where JBoss Enterprise Application Platform 6 is running. 2. Stop an instance which was started as an operating system service. Depending on your operating system, use one of the following procedures. A. Red Hat Enterprise Linux For Red Hat Enterprise Linux, if you have written a service script, use its stop facility. T his needs to be written into the script. T hen you can use service scriptname stop , where scriptname is the name of your script. B. Microsoft Windows Server In Microsoft Windows, use the net service command, or stop the service from the Services applet in the Control Panel. 3. Stop an instance which is running in the background (Red Hat Enterprise Linux) a. Locate the instance from the process list. One option is to run the command ps aux |grep "[j]ava -server" . T his returns one result for each JBoss Enterprise Application Platform 6 instance that is running on the local machine. b. Send the process the T ERM signal, by running kill process_ID, where process_ID is the number in the second field of the ps aux command above. Result: Each of these alternatives shuts JBoss Enterprise Application Platform 6 down cleanly so that data is not lost. Report a bug 2.6.6. Reference of Switches and Arguments to pass at Server Runtime T he application server startup script accepts the addition of arguments and switches at runtime. T he use of these parameters allows for the server to be started under alternative configurations to those defined in the standalone.xm l , dom ain.xm l and host.xm l configuration files. T his might include starting the server with an alternative set of socket bindings or a secondary configuration. A list of these available parameters can be accessed by passing the help switch at startup.
Example 2.7. T he following example is similar to the server startup explained in Section 2.6.2, Start JBoss Enterprise Application Platform 6 as a Standalone Server, with the addition of the -h or --help switches. T he results of the help switch are explained in the table below.
[localhost bin]$ standalone.sh -h
23
-b=<value> -b <value> -b<interface>=<value> -c=<config> -c <config> -D<name>[=<value>] -h --help -P=<url> -P <url> --properties=<url> -S<name>[=<value>] --serverconfig=<config> -u=<value> -u <value> -V -v --version
Report a bug
24
2. Add the start-up script as a service. Add the new jboss-as-standalone.sh service to list of automatically started services, using the chkconfig service management command.
[user@host init.d]$ sudo chkconfig --add jboss-as-standalone.sh
3. Edit the script options. If desired, edit the jboss-as.conf file to customize start-up options for JBoss Enterprise Application Platform and the JVM. Use the comments in the file as guidance. It is recommended to set the JBOSS_HOME variable in this file, to point to the directory where you extracted JBoss Enterprise Application Platform 6. Do not add a trailing slash (/) at the end of the directory name. 4. Edit the script itself. You may need to edit the start-up script itself. It makes certain assumptions about the name of your start-up file and the location of your JBoss Enterprise Application Platform instance. Customize the script, paying special attention to the following variables, which you will need to customize to start JBoss Enterprise Application Platform 6 as a managed domain. JBOSS_HOME - the location where JBoss Enterprise Application Platform 6 is extracted JBOSS_USER - the user with the ability to run JBoss Enterprise Application Platform. T his should be a non-privileged user, as no superuser privileges as required. JBOSS_CONFIG - the name of the configuration file used to start JBoss Enterprise Application Platform 6, such as dom ain.xm l or standalone.xm l JBOSS_SCRIPT - the script used to start JBoss Enterprise Application Platform 6, such as dom ain.sh or standalone.sh 5. Start the service. If desired, start the new service using the standard syntax for starting Red Hat Enterprise Linux services.
[user@host bin]$ sudo service jboss-as-standalone.sh start
Result JBoss Enterprise Application Platform 6 starts automatically when the Red Hat Enterprise Linux reaches its default run-level, and stops automatically when the operating system goes through its shutdown routine. Report a bug 2.7.3. Install JBoss Enterprise Application Platform 6 as a Service in Microsoft Windows Summary T his task installs JBoss Enterprise Application Platform 6 as a service on Microsoft Windows. Prerequisites You need administrator access to complete this task. Procedure 2.3. T ask 1. Download the Native Utilities package for your architecture. 32-bit, 64-bit, and Itanium 64-bit packages are available from the Red Hat Customer Portal at https://access.redhat.com. For more information on downloading software from the Red Hat Customer Portal, refer to the JBoss Enterprise Application Platform 6 Installation Guide, available here: https://access.redhat.com/knowledge/docs/JBoss_Enterprise_Application_Platform/. 2. Unzip the downloaded archive. Unzip the archive into a new folder. Result: T he m odules\native\bin\ folder is created. T he m odules\native\bin\ folder contains the files you need to install JBoss Enterprise Application Platform 6 as a service. T hese services are part of Procrun, which is a series of wrapper scripts provided by Apache Commons. T o learn more about Procrun and its syntax, refer
25
Result T he service is installed. JBoss Enterprise Application Platform 6 is listed in the Services applet services.m sc . 4. Manage your service. Use the m odules\bin\prunm gr.exe executable to manage, edit, add, or delete services. T he following command-line options are supported: run service start stop update install delete pause [seconds] version help T he general syntax is:
prunmgr.exe command service_name
Result You can use the net service command at the command line, or the services.m sc applet, to start, stop, and manage automatic start-up of JBoss Enterprise Application Platform 6 in Microsoft Windows Server. Report a bug
26
Figure 2.1. Server Instances 2. Select a server From the list of Server Instances, select the server you want to start. Servers that are running are indicated by a check mark. 3. Click the Start button Click on the Start button above the server list to open the confirmation dialogue box. Click the Confirm button to start the server.
27
Report a bug 2.8.3. Stop a Server Using the Management Console Prerequisites Section 2.6.3, Start JBoss Enterprise Application Platform 6 as a Managed Domain Section 3.2.2, Log in to the Management Console Procedure 2.5. T ask 1. Navigate to Server Instances in the Management Console a. Select the Runtim e tab from the top-right of the console. b. Select Domain Status Server Instances from the menu on the left of the console.
28
2. Select a server From the list of Server Instances, select the server you want to stop. Servers that are running are indicated by a check mark. 3. Click the Stop button Click on the Stop button above the server list to open the confirmation dialogue box. Click the Confirm button to start the server.
Report a bug
29
JBoss Enterprise Application Platform 6 uses logical names for a filesystem paths. T he dom ain.xm l , host.xm l and standalone.xm l configurations all include a section where paths can be declared. Other sections of the configuration can then reference those paths by their logical name, avoiding the declaration of the absolute path for each instance. T his benefits configuration and administration efforts as it allows specific host configurations to resolve to universal logical names. For example, the logging subsystem configuration includes a reference to the jboss.server.log.dir path that points to the server's log directory.
JBoss Enterprise Application Platform 6 automatically provides a number of standard paths without any need for the user to configure them in a configuration file. T able 2.7. Standard Paths Value jboss.hom e user.hom e user.dir java.hom e jboss.server.base .dir jboss.server.data .dir jboss.server.log. dir jboss.server.tm p. dir jboss.dom ain.serv ers.dir Description T he root directory of the JBoss EAP 6 distribution. T he user home directory. T he user's current working directory. T he Java installation directory T he root directory for an individual server instance. T he directory the server will use for persistent data file storage. T he directory the server will use for log file storage. T he directory the server will use for temporary file storage. T he directory under which a host controller will create the working area for individual server instances in a managed domain.
Users can add their own paths or override all except the first five of the above by adding a path element to their configuration file. T he following example shows a new relative path declaration relative to the root directory for the individual server instance.
T he structure of a path declaration uses the following attributes. T able 2.8. Path Attributes Attribute nam e path Description T he name of the path. T he actual filesystem path. T reated as an absolute path, unless the relative-to attribute is specified, in which case the value is treated as relative to that path. An optional attribute indicating the name of another previously named path, or of one of the standard paths provided by the system.
relative-to
A path element in a dom ain.xm l configuration file only requires the name attribute. It does not need to include any information indicating what the actual filesystem path is, as shown in the following example.
30
T his configuration simply declares that there is a path named exam ple that the other parts of the dom ain.xm l configuration can reference. T he actual filesystem location declared by exam ple is specific to the respective host.xm l configuration files of the host instances joining the domain groups. If this approach is used, there must be a path element in each machine's host.xm l that specifies what the actual filesystem path is.
A path element in a standalone.xm l must include the specification of the actual filesystem path. Report a bug
2. Start the server with this instance of the backed up model by passing in the relative filename under jboss.server.config.dir .
EAP_HOME/bin/standalone.sh --serverconfig=standalone_xml_history/current/standalone.v1.xml
31
Result T he application server starts with the selected configuration. Report a bug 2.10.3. Save a Configuration Snapshot Using the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Snapshots are a point-in-time copy of the current server instance. T hese copies can be saved and loaded by the administrator. T he following example uses the standalone.xm l instance, but the same process applies to the dom ain.xm l and host.xm l models. T ask Save a snapshot Run the take-snapshot operation to capture a copy of the current server instance.
[standalone@localhost:9999 /] :take-snapshot { "outcome" => "success", "result" => "/home/User/EAP_HOME/standalone/configuration/standalone_xml_history/snapshot/20 110630-172258657standalone.xml" }
Result A snapshot of the current server instance has been saved. Report a bug 2.10.4 . Load a Configuration Snapshot Snapshots are a point-in-time copy of the current server instance. T hese copies can be saved and loaded by the administrator. T he process of loading snapshots is similar to the method used to Section 2.10.2, Start the Server with a Previous Configuration, running from the command line rather than the Management CLI interface used to create, list and delete snapshots. T he following example uses the standalone.xm l instance, but the same process applies to the dom ain.xm l and host.xm l models. Procedure 2.6. T ask 1. Identify the snapshot to be loaded. T his example will recall the following file from the snapshot directory. T he default path for the snapshot files is as follows.
EAP_HOME/standalone/configuration/standalone_xml_history/snapshot/2011081 2-191301472standalone.xml
T he snapshots are expressed by their relative paths, by which the above example can be written as follows.
jboss.server.config.dir/standalone_xml_history/snapshot/20110812191301472standalone.xml
2. Start the server with the selected snapshot instance by passing in the filename.
EAP_HOME/bin/standalone.sh --serverconfig=standalone_xml_history/snapshot/20110913-164449522standalone.xml
32
Report a bug 2.10.5. Delete a Configuration Snapshot Using Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Snapshots are a point-in-time copy of the current server instance. T hese copies can be saved and loaded by the administrator. T he following examples use the standalone.xm l instance, but the same process applies to the dom ain.xm l and host.xm l models. Procedure 2.7. Delete a Specific Snapshot 1. Identify the snapshot to be deleted. T his example will delete the following file from the snapshot directory.
EAP_HOME/standalone/configuration/standalone_xml_history/snapshot/20110630165714239standalone.xml
2. Run the :delete-snapshot command to delete a specific snapshot, specifying the name of the snapshot as in the example below.
[standalone@localhost:9999 /] :delete-snapshot(name=" 20110630165714239standalone.xml") {"outcome" => "success"}
Result T he snapshot has been deleted. Procedure 2.8. Delete All Snapshots Run the :delete-snapshot(nam e="all") command to delete all snapshots as in the example below.
[standalone@localhost:9999 /] :delete-snapshot(name="all") {"outcome" => "success"}
Result All snapshots have been deleted. Report a bug 2.10.6. List All Configuration Snapshots Using Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Snapshots are a point-in-time copy of the current server instance. T hese copies can be saved and loaded by the administrator. T he following example uses the standalone.xm l instance, but the same process applies to the dom ain.xm l and host.xm l models. Procedure 2.9. T ask List all snapshots List all of the saved snapshots by running the :list-snapshots command.
33
34
Result
35
Report a bug 3.2.3. Change the Language of the Management Console T he language settings of web-based Management Console use English by default. You can choose to use one of the following languages instead. Supported Languages German (de) Simplified Chinese (zh-Hans) Brazilian Portuguese (pt-BR) French (fr) Spanish (es) Japanese (ja) Procedure 3.2. T ask 1. Log into the Management Console. Log into the web-based Management Console. 2. Open the Settings dialog. Near the bottom right of the screen is a Settings label. Click it to open the settings for the Management Console. 3. Select the desired language. Select the desired language from the Locale selection box. Select Save . A confirmation box informs you that you need to reload the application. Click Confirm . Refresh your web browser to use the new locale. Report a bug 3.2.4 . Configure a Server Using the Management Console Prerequisites Section 2.6.3, Start JBoss Enterprise Application Platform 6 as a Managed Domain Section 3.2.2, Log in to the Management Console Procedure 3.3. T ask 1. Navigate to the server's Server Configuration panel in the Management Console a. Select the Server tab from the top-right of the console. b. Expand the Server Configurations menu item on the left of the console and select the relevant server from the list.
36
Figure 3.2. Server configuration 2. Edit the server configuration a. Select the Edit button beneath the server list. b. Make changes to the configuration attributes. c. Select the Save button beneath the server list. Result T he server configuration is changed, and will take effect next time the server restarts. Report a bug 3.2.5. Add a Deployment in the Management Console Prerequisites Section 3.2.2, Log in to the Management Console Procedure 3.4 . T ask 1. Navigate to the Manage Deploym ents panel in the Management Console a. Select the Runtim e tab from the top right of the console. b. For either a managed domain or a standalone server, select the Deployments Manage Deployments option from the menu on the left of the console. T he Manage Deploym ents panel appears.
37
Figure 3.3. Manage domain deployments 2. Add deployment content Select the Add Content button in the top right of the Deploym ents panel. An Upload dialog box appears. 3. Choose a file to deploy In the dialog box, select the Choose File button. Browse to the file you want to deploy and select it for upload. Select the Next button to proceed once a file has been selected.
Figure 3.4 . Deployment selection 4. Verify deployment names Verify the deployment name and runtime name that appear in the Upload dialog box. Select the Save button to upload the file once the names are verified.
38
Result T he selected content is uploaded to the server and is now ready for deployment.
39
Report a bug 3.2.6. Create a New Server in the Management Console Prerequisites Section 2.6.3, Start JBoss Enterprise Application Platform 6 as a Managed Domain Section 3.2.2, Log in to the Management Console Procedure 3.5. T ask 1. Navigate to the Server Configurations page in the Management Console Select the Server tab from the top-right of the console. 2. Create a new configuration a. Select the Add button at the top of the Server Configuration panel. b. Edit the basic server settings in the Create Server Configuration dialog. c. Select the Save button to save the new server configuration. Result T he new server is created and listed in the Server Configurations list. Report a bug 3.2.7. Change the Default Log Levels Using the Management Console Procedure 3.6. T ask 1. Navigate to the Logging panel in the Management Console a. If you are working with a managed domain, select the Profiles tab from the top-right of the console, then select the relevant profile from the drop-down list on the left of the console. b. For either a managed domain or a standalone server, select the Core Logging option from the menu on the left of the console. c. Click on the Log Categories tab in the top of the console.
40
Figure 3.8. Logging panel 2. Edit logger details Edit the details for any of the entries in the Log Categories table. a. Select an entry in the Log Categories table, then select the Edit button in the Details section below. b. Set the log level for the category with the Log Level drop-down box. Select the Save button when done. Result T he log levels for the relevant categories are now updated. Report a bug 3.2.8. Create a New Server Group in the Management Console Prerequisites Section 3.2.2, Log in to the Management Console Procedure 3.7. T ask 1. Navigate to the Server Groups view Select the Profiles tab in the top-right corner. 2. Select the Group Configurations tab under the Server Groups menu in the left hand column.
41
Figure 3.9. T he Server Groups view 3. Add a server group Click the Add button to add a new server group. 4. Configure the server group a. Enter a name for the server group. b. Select the profile you want to add the server group to. c. Select the socket binding you want to add the server group to. d. Select the Save button to save your new group.
Result
42
B. Launch the CLI in Windows Run the EAP_HOME\bin\jboss-cli.bat file by double-clicking it, or by entering the following at a command line:
C:\>EAP_HOME\bin\jboss-cli.bat
Report a bug 3.3.3. Quit the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Procedure 3.9. T ask Run the quit command From the Management CLI, enter the quit command:
[domain@localhost:9999 /] quit Closed connection to localhost:9999
Report a bug 3.3.4 . Connect to a Managed Server Instance Using the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Procedure 3.10. T ask Run the connect command From the Management CLI, enter the connect command:
43
A. Alternatively, to connect to a managed server when starting the Management CLI on a Linux system, use the --connect parameter:
$ EAP_HOME/bin/jboss-cli.sh --connect
B. T he --connect parameter can be used to specify the host and port of the server. T o connect to the address 192.168.0.1 with the port value 9999 the following would apply:
$ EAP_HOME/bin/jboss-cli.sh --connect --controller=192.168.0.1:9999
Report a bug 3.3.5. Get Help with the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Summary T he Management CLI features a help dialog with general and context sensitive options. T he help commands dependent on the operation context require an established connection to either a standalone or domain controller. T hese commands will not appear in the listing unless the connection has been established. Procedure 3.11. T ask 1. Run the help command From the Management CLI, enter the help command:
[standalone@localhost:9999 /] help
2. Get context sensitive help From the Management CLI, enter the help -com m ands extended command:
[standalone@localhost:9999 /] help --commands
3. For a more detailed description of a specific command, execute the help command with '-help' as the argument.
[standalone@localhost:9999 /] deploy --help
Result T he CLI help information is displayed. Report a bug 3.3.6. Use the Management CLI in Batch Mode Prerequisites Section 3.3.2, Launch the Management CLI Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI Procedure 3.12. T ask Batch processing allows a number of operation requests to be grouped in a sequence and executed together as a unit. If any of the operation requests in the sequence fail, the entire group of operations is rolled back. 1. Enter batch mode Enter batch mode with the batch command.
44
Batch mode is indicated by the hash symbol (# ) in the prompt. 2. Add operation requests to the batch Once in batch mode, enter operation requests as normal. T he operation requests are added to the batch in the order they are entered. Refer to Section 3.3.7, Use Operations and Commands in the Management CLI for details on formatting operation requests. 3. Run the batch Once the entire sequence of operation requests is entered, run the batch with the run-batch command.
[standalone@localhost:9999 / #] run-batch The batch executed successfully.
Result T he entered sequence of operation requests is completed as a batch. Report a bug 3.3.7. Use Operations and Commands in the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI Procedure 3.13. T ask 1. Construct the operation request Operation requests allow for low-level interaction with the management model. T hey provide a controlled way to edit server configurations. An operation request consists of three parts: an address, prefixed with a slash (/). an operation name, prefixed with a colon (:). an optional set of parameters, contained within parentheses (()). a. Determine the address T he configuration is presented as a hierarchical tree of addressable resources. Each resource node offers a different set of operations. T he address specifies which resource node to perform the operation on. An address uses the following syntax:
/node-type=node-name
node-type is the resource node type. T his maps to an element name in the configuration XML. node-name is the resource node name. T his maps to the nam e attribute of the element in the configuration XML. Separate each level of the resource tree with a slash (/). Refer to the configuration XML files to determine the required address. T he EAP_HOME/standalone/configuration/standalone.xm l file holds the configuration for a standalone server and the EAP_HOME/dom ain/configuration/dom ain.xm l and EAP_HOME/dom ain/configuration/host.xm l files hold the configuration for a managed domain.
45
Example 3.1. Example operation addresses T o perform an operation on the logging subsystem, use the following address in an operation request:
/subsystem=logging
T o perform an operation on the Java datasource, use the following address in an operation request:
/subsystem=datasources/data-source=java
b. Determine the operation Operations differ for each different type of resource node. An operation uses the following syntax:
:operation-name
operation-name is the name of the operation to request. Use the read-operation-nam es operation on any resource address in a standalone server to list the available operations. Example 3.2. Available operations T o list all available operations for the logging subsystem, enter the following request for a standalone server:
[standalone@localhost:9999 /] /subsystem=logging:read-operation-names { "outcome" => "success", "result" => [ "add", "read-attribute", "read-children-names", "read-children-resources", "read-children-types", "read-operation-description", "read-operation-names", "read-resource", "read-resource-description", "remove", "undefine-attribute", "whoami", "write-attribute" ] }
c. Determine any parameters Each operation may require different parameters. Parameters use the following syntax:
(parameter-name=parameter-value)
parameter-name is the name of the parameter. parameter-value is the value of the parameter. Multiple parameters are separated by commas (,). T o determine any required parameters, perform the read-children-types command on a resource node, passing the operation name as a parameter. Refer to Example 3.3, Determine operation parameters for details.
46
Example 3.3. Determine operation parameters T o determine any required parameters for the read-children-types operation on the logging subsystem, enter the read-operation-description command as follows:
[standalone@localhost:9999 /] /subsystem=logging:read-operationdescription(name=read-children-types) { "outcome" => "success", "result" => { "operation-name" => "read-children-types", "description" => "Gets the type names of all the children under the selected resource", "reply-properties" => { "type" => LIST, "description" => "The children types", "value-type" => STRING }, "read-only" => false } }
2. Enter the full operation request Once the address, operation, and any parameters have been determined, enter the full operation request. Example 3.4 . Example operation request
[standalone@localhost:9999 /] /subsystem=web/connector=http:readresource(recursive=true)
Result T he management interface performs the operation request on the server configuration. Report a bug 3.3.8. Reference of Management CLI Commands Prerequisites Section 3.3.2, Launch the Management CLI Summary T he topic Section 3.3.5, Get Help with the Management CLI describes how to access the Management CLI help features, including a help dialogue with general and context sensitive options. T he help commands are dependent on the operation context and require an established connection to either a standalone or domain controller. T hese commands will not appear in the listing unless the connection has been established.
47
cd
help
history
jm s-queue jm s-topic ls
version xa-data-source
Report a bug 3.3.9. Reference of Management CLI Operations Exposing operations in the Management CLI
48
Operations in the Management CLI can be exposed by using the read-operation-nam es operation described in the topic Section 3.4.5, Display the Operation Names using the Management CLI. T he operation descriptions can be exposed by using the read-operation-descriptions operation described in the topic Section 3.4.4, Display an Operation Description using the Management CLI.
49
list-snapshots read-attribute read-children-nam es read-children-resources read-children-types read-config-as-xm l read-operationdescription read-operation-nam es read-resource read-resourcedescription reload rem ove-nam espace rem ove-schem a-location replace-deploym ent
resolve-expression
upload-deploym entstream
upload-deploym ent-url
50
validate-address write-attribute
Validates the operation's address. Sets the value of an attribute for the selected resource.
Report a bug
Procedure 3.14 . T ask Run the read-attribute operation From the Management CLI, use the read-attribute operation to display the value of a resource attribute. For more details on operation requests, refer to the topic Section 3.3.7, Use Operations and Commands in the Management CLI.
[standalone@localhost:9999 /]:read-attribute(name= name-of-attribute)
An advantage of the read-attribute operation is the ability to expose the current runtime value of a specific attribute. Similar results can be achieved with the read-resource operation, but only with the addition of the include-runtim e request property, and only as part of a list of all available resources for that node. T he read-attribute operation is intended for fine-grained attribute queries, as the following example shows.
51
Example 3.5. Run the read-attribute operation to expose the public interface IP If you know the name of the attribute that you would like to expose, you can use the readattribute to return the exact value in the current runtime.
[standalone@localhost:9999 /] /interface=public:read-attribute(name=resolvedaddress) { "outcome" => "success", "result" => "127.0.0.1" }
T he resolved-address attribute is a runtime value, so it is not displayed in the results of the standard read-resource operation.
[standalone@localhost:9999 /] /interface=public:read-resource { "outcome" => "success", "result" => { "any" => undefined, "any-address" => undefined, "any-ipv4-address" => undefined, "any-ipv6-address" => undefined, "inet-address" => expression "${jboss.bind.address:127.0.0.1}", "link-local-address" => undefined, "loopback" => undefined, "loopback-address" => undefined, "multicast" => undefined, "name" => "public", "nic" => undefined, "nic-match" => undefined, "not" => undefined, "point-to-point" => undefined, "public-address" => undefined, "site-local-address" => undefined, "subnet-match" => undefined, "up" => undefined, "virtual" => undefined } }
T o display resolved-address and other runtime values, you must use the include-runtim e request property.
[standalone@localhost:9999 /] /interface=public:read-resource(includeruntime=true) { "outcome" => "success", "result" => { "any" => undefined, "any-address" => undefined, "any-ipv4-address" => undefined, "any-ipv6-address" => undefined, "inet-address" => expression "${jboss.bind.address:127.0.0.1}", "link-local-address" => undefined, "loopback" => undefined, "loopback-address" => undefined, "multicast" => undefined, "name" => "public", "nic" => undefined, "nic-match" => undefined, "not" => undefined, "point-to-point" => undefined, "public-address" => undefined, "resolved-address" => "127.0.0.1", "site-local-address" => undefined, "subnet-match" => undefined, "up" => undefined, "virtual" => undefined } }
52
Result
T he current runtime attribute value is displayed. Report a bug 3.4 .2. Display the Active User in the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Summary T he whoam i operation is a global operation used to identify the attributes of the current active user. T he operation exposes the identity of the username and the realm that they are assigned to. T he whoam i operation is useful for administrators managing multiple users accounts across multiple realms, or to assist in keeping track of active users across domain instances with multiple terminal session and users accounts. Procedure 3.15. T ask Run the whoam i operation From the Management CLI, use the whoam i operation to display the active user account.
[standalone@localhost:9999 /] :whoami
T he following example uses the whoam i operation in a standalone server instance to show that the active user is usernam e , and that the user is assigned to the Managem entRealm realm. Example 3.6. Use the whoam i in a standalone instance
[standalone@localhost:9999 /]:whoami { "outcome" => "success", "result" => {"identity" => { "username" => "username", "realm" => "ManagementRealm" }} }
Result Your current active user account is displayed. Report a bug 3.4 .3. Display System and Server Information in the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Procedure 3.16. T ask Run the version command From the Management CLI, enter the version command:
[domain@localhost:9999 /] version
Result Your application server version and environment information is displayed. Report a bug
53
Example 3.7. Display the list-snapshots operation description T he following example shows the method for describing the list-snapshots operation.
[standalone@localhost:9999 /] :read-operation-description(name=list-snapshots) { "outcome" => "success", "result" => { "operation-name" => "list-snapshots", "description" => "Lists the snapshots", "reply-properties" => { "type" => OBJECT, "value-type" => { "directory" => { "type" => STRING, "description" => "The directory where the snapshots are stored" }, "names" => { "type" => LIST, "value-type" => STRING, "description" => "The names of the snapshots within the snapshots directory" } } }, "read-only" => false } }
Result T he description is displayed for the chosen operation. Report a bug 3.4 .5. Display the Operation Names using the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Procedure 3.18. T ask Run the read-operation-nam es operation From the Management CLI, use the read-operation-nam es operation to display the names of the available operations. For more details on operation requests, refer to the topic Section 3.3.7, Use Operations and Commands in the Management CLI.
[standalone@localhost:9999 /]:read-operation-names
54
Example 3.8. Display the operation names using the Management CLI T he following example shows the method for describing the read-operation-nam es operation.
[standalone@localhost:9999 /]:read-operation-names { "outcome" => "success", "result" => [ "add-namespace", "add-schema-location", "delete-snapshot", "full-replace-deployment", "list-snapshots", "read-attribute", "read-children-names", "read-children-resources", "read-children-types", "read-config-as-xml", "read-operation-description", "read-operation-names", "read-resource", "read-resource-description", "reload", "remove-namespace", "remove-schema-location", "replace-deployment", "shutdown", "take-snapshot", "upload-deployment-bytes", "upload-deployment-stream", "upload-deployment-url", "validate-address", "write-attribute" ] }
Result T he available operation names are displayed. Report a bug 3.4 .6. Display Available Resources using the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Summary T he read-resource operation is a global operation used to read resource values. It can be used to expose either basic or complete information about the resources of the current or child nodes, along with a range of request properties to expand or limit the scope of the operation results. T he request properties include the following parameters. Request Properties recursive Whether to recursively include complete information about child resources. recursive-depth T he depth to which information about child resources should be included. proxies Whether to include remote resources in a recursive query. For example including the host level resources from slave Host Controllers in a query of the Domain Controller.
55
include-runtim e Whether to include runtime attributes in the response, such as attribute values that do not come from the persistent configuration. T his request property is set to false by default. include-defaults A boolean request property that serves to enable or disable the reading of default attributes. When set to false only the attributes set by the user are returned, ignoring any that remain undefined.
Procedure 3.19. T ask 1. Run the read-resource operation From the Management CLI, use the read-resource operation to display the available resources.
[standalone@localhost:9999 /]:read-resource
T he following example shows how you might use the read-resource operation on a standalone server instance to expose general resource information. T he results resemble the standalone.xm l configuration file, displaying the system resources, extensions, interfaces and subsystems installed or configured for the server instance. T hese can be further queried directly.
56
57
58
2. Run the read-resource operation against a child node T he read-resource operation can be run to query child nodes from the root. T he structure of the operation first defines the node to expose, and then appends the operation to run against it.
[standalone@localhost:9999 /]/subsystem=web/connector=http:read-resource
In the following example, specific resource information about a web subsystem component can be exposed by directing the read-resource operation towards the specific web subsystem node. Example 3.10. Expose child node resources from the root node
[standalone@localhost:9999 /] /subsystem=web/connector=http:read-resource { "outcome" => "success", "result" => { "enable-lookups" => false, "enabled" => true, "executor" => undefined, "max-connections" => undefined, "max-post-size" => 2097152, "max-save-post-size" => 4096, "name" => "http", "protocol" => "HTTP/1.1", "proxy-name" => undefined, "proxy-port" => undefined, "redirect-port" => 8433, "scheme" => "http", "secure" => false, "socket-binding" => "http", "ssl" => undefined, "virtual-server" => undefined } }
T he same results are possible by using the cd command to navigate into the child nodes and run the read-resource operation directly.
59
3. Use the recursive parameter to include active values in results T he recursive parameter can be used to expose the values of all attributes, including nonpersistent values, those passed at startup, or other attributes otherwise active in the runtime model.
[standalone@localhost:9999 /]/interface=public:read-resource(includeruntime=true)
Compared to the previous example, the inclusion of the include-runtim e request property exposes additional active attributes, such as the bytes sent and byes received by the http connector.
60
Example 3.12. Expose additional and active values with the include-runtim e parameter
[standalone@localhost:9999 /] /subsystem=web/connector=http:readresource(include-runtime=true) { "outcome" => "success", "result" => { "bytesReceived" => "0", "bytesSent" => "0", "enable-lookups" => false, "enabled" => true, "errorCount" => "0", "executor" => undefined, "max-connections" => undefined, "max-post-size" => 2097152, "max-save-post-size" => 4096, "maxTime" => "0", "name" => "http", "processingTime" => "0", "protocol" => "HTTP/1.1", "proxy-name" => undefined, "proxy-port" => undefined, "redirect-port" => 8433, "requestCount" => "0", "scheme" => "http", "secure" => false, "socket-binding" => "http", "ssl" => undefined, "virtual-server" => undefined } }
Report a bug 3.4 .7. Display Available Resource Descriptions using the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Procedure 3.20. T ask 1. Run the read-resource-description operation From the Management CLI, use the read-resource-description operation to read and display the available resources. For more details on operation requests, refer to the topic Section 3.3.7, Use Operations and Commands in the Management CLI.
[standalone@localhost:9999 /]:read-resource-description
2. Use optional parameters T he read-resource-description operation allows the use of the additional parameters. a. Use the operations parameter to include descriptions of the resource's operations.
[standalone@localhost:9999 /]:read-resourcedescription(operations=true)
b. Use the inherited parameter to include or exclude descriptions of the resource's inherited operations. T he default state is true.
[standalone@localhost:9999 /]:read-resourcedescription(inherited=false)
c. Use the recursive parameter to include recursive descriptions of the child resources.
[standalone@localhost:9999 /]:read-resourcedescription(recursive=true)
d. Use the locale parameter to get the resource description in. If null, the default locale will
61
Result Descriptions of the available resources are displayed. Report a bug 3.4 .8. Reload the Application Server using the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Procedure 3.21. T ask Run the reload operation From the Management CLI, use the reload operation to shut the server down via the System .exit(0) system call. For more details on operation requests, refer to the topic Section 3.3.7, Use Operations and Commands in the Management CLI.
[standalone@localhost:9999 /]:reload {"outcome" => "success"}
Result T he application server reloads by shutting down all services and starting the runtime again. T he Management CLI automatically reconnects. Report a bug 3.4 .9. Shut the Application Server down using the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Procedure 3.22. T ask Run the shutdown operation From the Management CLI, use the shutdown operation to shut the server down via the System .exit(0) system call. For more details on operation requests, refer to the topic Section 3.3.7, Use Operations and Commands in the Management CLI.
[standalone@localhost:9999 /]:shutdown
Result T he application server is shut down. T he Management CLI will be disconnected as the runtime is unavailable. Report a bug 3.4 .10. Configure an Attribute with the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Summary T he write-attribute operation is a global operation used to write or modify a selected resource attribute. You can use the operation to make persistent changes and to modify the configuration settings of your managed server instances. T he request properties include the following parameters.
62
Request Properties nam e T he name of the attribute to set the value for under the selected resource. value T he desired value of the attribute under the selected resource. May be null if the underlying model supports null values.
Procedure 3.23. T ask Run the write-attribute operation From the Management CLI, use the write-attribute operation to modify the value of a resource attribute. T he operation can be run at the child node of the resource or at the root node of the Management CLI where the full resource path is specified.
Example 3.13. Disable the deployment scanner with the write-attribute operation T he following example uses the write-attribute operation to disable the deployment scanner. T he operation is run from the root node, using tab completion to aid in populating the correct resource path.
[standalone@localhost:9999 /] /subsystem=deploymentscanner/scanner=default:write-attribute(name=scan-enabled,value=false) {"outcome" => "success"}
T he results of the operation can be confirmed directly with the read-attribute operation.
[standalone@localhost:9999 /] /subsystem=deployment-scanner/scanner=default:readattribute(name=scan-enabled) { "outcome" => "success", "result" => false }
T he results can also be confirmed by listing all of the node's available resource attributes with the read-resource operation. In the following example, this particular configuration shows the scanenabled attribute is now set to false .
[standalone@localhost:9999 /] /subsystem=deployment-scanner/scanner=default:readresource { "outcome" => "success", "result" => { "auto-deploy-exploded" => false, "auto-deploy-xml" => true, "auto-deploy-zipped" => true, "deployment-timeout" => 600, "path" => "deployments", "relative-to" => "jboss.server.base.dir", "scan-enabled" => false, "scan-interval" => 5000 } }
63
T he Management CLI features a command history functionality that is enabled by default in the application server installation. T he history is kept both as a record in the volatile memory of the active CLI session, and appended to a log file that saves automatically in the user's home directory as .jboss-cli-history. T his history file is configured by default to record up to a maximum of 500 CLI commands. T he history command by itself will return the history of the current session, or with additional arguments will disable, enable or clear the history from the session memory. T he Management CLI also features the ability to use your keyboard's arrow keys to go back and forth in the history of commands and operations. Functions of the Management CLI history Section 3.5.2, Show the Management CLI Command history Section 3.5.3, Clear the Management CLI Command history Section 3.5.4, Disable the Management CLI Command history Section 3.5.5, Enable the Management CLI Command history Report a bug 3.5.2. Show the Management CLI Command history Prerequisites Section 3.3.2, Launch the Management CLI Procedure 3.24 . T ask Run the history command From the Management CLI, enter the history command:
[standalone@localhost:9999 /] history
Result T he CLI command history stored in memory since the CLI startup or the history clear command is displayed. Report a bug 3.5.3. Clear the Management CLI Command history Prerequisites Section 3.3.2, Launch the Management CLI Procedure 3.25. T ask Run the history --clear command From the Management CLI, enter the history --clear command:
[standalone@localhost:9999 /] history --clear
Result T he history of commands recorded since the CLI startup is cleared from the session memory. T he command history is still present in the .jboss-cli-history file saved to the user's home directory. Report a bug 3.5.4 . Disable the Management CLI Command history Prerequisites Section 3.3.2, Launch the Management CLI Procedure 3.26. T ask
64
Run the history --disable command From the Management CLI, enter the history --disable command:
[standalone@localhost:9999 /] history --disable
Result Commands made in the CLI will not be recorded either in memory or in the .jboss-cli-history file saved to the user's home directory. Report a bug 3.5.5. Enable the Management CLI Command history Prerequisites Section 3.3.2, Launch the Management CLI Procedure 3.27. T ask Run the history --enable command From the Management CLI, enter the history --enable command:
[standalone@localhost:9999 /] history --enable
Result Commands made in the CLI are recorded in memory and in the .jboss-cli-history file saved to the user's home directory. Report a bug
65
Note
HT T P communication with JBoss Enterprise Application Platform 6 is considered to be remote access, even if the traffic originates on the localhost. T herefore, you must create at least one user in order to be able to use the management console. If you attempt to access the management console before adding a user, you will receive an error because it does not even deploy until the user is added.
Procedure 4 .1. T ask 1. Invoke the add-user.sh or add-user.bat script. Change to the EAP_HOME/bin/ directory. Invoke the appropriate script for your operating system. Red Hat Enterprise Linux
[user@host bin]$ ./add-user.sh
2. Choose to add a Management user. Select option a to add a Management user. T his user is added to the Managem entRealm and is authorized to perform management operations using the web-based Management Console or command-line based Management CLI. T he other choice, b , adds a user to the ApplicationRealm , and provides no particular permissions. T hat realm is provided for use with applications. 3. Choose the realm for the user. T he next prompt refers to the realm where the user will be added. For a user with permissions to manage JBoss Enterprise Application Platform 6, choose the default, which is Managem entRealm . 4. Enter the desired username and password. When prompted, enter the security realm, username and password. Pressing ENT ER selects the default realm of Managem entRealm , which allows the user to administer JBoss Enterprise Application Platform 6 using the management interfaces. You must add at least one user to this realm. You are prompted to confirm the information. If you are satisfied, type yes . 5. Choose whether the user represents a remote JBoss Enterprise Application Platform 6 server instance. Besides administrators, the other type of user which occasionally needs to be added to JBoss Enterprise Application Platform 6 in the Managem entRealm is a user representing another instance of JBoss Enterprise Application Platform 6, which needs to be able to authenticate to join a cluster as a member. T he next prompt allows you to designate your added user for this purpose. If you select yes, you will be given a hashed secret value, representing the user's
66
6. Enter additional users. You can enter additional users if desired, by repeating the procedure. You can also add them at any time on a running system. Instead of choosing the default security realm, you can add users to other realms to fine-tune their authorizations. 7. Create users non-interactively. You can create users non-interactively, by passing in each parameter at the command line. T his approach is not recommended on shared systems, because the passwords will be visible in log and history files. T he syntax for the command, using the management realm, is:
[user@host bin]$ ./add-user.sh username password
Result Any users you add are activated within the security realms you have specified. Users active within the Managem entRealm realm are able to manage JBoss Enterprise Application Platform 6 from remote systems. Report a bug 4 .1.2. Add a User to the Management Interface Use the same procedure outlined in Section 4.1.1, Add the Initial User for the Management Interfaces. Report a bug
67
In the following example a global interface group uses the any-address element to declare a wildcard address.
T he following example declares a network interface card under a relative group with the name external .
68
In the following example a declaration is created as the default group for a specific requirement. In this instance, the characteristics of the additional elements set the condition for the interface to be a valid match. T his allows for the creation of very specific interface declaration groups, with the ability to reference them in a preset manner, reducing the configuration and administration time across multiple server instances.
While the interface declarations can be made and edited in the source configuration files, the Management CLI and Management Console provide a safe, controlled and persistent environment for configuration changes. Report a bug 5.1.2. Configure Interfaces T he default interface configurations in the standalone.xm l and host.xm l configuration files offer three named interfaces with relative interface tokens for each. You can use the Management Console or Management CLI to configure additional attributes and values, as listed in the table below. You can also replace the relative interface bindings with specific values as required. Note that if you do so, you will be unable to pass an interface value at server runtime, as the -b switch can only override a relative value.
69
loopback loopback-address
site-local-address
Configure Interface Attributes Choose either the Management CLI or the Management Console to configure your interface attributes as required. A. Configure Interface Attributes with the Management CLI Use the Management CLI to add new interfaces and write new values to the interface attributes. 1. Add a New Interface Use the add operation to create a new interface if required. You can run this command from the root of the Management CLI session, which in the following example creates a new interface name title interfacename, with an inet-address declared as 12.0.0.2.
/interface=interfacename/:add(inet-address=12.0.0.2)
70
3. Edit Interface Attributes Confirm the values are changed by running the read-resource operation with the include-runtim e=true parameter to expose all current values active in the server model.
[standalone@localhost:9999 interface=public] :read-resource(includeruntime=true)
B. Configure Interface Attributes with the Management Console Use the Management Console to add new interfaces and write new values to the interface attributes. 1. Log into the Management Console. Log into the Management Console of your Managed Domain or Standalone Server instance. 2. If you use a Managed Domain, choose the correct profile. Select the Profiles tab at the top right, and then select the correct profile from the Profile menu at the top left of the next screen. 3. Select the Interfaces item from the navigation menu. Select the Interfaces menu item from the navigation menu. 4. Add a New Interface a. Click the Add button. b. Enter any required values for Nam e , Inet Address and Address Wildcard . c. Click the Save to finish. 5. Edit Interface Attributes a. Select the Interface to edit and click the Edit button. b. Enter any required values for Nam e , Inet Address and Address Wildcard . c. Click the Save to finish. Report a bug
71
Example 5.6. Default socket bindings for the standalone configuration T he default socket binding groups in the standalone.xm l configuration file are grouped under standard-sockets. T his group is also referenced to the public interface, using the same logical referencing methodology.
<socket-binding-group name="standard-sockets" default-interface="public"> <socket-binding name="http" port="8080"/> <socket-binding name="https" port="8443"/> <socket-binding name="jacorb" port="3528"/> <socket-binding name="jacorb-ssl" port="3529"/> <socket-binding name="jmx-connector-registry" port="1090" interface="management"/> <socket-binding name="jmx-connector-server" port="1091" interface="management"/> <socket-binding name="jndi" port="1099"/> <socket-binding name="messaging" port="5445"/> <socket-binding name="messaging-throughput" port="5455"/> <socket-binding name="osgi-http" port="8090" interface="management"/> <socket-binding name="remoting" port="4447"/> <socket-binding name="txn-recovery-environment" port="4712"/> <socket-binding name="txn-status-manager" port="4713"/> </socket-binding-group>
72
Example 5.7. Default socket bindings for the domain configuration T he default socket binding groups in the dom ain.xm l configuration file contain four groups: the standard-sockets, ha-sockets, full-sockets and the full-ha-sockets groups. T hese groups are also referenced to an interface called public .
73
74
T he socket binding instances can be created and edited in the standalone.xm l and dom ain.xm l source files in the application server directory. T he recommended method of managing bindings is to use either the Management Console or the Management CLI. T he advantages of using the Management Console include a graphical user interface with a dedicated Socket Binding Group screen under the General Configuration section. T he Management CLI offers an API and workflow based around a command line approach that allows for batch processing and the use of scripts across the higher and lower levels of the application server configuration. Both interfaces allow for changes to be persisted or otherwise saved to the server configuration. Report a bug 5.2.2. Configure Socket Bindings Socket bindings can be defined in unique socket binding groups. T he Standalone Server contains one such group, the standard-sockets group, and is unable to create any further groups. Instead you can create alternate Standalone Server configuration files. For the Managed Domain however, you can create multiple socket binding groups and configure the socket bindings that they contain as you require. T he following table shows the available attributes for each socket binding. T able 5.2. Socket Binding Attributes Component Name Description Logical name of the socket configuration that should be used elsewhere in the configuration. Base port to which a socket based on this configuration should be bound. Note that servers can be configured to override this base value by applying an increment or decrement to all port values. Logical name of the interface to which a socket based on this configuration should be bound. If not defined, the value of the "default-interface" attribute from the enclosing socket binding group will be used. If the socket will be used for multicast, the multicast address to use. Bound to the lifecycle of the conversation. T he conversation scope is between the lengths of the request and the session, and is controlled by the application. If the above contexts do not meet your needs, you can define custom scopes. Role Required
Port
Required
Interface
Optional
Multicast Address
Optional
Multicast Port
Optional
Fixed Port
Optional
Configure Socket Bindings in Socket Binding Groups Choose either the Management CLI or the Management Console to configure your socket bindings as required. A. Configure Socket Bindings Using the Management CLI
75
2. Edit Pattern Attributes Use the write operation to write a new value to an attribute. You can use tab completion to help complete the command string as you type, as well as to expose the available attributes. T he following example updates the port value to 2020
[domain@localhost:9999 /] /socket-binding-group=standard-sockets/socketbinding=newsocket/:write-attribute(name=port,value=2020)
3. Confirm Pattern Attributes Confirm the values are changed by running the read-resource operation with the include-runtim e=true parameter to expose all current values active in the server model.
[domain@localhost:9999 /] /socket-binding-group=standard-sockets/socketbinding=newsocket/:read-resource
B. Configure Socket Bindings Using the Management Console Use the Management Console to configure socket bindings. 1. Log into the Management Console. Log into the Management Console of your Managed Domain or Standalone Server. 2. Select the Profile tab Select the Profiles tab at the top right. 3. Select the Socket Binding item from the navigation menu. Select the Socket Binding menu item from the navigation menu. If you are using a Managed Domain, select the desired group in the Socket Binding Groups menu. 4. Add a New Socket Binding a. Click the Add button. b. Enter any required values for Nam e , Port and Binding Group . c. Click the Save to finish. 5. Edit Interface Attributes a. Select the Socket Binding to edit and click the Edit button. b. Enter any required values such as Nam e , Interface or Port. c. Click the Save to finish. Report a bug 5.2.3. Network Ports Used By JBoss Enterprise Application Platform 6 T he ports used by the JBoss Enterprise Application Platform 6 default configuration depend on several factors: Whether you use a Managed Domain or Standalone Server configuration. Whether your server groups use one of the default socket binding groups, or a custom group. T he requirements of your individual deployments.
76
Unless otherwise stated, the ports use the T CP protocol. T he default socket binding groups full-ha-sockets full-sockets ha-sockets standard-sockets
77
ajp
8009
Apache JServ Protocol. Used for HT T P clustering and load balancing. T he default port for deployed web applications. SSL-encrypted connection between deployed web applications and clients. CORBA services for JT S transactions and other ORBdependent services. SSL-encrypted CORBA services. 7500 Multicast. Used for peer discovery in HA clusters. Multicast. Used to discover initial membership in a HA cluster. Unicast peer discovery in HA clusters using T CP. Used for HA failure detection over T CP. 45688 Unicast peer discovery in HA clusters using UDP. Used for HA failure detection over UDP. JMS service. Referenced by HornetQ JMS broadcast and discovery groups.
http
8080
Yes
Yes
Yes
Yes
https
8443
Yes
Yes
Yes
Yes
jacorb
3528
Yes
Yes
No
No
jacorb -ssl jgroup sdiagno stics jgroup sm ping jgroup s-tcp jgroup s-tcpfd jgroup s-udp jgroup s-udpfd m essag ing m essag inggroup m essag ingthroug hput m od_cl uster
3529
Yes Yes
Yes No
No Yes
No No
45700
Yes
No
Yes
No
7600
Yes
No
Yes
No
57600
Yes
No
Yes
No
55200
Yes
No
Yes
No
54200
Yes
No
Yes
No
5445
Yes Yes
Yes Yes
No No
No No
5455
Yes
Yes
No
No
23364
Multicast port for communication between the JBoss Enterprise Application Platform and the HT T P load balancer. Used by internal components which use the OSGi subsystem. Used for remote EJB
Yes
No
Yes
No
osgihttp
8090
Yes
Yes
Yes
Yes
rem oti
4447
Yes
Yes
Yes
Yes
78
ng
4713
T he JT A / JT S transation manager.
Yes
Yes
Yes
Yes
Management Ports In addition to the socket binding groups, each host controller opens two more ports for management purposes: 9990 - T he Web Management Console port 9999 - T he port used by the Management Console and Management API Report a bug 5.2.4 . About Port Offsets for Socket Binding Groups Port offsets are a numeric offset added to the port values given by the socket binding group for that server. T his allows a single server to inherit the socket bindings of the server group that is belongs, with an offset to ensure that it does not clash with the other servers in the group. For instance, if the HT T P port of the socket binding group is 8080, and your server uses a port offset of 100, its HT T P port is 8180. Report a bug 5.2.5. Configure Port Offsets Configure Port Offsets Choose either the Management CLI or the Management Console to configure your port offsets. A. Configure Port Offsets Using the Management CLI Use the Management CLI to configure port offsets. 1. Edit Port Offsets Use the write operation to write a new value to the port offset atttribute. T he following example updates the socket-binding-port-offset value of server-two to 250. T his server is a member of the default local host group.
[domain@localhost:9999 /] /host=master/server-config=server-two/:writeattribute(name=socket-binding-port-offset,value=250)
2. Confirm Port Offset Attributes Confirm the values are changed by running the read-resource operation with the include-runtim e=true parameter to expose all current values active in the server model.
[domain@localhost:9999 /] /host=master/server-config=server-two/:readresource(include-runtime=true)
B. Configure Port Offsets Using the Management Console Use the Management Console to configure port offsets. 1. Log into the Management Console. Log into the Management Console of your Managed Domain. 2. Select the Server tab Select the Server tab at the top right. 3. Edit Port Offset Attributes a. Select the server under the Configuration Nam e section and click the Edit button. b. Enter any desired values in the Port Offset field. c. Click the Save button to finish.
79
Report a bug
5.3. IPv6
5.3.1. Configure JVM Stack Preferences for IPv6 Networking T ask Summary T his topic covers enabling IPv6 networking for the JBoss Enterprise Application Platform 6 installation.
Procedure 5.1. T ask 1. Open the relevant file for the installation: A. For a Standalone Server: Open EAP_HOME/bin/standalone.conf . B. For a Managed Domain: Open EAP_HOME/bin/dom ain.conf . 2. Change the IPv4 Stack Java property to false:
-Djava.net.preferIPv4Stack=false
For example:
# Specify options to pass to the Java VM. # if [ "x$JAVA_OPTS" = "x" ]; then JAVA_OPTS="-Xms64m -Xmx512m -XX:MaxPermSize=256m Djava.net.preferIPv4Stack=false -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 Djava.net.preferIPv6Addresses=true" fi
Report a bug 5.3.2. Configure the Interface Declarations for IPv6 Networking T ask Summary Follow these steps to configure the interface inet address to the IPv6 default: Prerequisites Section 2.6.1, Start JBoss Enterprise Application Platform 6 Section 3.2.2, Log in to the Management Console Procedure 5.2. T ask 1. Select the Profile tab, in the top right corner of the console. 2. Select the Interfaces option under General Configuration . 3. Select the named network interface to configure. 4. Click the Edit button. 5. Set the inet address to:
${jboss.bind.address.management:[ADDRESS]}
6. Click the Save button to save the changes. 7. Restart the server to implement the changes. Report a bug 5.3.3. Configure JVM Stack Preferences for IPv6 Addresses T ask Summary
80
Procedure 5.3. T ask 1. Open the relevant file for the installation: A. For a Standalone Server: Open EAP_HOME/bin/standalone.conf . B. For a Managed Domain: Open EAP_HOME/bin/dom ain.conf . 2. Append the following Java property to the Java VM options:
-Djava.net.preferIPv6Addresses=true
For example:
# Specify options to pass to the Java VM. # if [ "x$JAVA_OPTS" = "x" ]; then JAVA_OPTS="-Xms64m -Xmx512m -XX:MaxPermSize=256m Djava.net.preferIPv4Stack=false -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 Djava.net.preferIPv6Addresses=true" fi
Report a bug
81
Warning
However, it should not be used in a production environment. It is a very small, self-contained datasource that supports all of the standards needed for testing and building applications, but is not robust or scalable enough for production use. For a list of supported and certified datasources, refer here: Section 6.1.2, JBoss Enterprise Application Platform 6 Supported Databases. Report a bug 6.1.5. Deployment of -ds.xml files In JBoss Enterprise Application Platform 6, datasources are defined as a resource of the server subsystem. In previous versions, a * -ds.xm l datasource configuration file was required in the deployment directory of the server configuration. * -ds.xm l files can still be deployed in JBoss Enterprise Application Platform 6, following the schema available here: http://docs.jboss.org/ironjacamar/schema/datasources_1_1.xsd.
82
Warning
T his feature should only be used for development. It is not recommended for production environments, because it is not supported by the JBoss administrative and management tools.
Important
It is mandatory to use a reference to an already deployed / defined <driver> entry when deploying * -ds.xm l files.
Report a bug
Note
T he preferred installation method for JDBC drivers is to install them as a core module. T o install the JDBC driver as a core module, refer here: Section 6.2.2, Install a JDBC Driver as a Core Module.
Prerequisites Before performing this task, you need to meet the following prerequisites: Download the JDBC driver from your database vendor. Procedure 6.1. T ask 1. Access the Management Console. Section 3.2.2, Log in to the Management Console 2. Deploy the JAR file to your server or server group. If you use a managed domain, deploy the JAR file to a server group. Otherwise, deploy it to your server. See Section 8.2.2, Deploy an Application Using the Management Console. Result: T he JDBC driver is deployed, and is available for your applications to use. Report a bug 6.2.2. Install a JDBC Driver as a Core Module Prerequisites Before performing this task, you need to meet the following prerequisites: Download the JDBC driver from your database vendor. JDBC driver download locations are listed here: Section 6.2.3, JDBC Driver Download Locations. Extract the archive. Procedure 6.2. T ask
83
T he module name, com .m ysql , should match the directory structure for the module. 4. Start the Server. 5. Start the Management CLI. 6. Run the following CLI command to add the JDBC driver module as a driver:
/subsystem=datasources/jdbc-driver=DRIVER_NAME:add(drivername=DRIVER_NAME,driver-module-name=MODULE_NAME,driver-xa-datasource-classname=XA_DATASOURCE_CLASS_NAME)
Result T he JDBC driver is now installed and set up as a core module, and is available to be referenced by application datasources. Report a bug 6.2.3. JDBC Driver Download Locations T he following table gives the standard download locations for JDBC drivers of common databases used with the JBoss Enterprise Application Platform. T hese links point to third-party websites which are not controlled or actively monitored by Red Hat. For the most up-to-date drivers for your database, check your database vendor's documentation and website. T able 6.1. JDBC driver download locations Vendor MySQL PostgreSQL Oracle IBM Sybase Microsoft Download Location http://www.mysql.com/products/connector/ http://jdbc.postgresql.org/ http://www.oracle.com/technology/software/tech/ja va/sqlj_jdbc/index.html http://www-306.ibm.com/software/data/db2/java/ http://www.sybase.com/products/allproductsaz/softwaredeveloperkit/jconnect http://msdn.microsoft.com/data/jdbc/
84
Summary T his topic covers the steps required to use the JDBC specific classes. T his is necessary when an application needs to use vendor specific functionality that is not part of the JDBC API.
Warning
T his is advanced usage. Only applications that need functionality not found in the JDBC API should implement this procedure.
Important
T his process is required when using the reauthentication mechanism, and accessing vendor specific classes.
Important
Follow the vendor specific API guidelines closely, as the connection is being controlled by the IronJacamar container.
Prerequisites Section 6.2.2, Install a JDBC Driver as a Core Module. Procedure 6.3. Add a Dependency to the Application A. Configure the MANIFEST .MF file 1. Open the application's MET A-INF/MANIFEST .MF file in a text editor. 2. Add a dependency for the JDBC module and save the file.
Dependencies: MODULE_NAME
B.
1. Create a jboss-deploym ent-structure.xm l file Create a file called jboss-deploym ent-structure.xm l in the MET A-INF/ or WEBINF folder of the application. Example 6.4 . Example jboss-deploym ent-structure.xm l file
<jboss-deployment-structure> <deployment> <dependencies> <module name="com.mysql" /> </dependencies> </deployment> </jboss-deployment-structure>
85
Example 6.5. Access the Vendor Specific API T he example below accesses the MySQL API.
import java.sql.Connection; import org.jboss.jca.adapters.jdbc.WrappedConnection; Connection c = ds.getConnection(); WrappedConnection wc = (WrappedConnection)c; com.mysql.jdbc.Connection mc = wc.getUnderlyingConnection();
Report a bug
Oracle Datasources
Prior to version 10.2 of the Oracle datasource, the <no-tx-separate-pools/> parameter was required, as mixing non-transactional and transactional connections would result in an error. T his parameter may no longer be required for certain applications.
Procedure 6.4 . T ask A. Management CLI 1. Launch the CLI tool and connect to your server. 2. Run the following command to create a non-XA datasource, configuring the variables as appropriate:
data-source add --name=DATASOURCE_NAME --jndi-name=JNDI_NAME --drivername=DRIVER_NAME --connection-url=CONNECTION_URL
B. Management Console 1. Login to the Management Console. 2. Navigate to the Datasources panel in the Management Console a. A. Standalone Mode Select the Profile tab from the top-right of the console. B. Domain Mode a. Select the Profiles tab from the top-right of the console. b. Select the appropriate profile from the drop-down box in the top left. c. Expand the Subsystems menu on the left of the console. b. Select Connector Datasources from the menu on the left of the console.
86
Figure 6.1. Datasources panel 3. Create a new datasource a. Select the Add button at the top of the Datasources panel. b. Enter the new datasource attributes in the Create Datasource wizard and proceed with the Next button. c. Enter the JDBC driver details in the Create Datasource wizard and proceed with the Next button. d. Enter the connection settings in the Create Datasource wizard and select the Done button. Result T he non-XA datasource has been added to the server. It is now visible in either the standalone.xm l or dom ain.xm l file, as well as the management interfaces. Report a bug 6.3.2. Modify a Non-XA Datasource with the Management Interfaces T ask Summary T his topic covers the steps required to modify a non-XA datasource, using either the Management Console or the Management CLI. Prerequisites Section 2.6.1, Start JBoss Enterprise Application Platform 6.
JTA Integration
Non-XA datasources can be integrated with JT A transactions. T o integrate the datasource with JT A, ensure that the jta parameter is set to true .
Procedure 6.5. T ask A. Management CLI 1. Section 3.3.2, Launch the Management CLI. 2. Use the write-attribute command to configure a datasource attribute:
/subsystem=datasources/data-source=DATASOURCE_NAME:writeattribute(name=ATTRIBUTE_NAME,value=ATTRIBUTE_VALUE)
87
B. Management Console 1. Section 3.2.2, Log in to the Management Console. 2. Navigate to the Datasources panel in the Management Console a. A. Standalone Mode Select the Profile tab from the top-right of the console. B. Domain Mode a. Select the Profiles tab from the top-right of the console. b. Select the appropriate profile from the drop-down box in the top left. c. Expand the Subsystems menu on the left of the console. b. Select Connector Datasources from the menu on the left of the console.
Figure 6.2. Datasources panel 3. Edit the datasource a. Select the relevant datasource from the Available Datasources list. T he datasource attributes are displayed in the Attributes panel below it. b. Select the Edit button to edit the datasource attributes. c. Edit the datasource attributes and select the Save button when done. Result T he non-XA datasource has been configured. T he changes are now visible in either the standalone.xm l or dom ain.xm l file, as well as the management interfaces. T o create a new datasource, refer here: Section 6.3.1, Create a Non-XA Datasource with the Management Interfaces. T o remove the datasource, refer here: Section 6.3.3, Remove a Non-XA Datasource with the Management Interfaces. Report a bug 6.3.3. Remove a Non-XA Datasource with the Management Interfaces T ask Summary T his topic covers the steps required to remove a non-XA datasource from JBoss Enterprise Application Platform 6, using either the Management Console or the Management CLI.
88
Prerequisites Section 2.6.1, Start JBoss Enterprise Application Platform 6. Procedure 6.6. T ask A. Management CLI 1. Section 3.3.2, Launch the Management CLI. 2. Run the following command to remove a non-XA datasource:
data-source remove --name=DATASOURCE_NAME
B. Management Console 1. Section 3.2.2, Log in to the Management Console. 2. Navigate to the Datasources panel in the Management Console a. A. Standalone Mode Select the Profile tab from the top-right of the console. B. Domain Mode a. Select the Profiles tab from the top-right of the console. b. Select the appropriate profile from the drop-down box in the top left. c. Expand the Subsystems menu on the left of the console. b. Select Connector Datasources from the menu on the left of the console.
Figure 6.3. Datasources panel 3. Select the registered datasource to be deleted, and click the Rem ove button in the top right corner of the console. Result T he non-XA datasource has been removed from the server. T o add a new datasource, refer here: Section 6.3.1, Create a Non-XA Datasource with the Management Interfaces. Report a bug
6.4. XA Datasources
6.4 .1. Create an XA Datasource with the Management Interfaces T ask Summary
89
Oracle Datasources
Prior to version 10.2 of the Oracle datasource, the <no-tx-separate-pools/> parameter was required, as mixing non-transactional and transactional connections would result in an error. T his parameter may no longer be required for certain applications.
Procedure 6.7. T ask A. Management CLI 1. Section 3.3.2, Launch the Management CLI. 2. Run the following command to create an XA datasource, configuring the variables as appropriate:
xa-data-source add --name=XA_DATASOURCE_NAME --jndi-name=JNDI_NAME -driver-name=DRIVER_NAME --xa-datasource-class=XA_DATASOURCE_CLASS
3. Configure the XA datasource properties a. Set the server name Run the following command to configure the server name for the host:
/subsystem=datasources/xa-data-source=XA_DATASOURCE_NAME/xadatasource-properties=ServerName:add(value=HOSTNAME)
b. Set the database name Run the following command to configure the database name:
/subsystem=datasources/xa-data-source=XA_DATASOURCE_NAME/xadatasource-properties=DatabaseName:add(value=DATABASE_NAME)
B. Management Console 1. Section 3.2.2, Log in to the Management Console. 2. Navigate to the Datasources panel in the Management Console a. A. Standalone Mode Select the Profile tab from the top-right of the console. B. Domain Mode a. Select the Profiles tab from the top-right of the console. b. Select the appropriate profile from the drop-down box in the top left. c. Expand the Subsystems menu on the left of the console. b. Select Connector Datasources from the menu on the left of the console.
90
Figure 6.4 . Datasources panel 3. Select the XA Datasource panel. 4. Create a new XA datasource a. Select the Add button at the top of the XA Datasources panel. b. Enter the new XA datasource attributes in the Create XA Datasource wizard and proceed with the Next button. c. Enter the JDBC driver details in the Create XA Datasource wizard and proceed with the Next button. d. Edit the XA properties and proceed with the Next button. e. Enter the connection settings in the Create XA Datasource wizard and select the Done button. Result T he XA datasource has been added to the server. It is now visible in either the standalone.xm l or dom ain.xm l file, as well as the management interfaces. T o configure the datasource further, refer here: Section 6.4.2, Modify an XA Datasource with the Management Interfaces. T o remove the datasource, refer here: Section 6.4.3, Remove an XA Datasource with the Management Interfaces. Report a bug 6.4 .2. Modify an XA Datasource with the Management Interfaces T ask Summary T his topic covers the steps required to modify an XA datasource, using either the Management Console or the Management CLI. Prerequisites Section 2.6.1, Start JBoss Enterprise Application Platform 6. Procedure 6.8. T ask A. Management CLI 1. Section 3.3.2, Launch the Management CLI. 2. Configure XA datasource attributes Use the write-attribute command to configure a datasource attribute:
91
3. Configure XA datasource properties Run the following command to configure an XA datasource subresource:
/subsystem=datasources/xa-data-source=DATASOURCE_NAME/xa-datasourceproperties=PROPERTY_NAME:add(value=PROPERTY_VALUE)
B. Management Console 1. Section 3.2.2, Log in to the Management Console. 2. Navigate to the Datasources panel in the Management Console a. A. Standalone Mode Select the Profile tab from the top-right of the console. B. Domain Mode a. Select the Profiles tab from the top-right of the console. b. Select the appropriate profile from the drop-down box in the top left. c. Expand the Subsystems menu on the left of the console. b. Select Connector Datasources from the menu on the left of the console.
Figure 6.5. Datasources panel 3. Select the XA Datasource panel. 4. Edit the datasource a. Select the relevant XA datasource from the Available XA Datasources list. T he XA datasource attributes are displayed in the Attributes panel below it. b. Select the Edit button to edit the datasource attributes. c. Edit the XA datasource attributes and select the Save button when done. Result T he XA datasource has been configured. T he changes are now visible in either the standalone.xm l or dom ain.xm l file, as well as the management interfaces. T o create a new datasource, refer here: Section 6.4.1, Create an XA Datasource with the Management Interfaces. T o remove the datasource, refer here: Section 6.4.3, Remove an XA Datasource with the Management Interfaces.
92
Report a bug 6.4 .3. Remove an XA Datasource with the Management Interfaces T ask Summary T his topic covers the steps required to remove an XA datasource from JBoss Enterprise Application Platform 6, using either the Management Console or the Management CLI. Prerequisites Section 2.6.1, Start JBoss Enterprise Application Platform 6. Procedure 6.9. T ask A. Management CLI 1. Section 3.3.2, Launch the Management CLI. 2. Run the following command to remove an XA datasource:
xa-data-source remove --name=XA_DATASOURCE_NAME
B. Management Console 1. Section 3.2.2, Log in to the Management Console. 2. Navigate to the Datasources panel in the Management Console a. A. Standalone Mode Select the Profile tab from the top-right of the console. B. Domain Mode a. Select the Profiles tab from the top-right of the console. b. Select the appropriate profile from the drop-down box in the top left. c. Expand the Subsystems menu on the left of the console. b. Select Connector Datasources from the menu on the left of the console.
Figure 6.6. Datasources panel 3. Select the XA Datasource panel. 4. Select the registered XA datasource to be deleted, and click the Rem ove button in the top right corner of the console. Result T he XA datasource has been removed from the server. T o add a new XA datasource, refer here: Section 6.4.1, Create an XA Datasource with the Management Interfaces.
93
Report a bug 6.4 .4 . XA Recovery 6.4 .4 .1. About XA Recovery Modules Each XA resource needs a recovery module associated with its configuration. T he recovery module must extend class com .arjuna.ats.jta.recovery.XAResourceRecovery. JBoss Enterprise Application Platform provides recovery modules for JDBC and JMS XA resources. For these types of resources, recovery modules are automatically registered. If you need to use a custom module, you can register it in your datasource. Report a bug 6.4 .4 .2. Configure XA Recovery Modules For most JDBC and JMS resources, the recovery module is automatically associated with the resource. In these cases, you only need to configure the options that allow the recovery module to connect to your resource to perform recovery. For custom resources which are not JDBC or JMS, contact Red Hat Global Support Services for information on supported configurations. Each of these configuration attributes can be set either during datasource creation, or afterward. You can set them using either the web-based Management Console or the command-line Management CLI. Refer to Section 6.4.1, Create an XA Datasource with the Management Interfaces and Section 6.4.2, Modify an XA Datasource with the Management Interfaces for general information on configuring XA datasources. Refer to the following tables for general datasource configuration attributes, and for information about configuration details relating to specific database vendors. T able 6.2. General Configuration Attributes Attribute recovery-username Description T he username the recovery module should use to connect to the resource for recovery. T he password the recovery module should use to connect to the resource for recovery. T he security domain the recovery module should use to connect to the resource for recovery. If you need to use a custom recovery module, set this attribute to the fully-qualified class name of the module. T he module should extend class com .arjuna.ats.jta.reco very.XAResourceRecovery. If you use a custom recovery module which requires properties to be set, set this attribute to the list of commaseparated key=value pairs for the properties.
recovery-password
recovery-security-domain
recovery-plugin-class-name
recovery-plugin-properties
Vendor-Specific Configuration Information Oracle If the Oracle datasource is configured incorrectly, you may see errors like the following in your log output:
94
T o resolve this error, ensure that the Oracle user configured in recovery-username has access to the tables needed for recovery. T he following SQL statement shows the correct grants for Oracle 11g or Oracle 10g R2 instances patched for Oracle bug 5945463.
GRANT GRANT GRANT GRANT SELECT ON sys.dba_pending_transactions TO recovery-username; SELECT ON sys.pending_trans$ TO recovery-username; SELECT ON sys.dba_2pc_pending TO recovery-username; EXECUTE ON sys.dbms_xa TO recovery-username;
If you use an Oracle 11 version prior to 11g, change the final EXECUT E statement to the following:
GRANT EXECUTE ON sys.dbms_system TO recovery-username;
PostgreSQL See the PostgreSQL documentation for instructions on enabling prepared (i.e. XA) transactions. Version 8.4-701 of PostgreSQL's JDBC driver has a bug in org.postgresql.xa.PGXAConnection which breaks recovery in certain situations. T his is fixed in newer versions. MySQL Based on http://bugs.mysql.com/bug.php?id=12161, XA transaction recovery did not work in some versions of MySQL 5. T his is addressed in MySQL 6.1. Refer to the bug URL or to the MySQL documentation for more information. IBM DB2 IBM DB2 expects method XAResource.recover to be called only during the designated resynchronization stage which occurs when the application server is restarted after a crash or failure. T his is a design decision in the DB2 implementation, and out of the scope of this documentation.
Report a bug
95
Report a bug
security
validation
timeout
statement
96
T able 6.4 . Non-XA datasource parameters Parameter jta connection-url driver-class connection-property Description Enable JT A integration for non-XA datasources. Does not apply to XA datasources. T he JDBC driver connection URL. T he fully-qualified name of the JDBC driver class. Arbitrary connection properties passed to the method Driver.connect(url,props). Each connection-property specifies a string name/value pair. T he property name comes from the name, and the value comes from the element content. Contains child elements which are pooling settings. Refer to T able 6.6, Pool parameters common to non-XA and XA datasources.
pool
T able 6.5. XA datasource parameters Parameter xa-datasource-property Description A property to assign to implementation class XADataSource . Specified by name= value. If a setter method exists, in the format setName, the property is set by calling a setter method in the format of setName(value). T he fully-qualified name of the implementation class javax.sql.XADataSource . A unique reference to the classloader module which contains the JDBC driver. T he accepted format is driverName#majorVersion.minorVersion. Contains child elements which are pooling settings. Refer to T able 6.6, Pool parameters common to non-XA and XA datasources and T able 6.7, XA pool parameters. Contains child elements which are recovery settings. Refer to T able 6.12, Recovery parameters.
xa-datasource-class driver
xa-pool
recovery
T able 6.6. Pool parameters common to non-XA and XA datasources Parameter min-pool-size max-pool-size prefill Description T he minimum number of connections a pool holds. T he maximum number of connections a pool can hold. Whether to try to prefill the connection pool. An empty element denotes a true value. T he default is false . Whether the pool-size is strict. Defaults to false . Whether the pool should be flushed in the case of an error. Valid values are: FailingConnectionOnly IdleConnections EntirePool T he default is FailingConnectionOnly. allow-multiple-users Specifies if multiple users will access the datasource through the getConnection(user, password) method, and whether the internal pool type should account for this behavior.
use-strict-min flush-strategy
97
interleaving no-tx-separate-pools
pad-xid wrap-xa-resource
T able 6.8. Security parameters Parameter user-name password security-domain Description T he username to use to create a new connection. T he password to use to create a new connection. Contains the name of a JAAS security-manager which handles authentication. T his name correlates to the application-policy/name attribute of the JAAS login configuration. Defines a reauthentication plugin to use to reauthenticate physical connections.
reauth-plugin
98
T able 6.9. Validation parameters Parameter valid-connection-checker Description An implementation of interface org.jboss.jca.adaptors.jdbc.ValidCon nectionChecker which provides a SQLException.isValidConnection(Conne ction e) method to validate a connection. An exception means the connection is destroyed. T his overrides the parameter check-validconnection-sql if it is present. An SQL statement to check validity of a pool connection. T his may be called when a managed connection is taken from a pool for use. Indicates whether connection level validation is performed when a connection factory attempts to match a managed connection for a given set. Mutually exclusive to background validation . Specifies that connections are validated on a background thread, rather than being validated prior to use. Mutually exclusive to validateon-m atch . T he amount of time, in milliseconds, that background validation runs. If true, fail a connection allocation on the first attempt, if the connection is invalid. Defaults to false . An instance of org.jboss.jca.adapters.jdbc.StaleCon nectionChecker which provides a Boolean isStaleConnection(SQLException e) method. If this method returns true , the exception is wrapped in an org.jboss.jca.adapters.jdbc.StaleCon nectionException , which is a subclass of SQLException . An instance of org.jboss.jca.adapters.jdbc.Exceptio nSorter which provides a Boolean isExceptionFatal(SQLException e) method. T his method validates whether an exception should be broadcast to all instances of javax.resource.spi.ConnectionEventLi stener as a connectionErrorOccurred message.
check-valid-connection-sql
validate-on-match
background-validation
background-validation-millis use-fast-fail
stale-connection-checker
exception-sorter
99
idle-timeout-minutes
set-tx-query-timeout
query-timeout allocation-retry
allocation-retry-wait-millis
xa-resource-timeout
T able 6.11. Statement parameters Parameter track-statements Description Whether to check for unclosed statements when a connection is returned to a pool and a statement is returned to the prepared statement cache. If false, statements are not tracked. Valid values true : statements and result sets are tracked, and a warning is issued if they are not closed. false : neither statements or result sets are tracked. nowarn : statements are tracked but no warning is issued. T his is the default. prepared-statement-cache-size T he number of prepared statements per connection, in a Least Recently Used (LRU) cache. Whether asking for the same statement twice without closing it uses the same underlying prepared statement. T he default is false .
share-prepared-statements
T able 6.12. Recovery parameters Parameter recover-credential recover-plugin Description A username/password pair or security domain to use for recovery. An implementation of class org.jboss.jca.core.spi.recoveryRecov eryPlugin class, to be used for recovery.
Report a bug
100
Report a bug 6.6.2. Datasource Connection URLs T able 6.13. Datasource PostgreSQL MySQL Oracle IBM DB2 Microsoft SQLServer Connection URL jdbc:postgresql://SERVER_NAME:PORT/DATABASE_N AME jdbc:mysql://SERVER_NAME:PORT/DATABASE_NAME jdbc:oracle:thin:@ORACLE_HOST:PORT:ORACLE_SID jdbc:db2://SERVER_NAME:PORT/DATABASE_NAME jdbc:microsoft:sqlserver://SERVER_NAME:PORT;Data baseName= DATABASE_NAME
Report a bug 6.6.3. Datasource Extensions Datasource deployments can use several extensions in the JDBC resource adapter to improve the connection validation, and check whether an exception should reestablish the connection. T hose extensions are: T able 6.14 . Datasource Extensions Datasource Extension org.jboss.jca.adapters.jdbc.spi.E xceptionSorter Configuration Parameter <exception-sorter> Description Checks whether an SQLException is fatal for the connection on which it was thrown Wraps stale SQLExceptions in a org.jboss.jca.adapters. jdbc.StaleConnectionExc eption Checks whether a connection is valid for use by the application
org.jboss.jca.adapters.jdbc.spi.S taleConnection
<stale-connection-checker>
org.jboss.jca.adapters.jdbc.spi.V alidConnection
<valid-connection-checker>
JBoss Enterprise Application Platform 6 also features implementations of these extensions for several supported databases. Extension Implementations Generic org.jboss.jca.adapters.jdbc.extensions.novendor.NullExceptionSorter org.jboss.jca.adapters.jdbc.extensions.novendor.NullStaleConnectionChecker org.jboss.jca.adapters.jdbc.extensions.novendor.NullValidConnectionChecker org.jboss.jca.adapters.jdbc.extensions.novendor.JDBC4ValidConnectionChecker PostgreSQL org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker MySQL org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLReplicationValidConnectionChecker org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker IBM DB2 org.jboss.jca.adapters.jdbc.extensions.db2.DB2ExceptionSorter org.jboss.jca.adapters.jdbc.extensions.db2.DB2StaleConnectionChecker org.jboss.jca.adapters.jdbc.extensions.db2.DB2ValidConnectionChecker
101
Sybase org.jboss.jca.adapters.jdbc.extensions.sybase.SybaseExceptionSorter org.jboss.jca.adapters.jdbc.extensions.sybase.SybaseValidConnectionChecker Microsoft SQLServer org.jboss.jca.adapters.jdbc.extensions.mssql.MSSQLValidConnectionChecker Oracle org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker
Report a bug
Report a bug
102
Example 6.9. T he example below is a PostgreSQL XA datasource configuration. T he datasource has been enabled, a user has been added, and validation options have been set.
<datasources> <xa-datasource jndi-name="java:jboss/PostgresXADS" pool-name="PostgresXADS"> <driver>postgresql</driver> <xa-datasource-property name="ServerName">localhost</xa-datasource-property> <xa-datasource-property name="PortNumber">5432</xa-datasource-property> <xa-datasource-property name="DatabaseName">postgresdb</xa-datasourceproperty> <security> <user-name>admin</user-name> <password>admin</password> </security> <validation> <valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChe cker"> </valid-connection-checker> <exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter"> </exception-sorter> </validation> </xa-datasource> <drivers> <driver name="postgresql" module="org.postgresql"> <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class> </driver> </drivers> </datasources>
103
Example 6.10. T he example below is a MySQL datasource configuration. T he datasource has been enabled, a user has been added, and validation options have been set.
<datasources> <datasource jndi-name="java:jboss/MySqlDS" pool-name="MySqlDS"> <connection-url>jdbc:mysql://mysql-localhost:3306/jbossdb</connection-url> <driver>mysql</driver> <security> <user-name>admin</user-name> <password>admin</password> </security> <validation> <valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"></ valid-connection-checker> <exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"></except ion-sorter> </validation> </datasource> <drivers> <driver name="mysql" module="com.mysql"> <xa-datasource-class>com.mysql.jdbc.jdbc2.optional.MysqlXADataSource</xadatasource-class> </driver> </drivers> </datasources>
104
Example 6.11. T he example below is a MySQL XA datasource configuration. T he datasource has been enabled, a user has been added, and validation options have been set.
<datasources> <xa-datasource jndi-name="java:jboss/MysqlXADS" pool-name="MysqlXADS"> <driver>mysql</driver> <xa-datasource-property name="ServerName">localhost</xa-datasource-property> <xa-datasource-property name="DatabaseName">mysqldb</xa-datasource-property> <security> <user-name>admin</user-name> <password>admin</password> </security> <validation> <valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"></ valid-connection-checker> <exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"></except ion-sorter> </validation> </xa-datasource> <drivers> <driver name="mysql" module="com.mysql"> <xa-datasource-class>com.mysql.jdbc.jdbc2.optional.MysqlXADataSource</xadatasource-class> </driver> </drivers> </datasources>
Oracle Datasources
Prior to version 10.2 of the Oracle datasource, the <no-tx-separate-pools/> parameter was required, as mixing non-transactional and transactional connections would result in an error. T his parameter may no longer be required for certain applications.
105
Example 6.12. T he example below is an Oracle datasource configuration. T he datasource has been enabled, a user has been added, and validation options have been set.
<datasources> <datasource jndi-name="java:/OracleDS" pool-name="OracleDS"> <connection-url>jdbc:oracle:thin:@localhost:1521:XE</connection-url> <driver>oracle</driver> <security> <user-name>admin</user-name> <password>admin</password> </security> <validation> <valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker"> </valid-connection-checker> <stale-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker"> </stale-connection-checker> <exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter"></exce ption-sorter> </validation> </datasource> <drivers> <driver name="oracle" module="com.oracle"> <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xadatasource-class> </driver> </drivers> </datasources>
Oracle Datasources
Prior to version 10.2 of the Oracle datasource, the <no-tx-separate-pools/> parameter was required, as mixing non-transactional and transactional connections would result in an error. T his parameter may no longer be required for certain applications.
Important
T he following settings must be applied for the user accessing an Oracle XA datasource in order for XA recovery to operate correctly: GRANT GRANT GRANT GRANT SELECT ON sys.dba_pending_transactions T O user; SELECT ON sys.pending_trans$ T O user; SELECT ON sys.dba_2pc_pending T O user; EXECUT E ON sys.dbms_xa T O user;
106
Example 6.13. T he example below is an Oracle XA datasource configuration. T he datasource has been enabled, a user has been added, and validation options have been set.
<datasources> <xa-datasource jndi-name="java:/XAOracleDS" pool-name="XAOracleDS"> <driver>oracle</driver> <xa-datasource-property name="URL">jdbc:oracle:oci8:@tc</xa-datasourceproperty> <security> <user-name>admin</user-name> <password>admin</password> </security> <xa-pool> <is-same-rm-override>false</is-same-rm-override> <no-tx-separate-pools /> </xa-pool> <validation> <valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker"> </valid-connection-checker> <stale-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker"> </stale-connection-checker> <exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter"></exce ption-sorter> </validation> </xa-datasource> <drivers> <driver name="oracle" module="com.oracle"> <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xadatasource-class> </driver> </drivers> </datasources>
107
Example 6.14 . T he example below is a Microsoft SQLServer datasource configuration. T he datasource has been enabled, a user has been added, and validation options have been set.
<datasources> <datasource jndi-name="java:/MSSQLDS" pool-name="MSSQLDS"> <connectionurl>jdbc:microsoft:sqlserver://localhost:1433;DatabaseName=MyDatabase</connection -url> <driver>sqlserver</driver> <security> <user-name>admin</user-name> <password>admin</password> </security> <validation> <valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.mssql.MSSQLValidConnectionChecker"></ valid-connection-checker> </validation> </datasource> <drivers> <driver name="sqlserver" module="com.microsoft"> <xa-datasourceclass>com.microsoft.sqlserver.jdbc.SQLServerXADataSource</xa-datasource-class> </driver> </datasources>
T he example below is a m odule.xm l file for the Microsoft SQLServer datasource above.
<module xmlns="urn:jboss:module:1.1" name="com.microsoft"> <resources> <resource-root path="sqljdbc4.jar"/> </resources> <dependencies> <module name="javax.api"/> <module name="javax.transaction.api"/> </dependencies> </module>
108
Example 6.15. T he example below is a Microsoft SQLServer XA datasource configuration. T he datasource has been enabled, a user has been added, and validation options have been set.
<datasources> <xa-datasource jndi-name="java:/MSSQLXADS" pool-name="MSSQLXADS"> <driver>sqlserver</driver> <xa-datasource-property name="ServerName">localhost</xa-datasource-property> <xa-datasource-property name="DatabaseName">mssqldb</xa-datasource-property> <xa-datasource-property name="SelectMethod">cursor</xa-datasource-property> <security> <user-name>admin</user-name> <password>admin</password> </security> <xa-pool> <is-same-rm-override>false</is-same-rm-override> </xa-pool> <validation> <valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.mssql.MSSQLValidConnectionChecker"></ valid-connection-checker> </validation> </xa-datasource> <drivers> <driver name="sqlserver" module="com.microsoft"> <xa-datasourceclass>com.microsoft.sqlserver.jdbc.SQLServerXADataSource</xa-datasource-class> </driver> </drivers> </datasources>
T he example below is a m odule.xm l file for the Microsoft SQLServer XA datasource above.
<module xmlns="urn:jboss:module:1.1" name="com.microsoft"> <resources> <resource-root path="sqljdbc4.jar"/> </resources> <dependencies> <module name="javax.api"/> <module name="javax.transaction.api"/> </dependencies> </module>
109
Example 6.16. T he example below is an IBM DB2 datasource configuration. T he datasource has been enabled, a user has been added, and validation options have been set.
<datasources> <datasource jndi-name="java:/DB2DS" pool-name="DB2DS"> <connection-url>jdbc:db2:ibmdb2db</connection-url> <driver>ibmdb2</driver> <pool> <min-pool-size>0</min-pool-size> <max-pool-size>50</max-pool-size> </pool> <security> <user-name>admin</user-name> <password>admin</password> </security> <validation> <valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.db2.DB2ValidConnectionChecker"></vali d-connection-checker> <stale-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.db2.DB2StaleConnectionChecker"></stal e-connection-checker> <exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.db2.DB2ExceptionSorter"></exceptionsorter> </validation> </datasource> <drivers> <driver name="ibmdb2" module="com.ibm"> <xa-datasource-class>com.ibm.db2.jdbc.DB2XADataSource</xa-datasource-class> </driver> </drivers> </datasources>
T he example below is a m odule.xm l file for the IBM DB2 datasource above.
<module xmlns="urn:jboss:module:1.1" name="com.ibm"> <resources> <resource-root path="db2jcc.jar"/> </resources> <dependencies> <module name="javax.api"/> <module name="javax.transaction.api"/> </dependencies> </module>
110
Example 6.17. T he example below is an IBM DB2 XA datasource configuration. T he datasource has been enabled, a user has been added and validation options have been set.
<datasources> <xa-datasource jndi-name="java:/DB2XADS" pool-name="DB2XADS"> <driver>ibmdb2</driver> <xa-datasource-property name="DatabaseName">ibmdb2db</xa-datasourceproperty> <security> <user-name>admin</user-name> <password>admin</password> </security> <xa-pool> <is-same-rm-override>false</is-same-rm-override> </xa-pool> <validation> <valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.db2.DB2ValidConnectionChecker"></vali d-connection-checker> <stale-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.db2.DB2StaleConnectionChecker"></stal e-connection-checker> <exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.db2.DB2ExceptionSorter"></exceptionsorter> </validation> <recovery> <recovery-plugin classname="org.jboss.jca.core.recovery.ConfigurableRecoveryPlugin"> <config-property name="EnableIsValid">false</config-property> <config-property name="IsValidOverride">false</config-property> <config-property name="EnableClose">false</config-property> </recovery-plugin> </recovery> </xa-datasource> <drivers> <driver name="ibmdb2" module="com.ibm"> <xa-datasource-class>com.ibm.db2.jdbc.DB2XADataSource</xa-datasource-class> </driver> </drivers> </datasources>
T he example below is a m odule.xm l file for the IBM DB2 XA datasource above.
<module xmlns="urn:jboss:module:1.1" name="com.ibm"> <resources> <resource-root path="db2jcc.jar"/> </resources> <dependencies> <module name="javax.api"/> <module name="javax.transaction.api"/> </dependencies> </module>
111
Example 6.18. T he example below is a Sybase datasource configuration. T he datasource has been enabled, a user has been added, and validation options have been set.
<datasources> <datasource jndi-name="java:jboss/SybaseDB" pool-name="SybaseDB" enabled="true"> <connection-url>jdbc:sybase:Tds:localhost:5000/DATABASE? JCONNECT_VERSION=6</connection-url> <security> <user-name>admin</user-name> <password>admin</password> </security> <validation> <valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.sybase.SybaseValidConnectionChecker"> </valid-connection-checker> <exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.sybase.SybaseExceptionSorter"></excep tion-sorter> </validation> </datasource> <drivers> <driver name="sybase" module="com.sybase"> <datasource-class>com.sybase.jdbc2.jdbc.SybDataSource</datasource-class> <xa-datasource-class>com.sybase.jdbc3.jdbc.SybXADataSource</xa-datasourceclass> </driver> </drivers> </datasources>
112
Example 6.19. T he example below is a Sybase XA datasource configuration. T he datasource has been enabled, a user has been added, and validation options have been set.
<datasources> <xa-datasource jndi-name="java:jboss/SybaseXADS" pool-name="SybaseXADS" enabled="true"> <xa-datasource-property name="NetworkProtocol">Tds</xa-datasource-property> <xa-datasource-property name="ServerName">myserver</xa-datasource-property> <xa-datasource-property name="PortNumber">4100</xa-datasource-property> <xa-datasource-property name="DatabaseName">mydatabase</xa-datasourceproperty> <security> <user-name>admin</user-name> <password>admin</password> </security> <validation> <valid-connection-checker classname="org.jboss.jca.adapters.jdbc.extensions.sybase.SybaseValidConnectionChecker"> </valid-connection-checker> <exception-sorter classname="org.jboss.jca.adapters.jdbc.extensions.sybase.SybaseExceptionSorter"></excep tion-sorter> </validation> </xa-datasource> <drivers> <driver name="sybase" module="com.sybase"> <datasource-class>com.sybase.jdbc2.jdbc.SybDataSource</datasource-class> <xa-datasource-class>com.sybase.jdbc3.jdbc.SybXADataSource</xa-datasourceclass> </driver> </drivers> </datasources>
Report a bug
113
Modules are only loaded when required. T his usually only occurs when an application is deployed that has explicit or implicit dependencies. Report a bug 7.1.2. Global Modules A global module is a module that JBoss Enterprise Application Platform 6 provides as a dependency to every application. Any module can be made global by adding it to the application server's list of global modules. It does not require changes to the module. Report a bug 7.1.3. Module Dependencies A module dependency is a declaration that one module requires the classes of another module in order to function. Modules can declare dependencies on any number of other modules. When the application server loads a module, the modular class loader parses the dependencies of that module and adds the classes from each dependency to its class path. If a specified dependency cannot be found, the module will fail to load. Deployed applications (JAR and WAR) are loaded as dynamic modules and make use of dependencies to access the APIs provided by JBoss Enterprise Application Platform 6. T here are two types of dependencies: explicit and implicit. Explicit dependencies are declared in configuration by the developer. Static modules can declare dependencies in the modules.xml file. Dynamic modules can have dependencies declared in the MANIFEST .MF or jboss-deployment-structure.xml deployment descriptors of the deployment. Explicit dependencies can be specified as optional. Failure to load an optional dependency will not cause a module to fail to load. However if the dependency becomes available later it will NOT be added to the module's class path. Dependencies must be available when the module is loaded. Implicit dependencies are added automatically by the application server when certain conditions or metadata are found in a deployment. T he Java EE 6 APIs supplied with JBoss Enterprise Application Platform
114
are examples of modules that are added by detection of implicit dependencies in deployments. Deployments can also be configured to exclude specific implicit dependencies. T his is done with the jboss-deployment-structure.xml deployment descriptor file. T his is commonly done when an application bundles a specific version of a library that the application server will attempt to add as an implicit dependency. A module's class path contains only its own classes and that of it's immediate dependencies. A module is not able to access the classes of the dependencies of one of its dependencies. However a module can specify that an explicit dependency is exported. An exported dependency is provided to any module that depends on the module that exports it.
Example 7.1. Module dependencies Module A depends on Module B and Module B depends on Module C. Module A can access the classes of Module B, and Module B can access the classes of Module C. Module A cannot access the classes of Module C unless: Module A declares an explicit dependency on Module C, or Module B exports its dependency on Module C.
Report a bug 7.1.4 . Subdeployment Class Loader Isolation Each subdeployment in an Enterprise Archive (EAR) is an dynamic module with its own class loader and cannot access the resources of other subdeployments. T his is called subdeployment class loader isolation. JBoss Enterprise Application Platform 6 has strict subdeployment class loader isolation disabled by default. It can be enabled if required. Report a bug
Warning
T his task requires you to edit the XML configuration files of the server. T he server must be halted before doing this. T his is temporary as the final release administration tools will support this type of configuration. 1. Stop the server Halt the JBoss Enterprise Application Platform server. 2. Open the server configuration file Open the server configuration file in a text editor. T his file will be different for a managed domain or standalone server. In addition, non-default locations and file names may be used. T he default configuration files are dom ain/configuration/dom ain.xm l and standalone/configuration/standalone.xm l for managed domains and standalone servers respectively. 3. Locate the EE Subsystem Configuration Locate the EE Subsystem configuration element in the configuration file. T he <profile> element of the configuration file contains several subsystem elements. T he EE Subsystem element has the namespace of urn:jboss:dom ain:ee:1.0 .
115
T he default configuration has a single self-closing tag but a custom configuration may have separate open and closing tags (possibly with other elements within) like this:
<subsystem xmlns="urn:jboss:domain:ee:1.0" ></subsystem>
4. Replace self-closing tags if necessary If the EE Subsystem element is a single self-closing tag then replace with with appropriate opening and closing tags like this:
<subsystem xmlns="urn:jboss:domain:ee:1.0" ></subsystem>
5. Add ear-subdeployments-isolated element Add the ear-subdeploym ents-isolated element as a child of the EE Subsystem element and add the content of false like this:
<subsystem xmlns="urn:jboss:domain:ee:1.0" ><ear-subdeploymentsisolated>false</ear-subdeployments-isolated></subsystem>
6. Start the server Relaunch the JBoss Enterprise Application Platform server to start it running with the new configuration. Result: T he server will now be running with Subdeployment Module Isolation disabled for all deployments. Report a bug
116
3. Click the Add button in the Global Modules section. T he Create Module dialog appears. 4. T ype in the name of the module and optionally the module slot. 5. Click the Save button to add the new global module, or click the Cancel link to abort. If you click the Save button, the dialog will close and the specified module will be added to the list of global modules. If you click Cancel , the dialog will close and no changes will be made. Result T he modules added to the list of global modules will be added as dependencies to every deployment. Report a bug
7.4. Reference
7.4 .1. Included Modules asm .asm ch.qos.cal10n com .google.guava com .h2database.h2 com .sun.jsf-im pl com .sun.jsf-im pl com .sun.xm l.bind com .sun.xm l.m essaging.saaj gnu.getopt javaee.api javax.activation.api javax.annotation.api javax.api javax.ejb.api javax.el.api javax.enterprise.api javax.enterprise.deploy.api javax.faces.api javax.faces.api javax.inject.api javax.interceptor.api javax.jm s.api javax.jws.api javax.m ail.api javax.m anagem ent.j2ee.api javax.persistence.api javax.resource.api javax.rm i.api javax.security.auth.m essage.api javax.security.jacc.api javax.servlet.api javax.servlet.jsp.api javax.servlet.jstl.api javax.transaction.api javax.validation.api javax.ws.rs.api javax.wsdl4 j.api javax.xm l.bind.api
117
118
org.jboss.as.appclient org.jboss.as.cli org.jboss.as.clustering.api org.jboss.as.clustering.com m on org.jboss.as.clustering.ejb3.infinispan org.jboss.as.clustering.im pl org.jboss.as.clustering.infinispan org.jboss.as.clustering.jgroups org.jboss.as.clustering.service org.jboss.as.clustering.singleton org.jboss.as.clustering.web.infinispan org.jboss.as.clustering.web.spi org.jboss.as.cm p org.jboss.as.connector org.jboss.as.console org.jboss.as.controller org.jboss.as.controller-client org.jboss.as.deploym ent-repository org.jboss.as.deploym ent-scanner org.jboss.as.dom ain-add-user org.jboss.as.dom ain-http-error-context org.jboss.as.dom ain-http-interface org.jboss.as.dom ain-m anagem ent org.jboss.as.ee org.jboss.as.ee.deploym ent org.jboss.as.ejb3 org.jboss.as.em bedded org.jboss.as.host-controller org.jboss.as.jacorb org.jboss.as.jaxr org.jboss.as.jaxrs org.jboss.as.jdr org.jboss.as.jm x org.jboss.as.jpa org.jboss.as.jpa.hibernate org.jboss.as.jpa.hibernate org.jboss.as.jpa.hibernate.infinispan org.jboss.as.jpa.openjpa org.jboss.as.jpa.spi org.jboss.as.jpa.util org.jboss.as.jsr77 org.jboss.as.logging org.jboss.as.m ail org.jboss.as.m anagem ent-client-content org.jboss.as.m essaging org.jboss.as.m odcluster org.jboss.as.nam ing org.jboss.as.network org.jboss.as.osgi org.jboss.as.platform -m bean org.jboss.as.pojo org.jboss.as.process-controller org.jboss.as.protocol org.jboss.as.rem oting
119
120
org.jboss.sasl org.jboss.security.negotiation org.jboss.security.xacm l org.jboss.shrinkwrap.core org.jboss.staxm apper org.jboss.stdio org.jboss.threads org.jboss.vfs org.jboss.weld.api org.jboss.weld.core org.jboss.weld.spi org.jboss.ws.api org.jboss.ws.com m on org.jboss.ws.cxf.jbossws-cxf-client org.jboss.ws.cxf.jbossws-cxf-factories org.jboss.ws.cxf.jbossws-cxf-server org.jboss.ws.cxf.jbossws-cxf-transports-httpserver org.jboss.ws.jaxws-client org.jboss.ws.jaxws-jboss-httpserver-httpspi org.jboss.ws.native.jbossws-native-core org.jboss.ws.native.jbossws-native-factories org.jboss.ws.native.jbossws-native-services org.jboss.ws.saaj-im pl org.jboss.ws.spi org.jboss.ws.tools.com m on org.jboss.ws.tools.wsconsum e org.jboss.ws.tools.wsprovide org.jboss.xb org.jboss.xnio org.jboss.xnio.nio org.jboss.xts org.jdom org.jgroups org.joda.tim e org.junit org.om g.api org.osgi.core org.picketbox org.picketlink org.python.jython.standalone org.scannotation.scannotation org.slf4 j org.slf4 j.ext org.slf4 j.im pl org.slf4 j.jcl-over-slf4 j org.w3c.css.sac sun.jdk Report a bug 7.4 .2. Dynamic Module Naming All deployments are loaded as modules by JBoss Enterprise Application Platform 6 and named according to the following conventions. 1. Deployments of WAR and JAR files are named with the following format:
121
For example, inventory.war and store.jar will have the module names of deploym ent.inventory.war and deploym ent.store.jar respectively. 2. Subdeployments within an Enterprise Archive are named with the following format:
deployment.EAR_NAME.SUBDEPLOYMENT_NAME
For example, the subdeployment of reports.war within the enterprise archive accounts.ear will have the module name of deploym ent.accounting.ear.reports.war . Report a bug
122
123
Figure 8.1. Available deployments a. Enable the application in a standalone server instance Click on the Enable button in the Deploym ents table to enable the application deployment. b. Confirm Click on the confirm button to confirm that the application will be enabled on the server instance.
Figure 8.2. Available deployments in a standalone server B. Deploy to a managed domain T he Deploym ent Content section contains a Content Repository table showing all
124
Figure 8.3. Available deployments in a managed domain a. Enable the application in a Managed Domain Click on the Add to Groups button in the Content Repository table. b. Select server groups Check the boxes for each of the server groups that you want the application to be added to and click on the Save button to continue.
Figure 8.4 . Select server groups for application deployment c. Confirm Click on the Server Group Deploym ents tab to view the Server Groups table. Your application is now deployed to the server groups that you have selected.
125
Result T he application is deployed on the relevant server or server group. Report a bug 8.2.3. Undeploy an Application Using the Management Console Prerequisites Section 3.2.2, Log in to the Management Console Section 3.2.5, Add a Deployment in the Management Console Section 8.2.2, Deploy an Application Using the Management Console Procedure 8.2. T ask 1. Navigate to the Manage Deploym ents panel in the Management Console a. Select the Runtim e tab from the top right of the console. b. Select the Deployments Manage Deployments option from the menu on the left of the console. 2. Undeploy an application T he undeployment method will differ depending on whether you are deploying to a standalone server instance or a managed domain. A. Undeploy from a standalone server instance T he Deploym ents table shows all available application deployments and their status.
126
Figure 8.6. Available deployments a. Disable the application in a standalone server instance Click on the Disable button in the Deploym ents table to disable the application. b. Confirm that you wish to disable the application Click on the confirm button to confirm that the application will be disabled on the server instance.
Figure 8.7. Confirm the application to disable B. Undeploy from a managed domain T he Deploym ent Content section contains a Content Repository table showing all available application deployments and their status.
127
Figure 8.8. Available deployments in a managed domain a. Disable the application in a Managed Domain Click on the Server Group Deploym ents tab to view the server groups and the status of their deployed applications.
Figure 8.9. Server group deployments b. Select server group Click on the name of the server in the Server Group table to undeploy an application from. c. Disable the application from the selected server Click on the disable button to disable the application for the selected server. d. Confirm that you wish to disable the application Click on the confirm button to confirm that the application will be disabled on the server instance.
128
Figure 8.10. Confirm the application to disable e. Repeat undeployment for remaining server groups Repeat as required for other server groups. T he application status is confirmed for each server group in the Deploym ents table.
Result T he application is undeployed from the relevant server or server group. Report a bug
129
A. Alternatively, define specific server groups for the deployment with the --server-groups parameter.
[domain@localhost:9999 /] deploy /path/to/test-application.war --servergroups server_group_1, server_group_2 'test-application.war' deployed successfully.
Result T he specified application is now deployed to a server group in your managed domain. Report a bug 8.3.3. Undeploy an Application in a Managed Domain Using the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI Section 8.3.2, Deploy an Application in a Managed Domain Using the Management CLI Procedure 8.4 . T ask Run the undeploy command From the Management CLI, enter the undeploy command with the filename of the application deployment. T he application can be undeployed from any server group that it was originally deployed to with the addition of the --all-relevant-server-groups parameter.
[domain@localhost:9999 /] undeploy test-application.war --all-relevantserver-groups Successfully undeployed test-application.war.
Result T he specified application is now undeployed. Report a bug 8.3.4 . Deploy an Application in a Standalone Server Using the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI Procedure 8.5. T ask Run the deploy command From the Management CLI, enter the deploy command with the path to the application deployment.
[standalone@localhost:9999 /] deploy ~/path/to/test-application.war 'test-application.war' deployed successfully.
130
Result
T he specified application is now deployed in the standalone server. Report a bug 8.3.5. Undeploy an Application in a Standalone Server Using the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI Section 8.3.4, Deploy an Application in a Standalone Server Using the Management CLI Procedure 8.6. T ask Run the undeploy command From the Management CLI, enter the undeploy command with the filename of the application deployment.
[standalone@localhost:9999 /] undeploy test-application.war Successfully undeployed test-application.war.
131
Result T he application file is deployed to the application server. A marker file is created in the deployment folder to indicate the successful deployment, and the application is flagged as Enabled in the Management Console.
Report a bug 8.4 .3. Undeploy an Application to a Standalone Server Instance with the Deployment Scanner Prerequisites Section 2.6.1, Start JBoss Enterprise Application Platform 6 Section 8.4.2, Deploy an Application to a Standalone Server Instance with the Deployment Scanner Summary T his task shows a method for undeploying applications from a standalone server instance that have been deployed with the deployment scanner. As indicated in the Section 8.1, About Application Deployment topic, this method is retained for the convenience of developers, where the Management Console and Management CLI methods are recommended for application management under production environments.
Note
T he deployment scanner should not be used in conjunction with other deployment methods for application management. Applications removed from the application server by the management console will be removed from the runtime without affecting the marker files or application contained in the deployment directory. T o minimize the risk of accidental redployment or other errors, use the Management CLI and Management Console for administration in production environments.
Procedure 8.8. T ask Undeploy the application T here are two methods to undeploy the application depending on whether you want to delete the application from the deployment folder or only alter its deployment status. A. Undeploy by deleting the marker file Delete the deployed application's exam ple.war.deployed marker file to trigger the deployment scanner to begin undeploying the application from the runtime. Result T he deployment scanner undeploys the application and creates a exam ple.war.undeployed marker file. T he application remains in the deployment folder. B. Undeploy by removing the application Remove the application from the deployment directory to trigger the deployment scanner to begin undeploying the application from the runtime.
132
Result T he application file is undeployed from the application server and is not visible in the Deploym ents screen of the Management Console. Report a bug 8.4 .4 . Redeploy an Application to a Standalone Server Instance with the Deployment Scanner Prerequisites Section 2.6.1, Start JBoss Enterprise Application Platform 6 Section 8.4.2, Deploy an Application to a Standalone Server Instance with the Deployment Scanner Summary T his task shows a method for redeploying applications to a standalone server instance that have been deployed with the deployment scanner. As indicated in the Section 8.1, About Application Deployment topic, this method is retained for the convenience of developers, where the Management Console and Management CLI methods are recommended for application management under production environments. Procedure 8.9. T ask Redeploy the application T here are three possible methods to redeploy an application deployed with the deployment scanner. T hese methods trigger the deployment scanner to initiate a deployment cycle, and can be chosen to suit personal preference. A. Redeploy by altering the marker file T rigger the deployment scanner redeployment by altering the marker file's access and modification timestamp. In the following Linux example, a Unix touch command is used. Example 8.3. Redeploy with the Unix touch command
[user@host bin]$ touch EAP_HOME/standalone/deployments/example.war.dodeploy
Result T he deployment scanner detects a change in the marker file and redeploys the application. A new .deployed file marker replaces the previous. B. Redeploy by creating a new .dodeploy marker file T rigger the deployment scanner redeployment by creating a new .dodeploy marker file. Refer to the manual deployment instructions in Section 8.4.2, Deploy an Application to a Standalone Server Instance with the Deployment Scanner. C. Redeploy by deleting the marker file As described in Section 8.4.5, Reference for Deployment Scanner Marker Files, deleting a deployed application's .deployed marker file will trigger an undeployment and create an .undeployed marker. Deleting the undeployment marker will trigger the deployment cycle again. Refer to Section 8.4.3, Undeploy an Application to a Standalone Server Instance with the Deployment Scanner for further information. Result T he application file is redeployed.
133
Example 8.4 . Marker file example T he following example shows the marker file for a successfully deployed instance of an application called testapplication.war .
testapplication.war.deployed
T able 8.1. Marker filetype definitions Filename Suffix .dodeploy .skipdeploy Origin User generated User generated Description Indicates that the content should be deployed or redeployed into the runtime. Disables auto-deploy of an application while present. Useful as a method of temporarily blocking the auto-deployment of exploded content, preventing the risk of incomplete content edits pushing live. Can be used with zipped content, although the scanner detects in-progress changes to zipped content and waits until completion. Indicates the initiation of deployment. T he marker file will be deleted when the deployment process completes. Indicates that the content has been deployed. T he content will be undeployed if this file is deleted. Indicates deployment failure. T he marker file contains information about the cause of failure. If the marker file is deleted, the content will be visible to the auto-deployment again. Indicates a response to a .deployed file deletion. T he content will be undeployed and the marker will be automatically deleted upon completion. Indicates that the content has been undeployed. Deletion of the marker file has no impact to content redeployment. Indicates that deployment instructions will be sent to the server pending resolution of a detected issue. T his marker serves as a global deployment road-block. T he scanner will not instruct the server to deploy or undeploy any other content while this condition exists.
System generated
Report a bug 8.4 .6. Reference for Deployment Scanner Attributes T he deployment scanner contains the following attributes that are exposed to the Management CLI and able to be configured using the write-attribute operation. For more information on configuration options, refer to the topic Section 8.4.8, Configure the Deployment Scanner with the Management CLI.
134
Name
T able 8.2. Deployment Scanner Attributes Description Allows the automatic deployment of exploded content without requiring a .dodeploy marker file. Recommended for only basic development scenarios to prevent exploded application deployment from occurring during changes by the developer or operating system. Allows the automatic deployment of XML content without requiring a .dodeploy marker file. Allows the automatic deployment of zipped content without requiring a .dodeploy marker file. T he time value in seconds for the deployment scanner to allow a deployment attempt before being cancelled. Defines the actual filesystem path to be scanned. If the relative-to attribute is specified, the path value acts as a relative addition to that directory or path. Reference to a filesystem path defined in the paths section of the server configuration XML file. Allows the automatic scanning for applications by scan-interval and at startup. T he time interval in milliseconds between scans of the repository. A value of less than 1 restricts the scanner to operate only at startup. T ype Boolean default Value False
auto-deploy-exploded
auto-deploy-xm l
Boolean
T rue
auto-deploy-zipped
Boolean
T rue
Long
60
path
String
Deployment s
relative-to
String
scan-enabled
Boolean
scan-interval
Int
5000
Report a bug 8.4 .7. Configure the Deployment Scanner T he deployment scanner can be configured using the Management Console or the Management CLI. You can create a new deployment scanner or manage the existing scanner attributes. T hese include the scanning interval, the location of the deployment folder, and the application file types that will trigger a deployment. Report a bug 8.4 .8. Configure the Deployment Scanner with the Management CLI Prerequisites Section 3.3.2, Launch the Management CLI Summary While there are multiple methods of configuring the deployment scanner, the Management CLI can be used to expose and modify the attributes by use of batch scripts or in real time. You can modify the behaviour of the deployment scanner by use of the read-attribute and write-attribute global command line operations. Further information about the deployment scanner attributes are defined in the topic Section 8.4.6, Reference for Deployment Scanner Attributes. T he deployment scanner is a subsystem of JBoss Enterprise Application Platform 6, and can be viewed in the standalone.xm l .
<subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1"> <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000"/> </subsystem>
135
Procedure 8.10. T ask 1. Determine the deployment scanner attributes to configure Configuring the deployment scanner via the Management CLI requires that you first expose the correct attribute names. You can do this with the read-resources operation at either the root node, or by using the cd command to change into the subsystem child node. You can also display the attributes with the ls command at this level. A. Expose the deployment scanner attributes with the read-resource operation Use the read-resource operation to expose the attributes defined by the default deployment scanner resource.
[standalone@localhost:9999 /]/subsystem=deploymentscanner/scanner=default:read-resource { "outcome" => "success", "result" => { "auto-deploy-exploded" => false, "auto-deploy-xml" => true, "auto-deploy-zipped" => true, "deployment-timeout" => 60, "path" => "deployments", "relative-to" => "jboss.server.base.dir", "scan-enabled" => true, "scan-interval" => 5000 } }
B. Expose the deployment scanner attributes with the ls command Use the ls command with the -l optional argument to display a table of results that include the subsystem node attributes, values, and type. You can learn more about the ls command and its arguments by exposing the CLI help entry by typing ls --help . For more information about the help menu in the Management CLI, refer to the topic Section 3.3.5, Get Help with the Management CLI.
[standalone@localhost:9999 /] ls -l /subsystem=deploymentscanner/scanner=default ATTRIBUTE VALUE TYPE auto-deploy-exploded false BOOLEAN auto-deploy-xml true BOOLEAN auto-deploy-zipped true BOOLEAN deployment-timeout 60 LONG path deployments STRING relative-to jboss.server.base.dir STRING scan-enabled true BOOLEAN scan-interval 5000 INT
2. Configure the deployment scanner with the write-attribute operation Once you have determined the name of the attribute to modify, use the write-attribute to specify the attribute name and the new value to write to it. T he following examples are all run at the child node level, which can be accessed by using the cd command and tab completion to expose and change into the default scanner node.
[standalone@localhost:9999 /] cd subsystem=deployment-scanner/scanner=default
a. Enable automatic deployment of exploded content Use the write-attribute operation to enable the automatic deployment of exploded application content.
[standalone@localhost:9999 scanner=default] :write-attribute(name=autodeploy-exploded,value=true) {"outcome" => "success"}
b. Disable the automatic deployment of XML content Use the write-attribute operation to disable the automatic deployment of XML application content.
[standalone@localhost:9999 scanner=default] :write-attribute(name=autodeploy-xml,value=false) {"outcome" => "success"}
136
d. Configure the path attribute Use the write-attribute operation to modify the path attribute, substituting the example newpathnam e value for the new path name for the deployment scanner to monitor. Note that the server will require a reload to take effect.
[standalone@localhost:9999 scanner=default] :writeattribute(name=path,value=newpathname) { "outcome" => "success", "response-headers" => { "operation-requires-reload" => true, "process-state" => "reload-required" } }
e. Configure the relative path attribute Use the write-attribute operation to modify the relative reference to the filesystem path defined in the paths section of the configuration XML file. Note that the server will require a reload to take effect.
[standalone@localhost:9999 scanner=default] :writeattribute(name=relative-to,value=new.relative.dir) { "outcome" => "success", "response-headers" => { "operation-requires-reload" => true, "process-state" => "reload-required" } }
f. Disable the deployment scanner Use the write-attribute operation to disable the deployment scanner by setting the scan-enabled value to false.
[standalone@localhost:9999 scanner=default] :write-attribute(name=scanenabled,value=false) {"outcome" => "success"}
g. Change the scan interval Use the write-attribute operation to modify the scan interval time from 5000 milliseconds to 10000 milliseconds.
[standalone@localhost:9999 scanner=default] :write-attribute(name=scaninterval,value=10000) {"outcome" => "success"}
Result Your configuration changes are saved to the deployment scanner. Report a bug
137
3. Confirm the application deployment A. View result in terminal window T he deployment can be confirmed by viewing the operation logs in the terminal window. Example 8.5. Maven confirmation for helloworld application
[INFO] ----------------------------------------------------------------------[INFO] BUILD SUCCESSFUL [INFO] ----------------------------------------------------------------------[INFO] Total time: 3 seconds [INFO] Finished at: Mon Oct 10 17:22:05 EST 2011 [INFO] Final Memory: 21M/343M [INFO] -----------------------------------------------------------------------
B. View results in server terminal window T he deployment can also be confirmed in the status stream of the active application server instance. Example 8.6. Application server confirmation for helloworld application
17:22:04,922 INFO [org.jboss.as.server.deployment] (pool-1-thread-3) Content added at location /home/username/EAP_Home/standalone/data/content/2c/39607b0c8dbc6a36585f7 2866c1bcfc951f3ff/content 17:22:04,924 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) Starting deployment of "jboss-as-helloworld.war" 17:22:04,954 INFO [org.jboss.weld] (MSC service thread 1-3) Processing CDI deployment: jboss-as-helloworld.war 17:22:04,973 INFO [org.jboss.weld] (MSC service thread 1-2) Starting Services for CDI deployment: jboss-as-helloworld.war 17:22:04,979 INFO [org.jboss.weld] (MSC service thread 1-4) Starting weld service 17:22:05,051 INFO [org.jboss.web] (MSC service thread 1-2) registering web context: /jboss-as-helloworld 17:22:05,064 INFO [org.jboss.as.server.controller] (pool-1-thread-3) Deployed "jboss-as-helloworld.war"
Result
138
T he application is deployed to the application server. Report a bug 8.5.3. Undeploy an Application with Maven Prerequisites Section 2.6.1, Start JBoss Enterprise Application Platform 6 Summary T his task shows a method for undeploying applications with Maven. T he example provided uses the jboss-as-helloworld.war application found in the Enterprise Application Server Quick Starts collection. T he helloworld project contains a POM file which initializes the jboss-as-m avenplugin . T his plug-in provides simple operations to deploy and undeploy applications to and from the application server. Procedure 8.12. Undeploy an application with Maven 1. Run the Maven deploy command in a terminal session Open a terminal session and navigate to the directory containing the quickstart examples. Example 8.7. Change into the helloworld application directory
[localhost]$ cd ~/EAP_Quickstarts/helloworld
3. Confirm the application undeployment A. View result in terminal window T he undeployment can be confirmed by viewing the operation logs in the terminal window. Example 8.8. Maven confirmation for helloworld application
[INFO] ----------------------------------------------------------------------[INFO] Building JBoss AS Quickstarts: Helloworld [INFO] task-segment: [jboss-as:undeploy] [INFO] ----------------------------------------------------------------------[INFO] [jboss-as:undeploy {execution: default-cli}] [INFO] Executing goal undeploy for /home/username/EAP_Quickstarts/helloworld/target/jboss-as-helloworld.war on server localhost (127.0.0.1) port 9999. Oct 10, 2011 5:33:02 PM org.jboss.remoting3.EndpointImpl <clinit> INFO: JBoss Remoting version 3.2.0.Beta2 Oct 10, 2011 5:33:02 PM org.xnio.Xnio <clinit> INFO: XNIO Version 3.0.0.Beta2 Oct 10, 2011 5:33:02 PM org.xnio.nio.NioXnio <clinit> INFO: XNIO NIO Implementation Version 3.0.0.Beta2 [INFO] ----------------------------------------------------------------------[INFO] BUILD SUCCESSFUL [INFO] ----------------------------------------------------------------------[INFO] Total time: 1 second [INFO] Finished at: Mon Oct 10 17:33:02 EST 2011 [INFO] Final Memory: 11M/212M [INFO] -----------------------------------------------------------------------
B. View results in server terminal window T he undeployment can also be confirmed in the status stream of the active application server instance.
139
17:33:02,334 INFO [org.jboss.weld] (MSC service thread 1-3) Stopping weld service 17:33:02,342 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) Stopped deployment jboss-as-helloworld.war in 15ms 17:33:02,352 INFO [org.jboss.as.server.controller] (pool-1-thread-5) Undeployed "jboss-as-helloworld.war"
14 0
14 1
T he <security-m anagem ent> , <subject-factory> , and <security-properties> elements are empty in the default configuration.
Each top-level element within the security subsystem contains information about a different aspect of the security configuration. <security-management> T his section overrides high-level behaviors of the security subsystem. Each setting is optional. It is unusual to change any of these settings except for deep copy subject mode. Option deep-copy-subject-mode authentication-manager-class-name default-callback-handler-class-name Description Specifies whether to copy or link to security tokens, for additional thread safety. Specifies an alternate AuthenticationManager implementation class name to use. Specifies a global class name for the CallbackHandler implementation to be used with login modules. Specifies an alternate AuthorizationManager implementation class name to use. Specifies an alternate AuditManager implementation class name to use. Specifies an alternate IdentityT rustManager implementation class name to use. Specifies the MappingManager
14 2
<subject-factory> T he subject factory controls creation of subject instances. It may use the authentication manager to verify the caller. T he main use of the subject factory is for JCA components to establish a subject.It is unusual to need to modify the subject factory. <security-domains> A container element which holds multiple security domains. A security domain may contain information about authentication, authorization, mapping, and auditing modules, as well as JASPI authentication and JSSE configuration. Your application would specify a security domain to manage its security information. <security-properties> Contains names and values of properties which are set on the java.security.Security class.
Report a bug
14 3
Report a bug
14 4
If you use security domains, you can remove all specific security configuration from your application itself. T his allows you to change security parameters centrally. One common scenario that benefits from this type of configuration structure is the process of moving applications between testing and production environments. Report a bug 9.6.2. About Picketbox Picketbox is the foundational security framework that provides the authentication, authorization, audit and mapping capabilities to Java applications running in the JBoss Enterprise Application Platform. It provides the following capabilities, in a single framework with a single configuration: Section 9.6.3, About Authentication Section 9.6.5, About Authorization and access control Section 9.6.7, About Security Auditing Section 9.6.9, About Security Mapping of principals, roles, and attributes T he Picketbox configuration uses a mark-up language called eXtensible Access Control Markup Language (XACML). Report a bug 9.6.3. About Authentication Authentication refers to identifying a subject and verifying the authenticity of the identification. T he most common authentication mechanism is a username and password combination. Other common authentication mechanisms use shared keys, smart cards, or fingerprints. T he outcome of a successful authentication is referred to as a principal, in terms of Java Enterprise Edition declarative security. T he JBoss Enterprise Application Platform uses a pluggable system of authentication modules to provide flexibility and integration with the authentication systems you already use in your organization. Each security domain contains one or more configured authentication modules. Each module includes additional configuration parameters to customize its behavior. T he easiest way to configure the authentication subsystem is within the web-based management console. Authentication is not the same as authorization, although they are often linked. Many of the included authentication modules can also handle authorization. Report a bug 9.6.4 . Configure Authentication in a Security Domain T o configure authentication settings for a security domain, log into the management console and follow this procedure. Procedure 9.2. T ask 1. Open the security domain's detailed view. Click the Profiles label at the top right of the management console. In a managed domain, select the profile to modify from the Profile selection box at the top left of the Profile view. Click the Security menu item at the left, and click Security Dom ains from the expanded menu. Click the View link for the security domain you want to edit. 2. Navigate to the Authentication subsystem configuration. Click the Authentication label at the top of the view if it is not already selected. T he configuration area is divided into two areas: Login Modules and Details. T he login module is the basic unit of configuration. A security domain can include several login modules, each of which can include several attributes and options. 3. Add an authentication module. Click the Add button to add a JAAS authentication module. Fill in the details for your module. T he Code is the class name of the module. T he Flags controls how the module relates to other authentication modules within the same security domain. Explanation of the Flags T he Java Enterprise Edition 6 specification provides the following explanation of the flags for security modules. T he following list is taken from
14 5
Requisite
Sufficient
Optional
After you have added your module, you can modify its Code or Flags by clicking the Edit button in the Details section of the screen. Be sure the Attributes tab is selected. 4. Optional: Add, edit, or remove module options. If you need to add options to your module, click its entry in the Login Modules list, and select the Module Options tab in the Details section of the page. Click the Add button, and provide the key and value for the option. T o edit an option that already exists, click the key or to change it. Use the Rem ove button to remove an option. Result Your authentication module is added to the security domain, and is immediately available to applications which use the security domain. T he jboss.security.security_dom ain Module Option By default, each login module defined in a security domain has the jboss.security.security_dom ain module option added to it automatically. T his option causes problems with login modules which check to make sure that only known options are defined. T he IBM Kerberos login module, com .ibm .security.auth.m odule.Krb5LoginModule is one of these. You can disable the behavior of adding this module option by setting the system property to true when starting JBoss Enterprise Application Platform. Add the following to your start-up parameters.
-Djboss.security.disable.secdomain.option=true
You can also set this property using the web-based Management Console. In a standalone server, you can set system properties in the Profile section of the configuration. In a managed domain, you can set system properties for each server group. Report a bug 9.6.5. About Authorization Authorization is a mechanism for granting or denying access to a resource based on identity. It is implemented as a set of declarative security roles which can be granted to principals. T he JBoss Enterprise Application Platform uses a modular system to configure authorization. Each security domain can contain one or more authorization policies. Each policy has a basic module which defines its behavior. It is configured through specific flags and attributes. T he easiest way to configure the authorization subsystem is by using the web-based management console. Authorization is different from authentication, and usually happens after authentication. Many of the authentication modules also handle authorization. Report a bug
14 6
9.6.6. Configure Authorization in a Security Domain T o configure authorization settings for a security domain, log into the management console and follow this procedure. Procedure 9.3. T ask 1. Open the security domain's detailed view. Click the Profiles label at the top right of the management console. In a managed domain, select the profile to modify from the Profile selection box at the top left of the Profile view. Click the Security menu item at the left, and click Security Dom ains from the expanded menu. Click the View link for the security domain you want to edit. 2. Navigate to the Authorization subsystem configuration. Click the Authorization label at the top of the view if it is not already selected. T he configuration area is divided into two areas: Policies and Details. T he login module is the basic unit of configuration. A security domain can include several authorization policies, each of which can include several attributes and options. 3. Add a policy. Click the Add button to add a JAAS authorization policy module. Fill in the details for your module. T he Code is the class name of the module. T he Flags controls how the module relates to other authorization policy modules within the same security domain. Explanation of the Flags T he Java Enterprise Edition 6 specification provides the following explanation of the flags for security modules. T he following list is taken from http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html#AppendixA. Refer to that document for more detailed information. Flag Required Details T he LoginModule is required to succeed. If it succeeds or fails, authorization still continues to proceed down the LoginModule list. LoginModule is required to succeed. If it succeeds, authorization continues down the LoginModule list. If it fails, control immediately returns to the application (authorization does not proceed down the LoginModule list). T he LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authorization does not proceed down the LoginModule list). If it fails, authorization continues down the LoginModule list. T he LoginModule is not required to succeed. If it succeeds or fails, authorization still continues to proceed down the LoginModule list.
Requisite
Sufficient
Optional
After you have added your module, you can modify its Code or Flags by clicking the Edit button in the Details section of the screen. Be sure the Attributes tab is selected. 4. Optional: Add, edit, or remove module options. If you need to add options to your module, click its entry in the Login Modules list, and select the Module Options tab in the Details section of the page. Click the Add button, and provide the key and value for the option. T o edit an option that already exists, click the key or to change it. Use the Rem ove button to remove an option. Result Your authorization policy module is added to the security domain, and is immediately available to applications which use the security domain. Report a bug 9.6.7. About Security Auditing
14 7
14 8
Procedure 9.5. T ask 1. Open the security domain's detailed view. Click the Profiles label at the top right of the management console. T his tab is labeled Profile in a standalone server. In a managed domain, select the profile to modify from the Profile selection box at the top left of the Profile view. Click the Security menu item at the left, and click Security Dom ains from the expanded menu. Click the View link for the security domain you want to edit. 2. Navigate to the Mapping subsystem configuration. Click the Mapping label at the top of the view if it is not already selected. T he configuration area is divided into two areas: Modules and Details. T he mapping module is the basic unit of configuration. A security domain can include several mapping modules, each of which can include several attributes and options. 3. Add a module. Click the Add button to add a security mapping module. Fill in the details for your module. T he Code is the class name of the module. T he T ype field refers to the type of mapping this module performs. Allowed values are principal, role, attribute or credential. After you have added your module, you can modify its Code or T ype by clicking the Edit button in the Details section of the screen. Be sure the Attributes tab is selected. 4. Optional: Add, edit, or remove module options. If you need to add options to your module, click its entry in the Modules list, and select the Module Options tab in the Details section of the page. Click the Add button, and provide the key and value for the option. T o edit an option that already exists, click the Rem ove label key to remove it, and add it again with the new value. Use the Rem ove button to remove an option. Result Your security mapping module is added to the security domain, and is immediately available to applications which use the security domain. Report a bug 9.6.11. Use a Security Domain in Your Application Overview T o use a security domain in your application, first you must configure the domain in either the server's configuration file or the application's descriptor file. T hen you must add the required annotations to the EJB that uses it. T his topic covers the steps required to use a security domain in your application. Procedure 9.6. Configure Your Application to Use a Security Domain 1. Define the Security Domain You can define the security domain either in the server's configuration file or the application's descriptor file. A. Configure the security domain in the server's configuration file T he security domain is configured in the security subsystem of the server's configuration file. If the JBoss Enterprise Application Platform instance is running in a managed domain, this is the dom ain/configuration/dom ain.xm l file. If the JBoss Enterprise Application Platform instance is running as a standalone server, this is the standalone/configuration/standalone.xm l file. T he other , jboss-web-policy, and jboss-ejb-policy security domains are provided by default in JBoss Enterprise Application Platform 6. T he following XML example was copied from the security subsystem in the server's configuration file.
14 9
You can configure additional security domains as needed using the Management Console or CLI. B. Configure the security domain in the application's descriptor file T he security domain is specified in the <security-dom ain> child element of the <jbossweb> element in the application's WEB-INF/jboss-web.xm l file. T he following example configures a security domain named m y-dom ain .
<jboss-web> <security-domain>my-domain</security-domain> </jboss-web>
T his is only one of many settings which you can specify in the WEB-INF/jboss-web.xm l descriptor. 2. Add the Required Annotation to the EJB You configure security in the EJB using the @ SecurityDom ain and @ RolesAllowed annotations. T he following EJB code example limits access to the other security domain by users in the guest role.
150
import org.jboss.ejb3.annotation.SecurityDomain; /** * Simple secured EJB using EJB security annotations * Allow access to "other" security domain by users in a "guest" role. */ @Stateless @RolesAllowed({ "guest" }) @SecurityDomain("other") public class SecuredEJB { // Inject the Session Context @Resource private SessionContext ctx; /** * Secured EJB method using security annotations */ public String getSecurityInfo() { // Session context injected using the resource annotation Principal principal = ctx.getCallerPrincipal(); return principal.toString(); } }
For more code examples, see the ejb-security quickstart in the JBoss Enterprise Application Platform 6 Quickstarts bundle, which is available from the Red Hat Customer Portal. Report a bug 9.6.12. Java Authorization Contract for Containers (JACC) 9.6.12.1. About Java Authorization Contract for Containers (JACC) Java Authorization Contract for Containers (JACC) is a standard which defines a contract between containers and authorization service providers, which results in the implementation of providers for use by containers. It was defined in JSR-115, which can be found on the Java Community Process website at http://jcp.org/en/jsr/detail?id=115. It has been part of the core Java Enterprise Edition (Java EE) specification since Java EE version 1.3. JBoss Enterprise Application Platform implements support for JACC within the security functionality of the security subsystem. Report a bug 9.6.12.2. Configure Java Authorization Contract for Containers (JACC) Security T o configure Java Authorization Contract for Containers (JACC), you need to configure your security domain with the correct module, and then modify your jboss-web.xm l to include the correct parameters. Add JACC Support to the Security Domain T o add JACC support to the security domain, add the JACC authorization policy to the authorization stack of the security domain, with the required flag set. T he following is an example of a security domain with JACC support. However, the security domain is configured in the Management Console or Management CLI, rather than directly in the XML.
151
Configure a Web Application to use JACC T he jboss-web.xm l is located in the MET A-INF/ or WEB-INF/ directory of your deployment, and contains overrides and additional JBoss-specific configuration for the web container. T o use your JACCenabled security domain, you need to include the <security-dom ain> element, and also set the <use-jboss-authorization> element to true . T he following application is properly configured to use the JACC security domain above.
<jboss-web> <security-domain>jacc</security-domain> <use-jboss-authorization>true</use-jboss-authorization> </jboss-web>
Configure an EJB Application to Use JACC Configuring EJBs to use a security domain and to use JACC differs from Web Applications. For an EJB, you can declare method permissions on a method or group of methods, in the ejb-jar.xm l descriptor. Within the <ejb-jar> element, any child <m ethod-perm ission> elements contain information about JACC roles. Refer to the example configuration for more details. T he EJBMethodPerm ission class is part of the Java Enterprise Edition 6 API, and is documented at http://docs.oracle.com/javaee/6/api/javax/security/jacc/EJBMethodPermission.html.
You can also constrain the authentication and authorization mechanisms for an EJB by using a security domain, just as you can do for a web application. Security domains are declared in the jbossejb3.xm l descriptor, in the <security> child element. In addition to the security domain, you can also specify the run-as principal, which changes the principal the EJB runs as.
Report a bug
152
Report a bug 9.6.13. Java Authentication SPI for Containers (JASPI) 9.6.13.1. About Java Authentication SPI for Containers (JASPI) Security Java Application SPI for Containers (JASPI or JASPIC) is a pluggable interface for Java applications. It is defined in JSR-196 of the Java Community Process. Refer to http://www.jcp.org/en/jsr/detail?id=196 for details about the specification. Report a bug 9.6.13.2. Configure Java Authentication SPI for Containers (JASPI) Security T o authenticate against a JASPI provider, add a <authentication-jaspi> element to your security domain. T he configuration is similar to a standard authentication module, but login module elements are enclosed in a <login-m odule-stack> element. T he structure of the configuration is:
T he login module itself is configured in exactly the same way as a standard authentication module. Because the web-based management console does not expose the configuration of JASPI authentication modules, you need to stop the JBoss Enterprise Application Platform completely before adding the configuration directly to the EAP_HOME/dom ain/configuration/dom ain.xm l or EAP_HOME/standalone/configuration/standalone.xm l . Report a bug
Note
HT T P access is considered to be remote, even if you connect to the localhost using HT T P. 1. T he client sends a message to the server which includes a request to authenticate with the local SASL mechanism. 2. T he server generates a one-time token, writes it to a unique file, and sends a message to the client with the full path of the file. 3. T he client reads the token from the file and sends it to the server, verifying that it has local
153
Standalone server
EAP_HOME/standalone/configuration/mgmt-users.properties
Even though the contents of the m gm t-users.properties are masked, the file should still be treated as a sensitive file. It is recommended that it be set to the file mode of 600 , which gives no access other than read and write access by the file owner. Report a bug 9.7.2. Overview of Advanced Management Interface Configuration T he Management interface configuration in the EAP_HOME/dom ain/configuration/host.xm l or EAP_HOME/standalone/configuration/standalone.xm l controls which network interfaces the host controller process binds to, which types of management interfaces are available at all, and which type of authentication system is used to authenticate users on each interface. T his topic discusses how to configure the Management Interfaces to suit your environment. T he Management subsystem consists of a <m anagem ent> element that includes several configurable attributes, and the following three configurable child elements. T he security realms and outbound connections are each first defined, and then applied to the management interfaces as attributes. <security-realm s> <outbound-connections> <m anagem ent-interfaces> Security Realms T he security realm is responsible for the authentication and authorization of users allowed to administer the JBoss Enterprise Application Platform via the Management API, Management CLI, or web-based Management Console. T wo different file-based security realms are included in a default installation: Managem entRealm and ApplicationRealm . Each of these security realms uses a -users.properties file to store users and hashed passwords, and a -roles.properties to store mappings between users and roles. Support is also included for an LDAP-enabled security realm.
Note
Security realms can also be used for your own applications. T he security realms discussed here are specific to the management interfaces.
Outbound Connections Some security realms connect to external interfaces, such as an LDAP server. An outbound connection defines how to make this connection. A pre-defined connection type, ldap-connection , sets all of the required and optional attributes to connect to the LDAP server and verify the credential. Management Interfaces
154
A management interface includes properties about how connect to and configure JBoss Enterprise Application Platform. Such information includes the named network interface, port, security realm, and other configurable information about the interface. T wo interfaces are included in a default installation: http-interface is the configuration for the web-based Management Console. native-interface is the configuration for the command-line Management CLI and the REST -like Management API. Each of the three main configurable elements of the host management subsystem are interrelated. A security realm refers to an outbound connection, and a management interface refers to a security realm. Report a bug 9.7.3. About LDAP Lightweight Directory Access Protocol (LDAP) is a protocol for storing and distributing directory information across a network. T his directory information includes information about users, hardware devices, access roles and restrictions, and other information. Some common implementations of LDAP include OpenLDAP, Microsoft Active Directory, IBM T ivoli Directory Server, Oracle Internet Directory, and others. JBoss Enterprise Application Platform includes several authentication and authorization modules which allow you to use a LDAP server as the authentication and authorization authority for your Web and EJB applications. Report a bug 9.7.4 . Use LDAP to Authenticate to the Management Interfaces T o use an LDAP directory server as the authentication source for the Management Console, Management CLI, or Management API, you need to perform the following procedures: 1. Create an outbound connection to the LDAP server. 2. Create an LDAP-enabled security realm. 3. Reference the new security domain in the Management Interface. Create an Outbound Connection to an LDAP Server T he LDAP outbound connection allows the following attributes: T able 9.1. Attributes of an LDAP Outbound Connection Attribute name Required yes Description T he name to identify this connection. T his name is used in the security realm definition. T he URL address of the directory server. T he fully distinguished name (DN) of the user authorized to perform searches. T he password of the user authorized to perform searches. T he initial context factory to use when establishing the connection. Defaults to com .sun.jndi.ldap.LdapC txFactory.
url search-dn
yes yes
search-credentials initial-context-factory
yes no
155
Example 9.7. Add an LDAP Outbound Connection T his example adds an outbound connection with the following properties set: Search DN: cn=search,dc=acm e,dc=com Search Credential: m yPass URL: http://127.0.0.1
/host=master/core-service=management/ldap-connection=ldap_connection/:add(searchcredential=myPass,url=http://127.0.0.1,search-dn=cn=search,dc=acme,dc=com)
Create an LDAP-Enabled Security Realm T he Management Interfaces can authenticate against LDAP server instead of the property-file based security realms configured by default. T he LDAP authenticator operates by first establishing a connection to the remote directory server. It then performs a search using the username which the user passed to the authentication system, to find the fully-qualified distinguished name (DN) of the LDAP record. A new connection is established, using the DN of the user as the credential, and password supplied by the user. If this authentication to the LDAP server is successful, the DN is verified to be valid. T he LDAP security realm needs the following configuration attributes and elements in order to perform its functions. connection T he name of the connection defined in <outbound-connections> to use to connect to the LDAP directory. base-dn T he distinguished name of the context to begin searching for the user. recursive Whether the search should be recursive throughout the LDAP directory tree, or only search the specified context. Defaults to false . user-dn T he attribute of the user that holds the distinguished name. T his is subsequently used to test authentication as the user can complete. Defaults to dn . One of usernam e-filter or advanced-filter , as a child element T he usernam e-filter takes a single attribute called attribute , whose value is the name of the LDAP attribute which holds the username, such as userNam e or sam baAccountNam e . T he advanced-filter takes a single attribute called filter . T his attribute contains a filter query in standard LDAP syntax. Be cautious to escape any & characters by changing them to & am p;. An example of a filter is:
(&(sAMAccountName={0})(memberOf=cn=admin,cn=users,dc=acme,dc=com))
156
Example 9.9. XML Representing an LDAP-enabled Security Realm T his example uses the following parameters: connection - ldap_connection base-dn - cn=users,dc=acm e,dc=com . username-filter - attribute="sam baAccountNam e"
<security-realm name="TestRealm"> <authentication> <ldap connection="ldap_connection" base-dn="cn=users,dc=acme,dc=com"> <username-filter attribute="sambaAccountName" /> </ldap> </authentication> </security-realm>
Example 9.10. Add an LDAP Security Realm T he command below adds a security realm and sets its attributes.
/host=master/core-service=management/securityrealm=ldap_security_realm/authentication=ldap:add(base-dn="DC=mycompany,DC=org", recursive=true, username-attribute="MyAccountName", connection="ldap_connection")
Apply the New Security Realm to the Management Interface After you create a security realm, you need to reference it in the configuration of your management interface. T he management interface will use the security realm for HT T P digest authentication.
Example 9.11. Apply the Security Realm to the HT T P Interface After this configuration is in place, the web-based Management Console will use LDAP to authenticate its users.
/host=master/core-service=management/management-interface=http-interface/:writeattribute(name=security-realm,value=TestRealm)
Restart JBoss Enterprise Application Platform and your HT T P interface uses your LDAP server for authentication. Report a bug 9.7.5. Disable the HT T P Management Interface In a managed domain, you only need access to the HT T P interface on the domain controller, rather than on domain member servers. In addition, on a production server, you may decide to disable the webbased Management Console altogether.
157
Note
Other clients, such as JBoss Operations Network, also operate using the HT T P interface. If you want to use these services, and simply disable the Management Console itself, you can set the console-enabled-attribute of the HT T P interface to false , instead of disabling the interface completely.
/host=master/core-service=management/management-interface=httpinterface/:write-attribute(name=console-enabled,value=false)
T o disable access to the HT T P interface, which also disables access to the web-based Management Console, you can delete the HT T P interface altogether. T he following JBoss CLI command allows you to read the current contents of your HT T P interface, in case you decide to add it again.
T o re-enable access, issue the following commands to re-create the HT T P Interface with the default values.
Report a bug 9.7.6. Remove Silent Authentication from the Default Security Realm
158
Summary T he default installation of JBoss Enterprise Application Platform 6 contains a method of silent authentication for a local Management CLI user. T his allows the local user the ability to access the Management CLI without username or password authentication. T his functionality is enabled as a convenience, and to assist local users running Management CLI scripts without requiring authentication. It is considered a useful feature given that access to the local configuration typically also gives the user the ability to add their own user details or otherwise disable security checks. T he convenience of silent authentication for local users can be disabled where greater security control is required. T his can be achieved by removing the local element within the security-realm section of the configuration file. T his applies to both the standalone.xm l for a Standalone Server instance, or host.xm l for a Managed Domain. You should only consider the removal of the local element if you understand the impact that it might have on your particular server configuration. T he preferred method of removing silent authentication is by use of the Management CLI, which directly removes the local element visible in the following example.
Prerequisites Section 2.6.1, Start JBoss Enterprise Application Platform 6 Section 3.3.2, Launch the Management CLI Procedure 9.7. T ask Remove silent authentication with the Management CLI Remove the local element from the Management Realm and Application Realm as required. 1. Remove the local element from the Management Realm.
/core-service=management/securityrealm=ManagementRealm/authentication=local:remove
Result T he silent authentication mode is removed from the Managem entRealm and the ApplicationRealm . Report a bug 9.7.7. Disable Remote Access to the JMX Subsystem
159
Note
T he remoting connector is removed from the JMX subsystem by default. T his command is provided for your information, in case you add it during development.
Example 9.16. Remove the Remote Connector from the JMX Subsystem
/profile=default/subsystem=jmx/remoting-connector=jmx/:remove
Example 9.17. Remove the JMX Subsystem Run this command for each profile you use, if you use a managed domain.
/profile=default/subsystem=jmx/:remove
Report a bug 9.7.8. Configure Security Realms for the Management Interfaces T he Management Interfaces use security realms to control authentication and access to the configuration mechanisms of JBoss Enterprise Application Platform. T his topic shows you how to read and configure security realms. T hese commands use the Management CLI. Read a Security Realm's Configuration T his example shows the default configuration for the Managem entRealm security realm. It uses a file called m gm t-users.properties to store its configuration information.
Write a Security Realm T he following commands create a new security realm called T estRealm and set the name and directory for the relevant properties file.
160
Apply a Security Realm to the Management Interface After adding a security realm, supply its name as a reference to the Management Interface.
Changes to management interfaces take effect after JBoss Enterprise Application Platform is restarted. Report a bug
161
It is possible to edit your XML configuration file directly, to change the default bind addresses. However, if you do this, you will no longer be able to use the -b command-line switch to specify an IP address at run-time, so this is not recommended. If you do decide to do this, be sure to stop the JBoss Enterprise Application Platform completely before editing the XML file. Report a bug 9.8.3. Configure Network Firewalls to Work with JBoss Enterprise Application Platform 6 Overview Most production environments use firewalls as part of an overall network security strategy. If you need multiple server instances to communicate with each other or with external services such as web servers or databases, your firewall needs to take this into account. A well-managed firewall only opens the ports which are necessary to operation, and limits access to the ports to specific IP addresses, subnets, and network protocols. A full discussion of firewalls is out of the scope of this documentation. Prerequisites Determine the ports you need to open. Refer to Section 9.8.4, Network Ports Used By JBoss Enterprise Application Platform 6 to determine the list of ports for your situation. An understanding of your firewall software is required. T his procedure uses the system -configfirewall command in Red Hat Enterprise Linux 6. Microsoft Windows Server includes a built-in firewall, and several third-party firewall solutions are available for each platform.
162
Assumptions T his procedure configures a firewall in an environment with the following assumptions: T he operating system is Red Hat Enterprise Linux 6. JBoss Enterprise Application Platform 6 runs on host 10.1.1.2 . Optionally, the server has its own firewall. T he network firewall server runs on host 10.1.1.1 on interface eth0 , and has an external interface eth1 . You want traffic on port 5445 (a port used by JMS) forwarded to JBoss Enterprise Application Platform 6. No other traffic should be allowed through the network firewall. Procedure 9.8. T ask 1. Log into the Management Console. Log into the Management Console. By default, it runs on http://localhost:9990/console/. 2. Managed Domain: Determine the socket binding group your server group uses. Each server group uses a socket binding group, which is a collection of socket bindings. A socket binding is a name-value pair of port name and number. T o determine which socket binding group your server groups, click the Server Groups label at the top right side of the screen. T hen click the name of your server group in the Available server group configurations table. T he Server attributes area at the bottom of the screen is populated with the profile and socket binding group used by the server group. 3. Determine the socket bindings used by the socket binding group. Click the Profiles label at the top right of the Management Console. At the left-hand side of the screen, a series of menus is shown. T he bottom menu heading is General Configuration . Click the Socket Binding Groups item below this heading. T he Socket Binding Declarations screen appears. Initially, the standard-sockets group is shown. You can choose a different group by selecting it from the combo box on the right-hand side.
Note
If you use a standalone server, it has only one socket binding group. T he list of socket names and ports is shown, six values per page. You can go through the pages by using the arrow navigation below the table. 4. Determine the ports you need to open. Depending on the function of the particular port and the needs of your environment, some of the ports may need to be accessible across your firewall. If you are unsure of the purpose of a socket binding, refer to Section 9.8.4, Network Ports Used By JBoss Enterprise Application Platform 6 for a list of the default socket bindings and their purposes. 5. Configure your firewall to forward traffic to JBoss Enterprise Application Platform 6. Perform these steps to configure your network firewall to allow traffic on the desired port. a. Log into your firewall machine and access a command prompt, as the root user. b. Issue the command system -config-firewall to launch the firewall configuration utility. A GUI or command-line utility launches, depending on the way you are logged into the firewall system. T his task makes the assumption that you are logged in via SSH and using the command-line interface. c. Use the T AB key on your keyboard to navigate to the Custom ize button, and press the ENT ER key. T he T rusted Services screen appears. d. Do not change any values, but use the T AB key to navigate to the Forward button, and press ENT ER to advanced to the next screen. T he Other Ports screen appears. e. Use the T AB key to navigate to the <Add> button, and press ENT ER . T he Port and Protocol screen appears. f. Enter 54 4 5 in the Port / Port Range field, then use the T AB key to move to the Protocol field, and enter tcp . Use the T AB key to navigate to the OK button, and press ENT ER . g. Use the T AB key to navigate to the Forward button until you reach the Port Forwarding screen. h. Use the T AB key to navigate to the <Add> button, and press the ENT ER key. i. Fill in the following values to set up port forwarding for port 5445. Source interface: eth1 Protocol: tcp
163
164
Name
T able 9.2. Reference of the default socket bindings Port Mulicast Port Description full-hasockets Yes fullsockets Yes hasocket Yes standar dsocket Yes
ajp
8009
Apache JServ Protocol. Used for HT T P clustering and load balancing. T he default port for deployed web applications. SSL-encrypted connection between deployed web applications and clients. CORBA services for JT S transactions and other ORBdependent services. SSL-encrypted CORBA services. 7500 Multicast. Used for peer discovery in HA clusters. Multicast. Used to discover initial membership in a HA cluster. Unicast peer discovery in HA clusters using T CP. Used for HA failure detection over T CP. 45688 Unicast peer discovery in HA clusters using UDP. Used for HA failure detection over UDP. JMS service. Referenced by HornetQ JMS broadcast and discovery groups.
http
8080
Yes
Yes
Yes
Yes
https
8443
Yes
Yes
Yes
Yes
jacorb
3528
Yes
Yes
No
No
jacorb -ssl jgroup sdiagno stics jgroup sm ping jgroup s-tcp jgroup s-tcpfd jgroup s-udp jgroup s-udpfd m essag ing m essag inggroup m essag ingthroug hput m od_cl uster
3529
Yes Yes
Yes No
No Yes
No No
45700
Yes
No
Yes
No
7600
Yes
No
Yes
No
57600
Yes
No
Yes
No
55200
Yes
No
Yes
No
54200
Yes
No
Yes
No
5445
Yes Yes
Yes Yes
No No
No No
5455
Yes
Yes
No
No
23364
Multicast port for communication between the JBoss Enterprise Application Platform and the HT T P load balancer. Used by internal components which use the OSGi subsystem. Used for remote EJB
Yes
No
Yes
No
osgihttp
8090
Yes
Yes
Yes
Yes
rem oti
4447
Yes
Yes
Yes
Yes
165
4713
T he JT A / JT S transation manager.
Yes
Yes
Yes
Yes
Management Ports In addition to the socket binding groups, each host controller opens two more ports for management purposes: 9990 - T he Web Management Console port 9999 - T he port used by the Management Console and Management API Report a bug
166
1. Edit the configuration file. Open the configuration file for editing. T his file is located in one of two places, depending on whether you use a managed domain or standalone server. T his is not the executable file used to start the server or domain. A. Managed Domain EAP_HOME/bin/dom ain.conf B. Standalone Server EAP_HOME/bin/standalone.conf 2. Add the Java options at the end of the file. Add the following line to a new line at the very end of the file. You can modify the Djava.security.policy value to specify the exact location of your security policy. It should go onto one line only, with no line break. You can modify the -Djava.security.debug to log more or less information, by specifying the debug level. T he most verbose is failure,access,policy.
JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djboss.home.dir=$PWD/.. Djava.security.policy==$PWD/server.policy -Djava.security.debug=failure"
3. Start the domain or server. Start the domain or server as normal. Report a bug 9.9.3. About Java Security Manager Policies T he Java Security Manager uses a security policy to determine whether a given action will be permitted or denied. T he security policy is a set of defined permissions for different classes of code. T he Java Security Manager compares actions requested by applications against the security policy. If an action is allowed by the policy, the Java Security Manager will permit that action to take place. If the action is not allowed by the policy, the Java Security Manager will deny that action. T he security policy can define permissions based on the location of code or on the code's signature. T he Java Security Manager and the security policy used are configured using the Java Virtual Machine options java.security.m anager and java.security.policy. Report a bug 9.9.4 . Write a Java Security Manager Policy Introduction An application called policytool is included with most JDK and JRE distributions, for the purpose of creating and editing Java Security Manager security policies. Detailed information about policytool is linked from http://docs.oracle.com/javase/6/docs/technotes/tools/. Basic Information A security policy consists of the following configuration elements: CodeBase T he URL location (excluding the host and domain information) where the code originates from. T his parameter is optional. SignedBy T he alias used in the keystore to reference the signer whose private key was used to sign the code. T his can be a single value or a comma-separated list of values. T his parameter is optional. If omitted, presence or lack of a signature has no impact on the Java Security Manager. Principals A list of principal_type/principal_name pairs, which must be present within the executing thread's principal set. T he Principals entry is optional. If it is omitted, it signifies "any principals".
167
Permissions A permission is the access which is granted to the code. Many permissions are provided as part of the Java Enterprise Edition 6 (Java EE 6) specification. T his document only covers additional permissions which are provided by JBoss Enterprise Application Platform.
Procedure 9.10. T ask 1. Start policytool . Start the policytool tool in one of the following ways. A. Red Hat Enterprise Linux From your GUI or a command prompt, run /usr/bin/policytool . B. Microsoft Windows Server Run policytool.exe from your Start menu or from the bin\ of your Java installation. T he location can vary. 2. Create a new policy. T o create a new policy, select Add Policy Entry. Add the parameters you need, then click Done . 3. Edit an existing policy Select the policy from the list of existing policies, and select the Edit Policy Entry button. Edit the parameters as needed. 4. Delete an existing policy. Select the policy from the list of existing policies, and select the Delete Policy Entry button. Permission Specific to JBoss Enterprise Application Platform org.jboss.security.SecurityAssociation.getPrincipalInfo Provides access to the org.jboss.security.SecurityAssociationgetPrincipal() and getCredential() methods. T he risk involved with using this runtime permission is the ability to see the current thread caller and credentials. org.jboss.security.SecurityAssociation.getSubject Provides access to the org.jboss.security.SecurityAssociationgetSubject() method. org.jboss.security.SecurityAssociation.setPrincipalInfo Provides access to the org.jboss.security.SecurityAssociationsetPrincipal(), setCredential(), setSubject(), pushSubjectContext(), and popSubjectContext() methods. T he risk involved with using this runtime permission is the ability to set the current thread caller and credentials. org.jboss.security.SecurityAssociation.setServer Provides access to the org.jboss.security.SecurityAssociationsetServer method. T he risk involved with using this runtime permission is the ability to enable or disable multithread storage of the caller principal and credential. org.jboss.security.SecurityAssociation.setRunAsRole Provides access to the org.jboss.security.SecurityAssociationpushRunAsRole , popRunAsRole , pushRunAsIdentity, and popRunAsIdentity methods. T he risk involved with using this runtime permission is the ability to change the current caller run-as role principal. org.jboss.security.SecurityAssociation.accessContextInfo Provides access to the org.jboss.security.SecurityAssociationaccessContextInfo , and accessContextInfo getter and setter methods. T his allows you to both set and get the current security context info.
168
org.jboss.naming.JndiPermission Provides special permissions to files and directories in a specified JNDI tree path, or recursively to all files and subdirectories. A JndiPermission consists of a pathname and a set of valid permissions related to the file or directory. T he available permissions include: bind rebind unbind lookup list listBindings createSubcontext all Pathnames ending in /* indicate that the specified permissions apply to all files and directories of the pathname. Pathnames ending in /- indicate recursive permissions to all files and subdirectories of the pathname. Pathnames consisting of the special token <<ALL BINDINGS>> matches any file in any directory. org.jboss.security.srp.SRPPermission A custom permission class for protecting access to sensitive SRP information like the private session key and private key. T his permission does not have any actions defined. T he getSessionKey target provides access to the private session key which results from the SRP negotiation. Access to this key allows you to encrypt and decrypt messages that have been encrypted with the session key. org.hibernate.secure.HibernatePermission T his permission class provides basic permissions to secure Hibernate sessions. T he target for this property is the entity name. T he available actions include: insert delete update read * (all) org.jboss.metadata.spi.stack.MetaDataStackPermission Provides a custom permission class for controlling how callers interact with the metadata stack. T he available permissions are: modify push (onto the stack) pop (off the stack) peek (onto the stack) * (all) org.jboss.config.spi.ConfigurationPermission Secures setting of configuration properties. Defines only permission target names, and no actions. T he targets for this property include: <property name> (the property this code has permission to set) * (all properties) org.jboss.kernel.KernelPermission Secures access to the kernel configuration. Defines only permission target names and no actions. T he targets for this property include:
169
Report a bug 9.9.5. Debug Security Manager Policies You can enable debugging information to help you troubleshoot security policy-related issues. T he java.security.debug option configures the level of security-related information reported. T he command java -Djava.security.debug=help will produce help output with the full range of debugging options. Setting the debug level to all is useful when troubleshooting a security-related failure whose cause is completely unknown, but for general use it will produce too much information. A sensible general default is access:failure . Procedure 9.11. Enable general debugging T his procedure will enable a sensible general level of security-related debug information. Add the following line to the server configuration file. If the JBoss Enterprise Application Platform instance is running in a managed domain, the line is added to the bin/dom ain.conf file for Linux or the bin/dom ain.conf.bat file for Windows. If the JBoss Enterprise Application Platform instance is running as a standalone server, the line is added to the bin/standalone.conf file for Linux, or the bin\standalone.conf.bat file for Windows. Linux
JAVA_OPTS="$JAVA_OPTS -Djava.security.debug=access:failure"
Windows
JAVA_OPTS="%JAVA_OPTS% -Djava.security.debug=access:failure"
Result A general level of security-related debug information has been enabled. Report a bug
170
When set to false , property replacements are disabled. Procedure 9.12. jboss-descriptor-property-replacem ent jboss-descriptor-property-replacem ent is used to enable or disable property replacement in the following descriptors: jboss-ejb3.xm l jboss-app.xm l jboss-web.xm l * -jm s.xm l * -ds.xm l T he default value for jboss-descriptor-property-replacem ent is true . 1. In the Management CLI, run the following command to determine the value of jbossdescriptor-property-replacem ent:
/subsystem=ee:read-attribute(name="jboss-descriptor-property-replacement")
Procedure 9.13. spec-descriptor-property-replacem ent spec-descriptor-property-replacem ent is used to enable or disable property replacement in the following descriptors: ejb-jar.xm l persistence.xm l T he default value for spec-descriptor-property-replacem ent is false . 1. In the Management CLI, run the following command to confirm the value of spec-descriptorproperty-replacem ent:
/subsystem=ee:read-attribute(name="spec-descriptor-property-replacement")
Result T he descriptor based property replacement tags have been successfully configured. Report a bug
171
172
4. Run the keytool command, supplying the information that you gathered. Example 9.25. Example input and output of keystore command
$ keytool -genkey -alias vault -keyalg RSA -keysize 1024 -keystore /home/USER/vault/vault.keystore Enter keystore password: vault22 Re-enter new password:vault22 What is your first and last name? [Unknown]: Accounting Administrator What is the name of your organizational unit? [Unknown]: AccountingServices What is the name of your organization? [Unknown]: MyOrganization What is the name of your City or Locality? [Unknown]: Raleigh What is the name of your State or Province? [Unknown]: NC What is the two-letter country code for this unit? [Unknown]: US Is CN=Accounting Administrator, OU=AccountingServices, O=MyOrganization, L=Raleigh, ST=NC, C=US correct? [no]: yes Enter key password for <vault> (RETURN if same as keystore password):
Result A file named vault.keystore is created in the /hom e/USER/vault/ directory. It stores a single key, called vault, which will be used to store encrypted strings, such as passwords, for the JBoss Enterprise Application Platform. Report a bug 9.11.3. Mask the Keystore Password and Initialize the Password Vault Prerequisites Section 9.11.2, Create a Java Keystore to Store Sensitive Strings T he EAP_HOME/bin/vault.sh application needs to be accessible via a command-line interface. 1. Run the vault.sh command. Run EAP_HOME/bin/vault.sh . Start a new interactive session by typing 0 . 2. Enter the directory where encrypted files will be stored. T his directory should be reasonably secure, but the JBoss Enterprise Application Platform needs to be able to access it. If you followed Section 9.11.2, Create a Java Keystore to Store Sensitive Strings, your keystore is in a directory called vault/ in your home directory. T his example uses the directory /hom e/USER/vault/.
173
3. Enter the path to the keystore. Enter the full path to the keystore file. T his example uses /hom e/USER/vault/vault.keystore . 4. Encrypt the keystore password. T he following steps encrypt the keystore password, so that you can use it in configuration files and applications securely. a. Enter the keystore password. When prompted, enter the keystore password. b. Enter a salt value. Enter an 8-character salt value. T he salt value, together with the iteration count (below), are used to create the hash value. c. Enter the iteration count. Enter a number for the iteration count. d. Make a note of the masked password information. T he masked password, the salt, and the iteration count are printed to standard output. Make a note of them in a secure location. An attacker could use them to decrypt the password. e. Enter the alias of the vault. When prompted, enter the alias of the vault. If you followed Section 9.11.2, Create a Java Keystore to Store Sensitive Strings to create your vault, the alias is vault. 5. Exit the interactive console. T ype exit to exit the interactive console. Result Your keystore password has been masked for use in configuration files and deployments. In addition, your vault is fully configured and ready to use. Report a bug 9.11.4 . Configure the JBoss Enterprise Application Platform to Use the Password Vault Overview Before you can mask passwords and other sensitive attributes in configuration files, you need to make the JBoss Enterprise Application Platform aware of the password vault which stores and decrypts them. Follow this procedure to enable this functionality. Prerequisites Section 9.11.2, Create a Java Keystore to Store Sensitive Strings Section 9.11.3, Mask the Keystore Password and Initialize the Password Vault Procedure 9.15. T ask 1. Determine the correct values for the command. Determine the values for the following parameters, which are determined by the commands used to create the keystore itself. For information on creating a keystore, refer to the following topics: Section 9.11.2, Create a Java Keystore to Store Sensitive Strings and Section 9.11.3, Mask the Keystore Password and Initialize the Password Vault. Parameter KEYST ORE_URL Description T he file system path or URI of the keystore file, usually called something like vault.keystore T he password used to access the keystore. T his value should be masked. T he name of the keystore. T he salt used to encrypt and decrypt keystore values. T he number of times the encryption algorithm is run. T he path to the directory from which the keystore commands are run. T ypically the
174
2. Use the Management CLI to enable the password vault. Run one of the following commands, depending on whether you use a managed domain or standalone server configuraiton. Substitute the values in the command with the ones from the first step of this procedure. A. Managed Domain
/host=YOUR_HOST/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "PATH_TO_KEYSTORE"), ("KEYSTORE_PASSWORD" => "MASKED_PASSWORD"), ("KEYSTORE_ALIAS" => "ALIAS"), ("SALT" => "SALT"),("ITERATION_COUNT" => "ITERATION_COUNT"), ("ENC_FILE_DIR" => "ENC_FILE_DIR")])
B. Standalone Server
/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "PATH_TO_KEYSTORE"), ("KEYSTORE_PASSWORD" => "MASKED_PASSWORD"), ("KEYSTORE_ALIAS" => "ALIAS"), ("SALT" => "SALT"),("ITERATION_COUNT" => "ITERATION_COUNT"), ("ENC_FILE_DIR" => "ENC_FILE_DIR")])
Result T he JBoss Enterprise Application Platform is configured to decrypt masked strings using the password vault. T o add strings to the vault and use them in your configuration, refer to the following topic: Section 9.11.5, Store and Retrieve Encrypted Sensitive Strings in the Java Keystore. Report a bug 9.11.5. Store and Retrieve Encrypted Sensitive Strings in the Java Keystore Overview Including passwords and other sensitive strings in plain-text configuration files is insecure. T he JBoss Enterprise Application Platform includes the ability to store and mask these sensitive strings in an encrypted keystore, and use masked values in configuration files. Prerequisites Section 9.11.2, Create a Java Keystore to Store Sensitive Strings Section 9.11.3, Mask the Keystore Password and Initialize the Password Vault Section 9.11.4, Configure the JBoss Enterprise Application Platform to Use the Password Vault T he EAP_HOME/bin/vault.sh application needs to be accessible via a command-line interface. Procedure 9.16. T ask 1. Run the vault.sh command. Run EAP_HOME/bin/vault.sh . Start a new interactive session by typing 0 . 2. Enter the directory where encrypted files will be stored. If you followed Section 9.11.2, Create a Java Keystore to Store Sensitive Strings, your keystore is in a directory called vault/ in your home directory. In most cases, it makes sense to store all of your encrypted information in the same place as the key store. T his example uses the directory /hom e/USER/vault/.
Note
Do not forget to include the trailing slash on the directory name. Either use / or \, depending on your operating system. 3. Enter the path to the keystore.
175
9. Make note of the information about the encrypted string. A message prints to standard output, showing the vault block, attribute name, shared key, and advice about using the string in your configuration. Make note of this information in a secure location. Example output is shown below.
******************************************** Vault Block:ds_ExampleDS Attribute Name:password Shared Key:N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0 Configuration should be done as follows: VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNm I2TElORV9CUkVBS3ZhdWx0 ********************************************
10. Use the encrypted string in your configuration. Use the string from the previous step in your configuration, in place of a plain-text string. A datasource using the encrypted password above is shown below.
... <subsystem xmlns="urn:jboss:domain:datasources:1.0"> <datasources> <datasource jndi-name="java:jboss/datasources/ExampleDS" enabled="true" use-java-context="true" pool-name="H2DS"> <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url> <driver>h2</driver> <pool></pool> <security> <user-name>sa</user-name> <password>VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNl MDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0</password> </security> </datasource> <drivers> <driver name="h2" module="com.h2database.h2"> <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasourceclass> </driver> </drivers> </datasources> </subsystem> ...
You can use an encrypted string anywhere in your domain or standalone configuration file. After you store your string in the keystore, use the following syntax to replace any clear-text string with an encrypted one.
176
Here is a sample real-world value, where the vault block is ds_Exam pleDS and the attribute is password .
<password>${VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMW NlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0}</password>
Report a bug 9.11.6. Store and Resolve Sensitive Strings In Your Applications Overview Configuration elements of the JBoss Enterprise Application Platform support the ability to resolve encrypted strings against values stored in a Java Keystore, via the Security Vault mechanism. You can add support for this feature to your own applications. First, add the password to the vault. Second, replace the clear-text password with the one stored in the vault. You can use this method to obscure any sensitive string in your application. Prerequisites Before performing this procecure, make sure that the directory for storing your vault files exists. It does not matter where you place them, as long as the user who executes JBoss Enterprise Application Platform has permission to read and write the files. T his example places the vault/ directory into the /hom e/USER/vault/ directory. T he vault itself is a file called vault.keystore inside the vault/ directory.
177
Example 9.26. Adding the Password String to the Vault Add the string to the vault using the EAP_HOME/bin/vault.sh command. T he full series of commands and responses is included in the following screen output. Values entered by the user are emphasized. Some output is removed for formatting. In Microsoft Windows, the name of the command is vault.bat. Note that in Microsoft Windows, file paths use the \ character as a directory separater, rather than the / character.
[user@host bin]$ ./vault.sh ********************************** **** JBoss Vault ******** ********************************** Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit 0 Starting an interactive session Enter directory to store encrypted files:/home/user/vault/ Enter Keystore URL:/home/user/vault/vault.keystore Enter Keystore password: ... Enter Keystore password again: ... Values match Enter 8 character salt:12345678 Enter iteration count as a number (Eg: 44):25 Enter Keystore Alias:vault Vault is initialized and ready for use Handshake with Vault complete Please enter a Digit:: 0: Store a password 2: Exit 0 Task: Store a password Please enter attribute value: sa Please enter attribute value again: sa Values match Enter Vault Block:DS Enter Attribute Name:thePass Attribute Value for (DS, thePass) saved
Please make note of the following: ******************************************** Vault Block:DS Attribute Name:thePass Shared Key:OWY5M2I5NzctYzdkOS00MmZhLWExZGYtNjczM2U5ZGUyOWIxTElORV9CUkVBS3ZhdWx0 Configuration should be done as follows: VAULT::DS::thePass::OWY5M2I5NzctYzdkOS00MmZhLWExZGYtNjczM2U5ZGUyOWIxTElORV9CUkVBS 3ZhdWx0 ******************************************** Please enter a Digit:: 2: Exit 2 0: Store a password 1: Check whether password exists
T he string that will be added to the Java code is the last value of the output, the line beginning with VAULT .
T he following servlet uses the vaulted string instead of a clear-text password. T he clear-text version is commented out so that you can see the difference.
178
/*@DataSourceDefinition( name = "java:jboss/datasources/LoginDS", user = "sa", password = "sa", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:tcp://localhost/mem:test" )*/ @DataSourceDefinition( name = "java:jboss/datasources/LoginDS", user = "sa", password = "VAULT::DS::thePass::OWY5M2I5NzctYzdkOS00MmZhLWExZGYtNjczM2U5ZGUyOWIxTElORV9CUkVB S3ZhdWx0", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:tcp://localhost/mem:test" ) @WebServlet(name = "MyTestServlet", urlPatterns = { "/my/" }, loadOnStartup = 1) public class MyTestServlet extends HttpServlet { private static final long serialVersionUID = 1L;
@Resource(lookup = "java:jboss/datasources/LoginDS") private DataSource ds; @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { Writer writer = resp.getWriter(); writer.write((ds != null) + ""); } }
Your servlet is now able to resolve the vaulted string. Report a bug
179
180
Option
T able 10.2. Client Module Options T ype true or false Default false Description Set to true if each thread has its own principal and credential storage. Set to false to indicate that all threads in the VM share the same identity and credential. Set to useFirstPass to indicate that this login module should look for information stored in the LoginContext to use as the identity. T his option can be used when stacking other login modules with this one. Set to true if the identity and credential seen at the start of the login() method should be restored after the logout() method is invoked. m ulti-threaded
password-stacking
useFirstPass or false
false
>restore-loginidentity
true or false
false
T able 10.3. Certificate Code Class Description Certificate org.jboss.security.auth.spi.BaseCertL oginModule T his login module is designed to authenticate users based on X509 Certificates. A use case for this is CLIENT -CERT authentication of a web application.
T able 10.4 . Certificate Module Options Option securityDom ain T ype string Default none Description Name of the security domain that has the JSSE configuration for the truststore holding the trusted certificates. T he class name of the org.jboss.securit y.auth.certs.X509 CertificateVerifi er to use for verification of the login certificate.
verifier
Class
none
T able 10.5. CertificateUsers Code Class Description CertificateUsers org.jboss.security.auth.spi.UsersRole sLoginModule Uses a properties resources. T he first maps usernames to passwords, and the second maps usernames to roles.
181
password-stacking
useFirstPass or false
false
hashAlgorithm
A string
none
hashEncoding
base64 or hex
base64
182
hashCharSet
A string
T he encoding used to convert the clear-text password to a byte array. T he file containing the mappings between users and passwords. Each property in the file has the format usernam e=password . T he file containing the mappings between users and roles. Each property in the file has the format usernam e=role1,ro le2,...,roleN . Whether the password comparison should ignore case. T his is useful for hashed password encoding where the case of the hashed password is not significant. A Principal implementation class which contains a constructor that takes a String argument for the princpal name. T he character used to seperate the username from the role group name in the rolesGroup file. Name of the resource or file to fall back to if the usersProperties file can't be found. Name of the resource or file to fall back to if the rolesProperties file cannot be found. Whether to hash the password entered by the user, when hashAlgorithm is specified. Defaults to true . Whether the store password returned from getUsersPassword( ) should be hashed, when hashAlgorithm is specified. T he class name of the org.jboss.crypto. digest.DigestCall
usersProperties
rolesProperties
roles.properties
ignorePasswordCas e
true or false
false
principalClass
A fully-qualified classname.
none
roleGroupSeparato r
A single character
. (a single period)
defaultUsersPrope rties
string
defaultUsers.prop erties
defaultRolesPrope rties
string
defaultRoles.prop erties
hashUserPassword
true or false
true
hashStorePassword
true or false
true
digestCallback
A fully-qualified classname.
none
183
callback.option.S TRING
Various
none
T able 10.7. CertificateRoles Code Class Description CertificateRoles org.jboss.security.auth.spi.CertRoles LoginModule T his login module extends the Certificate login module to add role mapping capabilities from a properties file. It takes all of the same options as the Certificate login module, and adds the following options.
184
T able 10.8. CertificateRoles Module Options Option rolesProperties T ype A string Default roles.properties Description T he name of the resource or file containing the roles to assign to each user. T he role properties file must be in the format username=role1,role2 where the username is the DN of the certificate, escaping any = (equals) and space characters. T he following example is in the correct format:
CN\=unit-testsclient,\ OU\=Red\ Hat\ Inc.,\ O\=Red\ Hat\ Inc.,\ ST\=North\ Carolina,\ C\=US=JBossAdmin
defaultRolesPrope rties
A string
defaultRoles.prop erties
Name of the resource or file to fall back to if the rolesProperties file cannot be found. Which character to use as the role group separator in the roleProperties file.
roleGroupSeparato r
A single character
. (a single period)
T able 10.9. Database Code Class Description Database org.jboss.security.auth.spi.DatabaseS erverLoginModule A JDBC-based login module that supports authentication and role mapping. It is based on two logical tables, with the following definitions. Principals: PrincipalID (text), Password (text) Roles: PrincipalID (text), Role (text), RoleGroup (text)
185
principalsQuery
select Password from Principals where PrincipalID=? select Role, RoleGroup from Roles where PrincipalID=?
rolesQuery
T able 10.11. DatabaseCertificate Code Class Description DatabaseCertificate org.jboss.security.auth.spi.DatabaseC ertLoginModule T his login module extends the Certificate login module to add role mapping capabilities from a database table. It has the same options plus these additional options:
T able 10.12. DatabaseCertificate Module Options Option dsJndiNam e T ype A JNDI resource Default Description T he name of the JNDI resource storing the authentication information. T his option is required. select Role,RoleGroup from Roles where PrincipalID=? SQL prepared statement to be executed in order to map roles. It should be an equivalent to select Role, RoleGroup from Roles where PrincipalID=? , where Role is the role name and the RoleGroup column value should always be Roles. with capital R . Whether any existing JT A transaction should be suspended during database operations.
rolesQuery
suspendResum e
true or false
true
T able 10.13. Identity Code Class Description Identity org.jboss.security.auth.spi.IdentityL oginModule Associates the principal specified in the module options with any subject authenticated against the module. T he type of Principal class used is org.jboss.security.Sim plePrincipal.. If no principal option is specified a principal with the name of guest is used.
186
T able 10.14 . Identity Module Options Option principal roles T ype A string A comma-separated list of strings Default guest none Description T he name to use for the principal. A comma-delimited list of roles which will be assigned to the subject.
T able 10.15. Ldap Code Class Description Ldap org.jboss.security.auth.spi.LdapLogin Module Authenticates against an LDAP server, when the username and password are stored in an LDAP server that is accessible using a JNDI LDAP provider. Many of the options are not required, because they are determined by the LDAP provider or the environment.
187
ldap:// URL none , sim ple , or the name of a SASL mechanism A transport protocol
A string
A credential type
none
principalDNPrefi x
A string
none
principalDNSuffix string
useObjectCredenti al
true or false
188
rolesCtxDN
A fully-qualified DN
none
T he fully-qualified DN for the context to search for user roles. T he attribute in the user object that contains the DN for the context to search for user roles. T his differs from rolesCtxDN in that the context to search for a user's roles may be unique for each user. Name of the attribute containing the user roles. Whether or not the roleAttributeID contains the fullyqualified DN of a role object. If false, the role name is taken from the value of the roleNam eAttribute Id attribute of the context name. Certain directory schemas, such as Microsoft Active Directory, require this attribute to be set to true . Name of the attribute within the roleCtxDN context which contains the role name. If the roleAttributeIsDN property is set to true , this property is used to find the role object's name attribute. Name of the attribute in the UserRolesAttribut eDN that corresponds to the user ID. T his is used to locate the user roles. Whether or not the search for user roles should match on the user's fully distinguished DN or the username only. If true , the full user DN is used as the match value. If false , only the username is used as the match value against the uidAttributeNam e attribute. Whether to allow empty passwords. Most LDAP servers treat empty passwords as
userRolesCtxDNAtt ributeNam e
An attribute
none
rolesAttributeID
An attribute
roles
rolesAttributeIsD N
true or false
false
An attribute
group
uidAttributeID
An attribute
uid
m atchOnUserDN
true or false
false
allowEm ptyPasswor ds
true or false
true
189
T able 10.17. LdapExtended Code Class Description LdapExtended org.jboss.security.auth.spi.LdapExtLo ginModule An alternate LDAP login module implementation that uses searches to locate the bind user and associated roles. T he roles query recursively follows DNs to navigate a hierarchical role structure. It uses the same java.nam ing options as the Ldap module, and uses the following options instead of the other options of the Ldap module. T he authentication happens in 2 steps: 1. An initial bind to the LDAP server is done using the bindDN and bindCredential options. T he bindDN is a LDAP user with the ability to search both the baseCtxDN and rolesCtxDN trees for the user and roles. T he user DN to authenticate against is queried using the filter specified by the baseFilter attribute. 2. T he resulting user DN is authenticated by binding to the LDAP server using the user DN as the InitialLdapContext environment Context.SECURIT Y_PRINCIPAL. T he Context.SECURIT Y_CREDENT IALS property is set to the String password obtained by the callback handler.
190
T able 10.18. LdapExtended Module Options Option baseCtxDN T ype A fully-qualified DN Default none Description T he fixed DN of the top-level context to begin the user search. T he DN used to bind against the LDAP server for the user and roles queries. T his DN needs read and search permissions on the baseCtxDN and rolesCtxDN values. T he password for the bindDN . T his can be encrypted if the jaasSecurityDom ai n is specified. T he JMX ObjectNam e of the JaasSecurityDom ai n to use to decrypt the bindCredential . T he encrypted form of the password is the format returned by the JaasSecurityDom ai n.encrypt64 (byte[ ]) method. A search filter used to locate the context of the user to authenticate. T he input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}). T he fixed DN of the context to search for user roles. T his is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is. A search filter used to locate the roles associated with the authenticated user. T he input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. T he authenticated userDN is substituted into the
bindDN
A fully-qualified DN
none
bindCredential
none
jaasSecurityDom ai n
A JMX ObjectName
none
baseFilter
none
rolesCtxDN
fully-qualified DN
none
roleFilter
191
none false
parseUsernam e
true or false
false
usernam eBeginStri ng
a string
none
usernam eEndString
a string
none
192
roleNam eAttribute ID
An attribute
group
Name of the attribute within the roleCtxDN context which contains the role name. If the roleAttributeIsDN property is set to true , this property is used to find the role object's name attribute. T he name of the attribute in the user entry that contains the DN of the user. T his may be necessary if the DN of the user itself contains special characters (backslash for example) that prevent correct user mapping. If the attribute does not exist, the entry's DN is used. T he numbers of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0 . T he timeout in milliseconds for user or role searches. T he search scope to use.
distinguishedNam e Attribute
An attribute
distinguishedNam e
roleRecursion
An integer
searchT im eLim it
An integer
searchScope
SUBT REE_SCOPE
allowEm ptyPasswor ds
true
Whether to allow empty passwords. Most LDAP servers treat empty passwords as anonymous login attempts. T o reject empty passwords, set this to false.
T able 10.19. RoleMapping Code Class Description RoleMapping org.jboss.security.auth.spi.RoleMapp ingLoginModule Maps a role which is the end result of the authentication process to a declarative role. T his module must be flagged as optional when you add it to the security domain.
193
replaceRole
true or false
false
T able 10.21. RunAs Code Class RunAs Class: org.jboss.security.auth.spi.RunAsLogi nModule A helper module that pushes a run as role onto the stack for the duration of the login phase of authentication, and pops the run as role off the stack in either the commit or abort phase. T his login module provides a role for other login modules that must access secured resources in order to perform their authentication, such as a login module which accesses a secured EJB. RunAsLoginModule must be configured before the login modules that require a run as role to be established.
Description
T able 10.22. RunAs Options Option roleNam e T ype A role name. Default nobody Description T he name of the role to use as the run as role during the login phase.
T able 10.23. Sim ple Code Class Description Sim ple org.jboss.security.auth.spi.Sim pleSe rverLoginModule A module for quick setup of security for testing purposes. It implements the following simple algorithm: f the password is null, authenticate the user and assign an identity of guest and a role of guest. Otherwise, if the password is equal to theuser, assign an identity equal to the username and both and and guest roles. Otherwise, authentication fails.
194
Code Class
T able 10.24 . ConfiguredIdentity ConfiguredIdentity org.picketbox.datasource.security.Co nfiguredIdentityLoginModule Associates the principal specified in the module options with any subject authenticated against the module. T he type of Principal class used is org.jboss.security.Sim plePrincipal .
Description
T able 10.25. ConfiguredIdentity Module Options Option principal T ype Name of a principal. Default guest Description T he principal which will be associated with any subject authenticated against the module.
T able 10.26. SecureIdentity Code Class Description SecureIdentity org.picketbox.datasource.security.Se cureIdentityLoginModule T his module is provided for legacy purposes. It allows you to encrypt a password and then use the encrypted password with a static principal. If your application uses SecureIdentity, consider using a password vault mechanism instead.
T able 10.27. SecureIdentity Module Options Option usernam e password T ype string encrypted string Default none none Description T he username for authentication. T he password to use for authentication. T o encrypt the password, use the module directly at the command line.
java org.picketbox.d atasource.secur ity.SecureIdent ityLoginModule password_to_enc rypt
Paste the result of this command into the module option's value field. m anagedConnectio nFactoryNam e A JCA resource none T he name of the JCA connection factory for your datasource.
195
T able 10.29. PropertiesUsers Module Options Option properties T ype T he fully-qualified file path and name of a Java properties file or resource. Default none Description T he properties file containing the usernames and cleartext passwords to be used for authentication.
T able 10.30. Sim pleUsers Code Class Description Sim pleUsers org.jboss.security.auth.spi.Sim pleUs ersLoginModule T his login module stores the username and clear-text password in a Java properties file. It is included for testing only, and is not appropriate for a production environment.
T able 10.31. Sim pleUsers Module Options Option usernam e password T ype string string Default none none Description T he username to use for authentication. T he clear-text password to use for authentication.
T able 10.32. LdapUsers Code Class Description LdapUsers org.jboss.security.auth.spi.LdapUsers LoginModule T he LdapUsers module is superseded by the ExtendedLDAP and AdvancedLdap modules.
T able 10.33. Kerberos Code Class Description Kerberos com .sun.security.auth.m odule.Krb5Log inModule Performs Kerberos login authentication, using GSSAPI. T his module is part of the security framework from the API provided by Sun Microsystems. Details can be found at http://docs.oracle.com/javase/1.4.2/docs/guide/se curity/jaas/spec/com/sun/security/auth/module/Kr b5LoginModule.html. T his module needs to be paired with another module which handles the authentication and roles mapping.
196
T able 10.34 . Kerberos Module Options Option storekey T ype true or false Default false Description Whether or not to add the KerberosKey to the subject's private credentials. If set to true , the user is not prompted for the password. If true , the GT G is obtained from the ticket cache. If false , the ticket cache is not used. T he location of the ticket cache.
doNotProm pt
true or false
false
useT icketCache
false
ticketcache
T he default depends on which operating system you use. Red Hat Enterprise Linux / Solaris: /tm p/krb5cc_uid , using the numeric UID value of the operating system. Microsoft Windows Server: uses the Local Security Authority (LSA) API to find the ticketcache.
useKeyT ab
true or false
false
Whether to obtain the principal's key from a key table file. T he location of the key table file.
keytab
the location in the operating system's Kerberos configuration file, or /hom e/user/krb5.k eytab none
principal
A string
T he name of the principal. T his can either be a simple user name or a service name such as host/testserver.a cm e.com . Use this instead of obtaining the principal from the key table, or when the key table contains more than one principal. Whether to retrieve the username and password from the module's shared state, using javax.security.au th.login.nam e and javax.security.au th.login.password as the keys. If authentication fails, no retry attempt is made. Same as useFirstPass, but if authentication fails, the
useFirstPass
true or false
false
tryFirstPass
true or false
false
197
clearPass
true or false
false
T able 10.35. SPNEGOUsers Code Class Description SPNEGOUsers org.jboss.security.negotiation.spneg o.SPNEGOLoginModule Allows SPNEGO authentication to a Microsoft Active Directory server or other environment which supports SPNEGO. SPNEGO can also carry Kerberos credentials. T his module needs to be paired with another module which handles authentication and role mapping.
T able 10.36. SPNEGO Module Options Option storeKey useKeyT ab principal T ype true or false true or false String reperesenting a principal for Kerberos auhentication. A file or resource representing a keytab. true or false true or false Default false false none Description Whether or not to store the key. Whether to use a key table. T he name of the principal for authentication. T he location of a key table. Whether to prompt for a password. Whether to record more verbose messages for debugging purposes.
T able 10.37. AdvancedLdap Code Class Description AdvancedLdap org.jboss.security.negotiation.Advan cedLdapLoginModule A module which provides additional functionality, such as SASL and the use of a JAAS security domain.
198
T able 10.38. AdvancedLdap Module Options Option bindAuthenticatio n T ype string Default none Description T he type of SASL authentication to use for binding to the directory server. T he name of the JAAS security domain to use. T he URI of the directory server. T he distinguished name to use as the base for searches. T he filter to use to narrow down search results. T he LDAP attribute which contains the names of authorization roles. Whether the role attribute is a Distinguished Name (DN). T he attribute contained within the RoleAttributeId which contains the actual role attribute. Whether to recorsively search the RoleAttributeId for roles.
string string A fully qualified Distinguished Name (DN). String representing a LDAP search filter. A string representing an LDAP attribute.
baseFilter
none
roleAttributeID
none
roleAttributeIsDN
true or false
false
roleNam eAttribute ID
none
recurseRoles
true or false
false
T able 10.39. AdvancedADLdap Code Class Description AdvancedADLdap org.jboss.security.negotiation.Advan cedADLoginModule T his module extends the AdvancedLdap login module, and adds extra parameters that are relevant to Microsoft Active Directory.
T able 10.4 0. AdvancedADLdap Module Options Option prim aryGroupID T ype A string representing a Microsoft Active Directory group ID. Default none Description A primary group for limiting authorization. T he primary group ID is used to obtain the objectSid of the user, for authorization.
T able 10.4 1. UsersRoles Code Class Description UsersRoles org.jboss.security.auth.spi.UsersRole sLoginModul A simple login module that supports multiple users and user roles stored in two different properties files.
199
rolesProperties
roles.properties
password-stacking
useFirstPass or false
false
hashAlgorithm
none
hashEncoding
base64 or hex
base64
hashCharset
A string
unauthenticatedId entity
A principal name
200
Custom Authentication Modules Authentication modules are implementations of org.jboss.security.LoginModule . Refer to the API documentation for more information about creating a custom authentication module. Report a bug
Report a bug
Report a bug
201
202
203
Report a bug 11.1.5. About Log Levels Log levels are an ordered set of enumerated values that indicate the nature and severity of a log message. T he level of a given log message is specified by the developer using the appropriate methods of their chosen logging framework to send the message. JBoss Enterprise Application Platform 6 supports all the log levels used by the supported application logging frameworks. T he most commonly used six log levels are (in order of lowest to highest): T RACE , DEBUG , INFO , WARN , ERROR and FAT AL. Log levels are used by log categories and handlers to limit the messages they are responsible for. Each log level has an assigned numeric value which indicates its order relative to other log levels. Log categories and handlers are assigned a log level and they only process log messages of that level or higher. For example a log handler with the level of WARN will only record messages of the levels WARN , ERROR and FAT AL. Report a bug 11.1.6. Supported Log Levels T able 11.3. Supported Log Levels Log Level FINEST FINER T RACE Value 300 400 400 Description Use for messages that provide detailed information about the running state of an application. Log messages of T RACE are usually only captured when debugging an application. Use for messages that indicate the progress individual requests or activities of an application. Log messages of DEBUG are usually only captured when debugging an application. Use for messages that indicate the overall progress of the application. Often used for application startup, shutdown and other major lifecycle events. Use to indicate a situation that is not in error but is not considered ideal. May indicate circumstances that may lead to errors in the future. Use to indicate an error that has occurred that could prevent the current activity or request from completing but will not prevent the application from running. Use to indicate events that could cause critical service failure and application shutdown and possibly cause JBoss Enterprise Application Platform 6 to shutdown.
DEBUG
500
FAT AL
1100
Report a bug
204
11.1.7. About Log Categories Log categories define a set of log messages to capture and one or more log handlers which will process the messages. T he log messages to capture are defined by their Java package of origin and log level. Messages from classes in that package and of that log level or lower are captured by the log category and sent to the specified log handlers. Log categories can optionally use the log handlers of the root logger instead of their own handlers. Report a bug 11.1.8. About the Root Logger T he root logger captures all log messages sent to the server (of a specified level) that are not captured by a log category. T hese messages are then sent to one or more log handlers. By default the root logger is configured to use a console and a periodic log handler. T he periodic log handler is configured to write to the file server.log . T his file is sometimes referred to as the server log. Report a bug 11.1.9. About Log Handlers Log handlers define how captured log messages are recorded by JBoss Enterprise Application Platform. T here are six types of log handler that can be configured: Console , File , Periodic , Size , Async and Custom . Report a bug 11.1.10. T ypes of Log Handlers Console Console log handlers write log messages to either the host operating systems standard out (stdout) or standard error (stderr) stream. T hese messages are displayed when JBoss Enterprise Application Platform 6 is run from a command line prompt. T he messages from a Console log handler are not saved unless the operating system is configured to captured the standard out or standard error stream. File File log handlers are the simplest log handlers that write log messages to a specified file. Periodic Periodic file handlers write log messages to a named file until a specified period of time has elapsed. Once the time period has past then the file is renamed by appending the specified timestamp and the handler continues to write into a newly created log file with the original name. Size Size log handlers write log messages to a named file until the file reaches a specified size. When the file reaches a specified size, it is renamed with a numeric prefix and the handler continues to write into a newly created log file with the original name. Each size log handler must specify the maximum number of files to be kept in this fashion. Async Async log handlers are wrapper log handlers that provide asynchronous behaviour for one or more other log handlers. T hese are useful for log handlers that may have high latency or other performance problems such as writing a log file to a network file system. Custom Custom log handlers enable to you to configure new types of log handlers that have been implemented. A custom handler must be implemented as a Java class that extends
205
Report a bug 11.1.11. About Log Formatters A log formatter is the configuration property of a log handler that defines the appearance of log messages from that handler. It is a string that uses a syntax based on java.util.Form atter class. For example the log formatter string from the default configuration, %d{HH:m m :ss,SSS} %-5p [%c] (%t) %s%E%n , creates log messages that look like:
15:53:26,546 INFO [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0.0.1:9990
Report a bug 11.1.12. Log Formatter Syntax T able 11.4 . Log Formatter Syntax Symbol %c %p %P %d %r %z %k %m %s %e %E %t %n %C %F %l %L %M %x %X %% Description T he category of the logging event T he level of the log entry (info/debug/etc) T he localized level of the log entry T he current date/time (yyyy-MM-dd HH:mm:ss,SSS form) T he relative time (milliseconds since the log was initialised) T he time zone A log resource key (used for localization of log messages) T he log message (including exception trace) T he simple log message (no exception trace) T he exception stack trace (no extended module information) T he exception stack trace (with extended module information) T he name of the current thread A newline character T he class of the code calling the log method (slow) T he filename of the class calling the log method (slow) T he source location of the code calling the log method (slow) T he line number of the code calling the log method (slow) T he method of the code calling the log method (slow) T he Log4J Nested Diagnostic Context T he Log4J Message Diagnostic Context A literal percent character (escaping)
Report a bug
206
Figure 11.1. Logging Configuration in the Management Console T he tasks you can perform to configure the root logger are: Edit the log level. Add and remove log handlers. T he tasks you can perform to configure log categories are: Add and remove log categories. Edit log category properties. Add and remove log handlers from a category. T he main tasks you can perform to configure log handlers are: Adding new handlers. Configuring handlers. All six supported log handlers (including custom) can be configured in the management console. Report a bug
207
Set the Log Level of the Root Logger Use the write-attribute operation with the following syntax where LEVEL is one of the supported log levels.
/subsystem=logging/root-logger=ROOT:write-attribute(name="level", value="LEVEL")
Example 11.2. Root Logger write-attribute operation to set the log level
[standalone@localhost:9999 /] /subsystem=logging/root-logger=ROOT:writeattribute(name="level", value=DEBUG) {"outcome" => "success"} [standalone@localhost:9999 /]
Add a Log Handler to the Root Logger Use the root-logger-assign-handler operation with the following syntax where HANDLER is the name of the log handler to be added.
/subsystem=logging/root-logger=ROOT:root-logger-assignhandler(name="HANDLER")
T he log handler must already have been created before it can be added to the root logger.
Remove a Log Handler from the Root Logger Use the root-logger-unassign-handler with the following syntax, where HANDLER is the name of the log handler to be removed.
/subsystem=logging/root-logger=ROOT:root-logger-unassignhandler(name="HANDLER")
208
Report a bug 11.3.2. Configure a Log Category in the CLI Log categories can be added, removed and edited in the CLI. T he main tasks you will perform to configure a log category are: Display the configuration of a log category. Add a new log category. Set the log level. Add log handlers to a log category. Remove log handlers from a log category. Remove a log category. Display a log category configuration Use the read-resource operation with the following syntax. Replace CATEGORY with the name of the category.
/subsystem=logging/logger=CATEGORY:read-resource
Add a log category Use the add operation with the following syntax. Replace CATEGORY with the category to be added.
/subsystem=logging/logger=CATEGORY:add
Set the log level Use the write-attribute operation with the following syntax. Replace CATEGORY with the name of the log category and LEVEL with the log level that is to be set.
/subsystem=logging/logger=CATEGORY:write-attribute(name="level", value="LEVEL")
209
Set the log category to use the log handlers of the root logger. Use the write-attribute operation with the following syntax. Replace CATEGORY with the name of the log category. Replace BOOLEAN with true for this log category to use the handlers of the root logger. Replace it with false if it is to use only its own assigned handlers.
/subsystem=logging/logger=CATEGORY:write-attribute(name="use-parenthandlers", value="BOOLEAN")
Add a log handlers to a log category Use the assign-handler operation with the following syntax. Replace CATEGORY with the name of the category and HANDLER with the name of the handler to be added.
/subsystem=logging/logger=CATEGORY:assign-handler(name="HANDLER")
T he log handler must already have been created before it can be added to the root logger.
Remove a log handler from a log category Use the unassign-handler operation with the following syntax. Replace CATEGORY with the name of the category and HANDLER with the name of the log handler to be removed.
/subsystem=logging/logger=CATEGORY:unassign-handler(name="HANDLER")
Remove a category Use the rem ove operation with the following syntax. Replace CATEGORY with the name of the category to be removed.
210
/subsystem=logging/logger=CATEGORY:remove
Report a bug 11.3.3. Configure a Console Log Handler in the CLI Console log handlers can be added, removed and edited in the CLI. Procedure 11.1. Display a console log handler configuration Use the read-resource operation with the following syntax. Replace HANDLER with the name of the console log handler.
/subsystem=logging/console-handler=HANDLER:read-resource
Example 11.12.
[standalone@localhost:9999 /] /subsystem=logging/console-handler=CONSOLE:readresource { "outcome" => "success", "result" => { "autoflush" => true, "encoding" => undefined, "filter" => undefined, "formatter" => "%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n", "level" => "INFO", "target" => "System.out" } } [standalone@localhost:9999 /]
Procedure 11.2. Add a Console Log Handler Use the add operation with the following syntax. Replace HANDLER with the console log handler to be added.
/subsystem=logging/console-handler=HANDLER:add
Example 11.13.
[standalone@localhost:9999 /] /subsystem=logging/consolehandler=ERRORCONSOLE:add {"outcome" => "success"} [standalone@localhost:9999 /]
Procedure 11.3. Set the Log Level Use the change-log-level operation with the following syntax. Replace HANDLER with the name of the console log handler and LEVEL with the log level that is to be set.
/subsystem=logging/console-handler=HANDLER:change-log-level(level="LEVEL")
211
Example 11.14 .
[standalone@localhost:9999 /] /subsystem=logging/consolehandler=ERRORCONSOLE:change-log-level(level="TRACE") {"outcome" => "success"} [standalone@localhost:9999 /]
Procedure 11.4 . Set the T arget Use the write-attribute operation with the following syntax. Replace HANDLER with the name of the console log handler. Replace TARGET with either System .err or System .out for the system error stream or standard out stream respectively.
/subsystem=logging/console-handler=HANDLER:write-attribute(name="target", value="TARGET")
Example 11.15.
[standalone@localhost:9999 /] /subsystem=logging/consolehandler=ERRORCONSOLE:write-attribute(name="target", value="System.err") {"outcome" => "success"} [standalone@localhost:9999 /]
Procedure 11.5. Set the Encoding Use the write-attribute operation with the following syntax. Replace HANDLER with the name of the console log handler. Replace ENCODING with the name of the required character encoding system.
/subsystem=logging/console-handler=HANDLER:write-attribute(name="encoding", value="ENCODING")
Example 11.16.
[standalone@localhost:9999 /] /subsystem=logging/consolehandler=ERRORCONSOLE:write-attribute(name="encoding", value="utf-8") {"outcome" => "success"} [standalone@localhost:9999 /]
Procedure 11.6. Set the Formatter Use the write-attribute operation with the following syntax. Replace HANDLER with the name of the console log handler. Replace FORMAT with the required formatter string.
/subsystem=logging/console-handler=HANDLER:write-attribute(name="formatter", value="FORMAT")
Example 11.17.
[standalone@l/subsystem=logging/console-handler=ERRORCONSOLE:writeattribute(name="formatter", value="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n")) {"outcome" => "success"} [standalone@localhost:9999 /]
Procedure 11.7. Set the Auto Flush Use the write-attribute operation with the following syntax. Replace HANDLER with the name of the console log handler. Replace BOOLEAN with true if this handler is to immediately write its output.
212
/subsystem=logging/console-handler=HANDLER:write-attribute(name="autoflush", value="BOOLEAN")
Example 11.18.
[standalone@localhost:9999 /] /subsystem=logging/consolehandler=ERRORCONSOLE:write-attribute(name="autoflush", value="true") {"outcome" => "success"} [standalone@localhost:9999 /]
Procedure 11.8. Remove a Console Log Handler Use the rem ove operation with the following syntax. Replace HANDLER with the name of the console log handler to be removed.
/subsystem=logging/console-handler=HANDLER:remove
Example 11.19.
[standalone@localhost:9999 /] /subsystem=logging/consolehandler=ERRORCONSOLE:remove {"outcome" => "success"} [standalone@localhost:9999 /]
Report a bug 11.3.4 . Configure a File Log Handler in the CLI File log handlers can be added, removed and edited in the CLI. T he main tasks you will perform to configure a file log handler are: Display the configuration of a file log handler Add a new file log handler. Set the handler's log level. Set the handler's appending behaviour. Set whether the handler uses autoflush or not. Set the encoding used for the handler's output. Specify the file to which the log handler will write. Set the formatter used for the handler's output. Remove a file log handler. Display a file log handler configuration Use the read-resource operation with the following syntax. Replace HANDLER with the name of the file log handler.
/subsystem=logging/file-handler=HANDLER:read-resource
213
Add a file log handler Use the add operation with the following syntax. Replace PATH with the filename for the file that the log is being written to. Replace DIR with the name of the directory where the file is to be located. T he value of DIR can be a path variable.
/subsystem=logging/file-handler=HANDLER:add(file={"path"=>"PATH", "relative-to"=>"DIR"})
Set the Log level Use the change-log-level operation with the following syntax. Replace HANDLER with the name of the file log handler. Replace LEVEL with the log level that is to be set.
/subsystem=logging/file-handler=HANDLER:change-log-level(level="LEVEL")
Set the append behaviour Use the write-attribute operation with the following syntax. Replace HANDLER with the name of the file log handler. Replace BOOLEAN with false if you required that a new log file be created each time the application server is launched. Replace BOOLEAN with true if the application server should continue to use the same file.
/subsystem=logging/file-handler=HANDLER:write-attribute(name="append", value="BOOLEAN")
214
JBoss Enterprise Application Platform 6 must be restarted for this change to take effect. Set the Auto Flush Use the write-attribute operation with the following syntax. Replace HANDLER with the name of the file log handler. Replace BOOLEAN with true if this handler is to immediately write its output.
/subsystem=logging/file-handler=HANDLER:write-attribute(name="autoflush", value="BOOLEAN")
JBoss Enterprise Application Platform 6 must be restarted for this change to take effect. Set the Encoding Use the write-attribute operation with the following syntax. Replace HANDLER with the name of the file log handler. Replace ENCODING with the name of the required character encoding system.
/subsystem=logging/file-handler=HANDLER:write-attribute(name="encoding", value="ENCODING")
Change the file to which the log handler writes Use the change-file operation with the following syntax. Replace PATH with the filename for the file that the log is being written to. Replace DIR with the name of the directory where the file is to be located. T he value of DIR can be a path variable.
/subsystem=logging/file-handler=HANDLER:change-file(file={"path"=>"PATH", "relative-to"=>"DIR"})
215
Example 11.26. Change the file to which the log handler writes
[standalone@localhost:9999 /] /subsystem=logging/filehandler=accounts_log:change-file(file={"path"=>"accounts-debug.log", "relative-to"=>"jboss.server.log.dir"}) {"outcome" => "success"} [standalone@localhost:9999 /]
Set the Formatter Use the write-attribute operation with the following syntax. Replace HANDLER with the name of the console log handler. Replace FORMAT with the required formatter string.
/subsystem=logging/file-handler=HANDLER:write-attribute(name="formatter", value="FORMAT")
Remove a File Log Handler Use the rem ove operation with the following syntax. Replace HANDLER with the name of the file log handler to be removed.
/subsystem=logging/file-handler=HANDLER:remove
A log handler can only be removed if it is not being referenced by a log category or an async log handler.
Report a bug 11.3.5. Configure a Periodic Log Handler in the CLI Periodic log handlers can be added, removed and edited in the CLI. T he main tasks you will perform to configure a periodic log handler are: Display the configuration of a periodic log handler Add a new periodic log handler. Set the handler's log level. Set the handler's appending behaviour. Set whether the handler uses autoflush or not. Set the encoding used for the handler's output. Specify the file to which the log handler will write. Set the formatter used for the handler's output. Set the suffix for rotated logs Remove a periodic log handler.
216
Each of those tasks are described below. Display a Periodic Rotating File log handler configuration Use the read-resource operation with the following syntax.
/subsystem=logging/periodic-rotating-file-handler=HANDLER:read-resource
Add a new Periodic Rotating File log handler Use the add operation with the following syntax.
/subsystem=logging/periodic-rotating-filehandler=HANDLER:add(file={"path"=>"PATH", "relative-to"=>"DIR"}, suffix="SUFFIX")
Replace HANDLER with the name of the log handler. Replace PATH with the filename for the file that the log is being written to. Replace DIR with the name of the directory where the file is to be located. T he value of DIR can be a path variable. Replace SUFFIX with the file rotation suffix to be used.
Set the Log level Use the change-log-level operation with the following syntax.
/subsystem=logging/periodic-rotating-file-handler=HANDLER:change-loglevel(level="LEVEL")
Replace HANDLER with the name of the periodic log handler. Replace LEVEL with the log level that is to be set.
217
Set the append behaviour Use the write-attribute operation with the following syntax.
/subsystem=logging/periodic-rotating-handler=HANDLER:writeattribute(name="append", value="BOOLEAN")
Replace HANDLER with the name of the periodic log handler. Replace BOOLEAN with false if you required that a new log file be created each time the application server is launched. Replace BOOLEAN with true if the application server should continue to use the same file. JBoss Enterprise Application Platform 6 must be restarted for this change to take effect.
Set the Auto Flush Use the write-attribute operation with the following syntax.
/subsystem=logging/periodic-rotating-file-handler=HANDLER:writeattribute(name="autoflush", value="BOOLEAN")
Replace HANDLER with the name of the periodic log handler. Replace BOOLEAN with true if this handler is to immediately write its output. JBoss Enterprise Application Platform 6 must be restarted for this change to take effect.
Set the Encoding Use the write-attribute operation with the following syntax.
/subsystem=logging/periodic-rotating-file-handler=HANDLER:writeattribute(name="encoding", value="ENCODING")
Replace HANDLER with the name of the periodic log handler. Replace ENCODING with the name of the required character encoding system.
218
Change the file to which the log handler writes Use the change-file operation with the following syntax.
/subsystem=logging/periodic-rotating-file-handle=HANDLER:changefile(file={"path"=>"PATH", "relative-to"=>"DIR"})
Replace HANDLER with the name of the periodic log handler. Replace PATH with the filename for the file that the log is being written to. Replace DIR with the name of the directory where the file is to be located. T he value of DIR can be a path variable.
Example 11.35. Change the file to which the log handler writes
[standalone@localhost:9999 /] /subsystem=logging/periodic-rotating-filehandle=HOURLY_DEBUG:change-file(file={"path"=>"daily-debug.log", "relative-to"=>"jboss.server.log.dir"}) {"outcome" => "success"} [standalone@localhost:9999 /]
Set the Formatter Use the write-attribute operation with the following syntax.
/subsystem=logging/periodic-rotating-file-handle=HANDLER:writeattribute(name="formatter", value="FORMAT")
Replace HANDLER with the name of the periodic log handler. Replace FORMAT with the required formatter string.
Set the suffix for rotated logs Use the write-attribute operation with the following syntax.
/subsystem=logging/periodic-rotating-file-handle=HANDLER:writeattribute(name="suffix", value="SUFFIX")
Replace HANDLER with the name of the console log handler. Replace SUFFIX with the required suffix string.
Example 11.37.
[standalone@l/subsystem=logging/periodic-rotating-filehandle=HOURLY_DEBUG:write-attribute(name="suffix", value=".yyyy-MM-ddHH")) {"outcome" => "success"} [standalone@localhost:9999 /]
219
Remove a periodic log handler Use the rem ove operation with the following syntax.
/subsystem=logging/periodic-rotating-file-handler=HANDLER:remove
Report a bug 11.3.6. Configure a Size Log Handler in the CLI Size rotated file log handlers can be added, removed and edited in the CLI. T he tasks you will perform to configure a size rotated file log handler are: Display the configuration of the log handler Add a new log handler. Set the handler's log level. Set the handler's appending behaviour. Set whether the handler uses autoflush or not. Set the encoding used for the handler's output. Specify the file to which the log handler will write. Set the formatter used for the handler's output. Set the maximum size of each log file Set the maximum number of backup logs to keep Remove a log handler. Each of these tasks are described below. Display the configuration of the log handler Use the read-resource operation with the following syntax.
/subsystem=logging/size-rotating-file-handler=HANDLER:read-resource
220
Add a new log handler Use the add operation with the following syntax.
/subsystem=logging/size-rotating-filehandler=HANDLER:add(file={"path"=>"accounts_trace.log", "relativeto"=>"jboss.server.log.dir"})
Replace HANDLER with the name of the log handler. Replace PATH with the filename for the file that the log is being written to. Replace DIR with the name of the directory where the file is to be located. T he value of DIR can be a path variable.
Set the handler's log level Use the change-log-level operation with the following syntax.
/subsystem=logging/size-rotating-file-handler=HANDLER:change-loglevel(level="TRACE")
Replace HANDLER with the name of the log handler. Replace LEVEL with the log level that is to be set.
Set the handler's appending behaviour Use the write-attribute operation with the following syntax.
221
Replace HANDLER with the name of the log handler. Replace BOOLEAN with false if you required that a new log file be created each time the application server is launched. Replace BOOLEAN with true if the application server should continue to use the same file. JBoss Enterprise Application Platform 6 must be restarted for this change to take effect.
Set whether the handler uses autoflush or not Use the write-attribute operation with the following syntax.
/subsystem=logging/size-rotating-file-handler=HANDLER:writeattribute(name="autoflush", value="BOOLEAN")
Replace HANDLER with the name of the log handler. Replace BOOLEAN with true if this handler is to immediately write its output.
Set the encoding used for the handler's output Use the write-attribute operation with the following syntax.
/subsystem=logging/size-rotating-file-handler=HANDLER:writeattribute(name="encoding", value="ENCODING")
Replace HANDLER with the name of the log handler. Replace ENCODING with the name of the required character encoding system.
Example 11.4 4 . Set the encoding used for the handler's output
[standalone@localhost:9999 /] /subsystem=logging/size-rotating-filehandler=ACCOUNTS_TRACE:write-attribute(name="encoding", value="utf-8") {"outcome" => "success"} [standalone@localhost:9999 /]
Specify the file to which the log handler will write Use the change-file operation with the following syntax.
/subsystem=logging/size-rotating-file-handler=HANDLER:changefile(file={"path"=>"PATH", "relative-to"=>"DIR"})
222
Example 11.4 5. Specify the file to which the log handler will write
[standalone@localhost:9999 /] /subsystem=logging/size-rotating-filehandler=ACCOUNTS_TRACE:change-file(file={"path"=>"accounts_trace.log", "relative-to"=>"jboss.server.log.dir"}) {"outcome" => "success"} [standalone@localhost:9999 /]
Set the formatter used for the handler's output Use the write-attribute operation with the following syntax.
/subsystem=logging/size-rotating-file-handler=HANDLER:writeattribute(name="formatter", value="FORMATTER")
Replace HANDLER with the name of the log handler. Replace FORMAT with the required formatter string.
Example 11.4 6. Set the formatter used for the handler's output
[standalone@localhost:9999 /] /subsystem=logging/size-rotating-filehandler=ACCOUNTS_TRACE:write-attribute(name="formatter", value="%d{HH:mm:ss,SSS} %-5p (%c) [%t] %s%E%n") {"outcome" => "success"} [standalone@localhost:9999 /]
Set the maximum size of each log file Use the write-attribute operation with the following syntax.
/subsystem=logging/size-rotating-file-handler=HANDLER:writeattribute(name="rotate-size", value="SIZE")
Replace HANDLER with the name of the log handler. Replace SIZE with maximum file size.
Set the maximum number of backup logs to keep Use the write-attribute operation with the following syntax.
/subsystem=logging/size-rotating-file-handler=HANDLER:writeattribute(name="max-backup-index", value="NUMBER")
Replace HANDLER with the name of the log handler. Replace NUMBER with the required number of log files to keep.
223
Remove a log handler Use the rem ove operation with the following syntax.
/subsystem=logging/size-rotating-file-handler=HANDLER:remove
Report a bug 11.3.7. Configure a Async Log Handler in the CLI Async log handlers can be added, removed and edited in the CLI. T he tasks you will perform to configure an async log handler are: Display the configuration of an async log handler Add a new async log handler Change the log level Set the queue length Set the overflow action Add sub-handlers Remove sub-handlers Remove an async log handler Each of these tasks are described below. Display the configuration of an async log handler Use the read-resource operation with the following syntax.
/subsystem=logging/async-handler=HANDLER:read-resource
224
Example 11.50.
[standalone@localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:read-resource { "outcome" => "success", "result" => { "encoding" => undefined, "filter" => undefined, "formatter" => "%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n", "level" => undefined, "overflow-action" => "BLOCK", "queue-length" => "50", "subhandlers" => undefined } } [standalone@localhost:9999 /]
Add a new async log handler Use the add operation with the following syntax.
/subsystem=logging/async-handler=HANDLER:add(queue-length="LENGTH")
Replace HANDLER with the name of the log handler. Replace LENGTH with value of the maximum number of log requests that can be held in queue.
Example 11.51.
[standalone@localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:add(queue-length="10") {"outcome" => "success"} [standalone@localhost:9999 /]
Change the log level Use the change-log-level operation with the following syntax.
/subsystem=logging/async-handler=HANDLER:change-log-level(level="LEVEL")
Replace HANDLER with the name of the log handler. Replace LEVEL with the log level that is to be set.
Example 11.52.
[standalone@localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:change-log-level(level="INFO") {"outcome" => "success"} [standalone@localhost:9999 /]
Set the queue length Use the write-attribute operation with the following syntax.
/subsystem=logging/async-handler=HANDLER:write-attribute(name="queuelength", value="LENGTH")
Replace HANDLER with the name of the log handler. Replace LENGTH with value of the maximum number of log requests that can be held in queue. JBoss Enterprise Application Platform 6 must be restarted for this change to take effect.
225
Example 11.53.
[standalone@localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:write-attribute(name="queue-length", value="150") { "outcome" => "success", "response-headers" => { "operation-requires-reload" => true, "process-state" => "reload-required" } } [standalone@localhost:9999 /]
Set the overflow action Use the write-attribute operation with the following syntax.
/subsystem=logging/async-handler=HANDLER:write-attribute(name="overflowaction", value="ACTION")
Replace HANDLER with the name of the log handler. Replace ACTION with either DISCARD or BLOCK.
Example 11.54 .
[standalone@localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:write-attribute(name="overflow-action", value="DISCARD") {"outcome" => "success"} [standalone@localhost:9999 /]
Add sub-handlers Use the assign-subhandler operation with the following syntax.
/subsystem=logging/async-handler=HANDLER:assignsubhandler(name="SUBHANDLER")
Replace HANDLER with the name of the log handler. Replace SUBHANDLER with the name of the log handler that is to be added as a sub-handler of this async handler.
Example 11.55.
[standalone@localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:assign-subhandler(name="NFS_FILE") {"outcome" => "success"} [standalone@localhost:9999 /]
Remove sub-handlers Use the unassign-subhandler operation with the following syntax.
/subsystem=logging/async-handler=HANDLER:unassignsubhandler(name="SUBHANDLER")
Replace HANDLER with the name of the log handler. Replace SUBHANDLER with the name of the sub-handler to remove.
226
Example 11.56.
[standalone@localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:unassign-subhandler(name="NFS_FILE") {"outcome" => "success"} [standalone@localhost:9999 /]
Remove an async log handler Use the rem ove operation with the following syntax.
/subsystem=logging/async-handler=HANDLER:remove
Example 11.57.
[standalone@localhost:9999 /] /subsystem=logging/asynchandler=NFS_LOGS:remove {"outcome" => "success"} [standalone@localhost:9999 /]
Report a bug
Report a bug 11.4 .2. Log Category Properties T able 11.6. Property level handlers use-parenthandlers category Datatype string list of strings boolean string Description T he maximum level of log message that the log category records. A list of log handlers that are used by the root logger. If set to true, this category will use the log handlers of the root logger in addition to any other assigned handlers. T he log category from which log messages will be captured.
227
autoflush name
boolean string
Report a bug 11.4 .4 . File Log Handler Properties T able 11.8. File Log Handler Properties Property level encoding formatter append T ype string string string boolean Description T he maximum level of log message the log handler records. T he character encoding scheme to be used for the output. T he log formatter used by this log handler. If set to true then all messages written by this handler will be appended to the file if it already exists. If set to false a new file will be created each time the application server launches. Changes to append require a server reboot to take effect. If set to true the log messages will be sent to the handlers assigned file immediately upon receipt. Changes to autoflush require a server reboot to take effect. T he unique identifier for this log handler. T he object that represents the file where the output of this log handler is written to. It has two configuration properties, relative-to and path . T his is a property of the file object and is the directory where the log file is written to. JBoss Enterprise Application Platform 6 file path variables can be specified here. T he jboss.server.log.dir variable points to the log/ directory of the server. T his is a property of the file object and is the name of the file where the log messages will be written. It is a relative path name that is appended to the value of the relative-to property to determine the complete path.
autoflush
boolean
name file
string object
relative-to
string
path
string
228
T able 11.9. Periodic Log Handler Properties Property append T ype boole an Description If set to true then all messages written by this handler will be appended to the file if it already exists. If set to false a new file will be created each time the application server launches. Changes to append require a server reboot to take effect. If set to true the log messages will be sent to the handlers assigned file immediately upon receipt. Changes to append require a server reboot to take effect. T he character encoding scheme to be used for the output. T he log formatter used by this log handler. T he maximum level of log message the log handler records. T he unique identifier for this log handler. Object that represents the file where the output of this log handler is written to. It has two configuration properties, relative-to and path . T his is a property of the file object and is the directory where the log file is written to. File path variables can be specified here. T he jboss.server.log.dir variable points to the log/ directory of the server. T his is a property of the file object and is the name of the file where the log messages will be written. It is a relative path name that is appended to the value of the relative-to property to determine the complete path. T his is a string with is both appended to filename of the rotated logs and is used to determine the frequency of rotation. T he format of the suffix is a dot (.) followed by a date string which is parsable by the java.text.Sim pleDateForm at class. T he log is rotated on the basis of the smallest time unit defined by the suffix. For example the suffix .yyyyMM-dd will result in daily log rotation. Refer to http://docs.oracle.com/javase/6/docs/api/index.html? java/text/SimpleDateFormat.html
autoflush
path
strin g strin g
suffix
229
autoflush
relative-to
path
strin g
rotate-size
integ er
m ax-backupindex
integ er
Report a bug 11.4 .7. Async Log Handler Properties T able 11.11. Async Log Handler Properties Property level nam e Queue-length overflowaction T ype string string integer string Description T he maximum level of log message the log handler records. T he unique identifier for this log handler. Maximum number of log messages that will be held by this handler while waiting for sub-handlers to respond. How this handler responds when its queue length is exceeded. T his can be set to BLOCK or DISCARD . BLOCK makes the logging application wait until there is available space in the queue. T his is the same behaviour as an non-async log handler. DISCARD allows the logging application to continue but the log message is deleted. T his is the list of log handlers to which this async handler passes its log messages.
subhandlers
list of strings
Report a bug
230
<subsystem xmlns="urn:jboss:domain:logging:1.1"> <root-logger> <level name="INFO"/> <handlers> <handler name="CONSOLE"/> <handler name="FILE"/> </handlers> </root-logger> </subsystem>
Report a bug 11.5.3. Sample XML Configuration for a Console Log Handler
<subsystem xmlns="urn:jboss:domain:logging:1.1"> <console-handler name="CONSOLE"> <level name="INFO"/> <formatter> <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/> </formatter> </console-handler> </subsystem>
Report a bug 11.5.4 . Sample XML Configuration for a File Log Handler
<file-handler name="accounts-rec-trail" autoflush="true"> <level name="INFO"/> <file relative-to="jboss.server.log.dir" path="accounts-rec-trail.log"/> <append value="true"/> </file-handler>
Report a bug 11.5.5. Sample XML Configuration for a Periodic Log Handler
<periodic-rotating-file-handler name="FILE"> <formatter> <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/> </formatter> <file relative-to="jboss.server.log.dir" path="server.log"/> <suffix value=".yyyy-MM-dd"/> <append value="true"/> </periodic-rotating-file-handler>
Report a bug 11.5.6. Sample XML Configuration for a Size Log Handler
231
Report a bug 11.5.7. Sample XML Configuration for a Async Log Handler
<async-handler name="Async_NFS_handlers"> <level name="INFO"/> <queue-length value="512"/> <overflow-action value="block"/> <subhandlers> <handler name="FILE"/> <handler name="accounts-record"/> </subhandlers> </async-handler>
Report a bug
232
Example 12.1. JVM settings in the domain configuration file T he following example shows a JVM declaration for a server group in the dom ain.xm l configuration file.
<server-groups> <server-group name="main-server-group" profile="default"> <jvm name="default"> <heap size="64m" max-size="512m"/> </jvm> <socket-binding-group ref="standard-sockets"/> </server-group> <server-group name="other-server-group" profile="default"> <jvm name="default"> <heap size="64m" max-size="512m"/> </jvm> <socket-binding-group ref="standard-sockets"/> </server-group> </server-groups>
In this instance a server group called m ain-server-group is declaring a heap size of 64 megabytes, and a maximum heap size of 512 megabytes. Any server that belongs to this group will inherit these settings. You can change these settings for the group as a whole, by the host, or the individual server.
233
Example 12.2. Domain settings in the host configuration file T he following example shows a JVM declaration for a server group in the host.xm l configuration file.
<servers> <server name="server-one" group="main-server-group" auto-start="true"> <jvm name="default"/> </server> <server name="server-two" group="main-server-group" auto-start="true"> <jvm name="default"> <heap size="64m" max-size="256m"/> </jvm> <socket-binding-group ref="standard-sockets" port-offset="150"/> </server> <server name="server-three" group="other-server-group" autostart="false"> <socket-binding-group ref="standard-sockets" port-offset="250"/> </server> </servers>
In this instance, a server named server-two belongs to the server group named m ain-servergroup , inheriting the JVM settings from the default JVM group. In the previous example, the main heap size for m ain-server-group was set at 512 megabytes. By declaring the lower maximum heap size of 256 megabytes, server-two can override the dom ain.xm l settings to fine-tune performance as desired.
Standalone server settings at runtime T he JVM settings for standalone server instances can be declared at runtime by setting the JAVA_OPT S environment variable before starting the server. An example of setting the JAVA_OPT S environment variable at the Linux command-line is:
[user@host bin]$ export JAVA_OPTS="-Xmx1024M"
Alternatively, JVM settings can be added to the standalone.conf file found in the EAP_HOME/bin folder, which contains examples of options to pass to the JVM. Report a bug 12.1.2. Display the JVM Status in the Management Console Prerequisites Section 2.6.2, Start JBoss Enterprise Application Platform 6 as a Standalone Server Section 2.6.3, Start JBoss Enterprise Application Platform 6 as a Managed Domain Section 3.2.2, Log in to the Management Console Java Virtual Machine (JVM) status can be displayed in the Management Console for either the standalone server or a managed domain. T he console shows the heap usage, non heap usage, and thread usage of the server in units of megabytes. While the statistics are not displayed in real-time, you can refresh the console display to provide an up-to-date overview of JVM resources. T he JVM status shows the following values.
234
T ype Max Used
T able 12.1. JVM Status Attributes Description T he maximum amount of memory in bytes that can be used for memory management. T he amount of used memory in mega bytes. T he amount of memory in bytes that is committed for the Java virtual machine to use. T he amount of memory in bytes that the Java virtual machine initially requests from the operating system for memory management.
Committed Init
Display the JVM status You can view the JVM status in either the standalone server instance or a managed domain. A. Display the JVM status for a standalone server instance Select JVM Status from the Server Status menu on the Runtime screen.
Figure 12.1. JVM status for a standalone server instance B. Display the JVM status for a managed domain Select JVM Status from the Domain Status menu on the Runtime screen. C. T he managed domain can provide visibility of all server instances in the server group, but will only allow you to view one server at a time by selecting from the server menu. T o view the status of other servers in your server group, click on the drop-down box at the top left of the screen to select from the host and servers displayed in your group and click the Done button to load the results. Result T he status of the JVM settings for the server instance are displayed. Report a bug
235
236
JBoss Enterprise Application Platform worker nodes. Each of these modules varies in how it works and how it is configured. T he modules are configured to balance work loads across multiple JBoss Enterprise Application Platform server nodes, to move work loads to alternate servers in case of a failure event, or both. T hese two abilities are called Load Balancing and High Availability (HA). T he JBoss Enterprise Application Platform supports several different HT T P connectors. T he one you choose depends on the HT T PD you connect to and the other functionality you need. T he table below lists the differences between the different HT T P connectors which are compatible with the JBoss Enterprise Application Platform. For the most up-to-date information about supported configurations for HT T P connectors, refer to https://access.redhat.com/kb/docs/DOC-34454. T able 13.1. HT T P connector features and constraints Conn ector Web server Supported operating systems Supported protocols Adapts to deployment status Supp orts stick y sessi on Yes
mod_ cluste r
HT T P, HT T PS, AJP
Yes. Detects deployment and undeployment of applications and dynamically decides whether to direct client requests to a server based on whether the application is deployed on that server. No. Directs client requests to the container as long as the container is available, regardless of application status. No. Directs client requests to the container as long as the container is available, regardless of application status. No. Directs client requests to the container as long as the container is available, regardless of application status. No. Directs client requests to the container as long as the container is available, regardless of application status.
mod_j k
JBoss Enterprise Web Server HT T PD, Apache HT T PD JBoss Enterprise Web Server HT T PD, Apache HT T PD Microsoft IIS
Red Hat Enterprise Linux, Microsoft Windows Server if using JBoss Enterprise Web Server, Solaris Red Hat Enterprise Linux, Microsoft Windows Server if using JBoss Enterprise Web Server, Solaris Microsoft Windows Server
AJP
Yes
mod_ proxy
HT T P, HT T PS
Yes
ISAPI
AJP
Yes
NSAP I
Oracle Solaris
AJP
Yes
Learn more about each HT T P Connector Section 13.3.1, About the m od_cluster HT T P Connector Section 13.4.1, About the Apache mod_jk HT T P Connector Section 13.5.1, About the Apache mod_proxy HT T P Connector Section 13.6.1, About the Internet Server API (ISAPI) HT T P Connector Section 13.7.1, About the Netscape Server API (NSAPI) HT T P Connector Report a bug 13.1.4 . Worker Node HT T P connector node A worker node, sometimes referred to as simply a node, is a JBoss Enterprise Application Platform server which accepts requests from one or more client-facing HT T PD servers. T he JBoss Enterprise Application Platform can accept requests from its own HT T PD, the HT T PD shipped with JBoss
237
238
selection box at the top left. Expand the Subsystem s menu, then expand the Web menu. Each configurable part of the Web subsystem is shown.
Note
T he m od_cluster component is only available if your profile is ha or full-ha , in a managed domain, or if you start your standalone server with the standalone-ha profile. m od_cluster configuration is covered in Section 13.3.2, Configure the m od_cluster Subsystem.
Configure the JSP Container, HT T P Connectors, and Virtual HT T P Servers T o configure the JSP Container, HT T P connectors, and virtual HT T P servers, click the Servlet/HT T P menu entry. Click the Edit button to change any values. Click the Advanced button to view advanced options. T he options are explained below. Options for HT T P connectors and virtual servers are shown in separate tables. T able 13.2. Servlet/HT T P Configuration Options Option Disabled? Description If true , disables the Java ServerPages (JSP) container. Defaults to false . T his is useful if you do not use any Java ServerPages (JSPs). CLI Command
/profile=fullha/subsystem=web/config uration=jspconfiguration/:writeattribute(name=disabled, value=false)
Development?
If true, enables Development Mode, which produces more verbose debugging information. Defaults to false .
Keep Generated?
Click Advanced to see this option, if it is hidden. If true keeps generated Servlets. Enabled by default.
/profile=fullha/subsystem=web/config uration=jspconfiguration/:writeattribute(name=keepgenerated,value=true)
Check Interval?
Click Advanced to see this option, if it is hidden. A value in seconds, which determines how often to check for JSP updates using a background process. Defaults to 0 . Click Advanced to see this option, if it is hidden. If true , the JSP source fragment is displayed when a runtime error occurs. Defaults to true .
/profile=fullha/subsystem=web/config uration=jspconfiguration/:writeattribute(name=checkinterval,value=0)
Display Source?
/profile=fullha/subsystem=web/config uration=jspconfiguration/:writeattribute(name=displaysourcefragment,value=true)
HT T P connectors are used by for load balancing and High Availability clusters such as m od_cluster , m od_jk, m od_proxy, ISAPI, and NSAPI. T o configure a HT T P connector, select the Connectors tab and click Add . T o remove a HT T P connector, select its entry and click Rem ove . T o edit a HT T P connector, select its entry and click Edit. When you create a new connector using the Management CLI, its options are all set at once, as in the following command:
239
T able 13.3. Connector Options Option Name Description A unique name for the connector, for display purposes. CLI Command
/profile=fullha/subsystem=web/connect or=ajp/:writeattribute(name=name,valu e=ajp)
Socket Binding
T he named socket binding the connector should bind to. A socket binding is a mapping between a socket name and a network port. Socket bindings are configured for each standalone server, or via socket binding groups in a managed domain. A socket binding group is applied to a server group. T he web connector scheme, such as HT T P or HT T PS.
/profile=fullha/subsystem=web/connect or=ajp/:writeattribute(name=socketbinding,value=ajp)
Scheme
Protocol
Enabled
T o configure virtual servers, click the Virtual Servers tab. Use the Add button to add a new virtual server. T o edit or remove a virtual server, select its entry and click the Edit or Rem ove button. When you add a new virtual server using the Management CLI, all required options are set at once, as in the following command.
24 0
Option Name
T able 13.4 . Virtual Servers Options Description A unique name for the virtual server, for display purposes. CLI Command
/profile=fullha/subsystem=web/virtual -server=defaulthost/:writeattribute(name=name,valu e=default-host)
Alias
A list of hostnames which should match this virtual server. In the Management Console, use one hostnamem per line.
Default Module
T he module whose web application should be deployed at the root node of this virtual server, and will be displayed when no directory is given in the HT T P request.
/profile=fullha/subsystem=web/virtual -server=defaulthost/:writeattribute(name=defaultwebmodule,value=ROOT.war)
Configure Web Services Options T o configure Web Services options, click the Web Services menu item. T he options are explained in the table below.
24 1
WSDL Host
T he WSDL contract of a JAXWS Web Service includes a <soap:address<element which points to the location of the endpoint. If the value of <soap:address> is a valid URL, it is not overwritten unless m odify-wsdl-address is set to true . If the value of <soap:address> is not a valid URL, it is overwritten using the values of wsdl-host and either wsdl-port or wsdl-secureport. If wsdl-host is set to jbossws.undefined.host, the requester's host address is used when the <soap-address> is rewritten. Defaults to ${jboss.bind.address:12 7.0.0.1} , which uses 127.0.0.1 if no bind address is specified when JBoss Enterprise Application Platform is started. T he non-secure port that is used to rewrite the SOAP address. If this is set to 0 (the default), the port is identified by querying the list of installed connectors. T he secure port that is used to rewrite the SOAP address. If this is set to 0 (the default), the port is identified by querying the list of installed connectors.
WSDL Port
/profile=fullha/subsystem=webservice s/:writeattribute(name=wsdlport,value=80)
/profile=fullha/subsystem=webservice s/:writeattribute(name=wsdlsecure-port,value=443)
Report a bug 13.2.3. Implement SSL Encryption for the JBoss Enterprise Application Platform Web Server Introduction Many web applications require a SSL-encryoted connection between clients and server, also known as a HT T PS connection. You can use this procedure to enable HT T PS on your server or server group. Prerequisites You need a set of SSL encryption keys and a SSL encryption certificate. You may purchase these from a certificate-signing authority, or you can generate them yourself using command-line utilities. T o generate encryption keys using Red Hat Enterprise Linux utilities, refer to Section 13.2.4, Generate a SSL Encryption Key and Certificate. You need to know the following details about your specific environment and set-up: T he full directory name and path to your certificate files T he encryption password for your encryption keys. You need to run the Management CLI and connect it to your domain controller or standalone server.
24 2
Note
T his procedure uses commands appropriate for a JBoss Enterprise Application Platform configuration that uses a managed domain. If you use a standalone server, modify Management CLI commands by removing the /profile=default from the beginning of any Management CLI commands.
Procedure 13.1. Configure the JBoss Web Server to use HT T PS 1. Add a new HT T PS connector. Execute the following Management CLI command, changing the profile as approriate. T his creates a new secure connector, called HT T PS , which uses the https scheme, the https socket binding (which defaults to 84 4 3 ), and is set to be secure. Example 13.3. Management CLI Command
/profile=default/subsystem=web/connector=https/:add(socketbinding=https,scheme=https,protocol=HTTP/1.1,secure=true)
2. Configure the SSL encryption certificate and keys. Execute the following CLI commands to configure your SSL certificate, substituting your own values for the example ones. T his example assumes that the keystore is copied to the server configuration directory, which is EAP_HOME/dom ain/configuration/ for a managed domain. Example 13.4 . Management CLI Command
/profile=default/subsystem=web/connector=https/ssl=configuration:add(name=ht tps,certificate-keyfile=${jboss.server.config.dir}/keystore.jks,password=SECRET, keyalias=KEY_ALIAS)
For a full listing of parameters you can set for the SSL properties of the connector, refer to Section 13.2.5, SSL Connector Reference. 3. Deploy an application. Deploy an application to a server group which uses the profile you have configured. If you use a standalone server, deploy an application to your server. HT T P requests to it use the new SSLencrypted connection. Report a bug 13.2.4 . Generate a SSL Encryption Key and Certificate T o use a SSL-encrypted HT T P connection (HT T PS), as well as other types of SSL-encrypted communication, you need a signed encryption certificate. You can purchase a certificate from a Certificate Authority (CA), or you can use a self-signed certificate. Self-signed certificates are not considered trustworthy by many third parties, but are appropriate for internal testing purposes. T his procedure enables you to create a self-signed certificate using utilities which are available on Red Hat Enterprise Linux. Prerequisites You need the keytool utility, which is provided by any Java Development Kit implementation. OpenJDK on Red Hat Enterprise Linux installs this command to /usr/bin/keytool . Understand the syntax and parameters of the keytool command. T his procedure uses extremely generic instructions, because further discussion of the specifics of SSL certificates or the keytool command are out of scope for this documentation. Procedure 13.2. T ask 1. Generate a keystore with public and private keys. Run the following command to generate a keystore named server.keystore with the alias jboss in your current directory.
24 3
T he following table describes the parameters used in the keytool command: Parameter -genkey -alias Description T he keytool command to generate a key pair containing a public and private key. T he alias for the keystore. T his value is arbitrary, but the alias jboss is the default used by the JBoss Web server. T he key pair generation algorithm. In this case it is RSA. T he name and location of the keystore file. T he default location is the current directory. T he name you choose is arbitrary. In this case, the file will be named server.keystore . T his password is used to authenticate to the keystore so that the key can be read. T he password must be at least 6 characters long and must be provided when the keystore is accessed. In this case, we used m ykeystorepass. If you omit this parameter, you will be prompted to enter it when you execute the command. T his is the password for the actual key.
-keyalg -keystore
-storepass
-keypass
Note
Due to an implementation limitation this must be the same as the store password.
--dname
A quoted string describing the distinguished name for the key, for example: "CN=jsmith,OU=Engineering,O=mycompany.co m,L=Raleigh,C=US". T his string is a concatenation of the following components: CN - T he common name or host name. If the hostname is "jsmith.mycompany.com", the CN is "jsmith". OU - T he organizational unit, for example "Engineering" O - T he organization name, for example "mycompany.com". L - T he locality, for example "Raleigh" or "London" S - T he state or province, for example "NC". T his parameter is optional. C - T he 2 letter country code, for example "US" or "UK",
When you execute the above command, you are prompted for the following information: If you did not use the -storepass parameter on the command line, you are asked to enter the keystore password. Re-enter the new password at the next prompt. If you did not use the -keypass parameter on the command line, you are asked to enter the key password. Press Enter to set this to the same value as the keystore password. When the command completes, the file server.keystore now contains the single key with the alias jboss. 2. Verify the key. Verify that the key works propertly by using the following command.
keytool -list -keystore server.keystore
24 4
3. Generate a certificate signing request. Run the following command to generate a certificate signing request using the public key from the keystore you created in step 1.
keytool -certreq -keyalg RSA -alias jboss -keystore server.keystore -file certreq.csr
You are prompted for the password in order to authenticate to the keystore. T he keytool command then creates a new certificate signing request called certreq.csr in the current working directory. 4. T est the newly generated certificate. T est the contents of the certificate by using the following command.
openssl req -in certreq.csr -noout -text
T he certificate details are shown. 5. Optional: Submit your certificate to a Certificate Authority (CA). A Certificate Authority (CA) can authenticate your certificate so that it is considered trustworthy by third-party clients. T he CA supplies you with a signed certificate, and optionally with one or more intermediate certificates. 6. Optional: Export a self-signed certificate from the keystore. If you only need it for testing or internal purposes, you can use a self-signed certificate. You can export one from the keystore you created in step 1 as follows:
keytool -export -alias jboss -keystore server.keystore -file server.crt
You are prompted for the password in order to authenticate to the keystore. A self-signed certificate, named server.crt, is created in the current working directory. 7. Import the signed certificate, along with any intermediate certificates. Import each certificate, in the order that you are instructed by the CA. For each certificate to import, replace interm ediate.ca or server.crt with the actual file name. If your certificates are not provided as separate files, create a separate file for each certificate, and paste its contents into the file.
Note
Your signed certificate and certificate keys are valuable assets. Be cautious with how you transport them between servers.
keytool -import -keystore server.keystore -alias intermediateCA -file intermediate.ca keytool -import -alias jboss -keystore server.keystore -file server.crt
8. T est that your certificates imported successfully. Run the following command, and enter the keystore password when prompted. T he contents of your keystore are displayed, and the certificates are part of the list.
keytool -list -keystore server.keystore
Result Your signed certificate is now included in your keystore and is ready to be used to encrypt SSL connections, including HT T PS web server communications. Report a bug 13.2.5. SSL Connector Reference JBoss Web connectors may include the following SSL configuration attributes. T he CLI commands provided are designed for a managed domain using profile default. Change the profile name to the one you wish to configure, for a managed domain, or omit the /profile=default portion of the
24 5
24 6
T able 13.6. SSL Connector Attributes Attribute Name Description T he display name of the SSL connector. CLI Command
/profile=default/subsys tem=web/connector=HTTPS /ssl=configuration/:writ eattribute(name=name,valu e=https)
verify-client
Set to true to require a valid certificate chain from the client before accepting a connection. Set to want if you want the SSL stack to request a client Certificate, but not fail if one is not presented. Set to false (the default) to not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT -CERT authentication. T he maximum number of intermediate certificate issuers checked before deciding that the clients do not have a valid certificate. T he default value is 10 . T he full file path and file name of the keystore file where the signed server certificate is stored. With JSSE encryption, this certificate file will be the only one, while OpenSSL uses several files. T he default value is the .keystore file in the home directory of the user running JBoss Enterprise Application Platform. If your keystoreT ype does not use a file, set the parameter to an empty string. If you use OpenSSL encryption, set the value of this parameter to the path to the file containing the server certificate.
verify-depth
certificate-key-file
certificate-file
password
T he password for both the trustore and keystore. T he default value is changeit, so you must change it to match the password of your keystore for your configuration to work. T he version of the SSL protocol to use. Supported values include SLv2 , SSLv3 , T LSv1 , SSLv2+SSLv3 , and ALL. the default is ALL.
protocol
cipher-suite
24 7
key-alias
T he alias used to for the server certificate in the keystore. T he default value is jboss.
truststore-type
T he type of the truststore. Various types of keystores are available, including PKCS12 and Java's standard JKS .
keystore-type
T he type of the keystore, Various types of keystores are available, including PKCS12 and Java's standard JKS .
ca-certificate-file
T he file containing the CA certificates. T his is the truststoreFile , in the case of JSSE, and uses the same password as the keystore. T he ca-certificate-file file is used to validate client certificates. T he Certificate password for the ca-certificate-file . In the example below, replace the password with your own masked password.
ca-certificate-password
ca-revocation-url
A file or URL which contains the revocation list. It refers to the crlFile for JSSE or the SSLCARevocationFile for SSL.
session-cache-size
T he size of the SSLSession cache. the default is 0 , which disables the session cache.
session-timeout
24 8
session-timeout
Report a bug 13.2.6. About Web Service Endpoints Web service endpoints are exposed in JBoss Enterprise Application Platform 6 through the deployments that provide the endpoint implementation. T his allows the endpoints to be queried as deployment resources. Each endpoint requires a web context and a WSDL URL to facilitate web service requests, indicating a specific location for associating the binding attributes and an instance of a service. T he web service subsystem is provided by the JBossWS project. For a detailed description of the available configuration properties, please consult the project documentation. JBossWS homepage: http://www.jboss.org/jbossws Project Documentation: https://docs.jboss.org/author/display/JBWS Report a bug 13.2.7. Replace the Default Welcome Web Application JBoss Enterprise Application Platform 6 includes a Welcome application, which displays when you open the URL of the server at port 8080. You can replace this application with your own web application by following this procedure. Procedure 13.3. T ask 1. Disable the Welcome application. Use the Management CLI script EAP_HOME/bin/jboss-cli.sh to run the following command. You may need to change the profile to modify a different managed domain profile, or remove the /profile=default portion of the command for a standalone server.
/profile=default/subsystem=web/virtual-server=default-host:writeattribute(name=enable-welcome-root,value=false)
2. Configure your Web application to use the root context. T o configure your web application to use the root context (/) as its URL address, modify its jboss-web.xm l , which is located in the MET A-INF/ or WEB-INF/ directory. Replace its <context-root> directive with one that looks like the following.
<jboss-web> <context-root>/</context-root> </jboss-web>
3. Deploy your application. Deploy your application to the server group or server you modified in the first step. T he application is now available on http://SERVER_URL:PORT/. Report a bug 13.2.8. About the Stand-Alone HT T PD JBoss Enterprise Application Platform is tested and supported with the Apache HT T PD which is included with certified versions of Red Hat Enterprise Linux 6. Apache HT T PD is also available for other configurations, such as Microsoft Windows Server. However, since Apache HT T PD is a separate product produced by the Apache Foundation, it used to be difficult to be sure that the version of Apache HT T PD a customer used was compatible with JBoss Enterprise Application Platform. A stand-alone Apache HT T PD bundle is now included as a separate download with JBoss Enterprise Application Platform 6. T his simplifies installation and configuration in environments other than Red Hat Enterprise Linux, or on systems which already have a configured HT T PD and want to use a separate instance for web applications. You can download this HT T PD as a separate download in the Customer
24 9
6. Stop the HT T PD. T o stop the HT T PD, issue the following command:
EAP_HOME/sbin/apachectl stop
Report a bug 13.2.10. Use an External HT T PD as the Web Front-end for JBoss Enterprise Application Platform Applications Overview For reasons to use an external HT T PD as the web front-end, as well as advantages and disadvantages of the different HT T P connectors supported by the JBoss Enterprise Application Platform, refer to Section 13.1.3, Overview of HT T P Connectors. In some situations, you can use the HT T PD that comes with your operating system. Otherwise, you can use the HT T PD that ships as part of JBoss Enterprise Web Server. After you have decided which HT T PD and HT T P connector to use, refer to one of the following procedures: Section 13.2.9, Install the Apache HT T PD included with JBoss Enterprise Application Platform 6 Section 13.3.3, Install the mod_cluster Module Into Apache HT T PD or Enterprise Web Server HT T PD Section 13.4.3, Install the Mod_jk Module Into Apache HT T PD or Enterprise Web Server HT T PD Section 13.6.2, Configure Microsoft IIS to Use the ISAPI Redirector Section 13.7.2, Configure the NSAPI Connector on Oracle Solaris Section 13.2.11, Configure the JBoss Enterprise Application Platform to Accept Requests From an External HT T PD
250
Report a bug 13.2.11. Configure the JBoss Enterprise Application Platform to Accept Requests From an External HT T PD Overview T he JBoss Enterprise Application Platform does not need to know which proxy it is accepting requests from, only the port and protocol to look for. T his is not true of m od_cluster , which is more tightly coupled to the configuration of the JBoss Enterprise Application Platform. But the following task works for m od_jk, m od_proxy, ISAPI, and NSAPI. Substitute the protocols and ports you need to configure with the ones in the examples. T o configure the JBoss Enterprise Application Platform for m od_cluster , refer to Section 13.3.5, Configure a mod_cluster Worker Node. Prerequisites Section 13.5.2, Install the Mod_proxy HT T P Connector Into Apache HT T PD You need to be logged into the Management CLI or Management Console to perform this task. T he exact steps in the task use the Management CLI, but the same basic procedure is used in the Management Console. You need a list of which protocols you will be using, whether HT T P, HT T PS, or AJP. Procedure 13.5. T ask 1. Configure the jvm Route and useJK system properties. Use the following two commands to configure the jvm Route and useJK system properties, which are necessary for HT T P connectors to work properly. Replace JVM_ROUTE with your own node name.
[user@localhost:9999 /] /systemproperty=jvmRoute/:add(value= JVM_ROUTE,boot-time=true) [user@localhost:9999 /] /system-property=UseJK/:add(value=true,boottime=true)
Note
T his step is only necessary if you are not using the standalone.ha.xm l configuration for a standalone server, or the ha or full-ha profiles for a server group in a managed domain. T hose configurations already include all of the necessary connectors. In order for an external HT T PD to be able to connect to the JBoss Enterprise Application Platform's web server, the web subsystem needs a connector. Each protocol needs its own connector, which is tied to a socket group. T o list the connectors currently available, issue the following command:
[standalone@localhost:9999 /] /subsystem=web:read-children-names(childtype=connector)
If there is no line indicating the connector your need (HT T P, HT T PS, AJP), you need to add the connector. 3. Read the configuration of a connector. T o see the details of how a connector is configured, you can read its configuration. T he following command reads the configuration of the AJP connector. T he other connectors have similar configuration output.
251
4. Add the necessary connectors to the web subsystem. T o add a connector to the web subsystem, it needs to have a socket binding. T he socket binding is added to the socket binding group used by your server or server group. T he following steps assume that your server group is server-group-one and that your socket binding group is standard-sockets. a. Add a socket to the socket binding group. T o add a socket to the socket binding group, issue the following command, replacing the protocol and port with the ones you need.
[standalone@localhost:9999 /] /socket-binding-group=standardsockets/socket-binding=ajp:add(port=8009)
b. Add the socket binding to the web subsystem. Issue the following command to add a connector to the web subsystem, substituting the socket binding name and protocol with the ones you need.
[standalone@localhost:9999 /] /subsystem=web/connector=ajp:add(socketbinding=ajp, protocol="AJP/1.3", enabled=true, scheme="http")
Report a bug 13.2.12. Use T CP Communication for the Clustering Subsystem By default, cluster nodes monitor each other's status using the UDP protocol. Some networks only allow T CP to be used. In this situation, you can add the T CPPING protocol stack to your configuration and use it as the default mechanism. T hese configuration options are available in the command-line based Management CLI. T he m od_cluster subsystem also uses UDP communication by default, and you can choose to use T CP here as well. Refer to the following two procedures to configure JGroups and mod_cluster subsystems to use T CP for network communication: Section 13.2.13, Configure the JGroups Subsystem to Use T CP Section 13.2.14, Configure the m od_cluster Subsystem to Use T CP Report a bug 13.2.13. Configure the JGroups Subsystem to Use T CP T he m od_cluster subsystem relies upon the JGroups subsystem to manage and track nodes leaving, joining, and failing over in the cluster. By default, the JGroups subsystem communicates using multicast UDP. Use the following procedure to configure the JGroups subsystem to use unicast T CP instead. T o configure the m od_cluster subsystem to use T CP as well, refer to Section 13.2.14, Configure the m od_cluster Subsystem to Use T CP. 1. Run the Management CLI. Launch the Management CLI, using the EAP_HOME/bin/jboss-cli.sh command in Linux or the EAP_HOME\bin\jboss-cli.bat command in Microsoft Windows Server. T ype connect to
252
2. Modify the following script to suit your environment. Copy the following script into a text editor. If you use a different profile on a managed domain, change the profile name. If you use a standalone server, remove the /profile=full-ha portion of the commands. Modify the properties listed at the bottom of the command as follows. Each of these properties is optional. initial_hosts A comma-separated list of the hosts which are considered well-known, and will be available to look up the initial membership. port_range If desired, you can assign a port range. If you assign a port range of 2, and the initial port is 7600, then T CPPING will attempt to contact each host on ports 7600-7601. T his property is optional. timeout An optional timeout value, in milliseconds, for cluster members. num_initial_members T he number of nodes before the cluster is considered to be complete. T his property is optional.
/profile=full-ha/subsystem=jgroups/stack=tcpping:add(transport={"type" => "TCP", "socket-binding" => "jgroups-tcp"}) /profile=full-ha/subsystem=jgroups/stack=tcpping/:addprotocol(type=FD_SOCK,socket-binding=jgroups-tcp-fd) /profile=full-ha/subsystem=jgroups/stack=tcpping/:addprotocol(type=pbcast.FLUSH) /profile=full-ha/subsystem=jgroups/stack=tcpping/:add-protocol(type=FD) /profile=full-ha/subsystem=jgroups/stack=tcpping/:addprotocol(type=VERIFY_SUSPECT) /profile=full-ha/subsystem=jgroups/stack=tcpping/:add-protocol(type=BARRIER) /profile=full-ha/subsystem=jgroups/stack=tcpping/:add-protocol(type=FRAG2) /profile=full-ha/subsystem=jgroups/stack=tcpping/:add-protocol(type=MERGE2) /profile=full-ha/subsystem=jgroups/stack=tcpping/:addprotocol(type=pbcast.GMS) /profile=full-ha/subsystem=jgroups/stack=tcpping/:addprotocol(type=pbcast.STATE_TRANSFER) /profile=full-ha/subsystem=jgroups/stack=tcpping/:add-protocol(type=UNICAST2) /profile=full-ha/subsystem=jgroups/stack=tcpping/:add-protocol(type=TCPPING) /profile=full-ha/subsystem=jgroups/stack=tcpping/:add-protocol(type=UFC) /profile=full-ha/subsystem=jgroups/stack=tcpping/:add-protocol(type=MFC) /profile=full-ha/subsystem=jgroups/stack=tcpping/:addprotocol(type=pbcast.NAKACK) /profile=full-ha/subsystem=jgroups/stack=tcpping/:addprotocol(type=pbcast.STABLE) /profile=full-ha/subsystem=jgroups:write-attribute(name=defaultstack,value=tcpping) /profile=fullha/subsystem=jgroups/stack=tcpping/protocol=TCPPING/property=initial_hosts/:ad d(value="HostA[7600],HostB[7600]") /profile=fullha/subsystem=jgroups/stack=tcpping/protocol=TCPPING/property=port_range/:add(v alue=0) /profile=fullha/subsystem=jgroups/stack=tcpping/protocol=TCPPING/property=timeout/:add(valu e=3000) /profile=fullha/subsystem=jgroups/stack=tcpping/protocol=TCPPING/property=num_initial_memb ers/:add(value=3)
Warning
T he servers runnning the profile have to be shutdown before executing the batch file. At the Management CLI prompt, type batch and press the Enter key. T he prompt changes to include a hash (# ) symbol to indicate that you are in batch mode. T his allows you to enter a series
253
2. Disable advertising within the m od_cluster subsystem of JBoss Enterprise Application Platform, and provide a list of proxies. You can disable advertising for the m od_cluster subsystem and provide a list of proxies, by using the web-based Management Console or the command-line Management CLI. T he list of proxies is necessary because the m od_cluster subsystem will not be able to automatically discover proxies if advertising is disabled. A. Management Console a. If you use a managed domain, you can only configure m od_cluster in profiles where it is enabled, such as the ha and full-ha profiles. b. Log in to the Management Console and select the Profiles label at the top right of the screen. If you use a managed domain, select either the ha or full-ha profile from the Profiles selection box at the top left of the Profiles page. c. Click the Subsystem s menu to expand it. Expand the Web sub-menu, and select Modcluster . d. Click the Edit button at the top, to edit the options which pertain to the entire m od_cluster subsystem. Change the value of Advertise to false . Use the Save button to save the settings. e. Click the tab labeled Proxies near the bottom of the screen. Click the Edit button in the Proxies sub-page, and enter a list of proxy servers. T he correct syntax is a comma-separated list of HOST NAME:PORT strings, like the following.
10.33.144.3:6666,10.33.144.1:6666
Click the Save button to save your changes. B. Management CLI T he following two Management CLI commands create the same configuration as the Management Console instructions above. T hey assume that you run a managed domain and
254
Note
T he Modcluster configuration page is only visible for profiles with the HA Clustering subsystem enabled. T hese profiles are ha and full-ha for a managed domain, or standalone-ha for a standalone server.
255
Balancer
T he name of the balancer. T his should match the configuration of the HT T PD proxy.
Advertise Socket
Advertise Key
Advertise
256
T able 13.8. m od_cluster Session Configuration Options Option Sticky Session Description Whether to use sticky sessions for requests. T his means that after the client makes a connection to a specific cluster node, further communication is routed to that same node unless it becomes unavailable. T his defaults to true , which is the recommended setting. If true , a request is not redirected to a new cluster node if its initial node becomes unavailable. Instead, it fails. T his defaults to false . CLI Command
/profile=fullha/subsystem=modcluster /mod-clusterconfig=configuration/:w riteattribute(name=stickysession,value=true)
T able 13.9. m od_cluster Web Context Configuration Options Option Auto Enable Contexts Description Whether to add new contexts to m od_cluster by default or not. T his defaults to true . If you change the default and need to enable context manually, the Web Application can enable its context using the enable() MBean method, or via the m od_cluster manager, which is a web application which runs on the HT T PD proxy on a named virtual host or port which is specified in that HT T PD's configuration. A comma-separated list of contexts that m od_cluster should ignore. If no host is indicated, the host is assumed to be localhost. ROOT indicates the root context of the Web Application. T he default value is ROOT ,invoker,jbossws,jud di,console . CLI Command
/profile=fullha/subsystem=modcluster /mod-clusterconfig=configuration/:w riteattribute(name=autoenablecontexts,value=true)
Excluded Contexts
257
Proxy List
A comma-separated list of HT T PD proxy addresses, in the format hostnam e:port. T his indicates the list of proxies that the m od_cluster process will attempt to communicate with initially.
Configure SSL Communication for m od_cluster By default, m od_cluster communication happens over an unencrypted HT T P link. If you set the connector scheme to HT T PS (refer to T able 13.8, m od_cluster Session Configuration Options), the settings below tell m od_cluster where to find the information to encrypt the connection.
258
T able 13.11. m od_cluster SSL Configuration Options Option Key Alias Description T he key alias, which was chosen when the certificate was created. CLI Command
/profile=fullha/subsystem=modcluster /mod-clusterconfig=configuration/ss l=configuration/:writeattribute(name=keyalias,value=jboss)
Password
Cert File
Key File
Cipher Suite
Revocation URL
Protocol
259
T he available m od_cluster networking options control several different timeout behaviors for different types of services that the m od_cluster service communicates with.
260
T able 13.12. m od_cluster Networking Configuration Options Option Node T imeout Description T imeout (in seconds) for proxy connections to a node. T hat is the time m od_cluster will wait for the back-end response before returning error. T hat corresponds to timeout in the worker mod_proxy documentation. A value of -1 indicates no timeout. Note that m od_cluster always uses a cping/cpong before forwarding a request and the connectiontim eout value used by m od_cluster is the ping value. Number of milliseconds to wait for a response from an httpd proxy to MCMP commands before timing out, and flagging the proxy as in error. CLI Command
/profile=fullha/subsystem=modcluster /mod-clusterconfig=configuration/:w riteattribute(name=nodetimeout,value=-1)
Socket T imeout
T he amount of time, measure in units specified by stopContextT imeoutUnit, for which to wait for clean shutdown of a context (completion of pending requests for a distributable context; or destruction/expiration of active sessions for a non-distributable context). Number of times an HT T PD proxy will attempt to send a given request to a worker before giving up. T he minimum value is 1 , meaning try only once. T he m od_proxy default is also 1, which means that no retry occurs. Whether or not to enable packet flushing to the HT T PD server. Defaults to false .
Max Attempts
Flush Packets
Flush Wait
How long, in seconds, to wait before flushing packets to the HT T PD server. Defaults to -1 . A value of -1 means to wait forever before flushing packets.
Ping
How long, in seconds, to wait for a response to a ping from a cluster node. Defaults to 10 seconds.
261
TTL
T ime to live (in seconds) for idle connections above smax, default is 60 When nodeT im eout is not defined the ProxyT im eout directive Proxy is used. If ProxyT im eout is not defined the server timeout T im eout is used. T his defaults to 300 seconds. nodeT im eout, ProxyT im eout, are T im eout are set at the socket level.
Worker T imeout
How long, in seconds, to wait for an available worker process from the external HT T PD server to process a request. Defaults to -1 , which means that Modcluster waits indefinitely for the HT T PD worker to process the request.
m od_cluster Load Provider Configuration Options T he following m od_cluster configuration options are not available in the web-based Management Console, but can only be set using the command-line Management CLI. T he simple load processor is used if no dynamic load processor is present. It gives each cluster member a load factor of 1 , and distributes work evenly without taking any sort of load balancing algorithm into account. T o add it, use the following CLI command: /profile=fullha/subsystem =m odcluster/m od-cluster-config=configuration/sim ple-loadprovider:add A dynamic load provider can be configured to use a variety of different algorithms, in combination, to determine which cluster node receives the next request. T he default dynamic load provider uses busyness as the determining factor. T he list of possible factors is shown below. You can create your own load provider to suit your own environment, as well. T he following options of the dynamic load provider can be changed. .
262
T able 13.13. m od_cluster Dynamic Load Provider Options Option Decay Description T he factor by which historical metrics should decay in significance. CLI Command
/profile=fullha/subsystem=modcluster /mod-clusterconfig=configuration/dy namic-loadprovider=configuration/ :writeattribute(name=decay,val ue=2)
History
T he number of historic load metric records to consider when determining the load.
Load Metric
T he only load metric included in the dynamic load provider is busyness, which tries to send each new request to the least busy worker. You can set the capacity of your worker (1 means 100% capacity) and the weight assigned to the busyness metric overall. .
/profile=fullha/subsystem=modcluster /mod-clusterconfig=configuration/dy namic-loadprovider=configuration/ loadmetric=busyness/:writeattribute(name=capacity, value=1.0) /profile=fullha/subsystem=modcluster /mod-clusterconfig=configuration/dy namic-loadprovider=configuration/ loadmetric=busyness/:writeattribute(name=type,valu e=busyness) /profile=fullha/subsystem=modcluster /mod-clusterconfig=configuration/dy namic-loadprovider=configuration/ loadmetric=busyness/:writeattribute(name=weight,va lue=1)
Load Metric Algorithms cpu T he cpu load metric uses average CPU load to determine which cluster node receives the next work load. mem T he mem load metric uses free native RAM as a load factor. Usage of this metric is discouraged because it provides a value that includes buffers and cache, so it is always a very low figure on every decent system with a good memory management.
263
Report a bug 13.3.3. Install the mod_cluster Module Into Apache HT T PD or Enterprise Web Server HT T PD Prerequisites T o perform this task, you must be using Apache HT T PD installed in Red Hat Enterprise Linux 6, or JBoss Enterprise Web Server, or the stand-alone HT T PD included as a separate downloadable component of JBoss Enterprise Application Platform 6. If you need to install Apache HT T PD in Red Hat Enterprise Linux 6, use the instructions from the Red Hat Enterprise Linux 6 Deployment Guide, available from https://access.redhat.com/knowledge/docs/. If you need to install the stand-alone HT T PD included as a separate downloadable component of JBoss Enterprise Application Platform 6, refer to Section 13.2.9, Install the Apache HT T PD included with JBoss Enterprise Application Platform 6. If you need to install JBoss Enterprise Web Server, use the instructions from the JBoss Enterprise Web Server Installation Guide, available from https://access.redhat.com/knowledge/docs/. Download the Webserver Connecter Natives package for your operating system and architecture from the Red Hat Customer Portal at https://access.redhat.com. T his package contains the mod_cluster binary HT T PD modules precompiled for your operating system. After you extract the archive, the modules are located in the m odules/native/lib/httpd/m odules/ directory. T he etc/ contains some example configuration files, and the share/ directory contains some supplemental documentation. You must be logged in with administrative (root) privileges.
264
Procedure 13.7. T ask 1. Determine your HT T PD configuration location. Your HT T PD configuration location will be different depending on whether you are using Red Hat Enterprise Linux's Apache HT T PD, the stand-alone HT T PD included as a separate downloadable component with JBoss Enterprise Application Platform 6, or the HT T PD available in JBoss Enterprise Web Server. It is one of the following three options, and is referred to in the rest of this task as HTTPD_HOME. Apache HT T PD - /etc/httpd/ JBoss Enterprise Application Platform HT T PD - T his location is chosen by you, based on the requirements of your infrastructure. JBoss Enterprise Web Server HT T PD - EWS_HOME/httpd/ 2. Copy the modules to the HT T PD modules directory. Copy the four modules (the files ending in .so ) from the m odules/native/lib/httpd/m odules/ directory of the extracted Webserver Natives archive to the HTTPD_HOME/m odules/ directory. 3. For Enterprise Web Server, disable the m od_proxy_balancer module. If you use JBoss Enterprise Web Server, the m od_proxy_balancer module is enabled by default. It is incompatible with mod_cluster. T o disable it, edit the HTTPD_HOME/conf/httpd.conf and comment out the following line by placing a # (hash) symbol before the line which loads the module. T he line is shown without the comment and then with it, below.
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so # LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
Save and close the file. 4. Configure the mod_cluster module. a. Open HTTPD_HOME/conf/httpd.conf in a text editor and add the following to the end of the file:
# Include mod_cluster's specific configuration file Include conf/JBoss_HTTP.conf
Save and exit the file. b. Create a new file called HTTPD_HOME/httpd/conf/JBoss_HT T P.conf and add the following to it.
LoadModule LoadModule LoadModule LoadModule slotmem_module modules/mod_slotmem.so manager_module modules/mod_manager.so proxy_cluster_module modules/mod_proxy_cluster.so advertise_module modules/mod_advertise.so
T his causes Apache HT T PD to automatically load the modules that m od_cluster needs in order to function. 5. Create a proxy server listener. Continue editing HTTPD_HOME/httpd/conf/JBoss_HT T P.conf and add the following minimal configuration, replacing the values in capital letters with sensible ones for your system.
Listen IP_ADDRESS:PORT <VirtualHost IP_ADDRESS:PORT> <Location /> Order deny,allow Deny from all Allow from *.MYDOMAIN.COM </Location> KeepAliveTimeout 60 MaxKeepAliveRequests 0 EnableMCPMReceive On ManagerBalancerName mycluster ServerAdvertise On </VirtualHost>
T hese directives create a new virtual server which listens on IP_ADDRESS:PORT , allows
265
B. JBoss Enterprise Web Server HT T PD JBoss Enterprise Web Server runs on both Red Hat Enterprise Linux and Microsoft Windows Server. T he method for restarting the HT T PD is different for each. A. Red Hat Enterprise Linux In Red Hat Enterprise Linux, Enterprise Web Server installs its HT T PD as a service. T o restart the HT T PD, issue the following two commands:
[root@host ~]# service httpd stop [4oot@host ~]# service httpd start
B. Microsoft Windows Server Issue the following commands in a command prompt with administrative privileges:
C:\> net stop httpd C:\> net start httpd
Result T he Apache HT T PD is now configured as a load balancer, and can work with the m od_cluster subsystem running JBoss Enterprise Application Platform 6. T o configure the JBoss Enterprise Application Platform to be aware of mod_cluster, refer to Section 13.3.5, Configure a mod_cluster Worker Node. Report a bug 13.3.4 . Configure Server Advertisement Properties for Your mod_cluster-enabled HT T PD Overview For instructions on configuring your HT T PD to interact with the mod_cluster load balancer, refer to Section 13.3.3, Install the mod_cluster Module Into Apache HT T PD or Enterprise Web Server HT T PD. One aspect of the configuration which needs more explanation is server advertisement. When server advertisement is active, the HT T PD broadcasts messages containing the IP address and port number specified in the mod_cluster virtual host. T o configure these values, refer to Section 13.3.3, Install the mod_cluster Module Into Apache HT T PD or Enterprise Web Server HT T PD. If UDP multicast is not available on your network, or you prefer to configure worker nodes with a static list of proxy servers, you can disable server advertisement and manually configure the worker nodes. Refer to Section 13.3.5, Configure a mod_cluster Worker Node for information on configuring a worker node. T he changes in this procedure need to be made to the httpd.conf associated with your Apache HT T PD instance. T his is often /etc/httpd/conf/httpd.conf in Red Hat Enterprise Linux, or may be in the etc/ directory of your stand-alone Apache HT T PD instance. Procedure 13.8. T ask 1. Disable the AdvertiseFrequency parameter, if it exists. If you have a line like the following in your <VirtualHost> statement, comment it out by putting a # (hash) character before the first character. T he value may be different from 5 .
AdvertiseFrequency 5
266
2. Add the directive to disable server advertisement. Add the following directive inside the <VirtualHost> statement, to disable server advertisement.
ServerAdvertise Off
3. Enable the ability to receive MCPM messages. Add the following directive to allow the HT T PD server to receive MCPM messages from the worker nodes.
EnableMCPMReceive On
4. Restart the HT T PD server. Restart the HT T PD server by issuing one of the following, depending on whether you use Red Hat Enterprise Linux or Microsoft Windows Server. A. Red Hat Enterprise Linux
[root@host ]# service httpd restart
Result T he HT T PD no longer advertises the IP address and port of your mod_cluster proxy. T o reiterate, you need to configure your worker nodes to use a static address and port to communicate with the proxy. Refer to Section 13.3.5, Configure a mod_cluster Worker Node for more details. Report a bug 13.3.5. Configure a mod_cluster Worker Node Configure a mod_cluster worker node A mod_cluster worker node consists of an JBoss Enterprise Application Platform server. T his server can be part of a server group in a Managed Domain, or a standalone server. A separate process runs within JBoss Enterprise Application Platform, which manages all of the nodes of the cluster. T his is called the master. For more conceptual information about worker nodes, refer to Section 13.1.4, Worker Node. For an overview of HT T PD load balancing, refer to Section 13.1.3, Overview of HT T P Connectors. T he master is only configured once, via the m od_cluster subsystem. T o configure the m od_cluster subsystem, refer to Section 13.3.2, Configure the m od_cluster Subsystem. Each worker node is configured separately, so repeat this procedure for each node you wish to add to the cluster. If you use a managed domain, each server in a server group is a worker node which shares an identical configuration. T herefore, configuration is done to an entire server group. In a standalone server, configuration is done to a single JBoss JBoss Enterprise Application Platform instance. T he configuration steps are otherwise identical. Worker Node Configuration If you use a standalone server, it must be started with the standalone-ha profile. If you use a managed domain, your server group must use the ha or full-ha profile, and the hasockets or full-ha-sockets socket binding group. JBoss Enterprise Application Platform ships with a cluster-enabled server group called other-server-group which meets these requirements.
Note
Where Management CLI commands are given, they assume you use a managed domain. If you use a standalone server, remove the /profile=full-ha portion of the commands.
267
f. Save the file and exit. 2. Configure authentication for each slave server. Each slave server needs a username and password created in the domain controller's or standalone master's Managem entRealm . On the domain controller or standalone master, run the EAP_HOME/add-user.sh command. Add a user with the same username as the slave, to the Managem entRealm . When asked if this user will need to authenticate to an external JBoss AS instance, answer yes. An example of the input and output of the command is below, for a slave called slave1 , with password changem e .
user:bin user$ ./add-user.sh What type of user do you wish to add? a) Management User (mgmt-users.properties) b) Application User (application-users.properties) (a): a Enter the details of the new user to add. Realm (ManagementRealm) : Username : slave1 Password : changeme Re-enter Password : changeme About to add user 'slave1' for realm 'ManagementRealm' Is this correct yes/no? yes Added user 'slave1' to file '/home/user/jboss-eap6.0/standalone/configuration/mgmt-users.properties' Added user 'slave1' to file '/home/user/jboss-eap6.0/domain/configuration/mgmt-users.properties' Is this new user going to be used for one AS process to connect to another AS process e.g. slave domain controller? yes/no? yes To represent the user add the following to the server-identities definition <secret value="Y2hhbmdlbWU=" />
3. Copy the <secret> element from the add-user.sh output. Copy the value from the last line of the add-user.sh output. You need to add this value to your slave's configuration file in the next step. 4. Modify the slave host's security realm to use the new authentication. Re-open the slave host's host.xm l or standalone-ha.xm l file and locate the <securityrealm s> element. Add the following block of XML code directly below the <security-realm nam e="Managem entRealm "> line, replacing the <secret value="Y2hhbm dlbWU="/> line
268
Save and exit the file. 5. Restart the server. T he slave will now authenticate to the master using the its host name as the username and the encrypted string as its password. Result Your standalone server, or servers within a server group of a managed domain, are now configured as mod_cluster worker nodes. If you deploy a clustered application, its sessions are replicated to all cluster nodes for failover, and it can accept requests from an external HT T PD server or load balancer. Each node of the cluster discovers the other nodes using automatic discovery, by default. T o configure automatic discovery, and the other specific settings of the m od_cluster subsystem, refer to Section 13.3.2, Configure the m od_cluster Subsystem. T o configure the Apache HT T PD server, refer to Section 13.2.10, Use an External HT T PD as the Web Front-end for JBoss Enterprise Application Platform Applications. Report a bug
269
Report a bug 13.4 .3. Install the Mod_jk Module Into Apache HT T PD or Enterprise Web Server HT T PD Prerequisites T o perform this task, you must be using Apache HT T PD installed in Red Hat Enterprise Linux, or the HT T PD installed in JBoss Enterprise Web Server. If you need to install Apache HT T PD, use the instructions from the Red Hat Enterprise Linux Deployment Guide, available from https://access.redhat.com/knowledge/docs/. If you need to install JBoss Enterprise Web Server, use the instructions from the JBoss Enterprise Web Server Installation Guide, available from https://access.redhat.com/knowledge/docs/. If you are using Apache HT T PD, download the JBoss Enterprise Application Platform Native Components package for Red Hat Enterprise Linux from the Red Hat Customer Service Portal at https://access.redhat.com. T his package contains both the mod_jk and mod_cluster binaries precompiled for Red Hat Enterprise Linux. If you are using JBoss Enterprise Web Server, it already includes the binary for mod_jk. You must be logged in with administrative (root) privileges. Procedure 13.10. T ask 1. Determine your HT T PD configuration location. Your HT T PD configuration location will be different depending on whether you are using Red Hat Enterprise Linux's Apache HT T PD or the HT T PD available in JBoss Enterprise Web Platform. It is one of the following two options, and is referred to in the rest of this task as HTTPD_HOME. Apache HT T PD - /etc/httpd/ JBoss Enterprise Web Server HT T PD - EWS_HOME/httpd/ 2. Configure the mod_jk module. a. Open HTTPD_HOME/conf/httpd.conf in a text editor and add the following to the end of the file:
# Include mod_jk's specific configuration file Include conf/mod-jk.conf
b. Create a new file called HTTPD_HOME/etc/httpd/conf/m od-jk.conf and add the following to it:
270
Look over the values and make sure they are reasonable for your set-up. When you are satisfied, save the file. c. Specify a JKMountFile directive In addition to the JKMount directive in the m od-jk.conf , you can specify a file which contains multiple URL patterns to be forwarded to mod_jk. a. Add the following to the HTTPD_HOME/conf/m od-jk.conf file:
# You can use external file for mount points. # It will be checked for updates each 60 seconds. # The format of the file is: /url=worker # /examples/*=loadbalancer JkMountFile conf/uriworkermap.properties
b. Create a new file called HTTPD_HOME/conf/uriworkerm ap.properties, with a line for each URL pattern to be matched. T he following example shows examples of the syntax of the file.
# Simple worker configuration file /*=loadbalancer
Note
T his is only necessary if your HT T PD does not have m od_jk.so in its m odules/ directory. You can skip this step if you are using the Apache HT T PD server included as a download as part of JBoss Enterprise Application Platform 6. Extract the Native Components Z IP package. Locate the m od_jk.so file in either the native/lib/httpd/m odules/ or native/lib64 /httpd/m odules/ directory, depending on whether your operating system is 32-bit or 64-bit.
271
For a detailed description of the syntax of the workers.properties file, and advanced configuration options, refer to Section 13.4.4, Configuration Reference for Apache Mod_jk Workers. 4. Restart the HT T PD. T he way to restart the HT T PD depends on whether you are using Red Hat Enterprise Linux's Apache HT T PD or the HT T PD included in JBoss Enterprise Web Server. Choose one of the two methods below. A. Red Hat Enterprise Linux's Apache HT T PD Issue the following command:
[root@host]# service httpd restart
B. JBoss Enterprise Web Server HT T PD JBoss Enterprise Web Server runs on both Red Hat Enterprise Linux and Microsoft Windows Server. T he method for restarting the HT T PD is different for each. A. Red Hat Enterprise Linux In Red Hat Enterprise Linux, Enterprise Web Server installs its HT T PD as a service. T o restart the HT T PD, issue the following two commands:
[root@host ~]# service httpd stop [root@host ~]# service httpd start
B. Microsoft Windows Server Issue the following commands in a command prompt with administrative privileges:
C:\> net stop httpd C:\> net start httpd
Result T he Apache HT T PD is now configured to use the mod_jk load balancer. T o configure the JBoss Enterprise Application Platform to be aware of mod_jk, refer to Section 13.2.11, Configure the JBoss Enterprise Application Platform to Accept Requests From an External HT T PD. Report a bug
272
13.4 .4 . Configuration Reference for Apache Mod_jk Workers T he workers.properties file defines the behavior of the worker nodes which mod_jk passes client requests to. In Red Hat Enterprise Linux, the file resides in /etc/httpd/conf/workers.properties. T he workers.properties file defines where the different servlet containers are located, and the way the work load should be balanced across them. T he configuration is divided into three sections. T he first section deals with global properties, which apply to all worker nodes. T he second section contains settings which apply to a specific worker. T he third section contains settings which apply to a specific node balanced by the worker. T he general structure of a property is worker.WORKER_NAME.DIRECTIVE, where WORKER_NAME is a unique name for the worker, and DIRECTIVE is the setting to be applied to the worker. Configuration reference for Apache mod_jk workers Node templates specify default per-node settings. You can override the template within the node settings itself. You can see an example of node templates in Example 13.6, Example workers.properties file. T able 13.14 . Global properties Property worker.list Description T he list of worker names used by mod_jk. T hese workers are available to receive requests.
T able 13.15. Per-worker properties Property type Description T he type of the worker. T he default type is ajp13 . Other possible values are ajp14 , lb , status. For more information on these directives, refer to the Apache T omcat Connector AJP Protocol Reference at http://tomcat.apache.org/connectorsdoc/ajp/ajpv13a.html. balance_workers Specifies the worker nodes that the load balancer must manage. You can use the directive multiple times for the same load balancer. It consists of a comma-separated list of worker names. T his is set per worker, not per node. It affects all nodes balanced by that worker type. Specifies whether requests from the same session are always routed to the same worker. T he default is 0 , meaning that sticky sessions are disabled. T o enable sticky sessions, set it to 1 . Sticky sessions should usually be enabled, unless all of your requests are truly stateless. T his is set per worker, not per node. It affects all nodes balanced by that worker type.
sticky_session
273
ping_mode
Specifies the load-balancing factor for an individual worker, and only applies to a member worker of a load balancer. T his is useful to give a more powerful server more of the work load. T o give a worker 3 times the default load, set this to 3 : worker.m y_worker.lbfactor=3
Further configuration details for Apache mod_jk are out of the scope of this document. Refer to the Apache documentation at http://tomcat.apache.org/connectors-doc/ for further instructions. Report a bug
274
13.5.1. About the Apache mod_proxy HT T P Connector Apache provides two different proxying and load balancing modules for its HT T PD: m od_proxy and m od_jk. T o learn more about m od_jk, refer to Section 13.4.1, About the Apache mod_jk HT T P Connector. T he JBoss Enterprise Application Platform supports use of either of these, although m od_cluster , the JBoss HT T P connector, more closely couples the JBoss Enterprise Application Platform and the external HT T PD, and is the recommended HT T P connector. Refer to Section 13.1.3, Overview of HT T P Connectors for an overview of all supported HT T P connectors, including advantages and disadvantages. Unlike m od_jk, m od_proxy supports connections over HT T P and HT T PS protocols. Each of them also support the AJP protocol. m od_proxy can be configured in standalone or load-balanced configurations, and it supports the notion of sticky sessions. T he m od_proxy module requires JBoss Enterprise Application Platform to have the HT T P or HT T PS web connector configured. T his is part of the Web subsystem. Refer to Section 13.2.2, Configure the Web Subsystem for information on configuring the Web subsystem. Report a bug 13.5.2. Install the Mod_proxy HT T P Connector Into Apache HT T PD Overview m od_proxy is a load-balancing module provided by Apache. T his task presents a basic configuration. For more advanced configuration, or additional details, refer to Apache's m od_proxy documentation at https://httpd.apache.org/docs/2.2/mod/mod_proxy.html. For more details about m od_proxy from the perspective of the JBoss Enterprise Application Platform, refer to Section 13.5.1, About the Apache mod_proxy HT T P Connector and Section 13.1.3, Overview of HT T P Connectors. Prerequisites Either Enterprise Web Server HT T PD or Apache HT T PD needs to be installed. A standalone HT T PD is provided as a separate download in the Red Hat Customer Portal at https://access.redhat.com, in the JBoss Enterprise Application Platform 6 download area. Refer to Section 13.2.9, Install the Apache HT T PD included with JBoss Enterprise Application Platform 6 for information about this HT T PD if you wish to use it. T he m od_proxy modules need to be installed. Apache HT T PD typically comes with the m od_proxy modules already included. T his is the case on Red Hat Enterprise Linux, the HT T PD that comes with JBoss Enterprise Web Server, and the Apache HT T PD that comes with Microsoft Windows. You need root or administrator privileges to modify the HT T PD configuration. Determine the HT T PD configuration directory. T his is the directory containing the conf/ and m odules/ directories for Apache HT T PD. T his will be referred to as HTTPD_CONF for the remainder of this task. T ypical values include the following: /etc/httpd/ EWS_HOME/httpd/, starting from where Enterprise Web Server is installed JBoss Enterprise Application Platform must be configured with the HT T P or HT T PS web connector. T his is part of the Web subsystem configuration. Refer to Section 13.2.2, Configure the Web Subsystem for information about configuring the Web subsystem. 1. Enable the m od_proxy modules in the HT T PD Look for the following lines in your HTTPD_CONF/conf/httpd.conf file. If they are not present, add them to the bottom. If they are present but the lines begin with a comment (#) character, remove the character. Save the file afterward. Usually, the modules are already present and enabled.
LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.so LoadModule proxy_http_module modules/mod_proxy_http.so # Uncomment these to proxy FTP or HTTPS #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so #LoadModule proxy_connect_module modules/mod_proxy_connect.so
2. Add a non-load-balancing proxy. Add the following configuration to your HTTPD_CONF/conf/httpd.conf file, directly beneath any
275
After making your changes, save the file. 3. Add a load-balancing proxy. T o use m od_proxy as a load balancer, and send work to multiple JBoss Enterprise Application Platform servers, add the following configuration to your HTTPD_CONF/conf/httpd.conf file.
<Proxy balancer://mycluster> Order deny,allow Allow from all # Add each JBoss Enterprise Application Server by IP address and port. # If the route values are unique like this, one node will not fail over to the other. BalancerMember http://127.0.0.1:8080 route=node1 BalancerMember http://127.0.0.1:8180 route=node2 </Proxy> # Use the balancer as a single proxy, as in the <VirtualHost> example above. ProxyPass /://mycluster ProxyPassReverse / http://127.0.0.1:8080/ ProxyPassReverse / http://127.0.0.1:8180/ # Only proxy a specific application # ProxyPass /MyApp://mycluster # ProxyPassReverse /MyApp http://host3:8280/MyApp Starting the httpd ends with Syntax error on line 1023 of /etc/httpd/conf/httpd.conf: ProxyPass|ProxyPassMatch needs a path when not defined in a location Ends with Syntax error on line 1023 of /etc/httpd/conf/httpd.conf: ProxyPass|ProxyPassMatch needs a path when not defined in a location Start of Httpd without errors is expected.
T he examples above all communicate using the HT T P protocol. You can use AJP or HT T PS protocols instead, if you load the appropriate m od_proxy modules. Refer to the Apache mod_cluster documentation for more details. 4. Enable sticky sessions. Sticky sessions mean that if a client request originally goes to a specific JBoss Enterprise Application Platform node, all future requests will be sent to the same node, unless the node becomes unavailable. T his is almost always the correct behavior. T o enable sticky sessions for m od_proxy, add the stickysession parameter to the ProxyPass statement. T his example also shows some other parameters which you can use. Refer to Apache's m od_proxy documentation at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html for more information on them.
276
5. Restart the HT T PD. Restart the HT T PD server for your changes to take effect. Result Your HT T PD is configured to use m od_proxy to send client requests to JBoss Enterprise Application Platform servers or clusters, either in a standard or load-balancing configuration. T o configure the JBoss Enterprise Application Platform to respond to these requests, refer to Section 13.2.11, Configure the JBoss Enterprise Application Platform to Accept Requests From an External HT T PD. Report a bug
277
278
Enterprise Application Platform to Accept Requests From an External HT T PD, then Section 13.6.3, Configure the ISAPI Redirector to Send Client Requests to the JBoss Enterprise Application Platform or Section 13.6.4, Configure ISAPI to Balance Client Requests Across Multiple JBoss Enterprise Application Platform Servers. Report a bug 13.6.3. Configure the ISAPI Redirector to Send Client Requests to the JBoss Enterprise Application Platform Overview T his task configures a group of JBoss Enterprise Application Platform servers to accept requests from the ISAPI redirector. It does not include configuration for load-balancing or high-availability failover. If you need these capabilities, refer to Section 13.6.4, Configure ISAPI to Balance Client Requests Across Multiple JBoss Enterprise Application Platform Servers. T his configuration is done on the IIS server, and assumes that the JBoss Enterprise Application Platform is already configured, as per Section 13.2.11, Configure the JBoss Enterprise Application Platform to Accept Requests From an External HT T PD. Prerequisites You need full administrator access to the IIS server Section 13.2.11, Configure the JBoss Enterprise Application Platform to Accept Requests From an External HT T PD Section 13.6.2, Configure Microsoft IIS to Use the ISAPI Redirector Procedure 13.13. T ask 1. Create a directory to store logs, property files, and lock files. T he rest of this procedure assumes that you are using the directory C:\connectors\ for this purpose. If you use a different directory, modify the instructions accordingly. 2. Create the isapi_redirect.properties file. Create a new file called C:\connectors\isapi_redirect.properties. Copy the following contents into the file. Substitute the value JBOSS_NAT IVE_HOME with the actual location where you installed the JBoss Native components when you performed the task Section 13.6.2, Configure Microsoft IIS to Use the ISAPI Redirector.
# Configuration file for the ISAPI Redirector # Extension uri definition extension_uri=JBOSS_NATIVE_HOME/sbin/isapi_redirect.dll # Full path to the log file for the ISAPI Redirector log_file=c:\connectors\isapi_redirect.log # Log level (debug, info, warn, error or trace) # Use debug only testing phase, for production switch to info log_level=debug # Full path to the workers.properties file worker_file=c:\connectors\workers.properties # Full path to the uriworkermap.properties file worker_mount_file=c:\connectors\uriworkermap.properties #Full path to the rewrite.properties file rewrite_rule_file=c:\connectors\rewrite.properties
If you do not want to use a rewrite.properties file, comment out the last line by placing a # character at the beginning of the line. See Step 5 for more information. 3. Create the uriworkerm ap.properties file T he uriworkerm ap.properties file contains mappings between deployed application URLs and which worker handles requests to them. T he following example file shows the syntax of the file. Place your uriworkerm ap.properties file into C:\connectors\.
279
4. Create the workers.properties file. T he workers.properties file contains mapping definitions between worker labels and server instances. T he following example file shows the syntax of the file. Place this file into the C:\connectors\ directory.
# An entry that lists all the workers defined worker.list=worker01, worker02 # Entries that define the host and port associated with these workers # First JBoss Enterprise Application Platform server definition, port 8009 is standard port for AJP in EAP worker.worker01.host=127.0.0.1 worker.worker01.port=8009 worker.worker01.type=ajp13 # Second JBoss Enterprise Application Platform server definition worker.worker02.host= 127.0.0.100 worker.worker02.port=8009 worker.worker02.type=ajp13
5. Create the rewrite.properties file. T he rewrite.properties file contains simple URL rewriting rules for specific applications. T he rewritten path is specified using name-value pairs, as shown in the example below. Place this file into the C:\connectors\ directory.
#Simple example # Images are accessible under abc path /app-01/abc/=/app-01/images/
6. Restart the IIS server. Follow the appropriate procedure for restarting your IIS server, depending on its version. A. IIS 6
C:\> net stop iisadmin /Y C:\> net start w3svc
B. IIS 7
C:\> net stop was /Y C:\> net start w3svc
Result T he IIS server is configured to send client requests to the specific JBoss Enterprise Application Platform servers you have configured, on an application-specific basis. Report a bug 13.6.4 . Configure ISAPI to Balance Client Requests Across Multiple JBoss Enterprise Application Platform Servers
280
Overview T his configuration balances client requests across the JBoss Enterprise Application Platform servers you specify. If you prefer to send client requests to specific JBoss Enterprise Application Platform servers on a per-deployment basis, refer to Section 13.6.3, Configure the ISAPI Redirector to Send Client Requests to the JBoss Enterprise Application Platform instead. T his configuration is done on the IIS server, and assumes that the JBoss Enterprise Application Platform is already configured, as per Section 13.2.11, Configure the JBoss Enterprise Application Platform to Accept Requests From an External HT T PD. Prerequisites Full adminostrator access on the IIS server. Section 13.2.11, Configure the JBoss Enterprise Application Platform to Accept Requests From an External HT T PD Section 13.6.2, Configure Microsoft IIS to Use the ISAPI Redirector Procedure 13.14 . T ask 1. Create a directory to store logs, property files, and lock files. T he rest of this procedure assumes that you are using the directory C:\connectors\ for this purpose. If you use a different directory, modify the instructions accordingly. 2. Create the isapi_redirect.properties file. Create a new file called C:\connectors\isapi_redirect.properties. Copy the following contents into the file. Substitute the value JBOSS_NAT IVE_HOME with the actual location where you installed the JBoss Native components when you performed the task Section 13.6.2, Configure Microsoft IIS to Use the ISAPI Redirector.
# Configuration file for the ISAPI Redirector # Extension uri definition extension_uri=JBOSS_NATIVE_HOME/sbin/isapi_redirect.dll # Full path to the log file for the ISAPI Redirector log_file=c:\connectors\isapi_redirect.log # Log level (debug, info, warn, error or trace) # Use debug only testing phase, for production switch to info log_level=debug # Full path to the workers.properties file worker_file=c:\connectors\workers.properties # Full path to the uriworkermap.properties file worker_mount_file=c:\connectors\uriworkermap.properties #OPTIONAL: Full path to the rewrite.properties file rewrite_rule_file=c:\connectors\rewrite.properties
If you do not want to use a rewrite.properties file, comment out the last line by placing a # character at the beginning of the line. See Step 5 for more information. 3. Create the uriworkerm ap.properties file. T he uriworkerm ap.properties file contains mappings between deployed application URLs and which worker handles requests to them. T he following example file shows the syntax of the file, with a load-balanced configuration. T he wildcard (* ) character sends all requests for various URL sub-directories to the load-balancer called router . T he configuration of the load-balancer is covered in Step 4. Place your uriworkerm ap.properties file into C:\connectors\.
281
4. Create the workers.properties file. T he workers.properties file contains mapping definitions between worker labels and server instances. T he following example file shows the syntax of the file. T he load balancer is configured near the end of the file, to comprise workers worker01 and worker02 . T he workers.properties file follows the syntax of the same file used for Apache mod_jk configuration. For more information about the syntax of the workers.propertie file, refer to Section 13.4.4, Configuration Reference for Apache Mod_jk Workers. Place this file into the C:\connectors\ directory.
# The advanced router LB worker worker.list=router,status # # # # # # # First EAP server definition, port 8009 is standard port for AJP in EAP lbfactor defines how much the worker will be used. The higher the number, the more requests are served lbfactor is useful when one machine is more powerful ping_mode=A all possible probes will be used to determine that connections are still working
worker.worker01.port=8009 worker.worker01.host=127.0.0.1 worker.worker01.type=ajp13 worker.worker01.ping_mode=A worker.worker01.socket_timeout=10 worker.worker01.lbfactor=3 # Second EAP server definition worker.worker02.port=8009 worker.worker02.host= 127.0.0.100 worker.worker02.type=ajp13 worker.worker02.ping_mode=A worker.worker02.socket_timeout=10 worker.worker02.lbfactor=1 # Define the LB worker worker.router.type=lb worker.router.balance_workers=worker01,worker02 # Define the status worker for jkmanager worker.status.type=status
5. Create the rewrite.properties file. T he rewrite.properties file contains simple URL rewriting rules for specific applications. T he rewritten path is specified using name-value pairs, as shown in the example below. Place this file into the C:\connectors\ directory.
#Simple example # Images are accessible under abc path /app-01/abc/=/app-01/images/
6. Restart the IIS server. Follow the appropriate procedure for restarting your IIS server, depending on its version. A. IIS 6
282
B. IIS 7
C:\> net stop was /Y C:\> net start w3svc
Result T he IIS server is configured to send client requests to the JBoss Enterprise Application Platform servers referenced in the workers.properties file, balancing the load equally across the servers. Report a bug
283
Save and exit the file. 3. Configure the iPlanet Web Server to load the NSAPI connector module. Add the following lines to the end of the IPLANET_CONFIG/m agnus.conf file, modifying file paths to suit your configuration. T hese lines define the location of the nsapi_redirector.so module, as well as the workers.properties file, which lists the worker nodes and their properties.
Init fn="load-modules" funcs="jk_init,jk_service" shlib="IPLANET_CONFIG/connectors/lib/nsapi_redirector.so" shlib_flags="(global|now)" Init fn="jk_init" worker_file="IPLANET_CONFIG/connectors/workers.properties" log_level="debug" log_file="IPLANET_CONFIG/config/connectors/nsapi.log" shm_file="IPLANET_CONFIG/conf/connectors/jk_shm"
T he configuration above is for a 32-bit architecture. If you use 64-bit Solaris, change the string lib/nsapi_redirector.so to lib64 /nsapi_redirector.so . Save and exit the file. 4. Configure the NSAPI connector. You can configure the NSAPI connector for a basic configuration, with no load balancing, or a loadbalancing configuration. Choose one of the following options, after which your configuration will be complete. Section 13.7.3, Configure NSAPI as a Basic HT T P Connector Section 13.7.4, Configure NSAPI as a Load-balancing Cluster Report a bug 13.7.3. Configure NSAPI as a Basic HT T P Connector Overview T his task configures the NSAPI connector to redirect client requests to JBoss Enterprise Application Platform servers with no load-balancing or fail-over. T he redirection is done on a per-deployment (and hence per-URL) basis. For a load-balancing configuration, refer to Section 13.7.4, Configure NSAPI as a Load-balancing Cluster instead. Prerequisites You must complete Section 13.7.2, Configure the NSAPI Connector on Oracle Solaris before continuing with the current task. Procedure 13.16. T ask 1. Define the URL paths to redirect to the JBoss Enterprise Application Platform servers. Edit the IPLANET_CONFIG/obj.conf file. Locate the section which starts with <Object nam e="default"> , and add each URL pattern to match, in the format shown by the example file below. T he string jknsapi refers to the HT T P connector which will be defined in the next step. T he example shows the use of wild-cards for pattern matching.
284
from="/status" name="jknsapi" from="/images(|/*)" name="jknsapi" from="/css(|/*)" name="jknsapi" from="/nc(|/*)" name="jknsapi" from="/jmx-console(|/*)" name="jknsapi"
2. Define the worker which serves each path. Continue editing the IPLANET_CONFIG/obj.conf file. Add the following directly after the closing tag of the section you have just finished editing: </Object> .
<Object name="jknsapi"> ObjectType fn=force-type type=text/plain Service fn="jk_service" worker="worker01" path="/status" Service fn="jk_service" worker="worker02" path="/nc(/*)" Service fn="jk_service" worker="worker01" </Object>
T he example above redirects requests to the URL path /status to the worker called worker01 , and all URL paths beneath /nc/ to the worker called worker02 . T he third line indicates that all URLs assigned to the jknsapi object which are not matched by the previous lines are served to worker01 . Save and exit the file. 3. Define the workers and their attributes. Create a file called workers.properties in the IPLANET _CONFIG/connectors/ directory. Paste the following contents into the file, and modify them to suit your environment.
# An entry that lists all the workers defined worker.list=worker01, worker02 # Entries that define the host and port associated with these workers worker.worker01.host=127.0.0.1 worker.worker01.port=8009 worker.worker01.type=ajp13 worker.worker02.host=127.0.0.100 worker.worker02.port=8009 worker.worker02.type=ajp13
T he workers.properties file uses the same syntax as Apache mod_jk. For information about which options are available, refer to Section 13.4.4, Configuration Reference for Apache Mod_jk Workers. Save and exit the file. 4. Restart the iPlanet Web Server. Choose one of the following procedures, depending on whether you run iPlanet Web Server 6.1 or 7.0. A. iPlanet Web Server 6.1
IPLANET_CONFIG/../stop IPLANET_CONFIG/../start
Result iPlanet Web Server now sends client requests to the URLs you have configured to deployments on the JBoss Enterprise Application Platform. Report a bug 13.7.4 . Configure NSAPI as a Load-balancing Cluster Overview
285
from="/status" name="jknsapi" from="/images(|/*)" name="jknsapi" from="/css(|/*)" name="jknsapi" from="/nc(|/*)" name="jknsapi" from="/jmx-console(|/*)" name="jknsapi" from="/jkmanager/*" name="jknsapi"
2. Define the worker that serves each path. Continue editing the IPLANET_CONFIG/obj.conf file. Directly after the closing tag for the section you modified in the previous step (</Object> ), add the following new section and modify it to your needs:
<Object name="jknsapi"> ObjectType fn=force-type type=text/plain Service fn="jk_service" worker="status" path="/jkmanager(/*)" Service fn="jk_service" worker="router" </Object>
T his jksnapi object defines the worker nodes used to serve each path that was mapped to the nam e="jksnapi" mapping in the default object. Everything except for URLs matching /jkm anager/* is redirected to the worker called router . 3. Define the workers and their attributes. Create a file called workers.properties in IPLANET _CONFIG/conf/connector/. Paste the following contents into the file, and modify them to suit your environment.
286
T he workers.properties file uses the same syntax as Apache mod_jk. For information about which options are available, refer to Section 13.4.4, Configuration Reference for Apache Mod_jk Workers. Save and exit the file. 4. Restart the iPlanet Web Server. Choose one of the following procedures, depending on whether you run iPlanet Web Server 6.1 or 7.0. A. iPlanet Web Server 6.1
IPLANET_CONFIG/../stop IPLANET_CONFIG/../start
Result T he iPlanet Web Server redirects the URL patterns you have configured to your JBoss Enterprise Application Platform servers in a load-balancing configuration. Report a bug
287
Report a bug 14 .1.4 . About Acceptors and Connectors HornetQ uses the concept of connectors and acceptors as a key part of the messaging system. Acceptors and Connectors Acceptor
288
T here are two types of connectors and acceptors, relating to the whether the matched connector and acceptor pair occur within same JVM or not. Invm and Netty Invm Invm is short for Intra Virtual Machine. It can be used when both the client and the server are running in the same JVM. Netty T he name of a JBoss project. It must be used when the client and server are running in different JVMs.
A HornetQ client must use a connector that is compatible with one of the server's acceptors. Only an Invm connector can connect to an Invm acceptor, and only a netty connector can connect to a netty acceptor. T he connectors and acceptors are both configured on the server in a standalone.xm l and dom ain.xm l . You can use either the Management Console or the Management CLI to define them.
T he example configuration also shows how the JBoss Enterprise Application Platform 6 implementation of HornetQ uses socket bindings in the acceptor and connector configuration. T his differs from the standalone verson of HornetQ, which requires you to declare the specific hosts and ports. Report a bug 14 .1.5. About Bridges T he function of a bridge is to consume messages from a source queue, and forward them to a target address, typically on a different HornetQ server. Bridges cope with unreliable connections, automatically reconnecting when the connections become available again. HornetQ bridges can be configured with filter expressions to only forward certain messages. Report a bug 14 .1.6. Work with Large Messages HornetQ supports the use of large messages even when either the client or server has limited amounts of memory. Large messages can be streamed as they are, or compressed further for more efficient transferral.
289
Important
HornetQ HA only supports shared stores on GFS2 on SAN.
Report a bug 14 .1.8. Embed HornetQ in Applications T o implement messaging functionality internally within an application, you can directly instantiate HornetQ clients and servers in the application code. T his is called embedding HornetQ. 1. Instantiate the configuration object Instantiate the configuration object either from a configuration file, or by setting configuration parameters programmatically. A. Create the configuration object from a file Use the FileConfigurationIm pl class to set a configuration object based on a file.
import org.hornetq.core.config.Configuration; import org.hornetq.core.config.impl.FileConfiguration; ... Configuration config = new FileConfiguration(); config.setConfigurationUrl(<replaceable>file-url</replaceable>); config.start();
B. Create the configuration object programmatically a. Use the ConfigurationIm pl class to create a configuration object.
import org.hornetq.core.config.Configuration; import org.hornetq.core.config.impl.FileConfiguration; ... Configuration config = new ConfigurationImpl();
2. Instantiate and start the server Use the org.hornetq.api.core.server.HornetQ static methods to create and start a server based on the configuration object.
import org.hornetq.api.core.server.HornetQ; import org.hornetq.core.server.HornetQServer; ... HornetQServer server = HornetQ.newHornetQServer(config); server.start();
Result: An embedded HornetQ instance is instantiated for internal messaging. T o connect clients to the embedded HornetQ, create factories as normal. Report a bug 14 .1.9. Configure the JMS Server
290
T o configure the JMS Server for HornetQ, edit the server configuration file. T he server configuration is contained in the EAP_HOME/dom ain/configuration/dom ain.xm l file for domain servers, or in the EAP_HOME/standalone/configuration/standalone.xm l file for standalone servers. T he <subsystem xm lns="urn:jboss:dom ain:m essaging:1.2"> element contains all JMS configuration. Add any JMS ConnectionFactory, Queue , or T opic instances required for the JNDI. 1. Enable the JMS subsystem in the JBoss Enterprise Application Platform. In the <extensions> element, verify that the following line is present and is not commented out:
<extension module="org.jboss.as.messaging"/>
2. Add the basic JMS subsystem. If the Messaging subsystem is not present in your configuration file, add it. a. Look for the <profile> which corresponds to the profile you use, and locate its <subsystem s> tag. b. Add a new line just beneath the <subsystem s> tag. Paste the following into it:
<subsystem xmlns="urn:jboss:domain:messaging:1.2"> </subsystem>
All further configuration will be added to the empty line above. 3. Add basic configuration for JMS.
<journal-file-size>102400</journal-file-size> <journal-min-files>2</journal-min-files> <journal-type>NIO</journal-type> <!-- disable messaging persistence --> <persistence-enabled>false</persistence-enabled>
Customize the values above to meet your needs. 4. Add connection factory instances to HornetQ T he client uses a JMS ConnectionFactory object to make connections to the server. T o add a JMS connection factory object to HornetQ, include a single <jm s-connection-factories> tag and <connection-factory> element for each connection factory as follows:
<subsystem xmlns="urn:jboss:domain:messaging:1.2"> ... <jms-connection-factories> <connection-factory name="myConnectionFactory"> <connectors> <connector-ref connector-name="netty"/> </connectors> <entries> <entry name="/ConnectionFactory"/> </entries> </connection-factory> </jms-connection-factories> ... </subsystem>
5. Configure the netty connector T his JMS connection factory uses a netty connector. T his is a reference to a connector object deployed in the server configuration file. T he connector object defines the transport and parameters used to actually connect to the server. T o configure the netty connector, include the following settings:
<subsystem xmlns="urn:jboss:domain:messaging:1.2"> ... <connectors> <netty-connector name="netty" socket-binding="messaging"/> <netty-connector name="netty-throughput" socket-binding="messagingthroughput"> <param key="batch-delay" value="50"/> </netty-connector> <in-vm-connector name="in-vm" server-id="0"/> </connectors> ... </subsystem>
291
6. Add queue instances to HornetQ T he client uses a JMS Queue object to stage sent messages for delivery to the server. T o add a JMS queue object to HornetQ, include a <jm s-queue> element as follows:
<subsystem xmlns="urn:jboss:domain:messaging:1.2"> ... <jms-destinations> <jms-queue name="myQueue"> <entry name="/queue/myQueue"/> </jms-queue> </jms-destinations> ...
7. Optional: Add topic instances to HornetQ T he client uses a JMS T opic object to manage messages for multiple subscribers. T o add a JMS topic object, include a <topic> element as follows:
<subsystem xmlns="urn:jboss:domain:messaging:1.2"> ... <jms-topic name="myTopic"> <entry name="/topic/myTopic"/> </jms-topic> ...
8. Perform additional configuration If you need additional settings, review the DT D in EAP_HOME/docs/schem a/jbossm essaging_1_2.xsd . Report a bug 14 .1.10. About Java Naming and Directory Interface (JNDI) T he Java Naming and Directory Interface (JNDI) is a standard Java API for naming and directory services. It allows Java-based technologies to discover and organize named components in a distributed computing environment. Report a bug 14 .1.11. Configure JNDI for HornetQ Prerequisites Section 2.6.2, Start JBoss Enterprise Application Platform 6 as a Standalone Server Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI Procedure 14 .1. T ask When the JBoss Enterprise Application Platform runs as a managed domain, a JNDI server is provided and does not need configuration. Follow this procedure to configure the JNDIServer bean for HornetQ when the JBoss Enterprise Application Server is running as a standalone server. 1. Set the JNDI properties on the client side T he JNDI properties tell the JNDI client where to locate the JNDI server. T he properties can be specified in a file named jndi.properties on the client classpath, or declared directly when
292
hostname is the hostname or IP address of the JNDI server. 2. Configure the JNDI server ports a. Navigate to the Socket Binding Groups panel in the Management Console Select the General Configuration Socket Binding Groups option from the menu on the left of the console. T he Socket Binding Groups panel for the selected server appears. b. Edit the JNDI Socket Binding Select jndi from the Socket Binding Declarations table, then select the Edit button in the Socket Binding section below. Configure the following settings: and Multicast Port settings. Select the Save button when done. Port:1099 Multicast Port:1098 Result T he JNDI server is now configured for HornetQ. Report a bug 14 .1.12. Configure JMS Address Settings T he JMS subsystem has several configurable options which control aspects of how and when a message is delivered, how many attempts should be made, and when the message expires. T hese configuration options all exist within the <address-settings> configuration element. A common feature of address configurations is the syntax for matching multiple addresses, also known as wild cards. Wildcard Syntax Address wildcards can be used to match multiple similar addresses with a single statement, similar to how many systems use the asterisk ( * ) character to match multiple files or strings with a single search. T he following characters have special significance in a wildcard statement. T able 14 .1. JMS Wildcard Syntax Character . (a single period) # (a pound or hash symbol) * (an asterisk) Description Denotes the space between words in a wildcard expression. Matches any sequence of zero or more words. Matches a single word.
T able 14 .2. JMS Wildcard Examples Example news.europe.# Description Matches news.europe , news.europe.sport, news.europe.politic , but not news.usa or europe . Matches news.europe but not news.europe.sport. Matches news.europe.sport and news.usa.sport, but not news.europe.politics.
news. news.*.sport
293
Example 14 .2. Default Address Setting Configuration T he values in this example are used to illustrate the rest of this topic.
<address-settings> <!--default for catch all--> <address-setting match="#"> <dead-letter-address>jms.queue.DLQ</dead-letter-address> <expiry-address>jms.queue.ExpiryQueue</expiry-address> <redelivery-delay>0</redelivery-delay> <max-size-bytes>10485760</max-size-bytes> <address-full-policy>BLOCK</address-full-policy> <message-counter-history-day-limit>10</message-counter-history-daylimit> </address-setting> </address-settings>
294
Element
T able 14 .3. Description of JMS Address Settings Description Determines what happens when an address where maxsize-bytes is specified becomes full. If a dead letter address is specified, messages are moved to the dead letter address if m axdelivery-attem pts delivery attempts have failed. Otherwise, these undelivered messages are discarded. Wildcards are allowed. If the expiry address is present, expired messages are sent to the address or addresses matched by it, instead of being discarded. Wildcards are allowed. Defines whether a queue only uses last values or not. T he maximum number of times to attempt to re-deliver a message before it is sent to dead-letteraddress or discarded. T he maximum bytes size. Day limit for the message counter history. T he number of page files to keep in memory to optimize IO during paging navigation. T he paging size. T ime to delay between re-delivery attempts of messages, expressed in milliseconds. If set to 0 , re-delivery attempts occur indefinitely. Defines how long to wait when the last consumer is closed on a queue before redistributing any messages. A parameter for an address that sets the condition of a message not ruoted to any queues to instead be sent the to the dead letter address (DLA) indicated for that address. Default Value PAGE T ype ST RING address-fullpolicy
dead-letteraddress
jms.queue.DLQ
ST RING
expiry-address
jms.queue.ExpiryQueue
ST RING
last-value-queue
false
BOOLEAN
m ax-deliveryattem pts
10
INT
10485760L 10
LONG INT
INT
page-size-bytes redelivery-delay
5 0L
INT LONG
redistributiondelay
-1L
LONG
send-to-dla-onno-route
false
BOOLEAN
295
Configure Address Setting and Pattern Attributes Choose either the Management CLI or the Management Console to configure your pattern attributes as required. A. Configure the Address Settings Using the Management CLI Use the Management CLI to configure address settings. 1. Add a New Pattern Use the add operation to create a new address setting if required. You can run this command from the root of the Management CLI session, which in the following examples creates a new pattern titled patternname, with a m ax-delivery-attem pts attribute declared as 5. T he examples for both Standalone Server and a Managed Domain editing on the full profile are shown.
[domain@localhost:9999 /] /profile=full/subsystem=messaging/hornetqserver=default/address-setting=patternname/:add(max-delivery-attempts=5) [standalone@localhost:9999 /] /subsystem=messaging/hornetqserver=default/address-setting=patternname/:add(max-delivery-attempts=5)
2. Edit Pattern Attributes Use the write operation to write a new value to an attribute. You can use tab completion to help complete the command string as you type, as well as to expose the available attributes. T he following example updates the m ax-delivery-attem pts value to 10
[domain@localhost:9999 /] /profile=full/subsystem=messaging/hornetqserver=default/address-setting=patternname/:write-attribute(name=maxdelivery-attempts,value=10) [standalone@localhost:9999 /] /subsystem=messaging/hornetqserver=default/address-setting=patternname/:write-attribute(name=maxdelivery-attempts,value=10)
3. Confirm Pattern Attributes Confirm the values are changed by running the read-resource operation with the include-runtim e=true parameter to expose all current values active in the server model.
[domain@localhost:9999 /] /profile=full/subsystem=messaging/hornetqserver=default/address-setting=patternname/:read-resource [standalone@localhost:9999 /] /subsystem=messaging/hornetqserver=default/address-setting=patternname/:read-resource
B. Configure the Address Settings Using the Management Console Use the Management Console to configure address settings. 1. Log into the Management Console. Log into the Management Console of your Managed Domain or Standalone Server. 2. If you use a Managed Domain, choose the correct profile. Select the Profiles tab at the top right, and then select the correct profile from the Profile menu at the top left of the next screen. Only the full and full-ha profiles have the m essaging subsystem enabled. 3. Select the Messaging item from the navigation menu. Expand the Messaging menu item from the navigation menu, and click Destinations. 4. View the JMS Provider. A list of JMS Providers is shown. In the default configuration, only one provider, called default, is shown. Click the View link to view the detailed settings for this provider. 5. View the Address Settings. Click the Addressing tab. Either add a new pattern by clicking the Add button, or edit an existing one by clicking its name and clicking the Edit button. 6. Configure the options. If you are adding a new pattern, the Pattern field refers to the m atch parameter of the address-setting element. You can also edit the Dead Letter Address, Expiry Address, Redelivery Delay, and Max Delivery Attem pts. Other options need to be configured using the Management CLI.
296
Report a bug 14 .1.13. Reference for HornetQ Configuration Attributes T he JBoss Enterprise Application Platform 6 implementation of HornetQ exposes the following attributes for configuration. You can use the Management CLI in particular to exposure the configurable or viewable attributes with the read-resource operation.
297
-1 25 false 10 10000
298
m essage-expiryscan-period m essage-expirythread-priority page-m axconcurrent-io perf-blast-pages persist-deliverycount-beforedelivery persist-id-cache persistenceenabled rem otinginterceptors run-sync-speedtest scheduled-threadpool-m ax-size security-dom ain security-enabled securityinvalidationinterval server-dum pinterval shared-store started thread-pool-m axsize transactiontim eout transactiontim eout-scanperiod version
ST RING
wild-cardrouting-enabled
BOOLEAN
Report a bug 14 .1.14 . Configure Messaging with HornetQ T he recommended method of configuring messaging in JBoss Enterprise Application Platform 6 is in either the Management Console or Management CLI. You can make persistent changes with either of these management tools without needing to manually edit the standalone.xm l or dom ain.xm l configuration files. It is useful however to familiarise yourself with the messaging components of the default configuration files, where documentation examples using management tools give configuration file snippets for reference. Report a bug 14 .1.15. Configure Delayed Redelivery Introduction Delayed redelivery is defined in the <redelivery-delay> element, which is a child element of the <address-setting> configuration element in the Java Messaging Service (JMS) subsystem configuration.
299
<!-- delay redelivery of messages for 5s --> <address-setting match="jms.queue.exampleQueue"> <redelivery-delay>5000</redelivery-delay> </address-setting>
If a redelivery delay is specified, the JMS system waits for the duration of this delay before redelivering the messages. If <redelivery-delay> is set to 0 , there is no redelivery delay. Address wildcards can be used on the <address-setting-m atch> element to configure the redelivery delay for addresses which match the wildcard. Report a bug 14 .1.16. Configure Dead Letter Addresses Introduction A dead letter address is defined in the <address-setting> element of the Java Messaging Service (JMS) subsystem configuration.
<!-- undelivered messages in exampleQueue will be sent to the dead letter address deadLetterQueue after 3 unsuccessful delivery attempts --> <address-setting match="jms.queue.exampleQueue"> <dead-letter-address>jms.queue.deadLetterQueue</dead-letter-address> <max-delivery-attempts>3</max-delivery-attempts> </address-setting>
If a <dead-letter-address> is not specified, messages are removed after trying to deliver <m axdelivery-attem pts> times. By default, messages delivery is attempted 10 times. Setting <m axdelivery-attem pts> to -1 allows infinite redelivery attempts. For example, a dead letter can be set globally for a set of matching addresses and you can set <m ax-delivery-attem pts> to -1 for a specific address setting to allow infinite redelivery attempts only for this address. Address wildcards can also be used to configure dead letter settings for a set of addresses. Report a bug 14 .1.17. Configure Message Expiry Addresses Introduction Message expiry addresses are defined in the address-setting configuration of the Java Messaging Service (JMS). For example:
<!-- expired messages in exampleQueue will be sent to the expiry address expiryQueue --> <address-setting match="jms.queue.exampleQueue"> <expiry-address>jms.queue.expiryQueue</expiry-address> </address-setting>
If messages are expired and no expiry address is specified, messages are simply removed from the queue and dropped. Address wildcards can also be used to configure specific ranges of an expiry address for a set of addresses. Address Wildcards Address wildcards can be used to match multiple similar addresses with a single statement, similar to how many systems use the asterisk (* ) character to match multiple files or strings with a single search. T he following characters have special significance in a wildcard statement. T able 14 .5. JMS Wildcard Syntax Character . (a single period) # (a pound or hash symbol) * (an asterisk) Description Denotes the space between words in a wildcard expression. Matches any sequence of zero or more words. Matches a single word.
300
T able 14 .6. JMS Wildcard Examples Example news.europe.# Description Matches news.europe , news.europe.sport, news.europe.politic , but not news.usa or europe . Matches news.europe but not news.europe.sport. Matches news.europe.sport and news.usa.sport, but not news.europe.politics.
news. news.*.sport
Report a bug 14 .1.18. Set Message Expiry Introduction Using HornetQ Core API, the expiration time can be set directly on the message. For example:
// message will expire in 5000ms from now message.setExpiration(System.currentTimeMillis() + 5000);
JMS MessageProducer JMS MessageProducer includes a T im eT oLive parameter which controls message expiry for the messages it sends::
// messages sent by this producer will be retained for 5s (5000ms) before expiration producer.setTimeToLive(5000);
Expired messages which are consumed from an expiry address have the following properties: _HQ_ORIG_ADDRESS A string property containing the original address of the expired message. _HQ_ACT UAL_EXPIRY A long property containing the actual expiration time of the expired message. Report a bug
301
Note
In order for the T M options to be visible in the Management Console or Management CLI, the transactions subsystem must be enabled. It is enabled by default, and required for many other subsystems to function properly, so it is very unlikely that it would be disabled.
Configure the T M Using the Management Console T o configure the T M using the web-based Management Console, select the Runtim e tab from the list in the upper left side of the Management Console screen. If you use a managed domain, you have the choice of several profiles. Choose the correct one from the Profile selection box at the upper right of the Profiles screen. Expand the Container menu and select T ransactions. Most options are shown in the T ransaction Manager configuration page. T he Recovery options are hidden by default. Click the Recovery header to expand them. Click the Edit button to edit any of the options. Changes take effect immediately. Click the Need Help? label to display in-line help text. Configure the T M using the Management CLI In the Management CLI, you can configure the T M using a series of commands. T he commands all begin with /profile=default/subsystem =transactions/ for a managed domain with profile default, or /subsystem =transactions for a Standalone Server.
302
Option
T able 15.1. T M Configuration Options Description Whether to enable transaction statistics. T hese statistics can be viewed in the Management Console in the Subsystem Metrics section of the Runtim e tab. Whether to enable the transaction status manager (T SM) service, which is used for out-of-process recovery. T he default transaction timeout. T his defaults to 300 seconds. You can override this programmatically, on a pertransaction basis. T he relative or absolute filesystem path where the transaction manager core stores data. By default the value is a path relative to the value of the relative-to attribute. References a global path configuration in the domain model. T he default value is the data directory for JBoss Enterprise Application Platform 6, which is the value of the property jboss.server.data.dir , and defaults to EAP_HOME/dom ain/data/ for a Managed Domain, or EAP_HOME/standalone/data / for a Standalone Server instance. T he value of the path T M attribute is relative to this path. Use an empty string to disable the default behavior and force the value of the path attribute to be treated as an absolute path. A relative or absolute filesystem path where the T M object store stores data. By default relative to the object-storerelative-to parameter's value. References a global path configuration in the domain model. T he default value is the data directory for JBoss Enterprise Application Platform 6, which is the value of the property jboss.server.data.dir , and defaults to EAP_HOME/dom ain/data/ for a Managed Domain, or EAP_HOME/standalone/data / for a Standalone Server instance. T he value of the path T M attribute is relative to this path. Use an empty string to disable the default behavior and CLI Command /profile=default/subsyst em =transactions/:writeattribute(nam e=enablestatistics,value=true) Enable Statistics
Enable T SM Status
/profile=default/subsyst em =transactions/:writeattribute(nam e=enabletsm -status,value=false) /profile=default/subsyst em =transactions/:writeattribute(nam e=defaulttim eout,value=300) /profile=default/subsyst em =transactions/:writeattribute(nam e=path,val ue=var)
Default T imeout
Path
Relative T o
303
Recovery Listener
Whether or not the T ransaction Recovery process should listen on a network socket. Defaults to false .
T he following options are for advanced use and can only be modified using the Management CLI. Be cautious when changing them from the default configuration. Contact Red Hat Global Support Services for more information.
304
Option jts
T able 15.2. Advanced T M Configuration Options Description Whether to use Java T ransaction Service (JT S) transactions. Defaults to false , which uses JT A transactions only. T he node identifier for the JT S service. T his should be unique per JT S service, because the T ransaction Manager uses this for recovery. T he T ransaction Manager creates a unique identifier for each transaction log. T wo different mechanisms are provided for generating unique identifiers: a socket-based mechanism and a mechanism based on the process identifier of the process. In the case of the socket-based identifier, a socket is opened and its port number is used for the identifier. If the port is already in use, the next port is probed, until a free one is found. T he process-id-socketm ax-ports represents the maximum number of sockets the T M will try before failing. T he default value is 10 . process-id-uuid Set to true to use the process identifier to create a unique identifier for each transaction. Otherwise, the socket-based mechanism is used. Defaults to true . Refer to process-idsocket-m ax-ports for more information. Use HornetQ's journaled storage mechanisms instead of file-based storage, for the transaction logs. T his is disabled by default, but can improve I/O performance. It is not recommended for JT S transactions on separate T ransaction Managers. If you enable this, also change the log-store value to hornetq . Set to default if you use the file-system-based object store, or hornetq if you use the HornetQ journaling storage mechanism. If you set this to hornetq , also set usehornetq-store to true . /profile=default/subsyst em =transactions/:writeattribute(nam e=processid-uuid,value=true) CLI Command /profile=default/subsyst em =transactions/:writeattribute(nam e=jts,value =false) /profile=default/subsyst em =transactions/:writeattribute(nam e=nodeidentifier,value=1) /profile=default/subsyst em =transactions/:writeattribute(nam e=processid-socket-m axports,value=10)
node-identifier
process-id-socket-max-ports
use-hornetq-store
log-store
Report a bug 15.1.3. Configure Your Datasource to Use JT A T ransactions T ask Summary
305
3. Set the jta attribute to true . Add the following to the contents of your <datasource> tag, as they appear in the previous step: jta="true" 4. Save the configuration file. Save the configuration file and exit the text editor. 5. Start the JBoss Enterprise Application Platform. Relaunch the JBoss Enterprise Application Platform 6 server. Result: T he JBoss Enterprise Application Platform starts, and your datasource is configured to use JT A transactions. Report a bug 15.1.4 . Configure an XA Datasource T ask Prerequisites: In order to add an XA Datasource, you need to log into the Management Console. See Section 3.2.2, Log in to the Management Console for more information. 1. Add a new datasource. Add a new datasource to the JBoss Enterprise Application Platform. Follow the instructions in Section 6.3.1, Create a Non-XA Datasource with the Management Interfaces, but click the XA Datasource tab at the top. 2. Configure additional properties as appropriate. All datasource parameters are listed in Section 6.6.1, Datasource Parameters. Result:
306
Your XA Datasource is configured and ready to use. Report a bug 15.1.5. About T ransaction Log Messages T o track transaction status while keeping the log files readable, use the DEBUG log level for the transaction logger. For detailed debugging, use the T RACE log level. Refer to Section 15.1.6, Configure Logging for the T ransaction Subsystem for information on configuring the transaction logger. T he transaction manager can generate a lot of logging information when configured to log in the T RACE log level. Following are some of the most commonly-seen messages. T his list is not comprehensive, so you may see other messages than these. T able 15.3. T ransaction State Change T ransaction Begin When a transaction begins the following code is executed:
com.arjuna.ats.arjuna.coordinator.Basic Action::Begin:1342 tsLogger.logger.trace("BasicAction::Be gin() for action-id "+ get_uid());
T ransaction Commit
T ransaction Rollback
T ransaction T imeout
Report a bug 15.1.6. Configure Logging for the T ransaction Subsystem T ask Summary Use this procedure to control the amount of information logged about transactions, independent of other logging settings in the JBoss Enterprise Application Platform. T he main procedure shows how to do this in the web-based Management Console. T he Management CLI command is given afterward.
307
Example 15.1. Refresh the Log Store T his command refreshes the Log Store for server groups which use the profile default in a managed domain. For a standalone server, remove the profile=default from the command.
/profile=default/subsystem=transactions/log-store=log-store/:probe
308
Example 15.2. View All Prepared T ransactions T o view all prepared transactions, first refresh the log store (see Example 15.1, Refresh the Log Store), then run the following command, which functions similarly to a filesystem ls command.
ls /profile=default/subsystem=transactions/log-store=log-store/transactions
Each transaction is shown, along with its unique identifier. Individual operations can be run against an individual transaction (see Manage a T ransaction).
Manage a T ransaction View a transaction's attributes. T o view information about a transaction, such as its JNDI name, EIS product name and version, or its status, use the :read-resource CLI command.
/profile=default/subsystem=transactions/log-store=logstore/transactions=0\:ffff7f000001\:-b66efc2\:4f9e6f8f\:9:read-resource
View the participants of a transaction. Each transaction log contains a child element called participants. Use the readresource CLI command on this element to see the participants of the transaction. Participants are identified by their JNDI names.
/profile=default/subsystem=transactions/log-store=logstore/transactions=0\:ffff7f000001\:b66efc2\:4f9e6f8f\:9/participants=java\:\/JmsXA:read-resource
T he outcome status shown here is in a HEURIST IC state and is eligible for recover. Refer to Recover a transaction. for more details. Delete a transaction. Each transaction log supports a :delete operation, to delete the transaction log representing the transaction.
/profile=default/subsystem=transactions/log-store=logstore/transactions=0\:ffff7f000001\:-b66efc2\:4f9e6f8f\:9:delete
Recover a transaction. Each transaction log supports recovery via the :recover CLI command. Recovery of Heuristic T ransactions and Participants If the transaction's status is HEURIST IC , the recovery operation changes the state to PREPARE and triggers a recovery. If one of the transaction's participants is heuristic, the recovery operation tries to reply the com m it operation. If successful, the participant is removed from the transaction log. You can verify this by re-running the :probe operation on the log-store and checking that the participant is no longer listed. If this is the last participant, the transaction is also deleted.
309
Refresh the status of a transaction which needs recovery. If a transaction needs recovery, you can use the :refresh CLI command to be sure it still requires recovery, before attempting the recovery.
/profile=default/subsystem=transactions/log-store=logstore/transactions=0\:ffff7f000001\:-b66efc2\:4f9e6f8f\:9:refresh
View T ransaction Statistics You can view statistics about the T ransaction Manager and transaction subsystem either via the webbased Management Console or the command-line Management CLI. In the web-based Management Console, T ransaction statistics are available via Runtime Subsystem Metrics T ransactions. T ransaction statistics are available for each server in a managed domain, as well. You can specify the server in the Server selection box at the top left. T he following table shows each available statistic, its description, and the CLI command to view the statistic.
310
T able 15.4 . T ransaction Subsystem Statistics Statistic T otal Description T he total number of transactions processed by the T ransaction Manager on this server. CLI Command
/host=master/server=ser verone/subsystem=transactio ns/:readattribute(name=numberof-transactions,includedefaults=true)
Committed
Aborted
T imed Out
T he number of timed out transactions processed by the T ransaction Manager on this server.
Heuristics
In-Flight T ransactions
Not available in the Management Console. Number of transactions which have begun but not yet terminated.
T he number of failed
311
Report a bug
Note
In a managed domain, the JacORB subsystem is available in full and full-ha profiles only. In a standalone server, it is available when you use the standalone-full.xm l or standalone-full-ha.xm l configurations.
Procedure 15.3. Configure the ORB using the Management Console 1. View the profile settings. Select Profiles (managed domain) or Profile (standalone server) from the top right of the management console. If you use a managed domain, select either the full or full-ha profile from the selection box at the top left. 2. Modify the Initializers Settings
312
3. Advanced ORB Configuration Refer to the other sections of the form for advanced configuration options. Each section includes a Need Help? link with detailed information about the parameters. Configure the ORB using the Management CLI You can configure each aspect of the ORB using the Management CLI. T he following commands configure the initializers to the same values as the procedure above, for the Management Console. T his is the minimum configuration for the ORB to be used with JT S. T hese commands are configured for a managed domain using the full profile. If necessary, change the profile to suit the one you need to configure. If you use a standalone server, omit the /profile=full portion of the commands.
Report a bug
313
Figure 16.1. EJB Configuration Options in the Management Console (Standalone Server)
Report a bug 16.1.3. Enterprise Beans Enterprise beans are server-side application components as defined in the Enterprise JavaBeans (EJB) 3.1 specification, JSR-318. Enterprise beans are designed for the implementation of application business logic in a decoupled manner to encourage reuse.
314
Enterprise beans are written as Java classes and annotated with the appropriate EJB annotations. T hey can be deployed to the application server in their own archive (a JAR file) or be deployed as part of a Java EE application. T he application server manages the lifecycle of each enterprise bean and provides services to them such as security, transactions, and concurrency management. An enterprise bean can also define any number of business interfaces. Business interfaces provide greater control over which of the bean's methods are available to clients and can also allow access to clients running in remote JVMs. T here are three types of Enterprise Bean: Session beans, Message-driven beans and Entity beans.
Important
Entity beans are now deprecated in EJB 3.1 and Red Hat recommends the use of JPA entities instead. Red Hat only recommends the use of Entity beans for backwards compatibility with legacy systems.
Report a bug 16.1.4 . Session Beans Session Beans are Enterprise Beans that encapsulate a set of related business processes or tasks and are injected into the classes that request them. T here are three types of session bean: stateless, stateful, and singleton. Report a bug 16.1.5. Message-Driven Beans Message-driven Beans (MDBs) provide an event driven model for application development. T he methods of MDBs are not injected into or invoked from client code but are triggered by the receipt of messages from a messaging service such as a Java Messaging Service (JMS) server. T he Java EE 6 specification requires that JMS is supported but other messaging systems can be supported as well. Report a bug
315
Figure 16.2. EJB3 Bean Pools Panel 3. Click the Add button. T he Add EJB3 Bean Pools dialog appears. 4. Specify the required details, Nam e , Max Pool Size , T im eout value, and T im eout unit. 5. Click on the Save button to save the new bean pool or click the Cancel link to abort the procedure. If you click the Save button, the dialog will close and the new bean pool will appear in the list. If you click Cancel , the dialog will close and no new bean pool will be created. Procedure 16.2. Create a bean pool using the CLI 1. Launch the CLI tool and connect to your server. Refer to Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI. 2. Use the add operation with the following syntax.
/subsystem=ejb3/strict-max-bean-instance-pool=BEANPOOLNAME:add(max-poolsize=MAXSIZE, timeout=TIMEOUT, timeout-unit="UNIT")
Replace BEANPOOLNAME with the required name for the bean pool. Replace MAXSIZE with the maximum size of the bean pool. Replace TIMEOUT Replace UNIT with the required time unit. Allowed values are: NANOSECONDS , MICROSECONDS , MILLISECONDS , SECONDS , MINUT ES , HOURS , and DAYS . 3. Use the read-resource operation to confirm the creation of the bean pool.
/subsystem=ejb3/strict-max-bean-instance-pool=BEANPOOLNAME:read-resource
316
Report a bug 16.2.3. Remove a Bean Pool Unused bean pools can be removed using the Management Console. Prerequisites: T he bean pool that you want to remove cannot be in use. Refer to Section 16.2.5, Assign Bean Pools for Session and Message-Driven Beans to ensure that it is not being used. Procedure 16.3. Remove a bean pool using the Management Console 1. Login to the Management Console. Refer to Section 3.2.2, Log in to the Management Console. 2. Click on Profile in the top right, expand the Container item in the Profile panel on the left and select EJB 3. T hen select the Bean Pools tab from the main panel.
Figure 16.3. EJB3 Bean Pools Panel 3. Select the bean pool to remove in the list. 4. Click the Rem ove button. T he Rem ove Item dialog appears. 5. Click the OK button to confirm deletion or click the Cancel link to abort the operation. If you click the Ok button, the dialog will close and the bean pool will be deleted and removed from the list. If you click Cancel, the dialog will close and no changes will be made. Procedure 16.4 . Remove a bean pool using the CLI 1. Launch the CLI tool and connect to your server. Refer to Section 3.3.4, Connect to a Managed
317
Replace BEANPOOLNAME with the required name for the bean pool.
Report a bug 16.2.4 . Edit a Bean Pool Bean pools can be edited using the Management Console. Procedure 16.5. Edit a bean pool using the Management Console 1. Login to the Management Console. Section 3.2.2, Log in to the Management Console 2. Click on Profile in the top right, expand the Container item in the Profile panel on the left and select EJB 3. T hen select the Bean Pools tab from the main panel.
Figure 16.4 . EJB3 Bean Pools Panel 3. Click on the bean pool you wish to edit from the list. 4. Click the Edit button. T he fields in the Details area are now editable. 5. Edit the details you want to change. Only Max Pool Size , T im eout value, and T im eout unit can be changed. 6. Click the Save button if you are satisfied with the changes, or click the Cancel link if you want to discard the changes. If you click the Ok button, the Details area will change back to it's non-editable form and the bean pool will be updated with the new details. If you click the Cancel link, the Details area will change back to it's non-editable form and no changes will be made. Procedure 16.6. Edit a bean pool using the CLI 1. Launch the CLI tool and connect to your server. Refer to Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI. 2. Use the write_attribute operation with the following syntax for each attribute of the bean pool to be changed.
/subsystem=ejb3/strict-max-bean-instance-pool=BEANPOOLNAME:writeattribute(name="ATTRIBUTE", value="VALUE")
318
3. Use the read-resource operation to confirm the changes to the bean pool.
/subsystem=ejb3/strict-max-bean-instance-pool=BEANPOOLNAME:read-resource
Example 16.4 . Set the T imeout Value of a Bean Pool using the CLI
[standalone@localhost:9999 /] /subsystem=ejb3/strict-max-bean-instancepool=HSBeanPool:write-attribute(name="timeout", value="1500") {"outcome" => "success"} [standalone@localhost:9999 /]
Report a bug 16.2.5. Assign Bean Pools for Session and Message-Driven Beans JBoss Administrators can assign individual bean pools for use by session beans and message-driven beans. Bean pools can be assigned by using the Management Console or the CLI tool. By default two bean pools are provided, slsb-strict-m ax-pool and m db-strict-m ax-pool for stateless session beans and message-driven beans respectively. T o create or edit bean pools, refer to Section 16.2.2, Create a Bean Pool and Section 16.2.4, Edit a Bean Pool. Procedure 16.7. Assign Bean Pools for Session and Message-Driven Beans using the Management Console 1. Login to the Management Console. Section 3.2.2, Log in to the Management Console 2. Navigate to the EJB3 Container Configuration panel.
Figure 16.5. EJB3 Container Configuration panel in the Management Console (Standalone Server) 3. Click the Edit button. T he fields in the Details area are now editable. 4. Select the bean pool to use for each type of bean from the appropriate combo-box. 5. Click the Save button to keep the changes, or click the Cancel link to discard them. 6. T he Details area will now be non-editable and display the correct bean pool selection. Procedure 16.8. Assign Bean Pools for Session and Message-Driven Beans using the CLI 1. Launch the CLI tool and connect to your server. Refer to Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI. 2. Use the write-attribute operation with the following syntax.
319
Replace BEANTYPE with default-m db-instance-pool for Message-Driven Beans or default-slsb-instance-pool for stateless session beans. Replace BEANPOOL with the name of the bean pool to assign. 3. Use the read-resource operation to confirm the changes.
/subsystem=ejb3:read-resource
Example 16.5. Assign a Bean Pool for Session Beans using the CLI
[standalone@localhost:9999 /] /subsystem=ejb3:write-attribute(name="default-slsbinstance-pool", value="LV_SLSB_POOL") {"outcome" => "success"} [standalone@localhost:9999 /]
</subsystem>
Report a bug
320
Figure 16.6. EJB3 T hread Pools Panel 3. Click the Add button. T he Add EJB3 T hread Pools dialog appears. 4. Specify the required details, Nam e , Max. T hreads, and Keep-Alive T im eout value. 5. Click on the Save button to save the new thread pool or click the Cancel link to abort the procedure. If you click the Save button, the dialog will close and the new thread pool will appear in the list. If you click Cancel , the dialog will close and no new thread pool will be created. Procedure 16.10. Create a T hread Pool using the CLI 1. Launch the CLI tool and connect to your server. Refer to Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI. 2. Use the add operation with the following syntax.
/subsystem=ejb3/thread-pool=THREADPOOLNAME:add(max-threads=MAXSIZE, keepalive-time={"time"=>"TIME", "unit"=>UNIT"})
Replace THREADPOOLNAME with the required name for the thread pool. Replace MAXSIZE with the maximum size of the thread pool. Replace UNIT with the required time unit to be used for the required keep-alive time. Allowed values are: NANOSECONDS , MICROSECONDS , MILLISECONDS , SECONDS , MINUT ES , HOURS , and DAYS . Replace TIME with the integer value of the required keep-alive time. T his value is a number of UNITs. 3. Use the read-resource operation to confirm the creation of the bean pool.
/subsystem=ejb3/strict-max-bean-instance-pool=THREADPOOLNAME:read-resource
321
Report a bug 16.3.3. Remove a T hread Pool Unused EJB thread pools can be removed using the Management Console. Prerequisites T he thread pool that you want to remove cannot be in use. Refer to the following tasks to ensure that the thread pool is not in use: Section 16.6.2, Configure the EJB3 timer Service Section 16.7.2, Configure the EJB3 Asynchronous Invocation Service T hread Pool Section 16.8.2, Configure the EJB3 Remote Service Procedure 16.11. Remove an EJB thread pool using the Management Console 1. Login to the Management Console. Section 3.2.2, Log in to the Management Console. 2. Click on Profile in the top right, expand the Container item in the Profile panel on the left and select EJB 3. T hen select the T hread Pools tab from the main panel.
Figure 16.7. EJB3 T hread Pools Panel 3. Select the thread pool to remove in the list. 4. Click the Rem ove button. T he Rem ove Item dialog appears. 5. Click the OK button to confirm deletion or click the Cancel link to abort the operation. If you click the Ok button, the dialog will close and the thread pool will be deleted and removed from the list. If you click Cancel , the dialog will close and no changes will be made. Procedure 16.12. Remove a thread pool using the CLI 1. Launch the CLI tool and connect to your server. Refer to Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI. 2. Use the rem ove operation with the following syntax.
/subsystem=ejb3/thread-pool=THREADPOOLNAME:remove
322
JBoss Administrators can edit T hread Pools using the Management Console and the CLI. Procedure 16.13. Edit a T hread Pool using the Management Console 1. Login Login to the Management Console. 2. Navigate to the EJB3 T hread Pools T ab Click on Profile in the top right, expand the Container item in the Profile panel on the left and select EJB 3. T hen select the T hread Pools tab from the main panel.
Figure 16.8. EJB3 T hread Pools T ab 3. Select the T hread Pool to Edit Select the thread pool you wish to edit from the list. 4. Click the Edit button T he fields in the Details area are now editable. 5. Edit Details Edit the details you want to change. Only the T hread Factory, Max T hreads, Keepalive T im eout, and Keepalive T im eout Unit values can be edited. 6. Save or Cancel Click the Save button if you are satisfied with the changes, or click the Cancel link if you want to discard the changes. Procedure 16.14 . Edit a thread pool using the CLI 1. Launch the CLI tool and connect to your server. Refer to Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI. 2. Use the write_attribute operation with the following syntax for each attribute of the thread pool to be changed.
/subsystem=ejb3/thread-pool=THREADPOOLNAME:write-attribute(name="ATTRIBUTE", value="VALUE")
Replace THREADPOOLNAME with the name of the thread pool. Replace ATTRIBUTE with the name of the attribute to be edited. T he attributes that can be edited in this way are keepalive-tim e , m ax-threads, and thread-factory. Replace VALUE with the required value of the attribute. 3. Use the read-resource operation to confirm the changes to the thread pool.
/subsystem=ejb3/thread-pool=THREADPOOLNAME:read-resource
323
Important
When changing the value of the keepalive-tim e attribute with the CLI the required value is an object representation. It has the following syntax.
/subsystem=ejb3/thread-pool=THREADPOOLNAME:write-attribute(name="keepalivetime", value={"time" => "VALUE","unit" => "UNIT"}
Example 16.10. Set the Maxsize Value of a T hread Pool using the CLI
[standalone@localhost:9999 /] /subsystem=ejb3/thread-pool=HSThreads:writeattribute(name="max-threads", value="50") {"outcome" => "success"} [standalone@localhost:9999 /]
Example 16.11. Set the keepalive-tim e T ime Value of a T hread Pool using the CLI
[standalone@localhost:9999 /] /subsystem=ejb3/thread-pool=HSThreads:writeattribute(name="keepalive-time", value={"time"=>"150"}) {"outcome" => "success"} [standalone@localhost:9999 /]
Report a bug
324
Figure 16.9. EJB3 Container Configuration panel in the Management Console (Standalone Server) 3. Click the Edit button. T he fields in the Details area are now editable. 4. Enter the required values in the Stateful Access T im eout and/or Singleton Access T im eout text boxes. 5. Click the Save button to keep the changes, or click the Cancel link to discard them. 6. T he Details area will now be non-editable and display the correct timeout values. Procedure 16.16. Set Session Bean Access T imeout Values Using the CLI 1. Launch the CLI tool and connect to your server. Refer to Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI. 2. Use the write-attribute operation with the following syntax.
/subsystem=ejb3:write-attribute(name="BEANTYPE", value=TIME)
Replace BEANTYPE with default-stateful-bean-access-tim eout for Stateful Session Beans, or default-singleton-bean-access-tim eout for Singleton Session Beans. Replace TIME with the required timeout value. 3. Use the read-resource operation to confirm the changes.
/subsystem=ejb3:read-resource
Example 16.12. Setting the Default Stateful Bean Access T imeout value to 9000 with the CLI
[standalone@localhost:9999 /] /subsystem=ejb3:write-attribute(name="defaultstateful-bean-access-timeout", value=9000) {"outcome" => "success"} [standalone@localhost:9999 /]
Report a bug
325
Figure 16.10. EJB3 Container Configuration panel in the Management Console (Standalone Server) 3. Click the Edit button. T he fields in the Details area are now editable. 4. Enter the name of the resource adapter to be used in the Default Resource Adapter text box. 5. Click the Save button to keep the changes, or click the Cancel link to discard them. 6. T he Details area will now be non-editable and display the correct resource adapter name. Procedure 16.18. Set the Default Resource Adapter for Message-Driven Beans using the CLI 1. Launch the CLI tool and connect to your server. Refer to Section 3.3.4, Connect to a Managed Server Instance Using the Management CLI. 2. Use the write-attribute operation with the following syntax.
/subsystem=ejb3:write-attribute(name="default-resource-adapter-name", value="RESOURCE-ADAPTER")
Replace RESOURCE-ADAPTER with name of the resource adapter to be used. 3. Use the read-resource operation to confirm the changes.
/subsystem=ejb3:read-resource
Example 16.14 . Set the Default Resource Adapter for Message-Driven Beans using the CLI
[standalone@localhost:9999 subsystem=ejb3] /subsystem=ejb3:writeattribute(name="default-resource-adapter-name", value="EDIS-RA") {"outcome" => "success"} [standalone@localhost:9999 subsystem=ejb3]
326
</subsystem>
Report a bug
Figure 16.11. T imer Service tab of the EJB3 Services panel 3. Enter Edit Mode Click the Edit Button. T he fields become editable. 4. Make the Required Changes. You can select a different EJB3 thread pool used for the T imer Service if additional thread pools have been configured, and you can change the directory used to save the T imer Service data. T he T imer Service data directory configuration consists of two values: Path , the directory that data is stored in; and Relative T o , the directory which contains Path . By default Relative
327
Figure 16.12. T he Async Service tab of the EJB3 Services panel 3. Enter Edit Mode Click the Edit Button. T he fields become editable. 4. Select the thread pool Select the EJB3 thread pool to use from the list. T he thread pool must have been already created. 5. Save or Cancel Click the Save button to keep the changes, or click the Cancel link to discard them. Report a bug
328
Report a bug 16.8.2. Configure the EJB3 Remote Service JBoss Administrators can configure the EJB3 Remote Service in the JBoss Enterprise Application Platform 6 Management Console. T he features that can be configured are the thread pool that is used for remote bean invocation and the connector on which the EJB3 remoting channel is registered. Procedure 16.21. Configure the EJB3 Remote Service 1. Login Login to the Management Console. 2. Open the Remote Service tab Click on Profile in the top right, expand the Container item in the Profile panel on the left and select EJB 3. Select the Services tab from the main panel, and then the Remote Service tab.
Figure 16.13. T he Remote Service tab of the EJB3 Services panel 3. Enter Edit Mode Click the Edit Button. T he fields become editable. 4. Make the required changes You can select a different EJB3 thread pool used for the Remote Service if additional thread pools have been configured. You can change the connector used to register the EJB remoting channel. 5. Save or Cancel Click the Save button to keep the changes, or click the Cancel link to discard them. Report a bug
329
T o disable CMP in a server configuration, remove the extension entry for the org.jboss.as.cm p module. Report a bug 16.9.4 . Configure EJB 2.x Container-Managed Persistence T he EJB 2.x Container Managed Persistence (CMP) subsystem can be configured to specify any number of key generators. Key generators are used to generate unique keys to identify each entity persisted by the CMP service. T wo types of key generator can be defined: UUID-based and HiLo key generators. UUID-based key generators A UUID-based key generator creates keys using Universally Unique Identifiers. UUID key generators only need to have a unique name, they have no other configuration. UUID-based key generators can be added using the CLI using the following command syntax.
/subsystem=cmp/uuid-keygenerator=UNIQUE_NAME:add
Example 16.16. Add UUID Key Generator T o add a UUID-based key generator with the name of uuid_identities, use this CLI command:
/subsystem=cmp/uuid-keygenerator=uuid_identities:add
HiLo Key Generators HiLo key generators use a database to create and store entity identity keys. HiLo Key generators must have unique names and are configured with properties that specify the datasource used to stored the data as well as the names of the table and columns that store the keys. HiLo key generators can be added using the CLI using the following command syntax:
/subsystem=cmp/hilo-keygenerator=UNIQUE_NAME/:add(property=value, property=value, ...)
330
Report a bug 16.9.5. CMP Subsystem Properties for HiLo Key Generators T able 16.1. CMP Subsystem Properties for HiLo Key Generators Property block-size create-table create-tableddl data-source drop-table id-colum n select-hi-ddl sequencecolum n sequence-nam e table-nam e Data type long boolean string token boolean token string token token token Description If set to T RUE , a table called table-nam e will be created using the contents of create-table-ddl if that table is not found. T he DDL commands used to create the table specified in tablenam e if the table is not found and create-table is set to T RUE . T he data source used to connect to the database. T he SQL command which will return the largest key currently stored. T he name of the table used to store the key information.
Report a bug
331
332
T able 17.1. Archive validation attributes Attribute enabled fail-onerror fail-onwarn Default Value true true false Description Specifies whether archive validation is enabled. Specifies whether an archive validation error report fails the deployment. Specifies whether an archive validation warning report fails the deployment.
If an archive does not implement the Java EE Connector Architecture specification correctly and archive validation is enabled, an error message will display during deployment describing the problem. For example:
Severity: ERROR Section: 19.4.2 Description: A ResourceAdapter must implement a "public int hashCode()" method. Code: com.mycompany.myproject.ResourceAdapterImpl Severity: ERROR Section: 19.4.2 Description: A ResourceAdapter must implement a "public boolean equals(Object)" method. Code: com.mycompany.myproject.ResourceAdapterImpl
If archive validation is not specifed, it is considered present and the enabled attribute defaults to true. Bean validation T his setting determines whether bean validation (JSR-303) will be performed on the deployment units. T he following table describes the attributes you can set for bean validation. T able 17.2. Bean validation attributes Attribute enabled Default Value true Description Specifies whether bean validation is enabled.
If bean validation is not specifed, it is considered present and the enabled attribute defaults to true. Work managers T here are two types of work managers: Default work manager T he default work manager and its thread pools. Custom work manager A custom work manager definition and its thread pools. T he following table describes the attributes you can set for work managers. T able 17.3. Work manager attributes Attribute nam e short-runningthreads long-runningthreads Description Specifies the name of the work manager. T his is required for custom work managers. T hread pool for standard Work instances. Each work manager has one short-running thread pool. T hread pool for JCA 1.6 Work instances that set the LONG_RUNNING hint. Each work manager can have one optional long-running thread pool.
T he following table describes the attributes you can set for work manager thread pools.
333
Bootstrap contexts Used to define custom bootstrap contexts. T he following table describes the attributes you can set for bootstrap contexts. T able 17.5. Bootstrap context attributes Attribute nam e workm anager Description Specifies the name of the bootstrap context. Specifies the name of the work manager to use for this context.
Cached connection manager Used for debugging connections and supporting lazy enlistment of a connection in a transaction, tracking whether they are used and released properly by the application. T he following table describes the attributes you can set for the cached connection manager. T able 17.6. Cached connection manager attributes Attribute debug error Default Value false false Description Outputs warning on failure to explicity close connections. T hrows exception on failure to explicitly close connections.
Procedure 17.1. Configure the JCA subsystem using the Management Console 1. T he JCA subsystem of JBoss Enterprise Application Platform 6 can be configured in the Management Console. T he JCA configuration options are located in slightly different places in the Management Console depending on how the server is being run. A. If the server is running as a Standalone Server, follow these steps: a. Click on the Profile link on the top right to switch to the Profile view. b. Ensure the Profile section in the navigation panel to the left is expanded. c. Click on Connector to expand it, and then click on JCA. B. If the server is running as part of a Managed Domain, follow these steps: a. Click on the Profile link on the top right to switch to the Profile view b. Select the profile you are modifying from the Profile menu at the top of the navigation panel on the left. c. Click on Connector to expand it, and then click on JCA. 2. Configure the settings for the JCA subsystem using the three tabs. a. Common Config T he Com m on Config tab contains settings for the cached connection manager, archive validation and bean validation ((JSR-303). Each of these is contained in their own tab as well. T hese settings can be changed by opening the appropriate tab, clicking the edit button, making the required changes, and then clicking on the save button.
334
Figure 17.1. JCA Common Configuration b. Work Managers T he Work Manager tab contains the list of configured Work Managers. New Work Managers can be added, removed, and their thread pools configured here. Each Work Manager can have one short-running thread pool and an optional long-running thread pool.
Figure 17.2. Work Managers T he thread pool attributes can be configured here:
335
Report a bug
3. Deploy the resource adapter. A. T o deploy the resource adapter to a standalone server, enter the following at a command line:
$ deploy path/to/resource-adapter-name.rar
B. T o deploy the resource adapter to all server groups in a managed domain, enter the following at a command line:
$ deploy path/to/resource-adapter-name.rar --all-server-groups
Procedure 17.3. Deploy a resource adapter using the Web-based Management Console 1. Start your JBoss Enterprise Application Platform 6 server. 2. If you have not yet added a management user, add one now. For more information, refer to the Getting Started chapter of the Installation guide for JBoss Enterprise Application Platform 6. 3. Open a web browser and navigate to the Management Console. T he default location is http://localhost:9990/console/. For more information about the Management Console, see Section 3.2.2, Log in to the Management Console. 4. Click on the Runtim e link on the top right to switch to the Runtime view, then choose Manage
336
Figure 17.5. Manage Deployments - Add Content 5. Browse to the resource adapter archive and select it. T hen click Next.
Figure 17.6. Deployment Selection 6. Verify the deployment names, then click Save .
337
Figure 17.7. Verify Deployment Names 7. T he resource adapter archive should now appear in the list in a disabled state. Click the Enable link to enable it.
Figure 17.8. Enable the Deployment 8. A dialog asks "Are you sure?" you want to enable the listed RAR. Click Confirm . T he resource adapter archive should now appear as Enabled .
338
Procedure 17.4 . Deploy a resource adapter manually Copy the resource adapter archive to the server deployments directory, A. For a standalone server, copy the resource adapter archive to the EAP_HOME/standalone/deploym ents/ directory. B. For a managed domain, copy the resource adapter archive to the EAP_HOME/dom ain/deploym ents/ directory of the domain controller. Report a bug
339
34 0
Procedure 17.6. Configure a resource adapter using the Web-based Management Console 1. Start your JBoss Enterprise Application Platform 6 server. 2. If you have not yet added a management user, add one now. For more information, refer to the Getting Started chapter of the Installation guide for JBoss Enterprise Application Platform 6. 3. Open a web browser and navigate to the Management Console. T he default location is http://localhost:9990/console/. For more information about the Management Console, see Section 3.2.2, Log in to the Management Console. 4. Click on the Profile link on the top right to switch to the Profile view. Choose Resource Adapters in the left navigation panel, then click Add at the top right.
34 1
Figure 17.10. JCA Resource Adapters 5. Enter the archive name and choose transaction type XAT ransaction from the T X: drop-down box. T hen click Save .
Figure 17.11. Create Resource Adapter 6. Select the Properties tab, then click Add to add resource adapter properties.
34 2
Figure 17.12. Add Resource Adapter Properties 7. Enter server for the Nam e and the host name, for example localhost, for the Value . T hen click Save to save the property.
Figure 17.13. Add Resource Adapter Server Property 8. Enter port for the Nam e and the port number, for example 9000 , for the Value . T hen click Save to save the property.
34 3
Figure 17.14 . Add Resource Adapter Port Property 9. T he server and port properties now appear in the Properties panel. Click the View link under the Option column for the listed resource adapter to view the Connection Definitions.
Figure 17.15. Resource Adapter Server Properties Complete 10. Click Add in the upper right side of the page to add a connection definition.
34 4
Figure 17.16. Add a Connection Definition 11. Enter the JNDI Nam e and the fully qualified class name of the Connection Class. T hen click Next.
Figure 17.17. Create Connection Definition Property - Step 1 12. Click Add to enter the Key and Value data for this connection definition.
34 5
Figure 17.18. Create Connection Definition Property - Step 2 13. Click in the nam e field under the Key column to enable data entry for the field. T ype the property name and press enter when done. Click in the value field under the Value column to enable data entry for the field. Enter the value for the property and press enter when done. T hen click Save to save the property.
Figure 17.19. Create Connection Definition Property - Step 2 14. T he connection definition is complete, but disabled. Click Enable to enable the connection definition.
34 6
Figure 17.20. Create Connection Definition - Disabled 15. A dialog asks "Really modify Connection Definition?" for the JNDI name. Click Confirm . T he connection definition should now appear as Enabled .
Figure 17.21. Connection Definition Enabled 16. Click the Adm in Objects tab in top middle of the page to create and configure admin objects. T hen click Add .
34 7
Figure 17.22. Available Admin Objects 17. Enter the JNDI Nam e and the fully qualified Class Nam e for the admnin object. T hen click Save .
Figure 17.23. Create Admin Object 18. Select the Properties tab, then click Add to add admin object properties.
34 8
Figure 17.24 . Add Admin Object Properties 19. Enter an admin object configuration property, for example threshold , in the Nam e field. Enter the configuration property value, for example 10 , in the Value field. T hen click Save to save the property.
Figure 17.25. Create Admin Ojbect Configuration Property 20. T he admin object is complete, but disabled. Click Enable to enable the admin object.
34 9
Figure 17.26. Admin Object - Disabled 21. A dialog asks "Really modify Admin Ojbect?" for the JNDI name. Click Confirm . T he admin object should now appear as Enabled .
Figure 17.27. Connection Definition Enabled 22. You must reload the server configuration to complete the process. Click on the Runtim e link on the top right to switch to the Runtime view, then choose Configuration in the left navigation panel, and click Reload at the right.
350
Figure 17.28. Server Configuration Reload 23. A dialog asks "Do you want to reload the server configuration?" for the specified server. Click Confirm . T he server configuration is up to date.
Procedure 17.7. Configure a resource adapter manually 1. Stop the JBoss Enterprise Application Platform server.
Important
You must stop the server before editing the server configuration file for your change to be persisted on server restart. 2. Open the server configuration file for editing. A. For a standalone server, this is the
351
<subsystem xmlns="urn:jboss:domain:resource-adapters:1.0"/>
with this:
<subsystem xmlns="urn:jboss:domain:resource-adapters:1.0"> <resource-adapters> <!-- <resource-adapter> configuration listed below --> </resource-adapters> </subsystem>
5. Replace the <!-- <resource-adapter> configuration listed below --> with the XML definition for your resource adapter. T he following is the XML representation of the resource adapter configuration created using the Management CLI and Web-based Management Console described above.
<resource-adapter> <archive> eis.rar </archive> <transaction-support>XATransaction</transaction-support> <config-property name="server"> localhost </config-property> <config-property name="port"> 9000 </config-property> <connection-definitions> <connection-definition classname="com.acme.eis.ra.EISManagedConnectionFactory" jndi-name="java:/eis/AcmeConnectionFactory" pool-name="java:/eis/AcmeConnectionFactory"> <config-property name="name"> Acme Inc </config-property> </connection-definition> </connection-definitions> <admin-objects> <admin-object class-name="com.acme.eis.ra.EISAdminObjectImpl" jndi-name="java:/eis/AcmeAdminObject" pool-name="java:/eis/AcmeAdminObject"> <config-property name="threshold"> 10 </config-property> </admin-object> </admin-objects> </resource-adapter>
6. Start the server Relaunch the JBoss Enterprise Application Platform server to start it running with the new configuration. Report a bug
352
T able 17.7. Main elements Element bean-validation-groups bootstrap-context config-property transaction-support Desciption Specifies bean validation group that should be used Specifies the unique name of the bootstrap context that should be used T he config-property specifies resource adapter configuration properties. Define the type of transaction supported by this resource adapter. Valid values are: NoT ransaction, LocalT ransaction, XAT ransaction Specifies the connection definitions Specifies the administration objects
T able 17.8. Bean validation groups elements Element bean-validation-group Desciption Specifies the fully qualified class name for a bean validation group that should be used for validation
T able 17.9. Connection definition / admin object attributes Attribute class-nam e jndi-nam e enabled use-java-context pool-nam e use-ccm Desciption Specifies the fully qualified class name of a managed connection factory or admin object Specifies the JNDI name Should the object in question be activated Specifies if a java:/ JNDI context should be used Specifies the pool name for the object Enable the cache connection manager
T able 17.10. Connection definition elements Element config-property pool xa-pool security tim eout validation recovery Desciption T he config-property specifies managed connection factory configuration properties. Specifies pooling settings Specifies XA pooling settings Specifies security settings Specifies time out settings Specifies validation settings Specifies the XA recovery settings
T able 17.11. Pool elements Element m in-pool-size Desciption T he min-pool-size element indicates the minimum number of connections a pool should hold. T hese are not created until a Subject is known from a request for a connection. T his default to 0 T he max-pool-size element indicates the maximum number of connections for a pool. No more than max-pool-size connections will be created in each sub-pool. T his defaults to 20. Whether to attempt to prefill the connection pool. Default is false Specifies if the min-pool-size should be considered strictly. Default false Specifies how the pool should be flush in case of an error. Valid values are: FailingConnectionOnly (default), IdleConnections, EntirePool
m ax-pool-size
353
T able 17.12. XA pool elements Element m in-pool-size Desciption T he min-pool-size element indicates the minimum number of connections a pool should hold. T hese are not created until a Subject is known from a request for a connection. T his default to 0 T he max-pool-size element indicates the maximum number of connections for a pool. No more than max-pool-size connections will be created in each sub-pool. T his defaults to 20. Whether to attempt to prefill the connection pool. Default is false Specifies if the min-pool-size should be considered strictly. Default false Specifies how the pool should be flush in case of an error. Valid values are: FailingConnectionOnly (default), IdleConnections, EntirePool T he is-same-rm-override element allows one to unconditionally set whether the javax.transaction.xa.XAResource.isSameRM(XAResource) returns true or false An element to enable interleaving for XA connection factories Oracle does not like XA connections getting used both inside and outside a JT A transaction. T o workaround the problem you can create separate sub-pools for the different contexts Should the Xid be padded Should the XAResource instances be wrapped in a org.jboss.tm.XAResourceWrapper instance
m ax-pool-size
interleaving no-tx-separate-pools
pad-xid wrap-xa-resource
T able 17.13. Security elements Element application Desciption Indicates that application supplied parameters (such as from getConnection(user, pw)) are used to distinguish connections in the pool. Indicates Subject (from security domain) are used to distinguish connections in the pool. T he content of the security-domain is the name of the JAAS security manager that will handle authentication. T his name correlates to the JAAS login-config.xml descriptor application-policy/name attribute. Indicates that either application supplied parameters (such as from getConnection(user, pw)) or Subject (from security domain) are used to distinguish connections in the pool. T he content of the security-domain is the name of the JAAS security manager that will handle authentication. T his name correlates to the JAAS login-config.xml descriptor application-policy/name attribute.
security-dom ain
security-dom ain-andapplication
354
Element
T able 17.14 . T ime out elements Desciption T he blocking-timeout-millis element indicates the maximum time in milliseconds to block while waiting for a connection before throwing an exception. Note that this blocks only while waiting for a permit for a connection, and will never throw an exception if creating a new connection takes an inordinately long time. T he default is 30000 (30 seconds). T he idle-timeout-minutes elements indicates the maximum time in minutes a connection may be idle before being closed. T he actual maximum time depends also on the IdleRemover scan time, which is 1/2 the smallest idletimeout-minutes of any pool. T he allocation retry element indicates the number of times that allocating a connection should be tried before throwing an exception. T he default is 0. T he allocation retry wait millis element indicates the time in milliseconds to wait between retrying to allocate a connection. T he default is 5000 (5 seconds). Passed to XAResource.setT ransactionT imeout(). Default is zero which does not invoke the setter. Specified in seconds blocking-tim eout-m illis
allocation-retry
allocation-retry-wait-m illis
xa-resource-tim eout
T able 17.15. Validation elements Element background-validation background-validationm inutes use-fast-fail Desciption An element to specify that connections should be validated on a background thread versus being validated prior to use T he background-validation-minutes element specifies the amount of time, in minutes, that background validation will run. Whether fail a connection allocation on the first connection if it is invalid (true) or keep trying until the pool is exhausted of all potential connections (false). Default is false
T able 17.16. Admin object elements Element config-property Desciption Specifies an administration object configuration property.
T able 17.17. Recovery elements Element recover-credential recover-plugin Desciption Specifies the user name / password pair or security domain that should be used for recovery. Specifies an implementation of the org.jboss.jca.core.spi.recovery.RecoveryPlugin class.
T he deployment schemas are defined in jboss-as-resource-adapters_1_0.xsd and http://docs.jboss.org/ironjacamar/schema/ironjacamar_1_0.xsd for automatic activation. Report a bug
355
Note
In order to support transactions with the WebSphereMQ resource adapter, you must do the following: Repackage the wm q.jm sra-VERSION.rar archive to include the m qetclient.jar . You can use the following command - be sure to replace the VERSION the correct version number: jar -uf wm q.jm sra-VERSION.rar m qetclient.jar Change the <transaction-support> element to value to XAT ransaction .
Procedure 17.8. Deploy the Resource Adapter Manually 1. Copy the wm q.jm sra-VERSION.rar file to the EAP_HOME/standalone/deploym ents/ directory. 2. Add the resource adapter to the server configuration file. a. Open the EAP_HOME/standalone/configuration/standalone-full.xm l file in an editor. b. Find the urn:jboss:dom ain:resource-adapters subsystem in the configuration file. c. If there are no resource adapters defined for this subsystem, first replace:
<subsystem xmlns="urn:jboss:domain:resource-adapters:1.0"/>
with this:
<subsystem xmlns="urn:jboss:domain:resource-adapters:1.0"> <resource-adapters> <!-- <resource-adapter> configuration listed below --> </resource-adapters> </subsystem>
d. Replace the <!-- <resource-adapter> configuration listed below --> with the following:
356
<resource-adapter> <archive> wmq.jmsra-VERSION.rar </archive> <transaction-support>NoTransaction</transaction-support> <connection-definitions> <connection-definition classname="com.ibm.mq.connector.outbound.ManagedConnectionFactoryImpl" jndi-name="java:jboss/MQ.CONNECTIONFACTORY.NAME" pool-name="MQ.CONNECTIONFACTORY.NAME"> <config-property name="channel"> MQ.CHANNEL.NAME </config-property> <config-property name="transportType"> MQ.CLIENT </config-property> <config-property name="queueManager"> MQ.QUEUE.MANAGER </config-property> </connection-definition> </connection-definitions> <admin-objects> <admin-object classname="com.ibm.mq.connector.outbound.MQQueueProxy" jndi-name="java:jboss/MQ.QUEUE.NAME" pool-name="MQ.QUEUE.NAME"> <config-property name="baseQueueName"> MQ.QUEUE.NAME </config-property> </admin-object> </admin-objects> </resource-adapter>
Be sure to replace the VERSION with the actual version in the name of the RAR. e. If you want to change the default provider for the EJB3 messaging system in JBoss Enterprise Application Platform 6 from HornetQ to WebSphere MQ, modify the urn:jboss:dom ain:ejb3:1.2 subsystem as follows: Replace:
with:
Be sure to replace the VERSION with the actual version in the name of the RAR. Procedure 17.9. Modify the MDB code to use the resource adapter Configure the ActivationConfigProperty and ResourceAdapter in the MDB code as follows:
357
Be sure to replace the VERSION with the actual version in the name of the RAR. Report a bug
358
Important
JBoss Cloud Access currently only provides support for instances of JBoss Enterprise Application Platform 6 running as standalone servers with the standard profiles. T his applies to both single instances and clusters. Support for Domain Mode and the full profile will be added in a future release.
Report a bug 18.1.5. Supported Amazon EC2 Instance T ypes JBoss Cloud Access supports the following Amazon EC2 instance types. Refer to the Amazon EC2 User Guide for more details about each instance type,
359
Important
T he instance type Micro (t1.m icro) is not suitable for deployment of JBoss Enterprise Application Platform.
Report a bug 18.1.6. Supported Red Hat AMIs T he supported Red Hat AMIs can be identified by their AMI Name. T he JBoss Enterprise Application Platform 6 AMIs are named using the following syntax:
RHEL-osversion-JBEAP-6.0.0-arch-creationdate
osversion is the version number of Red Hat Enterprise Linux installed in the AMI. Example 6.2 . arch is the architecture of the AMI. T his will be x86_64 or i386 . creationdate is the date that the AMI was created in the format of YYYYMMDD. Example 20120501 . Example AMI name: RHEL-6.2-JBEAP-6.0.0-x86_64 -20120501 . Report a bug
360
18.2.2.1. About Non-clustered Instances A non-clustered instance is a single Amazon EC2 instance running JBoss Enterprise Application Platform 6. It is not part of a cluster. Report a bug 18.2.2.2. Non-clustered Instances 18.2.2.2.1. Launch a Non-clustered JBoss Enterprise Application Platform 6 Instance Summary T his topic covers the steps required to launch a non-clustered instance of JBoss Enterprise Application Platform 6 on a Red Hat AMI (Amazon Machine Image). Prerequisites A suitable Red Hat AMI. Refer to Section 18.1.6, Supported Red Hat AMIs. A pre-configured Security Group which allows incoming requests on at least ports 22, 8080, and 9990. Procedure 18.1. T ask 1. Configure the User Data field. T he configurable parameters are available here: Section 18.4.1, Permanent Configuration Parameters, Section 18.4.2, Custom Script Parameters. Example 18.1. Example User Data Field T he example shows the User Data field for a non-clustered JBoss Enterprise Application Platform 6 instance. T he password for the user adm in has been set to adm in .
JBOSSAS_ADMIN_PASSWORD=admin JBOSS_IP=0.0.0.0 #listen on all IPs and interfaces # In production, access to these ports needs to be restricted for security reasons PORTS_ALLOWED="9990 9443" cat> $USER_SCRIPT << "EOF" # Get the application to be deployed from an Internet URL # mkdir -p /usr/share/java/jboss-ec2-eap-applications # wget https://<your secure storage hostname>/<path>/<app name>.war -O /usr/share/java/jboss-ec2-eap-applications/<app name>.war # Create a file of CLI commands to be executed after starting the server cat> $USER_CLI_COMMANDS << "EOC" # deploy /usr/share/java/jboss-ec2-eap-applications/<app name>.war EOC EOF
2. For Production Instances For a production instance, add the following line beneath the USER_SCRIPT line of the User Data field, to ensure security updates are applied on boot.
yum -y update
Note
yum -y update should be run regularly, to apply security fixes and enhancements. 3. Launch the Red Hat AMI instance. Result
361
Example 18.2. Example User Data Field with Sample Application T his example uses the sample application provided on the Red Hat AMI. It also includes basic configuration for a non-clustered JBoss Enterprise Application Platform 6 instance. T he password for the user adm in has been set to adm in .
JBOSSAS_ADMIN_PASSWORD=admin JBOSS_IP=0.0.0.0 #listen on all IPs and interfaces # In production, access to these ports needs to be restricted for security reasons PORTS_ALLOWED="9990 9443" cat> $USER_SCRIPT << "EOF" # Create a file of CLI commands to be executed after starting the server cat> $USER_CLI_COMMANDS << "EOC" # Deploy the sample application from the local filesystem deploy --force /usr/share/java/jboss-ec2-eap-samples/hello.war EOC EOF
B. Deploy a Custom Application Add the following lines to the User Data field, configuring the application name and the URL:
# Get the application to be deployed from an Internet URL mkdir -p /usr/share/java/jboss-ec2-eap-applications wget https://<your secure storage hostname>/<path>/<app name>.war -O /usr/share/java/jboss-ec2-eap-applications/<app name>.war
362
Example 18.3. Example User Data Field with Custom Application T his example uses an application called MyApp , and includes basic configuration for a nonclustered JBoss Enterprise Application Platform 6 instance. T he password for the user adm in has been set to adm in .
JBOSSAS_ADMIN_PASSWORD=admin JBOSS_IP=0.0.0.0 #listen on all IPs and interfaces # In production, access to these ports needs to be restricted for security reasons PORTS_ALLOWED="9990 9443" cat> $USER_SCRIPT << "EOF" # Get the application to be deployed from an Internet URL mkdir -p /usr/share/java/jboss-ec2-eap-applications wget https://PATH_TO_MYAPP/MyApp.war -O /usr/share/java/jboss-ec2-eapapplications/MyApp.war # Create a file of CLI commands to be executed after starting the server cat> $USER_CLI_COMMANDS << "EOC" deploy /usr/share/java/jboss-ec2-eap-applications/MyApp.war EOC EOF
2. Launch the Red Hat AMI instance. Result T he application has been successfully deployed to JBoss Enterprise Application Platform 6. Report a bug 18.2.2.2.3. T est the Non-clustered JBoss Enterprise Application Platform 6 Instance Summary T his topic covers the steps required to test that the non-clustered JBoss Enterprise Application Platform 6 is running correctly. Procedure 18.2. T ask 1. Determine the instance's Public DNS , located in the instance's details pane. 2. Navigate to http://< public-DNS>:8080 . 3. Confirm that the JBoss Enterprise Application Platform home page appears, including a link to the Admin console. If the home page is not available, refer here: Section 18.5.1, About T roubleshooting Amazon EC2. 4. Click on the Adm in Console hyperlink. 5. Log in: Username: adm in Password: Specified in the User Data field here: Section 18.2.2.2.1, Launch a Non-clustered JBoss Enterprise Application Platform 6 Instance. 6. T est the Sample Application Navigate to http://< public-DNS>:8080/hello to test that the sample application is running successfully. T he text Hello World! should appear in the browser. If the text is not visible, refer here: Section 18.5.1, About T roubleshooting Amazon EC2. 7. Log out of the JBoss Enterprise Application Platform Admin Console. Result T he JBoss Enterprise Application Platform 6 instance is running correctly. Report a bug 18.2.3. Clustered JBoss Enterprise Application Platform 6
363
18.2.3.1. About Clustered Instances A clustered instance is an Amazon EC2 instance running JBoss Enterprise Application Platform 6 with clustering enabled. Another instance running Apache HT T PD will be acting as the proxy for the instances in the cluster. T he JBoss Enterprise Application Platform 6 AMIs include two configuration files for use in clustered instances, standalone-ec2-ha.xm l and standalone-m od_cluster-ec2-ha.xm l . Each of these configuration files provides clustering without the use of multicast because Amazon EC2 does not support multicast. T his is done by using T CP unicast for cluster communications and S3_PING as the discovery protocol. T he standalone-m od_cluster-ec2-ha.xm l configuration also provides easy registration with mod_cluster proxies. Report a bug 18.2.3.2. Create a Relational Database Service Database Instance Summary T his topic covers the steps to create a relational database service database instance, using MySQL as an example.
Warning
It is highly recommended that the back-up and maintenance features remain enabled for production environments.
Important
It is good practice to create separate user/password pairs for each application accessing the database. T une other configuration options according to your application's requirements.
Procedure 18.3. T ask 1. Click on the RDS in the AWS console. 2. Subscribe to the service if needed. 3. Click on Launch DB instance . 4. Click on MySQL. a. Select a version. For example, 5.5.12 . b. Select sm all instance . c. Ensure Multi-AZ Deploym ent and Auto upgrade are off . d. Set Storage to 5GB . e. Define the database administrator's username and password and click Next. f. Select a database name to be created with the instance, and click Next. g. Disable back-ups and maintenance, if necessary. h. Confirm the settings. Result T he database is created. It will initialize and be ready for use after a few minutes. Report a bug 18.2.3.3. About Virtual Private Clouds An Amazon Virtual Private Cloud (Amazon VPC) is a feature of Amazon Web Services (AWS) that allows you to isolate a set of AWS resources in a private network. T he topology and configuration of this private network can be customized to your needs. Refer to the Amazon Virtual Private Cloud website for more information http://aws.amazon.com/vpc/. Report a bug
364
18.2.3.4 . Create a Virtual Private Cloud (VPC) Summary T his topic covers the steps required to create a Virtual Private Cloud, using a database external to the VPC as an example. Your security policies may require connection to the database to be encrypted. Please refer to Amazon's RDS FAQ for details about encrypting the database connections.
Important
VPC is recommended for a JBoss Enterprise Application Platform cluster setup as it greatly simplifies secure communication between cluster nodes, a JON Server and the mod_cluster proxy. Without a VPC, these communication channels need to be encrypted and authenticated. For detailed instructions on configuring SSL, refer here: Section 13.2.3, Implement SSL Encryption for the JBoss Enterprise Application Platform Web Server. 1. Go to the VPC tab in the AWS console. 2. Subscribe to the service if needed. 3. Click on " Create new VPC ". 4. Choose a VPC with one public and one private subnet. a. Set the public subnet to be 10.0.0.0/24 . b. Set the private subnet to be 10.0.1.0/24 . 5. Go to Elastic IPs. 6. Create an elastic IP for use by the mod_cluster proxy/NAT instance. 7. Go to Security groups and create a security group to allow all traffic in and out. 8. Go to Network ACLs a. Create an ACL to allow all traffic in and out. b. Create an ACL to allow all traffic out and traffic in on only T CP ports 22 , 8009 , 8080 , 84 4 3 , 94 4 3 , 9990 and 16163 . Result T he Virtual Private Cloud has been successfully created. Report a bug 18.2.3.5. Launch an Apache HT T PD instance to serve as a mod_cluster proxy and a NAT instance for the VPC Summary T his topic covers the steps required to launch an Apache HT T PD instance to serve as a mod_cluster proxy and a NAT instance for the Virtual Private Cloud. Prerequisites Section 18.2.3.2, Create a Relational Database Service Database Instance. Section 18.2.3.4, Create a Virtual Private Cloud (VPC) Procedure 18.4 . Launch an Apache HT T PD instance to serve as a mod_cluster proxy and a NAT instance for the VPC 1. Create an elastic IP for this instance. 2. Select an AMI. 3. Go to Security Group and allow all traffic (use Red Hat Enterprise Linux's built-in firewall capabilities to restrict access if desired). 4. Select " running " in the public subnet of the VPC. 5. Select a static IP (e.g. 10.0.0.4 ). 6. Put the following in the User Data: field:
365
semanage port -a -t http_port_t -p tcp 7654 #add port in the apache port list for the below to work setsebool -P httpd_can_network_relay 1 #for mod_proxy_cluster to work chcon -t httpd_config_t -u system_u /etc/httpd/conf.d/mod_cluster.conf service httpd start EOS
7. Disable the Amazon EC2 cloud source/destination checking for this instance so it can act as a router. a. Right-click on the running Apache HT T PD instance and choose " Change Source/Dest check". b. Click on Yes, Disable . 8. Assign the elastic IP to this instance. Result
366
T he Apache HT T PD instance has been launched successfully. Report a bug 18.2.3.6. Configure the VPC Private Subnet Default Route Summary T his topic covers the steps required to configure the VPC private subnet default route. T he JBoss Enterprise Application Platform cluster nodes will run in the private subnet of the VPC, but cluster nodes require Internet access for S3 connectivity. A default route needs to be set to go through the NAT instance. Procedure 18.5. Configure the VPC Private Subnet Default Route 1. Navigate to the Apache HT T PD instance in the Amazon AWS console. 2. Navigate to the VPC route tables. 3. Click on the routing table used by the private subnet. 4. In the field for a new route enter 0.0.0.0/0 . 5. Click on " Select a target". 6. Select " Enter Instance ID ". 7. Choose the ID of the running Apache HT T PD instance. Result T he default route has been successfully configured for the VPC subnet. Report a bug 18.2.3.7. About Identity and Access Management (IAM) Identity and Access Management (IAM) provides configurable security for your AWS resources. IAM can be configured to use accounts created in IAM or to provide identity federation between IAM and your own identity services. Refer to the AWS Identity and Access Management website for more information http://aws.amazon.com/iam/. Report a bug 18.2.3.8. Configure IAM Setup Summary T his topic covers the configuration steps required for setting up IAM for clustered JBoss Enterprise Application Platform instances. T he S3_PING protocol uses an S3 bucket to discover other cluster members. JGroups version 3.0.x requires Amazon AWS account access and secret keys to authenticate against the S3 service. It is a security risk to enter your main account credentials in the user-data field, store them online or in an AMI. T o circumvent this, a separate account can be created using the Amazon IAM feature which would be only granted access to a single S3 bucket. Procedure 18.6. Configure IAM Setup 1. Go to the IAM tab in the AWS console. 2. Click on users. 3. Select Create New Users. 4. Choose a name, and ensure the Generate an access key for each User option is checked. 5. Select Download credentials, and save them in a secure location. 6. Close the window. 7. Click on the newly created user. 8. Make note of the User ARM value. T his value is required to set up the S3 bucket, documented here: Section 18.2.3.10, Configure S3 Bucket Setup.
367
Result T he IAM user account has been successfully created. Report a bug 18.2.3.9. About the S3 Bucket S3 Buckets are the basic organization store unit in the Amazon Simple Storage System (Amazon S3). A bucket can store any number of arbitray objects and must have a unique name to identify it with Amazon S3.. Refer to the Amazon S3 website for more information, http://aws.amazon.com/s3/. Report a bug 18.2.3.10. Configure S3 Bucket Setup Summary T his topic covers the steps required to configure a new S3 bucket. Prerequisites Section 18.2.3.8, Configure IAM Setup. Procedure 18.7. Configure S3 Bucket Setup 1. Open the S3 tab in the AWS console. 2. Click on Create Bucket. 3. Choose a name for the bucket and click Create .
Note
Bucket names are unique across the entire S3. Names cannot be reused. 4. Right click on the new bucket and select Properties. 5. Click Add bucket policy in the permissions tab. 6. Click New policy to open the policy creation wizard. a. Copy the following content into the new policy, replacing arn:aws:iam ::05555555555:user/jbosscluster* with the value defined here: Section 18.2.3.8, Configure IAM Setup. Change both instances of clusterbucket123 to the name of the bucket defined in step 3 of this procedure.
368
Result A new S3 bucket has been created, and configured successfully. Report a bug 18.2.3.11. Clustered Instances 18.2.3.11.1. Launch Clustered JBoss Enterprise Application Platform 6 AMIs Summary T his topic covers the steps required to launch clustered JBoss Enterprise Application Platform 6 AMIs. Prerequisites Section 18.2.3.2, Create a Relational Database Service Database Instance. Section 18.2.3.4, Create a Virtual Private Cloud (VPC). Section 18.2.3.5, Launch an Apache HT T PD instance to serve as a mod_cluster proxy and a NAT instance for the VPC. Section 18.2.3.6, Configure the VPC Private Subnet Default Route. Section 18.2.3.8, Configure IAM Setup. Section 18.2.3.10, Configure S3 Bucket Setup.
Warning
Running JBoss Enterprise Application Platform cluster in a subnet with network mask smaller than 24 bits or spanning multiple subnets complicates acquiring a unique server peer ID for each cluster member. Refer to the JBOSS_CLUSTER_ID variable for information on how to make such a configuration work reliably: Section 18.4.1, Permanent Configuration Parameters.
369
Important
T he auto-scaling Amazon EC2 feature can be used with JBoss Enterprise Application Platform cluster nodes. However, ensure it is tested before deployment. You should ensure that your particular workloads scale to the desired number of nodes, and that the performance meets your needs for the instance type you are planning to use (different instance types receive a different share of the EC2 cloud resources). Furthermore, instance locality and current network/storage/host machine/RDS utilization can affect performance of a cluster. T est with your expected real-life loads and try to account for unexpected conditions.
Down-scaling a cluster
T he Amazon EC2 scale-down action terminates the nodes without any chance to gracefully shut down, and, as some transactions might be interrupted, other cluster nodes (and load balancers) will need time to fail over. T his is likely to impact your application users' experience. It is recommended that you either scale down the application cluster manually by disabling the server from the mod_cluster management interface until processed sessions are completed, or shut down the JBoss Enterprise Application Platform instance gracefully (SSH access to the instance or JON can be used). T est that your chosen procedure for scaling-down does not lead to adverse effects on your users' experience. Additional measures might be required for particular workloads, load balancers and setups.
Procedure 18.8. Launch Clustered JBoss Enterprise Application Platform 6 AMIs 1. Select an AMI. 2. Define the desired number of instances (the cluster size). 3. Select the VPC and instance type. 4. Click on Security Group . 5. Ensure that all traffic from the JBoss Enterprise Application Platform cluster subnet is allowed. 6. Define other restrictions as desired. 7. Add the following into the User Data field:
370
371
Result T he clustered JBoss Enterprise Application Platform 6 AMIs have been configured and launched successfully. Report a bug 18.2.3.11.2. T est the Clustered JBoss Enterprise Application Platform 6 Instance Summary T his topic covers the steps to confirm that the clustered JBoss Enterprise Application Platform 6 instances are running correctly. Procedure 18.9. T esting the Clustered Instance 1. Navigate to http://ELAST IC_IP_OF_APACHE_HT T PD in a browser to confirm the web server is running successfully. 2. T est the Clustered Nodes a. Navigate to http://ELAST IC_IP_OF_APACHE_HT T PD/cluster-demo/put.jsp in a browser. b. Verify that one of the cluster nodes logs the following message:
Putting date now
c. Stop the cluster node that logged the message in the previous step. d. Navigate to http://ELAST IC_IP_OF_APACHE_HT T PD/cluster-demo/get.jsp in a browser. e. Verify that the time shown is the same as the time that was PUT using put.jsp in Step 2a. f. Verify that one of the running cluster nodes logs the following message:
Getting date now
i. Navigate to http://localhost:7654/mod_cluster-manager to confirm all instances are running correctly. Result T he clustered JBoss Enterprise Application Platform 6 instance have been tested, and confirmed to be working correctly. Report a bug
372
T he JON Agent needs access to port 7080 on all JON servers, except in the case of SSL where port 7443 is used. Each JON server must be able to access each of the connected agents on a unique host and port pairing. T he agent port is usually 16163. If there are multiple clustered JON servers, make sure each agent can communicate with all servers in the JON cluster via the IP and hostname pairs as configured through the JON server administration console. T he JON server used by the agent to register may not be the server it tries to use after initialization. Report a bug 18.3.3. About Network Address T ranslation (NAT ) A corporate VPN gateway acting in routed mode greatly simplifies network configuration. If your corporate VPN gateway is acting in NAT mode however, the JON server does not have direct visibility of agents. In this case, port forwarding needs to be configured for each agent. NAT VPN configurations require a port on the gateway to be forwarded to the JON agent's address of port on the managed machine. T he JON agent also needs to be configured to tell the server the forwarded port number and IP address. You can find further information in the rhq.com m unications.connector.* description for the agent-configuration.xm l configuration file. Report a bug 18.3.4 . About Amazon EC2 and DNS JON servers and JON agents need to be able to resolve each others' hostnames. T he DNS resolution is more complicated in the case of a VPN configuration. Connected servers have multiple possible options. One option is to use either the Amazon EC2 or the corporate network's DNS servers. Another option is to use a split DNS configuration where the corporate DNS servers are used for resolving names in particular domains, and the Amazon EC2 DNS servers are used for resolving all other names. Report a bug 18.3.5. About Routing in EC2 All Amazon EC2 servers have a source/destination checking routing feature activated by default. T his feature drops any packets being sent to the server which have a destination different from the machine's IP address. If the VPN solution selected for connecting agents to the JON server includes a router, this feature needs to be turned off for the server or servers acting as routers or VPN gateways. T his configuration setting can be accessed via the Amazon AWS console. Disabled source/destination checking is also required in a Virtual Private Cloud (VPC). Some VPN configurations route general Internet traffic through the corporate VPN by default. It is recommended that you avoid this as it may be a slower and less efficient configuration for your particular needs. While the use of a proper addressing schema is not a concern specific to JON, poor schemas can affect it. Amazon EC2 assigns IP addresses from the 10.0.0.0/8 network. Instances usually have a public IP address also, but only network traffic on the internal IP address within the same availability zone is free. T o avoid using the 10.0.0.0/8 network in private addressing, there are a few things to consider. When creating a VPC, avoid allocating addresses already in use in the private network to avoid connectivity problems. If an instance needs access to availability zone local resources, make sure Amazon EC2 private addresses are used and traffic is not routed through the VPN. If an Amazon EC2 instance will access a small subset of corporate private network addresses (for example only JON servers), only these addresses should be routed through the VPN. T his increases security and lowers the chance of Amazon EC2 or private network address space collisions. Report a bug 18.3.6. About T erminating and Restarting with JON One of the benefits of a cloud environment is the ease by which you can terminate and launch a machine instance. You can also launch an instance identical to the initial one. T his may cause issues if the new instance tries to register with JON servers using the same agent name as the previously running agent. If this happens the JON server will not allow an agent to reconnect with a missing or non-matching
373
Report a bug
374
Name
T able 18.2. Configurable Parameters Description Amazon AWS user account access key for S3_PING discovery if clustering is used. Amazon AWS user account secret access key. Amazon S3 bucket to be used for S3_PING discovery. ID of cluster member nodes. Only used for clustering. Accepted values are (in order): A valid cluster ID number in the range 0 - 1023. A network interface name, where the last octet of the IP is used as the value. "S3" as a value would coordinate ID usage through the S3 bucket used by jgroups' S3_PING. It is recommended to use the last octet of the IP (the default) when all cluster nodes are located in the same 24 or more bit subnet (for example, in a VPC subnet). MOD_CLUST ER_PROXY_LIST Comma-delimited list of IPs/hostnames of mod_cluster proxies if mod_cluster is to be used. List of incoming ports to be allowed by firewall in addition to the default ones. Password for the adm in user. N/A Default N/A JBOSS_JGROUPS_S3_PING_A CCESS_KEY JBOSS_JGROUPS_S3_PING_S ECRET _ACCESS_KEY JBOSS_JGROUPS_S3_PING_B UCKET JBOSS_CLUST ER_ID
PORT S_ALLOWED
N/A
JBOSSAS_ADMIN_PASSWORD JON_SERVER_ADDR
N/A
JON server hostname or IP with N/A which to register. T his is only used for registration, after that the agent may communicate with other servers in the JON cluster. Port used by the agent to communicate with the server. Name of JON agent, must be unique. Port that the agent listens on. IP address that the JON agent is to be bound to. T his is used when the server has more than one public address, (e.g. VPN). Additional JON agent system properties which can be used for configuring SSL, NAT and other advanced settings. Name of JBoss EAP server configuration file to use. If JBOSS_DOMAIN_CONT ROLLE R=true, then dom ainec2.xm l is used. Otherwise: If S3 config is present, then standalone-ec2-ha.xm l is used. If 7080 Instance's ID 16163 JON agent chooses the IP of local hostname by default.
JON_AGENT _OPT S
N/A
JBOSS_SERVER_CONFIG
standalone.xm l , standalone-ec2-ha.xm l , standalone-m od_cluserec2-ha.xm l , dom ainec2.xm l depending on the other parameters.
375
JBOSS_IP JBOSSCONF
127.0.0.1 standalone
false
JBOSS_HOST _USERNAME
JBOSS_HOST _PASSWORD
N/A
JBOSS_HOST _CONFIG
Report a bug 18.4 .2. Custom Script Parameters Summary T he following parameters can be used in the user customization section of the User Data: field.
376
Name
T able 18.3. Configurable Parameters Description Deploy directory of the active profile (for example, /var/lib/jbossas/standalone/deploym ents/). Deployable archives placed in this directory will be deployed. Red Hat recommends using the Management Console or CLI tool to manage deployments instead of using the deploy directory. Config directory of the active profile (for example, /var/lib/jbossas/standalone/configuration ). Name of the active host configuration file (for example, hostm aster.xm l ). Red Hat recommends using the Management Console or CLI tools to configure the server instead of editing the configuration file. Name of the active server configuration file (for example, standalone-ec2-ha.xm l ). Red Hat recommends using the Management Console or CLI tools to configure the server instead of editing the configuration file. Path to the custom configuration script, which is available prior to sourcing user-data configuration. Path to a custom file of CLI commands, which is available prior to sourcing user-data configuration. JBOSS_DEPLOY_DIR
JBOSS_SERVER_CONFIG
USER_SCRIPT USER_CLI_COMMANDS
Report a bug
18.5. Troubleshooting
18.5.1. About T roubleshooting Amazon EC2 EC2 does not provide any method out of the box to indicate an instance has started correctly and services are running properly. Use of an external system for monitoring and management is recommended. JBoss Operations Network (JON) can automatically discover, monitor and manage many services on an EC2 instance with the JON agent installed, including JBoss Enterprise Application Platform and its services, T omcat, Httpd, PostgreSQL, etc. Since there's no difference between an EChosted or locally-hosted instance of JBoss Enterprise Application Platform, established JON monitoring of both types of deployments is identical. Report a bug 18.5.2. Diagnostic Information In case of a problem being detected by the JBoss Operations Network, Amazon CloudWatch or manual inspection, common sources of diagnostic information are: /var/log/jboss_user-data.out is the output of the jboss-ec2-eap init script and user custom configuration script. /var/cache/jboss-ec2-eap/ contains the actual user data, custom script, and custom CLI commands used at instance start-up. /var/log also contains all the logs collected from machine start up, JBoss Enterprise Application Platform, httpd and most other services. Access to these files is only available via an SSH session. Refer to the Amazon EC Getting Started Guide for details on how to configure and establish an SSH session with an Amazon EC2 instance. Report a bug
377
Note
It may not be necessary to do this step. Red Hat Enterprise Linux uses OpenJDK 1.6 as the default option. If this is what you want, and your system is working properly, you do not need to manually specify which JDK to use.
T ask Prerequisites In order to complete this task, you need to have superuser access, either through direct login or by means of the sudo command. 1. Determine the paths for your preferred java and javac binaries. You can use the command rpm -ql packagename |grep bin to find the locations of binaries installed from RPMs. T he default locations of the java and javac binaries on Red Hat Enterprise
378
2. Set the alternative you wish to use for each. Run the following commands to set your system to use a specific java and javac : /usr/sbin/alternatives --config java or /usr/sbin/alternatives --config javac . Follow the on-screen instructions. 3. Optional: Set the java_sdk_1.6.0 alternative choice. If you want to use Oracle JDK, you need to set the alternative for java_sdk_1.6.0. as well. Use the following command: /usr/sbin/alternatives --config java_sdk_1.6.0 . T he correct path is usually /usr/lib/jvm /java-1.6.0-sun . You can do a file listing to verify it. Result: T he alternative JDK is selected and active. Report a bug
379
Revision History
Revision 0.1-1 T ue Dec 18 2012 T om Wells JBoss Enterprise Application Platform 6.0.1 Administration and Configuration Guide. Revision 0.0-18 Fri Dec 14 2012 T om Wells Bugzilla fixes, new topics, and structural changes for the JBoss Enterprise Application Platform 6 Administration and Configuration Guide. Revision 0.0-17 T ue Dec 11 2012 T om Wells Updated build of the JBoss Enterprise Application Platform 6.0.1 Administration and Configuration Guide. Revision 0.0-16 Mon Dec 03 2012 T om Wells Updated build of the JBoss Enterprise Application Platform 6.0.1 Administration and Configuration Guide. Revision 0.0-15 Fri Nov 30 2012 T om Wells Updated build of the JBoss Enterprise Application Platform 6.0.1 Administration and Configuration Guide. Revision 0.0-14 T ue Nov 27 2012 T om Wells Bugzilla fixes, new topics, and structural changes for the JBoss Enterprise Application Platform 6 Administration and Configuration Guide. Revision 0.0-13 T ue Nov 13 2012 T om Wells Bugzilla fixes, new topics, and structural changes for the JBoss Enterprise Application Platform 6 Administration and Configuration Guide. Revision 0.0-13 T ue Nov 13 2012 T om Wells Bugzilla fixes, new topics, and structural changes for the JBoss Enterprise Application Platform 6 Administration and Configuration Guide. Revision 0.0-12 T ue Oct 09 2012 T om Wells Release update. Bugzilla fixes, new topics, and structural changes for the JBoss Enterprise Application Platform 6 Administration and Configuration Guide. Revision 0.0-11 Wed Oct 03 2012 T om Wells Updated documentation. Includes domain mode content for Amazon EC2 AMIs, bugzilla issue fixes, and updates. Revision 0.0-10 Fri Sept 28 2012 T om Wells Bugzilla fixes and updates for the Administration and Configuration guide. Revision 0.0-9 Fri Sept 21 2012 Bugzilla fixes for the Administration and Configuration guide. T om Wells
Revision 0.0-8 Wed Sept 12 2012 T om Wells Bugzilla fixes and updated documentation for the Administration and Configuration guide. Revision 0.0-7 Mon Sept 3 2012 T om Wells Bug fixes for the August asynchronous update to the Administration and Configuration guide. Revision 0.0-6 Fri Aug 31 2012 T om Wells August update of the Administration and Configuration guide for JBoss Enterprise Application Platform 6. Revision 0.0-5 Fri Aug 31 2012 T om Wells Updated edition of the Administration and Configuration guide for JBoss Enterprise Application Platform 6.0.0. Revision 0.0-4 Fri Aug 24 2012 Bugzilla fixes and final Amazon EC2 content update. Revision 0.0-3 Wed Aug 22 2012 Bugzilla fixes and final Amazon EC2 content update. Revision 0.0-2 Mon Aug 13 2012 T om Wells
T om Wells
T om Wells
380
Revision History
Bugzilla fix update for the EAP 6.0.0 Administration and Configuration guide. Revision 0.0-1 Wed Jun 20 2012 T om Wells First edition of the JBoss Enterprise Application Platform 6 Administration and Configuration Guide.