JBoss EAP 6 standalone.xml - what pooling settings am I using if only a pool name is defined but not <xa-pool>/<pool>? - activemq

What pooling config is used if my standalone.xml is like below? Notice that only pool name is defined, but no <xa-pool> or <pool>. Thanks.
Are there any default values, or no pooling is actually used? What can I search in the logs?
<subsystem xmlns="urn:jboss:domain:resource-adapters:1.1">
<resource-adapters>
<resource-adapter id="activemq-ra.rar">
<archive>activemq-ra.rar</archive>
<transaction-support>XATransaction</transaction-support>
<config-property name="ServerUrl">
${jms.broker.url:tcp://amq:61616?jms.rmIdFromConnectionId=true}
</config-property>
<config-property name="UserName">
${jms.user:foo}
</config-property>
<config-property name="Password">
${jms.password:bar}
</config-property>
<connection-definitions>
<connection-definition class-name="org.apache.activemq.ra.ActiveMQManagedConnectionFactory"
jndi-name="java:/AMQConnectionFactory" pool-name="ActiveMQConnectionFactoryPool">
</connection-definition>
</connection-definitions>
</resource-adapter>
...

Related

Wildfly 20 - Admin ManagementRealm (security-realm) on ldap SSL

I configured WildFly 20 and I have a problem with the ManagementRealm (security-realm) on LDAP SSL.
With LDAP it's OK, but as soon as I switch to LDAPS the authentication no longer works.
The login window opens and, whatever account I enter (even a valid or an invalid login), I am sent back to the "Connect to Management Interface" screen (practically blank).
And I have no errors in any log.
I tried WildFly 19 and 20 on CentOS 8.
The truststore does exist; I added it in the startup variable (as well as its password).
Here is an excerpt from my standalone.xml file
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<ldap connection="ldap_connection" base-dn="OU=Utilisateurs,DC=org">
<advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf=CN=APP-ADMIN,OU=Utilisateurs,DC=org))"/>
</ldap>
<truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="XXX" />
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="LdapSSLRealm">
<authentication>
<truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="XXX" />
</authentication>
</security-realm>
</security-realms>
<outbound-connections>
<ldap name="ldap_connection" url="ldaps://serveurad:636" search-dn="user" search-credential="XXX"/>
</outbound-connections>
If anyone has an idea I would appreciate it.
A little late, but I believe you have to also reference the security realm (containing the ref to the trust store) in your <outbound-connection />:
<outbound-connections>
<ldap name="ldap_connection" url="ldaps://serveurad:636" search-dn="user" search-credential="XXX" security-realm="LdapSSLRealm"/>
</outbound-connections>

WildFly 10 How to configure slave hosts to connect to domain using HTTPS

Small question about WildFly 10 domain mode and HTTPS.
My host-master.xml parameters:
<management>
<security-realms>
<security-realm name="ManagementRealm">
<server-identities>
<ssl>
<keystore path="..." relative-to="jboss.domain.config.dir" keystore-password="..." alias="..." key-password="..." generate-self-signed-certificate-host="localhost"/>
</ssl>
</server-identities>
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
</authorization>
</security-realm>
<management-interfaces>
<native-interface security-realm="ManagementRealm">
<socket interface="management" port="${jboss.management.native.port:9999}"/>
</native-interface>
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
<socket interface="management" secure-port="${jboss.management.http.port:9990}"/>
</http-interface>
</management-interfaces>
My host-slave.xml parameters:
<security-realms>
<security-realm name="SlaveRealm">
<server-identities>
<secret value="..." />
</server-identities>
<domain-controller>
<remote protocol="remote" host="..." port="9999" username='slave' security-realm="SlaveRealm"/>
</domain-controller>
The domain server starts without any errors and the Management console is available via HTTPS.
But the slave node will not start and I receive an error message:
2017-02-23 17:35:05,149 WARN [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote://...:9999 -- java.lang.IllegalStateException: WFLYHC0110: Unable to connect due to SSL failure.
2017-02-23 17:35:05,149 WARN [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0147: No domain controller discovery options remain.
2017-02-23 17:35:05,150 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0002: Could not connect to master. Aborting. Error was: java.lang.IllegalStateException: WFLYHC0120: Tried all domain controller discovery option(s) but unable to connect
2017-02-23 17:35:05,150 FATAL [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0178: Aborting with exit code 99
I've tried to add the "<server-identities><ssl><keystore..." part to "SlaveRealm" in host-slave.xml but receive the same error.
How do I configure the domain and host-slave properly and simply? Thank you.
In host.xml you have to specify <interfaces>. You can also pass the interface values as command line arguments when starting WildFly.
Master's host.xml
<interfaces>
<interface name="management">
<inet-address value="${wildfly.bind.address.management:##master.host.name##}"/>
</interface>
<interface name="public">
<inet-address value="${wildfly.bind.address:##master.host.name##}"/>
</interface>
<interface name="unsecure">
<!-- Used for IIOP sockets in the standard configuration.
To secure JacORB you need to setup SSL -->
<inet-address value="${wildfly.bind.address.unsecure:##master.host.name##}"/>
</interface>
</interfaces>
Slave host.xml
<management>
<security-realms>
<security-realm name="ManagementRealm">
<server-identities>
<secret value="##slave.encrypted.password##" />
</server-identities>
....
....
....
<domain-controller>
<!--<local/>-->
<!-- Alternative remote domain controller configuration with a host and port -->
<remote protocol="remote" host="##master.host.name##" port="9999" username="##slave.account.name##" security-realm="ManagementRealm"/>
</domain-controller>
<interfaces>
<interface name="management">
<inet-address value="${wildfly.bind.address.management:##slave.host.name##}"/>
</interface>
<interface name="public">
<inet-address value="${wildfly.bind.address:##slave.host.name##}"/>
</interface>
<interface name="unsecure">
<!-- Used for IIOP sockets in the standard configuration.
To secure JacORB you need to setup SSL -->
<inet-address value="${wildfly.bind.address.unsecure:##slave.host.name##}"/>
</interface>
</interfaces>
This configuration works for our Dev/QA/Production environments.

Let webservice use SSL

With WildFly 8.2.1, I am trying to make existing webservice (JAX-WS) use SSL, but I haven't seen any use of SSL in quickstarts and the information I was able to google is limited. So far I've added this to web.xml:
<security-constraint>
<display-name>Foo security</display-name>
<web-resource-collection>
<web-resource-name>FooService</web-resource-name>
<url-pattern>/foo/FooService</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
and this is in my standalone.xml:
<subsystem xmlns="urn:jboss:domain:webservices:1.2">
<wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
<endpoint-config name="Standard-Endpoint-Config"/>
<endpoint-config name="Recording-Endpoint-Config">
<pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
<handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
</pre-handler-chain>
</endpoint-config>
<client-config name="Standard-Client-Config"/>
</subsystem>
but apparently that's not enough; when I look into standalone/data/wsdl/foo.ear/foo.war/FooService/Bar.wsdl I see:
<service name="FooService">
<port binding="foowsb:FooBinding" name="FooBinding">
<soap:address location="http://localhost:8080/foo/FooService"/>
</port>
</service>
Note that in the EAR/WAR, the soap:address.location is filled just with a placeholder (I suppose that the value is ignored).
I've found some info about setting up security realm, and creating the self-signed certificate using keytool (which I did), but I completely miss how this should be linked together.
I've also tried to setup wsdl-uri-scheme=https, but this is supported only in later versions of CXF.
It seems that the soap:address.location value is not ignored when it's being replaced, since changing it from REPLACE_WITH_ACTUAL_URL to https://REPLACE_WITH_ACTUAL_URL did the trick - now the service is exposed on https://localhost:8443.
There are a couple more steps I had to do in standalone.xml: in undertow, add an https-listener:
<https-listener name="secure" socket-binding="https" security-realm="SslRealm"/>
define the SslRealm:
<security-realm name="SslRealm">
<server-identities>
<ssl>
<keystore path="foo.keystore" relative-to="jboss.server.config.dir" keystore-password="foo1234" alias="foo" key-password="foo1234"/>
</ssl>
</server-identities>
<authentication>
<truststore path="foo.truststore" relative-to="jboss.server.config.dir" keystore-password="foo1234"/>
</authentication>
</security-realm>
Note that I reuse the same keystore for server and clients here. And since my clients are ATM in the same WF node during development, I had to setup the client-side part there, too:
<system-properties>
<property name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/foo.keystore"/>
<property name="javax.net.ssl.trustStorePassword" value="foo1234"/>
<property name="org.jboss.security.ignoreHttpsHost" value="true"/>
</system-properties>
The last property should be replaced in WF 9+ with cxf.tls-client.disableCNCheck.
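Both the LDAPS answer above (the outbound ldap connection must reference a security-realm that carries the truststore) and the SSL webservice answer (the https-listener must reference a realm with a server keystore) come down to realm references that the server only checks at runtime. The following Python lint is added here and is not part of either post: it walks a standalone.xml and reports ldaps outbound connections without a truststore-backed realm, and https-listeners whose realm has no ssl keystore. The embedded XML is constructed for the example; its element names match those shown in the posts.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real server config): an ldaps connection with no
# security-realm and an https-listener that points at a realm that does not exist.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:10.0"><management>
 <security-realms>
  <security-realm name="LdapSSLRealm"><authentication>
   <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="XXX"/>
  </authentication></security-realm>
  <security-realm name="SslRealm"><server-identities><ssl>
   <keystore path="foo.keystore" relative-to="jboss.server.config.dir" keystore-password="foo1234"/>
  </ssl></server-identities></security-realm>
 </security-realms>
 <outbound-connections>
  <ldap name="ldap_connection" url="ldaps://serveurad:636" search-dn="user" search-credential="XXX"/>
 </outbound-connections>
</management><profile><subsystem xmlns="urn:jboss:domain:undertow:3.1"><server name="default-server">
  <https-listener name="secure" socket-binding="https" security-realm="SslRealm"/>
  <https-listener name="broken" socket-binding="https2" security-realm="NoSuchRealm"/>
</server></subsystem></profile></server>"""

def _local(tag):
    """Strip the {namespace} prefix so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]

def _realm_has(realms, name, path):
    """True if realm `name` exists and contains the nested element chain `path`."""
    node = realms.get(name)
    for step in path:
        if node is None:
            return False
        node = next((c for c in node if _local(c.tag) == step), None)
    return node is not None

def lint_realms(xml_text):
    """Return human-readable findings for broken TLS realm references."""
    root = ET.fromstring(xml_text)
    realms = {r.get("name"): r for r in root.iter() if _local(r.tag) == "security-realm"}
    findings = []
    for ldap in (e for e in root.iter() if _local(e.tag) == "ldap"):
        if ldap.get("url", "").startswith("ldaps://") and not _realm_has(
                realms, ldap.get("security-realm"), ("authentication", "truststore")):
            findings.append(f"ldap {ldap.get('name')}: ldaps URL needs security-realm with a truststore")
    for lst in (e for e in root.iter() if _local(e.tag) == "https-listener"):
        if not _realm_has(realms, lst.get("security-realm"), ("server-identities", "ssl", "keystore")):
            findings.append(f"https-listener {lst.get('name')}: realm {lst.get('security-realm')!r} has no ssl keystore")
    return findings
```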

Accessing Multiple web applications on Jboss7 or Wildfly

I know we can deploy multiple web applications on JBoss 7 or WildFly. But how can we access each web application on a different port? Where do we set that port for a web application?
For example,
application1 is accessible on x.x.x.x:8080
application2 is accessible on x.x.x.x:30000
application3 is accessible on x.x.x.x:35000
In your standalone you have to set up a different server and host for each application.
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
<server name="server1">
<http-listener name="default" socket-binding="http-server1"/>
<host name="webapp1" default-web-module="webapp1.war" alias="webapp1.com">
</host>
</server>
<server name="server2">
<http-listener name="default" socket-binding="http-server2"/>
<host name="webapp2" default-web-module="webapp2.war" alias="webapp2.com">
</host>
</server>
<!-- Other Settings -->
</subsystem>
For the socket binding:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="http-server1" port="${jboss.http.port:8080}"/>
<socket-binding name="http-server2" port="${jboss.http.port:8081}"/>
<!-- Other ports -->
</socket-binding-group>
And then finally, you can have your .war files in the deployments directory but for configurations like this I sometimes find it easier to set the runtime names explicitly:
<deployments>
<deployment name="webapp1" runtime-name="webapp1.war">
<fs-archive path="/path/to/webapp1.war" />
</deployment>
<deployment name="webapp2" runtime-name="webapp2.war">
<fs-archive path="/path/to/webapp2.war" />
</deployment>
</deployments>
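To see which port each host ends up on, here is an added Python helper (not from the answer) that resolves the "${property:default}" expressions and the port-offset the way the server does and maps each host's default-web-module to its listener ports. The standalone.xml fragment is constructed from the answer's snippets.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment built from the answer's snippets; not a real server's config.
SAMPLE_XML = """<server>
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
 <server name="server1"><http-listener name="default" socket-binding="http-server1"/>
  <host name="webapp1" default-web-module="webapp1.war" alias="webapp1.com"/></server>
 <server name="server2"><http-listener name="default" socket-binding="http-server2"/>
  <host name="webapp2" default-web-module="webapp2.war" alias="webapp2.com"/></server>
</subsystem>
<socket-binding-group name="standard-sockets" port-offset="${jboss.socket.binding.port-offset:0}">
 <socket-binding name="http-server1" port="${jboss.http.port:8080}"/>
 <socket-binding name="http-server2" port="${jboss.http.port:8081}"/>
</socket-binding-group>
</server>"""

EXPR = re.compile(r"\$\{([^:}]+)(?::([^}]*))?\}")

def resolve(value, props):
    """Expand ${prop:default}: a supplied system property wins over the default."""
    def sub(m):
        name, default = m.group(1), m.group(2)
        if name in props:
            return props[name]
        if default is None:
            raise KeyError(f"no value or default for {name}")
        return default
    return EXPR.sub(sub, value)

def _local(tag):
    return tag.rsplit("}", 1)[-1]

def host_ports(xml_text, props=None):
    """Map each undertow host's default-web-module to the sorted ports it is served on."""
    props = props or {}
    root = ET.fromstring(xml_text)
    group = next(e for e in root.iter() if _local(e.tag) == "socket-binding-group")
    offset = int(resolve(group.get("port-offset", "0"), props))
    ports = {sb.get("name"): int(resolve(sb.get("port"), props)) + offset
             for sb in group if _local(sb.tag) == "socket-binding"}
    result = {}
    # undertow <server> elements carry a name; the document root <server> does not
    for srv in (e for e in root.iter() if _local(e.tag) == "server" and e.get("name")):
        bound = [ports[ln.get("socket-binding")] for ln in srv
                 if _local(ln.tag) in ("http-listener", "https-listener")]
        for host in (c for c in srv if _local(c.tag) == "host"):
            result[host.get("default-web-module")] = sorted(bound)
    return result
```

Note that with both bindings keyed on jboss.http.port, as in the answer's socket-binding-group, setting that single system property collapses both servers onto the same port.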

Redelivery settings not being applied

I'm trying to get the settings for redelivery of messages to work in a RedHat environment that uses JBoss EAP 6.2, A-MQ 5.9 standalone and a resource adapter between. The connection factory used is XaPooledConnectionFactory. The resource adapter is configured in the EAP standalone-full-ha.xml. The redelivery settings are set on the broker url.
<subsystem xmlns="urn:jboss:domain:resource-adapters:1.1">
<resource-adapters>
<resource-adapter id="activemq-rar-5.9.0.redhat-610379.rar">
<module slot="5.9.0.redhat-610379" id="org.apache.activemq"/>
<transaction-support>XATransaction</transaction-support>
<admin-objects>
<admin-object class-name="org.apache.activemq.pool.XaPooledConnectionFactory" jndi-name="java:jboss/a/ConnectionFactory" enabled="true" use-java-context="true" pool-name="ConnectionFactory1">
<config-property name="brokerUrl">
failover:(tcp://localhost:36616,tcp://localhost:36616)?jms.prefetchPolicy.all=0&amp;jms.rmIdFromConnectionId=true&amp;jms.UserName=xxxxxxxx&amp;jms.Password=xxxxxxxx&amp;jms.redeliveryPolicy.useCollisionAvoidance=true&amp;jms.redeliveryPolicy.collisionAvoidancePercent=50&amp;jms.redeliveryPolicy.useExponentialBackOff=true&amp;jms.redeliveryPolicy.initialRedeliveryDelay=2000
</config-property>
<config-property name="tmFromJndi">
true
</config-property>
</admin-object>
<admin-object class-name="org.apache.activemq.pool.XaPooledConnectionFactory" jndi-name="java:jboss/b/ConnectionFactory" enabled="true" use-java-context="true" pool-name="ConnectionFactory2">
<config-property name="brokerUrl">
failover:(tcp://localhost:36616,tcp://localhost:36616)?jms.prefetchPolicy.all=0&amp;jms.rmIdFromConnectionId=true&amp;jms.UserName=xxxxxxxx&amp;jms.Password=xxxxxxxx&amp;jms.redeliveryPolicy.useCollisionAvoidance=true&amp;jms.redeliveryPolicy.collisionAvoidancePercent=50&amp;jms.redeliveryPolicy.useExponentialBackOff=true&amp;jms.redeliveryPolicy.initialRedeliveryDelay=2000
</config-property>
<config-property name="tmFromJndi">
true
</config-property>
</admin-object>
</admin-objects>
</resource-adapter>
</resource-adapters>
</subsystem>
When testing, messages are redelivered instantly with no regard to the initial 2 second delay or exponential backoff.
When setting up a test project, however, I'm able to get the settings to work using an ordinary ActiveMQManagedConnectionFactory instead, as follows:
<resource-adapter id="activemq-rar-5.9.0.redhat-610379.rar">
<archive>
activemq-rar-5.9.0.redhat-610379.rar
</archive>
<transaction-support>XATransaction</transaction-support>
<config-property name="Password">
xxxxxxxx
</config-property>
<config-property name="UserName">
xxxxxxxx
</config-property>
<config-property name="InitialRedeliveryDelay">
2000
</config-property>
<config-property name="MaximumRedeliveries">
5
</config-property>
<config-property name="RedeliveryUseExponentialBackOff">
true
</config-property>
<config-property name="RedeliveryBackOffMultiplier">
2
</config-property>
<config-property name="ServerUrl">
tcp://localhost:36616?jms.rmIdFromConnectionId=true
</config-property>
<connection-definitions>
<connection-definition class-name="org.apache.activemq.ra.ActiveMQManagedConnectionFactory" jndi-name="java:/ConnectionFactory" enabled="true" pool-name="ConnectionFactory">
<xa-pool>
<min-pool-size>1</min-pool-size>
<max-pool-size>20</max-pool-size>
<prefill>false</prefill>
<is-same-rm-override>false</is-same-rm-override>
</xa-pool>
<recovery>
<recover-credential>
<user-name>xxxxxxxx</user-name>
<password>xxxxxxxx</password>
</recover-credential>
</recovery>
</connection-definition>
</connection-definitions>
<admin-objects>
<admin-object class-name="org.apache.activemq.command.ActiveMQQueue" jndi-name="java:/queue/HELLOWORLDMDBQueue" use-java-context="true" pool-name="HELLOWORLDMDBQueue">
<config-property name="PhysicalName">
HELLOWORLDMDBQueue
</config-property>
</admin-object>
<admin-object class-name="org.apache.activemq.command.ActiveMQTopic" jndi-name="java:/topic/HELLOWORLDMDBTopic" use-java-context="true" pool-name="HELLOWORLDMDBTopic">
<config-property name="PhysicalName">
HELLOWORLDMDBTopic
</config-property>
</admin-object>
</admin-objects>
</resource-adapter>
I'm not setting these settings programmatically anywhere in any of the projects. I need to use the XaPooledConnectionFactory, preferably with a configuration similar to the first if possible, but with redelivery settings that actually get applied. Are there any known issues with the XaPooledConnectionFactory regarding this? Or sending parameters through the amq url in general? Putting the properties from the test project into my XaPooled project makes no difference.
Thanks in advance!
According to the "Passing extra options to the nested URLs." section of http://activemq.apache.org/failover-transport-reference.html, any parameters you want to pass through the failover: transport into the underlying transport URIs should be prefixed with "nested.". I haven't done this myself, so I can't say for sure that it's right, but it's definitely a place to start.
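The "nested." convention the answer points to is a rewriting rule on the composite URI. This added Python snippet (not from the post and not ActiveMQ's own code) implements that rule so you can see which options end up on each tcp:// transport and which stay on the failover layer; the sample URL is constructed, modeled on the one in the question.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample modeled on the question's brokerUrl: one nested. option that
# should reach every tcp:// transport, one option that belongs to failover itself.
SAMPLE_URL = ("failover:(tcp://localhost:36616,tcp://localhost:36617?soTimeout=1)"
              "?nested.wireFormat.maxInactivityDuration=1000&maxReconnectAttempts=3")

def split_composite(uri):
    """Split 'scheme:(a,b)?k=v' into (scheme, [nested uris], {outer options})."""
    scheme, rest = uri.split(":", 1)
    if not rest.startswith("(") or ")" not in rest:
        raise ValueError("not a composite URI: " + uri)
    close = rest.rindex(")")
    nested = [u.strip() for u in rest[1:close].split(",")]
    options = dict(parse_qsl(rest[close + 1:].lstrip("?"), keep_blank_values=True))
    return scheme, nested, options

def push_nested_options(uri):
    """Apply the documented convention: options prefixed 'nested.' are copied (prefix
    stripped) onto every nested transport URI; all other options stay on the outer
    failover transport. Returns (scheme, rewritten nested uris, full rewritten uri)."""
    scheme, nested, options = split_composite(uri)
    inner = {k[len("nested."):]: v for k, v in options.items() if k.startswith("nested.")}
    outer = {k: v for k, v in options.items() if not k.startswith("nested.")}
    rewritten = []
    for n in nested:
        base, _, query = n.partition("?")
        merged = dict(parse_qsl(query, keep_blank_values=True))
        merged.update(inner)  # in this helper, nested.* wins over a transport's own value
        rewritten.append(base + ("?" + urlencode(merged) if merged else ""))
    tail = "?" + urlencode(outer) if outer else ""
    return scheme, rewritten, f"{scheme}:({','.join(rewritten)}){tail}"
```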