I'm trying to set up Keycloak for my company and have run into some issues that I can't solve. I currently have Keycloak installed on two servers in standalone clustered mode. I have these servers behind an external load balancer owned by another group. I've created two realms, one for Jenkins and one for Grafana. When I configure each of them to point directly to the server, it works with no problem. The issue comes into play when I try to authenticate through the load-balanced URL. Below are some logs from Keycloak, Grafana and Jenkins. Both servers are configured with standalone-ha.xml and are configured exactly the same.
Keycloak Log:
2020-02-19 06:30:19,599 WARN [org.keycloak.events] (default task-1) type=CODE_TO_TOKEN_ERROR, realmId=CICD, clientId=grafana, userId=null, ipAddress=24.43.182.84, error=invalid_code, grant_type=authorization_code, code_id=08c751b6-d6a1-4b55-9f69-4b4c28c0c9c4, client_auth_method=client-secret
Grafana Log:
t=2020-02-19T14:32:09+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=302 remote_addr=172.23.0.5 time_ms=0 size=345 referer=https://example.com/grafana/login
t=2020-02-19T14:32:52+0000 lvl=info msg="state check" logger=oauth queryState=0c5576040cb0984602e4e5a8ccc891e425065c740f9c6e4b3331494ad5c69b9b cookieState=0c5576040cb0984602e4e5a8ccc891e425065c740f9c6e4b3331494ad5c69b9b
t=2020-02-19T14:32:52+0000 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error="oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"Code not valid\"}"
t=2020-02-19T14:32:52+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/generic_oauth status=500 remote_addr=172.23.0.5 time_ms=21 size=1751 referer="https://load_balanced_example.com/auth/realms/CICD/protocol/openid-connect/auth?access_type=online&client_id=grafana&redirect_uri=https%3A%2F%2Fexample.com%2Fgrafana%2Flogin%2Fgeneric_oauth&response_type=code&scope=openid+email+profile&state=kyersRiz2wsAryohnLlZPPdtQjA6MJO8wanOnDaXgaY%3D"
Response from Jenkins:
com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
{
"error" : "invalid_grant",
"error_description" : "Code not valid"
}
Keycloak service:
# systemd unit for the Keycloak (WildFly) instance running the clustered profile.
[Unit]
Description=Keycloak
After=network.target
[Service]
Type=idle
# Runs under a dedicated unprivileged account instead of root.
User=keycloak
Group=keycloak
# -b 0.0.0.0 binds only the "public" interface (the http/https socket-bindings)
# on every address of the host, so 8080/8443 have to be restricted to the proxy
# / load balancer by firewall. The "private" interface used by the jgroups
# socket-bindings is not set here and keeps whatever default the <interfaces>
# section of standalone-ha.xml gives it.
# NOTE(review): if that default is loopback, the two nodes never form a cluster
# and an authorization code issued by one node is unknown to the other; confirm.
ExecStart=/opt/keycloak/current/bin/standalone.sh --server-config=standalone-ha.xml -b 0.0.0.0
TimeoutStartSec=600
TimeoutStopSec=600
[Install]
WantedBy=multi-user.target
Screenshots of my client setup within keycloak:
My configuration in Grafana:
# Grafana generic OAuth settings pointing at the Keycloak "CICD" realm.
GF_AUTH_GENERIC_OAUTH_ENABLED=True
GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=True
GF_AUTH_GENERIC_OAUTH_NAME=KeyCloakOAuth
GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
# Placeholder here; the real value is a confidential-client credential and
# belongs in a secret store rather than a shared env file.
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=MYSECRETKEY
GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile
# NOTE(review): this host lacks the ".com" that the token/userinfo URLs carry;
# if that is not just a redaction slip, the browser is sent to a different host
# than the one the code is later exchanged against.
GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://load_balanced_example/auth/realms/CICD/protocol/openid-connect/auth
GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://load_balanced_example.com/auth/realms/CICD/protocol/openid-connect/token
GF_AUTH_GENERIC_OAUTH_API_URL=https://load_balanced_example.com/auth/realms/CICD/protocol/openid-connect/userinfo
# Disables certificate verification for Grafana's server-side calls to the token
# and userinfo endpoints, i.e. exactly the requests that carry the client secret
# and the authorization code. Keep it False outside a lab and trust the load
# balancer's CA instead. It is also unrelated to the "Code not valid" error,
# which Keycloak returns over an otherwise working connection.
GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE=True
# JMESPath over the userinfo/ID-token claims; assumes a "roles" array claim is
# present (NOTE(review): that needs a mapper on the Keycloak client; verify).
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'Admin') && 'Admin' || contains(roles[*], 'Editor') && 'Editor' || 'Viewer'
Some of my standalone-ha.xml config:
<subsystem xmlns="urn:jboss:domain:datasources:5.0">
<!-- Datasources of the clustered Keycloak profile. Both nodes must point at the
same KeycloakDS schema; the passwords below are literal clear text, so the
file needs tight read permissions, and a vault / credential-store expression
is the usual replacement for a literal password. -->
<datasources>
<!-- Stock in-memory H2 datasource with the default sa/sa credentials.
NOTE(review): nothing in this snippet references ExampleDS; if Keycloak only
uses KeycloakDS, removing it avoids keeping a default-credential database up. -->
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
<driver>h2</driver>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
</datasource>
<!-- Shared MariaDB backing store for realms, clients and sessions.
NOTE(review): the JDBC URL carries no TLS parameters, so the connection is
unencrypted unless the driver or the server enforce it; confirm. -->
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:mariadb://example_db.com:3306/keycloak</connection-url>
<driver>mariadb</driver>
<security>
<user-name>keycloak</user-name>
<!-- Clear-text DB password; see the note at the top of this element. -->
<password>mydbpassword</password>
</security>
</datasource>
<drivers>
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
<driver name="mariadb" module="org.mariadb">
<xa-datasource-class>org.mariadb.jdbc.MariaDbDataSource</xa-datasource-class>
</driver>
</drivers>
</datasources>
<!-- Undertow listeners of the Keycloak node. -->
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<!-- proxy-address-forwarding="true" makes Undertow trust X-Forwarded-For and
X-Forwarded-Proto from whoever connects to this listener, so port 8080 must be
reachable only from the reverse proxy / load balancer; a client that can reach
it directly can otherwise spoof the ipAddress Keycloak records in its events
and the scheme used for redirects. redirect-socket="proxy-https" (443) is the
public HTTPS port the confidential redirect points at. -->
<http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
<!-- NOTE(review): this listener has no proxy-address-forwarding, so when the
load balancer is pointed straight at 8443 (as tried in the question) the
forwarded headers are ignored on that path. Either terminate TLS at the LB and
forward to the http listener, or add the same attribute here once 8443 is only
reachable through the LB. -->
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<!-- Socket bindings of the clustered profile. The jgroups bindings sit on the
"private" interface, so cluster discovery and replication only leave the host
on whatever address that interface is bound to; 7600 and 57600 (the TCP stack)
must be reachable between the two nodes and from nowhere else. -->
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="jgroups-mping" interface="private" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
<socket-binding name="jgroups-tcp" interface="private" port="7600"/>
<socket-binding name="jgroups-tcp-fd" interface="private" port="57600"/>
<socket-binding name="jgroups-udp" interface="private" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
<socket-binding name="jgroups-udp-fd" interface="private" port="54200"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<!-- Target of the http listener's redirect-socket: the public HTTPS port in
front of the node, not one of the listeners' own bindings. -->
<socket-binding name="proxy-https" port="443"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
Another thing that might be worth pointing out is that I've set up the Keycloak servers behind an Apache reverse proxy and pointed the load balancer to that, and I've also taken Apache out of the equation and had the load balancer point directly to the Keycloak service on port 8443.
I've also verified from the team doing the load balancing that X-Forwarded-For and X-Forwarded-Proto are enabled and they are forwarding the client IP. If there are other settings to look for on the LB, let me know.
If anyone could help point me in the right direction that would be great! If there is a log that wasn't included or a config that could help troubleshoot, please let me know.
I got it working. The issue was with the clustering of the two nodes. I had to configure the jgroups to use TCP instead of UDP and added TCPPING.
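<!-- JGroups stacks for the two-node Keycloak cluster. The default "ee" channel
     runs on the TCP stack with static TCPPING discovery, so the nodes find
     each other without multicast. Neither stack carries AUTH or an encryption
     protocol, so the private interface these sockets bind to must sit on a
     network only the cluster nodes can reach; JGroups ships SYM_ENCRYPT /
     ASYM_ENCRYPT and AUTH for the case where that cannot be guaranteed. -->
<subsystem xmlns="urn:jboss:domain:jgroups:7.0">
  <channels default="ee">
    <channel name="ee" stack="tcp" cluster="ejb"/>
  </channels>
  <stacks>
    <!-- Multicast stack; not used by the channel above but kept available. -->
    <stack name="udp">
      <transport type="UDP" socket-binding="jgroups-udp"/>
      <protocol type="PING"/>
      <protocol type="MERGE3"/>
      <socket-protocol type="FD_SOCK" socket-binding="jgroups-udp-fd"/>
      <protocol type="FD_ALL"/>
      <protocol type="VERIFY_SUSPECT"/>
      <protocol type="pbcast.NAKACK2"/>
      <protocol type="UNICAST3"/>
      <protocol type="pbcast.STABLE"/>
      <protocol type="pbcast.GMS"/>
      <protocol type="UFC"/>
      <protocol type="MFC"/>
      <protocol type="FRAG3"/>
    </stack>
    <stack name="tcp">
      <transport type="TCP" socket-binding="jgroups-tcp"/>
      <!-- Static member list: each entry is a node's private address and its
           jgroups-tcp port (7600 unless a port-offset applies). -->
      <protocol type="TCPPING">
        <property name="initial_hosts">server1_IP[7600],server2_IP[7600]</property>
        <property name="ergonomics">false</property>
      </protocol>
      <!-- Listed once: the posted stack repeated MERGE3, and a duplicate
           protocol inside one stack is at best redundant (NOTE(review): the
           subsystem addresses protocols by type, so a duplicate is likely
           rejected at boot; confirm). -->
      <protocol type="MERGE3"/>
      <socket-protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
      <protocol type="FD_ALL"/>
      <protocol type="VERIFY_SUSPECT"/>
      <protocol type="pbcast.NAKACK2"/>
      <protocol type="UNICAST3"/>
      <protocol type="pbcast.STABLE"/>
      <protocol type="pbcast.GMS"/>
      <protocol type="MFC"/>
      <protocol type="FRAG3"/>
    </stack>
  </stacks>
</subsystem>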
I then had to change the service to bind my private IP.
# systemd unit for the Keycloak node after the clustering fix.
[Unit]
Description=Keycloak
After=network.target
[Service]
Type=idle
# Runs under a dedicated unprivileged account instead of root.
User=keycloak
Group=keycloak
# -b 0.0.0.0 binds the "public" interface (http/https) on every address;
# -bprivate PRIVATEIP binds the "private" interface, which the jgroups
# socket-bindings use, to this node's private address so that the TCPPING
# peer on the other node can reach port 7600. Keep that address on a network
# only the cluster nodes share and firewall 7600/57600 to the peer, because
# the jgroups traffic itself is neither authenticated nor encrypted.
ExecStart=/opt/keycloak/current/bin/standalone.sh --server-config=standalone-ha.xml -b 0.0.0.0 -bprivate PRIVATEIP
TimeoutStartSec=600
TimeoutStopSec=600
[Install]
WantedBy=multi-user.target
after migrating Wildfly 8.2.1.Final to 21.0.0.Final I tried to run the app on the new server (21.0.0)
but I got an error
Standalone.xml
<!-- JGroups stacks carried over from the WildFly 8.2.1 configuration.
NOTE(review): WildFly 8 selected the active stack with default="tcp" on
<stacks>; later jgroups subsystem schemas select it through
<channels default="..."> / <channel stack="...">, so confirm the 21.0.0 parser
still accepts this attribute. The TCPPING properties timeout and
num_initial_members also predate JGroups 4 and may be ignored or rejected by
the JGroups shipped with WildFly 21; confirm against its schema. -->
<stacks default="tcp">
<stack name="udp">
<transport type="UDP" socket-binding="jgroups-udp">
<property name="port_range">50</property>
</transport>
<protocol type="PING" module="org.jgroups"/>
<protocol type="MERGE3" module="org.jgroups"/>
<socket-protocol type="FD_SOCK" module="org.jgroups" socket-binding="jgroups-udp-fd"/>
<protocol type="FD_ALL" module="org.jgroups"/>
<protocol type="VERIFY_SUSPECT" module="org.jgroups"/>
<protocol type="pbcast.NAKACK2" module="org.jgroups"/>
<protocol type="UNICAST3" module="org.jgroups"/>
<protocol type="pbcast.STABLE" module="org.jgroups"/>
<protocol type="pbcast.GMS" module="org.jgroups"/>
<protocol type="UFC" module="org.jgroups"/>
<protocol type="MFC" module="org.jgroups"/>
<protocol type="FRAG3"/>
<protocol type="RSVP" module="org.jgroups"/>
</stack>
<stack name="tcp">
<transport type="TCP" socket-binding="jgroups-tcp">
<property name="port_range">50</property>
</transport>
<!-- Discovery only ever finds this host (127.0.0.1), i.e. a single-node
cluster; add the other members' address[port] entries to form a real one. -->
<protocol type="org.jgroups.protocols.TCPPING" module="org.jgroups">
<property name="timeout">3000</property>
<property name="initial_hosts">127.0.0.1[7600]</property>
<property name="port_range">0</property>
<property name="num_initial_members">1</property>
</protocol>
<protocol type="MERGE3" module="org.jgroups"/>
<!-- NOTE(review): the tcp stack's FD_SOCK points at the UDP failure-detection
binding (the boot error for stack=tcp/protocol=FD_SOCK names jgroups-udp-fd
for this reason); jgroups-tcp-fd (57600) is the binding meant for this stack. -->
<socket-protocol type="FD_SOCK" module="org.jgroups" socket-binding="jgroups-udp-fd"/>
<protocol type="FD" module="org.jgroups"/>
<protocol type="VERIFY_SUSPECT" module="org.jgroups"/>
<protocol type="pbcast.NAKACK2" module="org.jgroups"/>
<protocol type="UNICAST3" module="org.jgroups"/>
<protocol type="pbcast.STABLE" module="org.jgroups"/>
<protocol type="pbcast.GMS" module="org.jgroups"/>
<protocol type="MFC" module="org.jgroups"/>
<protocol type="FRAG3"/>
<protocol type="RSVP" module="org.jgroups"/>
</stack>
</stacks>
Standalone-ha.xml
<!-- standalone-ha.xml socket bindings. The jgroups bindings that the stacks
above require are declared here on the "private" interface; the standalone.xml
that failed to boot lacks them, which is what the WFLYCTL0362 capability errors
report. port="0" on the multicast bindings means an ephemeral local port. -->
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="jgroups-mping" interface="private" port="0" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
<socket-binding name="jgroups-tcp" interface="private" port="7600"/>
<socket-binding name="jgroups-tcp-fd" interface="private" port="57600"/>
<socket-binding name="jgroups-udp" interface="private" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
<socket-binding name="jgroups-udp-fd" interface="private" port="54200"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="modcluster" port="0" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
the error log
18:57:05,340 ERROR [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0362: Capabilities required by resource '/subsystem=jgroups/stack=tcp/transport=TCP' are not available:
org.wildfly.network.socket-binding.jgroups-tcp; Possible registration points for this capability:
/socket-binding-group=*/socket-binding=*
18:57:05,340 ERROR [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0362: Capabilities required by resource '/subsystem=jgroups/stack=udp/protocol=FD_SOCK' are not available:
org.wildfly.network.socket-binding.jgroups-udp-fd; Possible registration points for this capability:
/socket-binding-group=*/socket-binding=*
18:57:05,340 ERROR [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0362: Capabilities required by resource '/subsystem=jgroups/stack=udp/transport=UDP' are not available:
org.wildfly.network.socket-binding.jgroups-udp; Possible registration points for this capability:
/socket-binding-group=*/socket-binding=*
18:57:05,341 ERROR [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0362: Capabilities required by resource '/subsystem=jgroups/stack=tcp/protocol=FD_SOCK' are not available:
org.wildfly.network.socket-binding.jgroups-udp-fd; Possible registration points for this capability:
/socket-binding-group=*/socket-binding=*
18:57:05,343 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
I figured it out: I should include the missing socket-binding definitions inside Standalone.xml itself.
</server>
.......
.....
<!-- standalone.xml socket bindings with the jgroups entries added so the
jgroups subsystem's capabilities resolve. ajp (8010) and the txn ports
(4714/4715) differ from the usual defaults, presumably to avoid a clash with
another instance on the host (NOTE(review): confirm). -->
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="ajp" port="${jboss.ajp.port:8010}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<!-- Unlike standalone-ha.xml these carry no interface="private", so they fall
on the "public" default interface: the cluster ports 7600/57600/55200/54200
are exposed wherever the public interface is bound. Bind them to a private
interface or firewall them to the cluster peers if jgroups is actually used
from this configuration. -->
<socket-binding name="jgroups-mping" port="0" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
<socket-binding name="jgroups-tcp" port="7600"/>
<socket-binding name="jgroups-tcp-fd" port="57600"/>
<socket-binding name="jgroups-udp" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
<socket-binding name="jgroups-udp-fd" port="54200"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="txn-recovery-environment" port="4714"/>
<socket-binding name="txn-status-manager" port="4715"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
<outbound-socket-binding name="messaging">
<remote-destination host="localhost" port="5445"/>
</outbound-socket-binding>
</socket-binding-group>
</server>
I am fairly new to the JBoss configuration and I have been asked to import a certificate into the JBoss App server. Based on what I have read around on the forums I think I did what was necessary but we still keep seeing the "None of the TrustManagers allowed for trust of the SSL certificate(s) provided by the remote server to which this client attempted a connection" error message. We have hosted a Pega application on our JBoss server and the Pega application makes a 1-way outbound call to consume services from IBM Datapower. We are using Red Hat JBoss Middleware (EWS+EAP) on Red Hat Enterprise Linux 7.1 and have setup the JBoss in Domain mode.
JBoss Enterprise Application Platform version 6.4 is installed under /opt/jboss folder owned by jboss system user configured running in Domain mode only. The environment is pre-configured with one Domain controller and one or more Host controllers. All host controllers can be managed by the domain controller. The environment is also tailored to operate in full-HA profile exclusively.
We have a SGWSGateway-sscert.pem certificate for Datapower that I was asked to import into JBoss. The steps I took are listed below. If I can get any help on what I have set up incorrectly or what I need to change, I will be greatly obliged.
1) Import it into the jbossTrust.jks in /host-controller/configuration/keystores using an alias -sgwsgateway.
2) The domain.xml configuration is:
<!-- Inbound web connectors of the full-ha profile. This subsystem only shapes
what the server accepts; it has no bearing on the trust store used when a
deployed application (Pega here) opens an outbound HTTPS connection, which is
the JVM's default trust store unless javax.net.ssl.trustStore is set. -->
<subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<!-- NOTE(review): <ssl/> carries no keystore, password or protocol attributes,
so the https connector runs on the subsystem's defaults; confirm which
certificate and protocol versions that yields. -->
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl/>
</connector>
<connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
</virtual-server>
</subsystem>
<!-- Interface names only; the addresses are supplied per host in host-*.xml. -->
<interfaces>
<interface name="management"/>
<interface name="public"/>
<interface name="unsecure"/>
</interfaces>
<!-- domain.xml socket bindings of the full-ha profile. Every binding without an
interface attribute lands on "public"; jacorb goes to "unsecure" (plain IIOP),
which the host-slave.xml interfaces default to loopback. -->
<socket-binding-groups>
<socket-binding-group name="full-ha-sockets" default-interface="public">
<socket-binding name="ajp" port="8009"/>
<socket-binding name="http" port="8080"/>
<socket-binding name="https" port="8443"/>
<socket-binding name="jacorb" interface="unsecure" port="3528"/>
<socket-binding name="jacorb-ssl" interface="unsecure" port="3529"/>
<!-- Cluster discovery / transport ports; keep them reachable only between the
hosts of the domain, the jgroups stacks carry no authentication of their own. -->
<socket-binding name="jgroups-mping" port="0" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
<socket-binding name="jgroups-tcp" port="7600"/>
<socket-binding name="jgroups-tcp-fd" port="57600"/>
<socket-binding name="jgroups-udp" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
<socket-binding name="jgroups-udp-fd" port="54200"/>
<socket-binding name="messaging" port="5445"/>
<socket-binding name="messaging-group" port="0" multicast-address="${jboss.messaging.group.address:231.7.7.7}" multicast-port="${jboss.messaging.group.port:9876}"/>
<socket-binding name="messaging-throughput" port="5455"/>
<socket-binding name="modcluster" port="0" multicast-address="224.0.1.105" multicast-port="23364"/>
<socket-binding name="remoting" port="4447"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
</socket-binding-groups>
<!-- Server group running the Pega deployments on the full-ha profile. -->
<server-groups>
<server-group name="jboss-server-group" profile="full-ha">
<jvm name="pega_default">
<!-- NOTE(review): heap/permgen are set both here and again as -Xms/-Xmx and
-XX:PermSize/MaxPermSize in jvm-options, with different initial sizes
(4096m vs 8192m); one of the two is redundant, confirm which wins. -->
<heap size="4096m" max-size="8192m"/>
<permgen size="768m" max-size="1536m"/>
<!-- No -Djavax.net.ssl.trustStore is passed, so outbound TLS from the
application uses the JRE's default cacerts. That is why importing the
DataPower certificate into jbossTrust.jks (the management realm's trust
store in host-slave.xml) did not affect the Pega call. Pointing
-Djavax.net.ssl.trustStore (and trustStorePassword) at that keystore from
here keeps the trust anchor under JBoss configuration and survives JRE
upgrades; note that any password given this way is visible in process
listings, so restrict who can list processes on the host. -->
<jvm-options>
<option value="-Xms8192m"/>
<option value="-Xmx8192m"/>
<option value="-XX:NewSize=1536m"/>
<option value="-XX:MaxNewSize=1536m"/>
<option value="-XX:PermSize=768m"/>
<option value="-XX:MaxPermSize=1536m"/>
<option value="-Djboss.as.management.blocking.timeout=60000"/>
<option value="-Djava.net.preferIPv4Stack=true"/>
<option value="-XX:TargetSurvivorRatio=90"/>
<option value="-XX:+UseParNewGC"/>
<option value="-XX:+UseConcMarkSweepGC"/>
<option value="-XX:+UseCMSInitiatingOccupancyOnly"/>
<option value="-XX:CMSInitiatingOccupancyFraction=80"/>
<option value="-XX:+CMSClassUnloadingEnabled"/>
<option value="-XX:ReservedCodeCacheSize=768m"/>
<option value="-XX:+UseCodeCacheFlushing"/>
<option value="-XX:+DisableExplicitGC"/>
<option value="-XX:+PrintGCDetails"/>
<option value="-verbose:gc"/>
<option value="-Xloggc:/opt/jboss/host-controller/log/gc.%t.%p.log"/>
<option value="-XX:+UseGCLogFileRotation"/>
<option value="-XX:NumberOfGCLogFiles=10"/>
<option value="-XX:GCLogFileSize=1M"/>
<option value="-Djava.awt.headless=true"/>
<!-- NOTE(review): changes how module permissions are sourced when a Java
security manager is active; confirm it is intentional and still needed. -->
<option value="-Djboss.modules.policy-permissions=true"/>
</jvm-options>
</jvm>
<socket-binding-group ref="full-ha-sockets"/>
<deployments>
<deployment name="example.war" runtime-name="example.war"/>
<deployment name="prhelp.war" runtime-name="prhelp.war"/>
<deployment name="prsysmgmt_jboss.war" runtime-name="prsysmgmt_jboss.war"/>
<deployment name="prpc_j2ee14_jboss61JBM.ear" runtime-name="prpc_j2ee14_jboss61JBM.ear"/>
</deployments>
</server-group>
</server-groups>
3) The host-master.xml configuration is:
<security-realms>
<!-- Domain controller's management realm: the identity it presents to host
controllers and management clients, and the properties files it authenticates
them against. This realm secures the management interface only; it plays no
part in TLS connections opened by deployed applications. -->
<security-realm name="ManagementRealm">
<server-identities>
<!-- TLSv1 is deprecated and disabled by default in current JDKs; TLSv1.2 is
the minimum that should be offered here. -->
<ssl protocol="TLSv1">
<!-- Keystore password resolved from the vault, not stored in clear. -->
<keystore path="keystores/jbossIdentity.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::dc_ident_keystore_password::1}" alias="jboss_domain"/>
</ssl>
</server-identities>
<authentication>
<properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
</authorization>
</security-realm>
4) The host-slave.xml configuration is:
<security-realms>
<!-- Host controller's management realm. The <truststore> under <authentication>
is the trust store for clients of the management interface (certificate-based
management auth); it is not consulted for outbound HTTPS made by deployments,
which is why importing the DataPower certificate here had no effect. -->
<security-realm name="ManagementRealm">
<server-identities>
<!-- TLSv1 is deprecated and disabled by default in current JDKs; TLSv1.2 is
the minimum that should be offered here. -->
<ssl protocol="TLSv1">
<keystore path="keystores/jbossIdentity.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::hc_identity_keystore_password::1}" alias="jboss_host"/>
</ssl>
<!-- Base64-encoded password this host controller uses to join the domain
controller. Base64 is not protection: unlike the keystore passwords above it
is not vaulted, so anyone who can read this file (or this post) holds the
credential. Move it to a ${VAULT::...} expression, keep the file's read
permissions tight, and rotate the value now that the file has been shared. -->
<secret value="U2NvdGlhYmFua0Ax"/>
</server-identities>
<authentication>
<truststore path="keystores/jbossTrust.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::hc_trust_keystore_password::1}"/>
<properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
</authorization>
</security-realm>
<!-- Host interfaces. Each defaults to loopback unless the matching
jboss.bind.address* system property is supplied on the command line, so the
servers are unreachable from the network until that is done deliberately. -->
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
</interface>
<interface name="unsecure">
<inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
</interface>
</interfaces>
<!-- Single managed server on this host; port-offset="100" shifts every binding
of full-ha-sockets by 100 (http 8180, https 8543, ...), so firewall rules and
the load balancer must use the offset ports. -->
<servers>
<server name="jboss-server-one" group="jboss-server-group" auto-start="true">
<jvm name="pega_default"/>
<socket-bindings port-offset="100"/>
</server>
</servers>
Regards
Ali.
We resolved this by adding the certificate at the Java level. In my question scenario above we were importing the certificate into the JBoss keystore. The application was not finding the certificate because of the different JVMs we had set up. So instead, we imported the certificate into the Java cacerts keystore in the JRE folder.
I have an Infinispan cluster running 3 nodes in distributed mode, with numOwners=2. But on startup the server does not recognize the consistent-hash-factory attribute. Here is my clustered.xml:
<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:2.1">
<!-- Subsystem extensions loaded by this Infinispan Server instance; each
<subsystem> in the profile below must have its extension listed here. -->
<extensions>
<extension module="org.infinispan.server.endpoint"/>
<extension module="org.jboss.as.clustering.infinispan"/>
<extension module="org.jboss.as.clustering.jgroups"/>
<extension module="org.jboss.as.connector"/>
<extension module="org.jboss.as.deployment-scanner"/>
<extension module="org.jboss.as.jdr"/>
<extension module="org.jboss.as.jmx"/>
<extension module="org.jboss.as.logging"/>
<extension module="org.jboss.as.modcluster"/>
<extension module="org.jboss.as.naming"/>
<extension module="org.jboss.as.remoting"/>
<extension module="org.jboss.as.security"/>
<extension module="org.jboss.as.threads"/>
<extension module="org.jboss.as.transactions"/>
<extension module="org.wildfly.extension.io"/>
<extension module="org.wildfly.extension.undertow"/>
</extensions>
<!-- Management realms, audit log, management interface and RBAC mapping. -->
<management>
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<!-- "local" silent authentication for same-host callers that can read the
server's auth directory; its strength rests on OS file permissions. -->
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<!-- Realm used by the remoting connector and (via the "other" security
domain) by the REST connector's BASIC auth. -->
<security-realm name="ApplicationRealm">
<authentication>
<!-- NOTE(review): allowed-users="*" lets the local mechanism assert any user
name rather than only $local; confirm that is intended for this realm. -->
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
</security-realms>
<!-- Management audit log is fully configured but switched off
(enabled="false"); turning it on gives a per-operation record of who changed
the configuration, which is the first thing wanted when investigating a
cluster-wide change. -->
<audit-log>
<formatters>
<json-formatter name="json-formatter"/>
</formatters>
<handlers>
<file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
</handlers>
<logger log-boot="true" log-read-only="false" enabled="false">
<handlers>
<handler name="file"/>
</handlers>
</logger>
</audit-log>
<management-interfaces>
<!-- Only the plain http management socket is bound (no https binding), so
management credentials travel in clear unless the management interface is
bound to loopback or an isolated network; confirm the interface binding. -->
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
<access-control provider="simple">
<role-mapping>
<role name="SuperUser">
<include>
<user name="$local"/>
</include>
</role>
</role-mapping>
</access-control>
</management>
<profile>
<!-- Logging subsystem. Root and console are at DEBUG, which is very verbose on
a 3-node cluster and may write request details into server.log; the file
handler rotates daily with no size cap, so disk growth needs watching. -->
<subsystem xmlns="urn:jboss:domain:logging:2.0">
<console-handler name="CONSOLE">
<level name="DEBUG"/>
<formatter>
<named-formatter name="COLOR-PATTERN"/>
</formatter>
</console-handler>
<periodic-rotating-file-handler name="FILE" autoflush="true">
<formatter>
<named-formatter name="PATTERN"/>
</formatter>
<file relative-to="jboss.server.log.dir" path="server.log"/>
<suffix value=".yyyy-MM-dd"/>
<append value="true"/>
</periodic-rotating-file-handler>
<logger category="com.arjuna">
<level name="WARN"/>
</logger>
<logger category="org.apache.tomcat.util.modeler">
<level name="WARN"/>
</logger>
<!-- Logs every resolved configuration value at boot; useful while debugging
the unrecognised attribute, but expressions resolved here can include secrets. -->
<logger category="org.jboss.as.config">
<level name="DEBUG"/>
</logger>
<logger category="sun.rmi">
<level name="WARN"/>
</logger>
<logger category="jacorb">
<level name="WARN"/>
</logger>
<logger category="jacorb.config">
<level name="ERROR"/>
</logger>
<root-logger>
<level name="DEBUG"/>
<handlers>
<handler name="CONSOLE"/>
<handler name="FILE"/>
</handlers>
</root-logger>
<formatter name="PATTERN">
<pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
</formatter>
<formatter name="COLOR-PATTERN">
<pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
</formatter>
</subsystem>
<!-- Anything dropped into the deployments directory is deployed within 5s, so
write access to that directory equals code execution on the node. -->
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000"/>
</subsystem>
<!-- Client-facing endpoints of the "clustered" container. In this snippet none
of the connectors has an authentication or encryption element: Hot Rod,
memcached and websocket accept any caller that can reach their socket, and the
REST connector's BASIC credentials go over the wire base64-encoded, so these
sockets must be on a trusted network or fronted by TLS. -->
<subsystem xmlns="urn:infinispan:server:endpoint:7.0">
<hotrod-connector cache-container="clustered" socket-binding="hotrod">
<topology-state-transfer lazy-retrieval="false" lock-timeout="1000" replication-timeout="5000"/>
</hotrod-connector>
<memcached-connector cache-container="clustered" socket-binding="memcached"/>
<!-- BASIC auth against the "other" security domain (ApplicationRealm users). -->
<rest-connector cache-container="clustered" auth-method="BASIC" security-domain="other" virtual-server="default-host"/>
<websocket-connector cache-container="clustered" socket-binding="websocket"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:datasources:2.0">
<datasources/>
</subsystem>
<!-- Cache container "clustered": 3 nodes, distributed caches with two owners
per entry. The container transport rides on the default jgroups stack. -->
<subsystem xmlns="urn:infinispan:server:core:7.1">
<cache-container name="clustered" default-cache="default" statistics="true">
<transport executor="infinispan-transport" lock-timeout="60000"/>
<distributed-cache name="default" mode="SYNC" segments="20" owners="2" remote-timeout="30000" start="EAGER">
<locking acquire-timeout="30000" concurrency-level="1000" striping="false"/>
<transaction mode="NONE"/>
</distributed-cache>
<!-- NOTE(review): consistent-hash-factory is the attribute the server rejects
at boot. It is not an attribute of <distributed-cache> in the server's
urn:infinispan:server:core:7.1 schema as parsed here; the server
configuration exposes a different surface than the embedded XML, so check the
schema for how (or whether) a topology-aware hash can be selected. -->
<distributed-cache name="memcachedCache" mode="SYNC" segments="20" owners="2" remote-timeout="30000" start="EAGER" consistent-hash-factory="org.infinispan.distribution.ch.TopologyAwareConsistentHashFactory">
<locking acquire-timeout="30000" concurrency-level="1000" striping="false"/>
<transaction mode="NONE"/>
</distributed-cache>
<distributed-cache name="namedCache" mode="SYNC" start="EAGER"/>
<distributed-cache name="transactionalCache" mode="SYNC" start="EAGER">
<transaction mode="NON_XA" locking="PESSIMISTIC"/>
</distributed-cache>
</cache-container>
<cache-container name="security"/>
</subsystem>
<!-- XNIO worker and buffer pool shared by undertow and remoting. -->
<subsystem xmlns="urn:jboss:domain:io:1.1">
<worker name="default"/>
<buffer-pool name="default"/>
</subsystem>
<!-- JCA defaults; archive validation rejects malformed resource adapters at
deploy time (fail-on-error="true"). -->
<subsystem xmlns="urn:jboss:domain:jca:2.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
<default-workmanager>
<short-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</short-running-threads>
<long-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</long-running-threads>
</default-workmanager>
<cached-connection-manager/>
</subsystem>
<!-- Diagnostic report generation (jdr); reports bundle configuration, so
treat generated archives as sensitive. -->
<subsystem xmlns="urn:jboss:domain:jdr:1.0"/>
<!-- JGroups stacks for the 3-node cluster; the active one is chosen by the
jboss.default.jgroups.stack system property (udp unless overridden). None of
the stacks carries AUTH or an encryption protocol, so whichever transport is
used, its socket-binding must be confined to the cluster's own network. -->
<subsystem xmlns="urn:infinispan:server:jgroups:7.0" default-stack="${jboss.default.jgroups.stack:udp}">
<stack name="udp">
<transport type="UDP" socket-binding="jgroups-udp"/>
<protocol type="PING"/>
<protocol type="MERGE3"/>
<protocol type="FD_SOCK" socket-binding="jgroups-udp-fd"/>
<protocol type="FD_ALL"/>
<protocol type="VERIFY_SUSPECT"/>
<protocol type="pbcast.NAKACK2"/>
<protocol type="UNICAST3"/>
<protocol type="pbcast.STABLE"/>
<protocol type="pbcast.GMS"/>
<protocol type="UFC"/>
<protocol type="MFC"/>
<protocol type="FRAG2"/>
</stack>
<stack name="tcp">
<transport type="TCP" socket-binding="jgroups-tcp"/>
<!-- Static member list. NOTE(review): the .133 entry uses 7802 while the
others use 7800; each entry has to match that node's actual jgroups-tcp bind
port (including any port-offset), otherwise discovery silently misses it.
The value also has surrounding newlines; JGroups is expected to trim the
list, confirm if discovery misbehaves. -->
<protocol type="TCPPING">
<property name="initial_hosts">
192.168.196.132[7800],192.168.196.133[7802],192.168.196.134[7800]
</property>
</protocol>
<protocol type="MERGE3"/>
<protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
<protocol type="FD_ALL"/>
<protocol type="VERIFY_SUSPECT"/>
<protocol type="pbcast.NAKACK2">
<property name="use_mcast_xmit">
false
</property>
</protocol>
<protocol type="UNICAST3"/>
<protocol type="pbcast.STABLE"/>
<protocol type="pbcast.GMS"/>
<protocol type="MFC"/>
<protocol type="FRAG2"/>
<protocol type="RSVP"/>
</stack>
<!-- S3 discovery. The access/secret keys arrive as system properties, which
end up on the command line and in any system-property dump; the
pre_signed_*_url properties exist so long-lived keys need not be handed to
the server at all. -->
<stack name="s3">
<transport type="TCP" socket-binding="jgroups-tcp"/>
<protocol type="S3_PING">
<property name="location">
${jgroups.s3.bucket:}
</property>
<property name="access_key">
${jgroups.s3.access_key:}
</property>
<property name="secret_access_key">
${jgroups.s3.secret_access_key:}
</property>
<property name="pre_signed_delete_url">
${jgroups.s3.pre_signed_delete_url:}
</property>
<property name="pre_signed_put_url">
${jgroups.s3.pre_signed_put_url:}
</property>
<property name="prefix">
${jgroups.s3.prefix:}
</property>
</protocol>
<protocol type="MERGE3"/>
<protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
<protocol type="FD_ALL"/>
<protocol type="VERIFY_SUSPECT"/>
<protocol type="pbcast.NAKACK2">
<property name="use_mcast_xmit">
false
</property>
</protocol>
<protocol type="UNICAST3"/>
<protocol type="pbcast.STABLE"/>
<protocol type="pbcast.GMS"/>
<protocol type="MFC"/>
<protocol type="FRAG2"/>
</stack>
<!-- Google Cloud Storage discovery; same credential caveat as the s3 stack. -->
<stack name="google">
<transport type="TCP" socket-binding="jgroups-tcp"/>
<protocol type="GOOGLE_PING">
<property name="location">
${jgroups.google.bucket:}
</property>
<property name="access_key">
${jgroups.google.access_key:}
</property>
<property name="secret_access_key">
${jgroups.google.secret_access_key:}
</property>
</protocol>
<protocol type="MERGE3"/>
<protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
<protocol type="FD_ALL"/>
<protocol type="VERIFY_SUSPECT"/>
<protocol type="pbcast.NAKACK2">
<property name="use_mcast_xmit">
false
</property>
</protocol>
<protocol type="UNICAST3"/>
<protocol type="pbcast.STABLE"/>
<protocol type="pbcast.GMS"/>
<protocol type="MFC"/>
<protocol type="FRAG2"/>
</stack>
</subsystem>
<!-- JMX: both the resolved and the expression model are exposed, and <remoting-connector/> makes
     JMX reachable remotely, presumably over the remoting subsystem's connector declared a few
     lines down (which authenticates against ApplicationRealm). -->
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
<!-- mod_cluster: the node advertises itself to the balancer over the multicast "modcluster"
     socket binding and receives balanced traffic on the "ajp" connector; only a CPU metric feeds
     the load figure reported to the balancer.
     NOTE(review): no advertise-security-key is set, so advertise messages are unauthenticated.
     Set one here and the matching key on the balancer if the multicast segment is shared with
     hosts you do not control. -->
<subsystem xmlns="urn:jboss:domain:modcluster:1.2">
<mod-cluster-config advertise-socket="modcluster" connector="ajp">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
<!-- Remote JNDI lookups are enabled. -->
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
<!-- Remoting: connector-ref="default" names the Undertow http-listener, so remote invocations
     presumably arrive on the plain HTTP port via HTTP upgrade; callers authenticate against
     ApplicationRealm. -->
<subsystem xmlns="urn:jboss:domain:remoting:2.0">
<endpoint worker="default"/>
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
<!-- Security domains. "other": the optional Remoting login module presumably accepts an identity
     already established on a remoting connection; RealmDirect (required) then checks the realm.
     password-stacking=useFirstPass lets the second module reuse credentials the first one
     already verified instead of prompting again. -->
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<!-- Web authorization decisions are delegated (no local policy rules). -->
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
<!-- Thread pool used by the Infinispan transport: at most 25 threads, an unbounded queue, and
     idle threads are released immediately (keepalive 0 ms). -->
<subsystem xmlns="urn:jboss:domain:threads:1.1">
<thread-factory name="infinispan-factory" group-name="infinispan" thread-name-pattern="%G %f-%t" priority="5"/>
<unbounded-queue-thread-pool name="infinispan-transport">
<max-threads count="25"/>
<keepalive-time time="0" unit="milliseconds"/>
<thread-factory name="infinispan-factory"/>
</unbounded-queue-thread-pool>
</subsystem>
<!-- Transactions: the transaction manager identifies this node by a random UUID, and crash
     recovery listens on the two txn socket bindings. -->
<subsystem xmlns="urn:jboss:domain:transactions:2.0">
<core-environment>
<process-id>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
</subsystem>
<!-- Undertow: a single plain-HTTP listener on the "http" socket binding and no https-listener,
     so every request (including any login flow) is cleartext unless a TLS terminator sits in
     front of this server.
     NOTE(review): the two response-header filters stamp "Server: WildFly/8" and
     "X-Powered-By: Undertow/1" on every reply. Removing the two <filter-ref> lines is a common
     hardening step that stops that version disclosure. -->
<subsystem xmlns="urn:jboss:domain:undertow:1.1">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http"/>
<host name="default-host" alias="localhost">
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<servlet-container name="default"/>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
</subsystem>
</profile>
<!-- Bind addresses. Both interfaces default to 192.168.196.132, a routable LAN address rather
     than loopback. NOTE(review): unless jboss.bind.address.management is overridden at startup,
     the management ports are reachable from the network; keeping that default at 127.0.0.1 (and
     fronting it with TLS when remote access is needed) is the safer baseline. -->
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:192.168.196.132}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:192.168.196.132}"/>
</interface>
</interfaces>
<!-- Port map for this node. Bindings without an explicit interface use "public". The "https"
     and "management-https" bindings are defined, but nothing visible in the profile above
     references them (Undertow has no https-listener), so the TLS ports are declared yet unused.
     The "hotrod" (11222) and "memcached" (11211) bindings suggest an Infinispan Server profile;
     NOTE(review): the memcached text protocol carries no authentication, so that binding should
     stay on a non-public interface if the endpoint is enabled. -->
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="hotrod" port="11222"/>
<!-- Non-default HTTP port (8082); the Undertow listener above binds here. -->
<socket-binding name="http" port="${jboss.http.port:8082}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<!-- Multicast groups used by JGroups discovery (mping/udp) and mod_cluster advertise. -->
<socket-binding name="jgroups-mping" port="0" multicast-address="${jboss.default.multicast.address:234.99.54.14}" multicast-port="45700"/>
<socket-binding name="jgroups-tcp" port="7800"/>
<socket-binding name="jgroups-tcp-fd" port="57600"/>
<socket-binding name="jgroups-udp" port="55200" multicast-address="${jboss.default.multicast.address:234.99.54.14}" multicast-port="45688"/>
<socket-binding name="jgroups-udp-fd" port="54200"/>
<socket-binding name="memcached" port="11211"/>
<socket-binding name="modcluster" port="0" multicast-address="224.0.1.115" multicast-port="23364"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<socket-binding name="websocket" port="8181"/>
</socket-binding-group>
and the log is as follows:
14:42:40,138 ERROR [org.jboss.as.server] (Controller Boot Thread) JBAS015956: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration
at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:112) [wildfly-controller-8.1.0.Final.jar:8.1.0.Final]
at org.jboss.as.server.ServerService.boot(ServerService.java:331) [wildfly-server-8.1.0.Final.jar:8.1.0.Final]
at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:256) [wildfly-controller-8.1.0.Final.jar:8.1.0.Final]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79]
Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[144,17]
Message: JBAS014788: Unexpected attribute 'consistent-hash-factory' encountered
at org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(ParseUtils.java:104) [wildfly-controller-8.1.0.Final.jar:8.1.0.Final]
at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader_7_1.parseCacheAttribute(InfinispanSubsystemXMLReader_7_1.java:361)
at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader_7_1.parseClusteredCacheAttribute(InfinispanSubsystemXMLReader_7_1.java:390)
at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader_7_1.parseDistributedCache(InfinispanSubsystemXMLReader_7_1.java:458)
at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader_7_1.parseContainer(InfinispanSubsystemXMLReader_7_1.java:158)
at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader_7_1.readElement(InfinispanSubsystemXMLReader_7_1.java:54)
at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader_7_1.readElement(InfinispanSubsystemXMLReader_7_1.java:34)
at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.1.0.Final.jar:1.1.0.Final]
at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69) [staxmapper-1.1.0.Final.jar:1.1.0.Final]
at org.jboss.as.server.parsing.StandaloneXml.parseServerProfile(StandaloneXml.java:1131) [wildfly-server-8.1.0.Final.jar:8.1.0.Final]
at org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:458) [wildfly-server-8.1.0.Final.jar:8.1.0.Final]
at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:145) [wildfly-server-8.1.0.Final.jar:8.1.0.Final]
at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:107) [wildfly-server-8.1.0.Final.jar:8.1.0.Final]
at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.1.0.Final.jar:1.1.0.Final]
at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final.jar:1.1.0.Final]
at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:104) [wildfly-controller-8.1.0.Final.jar:8.1.0.Final]
... 3 more
14:42:40,140 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
You are looking at the schema for embedded (library) mode (urn:infinispan:config:7.1), while Infinispan Server accepts the schema with namespace urn:infinispan:server:core:7.1 (I can't find where it is published; here is the source location). The two schemas are very close, but they are not identical.
If you think that this attribute should be supported for server as well, please file a feature request in JIRA.
Kindly, I need someone to help me with a weird issue I am facing.
I am deploying a web application on JBoss EAP 6.
I configured two JBoss nodes on the same machine (server 1 and server 2) and set them up as a cluster.
I also configured Apache mod_cluster to act as the load balancer.
When I tested the environment from different machines calling my application, everything worked fine: the two nodes worked together and the load was evenly distributed over them.
The problem occurred when I started using Microsoft Visual Studio 2012 Web Load, which simulates concurrent requests to the application. I noticed that all requests were received by one node while the other node stayed idle!
I tried some troubleshooting, such as editing standalone-ha.xml on both nodes and changing the following lines:
<!-- The questioner's attempted tweak: both a simple and a dynamic load provider are declared in
     one mod-cluster-config, with a 20-sample history and three weighted metrics. Only one
     provider can be meaningful; which one the subsystem applies when both are present is not
     shown here. Load metrics decide how NEW sessions are spread; they do not move requests that
     already carry a session id, which is why this change could not affect the symptom. -->
<subsystem xmlns="urn:jboss:domain:modcluster:1.1">
<mod-cluster-config advertise-socket="modcluster" connector="ajp">
<simple-load-provider/>
<dynamic-load-provider history="20">
<load-metric type="busyness" weight="3"/>
<load-metric type="sessions" weight="3" capacity="2"/>
<load-metric type="heap" weight="2"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
Nothing changed.
This is my exact standalone-ha.xml for one node; in fact both nodes use the same file:
<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:1.5">
<!-- Extensions loaded into this server. Every <subsystem> in the profile needs its backing
     extension listed here (e.g. org.jboss.as.modcluster for the modcluster subsystem, the two
     org.jboss.as.clustering.* modules for infinispan and jgroups). -->
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>
<extension module="org.jboss.as.clustering.jgroups"/>
<extension module="org.jboss.as.connector"/>
<extension module="org.jboss.as.deployment-scanner"/>
<extension module="org.jboss.as.ee"/>
<extension module="org.jboss.as.ejb3"/>
<extension module="org.jboss.as.jaxrs"/>
<extension module="org.jboss.as.jdr"/>
<extension module="org.jboss.as.jmx"/>
<extension module="org.jboss.as.jpa"/>
<extension module="org.jboss.as.jsf"/>
<extension module="org.jboss.as.logging"/>
<extension module="org.jboss.as.mail"/>
<extension module="org.jboss.as.modcluster"/>
<extension module="org.jboss.as.naming"/>
<extension module="org.jboss.as.pojo"/>
<extension module="org.jboss.as.remoting"/>
<extension module="org.jboss.as.sar"/>
<extension module="org.jboss.as.security"/>
<extension module="org.jboss.as.threads"/>
<extension module="org.jboss.as.transactions"/>
<extension module="org.jboss.as.web"/>
<extension module="org.jboss.as.webservices"/>
<extension module="org.jboss.as.weld"/>
</extensions>
<!-- JBoss Web connector settings: decode request URIs as UTF-8 and apply the request body
     encoding to query-string parameters as well. -->
<system-properties>
<property name="org.apache.catalina.connector.URI_ENCODING" value="UTF-8"/>
<property name="org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING" value="true"/>
</system-properties>
<!-- Management security.
     ManagementRealm: the "local" mechanism lets a process on the same host authenticate silently
     as $local (presumably how jboss-cli connects without a password); everyone else is checked
     against mgmt-users.properties, with groups from mgmt-groups.properties not mapped to roles.
     ApplicationRealm adds allowed-users="*", which as I read the attribute lets the local
     mechanism assert any user name; confirm that is intended before exposing remoting. -->
<management>
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="ApplicationRealm">
<authentication>
<local default-user="$local" allowed-users="*"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
</security-realms>
<!-- NOTE(review): the management audit log is fully wired (JSON formatter, file handler) but
     enabled="false", so no management operation is recorded. Setting enabled="true" gives an
     audit trail of configuration changes in audit-log.log; log-read-only="false" keeps read
     operations out of it. -->
<audit-log>
<formatters>
<json-formatter name="json-formatter"/>
</formatters>
<handlers>
<file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
</handlers>
<logger log-boot="true" log-read-only="false" enabled="false">
<handlers>
<handler name="file"/>
</handlers>
</logger>
</audit-log>
<!-- Native (CLI) and HTTP (console) management interfaces, both on ManagementRealm and both
     plain; no https socket binding is referenced here. -->
<management-interfaces>
<native-interface security-realm="ManagementRealm">
<socket-binding native="management-native"/>
</native-interface>
<http-interface security-realm="ManagementRealm">
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
<!-- Simple RBAC: the $local identity is a SuperUser. -->
<access-control provider="simple">
<role-mapping>
<role name="SuperUser">
<include>
<user name="$local"/>
</include>
</role>
</role-mapping>
</access-control>
</management>
<profile>
<!-- Logging: console at INFO (with colourised level via %K{level}) plus a daily-rotated
     server.log; the root logger writes to both. Chatty categories are raised to WARN/ERROR.
     org.jboss.as.config at DEBUG presumably echoes the effective configuration at boot, which
     can include system property values, so review server.log before sharing it. -->
<subsystem xmlns="urn:jboss:domain:logging:1.3">
<console-handler name="CONSOLE">
<level name="INFO"/>
<formatter>
<pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
</formatter>
</console-handler>
<periodic-rotating-file-handler name="FILE" autoflush="true">
<formatter>
<pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
</formatter>
<file relative-to="jboss.server.log.dir" path="server.log"/>
<!-- Daily rotation; the date is appended to the rotated file name. -->
<suffix value=".yyyy-MM-dd"/>
<append value="true"/>
</periodic-rotating-file-handler>
<logger category="com.arjuna">
<level name="WARN"/>
</logger>
<logger category="org.apache.tomcat.util.modeler">
<level name="WARN"/>
</logger>
<logger category="org.jboss.as.config">
<level name="DEBUG"/>
</logger>
<logger category="sun.rmi">
<level name="WARN"/>
</logger>
<logger category="jacorb">
<level name="WARN"/>
</logger>
<logger category="jacorb.config">
<level name="ERROR"/>
</logger>
<root-logger>
<level name="INFO"/>
<handlers>
<handler name="CONSOLE"/>
<handler name="FILE"/>
</handlers>
</root-logger>
</subsystem>
<!-- Datasources: only the stock ExampleDS, an in-memory H2 database that lives for the JVM's
     lifetime. "sa"/"sa" is the H2 default and is stored here in cleartext; fine for the sample
     DB, but any real datasource added to this file should use a vault or password-protected
     store rather than a literal <password>. -->
<subsystem xmlns="urn:jboss:domain:datasources:1.1">
<datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
<driver>h2</driver>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
</datasource>
<drivers>
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
</drivers>
</datasources>
</subsystem>
<!-- Hot deployment: the "deployments" directory is polled every 5 s and anything dropped there
     is deployed automatically, so write access to that directory equals deploy rights. -->
<subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000"/>
</subsystem>
<!-- Property expressions (${...}) are expanded in jboss-*.xml descriptors but not in
     standard Java EE spec descriptors. -->
<subsystem xmlns="urn:jboss:domain:ee:1.1">
<spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
<jboss-descriptor-property-replacement>true</jboss-descriptor-property-replacement>
</subsystem>
<!-- EJB container. Stateful beans use the "clustered" cache (Infinispan-backed passivation in
     the "ejb" cache container) when deployed as clustered, otherwise the in-memory "simple"
     cache. Remote EJB calls come in through "remoting-connector" (declared later in the profile,
     authenticated against ApplicationRealm). -->
<subsystem xmlns="urn:jboss:domain:ejb3:1.4">
<session-bean>
<stateless>
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
</stateless>
<stateful default-access-timeout="5000" cache-ref="simple" clustered-cache-ref="clustered"/>
<singleton default-access-timeout="5000"/>
</session-bean>
<!-- Instance pools are capped at 20; callers wait up to 5 minutes for a free instance. -->
<pools>
<bean-instance-pools>
<strict-max-pool name="slsb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
<strict-max-pool name="mdb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
</bean-instance-pools>
</pools>
<caches>
<cache name="simple" aliases="NoPassivationCache"/>
<cache name="passivating" passivation-store-ref="file" aliases="SimpleStatefulCache"/>
<cache name="clustered" passivation-store-ref="infinispan" aliases="StatefulTreeCache"/>
</caches>
<passivation-stores>
<file-passivation-store name="file"/>
<cluster-passivation-store name="infinispan" cache-container="ejb"/>
</passivation-stores>
<async thread-pool-name="default"/>
<timer-service thread-pool-name="default">
<data-store path="timer-service-data" relative-to="jboss.server.data.dir"/>
</timer-service>
<remote connector-ref="remoting-connector" thread-pool-name="default"/>
<thread-pools>
<thread-pool name="default">
<max-threads count="10"/>
<keepalive-time time="100" unit="milliseconds"/>
</thread-pool>
</thread-pools>
<!-- Beans without an explicit security domain use "other"; methods that carry no permission
     metadata are denied rather than allowed (the safe default). -->
<default-security-domain value="other"/>
<default-missing-method-permissions-deny-access value="true"/>
</subsystem>
<!-- Infinispan cache containers backing HA features. "web" holds HTTP sessions (default cache
     "repl": asynchronous replication to every node plus a local file store), "sso" holds
     single-sign-on state replicated synchronously, "ejb" holds passivated stateful beans, and
     "hibernate" is the JPA second-level cache. Replication traffic rides on the JGroups default
     stack and is only as protected as that stack is. -->
<subsystem xmlns="urn:jboss:domain:infinispan:1.4">
<cache-container name="singleton" aliases="cluster ha-partition" default-cache="default">
<transport lock-timeout="60000"/>
<replicated-cache name="default" mode="SYNC" batching="true">
<locking isolation="REPEATABLE_READ"/>
</replicated-cache>
</cache-container>
<!-- ASYNC mode: a session write returns before other nodes have it, so a request that fails
     over immediately after a write may see a slightly stale session; a trade-off, not a bug. -->
<cache-container name="web" aliases="standard-session-cache" default-cache="repl" module="org.jboss.as.clustering.web.infinispan">
<transport lock-timeout="60000"/>
<replicated-cache name="repl" mode="ASYNC" batching="true">
<file-store/>
</replicated-cache>
<replicated-cache name="sso" mode="SYNC" batching="true"/>
<distributed-cache name="dist" l1-lifespan="0" mode="ASYNC" batching="true">
<file-store/>
</distributed-cache>
</cache-container>
<cache-container name="ejb" aliases="sfsb sfsb-cache" default-cache="repl" module="org.jboss.as.clustering.ejb3.infinispan">
<transport lock-timeout="60000"/>
<replicated-cache name="repl" mode="ASYNC" batching="true">
<eviction strategy="LRU" max-entries="10000"/>
<file-store/>
</replicated-cache>
<replicated-cache name="remote-connector-client-mappings" mode="SYNC" batching="true"/>
<distributed-cache name="dist" l1-lifespan="0" mode="ASYNC" batching="true">
<eviction strategy="LRU" max-entries="10000"/>
<file-store/>
</distributed-cache>
</cache-container>
<!-- Hibernate 2LC: queries cached locally, entities invalidated cluster-wide, timestamps
     replicated; entries idle for 100 s expire. -->
<cache-container name="hibernate" default-cache="local-query" module="org.jboss.as.jpa.hibernate:4">
<transport lock-timeout="60000"/>
<local-cache name="local-query">
<transaction mode="NONE"/>
<eviction strategy="LRU" max-entries="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<invalidation-cache name="entity" mode="SYNC">
<transaction mode="NON_XA"/>
<eviction strategy="LRU" max-entries="10000"/>
<expiration max-idle="100000"/>
</invalidation-cache>
<replicated-cache name="timestamps" mode="ASYNC">
<transaction mode="NONE"/>
<eviction strategy="NONE"/>
</replicated-cache>
</cache-container>
</subsystem>
<!-- JAX-RS with default settings. -->
<subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
<!-- JCA: resource adapter archives are validated at deploy time (errors fail the deployment,
     warnings do not); the default work manager runs 50 threads for both short and long work. -->
<subsystem xmlns="urn:jboss:domain:jca:1.1">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
<default-workmanager>
<short-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</short-running-threads>
<long-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</long-running-threads>
</default-workmanager>
<!-- Closes connections a component forgot to release at the end of the invocation. -->
<cached-connection-manager/>
</subsystem>
<!-- Diagnostics report generator (jdr) with default settings. -->
<subsystem xmlns="urn:jboss:domain:jdr:1.0"/>
<!-- JGroups cluster transport. default-stack="udp", so the two nodes find each other by
     multicast (group 230.0.0.4 from the jgroups-udp binding) and the "tcp" stack below is not
     in use unless a cache container selects it explicitly.
     NOTE(review): neither stack carries an AUTH or encryption protocol, so any host that can
     reach the multicast group (or the TCP ports) can join the cluster and read replicated
     session data. Acceptable on an isolated segment; for anything shared, add AUTH and an
     encryption protocol to the stack. -->
<subsystem xmlns="urn:jboss:domain:jgroups:1.1" default-stack="udp">
<stack name="udp">
<transport type="UDP" socket-binding="jgroups-udp"/>
<protocol type="PING"/>
<protocol type="MERGE3"/>
<protocol type="FD_SOCK" socket-binding="jgroups-udp-fd"/>
<protocol type="FD"/>
<protocol type="VERIFY_SUSPECT"/>
<protocol type="pbcast.NAKACK"/>
<protocol type="UNICAST2"/>
<protocol type="pbcast.STABLE"/>
<protocol type="pbcast.GMS"/>
<protocol type="UFC"/>
<protocol type="MFC"/>
<protocol type="FRAG2"/>
<protocol type="RSVP"/>
</stack>
<!-- The TCP stack uses static discovery (TCPPING). NOTE(review): initial_hosts lists
     0.0.0.0[7600] twice; a wildcard address is not a peer and both entries are identical. With
     server2 started at port-offset 100 its jgroups-tcp port is 7700, so the list should name
     each node's real address and port if this stack is ever made the default. -->
<stack name="tcp">
<transport type="TCP" socket-binding="jgroups-tcp"/>
<protocol type="TCPPING">
<property name="initial_hosts">
0.0.0.0[7600],0.0.0.0[7600]
</property>
<property name="num_initial_members">
2
</property>
<property name="port_range">
0
</property>
<property name="timeout">
2000
</property>
</protocol>
<protocol type="MPING" socket-binding="jgroups-mping"/>
<protocol type="MERGE2"/>
<protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
<protocol type="FD"/>
<protocol type="VERIFY_SUSPECT"/>
<protocol type="pbcast.NAKACK"/>
<protocol type="UNICAST2"/>
<protocol type="pbcast.STABLE"/>
<protocol type="pbcast.GMS"/>
<protocol type="UFC"/>
<protocol type="MFC"/>
<protocol type="FRAG2"/>
<protocol type="RSVP"/>
</stack>
</subsystem>
<!-- JMX exposed remotely over the remoting connector (port 4447, ApplicationRealm). -->
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
<!-- JPA with no default datasource (each persistence unit must name its own). -->
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jsf:1.0"/>
<!-- Default mail session relays through the "mail-smtp" outbound binding (localhost:25). -->
<subsystem xmlns="urn:jboss:domain:mail:1.1">
<mail-session jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
<!-- mod_cluster: advertise over the "modcluster" multicast binding, accept balanced traffic on
     the "ajp" connector. Both a simple and a dynamic load provider are present; only one can
     apply, and which one wins when both are declared is not shown here. Load metrics only
     influence where NEW sessions land: mod_cluster keeps a session on the node that created it
     (sticky sessions keyed on the jsessionid), which is why a load test replaying a single
     recorded session id drove everything to one node. -->
<subsystem xmlns="urn:jboss:domain:modcluster:1.1">
<mod-cluster-config advertise-socket="modcluster" connector="ajp">
<simple-load-provider/>
<dynamic-load-provider history="20">
<load-metric type="busyness" weight="3"/>
<load-metric type="sessions" weight="3" capacity="2"/>
<load-metric type="heap" weight="2"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
<!-- Remote JNDI lookups enabled. -->
<subsystem xmlns="urn:jboss:domain:naming:1.4">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:pojo:1.0"/>
<!-- Remoting endpoint on the "remoting" socket binding (4447), authenticating against
     ApplicationRealm; remote EJB and JMX both go through it. With the public interface bound to
     all addresses this port is network-reachable, so keep ApplicationRealm's user list tight. -->
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:resource-adapters:1.1"/>
<subsystem xmlns="urn:jboss:domain:sar:1.0"/>
<!-- Security domains. "other" (the EJB default, see default-security-domain): the optional
     Remoting module presumably accepts an identity already established on the remoting
     connection, then RealmDirect (required) checks the realm; password-stacking=useFirstPass
     lets the second module reuse credentials the first already verified. The two *-policy
     domains delegate authorization decisions. -->
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
<!-- No custom thread pools. -->
<subsystem xmlns="urn:jboss:domain:threads:1.1"/>
<!-- Transactions: node identified by a random UUID, recovery on the txn bindings, and a
     5-minute default transaction timeout. -->
<subsystem xmlns="urn:jboss:domain:transactions:1.4">
<core-environment>
<process-id>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
<coordinator-environment default-timeout="300"/>
</subsystem>
<!-- JBoss Web: plain HTTP on 8080 and AJP on 8009 (the balancer's path in); no HTTPS connector,
     so TLS must terminate at the balancer or the traffic is cleartext end to end.
     NOTE(review): enable-welcome-root="true" serves the stock welcome page at "/"; disabling it
     is a routine production hardening step. -->
<subsystem xmlns="urn:jboss:domain:web:1.5" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
<!-- Web services: published WSDL gets its soap:address rewritten to the bind address
     (127.0.0.1 unless jboss.bind.address is set), which will not match the balancer's name. -->
<subsystem xmlns="urn:jboss:domain:webservices:1.2">
<modify-wsdl-address>true</modify-wsdl-address>
<wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
<endpoint-config name="Standard-Endpoint-Config"/>
<endpoint-config name="Recording-Endpoint-Config">
<pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
<handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
</pre-handler-chain>
</endpoint-config>
<client-config name="Standard-Client-Config"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:weld:1.0"/>
</profile>
<!-- Bind addresses. All three default to loopback, but the start scripts pass -b 0.0.0.0, which
     overrides jboss.bind.address and puts the "public" interface (HTTP, AJP, remoting, JGroups)
     on every address of the host. "management" keeps 127.0.0.1 unless
     jboss.bind.address.management is also set. -->
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
</interface>
<interface name="unsecure">
<inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
</interface>
</interfaces>
<!-- Port map. server2 starts with port-offset 100, so every fixed port below shifts by 100 on
     that node (http 8180, ajp 8109, jgroups-tcp 7700, remoting 4547, ...). Multicast ports are
     not offset, which is what lets both nodes share the discovery group.
     NOTE(review): the AJP protocol has no authentication of its own; with the public interface
     bound to 0.0.0.0 the 8009/8109 ports should be reachable only from the mod_cluster balancer
     (host firewall or a dedicated interface). -->
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
<socket-binding name="ajp" port="8009"/>
<socket-binding name="http" port="8080"/>
<!-- Declared but unused: the web subsystem has no https connector. -->
<socket-binding name="https" port="8443"/>
<socket-binding name="jgroups-mping" port="0" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
<socket-binding name="jgroups-tcp" port="7600"/>
<socket-binding name="jgroups-tcp-fd" port="57600"/>
<socket-binding name="jgroups-udp" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
<socket-binding name="jgroups-udp-fd" port="54200"/>
<socket-binding name="modcluster" port="0" multicast-address="224.0.1.105" multicast-port="23364"/>
<socket-binding name="remoting" port="4447"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<!-- Outbound only: where the default mail session sends SMTP. -->
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
</server>
This is the start script for server 1:
title server1
rem Node 1 of the cluster, using the HA profile. -b 0.0.0.0 binds the "public" interface to every
rem address on the host, so HTTP 8080, AJP 8009 and remoting 4447 are reachable from any network
rem the machine is on (management stays on 127.0.0.1). NOTE(review): whether the jgroups subsystem
rem honours -Djgroups.bind_addr, or binds via the socket-binding interface instead, is not shown here.
bin/standalone.bat -Djboss.node.name=server1 -server-config=standalone-ha.xml -b 0.0.0.0 -Djgroups.bind_addr=127.0.0.1
This is the start script for server 2:
title server2
rem Node 2 on the same machine: port-offset 100 shifts every fixed socket binding (HTTP 8180,
rem AJP 8109, remoting 4547, jgroups-tcp 7700) so the two JVMs do not collide; a distinct node
rem name is required so the balancer and the cluster can tell the members apart. Same exposure
rem caveat as server1 for -b 0.0.0.0.
bin/standalone.bat -Djboss.socket.binding.port-offset=100 -Djboss.node.name=server2 -server-config=standalone-ha.xml -b 0.0.0.0 -Djgroups.bind_addr=127.0.0.1
Could someone please help me find out what is missing or misconfigured in my test environment?
Thanks.
I finally solved my problem: it turned out that when I recorded the test scenario in Microsoft Load Test, it added the jsessionid to the URL, so every request carried the same session id and was routed to the same node.
The solution was to remove this parameter from the test URLs. :)
I'm running JBoss AS 7 in domain mode. When I applied the changes to host.xml, I received the following error.
[Host Controller] Message: JBAS014789: Unexpected element '{urn:jboss:domain:1.2}socket-binding' encountered
I followed this reference guide.
https://community.jboss.org/wiki/SecuringAdministrationConsoleWithHttps
host.xml
<!-- host.xml management section (domain mode). -->
<management>
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
</authentication>
<!-- NOTE(review): the keystore password is the well-known Java default "changeit" and sits
     here in cleartext; use a non-default password and keep host.xml readable only by the
     service account. The password attribute is spelled "password" here but "keystore-password"
     in the answer below; which spelling the urn:jboss:domain:1.2 schema expects should be
     checked against its xsd. -->
<server-identities>
<ssl>
<keystore path=".keystore" relative-to="jboss.home.dir" password="changeit"/>
</ssl>
</server-identities>
</security-realm>
<security-realm name="ApplicationRealm">
<authentication>
<properties path="application-users.properties" relative-to="jboss.domain.config.dir" />
</authentication>
</security-realm>
</security-realms>
<management-interfaces>
<native-interface security-realm="ManagementRealm">
<socket interface="management" port="${jboss.management.native.port:9999}"/>
</native-interface>
<!-- This <socket-binding> child is the element the parser rejected ("Unexpected element
     socket-binding"): in host.xml the interfaces are described with <socket interface=...
     port=...>, not with socket-binding references as in standalone.xml. As far as I recall,
     TLS on the HTTP management interface in host.xml is expressed by adding a secure-port
     attribute to the <socket> element above rather than a second child; verify against the
     1.2 schema. -->
<http-interface security-realm="ManagementRealm">
<socket interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding https="management-https"/>
</http-interface>
</management-interfaces>
</management>
Thanks!
Make the corrections in the configuration file at the row and column reported in the stack trace (ParseError at [row,col]:[x,y]).
I have been dealing with the same issue, and it is tricky for a number of reasons. I've listed the changes to standalone.xml that got me going. It goes without saying that you need to build a keystore to reference.
The most problematic part of this configuration is that the <ssl> element under management/security-realms/security-realm uses a different syntax from the <ssl> element under <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">. I've listed both elements here to show the contrast. You don't actually need to configure SSL for the web subsystem to secure your console; I added the extra detail to show how they differ.
<!-- standalone.xml management section as the answer author configured it. -->
<management>
<security-realms>
<security-realm name="ManagementRealm">
<!-- The server identity supplies the certificate used when the management interface speaks
     TLS. NOTE(review): keystore-password is a cleartext literal in the config file; prefer a
     vault expression and restrict read access to standalone.xml. -->
<server-identities>
<ssl protocol="TLS">
<keystore path="/my/path/to/certs/my_cert.jks" keystore-password="mypass"/>
</ssl>
</server-identities>
<authentication>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>
</security-realms>
<management-interfaces>
<native-interface security-realm="ManagementRealm">
<socket-binding native="management-native"/>
</native-interface>
<!-- NOTE(review): the binding is referenced through the http= attribute. In standalone.xml the
     <socket-binding> element of http-interface also accepts an https= attribute, and it is the
     https= reference that activates the <ssl> server identity above; if http= selects the
     plain listener, this serves cleartext on 9991 despite the binding's name. Verify with a
     browser that the console on this port actually negotiates TLS. -->
<http-interface security-realm="ManagementRealm">
<socket-binding http="management-console-https"/>
</http-interface>
</management-interfaces>
</management>
.
.
.
<profile>
.
.
.
<!-- Web subsystem with an HTTPS connector, shown for contrast with the management <ssl> syntax.
     NOTE(review): protocol="TLSv1" pins the connector to TLS 1.0, which is deprecated; TLSv1.2
     or later should be used. The keystore password is again a cleartext literal, and
     verify-client="false" means no client certificate is requested (server-only TLS). Both
     certificate-file and certificate-key-file point at the same JKS, which is the usual layout
     for a keystore that holds the private key and its certificate chain. -->
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
<ssl password="mypass" certificate-key-file="/my/path/to/certs/my_cert.jks" protocol="TLSv1" verify-client="false" certificate-file="/my/path/to/certs/my_cert.jks"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
.
.
.
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<!-- Application ports referenced by the two web connectors above. -->
<socket-binding name="http" port="8080"/>
<socket-binding name="https" port="8443"/>
.
.
.
<!-- Management ports. "management-console-https" is the author's own binding name and
     property (jboss.management.console.https.port, default 9991); both are bound to the
     "management" interface, so they are only as exposed as that interface's address. -->
<socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
<socket-binding name="management-console-https" interface="management" port="${jboss.management.console.https.port:9991}"/>
Also, since you won't be using it any more, remove the old socket binding:
<!-- The plain-HTTP management binding to delete; leaving it in place while the http-interface
     no longer references it is harmless but misleading. -->
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
I hope that this helps.