Does anyone know how to check in runtime from code if configuration has defined e.g. 'any-address' tag?
...
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<any-address/>
</interface>
</interfaces>
...
For "jboss.bind.address" i can get system property - but what in "any-address" case?
You can try to run a co-located management client from within your application.
Related
Small question about WildFly 10 domain mode and HTTPS.
My host-master.xml parameters:
<management>
<security-realms>
<security-realm name="ManagementRealm">
<server-identities>
<ssl>
<keystore path="..." relative-to="jboss.domain.config.dir" keystore-password="..." alias="..." key-password="..." generate-self-signed-certificate-host="localhost"/>
</ssl>
</server-identities>
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
</authorization>
</security-realm>
<management-interfaces>
<native-interface security-realm="ManagementRealm">
<socket interface="management" port="${jboss.management.native.port:9999}"/>
</native-interface>
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
<socket interface="management" secure-port="${jboss.management.http.port:9990}"/>
</http-interface>
</management-interfaces>
My host-slave.xml parameters:
<security-realms>
<security-realm name="SlaveRealm">
<server-identities>
<secret value="..." />
</server-identities>
<domain-controller>
<remote protocol="remote" host="..." port="9999" username='slave' security-realm="SlaveRealm"/>
</domain-controller>
Domain server starts without any errors and Management conole is available by HTTPS.
But the slave node will not start and I receive an error message:
2017-02-23 17:35:05,149 WARN [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote://...:9999 -- java.lang.IllegalStateException: WFLYHC0110: Unable to connect due to SSL failure.
2017-02-23 17:35:05,149 WARN [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0147: No domain controller discovery options remain.
2017-02-23 17:35:05,150 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0002: Could not connect to master. Aborting. Error was: java.lang.IllegalStateException: WFLYHC0120: Tried all domain controller discovery option(s) but unable to connect
2017-02-23 17:35:05,150 FATAL [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0178: Aborting with exit code 99
I've tried to add "<server-identities><ssl><keystore..." part to "SlaveRealm" in host-slave.xml but recieve the same error.
How to configure domain and host-slave properly and simple? Thank you.
In the host.xml you have to specify <interfaces>. You can also pass interfaces values as command line argument while starting wildfly.
Master's host.xml
<interfaces>
<interface name="management">
<inet-address value="${wildfly.bind.address.management:##master.host.name##}"/>
</interface>
<interface name="public">
<inet-address value="${wildfly.bind.address:##master.host.name##}"/>
</interface>
<interface name="unsecure">
<!-- Used for IIOP sockets in the standard configuration.
To secure JacORB you need to setup SSL -->
<inet-address value="${wildfly.bind.address.unsecure:##master.host.name##}"/>
</interface>
</interfaces>
Slave host.xml
<management>
<security-realms>
<security-realm name="ManagementRealm">
<server-identities>
<secret value="##slave.encrypted.password##" />
</server-identities>
....
....
....
<domain-controller>
<!--<local/>-->
<!-- Alternative remote domain controller configuration with a host and port -->
<remote protocol="remote" host="##master.host.name##" port="9999" username="##slave.account.name##" security-realm="ManagementRealm"/>
</domain-controller>
<interfaces>
<interface name="management">
<inet-address value="${wildfly.bind.address.management:##slave.host.name##}"/>
</interface>
<interface name="public">
<inet-address value="${wildfly.bind.address:##slave.host.name##}"/>
</interface>
<interface name="unsecure">
<!-- Used for IIOP sockets in the standard configuration.
To secure JacORB you need to setup SSL -->
<inet-address value="${wildfly.bind.address.unsecure:##slave.host.name##}"/>
</interface>
</interfaces>
This configuration works for our Dev/QA/Production environments.
I know we can deploy multiple web applications on JBoss 7 or Wildfly. But how can we access different web application with a different port? Where do we set that port for a web application?
For example,
application1 is accessible on x.x.x.x:8080
application2 is accessible on x.x.x.x:30000
application3 is accessible on x.x.x.x:35000
In your standalone you have to set up a different server and host for each application.
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
<server name="server1">
<http-listener name="default" socket-binding="http-server1"/>
<host name="webapp1" default-web-module="webapp1.war" alias="webapp1.com">
</host>
</server>
<server name="server2">
<http-listener name="default" socket-binding="http-server2"/>
<host name="webapp2" default-web-module="webapp2.war" alias="webapp2.com">
</host>
</server>
<!-- Other Settings -->
</subsystem>
For the socketbinding:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="http-server1" port="${jboss.http.port:8080}"/>
<socket-binding name="http-server2" port="${jboss.http.port:8081}"/>
<!-- Other ports -->
</socket-binding-group>
And then finally, you can have your .war files in the deployments directory but for configurations like this I sometimes find it easier to set the runtime names explicitly:
<deployments>
<deployment name="webapp1" runtime-name="webapp1.war">
<fs-archive path="/path/to/webapp1.war" />
</deployment>
<deployment name="webapp2" runtime-name="webapp2.war">
<fs-archive path="/path/to/webapp2.war" />
</deployment>
</deployments>
I can't connect to CLI Jboss 7.1.1.FINAL in Ubuntu, i wonder why?
in console i put :
mastervodoo#vodoo-Studio-1558:/opt/jboss-as-7.1.1.Final/bin$ ./jboss-cli.sh
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
The controller is not available at localhost:9999
[disconnected /] connect 127.0.0.1
The controller is not available at 127.0.0.1:9999
[disconnected /] connect 127.0.1.1
The controller is not available at 127.0.1.1:9999
[disconnected /] connect 192.168.1.33
The controller is not available at 192.168.1.33:9999
[disconnected /]
is a standalone configuration, why i cannot enter?
Check your XML configuration, e.g. standalone.xml or domain.xml, and look <interfaces/> section. Make sure you're binding to 127.0.0.1 for the management interface. Also have a look at your management-native port in the <socket-binding/> section and make sure it's set to 9999. These are the defaults.
It should look something like the following:
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
</interface>
...
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
...
</socket-binding-group>
You could also pass properties to change the values if the expression values are being used.
$JBOSS_HOME/bin/standalone.sh -Djboss.bind.address.management=127.0.0.1 -Djboss.management.native.port=9999
If it's still not connecting it's likely a local issue. Most likely a firewall getting in the way or possibly you don't have localhost set-up in your hosts.
Check your hosts file!
/etc/hosts
Your localhost must be specified as 127.0.0.1.
In case your jboss instance is not binding to 127.0.0.1, you may use --controller option as follows:
./jboss-cli.sh --controller=YOUR_IP:9999
Just for the next guy to stumble on this, if you're on Mac, THIS will solve it:
http://saltnlight5.blogspot.com.au/2012/07/getting-jboss-clish-to-work-on-macosx.html
In case link goes down:
Start the server with: bin/standalone.sh -Djava.nio.channels.spi.SelectorProvider=sun.nio.ch.KQueueSelectorProvider
On the client side, first run: export JAVA_OPTS="-Djava.nio.channels.spi.SelectorProvider=sun.nio.ch.KQueueSelectorProvider"
Then run bin/jboss-cli.sh --connect
You should now be connected!
To me this happen due to JBoss being under heavy load while processing an erroneous task which caused Hibernate exceptions at a high rate.
I managed to connect after ~20 retries, after which I couldn't connect again.
I am using JBoss 7 AS. I am deploying the projects via the linux box by the cmd like so
bin/standalone.sh -b [ipaddress]
This works fine only when i am on the network, however it doesn't work when i'm outside the network or over the internet.
How do i launch it so people can access it over the internet?
I tried this but it doesnt work.
bin/standalone.sh -b 0.0.0.0
It says:
Google Chrome could not load the webpage because took too long to respond. The website may be down, or you may be experiencing issues with your Internet connection.
Your first step is to understand and configure your interface and port bindings. Before we get to that, it should be clarified that the -b runtime switch has been active since JBoss AS7.0.2, but wasn't present in previous releases of AS 7. Refer to the following link for more information via the JBoss Application Server 7 community forums.
https://community.jboss.org/thread/168789
For your question, you will need to consider both the interface and the port attribute of the socket binding group. Assuming that you're using the standalone instance, you can find the socket binding groups declared in the standalone.xml configuration file as follows.
Socket Groups and Port Bindings
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
<socket-binding name="ajp" port="8009"/>
<socket-binding name="http" port="8080"/>
<socket-binding name="https" port="8443"/>
<socket-binding name="osgi-http" interface="management" port="8090"/>
<socket-binding name="remoting" port="4447"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
You can see that the http connector is bound to port 8080, and you can also see that the management API port bindings are bound to java tokens. These are values that you can override (hence the "${thing:value}" syntax), but you lose the power to override them if you hardcode them. This is relevant because the default interface is a java token, allowing you to use the -b switch to override it.
Interfaces
Here's the default public interface in the standalone.xml file. The word "public" is just a relative handle. You can "call" it anything that you want, just as long as it means something to you and you can associate server groups and socket bindings to it later. This is a great feature of AS 7, allowing you to declare a set of attributes in one element, and inherit their attributes elsewhere by referencing that element name.
The following example allows you to reference the public interface elsewhere without needing to know what the actual Inet Address value is.
<interfaces>
<interface name="public">
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
</interface>
</interfaces>
Getting Gooey
You can change these values either via the Management CLI or the Management Console (keeping with the workflow guidance that it's better to use the Management APIs and leave the XML alone). Like most GUIs, Management Console is the easiest to jump into first. Here's the socket binding screen. Notice that there's only really one "socket binding group" in the standalone instance, in this case the standard-sockets group.
You can edit the http binding if you need, but you should also think about the interface that you are using to connect to the internet. I'm going to assume that you have set up your webserver to suit your needs (which is probably more a question for apache than JBoss). Here's the console view for interface settings.
This shows the public interface that the standard-sockets binding group is relating itself to in the config file. Advanced configurations can use the Advanced section to create ordered conditions for partitioning traffic. You can even enable the <any-address/> element that is described in the first link I posted above.
From these two screens, you should be able to configure the required interface and port bindings to expose your application to the internet.
The binding -b 0.0.0.0 does not work in JBoss AS7. Instead you have to configure the interfaces in standalone/configuration/standalone.xml.
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:<your-public-ip>}"/>
</interface>
</interfaces>
As I cannot comment to drri's answer, I'm adding a note as an answer.
When you configure more port bindings, you have also to add a connector to it inside
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
in following way:
when you add binding named some-binding on port 10000, you specify it like:
<socket-binding name="some-binding" port="10000"/>
and then you add a connector accordingly:
<connector name="some-binding" protocol="HTTP/1.1" scheme="http" socket-binding="some-binding"/>
I followed all the steps in this blogpost http://virgo47.wordpress.com/2010/08/23/tomcat-web-application-with-ssl-client-certificates/ except for the fact that I'm using JBoss7.0.2 and not the 6.x version.
The goal is to ask any clients to provide a client certificate and achieve mutual authentication between the client and the server.
I have created a certification authority (CA) to sign the client and server certificates.
I have imported the server certificate into the keystore and added an HTTPS connector to the standalone.xml configuration file to serve HTTPS requests on the 8443 port.
I have imported the CA root certificate into the Certificate Manager under Authorities in client's Firefox.
Everything works fine and when I request https://localhost:8443 I get a page with a valid server certificate.
The problem is, when I import the client certificate into the Certificate Manager in Firefox and set the server configuration to verify client certificates (verify-client="true" in standalone.xml) I get a browser error:
Secure Connection Failed:
An error occurred during a connection to localhost:8443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)
while the jboss log on the server states:
11:01:31,142 DEBUG [org.apache.tomcat.util.net.JIoEndpoint] (http-localhost-127.0.0.1-8443-1) Handshake failed: java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:191) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:1144) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:952) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
at java.lang.Thread.run(Thread.java:662) [:1.6.0_30]
Do you have any idea how to resolve this problem?
My setup:
Localhost server:
sovo#sovo-pc:~$ cat /etc/issue
Ubuntu 10.10
JBoss 7.0.2 Final standalone.xml (relevant parts):
<management>
<security-realms>
<security-realm name="PropertiesMgmtSecurityRealm">
<authentication>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>
</security-realms>
<management-interfaces>
<native-interface interface="management" port="9999"/>
<http-interface interface="management" port="9990"/>
</management-interfaces>
</management>
<profile>
<subsystem xmlns="urn:jboss:domain:security:1.0">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Disabled" flag="required"/>
</authentication>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
<connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
<ssl name="ssl" key-alias="sercer" password="changeit" certificate-key-file="/usr/share/jboss7.0.2/standalone/configuration/certificates/keystore.jks" protocol="TLSv1" verify-client="true" ca-certificate-file="/usr/share/jboss7.0.2/standalone/configuration/certificates/cacerts.jks"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
<subsystem xmlns="urn:jboss:domain:weld:1.0"/>
</profile>
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
<inet-address value="${jboss.bind.address:localhost}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public">
<socket-binding name="http" port="8080"/>
<socket-binding name="https" port="8443"/>
<socket-binding name="jmx-connector-registry" port="1090" interface="management"/>
<socket-binding name="jmx-connector-server" port="1091" interface="management"/>
<socket-binding name="jndi" port="1099"/>
<socket-binding name="osgi-http" port="8090" interface="management"/>
<socket-binding name="remoting" port="4447"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
</socket-binding-group>
Java version:
sovo#sovo-pc:~$ java -version
java version "1.6.0_30"
Java(TM) SE Runtime Environment (build 1.6.0_30-b12)
Java HotSpot(TM) Server VM (build 20.5-b03, mixed mode)
sovo#sovo-pc:~$ javac -version
javac 1.6.0_30
I'll be happy to provide other relevant information if needed.
You might want to give a try by adding cipher suite you your ssl connector:
<ssl name="ssl" key-alias="sercer" password="changeit" certificate-key-file="/usr/share/jboss7.0.2/standalone/configuration/certificates/keystore.jks" protocol="TLSv1" verify-client="true" ca-certificate-file="/usr/share/jboss7.0.2/standalone/configuration/certificates/cacerts.jks" cipher-suite="AES+RSA"/>