JMX Access to Domain Mode EAP 7 Server Node

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

External

Internal

Overview

A generic JMX client connects to a domain mode server node using the remoting endpoint, which will have to be explicitly declared, as it is missing from the default configuration.

Unlike a standalone server node, a domain mode server node does not expose a management interface native endpoint, nor a management interface HTTP endpoint so the server node has to be explicitly configured to allow JMX access over the general purpose remoting connector. More details on how that is configured is available in the "Configuring the Remote Connector for JMX Access" section.

Specific JBoss libraries must be added to the generic client's classpath, and we will show how those can be added for Visual VM and jconsole. Also, the access must be secured by adding a specific user (or using an existing user) to the applications realm associated with the remoting connector.

Server Endpoint

Configuring the Remote Connector for JMX Access

A domain mode server node does not expose a management interface native endpoint, nor a management interface HTTP endpoint so a generic JMX client will use the general purpose remoting connector, defined by the Remoting subsystem.

For that, the remoting connector must be explicitly configured to allow JMX access, by setting its domain.xml use-management-endpoint attribute to false: 

<subsystem xmlns="urn:jboss:domain:jmx:1.3">
    ...
    <remoting-connector use-management-endpoint="false"/>
</subsystem>

The remoting connector is not declared by default for a server node, so it has to be added: 

<subsystem xmlns="urn:jboss:domain:remoting:3.0">
    ...
    <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
</subsystem>

Make sure to add the remoting connector declaration to the profile used by the server node you want to access over JMX

The remoting socket binding is not declared by default, so it has to be added: 

<socket-binding-groups>
    <socket-binding-group name="standard-sockets" default-interface="public">
        ...
        <socket-binding name="remoting" port="4447"/>
    </socket-binding-group>
</socket-binding-groups>

Make sure to add the socket binding to the socket binding group used by the server node you want to access over JMX

Server Endpoint Bind Address and Port

The host address and port binding for the remoting connector are specified as part of the "remoting" socket binding, as declared above. The default port value is 4447.


If the server node runs with a specific port offset, the port value must account for that offset.

The corresponding "public" interface bind address is configured in the <interfaces> section in the host.xml configuration file of the host controller that manages the server node: 

<interfaces>
    ...
    <interface name="public">
        <inet-address value="${jboss.bind.address:127.0.0.1}"/>
    </interface>
    ...
</interfaces>

Unless explicitly re-configured, the default bind address for the public interface is 127.0.0.1.

The bind address and the port are reported as INFO in the corresponding server node log, as follows: 

2016-10-19 01:53:14,906 INFO  [org.jboss.as.remoting] (MSC service thread 1-3) WFLYRMT0001: Listening on 127.0.0.1:4447

The bind address and port will be needed when assembling the URL to be used by the JMX client, below.

Server Endpoint Authentication

A generic JMX client usually provides a username and a password when connecting. Those values must be explicitly added to the Application Realm of the server node we connect to, because the remoting connector authenticates by default against the ApplicationRealm security realm. For more details on remoting security see Remoting Concepts - Security.

The procedure to add a user to the Application Realm is presented in detail here:

Adding a User to the Application Realm.

Note that no specific group is necessary to be specified during the procedure.

JMX Client

The generic JMX client must add client JBoss libraries to its class path and must set up JBoss specific system properties, as shown below. It also must use a specific URL to connect, and the user and the password configured on the server, as described in the "Server Endpoint Authentication" section.

JMX Client Classpath and Startup Options

The JBoss JAR $JBOSS_HOME/bin/client/jboss-cli-client.jar must be added to the JMX client classpath. Also, the JMX client must be started with -Dmodule.path=${JBOSS_HOME}/modules. Specific details for a number of clients are available below:

URL

Use: 

service:jmx:remote://<server-node-host>:4447

where <server-node-host> is the interface the public interface of the server node is bound to.

A deprecated version is: 

service:jmx:remoting-jmx://<server-node-host>:4447

Authentication

Use the username and the password configured on the server, as described in the "Server Endpoint Authentication" section.

SSL Connection Configuration


TODO, come up with the full procedure, until then, more details are available here: https://access.redhat.com/solutions/632773

Retrieved from "https://kb.novaordis.com/index.php?title=JMX_Access_to_Domain_Mode_EAP_7_Server_Node&oldid=12288"