Subordinate WildFly Host Controller Post-Install Configuration
Internal
Overview
This procedure is part of WildFly Unzip Installation. Once completed, return to WildFly Unzip Installation to continue the post-install procedure.
For more details on subordinate host controllers, see:
Prerequisites
The domain controller must be fully configured and up and running when configuring subordinated host controllers, since we need to interact with the domain controller during the subordinated host controller installation (create users, etc.)
host.xml Host Name
A subordinate host controller uses its host name as username when authenticating against the Management Realm of the domain controller, so the host name it is configured with is important. The host name can be hardcoded in host.xml or specified as a system property. For more details see:
Specify the Master Domain Controller
Modify $JBOSS_HOME/domain/configuration/host.xml as follows:
...
<domain-controller>
<remote host="1.2.3.4" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/>
</domain-controller>
...
Note that the management functionality can be exposed over 9999 (native) or 9990 (http).
It is possible to expose the master domain controller address externally as 'jboss.domain.master.address' system property. In this case, you'd have to add the following to domain.conf:
HOST_CONTROLLER_JAVA_OPTS="${HOST_CONTROLLER_JAVA_OPTS} -Djboss.domain.master.address=1.2.3.4"
However, this is NOT a good idea. If we go through a domain controller failover, promotion and unpromotion, the IP address will be written into the host.xml file directly, so the 'jboss.domain.master.address' will lose its usefulness and it will suddenly become confusing - we used a system property but also we have hardcode in the file.
For more details on jboss.domain.master.address see:
Connection Failure Symptoms
In $JBOSS_HOME/domain/log/host-controller.log:
22:36:16,823 WARN [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.net.ConnectException: JBAS012174: Could not connect to remote://10.155.78.202:9999. The connection failed 22:36:16,828 WARN [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.lang.IllegalStateException: JBAS010951: Could not connect to master in 11 attempts within 30000 ms 22:36:16,828 WARN [org.jboss.as.host.controller] (Controller Boot Thread) JBAS016581: No domain controller discovery options remain. 22:36:16,829 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010901: Could not connect to master. Aborting. Error was: java.lang.IllegalStateException: JBAS016519: Tried all domain controller discovery option(s) but unable to connect
The Host Controller's Management Interface
A subordinate host controller does not need to expose its management interface.
Specify the Backup Domain Controllers
Configure the Host Controller Identity
Host controller identity is explained here:
Add a Domain Controller Management Realm User
Add a Management Realm user on the domain controller. The user name should be the subordinated host controller host name as specified in <host name="..."> of the subordinated host controller's host.xml. The procedure must be executed on the domain controller, and it is described here:
Use the password value specified there for the Configure Server Identity Secret step.
Domain Controller High Availability and Security
In order to create "equivalent" domain controller, you could configure the users corresponding to the hosts on the primary, and then just copy the relevant content of mgmt-users.properties to the backup controllers. The passwords and their corresponding "secret" values will stay the same.
Configure Server Identity Secret
Manual Procedure
Calculate the secret's value by sending the clear text password into openssl:
echo -n "password-in-clear" | openssl enc -base64
Then copy the resulted string as secret's "value" in a <server-identities> element to host.xml of the subordinate host controller:
<host ...>
<management>
<security-realms>
<security-realm name="ManagementRealm">
...
</authorization>
<server-identities>
<secret value="YXAwMm11MTIzIQ=="/>
</server-identities>
</security-realm>
...
</security-realms>
...
</management>
...
</host>
CLI Procedure
Symptoms of Failure to Authenticate with the Domain Controller
22:40:23,855 WARN [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.lang.IllegalStateException: JBAS010942: Unable to connect due to authentication failure.
Registration Success
In the domain controller's log:
21:43:39,412 INFO [org.jboss.as.domain] (Host Controller Service Threads - 34) JBAS010918: Registered remote slave host "n1", JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21)
Configure the Servers that are Running on this Host
Update host.xml accordingly, specify the server names and their association with a server group defined in domain.xml.
Example:
<servers>
<server name="app1" group="web-apps" auto-start="true">
...
</server>
</servers>
Configure the Network Interface Server Nodes Use to Deliver Business Content
Server nodes exists to process requests, and they must be able to receive those requests and return responses over a network interface that is publicly accessible. More details on how to configure this is available here:
Since EAP 7, "jboss.bind.address.private" must also be configured:
Optionally Remove domain.xml
You could remove domain.xml to eliminate confusion, but only if you don't plan to run this host controller as a backup domain controller. If you plan to run this host controller as a backup domain controller, domain.xml has to be in place or the promotion procedure will fail (alternatively, you could set JBOSS_DOMAIN_CONFIG=domain.cached-remote.xml in jboss-host-controller, but this is an undocumented procedure and I am not sure how stable/safe it is).