Subordinate WildFly Host Controller Post-Install Configuration
Latest revision as of 03:56, 5 April 2017
Overview
This procedure is part of WildFly Unzip Installation. Once completed, return to WildFly Unzip Installation to continue the post-install procedure.
For more details on subordinate host controllers, see:
Subordinate Host Controller (WildFly Domain Mode Concepts)
Prerequisites
The domain controller must be fully configured, up and running before a subordinate host controller is configured, because the procedure interacts with the domain controller (creating the management user, etc.).
host.xml Host Name
A subordinate host controller uses its host name as username when authenticating against the Management Realm of the domain controller, so the host name it is configured with is important. The host name can be hardcoded in host.xml or specified as a system property. For more details see:
Specify the Master Domain Controller
Modify $JBOSS_HOME/domain/configuration/host.xml as follows:
<pre>
...
<domain-controller>
    <remote host="1.2.3.4" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/>
</domain-controller>
...
</pre>
Note that the management functionality can be exposed over 9999 (native) or 9990 (http).
It is possible to expose the master domain controller address externally as 'jboss.domain.master.address' system property. In this case, you'd have to add the following to domain.conf:
<pre>
HOST_CONTROLLER_JAVA_OPTS="${HOST_CONTROLLER_JAVA_OPTS} -Djboss.domain.master.address=1.2.3.4"
</pre>
However, this is NOT a good idea. After a domain controller failover, promotion and un-promotion, the promotion procedure writes the IP address directly into host.xml, so the 'jboss.domain.master.address' system property loses its usefulness and the configuration becomes confusing: the same setting is then expressed both as a system property and as a hardcoded value in the file.
For more details on jboss.domain.master.address see:
Connection Failure Symptoms
In $JBOSS_HOME/domain/log/host-controller.log:
<pre>
22:36:16,823 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.net.ConnectException: JBAS012174: Could not connect to remote://10.155.78.202:9999. The connection failed
22:36:16,828 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.lang.IllegalStateException: JBAS010951: Could not connect to master in 11 attempts within 30000 ms
22:36:16,828 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS016581: No domain controller discovery options remain.
22:36:16,829 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010901: Could not connect to master. Aborting. Error was: java.lang.IllegalStateException: JBAS016519: Tried all domain controller discovery option(s) but unable to connect
</pre>
The Host Controller's Management Interface
A subordinate host controller does not need to expose its management interface.
Specify the Backup Domain Controllers
See:
WildFly High Availability Domain Controller
Configure the Host Controller Identity
Host controller identity is explained here:
Subordinated Host Controller Identity (WildFly Security Concepts)
Add a Domain Controller Management Realm User
Add a Management Realm user on the domain controller. The user name must be the subordinate host controller's host name, exactly as specified in <host name="..."> of the subordinate host controller's host.xml. The procedure must be executed on the domain controller, and it is described here:
Adding a User to the Management Realm (Adding Users to WildFly Security Realms)
Use the password value specified there for the Configure Server Identity Secret step.
Domain Controller High Availability and Security
In order to create an "equivalent" (backup) domain controller, configure the users corresponding to the hosts on the primary, then copy the relevant lines of mgmt-users.properties to the backup controllers. The passwords, and therefore the corresponding "secret" values in the hosts' host.xml files, stay the same. This works because the stored hash is derived from the user name, the realm name and the password, so the backup controller must use the same realm name (ManagementRealm) as the primary.
Configure Server Identity Secret
Manual Procedure
Calculate the secret's value by sending the clear text password into openssl. Note that this is plain base64 encoding, not encryption: anyone who can read host.xml can recover the password with the reverse command, so restrict the file's permissions accordingly.
<pre>
echo -n "password-in-clear" | openssl enc -base64
</pre>
Then copy the resulting string as the secret's "value" in a <server-identities> element in host.xml of the subordinate host controller:
<pre>
<host ...>
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                ...
                </authorization>
                <server-identities>
                    <secret value="YXAwMm11MTIzIQ=="/>
                </server-identities>
            </security-realm>
            ...
        </security-realms>
        ...
    </management>
    ...
</host>
</pre>
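The three steps above (creating the Management Realm user on the domain controller, copying mgmt-users.properties lines to a backup domain controller, and computing the server identity secret) all hinge on one clear-text password. The following shell script is an added example, not part of the original page and not WildFly's own tooling. It assumes the host name n1 and the realm name ManagementRealm used elsewhere on this page, a constructed password, and the documented add-user storage format username=HEX(MD5(username ':' realm ':' password)) for mgmt-users.properties.

```shell
#!/bin/sh
# Added example (not from the original page): derive the values the
# subordinate host controller and the domain controller must agree on,
# and audit an existing <secret value="..."/> by decoding it.
# Assumptions: host name "n1", realm "ManagementRealm", and a constructed
# password "ap02mu123!" (the value the page's example secret decodes to).

REALM=ManagementRealm

# <secret value="..."/> in host.xml is plain base64 of the password:
# obfuscation, not encryption.
secret_value() {
  printf '%s' "$1" | openssl enc -base64 -A
}

# Recover the clear-text password from a host.xml secret value.
secret_to_password() {
  printf '%s' "$1" | openssl enc -base64 -d -A
}

# Line the domain controller's mgmt-users.properties holds for this host:
# username=HEX(MD5(username ':' realm ':' password)). The digest depends
# only on these three inputs, so the line can be copied verbatim to a
# backup domain controller using the same realm name, and the host's
# secret keeps working there.
mgmt_users_line() {
  user=$1; pass=$2
  digest=$(printf '%s' "$user:$REALM:$pass" | openssl dgst -md5 | awk '{print $NF}')
  printf '%s=%s\n' "$user" "$digest"
}

# Check that a host.xml secret and a mgmt-users.properties line were
# generated from the same password; prints "match" or "MISMATCH".
check_pair() {
  user=$1; secret=$2; line=$3
  pass=$(secret_to_password "$secret")
  if [ "$(mgmt_users_line "$user" "$pass")" = "$line" ]; then
    echo match
  else
    echo MISMATCH
  fi
}

# Demo with the constructed values.
HOST=n1
PASS='ap02mu123!'
SECRET=$(secret_value "$PASS")
LINE=$(mgmt_users_line "$HOST" "$PASS")
echo "host.xml:              <secret value=\"$SECRET\"/>"
echo "mgmt-users.properties: $LINE"
echo "audit:                 $(check_pair "$HOST" "$SECRET" "$LINE")"
```

Running check_pair against the live files (the secret from the subordinate's host.xml, the matching line from the domain controller's mgmt-users.properties) is a quick way to rule out the identity configuration before chasing an authentication failure in the logs; secret_to_password also makes the point that host.xml holds the management password in recoverable form.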
CLI Procedure
Add Subordinate Host Controller Server Identity Secret Value with CLI
Symptoms of Failure to Authenticate with the Domain Controller
<pre>
22:40:23,855 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.lang.IllegalStateException: JBAS010942: Unable to connect due to authentication failure.
</pre>
Registration Success
In the domain controller's log:
<pre>
21:43:39,412 INFO  [org.jboss.as.domain] (Host Controller Service Threads - 34) JBAS010918: Registered remote slave host "n1", JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21)
</pre>
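As an added example (not from the original page), the following shell script classifies log excerpts by the JBAS message codes shown in the Connection Failure Symptoms, Symptoms of Failure to Authenticate and Registration Success sections, so that a failed registration can be attributed to the network path or to the identity configuration without reading the whole log. The sample lines are constructed from the excerpts on this page; the KIND names and the remediation texts are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the original page): classify the outcome of a
# subordinate host controller's attempt to register with the domain
# controller, keyed on the JBAS message codes quoted on this page.
# JBAS0109xx/0121xx/0165xx lines come from the subordinate's
# host-controller.log; JBAS010918 is logged by the domain controller.

# Reads log lines on stdin and prints "KIND: explanation", where KIND is
# AUTH, NET, OK or NONE. AUTH is checked first because it is the more
# specific diagnosis: the DC was reachable but rejected the host identity.
triage_hc_log() {
  awk '
    /JBAS010942/ { auth = 1 }                        # authentication failure
    /JBAS012174|JBAS010951|JBAS016519/ { net = 1 }   # DC not reachable
    /JBAS010918/ { ok = 1 }                          # DC registered the host
    END {
      if (auth)     print "AUTH: <host name=...> must match a ManagementRealm user on the DC and <secret value> must be the base64 of that user password"
      else if (net) print "NET: <remote host=...> / port (9999 native, 9990 http) unreachable from this host; check the address, the firewall and that the DC is running"
      else if (ok)  print "OK: host registered with the domain controller"
      else          print "NONE: no registration outcome in input"
    }'
}

# Just the KIND token, convenient for scripting.
triage_kind() {
  triage_hc_log | cut -d: -f1
}

# Constructed samples modelled on the excerpts on this page.
SAMPLE_NET='22:36:16,823 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.net.ConnectException: JBAS012174: Could not connect to remote://10.155.78.202:9999. The connection failed
22:36:16,829 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010901: Could not connect to master. Aborting. Error was: java.lang.IllegalStateException: JBAS016519: Tried all domain controller discovery option(s) but unable to connect'
SAMPLE_AUTH='22:40:23,855 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.lang.IllegalStateException: JBAS010942: Unable to connect due to authentication failure.'
SAMPLE_OK='21:43:39,412 INFO  [org.jboss.as.domain] (Host Controller Service Threads - 34) JBAS010918: Registered remote slave host "n1", JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21)'

# Demo: one verdict per sample.
for s in "$SAMPLE_NET" "$SAMPLE_AUTH" "$SAMPLE_OK"; do
  printf '%s\n' "$s" | triage_hc_log
done
```

In practice the script is fed the tail of $JBOSS_HOME/domain/log/host-controller.log on the subordinate (for NET and AUTH) and the domain controller's log (for OK); an AUTH verdict points at the host name and secret value configured in the previous section rather than at the network.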
Configure the Servers that are Running on this Host
Update host.xml to list the servers this host runs and, for each, the server group (defined in domain.xml) it belongs to.
Example:
<pre>
<servers>
    <server name="app1" group="web-apps" auto-start="true">
        ...
    </server>
</servers>
</pre>
Configure the Network Interface Server Nodes Use to Deliver Business Content
Server nodes exist to process requests, so they must be able to receive those requests and return responses over a network interface that clients can reach. More details on how to configure this are available here:
jboss.bind.address for Host Controllers (WildFly System Properties)
Since EAP 7, "jboss.bind.address.private" must also be configured:
jboss.bind.address.private for Host Controllers (WildFly System Properties)
Optionally Remove domain.xml
You could remove domain.xml to eliminate confusion, but only if you don't plan to run this host controller as a backup domain controller. If you plan to run this host controller as a backup domain controller, domain.xml has to be in place or the promotion procedure will fail (alternatively, you could set JBOSS_DOMAIN_CONFIG=domain.cached-remote.xml in jboss-host-controller, but this is an undocumented procedure and I am not sure how stable/safe it is).