Subordinate WildFly Host Controller Post-Install Configuration

From NovaOrdis Knowledge Base

Internal

Overview

This procedure is part of WildFly Unzip Installation. Once completed, return to WildFly Unzip Installation to continue the post-install procedure.

Prerequisites


The domain controller must be fully configured and running before subordinate host controllers are configured, because the subordinate host controller installation interacts with the domain controller (to create users, etc.).

host.xml Host Name

A subordinate host controller uses its host name as the user name when authenticating against the Management Realm of the domain controller, so the host name it is configured with is important. The host name can be hardcoded in host.xml or specified as a system property. For more details see:

host.xml host name

Specify the Master Domain Controller

Modify $JBOSS_HOME/domain/configuration/host.xml as follows:

    ...
    <domain-controller>
       <remote host="1.2.3.4" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/>
    </domain-controller>
    ...

Note that the management functionality can be exposed over port 9999 or 9990.

It is possible to expose the master domain controller address externally as the 'jboss.domain.master.address' system property. In this case, you'd have to add the following to domain.conf:

    HOST_CONTROLLER_JAVA_OPTS="${HOST_CONTROLLER_JAVA_OPTS} -Djboss.domain.master.address=1.2.3.4"

However, this is NOT a good idea. After a domain controller failover, promotion and unpromotion, the IP address is written directly into the host.xml file, so 'jboss.domain.master.address' loses its usefulness and the configuration becomes confusing: a system property is in use, but the address is also hardcoded in the file.

For more details on jboss.domain.master.address see:

jboss.domain.master.address

Connection Failure Symptoms

In $JBOSS_HOME/domain/log/host-controller.log:

    22:36:16,823 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.net.ConnectException: JBAS012174: Could not connect to remote://10.155.78.202:9999. The connection failed
    22:36:16,828 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.lang.IllegalStateException: JBAS010951: Could not connect to master in 11 attempts within 30000 ms
    22:36:16,828 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS016581: No domain controller discovery options remain.
    22:36:16,829 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010901: Could not connect to master. Aborting. Error was: java.lang.IllegalStateException: JBAS016519: Tried all domain controller discovery option(s) but unable to connect

The Host Controller's Management Interface

A subordinate host controller does not need to expose its management interface.

Specify the Backup Domain Controllers

WildFly High Availability Domain Controller

Configure the Host Controller Identity

Host controller identity is explained here:

Subordinated Host Controller Identity

Add a Domain Controller Management Realm User

Add a Management Realm user on the domain controller. The user name should be the subordinate host controller's host name, as specified in <host name="..."> of the subordinate host controller's host.xml. The procedure must be executed on the domain controller, and it is described here:

Adding a User to the Management Realm

Use the password value specified there for the Configure Server Identity Secret step.

Domain Controller High Availability and Security

To create an "equivalent" domain controller, configure the users corresponding to the hosts on the primary, then copy the relevant content of mgmt-users.properties to the backup controllers. The passwords and their corresponding "secret" values will stay the same.

Configure Server Identity Secret

Manual Procedure

Calculate the secret's value by piping the clear-text password into openssl:

    echo -n "password-in-clear" | openssl enc -base64

Then add the resulting string as the secret's "value" in a <server-identities> element in the host.xml of the subordinate host controller, as follows:

    <host ...>
        <management>
            <security-realms>
                <security-realm name="ManagementRealm">
                    ...
                    </authorization>
                    <server-identities>
                        <secret value="YXAwMm11MTIzIQ=="/>
                    </server-identities>
                </security-realm>
                ...
            </security-realms>
            ...
        </management>
        ...
    </host>
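
As an added example (not part of the original page): the secret is only Base64-encoded, so anyone who can read host.xml can recover the password, and a value built with a trailing newline would not match the Management Realm user's password. The helper names below are hypothetical; the script audits a host.xml for both problems, using a constructed fragment as sample input.

```shell
#!/bin/sh
# Added example, not from the original page. Helper names are hypothetical.

# Base64 via openssl as in the manual procedure; coreutils base64 as a fallback.
b64() {
    if command -v openssl >/dev/null 2>&1; then
        case $1 in enc) openssl enc -base64 -A ;; dec) openssl enc -base64 -d -A ;; esac
    else
        case $1 in enc) base64 | tr -d '\n' ;; dec) base64 -d ;; esac
    fi
}

# Same result as: echo -n "password" | openssl enc -base64
# printf '%s' never appends a newline, unlike echo in shells that ignore -n.
make_secret() { printf '%s' "$1" | b64 enc; }

# Print one status word for the <secret value="..."/> in the given host.xml.
audit_secret() {
    secret=$(sed -n 's/.*<secret value="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$secret" ] || { echo "missing"; return 0; }
    clear=$(printf '%s' "$secret" | b64 dec 2>/dev/null || true)
    [ -n "$clear" ] || { echo "not-base64"; return 0; }
    # $(...) strips trailing newlines, so a re-encoding mismatch means the value
    # was built from "password\n" (echo without -n).
    [ "$(make_secret "$clear")" = "$secret" ] || { echo "trailing-newline"; return 0; }
    # The value is only encoded, so host.xml must not be readable by group/other.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in *00) echo "ok" ;; *) echo "readable-by-group-or-other" ;; esac
}

# Constructed sample: a host.xml fragment using the page's placeholder password.
demo=$(mktemp)
printf '<server-identities>\n  <secret value="%s"/>\n</server-identities>\n' \
    "$(make_secret 'password-in-clear')" > "$demo"
chmod 600 "$demo"
echo "audit: $(audit_secret "$demo")"
rm -f "$demo"
```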

CLI Procedure

Symptoms of Failure to Authenticate with the Domain Controller

    22:40:23,855 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.lang.IllegalStateException: JBAS010942: Unable to connect due to authentication failure.
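
As an added example (not part of the original page), the following triage function separates the two failure modes shown in Connection Failure Symptoms and in this section by their JBAS message codes. The function name is hypothetical, and the sample input is constructed from the log lines quoted on this page.

```shell
#!/bin/sh
# Added example, not from the original page; triage_hc_log is a hypothetical name.
# Reads host-controller.log on stdin and prints: <last failure class> <endpoint>
triage_hc_log() {
    awk '
        # JBAS010900 carries the domain controller endpoint that was tried.
        /JBAS010900/ && match($0, /remote:\/\/[^ ]+/) { ep = substr($0, RSTART, RLENGTH) }
        # Reached the domain controller, but the user name (host name) or the
        # secret was rejected: check <host name="..."> and <secret value="..."/>.
        /JBAS010942/ { cls = "auth-failure" }
        # Never reached it: check <remote host="..." port="..."/> and the network.
        /JBAS012174|JBAS010951|JBAS016519/ { cls = "connect-failure" }
        END {
            if (cls == "") print "none", "-"
            else           print cls, ep
        }'
}

# Constructed sample input, taken from the log excerpts on this page
# (the second line of the first sample is truncated).
sample_connect='22:36:16,823 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.net.ConnectException: JBAS012174: Could not connect to remote://10.155.78.202:9999. The connection failed
22:36:16,829 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010901: Could not connect to master. Aborting.'
sample_auth='22:40:23,855 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.lang.IllegalStateException: JBAS010942: Unable to connect due to authentication failure.'

printf '%s\n' "$sample_connect" | triage_hc_log
printf '%s\n' "$sample_auth" | triage_hc_log
```

On a real host, feed it the log directly: `triage_hc_log < $JBOSS_HOME/domain/log/host-controller.log`.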


Return Here

TODO