JBoss Instance Configuration to Support Deployed EJB Client Contexts: Difference between revisions

From NovaOrdis Knowledge Base
 
(14 intermediate revisions by the same user not shown)
Line 2: Line 2:


* [[Remoting_WildFly_Subsystem_Configuration#Configuring_Remoting_Subsystem_to_Support_Deployed_EJB_Client_Contexts|Remoting Subsystem Configuration]]
* [[Remoting_WildFly_Subsystem_Configuration#Configuring_Remoting_Subsystem_to_Support_Deployed_EJB_Client_Contexts|Remoting Subsystem Configuration]]
* [[Session EJB and Servlet on Different JBoss Instances]]


=Relevance=
=Relevance=
Line 21: Line 22:
</jboss-ejb-client>
</jboss-ejb-client>
</pre>
</pre>
For more details about EJB client contexts, see {{Internal|EJB_Concepts#EJB_Client_Context|EJB client context}}
For more details about jboss-ejb-client.xml, the deployment descriptor that configures the EJB client context, and which requires the above configuration changes, see {{Internal|Jboss-ejb-client.xml#Required_Server_Configuration|jboss-ejb-client.xml}}


=Procedure=
=Procedure=
Line 36: Line 41:
                                     username="ejb"  
                                     username="ejb"  
                                     security-realm="ejb-security-realm"  
                                     security-realm="ejb-security-realm"  
                                     protocol="http-remoting">
                                     [protocol="http-remoting"]>
             <properties>
             <properties>
                 <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
                 <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
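Review bot: the new `[protocol="http-remoting"]>` line leaves the sample as XML that is not well-formed, so it can no longer be pasted into the remoting subsystem as shown. Keep the attribute as plain `protocol="http-remoting"` in the sample and let the text around the block say which EAP version needs it.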
Line 48: Line 53:
</pre>
</pre>


An "ejb" ApplicationRealm user will have to be created on each of the remote JBoss nodes we intend to invoke into. The procedure is described here: [[]].
Note that the "protocol" attribute is only necessary for EAP 7, and it should be "http-remoting". EAP 6.4 does not need it, and it will trigger a parsing error if specified.
 
An "ejb" ApplicationRealm user will have to be created on each of the ''remote'' JBoss nodes we intend to invoke into. No special groups the user need to belong to must specified. When asked if "is this new user going to be used for one AS process to connect to another AS process?", answer yes. The utility will provide the base-64 encoded credentials needed at the next step. The complete procedure is described here: {{Internal|Adding_Users_to_WildFly_Security_Realms#Add_a_User_to_the_Application_Realm|Adding a User to the Application Realm}}


We also need to declare a local "ejb-security-realm". The rationale and the procedure is describe here [[Declare_a_Local_EJB_Security_Realm|Declare a Local EJB Security Realm]].
We also need to declare a local "ejb-security-realm". The rationale and the procedure is describe here [[#Declare_a_Local_EJB_Security_Realm|Declare a Local EJB Security Realm]].
 
===xnio Options===
 
The outbound connections support the following options (declared as "properties"). These properties can be overridden from jboss-ejb-client.xml.
 
====SASL_POLICY_NOANONYMOUS====
 
====SSL_ENABLED====


==Declare a Local EJB Security Realm==
==Declare a Local EJB Security Realm==


The local "ejb-security-realm" referred from remote-outbound-connections provides the credentials required to authenticate against the remote JBoss nodes.
The local "ejb-security-realm" referred from remote-outbound-connections provides the credentials required to authenticate against the remote JBoss nodes. AS "secret value", use the hash generated at the previous step.


<pre>
<pre>
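Review bot: the added sentence under "Declare a Local EJB Security Realm" calls the secret value "the hash generated at the previous step", while the added user-creation paragraph says the utility provides "base-64 encoded credentials". Pick one term; base-64 is an encoding and is reversible, so the wording matters for how readers protect the file that holds it. Separately, the new `====SASL_POLICY_NOANONYMOUS====` and `====SSL_ENABLED====` headings have no text under them, and "No special groups the user need to belong to must specified" needs rewording.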
Line 62: Line 77:
         <security-realm name="ejb-security-realm">
         <security-realm name="ejb-security-realm">
             <server-identities>
             <server-identities>
                 <secret value="cGFzc3dvcmQxMjM0"/>
                 <secret value="ZWpiMTIz"/>
             </server-identities>
             </server-identities>
         </security-realm>
         </security-realm>
Line 76: Line 91:
<socket-binding-group ...>
<socket-binding-group ...>
     <outbound-socket-binding name="remote-ejb-container-socket-1">
     <outbound-socket-binding name="remote-ejb-container-socket-1">
         <remote-destination host="1.2.3.4" port="8080"/>
         <remote-destination host="1.2.3.4" port="4447|8080"/>
     </outbound-socket-binding>
     </outbound-socket-binding>
     <outbound-socket-binding name="remote-ejb-container-socket-2">
     <outbound-socket-binding name="remote-ejb-container-socket-2">
         <remote-destination host="1.2.3.5" port="8080"/>
         <remote-destination host="1.2.3.5" port="4447|8080"/>
     </outbound-socket-binding>
     </outbound-socket-binding>
   ...
   ...
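Review bot: `port="4447|8080"` in both `remote-destination` lines is not a valid port value and fails if the sample is copied verbatim. Show a single port in the sample and leave the EAP 6.4 versus EAP 7 choice to the explanatory note after the block.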
Line 85: Line 100:
</pre>
</pre>


where remote-outbound-connection's "name" attribute should match the remoting-ejb-receiver's outbound-connection-ref declared in jboss-ejb-client.xml. For more details about EJB client contexts, see [[EJB_Concepts#EJB_Client_Context|EJB client context]]. For more details about jboss-ejb-client.xml, the deployment descriptor that configures the EJB client context, and which requires the above configuration changes, see [[Jboss-ejb-client.xml#Required_Server_Configuration|jboss-ejb-client.xml]].
where remote-outbound-connection's "name" attribute should match the remoting-ejb-receiver's outbound-connection-ref declared in jboss-ejb-client.xml.
 
Note that we need to use 4447 (the remoting port) for EAP 6.4 and 8080 (the http port) for EAP 7. Adjust for any port offsets the target instance may be using.
 
==Smoke Test==
 
Successful configuration and the deployment of an artifact that contains a jboss-ejb-client.xml descriptor generates logging similar to:
 
<pre>
17:00:34,344 INFO  [org.jboss.ejb.client.remoting] (default task-6) EJBCLIENT000017: Received server version 2 and marshalling strategies [river]
17:00:34,350 INFO  [org.jboss.ejb.client.remoting] (MSC service thread 1-4) EJBCLIENT000013: Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@445eed00, receiver=Remoting connection EJB receiver [connection=Remoting connection <2aeadb06> on endpoint "ejb-invoker" <59072952>,channel=jboss.ejb,nodename=ejb-container]} on channel Channel ID 9b500865 (outbound) of Remoting connection 77223769 to /127.0.0.1:8180 of endpoint "ejb-invoker" <59072952>
</pre>

Latest revision as of 14:33, 1 May 2017

Internal

Relevance

  • EAP 7.0.4

Overview

This article describes the server-side configuration required to support deployed EJB client contexts, as declared in jboss-ejb-client.xml deployment descriptors. Assuming that jboss-ejb-client.xml content is the one listed below, the following configuration changes are necessary:

<jboss-ejb-client xmlns:xsi="urn:jboss:ejb-client:1.2" xsi:noNamespaceSchemaLocation="jboss-ejb-client_1_2.xsd">
    <client-context>
        <ejb-receivers>
            <remoting-ejb-receiver outbound-connection-ref="remote-ejb-container-1"/>
            <remoting-ejb-receiver outbound-connection-ref="remote-ejb-container-2"/>
        </ejb-receivers>
    </client-context>
</jboss-ejb-client>

For more details about EJB client contexts, see EJB client context.

For more details about jboss-ejb-client.xml, the deployment descriptor that configures the EJB client context, and which requires the above configuration changes, see jboss-ejb-client.xml.

Procedure

Remoting Subsystem Configuration

Declare remoting outbound connections corresponding to the "outbound-connection-ref" declared in the deployment descriptor:

<subsystem xmlns="urn:jboss:domain:remoting:3.0">
    ...
    <outbound-connections>
        <!-- protocol="http-remoting" is needed on EAP 7 only; omit the attribute on EAP 6.4 -->
        <remote-outbound-connection name="remote-ejb-container-1" 
                                    outbound-socket-binding-ref="remote-ejb-container-socket-1" 
                                    username="ejb" 
                                    security-realm="ejb-security-realm" 
                                    protocol="http-remoting">
            <properties>
                <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
                <property name="SSL_ENABLED" value="false"/>
            </properties>
        </remote-outbound-connection>
        ...
    </outbound-connections>
    ...    
</subsystem>

Note that the "protocol" attribute is only necessary for EAP 7, and it should be "http-remoting". EAP 6.4 does not need it, and it will trigger a parsing error if specified.

An "ejb" ApplicationRealm user will have to be created on each of the remote JBoss nodes we intend to invoke into. The user does not need to belong to any special groups. When asked "is this new user going to be used for one AS process to connect to another AS process?", answer yes. The utility will provide the base-64 encoded credentials needed at the next step. The complete procedure is described here: Adding a User to the Application Realm.

We also need to declare a local "ejb-security-realm". The rationale and the procedure are described in Declare a Local EJB Security Realm.

xnio Options

The outbound connections support the following options (declared as "properties"). These properties can be overridden from jboss-ejb-client.xml.

SASL_POLICY_NOANONYMOUS

SSL_ENABLED

Declare a Local EJB Security Realm

The local "ejb-security-realm" referenced from the remote-outbound-connections provides the credentials required to authenticate against the remote JBoss nodes. As the secret "value", use the base-64 encoded credentials generated at the previous step.

<management>
    <security-realms>
        ...
        <security-realm name="ejb-security-realm">
            <server-identities>
                <secret value="ZWpiMTIz"/>
            </server-identities>
        </security-realm>
    </security-realms>
</management>

Declare the Corresponding Socket Bindings

For each remote outbound connection, declare the corresponding outbound socket binding:

<socket-binding-group ...>
    <!-- port is 8080 (the http port) on EAP 7 and 4447 (the remoting port) on EAP 6.4 -->
    <outbound-socket-binding name="remote-ejb-container-socket-1">
        <remote-destination host="1.2.3.4" port="8080"/>
    </outbound-socket-binding>
    <outbound-socket-binding name="remote-ejb-container-socket-2">
        <remote-destination host="1.2.3.5" port="8080"/>
    </outbound-socket-binding>
   ...
</socket-binding-group>

where remote-outbound-connection's "name" attribute should match the remoting-ejb-receiver's outbound-connection-ref declared in jboss-ejb-client.xml.

Note that we need to use 4447 (the remoting port) for EAP 6.4 and 8080 (the http port) for EAP 7. Adjust for any port offsets the target instance may be using.
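A cross-check of the three pieces configured above (outbound connections, security realm, socket bindings), added here as an example and not part of the original article: it verifies that every name resolves and reports the settings a reviewer would question. The merged `SERVER_XML` document and the names `audit`, `by_tag`, `CLIENT_REFS` and `WEAK` are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the page's fragments merged into one well-formed document.
SERVER_XML = """<server>
 <management><security-realms><security-realm name="ejb-security-realm">
  <server-identities><secret value="ZWpiMTIz"/></server-identities>
 </security-realm></security-realms></management>
 <subsystem xmlns="urn:jboss:domain:remoting:3.0"><outbound-connections>
  <remote-outbound-connection name="remote-ejb-container-1"
      outbound-socket-binding-ref="remote-ejb-container-socket-1"
      username="ejb" security-realm="ejb-security-realm" protocol="http-remoting">
   <properties>
    <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
    <property name="SSL_ENABLED" value="false"/>
   </properties>
  </remote-outbound-connection>
 </outbound-connections></subsystem>
 <socket-binding-group name="standard-sockets">
  <outbound-socket-binding name="remote-ejb-container-socket-1">
   <remote-destination host="1.2.3.4" port="8080"/>
  </outbound-socket-binding>
 </socket-binding-group>
</server>"""
CLIENT_REFS = ["remote-ejb-container-1", "remote-ejb-container-2"]  # outbound-connection-ref values
WEAK = {"SSL_ENABLED": "TLS is off", "SASL_POLICY_NOANONYMOUS": "anonymous SASL mechanisms allowed"}

def by_tag(root, tag):
    """Find elements by local name, ignoring the per-subsystem XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == tag]

def audit(server_xml, client_refs):
    root = ET.fromstring(server_xml)
    conns = {c.get("name"): c for c in by_tag(root, "remote-outbound-connection")}
    sockets = {s.get("name") for s in by_tag(root, "outbound-socket-binding")}
    realms = {r.get("name"): r for r in by_tag(root, "security-realm")}
    findings = [f"{r}: no matching remote-outbound-connection" for r in client_refs if r not in conns]
    for name, c in conns.items():
        if c.get("outbound-socket-binding-ref") not in sockets:
            findings.append(f"{name}: outbound socket binding not declared")
        if c.get("security-realm") not in realms:
            findings.append(f"{name}: security realm not declared")
        props = {p.get("name"): p.get("value") for p in by_tag(c, "property")}
        findings += [f"{name}: {k}=false ({v})" for k, v in WEAK.items() if props.get(k) == "false"]
    for name, realm in realms.items():
        for s in by_tag(realm, "secret"):
            base64.b64decode(s.get("value"), validate=True)  # raises if the value is not base64
            findings.append(f"{name}: secret is reversible base64, restrict access to this file")
    return findings
```

`audit(SERVER_XML, CLIENT_REFS)` returns four findings for the sample: the undeclared `remote-ejb-container-2` reference, the two weak connection properties, and the decodable secret.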

Smoke Test

Successful configuration and the deployment of an artifact that contains a jboss-ejb-client.xml descriptor generates logging similar to:

17:00:34,344 INFO  [org.jboss.ejb.client.remoting] (default task-6) EJBCLIENT000017: Received server version 2 and marshalling strategies [river]
17:00:34,350 INFO  [org.jboss.ejb.client.remoting] (MSC service thread 1-4) EJBCLIENT000013: Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@445eed00, receiver=Remoting connection EJB receiver [connection=Remoting connection <2aeadb06> on endpoint "ejb-invoker" <59072952>,channel=jboss.ejb,nodename=ejb-container]} on channel Channel ID 9b500865 (outbound) of Remoting connection 77223769 to /127.0.0.1:8180 of endpoint "ejb-invoker" <59072952>