JMX Access to Domain Mode EAP 6 Server Node: Difference between revisions

From NovaOrdis Knowledge Base
 
(19 intermediate revisions by the same user not shown)
Line 10: Line 10:
=Overview=
=Overview=


A generic JMX client connects to a domain mode server node using the remoting endpoint.
A generic JMX client connects to a domain [[WildFly_Domain_Mode_Concepts#Server_Instance|server node]] using the server node's remoting endpoint. Unlike a standalone server node, a domain mode server node does not expose a [[WildFly_Management_Interfaces#The_Native_API_Endpoint|management interface native endpoint]], so the server node has to be explicitly configured to allow JMX access over the general purpose remoting connector. More details on how that is configured is available [[#Configuring_the_Remote_Connector_for_JMX_Access|below]]. Specific JBoss libraries must be added to the generic client's classpath, and we will show how those can be added for Visual VM and jconsole. The access must be secured by adding a new user to the applications realm associated with the remoting connector. An existing user with proper credentials can also be used.


Unlike a standalone server node, a domain mode server node does not expose a [[WildFly_Management_Interfaces#The_Native_API_Endpoint|management interface native endpoint]], so the server node has to be explicitly configured to allow JMX access over the general purpose remoting connector. More details on how that is configured is available in the "[[#Configuring_the_Remote_Connector_for_JMX_Access|Configuring the Remote Connector for JMX Access]]" section.
=Server Endpoint=
 
==Configuring the Remote Connector for JMX Access==


Specific JBoss libraries must be added to the generic client's classpath, and we will show how those can be added for Visual VM and jconsole. Also, the access must be secured by adding a specific user (or using an existing user) to the applications realm associated with the remoting connector.
A domain mode server node does not expose a [[WildFly_Management_Interfaces#The_Native_API_Endpoint|management interface native endpoint]] so a generic JMX client must use the general purpose remoting connector, defined by the [[Remoting_WildFly_Subsystem_Concepts#Remoting_and_JMX_Access|Remoting subsystem]]. The remoting connector must be explicitly configured to allow JMX access, by setting the <tt>use-management-endpoint</tt> attribute to false in the corresponding profiled from [[domain.xml]]:


=Server Endpoint=
<subsystem xmlns="urn&#58;jboss:domain:jmx:...">
    ...
    <remoting-connector use-management-endpoint="false"/>
</subsystem>


The generic JMX client must connect to [[WildFly_Management_Interfaces#The_Native_API_Endpoint|the native endpoint of the standalone instance's management interface]].
==Server Endpoint Bind Address and Port==


The host address and port binding for the endpoint are specified as "management-native" socket binding, in [[standalone.xml]] configuration file:
The host address and port binding for the remoting connector are specified as part of the "remoting" socket binding in [[domain.xml]]:


<pre>
<pre>
<socket-binding-group name="standard-sockets" ...>
<socket-binding-groups>
    ...
    <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
        ...
</socket-binding-group>
        <socket-binding name="remoting" port="4447"/>
    </socket-binding-group>
  ...
</socket-binding-groups>
</pre>
</pre>


The port value is 9999.
The default port value is 4447.


<blockquote style="background-color: Gold; border: solid thin Goldenrod;">
<blockquote style="background-color: Gold; border: solid thin Goldenrod;">
:<br>If the standalone instance runs with a specific port offset, the management endpoint port value must account for that offset.<br><br>
:<br>If the server node runs with a specific port offset, the port value must account for that offset.<br><br>
</blockquote>
</blockquote>


The actual value for the management interface bind address is specified under the related "management" interface specification:
The corresponding "public" interface bind address is configured in the <interfaces> section in the [[host.xml]] configuration file of the host controller that manages the server node:


<pre>
<pre>
<interfaces>
<interfaces>
     <interface name="management">
    ...
         <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
     <interface name="public">
         <inet-address value="${jboss.bind.address:127.0.0.1}"/>
     </interface>
     </interface>
  ...
    ...
</interfaces>
</interfaces>
</pre>
</pre>


Unless explicitly re-configured, the default bind address for the management interface is 127.0.0.1.
Unless explicitly re-configured, the default bind address for the public interface is 127.0.0.1.


The bind address and the port are reported as INFO, as follows:
The bind address and the port are reported as INFO in the corresponding server node log, as follows:


<pre>
<pre>
16:15:51,187 INFO  [org.jboss.as.remoting] (MSC service thread 1-15) JBAS017100: Listening on 127.0.0.1:9999
18:00:03,095 INFO  [org.jboss.as.remoting] (MSC service thread 1-12) JBAS017100: Listening on 127.0.0.1:4447
</pre>
</pre>


The bind address and port will be needed when assembling [[#URL|the URL to be used by the JMX client]], below.
The bind address and port will be needed when assembling [[#URL|the URL to be used by the JMX client]], below.


==Configuring the Remote Connector for JMX Access==
==Server Endpoint Authentication==


==Server Endpoint Authentication==
A generic JMX client usually provides a username and a password when connecting. Those values must be explicitly added to the Application Realm of the server node we connect to, because the remoting connector authenticates by default against the  [[WildFly_Security_Realms#Application_Realm|ApplicationRealm]] [[WildFly Security Realms|security realm]]. For more details on remoting security see [[Remoting WildFly Subsystem Concepts#Security|Remoting Concepts - Security]].


A generic JMX client usually provides a username and a password when connecting. Those values must be explicitly added to the Management Realm of the server instance we connect to. The procedure to add a user to the Management Realm is presented in detail here:
The procedure to add a user to the Application Realm is presented in detail here:


<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;">
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;">
:[[Adding_Users_to_WildFly_Security_Realms#Add_a_User_to_the_Management_Realm|Add a User to the Managment Realm]]
:[[Adding_Users_to_WildFly_Security_Realms#Add_a_User_to_the_Application_Realm|Adding a User to the Application Realm]].
</blockquote>
</blockquote>
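Review bot: In the rewritten "Configuring the Remote Connector for JMX Access" paragraph, "in the corresponding profiled from [[domain.xml]]" looks like a typo for "profile in [[domain.xml]]", and "More details on how that is configured is available" should read "are available". The <subsystem xmlns="urn&#58;jboss:domain:jmx:..."> snippet that follows is the only configuration fragment in this hunk that is not wrapped in <pre>, unlike the socket-binding and interfaces snippets; wrapping it would keep the indentation and avoid the &#58; entity.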


Line 78: Line 87:
* [[Jconsole#jconsole_Classpath_and_Startup_Options|jconsole]]
* [[Jconsole#jconsole_Classpath_and_Startup_Options|jconsole]]
* [[Using VisualVM with WildFly|VisualVM]]
* [[Using VisualVM with WildFly|VisualVM]]
* [[Dynatrace#JMX_Connection_to_JBoss|Dynatrace]]
* [[Dynatrace_and_JMX#JMX_Integration_with_JBoss|Dynatrace]]
* [[DataDog]]
* [[DataDog_and_JMX#JMX_integration_with_JBoss|DataDog]]


==URL==
==URL==
Line 86: Line 95:


<pre>
<pre>
service:jmx:remoting-jmx://<server-host>:9999
service:jmx:remoting-jmx://<domain-mode-server-node-host>:4447
</pre>
</pre>


where <server-host> is the interface the native management endpoint is bound to. If the client and server are collocated, that is usually 127.0.0.1.
where <domain-mode-server-node-host> is the interface the public interface of the server node is bound to.


==Authentication==
==Authentication==
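Review bot: The new URL line hard-codes the port in "service:jmx:remoting-jmx://<domain-mode-server-node-host>:4447", while the bind address section states that the port value must account for a port offset; suggest a port placeholder or a note that 4447 is the default. In the sentence below it, "is the interface the public interface of the server node is bound to" repeats "interface"; "is the address the public interface of the server node is bound to" would be clearer.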
Line 97: Line 106:
==SSL Connection Configuration==
==SSL Connection Configuration==


<blockquote style="background-color: AliceBlue; border: solid thin LightSteelBlue;">
{{External|https://access.redhat.com/solutions/632773}}
:<br><font color=red>TODO, come up with the full procedure, until then, more details are available here: https://access.redhat.com/solutions/632773<br><br></font>
</blockquote>
 
 
 
 
<font color=red>
 
'''review'''
 
In order to expose the JMX bus of a server node in domain mode, the JMX subsystem instance on the nodes sharing the same profile must be configured to expose the JMX interface on the connector defined by the [[Remoting_WildFly_Subsystem_Concepts#Remoting_and_JMX_Access|Remoting subsystem]].
 
The configuration change that enables this behavior must be applied in [[domain.xml]], as follows:
 
<pre>
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
    ...
    <remoting-connector use-management-endpoint="false"/>
</subsystem>
</pre>
 
The Remoting subsystem binds by default to port 4447 and authenticates against the [[WildFly_Security_Realms#Application_Realm|ApplicationRealm]] [[WildFly Security Realms|security realm]]. For more details on remoting security see [[Remoting WildFly Subsystem Concepts#Security|Remoting Concepts - Security]]. For details on how to add users to the ApplicationRealm, see [[Adding_Users_to_WildFly_Security_Realms#Add_a_User_to_the_Application_Realm|Adding a User to the Application Realm]].
 
 
 
</font>
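Review bot: With the TODO blockquote replaced by {{External|https://access.redhat.com/solutions/632773}}, the "SSL Connection Configuration" section holds only a link and no longer signals that the procedure is missing from this page. Suggest adding one line saying what the linked solution covers, or keeping a visible pending marker, so the section is not read as complete.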

Latest revision as of 07:33, 8 July 2017

External

Internal

Overview

A generic JMX client connects to a domain server node using the server node's remoting endpoint. Unlike a standalone server node, a domain mode server node does not expose a management interface native endpoint, so the server node has to be explicitly configured to allow JMX access over the general purpose remoting connector. More details on how that is configured are available below. Specific JBoss libraries must be added to the generic client's classpath, and we will show how those can be added for VisualVM and jconsole. Access must be secured by adding a new user to the Application Realm associated with the remoting connector. An existing user with proper credentials can also be used.

Server Endpoint

Configuring the Remote Connector for JMX Access

A domain mode server node does not expose a management interface native endpoint, so a generic JMX client must use the general purpose remoting connector, defined by the Remoting subsystem. The remoting connector must be explicitly configured to allow JMX access, by setting the use-management-endpoint attribute to false in the corresponding profile in domain.xml:

<subsystem xmlns="urn:jboss:domain:jmx:...">
    ...
    <remoting-connector use-management-endpoint="false"/>
</subsystem>

Server Endpoint Bind Address and Port

The host address and port binding for the remoting connector are specified as part of the "remoting" socket binding in domain.xml:

<socket-binding-groups>
    <socket-binding-group name="standard-sockets" default-interface="public">
        ...
        <socket-binding name="remoting" port="4447"/>
    </socket-binding-group>
   ...
</socket-binding-groups>

The default port value is 4447.


If the server node runs with a specific port offset, the port value must account for that offset.

The corresponding "public" interface bind address is configured in the <interfaces> section in the host.xml configuration file of the host controller that manages the server node:

<interfaces>
    ...
    <interface name="public">
        <inet-address value="${jboss.bind.address:127.0.0.1}"/>
    </interface>
    ...
</interfaces>

Unless explicitly re-configured, the default bind address for the public interface is 127.0.0.1.

The bind address and the port are reported as INFO in the corresponding server node log, as follows:

18:00:03,095 INFO  [org.jboss.as.remoting] (MSC service thread 1-12) JBAS017100: Listening on 127.0.0.1:4447

The bind address and port will be needed when assembling the URL to be used by the JMX client, below.

Server Endpoint Authentication

A generic JMX client usually provides a username and a password when connecting. Those values must be explicitly added to the Application Realm of the server node we connect to, because the remoting connector authenticates by default against the ApplicationRealm security realm. For more details on remoting security see Remoting Concepts - Security.

The procedure to add a user to the Application Realm is presented in detail here:

Adding a User to the Application Realm.

Note that no specific group needs to be specified during the procedure.

JMX Client

The generic JMX client must add client JBoss libraries to its class path and must set up JBoss specific system properties, as shown below. It also must use a specific URL to connect, and the user and the password configured on the server, as described in the "Server Endpoint Authentication" section.

JMX Client Classpath and Startup Options

The JBoss JAR $JBOSS_HOME/bin/client/jboss-cli-client.jar must be added to the JMX client classpath. Also, the JMX client must be started with -Dmodule.path=${JBOSS_HOME}/modules. Specific details are available for the following clients: jconsole, VisualVM, Dynatrace, DataDog.

URL

Use:

service:jmx:remoting-jmx://<domain-mode-server-node-host>:4447

where <domain-mode-server-node-host> is the address the public interface of the server node is bound to, and 4447 is the default remoting port, adjusted for any port offset the server node runs with.
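To check what a given configuration actually exposes, the settings described above can be combined into the effective JMX URL. The following is an added example, not part of the original page or of JBoss tooling: the XML fragments are constructed samples modelled on the page's snippets, the function names are hypothetical, and the port offset is assumed to be supplied by the caller.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample fragments modelled on the snippets above, not complete EAP 6 files.
DOMAIN_XML = """<domain><profiles><profile name="full">
  <subsystem xmlns="urn:jboss:domain:jmx:1.3">
    <remoting-connector use-management-endpoint="false"/>
  </subsystem></profile></profiles>
  <socket-binding-groups>
    <socket-binding-group name="standard-sockets" default-interface="public">
      <socket-binding name="remoting" port="4447"/>
    </socket-binding-group>
  </socket-binding-groups></domain>"""
HOST_XML = """<host><interfaces><interface name="public">
  <inet-address value="${jboss.bind.address:127.0.0.1}"/>
</interface></interfaces></host>"""

def find_all(root, name):
    # Match on local name so any schema namespace version is accepted.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def resolve(expr, props):
    # Expand a ${property:default} expression; plain values pass through.
    m = re.fullmatch(r"\$\{([^:}]+)(?::([^}]*))?\}", expr)
    return props.get(m.group(1), m.group(2)) if m else expr

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # host name or unresolved expression: assume reachable
        return False

def jmx_endpoint(domain_xml, host_xml, port_offset=0, props=None):
    props = props or {}
    domain, host = ET.fromstring(domain_xml), ET.fromstring(host_xml)
    # Profiles whose JMX subsystem is exposed over the remoting connector.
    profiles = [p.get("name") for p in find_all(domain, "profile")
                for c in find_all(p, "remoting-connector")
                if c.get("use-management-endpoint") == "false"]
    group = find_all(domain, "socket-binding-group")[0]  # first group only
    binding = next(b for b in find_all(group, "socket-binding")
                   if b.get("name") == "remoting")
    iface_name = binding.get("interface") or group.get("default-interface")
    iface = next(i for i in find_all(host, "interface")
                 if i.get("name") == iface_name)
    addr = resolve(find_all(iface, "inet-address")[0].get("value"), props)
    port = int(resolve(binding.get("port"), props)) + port_offset
    return {"profiles": profiles, "loopback_only": is_loopback(addr),
            "url": f"service:jmx:remoting-jmx://{addr}:{port}"}

if __name__ == "__main__":
    print(jmx_endpoint(DOMAIN_XML, HOST_XML))
```

A result with loopback_only set to False means the remoting connector, and with it JMX, is reachable from other hosts and relies on the Application Realm credentials described above.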

Authentication

Use the username and the password configured on the server, as described in the "Server Endpoint Authentication" section.

SSL Connection Configuration

https://access.redhat.com/solutions/632773