Chapter 10. Web, HTTP Connectors, and HTTP Clustering
10.1. Configure a mod_cluster Worker Node
The master is only configured once, via the
mod_cluster
subsystem. To configure the mod_cluster
subsystem, refer to Configure the mod_cluster Subsystem in the Administration and Configuration Guide. Each worker node is configured separately, so repeat this procedure for each node you wish to add to the cluster.
If you use a managed domain, each server in a server group is a worker node which shares an identical configuration. Therefore, configuration is done to an entire server group. In a standalone server, configuration is done to a single JBoss EAP 6 instance. The configuration steps are otherwise identical.
Worker Node Configuration
- If you use a standalone server, it must be started with the
standalone-ha
profile. - If you use a managed domain, your server group must use the
ha
orfull-ha
profile, and theha-sockets
orfull-ha-sockets
socket binding group. JBoss EAP 6 ships with a cluster-enabled server group calledother-server-group
which meets these requirements.
Note
Where Management CLI commands are given, they assume you use a managed domain. If you use a standalone server, remove the
/profile=full-ha
portion of the commands.
Procedure 10.1. Configure a Worker Node
Configure the network interfaces.
By default, the network interfaces all default to127.0.0.1
. Every physical host which hosts either a standalone server or one or more servers in a server group needs its interfaces to be configured to use its public IP address, which the other servers can see.To change the IP address of a JBoss EAP 6 host, you need to shut it down and edit its configuration file directly. This is because the Management API which drives the Management Console and Management CLI relies on a stable management address.Follow these steps to change the IP address on each server in your cluster to the master's public IP address.- Shut down the server completely.
- Edit either the
host.xml
, which is inEAP_HOME/domain/configuration/
for a managed domain, or thestandalone-ha.xml
file, which is inEAP_HOME/standalone/configuration/
for a standalone server. - Locate the
<interfaces>
element. Three interfaces are configured,management
,public
, andunsecured
. For each of these, change the value127.0.0.1
to the external IP address of the host. - For hosts that participate in a managed domain but are not the master, locate the
<host
element. Note that it does not have the closing>
symbol, because it contains attributes. Change the value of its name attribute frommaster
to a unique name, a different one per slave. This name will also be used for the slave to identify to the cluster, so make a note of it. - For newly-configured hosts which need to join a managed domain, find the
<domain-controller>
element. Comment out or remove the<local />
element, and add the following line, changing the IP address (X.X.X.X
) to the address of the domain controller. This step does not apply for a standalone server.<remote host="X.X.X.X" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/>
- Save the file and exit.
Configure authentication for each slave server.
Each slave server needs a username and password created in the domain controller's or standalone master'sManagementRealm
. On the domain controller or standalone master, run theEAP_HOME/add-user.sh
command. Add a user with the same username as the slave, to theManagementRealm
. When asked if this user will need to authenticate to an external JBoss AS instance, answeryes
. An example of the input and output of the command is below, for a slave calledslave1
, with passwordchangeme
.user:bin user$ ./add-user.sh What type of user do you wish to add? a) Management User (mgmt-users.properties) b) Application User (application-users.properties) (a):
a
Enter the details of the new user to add. Realm (ManagementRealm) : Username :slave1
Password :changeme
Re-enter Password :changeme
About to add user 'slave1' for realm 'ManagementRealm' Is this correct yes/no?yes
Added user 'slave1' to file '/home/user/jboss-eap-6.0/standalone/configuration/mgmt-users.properties' Added user 'slave1' to file '/home/user/jboss-eap-6.0/domain/configuration/mgmt-users.properties' Is this new user going to be used for one AS process to connect to another AS process e.g. slave domain controller? yes/no? yes To represent the user add the following to the server-identities definition <secret value="Y2hhbmdlbWU=" />Copy the Base64-encoded
<secret>
element from theadd-user.sh
output.If you plan to specify the Base64-encoded password value for authentication, copy the<secret>
element value from the last line of theadd-user.sh
output as you will need it in the step below.Modify the slave host's security realm to use the new authentication.
- Re-open the slave host's
host.xml
orstandalone-ha.xml
file. - Locate the
<security-realms>
element. This is where you configure the security realm. - You can specify the secret value in one of the following ways:
Specify the Base64-encoded password value in the configuration file.
- Add the following block of XML code directly below the
<security-realm name="ManagementRealm">
line,<server-identities> <secret value="Y2hhbmdlbWU="/> </server-identities>
- Replace the "Y2hhbmdlbWU=" with the secret value returned from the
add-user.sh
output in the previous step.
Configure the host to get the password from the vault.
- Use the
vault.sh
script to generate a masked password. It will generate a string like the following:VAULT::secret::password::ODVmYmJjNGMtZDU2ZC00YmNlLWE4ODMtZjQ1NWNmNDU4ZDc1TElORV9CUkVBS3ZhdWx0
.You can find more information on the vault in the Password Vaults for Sensitive Strings section of this guide starting here: Section 3.8.1, “About Securing Sensitive Strings in Clear-Text Files”. - Add the following block of XML code directly below the
<security-realm name="ManagementRealm">
line.<server-identities> <secret value="${VAULT::secret::password::ODVmYmJjNGMtZDU2ZC00YmNlLWE4ODMtZjQ1NWNmNDU4ZDc1TElORV9CUkVBS3ZhdWx0}"/> </server-identities>
Be sure to replace the secret value with the masked password generated in the previous step.Note
When creating a password in the vault, it must be specified in plain text, not Base64-encoded.
Specify the password as a system property.
- Add the following block of XML code directly below the
<security-realm name="ManagementRealm">
line<server-identities> <secret value=${server.identity.password}/> </server-identities>
- When you specify the password as a system property, you can configure the host in either of the following ways:
- Start the server entering the password in plain text as a command line argument, for example:
-Dserver.identity.password=changeme
Note
The password must be entered in plain text and will be visible to anyone who issues aps -ef
command. - Place the password in a properties file and pass the properties file URL as a command line argument.
- Add the key/value pair to a properties file. For example:
server.identity.password=changeme
- Start the server with the command line arguments
--properties=URL_TO_PROPERTIES_FILE
.
- Save and exit the file.
Restart the server.
The slave will now authenticate to the master using its host name as the username and the encrypted string as its password.