Chapter 13. Web, HTTP Connectors, and HTTP Clustering

13.1. Configure a mod_cluster Worker Node

Summary

A mod_cluster worker node consists of an JBoss EAP server. This server can be part of a server group in a Managed Domain, or a standalone server. A separate process runs within JBoss EAP, which manages all of the nodes of the cluster. This is called the master. For more conceptual information about worker nodes, refer to Worker Node in the Red Hat JBoss Enterprise Application Platform 6.1 Administration and Configuration Guide. For an overview of HTTPD load balancing, refer to Overview of HTTP Connectors in the Administration and Configuration Guide.

The master is only configured once, via the mod_cluster subsystem. To configure the mod_cluster subsystem, refer to Configure the mod_cluster Subsystem in the Administration and Configuration Guide. Each worker node is configured separately, so repeat this procedure for each node you wish to add to the cluster.
If you use a managed domain, each server in a server group is a worker node which shares an identical configuration. Therefore, configuration is done to an entire server group. In a standalone server, configuration is done to a single JBoss EAP 6 instance. The configuration steps are otherwise identical.

Worker Node Configuration

  • If you use a standalone server, it must be started with the standalone-ha profile.
  • If you use a managed domain, your server group must use the ha or full-ha profile, and the ha-sockets or full-ha-sockets socket binding group. JBoss EAP 6 ships with a cluster-enabled server group called other-server-group which meets these requirements.

Note

Where Management CLI commands are given, they assume you use a managed domain. If you use a standalone server, remove the /profile=full-ha portion of the commands.

Procedure 13.1. Configure a Worker Node

  1. Configure the network interfaces.

    By default, the network interfaces all default to 127.0.0.1. Every physical host which hosts either a standalone server or one or more servers in a server group needs its interfaces to be configured to use its public IP address, which the other servers can see.
    To change the IP address of a JBoss EAP 6 host, you need to shut it down and edit its configuration file directly. This is because the Management API which drives the Management Console and Management CLI relies on a stable management address.
    Follow these steps to change the IP address on each server in your cluster to the master's public IP address.
    1. Shut down the server completely.
    2. Edit either the host.xml, which is in EAP_HOME/domain/configuration/ for a managed domain, or the standalone-ha.xml file, which is in EAP_HOME/standalone/configuration/ for a standalone server.
    3. Locate the <interfaces> element. Three interfaces are configured, management, public, and unsecured. For each of these, change the value 127.0.0.1 to the external IP address of the host.
    4. For hosts that participate in a managed domain but are not the master, locate the <host element. Note that it does not have the closing > symbol, because it contains attributes. Change the value of its name attribute from master to a unique name, a different one per slave. This name will also be used for the slave to identify to the cluster, so make a note of it.
    5. For newly-configured hosts which need to join a managed domain, find the <domain-controller> element. Comment out or remove the <local /> element, and add the following line, changing the IP address (X.X.X.X) to the address of the domain controller. This step does not apply for a standalone server.
      <remote host="X.X.X.X" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/>
      
    6. Save the file and exit.
  2. Configure authentication for each slave server.

    Each slave server needs a username and password created in the domain controller's or standalone master's ManagementRealm. On the domain controller or standalone master, run the EAP_HOME/bin/add-user.sh command. Add a user with the same username as the slave, to the ManagementRealm. When asked if this user will need to authenticate to an external JBoss AS instance, answer yes. An example of the input and output of the command is below, for a slave called slave1, with password changeme.
    user:bin user$ ./add-user.sh
    
    What type of user do you wish to add? 
     a) Management User (mgmt-users.properties) 
     b) Application User (application-users.properties)
    (a): a
    
    Enter the details of the new user to add.
    Realm (ManagementRealm) : 
    Username : slave1
    Password : changeme
    Re-enter Password : changeme
    About to add user 'slave1' for realm 'ManagementRealm'
    Is this correct yes/no? yes
    Added user 'slave1' to file '/home/user/jboss-eap-6.0/standalone/configuration/mgmt-users.properties'
    Added user 'slave1' to file '/home/user/jboss-eap-6.0/domain/configuration/mgmt-users.properties'
    Is this new user going to be used for one AS process to connect to another AS process e.g. slave domain controller?
    yes/no? yes
    To represent the user add the following to the server-identities definition <secret value="Y2hhbmdlbWU=" />
    
  3. Copy the Base64-encoded <secret> element from the add-user.sh output.

    If you plan to specify the Base64-encoded password value for authentication, copy the <secret> element value from the last line of the add-user.sh output as you will need it in the step below.
  4. Modify the slave host's security realm to use the new authentication.

    1. Re-open the slave host's host.xml or standalone-ha.xml file.
    2. Locate the <security-realms> element. This is where you configure the security realm.
    3. You can specify the secret value in one of the following ways:
      • Specify the Base64-encoded password value in the configuration file.

        1. Add the following block of XML code directly below the <security-realm name="ManagementRealm"> line,
          <server-identities>
              <secret value="Y2hhbmdlbWU="/>
          </server-identities>
                          
          
          
        2. Replace the "Y2hhbmdlbWU=" with the secret value returned from the add-user.sh output in the previous step.
      • Configure the host to get the password from the vault.

        1. Use the vault.sh script to generate a masked password. It will generate a string like the following: VAULT::secret::password::ODVmYmJjNGMtZDU2ZC00YmNlLWE4ODMtZjQ1NWNmNDU4ZDc1TElORV9CUkVBS3ZhdWx0.
          You can find more information on the vault in the Password Vaults for Sensitive Strings section of this guide starting here: Section 10.11.1, “About Securing Sensitive Strings in Clear-Text Files”.
        2. Add the following block of XML code directly below the <security-realm name="ManagementRealm"> line.
          <server-identities>
              <secret value="${VAULT::secret::password::ODVmYmJjNGMtZDU2ZC00YmNlLWE4ODMtZjQ1NWNmNDU4ZDc1TElORV9CUkVBS3ZhdWx0}"/>
          </server-identities>
                          
          
          
          Be sure to replace the secret value with the masked password generated in the previous step.

          Note

          When creating a password in the vault, it must be specified in plain text, not Base64-encoded.
      • Specify the password as a system property.

        1. Add the following block of XML code directly below the <security-realm name="ManagementRealm"> line
          <server-identities>
              <secret value="${server.identity.password}"/>
          </server-identities>
                          
          
          
        2. When you specify the password as a system property, you can configure the host in either of the following ways:
          • Start the server entering the password in plain text as a command line argument, for example:
            -Dserver.identity.password=changeme

            Note

            The password must be entered in plain text and will be visible to anyone who issues a ps -ef command.
          • Place the password in a properties file and pass the properties file URL as a command line argument.
            1. Add the key/value pair to a properties file. For example:
              server.identity.password=changeme
              
            2. Start the server with the command line arguments
              --properties=URL_TO_PROPERTIES_FILE
              .
    4. Save and exit the file.
  5. Restart the server.

    The slave will now authenticate to the master using its host name as the username and the encrypted string as its password.
Result

Your standalone server, or servers within a server group of a managed domain, are now configured as mod_cluster worker nodes. If you deploy a clustered application, its sessions are replicated to all cluster nodes for failover, and it can accept requests from an external HTTPD server or load balancer. Each node of the cluster discovers the other nodes using automatic discovery, by default.To configure automatic discovery, and the other specific settings of the mod_cluster subsystem, refer to Configure the mod_cluster Subsystem in the Administration and Configuration Guide. To configure the Apache HTTPD server, refer to Use an External HTTPD as the Web Front-end for JBoss EAP 6 Applications in the Administration and Configuration Guide.