Chapter 13. Web, HTTP Connectors, and HTTP Clustering
13.1. Configure a mod_cluster Worker Node
A mod_cluster worker node consists of an JBoss EAP server. This server can be part of a server group in a Managed Domain, or a standalone server. A separate process runs within JBoss EAP, which manages all of the nodes of the cluster. This is called the master. For more conceptual information about worker nodes, refer to Worker Node in the Red Hat JBoss Enterprise Application Platform 6.1 Administration and Configuration Guide. For an overview of HTTPD load balancing, refer to Overview of HTTP Connectors in the Administration and Configuration Guide.
mod_cluster
subsystem. To configure the mod_cluster
subsystem, refer to Configure the mod_cluster Subsystem in the Administration and Configuration Guide. Each worker node is configured separately, so repeat this procedure for each node you wish to add to the cluster.
Worker Node Configuration
- If you use a standalone server, it must be started with the
standalone-ha
profile. - If you use a managed domain, your server group must use the
ha
orfull-ha
profile, and theha-sockets
orfull-ha-sockets
socket binding group. JBoss EAP 6 ships with a cluster-enabled server group calledother-server-group
which meets these requirements.
Note
/profile=full-ha
portion of the commands.
Procedure 13.1. Configure a Worker Node
Configure the network interfaces.
By default, the network interfaces all default to127.0.0.1
. Every physical host which hosts either a standalone server or one or more servers in a server group needs its interfaces to be configured to use its public IP address, which the other servers can see.To change the IP address of a JBoss EAP 6 host, you need to shut it down and edit its configuration file directly. This is because the Management API which drives the Management Console and Management CLI relies on a stable management address.Follow these steps to change the IP address on each server in your cluster to the master's public IP address.- Shut down the server completely.
- Edit either the
host.xml
, which is inEAP_HOME/domain/configuration/
for a managed domain, or thestandalone-ha.xml
file, which is inEAP_HOME/standalone/configuration/
for a standalone server. - Locate the
<interfaces>
element. Three interfaces are configured,management
,public
, andunsecured
. For each of these, change the value127.0.0.1
to the external IP address of the host. - For hosts that participate in a managed domain but are not the master, locate the
<host
element. Note that it does not have the closing>
symbol, because it contains attributes. Change the value of its name attribute frommaster
to a unique name, a different one per slave. This name will also be used for the slave to identify to the cluster, so make a note of it. - For newly-configured hosts which need to join a managed domain, find the
<domain-controller>
element. Comment out or remove the<local />
element, and add the following line, changing the IP address (X.X.X.X
) to the address of the domain controller. This step does not apply for a standalone server.<remote host="X.X.X.X" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/>
- Save the file and exit.
Configure authentication for each slave server.
Each slave server needs a username and password created in the domain controller's or standalone master'sManagementRealm
. On the domain controller or standalone master, run theEAP_HOME/bin/add-user.sh
command. Add a user with the same username as the slave, to theManagementRealm
. When asked if this user will need to authenticate to an external JBoss AS instance, answeryes
. An example of the input and output of the command is below, for a slave calledslave1
, with passwordchangeme
.user:bin user$ ./add-user.sh What type of user do you wish to add? a) Management User (mgmt-users.properties) b) Application User (application-users.properties) (a):
a
Enter the details of the new user to add. Realm (ManagementRealm) : Username :slave1
Password :changeme
Re-enter Password :changeme
About to add user 'slave1' for realm 'ManagementRealm' Is this correct yes/no?yes
Added user 'slave1' to file '/home/user/jboss-eap-6.0/standalone/configuration/mgmt-users.properties' Added user 'slave1' to file '/home/user/jboss-eap-6.0/domain/configuration/mgmt-users.properties' Is this new user going to be used for one AS process to connect to another AS process e.g. slave domain controller? yes/no? yes To represent the user add the following to the server-identities definition <secret value="Y2hhbmdlbWU=" />Copy the Base64-encoded
<secret>
element from theadd-user.sh
output.If you plan to specify the Base64-encoded password value for authentication, copy the<secret>
element value from the last line of theadd-user.sh
output as you will need it in the step below.Modify the slave host's security realm to use the new authentication.
- Re-open the slave host's
host.xml
orstandalone-ha.xml
file. - Locate the
<security-realms>
element. This is where you configure the security realm. - You can specify the secret value in one of the following ways:
Specify the Base64-encoded password value in the configuration file.
- Add the following block of XML code directly below the
<security-realm name="ManagementRealm">
line,<server-identities> <secret value="Y2hhbmdlbWU="/> </server-identities>
- Replace the "Y2hhbmdlbWU=" with the secret value returned from the
add-user.sh
output in the previous step.
Configure the host to get the password from the vault.
- Use the
vault.sh
script to generate a masked password. It will generate a string like the following:VAULT::secret::password::ODVmYmJjNGMtZDU2ZC00YmNlLWE4ODMtZjQ1NWNmNDU4ZDc1TElORV9CUkVBS3ZhdWx0
.You can find more information on the vault in the Password Vaults for Sensitive Strings section of this guide starting here: Section 10.11.1, “About Securing Sensitive Strings in Clear-Text Files”. - Add the following block of XML code directly below the
<security-realm name="ManagementRealm">
line.<server-identities> <secret value="${VAULT::secret::password::ODVmYmJjNGMtZDU2ZC00YmNlLWE4ODMtZjQ1NWNmNDU4ZDc1TElORV9CUkVBS3ZhdWx0}"/> </server-identities>
Be sure to replace the secret value with the masked password generated in the previous step.Note
When creating a password in the vault, it must be specified in plain text, not Base64-encoded.
Specify the password as a system property.
- Add the following block of XML code directly below the
<security-realm name="ManagementRealm">
line<server-identities> <secret value="${server.identity.password}"/> </server-identities>
- When you specify the password as a system property, you can configure the host in either of the following ways:
- Start the server entering the password in plain text as a command line argument, for example:
-Dserver.identity.password=changeme
Note
The password must be entered in plain text and will be visible to anyone who issues aps -ef
command. - Place the password in a properties file and pass the properties file URL as a command line argument.
- Add the key/value pair to a properties file. For example:
server.identity.password=changeme
- Start the server with the command line arguments
--properties=URL_TO_PROPERTIES_FILE
.
- Save and exit the file.
Restart the server.
The slave will now authenticate to the master using its host name as the username and the encrypted string as its password.
Your standalone server, or servers within a server group of a managed domain, are now configured as mod_cluster worker nodes. If you deploy a clustered application, its sessions are replicated to all cluster nodes for failover, and it can accept requests from an external HTTPD server or load balancer. Each node of the cluster discovers the other nodes using automatic discovery, by default.To configure automatic discovery, and the other specific settings of the mod_cluster
subsystem, refer to Configure the mod_cluster Subsystem in the Administration and Configuration Guide. To configure the Apache HTTPD server, refer to Use an External HTTPD as the Web Front-end for JBoss EAP 6 Applications in the Administration and Configuration Guide.