24.6. Clustered JBoss EAP 6

24.6.1. About Clustered Instances

A clustered instance is an Amazon EC2 instance running JBoss EAP 6 with clustering enabled. Another instance running the Apache HTTP server will be acting as the proxy for the instances in the cluster.
The JBoss EAP 6 AMIs include two configuration files for use in clustered instances, standalone-ec2-ha.xml and standalone-mod_cluster-ec2-ha.xml. Each of these configuration files provides clustering without the use of multicast because Amazon EC2 does not support multicast. This is done by using TCP unicast for cluster communications and S3_PING as the discovery protocol. The standalone-mod_cluster-ec2-ha.xml configuration also provides easy registration with mod_cluster proxies.
Similarly, the domain-ec2.xml configuration file provides two profiles for use in clustered managed domains: ec2-ha, and mod_cluster-ec2-ha.

24.6.2. About Virtual Private Clouds

An Amazon Virtual Private Cloud (Amazon VPC) is a feature of Amazon Web Services (AWS) that allows you to isolate a set of AWS resources in a private network. The topology and configuration of this private network can be customized to your needs.
Refer to the Amazon Virtual Private Cloud website, http://aws.amazon.com/vpc/, for more information.

24.6.3. Create a Virtual Private Cloud (VPC)

Summary

This topic covers the steps required to create a Virtual Private Cloud, using a database external to the VPC as an example. Your security policies may require connection to the database to be encrypted. Please refer to Amazon's RDS FAQ for details about encrypting the database connections.

Important

VPC is recommended for a JBoss EAP 6 cluster setup as it greatly simplifies secure communication between cluster nodes, a JON Server and the mod_cluster proxy. Without a VPC, these communication channels need to be encrypted and authenticated.
For detailed instructions on configuring SSL, refer to the Core Management Security Guide.
  1. Go to the VPC tab in the AWS console.
  2. Subscribe to the service if needed.
  3. Click on "Create new VPC".
  4. Choose a VPC with one public and one private subnet.
    1. Set the public subnet to be 10.0.0.0/24.
    2. Set the private subnet to be 10.0.1.0/24.
  5. Go to Elastic IPs.
  6. Create an elastic IP for use by the mod_cluster proxy/NAT instance.
  7. Go to Security groups and create a security group to allow all traffic in and out.
  8. Go to Network ACLs.
    1. Create an ACL to allow all traffic in and out.
    2. Create an ACL to allow all traffic out and traffic in on only TCP ports 22, 8009, 8080, 8443, 9443, 9990 and 16163.
Result

The Virtual Private Cloud has been successfully created.

24.6.4. Launch an Apache HTTP Server Instance to Serve as a mod_cluster Proxy and a NAT Instance for the VPC

Summary

This topic covers the steps required to launch an Apache HTTP server instance to serve as a mod_cluster proxy and a NAT instance for the Virtual Private Cloud.

Procedure 24.8. Launch an Apache HTTP server Instance to Serve as a mod_cluster proxy and a NAT Instance for the VPC

  1. Create an elastic IP for this instance.
  2. Select an AMI.
  3. Go to Security Group and allow all traffic (use Red Hat Enterprise Linux's built-in firewall capabilities to restrict access if desired).
  4. Select "running" in the public subnet of the VPC.
  5. Select a static IP (e.g. 10.0.0.4).
  6. Put the following in the User Data: field:
    JBOSSCONF=disabled
    
    cat > $USER_SCRIPT << "EOS"
    
    # Let this instance route packets for the private subnet (its NAT role).
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    
    # Insert ahead of the default REJECT rule: MCPM registrations from cluster
    # nodes in the private subnet on 7654, and client HTTP on 80.
    iptables -I INPUT 4 -s 10.0.1.0/24 -p tcp --dport 7654 -j ACCEPT
    iptables -I INPUT 4 -p tcp --dport 80 -j ACCEPT
    
    # Forward traffic from the private subnet and masquerade it behind this host.
    iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -I FORWARD -s 10.0.1.0/24 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 ! -s 10.0.0.4 -j MASQUERADE
    
    # balancer module incompatible with mod_cluster
    sed -i -e 's/LoadModule proxy_balancer_module/#\0/' /etc/httpd/conf/httpd.conf
    
    cat > /etc/httpd/conf.d/mod_cluster.conf << "EOF"
    #LoadModule proxy_module modules/mod_proxy.so
    #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule slotmem_module modules/mod_slotmem.so
    LoadModule manager_module modules/mod_manager.so
    LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
    LoadModule advertise_module modules/mod_advertise.so
    
    Listen 7654
    
    # workaround JBPAPP-4557
    MemManagerFile /var/cache/mod_proxy/manager
    
    <VirtualHost *:7654>
       # The management console is reachable from this host only.
       <Location /mod_cluster-manager>
          SetHandler mod_cluster-manager
          Order deny,allow
          Deny from all
          Allow from 127.0.0.1
       </Location>
    
       # Everything else is limited to the VPC's 10.x addresses and localhost.
       <Location />
          Order deny,allow
          Deny from all
          Allow from 10.
          Allow from 127.0.0.1
       </Location>
    
       KeepAliveTimeout 60
       MaxKeepAliveRequests 0
       ManagerBalancerName mycluster
       # Multicast advertising is unavailable on EC2; nodes are told the proxy address instead.
       ServerAdvertise Off
       EnableMCPMReceive
    </VirtualHost>
    EOF
    
    # Map the EC2-style hostname (ip-10-0-0-4) to its address so httpd can resolve itself.
    echo "`hostname | sed -e 's/ip-//' -e 'y/-/./'`        `hostname`" >> /etc/hosts
    
    semanage port -a -t http_port_t -p tcp 7654 #add port in the apache port list for the below to work
    setsebool -P httpd_can_network_relay 1 #for mod_proxy_cluster to work
    chcon -t httpd_config_t -u system_u /etc/httpd/conf.d/mod_cluster.conf
    
    #### Uncomment the following line when launching a managed domain ####
    # setsebool -P httpd_can_network_connect 1
    
    service httpd start
    
    EOS
    
  7. Disable the Amazon EC2 cloud source/destination checking for this instance so it can act as a router.
    1. Right-click on the running Apache HTTP server instance and choose "Change Source/Dest check".
    2. Click on Yes, Disable.
  8. Assign the elastic IP to this instance.
Result

The Apache HTTP server instance has been launched successfully.

24.6.5. Configure the VPC Private Subnet Default Route

Summary

This topic covers the steps required to configure the VPC private subnet default route. JBoss EAP 6 cluster nodes will run in the private subnet of the VPC, but cluster nodes require Internet access for S3 connectivity. A default route needs to be set to go through the NAT instance.

Procedure 24.9. Configure the VPC Private Subnet Default Route

  1. Navigate to the Apache HTTP server instance in the Amazon AWS console.
  2. Navigate to the VPC route tables.
  3. Click on the routing table used by the private subnet.
  4. In the field for a new route enter 0.0.0.0/0.
  5. Click on "Select a target".
  6. Select "Enter Instance ID".
  7. Choose the ID of the running Apache HTTP server instance.
Result

The default route has been successfully configured for the VPC subnet.

24.6.6. About Identity and Access Management (IAM)

Identity and Access Management (IAM) provides configurable security for your AWS resources. IAM can be configured to use accounts created in IAM or to provide identity federation between IAM and your own identity services.
Refer to the AWS Identity and Access Management website, http://aws.amazon.com/iam/, for more information.

24.6.7. Configure IAM Setup

Summary

This topic covers the configuration steps required for setting up IAM for clustered JBoss EAP 6 instances. The S3_PING protocol uses an S3 bucket to discover other cluster members. JGroups version 3.0.x requires Amazon AWS account access and secret keys to authenticate against the S3 service.

Because S3 domain controller discovery makes use of an S3 bucket, it requires Amazon AWS account access and secret keys to authenticate against the S3 service (similar to the S3_PING protocol used by JGroups). The IAM user and S3 bucket used for S3 discovery must be different from the IAM user and S3 bucket used for clustering.
It is a security risk to enter your main account credentials in the user-data field, or to store them online or in an AMI. To avoid this, create a separate account using the Amazon IAM feature and grant it access to a single S3 bucket only.

Procedure 24.10. Configure IAM Setup

  1. Go to the IAM tab in the AWS console.
  2. Click on users.
  3. Select Create New Users.
  4. Choose a name, and ensure the Generate an access key for each User option is checked.
  5. Select Download credentials, and save them in a secure location.
  6. Close the window.
  7. Click on the newly created user.
  8. Make note of the User ARN value. This value is required to set up the S3 bucket, documented here: Section 24.6.9, “Configure S3 Bucket Setup”.
Result

The IAM user account has been successfully created.

24.6.8. About the S3 Bucket

S3 Buckets are the basic organizational storage unit in the Amazon Simple Storage Service (Amazon S3). A bucket can store any number of arbitrary objects and must have a unique name that identifies it within Amazon S3.
Refer to the Amazon S3 website, http://aws.amazon.com/s3/, for more information.

24.6.9. Configure S3 Bucket Setup

Summary

This topic covers the steps required to configure a new S3 bucket.

Procedure 24.11. Configure S3 Bucket Setup

  1. Open the S3 tab in the AWS console.
  2. Click on Create Bucket.
  3. Choose a name for the bucket and click Create.

    Note

    Bucket names are unique across the whole of S3, so a name that is already taken cannot be reused.
  4. Right click on the new bucket and select Properties.
  5. Click Add bucket policy in the permissions tab.
  6. Click New policy to open the policy creation wizard.
    1. Copy the following content into the new policy, replacing arn:aws:iam::05555555555:user/jbosscluster* with the value defined here: Section 24.6.7, “Configure IAM Setup”. Change both instances of clusterbucket123 to the name of the bucket defined in step 3 of this procedure.
      {
          "Version": "2008-10-17",
          "Id": "Policy1312228794320",
          "Statement": [
              {
                  "Sid": "Stmt1312228781799",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "arn:aws:iam::055555555555:user/jbosscluster"
                      ]
                  },
                  "Action": [
                      "s3:ListBucketVersions",
                      "s3:GetObjectVersion",
                      "s3:ListBucket",
                      "s3:PutBucketVersioning",
                      "s3:DeleteObject",
                      "s3:DeleteObjectVersion",
                      "s3:GetObject",
                      "s3:ListBucketMultipartUploads",
                      "s3:ListMultipartUploadParts",
                      "s3:PutObject",
                      "s3:GetBucketVersioning"
                  ],
                  "Resource": [
                      "arn:aws:s3:::clusterbucket123/*",
                      "arn:aws:s3:::clusterbucket123"
                  ]
              }
          ]
      }
      
Result

A new S3 bucket has been created, and configured successfully.
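As an added example (not part of the JBoss EAP documentation), the following Python check verifies that a bucket policy like the one above is scoped to a single IAM user, a single bucket and the documented action set, and that the clustering (S3_PING) policy and the domain discovery policy share neither a user nor a bucket, as Section 24.6.7 requires. The account id and bucket name are the page's placeholders; the function names and the over-broad WEAK_POLICY are constructed for the example.

```python
import json
import re
# Actions the documented bucket policy grants; anything beyond this set is a finding.
ALLOWED_ACTIONS = {
    "s3:ListBucketVersions", "s3:GetObjectVersion", "s3:ListBucket", "s3:PutBucketVersioning",
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:ListBucketMultipartUploads",
    "s3:ListMultipartUploadParts", "s3:PutObject", "s3:GetBucketVersioning"}
# Exactly one IAM user: never "*" and never the account root.
USER_ARN = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@-]+$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", "*")
    return _as_list(principal.get("AWS", "*")) if isinstance(principal, dict) else [principal]

def check_bucket_policy(policy_json, bucket):
    """Return findings; an empty list means one IAM user, one bucket and documented actions only."""
    findings, in_scope = [], {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement only narrows access
        findings += [f"{sid}: principal {p} is not a single IAM user"
                     for p in _principals(stmt) if not USER_ARN.match(p)]
        findings += [f"{sid}: action {a} exceeds the documented set"
                     for a in _as_list(stmt.get("Action", [])) if a not in ALLOWED_ACTIONS]
        findings += [f"{sid}: resource {r} is outside bucket {bucket}"
                     for r in _as_list(stmt.get("Resource", [])) if r not in in_scope]
    return findings

def shares_user_or_bucket(policy_a, policy_b):
    """True if both policies name a common IAM user or bucket; the clustering (S3_PING)
    policy and the domain discovery policy must share neither."""
    def names(policy_json):
        stmts = _as_list(json.loads(policy_json)["Statement"])
        return {p for s in stmts for p in _principals(s)} | {
            r.split("/")[0] for s in stmts for r in _as_list(s.get("Resource", []))}
    return bool(names(policy_a) & names(policy_b))

# The page's own policy, with its placeholder account id and bucket name.
CLUSTER_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "Stmt1312228781799", "Effect": "Allow", "Action": sorted(ALLOWED_ACTIONS),
    "Principal": {"AWS": ["arn:aws:iam::055555555555:user/jbosscluster"]},
    "Resource": ["arn:aws:s3:::clusterbucket123/*", "arn:aws:s3:::clusterbucket123"]}]})
# Constructed over-broad variant: account root as principal, s3:*, every bucket.
WEAK_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::055555555555:root"},
    "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]})
```

Run `check_bucket_policy(policy_text, "clusterbucket123")` against the policy you paste into the bucket; the documented policy yields no findings, while the over-broad variant is flagged on principal, action and resource.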