Appendix A. Reference Material

A.1. Server Runtime Arguments

The application server startup script accepts arguments and switches at runtime. This allows the server to start under alternative configurations to those defined in the standalone.xml, domain.xml, and host.xml configuration files.

Alternative configurations might include starting the server with an alternative socket bindings set or a secondary configuration.

The available parameters list can be accessed by passing the help switch -h or --help at startup.

Table A.1. Runtime Switches and Arguments

Argument or Switch | Operating Mode | Description

--admin-only

Standalone

Set the server’s running type to ADMIN_ONLY. This will cause it to open administrative interfaces and accept management requests, but not start other runtime services or accept end user requests. Note that it is recommended to use --start-mode=admin-only instead.

--admin-only

Domain

Set the host controller’s running type to ADMIN_ONLY causing it to open administrative interfaces and accept management requests but not start servers or, if this host controller is the master for the domain, accept incoming connections from slave host controllers.

-b=<value>, -b <value>

Standalone, Domain

Set system property jboss.bind.address, which is used in configuring the bind address for the public interface. This defaults to 127.0.0.1 if no value is specified. See the -b<interface>=<value> entry for setting the bind address for other interfaces.

-b<interface>=<value>

Standalone, Domain

Set system property jboss.bind.address.<interface> to the given value. For example, -bmanagement=IP_ADDRESS

--backup

Domain

Keep a copy of the persistent domain configuration even if this host is not the domain controller.

-c=<config>, -c <config>

Standalone

Name of the server configuration file to use. The default is standalone.xml.

-c=<config>, -c <config>

Domain

Name of the server configuration file to use. The default is domain.xml.

--cached-dc

Domain

If the host is not the domain controller and cannot contact the domain controller at boot, boot using a locally cached copy of the domain configuration.

--debug [<port>]

Standalone

Activate debug mode with an optional argument to specify the port. Only works if the launch script supports it.

-D<name>[=<value>]

Standalone, Domain

Set a system property.

--domain-config=<config>

Domain

Name of the server configuration file to use. The default is domain.xml.

-h, --help

Standalone, Domain

Display the help message and exit.

--host-config=<config>

Domain

Name of the host configuration file to use. The default is host.xml.

--interprocess-hc-address=<address>

Domain

Address on which the host controller should listen for communication from the process controller.

--interprocess-hc-port=<port>

Domain

Port on which the host controller should listen for communication from the process controller.

--master-address=<address>

Domain

Set system property jboss.domain.master.address to the given value. In a default slave host controller configuration, this is used to configure the address of the master host controller.

--master-port=<port>

Domain

Set system property jboss.domain.master.port to the given value. In a default slave host controller configuration, this is used to configure the port used for native management communication by the master host controller.

--read-only-server-config=<config>

Standalone

Name of the server configuration file to use. This differs from --server-config and -c in that the original file is never overwritten.

--read-only-domain-config=<config>

Domain

Name of the domain configuration file to use. This differs from --domain-config and -c in that the initial file is never overwritten.

--read-only-host-config=<config>

Domain

Name of the host configuration file to use. This differs from --host-config in that the initial file is never overwritten.

-P=<url>, -P <url>, --properties=<url>

Standalone, Domain

Load system properties from the given URL.

--pc-address=<address>

Domain

Address on which the process controller listens for communication from processes it controls.

--pc-port=<port>

Domain

Port on which the process controller listens for communication from processes it controls.

-S<name>[=<value>]

Standalone

Set a security property.

-secmgr

Standalone, Domain

Runs the server with a security manager installed.

--server-config=<config>

Standalone

Name of the server configuration file to use. The default is standalone.xml.

--start-mode=<mode>

Standalone

Set the start mode of the server. This option cannot be used in conjunction with --admin-only. Valid values are:

  • normal: The server will start normally.
  • admin-only: The server will only open administrative interfaces and accept management requests but not start other runtime services or accept end user requests.
  • suspend: The server will start in suspended mode and will not service requests until it has been resumed.

-u=<value>, -u <value>

Standalone, Domain

Set system property jboss.default.multicast.address, which is used in configuring the multicast address in the socket-binding elements in the configuration files. This defaults to 230.0.0.4 if no value is specified.

-v, -V, --version

Standalone, Domain

Display the application server version and exit.

Warning

The configuration files that ship with JBoss EAP are set up to handle the behavior of the switches, for example, -b and -u. If you change your configuration files to no longer use the system property controlled by the switch, then adding it to the launch command will have no effect.

A.2. RPM Service Configuration Files

The RPM installation of JBoss EAP includes two additional configuration files compared to a ZIP or installer installation. These files are used by the service init script to specify the JBoss EAP launch environment. The location of these service configuration files differs for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Important

For Red Hat Enterprise Linux 7, RPM service configuration files are loaded using systemd, so variable expressions are not expanded.

Table A.2. RPM Configuration Files for Red Hat Enterprise Linux 6

File | Description

/etc/sysconfig/eap7-standalone

Settings specific to standalone JBoss EAP servers on Red Hat Enterprise Linux 6.

/etc/sysconfig/eap7-domain

Settings specific to JBoss EAP running as a managed domain on Red Hat Enterprise Linux 6.

Table A.3. RPM Configuration Files for Red Hat Enterprise Linux 7

File | Description

/etc/opt/rh/eap7/wildfly/eap7-standalone.conf

Settings specific to standalone JBoss EAP servers on Red Hat Enterprise Linux 7.

/etc/opt/rh/eap7/wildfly/eap7-domain.conf

Settings specific to JBoss EAP running as a managed domain on Red Hat Enterprise Linux 7.

A.3. RPM Service Configuration Properties

The following table shows a list of available configuration properties for the JBoss EAP RPM service along with their default values.

Note

If a property has the same name in both the RPM service configuration file, such as /etc/sysconfig/eap7-standalone, and in the JBoss EAP startup configuration file, such as EAP_HOME/bin/standalone.conf, the value that takes precedence is the one in the JBoss EAP startup configuration file. One such property is JAVA_HOME.

Table A.4. RPM Service Configuration Properties

Property | Description

JAVA_HOME

The directory where your Java Runtime Environment is installed.

Default value: /usr/lib/jvm/jre

JAVAPTH

The path where the Java executable files are installed.

Default value: $JAVA_HOME/bin

WILDFLY_STARTUP_WAIT

The number of seconds that the init script will wait until confirming that the server has launched successfully after receiving a start or restart command. This property only applies to Red Hat Enterprise Linux 6.

Default value: 60

WILDFLY_SHUTDOWN_WAIT

The number of seconds that the init script will wait for the server to shut down before continuing when it receives a stop or restart command. This property only applies to Red Hat Enterprise Linux 6.

Default value: 20

WILDFLY_CONSOLE_LOG

The file that the CONSOLE log handler will be redirected to.

Default value: /var/opt/rh/eap7/log/wildfly/standalone/console.log for a standalone server, or /var/opt/rh/eap7/log/wildfly/domain/console.log for a managed domain.

WILDFLY_SH

The script that is used to launch the JBoss EAP server.

Default value: /opt/rh/eap7/root/usr/share/wildfly/bin/standalone.sh for a standalone server, or /opt/rh/eap7/root/usr/share/wildfly/bin/domain.sh for a managed domain.

WILDFLY_SERVER_CONFIG

The server configuration file to use.

There is no default for this property. Either standalone.xml or domain.xml can be defined at start.

WILDFLY_HOST_CONFIG

For a managed domain, this property allows a user to specify the host configuration file, such as host.xml. It has no value set as the default.

WILDFLY_MODULEPATH

The path of the JBoss EAP module directory.

Default value: /opt/rh/eap7/root/usr/share/wildfly/modules

WILDFLY_BIND

Sets the jboss.bind.address system property, which is used to configure the bind address for the public interface. This defaults to 0.0.0.0 if no value is specified.

WILDFLY_OPTS

Additional arguments to include on startup. For example:

-Dorg.wildfly.openssl.path=PATH_TO_OPENSSL_LIBS
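An added example, not part of the Red Hat documentation: a POSIX shell check that reports which bind addresses an RPM service configuration file requests, using the documented WILDFLY_BIND default of 0.0.0.0 and the -b and -b<interface>=<value> forms from Table A.1. The function names, output format and sample file contents are constructed for illustration; per the warning in A.1, a switch only takes effect if the XML configuration still references the corresponding system property.

```shell
#!/bin/sh
# Added example: audit the bind addresses requested by an RPM service
# configuration file (eap7-standalone / eap7-standalone.conf style).
# Values are read literally, matching Red Hat Enterprise Linux 7, where
# systemd loads the file and variable expressions are not expanded.

# Print the last uncommented assignment of KEY in FILE, quotes removed.
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Classify an address as wildcard, loopback or specific.
classify_addr() {  # classify_addr ADDRESS
    case $1 in
        0.0.0.0|::|'[::]') echo wildcard ;;
        127.*|::1|'[::1]'|localhost) echo loopback ;;
        *) echo specific ;;
    esac
}

# Print one line per requested binding: INTERFACE ADDRESS SOURCE CLASS
eap_bind_audit() {  # eap_bind_audit FILE
    file=$1
    addr=$(conf_value "$file" WILDFLY_BIND)
    if [ -n "$addr" ]; then
        src=WILDFLY_BIND
    else
        addr=0.0.0.0        # documented default when WILDFLY_BIND is unset
        src=default
    fi
    echo "public $addr $src $(classify_addr "$addr")"

    opts=$(conf_value "$file" WILDFLY_OPTS)
    pending=
    set -f                  # no globbing while splitting WILDFLY_OPTS
    for word in $opts; do
        if [ -n "$pending" ]; then
            iface=public; addr=$word; pending=      # "-b <value>" form
        else
            case $word in
                -b) pending=1; continue ;;
                -b=*) iface=public; addr=${word#-b=} ;;
                -b?*=*)     # -b<interface>=<value>, e.g. -bmanagement=...
                    iface=${word#-b}; iface=${iface%%=*}; addr=${word#*=} ;;
                -Djboss.bind.address=*) iface=public; addr=${word#*=} ;;
                -Djboss.bind.address.?*=*)
                    iface=${word#-Djboss.bind.address.}
                    iface=${iface%%=*}; addr=${word#*=} ;;
                *) continue ;;
            esac
        fi
        echo "$iface $addr WILDFLY_OPTS $(classify_addr "$addr")"
    done
    set +f
}

# Constructed sample file contents (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
JAVA_HOME=/usr/lib/jvm/jre
WILDFLY_SERVER_CONFIG=standalone.xml
# WILDFLY_BIND=192.0.2.10
WILDFLY_OPTS="-bmanagement=0.0.0.0 -Dorg.wildfly.openssl.path=/opt/openssl/lib"
EOF
eap_bind_audit "$sample"
rm -f "$sample"
```

Any line ending in `wildcard` for the management interface is the case to review first, since it requests the management endpoints on every address of the host.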

A.4. Overview of JBoss EAP Subsystems

The table below gives a brief description of the JBoss EAP subsystems.

Table A.5. JBoss EAP Subsystems

JBoss EAP Subsystem | Description

batch-jberet

Configure an environment for running batch applications and manage batch jobs.

bean-validation

Configure bean validation for validating Java object data.

core-management

Register listeners for server lifecycle events and track configuration changes.

datasources

Create and configure datasources and manage JDBC database drivers.

deployment-scanner

Configure deployment scanners to monitor particular locations for applications to deploy.

ee

Configure common functionality in the Java EE platform, such as defining global modules, enabling descriptor-based property replacement, and configuring default bindings.

ejb3

Configure Enterprise JavaBeans (EJBs), including session and message-driven beans.

More information for the ejb3 subsystem can be found in Developing EJB Applications for JBoss EAP.

elytron

Configure server and application security.

More information on the elytron subsystem can be found in Security Architecture for JBoss EAP.

iiop-openjdk

Configure Common Object Request Broker Architecture (CORBA) services for JTS transactions and other ORB services, including security. In JBoss EAP 6, this functionality was contained in the jacorb subsystem.

infinispan

Configure caching functionality for JBoss EAP high availability services.

io

Define workers and buffer pools to be used by other subsystems.

jaxrs

Enable the deployment and functionality of JAX-RS applications.

jca

Configure the general settings for the Java EE Connector Architecture (JCA) container and resource adapter deployments.

jdr

Enable the gathering of diagnostic data to aid in troubleshooting. JBoss EAP subscribers can provide this information to Red Hat when requesting support.

jgroups

Configure the protocol stacks and communication mechanisms for how servers in a cluster talk to each other.

jmx

Configure remote Java Management Extensions (JMX) access.

jpa

Manages the Java Persistence API (JPA) 2.1 container-managed requirements and allows you to deploy persistent unit definitions, annotations, and descriptors.

More information for the jpa subsystem can be found in the JBoss EAP Development Guide.

jsf

Manage JavaServer Faces (JSF) implementations.

jsr77

Provide Java EE management capabilities defined by the JSR-77 specification.

logging

Configure system and application-level logging through a system of log categories and log handlers.

mail

Configure mail server attributes and custom mail transports to create a mail service that allows applications deployed to JBoss EAP to send mail using that service.

messaging-activemq

Configure JMS destinations, connection factories, and other settings for Artemis, the integrated messaging provider. In JBoss EAP 6, messaging functionality was contained in the messaging subsystem.

More information for the messaging-activemq subsystem can be found in Configuring Messaging for JBoss EAP.

modcluster

Configure the server-side mod_cluster worker node.

naming

Bind entries into global JNDI namespaces and configure the remote JNDI interface.

picketlink-federation

Configure PicketLink SAML-based single sign-on (SSO).

More information on the picketlink-federation subsystem can be found in How To Set Up SSO with SAML v2 for JBoss EAP.

picketlink-identity-management

Configure PicketLink identity management services. This subsystem is unsupported.

pojo

Enable deployment of applications containing JBoss Microcontainer services, as supported by previous versions of JBoss EAP.

remoting

Configure settings for inbound and outbound connections for local and remote services.

request-controller

Configure settings to suspend and shut down servers gracefully.

resource-adapters

Configure and maintain resource adapters for communication between Java EE applications and an Enterprise Information System (EIS) using the Java Connector Architecture (JCA) specification.

rts

Unsupported implementation of REST-AT.

sar

Enable deployment of SAR archives containing MBean services, as supported by previous versions of JBoss EAP.

security

Legacy method to configure application security settings.

More information on the security subsystem can be found in Security Architecture for JBoss EAP.

security-manager

Configure Java security policies to be used by the Java Security Manager.

More information on the security-manager subsystem can be found in How to Configure Server Security for JBoss EAP.

singleton

Define singleton policies to configure the behavior of singleton deployments or to create singleton MSC services.

More information on the singleton subsystem can be found in the JBoss EAP Development Guide.

transactions

Configure transaction manager options, such as timeout values, transaction logging, and whether to use Java Transaction Service (JTS).

undertow

Configure JBoss EAP’s web server and servlet container settings. In JBoss EAP 6, this functionality was contained in the web subsystem.

webservices

Configure published endpoint addresses and endpoint handler chains, as well as the host name, ports, and WSDL address for the web services provider.

More information for the webservices subsystem can be found in Developing Web Services Applications for JBoss EAP.

weld

Configure Contexts and Dependency Injection (CDI) functionality for JBoss EAP.

xts

Configure settings for coordinating web services in a transaction.

A.5. Add-User Utility Arguments

The following table describes the arguments available for the add-user.sh or add-user.bat script, which is a utility for adding new users to the properties file for out-of-the-box authentication.

Table A.6. Add-User Command Arguments

Command Line Argument | Description

-a

Create a user in the application realm. If omitted, the default is to create a user in the management realm.

-dc <value>

The domain configuration directory that will contain the properties files. If it is omitted, the default directory is EAP_HOME/domain/configuration/.

-sc <value>

An alternative standalone server configuration directory that will contain the properties files. If omitted, the default directory is EAP_HOME/standalone/configuration/.

-up, --user-properties <value>

The name of the alternative user properties file. It can be an absolute path or it can be a file name used in conjunction with the -sc or -dc argument that specifies the alternative configuration directory.

-g, --group <value>

A comma-separated list of groups to assign to this user.

-gp, --group-properties <value>

The name of the alternative group properties file. It can be an absolute path or it can be a file name used in conjunction with the -sc or -dc argument that specifies the alternative configuration directory.

-p, --password <value>

The password of the user.

-u, --user <value>

The name of the user. User names can only contain the following characters, in any number and in any order:

  • Alphanumeric characters (a-z, A-Z, 0-9)
  • Dashes (-), periods (.), commas (,), at sign (@)
  • Backslash (\)
  • Equals (=)

-r, --realm <value>

The name of the realm used to secure the management interfaces. If omitted, the default is ManagementRealm.

-s, --silent

Run the add-user script with no output to the console.

-e, --enable

Enable the user.

-d, --disable

Disable the user.

-cw, --confirm-warning

Automatically confirm warning in interactive mode.

-h, --help

Display usage information for the add-user script.

-ds, --display-secret

Print the secret value in non-interactive mode.

A.6. Management Audit Logging Attributes

Note

Attribute names in these tables are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/wildfly-config_5_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.7. Logger Attributes

Attribute | Description

enabled

Whether audit logging is enabled.

log-boot

Whether operations should be logged on server boot.

log-read-only

Whether operations that do not modify the configuration or any runtime services should be logged.

Table A.8. Log Formatter Attributes

Attribute | Description

compact

If true, it will format the JSON on one line. There may still be values containing new lines, so if having the whole record on one line is important, set escape-new-line or escape-control-characters to true.

date-format

The date format to use as understood by java.text.SimpleDateFormat. This is ignored if include-date is set to false.

date-separator

The separator between the date and the rest of the formatted log message. This is ignored if include-date is set to false.

escape-control-characters

If true, it will escape all control characters, ASCII entries with a decimal value greater than 32, with the ASCII code in octal. For example, a new line becomes #012. If true, this will override escape-new-line=false.

escape-new-line

If true, it will escape all new lines with the ASCII code in octal: #012.

include-date

Whether or not to include the date in the formatted log record.

Table A.9. File Handler Attributes

Attribute | Description

disabled-due-to-failure

Whether this handler has been disabled due to logging failures (read-only).

failure-count

The number of logging failures since the handler was initialized (read-only).

formatter

The JSON formatter used to format the log messages.

max-failure-count

The maximum number of logging failures before disabling this handler.

path

The path of the audit log file.

relative-to

The name of another previously named path, or of one of the standard paths provided by the system. If relative-to is provided, the value of the path attribute is treated as relative to the path specified by this attribute.

rotate-at-startup

Whether the old log file should be rotated at server startup.

Table A.10. Syslog Handler Attributes

Attribute | Description

app-name

The application name to add to the syslog records as defined in section 6.2.5 of RFC-5424. If not specified it will default to the name of the product.

disabled-due-to-failure

Whether this handler has been disabled due to logging failures (read-only).

facility

The facility to use for syslog logging as defined in section 6.2.1 of RFC-5424 and section 4.1.1 of RFC-3164.

failure-count

The number of logging failures since the handler was initialized (read-only).

formatter

The JSON formatter used to format the log messages.

max-failure-count

The maximum number of logging failures before disabling this handler.

max-length

The maximum length in bytes a log message, including the header, is allowed to be. If undefined, it will default to 1024 bytes if the syslog-format is RFC3164, or 2048 bytes if the syslog-format is RFC5424.

protocol

The protocol to use for the syslog handler. Must be one and only one of udp, tcp or tls.

syslog-format

The syslog format: RFC5424 or RFC3164.

truncate

Whether a message, including the header, should be truncated if its length in bytes is greater than the value of the max-length attribute. If set to false, messages will be split and sent with the same header values.

Note

Syslog servers vary in their implementation, so not all settings are applicable to all syslog servers. Testing has been conducted using the rsyslog syslog implementation.

This table lists only the high-level attributes. Each attribute has configuration parameters, and some have child configuration parameters.

A.7. Interface Attributes

Note

Attribute names in this table are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/wildfly-config_5_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.11. Interface Attributes and Values

Interface Element | Description

any

Element indicating that part of the selection criteria for an interface should be that it meets at least one, but not necessarily all, of the nested set of criteria.

any-address

Empty element indicating that sockets using this interface should be bound to a wildcard address. The IPv6 wildcard address (::) will be used unless the java.net.preferIPv4Stack system property is set to true, in which case the IPv4 wildcard address (0.0.0.0) will be used. If a socket is bound to an IPv6 anylocal address on a dual-stack machine, it can accept both IPv6 and IPv4 traffic; if it is bound to an IPv4 (IPv4-mapped) anylocal address, it can only accept IPv4 traffic.

inet-address

Either an IP address in IPv6 or IPv4 dotted decimal notation, or a host name that can be resolved to an IP address.

link-local-address

Empty element indicating that part of the selection criteria for an interface should be whether or not an address associated with it is link-local.

loopback

Empty element indicating that part of the selection criteria for an interface should be whether or not it is a loopback interface.

loopback-address

A loopback address that may not actually be configured on the machine’s loopback interface. Differs from inet-address type in that the given value will be used even if no NIC can be found that has the IP address associated with it.

multicast

Empty element indicating that part of the selection criteria for an interface should be whether or not it supports multicast.

name

The name of the interface.

nic

The name of a network interface (e.g. eth0, eth1, lo).

nic-match

A regular expression against which the names of the network interfaces available on the machine can be matched to find an acceptable interface.

not

Element indicating that part of the selection criteria for an interface should be that it does not meet any of the nested set of criteria.

point-to-point

Empty element indicating that part of the selection criteria for an interface should be whether or not it is a point-to-point interface.

public-address

Empty element indicating that part of the selection criteria for an interface should be whether or not it has a publicly routable address.

site-local-address

Empty element indicating that part of the selection criteria for an interface should be whether or not an address associated with it is site-local.

subnet-match

A network IP address and the number of bits in the address' network prefix, written in slash notation, for example, 192.168.0.0/16.

up

Empty element indicating that part of the selection criteria for an interface should be whether or not it is currently up.

virtual

Empty element indicating that part of the selection criteria for an interface should be whether or not it is a virtual interface.

A.8. Socket Binding Attributes

Note

Attribute names in these tables are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/wildfly-config_5_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

The following tables show the attributes that can be configured for each of the three types of socket bindings.

Table A.12. Inbound Socket Binding (socket-binding) Attributes

Attribute | Description

client-mappings

Specifies the client mappings for this socket binding. A client connecting to this socket should use the destination address specified in the mapping that matches its desired outbound interface. This allows for advanced network topologies that use either network address translation, or have bindings on multiple network interfaces to function. Each mapping should be evaluated in declared order, with the first successful match used to determine the destination.

fixed-port

Whether the port value should remain fixed even if numeric offsets are applied to the other sockets in the socket group.

interface

Name of the interface to which the socket should be bound, or, for multicast sockets, the interface on which it should listen. This should be one of the declared interfaces. If not defined, the value of the default-interface attribute from the enclosing socket binding group will be used.

multicast-address

Multicast address on which the socket should receive multicast traffic. If unspecified, the socket will not be configured to receive multicast.

multicast-port

Port on which the socket should receive multicast traffic. Must be configured if multicast-address is configured.

name

The name of the socket. Services needing to access the socket configuration information will find it using this name. This attribute is required.

port

Number of the port to which the socket should be bound. Note that this value can be overridden if servers apply a port-offset to increment or decrement all port values.

Table A.13. Remote Outbound Socket Binding (remote-destination-outbound-socket-binding) Attributes

Attribute | Description

fixed-source-port

Whether the port value should remain fixed even if numeric offsets are applied to the other outbound sockets in the socket group.

host

The host name or IP address of the remote destination to which this outbound socket will connect.

port

The port number of the remote destination to which the outbound socket should connect.

source-interface

The name of the interface that will be used for the source address of the outbound socket.

source-port

The port number that will be used as the source port of the outbound socket.

Table A.14. Local Outbound Socket Binding (local-destination-outbound-socket-binding) Attributes

Attribute | Description

fixed-source-port

Whether the port value should remain fixed even if numeric offsets are applied to the other outbound sockets in the socket group.

socket-binding-ref

The name of the local socket binding that will be used to determine the port to which this outbound socket connects.

source-interface

The name of the interface that will be used for the source address of the outbound socket.

source-port

The port number that will be used as the source port of the outbound socket.

A.9. Default Socket Bindings

The following tables show the default socket bindings for each socket binding group.

Table A.15. standard-sockets

| Socket Binding | Port | Description |
| --- | --- | --- |
| ajp | 8009 | Apache JServ Protocol. Used for HTTP clustering and load balancing. |
| http | 8080 | The default port for deployed web applications. |
| https | 8443 | SSL-encrypted connection between deployed web applications and clients. |
| management-http | 9990 | Used for HTTP communication with the management layer. |
| management-https | 9993 | Used for HTTPS communication with the management layer. |
| txn-recovery-environment | 4712 | The JTA transaction recovery manager. |
| txn-status-manager | 4713 | The JTA / JTS transaction manager. |

Table A.16. ha-sockets

| Socket Binding | Port | Multicast Port | Description |
| --- | --- | --- | --- |
| ajp | 8009 | | Apache JServ Protocol. Used for HTTP clustering and load balancing. |
| http | 8080 | | The default port for deployed web applications. |
| https | 8443 | | SSL-encrypted connection between deployed web applications and clients. |
| jgroups-mping | | 45700 | Multicast. Used to discover initial membership in a HA cluster. |
| jgroups-tcp | 7600 | | Unicast peer discovery in HA clusters using TCP. |
| jgroups-udp | 55200 | 45688 | Multicast peer discovery in HA clusters using UDP. |
| management-http | 9990 | | Used for HTTP communication with the management layer. |
| management-https | 9993 | | Used for HTTPS communication with the management layer. |
| modcluster | | 23364 | Multicast port for communication between JBoss EAP and the HTTP load balancer. |
| txn-recovery-environment | 4712 | | The JTA transaction recovery manager. |
| txn-status-manager | 4713 | | The JTA / JTS transaction manager. |

Table A.17. full-sockets

| Socket Binding | Port | Description |
| --- | --- | --- |
| ajp | 8009 | Apache JServ Protocol. Used for HTTP clustering and load balancing. |
| http | 8080 | The default port for deployed web applications. |
| https | 8443 | SSL-encrypted connection between deployed web applications and clients. |
| iiop | 3528 | CORBA services for JTS transactions and other ORB-dependent services. |
| iiop-ssl | 3529 | SSL-encrypted CORBA services. |
| management-http | 9990 | Used for HTTP communication with the management layer. |
| management-https | 9993 | Used for HTTPS communication with the management layer. |
| txn-recovery-environment | 4712 | The JTA transaction recovery manager. |
| txn-status-manager | 4713 | The JTA / JTS transaction manager. |

Table A.18. full-ha-sockets

| Name | Port | Multicast Port | Description |
| --- | --- | --- | --- |
| ajp | 8009 | | Apache JServ Protocol. Used for HTTP clustering and load balancing. |
| http | 8080 | | The default port for deployed web applications. |
| https | 8443 | | SSL-encrypted connection between deployed web applications and clients. |
| iiop | 3528 | | CORBA services for JTS transactions and other ORB-dependent services. |
| iiop-ssl | 3529 | | SSL-encrypted CORBA services. |
| jgroups-mping | | 45700 | Multicast. Used to discover initial membership in a HA cluster. |
| jgroups-tcp | 7600 | | Unicast peer discovery in HA clusters using TCP. |
| jgroups-udp | 55200 | 45688 | Multicast peer discovery in HA clusters using UDP. |
| management-http | 9990 | | Used for HTTP communication with the management layer. |
| management-https | 9993 | | Used for HTTPS communication with the management layer. |
| modcluster | | 23364 | Multicast port for communication between JBoss EAP and the HTTP load balancer. |
| txn-recovery-environment | 4712 | | The JTA transaction recovery manager. |
| txn-status-manager | 4713 | | The JTA / JTS transaction manager. |

Table A.19. load-balancer-sockets

| Name | Port | Multicast Port | Description |
| --- | --- | --- | --- |
| http | 8080 | | The default port for deployed web applications. |
| https | 8443 | | SSL-encrypted connection between deployed web applications and clients. |
| management-http | 9990 | | Used for HTTP communication with the management layer. |
| management-https | 9993 | | Used for HTTPS communication with the management layer. |
| mcmp-management | 8090 | | The port for the Mod-Cluster Management Protocol (MCMP) connection to transmit lifecycle events. |
| modcluster | | 23364 | Multicast port for communication between JBoss EAP and the HTTP load balancer. |
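An added example, not part of the Red Hat documentation: a shell function that maps TCP listeners from `ss -ltn` output back to the default socket binding names in Tables A.15 to A.19 and marks management listeners on non-loopback addresses for review. The function name, output format and sample listener lines are constructed; the optional argument is the port offset applied to the socket binding group.

```shell
#!/bin/sh
# Added example: match listening TCP sockets against the default JBoss EAP
# socket bindings listed in section A.9.
#
# Input : lines in "ss -ltn" format on stdin
#         (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port)
# Output: NAME PORT ADDRESS SCOPE FLAG, one line per recognised listener
# Note  : a binding with fixed-port set keeps its port when an offset is
#         applied, so it is only recognised when run with offset 0.
eap_listen_audit() {  # eap_listen_audit [PORT_OFFSET] < ss-output
    awk -v offset="${1:-0}" '
    # Load "port name port name ..." pairs into the name[] lookup table.
    function load(s,    t, n, i) {
        n = split(s, t, " ")
        for (i = 1; i < n; i += 2) name[t[i]] = t[i + 1]
    }
    BEGIN {
        # Unicast TCP ports from the default socket binding tables.
        load("8009 ajp 8080 http 8443 https")
        load("9990 management-http 9993 management-https")
        load("4712 txn-recovery-environment 4713 txn-status-manager")
        load("3528 iiop 3529 iiop-ssl 7600 jgroups-tcp 8090 mcmp-management")
    }
    $1 == "LISTEN" {
        # The port is the text after the last colon; this also handles
        # bracketed IPv6 forms such as [::]:8443.
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        base = port - offset
        if (!(base in name)) next       # not a default EAP binding
        scope = (addr ~ /^(127\.|\[::1\]$)/) ? "loopback" : "non-loopback"
        flag = "ok"
        if (name[base] ~ /^management-/ && scope == "non-loopback")
            flag = "REVIEW"
        print name[base], port, addr, scope, flag
    }'
}

# Constructed sample of "ss -ltn" output for a server started with a
# port offset of 100 (not captured from a real host).
eap_listen_audit 100 <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:8180        0.0.0.0:*
LISTEN  0       128     [::]:8543           [::]:*
LISTEN  0       50      127.0.0.1:10093     0.0.0.0:*
LISTEN  0       50      0.0.0.0:10090       0.0.0.0:*
EOF
```

On a live host the same function can read `ss -ltn` directly, for example `ss -ltn | eap_listen_audit 0`.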

A.10. Module Command Arguments

The following arguments can be passed to the module add management CLI command:

Table A.20. Module Command Arguments

Argument | Description

--absolute-resources

Use this argument to specify a list of absolute file system paths to reference from its module.xml file. The files specified are not copied to the module directory.

See --resource-delimiter for delimiter details.

--allow-nonexistent-resources

Use this argument to create empty directories for resources specified by --resources that do not exist. The module add command will fail if there are resources that do not exist and this argument is not used.

--dependencies

Use this argument to provide a comma-separated list of module names that this module depends on.

--export-dependencies

Use this argument to specify exported dependencies.

module add --name=com.mysql --resources=/path/to/mysql-connector-java-5.1.36-bin.jar --export-dependencies=javax.api,javax.transaction.api

--main-class

Use this argument to specify the fully qualified class name that declares the module’s main method.

--module-root-dir

Use this argument if you have defined an external JBoss EAP module directory to use instead of the default EAP_HOME/modules/ directory.

module add --module-root-dir=/path/to/my-external-modules/ --name=com.mysql --resources=/path/to/mysql-connector-java-5.1.36-bin.jar --dependencies=javax.api,javax.transaction.api

--module-xml

Use this argument to provide a file system path to a module.xml to use for this new module. This file is copied to the module directory. If this argument is not specified, a module.xml file is generated in the module directory.

--name

Use this argument to provide the name of the module to add. This argument is required.

--properties

Use this argument to provide a comma-separated list of PROPERTY_NAME=PROPERTY_VALUE pairs that define module properties.

--resource-delimiter

Use this argument to set a user-defined file path separator for the list of resources provided to the --resources or --absolute-resources argument. If not set, the file path separator is a colon (:) for Linux and a semicolon (;) for Windows.

--resources

Use this argument to specify the resources for this module by providing a list of file system paths. The files are copied to this module directory and referenced from its module.xml file. If you provide a path to a directory, the directory and its contents are copied to the module directory. Symbolic links are not preserved; linked resources are copied to the module directory. This argument is required unless --absolute-resources or --module-xml is provided.

See --resource-delimiter for delimiter details.

--slot

Use this argument to add the module to a slot other than the default main slot.

module add --name=com.mysql --slot=5.1 --resources=/path/to/mysql-connector-java-5.1.36-bin.jar --dependencies=javax.api,javax.transaction.api

A.11. Deployment Scanner Marker Files

Marker files are used by the deployment scanner to mark the status of an application within the deployment directory of the JBoss EAP server instance. A marker file has the same name as the deployment, with the file suffix indicating the state of the application’s deployment.

For example, a successful deployment of test-application.war would have a marker file named test-application.war.deployed.

The following table lists the available marker file types and their meanings.

Table A.21. Marker File Types

| Filename Suffix | Origin | Description |
| --- | --- | --- |
| .deployed | System-generated | Indicates that the content has been deployed. The content will be undeployed if this file is deleted. |
| .dodeploy | User-generated | Indicates that the content should be deployed or redeployed. |
| .failed | System-generated | Indicates deployment failure. The marker file contains information about the cause of failure. If the marker file is deleted, the content will be eligible for auto-deployment again. |
| .isdeploying | System-generated | Indicates that the deployment is in progress. This marker file will be deleted upon completion. |
| .isundeploying | System-generated | Triggered by deleting a .deployed file, this indicates that the content is being undeployed. This marker file will be deleted upon completion. |
| .pending | System-generated | Indicates that the deployment scanner recognizes the need to deploy content, but an issue is currently preventing auto-deployment (for example, if content is in the process of being copied). This marker serves as a global deployment road-block, meaning that the scanner will not instruct the server to deploy or undeploy any content while this marker file exists. |
| .skipdeploy | User-generated | Disables auto-deploy of an application while present. Useful as a method of temporarily blocking the auto-deployment of exploded content, preventing the risk of incomplete content edits being pushed. Can be used with zipped content, although the scanner detects in-progress changes to zipped content and waits until completion. |
| .undeployed | System-generated | Indicates that the content has been undeployed. Deletion of this marker file has no impact to content redeployment. |
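The following is an added example, not part of the Red Hat documentation: a Python audit that reads a deployment directory listing, derives each deployment's state from the marker suffixes in Table A.21, and compares what is deployed against an expected list. The file names, the expected list, the finding labels, and the choice to ignore README.txt are assumptions of this example.

```python
import os
import tempfile

# Marker suffixes and their origin, taken from Table A.21.
MARKERS = {
    ".deployed": "System-generated",
    ".dodeploy": "User-generated",
    ".failed": "System-generated",
    ".isdeploying": "System-generated",
    ".isundeploying": "System-generated",
    ".pending": "System-generated",
    ".skipdeploy": "User-generated",
    ".undeployed": "System-generated",
}

# Assumption: files in the directory that are neither content nor markers.
IGNORED = {"README.txt"}

# Constructed sample listing and expected deployments (hypothetical names).
SAMPLE_NAMES = [
    "shop.war", "shop.war.deployed",
    "reports.ear", "reports.ear.failed",
    "tmp-upload.war", "tmp-upload.war.deployed",
    "admin.war", "admin.war.skipdeploy",
    "README.txt",
]
EXPECTED = {"shop.war", "reports.ear", "admin.war"}


def split_marker(filename):
    """Return (deployment, marker_suffix); the suffix is None for content."""
    for suffix in MARKERS:
        if filename.endswith(suffix) and len(filename) > len(suffix):
            return filename[: -len(suffix)], suffix
    return filename, None


def scan_state(names, ignored=IGNORED):
    """Group a listing into {deployment: {"content": bool, "markers": set}}."""
    state = {}
    for name in names:
        if name in ignored:
            continue
        deployment, marker = split_marker(name)
        entry = state.setdefault(deployment, {"content": False, "markers": set()})
        if marker is None:
            entry["content"] = True
        else:
            entry["markers"].add(marker)
    return state


def audit(names, expected):
    """Return (deployment, finding) pairs for states that need a look."""
    state = scan_state(names)
    findings = []
    for deployment, entry in sorted(state.items()):
        markers = entry["markers"]
        if ".deployed" in markers and deployment not in expected:
            findings.append((deployment, "unexpected"))
        if ".failed" in markers:
            findings.append((deployment, "failed"))
        if ".pending" in markers:
            # Global road-block: nothing is deployed or undeployed meanwhile.
            findings.append((deployment, "scanner-blocked"))
        if ".skipdeploy" in markers:
            findings.append((deployment, "auto-deploy-disabled"))
        if ".dodeploy" in markers:
            findings.append((deployment, "deploy-requested"))
    deployed = {d for d, e in state.items() if ".deployed" in e["markers"]}
    for deployment in sorted(expected - deployed):
        findings.append((deployment, "not-deployed"))
    return findings


def audit_directory(path, expected):
    """Audit a real deployment directory on disk."""
    return audit(os.listdir(path), expected)


def demo():
    """Build the constructed listing in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in SAMPLE_NAMES:
            open(os.path.join(tmp, name), "w").close()
        return audit_directory(tmp, EXPECTED)


if __name__ == "__main__":
    for deployment, finding in demo():
        print(f"{finding:22} {deployment}")
```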

A.12. Deployment Scanner Attributes

The deployment scanner contains the following configurable attributes.

Note

Attribute names in this table are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/jboss-as-deployment-scanner_2_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.22. Deployment Scanner Attributes

| Name | Default | Description |
| --- | --- | --- |
| auto-deploy-exploded | false | Allows the automatic deployment of exploded content without requiring a .dodeploy marker file. Recommended for only basic development scenarios to prevent exploded application deployment from occurring during changes by the developer or operating system. |
| auto-deploy-xml | true | Allows the automatic deployment of XML content without requiring a .dodeploy marker file. |
| auto-deploy-zipped | true | Allows the automatic deployment of zipped content without requiring a .dodeploy marker file. |
| deployment-timeout | 600 | The time value in seconds for the deployment scanner to allow a deployment attempt before being canceled. |
| path | deployments | The actual file system path to be scanned. Treated as an absolute path, unless the relative-to attribute is specified, in which case the value is treated as relative to that path. |
| relative-to | jboss.server.base.dir | Reference to a file system path defined as a path in the server configuration. |
| runtime-failure-causes-rollback | false | Whether a runtime failure of a deployment causes a rollback of the deployment as well as all other (possibly unrelated) deployments as part of the scan operation. |
| scan-enabled | true | Allows the automatic scanning for applications by scan-interval and at startup. |
| scan-interval | 5000 | The time interval in milliseconds that the repository should be scanned for changes. A value of less than 1 causes the scan to occur only at initial startup. |

A.13. Managed Domain JVM Configuration Attributes

The following JVM configuration options can be set for a managed domain at the host, server group, or server level. Note that valid values for some of these attributes are dependent upon your JVM. See your JDK vendor’s documentation for additional information.

Note

Attribute names in this table are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/wildfly-config_5_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.23. JVM Configuration Attributes

Attribute | Description

agent-lib

Sets the value of the -agentlib java option, which specifies the Java agent library.

agent-path

Sets the value of the -agentpath java option, which specifies the Java agent path.

debug-enabled

Whether to enable debug. This attribute only applies to JVM configurations at the server level.

debug-options

Specifies the JVM options to use when debug is enabled. This attribute only applies to JVM configurations at the server level.

env-classpath-ignored

Whether to ignore the CLASSPATH environment variable.

environment-variables

Specifies key/value pair environment variables.

heap-size

Sets the value of the -Xms option, which specifies the initial heap size allocated by the JVM.

java-agent

Sets the value of the -javaagent java option, which specifies the Java agent.

java-home

Sets the value of the JAVA_HOME variable.

jvm-options

Specifies any additional JVM options needed.

launch-command

Specifies an operating system level command to prefix before the java command used to launch the server process. For example, you could use the sudo command to run the Java process as another user.

max-heap-size

Sets the value of the -Xmx option, which specifies the maximum heap size allocated by the JVM.

max-permgen-size

Sets the maximum size of the permanent generation. Deprecated: The JVM no longer provides a separate permanent generation space.

permgen-size

Sets the initial permanent generation size. Deprecated: The JVM no longer provides a separate permanent generation space.

stack-size

Sets the value of the -Xss option, which specifies the JVM stack size.

type

Specifies which vendor provided the JVM in use. Available options are ORACLE, IBM, SUN, or OTHER.

A.14. Mail Subsystem Attributes

The following tables describe the attributes in the mail subsystem for mail sessions and for the IMAP, POP3, SMTP, and custom mail server types.

Note

Attribute names in these tables are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/wildfly-mail_3_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.24. Mail Session Attributes

Attribute | Description

debug

Whether to enable JavaMail debugging.

from

The default "from" address to use if not set when sending.

jndi-name

The JNDI name to which the mail session should be bound.

Table A.25. IMAP Mail Server Attributes

Attribute | Description

credential-reference

Credential, from a credential store, to authenticate on the server.

outbound-socket-binding-ref

Reference to the outbound socket binding for the mail server.

password

The password to authenticate on the server.

ssl

Whether the server requires SSL.

tls

Whether the server requires TLS.

username

The username to authenticate on the server.

Table A.26. POP3 Mail Server Attributes

Attribute | Description

credential-reference

Credential, from a credential store, to authenticate on the server.

outbound-socket-binding-ref

Reference to the outbound socket binding for the mail server.

password

The password to authenticate on the server.

ssl

Whether the server requires SSL.

tls

Whether the server requires TLS.

username

The username to authenticate on the server.

Table A.27. SMTP Mail Server Attributes

Attribute | Description

credential-reference

Credential, from a credential store, to authenticate on the server.

outbound-socket-binding-ref

Reference to the outbound socket binding for the mail server.

password

The password to authenticate on the server.

ssl

Whether the server requires SSL.

tls

Whether the server requires TLS.

username

The username to authenticate on the server.

Table A.28. Custom Mail Server Attributes

Attribute | Description

credential-reference

Credential, from a credential store, to authenticate on the server.

outbound-socket-binding-ref

Reference to the outbound socket binding for the mail server.

password

The password to authenticate on the server.

properties

The JavaMail properties for this server.

ssl

Whether the server requires SSL.

tls

Whether the server requires TLS.

username

The username to authenticate on the server.

A.15. Root Logger Attributes

Note

Attribute names in this table are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/jboss-as-logging_3_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.29. Root Logger Attributes

Attribute | Description

filter

Defines a simple filter type. Deprecated in favor of filter-spec.

filter-spec

An expression value that defines a filter. The following expression defines a filter that excludes log entries that do not match a pattern: not(match("WFLY.*"))

handlers

A list of log handlers that are used by the root logger.

level

The lowest level of log message that the root logger records.

Note

A filter-spec specified for the root logger is not inherited by other handlers. Instead a filter-spec must be specified per handler.

A.16. Log Category Attributes

Note

Attribute names in this table are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/jboss_as_logging_3_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.30. Log Category Attributes

Attribute | Description

category

The log category from which log messages will be captured.

filter

Defines a simple filter type. Deprecated in favor of filter-spec.

filter-spec

An expression value that defines a filter. The following expression defines a filter that does not match a pattern: not(match("WFLY.*"))

handlers

A list of log handlers associated with the logger.

level

The lowest level of log message that the log category records.

use-parent-handlers

If set to true, this category will use the log handlers of the root logger in addition to any other assigned handlers.

A.17. Log Handler Attributes

Note

Attribute names in these tables are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/jboss_as_logging_3_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.31. Console Log Handler Attributes

Attribute | Description

autoflush

If set to true, the log messages will be sent to the handler’s assigned file immediately upon receipt.

enabled

If set to true, the handler is enabled and functioning as normal. If set to false, the handler is ignored when processing log messages.

encoding

The character encoding scheme to be used for the output.

filter

Defines a simple filter type. Deprecated in favor of filter-spec.

filter-spec

An expression value that defines a filter. The following expression defines a filter that does not match a pattern: not(match("WFLY.*"))

formatter

The log formatter used by this log handler.

level

The lowest level of log message the log handler records.

name

The name of the log handler. Deprecated since the handler’s address contains the name.

named-formatter

The name of the defined formatter to be used on the handler.

target

The system output stream where the output of the log handler is sent. This can be one of the following:

  • System.err: Log handler output goes to the system error stream.
  • System.out: Log handler output goes to the standard output stream.
  • console: Log handler output goes to the java.io.PrintWriter class.

Table A.32. File Log Handler Attributes

Attribute | Description

append

If set to true, all messages written by this handler will be appended to the file if it already exists. If set to false, a new file will be created each time the application server launches.

autoflush

If set to true, the log messages will be sent to the handler’s assigned file immediately upon receipt.

enabled

If set to true, the handler is enabled and functioning as normal. If set to false, the handler is ignored when processing log messages.

encoding

The character encoding scheme to be used for the output.

file

The object that represents the file where the output of this log handler is written to. It has two configuration properties, relative-to and path.

filter

Defines a simple filter type. Deprecated in favor of filter-spec.

filter-spec

An expression value that defines a filter. The following expression defines a filter that does not match a pattern: not(match("WFLY.*"))

formatter

The log formatter used by this log handler.

level

The lowest level of log message the log handler records.

name

The name of the log handler. Deprecated since the handler’s address contains the name.

named-formatter

The name of the defined formatter to be used on the handler.

Table A.33. Periodic Log Handler Attributes

Attribute | Description

append

If set to true, all messages written by this handler will be appended to the file if it already exists. If set to false, a new file will be created each time the application server launches.

autoflush

If set to true, the log messages will be sent to the handler’s assigned file immediately upon receipt.

enabled

If set to true, the handler is enabled and functioning as normal. If set to false, the handler is ignored when processing log messages.

encoding

The character encoding scheme to be used for the output.

file

Object that represents the file to which the output of this log handler is written. It has two configuration properties, relative-to and path.

filter

Defines a simple filter type. Deprecated in favor of filter-spec.

filter-spec

An expression value that defines a filter. The following expression defines a filter that does not match a pattern: not(match("WFLY.*")).

formatter

The log formatter used by this log handler.

level

The lowest level of log message the log handler records.

name

The name of the log handler. Deprecated since the handler’s address contains the name.

named-formatter

The name of the defined formatter to be used on the handler.

suffix

This string is included in the suffix appended to rotated logs. The format of the suffix is a dot (.) followed by a date string which is able to be parsed by the SimpleDateFormat class.

Table A.34. Size Log Handler Attributes

Attribute | Description

append

If set to true, all messages written by this handler will be appended to the file if it already exists. If set to false, a new file will be created each time the application server launches.

autoflush

If set to true, the log messages will be sent to the handler’s assigned file immediately upon receipt.

enabled

If set to true, the handler is enabled and functioning as normal. If set to false, the handler is ignored when processing log messages.

encoding

The character encoding scheme to be used for the output.

file

Object that represents the file where the output of this log handler is written to. It has two configuration properties, relative-to and path.

filter

Defines a simple filter type. Deprecated in favor of filter-spec.

filter-spec

An expression value that defines a filter. The following expression defines a filter that does not match a pattern: not(match("WFLY.*"))

formatter

The log formatter used by this log handler.

level

The lowest level of log message the log handler records.

max-backup-index

The maximum number of rotated logs that are kept. When this number is reached, the oldest log is reused. The default is 1.

If the suffix attribute is used, the suffix of rotated log files is included in the rotation algorithm. When the log file is rotated, the oldest file whose name starts with name+suffix is deleted, the remaining rotated log files have their numeric suffix incremented and the newly rotated log file is given the numeric suffix 1.

name

The name of the log handler. Deprecated since the handler’s address contains the name.

named-formatter

The name of the defined formatter to be used on the handler.

rotate-on-boot

If set to true, a new log file will be created on server restart. The default is false.

rotate-size

The maximum size that the log file can reach before it is rotated. A single character appended to the number indicates the size units: b for bytes, k for kilobytes, m for megabytes, g for gigabytes. For example, 50m for 50 megabytes.

suffix

This string is included in the suffix appended to rotated logs. The format of the suffix is a dot (.) followed by a date string which is able to be parsed by the SimpleDateFormat class.

Table A.35. Periodic Size Log Handler Attributes

Attribute | Description

append

If set to true, all messages written by this handler will be appended to the file if it already exists. If set to false, a new file will be created each time the application server launches.

autoflush

If set to true, the log messages will be sent to the handler’s assigned file immediately upon receipt.

enabled

If set to true, the handler is enabled and functioning as normal. If set to false, the handler is ignored when processing log messages.

encoding

The character encoding scheme to be used for the output.

file

Object that represents the file where the output of this log handler is written to. It has two configuration properties, relative-to and path.

filter-spec

An expression value that defines a filter. The following expression defines a filter that does not match a pattern: not(match("WFLY.*"))

formatter

The log formatter used by this log handler.

level

The lowest level of log message the log handler records.

max-backup-index

The maximum number of rotated logs that are kept. When this number is reached, the oldest log is reused. The default is 1.

If the suffix attribute is used, the suffix of rotated log files is included in the rotation algorithm. When the log file is rotated, the oldest file whose name starts with name+suffix is deleted, the remaining rotated log files have their numeric suffix incremented and the newly rotated log file is given the numeric suffix 1.

name

The name of the log handler. Deprecated since the handler’s address contains the name.

named-formatter

The name of the defined formatter to be used on the handler.

rotate-on-boot

If set to true, a new log file will be created on server restart. The default is false.

rotate-size

The maximum size that the log file can reach before it is rotated. A single character appended to the number indicates the size units: b for bytes, k for kilobytes, m for megabytes, g for gigabytes. For example, 50m for 50 megabytes.

suffix

This string is included in the suffix appended to rotated logs. The format of the suffix is a dot (.) followed by a date string which is able to be parsed by the SimpleDateFormat class.

Table A.36. Syslog Handler Attributes

Attribute | Description

app-name

The app name used when formatting the message in RFC5424 format. By default the app name is java.

enabled

If set to true, the handler is enabled and functioning as normal. If set to false, the handler is ignored when processing log messages.

facility

The facility as defined by RFC-5424 and RFC-3164.

hostname

The name of the host from which the messages are being sent. For example, the name of the host the application server is running on.

level

The lowest level of log message the log handler records.

port

The port on which the syslog server is listening.

server-address

The address of the syslog server.

syslog-format

Formats the log message according to the RFC specification.

Table A.37. Custom Log Handler Attributes

Attribute | Description

class

The logging handler class to be used.

enabled

If set to true, the handler is enabled and functioning as normal. If set to false, the handler is ignored when processing log messages.

encoding

The character encoding scheme to be used for the output.

filter

Defines a simple filter type. Deprecated in favor of filter-spec.

filter-spec

An expression value that defines a filter. The following expression defines a filter that does not match a pattern: not(match("WFLY.*"))

formatter

The log formatter used by this log handler.

level

The lowest level of log message the log handler records.

module

The module on which the logging handler depends.

name

The name of the log handler. Deprecated since the handler’s address contains the name.

named-formatter

The name of the defined formatter to be used on the handler.

properties

The properties used for the logging handler.

Table A.38. Async Log Handler Attributes

Attribute | Description

enabled

If set to true, the handler is enabled and functioning as normal. If set to false, the handler is ignored when processing log messages.

filter

Defines a simple filter type. Deprecated in favor of filter-spec.

filter-spec

An expression value that defines a filter. The following expression defines a filter that does not match a pattern: not(match("WFLY.*"))

level

The lowest level of log message the log handler records.

name

The name of the log handler. Deprecated since the handler’s address contains the name.

overflow-action

How this handler responds when its queue length is exceeded. This can be set to BLOCK or DISCARD. BLOCK makes the logging application wait until there is available space in the queue. This is the same behavior as a non-async log handler. DISCARD allows the logging application to continue but the log message is deleted.

queue-length

Maximum number of log messages that will be held by this handler while waiting for sub-handlers to respond.

subhandlers

The list of log handlers to which this async handler passes its log messages.

A.18. Datasource Connection URLs

Table A.39. Datasource Connection URLs

| Datasource | Connection URL |
| --- | --- |
| IBM DB2 | jdbc:db2://SERVER_NAME:PORT/DATABASE_NAME |
| MariaDB | jdbc:mariadb://SERVER_NAME:PORT/DATABASE_NAME |
| MariaDB Galera Cluster | jdbc:mariadb://SERVER_NAME:PORT,SERVER_NAME:PORT/DATABASE_NAME |
| Microsoft SQL Server | jdbc:sqlserver://SERVER_NAME:PORT;DatabaseName=DATABASE_NAME |
| MySQL | jdbc:mysql://SERVER_NAME:PORT/DATABASE_NAME |
| Oracle | jdbc:oracle:thin:@SERVER_NAME:PORT:ORACLE_SID |
| PostgreSQL | jdbc:postgresql://SERVER_NAME:PORT/DATABASE_NAME |
| Sybase | jdbc:sybase:Tds:SERVER_NAME:PORT/DATABASE_NAME |

A.19. Datasource Attributes

Note

Attribute names in this table are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/wildfly-datasources_5_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.40. Datasource Attributes

Attribute | Datasource Type | Description

allocation-retry

Non-XA, XA

The number of times that allocating a connection should be tried before throwing an exception. The default is 0, so an exception is thrown upon the first failure.

allocation-retry-wait-millis

Non-XA, XA

The amount of time, in milliseconds, to wait between retrying to allocate a connection. The default is 5000 ms.

allow-multiple-users

Non-XA, XA

Whether multiple users will access the datasource through the getConnection(user, password) method and if the internal pool type accounts for this behavior.

authentication-context

Non-XA, XA

The Elytron authentication context which defines the javax.security.auth.Subject that is used to distinguish connections in the pool.

background-validation

Non-XA, XA

Whether connections should be validated on a background thread versus being validated prior to use. Background validation is typically not to be used with validate-on-match or there will be redundant checks. With background validation, there is an opportunity for a connection to go bad between the time of the validation scan and being handed to the client, so the application must account for this possibility.

background-validation-millis

Non-XA, XA

The frequency, in milliseconds, that background validation will run.

blocking-timeout-wait-millis

Non-XA, XA

The maximum time, in milliseconds, to block while waiting for a connection before throwing an exception. Note that this blocks only while waiting for locking a connection, and will never throw an exception if creating a new connection takes an inordinately long time.

capacity-decrementer-class

Non-XA, XA

Class defining the policy for decrementing connections in the pool.

capacity-decrementer-properties

Non-XA, XA

Properties to be injected in the class defining the policy for decrementing connections in the pool.

capacity-incrementer-class

Non-XA, XA

Class defining the policy for incrementing connections in the pool.

capacity-incrementer-properties

Non-XA, XA

Properties to be injected in the class defining the policy for incrementing connections in the pool.

check-valid-connection-sql

Non-XA, XA

An SQL statement to check validity of a pool connection. This may be called when a managed connection is obtained from the pool.

connectable

Non-XA, XA

Enable the use of CMR, which means that a local resource can reliably participate in an XA transaction.

connection-listener-class

Non-XA, XA

Specifies class name extending org.jboss.jca.adapters.jdbc.spi.listener.ConnectionListener. This class listens for connection activation and passivation in order to perform actions before the connection is returned to the application or to the pool. The specified class must be bundled together with the JDBC driver in one module using two resource jars, as seen in Install a JDBC Driver as a Core Module, or in a separate global module, as seen in Define Global Modules.

connection-listener-property

Non-XA, XA

Properties to be injected into the class specified in the connection-listener-class. The properties injected are compliant with the JavaBeans conventions. For example, if you specify a property named foo, then the connection listener class needs to have a method setFoo that accepts String as argument.

connection-properties

Non-XA Only

Arbitrary string name/value pair connection properties to pass to the Driver.connect(url, props) method.

connection-url

Non-XA Only

The JDBC driver connection URL.

credential-reference

Non-XA, XA

Credential, from a credential store, to authenticate on datasource.

datasource-class

Non-XA Only

The fully-qualified name of the JDBC datasource class.

driver-class

Non-XA Only

The fully-qualified name of the JDBC driver class.

driver-name

Non-XA, XA

Defines the JDBC driver the datasource should use. It is a symbolic name matching the name of the installed driver. If the driver is deployed as a JAR, the name is the name of the deployment.

elytron-enabled

Non-XA, XA

Enables Elytron security for handling authentication of connections. The Elytron authentication-context to be used will be the current context if no context is specified. See authentication-context for additional information.

enabled

Non-XA, XA

Whether the datasource should be enabled.

enlistment-trace

Non-XA, XA

Whether enlistment traces should be recorded. This is false by default.

exception-sorter-class-name

Non-XA, XA

An instance of org.jboss.jca.adapters.jdbc.ExceptionSorter that provides a method to validate if an exception should broadcast an error.

exception-sorter-properties

Non-XA, XA

The exception sorter properties.

flush-strategy

Non-XA, XA

Specifies how the pool should be flushed in case of an error. Valid values are:

  • FailingConnectionOnly: Only the failing connection is removed. This is the default setting.
  • InvalidIdleConnections: The failing connection and idle connections that share the same credentials and are returned as invalid by the ValidatingManagedConnectionFactory.getInvalidConnections(…) method are removed.
  • IdleConnections: The failing connection and idle connections that share the same credentials are removed.
  • Gracefully: The failing connection and idle connections that share the same credentials are removed. Active connections that share the same credentials are destroyed upon return to the pool.
  • EntirePool: The failing connection and idle and active connections that share the same credentials are removed. This setting is not recommended for production systems.
  • AllInvalidIdleConnections: The failing connection and idle connections that are returned as invalid by the ValidatingManagedConnectionFactory.getInvalidConnections(…) method are removed.
  • AllIdleConnections: The failing connection and all idle connections are removed.
  • AllGracefully: The failing connection and all idle connections are removed. Active connections are destroyed upon return to the pool.
  • AllConnections: The failing connection and all idle and active connections are removed. This setting is not recommended for production systems.

idle-timeout-minutes

Non-XA, XA

The maximum time, in minutes, a connection may be idle before being closed. If not specified, the default is 30 minutes. The actual maximum time also depends on the IdleRemover scan time, which is half of the smallest idle-timeout-minutes value of any pool.

initial-pool-size

Non-XA, XA

The initial number of connections a pool should hold.

interleaving

XA Only

Whether to enable interleaving for XA connections.

jndi-name

Non-XA, XA

The unique JNDI name for the datasource.

jta

Non-XA Only

Enable JTA integration.

max-pool-size

Non-XA, XA

The maximum number of connections that a pool can hold.

mcp

Non-XA, XA

The ManagedConnectionPool implementation. For example, org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool

min-pool-size

Non-XA, XA

The minimum number of connections that a pool can hold.

new-connection-sql

Non-XA, XA

An SQL statement to execute whenever a connection is added to the connection pool.

no-recovery

XA Only

Whether the connection pool should be excluded from recovery.

no-tx-separate-pool

XA Only

Whether to create a separate sub-pool for each context. This may be required for some Oracle datasources, which may not allow XA connections to be used both inside and outside of a JTA transaction. Using this option will cause your total pool size to be twice the max-pool-size, because two actual pools will be created.

pad-xid

XA Only

Whether to pad the Xid.

password

Non-XA, XA

The password to use when creating a new connection.

pool-fair

Non-XA, XA

Defines whether the pool should be fair. This setting is part of a Semaphore class used to manage the connection pools in JCA, which provides a performance benefit in some use cases where the order of leasing connections is not required.

pool-prefill

Non-XA, XA

Whether the pool should be prefilled.

pool-use-strict-min

Non-XA, XA

Whether min-pool-size should be considered strictly.

prepared-statements-cache-size

Non-XA, XA

The number of prepared statements per connection in a Least Recently Used (LRU) cache.

query-timeout

Non-XA, XA

The timeout for queries, in seconds. The default is no timeout.

reauth-plugin-class-name

Non-XA, XA

The fully-qualified class name of the reauthentication plugin implementation to reauthenticate physical connections.

reauth-plugin-properties

Non-XA, XA

The properties for the reauthentication plugin.

recovery-authentication-context

XA Only

The Elytron authentication context which defines the javax.security.auth.Subject that is used to distinguish connections in the pool.

recovery-credential-reference

XA Only

Credential, from a credential store, to authenticate on the datasource.

recovery-elytron-enabled

XA Only

Enables Elytron security for handling authentication of connections for recovery. The Elytron authentication-context used will be the current context if no authentication-context is specified. See authentication-context for additional information.

recovery-password

XA Only

The password to use to connect to the resource for recovery.

recovery-plugin-class-name

XA Only

The fully-qualified class name of the recovery plugin implementation.

recovery-plugin-properties

XA Only

The properties for the recovery plugin.

recovery-security-domain

XA Only

The security domain to use to connect to the resource for recovery.

recovery-username

XA Only

The user name to use to connect to the resource for recovery.

same-rm-override

XA Only

Whether the javax.transaction.xa.XAResource.isSameRM(XAResource) method returns true or false.

security-domain

Non-XA, XA

The name of a JAAS security-manager which handles authentication. This name correlates to the application-policy/name attribute of the JAAS login configuration.

set-tx-query-timeout

Non-XA, XA

Whether to set the query timeout based on the time remaining until transaction timeout. Any configured query timeout will be used if no transaction exists.

share-prepared-statements

Non-XA, XA

Whether JBoss EAP should cache, instead of close or terminate, the underlying physical statement when the wrapper supplied to the application is closed by application code. The default is false.

spy

Non-XA, XA

Enable spy functionality on the JDBC layer. This logs all JDBC traffic to the datasource. Note that the logging category jboss.jdbc.spy must also be set to the log level DEBUG in the logging subsystem.

stale-connection-checker-class-name

Non-XA, XA

An instance of org.jboss.jca.adapters.jdbc.StaleConnectionChecker that provides an isStaleConnection(SQLException) method. If this method returns true, then the exception is wrapped in an org.jboss.jca.adapters.jdbc.StaleConnectionException.

stale-connection-checker-properties

Non-XA, XA

The stale connection checker properties.

statistics-enabled

Non-XA, XA

Whether runtime statistics are enabled. The default is false.

track-statements

Non-XA, XA

Whether to check for unclosed statements when a connection is returned to a pool and a statement is returned to the prepared statement cache. If false, statements are not tracked. Valid values:

  • true: Statements and result sets are tracked, and a warning is issued if they are not closed.
  • false: Neither statements nor result sets are tracked.
  • nowarn: Statements are tracked but no warning is issued (default).

tracking

Non-XA, XA

Whether to track connection handles across transaction boundaries.

transaction-isolation

Non-XA, XA

The java.sql.Connection transaction isolation level. Valid values:

  • TRANSACTION_READ_UNCOMMITTED
  • TRANSACTION_READ_COMMITTED
  • TRANSACTION_REPEATABLE_READ
  • TRANSACTION_SERIALIZABLE
  • TRANSACTION_NONE

url-delimiter

Non-XA, XA

The delimiter for URLs in connection-url for High Availability (HA) datasources.

url-property

XA Only

The property for the URL property in the xa-datasource-property values.

url-selector-strategy-class-name

Non-XA, XA

A class that implements org.jboss.jca.adapters.jdbc.URLSelectorStrategy.

use-ccm

Non-XA, XA

Enable the cached connection manager.

use-fast-fail

Non-XA, XA

If true, fail a connection allocation on the first attempt if the connection is invalid. If false, keep trying until the pool is exhausted.

use-java-context

Non-XA, XA

Whether to bind the datasource into global JNDI.

use-try-lock

Non-XA, XA

A timeout value for internal locks. This attempts to obtain the lock for the configured number of seconds, before timing out, rather than failing immediately if the lock is unavailable. Uses tryLock() instead of lock().

user-name

Non-XA, XA

The user name to use when creating a new connection.

valid-connection-checker-class-name

Non-XA, XA

An implementation of org.jboss.jca.adapters.jdbc.ValidConnectionChecker which provides a SQLException isValidConnection(Connection e) method to validate a connection. An exception means the connection is destroyed. This overrides the attribute check-valid-connection-sql if it is present.

valid-connection-checker-properties

Non-XA, XA

The valid connection checker properties.

validate-on-match

Non-XA, XA

Whether connection validation is performed when a connection factory attempts to match a managed connection. This should be used when a client must have a connection validated prior to use. Validate-on-match is typically not to be used with background-validation or there will be redundant checks.

wrap-xa-resource

XA Only

Whether to wrap the XAResource in an org.jboss.tm.XAResourceWrapper instance.

xa-datasource-class

XA Only

The fully-qualified name of the javax.sql.XADataSource implementation class.

xa-datasource-properties

XA Only

String name/value pair of XA datasource properties.

xa-resource-timeout

XA Only

If non-zero, this value is passed to the XAResource.setTransactionTimeout method.
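The following Python code is an added example, not part of the Red Hat documentation. It audits datasource attributes for the settings this table itself calls out: inline passwords, spy logging, flush strategies marked as not recommended for production, redundant validation, missing query timeouts, pool doubling under no-tx-separate-pool, and the IdleRemover scan interval. It assumes the attributes are available as a dictionary keyed by the management-model names above; the datasource names, all sample values, the handling of `${...}` expressions, and the worst-case idle arithmetic are assumptions made for illustration.

```python
# Added example: audit datasource attributes keyed by management-model names.
# Datasource names and every value in SAMPLE are constructed for illustration.

NOT_FOR_PRODUCTION = {"EntirePool", "AllConnections"}  # per the flush-strategy entry
DEFAULT_IDLE_TIMEOUT_MINUTES = 30                      # per the idle-timeout-minutes entry


def is_inline_secret(value):
    """True for a literal secret. Assumption: a value starting with '${' is an
    expression resolved elsewhere and is not treated as a literal."""
    return isinstance(value, str) and value != "" and not value.startswith("${")


def audit_datasource(attrs):
    """Return a sorted list of (attribute, finding) pairs for one datasource."""
    findings = []
    for name in ("password", "recovery-password"):
        if is_inline_secret(attrs.get(name)):
            findings.append((name, "literal secret readable by anyone who can read the configuration"))
    if attrs.get("spy") is True:
        findings.append(("spy", "all JDBC traffic is logged once jboss.jdbc.spy is at DEBUG"))
    if attrs.get("flush-strategy") in NOT_FOR_PRODUCTION:
        findings.append(("flush-strategy", "removes active connections; not recommended for production"))
    if attrs.get("validate-on-match") is True and attrs.get("background-validation") is True:
        findings.append(("validate-on-match", "redundant checks when combined with background-validation"))
    if not attrs.get("query-timeout") and attrs.get("set-tx-query-timeout") is not True:
        findings.append(("query-timeout", "no query timeout is applied"))
    return sorted(findings)


def total_connections(attrs):
    """Upper bound on connections, or None when max-pool-size is unset.
    no-tx-separate-pool creates two pools, so the total doubles."""
    size = attrs.get("max-pool-size")
    if size is None:
        return None
    return size * 2 if attrs.get("no-tx-separate-pool") is True else size


def idle_scan_minutes(datasources):
    """IdleRemover scan time: half of the smallest idle-timeout-minutes of any pool."""
    timeouts = [a.get("idle-timeout-minutes", DEFAULT_IDLE_TIMEOUT_MINUTES)
                for a in datasources.values()]
    return min(timeouts) / 2


def worst_case_idle_minutes(attrs, scan):
    """Assumption: an expired connection is closed only at the next scan, so it
    can stay open for its timeout plus up to one scan interval."""
    return attrs.get("idle-timeout-minutes", DEFAULT_IDLE_TIMEOUT_MINUTES) + scan


SAMPLE = {  # constructed input
    "OrdersDS": {
        "jndi-name": "java:jboss/datasources/OrdersDS",
        "user-name": "orders_app",
        "password": "example-only",
        "spy": True,
        "flush-strategy": "EntirePool",
        "max-pool-size": 20,
        "idle-timeout-minutes": 10,
        "validate-on-match": True,
        "background-validation": True,
    },
    "LedgerXADS": {
        "jndi-name": "java:jboss/datasources/LedgerXADS",
        "recovery-username": "ledger_recovery",
        "recovery-credential-reference": {"store": "exampleStore", "alias": "ledger-recovery"},
        "flush-strategy": "FailingConnectionOnly",
        "max-pool-size": 15,
        "no-tx-separate-pool": True,
        "query-timeout": 30,
    },
}

if __name__ == "__main__":
    scan = idle_scan_minutes(SAMPLE)
    for ds_name, attrs in SAMPLE.items():
        print(f"{ds_name}: up to {total_connections(attrs)} connections, "
              f"idle connections may live {worst_case_idle_minutes(attrs, scan)} minutes")
        for attribute, finding in audit_datasource(attrs):
            print(f"  [{attribute}] {finding}")
```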

A.20. Datasource Statistics

Table A.41. Core Pool Statistics

Name

Description

ActiveCount

The number of active connections. Each of the connections is either in use by an application or available in the pool.

AvailableCount

The number of available connections in the pool.

AverageBlockingTime

The average time spent blocking on obtaining an exclusive lock on the pool. This value is in milliseconds.

AverageCreationTime

The average time spent creating a connection. This value is in milliseconds.

AverageGetTime

The average time spent obtaining a connection.

AveragePoolTime

The average time that a connection spent in the pool.

AverageUsageTime

The average time spent using a connection.

BlockingFailureCount

The number of failures trying to obtain a connection.

CreatedCount

The number of connections created.

DestroyedCount

The number of connections destroyed.

IdleCount

The number of connections that are currently idle.

InUseCount

The number of connections currently in use.

MaxCreationTime

The maximum time it took to create a connection. This value is in milliseconds.

MaxGetTime

The maximum time for obtaining a connection.

MaxPoolTime

The maximum time for a connection in the pool.

MaxUsageTime

The maximum time using a connection.

MaxUsedCount

The maximum number of connections used.

MaxWaitCount

The maximum number of requests waiting for a connection at the same time.

MaxWaitTime

The maximum time spent waiting for an exclusive lock on the pool.

TimedOut

The number of timed out connections.

TotalBlockingTime

The total time spent waiting for an exclusive lock on the pool. This value is in milliseconds.

TotalCreationTime

The total time spent creating connections. This value is in milliseconds.

TotalGetTime

The total time spent obtaining connections.

TotalPoolTime

The total time spent by connections in the pool.

TotalUsageTime

The total time spent using connections.

WaitCount

The number of requests that had to wait to obtain a connection.

XACommitAverageTime

The average time for an XAResource commit invocation.

XACommitCount

The number of XAResource commit invocations.

XACommitMaxTime

The maximum time for an XAResource commit invocation.

XACommitTotalTime

The total time for all XAResource commit invocations.

XAEndAverageTime

The average time for an XAResource end invocation.

XAEndCount

The number of XAResource end invocations.

XAEndMaxTime

The maximum time for an XAResource end invocation.

XAEndTotalTime

The total time for all XAResource end invocations.

XAForgetAverageTime

The average time for an XAResource forget invocation.

XAForgetCount

The number of XAResource forget invocations.

XAForgetMaxTime

The maximum time for an XAResource forget invocation.

XAForgetTotalTime

The total time for all XAResource forget invocations.

XAPrepareAverageTime

The average time for an XAResource prepare invocation.

XAPrepareCount

The number of XAResource prepare invocations.

XAPrepareMaxTime

The maximum time for an XAResource prepare invocation.

XAPrepareTotalTime

The total time for all XAResource prepare invocations.

XARecoverAverageTime

The average time for an XAResource recover invocation.

XARecoverCount

The number of XAResource recover invocations.

XARecoverMaxTime

The maximum time for an XAResource recover invocation.

XARecoverTotalTime

The total time for all XAResource recover invocations.

XARollbackAverageTime

The average time for an XAResource rollback invocation.

XARollbackCount

The number of XAResource rollback invocations.

XARollbackMaxTime

The maximum time for an XAResource rollback invocation.

XARollbackTotalTime

The total time for all XAResource rollback invocations.

XAStartAverageTime

The average time for an XAResource start invocation.

XAStartCount

The number of XAResource start invocations.

XAStartMaxTime

The maximum time for an XAResource start invocation.

XAStartTotalTime

The total time for all XAResource start invocations.

Table A.42. JDBC Statistics

Name

Description

PreparedStatementCacheAccessCount

The number of times that the statement cache was accessed.

PreparedStatementCacheAddCount

The number of statements added to the statement cache.

PreparedStatementCacheCurrentSize

The number of prepared and callable statements currently cached in the statement cache.

PreparedStatementCacheDeleteCount

The number of statements discarded from the cache.

PreparedStatementCacheHitCount

The number of times that statements from the cache were used.

PreparedStatementCacheMissCount

The number of times that a statement request could not be satisfied with a statement from the cache.

A.21. Transaction Manager Configuration Options

Note

Attribute names in this table are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/wildfly-txn_4_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.43. Transactions Subsystem Attributes

Attribute

Description

default-timeout

The default transaction timeout. This defaults to 300 seconds. You can override this programmatically, on a per-transaction basis.

enable-statistics

Deprecated in favor of statistics-enabled.

enable-tsm-status

Whether to enable the transaction status manager (TSM) service, which is used for out-of-process recovery. This option is not supported, as running an out-of-process recovery manager to contact the ActionStatusService from a different process, instead of in memory, is not supported.

hornetq-store-enable-async-io

Deprecated in favor of journal-store-enable-async-io.

jdbc-action-store-drop-table

Whether the JDBC action store should drop tables. The default is false.

jdbc-action-store-table-prefix

Optional prefix for the table used to write transaction logs in the configured JDBC action store.

jdbc-communication-store-drop-table

Whether the JDBC communication store should drop tables. The default is false.

jdbc-communication-store-table-prefix

Optional prefix for the table used to write transaction logs in the configured JDBC communication store.

jdbc-state-store-drop-table

Whether the JDBC state store should drop tables. The default is false.

jdbc-state-store-table-prefix

Optional prefix for the table used to write transaction logs in the configured JDBC state store.

jdbc-store-datasource

JNDI name of the non-XA datasource used. The datasource should be defined in the datasources subsystem.

journal-store-enable-async-io

Whether AsyncIO should be enabled for the journal store or not. Defaults to false. The server should be restarted for this setting to take effect.

jts

Whether to use Java Transaction Service (JTS) transactions. Defaults to false, which uses JTA transactions only.

node-identifier

The node identifier for the transaction manager. If this option is not set, you will see a warning upon server startup. This option is required in the following situations:

  • For JTS to JTS communications
  • When two transaction managers access shared resource managers
  • When two transaction managers access shared object stores

The node-identifier must be unique for each transaction manager as it is required to enforce data integrity during recovery. The node-identifier must also be unique for JTA because multiple nodes may interact with the same resource manager or share a transaction object store.

object-store-path

A relative or absolute file system path where the transaction manager object store stores data. By default, this path is relative to the value of the object-store-relative-to parameter. If object-store-relative-to is set to an empty string, this value is treated as an absolute path.

object-store-relative-to

References a global path configuration in the domain model. The default value is the data directory for JBoss EAP, which is the value of the property jboss.server.data.dir, and defaults to EAP_HOME/domain/data/ for a managed domain, or EAP_HOME/standalone/data/ for a standalone server instance. The value of the transaction manager's object-store-path attribute is relative to this path. Set this attribute to an empty string to have object-store-path be treated as an absolute path.

process-id-socket-binding

The name of the socket binding configuration to use if the transaction manager should use a socket-based process ID. This attribute is undefined if process-id-uuid is true; otherwise, it must be set.

process-id-socket-max-ports

The transaction manager creates a unique identifier for each transaction log. Two different mechanisms are provided for generating unique identifiers: a socket-based mechanism and a mechanism based on the process identifier of the process.

In the case of the socket-based identifier, a socket is opened and its port number is used for the identifier. If the port is already in use, the next port is probed, until a free one is found. The process-id-socket-max-ports represents the maximum number of sockets the transaction manager will try before failing. The default value is 10.

process-id-uuid

Set to true to use the process identifier to create a unique identifier for each transaction. Otherwise, the socket-based mechanism is used. Defaults to true. See process-id-socket-max-ports for more information. To enable process-id-socket-binding, set process-id-uuid to false.

recovery-listener

Whether or not the transaction recovery process should listen on a network socket. Defaults to false.

socket-binding

Specifies the name of the socket binding used by the transaction periodic recovery listener when recovery-listener is set to true.

statistics-enabled

Whether statistics should be enabled. The default is false.

status-socket-binding

Specifies the socket binding to use for the transaction status manager. This configuration option is not supported.

use-hornetq-store

Deprecated in favor of use-journal-store.

use-jdbc-store

Use the JDBC store for writing transaction logs. Set to true to enable and to false to use the default log store type.

use-journal-store

Use Apache ActiveMQ Artemis journaled storage mechanisms instead of file-based storage for the transaction logs. This is disabled by default, but can improve I/O performance. It is not recommended for JTS transactions on separate transaction managers. When changing this option, the server has to be restarted using the shutdown command for the change to take effect.

Table A.44. Log Store Attributes

Attribute

Description

expose-all-logs

Whether to expose all logs. The default is false, meaning that only a subset of transaction logs is exposed.

type

Specifies the implementation type of the logging store. The default is default.

Table A.45. Commit Markable Resource Attributes

Attribute

Description

batch-size

The batch size for this CMR resource. The default is 100.

immediate-cleanup

Whether to perform immediate cleanup for this CMR resource. The default is true.

jndi-name

The JNDI name of this CMR resource.

name

The table name for storing XIDs. The default is xids.

A.22. IIOP Subsystem Attributes

Note

Attribute names in this table are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/wildfly-iiop-openjdk_3_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.46. IIOP Subsystem Attributes

Attribute

Description

add-component-via-interceptor

Indicates whether SSL components should be added by an IOR interceptor. Deprecated.

auth-method

The authentication method. Valid values are none and username_password.

authentication-context

The name of the authentication context used when the security initializer is set to elytron.

caller-propagation

Indicates whether the caller identity should be propagated in the SAS context. Valid values are none and supported.

client-requires

Value that indicates the client SSL required parameters. Valid values are None, ServerAuth, ClientAuth, and MutualAuth. Deprecated: Use client-requires-ssl instead.

client-requires-ssl

Indicates whether IIOP connections from the server require SSL.

client-ssl-context

The name of the SSL context used to create client-side SSL sockets.

client-supports

Value that indicates the client SSL supported parameters. Valid values are None, ServerAuth, ClientAuth, and MutualAuth. Deprecated: Use client-requires-ssl instead.

confidentiality

Indicates whether the transport must require confidentiality protection or not. Valid values are none, supported, and required. Deprecated: Use server-requires-ssl instead.

detect-misordering

Indicates whether the transport must require misordering detection or not. Valid values are none, supported, and required. Deprecated: Use server-requires-ssl instead.

detect-replay

Indicates whether the transport must require replay detection or not. Valid values are none, supported, and required. Deprecated: Use server-requires-ssl instead.

export-corbaloc

Indicates whether the root context should be exported as corbaloc::address:port/NameService.

giop-version

The GIOP version to be used.

high-water-mark

TCP connection cache parameter. Each time the number of connections exceeds this value, the ORB tries to reclaim connections. The number of reclaimed connections is specified by the number-to-reclaim property. If this property is not set, then the OpenJDK ORB default is used.

integrity

Indicates whether the transport must require integrity protection or not. Valid values are none, supported, and required. Deprecated: Use server-requires-ssl instead.

number-to-reclaim

TCP connection cache parameter. Each time the number of connections exceeds the high-water-mark property, then the ORB tries to reclaim connections. The number of reclaimed connections is specified by this property. If it is not set, then the OpenJDK ORB default is used.

persistent-server-id

Persistent ID of the server. Persistent object references are valid across many activations of the server and they identify it using this property. As a result of that, many activations of the same server should have this property set to the same value, and different server instances running on the same host should have different server IDs.

properties

A list of generic key/value properties.

realm

The authentication service realm name.

required

Indicates whether authentication is required.

root-context

The naming service root context.

security

Indicates whether the security interceptors are to be installed. Valid values are client, identity, elytron, and none.

security-domain

The name of the security domain that holds the keystores and truststores that will be used to establish SSL connections.

server-requires

Value that indicates the server SSL required parameters. Valid values are None, ServerAuth, ClientAuth, and MutualAuth. Deprecated: Use server-requires-ssl instead.

server-requires-ssl

Indicates whether IIOP connections to the server require SSL.

server-ssl-context

The name of the SSL context used to create server-side SSL sockets.

server-supports

Value that indicates the server SSL supported parameters. Valid values are None, ServerAuth, ClientAuth, and MutualAuth. Deprecated: Use server-requires-ssl instead.

socket-binding

The name of the socket binding configuration that specifies the ORB port.

ssl-socket-binding

The name of the socket binding configuration that specifies the ORB SSL port.

support-ssl

Indicates whether SSL is supported.

transactions

Indicates whether the transactions interceptors are to be installed or not. Valid values are full, spec, and none. A value of full enables JTS while a value of spec enables a non-JTS spec-compliant mode that rejects incoming transaction contexts.

trust-in-client

Indicates if the transport must require trust in client to be established. Valid values are none, supported, and required. Deprecated: Use server-requires-ssl instead.

trust-in-target

Indicates if the transport must require trust in target to be established. Valid values are none and supported. Deprecated: Use server-requires-ssl instead.

A.23. Resource Adapter Attributes

The following tables describe the resource adapter attributes.

Note

Attribute names in these tables are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/wildfly-resource-adapters_5_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.47. Main Attributes

Attribute

Description

archive

The resource adapter archive.

beanvalidationgroups

The bean validation groups that should be used.

bootstrap-context

The unique name of the bootstrap context that should be used.

config-properties

Custom defined config properties.

module

The module from which the resource adapter will be loaded.

statistics-enabled

Whether runtime statistics are enabled or not.

transaction-support

The transaction support level of the resource adapter. Valid values are NoTransaction, LocalTransaction, or XATransaction.

wm-elytron-security-domain

Defines the name of the Elytron security domain that should be used.

wm-security

Toggles wm.security on or off for this resource adapter. If set to false, all wm-security-* parameters are ignored, even the defaults.

wm-security-default-groups

A default groups list that should be added to the used Subject instance.

wm-security-default-principal

A default principal name that should be added to the used Subject instance.

wm-security-domain

The name of the security domain that should be used.

wm-security-mapping-groups

List of group mappings.

wm-security-mapping-required

Defines if a mapping is required for security credentials.

wm-security-mapping-users

List of user mappings.

Note

If your resource adapter is using bootstrap-context along with a work manager that has elytron-enabled set to true, you must use the wm-elytron-security-domain attribute instead of the wm-security-domain attribute for security domain specification.

Table A.48. admin-objects Attributes

Attribute

Description

class-name

The fully qualified class name of an administration object.

enabled

Specifies if the administration object should be enabled.

jndi-name

The JNDI name for the administration object.

use-java-context

Setting this to false will bind the object into global JNDI.

Table A.49. connection-definitions Attributes

Attribute

Description

allocation-retry

Indicates the number of times that allocating a connection should be tried before throwing an exception.

allocation-retry-wait-millis

The amount of time, in milliseconds, to wait between retrying to allocate a connection.

authentication-context

The Elytron authentication context which defines the javax.security.auth.Subject that is used to distinguish connections in the pool.

authentication-context-and-application

Indicates that either application-supplied parameters, such as from getConnection(user, pw), or Subject, are used to distinguish connections in the pool. These parameters are provided by Elytron after authentication when using a configured authentication-context.

background-validation

Specifies that connections should be validated on a background thread versus being validated prior to use. Changing this value requires a server restart.

background-validation-millis

The amount of time, in milliseconds, that background validation will run. Changing this value requires a server restart.

blocking-timeout-wait-millis

The maximum time, in milliseconds, to block while waiting for a connection before throwing an exception. Note that this blocks only while waiting for locking a connection, and will never throw an exception if creating a new connection takes an inordinately long time.

capacity-decrementer-class

Class defining the policy for decrementing connections in the pool.

capacity-decrementer-properties

Properties to inject into the class defining the policy for decrementing connections in the pool.

capacity-incrementer-class

Class defining the policy for incrementing connections in the pool.

capacity-incrementer-properties

Properties to inject into the class defining the policy for incrementing connections in the pool.

class-name

The fully qualified class name of a managed connection factory or admin object.

connectable

Enable the use of CMR. This feature means that a local resource can reliably participate in an XA transaction.

elytron-enabled

Enables Elytron security for handling authentication of connections. The Elytron authentication-context to be used will be the current context if no context is specified. See authentication-context for additional information.

enabled

Specifies if the resource adapter should be enabled.

enlistment

Specifies if lazy enlistment should be used if supported by the resource adapter.

enlistment-trace

Specifies if JBoss EAP/IronJacamar should record enlistment traces. This is false by default.

flush-strategy

Specifies how the pool should be flushed in case of an error. Valid values are:

FailingConnectionOnly
Only the failing connection is removed. This is the default setting.
InvalidIdleConnections
The failing connection and idle connections that share the same credentials and are returned as invalid by the ValidatingManagedConnectionFactory.getInvalidConnections(…​) method are removed.
IdleConnections
The failing connection and idle connections that share the same credentials are removed.
Gracefully
The failing connection and idle connections that share the same credentials are removed. Active connections that share the same credentials are destroyed upon return to the pool.
EntirePool
The failing connection and idle and active connections that share the same credentials are removed. This setting is not recommended for production systems.
AllInvalidIdleConnections
The failing connection and idle connections that are returned as invalid by the ValidatingManagedConnectionFactory.getInvalidConnections(…​) method are removed.
AllIdleConnections
The failing connection and all idle connections are removed.
AllGracefully
The failing connection and all idle connections are removed. Active connections are destroyed upon return to the pool.
AllConnections
The failing connection and all idle and active connections are removed. This setting is not recommended for production systems.

idle-timeout-minutes

The maximum time, in minutes, a connection may be idle before being closed. The actual maximum time depends also on the IdleRemover scan time, which is half of the smallest idle-timeout-minutes value of any pool. Changing this value requires a server restart.

initial-pool-size

The initial number of connections a pool should hold.

interleaving

Specifies whether to enable interleaving for XA connections.

jndi-name

The JNDI name for the connection factory.

max-pool-size

The maximum number of connections for a pool. No more connections will be created in each sub-pool.

mcp

The ManagedConnectionPool implementation. For example: org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.

min-pool-size

The minimum number of connections for a pool.

no-recovery

Specifies if the connection pool should be excluded from recovery.

no-tx-separate-pool

Oracle does not like XA connections getting used both inside and outside a JTA transaction. To work around the problem, you can create separate sub-pools for the different contexts.

pad-xid

Specifies whether the Xid should be padded.

pool-fair

Specifies if pool use should be fair.

pool-prefill

Specifies if the pool should be prefilled. Changing this value requires a server restart.

pool-use-strict-min

Specifies if the min-pool-size should be considered strict.

recovery-authentication-context

The Elytron authentication context used for recovery. If no authentication-context is specified, then the current one will be used.

recovery-credential-reference

Credential, from a credential store, to authenticate on recovery of the connection.

recovery-elytron-enabled

Indicates that an Elytron authentication context will be used for recovery. The default is false.

recovery-password

The password used for recovery.

recovery-plugin-class-name

The fully qualified class name of the recovery plugin implementation.

recovery-plugin-properties

The properties for the recovery plugin.

recovery-security-domain

The security domain used for recovery.

recovery-username

The user name used for recovery.

same-rm-override

Unconditionally set whether javax.transaction.xa.XAResource.isSameRM(XAResource) returns true or false.

security-application

Indicates that application-supplied parameters, such as from getConnection(user, pw), are used to distinguish connections in the pool.

security-domain

The security domain which defines the javax.security.auth.Subject that is used to distinguish connections in the pool.

security-domain-and-application

Indicates that either application-supplied parameters, such as from getConnection(user, pw), or Subject, from the security domain, are used to distinguish connections in the pool.

sharable

Enable the use of sharable connections, which allows lazy association to be enabled if supported.

tracking

Specifies if IronJacamar should track connection handles across transaction boundaries.

use-ccm

Enable the use of a cached connection manager.

use-fast-fail

When set to true, fail a connection allocation on the first try if it is invalid. When set to false, keep trying until the pool is exhausted of all potential connections.

use-java-context

Setting this to false will bind the object into global JNDI.

validate-on-match

Specifies if connection validation should be done when a connection factory attempts to match a managed connection. This is typically exclusive to the use of background validation.

wrap-xa-resource

Specifies whether XAResource instances should be wrapped in an org.jboss.tm.XAResourceWrapper instance.

xa-resource-timeout

The value is passed to XAResource.setTransactionTimeout(), in seconds. The default is 0.

A.24. Resource Adapter Statistics

Table A.50. Resource Adapter Statistics

Name | Description

ActiveCount

The number of active connections. Each of the connections is either in use by an application or available in the pool.

AvailableCount

The number of available connections in the pool.

AverageBlockingTime

The average time spent blocking on obtaining an exclusive lock on the pool. The value is in milliseconds.

AverageCreationTime

The average time spent creating a connection. The value is in milliseconds.

CreatedCount

The number of connections created.

DestroyedCount

The number of connections destroyed.

InUseCount

The number of connections currently in use.

MaxCreationTime

The maximum time it took to create a connection. The value is in milliseconds.

MaxUsedCount

The maximum number of connections used.

MaxWaitCount

The maximum number of requests waiting for a connection at the same time.

MaxWaitTime

The maximum time spent waiting for an exclusive lock on the pool.

TimedOut

The number of timed out connections.

TotalBlockingTime

The total time spent waiting for an exclusive lock on the pool. The value is in milliseconds.

TotalCreationTime

The total time spent creating connections. The value is in milliseconds.

WaitCount

The number of requests that had to wait for a connection.

A.25. Undertow Subsystem Attributes

See the tables below for the attributes of the various elements of the undertow subsystem.

Note

Attribute names in these tables are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/wildfly-undertow_4_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.51. Main undertow Attributes

Attribute | Default | Description

default-security-domain

other

The default security domain used by web deployments.

default-server

default-server

The default server to use for deployments.

default-servlet-container

default

The default servlet container to use for deployments.

default-virtual-host

default-host

The default virtual host to use for deployments.

instance-id

${jboss.node.name}

The cluster instance ID.

statistics-enabled

false

Whether statistics are enabled.

Application Security Domain Attributes

The application security domain attributes have the following structure:

application-security-domain Attributes

Table A.52. application-security-domain Attributes

Attribute | Default | Description

enable-jacc

false

Enable authorization using JACC.

http-authentication-factory

 

The HTTP Authentication Factory to be used by deployments that reference the mapped security domain.

override-deployment-config

false

Whether the authentication configuration in the deployment should be overridden by the factory.

referencing-deployments

 

The deployments currently referencing this mapping.

single-sign-on Attributes

Table A.53. single-sign-on Attributes

Attribute | Default | Description

client-ssl-context

 

Reference to the SSL context used to secure back-channel logout connection.

cookie-name

JSESSIONIDSSO

Name of the cookie.

credential-reference

 

The credential reference to decrypt the private key entry.

domain

 

The cookie domain that will be used.

http-only

false

Set cookie httpOnly attribute.

key-alias

 

Alias of the private key entry used for signing and verifying back-channel logout connection.

key-store

 

Reference to keystore containing a private key entry.

path

/

Cookie path.

secure

false

Set cookie secure attribute.

Buffer Cache Attributes

Table A.54. buffer-cache Attributes

Attribute | Default | Description

buffer-size

1024

The size of the buffers. Smaller buffers allow space to be utilized more effectively.

buffers-per-region

1024

The numbers of buffers per region.

max-regions

10

The maximum number of regions. This controls the maximum amount of memory that can be used for caching.

Servlet Container Attributes

The servlet container component has the following structure:

servlet-container Attributes

Table A.55. servlet-container Attributes

Attribute | Default | Description

allow-non-standard-wrappers

false

Whether request and response wrappers that do not extend the standard wrapper classes can be used.

default-buffer-cache

default

The buffer cache to use for caching static resources.

default-encoding

 

Default encoding to use for all deployed applications.

default-session-timeout

30

The default session timeout in minutes for all applications deployed in the container.

directory-listing

 

If directory listing should be enabled for default servlets.

disable-caching-for-secured-pages

true

Whether to set headers to disable caching for secured pages. Disabling this can cause security problems, as sensitive pages may be cached by an intermediary.

disable-file-watch-service

false

If set to true, then the file watch service will not be used to monitor exploded deployments for changes. This attribute overrides the io.undertow.disable-file-system-watcher system property.

disable-session-id-reuse

false

If set to true, then an unknown session ID will never be reused and a new session ID will be generated. If set to false, then the session ID will be reused only if it is present in the session manager of another deployment to allow the same session ID to be shared between applications on the same server.

eager-filter-initialization

false

Whether to call filter init() on deployment start rather than when first requested.

ignore-flush

false

Ignore flushes on the servlet output stream. In most cases these just hurt performance for no good reason.

max-sessions

 

The maximum number of sessions that can be active at one time.

proactive-authentication

true

Whether proactive authentication should be used. If this is true, a user will always be authenticated if credentials are present.

session-id-length

30

The length of the generated session ID. Longer session IDs are more secure.

stack-trace-on-error

local-only

If an error page with the stack trace should be generated on error. Values are all, none and local-only.

use-listener-encoding

false

Use encoding defined on listener.

mime-mapping Attributes

Table A.56. mime-mapping Attributes

Attribute | Default | Description

value

 

The mime type for this mapping.

crawler-session-management Attributes

Configures special session handling for crawler bots.

Note

When using the management CLI to manage the crawler-session-management element, it is available under settings in the servlet-container element. For example:

/subsystem=undertow/servlet-container=default/setting=crawler-session-management:add
/subsystem=undertow/servlet-container=default/setting=crawler-session-management:read-resource

Table A.57. crawler-session-management Attributes

Attribute | Default | Description

session-timeout

 

The session timeout in seconds for sessions that are owned by crawlers.

user-agents

 

Regular expression that is used to match the user agent of a crawler.

jsp Attributes

Note

When using the management CLI to manage the jsp element, it is available under settings in the servlet-container element. For example:

/subsystem=undertow/servlet-container=default/setting=jsp:read-resource

Table A.58. jsp Attributes

Attribute | Default | Description

check-interval

0

Check interval for JSP updates using a background thread. This has no effect for most deployments where JSP change notifications are handled using the file system notification API. This only takes effect if the file watch service is disabled.

development

false

Enable development mode which enables reloading JSP on-the-fly.

disabled

false

Enable the JSP container.

display-source-fragment

true

When a runtime error occurs, attempts to display corresponding JSP source fragment.

dump-smap

false

Write SMAP data to a file.

error-on-use-bean-invalid-class-attribute

false

Enable errors when using a bad class in useBean.

generate-strings-as-char-arrays

false

Generate String constants as char arrays.

java-encoding

UTF8

Specify the encoding used for Java sources.

keep-generated

true

Keep the generated servlets.

mapped-file

true

Map to the JSP source.

modification-test-interval

4

Minimum amount of time between two tests for updates, in seconds.

optimize-scriptlets

false

If JSP scriptlets should be optimized to remove string concatenation.

recompile-on-fail

false

Retry failed JSP compilations on each request.

scratch-dir

 

Specify a different work directory.

smap

true

Enable SMAP.

source-vm

1.8

Source VM level for compilation.

tag-pooling

true

Enable tag pooling.

target-vm

1.8

Target VM level for compilation.

trim-spaces

false

Trim some spaces from the generated servlet.

x-powered-by

true

Enable advertising the JSP engine in x-powered-by.

persistent-sessions Attributes

Note

When using the management CLI to manage the persistent-sessions element, it is available under settings in the servlet-container element. For example:

/subsystem=undertow/servlet-container=default/setting=persistent-sessions:add
/subsystem=undertow/servlet-container=default/setting=persistent-sessions:read-resource

Table A.59. persistent-sessions Attributes

Attribute | Default | Description

path

 

The path to the persistent session data directory. If this is null, sessions will be stored in memory.

relative-to

 

The directory the path is relative to.

session-cookie Attributes

Note

When using the management CLI to manage the session-cookie element, it is available under settings in the servlet-container element. For example:

/subsystem=undertow/servlet-container=default/setting=session-cookie:add
/subsystem=undertow/servlet-container=default/setting=session-cookie:read-resource

Table A.60. session-cookie Attributes

Attribute | Default | Description

comment

 

Cookie comment.

domain

 

Cookie domain.

http-only

 

Whether the cookie is http-only.

max-age

 

Maximum age of the cookie.

name

 

Name of the cookie.

secure

 

Whether the cookie is secure.

websockets Attributes

Note

When using the management CLI to manage the websockets element, it is available under settings in the servlet-container element. For example:

/subsystem=undertow/servlet-container=default/setting=websockets:read-resource

Table A.61. websockets Attributes

Attribute | Default | Description

buffer-pool

default

The buffer pool to use for websocket deployments.

deflater-level

0

Configures the level of compression of the DEFLATE algorithm.

dispatch-to-worker

true

Whether callbacks should be dispatched to a worker thread. If this is false, then they will be run in the IO thread, which is faster; however, care must be taken not to perform blocking operations.

per-message-deflate

false

Enables websocket’s per-message compression extension.

worker

default

The worker to use for websocket deployments.

welcome-file Attributes

Defines a welcome file and has no options.

Filter Attributes

These components can be found at /subsystem=undertow/configuration=filter.

custom-filter Filters

Table A.62. custom-filter Attributes

Attribute | Default | Description

class-name

 

Class name of HttpHandler.

module

 

Module name where class can be loaded from.

parameters

 

Filter parameters.

error-page Filters

The error pages

Table A.63. error-page Attributes

Attribute | Default | Description

code

 

Error page code.

path

 

Error page path.

expression-filter Filters

A filter parsed from the Undertow expression language.

Table A.64. expression-filter Attributes

Attribute | Default | Description

expression

 

The expression that defines the filter.

module

 

Module to use to load the filter definitions.

gzip Filters

Defines the gzip filter and has no attributes.

mod-cluster Filters

The mod-cluster filter component has the following structure:

Table A.65. mod-cluster Attributes

Attribute | Default | Description

advertise-frequency

10000

The frequency in milliseconds that mod_cluster advertises itself on the network.

advertise-path

/

The path that mod_cluster is registered under.

advertise-protocol

http

The protocol that is in use.

advertise-socket-binding

 

The multicast group that is used to advertise.

broken-node-timeout

60000

The amount of time that must elapse before a broken node is removed from the table.

cached-connections-per-thread

5

The number of connections that will be kept alive indefinitely.

connection-idle-timeout

60

The amount of time a connection can be idle before it will be closed. Connections will not time out once the pool size is down to the configured minimum, which is configured by cached-connections-per-thread.

connections-per-thread

10

The number of connections that will be maintained to back-end servers, per IO thread.

enable-http2

false

Whether the load balancer should attempt to upgrade back-end connections to HTTP/2. If HTTP/2 is not supported, HTTP or HTTPS will be used as normal.

failover-strategy

LOAD_BALANCED

The attribute that determines how a failover node is chosen, in the event that the node to which a session has affinity is not available.

health-check-interval

10000

The frequency of health check pings to back-end nodes.

http2-enable-push

true

Whether push should be enabled for HTTP/2 connections.

http2-header-table-size

4096

The size of the header table used for HPACK compression, in bytes. This amount of memory will be allocated per connection for compression. Larger values use more memory but may give better compression.

http2-initial-window-size

65535

The flow control window size, in bytes, that controls how quickly the client can send data to the server.

http2-max-concurrent-streams

 

The maximum number of HTTP/2 streams that can be active at any time on a single connection.

http2-max-frame-size

16384

The maximum HTTP/2 frame size, in bytes.

http2-max-header-list-size

 

The maximum size, in bytes, of request headers the server is prepared to accept.

management-access-predicate

 

A predicate that is applied to incoming requests to determine if they can perform mod cluster management commands. Provides additional security on top of what is provided by limiting management to requests that originate from the management-socket-binding.

management-socket-binding

 

The socket binding of the mod_cluster management port. When using mod_cluster two HTTP listeners should be defined, a public one to handle requests, and one bound to the internal network to handle mod cluster commands. This socket binding should correspond to the internal listener, and should not be publicly accessible.

max-ajp-packet-size

8192

The maximum size, in bytes, for AJP packets. Increasing this will allow AJP to work for requests and responses that have a large number of headers. This must be the same between load balancers and backend servers.

max-request-time

-1

The maximum amount of time that a request to a back-end node can take before it is killed.

max-retries

1

The number of times that an attempt to retry a request will be made, if the request fails.

Note

If a request is not considered idempotent, it will only be retried if the proxy can be sure that it was not sent to the backend server.

request-queue-size

10

The number of requests that can be queued if the connection pool is full before requests are rejected with a 503.

security-key

 

The security key that is used for the mod_cluster group. All members must use the same security key.

security-realm

 

The security realm that provides the SSL configuration. Deprecated: Use the ssl-context attribute to reference a configured SSLContext directly.

ssl-context

 

The reference to the SSLContext that is used by the filter.

use-alias

false

Whether an alias check is performed.

worker

default

The XNIO worker that is used to send the advertise notifications.

Table A.66. balancer Attributes

Attribute | Default | Description

max-attempts

 

The number of attempts to send the request to a back-end server.

sticky-session

 

If sticky sessions are enabled.

sticky-session-cookie

 

The session cookie name.

sticky-session-force

 

If this is true, then an error will be returned if the request cannot be routed to the sticky node, otherwise it will be routed to another node.

sticky-session-path

 

The path of the sticky session cookie.

sticky-session-remove

 

Remove the session cookie if the request cannot be routed to the correct host.

wait-worker

 

The number of seconds to wait for an available worker.

load-balancing-group Attributes

Defines a load balancing group and has no options.

Table A.67. node Attributes

Attribute | Default | Description

aliases

 

The node's aliases.

cache-connections

 

The number of connections to keep alive indefinitely.

elected

 

The elected count.

flush-packets

 

If received data should be immediately flushed.

load

 

The current load of this node.

load-balancing-group

 

The load balancing group this node belongs to.

max-connections

 

The maximum number of connections per IO thread.

open-connections

 

The current number of open connections.

ping

 

The node's ping.

queue-new-requests

 

Whether a request should be queued if it is received and no worker is immediately available.

read

 

The number of bytes read from the node.

request-queue-size

 

The size of the request queue.

status

 

The current status of this node.

timeout

 

The request timeout.

ttl

 

The time connections will stay alive with no requests before being closed, if the number of connections is larger than cache-connections.

uri

 

The URI that the load balancer uses to connect to the node.

written

 

The number of bytes transferred to the node.

Table A.68. context Attributes

Attribute | Default | Description

requests

 

The number of requests against this context.

status

 

The status of this context.

request-limit Filters

Table A.69. request-limit Attributes

Attribute | Default | Description

max-concurrent-requests

 

Maximum number of concurrent requests.

queue-size

 

Number of requests to queue before they start being rejected.

response-header Filters

Response header filter allows you to add custom headers.

Table A.70. response-header Attributes

Attribute | Default | Description

header-name

 

The header name.

header-value

 

The header value.

rewrite Filters

Table A.71. rewrite Attributes

Attribute | Default | Description

redirect

false

Whether a redirect will be done instead of a rewrite.

target

 

The expression that defines the target. If you are redirecting to a constant target put single quotes around the value.

Handler Attributes

These components can be found at /subsystem=undertow/configuration=handler.

file Attributes

Table A.72. file Attributes

Attribute | Default | Description

cache-buffer-size

1024

Size of the buffers.

cache-buffers

1024

Number of buffers.

case-sensitive

true

Whether to use case-sensitive file handling. Note that setting this to false for case insensitivity will only work if the underlying file system is case insensitive.

directory-listing

false

Whether to enable directory listing.

follow-symlink

false

Whether to enable following symbolic links.

path

 

Path on the file system from where file handler will serve resources.

safe-symlink-paths

 

Paths that are safe to be targets of symbolic links.

Using WebDAV for Static Resources

Previous versions of JBoss EAP allowed for using WebDAV with the web subsystem, by way of the WebdavServlet, to host static resources and enable additional HTTP methods for accessing and manipulating those files. In JBoss EAP 7, the undertow subsystem does provide a mechanism for serving static files using a file handler, but the undertow subsystem does not support WebDAV. If you want to use WebDAV with JBoss EAP 7, you can write a custom WebDAV servlet.

reverse-proxy Attributes

The reverse-proxy handler component has the following structure:

Table A.73. reverse-proxy Attributes

Attribute | Default | Description

cached-connections-per-thread

5

The number of connections that will be kept alive indefinitely.

connection-idle-timeout

60

The amount of time a connection can be idle before it will be closed. Connections will not time out once the pool size is down to the configured minimum (as configured by cached-connections-per-thread).

connections-per-thread

40

The number of connections that will be maintained to back-end servers, per IO thread.

max-request-time

-1

The maximum time that a proxy request can be active for, before being killed. Defaults to unlimited.

max-retries

1

The number of times that an attempt to retry a request will be made, if the request fails.

Note

If a request is not considered idempotent, it will only be retried if the proxy can be sure that it was not sent to the backend server.

problem-server-retry

30

Time in seconds to wait before attempting to reconnect to a server that is down.

request-queue-size

10

The number of requests that can be queued if the connection pool is full before requests are rejected with a 503.

session-cookie-names

JSESSIONID

Comma-separated list of session cookie names. Generally this will just be JSESSIONID.

Table A.74. host Attributes

Attribute | Default | Description

enable-http2

false

If true, then the proxy will attempt to use HTTP/2 to connect to the back end. If it is not supported, it will fall back to HTTP/1.1.

instance-id

 

The instance ID, or JVM route, that will be used to enable sticky sessions.

outbound-socket-binding

 

Outbound socket binding for this host.

path

/

Optional path if the host is using a non-root resource.

scheme

http

The kind of scheme that is used.

security-realm

 

The security realm that provides the SSL configuration for the connection to the host.

ssl-context

 

Reference to the SSLContext to be used by this handler.

Server Attributes

The server component has the following structure:

server Attributes

Table A.75. server Attributes

Attribute | Default | Description

default-host

default-host

The server’s default virtual host.

servlet-container

default

The server’s default servlet container.

ajp-listener Attributes

Table A.76. ajp-listener Attributes

Attribute | Default | Description

allow-encoded-slash

false

If a request comes in with encoded characters, for example %2F, whether these will be decoded.

allow-equals-in-cookie-value

false

Whether to allow non-escaped equals characters in unquoted cookie values. Unquoted cookie values may not contain equals characters. If present the value ends before the equals sign. The remainder of the cookie value will be dropped.

always-set-keep-alive

true

Whether a Connection: keep-alive header will be added to responses, even when it is not strictly required by the specification.

buffer-pipelined-data

false

Whether to buffer pipelined requests.

buffer-pool

default

The AJP listener’s buffer pool.

decode-url

true

If this is true then the parser will decode the URL and query parameters using the selected character encoding, defaulting to UTF-8. If this is false they will not be decoded. This will allow a later handler to decode them into whatever charset is desired.

disallowed-methods

["TRACE"]

A comma-separated list of HTTP methods that are not allowed.

enabled

true

If the listener is enabled. Deprecated: Enabled attributes can cause problems in enforcement of configuration consistency.

max-ajp-packet-size

8192

The maximum supported size of AJP packets. If this is modified, it has to be increased on the load balancer and the back-end server.

max-buffered-request-size

16384

Maximum size of a buffered request, in bytes. Requests are not usually buffered; the most common case is when performing SSL renegotiation for a POST request, and the post data must be fully buffered in order to perform the renegotiation.

max-connections

 

The maximum number of concurrent connections. If no value is set in the server configuration, the limit for the number of concurrent connections is Integer.MAX_VALUE.

max-cookies

200

The maximum number of cookies that will be parsed. This is used to protect against hash vulnerabilities.

max-header-size

1048576

The maximum size in bytes of a HTTP request header.

max-headers

200

The maximum number of headers that will be parsed. This is used to protect against hash vulnerabilities.

max-parameters

1000

The maximum number of parameters that will be parsed. This is used to protect against hash vulnerabilities. This applies to both query parameters, and to POST data, but is not cumulative. For example, you can potentially have max parameters * 2 total parameters.

max-post-size

10485760

The maximum size of a post that will be accepted.

no-request-timeout

60000

The length of time in milliseconds that the connection can be idle before it is closed by the container.

read-timeout

 

Configure a read timeout for a socket, in milliseconds. If the given amount of time elapses without a successful read taking place, the socket’s next read will throw a ReadTimeoutException.

receive-buffer

 

The receive buffer size.

record-request-start-time

false

Whether to record the request start time, to allow for request time to be logged. This has a small but measurable performance impact.

redirect-socket

 

If this listener is supporting non-SSL requests, and a request is received for which a matching requires SSL transport, whether to automatically redirect the request to the socket binding port specified here.

request-parse-timeout

 

The maximum amount of time in milliseconds that can be spent parsing the request.

resolve-peer-address

false

Enables host DNS lookup.

scheme

 

The listener scheme, can be HTTP or HTTPS. By default the scheme will be taken from the incoming AJP request.

secure

false

If this is true, then requests that originate from this listener are marked as secure, even if the request is not using HTTPS.

send-buffer

 

The send buffer size.

socket-binding

 

The AJP listener’s socket binding.

tcp-backlog

 

Configure a server with the specified backlog.

tcp-keep-alive

 

Configure a channel to send TCP keep-alive messages in an implementation-dependent manner.

url-charset

UTF-8

URL charset.

worker

default

The listener’s XNIO worker.

write-timeout

 

Configure a write timeout for a socket, in milliseconds. If the given amount of time elapses without a successful write taking place, the socket’s next write will throw a WriteTimeoutException.

host Attributes

Table A.77. host Attributes

Attribute | Default | Description

alias

 

Comma-separated list of aliases for the host.

default-response-code

404

If set, this will be the response code sent back in case the requested context does not exist on the server.

default-web-module

ROOT.war

Default web module.

disable-console-redirect

false

If set to true, /console redirect will not be enabled for this host.

filter-ref Attributes

Table A.78. filter-ref Attributes

Attribute | Default | Description

predicate

 

Predicates provide a simple way of making a true/false decision based on an exchange. Many handlers have a requirement that they be applied conditionally, and predicates provide a general way to specify a condition.

priority

1

Defines filter order. A lower number instructs the server to be included earlier in the handler chain than others above the same context. Values range from 1, indicating the filter will be handled first, to 2147483647, resulting in the filter being handled last.

location Attributes

Table A.79. location Attributes

Attribute | Default | Description

handler

 

Default handler for this location.

filter-ref Attributes

Table A.80. filter-ref Attributes

Attribute | Default | Description

predicate

 

Predicates provide a simple way of making a true/false decision based on an exchange. Many handlers have a requirement that they be applied conditionally, and predicates provide a general way to specify a condition.

priority

1

Defines filter order. It should be set to 1 or more. A higher number instructs the server to be included earlier in the handler chain than others under the same context.

access-log Attributes

Note

When using the management CLI to manage the access-log element, it is available under settings in the host element. For example:

/subsystem=undertow/server=default-server/host=default-host/setting=access-log:add
/subsystem=undertow/server=default-server/host=default-host/setting=access-log:read-resource

Table A.81. access-log Attributes

Attribute | Default | Description

directory

${jboss.server.log.dir}

The directory in which to save logs.

extended

false

Whether the log uses the extended log file format.

pattern

common

The access log pattern.

Note

If you set the pattern to print the time taken to process the request, you must also enable the record-request-start-time attribute on the appropriate listeners; otherwise the time will not be recorded properly in the access log. For example:

/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=record-request-start-time,value=true)

predicate

 

Predicate that determines if the request should be logged.

prefix

access_log.

Prefix for the log file name.

relative-to

 

The directory the path is relative to.

rotate

true

Whether to rotate the access log every day.

suffix

log

Suffix for the log file name.

use-server-log

false

Whether the log should be written to the server log, rather than a separate file.

worker

default

Name of the worker to use for logging.

http-invoker Attributes

Table A.82. http-invoker Attributes

Attribute | Default | Description

http-authentication-factory

 

The HTTP authentication factory to use for authentication.

path

wildfly-services

The path that the services are installed under.

security-realm

 

The legacy security realm to use for authentication.

single-sign-on Attributes

Note

When using the management CLI to manage the single-sign-on element, it is available under settings in the host element. For example:

/subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add
/subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:read-resource

Important

While distributed single sign-on is no different from an application perspective from previous versions of JBoss EAP, in JBoss EAP 7 the caching and distribution of authentication information is handled differently. For JBoss EAP 7, when running the ha profile, by default each host will have its own Infinispan cache which will store the relevant session and SSO cookie information. This cache is based on the default cache of the web cache container. JBoss EAP will also handle propagating information between all hosts' individual caches.

Table A.83. single-sign-on Attributes

Attribute | Default | Description

cookie-name

JSESSIONIDSSO

Name of the cookie.

domain

 

The cookie domain that will be used.

http-only

false

Set cookie httpOnly attribute.

path

/

Cookie path.

secure

false

Set cookie secure attribute.

http-listener Attributes

Table A.84. http-listener Attributes

Attribute | Default | Description

allow-encoded-slash

false

If a request comes in with encoded characters, for example %2F, whether these will be decoded.

allow-equals-in-cookie-value

false

Whether to allow non-escaped equals characters in unquoted cookie values. Unquoted cookie values may not contain equals characters. If present the value ends before the equals sign. The remainder of the cookie value will be dropped.

always-set-keep-alive

true

Whether a Connection: keep-alive header will be added to responses, even when it is not strictly required by the specification.

buffer-pipelined-data

false

Whether to buffer pipelined requests.

buffer-pool

default

The listener’s buffer pool.

certificate-forwarding

false

Whether certificate forwarding should be enabled. If this is enabled then the listener will take the certificate from the SSL_CLIENT_CERT attribute. This should only be enabled if behind a proxy, and the proxy is configured to always set these headers.

decode-url

true

Whether the parser will decode the URL and query parameters using the selected character encoding, defaulting to UTF-8. If this is false they will not be decoded. This will allow a later handler to decode them into whatever charset is desired.

disallowed-methods

["TRACE"]

A comma-separated list of HTTP methods that are not allowed.

enable-http2

false

Whether to enable HTTP/2 support for this listener.

enabled

true

Whether the listener is enabled. Deprecated: Enabled attributes can cause problems in enforcement of configuration consistency.

http2-enable-push

true

Whether server push is enabled for this connection.

http2-header-table-size

4096

The size, in bytes, of the header table used for HPACK compression. This amount of memory will be allocated per connection for compression. Larger values use more memory but may give better compression.

http2-initial-window-size

65535

The flow control window size, in bytes, that controls how quickly the client can send data to the server.

http2-max-concurrent-streams

 

The maximum number of HTTP/2 streams that can be active at any time on a single connection.

http2-max-frame-size

16384

The maximum HTTP/2 frame size, in bytes.

http2-max-header-list-size

 

The maximum size of request headers the server is prepared to accept.

max-buffered-request-size

16384

Maximum size of a buffered request, in bytes. Requests are not usually buffered; the most common case is when performing SSL renegotiation for a POST request, where the post data must be fully buffered in order to perform the renegotiation.

max-connections

 

The maximum number of concurrent connections. If no value is set in the server configuration, the limit for the number of concurrent connections is Integer.MAX_VALUE.

max-cookies

200

The maximum number of cookies that will be parsed. This is used to protect against hash vulnerabilities.

max-header-size

1048576

The maximum size, in bytes, of an HTTP request header.

max-headers

200

The maximum number of headers that will be parsed. This is used to protect against hash vulnerabilities.

max-parameters

1000

The maximum number of parameters that will be parsed. This is used to protect against hash vulnerabilities. This applies to both query parameters and POST data, but is not cumulative. For example, you can potentially have max parameters * 2 total parameters.

max-post-size

10485760

The maximum size of a post that will be accepted.

no-request-timeout

60000

The length of time in milliseconds that the connection can be idle before it is closed by the container.

proxy-address-forwarding

false

Whether to enable x-forwarded-host and similar headers and set a remote IP address and host name.

read-timeout

 

Configure a read timeout for a socket, in milliseconds. If the given amount of time elapses without a successful read taking place, the socket’s next read will throw a ReadTimeoutException.

receive-buffer

 

The receive buffer size.

record-request-start-time

false

Whether to record the request start time, to allow for request time to be logged. This has a small but measurable performance impact.

redirect-socket

 

If this listener is supporting non-SSL requests, and a request is received for which a matching security constraint requires SSL transport, whether to automatically redirect the request to the socket binding port specified here.

request-parse-timeout

 

The maximum amount of time in milliseconds that can be spent parsing the request.

require-host-http11

false

Requires all HTTP/1.1 requests to have a Host header. If the request does not include this header it will be rejected with a 403 error.

resolve-peer-address

false

Enables host DNS lookup.

secure

false

If this is true, requests that originate from this listener are marked as secure, even if the request is not using HTTPS.

send-buffer

 

The send buffer size.

socket-binding

 

The listener’s socket binding.

tcp-backlog

 

Configure a server with the specified backlog.

tcp-keep-alive

 

Configure a channel to send TCP keep-alive messages in an implementation-dependent manner.

url-charset

UTF-8

URL charset.

worker

default

The listener’s XNIO worker.

write-timeout

 

Configure a write timeout for a socket, in milliseconds. If the given amount of time elapses without a successful write taking place, the socket’s next write will throw a WriteTimeoutException.

https-listener Attributes

Table A.85. https-listener Attributes

Attribute | Default | Description

allow-encoded-slash

false

If a request comes in with encoded characters, for example %2F, whether these will be decoded.

allow-equals-in-cookie-value

false

Whether to allow non-escaped equals characters in unquoted cookie values. Unquoted cookie values may not contain equals characters. If present the value ends before the equals sign. The remainder of the cookie value will be dropped.

always-set-keep-alive

true

Whether a Connection: keep-alive header will be added to responses, even when it is not strictly required by the specification.

buffer-pipelined-data

false

Whether to buffer pipelined requests.

buffer-pool

default

The listener’s buffer pool.

certificate-forwarding

false

Whether certificate forwarding should be enabled or not. If this is enabled then the listener will take the certificate from the SSL_CLIENT_CERT attribute. This should only be enabled if behind a proxy, and the proxy is configured to always set these headers.

decode-url

true

Whether the parser will decode the URL and query parameters using the selected character encoding, defaulting to UTF-8. If this is false they will not be decoded. This will allow a later handler to decode them into whatever charset is desired.

disallowed-methods

["TRACE"]

A comma-separated list of HTTP methods that are not allowed.

enable-http2

false

Enables HTTP/2 support for this listener.

enable-spdy

false

Enables SPDY support for this listener. Deprecated: SPDY has been replaced by HTTP/2.

enabled

true

If the listener is enabled. Deprecated: Enabled attributes can cause problems in enforcement of configuration consistency.

enabled-cipher-suites

 

Configures enabled SSL ciphers. Deprecated: Where an SSLContext is referenced it should be configured with the cipher suites to be supported.

enabled-protocols

 

Configures SSL protocols. Deprecated: Where an SSLContext is referenced it should be configured with the cipher suites to be supported.

http2-enable-push

true

If server push is enabled for this connection.

http2-header-table-size

4096

The size, in bytes, of the header table used for HPACK compression. This amount of memory will be allocated per connection for compression. Larger values use more memory but may give better compression.

http2-initial-window-size

65535

The flow control window size, in bytes, that controls how quickly the client can send data to the server.

http2-max-concurrent-streams

 

The maximum number of HTTP/2 streams that can be active at any time on a single connection.

http2-max-frame-size

16384

The maximum HTTP/2 frame size, in bytes.

http2-max-header-list-size

 

The maximum size of request headers the server is prepared to accept.

max-buffered-request-size

16384

Maximum size of a buffered request, in bytes. Requests are not usually buffered; the most common case is when performing SSL renegotiation for a POST request, where the post data must be fully buffered in order to perform the renegotiation.

max-connections

 

The maximum number of concurrent connections. If no value is set in the server configuration, the limit for the number of concurrent connections is Integer.MAX_VALUE.

max-cookies

100

The maximum number of cookies that will be parsed. This is used to protect against hash vulnerabilities.

max-header-size

1048576

The maximum size, in bytes, of an HTTP request header.

max-headers

200

The maximum number of headers that will be parsed. This is used to protect against hash vulnerabilities.

max-parameters

1000

The maximum number of parameters that will be parsed. This is used to protect against hash vulnerabilities. This applies to both query parameters, and to POST data, but is not cumulative. For example, you can potentially have max parameters * 2 total parameters.

max-post-size

10485760

The maximum size of a post that will be accepted.

no-request-timeout

60000

The length of time in milliseconds that the connection can be idle before it is closed by the container.

proxy-address-forwarding

false

Enables handling of x-forwarded-host header, and other x-forwarded-* headers, and uses this header information to set the remote address. This should only be used behind a trusted proxy that sets these headers otherwise a remote user can spoof their IP address.

read-timeout

 

Configure a read timeout for a socket, in milliseconds. If the given amount of time elapses without a successful read taking place, the socket’s next read will throw a ReadTimeoutException.

receive-buffer

 

The receive buffer size.

record-request-start-time

false

Whether to record the request start time, to allow for request time to be logged. This has a small but measurable performance impact.

request-parse-timeout

 

The maximum amount of time in milliseconds that can be spent parsing the request.

require-host-http11

false

Require that all HTTP/1.1 requests have a 'Host' header. If the request does not include this header it will be rejected with a 403.

resolve-peer-address

false

Enables host DNS lookup.

secure

false

If this is true then requests that originate from this listener are marked as secure, even if the request is not using HTTPS.

security-realm

 

The listener’s security realm. Deprecated: Use the ssl-context attribute to reference a configured SSLContext directly.

send-buffer

 

The send buffer size.

socket-binding

 

The listener’s socket binding.

ssl-context

 

Reference to the SSLContext to be used by this listener.

ssl-session-cache-size

 

The maximum number of active SSL sessions. Deprecated: This can now be configured on the Elytron security context.

ssl-session-timeout

 

The timeout for SSL sessions, in seconds. Deprecated: This can now be configured on the Elytron security context.

tcp-backlog

 

Configure a server with the specified backlog.

tcp-keep-alive

 

Configure a channel to send TCP keep-alive messages in an implementation-dependent manner.

url-charset

UTF-8

URL charset.

verify-client

NOT_REQUESTED

The desired SSL client authentication mode for SSL channels. Deprecated: Where an SSLContext is referenced it should be configured directly for the required mode of client verification.

worker

default

The listener’s XNIO worker.

write-timeout

 

Configure a write timeout for a socket, in milliseconds. If the given amount of time elapses without a successful write taking place, the socket’s next write will throw a WriteTimeoutException.
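The listener and single-sign-on tables above carry several settings that are only safe in particular deployments (forwarded headers behind a proxy, cookie flags, TRACE rejection, connection limits). The following audit is an added example, not part of the Red Hat documentation. It assumes the server resource has been exported as nested dictionaries in the shape of a recursive read-resource; the sample data, the audit function and the trusted_proxy_listeners parameter are constructed for illustration, and the %D and %T timing tokens are an assumption taken from Undertow's access-log format rather than from this page.

```python
"""Audit an exported undertow server resource against the attribute tables above."""

# Defaults from Tables A.83 to A.85; an undefined (None) attribute falls back to these.
DEFAULTS = {
    "proxy-address-forwarding": False,
    "certificate-forwarding": False,
    "disallowed-methods": ["TRACE"],
    "record-request-start-time": False,
    "http-only": False,
    "secure": False,
}
# https-listener attributes that Table A.85 marks as deprecated.
DEPRECATED_TLS = ("security-realm", "enabled-cipher-suites", "enabled-protocols",
                  "ssl-session-cache-size", "ssl-session-timeout")
# Assumption: %D and %T are Undertow's access-log tokens for time taken;
# they are not listed on this page.
TIMING_TOKENS = ("%D", "%T")

# Constructed sample in the shape of a recursive read-resource (assumed layout).
SAMPLE_SERVER = {
    "http-listener": {"default": {
        "proxy-address-forwarding": True, "disallowed-methods": None,
        "max-connections": None, "record-request-start-time": None}},
    "https-listener": {"https": {
        "certificate-forwarding": True, "disallowed-methods": [],
        "max-connections": 2000, "record-request-start-time": True,
        "security-realm": "ApplicationRealm", "ssl-context": None}},
    "host": {"default-host": {"setting": {
        "single-sign-on": {"cookie-name": "JSESSIONIDSSO", "secure": None, "http-only": True},
        "access-log": {"pattern": '%h %l %u %t "%r" %s %b %D'}}}},
}


def effective(attrs, name):
    """Value the server would use: the configured one, else the documented default."""
    value = attrs.get(name)
    return DEFAULTS.get(name) if value is None else value


def audit(server, trusted_proxy_listeners=()):
    """Return sorted (resource, attribute, reason) findings for one server resource.

    trusted_proxy_listeners names the listeners known to sit behind a proxy that
    always sets the forwarded headers (hypothetical parameter of this example).
    """
    findings = []
    listeners = [(kind, name, attrs)
                 for kind in ("http-listener", "https-listener")
                 for name, attrs in (server.get(kind) or {}).items()]
    for kind, name, attrs in listeners:
        where = f"{kind}={name}"
        for attr in ("proxy-address-forwarding", "certificate-forwarding"):
            if effective(attrs, attr) and name not in trusted_proxy_listeners:
                findings.append((where, attr,
                                 "forwarded headers are trusted without a known proxy in front"))
        methods = [m.upper() for m in effective(attrs, "disallowed-methods")]
        if "TRACE" not in methods:
            findings.append((where, "disallowed-methods", "TRACE is no longer rejected"))
        if attrs.get("max-connections") is None:
            findings.append((where, "max-connections",
                             "unset, so the limit is Integer.MAX_VALUE"))
        if kind == "https-listener":
            for attr in DEPRECATED_TLS:
                if attrs.get(attr) is not None:
                    findings.append((where, attr, "deprecated; configure the ssl-context instead"))
    for host_name, host in (server.get("host") or {}).items():
        settings = host.get("setting") or {}
        sso = settings.get("single-sign-on")
        if sso is not None:
            for attr in ("secure", "http-only"):
                if not effective(sso, attr):
                    findings.append((f"host={host_name}/setting=single-sign-on", attr,
                                     "SSO cookie is issued without this flag"))
        log = settings.get("access-log")
        pattern = (log or {}).get("pattern") or "common"
        if any(token in pattern for token in TIMING_TOKENS):
            for kind, name, attrs in listeners:
                if not effective(attrs, "record-request-start-time"):
                    findings.append((f"{kind}={name}", "record-request-start-time",
                                     "access log prints time taken but start time is not recorded"))
    return sorted(set(findings))


if __name__ == "__main__":
    for resource, attribute, reason in audit(SAMPLE_SERVER, trusted_proxy_listeners={"https"}):
        print(f"{resource}: {attribute}: {reason}")
```

Listeners named in trusted_proxy_listeners are exempt only from the forwarded-header checks; every other check still applies to them.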

A.26. Undertow Subsystem Statistics

Table A.86. ajp-listener Statistics

Name | Description

bytes-received

The number of bytes that have been received by this listener.

bytes-sent

The number of bytes that have been sent out on this listener.

error-count

The number of 500 responses that have been sent by this listener.

max-processing-time

The maximum processing time taken by a request on this listener.

processing-time

The total processing time of all requests handled by this listener.

request-count

The number of requests this listener has served.

Table A.87. http-listener Statistics

Name | Description

bytes-received

The number of bytes that have been received by this listener.

bytes-sent

The number of bytes that have been sent out on this listener.

error-count

The number of 500 responses that have been sent by this listener.

max-processing-time

The maximum processing time taken by a request on this listener.

processing-time

The total processing time of all requests handled by this listener.

request-count

The number of requests this listener has served.

Table A.88. https-listener Statistics

Name | Description

bytes-received

The number of bytes that have been received by this listener.

bytes-sent

The number of bytes that have been sent out on this listener.

error-count

The number of 500 responses that have been sent by this listener.

max-processing-time

The maximum processing time taken by a request on this listener.

processing-time

The total processing time of all requests handled by this listener.

request-count

The number of requests this listener has served.

A.27. Default Behavior of HTTP Methods

Compared to the web subsystem in previous JBoss EAP releases, the undertow subsystem in JBoss EAP 7.1 has different default behaviors of HTTP methods. The following table outlines the default behaviors in JBoss EAP 7.1.

Table A.89. HTTP Method Default Behavior

HTTP Method | JSP | Static HTML | Static HTML by File Handler

GET | OK | OK | OK
POST | OK | NOT_ALLOWED | OK
HEAD | OK | OK | OK
PUT | NOT_ALLOWED | NOT_ALLOWED | NOT_ALLOWED
TRACE | NOT_ALLOWED | NOT_ALLOWED | NOT_ALLOWED
DELETE | NOT_ALLOWED | NOT_ALLOWED | NOT_ALLOWED
OPTIONS | NOT_ALLOWED | OK | NOT_ALLOWED

Note

For servlets, the default behavior depends on its implementation, except for the TRACE method, which has a default behavior of NOT_ALLOWED.

A.28. Remoting Subsystem Attributes

Note

Attribute names in these tables are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/wildfly-remoting_4_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.90. remoting Attributes

Attribute | Default | Description

worker-read-threads

1

The number of read threads to create for the remoting worker.

worker-task-core-threads

4

The number of core threads for the remoting worker task thread pool.

worker-task-keepalive

60

The number of milliseconds to keep non-core remoting worker task threads alive.

worker-task-limit

16384

The maximum number of remoting worker tasks to allow before rejecting.

worker-task-max-threads

16

The maximum number of threads for the remoting worker task thread pool.

worker-write-threads

1

The number of write threads to create for the remoting worker.

Important

The above attributes of the remoting element are deprecated. These attributes should now be configured using the io subsystem.

Table A.91. endpoint Attributes

Attribute | Default | Description

auth-realm

 

The authentication realm to use if no authentication CallbackHandler is specified.

authentication-retries

3

Specify the number of times a client is allowed to retry authentication before closing the connection.

authorize-id

 

The SASL authorization ID. Used as the authentication user name if no authentication CallbackHandler is specified and the selected SASL mechanism demands a user name.

buffer-region-size

 

The size of allocated buffer regions.

heartbeat-interval

2147483647

The interval to use for connection heartbeat, in milliseconds. If the connection is idle in the outbound direction for this amount of time, a ping message will be sent, which will trigger a corresponding reply message.

max-inbound-channels

40

The maximum number of concurrent inbound messages on a channel.

max-inbound-message-size

9223372036854775807

The maximum inbound message size to be allowed. Messages exceeding this size will cause an exception to be thrown on the reading side as well as the writing side.

max-inbound-messages

80

The maximum number of inbound channels to support for a connection.

max-outbound-channels

40

The maximum number of concurrent outbound messages on a channel.

max-outbound-message-size

9223372036854775807

The maximum outbound message size to send. No messages larger than this will be transmitted; attempting to do so will cause an exception on the writing side.

max-outbound-messages

65535

The maximum number of outbound channels to support for a connection.

receive-buffer-size

8192

The size of the largest buffer that this endpoint will accept over a connection.

receive-window-size

131072

The maximum window size of the receive direction for connection channels, in bytes.

sasl-protocol

remote

When a SaslServer or SaslClient is created, the protocol specified by default is remote. This attribute can be used to override this protocol.

send-buffer-size

8192

The size of the largest buffer that this endpoint will transmit over a connection.

server-name

 

The server side of the connection passes its name to the client in the initial greeting. By default, the name is automatically discovered from the local address of the connection, or it can be overridden using this attribute.

transmit-window-size

131072

The maximum window size of the transmit direction for connection channels, in bytes.

worker

default

Worker to use.

Note

When using the management CLI to update the endpoint element, it is available under configuration in the remoting element. For example: /subsystem=remoting/configuration=endpoint/.

Connector Attributes

The connector component has the following structure:

Table A.92. connector Attributes

Attribute | Default | Description

authentication-provider

 

The authentication-provider element contains the name of the authentication provider to use for incoming connections.

sasl-authentication-factory

 

Reference to the SASL authentication factory to secure this connector.

sasl-protocol

remote

The protocol to pass into the SASL mechanisms used for authentication.

security-realm

 

The associated security realm to use for authentication for this connector.

server-name

 

The server name to send in the initial message exchange and for SASL based authentication.

socket-binding

 

The name (or names) of the socket binding(s) to attach to.

ssl-context

 

Reference to the SSL context to use for this connector.

Table A.93. property Attributes

Attribute | Default | Description

value

 

The property value.

Security Attributes

The security component allows you to configure the security for the connector, but contains no direct configuration attributes. It can be configured using its nested components, such as sasl.

Table A.94. sasl Attributes

Attribute | Default | Description

include-mechanisms

 

The optional nested include-mechanisms element contains a whitelist of allowed SASL mechanism names. No mechanisms will be allowed which are not present in this list.

qop

 

The optional nested qop element contains a comma-separated list of quality-of-protection values, in decreasing order of preference.

Quality-of-protection values for this list are:

  • auth: authentication only
  • auth-int: authentication, plus integrity protection
  • auth-conf: authentication, plus integrity protection and confidentiality protection

reuse-session

false

The optional nested reuse-session boolean element specifies whether or not the server should attempt to reuse previously authenticated session information. The mechanism may or may not support such reuse, and other factors may also prevent it.

server-auth

false

The optional nested server-auth boolean element specifies whether the server should authenticate to the client. Not all mechanisms may support this setting.

strength

 

The optional nested strength element contains a comma-separated list of cipher strength values, in decreasing order of preference.

Cipher strength values for this list are:

  • high
  • medium
  • low

sasl-policy Attributes

The sasl-policy component allows you to specify an optional policy to use to narrow down the available set of mechanisms, but contains no direct configuration attributes. It can be configured using its nested components, such as policy.

Table A.95. policy Attributes

Attribute | Default | Description

forward-secrecy

true

The optional nested forward-secrecy element contains a boolean value which specifies whether mechanisms that implement forward secrecy between sessions are required. Forward secrecy means that breaking into one session will not automatically provide information for breaking into future sessions.

no-active

true

The optional nested no-active element contains a boolean value which specifies whether mechanisms susceptible to active (non-dictionary) attacks are not permitted. false to permit, true to deny.

no-anonymous

true

The optional nested no-anonymous element contains a boolean value which specifies whether mechanisms that accept anonymous login are permitted. false to permit, true to deny.

no-dictionary

true

The optional nested no-dictionary element contains a boolean value which specifies whether mechanisms susceptible to passive dictionary attacks are permitted. false to permit, true to deny.

no-plain-text

true

The optional nested no-plain-text element contains a boolean value which specifies whether mechanisms susceptible to simple plain passive attacks (for example, PLAIN) are not permitted. false to permit, true to deny.

pass-credentials

true

The optional nested pass-credentials element contains a boolean value which specifies whether mechanisms that pass client credentials are required.

HTTP Connector Attributes

The http-connector component has the following structure:

Table A.96. http-connector Attributes

Attribute | Default | Description

authentication-provider

 

The authentication-provider element contains the name of the authentication provider to use for incoming connections.

connector-ref

 

The name (or names) of a connector in the undertow subsystem to connect to.

sasl-authentication-factory

 

Reference to the SASL authentication factory to secure this connector.

sasl-protocol

remote

The protocol to pass into the SASL mechanisms used for authentication.

security-realm

 

The associated security realm to use for authentication for this connector.

server-name

 

The server name to send in the initial message exchange and for SASL based authentication.

Outbound Connection Attributes

The outbound-connection component has the following structure:

Table A.97. outbound-connection Attributes

Attribute | Default | Description

uri

 

The connection URI for the outbound connection.

Table A.98. property Attributes

Attribute | Default | Description

value

 

The property value.

Note

The above property attributes are related to the XNIO Options that will be used during the connection creation.

Remote Outbound Connection

The remote-outbound-connection component has the following structure:

Table A.99. remote-outbound-connection Attributes

Attribute | Default | Description

authentication-context

 

Reference to the authentication context instance containing the configuration for outbound connections.

outbound-socket-binding-ref

 

Name of the outbound-socket-binding which will be used to determine the destination address and port for the connection.

protocol

http-remoting

The protocol to use for the remote connection. Defaults to http-remoting. Deprecated: Outbound security settings should be migrated to an authentication-context definition.

security-realm

 

Reference to the security realm to use to obtain the password and SSL configuration. Deprecated: Outbound security settings should be migrated to an authentication-context definition.

username

 

The user name to use when authenticating against the remote server. Deprecated: Outbound security settings should be migrated to an authentication-context definition.

Local Outbound Connection Attributes

The local-outbound-connection component has the following structure:

Table A.100. local-outbound-connection Attributes

Attribute | Default | Description

outbound-socket-binding-ref

 

Name of the outbound-socket-binding which will be used to determine the destination address and port for the connection.

A.29. IO Subsystem Attributes

Note

Attribute names in these tables are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/wildfly-io_2_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.101. worker Attributes

Attribute | Default | Description

io-threads

 

The number of I/O threads to create for the worker. If not specified, the number of threads is set to the number of CPUs × 2.

stack-size

0

The stack size, in bytes, to attempt to use for worker threads.

task-keepalive

60000

The number of milliseconds to keep non-core task threads alive. This attribute should not be used as it is currently ignored.

task-max-threads

 

The maximum number of threads for the worker task thread pool. If not specified, the maximum number of threads is set to the number of CPUs × 16, taking the MaxFileDescriptorCount JMX property, if set, into account.

Table A.102. buffer-pool Attributes

Attribute | Default | Description

buffer-size

 

The size, in bytes, of each buffer slice. If not specified, the size is set based on the available RAM of your system:

  • 512 bytes for less than 64 MB RAM
  • 1024 bytes (1 KB) for 64 MB - 128 MB RAM
  • 16384 bytes (16 KB) for more than 128 MB RAM

For performance tuning advice on this attribute, see Configuring Buffer Pools in the JBoss EAP Performance Tuning Guide.

buffers-per-slice

 

How many slices, or sections, to divide the larger buffer into. This can be more memory efficient than allocating many separate buffers. If not specified, the number of slices is set based on the available RAM of your system:

  • 10 for less than 128 MB RAM
  • 20 for more than 128 MB RAM

direct-buffers

 

Whether the buffer pool uses direct buffers, which are faster in many cases with NIO. Note that some platforms do not support direct buffers.

A.30. JSF Module Templates

The following are example templates used for the various JSF modules required when installing a different JSF version for JBoss EAP. See Installing a JSF Implementation for full instructions.

Example: Mojarra JSF Implementation JAR module.xml

Note

Be sure to use the appropriate values for the following replaceable variables in the template:

  • JSF_IMPL_NAME
  • JSF_VERSION

<module xmlns="urn:jboss:module:1.5" name="com.sun.jsf-impl" slot="JSF_IMPL_NAME-JSF_VERSION">
    <properties>
        <property name="jboss.api" value="private"/>
    </properties>

    <dependencies>
        <module name="javax.faces.api" slot="JSF_IMPL_NAME-JSF_VERSION"/>
        <module name="javaee.api"/>
        <module name="javax.servlet.jstl.api"/>
        <module name="org.apache.xerces" services="import"/>
        <module name="org.apache.xalan" services="import"/>
        <module name="javax.xml.rpc.api"/>
        <module name="javax.rmi.api"/>
        <module name="org.omg.api"/>
    </dependencies>

    <resources>
        <resource-root path="jsf-impl-JSF_VERSION.jar"/>
    </resources>
</module>

Example: MyFaces JSF Implementation JAR module.xml

Note

Be sure to use the appropriate values for the following replaceable variables in the template:

  • JSF_IMPL_NAME
  • JSF_VERSION

<module xmlns="urn:jboss:module:1.5" name="com.sun.jsf-impl" slot="JSF_IMPL_NAME-JSF_VERSION">
    <properties>
        <property name="jboss.api" value="private"/>
    </properties>

    <dependencies>
        <module name="javax.faces.api" slot="JSF_IMPL_NAME-JSF_VERSION">
            <imports>
                <include path="META-INF/**"/>
            </imports>
        </module>
        <module name="javaee.api"/>
        <module name="javax.servlet.jstl.api"/>
        <module name="org.apache.xerces" services="import"/>
        <module name="org.apache.xalan" services="import"/>

        <!-- extra dependencies for MyFaces -->
        <module name="org.apache.commons.collections"/>
        <module name="org.apache.commons.codec"/>
        <module name="org.apache.commons.beanutils"/>
        <module name="org.apache.commons.digester"/>

        <!-- extra dependencies for MyFaces 1.1
        <module name="org.apache.commons.logging"/>
        <module name="org.apache.commons.el"/>
        <module name="org.apache.commons.lang"/> -->
        <module name="javax.xml.rpc.api"/>
        <module name="javax.rmi.api"/>
        <module name="org.omg.api"/>
    </dependencies>

    <resources>
        <resource-root path="JSF_IMPL_NAME-impl-JSF_VERSION.jar"/>
    </resources>
</module>

Example: Mojarra JSF API JAR module.xml

Note

Be sure to use the appropriate values for the following replaceable variables in the template:

  • JSF_IMPL_NAME
  • JSF_VERSION

<module xmlns="urn:jboss:module:1.5" name="javax.faces.api" slot="JSF_IMPL_NAME-JSF_VERSION">
    <dependencies>
        <module name="com.sun.jsf-impl" slot="JSF_IMPL_NAME-JSF_VERSION"/>
        <module name="javax.enterprise.api" export="true"/>
        <module name="javax.servlet.api" export="true"/>
        <module name="javax.servlet.jsp.api" export="true"/>
        <module name="javax.servlet.jstl.api" export="true"/>
        <module name="javax.validation.api" export="true"/>
        <module name="org.glassfish.javax.el" export="true"/>
        <module name="javax.api"/>
    </dependencies>

    <resources>
        <resource-root path="jsf-api-JSF_VERSION.jar"/>
    </resources>
</module>

Example: MyFaces JSF API JAR module.xml

Note

Be sure to use the appropriate values for the following replaceable variables in the template:

  • JSF_IMPL_NAME
  • JSF_VERSION

<module xmlns="urn:jboss:module:1.5" name="javax.faces.api" slot="JSF_IMPL_NAME-JSF_VERSION">
    <dependencies>
        <module name="javax.enterprise.api" export="true"/>
        <module name="javax.servlet.api" export="true"/>
        <module name="javax.servlet.jsp.api" export="true"/>
        <module name="javax.servlet.jstl.api" export="true"/>
        <module name="javax.validation.api" export="true"/>
        <module name="org.glassfish.javax.el" export="true"/>
        <module name="javax.api"/>

        <!-- extra dependencies for MyFaces 1.1
        <module name="org.apache.commons.logging"/>
        <module name="org.apache.commons.el"/>
        <module name="org.apache.commons.lang"/> -->
    </dependencies>

    <resources>
        <resource-root path="myfaces-api-JSF_VERSION.jar"/>
    </resources>
</module>

Example: Mojarra JSF Injection JAR module.xml

Note

Be sure to use the appropriate values for the following replaceable variables in the template:

  • JSF_IMPL_NAME
  • JSF_VERSION
  • INJECTION_VERSION
  • WELD_VERSION

<module xmlns="urn:jboss:module:1.5" name="org.jboss.as.jsf-injection" slot="JSF_IMPL_NAME-JSF_VERSION">
    <properties>
        <property name="jboss.api" value="private"/>
    </properties>

    <resources>
        <resource-root path="wildfly-jsf-injection-INJECTION_VERSION.jar"/>
        <resource-root path="weld-core-jsf-WELD_VERSION.jar"/>
    </resources>

    <dependencies>
        <module name="com.sun.jsf-impl" slot="JSF_IMPL_NAME-JSF_VERSION"/>
        <module name="javax.api"/>
        <module name="org.jboss.as.web-common"/>
        <module name="javax.servlet.api"/>
        <module name="org.jboss.as.ee"/>
        <module name="org.jboss.as.jsf"/>
        <module name="javax.enterprise.api"/>
        <module name="org.jboss.logging"/>
        <module name="org.jboss.weld.core"/>

        <module name="javax.faces.api" slot="JSF_IMPL_NAME-JSF_VERSION"/>
    </dependencies>
</module>

Example: MyFaces JSF Injection JAR module.xml

Note

Be sure to use the appropriate values for the following replaceable variables in the template:

  • JSF_IMPL_NAME
  • JSF_VERSION
  • INJECTION_VERSION
  • WELD_VERSION

<module xmlns="urn:jboss:module:1.5" name="org.jboss.as.jsf-injection" slot="JSF_IMPL_NAME-JSF_VERSION">
    <properties>
        <property name="jboss.api" value="private"/>
    </properties>

    <resources>
        <resource-root path="wildfly-jsf-injection-INJECTION_VERSION.jar"/>
        <resource-root path="weld-core-jsf-WELD_VERSION.jar"/>
    </resources>

    <dependencies>
        <module name="com.sun.jsf-impl" slot="JSF_IMPL_NAME-JSF_VERSION"/>
        <module name="javax.api"/>
        <module name="org.jboss.as.web-common"/>
        <module name="javax.servlet.api"/>
        <module name="org.jboss.as.ee"/>
        <module name="org.jboss.as.jsf"/>
        <module name="javax.enterprise.api"/>
        <module name="org.jboss.logging"/>
        <module name="org.jboss.weld.core"/>
        <module name="org.wildfly.security.elytron"/>

        <module name="javax.faces.api" slot="JSF_IMPL_NAME-JSF_VERSION"/>
    </dependencies>
</module>

Example: MyFaces commons-digester JAR module.xml

Note

Be sure to use the appropriate value for the VERSION replaceable variable in the template.

<module xmlns="urn:jboss:module:1.5" name="org.apache.commons.digester">
    <properties>
        <property name="jboss.api" value="private"/>
    </properties>

    <resources>
        <resource-root path="commons-digester-VERSION.jar"/>
    </resources>

    <dependencies>
        <module name="javax.api"/>
        <module name="org.apache.commons.collections"/>
        <module name="org.apache.commons.logging"/>
        <module name="org.apache.commons.beanutils"/>
    </dependencies>
</module>

A.31. JGroups Subsystem Attributes

See the tables below for the attributes of the various elements of the jgroups subsystem.

Note

Attribute names in these tables are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/jboss-as-jgroups_5_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.103. Main jgroups Attributes

Attribute | Default | Description

default-channel

ee

The default JGroups channel.

default-stack

 

The default JGroups protocol stack.

Channel Attributes

The channel element has the following structure:

channel Attributes

Table A.104. channel Attributes

Attribute | Default | Description

cluster

 

The cluster name of the JGroups channel. If undefined, the name of the channel will be used.

module

org.wildfly.clustering.server

The module from which to load channel services.

stack

 

The protocol stack of the JGroups channel.

statistics-enabled

false

Whether statistics are enabled.

stats-enabled

false

Whether statistics are enabled. Deprecated: Use the statistics-enabled attribute instead.

Stack Attributes

The stack element has the following structure:

stack Attributes

Table A.105. stack Attributes

Attribute | Default | Description

statistics-enabled

false

Indicates whether or not all protocols in the stack will collect statistics.

protocol Attributes

For a list of commonly used protocols, see the JGroups Protocols section.

Table A.106. protocol Attributes

Attribute | Default | Description

module

org.jgroups

The module with which to resolve the protocol type.

properties

 

Properties of this protocol.

statistics-enabled

false

Indicates whether or not this protocol will collect statistics, overriding the stack configuration.

relay Attributes

Table A.107. relay Attributes

Attribute | Default | Description

module

org.jgroups

The module with which to resolve the protocol type.

properties

 

Properties of this protocol.

site

 

The name of the local site.

statistics-enabled

false

Indicates whether or not this protocol will collect statistics, overriding the stack configuration.

remote-site Attributes

Table A.108. remote-site Attributes

Attribute | Default | Description

channel

 

The name of the bridge channel used to communicate with this remote site.

cluster

 

The cluster name of the bridge channel to this remote site. Deprecated: Use an explicitly defined channel instead.

stack

 

The stack from which to create a bridge to this remote site. Deprecated: Use an explicitly defined channel instead.

transport Attributes

Table A.109. transport Attributes

Attribute | Default | Description

default-executor

 

The thread pool executor to handle incoming messages. Deprecated: Configure the predefined default thread pool instead.

diagnostics-socket-binding

 

The diagnostics socket binding specification for this protocol layer, used to specify IP interfaces and ports for communication.

machine

 

Machine, or host, identifier for this node. Used by Infinispan’s topology-aware consistent hash.

module

org.jgroups

Module with which to resolve the protocol type.

oob-executor

 

The thread pool executor to handle incoming out-of-band messages. Deprecated: Configure the predefined oob thread pool instead.

properties

 

Properties of this transport.

rack

 

Rack, such as the server rack, identifier for this node. Used by Infinispan’s topology-aware consistent hash.

shared

false

If true, the underlying transport is shared by all channels using this stack. Deprecated: Configure a fork of the channel instead.

site

 

Site, such as the data center, identifier for this node. Used by Infinispan’s topology-aware consistent hash.

socket-binding

 

The socket binding specification for this protocol layer, used to specify IP interfaces and ports for communication.

statistics-enabled

false

Indicates whether or not this protocol will collect statistics, overriding the stack configuration.

thread-factory

 

The thread factory to use for handling asynchronous transport-specific tasks. Deprecated: Configure the predefined internal thread pool instead.

timer-executor

 

The thread pool executor to handle protocol-related timing tasks. Deprecated: Configure the predefined timer thread pool instead.

thread-pool Attributes

Table A.110. thread-pool Attributes

Attribute | Default | Description

keepalive-time

5000L

The number of milliseconds that pool threads should be kept running when idle. If not specified, then threads will run until the executor is shut down.

max-threads

4

The maximum thread pool size.

min-threads

2

The core thread pool size, which is smaller than max-threads. If undefined, the core thread pool size is the same as max-threads.

queue-length

500

The queue length.

A.32. JGroups Protocols

Protocol | Protocol Type | Description

ASYM_ENCRYPT

Encryption

Uses a secret key, stored in a coordinator on the cluster, for encrypting messages between cluster members.

AUTH

Authentication

Provides a layer of authentication to cluster members.

azure.AZURE_PING

Discovery

Supports node discovery using Microsoft Azure’s blob storage.

FD_ALL

Failure Detection

Provides failure detection based on a simple heartbeat protocol.

FD_SOCK

Failure Detection

Provides failure detection based on a ring of TCP sockets created between cluster members.

JDBC_PING

Discovery

Discovers cluster members by using a shared database where members write their address.

MERGE3

Merge

Merges the subclusters together in the event of a cluster split.

MFC

Flow Control

Provides multicast flow control between a sender and all cluster members.

MPING

Discovery

Discovers cluster members with IP multicast.

pbcast.GMS

Group Membership

Handles group membership, including new members joining the cluster, leave requests by existing members, and SUSPECT messages for crashed members.

pbcast.NAKACK2

Message Transmission

Ensures message reliability and order, guaranteeing that all messages sent by one sender will be received in the order they were sent.

pbcast.STABLE

Message Stability

Deletes messages that have been seen by all members.

PING

Discovery

Initial discovery of members, with support for dynamic discovery of cluster members.

SASL

Authentication

Provides a layer of authentication to cluster members using SASL mechanisms.

SYM_ENCRYPT

Encryption

Uses a shared keystore for encrypting messages between cluster members.

S3_PING

Discovery

Uses Amazon S3 to discover initial members.

TCPGOSSIP

Discovery

Discovers cluster members by using an external gossip router.

TCPPING

Discovery

Contains a static list of cluster members' addresses to form the cluster.

UFC

Flow Control

Provides unicast flow control between a sender and all cluster members.

UNICAST3

Message Transmission

Ensures message reliability and order for unicast messages, guaranteeing that all messages sent by one sender will be received in the order they were sent.

VERIFY_SUSPECT

Failure Detection

Verifies that a suspected member has died by pinging the member one final time before evicting it.

Generic Protocol Attributes

All of the protocols have access to the following attributes.

Table A.111. protocol Attributes

Attribute | Default | Description

module

org.jgroups

The module with which to resolve the protocol type.

properties

 

Properties of this protocol.

statistics-enabled

false

Whether statistics are enabled.

Authentication Protocols

The authentication protocols are used to perform authentication, and are primarily responsible for ensuring that only authenticated members can join the cluster. These protocols sit below the GMS protocol, so that they may listen for requests to join the cluster.

AUTH Attributes

While the AUTH protocol contains no additional attributes, it must have a token defined as a child element.

Note

When defining this protocol, the auth-protocol element is used instead of the protocol element.

Token Types

When using Elytron for security, it is recommended to use one of the following authentication tokens. These authentication tokens were intentionally designed for use with Elytron, and may not be used with legacy security configurations.

Table A.112. Elytron Token Types

Token | Description

cipher-token

An authentication token where the shared secret is transformed. RSA is the default algorithm used for the transformation.

digest-token

An authentication token where the shared secret is transformed. SHA-256 is the default algorithm used for the transformation.

plain-token

An authentication token with no additional transformations to the shared secret.

The following authentication tokens are inherited from JGroups, and are eligible for use in any configuration where authentication is desired.

Table A.113. JGroups Token Types

Token | Description

MD5Token

An authentication token where the shared secret is hashed using either MD5 or SHA. MD5 is the default algorithm used for the hashing.

SimpleToken

An authentication token with no additional transformations to the shared secret. This token is case-insensitive, and case is not considered when determining if strings match.

X509Token

An authentication token where the shared secret is encrypted using an X509 certificate.

SASL Attributes

Table A.114. SASL Attributes

Attribute | Default | Description

client_callback_handler

 

The class name of the CallbackHandler to use when a node acts as a client.

client_name

 

The name to use when a node acts as a client. This name will also be used to obtain the subject if using a JAAS login module.

client_password

 

The password to use when a node acts as a client. This password will also be used to obtain the subject if using a JAAS login module.

login_module_name

 

The name of the JAAS login module to use as a subject for creating the SASL client and server. This attribute is only required by certain mech values, such as GSSAPI.

mech

 

The name of the SASL authentication mechanism. This name can be any mechanism supported by the local SASL provider, and the JDK supplies CRAM-MD5, DIGEST-MD5, GSSAPI, and NTLM by default.

sasl_props

 

Properties of the defined mech.

server_callback_handler

 

The class name of the CallbackHandler to use when a node acts as a server.

server_name

 

The fully qualified server name.

timeout

5000

The number of milliseconds to wait for a response to a challenge.

Discovery Protocols

The following protocols are used to find an initial membership for the cluster, which can then be used to determine the current coordinator. The discovery protocols are listed below.

AZURE_PING Attributes

Table A.115. AZURE_PING Attributes

Attribute | Default | Description

container

 

The name of the blob container to use for PING data. This must be a valid DNS name.

storage_access_key

 

The secret access key for the storage account.

storage_account_name

 

The name of the Microsoft Azure storage account that contains your blob container.

JDBC_PING Attributes

Table A.116. JDBC_PING Attributes

Attribute | Default | Description

data-source

 

Datasource reference, to be used instead of the connection and JNDI lookup properties.

Note

When defining a JDBC_PING protocol, the jdbc-protocol element is used instead of the protocol element.

S3_PING Attributes

Table A.117. S3_PING Attributes

Attribute | Default | Description

access_key

 

The Amazon S3 access key used to access an S3 bucket.

host

s3.amazonaws.com

Destination of the S3 web service.

location

 

Name of the Amazon S3 bucket to use. The bucket must exist and use a unique name.

pre_signed_delete_url

 

The pre-signed URL to be used for the DELETE operation.

port

  • 443 if use_ssl is true.
  • 80 if use_ssl is false.

The port on which the web service is listening.

pre_signed_put_url

 

The pre-signed URL to be used for the PUT operation.

prefix

 

If set, and location is set, define the bucket name as PREFIX-LOCATION. If set, and a bucket does not exist at the specified PREFIX-LOCATION, then the bucket name becomes PREFIX followed by a random UUID.

secret_access_key

 

The Amazon S3 secret access key used to access an S3 bucket.

use_ssl

true

Determines if SSL is used when contacting the host and port combination.

TCPGOSSIP Attributes

Table A.118. TCPGOSSIP Attributes

Attribute | Default | Description

socket-binding

 

The socket binding specification for this protocol layer. Deprecated: Use socket-bindings instead.

socket-bindings

 

The outbound socket bindings for this protocol.

Note

When defining a TCPGOSSIP protocol, the socket-discovery-protocol element is used instead of the protocol element.

TCPPING Attributes

Table A.119. TCPPING Attributes

Attribute | Default | Description

socket-binding

 

The socket binding specification for this protocol layer. Deprecated: Use socket-bindings instead.

socket-bindings

 

The outbound socket bindings for this protocol.

Note

When defining a TCPPING protocol, the socket-discovery-protocol element is used instead of the protocol element.

Encrypt Protocols

The following protocols are used to secure the communication stack. Encryption is based on a shared secret key that all members of the cluster have. This key is acquired either from a shared keystore, when using SYM_ENCRYPT, or from a public/private key exchange, when using ASYM_ENCRYPT. When defining any of the following protocols, an encrypt-protocol element is created in the resulting XML.

Note

If using ASYM_ENCRYPT, then the same stack must have an AUTH protocol defined. The AUTH protocol is optional when using SYM_ENCRYPT.

ASYM_ENCRYPT Attributes

Table A.120. ASYM_ENCRYPT Attributes

Attribute | Default | Description

key-alias

 

The alias of the encryption key from the specified keystore.

key-credential-reference

 

The credentials required to obtain the encryption key from the keystore.

key-store

 

A reference to a keystore containing the encryption key.

SYM_ENCRYPT Attributes

Table A.121. SYM_ENCRYPT Attributes

Attribute | Default | Description

key-alias

 

The alias of the encryption key from the specified keystore.

key-credential-reference

 

The credentials required to obtain the encryption key from the keystore.

key-store

 

A reference to a keystore containing the encryption key.

Failure Detection Protocols

The following protocols are used to probe members of the cluster to determine if they are still alive. These protocols do not have any additional attributes beyond the generic attributes.

  • FD_ALL
  • FD_SOCK
  • VERIFY_SUSPECT

Flow Control Protocols

The following protocols are responsible for flow control, or the process of adjusting the rate of a message sender to the slowest receiver. If a sender continuously sends messages at a rate faster than the receiver, then the receivers will either queue up or discard messages, resulting in retransmissions. These protocols do not have any additional attributes beyond the generic attributes.

  • MFC - Multicast Flow Control
  • UFC - Unicast Flow Control

Group Membership Protocols

The pbcast.GMS protocol is responsible for new members joining the cluster, existing members leaving the cluster, and members that are suspected of having crashed. This protocol does not have any additional attributes beyond the generic attributes.

Merge Protocols

If the cluster becomes split, then the MERGE3 protocol is responsible for merging the subclusters back together. While this protocol is responsible for merging the cluster members back together, this will not merge the state of the cluster. The application is responsible for handling the callback to merge states. This protocol does not have any additional attributes beyond the generic attributes.

Message Stability

The pbcast.STABLE protocol is responsible for garbage collecting messages that have been seen by all members of the cluster. This protocol initiates a stable message containing message numbers for a given member, called a digest. Once all members of the cluster have received the others' digests, then the message may be removed from the retransmission table. This protocol does not have any additional attributes beyond the generic attributes.

Reliable Message Transmission

The following protocols provide reliable message delivery and FIFO properties for messages sent to all nodes in a cluster. Reliable delivery means that no messages sent by a sender will ever be lost, as all messages are numbered, and retransmission requests are sent if a sequence number is not received. These protocols do not have any additional attributes beyond the generic attributes.

  • pbcast.NAKACK2
  • UNICAST3

Deprecated Protocols

The following protocols have been deprecated, and have been replaced by a protocol that contains only the class name. For instance, instead of specifying org.jgroups.protocols.ASYM_ENCRYPT, the protocol name would be ASYM_ENCRYPT.

  • org.jgroups.protocols.ASYM_ENCRYPT
  • org.jgroups.protocols.AUTH
  • org.jgroups.protocols.JDBC_PING
  • org.jgroups.protocols.SYM_ENCRYPT
  • org.jgroups.protocols.TCPGOSSIP
  • org.jgroups.protocols.TCPPING
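
The rules stated in this section (authentication protocols sit below pbcast.GMS, ASYM_ENCRYPT needs an AUTH protocol in the same stack, AUTH needs a token child, fully qualified protocol names are deprecated) can be checked mechanically. The following Python script is an added example, not part of the Red Hat documentation; the sample XML is constructed, and it assumes that protocols are listed bottom-to-top inside each stack element and carry their name in a type attribute.

```python
import xml.etree.ElementTree as ET

PREFIX = "org.jgroups.protocols."
# Protocols the page lists as deprecated when written with the full class name.
DEPRECATED = {"ASYM_ENCRYPT", "AUTH", "JDBC_PING", "SYM_ENCRYPT", "TCPGOSSIP", "TCPPING"}
AUTH_PROTOCOLS = {"AUTH", "SASL"}
ELYTRON_TOKENS = {"cipher-token", "digest-token", "plain-token"}

# Constructed, abbreviated sample (not from a real server). Assumptions: the
# "type" and "name" attributes, and bottom-to-top order of protocols in a stack.
SAMPLE = """
<subsystem xmlns="urn:jboss:domain:jgroups:5.0">
  <stacks>
    <stack name="good">
      <transport type="TCP"/>
      <encrypt-protocol type="ASYM_ENCRYPT" key-alias="cluster" key-store="ks"/>
      <auth-protocol type="AUTH"><digest-token/></auth-protocol>
      <protocol type="pbcast.GMS"/>
    </stack>
    <stack name="bad">
      <transport type="TCP"/>
      <encrypt-protocol type="org.jgroups.protocols.ASYM_ENCRYPT" key-alias="cluster" key-store="ks"/>
      <protocol type="pbcast.GMS"/>
    </stack>
    <stack name="misordered">
      <transport type="TCP"/>
      <protocol type="pbcast.GMS"/>
      <auth-protocol type="AUTH"><plain-token/></auth-protocol>
      <encrypt-protocol type="SYM_ENCRYPT" key-alias="cluster" key-store="ks"/>
    </stack>
  </stacks>
</subsystem>
"""


def local(tag):
    """Strip the XML namespace so any schema version of the subsystem matches."""
    return tag.rsplit("}", 1)[-1]


def short(ptype):
    """Reduce a fully qualified protocol name to the short form."""
    return ptype[len(PREFIX):] if ptype.startswith(PREFIX) else ptype


def audit_stack(stack):
    """Return a list of (finding, detail) tuples for one stack element."""
    # protocol, auth-protocol, encrypt-protocol, jdbc-protocol, ... but not transport
    layers = [(local(e.tag), e.get("type", ""), e) for e in stack
              if local(e.tag).endswith("protocol")]
    names = [short(ptype) for _, ptype, _ in layers]
    findings = []

    for _, ptype, _ in layers:
        if ptype.startswith(PREFIX) and short(ptype) in DEPRECATED:
            findings.append(("deprecated-name", ptype))

    # The AUTH protocol is mandatory with ASYM_ENCRYPT, optional with SYM_ENCRYPT.
    if "ASYM_ENCRYPT" in names and "AUTH" not in names:
        findings.append(("asym-without-auth", "ASYM_ENCRYPT"))

    gms = names.index("pbcast.GMS") if "pbcast.GMS" in names else None
    for i, (tag, _, element) in enumerate(layers):
        # Authentication must sit below GMS to see join requests.
        if names[i] in AUTH_PROTOCOLS and gms is not None and i > gms:
            findings.append(("auth-above-gms", names[i]))
        if tag == "auth-protocol":
            tokens = [local(c.tag) for c in element if local(c.tag) in ELYTRON_TOKENS]
            if not tokens:
                findings.append(("auth-without-token", names[i]))
            elif "plain-token" in tokens:
                # plain-token applies no transformation to the shared secret
                findings.append(("untransformed-secret", "plain-token"))
    return findings


def audit(xml_text):
    """Audit every stack in a jgroups subsystem fragment, keyed by stack name."""
    root = ET.fromstring(xml_text)
    return {s.get("name"): audit_stack(s) for s in root.iter() if local(s.tag) == "stack"}


if __name__ == "__main__":
    for stack_name, findings in audit(SAMPLE).items():
        print(stack_name, findings or "ok")
```
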

A.33. Apache HTTP Server mod_cluster Directives

The mod_cluster connector is an Apache HTTP Server-based load balancer. It uses a communication channel to forward requests from the Apache HTTP Server to one of a set of application server nodes. The following directives can be set to configure mod_cluster.

Note

There is no need to use ProxyPass directives because mod_cluster automatically configures the URLs that must be forwarded to Apache HTTP Server.

Table A.122. mod_cluster Directives

Directive | Description | Values

CreateBalancers

Defines how the balancers are created in the Apache HTTP Server VirtualHosts. This allows directives like: ProxyPass / balancer://mycluster1/.

  • 0: Create balancers in all VirtualHosts defined in Apache HTTP Server
  • 1: Do not create balancers (at least one ProxyPass or ProxyMatch is required to define the balancer names)
  • 2: Create only the main server (default)

UseAlias

Check that the alias corresponds to the server name.

  • 0: Ignore aliases (default)
  • 1: Check aliases

LBstatusRecalTime

Time interval in seconds for load-balancing logic to recalculate the status of a node.

Default: 5 seconds

WaitBeforeRemove

Time in seconds before a removed node is forgotten by httpd.

Default: 10 seconds

ProxyPassMatch/ProxyPass

ProxyPassMatch and ProxyPass are mod_proxy directives which, when using ! instead of the back-end URL, prevent reverse-proxy in the path. This is used to allow Apache HTTP Server to serve static content. For example: ProxyPassMatch ^(/.*\.gif)$ ! This example allows the Apache HTTP Server to serve the .gif files directly.

 
Note

Due to performance optimizations for sessions in JBoss EAP 7, configuring hot-standby nodes is not supported.

mod_manager

The context of a mod_manager directive is VirtualHost in all cases, except when mentioned otherwise. server config context implies that the directive must be outside a VirtualHost configuration. If not, an error message is displayed and the Apache HTTP Server does not start.

Table A.123. mod_manager Directives

Directive | Description | Values

EnableMCPMReceive

Allow the VirtualHost to receive MCMP messages from the nodes. Include EnableMCPMReceive in the Apache HTTP Server configuration to allow mod_cluster to work. Save it in the VirtualHost where you configure advertising.

 

MemManagerFile

The base name for the names that mod_manager uses to store configuration, generate keys for shared memory or locked files. This must be an absolute path name; the directories are created if needed. It is recommended that these files are placed on a local drive and not an NFS share. Context: server config

$server_root/logs/

Maxcontext

The maximum number of contexts supported by mod_cluster. Context: server config

Default: 100

Maxnode

The maximum number of nodes supported by mod_cluster. Context: server config

Default: 20

Maxhost

The maximum number of hosts, or aliases, supported by mod_cluster. It also includes the maximum number of balancers. Context: server config

Default: 20

Maxsessionid

The number of active session IDs stored to provide the number of active sessions in the mod_cluster-manager handler. A session is inactive when mod_cluster does not receive any information from the session within 5 minutes. Context: server config. This field is for demonstration and debugging purposes only.

0: the logic is not activated.

MaxMCMPMaxMessSize

The maximum size of MCMP messages.

Calculated from other Max directives. Min: 1024

ManagerBalancerName

The name of balancer to use when the JBoss EAP instance does not provide a balancer name.

mycluster

PersistSlots

Tells mod_slotmem to persist nodes, aliases and contexts in files. Context: server config

Off

CheckNonce

Switch check of nonce when using mod_cluster-manager handler.

on/off Default: on - Nonce checked

AllowDisplay

Switch additional display on mod_cluster-manager main page.

on/off Default: off - only version is displayed

AllowCmd

Allow commands using mod_cluster-manager URL.

on/off Default: on - Commands allowed

ReduceDisplay

Reduce the information displayed on the main mod_cluster-manager page, so that more nodes can be displayed on the page.

on/off Default: off - full information is displayed

SetHandler mod_cluster-manager

Displays information about the node that mod_cluster sees from the cluster. The information includes generic information and additionally counts the number of active sessions.

<Location /mod_cluster-manager>
  SetHandler mod_cluster-manager
  Require ip 127.0.0.1
</Location>

on/off Default: off

Note

When accessing the location defined in httpd.conf:

  • Transferred: Corresponds to the POST data sent to the back-end server.
  • Connected: Corresponds to the number of requests that have been processed when the mod_cluster status page was requested.
  • Num_sessions: Corresponds to the number of sessions mod_cluster reports as active (on which there was a request within the past 5 minutes). This field is not present when Maxsessionid is zero and is for demonstration and debugging purposes only.

A.34. ModCluster Subsystem Attributes

The modcluster subsystem has the following structure:

Note

Attribute names in these tables are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/jboss-as-mod-cluster_3_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.124. mod-cluster-config Configuration Options

Attribute | Default | Description

advertise

true

Whether or not advertising is enabled.

advertise-security-key

 

String containing the security key for the Advertise logic.

advertise-socket

 

Name of Socket binding to use for the Advertise socket.

auto-enable-contexts

true

If set to false, contexts are registered with the reverse proxy as disabled. You can enable the context using the enable-context operation or by using the mod_cluster_manager console.

balancer

 

The name of the balancer on the reverse proxy to register with. If not set, the value is configured on the Apache HTTP Server side with the ManagerBalancerName directive, which defaults to mycluster.

connector

 

The name of the Undertow listener that the mod_cluster reverse proxy will connect to.

excluded-contexts

 

A list of contexts to exclude from registration with the reverse proxies. If no host is indicated, the host is assumed to be localhost. ROOT indicates the root context of the web application.

flush-packets

false

Whether or not to enable packet flushing to the web server.

flush-wait

-1

Time to wait before flushing packets in httpd. Max value is 2,147,483,647.

load-balancing-group

 

If set, requests are sent to the specified load balancing group on the load balancer.

max-attempts

1

The number of times the reverse proxy will attempt to send a given request to a worker before giving up.

node-timeout

-1

Timeout, in seconds, for proxy connections to a worker. This is the time that mod_cluster will wait for the back-end response before returning an error. If the node-timeout attribute is undefined, the httpd ProxyTimeout directive is used. If ProxyTimeout is undefined, the httpd Timeout directive is used, which defaults to 300 seconds.

ping

10

Time, in seconds, in which to wait for a pong answer to a ping.

proxies

 

List of proxies for mod_cluster to register with, defined by outbound-socket-binding in socket-binding-group.

proxy-list

 

List of proxies. The format is HOST_NAME:PORT, separated with commas. Deprecated in favor of proxies.

proxy-url

/

Base URL for MCMP requests.

session-draining-strategy

DEFAULT

Session draining strategy used during undeployment of a web application. Valid values are DEFAULT, ALWAYS, or NEVER.

  • DEFAULT: Drain sessions before web application undeploy only if the web application is non-distributable.
  • ALWAYS: Always drain sessions before web application undeploy, even for distributable web applications.
  • NEVER: Do not drain sessions before web application undeploy.

simple-load-provider

 

A simple load provider to use if no dynamic load provider is present. It assigns each cluster member a load factor of 1, and distributes work evenly without applying a load balancing algorithm.

smax

-1

Soft maximum idle connection count in httpd.

socket-timeout

20

Number of seconds to wait for a response from an httpd proxy to MCMP commands before timing out, and flagging the proxy as in error.

ssl-context

 

Reference to the SSLContext to be used by mod_cluster.

status-interval

10

Interval, in seconds, at which a STATUS message is sent from the application server to the reverse proxy. Allowed values are between 1 and 2,147,483,647.

sticky-session

true

Whether subsequent requests for a given session should be routed to the same node, if possible.

sticky-session-force

false

Whether the reverse proxy should return an error in the event that the balancer is unable to route a request to the node to which it is stuck. This setting is ignored if sticky sessions are disabled.

sticky-session-remove

false

Remove session information on failover.

stop-context-timeout

10

The maximum time, in seconds, to wait for a context to process pending requests, for a distributable context, or to destroy active sessions, for a non-distributable context.

ttl

-1

Time to live, in seconds, for idle connections above smax. Allowed values are between -1 and 2,147,483,647.

worker-timeout

-1

Timeout to wait in httpd for an available worker to process the requests. Allowed values are between -1 and 2,147,483,647.

Table A.125. dynamic-load-provider Configuration Options

Attribute | Default | Description

decay

2

The decay.

history

9

The history.

Table A.126. custom-load-metric Attribute Options

Attribute | Default | Description

capacity

1.0

The capacity of the metric.

class

 

The class name of the custom metric.

property

 

The properties for the metric.

weight

1

The weight of the metric.

Table A.127. load-metric Attribute Options

Attribute | Default | Description

capacity

1.0

The capacity of the metric.

property

 

The properties for the metric.

type

 

The type of the metric. Valid values are cpu, mem, heap, sessions, receive-traffic, send-traffic, requests, or busyness.

weight

1

The weight of the metric.

Table A.128. ssl Attribute Options

Attribute | Default | Description

ca-certificate-file

 

Certificate authority.

ca-revocation-url

 

Certificate authority revocation list.

certificate-key-file

${user.home}/.keystore

Key file for the certificate.

cipher-suite

 

The allowed cipher suite.

key-alias

 

The key alias.

password

changeit

Password.

protocol

TLS

The SSL protocols that are enabled.

A.35. mod_jk Worker Properties

The workers.properties file defines the behavior of the workers to which mod_jk passes client requests. The workers.properties file defines where the different application servers are located and the way the workload should be balanced across them.

The general structure of a property is worker.WORKER_NAME.DIRECTIVE. The WORKER_NAME is a unique name that must match the instance-id configured in the JBoss EAP undertow subsystem. The DIRECTIVE is the setting to be applied to the worker.

Configuration Reference for Apache mod_jk Load Balancers

Templates specify default per-load-balancer settings. You can override the template within the load-balancer settings themselves.

Table A.129. Global properties

| Property | Description |
|---|---|
| worker.list | A comma-separated list of worker names that will be used by mod_jk. |

Table A.130. Mandatory Directives

| Property | Description |
|---|---|
| type | The type of worker. The default type is ajp13. Other possible values are ajp14, lb, status. For more information on these directives, see the Apache Tomcat Connectors Reference at https://tomcat.apache.org/connectors-doc/reference/workers.html. |

Table A.131. Load Balancing Directives

| Property | Description |
|---|---|
| balance_workers | Specifies the worker nodes that the load balancer must manage. You can use the directive multiple times for the same load balancer. It consists of a comma-separated list of worker node names. |
| sticky_session | Specifies whether requests from the same session are always routed to the same worker. The default is 1, meaning that sticky sessions are enabled. To disable sticky sessions, set it to 0. Sticky sessions should usually be enabled, unless all of your requests are truly stateless. |

Table A.132. Connection Directives

Property | Description

host

The host name or IP address of the back-end server. The back-end server must support the ajp protocol stack. The default value is localhost.

port

The port number of the back-end server instance listening for defined protocol requests. The default value is 8009, which is the default listening port for AJP13 workers. The default value for AJP14 workers is 8011.

ping_mode

The conditions under which connections are probed for network status. The probe uses an empty AJP13 packet for CPing, and expects a CPong in response. Specify the conditions by using a combination of directive flags. The flags are not separated by a comma or any white-space. The ping_mode can be any combination of C, P, I, and A.

  • C - Connect. Probe the connection one time after connecting to the server. Specify the timeout using the value of connect_timeout. Otherwise, the value of ping_timeout is used.
  • P - Prepost. Probe the connection before sending each request to the server. Specify the timeout using the prepost_timeout directive. Otherwise, the value of ping_timeout is used.
  • I - Interval. Probe the connection at an interval specified by connection_ping_interval, if present. Otherwise, the value of ping_timeout is used.
  • A - All. A shortcut for CPI, which specifies that all connection probes are used.

ping_timeout, connect_timeout, prepost_timeout, connection_ping_interval

The timeout values for the connection probe settings above. The value is specified in milliseconds, and the default value for ping_timeout is 10000.

lbfactor

Specifies the load-balancing factor for an individual back-end server instance. This is useful to give a more powerful server more of the workload. To give a worker 3 times the default load, set this to 3: worker.my_worker.lbfactor=3

The example below demonstrates load balancing with sticky sessions between two worker nodes, node1 and node2, listening on port 8009.

Example: workers.properties File

# Define list of workers that will be used for mapping requests
worker.list=loadbalancer,status

# Define Node1
# modify the host as your host IP or DNS name.
worker.node1.port=8009
worker.node1.host=node1.mydomain.com
worker.node1.type=ajp13
worker.node1.ping_mode=A
worker.node1.lbfactor=1

# Define Node2
# modify the host as your host IP or DNS name.
worker.node2.port=8009
worker.node2.host=node2.mydomain.com
worker.node2.type=ajp13
worker.node2.ping_mode=A
worker.node2.lbfactor=1

# Load-balancing behavior
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=1

# Status worker for managing load balancer
worker.status.type=status

Further configuration details for Apache mod_jk are out of the scope of this document and can be found in the Apache documentation.
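The rules in this section can be checked mechanically before a workers.properties file is deployed. The following is an added example, not part of the Red Hat documentation: it parses the worker.WORKER_NAME.DIRECTIVE structure, merges repeated balance_workers directives, applies the documented defaults, and reports names that are referenced but never configured, unknown type values, and ping_mode flags outside C, P, I, and A. The function names, finding messages, and sample input are constructed for illustration, and comparing ping_mode flags case-insensitively is a choice made here.

```python
VALID_TYPES = {"ajp13", "ajp14", "lb", "status"}  # types named in Table A.130
DEFAULT_PORT = {"ajp13": 8009, "ajp14": 8011}     # defaults from Table A.132

def parse_workers(text):
    """Return (names in worker.list, {worker_name: {directive: value}})."""
    listed, workers = [], {}
    for raw in text.splitlines():
        key, sep, value = (s.strip() for s in raw.partition("="))
        if key == "worker.list":
            listed += [n.strip() for n in value.split(",") if n.strip()]
        elif sep and key.startswith("worker.") and key.count(".") >= 2:
            _, name, directive = key.split(".", 2)
            props = workers.setdefault(name, {})
            if directive == "balance_workers" and directive in props:
                value = props[directive] + "," + value  # directive may repeat
            props[directive] = value
    return listed, workers

def backends(workers):
    """Effective (host, port) of each AJP worker after applying the defaults."""
    return {name: (d.get("host", "localhost"),
                   int(d.get("port", DEFAULT_PORT[d.get("type", "ajp13")])))
            for name, d in workers.items()
            if d.get("type", "ajp13") in DEFAULT_PORT}

def lint(text):
    """Return findings for the consistency rules described in this section."""
    listed, workers = parse_workers(text)
    findings = [f"worker.list: {n} has no directives" for n in listed if n not in workers]
    for name, d in workers.items():
        if d.get("type", "ajp13") not in VALID_TYPES:
            findings.append(f"{name}: unknown type {d['type']}")
        bad = set(d.get("ping_mode", "").upper()) - set("CPIA")  # case-insensitive by choice
        findings += [f"{name}: invalid ping_mode flag {c}" for c in sorted(bad)]
        members = [m.strip() for m in d.get("balance_workers", "").split(",") if m.strip()]
        findings += [f"{name}: balance_workers member {m} has no directives"
                     for m in members if m not in workers]
    return findings

# Constructed sample with three deliberate mistakes (not a real deployment).
SAMPLE = """worker.list=loadbalancer,status
worker.node1.host=node1.mydomain.com
worker.node1.ping_mode=CX
worker.node2.type=ajp14
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1
worker.loadbalancer.balance_workers=node2,node3
"""
print(lint(SAMPLE), backends(parse_workers(SAMPLE)[1]), sep="\n")
```

An AJP worker that omits host or port resolves to localhost and the default port for its type, so backends() gives a quick view of where mod_jk will actually open AJP connections.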

A.36. Security Manager Subsystem Attributes

The security-manager subsystem itself does not have configurable attributes, but it has one child resource with configurable attributes: deployment-permissions=default.

Note

Attribute names in this table are listed as they appear in the management model, for example, when using the management CLI. See the schema definition file located at EAP_HOME/docs/schema/wildfly-security-manager_1_0.xsd to view the elements as they appear in the XML, as there may be differences from the management model.

Table A.133. deployment-permissions Configuration Options

| Attribute | Description |
|---|---|
| maximum-permissions | The maximum set of permissions that can be granted to a deployment or jars. |
| minimum-permissions | The minimum set of permissions to be granted to a deployment or jars. |

A.37. Install OpenSSL from JBoss Core Services

The JBoss Core Services OpenSSL files can be installed from either the ZIP or the RPM distribution. Follow the steps below for your chosen installation method.

Using JBoss Core Services OpenSSL ZIP File Distribution

Note

The path to the libs/ directory in the ZIP archive is jbcs-openssl-1.0.2h/openssl/lib(64) for Linux and jbcs-openssl-1.0.2h/openssl/bin for Windows.

  1. Download the OpenSSL package from the Software Downloads page that pertains to your operating system and architecture.
  2. Extract the downloaded ZIP file to your installation directory.
  3. Notify JBoss EAP where to find the OpenSSL libraries.

    You can do this using either of the following methods. In each of the following commands, be sure to replace JBCS_OPENSSL_PATH with the path to the JBoss Core Services OpenSSL libraries, for example, /opt/rh/jbcs-httpd24/root/usr/lib64.

    • You can add the OpenSSL path to the JAVA_OPTS variable in the standalone.conf or domain.conf configuration file using the following argument.

      JAVA_OPTS="$JAVA_OPTS -Dorg.wildfly.openssl.path=JBCS_OPENSSL_PATH"
    • You can define a system property that specifies the OpenSSL path using the following management CLI command.

      /system-property=org.wildfly.openssl.path:add(value=JBCS_OPENSSL_PATH)

      Important

      Regardless of the method you use, you must perform a server restart for either the JAVA_OPTS value or the system property to take effect. A server reload is not sufficient.

Using JBoss Core Services OpenSSL RPM Distribution

  1. Ensure that the system is registered to the JBoss Core Services channel:

    1. Determine the JBoss Core Services CDN repository name for your operating system version and architecture:

      • RHEL 6: jb-coreservices-1-for-rhel-6-server-rpms
      • RHEL 7: jb-coreservices-1-for-rhel-7-server-rpms
    2. Enable the repository on the system:

      # subscription-manager repos --enable REPO_NAME
    3. Ensure the following message is seen:

      Repository REPO_NAME is enabled for this system.
  2. Install OpenSSL from this channel:

    # yum install jbcs-httpd24-openssl
  3. Once the installation completes, the JBCS OpenSSL libraries will be available in /opt/rh/jbcs-httpd24/root/usr/lib64, or just /opt/rh/jbcs-httpd24/root/usr/lib on x86 architecture.
  4. Notify JBoss EAP where to find the OpenSSL libraries.

    You can do this using either of the following methods. In each of the following commands, be sure to replace JBCS_OPENSSL_PATH with the path to the JBoss Core Services OpenSSL libraries, for example, /opt/rh/jbcs-httpd24/root/usr/lib64.

    • You can update the WILDFLY_OPTS variable for the eap7-standalone or eap7-domain settings in the service configuration file.

      WILDFLY_OPTS="$WILDFLY_OPTS -Dorg.wildfly.openssl.path=JBCS_OPENSSL_PATH"
    • You can define a system property that specifies the OpenSSL path using the following management CLI command.

      /system-property=org.wildfly.openssl.path:add(value=JBCS_OPENSSL_PATH)

      Important

      Regardless of the method you use, you must perform a server restart for either the WILDFLY_OPTS value or the system property to take effect. A server reload is not sufficient.





Revised on 2018-10-11 12:32:06 UTC