We Keep Coding

Jboss ServiceBindingManager and server.xml: ports and certificate

Using the ServiceBindingManager referencing the "sample-bindings.xml" configuration in the /conf/jboss-service.xml:
<mbean code="org.jboss.services.binding.ServiceBindingManager"
name="jboss.system:service=ServiceBindingManager">
<attribute name="ServerName">myserver</attribute>
<attribute name="StoreURL">${jboss.home.url}/docs/examples/binding-manager/sample-bindings.xml</attribute>
<attribute name="StoreFactoryClassName">
org.jboss.services.binding.XMLServicesStoreFactory
</attribute>
</mbean>
1) Having enabled the ServiceBindingManager does it mean the "server.xml" ports are overwritten by the sample-bindings.xml defined ports?
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/javascript,application/x-javascript,text/css,text/plain"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" server="server1" />
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="250" scheme="https" secure="true"
maxHttpHeaderSize="8192"
emptySessionPath="true"
address="${jboss.bind.address}"
keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
keystorePass="xx"
truststoreFile="${jboss.server.home.dir}/conf/server.keystore"
truststorePass="xx"
clientAuth="false" sslProtocol="TLS" server="server1" />
2) If the server.xml ports are not relevant any more, how can the TLS server certificate still be used?

After some googling, it does look like sample-bindings.xml ports will override server.xml ports related settings and is mainly used for running multiple instances of JBoss on the same server/machine. On the SSL scertificate, if the keystores appear to be no longer found - you can add them as program arguments either in the JAVA_OPTS section of run.conf (I'm assuming you're using an older version of JBoss) or you can add them to the command line or script you use to start JBoss, for example:
/home/jboss/jboss-eap-5.1/jboss-as/bin/./run.sh -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.trustStore=server.keystore -Djavax.net.ssl.trustStorePassword=xx -Djavax.net.ssl.keyStorePassword=xx > /dev/null 2>&1 &
Note, you'd need the correct paths to the files.
We use the same keystore/truststore program arguments at work on many Jboss instances.

HAProxy https on Openshift ends in redirect loop on non-local gears

I have a Tomcat 7 (JBoss EWS 2.0) app with HAProxy Web Load Balancer. Https works fine when there is only one server running but as soon as I add another one (by setting minimum number of gears to 2), a problem occurs.
I have checked out the GEAR cookie when connecting and as soon as it is the local gear local-569aaabf0c1e661db1000004 the connection is established, but the 569aadaa89f5cff3c9000058-petrfox GEAR cookie makes trouble.
The problem is that every attempt to connect, which is redirected (by the load balancer) to the newly started gear, ends in 302 redirect loop (by accessing https://dftestapp-petrfox.rhcloud.com/ I get 302 with header Location:https://dftestapp-petrfox.rhcloud.com/).
You can try it on the link above - if the page loads, just remove the GEAR cookie and refresh, you will be most probably redirected to the other one gear this time.
Generated HAProxy configuration (haproxy.cfg) is
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
#log 127.0.0.1 local2
maxconn 256
# turn on stats unix socket
stats socket /var/lib/openshift/569aaabf0c1e661db1000004/haproxy//run/stats level admin
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
#option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 128
listen stats 127.7.244.3:8080
mode http
stats enable
stats uri /
listen express 127.7.244.2:8080
cookie GEAR insert indirect nocache
option httpchk GET /
http-check expect rstatus 2..|3..|401
balance leastconn
server gear-569aadaa89f5cff3c9000058-petrfox ex-std-node827.prod.rhcloud.com:56761 check fall 2 rise 3 inter 2000 cookie 569aadaa89f5cff3c9000058-petrfox
server local-gear 127.7.244.1:8080 check fall 2 rise 3 inter 2000 cookie local-569aaabf0c1e661db1000004
I tried to turn off forcing https in my app (by removing <intercept-url pattern="/**" requires-channel="https"/> in applicationContext-security.xml), used just http and it worked. Therefore I assume there must be some more https configuration needed. But my question is where and what do I need to configure? I find it strange that it doesn't work with the generated configuration, because load balancing is something why one chooses Openshift and https is in some circumstances a must have. It is also strange to me that everything goes well when you are redirected to the local-gear.
I didn't find any material which would be any of help. Could you please help me with this problem?
UPDATE: I don't know where the problem is, but it could be in settings of the server. Here is the config file server.xml (which I had never changed)
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="-1" shutdown="SHUTDOWN">
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector address="${OPENSHIFT_JBOSSEWS_IP}"
port="${OPENSHIFT_JBOSSEWS_HTTP_PORT}"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"/>
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /-->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="false" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- RemoteIp valve, pass protocol header from proxy. -
http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
-->
<Valve
className="org.apache.catalina.valves.RemoteIpValve"
protocolHeader="x-forwarded-proto"
/>
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<!--
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
-->
</Host>
</Engine>
</Service>
</Server>

I had a similar problem with Too many redirects and the scalable Tomcat gear.
You can try to configure your server.xml and web.xml as the Technical FAQ suggests for Tomcat:
How do I redirect traffic to HTTPS.
Unfortunately, it didn't quite worked well for me. Everything was running ok if my app had only one gear - http traffic was being redirected to https. However, when I turned on the application scaling and the second gear was started, the Too many redirects error was appearing after every redeploy.
I was unable to resolve this. I've ended up in using the default Tomcat config and redirecting the unsecure traffic to https in my application's controllers (inspired by the Technical FAQ's answer for Node.js here). Everything works fine now.

why do I need port 8080 after localhost?

I've just downloaded a java application called "test-app" that I obtained from http://www.coreservlets.com/Apache-Tomcat-Tutorial/tomcat-7-with-eclipse.html and I setup tomcat 7 in eclipse.
When I started the server I navigated to http://localhost/test-app and got a page could not be found error, but when I went to http://localhost:8080/test-app/ the page came up correctly.
Why is this occurring? The tutorial I'm following states that I should be able to navigate to the page without the 8080.

I believe port 8080 is the default port for tomcat installations. There should be a file called conf/server.xml which you can change it from 8080 to 80.
Look in server.xml for this line:
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
And change Connector port="8080" to Connector port="80"

How do I Configure two https connector port in jboss 7?

I need to configure 2 https ports (5480 and 8443) in jboss 7 ( I did this jboss 5 adding one more connector port). I tried creating two https connector ports in standalone-full.xml but it did not work.
Following is my current configuration for 8443 https port and I need another port 5480 as well.
<subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false">
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl key-alias="tomcat" password="FOO#Bar-1" certificate-key-file="${jboss.server.config.dir}/keystore" cipher-suite="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5" protocol="TLS" verify-client="false"/>
</ connector >
</subsystem>
<socket-binding name="https" port="8443"/>

Unless you changed some configuration, your standalone jboss container reads configuration from standalone.xml rather than from standalone-full.xml. The "full" version is like an example file.

Setting up multiple ports on a single JBoss instance?

Problem Context
Here's the situation. We are running a simulator servlet from a war. The servlet we are simulating has many instances on a single machine differentiated by port number. We would like to only deploy a single war which can be accessed by many ports.
What We Have So Far
Using a java Filter (see below for web.xml) we are able to forward to each servlet implementation based on port number (ports were added by adding extra connectors to deploy/jbossweb.sar/server.xml). This works for all web service calls, but not for wsdl requests like http://localhost:8092/simulator/sim?wsdl where 8092 is the desired version of the simulator out of many (8091, 8092, 8093, 8094). On that request the wsdl is returned correctly (each simulator implementation is slightly different) except that the URL soap:address tag always uses port 8091.
Note: We are using JBoss 5.0
relevant parts of web.xml:
<filter>
<filter-name>SimFilter</filter-name>
<filter-class>com.example.filter.MyFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SimFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>

You need to modify Tomcat's configuration (JBoss uses an embedded version of Tomcat).
Relevant file is:
$ $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml
There is a portion where you configure the binding ports. This is what comes by default:
<!-- A HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/>
You can add several "connectors". One for each port you need.
Then restart your JBoss.
You will see something like this on the LOG:
16:29:13,803 INFO [Http11BaseProtocol] Initializing Coyote HTTP/1.1 on http-0.0.0.0-8080
16:29:13,804 INFO [Http11BaseProtocol] Initializing Coyote HTTP/1.1 on http-0.0.0.0-8091
16:29:13,805 INFO [Http11BaseProtocol] Initializing Coyote HTTP/1.1 on http-0.0.0.0-8092
16:29:13,805 INFO [Http11BaseProtocol] Initializing Coyote HTTP/1.1 on http-0.0.0.0-8093
16:29:13,805 INFO [Http11BaseProtocol] Initializing Coyote HTTP/1.1 on http-0.0.0.0-8094
This is what you need to add on your server.xml file:
<Connector port="8091" address="${jboss.bind.address}"
maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/>
<Connector port="8092" address="${jboss.bind.address}"
maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/>
....
One XML tag for each new port.

One doubt, since all the connections are redirected to 8443, what is the point in giving multiple configuration? will it avoid port congestion?