Situation: Windows 10 Host machine needs to communicate with Fedora 26 virtual machine. Windows 10 is my host in domain, fedora is slave. VirtualBox machine has 2 adapters, one is Bridged, and the other is Internal Network Adapter.
IPv4 of my host machine is: 192.168.0.17
Slave machine IP is: 192.168.0.35
When running domain on Windows, and accessing 192.168.0.17:9990 I can bring up management console. But when starting domain on Fedora, it says Connection timeout, cant connect to remote://192.168.0.17:9990
Picture below is my current situation.
What have I done: I have disabled and stopped firewalld on fedora, iptables aren't running, as I can't even disable them.
I have enabled firewall rule on windows that lets me communicate between host and vm.
I have tried pinging Host machine from Fedora, and it is all good.
I have tried changing ports on <static-discovery/> tag, but it won't ping 9990, nor 9999.
I have tried connecting to host management console via jboss-cli on host machine, and it is working.
I have tried connecting to host management console via jboss-cli on slave machine, and it is working.
My host.xml file on Windows:
<management-interfaces>
<http-interface security-realm="ManagementRealm">
<http-upgrade enabled="true"/>
<socket interface="management" port="${jboss.management.http.port:9990}"/>
</http-interface>
</management-interfaces>
<domain-controller>
<local/>
</domain-controller>
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:192.168.0.17}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:192.168.0.17}"/>
</interface>
<interface name="unsecured">
<inet-address value="192.168.0.17"/>
</interface>
</interfaces>
My host.xml file on slave:
<domain-controller>
<remote security-realm="ManagementRealm">
<discovery-options>
<static-discovery name="master-native" protocol="remote" host="192.168.0.17" port="9999" />
<static-discovery name="master-https" protocol="https-remoting" host="192.168.0.17" port="9993" security-realm="ManagementRealm"/>
<static-discovery name="master-http" protocol="http-remoting" host="192.168.0.17" port="9990" />
</discovery-options>
</remote>
</domain-controller>
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:10.211.55.2}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:10.211.55.2}"/>
</interface>
<interface name="unsecured">
<inet-address value="10.211.55.2" />
</interface>
</interfaces>
I have followed this tutorial: https://docs.jboss.org/author/display/WFLY10/Clustering+and+Domain+Setup+Walkthrough
Following picture is the output on Fedora when starting domain.sh, and output on windows when starting domain.bat
9990 port is for http-remoting not remote protocol (port 9999), change it and try again.
See: Domain Configuration
Related
I am fixing some issues while upgrading from PAM/JBPM 7.9 to 7.12 and with JBoss EAP going from 7.3 to 7.4. To make sure my environment mimics the test server, I tried to downgrade from the Java 11 on my machine to the test server's Openjdk version 8. After changing the Java version, I compensated for a few old certificates, reimported them into keystores and debugged a few errors in the the JBoss logs. However, I seem stuck on what seems like a security issue that has the following symptoms:
At the JBoss console the address of the console (https://127.0.0.1:9993/console/index.html) is being noted in the browser as "Not secure".
I cannot log in to Business Central (Login failed: Not Authorized) despite having used add-user to update the password in application-users.properties. I did this in case the file copied from 7.3 was made using a different level of security than the security in my 7.4 installation.
Kieserver cannot interact with Business Central. I used add-user to update the password for the kieserver account as well. The error message for this is
11:28:15,352 WARN [org.kie.server.services.impl.controller.DefaultRestControllerImpl] (KieServer-ControllerConnect) Exception encountered while syncing with controller at http://localhost:8080/business-central/rest/controller/server/default-kieserver error Error while sending PUT request to http://localhost:8080/business-central/rest/controller/server/default-kieserver response code 405
I have seen similar warning when kie-server cannot reach the backend database but the datasource tests fine and I can connect to the database using the kieserver's credentials.
I see a logged error about the same port, but I am not sure if it is related to the EAP console or PAM
11:28:23,080 INFO [org.xnio.nio] (pool-28-thread-1) XNIO NIO Implementation Version 3.8.4.Final-redhat-00001
11:28:23,210 ERROR [org.kie.workbench.common.screens.datasource.management.backend.integration.wildfly.WildflyBaseClient] (pool-28-thread-1) It was not possible to open connection to Wildfly/EAP server.: java.io.IOException: java.net.ConnectException: WFLYPRT0053: Could not connect to http-remoting://127.0.0.1:9990. The connection failed
at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:149)
at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:80)
at org.kie.workbench.common.screens.datasource.management.backend.integration.wildfly.WildflyBaseClient.testConnection(WildflyBaseClient.java:158)
at org.kie.workbench.common.screens.datasource.management.backend.integration.wildfly.WildflyBaseClient.testConnection(WildflyBaseClient.java:147)
at org.kie.workbench.common.screens.datasource.management.backend.core.wildfly.WildflyDriverProvider.hasStarted(WildflyDriverProvider.java:210)
at org.kie.workbench.common.screens.datasource.management.backend.core.wildfly.WildflyDriverProvider$Proxy$_$$_WeldClientProxy.hasStarted(Unknown Source)
at org.kie.workbench.common.screens.datasource.management.backend.core.impl.DataSourceRuntimeManagerImpl.hasStarted(DataSourceRuntimeManagerImpl.java:199)
at org.kie.workbench.common.screens.datasource.management.backend.core.impl.DataSourceRuntimeManagerImpl$Proxy$_$$_WeldClientProxy.hasStarted(Unknown Source)
at org.kie.workbench.common.screens.datasource.management.backend.DataSourceManagementBootstrap.lambda$getInitializeDeploymentsTask$0(DataSourceManagementBootstrap.java:172)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.ConnectException: WFLYPRT0053: Could not connect to http-remoting://127.0.0.1:9990. The connection failed
at org.jboss.as.protocol.ProtocolConnectionUtils.checkFuture(ProtocolConnectionUtils.java:145)
at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:125)
at org.jboss.as.protocol.ProtocolConnectionManager$EstablishingConnection.connect(ProtocolConnectionManager.java:259)
at org.jboss.as.protocol.ProtocolConnectionManager.connect(ProtocolConnectionManager.java:70)
at org.jboss.as.protocol.mgmt.ManagementClientChannelStrategy$Establishing.getChannel(ManagementClientChannelStrategy.java:167)
at org.jboss.as.controller.client.impl.RemotingModelControllerClient.getOrCreateChannel(RemotingModelControllerClient.java:132)
at org.jboss.as.controller.client.impl.RemotingModelControllerClient$2.getChannel(RemotingModelControllerClient.java:85)
at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:135)
at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:110)
at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeRequest(AbstractModelControllerClient.java:263)
at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:168)
at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:147)
... 15 more
Caused by: org.xnio.http.RedirectException: XNIO000816: Redirect encountered establishing connection
at org.xnio.http.HttpUpgrade$HttpUpgradeState.handleRedirect(HttpUpgrade.java:513)
at org.xnio.http.HttpUpgrade$HttpUpgradeState.access$1300(HttpUpgrade.java:165)
at org.xnio.http.HttpUpgrade$HttpUpgradeState$UpgradeResultListener.handleEvent(HttpUpgrade.java:468)
at org.xnio.http.HttpUpgrade$HttpUpgradeState.flushUpgradeChannel(HttpUpgrade.java:369)
at org.xnio.http.HttpUpgrade$HttpUpgradeState.access$900(HttpUpgrade.java:165)
at org.xnio.http.HttpUpgrade$HttpUpgradeState$ConnectionOpenListener.handleEvent(HttpUpgrade.java:340)
at org.xnio.http.HttpUpgrade$HttpUpgradeState$ConnectionOpenListener.handleEvent(HttpUpgrade.java:320)
at org.xnio.http.HttpUpgrade$HttpUpgradeState.upgradeExistingConnection(HttpUpgrade.java:315)
at org.xnio.http.HttpUpgrade.performUpgrade(HttpUpgrade.java:144)
at org.jboss.remoting3.remote.HttpUpgradeConnectionProvider$UpgradeListener.handleEvent(HttpUpgradeConnectionProvider.java:174)
at org.jboss.remoting3.remote.HttpUpgradeConnectionProvider$UpgradeListener.handleEvent(HttpUpgradeConnectionProvider.java:153)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.nio.WorkerThread$ConnectHandle.handleReady(WorkerThread.java:333)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:599)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:561)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:549)
at org.jboss.as.protocol.ProtocolConnectionUtils.connect(ProtocolConnectionUtils.java:227)
at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:121)
... 25 more
These are my interfaces and socket binding's in standalone.xml
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
</interface>
<interface name="unsecure">
<inet-address value="${jboss.bind.address.unsecure:0.0.0.0}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="iiop" interface="unsecure" port="3538"/>
<socket-binding name="iiop-ssl" interface="unsecure" port="3539"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
</socket-binding-group>
What is the best way to investigate or fix this security issue?
I tried to connect to jboss with jboss cli client in the some server it works perfect , but from outside the server it show the message error :
Failed to connect to the controller: The controller is not available at ip:9990: java.net.ConnectException: WFLYPRT0023: Could not connect to http-remoting://ip:9990. The connection timed out: WFLYPRT0023: Could not connect to http-remoting://ip:9990 Connection refused
I launch this command :
java -jar jboss-cli-client.jar --connect --controller=serverIp:9990 --user=userNameJboss --password=passwordJboss
file standalone.xml
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:0.0.0.0}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:0.0.0.0}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
jboos-cli.xml
<jboss-cli xmlns="urn:jboss:cli:3.3">
<default-protocol use-legacy-override="true">remote+http</default-protocol>
<!-- The default controller to connect to when 'connect' command is executed w/o arguments -->
<default-controller>
<protocol>remote+http</protocol>
<host>localhost</host>
<port>9990</port>
</default-controller>
<!-- Example controller alias named 'Test'
<controllers>
<controller name="Test">
<protocol>remote+http</protocol>
<host>localhost</host>
<port>9990</port>
</controller>
</controllers>
-->
<validate-operation-requests>true</validate-operation-requests>
<!-- Command and operation history log configuration -->
<history>
<enabled>true</enabled>
<file-name>.jboss-cli-history</file-name>
<file-dir>${user.home}</file-dir>
<max-size>500</max-size>
</history>
<!-- whether to resolve system properties specified as command argument or operation parameter values
in the CLI VM before sending the operation requests to the controller -->
<resolve-parameter-values>false</resolve-parameter-values>
<!-- Whether to write info and error messages to the terminal output -->
<silent>false</silent>
<!-- Whether to filter out commands and attributes based on user's permissions -->
<access-control>false</access-control>
<!-- Include the prompt with the command into the output for each command executed in non-interactive mode -->
<echo-command>false</echo-command>
<!-- Uncomment to set the command timeout. Element value is in seconds -->
<!-- <command-timeout>30</command-timeout> -->
<!-- Uncomment to display operation responses using JSON syntax.
By default responses are displayed using DMR string syntax. -->
<!-- <output-json>true</output-json> -->
<!-- Configuration of CLI colors. To disable, change <enabled> to false.
Available colors: black, blue, cyan, green, magenta, red, white, yellow and default, which is the terminal's default
foreground color-->
<color-output>
<enabled>true</enabled>
<error-color>red</error-color>
<warn-color>yellow</warn-color>
<success-color>default</success-color>
<required-color>magenta</required-color>
<workflow-color>green</workflow-color>
<prompt-color>blue</prompt-color>
</color-output>
<connection-timeout>30</connection-timeout>
</jboss-cli>
Try increasing the timeout.
./jboss-cli.sh --connect --controller=yourIP:managementHttpPort --timeout=2000
By default cli is configured to connect in 5 sec(500ms) but sometimes due to firewall and latency it takes more than that so I suggest you try 20sec(20000)
Hi I try to start an standalone keycloak Server within a Docker container.
I set an "env" variable for production, local oder test for that the server connects to the correct MySQL DB.
But upon start up on AWS it seems to ignore the env vars. Localy Dockermachine works fine.
Here is the config setup:
in standalone.xml:
...for (empty) local
<datasource jndi-name="java:/jboss/datasources/KeycloakMysqlDS-default" pool-name="KeycloakMysqlDS-default" enabled="true">
...for production
<datasource jndi-name="java:/jboss/datasources/KeycloakMysqlDS-production" pool-name="KeycloakMysqlDS-production" enabled="true">
...
<provider name="default" enabled="true">
<properties>
<property name="dataSource" value="java:jboss/datasources/KeycloakMysqlDS-${env.env}"/>
....
The 'env' var is verified set to "production" on AWS and empty on local and also reacts in local dockermachine changes.
Just on starting on the AWS dockermachine it uses the default instead of the {env.env} var.
Anyone saw the behaviour before? Or have an idea how to correct it?
Thanks in advance
Gregor
UPDATE:
Well the error does not happen on startup.
It happens several minutes afterwards:
...
WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (JCA PoolFiller) IJ000610: Unable to fill pool: java:/jboss/datasources/KeycloakMysqlDS-default: ... Connection refused.
...
So it probably not a problem with the env var.
Instead Keycloak seems to try to open connection to setted datasource... is it true?
Completley another problem...
Keycloak bid to another IP by default. Had to set the ip to 0.0.0.0 to work inside a Docker container.
in configuration.xml...
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:0.0.0.0}"/>
<!--<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>-->
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:0.0.0.0}"/>
<!--<inet-address value="${jboss.bind.address:127.0.0.1}"/>-->
</interface>
</interfaces>
I installed eap7.1 on RHEL73, everything works fine, but failed to use jconsole to connect server instance, I didn't find anything related with how to set jmx component on eap7.1, but found something for eap6, here is main points I found:
Should disable management binding and enable an remote binding:
Add option as eap server startup option:
-Djavax.management.builder.initial=org.jboss.system.server.jmx.MBeanServerBuilderImpl
-Djboss.platform.mbeanserver
Use $JBOSS_HOME/bin/jconsole.sh to startup jconsole
But I always failed with jconsole reponse as " the connection to service:jmx:remote://192.168.56.11:4447 did not succeed"
Here is key point of domain.xml
...
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<endpoint/>
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
...
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector use-management-endpoint="false"/>
</subsystem>
...
<socket-binding-group name="ha-sockets" default-interface="public">
...
<socket-binding name="remoting" port="4447"/>
...
</socket-binding-group>
server startup successfully with the following log
"INFO [org.jboss.as.remoting] (MSC service thread 1-1) WFLYRMT0001: Listening on 192.168.56.11:4447"
netstat -an shows 4447 is ready.
The following is some guides on eap6 I followed:
https://access.redhat.com/solutions/149973
https://access.redhat.com/solutions/443033
https://access.redhat.com/solutions/413283
https://kb.novaordis.com/index.php/JMX_Access_to_Domain_Mode_EAP_7_Server_Node(this is for eap7)
Is there anything special on JMX for eap7.1?
Best regards
Lan
I have the same problems as you. My quick fix is:
change this:
<connector name="remoting-connector" socket-binding="remoting" **security-realm="ApplicationRealm"**/>
to this:
<connector name="remoting-connector" socket-binding="remoting" security-realm="ManagementRealm"/>
or remove realm:
<connector name="remoting-connector" socket-binding="remoting"/>
Probably I have a wrong user in ApplicationRealm or don't have the permission. I use this in zabbix jmx monitoring in domain mode with wildfly 10, 10.1 and 11.
You can connect the jconsole to EAP 7.1 with default configuration using the management realm. You just have to:
add a management user, via $JBOSS_HOME/bin/add-user.sh
start EAP
connect to jmx service address
service:jmx:remote+http://127.0.0.1:9990 via
$JBOSS_HOME/bin/jconsole.sh using credentials defined in above step
n.b.: The protokoll may differ from previous versions of eap
I'm trying to enable jmx remote in jboss 6.1. When I've added options like below
-Djboss.platform.mbeanserver
-Djavax.management.builder.initial=org.jboss.system.server.jmx.MBeanServerBuilderImpl
-Dcom.sun.management.jmxremote.port=12349
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false
, jboss can't start properly and I'got following error:
" Deployment "JBossLogService" is in error due to the following reason(s): java.lang.IllegalStateException: The LogManager was not properly installed (you must set the "java.util.logging.manager" system property to "org.jboss.logmanager.LogManager"), **ERROR**"
Do you have any ideas how to fix it ?
In Jboss EAP 6.1 JMX is enabled by default.
ensure you have:
<extension module="org.jboss.as.jmx"/> under <extensions>
<subsystem xmlns="urn:jboss:domain:jmx:1.2">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
use -Djboss.bind.address.management=YOURSERVERIP as command line argument to start you AS or change it here:
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:**127.0.0.1**}"/>
</interface>
..
</interfaces>
use jconsole start script under JBOSS_HOME/bin/jconsole.sh (it loads JBoss remoting libraries on classpath )
to use jvisualvm instead refer to https://github.com/johnaoahra80/jboss-as-tool-integration/tree/master/visualvm
use that url in jconsole service:jmx:remoting-jmx://yourIP:magementport (default is 9999)
use user/password you crated using JBOSS_HOME/bin/add-user.sh
add next options
-Djava.util.logging.manager=org.jboss.logmanager.LogManager
-Xbootclasspath/p:$JBOSS_HOME/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-version.jar
-Xbootclasspath/p:$JBOSS_HOME/modules/system/layers/base/org/jboss/log4j/logmanager/main/log4j-jboss-logmanager-version.jar
-Xbootclasspath/p:$JBOSS_HOME/modules/system/layers/base/org/apache/log4j/main/log4j-jboss-logmanager-version.jar
-Dcom.sun.management.jmxremote