View/configure access log of Keycloak HTTP server - keycloak

How to view/configure access logs of HTTP server Keycloak uses?
I'm trying to investigate connection_refused_error to Keycloak admin UI.

Try adding the following <access-log/> tag to your server configuration file, for example: standalone/configuration/standalone.xml.
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        ...
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <!-- Add the following one line -->
            <access-log prefix="access." />
            <http-invoker security-realm="ApplicationRealm"/>
            <filter-ref name="proxy-peer"/>
        </host>
    </server>
    ...
</subsystem>
You can see access.log in your standalone/log/ directory after restarting your Keycloak server and the log file is rotated daily with a name like access.2019-07-26.log.
EDIT:
You can also use JBoss CLI as follows:
$ ./jboss-cli.sh
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
[standalone#localhost:9990 /] /subsystem=undertow/server=default-server/host=default-host/setting=access-log:add
{"outcome" => "success"}
This command adds the following line to standalone.xml:
<access-log/>
The next command shows the access log settings (default values):
[standalone#localhost:9990 /] /subsystem=undertow/server=default-server/host=default-host/setting=access-log:read-resource
{
"outcome" => "success",
"result" => {
"directory" => expression "${jboss.server.log.dir}",
"extended" => false,
"pattern" => "common",
"predicate" => undefined,
"prefix" => "access_log.",
"relative-to" => undefined,
"rotate" => true,
"suffix" => "log",
"use-server-log" => false,
"worker" => "default"
},
"response-headers" => {"process-state" => "reload-required"}
}
You can change an attribute (for example, prefix) by the command:
[standalone#localhost:9990 /] /subsystem=undertow/server=default-server/host=default-host/setting=access-log:write-attribute(name=prefix,value=access.)
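As an added example (not part of the answers on this page), the following Python parses lines in the "common" pattern shown in the read-resource output above and counts error responses per client, optionally limited to one path prefix. The sample lines are constructed, and the /auth/... request paths are assumptions about the deployment.

```python
import re
from collections import Counter
from datetime import datetime

# Undertow's "common" pattern is: %h %l %u %t "%r" %s %b
COMMON = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample lines, not from a real server; the paths are assumptions.
SAMPLE = """\
192.0.2.10 - - [26/Jul/2019:10:15:32 +0900] "GET /auth/admin/ HTTP/1.1" 200 1532
192.0.2.10 - - [26/Jul/2019:10:15:40 +0900] "GET /auth/admin/master/console/ HTTP/1.1" 403 -
198.51.100.7 - - [26/Jul/2019:10:16:02 +0900] "POST /auth/realms/master/protocol/openid-connect/token HTTP/1.1" 401 85
198.51.100.7 - - [26/Jul/2019:10:16:03 +0900] "POST /auth/realms/master/protocol/openid-connect/token HTTP/1.1" 401 85
this line is truncated "GET
203.0.113.5 - - [26/Jul/2019:10:17:11 +0900] "GET /auth/admin/ HTTP/1.1" 500 -
"""

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = COMMON.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    method, _, rest = rec["request"].partition(" ")
    rec["method"], rec["path"] = method, rest.split(" ")[0]
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" = no body
    return rec

def failures(text, path_prefix=""):
    """Count 4xx/5xx responses per (client, status) and the unparsable lines."""
    counts, unparsed = Counter(), 0
    for line in filter(str.strip, text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # keep a tally instead of silently dropping bad lines
        elif rec["status"] >= 400 and rec["path"].startswith(path_prefix):
            counts[(rec["host"], rec["status"])] += 1
    return counts, unparsed

if __name__ == "__main__":
    counts, unparsed = failures(SAMPLE, "/auth/admin")
    print(dict(counts), "unparsed:", unparsed)
```

A TCP connection that is refused never reaches Undertow, so it leaves no line in this log; the entries show only requests the HTTP server actually received.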

To extend Kohei TAMURA's answer:
In order to configure the access log without reloading Keycloak:
Add the line <access-log worker="default" directory="${jboss.server.log.dir}" prefix="access." suffix="log"/> to standalone/configuration/standalone.xml, or to standalone/configuration/standalone-ha.xml if a clustered configuration is used.
Reload Wildfly server configuration without restarting it:
jboss/keycloak/bin/jboss-cli.sh --connect
[standalone#localhost:9990 /] reload

Related

Master/Slave cluster couldn't send message: AMQ229031: Unable to validate user from Management

I already installed Apache ActiveMQ Artemis 2.26.0 and tried to create a master slave cluster.
I created the master slave cluster based on a YouTube video. Apache ActiveMQ Artemis 2.15.0 is used in that video.
When I try to create it in the command prompt, there is no notification that the backup has been announced, but I can open the live server on 8161 and the backup server on 8162.
Then I created an address and a queue on localhost 8161, and that succeeded.
I got the problem when I tried to send a message on 8161. I got the notification:
Could not send message: java.lang.IllegalStateException : AMQ229031: Unable to validate user from Management. Username: null; SSL certificate subject DN: unavailable
For information, I found a difference in bootstrap.xml (slave): the script is different. The difference is:
ActiveMQ Artemis 2.26.0
<!-- The web server is only bound to localhost by default -->
<web path="web" rootRedirectLocation="console">
    <binding uri="http://localhost:8161">
        <app url="activemq-branding" war="activemq-branding.war"/>
        <app url="artemis-plugin" war="artemis-plugin.war"/>
        <app url="console" war="console.war"/>
    </binding>
</web>
ActiveMQ Artemis 2.15.0
<!-- The web server is only bound to localhost by default -->
<web bind="http://localhost:8161" path="web">
    <app url="activemq-branding" war="activemq-branding.war"/>
    <app url="artemis-plugin" war="artemis-plugin.war"/>
    <app url="console" war="console.war"/>
</web>
Does this difference matter when creating the backup server on localhost 8162?
I tried the steps in the YouTube video and searched Google for a solution, but I didn't find one. I expect to run the live and backup servers successfully, and I want to know the right steps to install a master slave cluster.

Configuring JBoss 7.x in domain mode with negative port offset

I would like to change the default port of JBoss 7 in both standalone and domain mode to 5050:
http://localhost:5050
In standalone mode, I simply changed the below property in standalone.xml:
<socket-binding name="http" port="5050"/>
In domain mode, however, I have the option to only change the offset in host.xml:
<server name="server-one" group="main-server-group">
    <!-- Remote JPDA debugging for a specific server
    <jvm name="default">
        <jvm-options>
            <option value="-Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n"/>
        </jvm-options>
    </jvm>
    -->
    <socket-bindings port-offset="5"/>
</server>
<server name="server-two" group="main-server-group" auto-start="true">
    <!-- server-two avoids port conflicts by incrementing the ports in
         the default socket-group declared in the server-group -->
    <socket-bindings port-offset="10"/>
</server>
When I try setting a negative port-offset, the startup script throws an error. How can I change the port from 8080 to 5050 in domain mode?
Create a system property in host.xml for "jboss.http.port", like this:
<server name="server-two" group="main-server-group" auto-start="true">
    <system-properties>
        <property name="jboss.http.port" value="4950" boot-time="true"/>
    </system-properties>
    <socket-bindings port-offset="100"/>
</server>
Just make sure that the port-offset value is deducted from 5050.

Error when an email is sent from Wildfly 10.1.0

I configured my Wildfly (in domain mode) to send e-mails using Mail Session and Remote Socket Bindings.
After filling in the SMTP server, port 587, username, password, etc., I receive an error when Wildfly tries to send the e-mail:
Client was not authenticated to send anonymous mail during MAIL FROM
My credentials to authenticate in the SMTP server are correct.
I already tried setting Enable SSL? to true in the Web Console, but I can't even connect to the server when I enable SSL.
I think the problem is that I need to enable TLS and not SSL. In the old JBoss I could do this using properties, like this:
<property name="mail.smtp.tls" value="true"></property>
<property name="mail.smtp.starttls.enable" value="true"></property>
But I can't see this possibility in Wildfly and I'm trying to not edit any XML.
So, how can I set TLS to true in Wildfly?
Well, I found the right command to apply on the domain controller. The big problem here is that the Web Console doesn't show the Use TLS? option...
After connecting to the domain server with the JBoss client, you can set TLS to true:
/profile=full-ha/subsystem=mail/mail-session=MyMailSession/server=smtp:write-attribute(name=tls, value=true)
You can see the change with this command:
/profile=full-ha/subsystem=mail/mail-session=MyMailSession/server=smtp:read-resource()
{
"outcome" => "success",
"result" => {
"outbound-socket-binding-ref" => "mail-smtp",
"password" => "PASSWORD",
"ssl" => false,
"tls" => true,
"username" => "domain.com"
}
}

How do I Configure two https connector port in jboss 7?

I need to configure 2 https ports (5480 and 8443) in JBoss 7 (I did this in JBoss 5 by adding one more connector port). I tried creating two https connector ports in standalone-full.xml but it did not work.
Following is my current configuration for the 8443 https port, and I need another port, 5480, as well.
<subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false">
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl key-alias="tomcat" password="FOO#Bar-1" certificate-key-file="${jboss.server.config.dir}/keystore" cipher-suite="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5" protocol="TLS" verify-client="false"/>
    </connector>
</subsystem>
<socket-binding name="https" port="8443"/>
Unless you changed some configuration, your standalone jboss container reads configuration from standalone.xml rather than from standalone-full.xml. The "full" version is like an example file.

server.xml equivalent in JBoss AS 7

I am trying to run my application in JBoss 7, moving from JBoss 4. In JBoss 4 we changed server.xml to configure keystoreFile, keystorePass, etc. Can anyone help me with where to make these changes in JBoss 7?
The server.xml equivalent in Jboss 7 is a standalone/configuration/standalone.xml for a standalone installation and domain.xml for a domain aware one.
I'm not sure where those options are or how you're supposed to configure it in Jboss 7, but start with standalone.xml file first.
Edit the file standalone/configuration/standalone.xml:
<subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
    <connector name="http" scheme="http" protocol="HTTP/1.1" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost" />
        <alias name="example.com" />
    </virtual-server>
</subsystem>
Replace the connector tag with the following one:
<connector name="https" scheme="https" protocol="HTTP/1.1" secure="true" socket-binding="https" ssl="your certificate name"/>
You should avoid touching the config XMLs yourself.
Rather, leave it up to the domain controller and host controller, and configure your server through the means mentioned here:
JBoss AS 7 JMX Console
Update:
For manual configuration, try the Web UI - http://localhost:9990/.
For automated configuration, try CLI scripts.
To develop and debug CLI commands, try jboss-cli.sh --gui.
But if you really must, it's in standalone/configuration/standalone.xml:
<subsystem xmlns="urn:jboss:domain:web:1.0" ...>
The schema is here: http://www.jboss.org/schema/jbossas/jboss-as-web_1_2.xsd
(or later versions).
The recommended way to change the AS 7 model is, in any case, by means of the Command Line Interface.
For example, you can set the socket binding port of the HTTP port to 8090 with:
/socket-binding-group=standard-sockets/socket-binding=http:write-attribute(name="port", value="8090")
JBoss EAP 7 uses the Undertow web server and configures it via the undertow subsystem (which replaces the web subsystem used in previous versions). SSL/TLS setup using the CLI is described in Setting up an SSL/TLS for Applications. If you would like to directly modify the standalone.xml file, the instructions can be translated to:
1. Add and configure an HTTPS security realm: under /server/management/security-realms add an HTTPS security-realm element, for example
<security-realm name="HTTPSRealm">
    <server-identities>
        <ssl>
            <keystore path="/path/to/your/keystore/myKeystore.jks"
                      keystore-password="myKeystorePassword"
                      alias="mySSLKeyPairAlias"
                      key-password="mySSLKeyPairPassword" />
        </ssl>
    </server-identities>
</security-realm>
2. Update the undertow subsystem to use the HTTPS security realm: under /server/profile find the Undertow subsystem element (e.g. <subsystem xmlns="urn:jboss:domain:undertow:3.1">). It has a server child element to which you add an https-listener element referencing your HTTPSRealm created in step 1 above, for example
<https-listener name="default-ssl" socket-binding="https" security-realm="HTTPSRealm" />
More details can be found at these related links:
Security Realms
Security Realm Detailed Configuration
https-listener Attributes
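
A check for the two steps above, as an added Python example that is not from the answer or from the JBoss documentation: it verifies that each https-listener points at a defined socket binding and at a security realm that carries an SSL keystore. The XML is a constructed, trimmed stand-in for standalone.xml that assumes the security-realm style of setup shown in the answer; the second-ssl listener and https2 binding are made up to show a dangling reference, and elements are matched by name so the namespace version does not matter.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for standalone.xml (not a real server's file).
# "second-ssl" and "https2" are made-up names that show a dangling reference.
SAMPLE = """\
<server>
  <security-realm name="HTTPSRealm">
    <server-identities><ssl>
      <keystore path="/path/to/your/keystore/myKeystore.jks" alias="mySSLKeyPairAlias"/>
    </ssl></server-identities>
  </security-realm>
  <security-realm name="ApplicationRealm"/>
  <subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <server name="default-server">
      <https-listener name="default-ssl" socket-binding="https" security-realm="HTTPSRealm"/>
      <https-listener name="second-ssl" socket-binding="https2" security-realm="ApplicationRealm"/>
    </server>
  </subsystem>
  <socket-binding name="https" port="8443"/>
</server>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (listener name, problem) pairs for every broken https-listener reference."""
    elems = [(local(e.tag), e) for e in ET.fromstring(xml_text).iter()]
    realms = {e.get("name"): e for tag, e in elems if tag == "security-realm"}
    bindings = {e.get("name") for tag, e in elems if tag == "socket-binding"}
    problems = []
    for tag, e in elems:
        if tag != "https-listener":
            continue
        name, realm = e.get("name"), e.get("security-realm")
        if e.get("socket-binding") not in bindings:
            problems.append((name, "socket-binding not defined"))
        if realm not in realms:
            problems.append((name, "security-realm not defined"))
        elif not any(local(k.tag) == "keystore" and k.get("path") for k in realms[realm].iter()):
            problems.append((name, "security-realm has no ssl keystore"))
    return problems

if __name__ == "__main__":
    for listener, problem in audit(SAMPLE):
        print(f"{listener}: {problem}")
```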