In this tutorial we will show all the steps to create and secure a JBoss EAP / WildFly domain.
To configure our domain, we will first configure the domain controller and its domain.xml configuration file. Next, we will configure the single host where the application server will run.
Domain controller set up (domain.xml)
The server configuration of the domain is centralized in the domain.xml file of the domain controller. The domain.xml is located at domain/configuration/. It includes the main configuration for all server instances. This file is only required for the domain controller.
In the domain.xml file we will define the server group configuration (which can also be changed at runtime, as we will see in a minute).
<server-groups>
    <server-group name="main-server-group" profile="full">
        <jvm name="default">
            <heap size="64m" max-size="512m"/>
        </jvm>
        <socket-binding-group ref="full-sockets"/>
    </server-group>
    <server-group name="other-server-group" profile="full-ha">
        <jvm name="default">
            <heap size="64m" max-size="512m"/>
        </jvm>
        <socket-binding-group ref="full-sockets"/>
    </server-group>
</server-groups>
This domain configuration reflects the following schema:
As you can see, we have two server groups: main-server-group and other-server-group. You can in turn associate each server group with a different profile.
The default configuration includes four preconfigured profiles:
- default - Support of Java EE Web-Profile plus some extensions like RESTful Web Services or support for EJB3 remote invocations
- full - Support of Java EE Full-Profile and all server capabilities without clustering
- ha - default profile with clustering capabilities
- full-ha - full profile with clustering capabilities
A profile contains the configuration of the supported subsystems, each of which is added by an extension. We choose the full profile, which contains all JBoss AS capabilities except for clustering, which will be covered later in this book.
The server group assigns the referenced profile to one socket-binding group. A socket-binding group refers to logical interface names instead of referring directly to the interfaces of a host. These logical interfaces are defined in the <interfaces> section of the domain.xml configuration file.
<interfaces>
    <interface name="management"/>
    <interface name="public"/>
    <interface name="unsecure"/>
</interfaces>
The exact binding of the interfaces to IP addresses is done in the host.xml file; however, we will leave it with the default values and use startup properties to override these values.
Configuring the host.xml of the Domain controller
The first thing we need to check is that the host controller acts as the domain controller. This is stated by the following domain-controller stanza:
<domain-controller>
    <local/>
</domain-controller>
Next, since we won't add any servers on this host, we need to state this using an empty servers element:
The last thing we need to do is create a management user, which the other host controllers will use to authenticate when connecting to the domain controller. For this purpose we will use the add-user.sh shell script, which is located in the bin folder of JBOSS_HOME:
What type of user do you wish to add?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
Enter the details of the new user to add.
Realm (ManagementRealm) :
Username : admin1234
Re-enter Password :
Are you sure you want to add user 'domain' yes/no? y
About to add user admin1234 for realm 'ManagementRealm'
Is this correct yes/no? y
Added user 'admin1234' to file '/standalone/configuration/mgmt-users.properties'
Added user 'admin1234' to file '/domain/configuration/mgmt-users.properties'
Is this new user going to be used for one AS process to connect to another AS process e.g.
slave domain controller?
To represent the user add the following to the server-identities definition
<secret value="ZnJhbmsxMjMh" />
TIP! You can use add-user.sh in non-interactive mode to create the management user and show the secret. Example: add-user.sh -u admin1234 -p Password1! -ds
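The <secret> value printed by add-user.sh is the Base64 encoding of the password, not a hash, so any host.xml that carries it has to be protected like a credential file. The audit below is an added example, not part of the original tutorial or the WildFly project; the host.xml fragment, its namespace version and the function names are constructed for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample of a host.xml fragment (namespace version is an assumption);
# the secret is the value shown in the add-user.sh session above.
SAMPLE_HOST_XML = """\
<host name="slave1" xmlns="urn:jboss:domain:1.7">
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <server-identities>
          <secret value="ZnJhbmsxMjMh"/>
        </server-identities>
      </security-realm>
    </security-realms>
  </management>
</host>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find_recoverable_secrets(host_xml):
    """Return (realm name, password length) for each <secret> that is plain Base64 text."""
    findings = []
    for realm in ET.fromstring(host_xml).iter():
        if local(realm.tag) != "security-realm":
            continue
        for node in realm.iter():
            if local(node.tag) != "secret" or "value" not in node.attrib:
                continue
            try:
                raw = base64.b64decode(node.attrib["value"], validate=True)
                text = raw.decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not plain Base64 text, nothing recoverable to report
            if text and text.isprintable():
                # Report only the length so the audit output never leaks the password.
                findings.append((realm.get("name"), len(text)))
    return findings

if __name__ == "__main__":
    for realm, length in find_recoverable_secrets(SAMPLE_HOST_XML):
        print(f"{realm}: <secret> is Base64 of a {length}-character password; "
              "restrict read access to this host.xml")
```

Run it against each host controller's host.xml; any finding means the file's permissions and backups need the same handling as mgmt-users.properties.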
Now we can start the domain controller with the following command. We will pass the physical network bind address to the host configuration with the jboss.bind.address.management property. The management interface must be reachable from all hosts in the domain so that they can establish a connection with the domain controller.
domain.sh -b 192.168.1.1 -Djboss.bind.address.management=192.168.1.1
(Please note that the -b parameter is an alias for the -Djboss.bind.address parameter.)