Professional Open Source™
© JBoss, Inc. 2003-2005. June 16, 2005
Real-life installation scenarios
JBoss Production Installation
Objectives
In this section we cover:
– JBoss port configurations
– Installation issues with
• Firewalls
• Native web server front-ends
– Installing JBoss to run as a service
JBoss Port Configuration
JBoss Application as Service Framework
JBoss Application Server is a service platform
– Hosts multiple services
– Some services bind to physical ports
– Depending on which services are hosted, different combinations of listening socket ports may be opened
[Figure: services hosted on the JBoss Microkernel; labels: HTTP, RMI, TCP/IP, IIOP; Port 8080, Port 4444, Port 3528, Port 4445]
Ref : %JBoss_home%\server\default\conf\jboss-service.xml
Tomcat Connectors
Tomcat Connectors
Web tier has three main connectors
– HTTP 1.1 (TCP port 8080)
• Direct HTTP requests to the application server
– HTTPS (not enabled by default)
• Direct encrypted HTTP requests to the application server
– AJP13 (TCP port 8009)
• Apache Java Protocol from a native web server to the JBoss application server
– Depending on your deployment scenario you may want to enable/disable some of these
Ref : %Jboss_home%\server\default\deploy\jbossweb-tomcat50.sar\server.xml
Web Tier Connectors
Locate the configuration file:
Notice a version change starting from JBoss 4.0.2, which embeds Tomcat 5.5: the package name is accordingly "jbossweb-tomcat55.sar".
Web Tier Connectors
jbossweb-tomcat50.sar/server.xml
<!-- A HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" address="${jboss.bind.address}"
   maxThreads="150" maxHttpHeaderSize="8192" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" redirectPort="8443" acceptCount="100"
   connectionTimeout="20000" disableUploadTimeout="true"/>

<!-- A AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="${jboss.bind.address}"
   enableLookups="false" redirectPort="8443" debug="0" protocol="AJP/1.3"/>

Notice the use of system properties in configuration files.
– If all your incoming connections are proxied through a native web server with mod_jk, you may disable the HTTP connector
– Attribute "maxThreads":
• Maximum number of concurrent requests handled by this container
– Attribute "acceptCount":
• The length of the queue for incoming requests when all threads are processing requests
Naming Service
J2EE Phone Directory
Naming Service
– Java Naming and Directory Interface (JNDI)
– Primary lookup point for J2EE applications
• "All applications start from naming." – location transparency
– Redundancy required for high availability
• Provided by JBoss Clustering framework (more on this later).
[Figure: JBoss Microkernel hosting the Naming Service and other services; labels: lookup, proxy, remote calls]
Naming Service
How does the client find the naming service?
– Client machine usually has jndi.properties

jndi.properties
java.naming.factory.initial = org.jnp.interfaces.NamingContextFactory
java.naming.provider.url = jnp://localhost:1099
java.naming.factory.url.pkgs = org.jboss.naming

– This is usually the first access to the server a client makes
– Defaults to TCP port 1099
• Uses TCP/IP to communicate to port 1099 to retrieve a naming service proxy (Java RMI based)
• Then uses Java Remote Method Invocations to interact with the naming service
– E.g. lookup, naming context access, etc.
This applies to "stand-alone" clients. Web clients connect through the HTTP port, and generally don't use naming services remotely from the client.
Naming Service Configuration
Locate the service configuration:
– In the "static" bootup sequence from conf/jboss-service.xml
– Contents of "conf" are not hot-deployable (the directory is not monitored for changes)
– It is read once right after the kernel has been bootstrapped
Naming Service
conf/jboss-service.xml
<mbean code="org.jboss.naming.NamingService"
       name="jboss:service=Naming"
       xmbean-dd="resource:xmdesc/NamingService-xmbean.xml">
   <!-- The call by value mode. true if all lookups are unmarshalled using
        the caller's TCL, false if in VM lookups return the value by reference. -->
   <attribute name="CallByValue">false</attribute>
   <!-- The listening port for the bootstrap JNP service. Set this to -1
        to run the NamingService without the JNP invoker listening port. -->
   <attribute name="Port">1099</attribute>
   <!-- The bootstrap JNP server bind address. This also sets the default
        RMI service bind address. Empty == all addresses -->
   <attribute name="BindAddress">${jboss.bind.address}</attribute>
   <!-- The port of the RMI naming service, 0 == anonymous -->
   <attribute name="RmiPort">1098</attribute>
   <!-- The RMI service bind address. Empty == all addresses -->
   <attribute name="RmiBindAddress">${jboss.bind.address}</attribute>
   ...
</mbean>
Naming Service
Configuration options:
– Attribute "Port" (1099):
• Initial access point to naming services
• Can be disabled if:
1. Only have HTTP clients (no remote naming access)
2. All remote naming access is tunneled through HTTP (port 8080)
3. Running replicated naming services (TCP 1100 is used instead)
– Attribute "BindAddress":
• The NIC to bind the listening port to (IP address)
• Notice the use of system property jboss.bind.address
– Attributes "RmiPort" and "RmiBindAddress"
• The Java Remote Method Invocation access points to naming service, and the NIC binding address
Naming Service HTTP Tunneling
– Default naming access through two ports: JNP Bootstrap and RMI protocol
[Figure: default naming access to the Naming Service: JNP (TCP 1099), download RMI stub; RMI (TCP 1098), execute naming operations]
HTTP Invoker Servlet
– Default distribution contains a servlet that can accept and route remote calls to services deployed on the microkernel.
[Figure: tunneled naming access: HTTP communication to the servlet container, HTTP (TCP 8080), in front of the Naming Service]
JNDI Client Configuration
We don't need to specify any of the properties when we connect to the JNDI provider from within JBoss. JBoss reads the properties from the \conf\jndi.properties file.
Configuring the client to access JNDI through the JNP/RMI protocols:
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

Properties prop = new Properties();
prop.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
prop.put(Context.PROVIDER_URL, "jnp://localhost:1099");
// URL_PKG_PREFIXES takes a colon-separated list of package prefixes
prop.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
Create an initial context connecting to the JBoss naming provider:
InitialContext jbosscontext = new InitialContext(prop);
HTTP-Based JNDI
- JBoss provides an HTTP-based implementation for using JNDI contexts. The JNDI implementation provided by RMI can pose problems if the clients that connect to the naming provider sit outside a firewall.
- Firewalls allow communication to a set of predefined ports. In such cases, communication based on RMI may not be possible.
- HTTP is one of the protocols passed through by most firewalls, and they allow remote clients to connect to port 8080 of the internal servers.
- This is available as a SAR component called http-invoker.sar in the \deploy directory.
HTTP-Based JNDI
Configuring the client to access JNDI through the HTTP protocol:
Properties prop = new Properties();
prop.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.HttpNamingContextFactory");
prop.put(Context.PROVIDER_URL, "http://localhost:8080/invoker/JNDIFactory");
Create an initial context connecting to the JBoss naming provider:
InitialContext jbosscontext = new InitialContext(prop);
Naming Service HTTP Tunneling
How do I configure the client to use HTTP tunneling?
– Enable an HTTP proxy factory in the client jndi.properties configuration
– Point the provider URL to an HTTP servlet URL
jndi.properties
java.naming.factory.initial = org.jboss.naming.HttpNamingContextFactory
java.naming.provider.url = http://localhost:8080/invoker/JNDIFactory
java.naming.factory.url.pkgs = org.jboss.naming
– Encrypting the wire protocol is as easy as switching to an HTTPS URL and HTTPS port
• We will see how to enable HTTPS access in the security section
Note that if all your clients are web clients (web browsers accessing web applications), remote access to the naming service is usually not necessary (sans applets that may try to connect back to the application server).
Naming Service and HTTP Tunneling (Firewall Free)
How to locate the HTTP invoker servlet?
http://localhost:8080/invoker/JNDIFactory
<servlet-name>JNDIFactory</servlet-name>
<description>A servlet that exposes the JBoss JNDI Naming service stub
through http. The return content is a serialized MarshalledValue
containing the org.jnp.interfaces.Naming stub. This configuration handles
requests for the standard JNDI naming service.
</description>
...
<servlet-mapping>
   <servlet-name>JNDIFactory</servlet-name>
   <url-pattern>/JNDIFactory/*</url-pattern>
</servlet-mapping>
Remember that the default context root of a web application is derived from its package name: invoker.war → invoker
Clustered Naming and Multicast Discovery
When enabling clustering for naming service
– TCP 1100 for JNP initial bootstrap (stub)
• Instead of 1099 which can be closed
– RMI access port for naming operations
• For high availability naming this is an anonymous (random) port
• You will want to set it to a fixed port so it can be allowed through the firewall
– UDP port 1102 on multicast address
• Discovery of replicated naming service
• "Which IP addresses host a naming service?"
[Figure: three HA Naming (JNDI) nodes, each with JNP (TCP 1100) and RMI (TCP 0); Multicast Discovery, Address: 230.0.0.4, Port: UDP 1102]
EJB Invokers
EJB Invokers
Direct EJB component access from the client
– Does not apply if you only have HTTP clients to web applications
– Default is Java Remote Method Invocation access to TCP port 4444
– There's an alternative (pooled) invoker implementation at TCP port 4445
– EJB communication can also be tunneled through HTTP
• Same HTTP Invoker web application
• URL: http://<host>:8080/invoker/EJBInvokerServlet
– Embedded inside EJB HTTP proxies
[Figure: JRMP Invoker, RMI/JRMP (TCP 4444); Pooled Invoker, Socket (TCP 4445)]
EJB Invoker Configuration
Locate the service configuration:
– In the "static" bootup sequence from conf/jboss-service.xml
EJB Invokers (RMI/JRMP)
conf/jboss-service.xml
<!-- ==================================================================== -->
<!-- Invokers to the JMX node                                             -->
<!-- ==================================================================== -->

<!-- RMI/JRMP invoker -->
<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
       name="jboss:service=invoker,type=jrmp">
   <attribute name="RMIObjectPort">4444</attribute>
   <attribute name="ServerAddress">${jboss.bind.address}</attribute>
   <!--
   <attribute name="RMIClientSocketFactory">custom</attribute>
   <attribute name="RMIServerSocketFactory">custom</attribute>
   <attribute name="RMIServerSocketAddr">custom</attribute>
   <attribute name="SecurityDomain">ssl-domain-name</attribute>
   -->
   <depends>jboss:service=TransactionManager</depends>
</mbean>

Default RMI Java Remote Method Protocol (JRMP) invoker
– "Invoker" is functionally equivalent to a "Connector" – we use both terms
The commented-out attributes are used for encrypting the communication. We will cover this in the security section.
EJB Invokers (RMI)
Configuration options:
– RMIObjectPort
• The TCP port to which clients connecting directly to the EJB tier will attempt to open a socket by default
– ServerAddress
• Bind address for a multi-homed (multiple NICs) machine
If all clients connect via the web tier (servlets and JSPs) then this invoker is not necessary: it can be removed or the port blocked.
EJB Invokers (TCP/IP)
conf/jboss-service.xml
<!-- ==================================================================== -->
<!-- Invokers to the JMX node                                             -->
<!-- ==================================================================== -->
<mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
       name="jboss:service=invoker,type=pooled">
   <attribute name="NumAcceptThreads">1</attribute>
   <attribute name="MaxPoolSize">300</attribute>
   <attribute name="ClientMaxPoolSize">300</attribute>
   <attribute name="SocketTimeout">60000</attribute>
   <attribute name="ServerBindAddress">${jboss.bind.address}</attribute>
   <attribute name="ServerBindPort">4445</attribute>
   <attribute name="ClientConnectAddress">${jboss.bind.address}</attribute>
   <attribute name="ClientConnectPort">0</attribute>
   <attribute name="EnableTcpNoDelay">false</attribute>
   ...
</mbean>

Alternative socket level EJB invoker
– May yield better performance in some scenarios
– Usually you don't need both the RMI and pooled invoker
• Choose which one to use and disable the other
Messaging Invocation Layers
Messaging Connectivity
Messaging service (JMS) uses invocation layer
– Yet another name for invokers/connectors
• We are cleaning up these, honest!
Split to three main categories
– Socket based Unified Invocation Layer 2 (UIL2)
• Default TCP port 8093
– HTTP based invocation layer (servlet)
– A fast "In-VM" invocation layer for messages between components in the same server instance
Unlike EJB usage, message service clients often access the service directly, rather than through the web tier.
Messaging Connectivity
Locate service configuration:
– Directory "jms" under deploy (Java Messaging Service)
Messaging client access through HTTP tunnel
• Remove (undeploy) if not needed
Internal messaging layer
Messaging client access through multiplexing socket at TCP port 8093
• Remove (undeploy) if not needed
In some older JBoss 3.0.x and 3.2.x releases you may find additional invocation layers for messaging – RMI, UIL(1), OIL layers. These have been deprecated in favor of UIL2, which is the recommended production grade implementation.
Messaging Connectivity
deploy/jms/uil2-service.xml
<mbean code="org.jboss.mq.il.uil2.UILServerILService"
       name="jboss.mq:service=InvocationLayer,type=UIL2">
   <depends optional-attribute-name="Invoker">jboss.mq:service=Invoker</depends>
   <!-- JNDI binding -->
   <attribute name="ConnectionFactoryJNDIRef">ConnectionFactory</attribute>
   <attribute name="XAConnectionFactoryJNDIRef">XAConnectionFactory</attribute>
   <!-- The bind address -->
   <attribute name="BindAddress">${jboss.bind.address}</attribute>
   <!-- The bind port -->
   <attribute name="ServerBindPort">8093</attribute>
   <attribute name="PingPeriod">60000</attribute>
   <attribute name="EnableTcpNoDelay">true</attribute>
   <!-- Used to disconnect the client if there is no activity.
        Ensure this is greater than the ping period -->
   <attribute name="ReadTimeout">120000</attribute>
   <attribute name="BufferSize">2048</attribute>
   <!-- Large messages may block the ping/pong. A pong is simulated after each
        chunk (in bytes) for both reading and writing. It must be larger than the buffer size -->
   <attribute name="ChunkSize">1000000</attribute>
</mbean>
Messaging Connectivity
How to switch to HTTP tunneling for messaging clients?
– Clients rely on a connection factory they find via a naming service
– Most messaging clients look up the default "ConnectionFactory"
• Connection factory is a proxy that mandates a wire protocol from the client to the server
• Defaults to UIL2 multiplexing socket implementation
– Undeploy the UIL2 service or change the name binding to something other than "ConnectionFactory"
• Clients will look up a proxy that mandates HTTP protocol instead
Messaging Connectivity
deploy/jms/uil2-service.xml
<mbean code="org.jboss.mq.il.uil2.UILServerILService"
       name="jboss.mq:service=InvocationLayer,type=UIL2">
   <!-- JNDI binding -->
   <attribute name="ConnectionFactoryJNDIRef">UILConnectionFactory</attribute>
   …
</mbean>
deploy/jms/jbossmq-il.sar/META-INF/jboss-service.xml
<server>
   <mbean code="org.jboss.mq.il.http.HTTPServerILService"
          name="jboss.mq:service=InvocationLayer,type=HTTP">
      <attribute name="ConnectionFactoryJNDIRef">ConnectionFactory</attribute>
      …
   </mbean>
</server>
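An added example, not part of the original slides and not JBoss code: a Python check that reads the messaging descriptors after the switch described above and reports which invocation layer owns the default "ConnectionFactory" name, and which layers still open a socket of their own. The descriptor strings are constructed from the fragments on the slides (with the ServerBindPort line from the earlier UIL2 listing); the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors, modelled on the two files shown on the slide above.
UIL2_RENAMED = """<server>
  <mbean code="org.jboss.mq.il.uil2.UILServerILService"
         name="jboss.mq:service=InvocationLayer,type=UIL2">
    <attribute name="ConnectionFactoryJNDIRef">UILConnectionFactory</attribute>
    <attribute name="ServerBindPort">8093</attribute>
  </mbean>
</server>"""
HTTP_IL = """<server>
  <mbean code="org.jboss.mq.il.http.HTTPServerILService"
         name="jboss.mq:service=InvocationLayer,type=HTTP">
    <attribute name="ConnectionFactoryJNDIRef">ConnectionFactory</attribute>
  </mbean>
</server>"""

FACTORY_ATTRS = ("ConnectionFactoryJNDIRef", "XAConnectionFactoryJNDIRef")


def layers(descriptors):
    """Yield (layer type, {attribute name: value}) for each invocation-layer mbean."""
    for xml_text in descriptors:
        for mbean in ET.fromstring(xml_text).iter("mbean"):
            name = mbean.get("name", "")
            if "service=InvocationLayer" in name:
                attrs = {a.get("name"): (a.text or "").strip()
                         for a in mbean.iter("attribute")}
                yield name.rsplit("type=", 1)[-1], attrs


def default_layer(descriptors, jndi_name="ConnectionFactory"):
    """Return the one layer bound to jndi_name; raise if none or several claim it."""
    owners = [layer for layer, attrs in layers(descriptors)
              if jndi_name in (attrs.get(k) for k in FACTORY_ATTRS)]
    if len(owners) != 1:
        raise ValueError(f"{jndi_name!r} is bound by {owners or 'no layer'}")
    return owners[0]


def open_socket_layers(descriptors):
    """Layers that still open their own TCP port, whatever name they are bound under."""
    return {layer: int(attrs["ServerBindPort"])
            for layer, attrs in layers(descriptors) if "ServerBindPort" in attrs}


if __name__ == "__main__":
    files = [UIL2_RENAMED, HTTP_IL]
    print("default clients use:", default_layer(files))
    print("still listening:", open_socket_layers(files))
```

Renaming the UIL2 binding changes what default clients look up, but the service stays deployed and keeps its socket on TCP 8093; only undeploying it closes that port.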
Ports Conclusion
Defaults:
Apache Java Protocol Connector       TCP 8009
HTTP 1.1 Connector                   TCP 8080
Naming Bootstrap (stub)              TCP 1099
Naming Remote Method Invocation      TCP 1098
EJB Invoker                          TCP 4444
Alternative Pooled EJB Invoker       TCP 4445
Class Downloading Service            TCP 8083
Messaging UIL2                       TCP 8093
Clustering:
Clustered Naming Service             TCP 1100
Naming Discovery                     UDP 1102
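The port list above, together with the connector and mbean fragments earlier in the deck, can be checked against a real configuration. This added example (not from the original slides and not JBoss code) inventories the sockets a descriptor configures, resolves ${jboss.bind.address}, and flags anonymous ports, wildcard binds and listeners outside a deployment allowlist. The sample XML is constructed from the slide fragments with RmiPort set to 0; the function names, the allowlist and the handling of an unset property are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: slide fragments under one root; RmiPort set to 0 (anonymous).
SAMPLE = """<server>
  <Connector port="8080" address="${jboss.bind.address}"/>
  <Connector port="8009" address="${jboss.bind.address}" protocol="AJP/1.3"/>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="BindAddress">${jboss.bind.address}</attribute>
    <attribute name="RmiPort">0</attribute>
    <attribute name="RmiBindAddress">${jboss.bind.address}</attribute>
  </mbean>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
         name="jboss:service=invoker,type=jrmp">
    <attribute name="RMIObjectPort">4444</attribute>
    <attribute name="ServerAddress">${jboss.bind.address}</attribute>
  </mbean>
</server>"""

# Port attribute -> bind-address attributes that may accompany it (names from the slides).
PORT_ATTRS = {"Port": ("BindAddress",), "RmiPort": ("RmiBindAddress",),
              "RMIObjectPort": ("ServerAddress",),
              "ServerBindPort": ("ServerBindAddress", "BindAddress")}

def resolve(value, props):
    """Expand ${name} property references (assumption: an unset property is empty)."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), value or "").strip()

def listeners(xml_text, props):
    """Return (owner, port, bind address, notes) for each configured socket."""
    root, raw = ET.fromstring(xml_text), []
    for c in root.iter("Connector"):
        raw.append(("Connector " + c.get("protocol", "HTTP/1.1"), c.get("port"), c.get("address")))
    for mbean in root.iter("mbean"):
        attrs = {a.get("name"): a.text for a in mbean.iter("attribute")}
        for port_attr, bind_attrs in PORT_ATTRS.items():
            if port_attr in attrs:
                bind = next((attrs[b] for b in bind_attrs if b in attrs), "")
                raw.append((mbean.get("name") + " " + port_attr, attrs[port_attr], bind))
    result = []
    for owner, port, bind in raw:
        port, bind, notes = int(resolve(port, props)), resolve(bind, props), []
        if port == -1:  # documented on the slides for the naming "Port" attribute
            notes.append("listener disabled")
        if port == 0:
            notes.append("anonymous port: no fixed firewall rule possible")
        if bind in ("", "0.0.0.0"):
            notes.append("binds all addresses")
        result.append((owner, port, bind, notes))
    return result

def outside_allowlist(found, allowed_ports):
    """Enabled listeners whose port the chosen deployment scenario does not need."""
    return [e for e in found if e[1] != -1 and e[1] not in allowed_ports]
```

With an allowlist of {8009} (all traffic proxied through mod_jk, no remote naming or EJB clients), outside_allowlist(listeners(SAMPLE, props), {8009}) returns the listeners on ports 8080, 1099, 0 and 4444, which are the ones the slides say can be disabled in that scenario.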