JBoss Production Installation

Real-life installation scenarios

Professional Open Source™ © JBoss, Inc. 2003-2005. June 16, 2005



Objectives

In this section we cover:
– JBoss port configurations
– Installation issues with
  • Firewalls
  • Native web server front-ends
– Installing JBoss to run as a service


JBoss Port Configuration


JBoss Application as Service Framework

JBoss Application Server is a service platform
– Hosts multiple services
– Some services bind to physical ports
– Depending on which services are hosted, different combinations of listening socket ports may be opened

[Diagram: services hosted on the JBoss Microkernel, some of them bound to listening ports, with EIS systems behind the server. Protocol labels: HTTP, RMI, TCP/IP, IIOP. Port labels: 8080, 4444, 3528, 4445.]

Ref : %JBoss_home%\server\default\conf\jboss-service.xml


Tomcat Connectors


Web tier has three main connectors:

– HTTP 1.1 (TCP port 8080)

• Direct HTTP requests to the application server

– HTTPS (not enabled by default)

• Direct encrypted HTTP requests to the application server

– AJP13 (TCP port 8009)

• Apache Java Protocol from a native web server to the JBoss application server

– Depending on your deployment scenario you may want to enable/disable some of these

Ref : %Jboss_home%\server\default\deploy\jbossweb-tomcat50.sar\server.xml


Web Tier Connectors

Locate the configuration file:

Notice a version change starting from JBoss 4.0.2 which embeds Tomcat 5.5 – the package name is ”jbossweb-tomcat55.sar”, accordingly.


jbossweb-tomcat50.sar/server.xml

<!-- A HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" address="${jboss.bind.address}"
           maxThreads="150" maxHttpHeaderSize="8192"
           minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"/>

<!-- A AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="${jboss.bind.address}"
           enableLookups="false" redirectPort="8443" debug="0"
           protocol="AJP/1.3"/>

Notice the use of system properties in configuration files.

– If all your incoming connections are proxied through a native web server with mod_jk, you may disable the HTTP connector
– Attribute ”maxThreads”:
  • Maximum number of concurrent requests handled by this container
– Attribute ”acceptCount”:
  • The length of queued requests when all threads are processing requests


Naming Service

J2EE Phone Directory


Naming Service

– Java Naming and Directory Interface (JNDI)

– Primary lookup point for J2EE applications

• ”All applications start from naming.” – location transparency

– Redundancy required for high availability

• Provided by JBoss Clustering framework (more on this later).

[Diagram: the JBoss Microkernel hosting the Naming Service and other services. Labels: lookup, proxy, remote calls.]


How does the client find the naming service?
– Client machine usually has jndi.properties

jndi.properties

java.naming.factory.initial = org.jnp.interfaces.NamingContextFactory
java.naming.provider.url = jnp://localhost:1099
java.naming.factory.url.pkgs = org.jboss.naming

– This is usually the first access to the server a client makes
– Defaults to TCP port 1099
  • Uses TCP/IP to communicate to port 1099 to retrieve a naming service proxy (Java RMI based)
  • Then uses Java Remote Method Invocations to interact with the naming service
    – E.g. lookup, naming context access, etc.

This applies to ”stand-alone” clients. Web clients connect through the HTTP port, and generally don’t use naming services remotely from the client.


Naming Service Configuration

Locate the service configuration:

– In ”static” bootup sequence from conf/jboss-service.xml

– Contents of ”conf” is not hot-deployable (it is not monitored for changes)

– It is read once right after the kernel has been bootstrapped


conf/jboss-service.xml

<mbean code="org.jboss.naming.NamingService"
       name="jboss:service=Naming"
       xmbean-dd="resource:xmdesc/NamingService-xmbean.xml">
   <!-- The call by value mode. true if all lookups are unmarshalled using
        the caller's TCL, false if in VM lookups return the value by reference. -->
   <attribute name="CallByValue">false</attribute>
   <!-- The listening port for the bootstrap JNP service. Set this to -1
        to run the NamingService without the JNP invoker listening port. -->
   <attribute name="Port">1099</attribute>
   <!-- The bootstrap JNP server bind address. This also sets the default
        RMI service bind address. Empty == all addresses -->
   <attribute name="BindAddress">${jboss.bind.address}</attribute>
   <!-- The port of the RMI naming service, 0 == anonymous -->
   <attribute name="RmiPort">1098</attribute>
   <!-- The RMI service bind address. Empty == all addresses -->
   <attribute name="RmiBindAddress">${jboss.bind.address}</attribute>
   ...
</mbean>


Configuration options:
– Attribute ”Port” (1099):
  • Initial access point to naming services
  • Can be disabled if:
    1. Only have HTTP clients (no remote naming access)
    2. All remote naming access is tunneled through HTTP (port 8080)
    3. Running replicated naming services (TCP 1100 is used instead)

– Attribute ”BindAddress”:

• The NIC to bind the listening port to (IP address)

• Notice the use of system property jboss.bind.address

– Attributes ”RmiPort” and ”RmiBindAddress”

• The Java Remote Method Invocation access points to naming service, and the NIC binding address


Naming Service HTTP Tunneling

– Default naming access through two ports: JNP Bootstrap and RMI protocol

[Diagram: default access to the Naming Service over JNP (TCP 1099), "Download RMI Stub", and RMI (TCP 1098), "Execute Naming operations"; tunneled access to the Naming Service through the Servlet Container over HTTP (TCP 8080), "HTTP Communication".]

HTTP Invoker Servlet
– Default distribution contains a servlet that can accept and route remote calls to services deployed on the microkernel.


JNDI Client Configuration

We don't need to specify any of the properties when we connect to the JNDI provider from within JBoss. JBoss reads the properties from the \conf\jndi.properties file.

Configuring the client to access JNDI through the JNP/RMI protocols:

import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

Properties prop = new Properties();
prop.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
prop.put(Context.PROVIDER_URL, "jnp://localhost:1099");
// URL package prefixes are a colon-separated list
prop.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");

Create an initial context connecting to the JBoss naming provider:

InitialContext jbosscontext = new InitialContext(prop);


HTTP-Based JNDI

- JBoss provides an HTTP-based implementation for using JNDI contexts. The JNDI implementation provided by RMI can pose problems if the clients that connect to the naming provider sit outside a firewall.

- Firewalls allow communication to a set of predefined ports. In such cases, communication based on RMI may not be possible.

- HTTP is one of the protocols passed through by most firewalls, and they allow remote clients to connect to port 8080 of the internal servers.

- This is available as a SAR component called http-invoker.sar in the \deploy directory.


Configuring the client to access JNDI through the HTTP protocol:

Properties prop = new Properties();
prop.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.HttpNamingContextFactory");
prop.put(Context.PROVIDER_URL, "http://localhost:8080/invoker/JNDIFactory");

Create an initial context connecting to the JBoss naming provider:

InitialContext jbosscontext = new InitialContext(prop);


Naming Service HTTP Tunneling

How do I configure the client to use HTTP tunneling?
– Enable a HTTP proxy factory in the client jndi.properties configuration
– Point the provider URL to a HTTP servlet URL

jndi.properties

java.naming.factory.initial = org.jboss.naming.HttpNamingContextFactory
java.naming.provider.url = http://localhost:8080/invoker/JNDIFactory
java.naming.factory.url.pkgs = org.jboss.naming

– Encrypting the wire protocol is as easy as switching to an HTTPS URL and HTTPS port
  • We will see how to enable HTTPS access in the security section

Note that if all your clients are web clients (web browsers accessing web applications), remote access to the naming service is usually not necessary (sans applets that may try to connect back to the application server).


Naming Service and HTTP Tunneling (Firewall Free)

How to locate the HTTP invoker servlet?

http://localhost:8080/invoker/JNDIFactory

<servlet-name>JNDIFactory</servlet-name>
<description>A servlet that exposes the JBoss JNDI Naming service stub
through http. The return content is a serialized MarshalledValue
containing the org.jnp.interfaces.Naming stub. This configuration handles
requests for the standard JNDI naming service.
</description>
...
<servlet-mapping>
   <servlet-name>JNDIFactory</servlet-name>
   <url-pattern>/JNDIFactory/*</url-pattern>
</servlet-mapping>

Remember that the default context root of a web application is derived from its package name: invoker.war → invoker


Clustered Naming and Multicast Discovery

When enabling clustering for naming service
– TCP 1100 for JNP initial bootstrap (stub)
  • Instead of 1099 which can be closed
– RMI access port for naming operations
  • For high availability naming this is an anonymous (random) port
  • You will want to fix it for firewall
– UDP port 1102 on multicast address
  • Discovery of replicated naming service
  • ”Which IP addresses host a naming service?”

[Diagram: three HA Naming (JNDI) nodes, each with JNP (TCP 1100) and RMI (TCP 0), and Multicast Discovery at address 230.0.0.4, port UDP 1102.]


EJB Invokers


Direct EJB component access from the client
– Does not apply if you only have HTTP clients to web applications
– Default is Java Remote Method Invocation access to TCP port 4444
– There’s an alternative (pooled) invoker implementation at TCP port 4445
– EJB communication can also be tunneled through HTTP
  • Same HTTP Invoker web application
  • URL: http://<host>:8080/invoker/EJBInvokerServlet
    – Embedded inside EJB HTTP proxies

[Diagram: JRMP Invoker, RMI/JRMP (TCP 4444); Pooled Invoker, Socket (TCP 4445).]


EJB Invoker Configuration

Locate the service configuration:

– In ”static” bootup sequence from conf/jboss-service.xml


EJB Invokers (RMI/JRMP)

conf/jboss-service.xml

<!-- ==================================================================== -->
<!-- Invokers to the JMX node                                             -->
<!-- ==================================================================== -->

<!-- RMI/JRMP invoker -->
<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
       name="jboss:service=invoker,type=jrmp">
   <attribute name="RMIObjectPort">4444</attribute>
   <attribute name="ServerAddress">${jboss.bind.address}</attribute>
   <!--
   <attribute name="RMIClientSocketFactory">custom</attribute>
   <attribute name="RMIServerSocketFactory">custom</attribute>
   <attribute name="RMIServerSocketAddr">custom</attribute>
   <attribute name="SecurityDomain">ssl-domain-name</attribute>
   -->
   <depends>jboss:service=TransactionManager</depends>
</mbean>

Default RMI Java Remote Method Protocol (JRMP) invoker
– ”Invoker” is functionally equivalent to a ”Connector” – we use both terms

Used for encrypting the communication. We will cover this in the security section.


EJB Invokers (RMI)

Configuration options:

– RMIObjectPort

• The TCP port to which clients connecting directly to the EJB tier will attempt to open a socket by default

– ServerAddress

• Bind address for multi-homed (multiple NICs) machine

If all clients connect via web tier (servlets and JSPs) then this invoker is not necessary – can be removed or the port blocked.


EJB Invokers (TCP/IP)

conf/jboss-service.xml

<!-- ==================================================================== -->
<!-- Invokers to the JMX node                                             -->
<!-- ==================================================================== -->
<mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
       name="jboss:service=invoker,type=pooled">
   <attribute name="NumAcceptThreads">1</attribute>
   <attribute name="MaxPoolSize">300</attribute>
   <attribute name="ClientMaxPoolSize">300</attribute>
   <attribute name="SocketTimeout">60000</attribute>
   <attribute name="ServerBindAddress">${jboss.bind.address}</attribute>
   <attribute name="ServerBindPort">4445</attribute>
   <attribute name="ClientConnectAddress">${jboss.bind.address}</attribute>
   <attribute name="ClientConnectPort">0</attribute>
   <attribute name="EnableTcpNoDelay">false</attribute>
   ...
</mbean>

Alternative socket level EJB invoker
– May yield better performance in some scenarios
– Usually you don’t need both the RMI and pooled invoker
  • Choose which one to use and disable the other


Messaging Invocation Layers


Messaging Connectivity

Messaging service (JMS) uses invocation layer
– Yet another name for invokers/connectors
  • We are cleaning up these, honest!

Split to three main categories
– Socket based Unified Invocation Layer 2 (UIL2)

• Default TCP port 8093

– HTTP based invocation layer (servlet)

– A fast ”In-VM” invocation layer for messages between components in the same server instance

Unlike EJB usage, message service clients often access the service directly, rather than through the web tier.


Locate service configuration:

– Directory ”jms” under deploy (Java Messaging Service)

Messaging client access through HTTP tunnel

• Remove (undeploy) if not needed

Internal messaging layer

Messaging client access through multiplexing socket at TCP port 8093

• Remove (undeploy) if not needed

In some older JBoss 3.0.x and 3.2.x releases you may find additional invocation layers for messaging – RMI, UIL(1), OIL layers. These have been deprecated in favor of UIL2, which is the recommended production grade implementation.


deploy/jms/uil2-service.xml

<mbean code="org.jboss.mq.il.uil2.UILServerILService"
       name="jboss.mq:service=InvocationLayer,type=UIL2">
   <depends optional-attribute-name="Invoker">jboss.mq:service=Invoker</depends>
   <!-- JNDI binding -->
   <attribute name="ConnectionFactoryJNDIRef">ConnectionFactory</attribute>
   <attribute name="XAConnectionFactoryJNDIRef">XAConnectionFactory</attribute>
   <!-- The bind address -->
   <attribute name="BindAddress">${jboss.bind.address}</attribute>
   <!-- The bind port -->
   <attribute name="ServerBindPort">8093</attribute>
   <attribute name="PingPeriod">60000</attribute>
   <attribute name="EnableTcpNoDelay">true</attribute>
   <!-- Used to disconnect the client if there is no activity.
        Ensure this is greater than the ping period -->
   <attribute name="ReadTimeout">120000</attribute>
   <attribute name="BufferSize">2048</attribute>
   <!-- Large messages may block the ping/pong. A pong is simulated after
        each chunk (in bytes) for both reading and writing.
        It must be larger than the buffer size -->
   <attribute name="ChunkSize">1000000</attribute>
</mbean>


How to switch to HTTP tunneling for messaging clients?

– Clients rely on a connection factory they find via a naming service

– Most messaging clients lookup the default ”ConnectionFactory”

• Connection factory is a proxy that mandates a wire protocol from the client to the server

• Defaults to UIL2 multiplexing socket implementation

– Undeploy UIL2 service or change the name binding to something other than ”ConnectionFactory”

• Clients will lookup a proxy that mandates HTTP protocol instead


deploy/jms/uil2-service.xml

<mbean code="org.jboss.mq.il.uil2.UILServerILService"
       name="jboss.mq:service=InvocationLayer,type=UIL2">
   <!-- JNDI binding -->
   <attribute name="ConnectionFactoryJNDIRef">UILConnectionFactory</attribute>
   …
</mbean>

deploy/jms/jbossmq-il.sar/META-INF/jboss-service.xml

<server>
   <mbean code="org.jboss.mq.il.http.HTTPServerILService"
          name="jboss.mq:service=InvocationLayer,type=HTTP">
      <attribute name="ConnectionFactoryJNDIRef">ConnectionFactory</attribute>
      …
   </mbean>
</server>
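The switch described above can be checked from the descriptors themselves. The following is an added example, not part of the original slides or of JBoss: it reports which invocation layer clients receive from the default ”ConnectionFactory” lookup and whether a socket layer is still deployed after the rename. The descriptors are constructed samples and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors modelled on the two files shown on the slide.
UIL2_XML = """<server>
  <mbean code="org.jboss.mq.il.uil2.UILServerILService"
         name="jboss.mq:service=InvocationLayer,type=UIL2">
    <attribute name="ConnectionFactoryJNDIRef">UILConnectionFactory</attribute>
    <attribute name="ServerBindPort">8093</attribute>
  </mbean>
</server>"""
HTTP_XML = """<server>
  <mbean code="org.jboss.mq.il.http.HTTPServerILService"
         name="jboss.mq:service=InvocationLayer,type=HTTP">
    <attribute name="ConnectionFactoryJNDIRef">ConnectionFactory</attribute>
  </mbean>
</server>"""

def invocation_layers(descriptors):
    """Return one dict per invocation-layer mbean: type, JNDI name, socket port."""
    layers = []
    for xml_text in descriptors:
        for mbean in ET.fromstring(xml_text).iter("mbean"):
            attrs = {a.get("name"): (a.text or "").strip()
                     for a in mbean.iter("attribute")}
            if "ConnectionFactoryJNDIRef" in attrs:
                layers.append({
                    "type": mbean.get("name").rsplit("type=", 1)[-1],
                    "jndi": attrs["ConnectionFactoryJNDIRef"],
                    "port": attrs.get("ServerBindPort"),
                })
    return layers

def review(descriptors, wanted="HTTP", default_name="ConnectionFactory"):
    """List problems with what the default connection factory lookup returns."""
    layers = invocation_layers(descriptors)
    owners = [l["type"] for l in layers if l["jndi"] == default_name]
    findings = []
    if len(owners) > 1:
        findings.append(f"{default_name} is bound by several layers: {', '.join(owners)}")
    elif owners != [wanted]:
        findings.append(f"{default_name} resolves to {', '.join(owners) or 'nothing'}, "
                        f"expected {wanted}")
    # Renaming the binding does not close the socket: the layer still listens.
    for l in layers:
        if l["type"] != wanted and l["port"]:
            findings.append(f"{l['type']} is still deployed and listens on TCP {l['port']}")
    return findings

if __name__ == "__main__":
    for finding in review([UIL2_XML, HTTP_XML]):
        print(finding)
```

Changing the name binding alone leaves the UIL2 socket open, which is why the slide offers undeploying the service as the other option.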


Ports Conclusion

Defaults:

Service                            Port
Messaging UIL2                     TCP 8093
Class Downloading Service          TCP 8083
Alternative Pooled EJB Invoker     TCP 4445
EJB Invoker                        TCP 4444
Naming Remote Method Invocation    TCP 1098
Naming Bootstrap (stub)            TCP 1099
HTTP 1.1 Connector                 TCP 8080
Apache Java Protocol Connector     TCP 8009

Clustering:

Service                            Port
Naming Discovery                   UDP 1102
Clustered Naming Service           TCP 1100
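To compare a real installation against this summary, the listening sockets can be read straight out of server.xml and jboss-service.xml. The following is an added example, not part of the original slides or of JBoss: it resolves ${jboss.bind.address}, lists every configured listener, and flags binds to all interfaces and anonymous ports. The XML is a constructed sample, the function names are hypothetical, and an unset property is assumed to resolve to empty.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, cut down from the fragments shown on the slides.
SERVER_XML = """<Server>
  <Connector port="8080" address="${jboss.bind.address}" maxThreads="150"/>
  <Connector port="8009" address="${jboss.bind.address}" protocol="AJP/1.3"/>
</Server>"""
SERVICE_XML = """<server>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="BindAddress">${jboss.bind.address}</attribute>
    <attribute name="RmiPort">0</attribute>
    <attribute name="RmiBindAddress">${jboss.bind.address}</attribute>
  </mbean>
  <mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
         name="jboss:service=invoker,type=pooled">
    <attribute name="ServerBindAddress"></attribute>
    <attribute name="ServerBindPort">4445</attribute>
  </mbean>
</server>"""

# Port attribute -> candidate bind-address attributes, named as on the slides.
PORT_ATTRS = {
    "Port": ("BindAddress",),
    "RmiPort": ("RmiBindAddress",),
    "RMIObjectPort": ("ServerAddress",),
    "ServerBindPort": ("ServerBindAddress", "BindAddress"),
}
VAR = re.compile(r"\$\{([^}]+)\}")

def resolve(text, props):
    """Expand ${name}; an unset property becomes empty (assumption)."""
    return VAR.sub(lambda m: props.get(m.group(1), ""), text or "").strip()

def notes(port, addr):
    out = ["all-interfaces"] if addr in ("", "0.0.0.0") else []
    if port == 0:  # anonymous port: cannot be pinned in a firewall rule
        out.append("anonymous-port")
    return out

def listeners(server_xml, service_xml, props):
    """Return (service, port, address, notes) for each configured listener."""
    found = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = int(resolve(c.get("port"), props))
        addr = resolve(c.get("address"), props)
        found.append((c.get("protocol", "HTTP/1.1"), port, addr, notes(port, addr)))
    for mbean in ET.fromstring(service_xml).iter("mbean"):
        attrs = {a.get("name"): resolve(a.text, props) for a in mbean.iter("attribute")}
        for port_attr, addr_attrs in PORT_ATTRS.items():
            if port_attr not in attrs or int(attrs[port_attr]) < 0:
                continue  # attribute absent, or -1 = listener disabled
            port = int(attrs[port_attr])
            addr = next((attrs[a] for a in addr_attrs if a in attrs), "")
            found.append((f"{mbean.get('name')}/{port_attr}", port, addr, notes(port, addr)))
    return found

if __name__ == "__main__":
    for row in listeners(SERVER_XML, SERVICE_XML, {"jboss.bind.address": "192.168.1.10"}):
        print(row)
```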