Red Hat JBoss Enterprise Application Platform Administration I
Any application you deploy on Red Hat JBoss Enterprise Application Platform (JBoss EAP) uses a standard HTTP address.
For example, an application called app.war is available, by default, at http://<server>:8080/app.
The /app is defined as the context path according to the Jakarta Enterprise Edition (Jakarta EE) specifications.
If a HTTP request does not provide a context path , then JBoss EAP displays a default JBoss welcome application.
<subsystem xmlns="urn:jboss:domain:undertow:12.0"...> <buffer-cache name="default"/> <server name="default-server"> ...output omitted... <host name="default-host" alias="localhost"><location name="/" handler="welcome-content"/><http-invoker security-realm="ApplicationRealm"/> </host> </server> ...output omitted... <handlers><file name="welcome-content" path="${jboss.home.dir}/welcome-content"/></handlers> </subsystem>
Notice that the / root path uses a handler called welcome-content, and that this welcome-content handler defines the location of the JBoss welcome application.
The default application can be replaced in one of two ways:
Changing the
welcome-contentfile handler.Changing the
default-web-moduleattribute on thedefault-hosttag in the undertow subsystem.
You can change the file handler called welcome-content to have the application path.
It is possible to replace the welcome-content file handler by using the management CLI tool:
/subsystem=undertow/configuration=handler/file=welcome-content:\ write-attribute(name=path,value="/path/to/application")
The previous command defines a Jakarta EE application path. The application must be available in the file system on all the hosts that belong to the domain. This requirement makes the deployment more complicated when you use the managed domain mode.
Note
If you modify the welcome-content application, then you need to reload the instances for the changes to take effect.
/:reload-servers
To achieve the same goal using the managed domain, just add the /profile=full-ha level at the beginning of the CLI command.
You can use a deployed application to act as the default web application for the host by changing the default-web-module attribute.
This attribute makes easier to manage the deployment in a managed domain, than changing the file handler.
/subsystem=undertow/server=default-server/host=default-host write-attribute(name=default-web-module,value=myapp.war )
| JBoss EAP provides a default server called |
| JBoss EAP also provides a default host named |
| The |
| Define which deployed application should be displayed if a context path is not specified. |
In some scenarios, it is required to remove the JBoss welcome application without replacing the default root web application.
This can be accomplished by removing the / location entry for the default-host:
/subsystem=undertow/server=default-server/host=\ default-host/location=\/:remove
After reloading the server, any request using the root context receives a 404 error page.
The undertow subsystem can start several web servers or web containers in a single JBoss EAP instance.
Each <server> tag starts an instance of the undertow web engine.
A listener handles requests according to the request protocol. Three listener types are available for each server:
- HTTP
This listener type handles HTTP requests.
- HTTPS
This listener type handles HTTPS requests.
- AJP
This listener type handles Apache Java Protocol (AJP) requests. The AJP protocol communicates JBoss EAP instances with the load balancer.
Each server can define more than one listener for each listener type. The following command creates an HTTP listener:
/subsystem=undertow/server=default-server/http-listener=\ new-http:add(socket-binding=http-other)
The previous command generates the following XML configuration:
<subsystem xmlns="urn:jboss:domain:undertow:12.0"...> ...output omitted... <server name="default-server"> <http-listener name="default" redirect-socket="https" socket-binding="http" /><http-listener name="new-http" socket-binding="http-other" /><host name="default-host" alias="localhost"> <location name="/" handler="welcome-content" /> </host> </server> ...output omitted... </subsystem>
You must define a different socket-binding to avoid a port conflict.
In the previous configuration, the web application is available for HTTP requests on two different sockets:`http` or http-n.
The host configuration in the server element is responsible for creating virtual hosts. Virtual hosts groups web applications based on the DNS names. The following management CLI adds a host to the server:
/subsystem=undertow/server=default-server/host=\ version-host:add(alias=[version.myapp.com])
You can publish a default web application on a host listening to multiple addresses. The following command defines the default web application for the new host:
/subsystem=undertow/server=default-server/host=\ version-host:write-atribute(name=default-web-module, value=version.war)
In the previous example, the version.war application serves the requests to http://version.myapp.com.
The following XML reflects the previous modification:
<subsystem xmlns="urn:jboss:domain:undertow:12.0"...> ...output omitted... <server name="default-server"> <http-listener name="default" redirect-socket="https" socket-binding="http" /> <http-listener name="new-http" socket-binding="http-other" /> <host name="default-host" alias="localhost"> <location name="/" handler="welcome-content" /> </host><host name="version-host" default-web-module="version.war" alias="version.myapp.com"/></server> ...output omitted... </subsystem>
Note
From the application perspective, you must use the $WEBAPP/WEB-INF/jboss-web.xml file within the application to define the application context root, and to reference the virtual host and the server instance:
<jboss-web> <context-root>/</context-root> <virtual-host>version-host</virtual-host> <server-instance>default-server</server-instance> </jboss-web>
If the new host is no longer required, then you can delete it with the following command:
/subsystem=undertow/server=default-server/host=\ version-host:remove()
HTTPS is a protocol that encrypts network traffic. This protocol protects the communication between the web browser and the server. To configure HTTPS, you need a server certificate file to identify the server, and encrypt and decrypt the exchanged information.
JBoss EAP can encrypt the traffic in both HTTP ports: the management port, and the application serving port.
Since JBoss EAP 7.1, the default legacy security subsystem configuration generates a self-signed certificate to use the 8443 secure port to serve applications.
The following XML snippets remarks the HTTPS default configuration for the application port:
<server xmlns="urn:jboss:domain:16.0"> ...output omitted... <management> <security-realms> <security-realm name="ManagementRealm"> ...output omitted...<security-realm name="ApplicationRealm"><server-identities> <ssl><keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/></ssl> </server-identities> <authentication> ...output omitted... <profile><subsystem xmlns="urn:jboss:domain:undertow:12.0"default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}"> ...output omitted... <server name="default-server"> <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/><https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/><host name="default-host"alias="localhost"> <location name="/" handler="welcome-content"/><http-invoker security-realm="ApplicationRealm"/></host> </server> ...output omitted...
For production environments, use certificates signed by recognized certificate authorities (CAs). You can use the elytron security subsystem, or the legacy security subsystem to configure an HTTPS port for serving applications. To learn more about configuring HTTPS by using the elytron security subsystem, see the references section.
The Java Standard Edition (Java SE) defines the format of the Java KeyStore. A Java KeyStore (JKS) is a storage facility for cryptographic keys and certificates. A JKS can store several types of public and private keys, such as the certificates used for a HTTPS connection.
The Java Development Kit (JDK) provides the keytool command to manage JKS repositories.
To create a new JKS by importing a CA signed certificate, use the following command:
keytool -v -importkeystore -srckeystore signed-cert.p12 -srcstoretype PKCS12 -destkeystore identity.jks -deststoretype JKS
After creating the keystore, you must create a security realm for each host:
/host=servera/core-service=management/security-realm=HTTPSRealm:add()
Configure the security realm to load the JKS:
/host=servera/core-service=management/security-realm=HTTPSRealm/server-identity=\ ssl:add(keystore-path=/path/identity.jks,keystore-password=changeit,alias=appserver)
Reload the server to apply the changes:
/:reload-servers
Create a HTTPS listener, which uses the new security realm:
/profile=full/subsystem=undertow/server=default-server/https-listener=https:\ add(socket-binding=https,security-realm=HTTPSRealm)
Note
Remember to open the HTTPS port in the firewall.
The default port for HTTPS is 8443.
As introduced in this chapter, the other core components on the undertow web engine are the buffer cache, the servlet container, handlers, and filters.
The buffer cache stores static files handled by the undertow subsystem.
<subsystem xmlns="urn:jboss:domain:undertow:12.0">
<buffer-cache name="default" buffer-size="1024" buffers-per-region="1024" max-regions="10">
...output omitted...
</subsystem>You can update the buffer size using the management CLI:
/subsystem=undertow/buffer-cache=default:\ write-attribute(name=buffer-size,value=2048)
If a cache is not required, then you can remove it:
/subsystem=undertow/buffer-cache=default:remove
A servlet container instance is defined by the <servlet-container> tag:
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" ...>
...output omitted...
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
...output omitted...You can use the read-resource operation from the CLI to inspect the available attributes for a servlet container:
/subsystem=undertow/servlet-container=default:read-resource
{
"outcome" => "success",
"result" => {
"allow-non-standard-wrappers" => false,
"default-buffer-cache" => "default",
"default-cookie-version" => 0,
"default-encoding" => undefined,
"default-session-timeout" => 30,
"directory-listing" => undefined,
"disable-caching-for-secured-pages" => true,
"disable-file-watch-service" => false,
"disable-session-id-reuse" => false,
"eager-filter-initialization" => false,
"file-cache-max-file-size" => 10485760,
"file-cache-metadata-size" => 100,
"file-cache-time-to-live" => undefined,
"ignore-flush" => false,
"max-sessions" => undefined,
"preserve-path-on-forward" => false,
"proactive-authentication" => true,
"session-id-length" => 30,
"stack-trace-on-error" => "local-only",
"use-listener-encoding" => false,
"mime-mapping" => undefined,
"setting" => {
"jsp" => undefined,
"websockets" => undefined
},
"welcome-file" => undefined
}
}Notice that is possible to define the default buffer cache with the default-buffer-cache attribute.
The session can be managed in the servlet container. Three properties are available for sessions configuration:
-
default-session-timeout The default session timeout (in minutes) for all applications deployed in the container.
-
max-sessions The maximum number of sessions that can be active at one time.
-
session-id-length The number of characters of the generated session ID. Longer session IDs are more secure.
To set the default session timeout to one hour, use the following operation:
/subsystem=undertow/servlet-container=default:write-attribute(name=default-session-timeout,value=60)
You can configure the JSP technology for the servlet container. To list the available attributes for the JSP configuration, use the following CLI command:
/subsystem=undertow/servlet-container=default/setting=jsp:read-resource
JBoss EAP provides two types of handlers:
File handler
Reverse proxy handler
File handlers serve static files. Each file handler must be attached to a location in a virtual host.
To create a new file handler, use the following CLI command:
/subsystem=undertow/configuration=handler/file=photos\ :add(path=/var/photos, directory-listing=true)
Attach the new file handler to a location in a virtual host:
/subsystem=undertow/server=default-server/host=default-host/location=photos\ :add(handler=photos)
This content is available by using the http://ip:port/context/photos URL.
The reverse proxy handler allows JBoss EAP to act as a high performance reverse proxy. This topic is discussed later in this course.
By default, JBoss EAP does not configure any filters. To include a new filter, use the following CLI command:
/subsystem=undertow/configuration=filter/gzip=gzip:add()
You can define the following types of filters:
custom-filtererror-pageexpression-filtergzipmod-clusterrequest-limitresponse-headerrewrite
The I/O subsystem configures the XNIO workers. A XNIO worker manages several kinds of threads.
The undertow subsystem depends on the I/O subsystem. An Undertow listener defines a worker:
/subsystem=undertow/server=default-server/http-listener=\
default:read-attribute(name=worker)
{
"outcome" => "success",
"result" => "default"
}The default worker is defined in the I/O subsystem.
Use the following command to list the worker attributes:
/subsystem=io/worker=default:read-resource
{
"outcome" => "success",
"result" => {
"io-threads" => undefined,
"stack-size" => undefined,
"task-core-threads" => undefined,
"task-keepalive" => undefined,
"task-max-threads" => undefined,
"outbound-bind-address" => undefined,
"server" => {
"/127.0.0.1:8080" => undefined,
"/127.0.0.1:8443" => undefined
}
}
}The XNIO worker is an abstraction layer for the Java NIO APIs.
Notice that you can define the number of I/O threads to use by setting the io-threads attribute.
You can specify the maximum number of threads for a task by setting the task-max-threads attribute.
References
To learn how to configure the HTTPS port for applications by using the elytron security subsystem, see the Configure One-way and Two-way SSL/TLS for Applications section in the How to Configure Server Security guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/how_to_configure_server_security/index#configure_one_way_and_two_way_ssl_tls_for_application
To learn deeper details about Undertow subsystem attributes and components, see the Configuring the Web Server (Undertow) chapter in the Configuration Guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/configuration_guide/index#configuring_the_web_server_undertow
To learn about the full list of the Undertow subsystem attributes for filters, handlers and the other components to configure, see the Undertow Subsystem Attributes section in the Configuration Guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/configuration_guide/index#undertow-attribute-refs
To learn more about undertow performance tuning, see the Undertow subsystem tuning chapter in the Performance Tuning Guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/performance_tuning_guide/index#assembly_undertow-subsystem-tuning_assembly_logging-subsystem-tuning
