Connecting To JBoss EAP 7 Via JConsole in Domain Mode

Solution Verified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7.x

Issue

  • How to connect the JBoss EAP 7 via JConsole in domain mode?
  • How does one access the JMX info for a managed server instance in domain mode?

Resolution

JBoss EAP 7 JConsole to Domain Mode

Follow the instructions to connect to JBoss EAP From jconsole :

  1. Define an Application User via the $JBOSS_HOME/bin/add-user.sh script. (Make sure $JAVA_HOME is set correctly)

  2. Set the remoting-connector in the JMX subsystem to not use the management endpoint. In domain mode only the host controller has a management port, the individual servers do not. So, for this reason, set use-management-endpoint=false implies when using the remote endpoint instead of connecting to the individual servers.

    Example using the full profile:

    /profile=full/subsystem=jmx/remoting-connector=jmx:add(use-management-endpoint=false)

    Resulting XML block in domain.xml:

    <subsystem xmlns="urn:jboss:domain:jmx:1.3">
     <expose-resolved-model/>
     <expose-expression-model/>
     <remoting-connector use-management-endpoint="false"/> <!-- add this -->
</subsystem>

3 Start up $JBOSS_HOME/bin/jconsole.sh and connect to the server instance within the domain with the JMX connection URL service:jmx:remote+http://<hostname>:<http-connector-port like 8080>. (Notes : <hostname> will be IP address or hostname of the server instance and <http-connector-port> will be http port defined in undertow subsystem which is 8080 by default.)

Appendix: (Optional) Use the native remoting connector (4447) instead of the http connector port (8080)

By default, EAP 7 is configured to use HTTP upgrade and the connector is http-remoting-connector (8080). If you would like to connect via the native remoting connector (4447 port) like JBoss EAP 6, you need to enable the native remoting connector inside the remoting subsystem in domain.xml as follow:

<subsystem xmlns="urn:jboss:domain:remoting:3.0">
    <endpoint/>
    <!-- this is the default http-remoting connector configuration -->
    <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
    <!-- the following is the native remoting connector. this also requries "remoting" socket-binding -->
    <!-- for EAP 7.0.x -->
    <!-- <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/> -->
    <!-- for EAP 7.1.x or later -->
    <connector name="native-remoting-connector" socket-binding="remoting" sasl-authentication-factory="application-sasl-authentication"/>
</subsystem>
...
<socket-binding-group ...>
    ...
    <socket-binding name="remoting" port="4447" /> <!-- add this definition with 4447 port for native remoting connector -->
    ...
</socket-binding-group>

Then, you can connect to the server instance with the JMX connection url service:jmx:remote://<hostname>:<native-remoting-port like 4447>. (Notes : <hostname> will be IP address or hostname of the server instance and <native-remoting-port> will be remoting port which was defined as 4447 in the above example.)

HTTPS connection

Besides the instruction above, do the following changes:

  1. Change the http-connector name to https-remoting-connector

     <subsystem xmlns="urn:jboss:domain:remoting:3.0">
         <http-connector name="https-remoting-connector" connector-ref="default-https" security-realm="ApplicationRealm"/> <-- https remoting
 </subsystem>

  2. UsingSSL in the Application Realm 

          <security-realm name="ApplicationRealm">
            <server-identities>
                <ssl protocol="TLSv1"> <--- ssl protocol
                    <keystore path="eap7console.jks" relative-to="jboss.domain.config.dir" keystore-password="changeit" alias="jboss"/>
                 </ssl>
            </server-identities>
            <authentication>
                <properties path="application-users.properties" relative-to="jboss.domain.config.dir"/>
            </authentication>
            <authorization>
                <properties path="application-roles.properties" relative-to="jboss.domain.config.dir"/>
            </authorization>
        </security-realm>

3.Edit the jconsole script to have the TrustStore set it up and the debug=ssl:

```
$JAVA_HOME/bin/jconsole -J-Djava.class.path="$CLASSPATH" -J-Djavax.net.ssl.trustStorePassword=changeit -J-Djavax.net.ssl.trustStore=domain/configuration/eap7console.jks -J-Djavax.net.debug=ssl "$@"
```

Root Cause

  • By default the property use-management-endpoint=true is true. If the value of use-management-endpoint is true then this connector will use the management endpoint.
  • JBoss EAP 7 has consolidated a lot of ports, so for JBoss EAP 7 the port associated with the HTTP socket binding (8080) should be used.
  • In EAP 6 the protocol was remoting-jmx. In EAP 7 the protocol has been changed to remote+http.
SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.