Getting security or remoting Exceptions while deploying a clustered ejb application with an EJB outbound-connection in EAP6

Solution Verified - Updated

Environment

  • Red Hat JBoss Enterprise Platform (EAP)
    • 6
    • 7.0

Issue

  • An application is deployed to a cluster and uses a remote (outbound-connection) to another server. Why does this error occur?
ERROR [org.jboss.remoting.remote.connection] (Remoting "node2" read-1) JBREM000200: Remote connection failed: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
INFO  [org.jboss.as.ejb3.remote.RemotingConnectionClusterNodeManager] (ejb-client-cluster-node-connection-creation-4-thread-2) Could not create a connection for cluster node node1 in cluster ejb: java.lang.RuntimeException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
  • An application is deployed to a cluster and uses a remote (outbound-connection) to another cluster. Why does this error occur?
JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed 
  • After modifying the cluster-passivation-store name in the configuration, the outgoing EJB connections fail with an SSL message:
ERROR [org.jboss.remoting.remote.connection] (Remoting "node2" read-1) JBREM000200: Remote connection failed: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
  • A standalone EJB client works without any error messages, but when an application is used inside a clustered server there are error messages in the log file. What is the reason, and how can the error be avoided?

Resolution

Depending on the requirements, there are the following solutions.

No need to call EJBs with a remote interface within the local cluster

All referenced remote EJBs are available via the remote-outbound-connection.
In this case the 'local' cluster can be excluded from the ejb-client context with exclude-local-receiver=true.
The EAR/META-INF/jboss-ejb-client.xml should exclude it from the context as follows:

<jboss-ejb-client xmlns:xsi="urn:jboss:ejb-client:1.2" xsi:noNamespaceSchemaLocation="jboss-ejb-client_1_2.xsd">
  <client-context>
    <ejb-receivers exclude-local-receiver="true">
      <remoting-ejb-receiver outbound-connection-ref="example-outbound-connection" />
    </ejb-receivers>
  </client-context>
</jboss-ejb-client>

The own cluster is needed to call EJBs via the remote interface; the foreign connection is not a cluster

The own cluster needs to be configured in the same way as a remote cluster.

The application/META-INF/jboss-ejb-client.xml:

<jboss-ejb-client xmlns:xsi="urn:jboss:ejb-client:1.2" xsi:noNamespaceSchemaLocation="jboss-ejb-client_1_2.xsd">
  <client-context>
    <ejb-receivers exclude-local-receiver="false">
      <remoting-ejb-receiver outbound-connection-ref="example-outbound-connection" />
    </ejb-receivers>
    <clusters>
      <cluster name="ejb" security-realm="OwnClusterRealm" username="ownClusterUser" >
        <connection-creation-options>
          <property name="org.xnio.Options.SSL_ENABLED" value="false" />
          <property name="org.xnio.Options.SASL_POLICY_NOANONYMOUS" value="false" />
          <!-- other necessary properties -->
        </connection-creation-options>
      </cluster>
    </clusters>
  </client-context>
</jboss-ejb-client>

The security profile configuration for the own cluster:

<management>  
    ....  
    <security-realms>  
        <security-realm name="OwnClusterRealm">  
            <server-identities>  
                <secret value="SecretValue for the ownClusterUser"/>  
            </server-identities>  
        </security-realm>  
    </security-realms>  
</management>  

In addition, the "ownClusterUser" must be added as an application user on all cluster members.

The own cluster is needed to call EJBs via the remote interface, and the foreign connection is a cluster as well

If two clusters interact, the ejb-client needs to distinguish them by name.
It is necessary to change the name of one cluster; see the explanation in the Root Cause section of this article where the cluster-name "ejb" is configured.

Once the clusters use different names, the jboss-ejb-client.xml needs to define two cluster elements as follows; each of the clusters can use a different user and password.

<jboss-ejb-client xmlns:xsi="urn:jboss:ejb-client:1.2" xsi:noNamespaceSchemaLocation="jboss-ejb-client_1_2.xsd">
  <client-context>
    <ejb-receivers exclude-local-receiver="false">
      <remoting-ejb-receiver outbound-connection-ref="example-outbound-connection" />
    </ejb-receivers>
    <clusters>
      <cluster name="ejb" security-realm="OwnClusterRealm" username="ownClusterUser" >
        <connection-creation-options>
          ...
        </connection-creation-options>
      </cluster>
      <cluster name="ejb2" security-realm="ForeignClusterRealm" username="foreignClusterUser" >
        <connection-creation-options>
          ...
        </connection-creation-options>
      </cluster>
    </clusters>
  </client-context>
</jboss-ejb-client>

It is necessary to create two security-realm entries inside the management configuration with the appropriate secret-values for each cluster.
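
A pre-deployment check for the three cases above, as an added example that is not part of the original article or of EAP. The function name, the finding codes and the sample descriptor are constructed for illustration, and a missing exclude-local-receiver attribute is assumed to mean "false". It also reports clusters whose options turn off SSL or leave the anonymous SASL mechanism available, so those settings are a visible choice rather than a copy-paste side effect.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop any "{namespace}" prefix so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def check_descriptor(xml_text):
    """Return (code, detail) findings for one jboss-ejb-client.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    receivers = [e for e in root.iter() if _local(e.tag) == "ejb-receivers"]
    clusters = [e for e in root.iter() if _local(e.tag) == "cluster"]
    # Assumption: a missing attribute means the local receiver is included.
    local_included = any(
        r.get("exclude-local-receiver", "false").lower() != "true" for r in receivers)
    if local_included and not clusters:
        findings.append(("own-cluster-unconfigured",
                         "local receiver included but no <cluster> element"))
    seen = set()
    for c in clusters:
        name = c.get("name", "")
        if name in seen:
            findings.append(("duplicate-cluster-name", name))
        seen.add(name)
        if not c.get("security-realm") or not c.get("username"):
            findings.append(("cluster-missing-credentials", name))
        for p in c.iter():
            if _local(p.tag) != "property":
                continue
            key, val = p.get("name", ""), p.get("value", "").lower()
            if key.endswith("SSL_ENABLED") and val == "false":
                findings.append(("cleartext-remoting", name))
            if key.endswith("SASL_POLICY_NOANONYMOUS") and val == "false":
                findings.append(("sasl-anonymous-not-excluded", name))
    return findings

# Constructed sample: outbound connection only, own cluster left unconfigured.
BROKEN = """<jboss-ejb-client>
  <client-context>
    <ejb-receivers>
      <remoting-ejb-receiver outbound-connection-ref="example-outbound-connection"/>
    </ejb-receivers>
  </client-context>
</jboss-ejb-client>"""

if __name__ == "__main__":
    for code, detail in check_descriptor(BROKEN):
        print(code, detail)
```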

Root Cause

The ejb-client context is created from the given remote-outbound connection and the self reference.
In this case the own cluster is added to the context, and therefore the cluster view of this cluster is added as well.

To simplify the clustering configuration there is an enhancement request: "Simplify client configuration in case of clustered server" (issues.jboss.org).
