JBOSS - EAP 6.x Windows new service


Configure JBoss EAP 6 as a Service in Windows 

Summary
JBoss EAP 6 as a service on Windows
  1. Create system environment variables
    Create two system environment variables:
    • JBOSS_HOME pointing to the JBoss EAP 6 installation directory.
    • NOPAUSE=1
  2. Open a terminal, and change directories to EAP_HOME\modules\system\layers\base\native\sbin
    A new service can be created with the service install command, with the available options shown in the following table.
    service install options
    Argument or Switch
    /controller HOST:PORT
    /host [DOMAIN_HOST]
    /loglevel LEVEL
    /name SERVICE_NAME
    /desc "DESCRIPTION"
    /serviceuser DOMAIN\USERNAME
    /servicepass PASSWORD
    /jbossuser USERNAME
    /jbosspass PASSWORD

    Below are basic examples of an install command to create a new service in either standalone or domain mode. 
    • Standalone mode:
      service.bat install /loglevel INFO
    • Domain mode:
      If you are not using the default master for your JBoss EAP 6 domain controller, replace master with the correct host name or alias of the JBoss EAP 6 domain controller.
      service.bat install /controller host:port /host master /loglevel INFO
  3. Verify the new service in the Services console
    If the default service name was used, the new service appears in the list of Windows services with the display name: JBoss Enterprise Application Platform 6. From the Services console you can start and stop the service, as well as change its settings on how and when it starts.


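IBM HTTPServer - Blocking HTTP methods

Notes from testing after a request came in to block HTTP methods on IBM HTTPServer for security reasons.


Because IHS is based on Apache, the same settings can also be applied to Apache.

Edit httpd.conf
Restrict all methods except GET and POST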
<Directory />
     Options FollowSymLinks
     AllowOverride None
    <LimitExcept GET POST>
            Order allow,deny
            Deny from all
    </LimitExcept>

</Directory>
This is usually placed inside a Directory block; if you are not using a Directory block, use Location instead.

# "/" covers every URL path; wildcard characters in <Location> do not match "/"
<Location "/">
     <LimitExcept GET POST>
             Order deny,allow
             Deny from all
      </LimitExcept>

</Location>

Another option is to use rewrite.
httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Send everything except GET and POST to the 405 page
    RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
    RewriteRule .* - [R=405,L] 

</IfModule>


To test method blocking you could create a file for each method and request it, but a quick test with telnet is enough.

$telnet {domain_address} 80
OPTIONS http://{domain_address}/ HTTP/1.0
OPTIONS http://google.com/ HTTP/1.0

(press Enter twice)

When all methods are allowed
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 01:44:40 GMT
Allow: GET,HEAD,POST,OPTIONS
Content-Length: 0
Connection: close
Content-Type: text/html

When the method is blocked
HTTP/1.0 405 Method Not Allowed
Allow: GET, HEAD
or
HTTP/1.1 403 Forbidden
Allow: GET, HEAD
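
The telnet check above, automated as an added example (not part of the original post): it sends one request per method and compares the status with the 403/405 responses shown above. The method list, the function names and the origin-form request line with a Host header are assumptions of this example; the sample responses are constructed.

```python
import socket

# Constructed sample responses, modelled on the two outcomes shown above.
SAMPLE_ALLOWED = (b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
                  b"Content-Length: 0\r\nConnection: close\r\n\r\n")
SAMPLE_BLOCKED = b"HTTP/1.0 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n"

PROBE_METHODS = ("GET", "OPTIONS", "PUT", "DELETE", "TRACE")

def parse_response(raw):
    """Return (status_code, Allow header value or None) from raw response bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.splitlines() or [""]
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    allow = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            allow = value.strip()
    return int(parts[1]), allow

def classify(method, status, permitted=("GET", "POST")):
    """Compare one probe result with the intended policy (403/405 = blocked)."""
    blocked = status in (403, 405)
    if method in permitted:
        return "unexpectedly blocked" if blocked else "ok"
    return "ok" if blocked else "NOT blocked"

def probe(host, port, method, timeout=5.0):
    """Send one minimal request, as in the telnet test, and return the raw reply."""
    request = "%s / HTTP/1.0\r\nHost: %s\r\n\r\n" % (method, host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def audit(host, port=80):
    """Probe each method and return {method: (status, allow, verdict)}."""
    report = {}
    for method in PROBE_METHODS:
        status, allow = parse_response(probe(host, port, method))
        report[method] = (status, allow, classify(method, status))
    return report
```

Call `audit()` with the host name of a server you administer. TRACE is in the probe list because Apache does not apply <Limit>/<LimitExcept> to it; it is controlled by the TraceEnable directive.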

If the methods above do not work,
the method restriction has to be set with a security-constraint element in web.xml.
For example
web.xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name></web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>HEAD</http-method>
        <http-method>DELETE</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <!-- An empty auth-constraint denies the listed methods to every caller -->
    <auth-constraint/>
</security-constraint>
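
A check for the web.xml approach above, as an added example (not part of the original post): under the Servlet specification a security-constraint denies its listed methods only when it carries an auth-constraint with no roles, so this reports which (url-pattern, method) pairs are really denied. The function names and the sample web.xml are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first constraint has no auth-constraint, the second
# carries an empty one.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>listed-only</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>denied</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip an XML namespace: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    return [(c.text or "").strip() for c in parent if _local(c.tag) == name]

def method_constraints(web_xml_text):
    """Map (url-pattern, method) to 'denied', 'roles-only' or 'open'."""
    result = {}
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        if not auth:
            state = "open"        # no auth-constraint: nothing is denied
        elif any(_texts(a, "role-name") for a in auth):
            state = "roles-only"  # limited to the named roles
        else:
            state = "denied"      # empty auth-constraint: no caller may pass
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            methods = _texts(wrc, "http-method") or ["*"]  # none listed = all
            for pattern in _texts(wrc, "url-pattern"):
                for method in methods:
                    result[(pattern, method)] = state
    return result
```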



IBM HTTPServer version info

IHS v8.5, v9.0 apache version Info


PS E:\app\was\HTTPServer\bin> .\apache.exe -V
Server version: IBM_HTTP_Server/8.5.5.0 (Win32)
Apache version: 2.2.8 (with additional fixes)
Server built:   Feb 20 2013 13:50:05
Build level:    IHS90/webIHS1307.02
Server's Module Magic Number: 20051115:21
Server loaded:  APR 1.2.12, APR-Util 1.2.12
Compiled using: APR 1.2.12, APR-Util 1.2.12
Architecture:   32-bit
Server MPM:     WinNT
  threaded:     yes (fixed thread count)
    forked:     no
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/winnt"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/apache"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error.log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
Apache vulnerability fixes included:
  CVE-2005-3352  CVE-2005-3357  CVE-2006-3918  CVE-2006-3747
  CVE-2007-4465  CVE-2007-1862  CVE-2006-5752  CVE-2007-3304
  CVE-2007-1863  CVE-2007-3847  CVE-2008-0005  CVE-2007-5000
  CVE-2007-6388  CVE-2007-6422  CVE-2007-6421  CVE-2006-7225
  CVE-2007-6420  CVE-2008-2364  CVE-2008-2939  CVE-2009-1195
  CVE-2009-1955  CVE-2009-0023  CVE-2009-1956  CVE-2009-1890
  CVE-2009-1891  CVE-2009-2412  CVE-2009-1191  CVE-2009-3094
  CVE-2009-3095  CVE-2009-3555  CVE-2010-0408  CVE-2010-0434
  CVE-2010-1452  CVE-2010-1623  CVE-2009-3560  CVE-2009-3720
  CVE-2011-0419  CVE-2011-1928  CVE-2011-3192  CVE-2011-3348
  CVE-2011-3368  CVE-2011-3639  CVE-2011-4317  CVE-2011-3607
  CVE-2012-0717  CVE-2012-0031  CVE-2012-0053  CVE-2012-0883
  CVE-2012-2190  CVE-2012-2191  CVE-2012-2687  CVE-2012-4558
  CVE-2012-3499  CVE-2012-4557  


PS E:\software\IBM\HTTPServer9\bin> .\apache.exe -V
Server version: IBM_HTTP_Server/9.0.0.0-PI56034 (Win32)
Apache version: 2.4.12 (with additional fixes)
Server built:   Apr 18 2016 20:28:53
Build level:    RIHSX.IHS/webIHS1616.01
Server's Module Magic Number: 20120211:57
Server loaded:  APR 1.5.1, APR-UTIL 1.5.2
Compiled using: APR 1.5.1, APR-UTIL 1.5.2
Architecture:   32-bit
Operating System: Windows
Server MPM:     WinNT
  threaded:     yes (fixed thread count)
    forked:     no
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/apache"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error.log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
Apache vulnerability fixes included:
  CVE-2009-1191  CVE-2009-1890  CVE-2009-3094  CVE-2009-3095
  CVE-2010-0434  CVE-2010-0425  CVE-2010-0408  CVE-2009-3555
  CVE-2010-1452  CVE-2010-1623  CVE-2011-3368  CVE-2011-3607
  CVE-2011-3192  CVE-2011-3348  CVE-2011-4317  CVE-2012-0021
  CVE-2012-0031  CVE-2012-0053  CVE-2012-0883  CVE-2012-2687
  CVE-2012-3502  CVE-2012-4558  CVE-2012-3499  CVE-2013-2249
  CVE-2013-1896  CVE-2013-4352  CVE-2013-6438  CVE-2014-0098
  CVE-2014-0963  CVE-2014-0231  CVE-2014-0118  CVE-2014-0226
  CVE-2014-3523  CVE-2014-0117  CVE-2013-5704  CVE-2014-8109
  CVE-2014-3581  CVE-2014-3583  CVE-2015-0253  CVE-2015-3185
  CVE-2015-3183  CVE-2015-1829  CVE-2014-8730  CVE-2015-0228
  CVE-2015-4947  CVE-2015-1283  CVE-2015-7420  CVE-2016-0201


IBM Liberty Core notes

Installation: installing Liberty Core and the SDK

imcl install com.ibm.websphere.liberty.v85_8.5.16002.20160526_2338 com.ibm.websphere.liberty.IBMJAVA.v80_8.0.3020.20161124_1304 -repositories  "D:\Liberty\16.0.0.2-WS-LIBERTY-CORE,D:\work_file\was_install\v8.5.5\SDK\8.0.3.20" -installationDirectory F:\app\IBM\wlpcore\AppServer -acceptLicense -sP
* Note: when installing the packages with IM, the GUI appears to support online installation only; after installation, IM can update and roll back.

Create a server
[wlp_home]/bin
server.bat create test01

Start the server
server start [server_name]

Commonly used server.xml example
<?xml version="1.0" encoding="UTF-8"?><server description="jsp">

   <!-- Enable features -->
   <featureManager>
      <!-- Feature required for the admin console -->
      <feature>adminCenter-1.0</feature>
      <feature>websocket-1.1</feature>
      <feature>jsp-2.2</feature>
      <feature>jdbc-4.0</feature>
      <feature>localConnector-1.0</feature>
      <feature>restConnector-1.0</feature>
   </featureManager>
   
   <variable name="defaultHostName" value="localhost"/>
   <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
   <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9060" httpsPort="9043" />
   <tcpOptions soReuseAddr="true" />
   <pluginConfiguration webserverPort="80" webserverSecurePort="443"/>
   
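   <!-- Sample credentials: replace the admin/admin login and the keyStore password before exposing this endpoint -->
   <quickStartSecurity userName="admin" userPassword="admin"/>
   <keyStore id="defaultKeyStore" password="Liberty"/>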
   <!-- Automatically expand WAR files and EAR files -->
   <applicationManager autoExpand="true"/>
   
   <dataSource id="WorklightDS" jndiName="jdbc/WorklightDS">
        <jdbcDriver libraryRef="OracleLib"/>
        <properties.oracle driverType="thin" databaseName="WRKLGHT" serverName="localhost" portNumber="1521" user="WORKLIGHT" password="{xor}KDAtNDM2ODcr"/>
    </dataSource>
   

   <remoteFileAccess>
         <writeDir>${server.config.dir}</writeDir>
   </remoteFileAccess>
   
    <logging maxFiles="5" consoleLogLevel="INFO"/>
</server>

server.env
# Use a specific Java binary
#JAVA_HOME=
JAVA_HOME=c:\Java

WLP_SKIP_MAXPERMSIZE=true
LOG_DIR=F:\app\IBM\wlpcore\AppServer\usr\logs\test02

bootstrap.properties
default.http.port=9080
default.https.port=9443
com.ibm.ws.logging.log.directory=F:/app/IBM/wlpcore/AppServer/usr/logs/test02
com.ibm.ws.logging.max.file.size=1
com.ibm.ws.logging.max.files=3
com.ibm.ws.logging.console.log.level=OFF
com.ibm.ws.logging.message.file.name=loggingMessages.log

jvm.options
# Set the maximum heap size to 1024m.
-Xmx1024m
# Set a system property.
-Dcom.ibm.example.system.property=ExampleValue
# Enable verbose output for class loading.
-verbose:class
# Enable verbose garbage collection.
-verbose:gc
# Specify an alternate verbose garbage collection log on IBM Java Virtual Machines only.
-Xverbosegclog:verbosegc.log
# Specify additional verbose garbage collection options on HotSpot Java Virtual Machines only.
-Xloggc:verbosegc.log
-XX:+PrintGCDetails
-XX:+PrintGCTimeStamps
-XX:+PrintHeapAtGC

<server description="new server">
<featureManager>
<!-- Local -->
<feature>localConnector-1.0</feature>
<!-- Remote -->
<feature>restConnector-1.0</feature>
<feature>jsp-2.2</feature>
</featureManager>
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080">
<tcpOptions soReuseAddr="true" />
</httpEndpoint>
<!-- Plug-in information -->
<pluginConfiguration webserverPort="80" webserverSecurePort="443"/>
</server>




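When a sample application is packaged as a WAR or EAR, it can be deployed the same way; simply placing the WAR or EAR in wlp/dropins is enough for the server to detect and start the application automatically, with no additional server.xml configuration.
Available when the adminCenter-1.0 feature is enabled:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.wlp.core.doc/ae/twlp_ui_setup.html


See the link.

Because Liberty is a WAS, it naturally needs Java as its runtime environment. IBM Java, Oracle Java and OpenJDK are all supported; you only need to set the JAVA_HOME path beforehand.


* Note: unless it is changed separately, the name of the WAR or EAR file automatically becomes the context root.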





Set JAVA_HOME
Set LOG_DIR
F:\app\IBM\wlpcore\AppServer\usr\servers\test02]$ vi server.env

Log settings
F:\app\IBM\wlpcore\AppServer\usr\servers\test02]$ bootstrap.properties

jvm options settings
${wlp.install.dir}/usr/shared/jvm.options
${server.config.dir}/configDropins/defaults/jvm.options
${server.config.dir}/jvm.options
${server.config.dir}/configDropins/overrides/jvm.options
Applied location
${wlp.install.dir}/etc/jvm.options

Plug-in generation
Edit server.xml

The plug-in configuration can be generated and merged with the pluginUtility command
This command is available from fix pack 16.0.0.4



# Local
pluginUtility generate --server=myServer --targetpath=./pluginFiles/plugin-cfg.xml
# Remote
pluginUtility generate --server=userName:mypassword@testHost:9443 --targetpath=./pluginFiles/plugin-cfg.xml

# Merge
pluginUtility merge --sourcepath=../usr/plugin --targetpath=../usr/plugin



Add the plug-in information to httpd.conf
On Windows: LoadModule was_ap22_module "path\to\mod_was_ap22_http.dll"
         WebSpherePluginConfig "path\to\plugin-cfg.xml"
On other distributed systems: LoadModule was_ap22_module "path\to\mod_was_ap22_http.so"
              WebSpherePluginConfig "path\to\plugin-cfg.xml"



JBOSS - context root configuration

Test Version - JBOSS EAP 6.4

If you want to use / as the context root in JBoss, two places have to be changed.

1. Set context-root in jboss-web.xml
Create jboss-web.xml if it does not exist
*.war/WEB-INF
[root@localhost WEB-INF]# cat jboss-web.xml

vim jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <context-root>/</context-root>
</jboss-web>

2. Change enable-welcome-root from true to false in domain.xml
domain.xml && standalone.xml
../configuration/domain.xml

vim domain.xml
For a domain, check which profile applies (default, ha, full, full-ha)
            <subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
                <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
                <virtual-server name="default-host" enable-welcome-root="false">
                    <alias name="localhost"/>
                    <alias name="example.com"/>
                </virtual-server>
            </subsystem>


JBOSS - session config notes


Test Version - JBOSS EAP 6.4

Sessions are supported by default in the ha and full-ha profiles

web.xml
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">

<distributable/>

</web-app>

WEB-INF/jboss-web.xml session-related parameters
ex)
<jboss-web>
<replication-config>
    <cache-name>custom-session-cache</cache-name>
    <replication-trigger>SET</replication-trigger>
    <replication-granularity>ATTRIBUTE</replication-granularity>
    <replication-field-batch-mode>true</replication-field-batch-mode>
    <use-jk>false</use-jk>
    <max-unreplicated-interval>30</max-unreplicated-interval>
    <snapshot-mode>INSTANT</snapshot-mode>
    <snapshot-interval>1000</snapshot-interval>
    <session-notification-policy>com.example.CustomSessionNotificationPolicy</session-notification-policy>
</replication-config>
</jboss-web>

ex)
// Setting <replication-field-batch-mode>true</replication-field-batch-mode> causes an error
<replication-config>
     <replication-trigger>SET_AND_NON_PRIMITIVE_GET</replication-trigger>
     <replication-granularity>SESSION</replication-granularity>
     <replication-field-batch-mode>true</replication-field-batch-mode>
</replication-config>

ex)
<replication-config>
     <replication-trigger>SET_AND_NON_PRIMITIVE_GET</replication-trigger>
     <replication-granularity>SESSION</replication-granularity>
</replication-config>


<replication-trigger>
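SET: replicate when the session is set
SET_AND_GET: replicate even when the session is only read
SET_AND_NON_PRIMITIVE_GET: replicate when the session is set, and also when a value that is not a Java primitive type is read (default)

WEB-INF/jboss-web.xml, web.xml session timeout setting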
        <session-config>
                <session-timeout>30</session-timeout>
        </session-config>

jvmRoute name setting (console, host.xml)
host.xml
</system-properties>
<servers>
   <server name="testSrv01" group="test-group" auto-start="false">
       <system-properties>
            <property name="jvmRoute" value="testSrv01" boot-time="false"/>
            <!-- The jvmRoute value here must match worker.node01 in worker.properties. -->
       </system-properties>
            <socket-bindings socket-binding-group="ha-sockets" port-offset="0"/>
    </server>
</servers>

domain.xml, standalone.xml: instance-id="${jvmRoute}"
      <subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" instance-id="${jvmRoute}" native="false">
             <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
               <virtual-server name="default-host" enable-welcome-root="false">
                   <alias name="localhost"/>
                   <alias name="example.com"/>
               </virtual-server>
     </subsystem>


* If session clustering does not work with the UDP configuration, switch to TCP
In domain.xml, change the jgroups stack from udp to tcp
<subsystem xmlns="urn:jboss:domain:jgroups:1.1" default-stack="tcp">