Chapter 16. Configuring remoting and connections


You can configure the remoting subsystem and manage various connection types within JBoss EAP. This includes setting up endpoints, connectors, and outbound connections to facilitate communication between servers and applications. You can configure HTTP connectors, remote and local outbound connections, and explore additional remoting configuration options, providing you with the tools needed to manage remoting and connections effectively in JBoss EAP.

16.1. Remoting subsystem configuration

The remoting subsystem configures inbound and outbound connections for local and remote services, along with the settings for those connections.

The JBoss EAP remoting subsystem includes several configurable elements:

For most use cases, you might not need to configure the remoting subsystem. However, if your application uses custom connectors, you must configure it. Applications that act as remoting clients, such as Jakarta Enterprise Beans, require separate configuration to connect to a specific connector.

The default remoting subsystem configuration is as follows:

<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <endpoint worker="default"/>
    <http-connector name="http-remoting-connector"
                    connector-ref="default"
                    sasl-authentication-factory="application-sasl-authentication"/>
</subsystem>

16.1.1. The remoting endpoint

The remoting endpoint uses the XNIO worker declared and configured by the io subsystem. This worker facilitates non-blocking I/O operations, enhancing the performance and scalability of remoting connections.

16.1.2. http-connector configuration element

The http-connector element is a default configuration element that enables external clients to connect to the server by using the HTTP upgrade feature of undertow.

With this configuration, the client first establishes a connection with the server by using the HTTP protocol and then switches to the remote protocol over the same connection. This enables clients that use different protocols to connect over the same port, such as the default port 8080 of undertow, reducing the number of open ports on the server.

Clients that need to connect to the server by using HTTP upgrade must use the remoting remote+http protocol for unencrypted connections or the remoting remote+https protocol for encrypted connections.

16.1.3. Outbound connections

Outbound connections in the remoting subsystem enable your applications to communicate with external resources.

You can specify three different types of outbound connections:

16.2. Configuring the endpoint

You can configure the remoting endpoint in JBoss EAP to establish connections for your applications. JBoss EAP includes a default endpoint configuration that you can update by using management CLI commands.

As a JBoss EAP administrator or developer, you might need to:

  • Configure endpoint settings to tailor communication for specialized services or environments. For example, you can adjust authentication and security settings to separate administrative traffic from regular application traffic.
  • Update an existing endpoint configuration to meet security or performance requirements. For example, adjusting settings like authentication retries or timeouts can improve security and ensure optimal performance under varying loads.

Important

In JBoss EAP 8.0, the endpoint configuration in the remoting subsystem uses a worker from the io subsystem. This worker manages the thread pool for remoting operations.

The default endpoint configuration provided by JBoss EAP is as follows:

<subsystem xmlns="urn:jboss:domain:remoting:4.0">
  <endpoint worker="default"/>
  ...
</subsystem>

Prerequisites

  • JBoss EAP is running.

Procedure

  1. Update the existing endpoint configuration by using the following command:

    /subsystem=remoting:write-attribute(name=authentication-retries,value=2)
  2. Reload the server to apply the changes by using the following command:

    reload

16.3. Configuring an HTTP connector

You can configure the HTTP connector in JBoss EAP to establish connections by using the HTTP upgrade-based remoting protocol. JBoss EAP provides a default HTTP connector configuration that you can easily update, create, or delete by using management CLI commands.

As a JBoss EAP administrator or developer, you might need to:

  • Create a new HTTP connector to establish remote communication using the HTTP upgrade-based remoting protocol. This enables secure and efficient remote access to JBoss EAP services.
  • Update an existing HTTP connector to optimize performance, enhance security, or integrate with specific network configurations. Adjusting attributes such as authentication mechanisms or connection timeouts improves reliability and ensures compliance with security policies.
  • Delete unnecessary HTTP connectors to simplify configuration and reduce security risks. Deleting unused connectors helps maintain a clean and secure environment by minimizing exposure to unauthorized access.

The default http-connector configuration provided by JBoss EAP is as follows:

<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    ...
    <http-connector name="http-remoting-connector"
                    connector-ref="default"
                    sasl-authentication-factory="application-sasl-authentication"/>
</subsystem>

By default, this HTTP connector connects to an HTTP listener named default, which is configured in the undertow subsystem.

Prerequisites

  • JBoss EAP is running.

Procedure

  1. Create a new HTTP connector by using the following command:

    /subsystem=remoting/http-connector=new-connector:add(connector-ref=new-connector-ref)

    Note

    You must use a unique connector-ref that is not already in use by another connector. The connector-ref must point to a new or unused connector in Undertow, or you may choose to use the predefined https connector instead.

  2. Update the existing HTTP connector configuration by using the following command:

    /subsystem=remoting/http-connector=new-connector:write-attribute(name=connector-ref,value=new-connector-ref)
  3. Reload the server to apply the changes by using the following command:

    reload
  4. If needed, delete an HTTP connector by using the following command:

    /subsystem=remoting/http-connector=new-connector:remove

16.4. Configuring an outbound connection

You can configure an outbound connection in JBoss EAP to establish a generic remoting outbound connection specified by a URI. This enables your applications to communicate effectively with external services.

You can easily manage these connections by updating, creating, or deleting configurations by using management CLI commands.

As a JBoss EAP administrator or developer, you might need to:

  • Create a new outbound connection to establish communication with external services. This enables seamless data exchange and integration with remote systems.
  • Update an existing outbound connection to enhance performance, strengthen security, or align with network configurations. Adjusting attributes such as the target URI improves reliability and ensures compatibility with system requirements.
  • Delete unnecessary outbound connections to streamline configuration and reduce security risks. Deleting unused connections helps maintain a clean and secure environment by minimizing exposure to unauthorized access.

Prerequisites

  • JBoss EAP is running.

Procedure

  1. Create a new outbound connection by using the following command:

    /subsystem=remoting/outbound-connection=new-outbound-connection:add(uri=http://example.com)
  2. Update the existing outbound connection by using the following command:

    /subsystem=remoting/outbound-connection=new-outbound-connection:write-attribute(name=uri,value=http://example.com)
  3. If needed, delete an outbound connection by using the following command:

    /subsystem=remoting/outbound-connection=new-outbound-connection:remove
  4. Reload the server to apply the changes after deleting the outbound connection by using the following command:

    reload

16.5. Configuring a remote outbound connection

You can specify a remote outbound connection with a protocol, an outbound socket binding, a username, and a security realm. The protocol can be remote, http-remoting, or https-remoting. You can manage these connections easily by updating, creating, or deleting configurations using management CLI commands.

As a JBoss EAP administrator or developer, you might need to:

  • Create a new remote outbound connection to enable secure communication with external services. This ensures applications can interact with remote systems using specified protocols and authentication methods.
  • Update an existing remote outbound connection to enhance security, improve performance, or integrate with specific network configurations. Adjusting attributes such as outbound socket bindings or authentication settings ensures stability and compliance with security policies.
  • Delete unnecessary remote outbound connections to simplify configuration and reduce security risks. Deleting unused connections helps maintain a clean and secure environment by minimizing exposure to unauthorized access.

Prerequisites

  • JBoss EAP is running.

Procedure

  1. Create a new remote outbound connection by using the following command:

    /subsystem=remoting/remote-outbound-connection=new-remote-outbound-connection:add(outbound-socket-binding-ref=outbound-socket-binding)

    Note

    Ensure that the outbound-socket-binding is defined in your configuration before executing these commands. For more information, see Outbound socket binding.

  2. Update an existing remote outbound connection by using the following command:

    /subsystem=remoting/remote-outbound-connection=new-remote-outbound-connection:write-attribute(name=outbound-socket-binding-ref,value=outbound-socket-binding)
  3. If needed, you can delete a remote outbound connection by using the following command:

    /subsystem=remoting/remote-outbound-connection=new-remote-outbound-connection:remove

16.6. Configuring a local outbound connection

You can specify a local outbound connection as a remoting outbound connection with a protocol of local, using only an outbound socket binding. You can manage these connections easily by updating, creating, or deleting configurations using management CLI commands.

As a JBoss EAP administrator or developer, you might need to:

  • Create a new local outbound connection to enable secure and efficient communication within the same server instance. This helps streamline internal interactions without requiring external networking.
  • Update an existing local outbound connection to improve performance, modify socket bindings, or align with specific configurations. Adjusting attributes such as outbound socket bindings ensures stability and compatibility.
  • Delete unnecessary local outbound connections to simplify configuration and reduce security risks. Deleting unused connections helps maintain a clean and secure environment by minimizing exposure to unauthorized access.

Prerequisites

  • JBoss EAP is running.

Procedure

  1. Create a new local outbound connection by using the following command:

    /subsystem=remoting/local-outbound-connection=new-local-outbound-connection:add(outbound-socket-binding-ref=outbound-socket-binding)

    Note

    Ensure that the outbound-socket-binding is defined in your configuration before executing these commands. For more information,

  2. Update an existing local outbound connection by using the following command:

    /subsystem=remoting/local-outbound-connection=new-local-outbound-connection:write-attribute(name=outbound-socket-binding-ref,value=outbound-socket-binding)
  3. If needed, you can delete a local outbound connection by using the following command:

    /subsystem=remoting/local-outbound-connection=new-local-outbound-connection:remove

16.7. Additional remoting configurations

There are several remoting elements that are configured outside of the remoting subsystem.

As a JBoss EAP administrator or developer, you might need to:

  • Configure an IO worker for remoting to improve performance and manage remoting tasks efficiently. Ensure that the worker is defined in the IO subsystem.
  • Modify the network interface settings to align remoting with the required public, management, or unsecure interface. Configuring the correct interface ensures proper connectivity.
  • Adjust the socket binding for the remoting subsystem to specify the appropriate port and maintain compatibility with network and security policies.
  • Enable secure transport with STARTTLS to protect remoting communications. Ensure that your configuration verifies secure connections to prevent security risks, such as man-in-the-middle attacks.

    IO worker

    Use the following command to set the IO worker for remoting. Ensure that the worker is defined in the IO subsystem before running this command:

    /subsystem=remoting:write-attribute(name=worker, value=WORKER_NAME)

    Network interface

    The network interface used by the remoting subsystem is the public interface. This interface is also used by other subsystems, so exercise caution when modifying it.

    <interfaces>
       <interface name="management">
          <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
       </interface>
       <interface name="public">
          <inet-address value="${jboss.bind.address:127.0.0.1}"/>
       </interface>
       <interface name="unsecure">
          <inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
       </interface>
    </interfaces>

    In a managed domain, the public interface is defined per host in its host.xml file.

    Socket binding

    The default socket binding for the remoting subsystem binds to port 8080.

    Secure transport configuration

    Remoting transports use STARTTLS to establish a secure connection, such as HTTPS or Secure Servlet, if the client requests it. The same socket binding, or network port, is used for secured and unsecured connections, so no additional server-side configuration is necessary. The client requests secure or unsecured transport as needed. JBoss EAP components that use remoting, such as Jakarta Enterprise Beans, ORB, and the Jakarta Messaging provider, request secure interfaces by default.

Warning

STARTTLS works by activating a secure connection if the client requests it, and otherwise defaults to an unsecured connection. It is inherently susceptible to man-in-the-middle exploits, where an attacker intercepts a client’s request and modifies it to request an unsecured connection. Clients must be written to fail appropriately if they do not receive a secure connection, unless an unsecured connection is an appropriate fall-back.
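The following configuration review script is an added example, not part of the Red Hat documentation or of JBoss EAP. It reads a remoting subsystem fragment and reports http-connector elements that lack the sasl-authentication-factory attribute carried by the default connector, and outbound-connection URIs that use an unencrypted scheme such as remote+http. The sample XML is constructed, and the element layout for outbound-connection inside the subsystem is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REMOTING_NS = "{urn:jboss:domain:remoting:"   # matches any schema version
UNENCRYPTED_SCHEMES = {"http", "remote+http"}

# Constructed sample: the default connector from this page plus two
# deliberately weak entries. The outbound-connection layout is an assumption.
SAMPLE = """
<server>
  <subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <endpoint worker="default"/>
    <http-connector name="http-remoting-connector" connector-ref="default"
                    sasl-authentication-factory="application-sasl-authentication"/>
    <http-connector name="new-connector" connector-ref="new-connector-ref"/>
    <outbound-connections>
      <outbound-connection name="new-outbound-connection" uri="remote+http://example.com:8080"/>
      <outbound-connection name="tls-outbound" uri="remote+https://example.com:8443"/>
    </outbound-connections>
  </subsystem>
</server>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_remoting(xml_text):
    """Return (element, name, issue) tuples for every remoting subsystem found."""
    findings = []
    for sub in ET.fromstring(xml_text).iter():
        if not (sub.tag.startswith(REMOTING_NS) and local(sub.tag) == "subsystem"):
            continue
        for el in sub.iter():
            kind, name = local(el.tag), el.get("name", "?")
            # A connector added with only connector-ref has no SASL factory set.
            if kind == "http-connector" and not el.get("sasl-authentication-factory"):
                findings.append((kind, name, "no sasl-authentication-factory"))
            # remote+http is the unencrypted HTTP-upgrade protocol.
            elif kind == "outbound-connection":
                scheme = urlsplit(el.get("uri", "")).scheme
                if scheme in UNENCRYPTED_SCHEMES:
                    findings.append((kind, name, f"unencrypted scheme {scheme}"))
    return findings

if __name__ == "__main__":
    for finding in audit_remoting(SAMPLE):
        print(": ".join(finding))
```
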


© 2024 Red Hat, Inc.