How GlassFish DAS communicates with Node Agents and Instances


Question : Explain the communication details between Domain Admin Server, node-agents and server instances in Sun's Application Server 8.x and 9.x (GlassFish V2).

Terminology :

DAS : Domain Admin Server (One per domain) -- The process that controls the management of the entire domain.

NA : Node Agent -- Generally, one per box or Solaris container -- The process that controls the life cycle of server instances.

SI : Server Instance --  The real Java EE instances that run user applications in an enterprise.

Answer :

1. Background : The configuration of the domain lives in domain.xml. Every node agent also keeps a few configuration files of its own, which that NA consults (see the Node Agent section at docs.sun.com for details). Administrative/management communication takes place at the following points in time:

  • DAS to each NA : only when the DAS needs to know the NA's running status.
  • DAS to each SI : when the DAS needs to know the SI's running status and when it cascades the SI's MBeans into the DAS's MBeanServer.
  • NA to DAS : during the initial rendezvous (which may happen when the NA is created), during synchronization of the NA itself, and during synchronization of each SI the NA is responsible for.
  • SI to DAS : never, explicitly.

Thus the communication is mainly driven by the DAS. When a domain is created, administration is configured to use an authentication realm named admin-realm. That realm is a FileRealm, i.e. the security-realm implementation that is backed by a flat file, here admin-keyfile; you will find this file in the config folder of the domain.
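To make the admin-realm check concrete, here is an added example (not code from the original post or from GlassFish) that verifies a user against a FileRealm-style keyfile. It reconstructs the {SSHA} scheme GlassFish v2 uses in admin-keyfile under assumptions the page does not state: one line per user of the form user;{SSHA}base64(sha1(password || salt) || salt);group1,group2, the password encoded as UTF-8, and an 8-byte random salt. The sample keyfile, its users and passwords are constructed for the illustration.

```python
"""Check admin credentials against a FileRealm keyfile (admin-keyfile).

Added example, not code from the original post or from GlassFish. It
reconstructs the {SSHA} scheme of GlassFish v2's FileRealm under these
assumptions (not stated on the page):

    user;{SSHA}base64( sha1(password || salt) || salt );group1,group2

with the password encoded as UTF-8 and an 8-byte random salt. The sample
keyfile below is constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

SSHA_TAG = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the password field of a keyfile line."""
    if salt is None:
        salt = os.urandom(8)  # assumed salt size; verification does not depend on it
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_TAG + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(field: str, password: str) -> bool:
    """Recompute the salted hash from the stored salt and compare in constant time."""
    if not field.startswith(SSHA_TAG):
        return False  # unknown scheme: refuse rather than guess
    try:
        raw = base64.b64decode(field[len(SSHA_TAG):], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) <= DIGEST_LEN:
        return False  # no salt present: malformed entry
    stored, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    computed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(stored, computed)


def parse_keyfile(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map user -> (password field, groups). Lines are 'user;field;groups'."""
    users: Dict[str, Tuple[str, List[str]]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(";")
        if len(parts) != 3:
            raise ValueError(f"admin-keyfile line {lineno}: expected 3 ';'-separated fields")
        user, field, groups = parts
        users[user] = (field, [g for g in groups.split(",") if g])
    return users


def authenticate(keyfile_text: str, user: str, password: str,
                 required_group: str = "asadmin") -> bool:
    """What the DAS effectively decides for an NA handshake: the user must
    exist, the password must verify, and the user must be in the admin
    group (asadmin is the administrator group name in admin-keyfile)."""
    entry = parse_keyfile(keyfile_text).get(user)
    if entry is None:
        # Burn a hash anyway so an unknown user is not faster to probe than a wrong password.
        ssha_verify(ssha_encode("dummy"), password)
        return False
    field, groups = entry
    return ssha_verify(field, password) and required_group in groups


# Constructed sample: one administrator and one user who is not in asadmin.
SAMPLE_KEYFILE = "\n".join([
    "# admin-keyfile (constructed sample)",
    "admin;" + ssha_encode("adminadmin", salt=b"\x10\x32\x54\x76\x98\xba\xdc\xfe") + ";asadmin",
    "monitor;" + ssha_encode("monitor1", salt=b"\x01\x23\x45\x67\x89\xab\xcd\xef") + ";monitor",
    "",
])

if __name__ == "__main__":
    print(SAMPLE_KEYFILE)
    print("admin/adminadmin ->", authenticate(SAMPLE_KEYFILE, "admin", "adminadmin"))
    print("admin/wrong      ->", authenticate(SAMPLE_KEYFILE, "admin", "wrong"))
    print("monitor/monitor1 ->", authenticate(SAMPLE_KEYFILE, "monitor", "monitor1"))
```

The point to notice is that the NA only ever sends the admin user name and password; the salt and hash stay in the DAS's admin-keyfile, and group membership (asadmin) is checked in addition to the password, so a valid non-admin user in the same realm cannot complete the handshake.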

The communication happens over two channels, HTTP and RMI. On the HTTP side there is a SynchronizationServlet; on the RMI side there is the JMX connector named system, built on the JMX remote API that is standard in JDK 5. The DAS, every SI and the NA each start a JMX/RMI ConnectorServer, which can optionally be configured to use transport layer security.

Every NA communicates with the DAS multiple times, but the key points are the initial handshake and synchronization. In the handshake the NA makes the DAS aware of its existence, and the DAS responds only if the NA presents the correct credentials. When the DAS is configured for secure access (the default in an enterprise-profile domain), both the HTTP and the JMX/RMI channel use transport layer security (SSL v3/TLS). Note that during the handshake the DAS learns only that the NA exists; it does not release the contents of the domain's repository during this phase. The handshake goes over the HTTP channel, since create-node-agent takes the DAS's admin port (default: 4848) as an option.

After an NA is created, the natural next step is to start it with asadmin start-node-agent. Since this is the NA's first startup, it syncs with the DAS. Starting an NA requires the correct credentials (admin user name and admin password); the DAS compares them against its own admin-keyfile, and the communication succeeds only if that check passes. NA startup also requires the master password, because the NA must unlock the security store (e.g. keystore.jks) it synced from the DAS. Note that the master password is never put on the wire! It has to be provided both at DAS startup and at every NA startup. For unattended boot there is the --savemasterpassword option, which stores the master password in a file on the node agent's host and should therefore be used with care.

The NA also needs the master password so that it can pass it on to the SIs it starts (as part of start-instance or start-cluster); those instances need it to unlock the security store and get at their private keys and certificates.

For its regular management traffic the NA talks to the DAS over the JMX/RMI channel: the NA opens an RMI connection to the DAS, which listens for JMX/RMI connections. This is where the RMI registry in the DAS (default port 8686) comes into the picture.

When a domain is created, a self-signed certificate with the alias s1as is generated for internal communication; it is created anew for every domain. The domain's master password is what locks the server's keystore. In an enterprise-profile domain NSS manages the secure store, whereas in a cluster-profile domain JKS does; the semantics of the master password are the same in both cases.

The Server Instances are synced with the DAS as part of either:

  1. start-instance, or
  2. start-cluster, or
  3. start-node-agent --syncinstances procedure.

For this synchronization they use the HTTP channel and talk to the SynchronizationServlet, which listens for sync requests and (of course) runs in the DAS.

The server instances receive the admin credentials from the node-agent process in a secure manner, over stdin rather than on the command line. This is also evident when you look at the startserv script in the instance's bin folder.

The DAS communicating with the NA and the SIs works the same way in the other direction: it reaches them over RMI/JMX.

2. Transport Layer Security :

This is achieved by enabling the security-enabled flag on the admin-listener and on the jmx-connector named system, on the DAS and on the server instances. Note that the admin-listener (HTTP/S) is started only in the DAS; there is no admin-listener in the server instances, so on an instance only the jmx-connector carries the flag.

It is of course possible to use a CA-signed certificate instead of the self-signed one. That needs additional configuration after the certificates have been imported into the store.
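Because the two flags live in different places in domain.xml and must be set per config (server-config for the DAS, the instances' config for the JMX side), a quick audit is useful. The following is an added example, not code from the original post or from GlassFish. It assumes the v2 domain.xml layout, which the page does not spell out: a <config name="..."> element containing <http-service> with <http-listener id="admin-listener" .../> and <admin-service> with <jmx-connector name="system" .../>, both carrying a security-enabled attribute that defaults to false, and the connector naming its realm in auth-realm-name. Both sample configurations are constructed: WEAK_DOMAIN_XML is the plaintext default, HARDENED_DOMAIN_XML the same with the flags set.

```python
"""Audit a GlassFish v2 domain.xml for TLS on the two admin channels.

Added example; not code from the original post or from GlassFish. Assumed
layout (not stated on the page):

    <config name="..."><http-service><http-listener id="admin-listener" .../>
    </http-service><admin-service><jmx-connector name="system" .../>
    </admin-service></config>

Both elements are assumed to carry security-enabled (default false) and
the connector an auth-realm-name. The two sample configs are constructed.
"""
import xml.etree.ElementTree as ET
from typing import List


def _is_true(value) -> bool:
    return (value or "false").strip().lower() == "true"


def audit_admin_tls(domain_xml: str) -> List[str]:
    """Return one finding per unprotected admin channel; [] means clean.

    Clean means: every admin-listener and every jmx-connector named system,
    in every <config>, has security-enabled="true", and the connector
    authenticates against admin-realm."""
    root = ET.fromstring(domain_xml)
    findings: List[str] = []
    for config in root.iter("config"):
        name = config.get("name", "?")
        for listener in config.iter("http-listener"):
            if listener.get("id") != "admin-listener":
                continue  # application listeners are out of scope here
            if not _is_true(listener.get("security-enabled")):
                findings.append(f"{name}: admin-listener on port {listener.get('port')} "
                                "is plain HTTP (security-enabled is not true)")
        connectors = [c for c in config.iter("jmx-connector") if c.get("name") == "system"]
        if not connectors:
            findings.append(f"{name}: no jmx-connector named system (DAS/NA channel undefined)")
        for conn in connectors:
            if not _is_true(conn.get("security-enabled")):
                findings.append(f"{name}: jmx-connector system on port {conn.get('port')} "
                                "is plain RMI (security-enabled is not true)")
            if conn.get("auth-realm-name") != "admin-realm":
                findings.append(f"{name}: jmx-connector system authenticates against "
                                f"{conn.get('auth-realm-name')!r}, expected admin-realm")
    return findings


# Constructed sample: a DAS config plus the config instances inherit.
WEAK_DOMAIN_XML = """<domain>
  <configs>
    <config name="server-config">
      <http-service>
        <http-listener id="http-listener-1" port="8080" security-enabled="false"/>
        <http-listener id="admin-listener" port="4848" security-enabled="false"/>
      </http-service>
      <admin-service type="das-and-server" system-jmx-connector-name="system">
        <jmx-connector name="system" port="8686" protocol="rmi_jrmp"
                       auth-realm-name="admin-realm" security-enabled="false"/>
      </admin-service>
    </config>
    <config name="default-config">
      <http-service>
        <http-listener id="http-listener-1" port="${HTTP_LISTENER_PORT}" security-enabled="false"/>
      </http-service>
      <admin-service type="server" system-jmx-connector-name="system">
        <jmx-connector name="system" port="${JMX_SYSTEM_CONNECTOR_PORT}" protocol="rmi_jrmp"
                       auth-realm-name="admin-realm" security-enabled="false"/>
      </admin-service>
    </config>
  </configs>
</domain>
"""

# Same document with the admin channels switched to TLS.
HARDENED_DOMAIN_XML = WEAK_DOMAIN_XML.replace(
    'id="admin-listener" port="4848" security-enabled="false"',
    'id="admin-listener" port="4848" security-enabled="true"',
).replace(
    'auth-realm-name="admin-realm" security-enabled="false"',
    'auth-realm-name="admin-realm" security-enabled="true"',
)

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DOMAIN_XML), ("hardened", HARDENED_DOMAIN_XML)):
        print(label, audit_admin_tls(doc) or "clean")
```

Note that the instances' config has no admin-listener and the audit does not expect one there, matching the statement above that only the DAS runs it; it does expect the system jmx-connector in every config, since that is the channel the DAS uses to reach NAs and instances.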

3. Authentication and Credentials :

Please see: http://wiki.glassfish.java.net/attach/GlassFishAdministrationPages/admincreds.html

 

Originally posted by Kedar Mhaswade (bloggerkedar) on 2008-04-28 at http://blogs.sun.com/bloggerkedar/entry/how_das_communicates_with_node

Comments:

Thanks for this. It's useful to understand the communication that takes place between the DAS, node agents and server instances.

Ismael

Posted by Ismael Juma on October 17, 2008 at 11:58 PM PDT #

Hi Kedar!

Is it possible for a DAS and NAs to talk over RMI-IIOP? For some setups it's desirable to have NAs in less secure nets, and the DASes in more secure nets with firewalls between them. In this case plain RMI can cause headaches, no?

Posted by sysprv on January 09, 2009 at 04:30 AM PST #

Hi Kedar

I'm fairly new to GlassFish and I'm wondering why nobody talks about clustering 2 or more DAS. I know I can cluster nodes, but if I can have only one DAS per domain and that box becomes unavailable, do I have no failover at all?

Posted by Alex on April 14, 2009 at 12:38 AM PDT #

sysprv,

Yes, that's an issue with GlassFish v2.

Alex,

Yes, admin availability is affected if DAS goes down. But the user applications will continue to have failover even if DAS does not run. Do you think you need a highly available DAS?

-Kedar

Posted by Kedar Mhaswade on April 14, 2009 at 02:44 PM PDT #

Kedar

I was just wondering if DAS clustering existed at all. Let's say I lose the DAS for a longer period of time; would it be enough to point all agents to a new DAS that I created? Could you describe a poor-man's DAS failover?

Posted by Alex Stuck on April 14, 2009 at 04:45 PM PDT #

Ah, that's a slightly different thing. Here's what you can do --

- Always take backup of your domain after reaching a stable configuration. This can be done using "asadmin backup-domain". This creates a zip file with proper date-stamp etc.

- Assuming you have a reasonably recent backup and your DAS machine (A) goes down, you quickly restore the backed up zip file on a new machine (B). Start this new incarnation of the DAS on machine B.

- Stop all node-agents and instances and edit the node-agent-folder/agent/config/das.properties and change the DAS location to B from A. Restart the node-agents. The hand-shake should occur and DAS should recognize the node-agents and instances.

This is poor-man's DAS resurrection (not really a fail-over).

Let me know (by sending an e-mail to kedar.mhaswade@sun.com) if this works for you.

Posted by Kedar Mhaswade on April 14, 2009 at 05:03 PM PDT #
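The third step of the resurrection procedure above, editing das.properties on every node agent, is the one most easily done wrong by hand across many hosts. Here is an added example (not code from the post or from GlassFish) that rewrites the file in place. The post names the file (node-agent-folder/agent/config/das.properties) but not its keys; the example assumes it is a java.util.Properties file with the keys agent.das.host, agent.das.port, agent.das.isSecure and agent.das.protocol, and the sample content is constructed. As the post says, stop the node agent and its instances before changing the file.

```python
"""Repoint a node agent at a rebuilt DAS by editing das.properties.

Added example; not from the post or from GlassFish. Assumes (not stated
on the page) that <node-agent-folder>/agent/config/das.properties is a
java.util.Properties file with the keys agent.das.host, agent.das.port,
agent.das.isSecure and agent.das.protocol. The sample file is constructed.
"""
import re
from typing import Dict, Optional

# key=value or key:value; '#' and '!' start comments in .properties files
_KV = re.compile(r"^(\s*)([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal reader for the key/value lines this task cares about."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            props[m.group(2)] = m.group(3).strip()
    return props


def repoint_das(text: str, new_host: str, new_port: Optional[int] = None,
                secure: Optional[bool] = None) -> str:
    """Return das.properties text that points at new_host.

    Only the DAS-location keys change; comments and unrelated keys are kept
    verbatim, and keys that are absent get appended. A downgrade of
    agent.das.isSecure from true to false is refused, because that would
    silently move the NA/DAS channel to plaintext while "fixing" failover."""
    current = parse_properties(text)
    if secure is False and current.get("agent.das.isSecure", "false").lower() == "true":
        raise ValueError("refusing to downgrade agent.das.isSecure from true to false")
    updates = {"agent.das.host": new_host}
    if new_port is not None:
        updates["agent.das.port"] = str(new_port)
    if secure is not None:
        updates["agent.das.isSecure"] = "true" if secure else "false"

    out = []
    seen = set()
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(2) in updates:
            key = m.group(2)
            out.append(f"{m.group(1)}{key}={updates[key]}")  # keep original indentation
            seen.add(key)
        else:
            out.append(line)
    for key, value in updates.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


# Constructed sample for an agent that was created with --secure=true
# against the DAS on machine A.
SAMPLE_DAS_PROPERTIES = """# das.properties (constructed sample) for the node agent on nodeA
agent.das.host=das-a.example.internal
agent.das.port=4848
agent.das.protocol=rmi_jrmp
agent.das.isSecure=true
"""

if __name__ == "__main__":
    # Move this agent to the restored DAS on machine B, keeping port and TLS.
    print(repoint_das(SAMPLE_DAS_PROPERTIES, "das-b.example.internal"))
```

After the rewrite, start-node-agent performs the handshake against the new host with the same admin credentials and master password as before, which is why the restored domain must come from a backup of the same domain: the admin-keyfile and the keystore the agents already synced have to match.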

Kedar

Thanks I will try that. Sounds about right.
Hey, do you know why my agents still ask me for username/master password when I start them, although I created them like this:

asadmin create-node-agent --host {dashost} --secure=true --savemasterpassword=true {host}_agent

From the docs:

"To enable the node agent to be started without prompting the user for a password, save the node agent's master password to a file when you create the node agent"

The file "master-password" exists. Any ideas ?

Posted by Alex Stuck on April 14, 2009 at 07:07 PM PDT #

Got it to work - wow that took some messing around.
Still trying to understand the architecture better.
I found your post on how agents need to sync with the DAS one time first before they can use the password-alias.

Thx

Posted by Alex Stuck on April 15, 2009 at 07:51 PM PDT #
