Posted: 13 Jan 2016 9:38 EST Last activity: 19 Jan 2016 11:40 EST
SMA on JBOSS 6.x
I wanted to provide some information I have found while configuring Pega 7.1.9 on JBOSS 6.4.4, specifically related to SMA.
Firstly, the JMX URL example provided within SMA is incorrect for JBOSS 6. The URL provided is:
service:jmx:rmi:///jndi/rmi://HOST:9004/jmxrmi
However, the CORRECT JMX URL for JBOSS 6.4 is:
service:jmx:remoting-jmx://HOST:4447
OR
service:jmx:remoting-jmx://HOST:9999
depending on which interface you have JMX bound to (9999 by default, for the management interface, or 4447 otherwise).
This part is important as it determines what authentication method is used. By default, JMX is configured to use the management security realm for authentication. This means that if you have your JBOSS admin console authenticated through LDAP, your JMX connection will be authenticated through LDAP as well. If this is your case (as it was with me), adding a local management user would not work.
You can prevent JMX from using the management interface with this CLI command and a server reload.
The URL issue is likely a bug; I have pinged the relevant team to confirm and hopefully fix that in the future. Regarding LDAP authentication, not sure that is the scenario we even support at the moment. Will check with the team and report back.
Thanks, Kevin. We ran into this because we configure our JBOSS console to be authenticated via LDAP. I have not found a way to have the JBOSS console authenticated via LDAP with a fallback to local user configuration.
Because of this, adding a management user is pointless if LDAP is enabled. The system will never try to authenticate with it. This is why we either need to disable the management endpoint for JMX (allowing a local APPLICATION user to be utilized) or use an authorized LDAP account when connecting to the node in SMA.
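As an added example (not part of the thread, and not Pega or JBoss code), this Python check reads a standalone.xml and reports which JMX URL and security realm a client such as SMA will authenticate against. The sample XML is constructed, the element and attribute names assume the JBoss EAP 6 configuration schema, and the ports are the defaults quoted in the thread rather than values resolved from socket bindings.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements that matter (not from the thread).
SAMPLE = """<server xmlns="urn:jboss:domain:1.7">
 <management>
  <security-realms>
   <security-realm name="ManagementRealm">
    <authentication><ldap connection="corp-ldap" base-dn="dc=example,dc=com"/></authentication>
   </security-realm>
   <security-realm name="ApplicationRealm">
    <authentication><properties path="application-users.properties"/></authentication>
   </security-realm>
  </security-realms>
  <management-interfaces><native-interface security-realm="ManagementRealm"/></management-interfaces>
 </management>
 <profile>
  <subsystem xmlns="urn:jboss:domain:jmx:1.3"><remoting-connector/></subsystem>
  <subsystem xmlns="urn:jboss:domain:remoting:1.2">
   <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
  </subsystem>
 </profile>
</server>"""

def _named(root, name, ns_part=""):
    """Elements with this local name, ignoring the schema version in the namespace."""
    return [e for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == name and ns_part in e.tag]

def jmx_auth(xml_text):
    """Report which URL and security realm a remote JMX client will hit."""
    root = ET.fromstring(xml_text)
    jmx = _named(root, "remoting-connector", ":jmx:")
    if not jmx:
        return None  # remote JMX is not exposed at all
    # Assumed schema default is "true": JMX rides on the management interface.
    if jmx[0].get("use-management-endpoint", "true") == "true":
        port, src = 9999, _named(root, "native-interface")
    else:
        port, src = 4447, _named(root, "connector", ":remoting:")
    realm = src[0].get("security-realm") if src else None
    mechanisms = []
    for r in _named(root, "security-realm"):
        if r.get("name") == realm:
            for auth in _named(r, "authentication"):
                mechanisms = sorted(c.tag.rsplit("}", 1)[-1] for c in auth)
    # Ports are the defaults quoted in the thread, not resolved from socket bindings.
    return {"url": f"service:jmx:remoting-jmx://HOST:{port}",
            "realm": realm, "mechanisms": mechanisms}

if __name__ == "__main__":
    print(jmx_auth(SAMPLE))
```

A result whose mechanisms list contains only ldap for the management realm matches the situation described in the thread, where a locally added management user is never consulted.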