Red Hat

Running an Embedded WildFly Host Controller in the CLI

WildFly supports running a standalone server in Offline mode as an embedded server. An analogous capability has been added for domain mode in the form of running an offline host controller. This article discusses some of the details and possible applications of this feature.


For those not familiar with the existing embedded standalone server, see: Offline mode Running an Embedded WildFly 9 Server in the CLI · WildFly. One of the major use cases of this feature was to allow local administration of a WIldFly / JBoss EAP instance without requiring a socket based connection, or opening any local ports but still enabling configuration and administration operations. The embedded approach also allows for a fast boot that will allow multiple concurrent running instances to co-exist without configuring any additional socket offsets or interfaces to avoid port conflicts etc.

Using and the embed-host-controller command enables a fast and flexible means of configuring host controller instances and servers.

Embedded Host Controller

In a similar way to the standalone embed-server command, the embed-host-controller command is provided, to start an embedded host controller running in the CLI. This host controller is started in admin-only mode, and no servers are started. [See below for more details on admin-only restrictions].

Starting an embedded Host Controller:

$ ./bin/

You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] embed-host-controller --std-out=echo
11:07:46,723 INFO  [org.jboss.modules] (AeshProcess: 1) JBoss Modules version 1.6.0.Final
11:07:46,825 INFO  [org.jboss.msc] (AeshProcess: 1) JBoss MSC version 1.2.7.SP1
11:07:46,870 INFO  [] (MSC service thread 1-7) WFLYSRV0049: WildFly Full 11.0.0 (WildFly Core 3.0.1.Final) starting
[ Note: some startup output omitted for brevity. ]
11:07:48,845 INFO  [] (Controller Boot Thread) WFLYSRV0025: WildFly Full 11.0.0 (WildFly Core 3.0.1.Final) (Host Controller) started in 2105ms - Started 56 of 61 services (18 services are lazy, passive or on-demand)

[domain@embedded /] ls -l
ATTRIBUTE                VALUE           TYPE
domain-organization      undefined       STRING
launch-type              EMBEDDED        STRING
local-host-name          master          STRING
management-major-version 5               INT
management-micro-version 0               INT
management-minor-version 0               INT
name                     Unnamed Domain  STRING
namespaces               []              OBJECT
process-type             Host Controller STRING
product-name             WildFly Full    STRING
product-version          11.0.0          STRING
release-codename         Kenny           STRING
release-version          3.0.1.Final     STRING
schema-locations         []              OBJECT

CHILD                     MIN-OCCURS MAX-OCCURS
core-service              n/a        n/a
deployment                n/a        n/a
deployment-overlay        n/a        n/a
extension                 n/a        n/a
host                      n/a        n/a
host-exclude              n/a        n/a
interface                 n/a        n/a
management-client-content n/a        n/a
path                      n/a        n/a
profile                   n/a        n/a
server-group              n/a        n/a
socket-binding-group      n/a        n/a
system-property           n/a        n/a

The non-modular client may also be used from the bin/client WildFly distribution:

$ java -jar bin/client/jboss-cli-client.jar
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] embed-host-controller --jboss-home=/wildfly-11.0.0
Warning! The CLI is running in a non-modular environment and cannot load commands from management extensions.
[domain@embedded /] cd /host=master/server-config=server-one
[domain@embedded server-config=server-one] ls -l
ATTRIBUTE                            VALUE             TYPE
auto-start                           true              BOOLEAN
cpu-affinity                         undefined         STRING
group                                main-server-group STRING
name                                 server-one        STRING
priority                             undefined         INT
socket-binding-default-interface     undefined         STRING
socket-binding-group                 undefined         STRING
socket-binding-port-offset           0                 INT
status                               STOPPED           STRING
update-auto-start-with-server-status false             BOOLEAN

interface       n/a        n/a
jvm             n/a        n/a
path            n/a        n/a
ssl             n/a        n/a
system-property n/a        n/a
[domain@embedded server-config=server-one]

See Modular vs Non-Modular Classloading and JBOSS_HOME in the original embedded server news article for details.

Executing commands:

[domain@embedded /]  /host=master/interface=public:write-attribute(name=inet-address, value=
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => undefined,
    "response-headers" => {"process-state" => "reload-required"}


[domain@embedded /] reload --host=master --admin-only=true
11:17:20,092 INFO  [] (Controller Boot Thread) WFLYSRV0025: WildFly Full 11.0.0 (WildFly Core 3.0.1.Final) (Host Controller) started in 279ms - Started 56 of 61 services (18 services are lazy, passive or on-demand)
[domain@embedded /]

Note that currently, the embedded host controller may only be started / reloaded in admin-only mode. In domain mode, servers are started and stopped via use of the process controller which is not currently supported as part of embedded mode.


[domain@embedded /] stop-embedded-host-controller
11:08:29,925 INFO  [] (MSC service thread 1-7) WFLYSRV0050: WildFly Full 11.0.0 (WildFly Core 3.0.1.Final) stopped in 13ms

Command usage:

The embed-host-controller command has several options that behave in the same way as the previously mentioned standalone embedded server, which will not be discussed again here. The relevant embed-host-controller parameters are:

-c                - Name of the domain configuration file to use
                     (default is "domain.xml")
                     (Same as --domain-config)

--domain-config   - Name of the domain configuration file to use
                     (default is "domain.xml")
                     (Same as -c)

--host-config     - Name of the host configuration file to use
                     (default is "host.xml")

As mentioned above, --jboss-home, --std-out and --timeout may also be provided and function in the same manner as the embed-server command. The configuration files mentioned above (domain.xml, host.xml) above should be located in the $JBOSS_HOME/domain/configuration directory (or under the location pointed to by the system property jboss.domain.config.dir.) [See Command Line Properties for additional details on those properties.]

For example, to start an embedded host controller with configuration files contained in the otherdomain/configuration directory:

[wildfly-11]$ ./bin/ -Djboss.domain.config.dir=/wildfly-11/otherdomain/configuration
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] embed-host-controller --std-out=echo
11:26:44,122 INFO  [] (Controller Boot Thread) WFLYSRV0025: WildFly Full 11.0.0 (WildFly Core 3.0.1.Final) (Host Controller) started in 1894ms - Started 56 of 61 services (18 services are lazy, passive or on-demand)
[domain@embedded /]

Configuration may then proceed and will be persisted to the otherdomain/configuration directory. This directory must already exist and contain base copies of the required configuration files (host.xml, domain.xml etc.).

Scripted configuration

The embedded host controller may be useful for configuration from a prepared file of scripted CLI commands. For example:

$ cat commands.cli
/server-group=main-server-group:write-attribute(name=socket-binding-port-offset, value=100)
/host=master/server-config=server-one:write-attribute(name=auto-start, value=false)
deploy --all-server-groups test.war

$ ./bin/ --file=commands.cli
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => undefined

This approach may be used for a variety of setup and configuration tasks, for example setting up unit or integration tests quickly using the embedded host controller, then restarting in domain mode using may require less time than starting the host controller normally using, performing configuration and deployment etc, then restarting.

Other examples

Set server socket-binding-port-offset

In order to allow more than one running instance on the same host, a common configuration for testing (or any scenario needing to run a domain controller and a slave host controller (with servers) on the same host), a socket-binding-port-offset is commonly used. The slave host is configured to have a port offset so that the ports already in use by the domain controller’s servers do not conflict with those of the slave.

[domain@embedded /] /server-group=main-server-group:write-attribute(name=socket-binding-port-offset, value=100)
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => undefined

Configure connection to remote domain controller

When configuring a slave host controller, configure the connection to the domain controller.

[domain@embedded /] /host=master:write-remote-domain-controller(host=remotedc.somedomain.tld, security-realm=ManagementRealm)
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => undefined,
    "response-headers" => {"process-state" => "reload-required"}

System property

This can be useful as an initial configuration step before the host controller is started with

[domain@embedded /] /server-group=main-server-group/system-property=foo:add(value=bar)
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => undefined

Future Direction

In the future we’d like to allow for starting the embedded host controller with some additional features, such as empty configurations in host and domain configuration files (similar to standalone embedded), and also re-examine the meaning and usage of --admin-only in the context of the embedded host controller.

OpenSSL support with WildFly

The upcoming WildFly 11 release includes support for OpenSSL. This provides two main advantages over JSSE:

  • Support for ALPN on all JDK’s

  • Significantly improved performance compared to JSSE

Setting up OpenSSL

In general for Linux based systems all that is required is to install a recent version of OpenSSL using your systems package manager. The OpenSSL support will search the library path, and use whatever version of OpenSSL it finds. The same applies to MacOS when OpenSSL has been installed using brew (the system default OpenSSL installation is too old).

For windows and for custom OpenSSL locations you need to specify the location via a system property, org.wildfly.openssl.path. If this is set then Wildfly will search for OpenSSL in the directory specified. If you have multiple versions of OpenSSL in the same directory and need to specify the precise file to use you can instead use org.wildfly.openssl.path.ssl and org.wildfly.openssl.path.crypto to specify the path to libssl and libcrypto respectively.

As Wildfly uses dynamic linking this should work with any OpenSSL version from 1.0.1 onwards (however for security reasons it is recommended to always use the most up to date 1.1.x or 1.0.x version that is available, as older versions may have unpatched vulnerabilities).

Setting up Wildfly with Security Realms

As Wildfly supports SSL out of the box with dynamically generated self signed certificates all that is required is to change the protocol in use. Doing this is as simple as running a single command in the CLI:

/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol, value=openssl.TLS)

Other valid values are openssl.TLSv1.1 and openssl.TLSv1.2, which limit the minimum TLS version to 1.1 and 1.2 respectively.

Once this is done you can use OpenSSL by simply pointing your browser to https://localhost:8443. You should see the following message in the log that tells you that OpenSSL is in use:

09:01:04,150 INFO  [org.wildfly.openssl.SSL] (MSC service thread 1-6) WFOPENSSL0002 OpenSSL Version OpenSSL 1.0.2l  25 May 2017

Setting up Wildfly with Elytron

As Elytron is not used by default there is a little bit more work involved in setting it up. Elytron does not support auto generation of SSL certificates, so for the sake of this example I am going to assume that the keystore is located at standalone/configuration/application.keystore (the same location that the auto generated keystore is placed, if you just want a self signed certificate for testing purposes you can simply connect to https://localhost:8443 with the default configuration and one will be generated for you).

In order to set up SSL using Elytron run the following commands (note that this is just to use JSSE, the OpenSSL config will come later).

/subsystem=elytron/key-store=server:add(path=application.keystore, relative-to=jboss.server.config.dir, credential-reference={clear-text=password}, type=jks)
/subsystem=elytron/key-manager=server:add(key-store=server, credential-reference={clear-text=password}, algorithm=SunX509)
/subsystem=elytron/server-ssl-context=server:add(key-manager=server, protocols=[TLSv1.2])
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=server)

If you point your browser at https://localhost:8443 you should now have a working Elytron based SSL config. Once you have verified that this has worked we now need to change it to use OpenSSL. To do this we change the ordering of the providers in the elytron combined-providers, which means that OpenSSL will now take precedence:

/subsystem=elytron/aggregate-providers=combined-providers:list-add(index=0, name=providers, value=openssl)
/subsystem=elytron/aggregate-providers=combined-providers:list-remove(index=2, name=providers)

You should now have OpenSSL working with Elytron.

Messaging features in WildFly 11

WildFly 11 is integrating Apache ActiveMQ Artemis 1.5 to provides its messaging features.

New features

With the integration of Artemis 1.5, WildFly has udpated its messaging-activemq subsystem to provides new Artemis features through WildFly management model.

The two new main features are the JDBC Store and the configuration for ActiveMQ client thread pools.

JDBC Store

The JDBC store is an alternative to Artemis File journal that uses a SQL database to store broker state (messages, addresses and other application state) instead of files.

It relies on a data-source resource configured in the datasources subsystem to connect to the database.

To use a JDBC store in WildFly, you need to configure the journal-datasource attribute on its server resource that corresponds to a JDBC DataSource configured in the datasources subsystem:

[standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default:write-attribute(name=journal-datasource, value=ExampleDS)

Configuration of ActiveMQ client thread pools

Artemis uses thread pools for its clients that are running inside the application server. They can now be configured in the messaging-activemq subsystem to ensure that their sizes fit the application deployed in WildFly:

<subsystem xmlns="urn:jboss:domain:messaging-activemq:1.1">
  <global-client thread-pool-max-size="${}"
    scheduled-thread-pool-max-size="${}" />
  <server ...>
By default, the maximum size for client thread pool is not defined. In that case, Artemis will configure them to be 8 x the number of available processors.

Message-Driven Beans Features

We have also added new features for Message-Driven Beans (MDBs) related to their use in a cluster of Artemis brokers.

Full support for Clustered Singleton MDB

When an MDB is identified as a clustered singleton and deployed in a cluster, it will always be active only on one node at a time. When the server node fails or is shut down, the clustered singleton MDB is activated on a different node and starts consuming messages on that node.

The messaging-clustering-singleton quickstart demonstrates how to setup and configure MDB to support clustered singleton.

Rebalancing of all inbound MDB connections

WildFly 11 provides the rebalanceConnections activation configuration property for MDBs. This parameter allows for rebalancing of all inbound MDB connections when the underlying Artemis cluster topology changes so that when nodes are added/removed from the cluster, the MDB can connect to them instead of being stuck to the topology when the MDB initially connected to the cluster. This property can also be configured on the messaging-activemq’s `pooled-connection-factory resources using the rebalance-connections attribute:

[standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/pooled-connection-factory=activemq-ra:write-attribute(name=rebalance-connections, value=true)

Generic JMS Resource Adapter 2.0

WildFly supports messaging with Artemis out of the box. It also provides the Generic JMS Resource Adapter that allows to use out of the box JMS brokers that does not provides a resource adapter (such as TIBCO EMS for example). MDBs can the connect to these external JMS brokers through the use of the Generic JMS RA. This component has been updated to support the JMS 2.0 API (provided that the external JMS broker behind it supports it).


There were also many improvements to the messaging features that were in WildFly 10.

Monitoring of JMS pooled connections

The messaging-activemq pooled-connection-factory resources now offers statistics on their pools. They must first be enabled by setting the statistics-enabled attribute to true:

[standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/pooled-connection-factory=activemq-ra:write-attribute(name=statistics-enabled, value=true)

Once statistics are enabled, the pooled-connection-factory resource will have a statistics=pool child resource that will returns metrics on the pool used by the pooled-connection-factory:

[standalone@localhost:9990 /] /subsystem=messaging-activemq/server=default/pooled-connection-factory=activemq-ra/statistics=pool:read-resource(include-runtime)
    "outcome" => "success",
    "result" => {
        "ActiveCount" => 15,
        "AvailableCount" => 20,

Web console improvements

The management Web console that is bundled with WildFly 11 has been substantially improved to be able to manage messaging resources more efficiently.

  • JMS Bridges can now be added and managed using the Web console.

  • The Web console now displays prepared transactions for integrated Artemis brokers. You can then commit or rollback these prepared transactions from the Web console too.

Elytron integration with the messaging-activemq subsystem

The WildFly Elytron project is a security framework used to unify security across the entire application server. The elytron subsystem enables a single point of configuration for securing both applications and the management interfaces and replaces the legacy security subsystem.

The messaging-activemq subsystem has been integrated with Elytron to provide its security features (authentication and authorization).

Bug fixes

There were also many many messaging bug fixes since last WildFly release. However if you find any new issues or want to request enhancements, do not hesitate to use WildFly issue tracker.

back to top