brooklyn-commits mailing list archives

Subject [1/2] brooklyn-docs git commit: Winrm4j client diagnostics
Date Wed, 26 Oct 2016 05:42:19 GMT
Repository: brooklyn-docs
Updated Branches:
  refs/heads/master aff38f0ec -> fb34d4cdb

Winrm4j client diagnostics


Branch: refs/heads/master
Commit: 6d88209a3b408b88d43b081ea8d6e495507c953b
Parents: 906f43f
Author: Valentin Aitken <>
Authored: Fri Oct 21 12:10:58 2016 +0100
Committer: Valentin Aitken <>
Committed: Tue Oct 25 11:11:13 2016 +0300

 guide/yaml/winrm/ | 125 ++++++++++++++++++++++++++++++++++++++++
 guide/yaml/winrm/  |   2 +
 2 files changed, 127 insertions(+)
diff --git a/guide/yaml/winrm/ b/guide/yaml/winrm/
new file mode 100644
index 0000000..e02c092
--- /dev/null
+++ b/guide/yaml/winrm/
@@ -0,0 +1,125 @@
+title: Winrm4j Client
+layout: website-normal
+## Winrm4j parameters
+Check [org.apache.brooklyn.location.winrm.WinRmMachineLocation](
+parameters available for WinRM.
+* host <String>: Host to connect to (required).Default value `null`
+* port <Integer>: WinRM port to use when connecting to the remote machine.<br>
+  If no port is specified then it defaults to a port depending on the `winrm.useHttps` flag.
+* winrm.useHttps <Boolean>: The parameter tells the machine sensors whether the winrm
port is over https. If the parameter is true then 5986 will be used as a winrm port.<br>
+  Default value: `false`
+* retriesOfNetworkFailures <Integer>: The parameter sets the number of retries for
connection failures. If you use high value, consider taking care for the machine's network.<br>
+  Default value: `4`
+* winrm.useNtlm <Boolean>: The parameter configures tells the machine sensors whether
the winrm port is over https. If the parameter is true then 5986 will be used as a winrm port.<br>
+  Default value: `true`
+* winrm.computerName <String>: Windows Computer Name to use for authentication.<br>
+  Default value: `null`
+* user <String>: User to connect as<br>
+  Default value: `null`
+* password <String>: Password to use to connect.<br>
+  Default value: `null`
+* waitWindowsToStart <Duration>: By default Brooklyn will return the machine immediately
after Brooklyn is able to WinRM. Sometimes restart could happen after a Windows VM is provisioned.
+  This could be because of System Upgrade or other.
+  By setting this config key to 60s, 5m or other X Duration of time Brooklyn will wait X
amount of time for disconnect to occur.
+  If connection failure occurs it will wait X amount of time for the machine to come up.<br>
+  Default value: `null`
+If there are location config keys prefixed with `brooklyn.winrm.config.` prefix will be removed
+and it will be used to instantiate a `org.apache.brooklyn.util.core.internal.winrm.WiRmTool`
+## WinRM Connectivity Diagnostics
+If you are experiencing problems with a windows blueprint against a jclouds location 
+where Apache Brooklyn complains about failing to connect to the IP you should check those
+1. Apache Brooklyn is using correct username and password
+1. Apache Brooklyn can reach the IP of the provisioned machine. WinRM port 5985 or 5986 is
also reachable from Apache Brooklyn.
+1. Check whether `WinRmMachineLocation#getDefaultUserMetadataString(ConfigurationSupportInternal)`
is applied on the VM.
+   This script should be passed to the cloud and executed in order to configure WinRM according
to Apache Brooklyn requirements for authentication.
+   So far windows startup script are known to be supported on AWS EC2 and VCloud Director.
+   If your cloud doesn't use this script then tune WinRM parameters accordingly.
+1. Check whether you use winrm over http or over https.
+  1. If you are using WinRM over http then make sure WinRM service on target VM has `AllowUnencrypted
= true`
+If the quick list above doesn't help then follow the steps bellow.
+To speed up diagnosing the problem we advice to trigger a deployment with the JcloudsLocation
flag `destroyOnFailure: false` so you can check status of the provisioned machine
+or try later different WinRM parameters with a Apache Brooklyn [BYON Location](../../ops/locations/index.html#byon).
+After you determined what is the username and the password you can proceed with next steps.
+*(Notice that for cloud providers which use Auto Generated password will not be logged.
+For these cases use Java Debug to retrieve ot or provision a VM manually with the same parameters
when using Apache Brooklyn to provision a jclouds location.)*
+The first step is to find what is the winrm service configuration on the target host.
+1. If you have RDP access or KVM like access to the VM then check the winrm service status
with the command bellow.
+   `winrm get winrm/config/service`
+   If you are using http you should have AllowUnencrypted to false.
+   Encryption is supported only over https.
+   Sample output:
+        MaxConcurrentOperations = 4294967295
+        MaxConcurrentOperationsPerUser = 1500
+        EnumerationTimeoutms = 240000
+        MaxConnections = 300
+        MaxPacketRetrievalTimeSeconds = 120
+        AllowUnencrypted = true
+        Auth
+            Basic = false
+            Kerberos = true
+            Negotiate = true
+            Certificate = false
+            CredSSP = true
+            CbtHardeningLevel = Relaxed
+        DefaultPorts
+            HTTP = 5985
+            HTTPS = 5986
+        IPv4Filter = *
+        IPv6Filter = *
+        EnableCompatibilityHttpListener = false
+        EnableCompatibilityHttpsListener = false
+        CertificateThumbprint
+        AllowRemoteAccess = true
+Use an Apache Brooklyn BYON blueprint to try easily other connection options.
+    location:
+      byon:
+        hosts:
+        - winrm:
+          user: Administrator
+          password: pa55w0rd
+          osFamily: windows
+    services:
+    - type:
+      brooklyn.config:
+         checkRunning.command: echo checkRunning
+         install.command: echo installCommand
+1. Check IP is reachable from Apache Brooklyn instance
+   Check whether `telnet 5985` makes successfully a socket.
+1. If AllowUnencrypted is false and you are using winrm over http then apply `winrm set winrm/config/service
+   *If jclouds or the cloud provider doesn't support passing `sysprep-specialize-script-cmd`
then consider modifying Windows VM Image.* 
+1. Check your username and password. Notice in Windows passwords are case sensitive.
+   Here is how it looks log from a wrong password:
+        INFO: Authorization loop detected on Conduit "{}WinRmPort.http-conduit"
on URL "" with realm "null"
+        Oct 21, 2016 10:43:11 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
+        WARNING: Interceptor for {}WinRmService#{}Create
has thrown exception, unwinding now
+        org.apache.cxf.interceptor.Fault: Could not send Message.
+        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(
+1. When having wrong password you may want to try logging on a different domain
+   This is possible from `brooklyn.winrm.config.winrm.computerName` location config.
+1. If you want to configure Windows target host with https then check the article [Configuring
+1. If you are still seeing authorization errors then try connecting via winrm with the embedded
winrs client.
+   First make sure you have the server in trusted hosts.
+Then execute a simple command like
+    winrs -r: -unencrypted -u:Administrator -p:pa55w0rd ipconfig
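
Review bot: The AllowUnencrypted guidance contradicts itself. The quick checklist says that for WinRM over http the service must have `AllowUnencrypted = true`, but the text under `winrm get winrm/config/service` says "If you are using http you should have AllowUnencrypted to false", directly above sample output showing `AllowUnencrypted = true`. The later step "If AllowUnencrypted is false and you are using winrm over http then apply ..." suggests `true` is what was meant, so please make the three places agree. Since the same section states that encryption is supported only over https, it would also help to say plainly that the http setting leaves the session unencrypted and to point at the https step as the preferred configuration, given that the `winrs ... -unencrypted -u: -p:` example sends credentials over that channel. Two smaller points in the same file: the `winrm.useNtlm` bullet repeats the `winrm.useHttps` description (port 5986) and never describes NTLM, and `WiRmTool` in the `brooklyn.winrm.config.` paragraph looks like a typo for `WinRmTool`.
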
diff --git a/guide/yaml/winrm/ b/guide/yaml/winrm/
index 4e7b71b..23ebb32 100644
--- a/guide/yaml/winrm/
+++ b/guide/yaml/winrm/
@@ -1,6 +1,8 @@
 title: Windows Blueprints
 layout: website-normal
 Brooklyn can deploy to Windows servers using WinRM to run commands. These deployments can
