WebSphere 6.1 admin Course 3



  1. WebSphere Administration Course. Copyright © Oded Nissan 2009
  2. Agenda
     • Trouble Shooting and Monitoring
     • WebSphere Security
     • Cell Management
     • Scalability and Clustering
       – Scalability and Failover Overview
       – WebSphere Scalability
       – Creating a Cluster
     • Summary
  3. Trouble Shooting and Monitoring
  4. Trouble Shooting
     • We need to determine the problem using a divide-and-conquer approach:
     • What kind of problem do I have?
     • What component is causing the problem?
     • Use the appropriate resource for identifying the problem.
  5. Trouble Shooting
     • The Troubleshooting menu contains the following options:
       – Logs and Trace: configure logging and tracing for the server.
       – Class Loader Viewer: view the class loader hierarchy of each application.
       – Configuration validation: errors and warnings related to configuration problems.
       – Diagnostic provider: choose a diagnostic provider available for the server.
       – Runtime messages: events published by application server classes.
  6. Diagnostic Provider
     • From the navigation menu choose Application servers -> server1 -> Performance and Diagnostic Advisor Configuration.
     • Enable the diagnostic provider.
     • From the navigation menu choose Troubleshooting -> Diagnostic provider.
     • Choose the server and the diagnostic test to run.
  7. Diagnostic Provider
  8. Log files
     • SystemOut.log: the JVM output log; contains all WAS and application messages logged to standard output.
     • SystemErr.log: all WAS and application messages logged to standard error.
     • startServer.log and stopServer.log: messages related to server startup and shutdown.
     • native_stderr.log and native_stdout.log: messages from native libraries logged to standard output and standard error.
     • activity.log: events that show the history of activities.
     • trace.log: output from diagnostic trace.
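SystemOut.log is where the divide-and-conquer triage on slide 4 usually starts: which component is producing warnings and errors, and whether any of them come from the security component. The following is an added example (not part of the course material and not IBM code) that parses lines in the WebSphere basic log format, `[timestamp] threadId shortComponentName level message`, counts messages per level, counts warnings and errors per component, and pulls out the message ids of security-component (SECJ-prefixed) alerts. The sample lines, thread ids and message texts are constructed for the example and marked as such in the code; continuation lines such as stack-trace frames do not match the record format and are counted separately.

```python
import re
from collections import Counter

# WebSphere "basic" log format: [timestamp] threadId shortComponentName level message
# The level column is one letter: A audit, I info, W warning, E error, F fatal,
# O stdout (System.out), R stderr (System.err); < and > mark method entry/exit in trace.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]{8})\s+(?P<comp>\S+)\s+"
    r"(?P<level>[A-Z<>])\s+(?P<msg>.*)$"
)
# WAS message ids: four-letter component prefix, four digits, severity letter, e.g. SECJ0118E:
MSGID_RE = re.compile(r"^(?P<prefix>[A-Z]{4})(?P<num>\d{4})(?P<sev>[A-Z]):")

# Constructed sample of SystemOut.log content (not real server output; ids and texts are illustrative).
SAMPLE_LOG = """\
[4/12/09 10:31:22:101 IDT] 0000000a WsServerImpl  A   WSVR0001I: Server server1 open for e-business
[4/12/09 10:32:05:447 IDT] 0000001c LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA (constructed)
[4/12/09 10:32:05:450 IDT] 0000001c FormLoginExte E   SECJ0118E: Authentication error during authentication for user bob (constructed)
[4/12/09 10:33:41:002 IDT] 00000021 ConnectionEve W   J2CA0206W: A connection error occurred (constructed)
[4/12/09 10:33:41:003 IDT] 00000021 SystemErr     R   java.sql.SQLException: connection refused (constructed)
	at com.example.Dao.query(Dao.java:42)
[4/12/09 10:35:00:000 IDT] 00000010 ServletWrappe I   SRVE0242I: [DefaultApplication] [/] [snoop]: Initialization successful.
""".splitlines()


def parse_line(line):
    """Return a dict for a formatted log record, or None for continuation lines
    (stack-trace frames and similar) that belong to the preceding record."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    mid = MSGID_RE.match(rec["msg"])
    rec["msgid"] = mid.group(0)[:-1] if mid else None     # e.g. "SECJ0118E"
    rec["prefix"] = mid.group("prefix") if mid else None  # e.g. "SECJ"
    return rec


def triage(lines, security_prefix="SECJ", alert_levels=("W", "E", "F")):
    """Summarise a log: message counts per level, warning/error counts per
    component (where to look first), and the ids of security-component alerts."""
    by_level = Counter()
    alerts_by_component = Counter()
    security_events = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        by_level[rec["level"]] += 1
        if rec["level"] in alert_levels:
            alerts_by_component[rec["comp"]] += 1
            if rec["prefix"] == security_prefix:
                security_events.append(rec["msgid"])
    return {
        "by_level": by_level,
        "alerts_by_component": alerts_by_component,
        "security_events": security_events,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("messages per level:", dict(report["by_level"]))
    print("warnings/errors per component:", dict(report["alerts_by_component"]))
    print("security events:", report["security_events"])
    print("continuation lines skipped:", report["unparsed"])
```

Run it against a real SystemOut.log by reading the file into `triage()`; the per-component alert counts point at the subsystem to investigate next, and a burst of SECJ errors is worth correlating with the user registry and LTPA settings described in the security section.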
  9. Trace
     • Trace messages can be set on different components at different trace levels.
     • Tracing must be activated manually. Tracing a server is very demanding on system resources, so shut tracing down once the diagnostics are done.
     • To enable trace on a running system, make the changes on the Runtime tab in Troubleshooting -> Logging and tracing -> server1 -> Diagnostic trace.
  10. Trace: changing the trace level
  11. First Failure Data Capture tool (FFDC)
     • Saves the information generated from a processing failure.
     • The tool is meant to be used by IBM support; administrators cannot start or stop it.
     • Data is saved in log files in the <WAS_HOME>/profiles/<profile>/logs/ffdc directory.
  12. Collector Tool
     • IBM support will ask you to run it to collect information about your server in order to solve a problem.
     • To run the collector: <WAS_HOME>/profiles/<profile>/bin/collector.bat
     • It gathers information about the WAS installation and packages it in a jar file.
  13. Performance Monitoring Infrastructure
     • Performance Monitoring Infrastructure (PMI) is the core monitoring infrastructure for WebSphere Application Server.
     • Using PMI data, performance bottlenecks in the application server can be identified and fixed.
     • PMI data can also be used to monitor the health of the application server. Some of the health indicators are CPU usage, servlet response time and JDBC query time. Performance management tools such as Tivoli Monitoring for Web Infrastructure and other third-party tools can monitor the PMI data and generate alerts based on predefined thresholds.
  14. PMI Architecture
  15. Performance Data Terminology
     • Performance data classifications:
       – Numeric: simple values such as sizes and counters.
       – Stat: data on a sample space.
       – Load: values as a function of time.
     • Performance data hierarchy:
       – Node: a physical machine.
       – Server: an instance providing a service.
       – Module: a resource category.
       – SubModule: a sub-category of a module.
       – Instance: an instance of a class.
       – Method: a class method.
       – Counter: a data type holding performance data.
  16. Performance Monitoring Infrastructure
     • To enable performance monitoring, from the navigation menu choose Servers -> Application Servers -> server1.
     • Click the Configuration tab.
     • Click Performance Monitoring Infrastructure (PMI) under Performance.
     • Select the Enable Performance Monitoring Infrastructure (PMI) check box.
     • Optionally, select the Use sequential counter updates check box to enable precise statistic updates.
  17. Tivoli Performance Viewer
     • Tivoli Performance Viewer (TPV) enables administrators and programmers to monitor the overall health of WebSphere Application Server from within the administrative console.
     • You can view real-time data on the current performance activity of a server using TPV in the administrative console.
     • Use TPV to view summary reports on servlets, Enterprise JavaBeans (EJB) methods, connection pools and thread pools in WebSphere Application Server.
     • TPV shows graphs of various performance data: system resources such as CPU utilization, WebSphere pools and queues such as database connection pools, and customer application data such as servlet response time.
  18. Tivoli Performance Viewer
     • To use TPV, from the navigation menu choose Monitoring and tuning -> Performance viewer -> Current Activity.
     • Choose the server and click Start monitoring.
     • Click on the server to view performance metrics.
     • Use the View logs menu to view the performance log files directly.
  19. Tivoli Performance Viewer
  20. Performance Tips
  21. WebSphere Security
  22. What is security?
     • Authentication: who am I?
       – Authenticate a user connecting to the application server or an application.
       – Authenticate data passed over the wire.
     • Authorization: what am I allowed to do?
       – Administrative security: which administrative actions I can perform on the application server.
       – Application security: which actions I can perform in the application.
  23. Security: the Big Picture
  24. Administrative Security
     • The term administrative security represents the security configuration that affects the entire security domain. The security domain consists of all the servers that are configured with the same user registry realm name.
     • The basic requirement for a security domain is that the access ID returned by the registry from one server be the same access ID as that returned by the registry on any other server within the same security domain.
  25. Administrative Security
     • Enabling administrative security activates a wide variety of security settings for WebSphere Application Server. They take effect only when administrative security is activated.
     • These settings include authentication of users, the use of Secure Sockets Layer (SSL), the choice of user account repository, and application security.
  26. Enabling Administrative Security
     • From the navigation menu, choose Security → Secure administration, applications and infrastructure.
     • In the Secure administration, applications, and infrastructure window select Enable administrative security.
  27. Enabling Administrative Security
  28. Authentication mechanism
     • WebSphere Application Server uses Lightweight Third Party Authentication (LTPA) as the default authentication mechanism. LTPA supports forwardable credentials and, for security reasons, a configurable expiration time is set on the credentials.
     • The use of LTPA allows you to enable single sign-on (SSO) for your security domain.
     • Additional information at: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
  29. User account repository
     • WebSphere supports four types of user repositories:
       – Local operating system
       – Stand-alone Lightweight Directory Access Protocol (LDAP) registry
       – Stand-alone custom registry
       – Federated repositories
  30. Local OS Registry
     • With the local operating system user registry implementation, the WebSphere Application Server authentication mechanism can use the user accounts database of the local operating system.
     • The respective operating system APIs are called by the product processes (servers) to authenticate a user.
  31. Required privileges in Windows
     • For a stand-alone machine, the server's user account:
       – Is a member of the administrative group.
       – Has the Act as part of the operating system privilege.
       – Has the Log on as a service privilege, if the server is run as a service.
     • For a machine on the domain, the server's user account:
       – Is a member of the domain administrative groups.
       – Has the Act as part of the operating system privilege in the domain.
       – Has the Act as part of the operating system privilege in the local security policy on the local machine.
       – Has the Log on as a service privilege on the local machine, if the server is running as a service.
  32. Stand-alone LDAP Registry
     • LDAP is a distributed directory server used to store organizational data.
     • Entries are organized in a tree-like structure called the Directory Information Tree. Entries contain attributes and are identified by their distinguished name (DN).
     • An LDAP server contains standard entries.
  33. LDAP Information Tree
  34. Custom Registry
     • WebSphere supports authenticating against a custom registry.
     • To authenticate against a custom registry we need to implement the UserRegistry interface, so that WebSphere can use the existing registry for all of the security-related operations.
     • The implementation is expected not to depend on other WebSphere resources, such as data sources, for its operation.
  35. Federated Registry
     • A federated repository enables you to use multiple repositories with WebSphere. These repositories, which can be file-based repositories, LDAP repositories etc., are defined and theoretically combined under a single realm.
     • All of the user repositories configured under the federated repository functionality are transparent to WebSphere.
  36. WebSphere Authentication Mechanism
  37. Configuring the OS Registry
     • Click Security → Secure administration, applications, and infrastructure. Under User account repository, select Local operating system and click Configure.
     • Enter a valid user name in the Primary administrative user name field. This value is the name of the user with administrative privileges that is defined in the registry and is used to access the administrative console.
     • Click Apply.
  38. Configuring the OS Registry
     • Select either the Automatically generated server identity or the Server identity that is stored in the repository option. If you select Server identity that is stored in the repository, enter the following information:
       – For Server user ID or administrative user, specify the short name of the account that you chose.
       – For Server user password, enter the password of the account that you chose.
     • Click OK.
  39. Configuring the OS Registry
  40. Configuring the OS Registry
     • Ensure that the Active User Registry option is set to Local Operating System and that security is enabled. Click Apply to validate the settings.
     • Save the WebSphere configuration.
     • Restart your WebSphere Application Server.
     • Log in to the Admin Console using your credentials.
  41. Disabling Administrative Security
     • To disable administrative security:
       – Use the Admin Console.
       – If the server is down or we cannot log in to the Admin Console, use wsadmin:
         • <WebSphere_home>\bin\wsadmin.bat -conntype NONE
         • Type the command: securityoff
         • Restart the server.
  42. Administrative Roles
  43. Mapping a user to an administrative role
     • From the Administrative Console, select Users and Groups → Administrative User Roles.
     • Click Add.
     • Under General Properties: in the User field, enter a user name. This user must be defined in the user account repository that is to be active when administrative security is enabled.
     • Select the appropriate administrative role. More than one role may be selected.
  44. Mapping a user to an administrative role
     • Click OK and save.
  45. Application Security
     • Application security provides authentication and authorization support for JEE applications.
     • Application security must be enabled if we intend to use declarative security, which binds into the WebSphere security architecture.
     • Alternatively we can use programmatic security.
  46. Enabling Application Security
     • From the navigation menu choose Security -> Secure administration.
     • In the Application security section choose Enable application security.
     • Click Apply, then Save.
     • Restart the server for the change to take effect.
  47. Testing Application Security
     • Try to access the following URL: http://localhost:9080/snoop
     • You will be prompted with a login dialog. Enter a user name and password stored in the user registry to log in.
     • If login is successful, the snoop servlet will be activated.
  48. Mapping users and groups to roles in application security
     • Every application has its own roles and therefore its own mappings, so we need to assign users and groups to roles at the application level.
     • Role assignment is usually done in the deployment descriptor of the application.
     • Role assignment can also be done using the Admin Console.
  49. Mapping users and groups to roles in application security
     • Select Applications → Enterprise Applications → <your_application> → Security role to user/group mapping.
  50. Mapping users and groups to roles in application security
     • Role mapping can also be done during application installation. In the Map security roles to users or groups step you can select any of the roles and assign a user or a group from the user registry using one of the lookups.
     • You can also assign one of the special subjects (Everyone or All authenticated) to the role.
  51. Web Application Security
     • To use declarative security for web applications we define security constraints on web application resources in the application deployment descriptor. We can define which role can access the resource.
     • When we access a secured resource for the first time we get a login dialog and need to log in.
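Slides 48 to 51 describe declarative web security: security constraints in web.xml name URL patterns and the roles allowed to reach them, and those roles are then mapped to registry users and groups. The following added example (mine, not the course's and not IBM code) loads a constructed web.xml, resolves which roles may reach a given method and path under the Servlet url-pattern rules, and flags two mistakes that a review of the descriptor should catch: a constraint whose collection lists `<http-method>GET</http-method>` only, which leaves POST on the same path unconstrained, and a role used in an `<auth-constraint>` that is never declared in `<security-role>`, so there is nothing to map in the console. The descriptor, paths and role names are constructed for the example; how overlapping constraints combine is simplified to a union of roles, as noted in the code.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml for the example (not the DefaultApplication descriptor).
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <!-- Listing GET only constrains GET only; POST to /reports/* stays open. -->
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so elements can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text and c.text.strip()]


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: path prefix (/x/*), extension (*.ext) or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def load_constraints(web_xml):
    """Return (constraints, declared_roles); roles=None means no <auth-constraint>."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in _children(root, "security-constraint"):
        patterns, methods = [], set()
        for wrc in _children(sc, "web-resource-collection"):
            patterns += _texts(wrc, "url-pattern")
            methods |= {m.upper() for m in _texts(wrc, "http-method")}
        ac = _children(sc, "auth-constraint")
        roles = None if not ac else set(_texts(ac[0], "role-name"))
        constraints.append({"patterns": patterns, "methods": methods, "roles": roles})
    declared = {r for sr in _children(root, "security-role") for r in _texts(sr, "role-name")}
    return constraints, declared


def access_for(constraints, method, path):
    """Who may reach METHOD PATH: 'unprotected', 'denied', 'authenticated' (role '*')
    or the sorted list of roles. Overlapping constraints are combined by union of
    roles, a simplification of the spec's combination rules."""
    matched = [c for c in constraints
               if any(pattern_matches(p, path) for p in c["patterns"])
               and (not c["methods"] or method.upper() in c["methods"])]
    if not matched or any(c["roles"] is None for c in matched):
        return "unprotected"   # no constraint, or a constraint without <auth-constraint>
    roles = set().union(*(c["roles"] for c in matched))
    if not roles:
        return "denied"        # empty <auth-constraint/>: nobody may access
    if "*" in roles:
        return "authenticated"
    return sorted(roles)


def undeclared_roles(constraints, declared):
    """Roles referenced by constraints but missing from <security-role>."""
    used = set().union(*(c["roles"] or set() for c in constraints)) - {"*"}
    return used - declared


def audit(web_xml, requests):
    constraints, declared = load_constraints(web_xml)
    report = {f"{m} {p}": access_for(constraints, m, p) for m, p in requests}
    report["undeclared_roles"] = sorted(undeclared_roles(constraints, declared))
    return report


if __name__ == "__main__":
    checks = [("GET", "/admin/users"), ("GET", "/reports/q1"), ("POST", "/reports/q1"),
              ("GET", "/internal/x"), ("GET", "/index.html")]
    for key, value in audit(SAMPLE_WEB_XML, checks).items():
        print(f"{key:20} -> {value}")
```

The report shows `POST /reports/q1` as unprotected even though `GET /reports/q1` requires the manager role, and lists manager as undeclared; both are things to fix in the descriptor before mapping roles in the console as described on slides 49 and 50.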
  52. EJB Application Security
     • Authentication in an EJB application is achieved by passing the credentials to the InitialContext object when we connect to JNDI to look up the EJB.
     • If we authenticated to the web application on the same server, the user identity is available to the EJB application.
  53. EJB Application Security
     • Declarative security is implemented by giving permission on EJBs or EJB methods to roles in the EJB deployment descriptor.
     • Mapping users and groups to roles is also implemented using deployment descriptors.
  54. Secure Sockets Layer (SSL)
     • WebSphere Application Server uses the Secure Sockets Layer (SSL) protocol to provide Transport Layer Security (TLS), which allows secure communication between a client and the application server.
     • The SSL configuration options in WebSphere offer full end-to-end management, including certificate management, individual endpoint SSL mappings, and scoped association of SSL configurations and key stores.
  55. Resources
     • Info center for WAS 6.1: http://publib.boulder.ibm.com/infocenter/wasi
     • IBM Redbook sg246316, WAS Security Handbook
     • Admin Console context-sensitive online help.
  56. Cell Management
  57. Cell Management
     • To manage a cell we need to create a deployment manager profile and add nodes to the cell.
     • Two approaches for creating a cell:
       – Add existing stand-alone nodes to the cell.
       – Create a custom profile on the node and add the node to the cell. This way we can dynamically create more than one server on the node.
  58. Cell Management
  59. Creating a Cell
     • To create a cell:
       – Create a deployment manager profile and start the deployment manager process.
       – Create a custom profile or a regular application server profile on the node.
       – Add the node to the cell.
       – Run the admin console on the deployment manager machine and manage the cell.
  60. Creating a Deployment manager profile
     • From the <WAS_HOME>/bin/ProfileManagement directory run PMT.bat.
     • Choose to create a deployment manager profile.
     • Choose typical or advanced setup.
     • Press Next.
  61. Creating a Deployment manager profile
     • Give the profile a name and choose the profile directory (to override the default).
  62. Creating a Deployment manager profile
     • You can enter the cell name, node name and host name; defaults are filled in automatically.
  63. Creating a Deployment manager profile
     • You can change the ports to avoid collisions with an existing server.
  64. Creating a Deployment manager profile
     • On Windows systems you can run the profile as a Windows service.
  65. Creating a Deployment manager profile
     • Press Next, review the settings and press Finish to create the profile.
     • The First Steps console is started.
     • Now we can move to the profile directory and start the server using the startServer command from the bin directory.
  66. Deployment manager directory structure
  67. Deployment manager
     • All configuration data is stored in the config directory.
     • The deployment manager has the master configuration of the whole cell; each node has just the information needed to run that node.
     • Use the admin console to change the configuration: http://localhost:9060/ibm/console
  68. Command line tools
     • In the bin directory of the deployment manager we have the following command line tools:
       – startManager: starts the deployment manager.
       – stopManager: stops the deployment manager.
  69. Adding a node to the cell
     • To add an existing node to the cell run the following command from the node's bin directory:
       – addNode <dep manager host> <port>
       – The port is the SOAP port of the deployment manager (default is 8879).
       – Run the startNode command to start the node agent.
     • Now the node is managed by the deployment manager. The node's admin console is no longer available.
  70. Removing a node from the cell
     • Use the removeNode command from the bin directory to remove a node from the cell.
       – removeNode [options]
       – The options are optional; without parameters removeNode removes the current node from the cell.
       – removeNode also stops the node agent and removes the node configuration from the deployment manager's master configuration.
  71. Cell management
     • From the navigation menu choose System Administration -> Nodes to display the managed nodes.
     • Choose System Administration -> Node Agents to display the node agents.
     • Choose System Administration -> Cells and choose the Topology tab to display the cell structure.
  72. Custom Profile
     • When creating a custom profile we can dynamically create servers on the node.
     • A custom profile is especially useful when we want to create a cluster or run more than one server on a node.
     • A custom profile node must be added to the cell just like a regular node. Servers can then be created on the node from the deployment manager console.
  73. Creating a custom profile
     • From the <WAS_HOME>/bin/ProfileManagement directory run PMT.bat.
     • Choose to create a custom profile.
     • Fill in the profile name, node name and host name just as when creating a regular profile.
     • In the last screen enter the name of the deployment manager host and the SOAP port of the deployment manager.
     • Choose whether you want to add the node to the cell now, or do it manually later.
  74. Creating a custom profile
  75. Creating a custom profile
     • Review your settings and press Next to create the profile.
  76. Creating a Server
     • We can create servers on the custom node profile.
     • From the navigation menu choose Servers -> Application servers.
     • Press New.
     • Select the custom node and give the server a name.
     • Press Next.
  77. Creating a Server (step 1)
  78. Creating a Server (step 2)
     • Select a template to use for the application server.
  79. Creating a Server (step 3)
     • We can generate unique ports for the server on the custom node.
  80. Creating a Server (step 4)
     • Review your settings and press Finish.
  81. Cell Management
     • Using the admin console on the deployment manager we can:
       – Manage servers in the cell.
       – Install applications on different servers in the cell.
       – Administer resources in the cell at the cell, node or server level.
       – Manually force configuration synchronization with the cell nodes.
  83. Scalability and Clustering
  84. Scalability and Failover overview
     • Scalability is the ability of the system to grow and provide service for a higher workload.
     • In JEE, scalability means adding more application servers that run either the same application or a different part of the application.
     • Scalability requires workload management to divide the work among the different servers.
  85. Scalability and Failover overview
     • Failover is the concept of providing high availability for the system by automatically routing requests to another server if one of the servers fails.
     • Scalability and failover are a requirement of JEE application servers. However, the implementation is up to the vendors.
  86. Cluster
     • Clusters are a set of application servers running the same application and grouped logically for workload management.
     • Applications installed to the cluster are distributed to all cluster members.
     • Cluster members can be centrally administered.
  87. Clusters and cluster members
  88. WebSphere Scalability
     • In WebSphere a cluster is managed using the deployment manager and is created with the admin console from either existing servers or newly created servers (using the custom profile).
     • Starting or stopping the cluster starts or stops all cluster members.
     • Applications should be installed to the cluster, not to a specific server or node.
  89. Vertical Scaling
     • Vertical scaling is the concept of creating cluster members on the same physical machine. This is useful when we have a strong machine and want to make use of its resources.
  90. Horizontal Scaling
     • Horizontal scaling is the concept of creating cluster members on different physical machines.
  91. Web Tier Scalability
     • Workload management at the web tier is performed using a load balancer that balances HTTP requests between cluster members.
     • The load balancer needs to maintain session affinity to keep application sessions intact.
     • The load balancer can be either IBM's Edge components or a third-party commercial load balancer.
  92. Web Tier Scalability
     • IBM HTTP Server or IIS can also be used as a load balancer by using the HTTP plug-in.
  93. Web Tier failover
     • Failover is detected by the load balancer, which then routes the request to another server.
     • We can configure WebSphere to distribute session information between nodes so that in case of a failover we can resume our session on another server.
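Slides 91 to 93 describe three jobs the web-tier load balancer does at once: spread requests over cluster members according to their weight (the server weight entered when a cluster member is created, slide 102), send requests that carry a session back to the member that owns it, and route around a member that has failed. The following added example (mine, not the HTTP plug-in's code and not its actual algorithm) models those three behaviours together so they can be exercised against each other. Member names and weights are constructed, member names stand in for clone ids, and the session cookie layout `<cache id><session id>:<clone id>` used to recognise affinity is an assumption about WebSphere's format, marked as such in the code.

```python
from dataclasses import dataclass


@dataclass
class Member:
    name: str        # stands in for the clone id that appears in the session cookie
    weight: int      # server weight for workload management (set when the member is created)
    up: bool = True  # whether the load balancer currently considers the member alive


def clone_id_from_cookie(jsessionid):
    """Assumed cookie layout: '<cache id><session id>:<clone id>' (the cache id is
    '0000' in WebSphere). Returns the clone id, or None if the cookie carries none."""
    if jsessionid and ":" in jsessionid:
        return jsessionid.rsplit(":", 1)[1] or None
    return None


class WebTierBalancer:
    """Weighted round robin with session affinity and failover (a model, not the plug-in)."""

    def __init__(self, members):
        self.members = list(members)
        if any(m.weight < 1 for m in self.members):
            raise ValueError("every member needs a weight of at least 1")
        # Requests each member may still take in the current round.
        self.remaining = {m.name: m.weight for m in self.members}

    def _find(self, name):
        for m in self.members:
            if m.name == name:
                return m
        raise KeyError(name)

    def mark_down(self, name):
        self._find(name).up = False

    def mark_up(self, name):
        self._find(name).up = True

    def _next_by_weight(self):
        """Pick the next live member: each member serves `weight` requests per round."""
        candidates = [m for m in self.members if m.up]
        if not candidates:
            raise RuntimeError("no cluster member available")
        if all(self.remaining[m.name] <= 0 for m in candidates):
            for m in candidates:
                self.remaining[m.name] = m.weight   # start a new round
        for m in candidates:
            if self.remaining[m.name] > 0:
                self.remaining[m.name] -= 1
                return m
        raise AssertionError("unreachable: a live member always has capacity after reset")

    def route(self, jsessionid=None):
        """Return (member name, reason); reason is 'affinity', 'failover' or 'wlm'."""
        clone = clone_id_from_cookie(jsessionid)
        if clone is not None:
            try:
                target = self._find(clone)
            except KeyError:
                target = None   # unknown clone id: treat as a new request
            if target is not None and target.up:
                return target.name, "affinity"
            if target is not None:
                # The member owning the session is down. The request goes to another
                # member; the session survives only if distributed session management
                # (slide 93) has replicated it there.
                return self._next_by_weight().name, "failover"
        return self._next_by_weight().name, "wlm"


if __name__ == "__main__":
    lb = WebTierBalancer([Member("server1", 2), Member("server2", 1)])
    print("six new requests:", [lb.route()[0] for _ in range(6)])
    print("request with session on server2:", lb.route("0000ABC123:server2"))
    lb.mark_down("server2")
    print("same session after server2 fails:", lb.route("0000ABC123:server2"))
```

With weights 2 and 1 the round-robin sequence is server1, server1, server2 repeated; a request carrying a server2 session is pinned to server2 while it is up and is redirected to server1 once server2 is marked down, which is exactly the case the distributed session settings on slide 94 exist for.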
  94. Web Tier Failover
     • To configure web session management choose Application Servers -> <server> -> Web container -> Session management -> Distributed environment settings.
  95. Load Balancer Failover
     • A load balancer provides a built-in high availability function. It allows you to configure a backup load balancer server.
     • If the primary load balancer server fails, the backup server takes over.
     • This topology is called an active-passive topology, where only one server is active at a time.
  96. Load Balancer Failover
     • Failover is supported by IBM's Edge components and other third-party load balancers.
  97. EJB Scalability and Failover
     • EJB WLM is achieved by generating cluster-aware stubs at deployment time.
     • The cluster-aware stub performs the WLM and also handles failover.
     • The workload management service provides load balancing and high availability support for the following types of EJBs:
       – Homes of entity or session beans
       – Instances of entity beans
       – Instances of stateless session beans
  98. EJB Scalability and Failover
     • EJB stateful session bean failover is also supported using memory-to-memory replication.
     • In the Administrative Console, select Servers → Application servers → <AppServer_Name>.
     • Expand EJB Container Settings, then select EJB container. Select Enable stateful session bean failover using memory-to-memory replication.
  99. EJB Scalability and Failover
     • Failover is also supported by the naming service. We can put more than one server name in the naming URL and the naming service will perform failover if one of the servers is unavailable.
  100. EJB Scalability and Failover
  101. Creating a Cluster (step 1)
     • Select Servers → Clusters and click New.
     • Enter the basic cluster information.
  102. Creating a Cluster (step 2)
     • Create the first cluster member (its settings will be applied to the other cluster members):
       – Enter the member name and select its node.
       – Weight: the server weight for workload management.
       – Select the basis for the cluster member.
       – Generate unique ports, if we intend to create more than one server on a machine.
  103. Creating a Cluster (step 2)
  104. Creating a Cluster (step 3)
  105. Creating a Cluster (step 3)
     • When all the servers have been entered, click Next.
     • A summary page shows you what will be created.
     • Click Finish to create the cluster and the new servers.
     • Save the configuration.
  106. Viewing Cluster Topology
     • Select Servers → Cluster Topology.
  107. Managing a Cluster
     • Select Servers → Clusters.
     • Check each cluster you want to work with and select one of the following options:
       – Start: start all servers in the cluster.
       – Stop: stop all servers in the cluster. This allows the servers to finish existing requests and allows failover to another member of the cluster.
       – Ripplestart: stop, then start all servers in the cluster.
       – ImmediateStop: stop all servers immediately.
  108. Installing applications on the Cluster
  109. Resources
     • Info center for WAS 6.1: http://publib.boulder.ibm.com/infocenter/wasinfo/v6
     • IBM Redbook sg247304, WAS 6.1 System Management and Configuration
     • IBM Redbook sg246688, WAS ND High Availability Solutions
     • IBM Redbook sg246316, WAS Security Handbook
     • Admin Console context-sensitive online help.
  110. Questions?
  111. Summary
     • Trouble Shooting and Monitoring
     • WebSphere Security
     • Cell Management
     • Scalability and Clustering