Workload migration on the cloud


Describes how to migrate applications deployed to virtual machines on the cloud

1. Workload Migration for the Cloud
IBM SmartCloud Enterprise
SCE Developers Group presentation
Alex Amies, Architect
October 2012
© 2012 IBM Corporation
2. Agenda
• Workload migration overview and concepts
• Best practices
• Application kinds and challenges
• Migrating data
• Tools for workload migration
• Case studies
  – Migrating a WebSphere application with wsadmin and DNS
  – Synchronising files for a database application with rsync
  – Migrating with WebSphere profiles and administration scripting
  – X.509 certificate management
• Next steps and resources
3. Overview
Motivation
• Minimize service disruption while an application or its infrastructure is under maintenance
This presentation
• Understand the challenges and tasks associated with workload migration
• Best practices and tools
• Recipes for simple applications
What is workload migration for planned maintenance?
• Migration of the service provided by an application to a secondary location while the primary system is unavailable due to maintenance or another business reason
• Includes moving the application to the secondary location with the system configured in the same way and the data complete and in a consistent state
• Reasons for maintenance: cloud service upgrade, or maintenance by the virtual machine owner
• Differs from high availability and disaster recovery in that workload migration activities are primarily for planned reasons
4. Overview: business context
Lightly used applications
• Usually only a single server
• Want to migrate the application to a secondary location during a maintenance activity to avoid inconvenience to users
• Primary focus of this presentation
• Cloud enables an economical way to continue operations
Heavily used applications
• High availability and disaster recovery justified
• Use the DR site as the secondary in case of maintenance
• Cloud enables economical disaster recovery at a secondary site
Critical applications
• Cloud enables multiple active servers distributed globally
• Need specialised techniques for active-active data replication between different data centers
5. Overview: migration concepts
[Diagram: Data Center 1 (primary) with Web Server, Application Server and Database, reached by the user over HTTP(S); the primary redirects the user, ports the application and exports data to Data Center 2 (secondary) with its own Web Server, Application Server and Database]
6. Overview: related scenarios
Migration from outside SCE into SCE
• Very similar to migrating within SCE
• Need to factor in differences in the way virtual machine instances are created
High availability
• High availability is mostly concerned with maintaining availability in the event of a hardware failure
• Some overlap of tools, but many HA tools do not work over a high-latency network connection (e.g. over the Internet to a different geographic area)
• Example: WebSphere clustering needs to operate over a low-latency network
Disaster recovery
• Similar goals and set of tools to application migration
• Since DR tools and literature are more focused on mission-critical applications, this presentation is focused on less critical applications and economical methods
7. Some best practices
Base instances on standard images available at multiple data centers, with an automated, repeatable install procedure to ensure portability.
Disadvantages of using image capture in a simple way for migration
• Downtime due to saving instances to images and the time to copy images between data centers
• The primary hostname and IP address are embedded in WebSphere, DB2, and other software configuration files that may be frozen in images
• Advantage: easy to do, uses standard features, OK for a single-system user
Refer to servers via DNS aliases (CNAMEs)
• These are more portable than the primary hostname and IP address
• Multiple aliases can be added for servers and changed when needed
• The primary hostname and IP address are embedded in configuration files, so they cannot be changed
• Example: alias, primary hostname
Use an HTML / HTTP redirect and a maintenance message on the server to be taken offline
• Clients may cache old DNS names depending on the DNS Time to Live
8. Simple use of image capture: leads to long downtime
[Diagram: Data Center 1 (primary) with Application Server, Volume and Image library; Data Center 2 (secondary) with Application Server and Volume; the user performs steps 1 and 11, the administrator steps 2-10. Steps: 1. Normal use, 2. Quiesce system, 3. Save image, 4. Copy image, 5. Clone volume, 6. Image import, 7. Create instance, 8. Configure, 9. Test, 10. Redirect, 11. Use secondary. Key: downtime is shown in red]
9. Best practices and trade-offs
Transitioning from a primary to a secondary system
Quiescing versus zero downtime
• In order to avoid losing data entered by users at the point when a server is brought down for maintenance, it is a best practice to have a quiescing period. That is, the server should not allow any further transactions to begin but should gracefully complete all ongoing transactions.
• If the goal is zero downtime then we want to immediately transfer from the primary to the secondary system. However, this cannot easily be done without losing ongoing transactions running on the primary, at least not without a more advanced active-active configuration.
High availability versus portability
• High availability configurations are generally within a single data center and involve the addition of permanently deployed secondary systems.
• If you need to move a whole set of primary and secondary servers to an alternate data center then the work to do that is considerably greater.
10. Best practices: tool selection
Reduce dependency on network latency when working across data centers
• Some software, especially software made to manage clusters, needs low network latency.
• Examples of tools that do not need low latency are WebSphere Job Manager, DB2 HADR for keeping databases synchronized, and rsync for keeping directory trees synchronized.
Use secure tools
• Prefer tools that can be used in a secure mode, or operate the whole system in a secure zone using VPNs.
Use tools that are reliable
• Tunnelling or proxying over SSH can make the connection secure, but SSH tunnels can be prone to break.
• Prefer application-specific SSL connections or a VPN.
Use tools that reduce downtime
• WebSphere profile management tools can migrate an entire application profile to another system, but you need to shut down WebSphere to do this.
• The WebSphere wsadmin scripting tool allows more granular management.
11. Best practices: portability
Portable approach to building highly available systems
Traditional approach to high availability
• Try to build and maintain redundant components for any part of the system that might fail
• Expensive and requires lots of expertise
Portable approach to high availability
• Treat any node in a system as disposable and immediately replaceable by other nodes in a large cluster
• Not applicable to many business systems
Portable approach emphasizing automation and repeatability
• Recognize that most causes of downtime are due to maintenance and within our control
• Easier for applications that are simple, single-node systems but more difficult for complex applications
• Be ready to re-instantiate the application and reload data when needed using cloud-based automation techniques
• This approach can also function as a highly available system if some tolerance for downtime can be accepted in the event of an unexpected system failure
  – May be acceptable in many business contexts
• Disadvantage: requires administrator expertise or development effort
12. Automation approach: minimizes downtime, less data to transfer
[Diagram: Data Center 1 (primary) with Application Server; Data Center 2 (secondary) with Application Server and Image library; the user performs steps 1 and 10, the administrator steps 2-9. Steps: 1. Normal use, 2. Create instance, 3. Export configuration data, 4. Import configuration data, 5. Quiesce system, 6. Export application data, 7. Import application data, 8. Test, 9. Redirect, 10. Use secondary. Key: downtime is shown in red]
13. Simple applications and problems in migrating them
• Web servers and application servers
  – WebSphere Application Server
    • Machine name embedded in profile configuration files
    • Can sometimes be migrated without special steps, but not always
    • The WebSphere image in the catalog has functions in a script to overcome this problem
  – Tomcat
  – Apache HTTP Server
• Database systems
  – DB2
    • Fully qualified host name embedded in configuration
• X.509 certificates (SSL)
  – The server host name should match the common name (CN) in the subject of the certificate, otherwise it will not be trusted
  – Browsers will refuse to allow you to use a web site where the certificate does not match the server
• Software licenses
  – Licenses of many IBM and Microsoft software products can be applied to SCE virtual machines
  – Licenses for other commercial software are often based on either the IP address or the MAC address
14. Composite applications and problems in migrating them
• Composite systems, e.g. application server and database, monitoring systems
  – With the ability to specify host names when provisioning virtual machines, these systems may be migrated more easily
• Complex systems in one VM or in multiple VMs with
  – Load balancers, firewalls, DNS servers
  – These systems are very sensitive to the exact values of IP addresses
• Sources of data that become unavailable
  – For example, REST services on another system that become unavailable
  – Make a local cache and store messages that arrive for processing later
15. Migrating data
• Kinds of data
  – Configuration data
  – Application data
  – Encrypted and hashed data (keys, passwords)
• Problems
  – Relationships with the environment
    • Host names, network, IP address, data center name, etc.
  – Unique IDs
    • Universally unique (UUID / GUID)
    • System / random generated or database auto-increment
  – Salting of passwords
    • Passwords are combined with a random number before hashing to prevent reversing
• Approaches
  – Copy data bit-for-bit
    • Virtual machine image copy / import falls into this category
    • May need to extract and replace certain parameters at the secondary location. See the Image Developers Guide.
  – Regenerate data in a predictable way
    • Considerable effort to automate
16. Tools for workload migration: overview
• Cloud infrastructure
  – Multiple data centers
  – Application APIs and self-service user interface
  – Image library, import, copy and export, volume cloning
• System virtualization
  – Enables portability of systems
  – Ability to save an instance to an image
  – Build the system so that it can be ported to a base image in the catalog at an alternate data center
  – Network resources
• Operating system and network level tools
  – SSH / SCP
  – DNS
  – Traffic management tools
  – rsync
• Middleware tools
  – Web server HTTP and HTML page redirects
  – WebSphere and other application server utilities
  – Database utilities
17. Tools for workload migration: cloud infrastructure
• Multiple data centers
  – The availability of multiple data centers to run workloads on provides an alternate location to avoid a number of causes of service disruption
• Self-service user interface
  – Can be used to provision new resources quickly and for a short time
  – Even if the self-service interface becomes unavailable, the virtual machines themselves rarely become unavailable
• Application APIs and command line tool
  – Can be used to automate provisioning and management of virtual resources
• Image capture and the image catalog
  – Image capture is useful in many contexts
  – Provides a large selection of images available at all data centers to provide a base
  – In the demo we use a WebSphere Application Server in the public image catalog. This reduces the amount of installation and configuration needed. In particular, scripts in the image remove the machine name embedded in WebSphere configuration files
• Image clones and software bundles
  – Systematic tools that separate software bundles as re-usable assets that can be installed into base image binaries
  – Software bundles can enable you to create templates that can be used to replicate similar virtual machines at different data centers
18. Tools for workload migration: system virtualization
• Copy, clone, and import of images
  – Images can be copied from the image library to a volume
  – Storage volume cloning is used to transfer from one data center to another
  – Image import is used at the other data center to import from the cloned volume
• Ability to save an instance to an image
  – Create a base image that can be easily ported. This may involve developing start-up scripts that extract and modify key parameters that may change when provisioning a new virtual machine
  – Build the system so that it can be ported to a base image in the catalog at an alternate data center
  – This enables the workload to be moved without having to clone the image, which can be a large copy operation (>5 GB) across the Internet
• Network resources
  – Virtual IP addresses: not portable between data centers
19. Tools for workload migration: operating system level tools
• SSH / SCP
  – Fundamental tools for working in the cloud, to log in remotely and copy data securely
  – Can be used either interactively or in scripts
• DNS
  – Important for directing users and systems without being tied to IP addresses
  – Can move servers without making it apparent to clients
  – Requires registration or configuration at the client to point to a nameserver
  – Compared to virtual IP addresses, the advantages of DNS names are
    • Portable between data centers
    • Multiple host names can map to one server
  – BIND is the most widely used DNS system and the one that we will use for the demo
  – See backup slides for more detail
• rsync
  – Remote synchronization of file systems between Linux servers; copies differences only
  – Standard utility on Linux servers on SCE
• Traffic management tools
  – Virtual appliances in the SCE image catalog
  – Riverbed Traffic Manager
  – Dyn
20. Tools for workload migration: middleware tools
• HTML page redirects in the HTML <head> element
    <meta http-equiv="Refresh" content="0; url=" />
• Web server HTTP redirects
  – 302 is used for a temporary redirect
    HTTP/1.1 302 Found
    Location:
  – Use the Apache module mod_rewrite to send this for all URLs served by the system being maintained
• WebSphere and other application server utilities
  – Many commands and tools enable portability of both application code and application server configuration settings
  – The WebSphere wsadmin scripting tool allows for automation of management operations in WebSphere, written in Jython
  – Written using the Bean Scripting Framework and can be extended
• Database utilities
  – Tools should not be sensitive to network latency if you hope to migrate to other data centers
  – DB2 HADR
  – Table export and import
21. Tools: approaches to migrating WebSphere applications
Other application servers are similar but may not have all options
Leverage base WebSphere images
• Leverage base WebSphere images at different data centers; a template extracting variable parameters has already been created by the WebSphere image development team
• Re-installing the application requires only copying the application binaries and configuration files
• Configuration files can be profile, properties, or individual tracking of parameters
• Deployment and configuration can be manual, commands, script, or monitored directory
• Use techniques in the SCE Customizing Images and Software Bundles
Save image, transfer, and modify
• Need to copy a large binary file across the Internet and adjust for frozen properties, or create your own template
• Use the WebSphere administrative tasks changeHostname and renameNode
Own installation of WebSphere software
• WebSphere images in the catalog are the Base Edition
• If you need Network Deployment Edition then you will need to install it yourself and create your own template to extract and modify variable parameters
• Install binaries in the base image and defer creation of profiles until activation time [Willenborg 2007]
Liberty profile
• A lightweight WebSphere profile based on simple XML files
22. Tools: WebSphere wsadmin scripting tool
The wsadmin tool is ideal for automating management actions for WAS. If you are unsure of the command to use, try the action on the WebSphere administration UI and copy the script action, or use the help command, as shown below. Jython is the preferred language for scripting. Enter virtuser and the password you provided in the previous step when prompted by wsadmin. If you are making changes interactively, use the save() command before exiting with the exit command.
    $ su - virtuser
    $ /opt/IBM/WebSphere/AppServer/bin/ -lang jython
    . . .
    wsadmin> print
    . .
    wsadmin> print Help.AdminConfig()
    . . .
    wsadmin>print"list")
    . . .
    print"-commands", "list*")
    . . .
    wsadmin> exit
23. Tools: WebSphere administration scripting help
Enable this in the System | Console Preferences dialog.
The log is saved in /opt/IBM/WebSphere/Profiles/AppSrv01/logs/server1/commandAssistanceJythonCommands_virtuser.log
24. Tools: WebSphere wsadmin scripting tool (continued)
Certificates
Executing scripts in batch mode
It can be even more effective to automate with batch scripts. In this way a Jython script can be copied and executed without any interaction. For example, to get a list of certificate stores with the wsadmin Jython script below, save the line to a script file.
    AdminTask.listKeyStores('[-all true -keyStoreUsage SSLKeys ]')
You can execute this from the wsadmin console, as shown below.
    $ /opt/IBM/WebSphere/Profiles/AppSrv01/bin/ -lang jython -f /home/virtuser/
    . .
    NodeDefaultKeyStore(cells/BaseAppSrvCell|security.xml#KeyStore_BaseAppSrvNode_1)
    NodeDefaultTrustStore(cells/BaseAppSrvCell|security.xml#KeyStore_BaseAppSrvNode_2)
This also demonstrates how to execute wsadmin scripts in batch mode. Many of the following slides simply list the Jython commands and assume that they are executed in batch mode, as above.
25. Tools: WebSphere wsadmin scripting tool (continued)
Configuration with properties files
Properties files can be extracted from a primary server, edited, and imported into a secondary server. This can simplify migration considerably. There is no need to start and stop the WebSphere process as there is with exporting and importing a profile. Profiles are supposed to strip environment information but, in some cases, still embed environment settings like IP addresses and hostnames, which need to be changed. The properties approach mitigates these problems. However, it is not possible to modify every configuration setting with this approach. The command to extract the properties from a server is
    AdminTask.extractConfigProperties('[-configData Server=server1 -propertiesFileName /home/virtuser/myProperties.props]')
This will export all the properties for server1 to the file /home/virtuser/myProperties.props. The file can be edited with a text editor or program, copied to the secondary server, and imported with the command below. You will need to save the changes afterwards.
    AdminTask.applyConfigProperties('[-propertiesFileName /home/virtuser/myProperties.props -validate true]')
26. Case study: migration of a stand-alone WebSphere application with wsadmin and DNS
27. Case study: migration for a J2EE application
Based on a WAS stand-alone topology
Goal: workload migration from one data center to another to avoid downtime caused by planned maintenance on SCE, based on features available today
• The maintenance plan does not guarantee that one of any two given data centers will always be up at the same time
  – Base the plan on being able to instantiate a new WAS server at a secondary data center and migrating the application and
• Using the WAS 8.5 image in the catalog as the image to base the case study on, for a stand-alone WAS topology with a web server in front
  – The image is WebSphere Application Server Base Edition
  – Use tools available in the WAS 8.0 image to migrate the J2EE application
  – Prefer command line tools to enable automation and avoid the need to use a GUI over the Internet
• DNS service to point users to the secondary server at the new data center; this needs an external service
  – Configure a BIND server to do this
  – Redirection at the IP of the primary to the secondary to allow for DNS cache refresh
28. Case study: schematic diagram
[Diagram: Data Center 1 (primary) with IBM HTTP Server, WAS App Server and DNS; the user connects over HTTP(S) to IBM HTTP Server, which forwards HTTP to the WAS App Server; the EAR is exported to Data Center 2 (secondary) with IBM HTTP Server, WAS App Server and DNS Server]
29. Steps in case study
Setup primary environment
1) Provision primary server on an instance of WebSphere Application Server 8.5
2) Deploy application to WAS
3) Configure IBM HTTP Server
4) Setup DNS system on an instance in the cloud
5) Test application
Setup secondary system
1) Repeat deployment of application as for primary system
2) Redirect traffic to secondary system with DNS
3) Post maintenance message on primary
Test switch over to secondary system
1) Test that the secondary system acts as a replacement transparently to the client
30. Demo prerequisites
1) User account on SCE
2) Command line tool setup
3) SSH key defined
4) Basic knowledge of Linux, SCE, and WebSphere
5) SSH client (PuTTY) and secure copy (WinSCP) installed
6) Simple J2EE application created with Rational Application Server. The sample application is shown in the next slide.
31. Example Enterprise Application
32. Limitations and assumptions of tools used in case study
1) Not a complete and automated cut over
2) Loss of data and finite downtime during cut over. In particular, loss of user session.
3) There is no quiescing period to allow users to complete their transactions gracefully, but this is recommended.
4) Application is a stateless application
5) Normal practice is to have primary and secondary DNS nameservers.
33. Step 1a: Provision WAS 8.0 instance
Search on the string WebSphere Application Server V8.0 or use the describe-images command to find the image
34. Step 1b: Provision WAS 8.5 instance
Find instance provisioning parameters
The image ID of the IBM WebSphere Application Server V8.5 - BYOL image in the Singapore data center is 20056246. To find out the supported virtual machine instance sizes use the describe-image command, as shown below.
    > ic-describe-image.cmd -u <user_id> -g <password_file> -w <passphrase> -k 20027636
    Executing action: DescribeImage ...
    ID: 20056246
    Name: IBM WebSphere Application Server Version 8.5 32b - BYOL
    . . .
    Location: 141
    Image Size: 15.143166 Gib
    ----------------------------------
    InstanceType ID: COP64.2/4096/60
    Label: Copper 64 bit
    Detail: Copper - 64 bit (vCPU: 2, RAM: 4 GiB, Disk: 60 GiB)
    . . .
35. Step 1c: Provision WAS 8.5 instance
Submit instance provisioning request
To provision an instance use the create-instance command, as shown below.
    > ic-create-instance.cmd -u <user_id> -g <password_file> -w <passphrase> -k 20056229 -n <instance_name> -t "COP32.1/2048/60" -L 141 -m "{WASAdminPassword:***,WASProfileType:production}"
    Executing action: CreateInstance ...
    The request has been submitted successfully.
    1 instances!
    ----------------------------------
    ID: 293212
    Name: WAW85Sing
    Hostname:
    InstanceType: COP64.2/4096/60
    IP:
    KeyName: <key_name>
    Owner: <user_id>
    RequestID: 293212
    RequestName: <instance_name>
    Status: NEW
36. Step 1d: Provision WAS 8.5 instance
Wait for instance provisioning to complete
You need to wait until the status becomes ACTIVE before being able to use the instance. You can do that with the describe-instance command, as shown below, supplying the instance ID from the output of the command above.
    > ic-describe-instance.cmd -u <user_id> -g <password_file> -w <passphrase> -l 291017
    Executing action: DescribeInstance ...
    ID: 293212
    Name: <instance_name>
    Image ID: 20056246
    Hostname:
    InstanceType: COP64.2/4096/60
    IP:
    KeyName: <key_name>
    Owner: <user_id>
    RequestID: 293512
    RequestName: was85Sing
    Status: ACTIVE
    Location: 141
    . . .
37. Step 1e: Check WebSphere server status
Use the WebSphere command line to check server status
The WebSphere server should start by default when the virtual machine boots. However, it can take some time to start up. We can check the status via the command line with the serverStatus command. Execute the command shown below as the WebSphere virtuser via SSH.
    $ /opt/IBM/WebSphere/AppServer/bin/ -all
    . . .
    ADMU0508I: The Application Server "server1" is STARTED
If the server is not started then you can start it with the startServer command below.
    $ /opt/IBM/WebSphere/AppServer/bin/ server1
38. Step 2a: Deploy application to WAS
Use the WAS Admin Scripting tool to configure directory monitoring
The WAS directory monitoring feature allows you to deploy applications by copying enterprise archive files to a certain directory. Log on to the server with PuTTY, change to virtuser, and execute the commands below. Enter virtuser and the password you provided in the previous step when prompted by wsadmin.
    $ su - virtuser
    $ /opt/IBM/WebSphere/AppServer/bin/ -lang jython
    wsadmin> AdminConfig.modify('(cells/BaseAppSrvCell|cell.xml#MonitoredDirectoryDeployment_1)', '[[enabled "true"] [monitoredDirectory "${USER_INSTALL_ROOT}/monitoredDeployableApps"] [pollingInterval "5"]]')
    wsadmin> AdminConfig.save()   # persist the change before leaving the interactive session
    wsadmin> exit
39. Step 2a: Deploy application to WAS
Use the WAS Integrated Solution Console to configure directory monitoring
You need to restart the server before these changes will take effect. To do that, log on to the server with PuTTY, change to virtuser, and restart the server with the commands below.
    > su - virtuser
    > /opt/IBM/WebSphere/AppServer/bin/ server1
    > /opt/IBM/WebSphere/AppServer/bin/ server1
40. Step 2a: Deploy application to WAS
Use the WAS Integrated Solution Console to check that directory monitoring is configured. Log on to the WAS administrative console (Integrated Solutions Console / ISC) at the address below and go to Applications | Global Deployment Settings.
    https://<ip_address>:9043/ibm/console/logon.jsp
41. Step 2b: Deploy application to WAS
Copy the EAR file to the monitored directory
The demo uses a simple enterprise application packaged as an EAR file, called migrationEAR.ear. Copy the EAR file to the primary server using the PuTTY pscp program as idcuser, as shown below.
    > pscp -i <key_file> migrationEAR.ear idcuser@<primary_server>:migrationEAR.ear
As idcuser, change the owner and move the file to the monitored directory
    $ sudo chown virtuser:users migrationEAR.ear
    $ sudo mv migrationEAR.ear /opt/IBM/WebSphere/Profiles/AppSrv01/monitoredDeployableApps/servers/server1/.
The application will show up in the WebSphere administrative console (next page)
42. Step 2c: Deploy application to WAS
Check that the example enterprise application is shown under Enterprise Applications in the ISC
43. Step 2c: Deploy application to WAS
Use the WAS Admin Scripting tool to verify application status
Rather than using the WebSphere administrative console you can use the wsadmin scripting tool to verify the application status. To do that, change to virtuser and execute the commands below.
    > su - virtuser
    > /opt/IBM/WebSphere/AppServer/bin/ -lang jython
    wsadmin> AdminApp.list()
    migrationEAR
    query
    wsadmin> exit
44. Step 2d: Deploy application to WAS
Test the application by pointing your browser directly at WebSphere, at the IP address and port of the primary server
45. Step 3c: Deploy application to WAS
HTTP Server plug-in
The IBM HTTP Server is bundled with the WebSphere image and configured by default. Generate the plug-in by selecting the check box for the web server and clicking the Generate Plug-in button.
46. Step 3b: Deploy application to WAS
Alternative: start the HTTP Server from the command line
If the IBM HTTP Server is not already running, start it with the apachectl command and check that it is running and accessible with the curl command.
    $ sudo /opt/IBM/HTTPServer/bin/apachectl start
    $ curl localhost
47. Step 4: Test application
Point browser at the IP address of the web server (port 80)
48. Step 5a: Setup DNS system
Install the BIND named service
Provision a RHEL 6.2 (64-bit) system with the command
    > ic-create-instance.cmd -u <user_id> -g <password_file> -w <passphrase> -k 20025211 -n BIND_RHEL6 -t "COP64.2/4096/60" -L 141
Install BIND from the yum repository with the commands below
    $ sudo /bin/bash
    # yum install bind
Start the server and verify the installation (see backup slides for the nslookup and dig tools)
    # service named start
    # dig
    # nslookup localhost
49. Step 5b: Setup DNS system
Configure BIND for our test domain
We will make our server the primary name server for the domain mymigration.test. We will add a zone statement for this and include a zone file that will contain the individual Resource Records for the domain. Edit the main configuration file /etc/named.conf and add the following section
    zone "" {
        type master;
        file "";
    };
Edit the lines related to the listener and query restrictions.
    listen-on port 53 { any; };
    . . .
    allow-query { any; };
50. Step 5b: Setup DNS system
Add DNS records
Create the include file /etc/named/mymigration.test for the domain and add the text shown below. It includes the Time to Live ($TTL), the root name ($ORIGIN), Start of Authority (SOA) entries, and some Address (A) Resource Records. Use your own host name and IP address.
    $TTL 1h
    $ORIGIN
     1D IN SOA ns hostmaster (
                    2006100201 ; se = serial number
                    1h         ; ref = refresh
                    15m        ; ret = update retry
                    3w         ; ex = expiry
                    3h         ; min = minimum
                    )
     IN NS
     IN A
     IN A
     IN CNAME vhost0773
    db IN CNAME vhost0773
51. Step 5c: Setup DNS system
Start the BIND named service
Set the service on by default and start it with the commands below
    # chkconfig named on
    # service named start
Open port 53 in the firewall for both UDP and TCP with the commands below.
    # vi /etc/sysconfig/iptables
    # Add lines accepting port 53 (DNS) over UDP and TCP from any source.
    . . .
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    . . .
    # /sbin/service iptables restart
52. Step 5c: Setup DNS system
Configure your DNS client
On a Linux system, edit the /etc/resolv.conf file, adding a line like the one shown below. Use the IP address of your own DNS server.
    nameserver
Try it out using the dig command on the VM with the BIND server
    # dig
    ;; ANSWER
     3600 IN CNAME
     3600 IN A
    . .
    # nslookup www.mymigrationtest.com
    Server:
     canonical name = vhost0773.mymigrationtest.com
    Address:
53. Step 5c: Test application
Configure the Windows client to use the nameserver
54. Step 5c: Test application
Point the browser at the hostname of the web server. Sometimes the DNS resolution can be cached for a long time on Windows. If you have trouble, try on Linux. If you do not have access to a Linux desktop, try using curl:
    $ curl
    Hello migration test - from vhost0773
55. Step 6a: Setup secondary system
Repeat the steps from Step 1c for provisioning the primary system, but in the secondary data center
The ID of the RTP data center is 41. The image ID of the IBM WebSphere Application Server V8.5 - BYOL image in the RTP data center is 20056236.
    > ic-create-instance.cmd -u <user_id> -g <password_file> -w <passphrase> -k 20056236 -n <instance_name> -t "COP32.1/2048/60" -L 41 -m "{WASAdminPassword:***,WASProfileType:production}"
Either repeat the application deployment, installation and configuration steps for the primary as explained above, or export the profile of the primary and import it into the secondary system. If you decide to export the profile then you will need to stop the server while you export the profile.
56. Step 6b: Setup Secondary System
Export the WebSphere configuration from the primary to the secondary machine
In our simple example we have not made any configuration changes to WebSphere. If we had, we could extract the properties from the primary system with the wsadmin Jython command below.
AdminTask.extractConfigProperties('[-configData Server=server1 -propertiesFileName /home/virtuser/myProperties.props]')
This will export all the properties for server1 to the file /home/virtuser/myProperties.props. The file should be scanned for any IP addresses or host names associated with the primary environment and changed with a text editor or program. Then it should be copied to the secondary server, imported with the command below, and the changes saved.
AdminTask.applyConfigProperties('[-propertiesFileName /home/virtuser/myProperties.props -validate true]')
57. Step 7: Redirect traffic to secondary server
Change the CNAME record to point at the new web server
Edit the include file /etc/named/mymigration.test for the domain and change the records as shown below. Use your own host name and IP address. Restart the nameserver after making the change.
$TTL 1h
$ORIGIN <domain>.
      1D IN SOA ns hostmaster (
          2006100201 ; se = serial number
          1h         ; ref = refresh
          15m        ; ret = update retry
          3w         ; ex = expiry
          3h         ; min = minimum
          )
      IN NS    <nameserver_host>
      IN A     <ip_address>
      IN A     <ip_address>
      IN A     <ip_address>
      IN CNAME vhost2242
db    IN CNAME vhost2242
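The cutover above is a two-line edit, but two things go wrong in practice: the SOA serial must increase or a reloaded named keeps serving the old data, and the new CNAME target must have an A record. The script below is an added example (not from the deck) that applies the www change to an in-memory zone shaped like the slide's include file and bumps the serial in the YYYYMMDDnn scheme; all host names, addresses and the serial are constructed sample values.

```python
"""Repoint the web alias in a BIND zone to the secondary host and bump the SOA serial.

Added example for this deck, not code from the original slides. Host names,
addresses (RFC 5737 documentation ranges) and the serial are constructed values.
"""
import re
from datetime import date

# Constructed sample zone modelled on the slide: www and db currently alias the primary host.
SAMPLE_ZONE = """\
$TTL 1h
$ORIGIN mymigrationtest.com.
@         1D IN SOA ns hostmaster (
                 2006100201 ; se = serial number
                 1h         ; ref = refresh
                 15m        ; ret = update retry
                 3w         ; ex = expiry
                 3h )       ; min = minimum
          IN NS    ns
ns        IN A     192.0.2.10
vhost0773 IN A     192.0.2.11
vhost2242 IN A     198.51.100.22
www       IN CNAME vhost0773
db        IN CNAME vhost0773
"""

SERIAL_RE = re.compile(r"^(\s*)(\d{10})(\s*;\s*se\b.*)$")  # serial line inside the SOA block
A_RE = re.compile(r"^(\S+)\s+IN\s+A\s+\S+\s*$")
CNAME_RE = re.compile(r"^(?P<owner>\S+)(?P<ws>\s+IN\s+CNAME\s+)(?P<target>\S+)\s*$")


def next_serial(current, today=None):
    """Next YYYYMMDDnn serial: today's date (YYYYMMDD string) plus a two-digit change counter.
    A restarted named (and any secondary) only picks up a zone whose serial increased."""
    prefix = today or date.today().strftime("%Y%m%d")
    if current.startswith(prefix):
        counter = int(current[8:]) + 1
        if counter > 99:
            raise ValueError("more than 99 zone changes in one day")
        return "%s%02d" % (prefix, counter)
    candidate = prefix + "00"
    # If the old serial is somehow ahead of today's date, fall back to a plain increment.
    return candidate if int(candidate) > int(current) else str(int(current) + 1)


def a_record_owners(zone):
    """Owner names that have an A record, i.e. valid in-zone CNAME targets."""
    return {m.group(1) for m in map(A_RE.match, zone.splitlines()) if m}


def repoint_aliases(zone, aliases, new_target, today=None):
    """Return (new_zone_text, list_of_changed_owners).

    Only CNAMEs whose owner is in `aliases` are changed, so db can stay on the primary
    while www moves. The serial is bumped only if a record actually changed, which makes
    the function safe to run twice."""
    if new_target not in a_record_owners(zone):
        raise ValueError("no A record for %s in this zone; add it before aliasing to it" % new_target)
    out, changed = [], []
    for line in zone.splitlines():
        m = CNAME_RE.match(line)
        if m and m.group("owner") in aliases and m.group("target") != new_target:
            changed.append(m.group("owner"))
            line = m.group("owner") + m.group("ws") + new_target
        out.append(line)
    if changed:
        for i, line in enumerate(out):
            sm = SERIAL_RE.match(line)
            if sm:
                out[i] = sm.group(1) + next_serial(sm.group(2), today) + sm.group(3)
                break
        else:
            raise ValueError("SOA serial line not found; named would keep serving the old data")
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    zone, moved = repoint_aliases(SAMPLE_ZONE, {"www"}, "vhost2242", today="20121023")
    print("changed:", moved)
    print(zone)
```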
58. Step 8: Post maintenance message on primary server
Put the maintenance message in an HTML file with a redirect, and copy it to index.html
<html xmlns="">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
    <meta http-equiv="Refresh" content="10; url=" />
    <title>Maintenance message</title>
  </head>
  <body>
    <h1>Maintenance message</h1>
    <p>
      This server is under maintenance. Please go to <a href=></a>
    </p>
  </body>
</html>
59. Step 8: Post maintenance message on primary server
Put the maintenance message in an HTML file with a redirect, and copy it to index.html
60. Step 9: Test secondary system
Show browser
61. Steps to extend to a more complex service
1) Use a more professional redirect with HTTP server configuration
2) Use DB2 HADR to migrate the database data
3) Use rsync to synchronize files in the WAS monitored directory that may change
4) Expand to a composite application with multiple instances – use DNS for system dependencies
5) Use a VLAN to avoid opening ports on the internet for communication between instances in the composite system
6) Migrate SSL certificates
62. Case Study: Synchronizing files for a database application using rsync
63. Scenario: Synchronizing file systems from primary to secondary virtual machines with rsync
This scenario will demonstrate using rsync to synchronize a directory tree from a primary to a secondary virtual machine. rsync is an ideal tool for doing this. rsync efficiently detects changes in the directory tree on the primary system, then compresses and copies those changes to the secondary system, where they are re-assembled.
In the scenario we will set up a database on the primary and secondary servers and use rsync to synchronize the database files from the primary server to the secondary. rsync will run over SSH so that the copy is protected over the Internet.
Steps
1) Setup Derby on the primary server
2) Create a database
3) Create a table and add a record
4) Use rsync to copy the database files
5) Test that you can view the database records on the secondary system
6) Add more data to the primary database, synchronize, and test for the new data on the secondary
64. Case study: Schematic Diagram
[Diagram: Data Center 1 holds the primary Derby database; the administrator connects over SSH; rsync over SSH copies to the secondary Derby database in Data Center 2]
65. Step 1a: Installing the Apache Derby Database
Concepts
– Apache Derby is a lightweight embedded database that we will use to demonstrate a scenario migrating a database application on the cloud
– Derby can be freely downloaded from the Apache Derby project web site
Perform the installation by downloading with cURL. Adjust for the latest version of Derby and the mirror closest to you. Perform the commands below as root.
# mkdir /opt/Apache
# cd /opt/Apache
# curl -o <derby_zip> <mirror_url>
# unzip <derby_zip>
# export JAVA_HOME=/opt/IBM/WebSphere/AppServer/java
# export PATH=$JAVA_HOME/bin:$PATH
# export DERBY_HOME=/opt/Apache/db-derby-
# export CLASSPATH=$DERBY_HOME/lib/derby.jar:$DERBY_HOME/lib/derbytools.jar:.
# cd $DERBY_HOME/bin
# . ./setEmbeddedCP
66. Step 1b: Confirming the Derby installation
Verify the Derby install with the command below
# java org.apache.derby.tools.sysinfo
------------------ Java Information ------------------
Java Version:    1.6.0
Java Vendor:     IBM Corporation
. . .
67. Step 2: Setting up a database
Use the ij tool to create a database. We use a directory outside where the software is installed. Execute the following commands as idcuser.
$ export JAVA_HOME=/opt/IBM/WebSphere/AppServer/java
$ export PATH=$JAVA_HOME/bin:$PATH
$ export DERBY_HOME=/opt/Apache/db-derby-
$ export CLASSPATH=$DERBY_HOME/lib/derby.jar:$DERBY_HOME/lib/derbytools.jar:.
$ java org.apache.derby.tools.ij
ij version 10.9
ij> connect 'jdbc:derby:MigrationTest;create=true';
ij> exit;
This will create the files shown below
# ls
MigrationTest  derby.log
The MigrationTest directory contains the database data files.
68. Step 3: Creating a table and adding data
Use the ij tool to define a table and add data. We need to specify the location of the data directory with the derby.system.home system property when connecting if it is not the current directory.
$ java -Dderby.system.home=/home/idcuser org.apache.derby.tools.ij
ij version 10.9
ij> connect 'jdbc:derby:MigrationTest';
ij> CREATE TABLE users(id INTEGER NOT NULL GENERATED ALWAYS AS IDENTITY (START WITH 1, INCREMENT BY 1), username VARCHAR(40));
ij> INSERT INTO users(username) VALUES ('a.user');
ij> SELECT * FROM users;
ID         |USERNAME
----------------------------------------------------
1          |a.user

1 row selected
ij> disconnect;
ij> exit;
The generated value for id illustrates a common challenge with migrating data.
69. Step 4: Use rsync to copy the database files
Concepts
– rsync is a utility that copies the differences in a directory tree from a source server to the destination server
– The data is compressed and may be sent over SSH
– Optionally, a machine can be configured to act as a hosting server for automated sync between multiple servers
Basic use. Run the command below from the primary system to the secondary system to copy the MigrationTest directory. You need to have the SSH key on the primary server in the .ssh directory.
$ rsync -avz -e "ssh -i .ssh/july26_key" /home/idcuser/MigrationTest idcuser@<secondary_ip>:<destination_directory>
sending incremental file list
MigrationTest/
MigrationTest/service.properties
MigrationTest/log/
MigrationTest/log/log.ctrl
. . .
70. Step 5: Testing the database on the secondary server
Test that you can access the data in Derby on the secondary server. First, repeat step 1 on the secondary system to set up Derby.
$ export JAVA_HOME=/opt/IBM/WebSphere/AppServer/java
$ export PATH=$JAVA_HOME/bin:$PATH
$ export DERBY_HOME=/opt/Apache/db-derby-
$ export CLASSPATH=$DERBY_HOME/lib/derby.jar:$DERBY_HOME/lib/derbytools.jar:.
$ java org.apache.derby.tools.ij
ij version 10.9
ij> connect 'jdbc:derby:MigrationTest';
ij> SELECT * FROM users;
ID         |USERNAME
----------------------------------------------------
1          |a.user
ij> disconnect;
ij> exit;
71. Step 6: Use rsync to synchronize data
Add a user on the primary server and use rsync again.
$ java org.apache.derby.tools.ij
ij> connect 'jdbc:derby:MigrationTest';
ij> INSERT INTO users(username) VALUES ('b.user');
ij> disconnect;
ij> exit;
$ rsync -avz -e "ssh -i .ssh/july26_key" /home/idcuser/MigrationTest idcuser@<secondary_ip>:<destination_directory>
sending incremental file list
. . .
Notice that far fewer files are sent now. Check that the new data is available on the secondary system. You will need to log out and log back into the database with ij to clear the data cache.
72. Problems and steps to extend to a more complex scenario
1) It is difficult to synchronize data to a secondary system consistently without either using specialized HADR tools or shutting down the service for the period of the migration operation.
2) The main problem with copying the underlying database files is that the database must be inactive at the time the synchronization is done. Otherwise, the files copied may not be consistent. To be sure, it is best to shut down the database or, in the case of Derby, disconnect.
3) Use database tools for import and export instead of copying raw files. This avoids the danger of copying inconsistent files, but be careful of autogenerated sequences.
4) Setup a cron job to automate synchronization of data
5) Use specialized database tools, like DB2 HADR.
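Points 1 and 2 above are the ones that bite when the copy is automated from cron: rsync will happily copy a database that is mid-write. The added example below (not from the deck) wraps a copy of a Derby database directory with the two checks a practitioner wants: refuse while Derby has the database booted (Derby keeps a db.lck file in the database directory while it is open) and verify the result with SHA-256 digests, also detecting a source that changed underneath the copy. The directory layout is constructed in a temporary directory and shutil stands in for rsync over SSH.

```python
"""Pre-flight and post-copy checks around copying a Derby database directory.

Added example for this deck, not code from the original slides. The Derby-like
directory tree (service.properties, log/, seg0/) is constructed for the demo and
shutil.copytree stands in for the rsync-over-SSH step in the slides.
"""
import hashlib
import os
import shutil
import tempfile

# Derby writes these in the database directory while the database is booted.
# Stale lock files can survive a crash, so treat this as a guard, not proof of consistency.
LOCK_FILES = ("db.lck", "dbex.lck")


def tree_digests(root):
    """Map relative path -> sha256 hex digest for every regular file under root."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests


def is_booted(db_dir):
    return any(os.path.exists(os.path.join(db_dir, name)) for name in LOCK_FILES)


def verify_copy(src_db, dst_db):
    """What to check after rsync: every source file present on the destination with the same digest."""
    src, dst = tree_digests(src_db), tree_digests(dst_db)
    missing = sorted(set(src) - set(dst))
    extra = sorted(set(dst) - set(src))
    mismatched = sorted(p for p in src if p in dst and dst[p] != src[p])
    return {"files": len(src), "missing": missing, "extra": extra, "mismatched": mismatched,
            "ok": not (missing or extra or mismatched)}


def safe_copy(src_db, dst_db):
    """Copy src_db to dst_db only when no engine has it open; return the verification report.
    Raises RuntimeError if the database is booted or if the source changed during the copy."""
    if is_booted(src_db):
        raise RuntimeError("database is booted (db.lck present); shut it down or disconnect first")
    before = tree_digests(src_db)
    if os.path.exists(dst_db):
        shutil.rmtree(dst_db)
    shutil.copytree(src_db, dst_db)          # stand-in for: rsync -avz -e ssh src dst
    if tree_digests(src_db) != before:       # a writer sneaked in without a lock file
        raise RuntimeError("source changed during copy; the result is not consistent")
    return verify_copy(src_db, dst_db)


def make_sample_db(root, booted=False):
    """Construct a Derby-like database directory for the demo; `booted` adds the lock file."""
    db = os.path.join(root, "MigrationTest")
    os.makedirs(os.path.join(db, "log"))
    os.makedirs(os.path.join(db, "seg0"))
    with open(os.path.join(db, "service.properties"), "w") as f:
        f.write("derby.storage.pageSize=4096\n")
    with open(os.path.join(db, "log", "log.ctrl"), "wb") as f:
        f.write(b"\x00" * 48)
    with open(os.path.join(db, "seg0", "c10.dat"), "wb") as f:
        f.write(os.urandom(4096))
    if booted:
        open(os.path.join(db, "db.lck"), "wb").close()
    return db


def run_demo():
    """Return (report for a clean copy, whether a copy of a booted database was refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = make_sample_db(os.path.join(tmp, "primary"))
        report = safe_copy(src, os.path.join(tmp, "secondary", "MigrationTest"))
        busy = make_sample_db(os.path.join(tmp, "busy"), booted=True)
        try:
            safe_copy(busy, os.path.join(tmp, "secondary2", "MigrationTest"))
            refused = False
        except RuntimeError:
            refused = True
    return report, refused


if __name__ == "__main__":
    print(run_demo())
```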
73. WebSphere application migration with profiles
74. WebSphere scripting and command line utilities
Tools and approach for migrating a more complex application
Primary system setup
a) Setup Derby database
   • Enable user authentication
   • Run Derby in network mode
   • Run the Derby client in network mode
   • Install the example application
b) WebSphere configuration with wsadmin Jython scripts
   • Create a JDBC provider
   • Create an authentication alias
   • Create and test a data source
Migration steps
More resources
   • Sample scripts
75. Case study: Schematic Diagram
[Diagram: Data Center 1 holds the primary WebSphere server with a JDBC connection and users over HTTP(S); the profile is exported and files copied with rsync to Data Center 2, where a secondary WebSphere server with JDBC is created as an instance from the image library]
76. Primary setup: Enable user authentication for Derby
When we access a database from an application we typically supply a user name and password. There are several options for managing users and enforcing authentication in Derby. We will use the simplest type: BUILTIN. To enable this, create the file derby.properties in the Derby installation (system) directory, with the text shown below.
derby.authentication.provider=BUILTIN
derby.user.virtuser=******
derby.connection.requireAuthentication=true
This sets the user repository to the derby.properties file and creates a user virtuser with the given password. For convenience put the environment variables in .bashrc, as shown below.
$ vi /home/idcuser/.bashrc
. . .
export JAVA_HOME=/opt/IBM/WebSphere/AppServer/java
export PATH=$JAVA_HOME/bin:$PATH
export DERBY_HOME=/opt/Apache/db-derby-
export CLASSPATH=$DERBY_HOME/lib/derby.jar:$DERBY_HOME/lib/derbytools.jar:.
77. Primary setup: Run Derby in network mode
One problem is that we are very dependent on where the Derby database is installed and on the user that owns the files, and we are limited in the number of users that can connect. To overcome that we can run Derby in network mode. Set JAVA_HOME, DERBY_HOME, PATH, and CLASSPATH as above. Start up the server as idcuser, as shown below, in the installation directory (not where you created the database before).
$ sudo /bin/bash
# cd /opt/Apache/db-derby-
# java -jar $DERBY_HOME/lib/derbyrun.jar server start
Tue Oct 23 01:40:45 UTC 2012 : Security manager installed using the Basic server security policy.
Tue Oct 23 01:40:45 UTC 2012 : Apache Derby Network Server - - (1344872) started and ready to accept connections on port 1527
The server starts on port 1527 by default. Edit the firewall rules to allow a local connection and restart the firewall. You may also need to add a rule explicitly for the IP address of the machine.
$ sudo vi /etc/sysconfig/iptables
. . .
[edit]
-A INPUT -p tcp -m tcp -s <machine_ip> --dport 1527 -j ACCEPT
. . .
$ sudo /sbin/service iptables restart
78. Primary setup: Run the Derby client in network mode
To connect to the database as a client, enter the following command.
$ java -jar $DERBY_HOME/lib/derbyrun.jar ij
This will start the ij client in network mode. You will need to connect to the database from within ij. You can do that with the commands below.
ij> CONNECT 'jdbc:derby://localhost:1527/MigrationTest;create=true;user=virtuser;password=******';
ij> CREATE TABLE users(id INTEGER NOT NULL GENERATED ALWAYS AS IDENTITY (START WITH 1, INCREMENT BY 1), username VARCHAR(40));
ij> INSERT INTO users(username) VALUES ('a.user');
ij> SELECT * FROM users;
The connection URL includes host, port, and database information. The database is created again, this time with virtuser as the owner. This is important to associate a database SCHEMA with the database. The SELECT statement exercises the connection.
79. Primary setup: Defining a JDBC provider
Define a JDBC provider for the Derby database installed above
The Apache Derby JDBC driver is bundled with WebSphere.
The Jython script to define a JDBC provider for Derby is
AdminTask.createJDBCProvider('[-scope Cell=BaseAppSrvCell -databaseType Derby -providerType "Derby Network Server Using Derby Client 40" -implementationType "Connection pool data source" -name "Derby Network Server Using Derby Client 40" -description "Derby Network Server Provider that uses the Derby Client 40." -classpath [${DERBY_JDBC_DRIVER_PATH}/derbyclient.jar] -nativePath ""]')
This defines a JDBC driver for Derby in network mode. The alternative is to run Derby in embedded mode.
80. Primary setup: Defining an authentication alias
Define an authentication alias for the Derby database installed above
An authentication alias is a feature that stores a user name and password combination in WebSphere, encrypting the password so that it cannot be read.
The Jython script to define an authentication alias is
AdminTask.createAuthDataEntry('[-alias DerbyMigrationTest -user virtuser -password ******** -description "Connection to the Derby MigrationTest database"]')
After executing this script you will be able to use the alias when defining a data source. It is visible under Global security > JAAS - J2C authentication data in the WebSphere console. Derby needs to be enabled for native authentication to use this.
81. Primary setup: Defining a data source
Define a data source for the Derby database installed above
A data source encapsulates the connection to a specific database
The Jython script to define a data source is
AdminTask.createDatasource('Derby Network Server Using Derby Client 40(cells/BaseAppSrvCell|resources.xml#JDBCProvider_1350960071099)', '[-name MigrationTest -jndiName MigrationTest false -componentManagedAuthenticationAlias BaseAppSrvNode/DerbyMigrationTest -configureResourceProperties [[databaseName java.lang.String MigrationTest]]]')
The default server hostname localhost and the default port will be used. The data source is visible under Resources > Data sources in the WebSphere console. The difficult point about this command is determining the ID of the JDBC provider, which is generated by WebSphere. You can use the AdminTask.listJDBCProviders() command to find it.
82. Primary setup: Testing the data source
Test that the data source is properly configured
The Jython script to test the data source is
AdminControl.invoke('WebSphere:name=DataSourceCfgHelper,process=server1,platform=dynamicproxy,node=BaseAppSrvNode,version=,type=DataSourceCfgHelper,mbeanIdentifier=DataSourceCfgHelper,cell=BaseAppSrvCell,spec=1.0', 'testConnection', '[cells/BaseAppSrvCell|resources.xml#DataSource_1350963565192]', '[java.lang.String]')
The output of this method should be 0.
83. Primary setup: example application (part 1)
The application will exercise the data source that we have just configured
The Servlet class definition and getConnection method provide a way to get a Connection object.
package com.example.migration; // placeholder: the package name is not shown on the slide

import java.io.*;
import java.sql.*;
import java.util.*;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

public class TestDataSourceServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;
    // JNDI name of the data source defined with AdminTask.createDatasource above
    private static String DS_NAME = "MigrationTest";

    private Connection getConnection() throws NamingException, SQLException {
        InitialContext ic = new InitialContext();
        DataSource ds = (DataSource) ic.lookup(DS_NAME);
        return ds.getConnection();
    }
. . .
84. Primary setup: example application (part 2)
The application will exercise the data source that we have just configured
The listUsers method provides a way to get a list of user names.
    public List<String> listUsers() throws SQLException, NamingException {
        System.out.println("listUsers");
        Connection con = getConnection();
        try {
            Statement s = con.createStatement();
            ResultSet rs = s.executeQuery("SELECT * FROM users");
            List<String> users = new ArrayList<String>();
            while (rs.next()) {
                users.add(rs.getString(2)); // column 2 is USERNAME
            }
            return users;
        } finally {
            con.close(); // return the pooled connection to the data source
        }
    }
85. Primary setup: example application (part 3)
The application will exercise the data source that we have just configured
The doGet method is the entry point for the HTTP request
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        System.out.println("TestDataSourceServlet.doGet entered");
        PrintWriter writer = response.getWriter();
        try {
            List<String> users = listUsers();
            for (String user : users)
                writer.println(user);
        } catch (SQLException e) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
            e.printStackTrace();
        } catch (NamingException e) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
            e.printStackTrace();
        }
    }
}
86. Primary setup: invoking the example application
Package the application into the migrationEAR and copy it to the monitored directory as before. Invoke the Servlet using the URL
http://<primary_ip>:9080/migrationWAR/TestDataSourceServlet
87. Migration: Overview
Alternate approach based on profile export when migrating a J2EE application
WebSphere profiles include the applications packaged in them and all other configuration settings. We will use the export of a profile to a configuration archive to migrate our upgraded example application. These steps are already automated in the WebSphere images in the SCE catalog, except for the additional customization specific to deployed applications.
Steps
1) Export the profile configuration archive from the primary WebSphere system
2) Copy files to the secondary server
3) Test the database
4) Import the profile
5) Update the profile for the new host name
6) Perform additional customization for application-specific settings, e.g. data sources
88. Migration 1: Exporting the profile from the primary system
Alternate step when migrating a WebSphere application
The profile contains all the configuration properties and topology settings for the primary system, compared with the properties export, which only has configuration properties. However, exporting and importing profiles requires a restart. Use the manageprofiles command to export the profile. First stop the web server and admin server from the idcuser login.
$ sudo /opt/IBM/HTTPServer/bin/apachectl stop
$ sudo /opt/IBM/HTTPServer/bin/adminctl stop
Stop the application server and use the manageprofiles command to find and export the profile
$ su - virtuser
$ /opt/IBM/WebSphere/AppServer/bin/stopServer.sh server1
$ /opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -listProfiles
[AppSrv01]
$ /opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -backupProfile -profileName AppSrv01 -backupFile /home/virtuser/AppSrv01.car
INSTCONFSUCCESS: Success: The profile backup operation was successful.
89. Migration 2: Copy Derby and WebSphere files
Use rsync as in the case study to copy the Derby directory tree
Shut down the database and copy the directory tree with rsync
$ sudo java -jar $DERBY_HOME/lib/derbyrun.jar server shutdown
$ sudo rsync -avz -e "ssh -i /home/idcuser/.ssh/july26_key" /opt/Apache/db-derby- idcuser@<secondary_ip>:/tmp/
Since the WebSphere profile and .bashrc are just single files, use the scp command to copy them
$ sudo scp -i /home/idcuser/.ssh/july26_key /home/virtuser/AppSrv01.car idcuser@<secondary_ip>:/tmp/
$ scp -i /home/idcuser/.ssh/july26_key /home/idcuser/.bashrc idcuser@<secondary_ip>:<destination_directory>
Log into the secondary machine and move the files to the proper places, edit the firewall rules, and change the owner of the configuration archive.
# mv /tmp/db-derby- /opt/Apache/.
# vi /etc/sysconfig/iptables
# /sbin/service iptables restart
# chown virtuser:users /tmp/AppSrv01.car
90. Migration 3: Test database
Test the Derby server and client
Start the Derby server
$ sudo /bin/bash
# cd /opt/Apache/db-derby-
# java -jar $DERBY_HOME/lib/derbyrun.jar server start
Start the Derby client and check that the database can be used normally.
$ java -jar $DERBY_HOME/lib/derbyrun.jar ij
ij> CONNECT 'jdbc:derby://localhost:1527/MigrationTest;user=virtuser;password=******';
ij> SELECT * FROM users;
. . .
ij> exit;
91. Migration 4: Configure Secondary WebSphere System
Import the WebSphere profile into the secondary system
The profile contains all the runtime settings for the primary system. Use the manageprofiles command to import the profile. First make sure that the web server and admin server are stopped.
$ sudo /opt/IBM/HTTPServer/bin/apachectl stop
$ sudo /opt/IBM/HTTPServer/bin/adminctl stop
Copy the backed up profile from the previous step to the secondary server, stop the application server, and use the manageprofiles command to delete the existing profile and import the new one.
$ su - virtuser
$ /opt/IBM/WebSphere/AppServer/bin/stopServer.sh server1
$ /opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -delete -profileName AppSrv01
$ rm -rf /opt/IBM/WebSphere/Profiles/AppSrv01
$ /opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -restoreProfile -backupFile /tmp/AppSrv01.car
INSTCONFSUCCESS: Success: The profile was successfully restored.
92. Migration 5: Check application on secondary system
Start up WebSphere with the new profile
Start up WebSphere with the command
$ /opt/IBM/WebSphere/AppServer/bin/startServer.sh server1
Invoke the application in a browser with the URL
http://<secondary_ip>:9080/migrationWAR/TestDataSourceServlet
93. Migration issues found
Problems with importing the WebSphere profile
The profile contains the host name and IP address frozen in several parts of the profile
– SSL certificates
– Web server definition
The SSL certificate can be ignored, but the web server definition needs to be fixed before it can be used. The files listed below need to be edited to replace the IP address with the IP address of the secondary server. Stop the server before making the edits.
$ cd /opt/IBM/WebSphere/Profiles/AppSrv01/config/cells/BaseAppSrvCell/nodes/BaseAppSrvNode
$ grep <primary_ip> *
serverindex.xml: . . .
$ cd /opt/IBM/WebSphere/Profiles/AppSrv01/config/cells/BaseAppSrvCell/nodes/BaseAppSrvNode/servers/webserver1
$ grep <primary_ip> *
httpd.conf:ServerName <primary_ip>
plugin-cfg.xml: <Transport Hostname="<primary_ip>" Port="9080" Protocol="http"/>
plugin-cfg.xml: <Transport Hostname="<primary_ip>" Port="9443" Protocol="https">
$ grep vhost0773 *
Binary file plugin-key.kdb matches
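The grep session above shows the two failure modes of fixing a restored profile by hand: the primary address can hide inside longer tokens (an IP that is a prefix of another), and binary stores such as plugin-key.kdb match but cannot be edited as text. The added example below (not from the deck, and also the "program" that slide 56 leaves to the reader) walks a profile tree, substitutes whole-token occurrences of the primary host name and IP in text files, and only reports binary files that still contain them; the profile file contents and addresses are constructed.

```python
"""Replace the primary host name / IP in an exported WebSphere profile tree.

Added example for this deck, not part of the original slides. File contents and host
values are constructed; real profile files (serverindex.xml, httpd.conf, plugin-cfg.xml)
carry the same kind of strings, and plugin-key.kdb is a binary key store that a text
substitution must leave alone.
"""
import os
import re
import tempfile

NODE = "config/cells/BaseAppSrvCell/nodes/BaseAppSrvNode"
SERVERINDEX = NODE + "/serverindex.xml"
HTTPD_CONF = NODE + "/servers/webserver1/httpd.conf"
PLUGIN_CFG = NODE + "/servers/webserver1/plugin-cfg.xml"
PLUGIN_KDB = NODE + "/servers/webserver1/plugin-key.kdb"

# Constructed sample files; addresses are from the RFC 5737 documentation ranges.
SAMPLE_FILES = {
    SERVERINDEX: b'<serverindex:ServerIndex hostName="192.0.2.11">\n',
    HTTPD_CONF: b"ServerName 192.0.2.11\nListen 192.0.2.111:8080\n",
    PLUGIN_CFG: (b'<Transport Hostname="192.0.2.11" Port="9080" Protocol="http"/>\n'
                 b'<Transport Hostname="192.0.2.11" Port="9443" Protocol="https">\n'),
    PLUGIN_KDB: b"\x00\x00KDB\x00vhost0773.mymigrationtest.com\x00",
}


def is_binary(data):
    """Crude but effective for profile trees: text configuration files never contain NUL bytes."""
    return b"\x00" in data[:8192]


def rewrite_hosts(root, replacements, dry_run=False):
    """Substitute whole-token occurrences of each key of `replacements` in text files under root.

    Returns {'changed': [...], 'binary_hits': [...], 'occurrences': n}. The token boundaries
    stop 192.0.2.11 from matching inside 192.0.2.111, while a short host name still matches
    as the first label of its FQDN. Binary files are reported, never rewritten."""
    pattern = re.compile("|".join(r"(?<![\w-])" + re.escape(old) + r"(?![\w-])"
                                  for old in replacements))
    report = {"changed": [], "binary_hits": [], "occurrences": 0}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                data = f.read()
            if is_binary(data):
                if any(old.encode() in data for old in replacements):
                    report["binary_hits"].append(rel)   # needs ikeyman / a new key store
                continue
            text = data.decode("utf-8", errors="surrogateescape")
            new_text, n = pattern.subn(lambda m: replacements[m.group(0)], text)
            if n:
                report["occurrences"] += n
                report["changed"].append(rel)
                if not dry_run:
                    with open(path, "wb") as f:
                        f.write(new_text.encode("utf-8", errors="surrogateescape"))
    report["changed"].sort()
    report["binary_hits"].sort()
    return report


def build_sample_profile(root):
    """Write the constructed profile fragment under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)


def run_demo():
    """Rewrite the constructed profile; return the report and the rewritten httpd.conf bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        report = rewrite_hosts(tmp, {"192.0.2.11": "198.51.100.22", "vhost0773": "vhost2242"})
        with open(os.path.join(tmp, *HTTPD_CONF.split("/")), "rb") as f:
            httpd = f.read()
    return report, httpd


if __name__ == "__main__":
    print(run_demo())
```

Run it with dry_run=True first against a copy of the restored profile to see what would change before touching the files.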
94. More resources: Sample scripts
Sample Scripts provide many examples using wsadmin Jython
– Import / export
  • Traverse all objects and export them to a file; import is in another script
– WebSphere administration scripts
  • Miscellaneous administrative tasks: start server, stop server, export an application, etc.
– WebSphere automated deployment scripts
  • Deploy and manage applications
95. X.509 Certificate management with WebSphere wsadmin
96. X.509 Certificate management: Overview
Certificates are used by web servers to provide secure connections to end users and to provide secure communications between systems.
– You cannot simply migrate certificates from one server to another. The CN of the subject in a certificate must match the host name of the server that it is used on.
– You can sometimes avoid the problem by adding an exception in the browser, disabling host name checking in code, or completely disabling checking in code
– You can use a common certificate signing authority to avoid the need for exceptions
Tools
– OpenSSL
  • An open source toolkit for implementing SSL and TLS
  • Includes tools for creating certificates, including processing certificate signing requests
– Ikeyman
  • Graphical tool for certificate management for IBM WebSphere
– wsadmin
  • Helps to automate management of the certificates within the WebSphere Application Server system
97. X.509 Certificate management: Host name matching
98. Certificate management: Querying certificates
Certificates are stored in either a regular certificate store or a signer certificate store. You can get a list of certificate stores with the wsadmin Jython script below. Save the file to a script called <script_name>.py
AdminTask.listKeyStores('[-all true -keyStoreUsage SSLKeys]')
You can execute this from the wsadmin console, as shown below.
$ /opt/IBM/WebSphere/Profiles/AppSrv01/bin/wsadmin.sh -lang jython -f /home/virtuser/<script_name>.py
. . .
NodeDefaultKeyStore(cells/BaseAppSrvCell|security.xml#KeyStore_BaseAppSrvNode_1)
NodeDefaultTrustStore(cells/BaseAppSrvCell|security.xml#KeyStore_BaseAppSrvNode_2)
99. Certificate management: Adding new certificates
Certificates are used by web servers to provide secure connections to end users and to provide secure communications between systems.
You can use the WebSphere administrative console, the scripting tool, or the command line to generate certificate signing requests and import certificates. The command to generate a new certificate signing request is
/opt/IBM/WebSphere/Profiles/AppSrv01/bin/createCertRequest.sh
You will need to use a third party service or another tool, such as OpenSSL, to sign the certificate request. That service will have its own signer certificate, which should be imported. The Jython script to import a signer certificate is
AdminTask.addSignerCertificate('[-keyStoreName NodeDefaultSignersStore -keyStoreScope (cell):BaseAppSrvCell:(node):BaseAppSrvNode -certificateFilePath /home/virtuser/my_signer.cer -base64Encoded true -certificateAlias my_signer]')
This will import the signer certificate from the file /home/virtuser/my_signer.cer and give it the alias my_signer.
100. Resources
1) Amies, Sluiman, Tong, Liu, 2012. Developing and Hosting Applications on the Cloud, ISBN-13: 978-0-13-306684-5
2) Apache Foundation, 2012. Apache Module mod_rewrite
3) Apache Foundation, 2012. Apache Derby Database project web site
4) Batla, M., 2012. WebSphere Application Server V8.5 Administration and Configuration Guide, IBM Redbook
5) Holve, M., 2005. A tutorial on using rsync
6) IBM, 2010. WebSphere Application Server V7 Migration Guide, Red Paper
7) IBM, 2012. IBM SmartCloud Enterprise Command Line Tool Reference
8) IBM, 2012. Sample Scripts for WebSphere Application Server
9) IBM, 2012. WebSphere Application Server 8.5 InfoCenter
10) 2012. Knowledge Collection: Migration planning for WebSphere Application Server
101. Resources (continued)
1) IBM, 2012. SmartCloud Enterprise Customizing Images and Software Bundles
2) IBM Authors, Preparing for IBM PureApplication System: Article series on onboarding your applications, developerWorks
3) Internet Systems Consortium, BIND, web page
4) OpenSSL project web site
5) Red Hat, Red Hat Enterprise Linux, documentation page
6) rsync project
7) Willenborg, et al., 2008. Using virtual image templates to deploy WebSphere Application Server
105. Tools for workload migration – BIND
• Concepts
  – BIND acts as a DNS nameserver binding host names to IP addresses
  – BIND is an open source DNS nameserver and is the most popular in use
  – Difficult to configure – due to hacking of public DNS servers, security has become more restrictive
• Client configuration
  – We can configure clients to point to our own DNS service with or without registering our own DNS server
• Server
  – Bundled with RHEL
  – Can act as either a caching server or an authoritative server or both
  – Stores host name to IP mappings in Resource Records
  – BIND includes a nameserver that runs as named and a remote administration utility called rndc
106. Tools for workload migration – DNS Data
Types of Resource Record (RR)
  – Address (A) records
  – Canonical name (CNAME) records
  – Start of Authority (SOA)
  – Mail (MX) records
  – Pointer (PTR) records
  – Others
Address (A) records
  – Maps a host name to an IP address
Canonical name (CNAME) records
  – An alias of another host name
  – Used to provide multiple host names for a given server
Start of Authority (SOA)
  – Used by an authoritative server to define naming characteristics for a zone (domain), such as the domain name and time to live
107. Tools for workload migration – DNS Tools
nslookup – included with Linux Standard Base (LSB)
Concepts
  – A common tool to discover more about names is nslookup; the basic form is
    $ nslookup <name> [nameserver]
Example
# nslookup <name>
<name>          canonical name = <alias>
. . .
108. Tools for workload migration – DNS Tools
dig – client tool included with BIND
Concepts
  – Similar to nslookup but more useful; the basic form is
    $ dig [@nameserver] <name>
Example
# dig <name>
;; QUESTION SECTION:
;<name>.                 IN A
;; ANSWER SECTION:
                 300     IN CNAME
                 300     IN CNAME
                 60      IN CNAME
                 300     IN CNAME
                 60      IN A
;; AUTHORITY SECTION:
                 389035  IN NS
                 389035  IN NS
;; ADDITIONAL SECTION:
                 78789   IN A
                 78789   IN A
;; Query time: 35 msec
;; SERVER:
110. Trademarks and notes
© IBM Corporation 2012
IBM, the IBM logo, ibm.com, Cognos, DB2, Informix, Lotus, Rational, SmartCloud, System x, Tivoli and WebSphere are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), these symbols indicate US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at "Copyright and trademark information".
Intel is a trademark of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.