WebSphere Administration Course
Copyright © Oded Nissan 2009
Jan 21, 2015
Agenda
• Trouble Shooting and Monitoring
• WebSphere Security
• Cell Management
• Scalability and Clustering
– Scalability and Failover Overview
– WebSphere Scalability
– Creating a Cluster
• Summary
Trouble Shooting and Monitoring
Trouble Shooting
• We need to determine the problem using a divide and conquer approach.
• What kind of problem do I have?
• What component is causing the problem?
• Use the appropriate resource for identifying the problem.
Trouble Shooting
• The trouble shooting menu contains the following options:
– Logs and Trace: configure logging and tracing for the server.
– Class Loader Viewer: view the class loader hierarchy in each application.
– Configuration validation: errors and warnings related to configuration problems.
– Diagnostic provider: choose a diagnostic provider available for the server.
– Runtime messages: events published by application server classes.
Diagnostic Provider
• From the navigation menu choose App servers->server1->Performance and Diagnostic Advisor Configuration.
• Enable the diagnostic provider.
• From the navigation menu choose Troubleshooting->Diagnostic provider.
• Choose the server and choose the diagnostic test to run.
Diagnostic Provider
Log files
• SystemOut.log – the JVM output log; contains all WAS and application messages logged to standard output.
• SystemErr.log – contains all WAS and application messages logged to standard error.
• startServer.log and stopServer.log – log messages related to server startup and shutdown.
• native_stdout.log and native_stderr.log – contain log messages from native libraries logged to standard output and standard error.
• activity.log – events that show the history of activities.
• trace.log – output from diagnostic trace.
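SystemOut.log is the first file a practitioner reads when a failure or an authentication problem is reported, and the same records are what a monitoring tool would alert on. As an added example that is not part of the course material, the following Python script parses SystemOut.log records in the basic log format (assumed here to be `[timestamp] threadId shortName eventType message`, with non-matching lines treated as continuation lines such as stack traces), counts error records by message id, and pulls out the failures reported by the security component, whose message ids carry the SECJ prefix. The sample log lines and their message numbers are constructed for the example and are not real WAS message numbers.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# One basic-format SystemOut.log record (assumption: WAS "basic" log format):
#   [timestamp] threadId shortSourceName eventType message
# Lines that do not match (stack traces, wrapped text) are continuation lines.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+"
    r"(?P<thread>[0-9a-fA-F]{8})\s+"
    r"(?P<source>\S+)\s+"
    r"(?P<type>[A-Z])\s+"
    r"(?P<msg>.*)$"
)
# WAS message ids have the shape CCCCNNNNS: component, number, severity letter.
MSG_ID_RE = re.compile(r"^([A-Z]{4}\d{4}[A-Z])\b")


@dataclass
class LogEntry:
    timestamp: str
    thread: str
    source: str
    event_type: str          # I, W, E, O, R, A, F, ... as written by the logger
    message: str
    continuation: list = field(default_factory=list)

    @property
    def message_id(self):
        m = MSG_ID_RE.match(self.message)
        return m.group(1) if m else None


def parse_systemout(text):
    """Parse basic-format log text into LogEntry records."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(LogEntry(m["ts"], m["thread"], m["source"], m["type"], m["msg"]))
        elif entries and raw.strip():
            entries[-1].continuation.append(raw)  # stack trace / wrapped line
    return entries


def count_by_message_id(entries, types=("E", "F")):
    """Count error/fatal records by message id: the quick 'what is failing' view."""
    return Counter(e.message_id for e in entries
                   if e.event_type in types and e.message_id)


def security_failures(entries, component="SECJ"):
    """Error records from one component (SECJ is the WebSphere security component prefix)."""
    return [e for e in entries
            if e.event_type in ("E", "F") and e.message_id
            and e.message_id.startswith(component)]


# Constructed sample log: ids have the WAS shape but are not real WAS message numbers.
SAMPLE_LOG = """\
[1/21/15 10:32:11:123 GMT] 0000000a WsServerImpl  A   WSVR1111I: constructed: server server1 open for e-business
[1/21/15 10:33:02:450 GMT] 0000001f LTPAServerObj E   SECJ1234E: constructed: authentication failed for user alice
[1/21/15 10:33:02:451 GMT] 0000001f LTPAServerObj E   SECJ1234E: constructed: authentication failed for user alice
[1/21/15 10:33:05:002 GMT] 00000021 SystemErr     R java.lang.IllegalStateException: constructed exception
    at com.example.Foo.bar(Foo.java:42)
[1/21/15 10:34:00:000 GMT] 00000021 WebContainer  W   SRVE4321W: constructed: session manager warning
"""

if __name__ == "__main__":
    entries = parse_systemout(SAMPLE_LOG)
    for mid, n in count_by_message_id(entries).items():
        print(f"{mid}: {n} occurrence(s)")
    for e in security_failures(entries):
        print(e.timestamp, e.thread, e.message)
```

Run it against a real SystemOut.log by replacing SAMPLE_LOG with the file contents; a burst of identical SECJ error ids from one thread within a short window is the kind of pattern worth an alert rather than a manual log read.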
Trace
• Trace messages can be set on different components at different trace levels.
• Tracing needs to be manually activated. Tracing a server is very demanding on system resources and we need to shut down trace once we are done with diagnostics.
• To enable trace on a running system, make changes on the Runtime tab in Troubleshooting->Logging and tracing->server1->Diagnostic trace.
Trace – changing the trace level
First Failure Data Capture tool (FFDC)
• Saves the information generated from a processing failure.
• This tool is meant to be used by IBM support, administrators cannot start or stop it.
• Data is saved in log files in the <WAS HOME>/profiles/<profile>/logs/ffdc directory.
Collector Tool
• IBM support will ask you to run it to collect information about your server in order to solve a problem.
• To run collector: <WAS_HOME>/profiles/<profile>/bin/collector.bat
• Gathers information about the WAS installation and packages it in a jar file.
Performance Monitoring Infrastructure
• Performance Monitoring Infrastructure (PMI) is the core monitoring infrastructure for WebSphere Application Server.
• Using PMI data, the performance bottlenecks in the application server can be identified and fixed.
• PMI data can also be used to monitor the health of the application server. Some of the health indicators are CPU usage, Servlet response time, and JDBC query time. Performance management tools like Tivoli Monitoring for Web Infrastructure and other third party tools can monitor the PMI data and generate alerts based on some predefined thresholds.
PMI Architecture
Performance Data Terminology
• Performance data classifications:
– Numeric – simple values such as sizes and counters.
– Stat – data on a sample space.
– Load – values as a function of time.
• Performance data hierarchy:
– Node – a physical machine.
– Server – an instance providing a service.
– Module – a resource category.
– SubModule – a sub-category of a module.
– Instance – an instance of a class.
– Method – a class method.
– Counter – a data type holding performance data.
Performance Monitoring Infrastructure
• To enable performance monitoring: from the navigation menu choose Servers->Application Servers->server1.
• Click the Configuration tab.
• Click Performance Monitoring Infrastructure (PMI) under Performance.
• Select the Enable Performance Monitoring Infrastructure (PMI) check box.
• Optionally, select the Use sequential counter updates check box to enable precise statistic updates.
Tivoli Performance Viewer
• Tivoli Performance Viewer (TPV) enables administrators and programmers to monitor the overall health of WebSphere Application Server from within the administrative console.
• You can view real-time data on the current performance activity of a server using TPV in the administrative console.
• Use TPV to view summary reports on servlets, Enterprise JavaBeans (EJB) methods, connection pools and thread pools in WebSphere Application Server.
• TPV shows graphs of various performance data on system resources such as CPU utilization, on WebSphere pools and queues such as database connection pools, and on customer application data such as servlet response time.
Tivoli Performance Viewer
• To use TPV, from the navigation menu choose Monitoring and tuning->Performance viewer->Current Activity.
• Choose the server and click Start monitoring.
• Click on the server to view performance metrics.
• Use the View logs menu to view the performance log files directly.
Tivoli Performance Viewer
Performance Tips
WebSphere Security
What is security?
• Authentication – Who am I?
– Authenticate a user connecting to the Application Server or an application.
– Authenticate data passed over the wire.
• Authorization – What am I allowed to do?
– Administrative security – what administrative actions can I perform on the application server.
– Application security – what kind of actions can I perform in the application.
Security the Big Picture
Administrative Security
• The term administrative security represents the security configuration which affects the entire security domain. The security domain consists of all the servers that are configured with the same user registry realm name.
• The basic requirement for a security domain is that the access ID returned by the registry from one server be the same access ID as that returned from the registry on any other server within the same security domain.
Administrative Security
• Enabling administrative security activates a wide variety of security settings for WebSphere Application Server. They take effect only when administrative security is activated.
• These settings include authentication of users, the use of Secure Sockets Layer (SSL), the choice of user account repository, and application security.
Enabling Administrative Security
• From the navigation menu, choose Security → Secure administration, applications and infrastructure.
• In the Secure administration, applications, and infrastructure window select Enable administrative security.
Enabling Administrative Security
Authentication mechanism
• The WebSphere Application Server uses Lightweight Third Party Authentication (LTPA) as the default authentication mechanism. LTPA supports forwardable credentials and, for security reasons, a configurable expiration time is set on the credentials.
• The use of LTPA allows you to enable single sign-on (SSO) for your security domain.
• Additional Information at: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp.
User account repository
• WebSphere supports four types of user repositories:
– Local operating system
– Stand-alone Lightweight Directory Access Protocol (LDAP) registry
– Stand-alone custom registry
– Federated repositories
Local OS Registry
• With the local operating system user registry implementation, the WebSphere Application Server authentication mechanism can use the user accounts database of the local operating system.
• The respective operating system APIs are called by the product processes (servers) for authenticating a user.
Required privileges in Windows
• For a stand-alone machine, the user account under which the server runs:
– Is a member of the administrative group
– Has the Act as part of the operating system privilege
– Has the Log on as a service privilege, if the server is run as a service
• For a machine on the domain, the user account under which the server runs:
– Is a member of the domain administrative groups
– Has the Act as part of the operating system privilege in the Domain
– Has the Act as part of the operating system privilege in the Local security policy on the local machine
– Has the Log on as a service privilege on the local machine, if the server is running as a service
Stand-alone LDAP Registry
• LDAP is a distributed directory server used to store organizational data.
• Entries are organized in a tree-like structure called the Directory Information Tree. Entries contain attributes and are identified by their distinguished name (DN).
• An LDAP server contains standard entries.
LDAP Information Tree
Custom Registry
• WebSphere supports authenticating against a custom registry.
• In order to authenticate against a custom registry we need to implement the UserRegistry interface so that WebSphere can use the existing registry for all of the security-related operations.
• It is expected that the implementation does not depend on other WebSphere resources, such as datasources, for its operation.
Federated Registry
• A federated repository enables you to use multiple repositories with WebSphere. These repositories, which can be file-based repositories, LDAP repositories, etc., are defined and logically combined under a single realm.
• All of the user repositories configured under the federated repository functionality are transparent to WebSphere.
WebSphere Authentication Mechanism
Configuring the OS Registry
• Click Security → Secure administration, application, and infrastructure. Under User account repository, select Local operating system and click Configure.
• Enter a valid user name in the Primary administrative user name field. This value is the name of the user with administrative privileges that is defined in the registry and is used to access the administrative console.
• Click Apply.
Configuring the OS Registry
• Select either the Automatically generated server identity option or the Server identity that is stored in the repository option. If you select the Server identity that is stored in the repository option, enter the following information:
– For Server user ID or administrative user, specify the short name of the account that you chose.
– For Server user password, enter the password of the account that you chose.
• Click OK.
Configuring the OS Registry
Configuring the OS Registry
• Ensure that the Active User Registry option is set to Local Operating System and that Security is enabled. Click Apply to validate the settings.
• Save the configuration for WebSphere.
• Restart your WebSphere Application Server.
• Login to the Admin Console using your credentials.
Disabling Administrative Security
• To disable administrative security:
– Use the Admin Console.
– If the server is down or we cannot login to the Admin Console, use wsadmin:
• <WebSphere_home>\bin\wsadmin.bat -conntype NONE
• Type the command: securityoff
• Restart the server.
Administrative Roles
Mapping a user to an administrative role
• From the Administrative Console, select Users and Groups → Administrative User Roles.
• Click Add.
• Under General Properties, in the User field enter a user name. This user must be defined in the user account repository that is to be active when administrative security is enabled.
• Select the appropriate administrative role. More than one role may be selected.
Mapping a user to an administrative role
• Click OK and save.
Application Security
• Application security provides authentication and authorization support for JEE applications.
• Application security must be enabled if we intend to use declarative security, which binds into the WebSphere security architecture.
• Alternatively, we could use programmatic security.
Enabling Application Security
• From the navigation menu choose Security->Secure administration
• In the application security section select Enable application security.
• Click Apply, then Save.
• Restart the server for the change to take effect.
Testing Application Security
• Try to access the following URL: http://localhost:9080/snoop
• You will be prompted with a login dialog. Enter a user name and password stored in the user registry to login.
• If login is successful the snoop servlet will be activated.
Mapping users and groups to roles in application security.
• Every application has its own roles and therefore its own mappings. Therefore we need to assign users and groups to roles at the application level.
• Role assignment is usually done in the deployment descriptor of the application.
• Role assignment can also be done using the Admin Console.
Mapping users and groups to roles in application security.
• Select Applications → Enterprise Applications → <your_application> → Security role to users/group mapping
Mapping users and groups to roles in application security.
• Role mapping can also be done during application installation. In the Map security roles to users or groups step you can select any of the roles and assign a user or a group from the user registry using one of the lookups.
• You can also assign one of the special subjects (Everyone or All authenticated) to the role.
Web Application Security
• To use declarative security for web applications we need to define security constraints on web application resources in the application deployment descriptor. We can define which role can access each resource.
• When we access a secured resource for the first time we will get a login dialog and need to login.
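Before mapping users and groups to the roles of a web application, it is worth checking what the deployment descriptor actually constrains. As an added example that is not part of the course material, the following Python script reads a standard Java EE web.xml (any schema namespace) and reports the cases an administrator should see before deployment: resources with no auth-constraint (open to anyone), an empty auth-constraint (denies everyone), the "*" role (any authenticated user), roles used but not declared, constrained resources with no CONFIDENTIAL transport guarantee (credentials and session ids can travel over plain HTTP), and constraints that list specific HTTP methods (other methods on the same URL patterns are left unconstrained). The web.xml used as input is constructed for the example.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so the checks work for any web.xml schema version."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text and c.text.strip()]


def parse_constraints(xml_text):
    """Return (constraints, declared_roles) from a web.xml document."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in _children(root, "security-constraint"):
        patterns, methods = [], []
        for wrc in _children(sc, "web-resource-collection"):
            patterns += _texts(wrc, "url-pattern")
            methods += _texts(wrc, "http-method")
        auth = _children(sc, "auth-constraint")
        # Servlet spec semantics: no <auth-constraint> = anyone may access;
        # an empty <auth-constraint/> = nobody may access; "*" = any authenticated user.
        roles = _texts(auth[0], "role-name") if auth else None
        udc = _children(sc, "user-data-constraint")
        transport = (_texts(udc[0], "transport-guarantee") or ["NONE"])[0] if udc else "NONE"
        constraints.append({"patterns": patterns, "methods": methods,
                            "roles": roles, "transport": transport})
    declared = set()
    for sr in _children(root, "security-role"):
        declared.update(_texts(sr, "role-name"))
    return constraints, declared


def audit_web_xml(xml_text):
    """List (finding, where) pairs a reviewer would want to see before mapping roles."""
    constraints, declared = parse_constraints(xml_text)
    findings = []
    for c in constraints:
        where = ", ".join(c["patterns"])
        if c["roles"] is None:
            findings.append(("UNPROTECTED", where))
        elif not c["roles"]:
            findings.append(("DENY_ALL", where))
        elif "*" in c["roles"]:
            findings.append(("ANY_AUTHENTICATED", where))
        for role in c["roles"] or []:
            if role != "*" and role not in declared:
                findings.append(("UNDECLARED_ROLE", f"{role} on {where}"))
        if c["roles"] and c["transport"] != "CONFIDENTIAL":
            findings.append(("PLAINTEXT_ALLOWED", where))  # login and session id over HTTP
        if c["methods"]:
            # Only the listed verbs are constrained; other verbs on these patterns are not.
            findings.append(("METHOD_LIMITED", f"{where} ({', '.join(c['methods'])} only)"))
    return findings


# Constructed web.xml for illustration; not taken from any real application.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern><http-method>GET</http-method></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>public</web-resource-name>
      <url-pattern>/public/*</url-pattern></web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>internal</web-resource-name>
      <url-pattern>/internal/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>audit</web-resource-name>
      <url-pattern>/audit/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>auditor</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
"""

if __name__ == "__main__":
    for finding, where in audit_web_xml(SAMPLE_WEB_XML):
        print(f"{finding:18} {where}")
```

The /admin/* constraint in the sample produces no finding; the others show the descriptor states that look fine at a glance but change who can reach a resource. Run it on the WEB-INF/web.xml of an EAR before the Map security roles to users or groups step, and compare the declared roles with the ones you are about to map.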
EJB Application Security
• Authentication in an EJB application is achieved by passing the credentials to the InitialContext object when we connect to JNDI to lookup the EJB.
• If we authenticated to the web application on the same server then the user identity is available to the EJB application.
EJB Application Security
• Declarative security is implemented by giving permission on EJBs or EJB methods to roles in the EJB deployment descriptor.
• Mapping users and groups to roles is also implemented using deployment descriptors.
Secure Sockets Layer (SSL)
• WebSphere Application Server uses the Secure Sockets Layer (SSL) protocol to provide Transport Layer Security (TLS), which allows for secure communication between a client and application server.
• The SSL configuration options in WebSphere offer full end-to-end management, including certificate management, individual endpoint SSL mappings, and scoped association of SSL configurations and key stores.
Resources
• Info center for WAS 6.1 - http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
• IBM Redbook – sg246316 WAS Security Handbook
• Admin Console context sensitive online help.
Cell Management
Cell Management
• In order to manage a cell we need to create a deployment manager profile and add nodes to the cell.
• Two approaches for creating a cell:
– Add existing standalone nodes to the cell.
– Create a custom profile on the node and add the node to the cell. This way we can dynamically create more than one server on the node.
Cell Management
Creating a Cell
• To create a cell:
– Create a deployment manager profile and start the deployment manager process.
– Create a custom profile on the node or a regular application server profile on the node.
– Add the node to the cell.
– Run the admin console on the deployment manager machine and manage the cell.
Creating a Deployment manager profile
• From the <WAS HOME>/bin/ProfileManagement directory run PMT.bat.
• Choose to create a deployment manager profile.
• Choose typical or advanced setup.
• Press Next.
Creating a Deployment manager profile
• Give the profile a name and choose the profile directory (to override the default).
Creating a Deployment manager profile
• You can enter the cell name, node name and host name; defaults are filled in automatically.
Creating a Deployment manager profile
• You can change the ports to avoid collision with an existing server.
Creating a Deployment manager profile
• On Windows systems you can run the profile as a Windows service.
Creating a Deployment manager profile
• Press Next, review the settings and press Finish to create the profile.
• The First Steps console is started.
• Now we can move to the profile directory and start the server using the startServer command from the bin directory.
Deployment manager directory structure
Deployment manager
• All configuration data is stored in the config directory.
• The deployment manager holds the master configuration of the whole cell; each node has just the information needed to run that node.
• Use the admin console to change configuration. http://localhost:9060/ibm/console
Command line tools
• In the bin directory of the deployment manager we have the following command line tools:
– startManager – starts the deployment manager.
– stopManager – stops the deployment manager.
Adding a node to the cell
• To add an existing node to the cell run the following command from the node’s bin directory:
– addNode <dep manager host> <port>
– The port is the SOAP port of the deployment manager (default is 8879).
– Run the startNode command to start the node agent.
• Now the node is managed by the deployment manager. The node’s admin console is no longer available.
Removing a node from the cell
• Use the removeNode command from the bin directory to remove a node from the cell.
– removeNode [options]
– Options are optional; without parameters removeNode removes the current node from the cell.
– removeNode also stops the node manager and removes the node configuration from the deployment manager’s master configuration.
Cell management
• From the navigation menu choose System Administration->nodes to display the managed nodes.
• Choose System Administration->Node Agents to display the node agents.
• Choose System Administration->cells and choose the topology tab to display the cell structure.
Custom Profile
• When creating a custom profile we can dynamically create servers on the node.
• A custom profile is especially useful when we want to create a cluster or run more than one server on a node.
• A custom profile node must be added to the cell just like a regular node. Servers can then be created on the node from the deployment manager console.
Creating a custom profile
• From the <WAS HOME>/bin/ProfileManagement directory run PMT.bat.
• Choose to create a custom profile.
• Fill in the profile name, node name and host name just like when creating a regular profile.
• In the last screen enter the name of the deployment manager host and the SOAP port of the deployment manager.
• Choose whether you want to add the node to the cell now, or do it manually later.
Creating a custom profile
Creating a custom profile
• Review your settings and press next to create the profile.
Creating a Server
• We can create servers on the custom node profile.
• From the navigation menu choose Servers->Application servers.
• Press New.
• Select the custom node and give the server a name.
• Press Next.
Creating a Server (step 1)
Creating a Server (step 2)
• Select a template to use for the application server.
Creating a Server (step 3)
• We can generate unique ports for the server on the custom node.
Creating a Server (step 4)
• Review your settings and press Finish
Cell Management
• Using the admin console on the deployment manager we can:
– Manage servers in the cell.
– Install applications on different servers in the cell.
– Administer resources in the cell at the cell, node or server level.
– Manually force configuration synchronization with the cell nodes.
Scalability and Clustering
Scalability and Failover overview
• Scalability is the ability of the system to grow and provide service for higher work load.
• In JEE, scalability means adding more application servers that run either the same application or a different part of the application.
• Scalability requires work load management to divide the work among the different servers.
Scalability and Failover overview
• Failover is the concept of providing high availability for the system by automatically routing requests to another server if one of the servers fails.
• Scalability and failover are a requirement from JEE application servers. However, the implementation is up to the vendors.
Cluster
• Clusters are a set of application servers running the same application and grouped logically for workload management.
• Applications installed to the cluster are distributed to all cluster members.
• Cluster members can be centrally administered.
Clusters and cluster members
WebSphere Scalability
• In WebSphere a cluster is managed by the deployment manager and is created in the admin console from either existing servers or newly created servers (using the custom profile).
• Starting or stopping the cluster starts or stops all cluster members.
• Applications should be installed to the cluster not to a specific server or node.
Vertical Scaling
• Vertical scaling is the concept of creating cluster members on the same physical machine. This is useful when we have a strong machine and want to make use of its resources.
Horizontal Scaling
• Horizontal scaling is the concept of creating cluster members on different physical machines.
Web Tier Scalability
• Work load management at the web tier is performed using a load balancer that distributes HTTP requests between cluster members.
• The load balancer needs to maintain session affinity to maintain application sessions.
• A load balancer can be either IBM’s Edge components or a 3rd party commercial load balancer.
Web Tier Scalability
• IBM HTTP Server or IIS can also be used as a load balancer by using the HTTP plug-in.
Web Tier failover
• Failover is detected by the load balancer, which then routes the request to another server.
• We can configure WebSphere to distribute session information between nodes so that in case of a failover we can resume our session on another server.
Web Tier Failover
• To configure web session management choose Application Servers-><server>->web container->session management-> distributed environment settings.
Load Balancer Failover
• A Load Balancer provides a built-in high availability function. It allows you to configure a backup Load Balancer server.
• If the primary Load Balancer server fails, the backup server takes over.
• This topology is called an Active-Passive topology, where only one server is active at a time.
Load Balancer Failover
• Failover is supported by IBM’s Edge components and other 3rd party load balancers.
EJB Scalability and Failover
• EJB WLM is achieved by generating cluster-aware stubs at deployment time.
• The cluster-aware stub performs the WLM and also handles failover.
• The workload management service provides load balancing and high availability support for the following types of EJBs:
– Homes of entity or session beans
– Instances of entity beans
– Instances of stateless session beans
EJB Scalability and Failover
• EJB Stateful session bean failover is also supported using memory to memory replication.
• In the Administrative Console, select Servers → Application servers →<AppServer_Name>.
• Expand EJB Container Settings, and then select EJB container. Select Enable stateful session bean failover using memory-to-memory replication.
EJB Scalability and Failover
• Failover is also supported by the naming service. We can put more than one server name in the naming URL and the naming service will perform failover if one of the servers is unavailable.
EJB Scalability and Failover
Creating a Cluster (step 1)
• Select Servers → Clusters and click New.
• Enter basic cluster information.
Creating a Cluster (step 2)
• Create the first cluster member (settings will be applied to other cluster members):
– Enter the member name and select its node.
– Weight: server weight for workload management.
– Select the basis for the cluster member.
– Generate unique ports, if we intend to create more than one server on a machine.
Creating a Cluster (step 2)
Creating a Cluster (step 3)
Creating a Cluster (step 3)
• When all the servers have been entered, click Next.
• A summary page shows you what will be created.
• Click Finish to create the cluster and new servers.
• Save the configuration.
Viewing Cluster Topology
• Select Servers →Cluster Topology
Managing a Cluster
• Select Servers → Clusters.
• Check each cluster you want to work with and select one of the following options:
– Start: start all servers in the cluster.
– Stop: stop all servers in the cluster. This allows the servers to finish existing requests and allows failover to another member of the cluster.
– Ripplestart: stop, then start all servers in the cluster.
– ImmediateStop: stop all servers immediately.
Installing applications on the Cluster
Resources
• Info center for WAS 6.1 - http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
• IBM Redbook – sg247304 WAS 6.1 System Management and configuration.
• IBM Redbook – sg246688 WAS ND High Availability Solutions.
• IBM Redbook – sg246316 WAS Security Handbook
• Admin Console context sensitive online help.
Questions?
Summary
• Trouble Shooting and Monitoring
• WebSphere Security
• Cell Management
• Scalability and Clustering