WebSphere 6.1 admin Course 3

WebSphere Administration Course

Copyright © Oded Nissan 2009

Agenda

• Trouble Shooting and Monitoring• WebSphere Security• Cell Management• Scalability and Clustering

– Scalability and Failover Overview– WebSphere Scalability – Creating a Cluster

• Summary


Trouble Shooting and Monitoring


Trouble Shooting

• We need to determine the problem using a divide and conquer approach.

• What kind of problem do I have ?• What component is causing the problem ?• Use the appropriate resource for identifying

the problem.


Trouble Shooting

• The trouble shooting menu contains the following options:– Logs and Trace configure logging and tracing for the

server.– Class Loader Viewer view the class loader hierarchy in

each application.– Configuration validation errors an warnings related to

configuration problems.– Diagnostic provider choose a diagnostic provider available

for the server.– Runtime messages events published by application server

classes.

Diagnostic Provider

• From the navigation menu choose App servers->server1->Performance and Diagnostic Advisor Configuration.

• Enable the diagnostic provider.• From the navigation menu choose

troublshooting-> Diagnostic provider.• Choose the server and choose the diagnostic

test to run.


Diagnostic Provider


Log files

• SystemOut.log – the JVM output log, contains all WAS and application messages logged to the standard output.

• SystemErr.log – contains all WAS and application messages logged to standard error.

• startServer.log and stopServer.log – log messages related to server startup and shutdown.

• Native_stderr.log and native_stdout.log – contains log messages from native libraries logged to standard output and standard error.

• activity.log events that how history of activities.• trace.log – output from diagnostic trace.


Trace

• Trace messages can be set on different components at different trace levels.

• Tracing needs to be manually activated. Tracing a server is very demanding on system resources and we need to shut down trace once we are done with diagnostics.

• To enable trace on a running system make changes on the runtime tab in

Troublshooting->Logging and tracing->server1 ->Diagnostic trace


Trace – changing the trace level


First Failure Data Capture too (FFDC)

• Saves the information generated from a processing failure.

• This tool is meant to be used by IBM support, administrators cannot start or stop it.

• Saved data is saved in log files on the <WAS HOME>/profiles/<profile>/logs/ffdc directory.


Collector Tool

• IBM support will ask you to run it to collect information about your server in order to solve a problem.

• To run collector: <WAS_HOME/profiles/<profile>/bin/collector.bat

• Gathers information about the WAS installation and packages it in a jar file.


Performance Monitoring Infrastructure

• Performance Monitoring Infrastructure (PMI) is the core monitoring infrastructure for WebSphere Application Server

• Using PMI data, the performance bottlenecks in the application server can be identified and fixed.

• PMI data can also be used to monitor the health of the application server. Some of the health indicators are CPU usage, Servlet response time, and JDBC query time. Performance management tools like Tivoli Monitoring for Web Infrastructure and other third party tools can monitor the PMI data and generate alerts based on some predefined thresholds.


PMI Architecture


Performance Data Terminology

• Performance data classifications– Numeric – simple values such as sizes and counters.– Stat – data on a sample space.– Load – values as a function of time.

• Performance Data Hierarchy– Node - a physical machine.– Server - an instance providing a service– Module - a resource category– SubModule – a sub category of module. – Instance – an instance of a class– Method – class method– Counter – data type holding performance data.


Performance Monitoring Infrastructure

• To enable performance monitoring: from the navigation menu choose Servers->Apllication Servers->server1

• Click the Configuration tab. • Click Performance Monitoring Infrastructure (PMI)

under Performance. • Select the Enable Performance Monitoring

Infrastructure (PMI) check box. • Optionally, select the check box Use sequential

counter updates to enable precise statistic update.


Tivoli Performance Viewer

• Tivoli Performance Viewer (TPV) enables administrators and programmers to monitor the overall health of WebSphere Application Server from within the administrative console.

• You can view real-time data on the current performance activity of a server using TPV in the administrative console.

• Use TPV to view summary reports on servlets, Enterprise JavaBeans (EJB) methods, connections pools and thread pools in WebSphere Application Server.

• TPV show graphs and of various performance data on system resources such as CPU utilization, on WebSphere pools and queues such as database connection pools, and on customer application data such as servlet response time.



• To use TPV from the navigation menu choose Monitoring and tuning->Performance viewer->Current Activity.

• Choose the server and click start monitoring.• Click on the server to view performance

metrics.• Use the view logs menu to view the

performance log files directly.




Performance Tips

WebSphere Security


What is security ?

• Authentication – Who am I ? – Authenticate a user connecting to the Application

Server or an application.– Authenticate data passed over the wire.

• Authorization – What am I allowed to do ?– Administrative security – what administrative

actions can I perform on the application server.– Application security – what kind of actions can I

perform in the application


Security the Big Picture


Administrative Security

• The term administrative security represents the security configuration which affects the entire security domain. The security domain consists of all the servers that are configured with the same user registry realm name.

• The basic requirement for a security domain is that the access ID returned by the registry from one server be the same access ID as that returned from the registry on any other servers within the same security domain


Administrative Security

• Enabling administrative security activates a wide variety of security settings for WebSphere Application Server. They take effect only when administrative security is activated.

• These settings include authentication of users, the use of Secure Sockets Layer (SSL), the choice of user account repository, and application security.


Enabling Administrative Security

• From the navigation menu, choose Security → Secure administration, applications and infrastructure.

• In the Secure administration, applications, and infrastructure window select Enable administrative security


Enabling Administrative Security


Authentication mechanism

• The WebSphere Application Server uses Lightweight Third Party Authentication (LTPA) as the default authentication mechanism LTPA supports forwardable credentials and, for security reasons, a configurable expiration time is set on the credentials.

• The use of LTPA allows you to enable single sign-on (SSO) for your security domain.

• Additional Information at: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp.


http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp


User account repository

• WebSphere support four types of user repositories:– Local operating system– Stand-alone Lightweight Directory Access Protocol

(LDAP) registry– Stand-alone custom registry– The Federated repositories


Local OS Registry

• With the local operating system user registry implementation, the WebSphere Application Server authentication mechanism can use the user accounts database of the local operating system.

• The respective operating system APIs are called by the product processes (servers) for authenticating a user


Required privileges in Windows

• For a stand-alone machine:– Is a member of the administrative group– Has the Act as part of the operating system privilege– Has the Log on as a service privilege, if the server is run as a service

• For a machine on the domain:– Is a member of the domain administrative groups.– Has the Act as part of the operating system privilege in the Domain– Has the Act as part of the operating system privilege in the Local

security policy on the local machine– Has the Log on as a service privilege on the local machine, if the server

is running as a service


Stand alone LDAP Registry

• LDAP is a distributed directory server used to store organizational data.

• Entries are organized in a tree-like structure called the Directory Information Tree. Entries contain attibutes and are identified based on their distinguished name (DN).

• An LDAP server contains standard entries.


LDAP Information Tree


Custom Registry

• WebSphere supports authenticating against a custom registry.

• In order to authenticate against a custom registry we need to implement the UserRegistry interface so that WebSphere can use the existing registry for all of the security-related operations.

• It is expected that the implementation does not depend on other WebSphere resources, such as datasources, for its operation.


Federated Registry

• A federated repository enables you to use multiple repositories with WebSphere. These repositories, which can be file-based repositories, LDAP repositories etc., are defined and theoretically combined under single realm.

• All of the user repositories configured under the federated repository functionality are transparent to WebSphere.


WebSphere Authentication Mechanism


Configuring the OS Registry

• Click Security → Secure administration, application, and infrastructure. Under User account repository, select Local operating system and click Configure.

• Enter a valid user name in the Primary administrative user name field. This value is the name of the user with administrative privileges that is defined in the registry and is used to access the administrative console.

• Click Apply.



• Select either the Automatically generated server identity or Server identity that is stored in the repository option. If you select the Server identity that is stored in the repository option, enter the following information:– For Server user ID or administrative user, specify the short

name of the account that you chose – For Server user password, enter the password of

the account that you chose• Click OK





• Ensure that the Active User Registry option is set to Local Operating System and that Security is enabled. Click Apply to validate the settings.

• Save the configuration for WebSphere.• Restart your WebSphere Application Server• Login to the Admin Console using your

credentials.


Disabling Administrative Security

• To disable Administrative security:– Use the Admin Console – If the server is down or we cannot login to the

Admin console use wsadmin :• <WebSphere_home>\bin\wsadmin.bat -conntype

NONE• Type the command: securityoff• Restart the server.


Administrative Roles


Mapping a user to an administrative role

• From the Administrative Console, select Users and Groups →Administrative User Roles.

• Click Add.• Under General Properties: a. In the User field, enter

a user name. This user must be defined in the user account repository that is to be active when administrative security is enabled.

• Select the appropriate administrative role. More than one role may be selected.


Mapping a user to an administrative role

• Click OK and save.


Application Security

• Application security provides authentication and authorization support for JEE applications.

• Application security must be enabled if we intend to use declarative security, which binds into the WebSphere security architecture.

• Alternatively we could use our programmatic security.


Enabling Application Security

• From the navigation menu choose Security->Secure administration

• In the application security section choose enable application security.

• Click apply then save. • Restart the server for the change to take

effect.


Testing Application Security

• Try to access the following URL: http://localhost:9080/snoop

• You will be prompted with a login dialog. Enter the a user and password stored in the user registry to login.

• If login is successful the snoop servlet will be activated.


http://localhost:9080/snoop

Mapping users and groups to roles in application security.

• Every application has its own roles and therefore its own mappings. Therefore we need to assign users and groups to roles at the application level.

• Role assignment is usually done in the deployment descriptor of the application.

• Role assignment can also be done using the Admin Console.


Mapping users and groups to roles in application security.• Select Applications → Enterprise Application →

<your_application> →Security role to users/group mapping


Mapping users and groups to roles in application security.

• Role mapping can also be done during application installation. In the Map security roles to users or groups step you can select any of the roles and assign a user or a group from the user registry using one of the lookups.

• You can also assign one of the special subjects (Everyone or All authenticated) to the role.


Web Application Security

• To use declarative security for web applications we need to give define security constraints on web application resources in the application deployment descriptor. We can define which role can access the resource.

• When we access a secured resource for the first time we will get a login dialog and need to login.


EJB Application Security

• Authentication in an EJB application is achieved by passing the credentials to the InitialContext object when we connect to JNDI to lookup the EJB.

• If we authenticated to the web application on the same server then the user identity is available to the EJB application.



EJB Application Security

• Declarative security is implemented by giving permission on EJBs or EJB methods to roles in the EJB deployment descriptor.

• Mapping users and groups to roles is also implemented using deployment descriptors.


Secure Socket Layer (SSL)

• WebSphere Application Server uses the Secure Sockets Layer (SSL) protocol to provide Transport Layer Security (TLS), which allows for secure communication between a client and application server.

• The SSL configuration options in WebSphere offer full end-to-end management, including certificate management, individual endpoint SSL mappings, and scoped association of SSL configurations and key stores


Resources

• Info center for WAS 6.1 - http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp

• IBM Redbook – sg246316 WAS Security Handbook

• Admin Console context sensitive online help.




Cell Management

Cell Management

• In order to manage a cell we need to create a deployment manager profile and add nodes to the cell.

• Two approaches for creating a cell:– Add existing standalone nodes to the cell. – Create a custom profile on the node and add the

node to the cell. This way we can dynamically create more than one server on the node.


Cell Managment



Creating a Cell

• To create a cell:– Create a deployment manager profile and start

the deployment manager process.– Create a custom profile on the node or a regular

application server profile on the node.– Add the node to the cell.– Run the admin console on the deployment

manager machine and manage the cell.


Creating a Deployment manager profile

• From the <WAS HOME>bin/ProfileManagment directory run PMT.bat

• Choose to create a deployment manager profile.

• Choose typical or advanced setup. • Press next



• Give the profile a name and choose the profile directory (to override the default).



• You can enter the cell name,node name and host name defaults are automatically filled.



• You can change the ports to avoid collision with an existing server.



• On windows systems you can run the profile as a windows service.



• Press next, review settings and press finish to create the profile.

• The First Steps console is started.• Now we can move to the profile directory and

start the server using the startServer command from the bin directory.

Deployment manager directory structure


Deployment manager

• All configuration data is stored in the config directory.

• The deployment manager has the master configuration of the whole cell, each node has just the needed information to run that node.

• Use the admin console to change configuration. http://localhost:9060/ibm/console


http://localhost:9060/ibm/console

Command line tools

• In the bin directory of the deployment manager we have the following command line tools:– startManager – starts the deployment manager.– stopmanager – stops the deployment manager.


Adding a node to the cell

• To add an• To add an existing node to the cell run the following

command from the node’s bin directory:– addNode <dep manager host> <port>– The port is the SOAP port of the deployment manager

(default is 8879).– Run the startNode command to start the node agent.

• Now the node is managed by the deployment manager. The node’s admin console is no longer available.


Removing a node from the cell

• Use the removeNode command from the bin directory to remove a node from the cell.– removeNode [options] – Options are optional without parameters

removeNode removed the current node from the cell.

– removeNode also stops the node manager and removes the node configuration from the deployment manager’s master configuration.


Cell management

• From the navigation menu choose System Administration->nodes to display the managed nodes.

• Choose System Administration->Node Agents to display the node agents.

• Choose System Administration->cells and choose the topology tab to display the cell structure.



Custom Profile• When creating a custom profile we can

dynamically create servers on the node.• A custom profile is useful especially when we

want to create a cluster or run more than one server on a node.

• A custom profile node must be added to the cell just like a regular node. Servers can then be created on the node from the deployment manager console.

Creating a custom profile

• From the <WAS HOME>bin/ProfileManagment directory run PMT.bat

• Choose to create a custom profile.• Fill the profile name, node name and hostname just

like when creating a regular profile.• In the last screen enter the name of the deployment

manager host and the SOAP port for the deployment manager.

• Choose whether you want to add the node to the cell now, or manually do it later.





• Review your settings and press next to create the profile.


Creating a Server

• We can create servers on the custom node profile.

• From the navigation menu choose Servers->Application servers.

• Press new.• Select the custom node and give the server a

name.• Press next


Creating a Server (step 1)



• Select a template to use for the application server.



• We can generate unique ports for the server on the custom node.



• Review your settings and press Finish


Cell Management

• Using the admin console on the deployment manager we can:– Manage servers in the cell.– Install applications on different servers in the cell.– Administer resources on the cell at the cell, node

or server level.– Manually force configuration synchronization with

the cell nodes.




Scalability and Clustering


Scalability and Failover overview

• Scalability is the ability of the system to grow and provide service for higher work load.

• In JEE, scalability means adding more application servers that run either the same application or a different part of the application.

• Scalability requires work load management to divide the work among the different servers.


Scalability and Failover overview

• Failover is the concept of providing a high availability for the system by automatically routing requests to another server if one of the server fails.

• Scalability and failover are a requirement from JEE application servers. However, the implementation is up to the vendors.


Cluster

• Clusters are a set of application servers running the same application and grouped logically for workload management.

• Applications installed to the cluster are distributed to all cluster members.

• Cluster members can be centrally administered.


Clusters and cluster members


WebSphere Scalability

• In WebSphere a cluster is managed using the deployment manager and is created using the admin console using either existing servers or newly created servers. (using the custom profile).

• Starting or stopping the cluster starts or stops all cluster members.

• Applications should be installed to the cluster not to a specific server or node.


Vertical Scaling

• Vertical scaling is the concept of creating cluster members on the same physical machine. This is useful when we have a strong machine and want to make use of its resources.


Horizontal Scaling

• Horizontal scaling is the concept of creating cluster members on different physical machines.


Web Tier Scalability

• Work load management at the web tier is performed using an load balancer that performs load balancing of HTTP requests between cluster members.

• The load balancer needs to maintain session affinity to maintain application sessions.

• A load balancer can be either IBM’s Edge components or a 3rd party commercial load balancer.


Web Tier Scalability

• IBM’s http server or IIS can also be used as a load balancer by using the http plugin


Web Tier failover

• Failover is detected by the load balancer, which then routs the request to another server.

• We can configure WebSphere to distribute session information between nodes so that in case of a failover we can resume our session on another server.


Web Tier Failover

• To configure web session management choose Application Servers-><server>->web container->session management-> distributed environment settings.


Load Balancer Failover

• A Load Balancer provides a built-in high availability function. It allows you to configure a backup Load Balancer server.

• if the primary Load Balancer server fails, the backup server will take over.

• This topology is called an Active-Passive topology, where only one server is active at a time.


Load Balancer Failover

• Failover is supported by IBM’s Edge components and other 3rd party load balancers.


EJB Scalability and Failover

• EJB WLM is achieved by generating cluster-aware stubs at deployment time.

• The cluster-aware stub performs the WLM and also handles failover.

• The workload management service provides load balancing and high availability support for the following types of EJBs:– Homes of entity or session beans– Instances of entity beans– Instances of stateless session beans



• EJB Stateful session bean failover is also supported using memory to memory replication.

• In the Administrative Console, select Servers → Application servers →<AppServer_Name>.

• Expand EJB Container Settings, and then select EJB container. Select Enable stateful session bean failover using memory-to-memory replication,



• Failover is also supported by the naming service. We can put more than one server name in the naming URL and the naming service will perform failover if one of the servers is unavailable.




Creating a Cluster (step 1)

• Select Servers →Cluster Click new• Enter basic cluster information



• Create first cluster member (settings will be applied to other cluster members) :– Enter member name and select its node.– Weight server weight for workload management.– Select the basis for the cluster member– Generate unique ports, if we intend to create

more than one server on a machine.







• When all the servers have been entered, click Next.

• A summary page shows you what will be created.

• Click Finish to create the cluster and new servers.

• Save the configuration.


Viewing Cluster Topology

• Select Servers →Cluster Topology


Managing a Cluster

• Select Servers →Clusters.• Check each cluster you want to work with and select

one of the following options:– Start: Use this option to start all servers in the cluster.– Stop: Use this option to stops all servers in the cluster. This

allows the server to finish existing requests and allows failover to another member of the cluster.

– Ripplestart: Use this option to Stop, then start all servers in the cluster.

– ImmediateStop: Stop all servers immediately.


Installing applications on the Cluster


Resources

• Info center for WAS 6.1 - http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp

• IBM Redbook – sg247304 WAS 6.1 System Management and configuration.

• IBM Redbook – sg246688 WAS ND High Availability Solutions.

• IBM Redbook – sg246316 WAS Security Handbook• Admin Console context sensitive online help.




Questions ?


Summary

• Trouble Shooting and Monitoring• WebSphere Security• Cell Management• Scalability and Clustering

WebSphere 6.1 admin Course 3

Technology

various performance

pmi data

performance bottlenecks

trace trace messages

application server classes

saved data

application messages

server startup