EditAttachPrintable
r8 - 2016-08-22 - 13:47:14 - ShubjitNaikYou are here: TWiki >  Deployment Web > DeploymentInstallingUpgradingAndMigrating > CLMDistributedSetupUsingLibertyProfile

uc.png Distributed Deployment of CLM 6.0.x Using Liberty Profile

Authors: ShubjitNaik, DineshKumar
Build basis: Rational solution for Collaborative Lifecycle Management 6.0.x, Websphere Liberty 8.5.x, IBM HTTP Server 8.5.x


A common installation topology is a distributed deployment of a Rational solution for Collaborative Lifecycle Management (CLM), Enterprise topology, which means CLM applications can be setup and configured individually on separate servers.


From CLM 6.0.1 onwards we bundle WebSphere Liberty as the default application server with CLM and this article will focus on configuring a distributed deployment of CLM using WebSphere Liberty. Here are a couple of scenarios where we would need a distributed setup.

  • Deploy a distributed setup using WebSphere Liberty where each CLM application is setup on its own Liberty Profile
  • Deploy one or a set of applications (example Reporting components LQE, DCC and JRS) on a separate Liberty Profile (This specific scenario will be used in this article)
  • Adding additional application instances such as CCM1 / RQM1 / RM1 with the bundled Liberty Profile connecting to JTS/CCM/RQM residing on a separate Liberty Profile

The steps in this article is to be used as a guideline to help setup and configure a distributed deployment of CLM on Liberty Profile. We have included additional links within this article that will help in configuring LDAP, SSO for Liberty and additional IHS configurations.

Prerequisites and Assumptions

  • Liberty Profile bundled with the installation is used (ie. not the Liberty Profile downloaded separately)
  • Each of the Liberty profile is configured to use the same LDAP server with domain "example.org" for authentication (We will not consider the basic user registry in this example)
  • A separate database server is available and setup for CLM, instructions available on our Infocenter
  • IBM HTTP Server installation is available or a trail version can be setup using this Technote
  • License configuration would not be covered in this article

Example server configuration

For the purposes of this article we will use three separate servers configured as follows:

  • Server 1 (Hostname: ihs.example.org): IBM HTTP Server (IHS) listening on port 80 / 443 , GC/LDX installed with bundled Liberty Profile_
  • Server 2 (Hostname: clm.example.org): JTS/RTC/RQM/RDNG installed with the bundled Liberty Profile (Default HTTPS port : 9443)
  • Server 3 (Host-name: reporting.example.org): JRS/DCC/LQE installed with bundled default Liberty Profile (Default HTTPS port : 9443)

Overview of the Setup

  • Install CLM applications on Server 1, 2 and 3
  • Install and configure IHS Server on Server 1
  • Import Certificates from each Liberty profile to IHS Key database
  • Configure Plugins / ProxyPass redirection from IHS to CLM
  • Configure user registry on each Liberty Profile
  • Configure SSO across the Liberty Profiles

The Setup

Application Installation

Install CLM applications on different machines using IBM Installation Manager

  • Download and Install IBM Installation Manager (IM) on each Server
  • Download CLM application installer from Passport Advantage or from jazz.net
  • Install JTS/CCM/QM/RM applications on Server 2 using WAS Liberty
    • Edit [JAZZ_HOME]\server\liberty\servers\clm\conf\application.xml and comment out the application lines for those that were not installed on Server 2
  • Install GC/LDX applications on Server 1
    • Edit [JAZZ_HOME]\server\liberty\servers\clm\conf\application.xml and comment out the application lines for those that were not installed on Server 1
  • Install Reporting components, JRS, DCC and LQE on Server 3
    • Edit [JAZZ_HOME]\server\liberty\servers\clm\conf\application.xml and comment out the application lines for those that were not installed on Server 3

Install IBM HTTP Server

If your organization has a copy of the WebSphere Application Server Supplements repository downloaded via passport advantage, you can use that repo and install IBM HTTP Server using IBM IM on Server1

If you don't have access to the repo, you can download and install no-charge trail IBM HTTP Server using the instructions on this Technote
Trial versions of IBM HTTP Server are not eligible for customer or product support. For best-effort/community support, see the ibmhttpserver tag on stack overflow

Steps to Install IHS (Trail)

Post install, we have to create a new key database and a self signed certificate, enable SSL directives within the IBM HTTP Server's configuration file (httpd.conf), enable support modules and create a key database for certificates. We then complete the configuration using one of the methods for traffic redirection to the Liberty profiles.

Create a key database and self-signed certificate for IHS

  • Using ikeyman UI
    • Open ikeyman.bat file within [IHS Home]\bin folder
    • Click Key Database File > New , select type CMS, enter the filename (ihskeys.kdb) and path to store it (C:\IBM\HTTPServer\)
      newkeydatabase.png
    • Click Ok, enter a password for your keystore and check "stash password to a file"
      passwordstash.png
    • Click on "New Self-Signed" and make sure you enter the IHS URI host as the Common Name (ihs.example.org) and create the certificate
      newselfsigned.png

  • Using gskcmd, command line
    • On the IHS machine, Open a command terminal and cd to /bin, e.g. /opt/IBM/HTTPServer/bin, and run the following commands
    • Create the key database
      ./gskcmd -keydb -create -db ihskeys.kdb -pw xxxxx -expire 3650 -stash -type cms 
    • Create the self-signed certificate for IHS URL
      ./gskcmd -cert -create -db ihskeys.kdb  -label default -expire 3650 -size 2048 -dn "CN=xxxxx" -default_cert yes -pw xxxxx 
      where dn denotes the Distinguished Name for the IHS server, use a fully qualified name for CN. For example -dn CN=ihs.example.org

Enable SSL directives within the IBM HTTP Server's configuration file (httpd.conf)

  • Navigate to C:\IBM\HTTPServer\conf\ and edit httpd.conf
  • Make the changes to the variables as seen below
    ServerName clm.example.org
    Listen 80
    Listen 443
    #
    #
    ##### Following Modules are needed for mod_proxy method
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    
    # optional: if you want to rewrite urls to public url below
    LoadModule rewrite_module modules/mod_rewrite.so
    #
        
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 0.0.0.0:443
    ## Uncomment for IPv6 support:
    #Listen [::]:443
    <VirtualHost *:443>
           SSLEnable
    </VirtualHost>
    KeyFile C:\IBM\HTTPServer\ihskeys.kdb
    SSLStashFile C:\IBM\HTTPServer\ihskeys.sth
    SSLDisable   
    #
    #

  • Save the file and restart IHS server.
  • Access the IHS URL and confirm SSL and certificates are working (https://ihs.example.org/)

Setup SSL Handshake between the Liberty profiles and IHS

To setup the SSL Handshake you would need to import the certificates from each liberty profile into the newly created IHS key database file (ihskeys.kdb). Following are the steps.
  • Copy the certificate keystore from each liberty profile to Server1 hosting IHS
  • Default certificate path: [JAZZ_HOME]\server\liberty\servers\clm\resources\security\ibm-team-ssl.keystore
    You should now have 3 certificates, from server1 GC_ibm-team-ssl.keystore, server2 JTS_ibm-team-ssl.keystore and server 3 JRS_ibm-team-ssl.keystore

  • Import the JTS_ibm-team-ssl.keystore into the ihskeys.kdb file
    • Open ikeyman [HTTPServer Home]\bin\ikeyman
    • Set type to CMS, filename as ihskeys.kdb and location to where the ihskeys.kdb file is created
      OpenKeydatabase.png
    • Enter the password that you set when creating the ihskeys.kdb file and click ok
    • Click Export/Import to import the certificate from Liberty profile hosting JTS
      importkeystore.png
      Enter the default password ibm-team and click OK
    • Change the label, example from default to defaultjts
      changelabels.png

  • Similarly import GC_ibm-team-ssl.keystore and JRS_ibm-team-ssl.keystore

Configure Web Server Plug-ins OR Mod_Proxy directive on IHS

This configuration is to route requests for dynamic content, such as servlets, from web applications. We will look into the web server plugin and mod_proxy method to configure reverse proxy.

Configure IHS with Web Server Plugins

The Web server plug-in works with a web server to route requests for dynamic content, such as servlets, from web applications. The web servers (IHS), are necessary for directing traffic from browsers to the applications that run on an application server (Liberty profile). The web server plug-in uses the XML configuration file to determine whether a request is for an application server.

The steps to configure includes generating plug-ins from each Liberty server hosting CLM applications, Merge the plugins into one and include the path to the merged plugin file in IHS. For detailed instructions on generating plugins from Liberty Profile and configuring IHS with it, visit the article Creating IHS Plugin for Liberty Profile
Note: To merge the plugins you would need MergePlugins.bat/sh file from WAS Full Profile installation

Configure IHS with mod_proxy directive

The example below is a basic idea to help you get started. For details on mod_proxy, visit here
This usage configuration may not be supported by IBM

  • First confirm if the following modules are enabled via the httpd.conf file.
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
  • Modify the VirtualHost configuration to include the parameters
    
    <VirtualHost *:443>
      SSLEnable
      SSLProtocolDisable SSLv2
      ServerName ihs.example.org
      
      <IfModule mod_proxy.c>
       ProxyRequests off
       ProxyPreserveHost on
    
       <Proxy https://ihs.example.org/*>
          Order deny,allow
          Allow from all
       </Proxy>
       ProxyVia On
    
       </IfModule>
    
     # Reverse Proxy Info:
       SSLProxyEngine on
       
       #### In case there is a change in context root, replace the new context root below
       #### Include only the applications you have installed
       
       #### In our example, GC and LDX are installed on Server1, ihs.example.org, liberty profile port is 9443
       
       ProxyPass /gc https://ihs.example.org:9443/gc
       ProxyPassreverse /gc https://ihs.example.org:9443/gc
      
       ProxyPass /ldx https://ihs.example.org:9443/ldx
       ProxyPassreverse /ldx https://ihs.example.org:9443/ldx
       
       #### In our example, JTS/RTC/RQM/RDNG are installed on Server2, ccm.example.org, liberty profile port is 9443
       
       ProxyPass /jts https://clm.example.org:9443/jts
       ProxyPassreverse /jts https://clm.example.org:9443/jts
       
       ProxyPass /ccm https://clm.example.org:9443/ccm
       ProxyPassreverse /ccm https://clm.example.org:9443/ccm
       
       ProxyPass /qm https://clm.example.org:9443/qm
       ProxyPassreverse /qm https://clm.example.org:9443/qm
    
       ProxyPass /rm https://clm.example.org:9443/rm
       ProxyPassreverse /qm https://clm.example.org:9443/qm
       
       ProxyPass /converter https://clm.example.org:9443/converter
       ProxyPassreverse /converter https://clm.example.org:9443/converter
       
       ProxyPass /clmhelp https://clm.example.org:9443/clmhelp
       ProxyPassreverse /clmhelp https://clm.example.org:9443/clmhelp
       
       #### In our example, JRS/DCC/LQE are installed on Server3, reporting.example.org, liberty profile port is 9443
    
       ProxyPass /rs https://reporting.example.org:9443/rs
       ProxyPassreverse /rs https://reporting.example.org:9443/rs
       
       ProxyPass /dcc https://reporting.example.org:9443/dcc
       ProxyPassreverse /dcc https://reporting.example.org:9443/dcc
    
       ProxyPass /lqe https://reporting.example.org:9443/lqe
       ProxyPassreverse /lqe https://reporting.example.org:9443/lqe
       
    </VirtualHost>
    
    KeyFile C:\IBM\HTTPServer\ihskeys.kdb
    SSLStashFile C:\IBM\HTTPServer\ihskeys.sth
    SSLDisable
    

Configuring Liberty Profiles with LDAP

Each instance of WebSphere Liberty Profile should be configured with the same user registry (ideally LDAP). The user registry settings must be identical on all servers for SSO to work. You can complete running JTS Setup during this process.

Instructions to configure the Liberty Profile with LDAP

Configuring SSO Across the Liberty Profiles

It is critical to configure Single Sign-On between these application servers such that a user only needs to log into one of the application and subsequent access to the other applications will not require re-authentication.

Instructions to configure Single Sign On (SSO) across the Liberty Profiles

General Guidelines for distributed setup of CLM on Liberty Profile

  • To be able to configure reverse proxy using Web server plug-ins, an installation of WebSphere Application server is mandatory, as the MergePlugin.bat/sh file is not available out of this installation.
  • To be able to use a no-charge IBM HTTP Server with CLM without a need to obtain the Full installation media for WebSphere application server, you would have to configure the Reverse proxy using the mod_proxy method
  • A ProxyPass and ProxyPassreverse directive combination is required for each application to route traffic from IHS to specific CLM application

Related topics: Configure Liberty with LDAP, Configure SSO For Liberty, Generating Web server Plug-ins on Liberty Profile, Deployment web home

External links:

Edit | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r17 | r10 < r9 < r8 < r7 | More topic actions...
 
This site is powered by the TWiki collaboration platformCopyright © by IBM and non-IBM contributing authors. All material on this collaboration platform is the property of the contributing authors.
Contributions are governed by our Terms of Use. Please read the following disclaimer.