A common installation topology for a Rational solution for Collaborative Lifecycle Management (CLM) is a distributed deployment (the Enterprise topology), in which the CLM applications are set up and configured individually on separate servers.
From CLM 6.0.1 onwards we bundle WebSphere Liberty as the default application server with CLM, and this article focuses on configuring a distributed deployment of CLM using WebSphere Liberty. Here are a couple of scenarios where we would need a distributed setup.
- Deploy a distributed setup using WebSphere Liberty where each CLM application is set up on its own Liberty Profile
- Deploy one or a set of applications (for example, the Reporting components LQE, DCC and JRS) on a separate Liberty Profile (this specific scenario is used in this article)
- Add additional application instances such as CCM1 / RQM1 / RM1 with the bundled Liberty Profile, connecting to JTS/CCM/RQM residing on a separate Liberty Profile
The steps in this article are to be used as a guideline to help set up and configure a distributed deployment of CLM on Liberty Profile. We have included additional links within this article that will help in configuring LDAP, SSO for Liberty and additional IHS configurations.
Prerequisites and Assumptions
- The Liberty Profile bundled with the installation is used (i.e. not the Liberty Profile downloaded separately)
- Each Liberty Profile is configured to use the same LDAP server with domain "example.org" for authentication (we will not consider the basic user registry in this example)
- A separate database server is available and set up for CLM; instructions are available on our Infocenter
- An IBM HTTP Server installation is available, or a trial version can be set up using this Technote
- License configuration is not covered in this article
Example server configuration
For the purposes of this article we will use three separate servers configured as follows:
- Server 1 (Hostname: ihs.example.org): IBM HTTP Server (IHS) listening on port 80 / 443, GC/LDX installed with bundled Liberty Profile
- Server 2 (Hostname: clm.example.org): JTS/RTC/RQM/RDNG installed with the bundled Liberty Profile (Default HTTPS port: 9443)
- Server 3 (Hostname: reporting.example.org): JRS/DCC/LQE installed with bundled default Liberty Profile (Default HTTPS port: 9443)
Overview of the Setup
- Install CLM applications on Server 1, 2 and 3
- Install and configure IHS Server on Server 1
- Import Certificates from each Liberty profile to IHS Key database
- Configure Plugins / ProxyPass redirection from IHS to CLM
- Configure user registry on each Liberty Profile
- Configure SSO across the Liberty Profiles
The Setup
Application Installation
Install CLM applications on different machines using IBM Installation Manager
- Download and Install IBM Installation Manager (IM) on each Server
- Download CLM application installer from Passport Advantage or from jazz.net
- Install JTS/CCM/QM/RM applications on Server 2 using WAS Liberty
- Edit [JAZZ_HOME]\server\liberty\servers\clm\conf\application.xml and comment out the application lines for those that were not installed on Server 2
- Install GC/LDX applications on Server 1
- Edit [JAZZ_HOME]\server\liberty\servers\clm\conf\application.xml and comment out the application lines for those that were not installed on Server 1
- Install Reporting components, JRS, DCC and LQE on Server 3
- Edit [JAZZ_HOME]\server\liberty\servers\clm\conf\application.xml and comment out the application lines for those that were not installed on Server 3
Install IBM HTTP Server
If your organization has a copy of the WebSphere Application Server Supplements repository downloaded via Passport Advantage, you can use that repository to install IBM HTTP Server using IBM IM on Server 1.
If you don't have access to the repository, you can download and install the no-charge trial IBM HTTP Server using the instructions in this Technote.
Trial versions of IBM HTTP Server are not eligible for customer or product support. For best-effort/community support, see the ibmhttpserver tag on Stack Overflow.
Steps to Install IHS (Trial)
After installation, we have to create a new key database for certificates and a self-signed certificate, enable the SSL directives within the IBM HTTP Server's configuration file (httpd.conf), and enable the support modules. We then complete the configuration using one of the methods for traffic redirection to the Liberty profiles.
Create a key database and self-signed certificate for IHS
- Using ikeyman UI
- Open ikeyman.bat file within [IHS Home]\bin folder
- Click Key Database File > New , select type CMS, enter the filename (ihskeys.kdb) and path to store it (C:\IBM\HTTPServer\)
- Click Ok, enter a password for your keystore and check "stash password to a file"
- Click on "New Self-Signed" and make sure you enter the IHS URI host as the Common Name (ihs.example.org) and create the certificate
- Using gskcmd, command line
Enable SSL directives within the IBM HTTP Server's configuration file (httpd.conf)
- Save the file and restart IHS server.
- Access the IHS URL and confirm SSL and certificates are working (https://ihs.example.org/)
Setup SSL Handshake between the Liberty profiles and IHS
To set up the SSL handshake you need to import the certificates from each Liberty profile into the newly created IHS key database file (ihskeys.kdb). The steps are as follows.
- Copy the certificate keystore from each Liberty profile to Server 1, which hosts IHS
- Default certificate path: [JAZZ_HOME]\server\liberty\servers\clm\resources\security\ibm-team-ssl.keystore
You should now have 3 certificates: GC_ibm-team-ssl.keystore from Server 1, JTS_ibm-team-ssl.keystore from Server 2 and JRS_ibm-team-ssl.keystore from Server 3
- Import the JTS_ibm-team-ssl.keystore into the ihskeys.kdb file
- Open ikeyman [HTTPServer Home]\bin\ikeyman
- Set type to CMS, filename as ihskeys.kdb and location to where the ihskeys.kdb file is created
- Enter the password that you set when creating the ihskeys.kdb file and click ok
- Click Export/Import to import the certificate from the Liberty profile hosting JTS. Enter the default password ibm-team and click OK
- Change the label, example from default to defaultjts
- Similarly import GC_ibm-team-ssl.keystore and JRS_ibm-team-ssl.keystore
Configure Web Server Plug-ins OR Mod_Proxy directive on IHS
This configuration is to route requests for dynamic content, such as servlets, from web applications. We will look into the web server plugin and mod_proxy method to configure reverse proxy.
Configure IHS with Web Server Plugins
The web server plug-in works with a web server to route requests for dynamic content, such as servlets, from web applications. The web server (IHS) is necessary for directing traffic from browsers to the applications that run on an application server (Liberty profile). The web server plug-in uses the XML configuration file to determine whether a request is for an application server.
The configuration steps are: generate the plug-in from each Liberty server hosting CLM applications, merge the plug-ins into one file, and include the path to the merged plug-in file in IHS.
For detailed instructions on generating plug-ins from Liberty Profile and configuring IHS with them, see the article Creating IHS Plugin for Liberty Profile.
Note: To merge the plug-ins you need the MergePlugins.bat/sh file from a WAS Full Profile installation
Configure IHS with mod_proxy directive
The example below is a basic outline to help you get started. For details on mod_proxy, refer to the mod_proxy documentation.
This usage configuration may not be supported by IBM
- First confirm if the following modules are enabled via the httpd.conf file.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
- Modify the VirtualHost configuration to include the parameters
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
ServerName ihs.example.org
<IfModule mod_proxy.c>
ProxyRequests off
ProxyPreserveHost on
<Proxy https://ihs.example.org/*>
Order deny,allow
Allow from all
</Proxy>
ProxyVia On
</IfModule>
# Reverse Proxy Info:
SSLProxyEngine on
#### In case there is a change in context root, replace the new context root below
#### Include only the applications you have installed
#### In our example, GC and LDX are installed on Server1, ihs.example.org, liberty profile port is 9443
ProxyPass /gc https://ihs.example.org:9443/gc
ProxyPassreverse /gc https://ihs.example.org:9443/gc
ProxyPass /ldx https://ihs.example.org:9443/ldx
ProxyPassreverse /ldx https://ihs.example.org:9443/ldx
#### In our example, JTS/RTC/RQM/RDNG are installed on Server2, clm.example.org, liberty profile port is 9443
ProxyPass /jts https://clm.example.org:9443/jts
ProxyPassreverse /jts https://clm.example.org:9443/jts
ProxyPass /ccm https://clm.example.org:9443/ccm
ProxyPassreverse /ccm https://clm.example.org:9443/ccm
ProxyPass /qm https://clm.example.org:9443/qm
ProxyPassreverse /qm https://clm.example.org:9443/qm
ProxyPass /rm https://clm.example.org:9443/rm
ProxyPassreverse /rm https://clm.example.org:9443/rm
ProxyPass /converter https://clm.example.org:9443/converter
ProxyPassreverse /converter https://clm.example.org:9443/converter
ProxyPass /clmhelp https://clm.example.org:9443/clmhelp
ProxyPassreverse /clmhelp https://clm.example.org:9443/clmhelp
#### In our example, JRS/DCC/LQE are installed on Server3, reporting.example.org, liberty profile port is 9443
ProxyPass /rs https://reporting.example.org:9443/rs
ProxyPassreverse /rs https://reporting.example.org:9443/rs
ProxyPass /dcc https://reporting.example.org:9443/dcc
ProxyPassreverse /dcc https://reporting.example.org:9443/dcc
ProxyPass /lqe https://reporting.example.org:9443/lqe
ProxyPassreverse /lqe https://reporting.example.org:9443/lqe
</VirtualHost>
KeyFile C:\IBM\HTTPServer\ihskeys.kdb
SSLStashFile C:\IBM\HTTPServer\ihskeys.sth
SSLDisable
Configuring Liberty Profiles with LDAP
Each instance of WebSphere Liberty Profile should be configured with the same user registry (ideally LDAP). The user registry settings must be identical on all servers for SSO to work. You can complete running JTS Setup during this process.
Instructions to configure the Liberty Profile with LDAP
Configuring SSO Across the Liberty Profiles
It is critical to configure Single Sign-On between these application servers so that a user only needs to log into one of the applications, and subsequent access to the other applications does not require re-authentication.
Instructions to configure Single Sign On (SSO) across the Liberty Profiles
General Guidelines for distributed setup of CLM on Liberty Profile
- To configure the reverse proxy using web server plug-ins, an installation of WebSphere Application Server is mandatory, as the MergePlugin.bat/sh file is not available outside of that installation.
- To use a no-charge IBM HTTP Server with CLM without obtaining the full installation media for WebSphere Application Server, you have to configure the reverse proxy using the mod_proxy method.
- A ProxyPass and ProxyPassreverse directive combination is required for each application to route traffic from IHS to the specific CLM application.
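The pairing rule in the last guideline can be checked mechanically before IHS is restarted. The following Python script is an added example, not part of the original article or of any IBM tooling; it audits a constructed sample configuration, and the function names and the https check on back-end URLs are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not the article's configuration: /rm is paired with a
# reverse mapping for /qm, /dcc has no reverse mapping, /lqe uses plain http.
SAMPLE_CONF = """\
<VirtualHost *:443>
ProxyPass /jts https://clm.example.org:9443/jts
ProxyPassReverse /jts https://clm.example.org:9443/jts
ProxyPass /rm https://clm.example.org:9443/rm
ProxyPassreverse /qm https://clm.example.org:9443/qm
# ProxyPass /old https://clm.example.org:9443/old
ProxyPass /dcc https://reporting.example.org:9443/dcc
ProxyPass /lqe http://reporting.example.org:9080/lqe
ProxyPassReverse /lqe http://reporting.example.org:9080/lqe
</VirtualHost>
"""

DIRECTIVE = re.compile(r"^\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+(\S+)", re.I)

def parse_proxy_rules(conf_text):
    """Return two {path: backend} maps: ProxyPass and ProxyPassReverse."""
    forward, reverse = {}, {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # lines starting with '#' never match
        if m:
            name, path, backend = m.groups()
            target = forward if name.lower() == "proxypass" else reverse
            target[path] = backend
    return forward, reverse

def audit_proxy_rules(conf_text):
    """List missing or mismatched reverse mappings and non-TLS back ends."""
    forward, reverse = parse_proxy_rules(conf_text)
    findings = []
    for path, backend in sorted(forward.items()):
        if path not in reverse:
            findings.append(f"{path}: no ProxyPassReverse")
        elif reverse[path] != backend:
            findings.append(f"{path}: ProxyPassReverse points to {reverse[path]}")
        if urlsplit(backend).scheme != "https":
            findings.append(f"{path}: backend is not https")
    for path in sorted(set(reverse) - set(forward)):
        findings.append(f"{path}: ProxyPassReverse without ProxyPass")
    return findings

if __name__ == "__main__":
    for finding in audit_proxy_rules(SAMPLE_CONF):
        print(finding)
```

To audit a real file, pass the contents of httpd.conf to audit_proxy_rules; an empty list means every proxied context root has a matching reverse mapping and an https back end.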