We bundle WebSphere Liberty as the default application server with ELM and this article will focus on configuring a distributed deployment of ELM using WebSphere Liberty. Here are a couple of scenarios where we would need a distributed setup.
The steps in this article are intended as a guideline to help set up and configure a distributed deployment of ELM on Liberty Profile. We have included additional links within this article that will help in configuring LDAP, SSO for Liberty and additional IHS configurations.
For the purposes of this article we will use three separate servers configured as follows:
Install ELM applications on different machines using IBM Installation Manager
[JAZZ_HOME]\server\liberty\servers\clm\conf\application.xml
and comment out the application lines for those that were not installed on Server 2
[JAZZ_HOME]\server\liberty\servers\clm\conf\application.xml
and comment out the application lines for those that were not installed on Server 1
[JAZZ_HOME]\server\liberty\servers\clm\conf\application.xml
and comment out the application lines for those that were not installed on Server 3
If your organization has a copy of the WebSphere Application Server Supplements repository downloaded via Passport Advantage, you can use that repository to install IBM HTTP Server and WebSphere Plugins using IBM Installation Manager on Server 1
OR
JAVA_HOME to jre folder
postinstall
from IHS home
After installation, we have to create a new key database for certificates and a self-signed certificate, enable the SSL directives in the IBM HTTP Server configuration file (httpd.conf), and enable the support modules. We then complete the configuration using one of the methods for redirecting traffic to the Liberty profiles.
New Keystore
security.provider.10=com.ibm.security.cmskeystore.CMSProvider
In Java 8, the java.security file is located in this directory:
.../java/8.0/jre/lib/security/java.security
In Java 11, the java.security file is located in this directory:
.../java/11.0/jre/conf/security/java.security
gskcapicmd.bat -keydb -create -db key.p12 -pw secret -stash -type PKCS12
gskcapicmd.bat -cert -create -db key.p12 -pw secret -dn CN=elm7031,DC=fyre,DC=ibm,DC=com -label IHS -size 2048
gskcapicmd.bat -cert -list -db key.p12 -pw secret
gskcapicmd.bat -cert -details -db key.p12 -pw secret -label IHS
The configuration steps are: generate the plugin file from each Liberty server hosting ELM applications, merge the plugin files into one, and include the path to the merged plugin file in IHS.
From version 6.0.5, the plugin-cfg.xml file for each application server instance is generated automatically during startup. It is created in the following location:
[JAZZ_HOME]\server\liberty\servers\clm\logs\state
Follow these steps to copy the plugin file and the ELM certificate to the IHS server:
[JAZZ_HOME]\server\liberty\servers\clm\resources\security
(All Application Servers) to [WebSphere_PluginInstall]\Plugins\config\WebServer1
(IHS plugin folder) and rename it.
[JAZZ_HOME]\server\liberty\servers\logs\state\plugin-cfg.xml
to [WebSphere_PluginInstall]\Plugins\config\WebServer1\plugin-cfg.xml
You need to run clm once to generate the plugin file.
<?xml version="1.0" encoding="UTF-8"?>
<!--HTTP server plugin config file for WebServer1 generated on 2016.05.17 at 16:14:49 PDT-->
<Config ASDisableNagle="false" AcceptAllContent="false" AppServerPortPreference="HostHeader" ChunkedResponse="false" FIPSEnable="false" IISDisableNagle="false" IISPluginPriority="High" IgnoreDNSFailures="false" RefreshInterval="60" ResponseChunkSize="64" SSLConsolidate="false" TrustedProxyEnable="false" VHostMatchingCompat="false">
    <Log LogLevel="Error" Name="C:\IBM\WebShere\Plugins\logs\WebServer1\http_plugin.log"/>
    <Property Name="ESIEnable" Value="true"/>
    <Property Name="ESIMaxCacheSize" Value="1024"/>
    <Property Name="ESIInvalidationMonitor" Value="false"/>
    <Property Name="ESIEnableToPassCookies" Value="false"/>
    <Property Name="PluginInstallRoot" Value="C:\IBM\WebShere\Plugins"/>
    <!-- Configuration generated using httpEndpointRef=defaultHttpEndpoint-->
    <!-- The default_host contained only aliases for endpoint defaultHttpEndpoint. The generated VirtualHostGroup will contain only configured web server ports: webserverPort=80 webserverSecurePort=443 -->
    <VirtualHostGroup Name="default_host">
        <VirtualHost Name="*:80"/>
        <VirtualHost Name="*:443"/>
    </VirtualHostGroup>
    <ServerCluster CloneSeparatorChange="false" GetDWLMTable="false" IgnoreAffinityRequests="true" LoadBalance="Round Robin" Name="WebServer1_default_node_Cluster" PostBufferSize="0" PostSizeLimit="-1" RemoveSpecialHeaders="true" RetryInterval="60">
        <Server CloneID="8192ea2e-0dc3-4d34-9766-dc7240d46b43" ConnectTimeout="5" ExtendedHandshake="false" MaxConnections="-1" Name="default_node_WebServer1" ServerIOTimeout="900" WaitForContinue="false">
            <Transport Hostname="192.168.199.254" Port="9080" Protocol="http"/>
            <Transport Hostname="192.168.199.254" Port="9443" Protocol="https">
                <Property Name="keyring" Value="keyring.kdb"/>
                <Property Name="stashfile" Value="keyring.sth"/>
                <Property Name="certLabel" Value="LibertyCert"/>
            </Transport>
        </Server>
Examine the contents of the XML file and look for the following line:
<Log LogLevel="Error" Name= ************
<Log LogLevel="Error" Name="C:\IBM\WebShere\Plugins\logs\WebServer1\http_plugin.log"/>
<Property Name="keyring" Value="keyring.kdb"/>
<Property Name="stashfile" Value="keyring.sth"/>
<Property Name="certLabel" Value="LibertyCert"/>

<Property Name="keyring" Value="C:\IBM\WebSphere\Plugins\config\WebServer1\jts_ibm-team-ssl.p12"/>
<Property Name="stashfile" Value="C:\IBM\WebSphere\Plugins\config\WebServer1\jts_ibm-team-ssl.sth"/>
<Property Name="certLabel" Value="default"/>

<Property Name="keyring" Value="/opt/IBM/WebSphere/Plugins/config/WebServer1/jts_ibm-team-ssl.kdb"/>
<Property Name="stashfile" Value="/opt/IBM/WebSphere/Plugins/config/WebServer1/jts_ibm-team-ssl.sth"/>
<Property Name="certLabel" Value="default"/>
Because ikeyman is no longer shipped as of ELM 703, you can use the following command to stash the password of the default keystore, or of a new keystore created from the ELM applications, and use the same values when updating the plugin files.
./gskcmd -keydb -stashpw -db ../ibm-team-ssl.p12 -pw ibm-team
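As a check on the keyring edit described above, the following added example (not part of the original article or of IBM's tooling) parses a plugin-cfg.xml and reports every https Transport whose keyring or stashfile is still a relative path, or whose certLabel is still the generated LibertyCert. The cluster name, the second server entry and its address in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath, PureWindowsPath

GENERATED_LABEL = "LibertyCert"  # certLabel in the generated file shown on the page

def is_absolute(path):
    # Absolute means a Windows drive path (C:\...) or a POSIX path (/opt/...).
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()

def lint_plugin_cfg(xml_text):
    """Return (server, host:port, problem) tuples for unedited https Transports."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        for tr in server.findall("Transport"):
            if tr.get("Protocol") != "https":
                continue  # only https transports carry keyring settings
            where = f"{tr.get('Hostname')}:{tr.get('Port')}"
            props = {p.get("Name"): p.get("Value") for p in tr.findall("Property")}
            for key in ("keyring", "stashfile"):
                value = props.get(key)
                if value is None:
                    findings.append((server.get("Name"), where, f"{key} missing"))
                elif not is_absolute(value):
                    findings.append((server.get("Name"), where, f"{key} is relative: {value}"))
            if props.get("certLabel") in (None, GENERATED_LABEL):
                findings.append((server.get("Name"), where, "certLabel not updated"))
    return findings

# Constructed sample: first Server as generated (page values), second as edited (made up).
SAMPLE = r"""<Config>
  <ServerCluster Name="example_cluster">
    <Server Name="default_node_WebServer1">
      <Transport Hostname="192.168.199.254" Port="9080" Protocol="http"/>
      <Transport Hostname="192.168.199.254" Port="9443" Protocol="https">
        <Property Name="keyring" Value="keyring.kdb"/>
        <Property Name="stashfile" Value="keyring.sth"/>
        <Property Name="certLabel" Value="LibertyCert"/>
      </Transport>
    </Server>
    <Server Name="example_edited_server">
      <Transport Hostname="192.0.2.10" Port="9443" Protocol="https">
        <Property Name="keyring" Value="C:\IBM\WebSphere\Plugins\config\WebServer1\jts_ibm-team-ssl.p12"/>
        <Property Name="stashfile" Value="C:\IBM\WebSphere\Plugins\config\WebServer1\jts_ibm-team-ssl.sth"/>
        <Property Name="certLabel" Value="default"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>"""

if __name__ == "__main__":
    print(*(" | ".join(f) for f in lint_plugin_cfg(SAMPLE)), sep="\n")
```

Running the same check on the merged plugin file covers every Liberty server in one pass, since each appears as its own Server element.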
IHS can only recognize one plugin file. When you have a distributed deployment, you need to merge the plugin files into a single plugin file. This can be accomplished either manually or with the Plugin Merge Tool. To merge the plugins from all application server profile instances, you can use the pluginUtility command, which is available in the Liberty version bundled with CLM version 6.0.4 onwards.
Steps to Merge the Plugins:
c:/plugins
\server\liberty\wlp\bin
pluginUtility merge --sourcePath=C:/plugins --targetPath=C:/targetDir/myMergedPluginCfg.xml
EXAMPLE
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443
## IPv6 support:
<VirtualHost *:443>
    SSLEnable
    SSLProtocolDisable SSLv2 SSLv3
    KeyFile C:\IBM\IHS\conf\key.p12
    SSLStashFile C:\IBM\IHS\conf\key.sth
</VirtualHost>
LoadModule was_ap22_module "C:\IBM\WebSphere\Plugins\bin\32bits\mod_was_ap22_http.dll"
WebSpherePluginConfig "C:\IBM\WebSphere\Plugins\config\WebServer1\plugin-cfg.xml"

LoadModule was_ap22_module "/opt/IBM/WebSphere/Plugins/bin/32bits/mod_was_ap22_http.so"
WebSpherePluginConfig "/opt/IBM/WebSphere/Plugins/config/WebServer1/plugin-cfg.xml"
Each instance of WebSphere Liberty Profile should be configured with the same user registry (ideally LDAP). The user registry settings must be identical on all servers for SSO to work. You can complete running JTS Setup during this process.
Instructions to configure the Liberty Profile with LDAP
Instructions to configure Single Sign On (SSO) across the Liberty Profiles