If you are using AIX®, tune the following operating system settings:
- TCP_KEEPINTVL
- The TCP_KEEPINTVL setting is part of the socket keep-alive protocol that enables detection of a network outage. The property specifies the interval between the keep-alive packets that are sent to validate the connection. When you are using WebSphere eXtreme Scale, set the value to 10. To check the current setting, run the following command:
# no -o tcp_keepintvl
To change the current setting, run the following command:
# no -o tcp_keepintvl=10
The TCP_KEEPINTVL setting is in half-seconds, so a value of 10 is 5 seconds.
- TCP_KEEPINIT
- The TCP_KEEPINIT setting is part of the socket keep-alive protocol that enables detection of a network outage. The property specifies the initial timeout value for a TCP connection. When you are using WebSphere eXtreme Scale, set the value to 40. To check the current setting, run the following command:
# no -o tcp_keepinit
To change the current setting, run the following command:
# no -o tcp_keepinit=40
The TCP_KEEPINIT setting is in half-seconds, so a value of 40 is 20 seconds.
A change made with no -o applies to the running system only; on AIX 5.3 and later, add -p (for example, no -p -o tcp_keepintvl=10) so that the value also survives a reboot.
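The following script is an added example, not part of the IBM page: it checks both tunables against the values above, reports them in seconds as well as in the half-second units that no(1) uses, and applies them persistently. It assumes the AIX 5.3-and-later output format of `no -o NAME` (`NAME = VALUE`) and the `-p` option of the `no` command.

```shell
#!/bin/sh
# Added example (not from the IBM page): check and apply the AIX keep-alive
# tunables that the checklist calls for. Both tunables are in half-seconds,
# so 10 = 5 s between probes and 40 = 20 s initial timeout.
# Assumption: `no -o NAME` prints "NAME = VALUE" (AIX 5.3 and later).

expected_tcp_keepintvl=10
expected_tcp_keepinit=40

# current_value NAME -> prints the running value of a no(1) tunable
current_value() {
    no -o "$1" | sed -n 's/^[^=]*= *//p'
}

# to_seconds HALF_SECONDS -> converts a half-second count to seconds
to_seconds() {
    awk -v h="$1" 'BEGIN { printf "%g", h / 2 }'
}

# check_tunable NAME EXPECTED -> 0 if the running value matches, 1 otherwise
check_tunable() {
    cur=$(current_value "$1")
    if [ "$cur" = "$2" ]; then
        printf 'ok    %s = %s (%s s)\n' "$1" "$cur" "$(to_seconds "$cur")"
        return 0
    fi
    printf 'FIX   %s = %s (%s s), expected %s (%s s)\n' \
        "$1" "$cur" "$(to_seconds "$cur")" "$2" "$(to_seconds "$2")" >&2
    return 1
}

# apply_tunable NAME VALUE -> sets the running value and the next-boot value.
# -p (AIX 5.3+) persists the change; without it the setting is lost at the
# next restart, which is a common reason keep-alive tuning "stops working"
# after maintenance.
apply_tunable() {
    no -p -o "$1=$2"
}

case "${1:-}" in
    check)
        rc=0
        check_tunable tcp_keepintvl "$expected_tcp_keepintvl" || rc=1
        check_tunable tcp_keepinit  "$expected_tcp_keepinit"  || rc=1
        exit "$rc"
        ;;
    apply)
        apply_tunable tcp_keepintvl "$expected_tcp_keepintvl"
        apply_tunable tcp_keepinit  "$expected_tcp_keepinit"
        ;;
    *)
        echo "usage: $0 check|apply" >&2
        ;;
esac
```

Run `sh keepalive.sh check` on each AIX host before starting the grid; a non-zero exit means at least one tunable still has its default (150 half-seconds, or 75 s), which is long enough for a dead peer to go unnoticed by the keep-alive mechanism for more than a minute.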
Update the orb.properties file to modify the transport behavior of the grid. The orb.properties file is in the java/jre/lib directory.
Related topic: ORB properties file
Use parameters in the startOgServer script. In particular, use the following parameters:
- Set heap settings with the -jvmArgs parameter.
- Set the application class path and properties with the -jvmArgs parameter.
- Set -jvmArgs parameters for configuring agent monitoring.
- Port settings
- WebSphere eXtreme Scale has to open ports for communication for some transports. By default, these ports are all assigned dynamically. However, if a firewall is in use between containers, you must specify the ports so that fixed firewall rules can be written. Use the following information about the ports:
- Listener port
- You can use the -listenerPort argument to specify the port that is used for communication between processes.
- Core group port
- You can use the -haManagerPort argument to specify the port that is used for failure detection. This argument is the same as peerPort. Core groups do not need to communicate across zones, so you might not need to set this port if the firewall is open to all the members of a single zone.
- JMX service port
- You can use the -JMXServicePort argument to specify the port that the JMX service uses.
- SSL port
- Passing -Dcom.ibm.CSI.SSLPort=1234 as a -jvmArgs argument sets the SSL port to 1234. The SSL port is the secure peer of the listener port.
- Client port
- Used in the catalog service only. You can specify this value with the -catalogServiceEndPoints argument, whose value has the format serverName:hostName:clientPort:peerPort.
Related topic: startOgServer script
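As an added example that is not part of the IBM page, the script below builds the start commands for one catalog server and one container with every port from the list above pinned, so the same variables can drive the firewall rules. Host names, file names, the installation directory and the port numbers are assumptions; the -objectgridFile and -deploymentPolicyFile arguments name files you would supply. It also checks that the pinned ports on one host do not collide, because two servers on the same host that are given the same port cannot both start.

```shell
#!/bin/sh
# Added example (not from the IBM page): pin every startOgServer port for a
# firewalled deployment. Hosts, paths and port numbers are assumptions.

WXS_HOME=${WXS_HOME:-/opt/IBM/WebSphere/eXtremeScale}
CATALOG_HOST=catalog01.example.com
CATALOG_NAME=cs0

# Catalog server ports (clientPort and peerPort travel inside
# -catalogServiceEndPoints; peerPort is the core-group / haManager port)
CAT_CLIENT_PORT=2809
CAT_PEER_PORT=6601
CAT_LISTENER_PORT=2810
CAT_JMX_PORT=1099          # xsadmin needs to reach this one
CAT_SSL_PORT=2811          # secure peer of the listener port

# Container ports
CON_LISTENER_PORT=2820
CON_HA_PORT=6602           # -haManagerPort, the same thing as peerPort
CON_JMX_PORT=1100
CON_SSL_PORT=2821

# catalog_cmd -> prints the catalog server command line.
# -jvmArgs goes last: the script hands everything after it to the JVM.
catalog_cmd() {
    printf '%s/bin/startOgServer.sh %s' "$WXS_HOME" "$CATALOG_NAME"
    printf ' -catalogServiceEndPoints %s:%s:%s:%s' \
        "$CATALOG_NAME" "$CATALOG_HOST" "$CAT_CLIENT_PORT" "$CAT_PEER_PORT"
    printf ' -listenerPort %s -JMXServicePort %s' "$CAT_LISTENER_PORT" "$CAT_JMX_PORT"
    printf ' -jvmArgs -Dcom.ibm.CSI.SSLPort=%s\n' "$CAT_SSL_PORT"
}

# container_cmd NAME -> prints a container command line. Containers address
# the catalog service as hostName:clientPort, not the four-part form.
container_cmd() {
    printf '%s/bin/startOgServer.sh %s' "$WXS_HOME" "$1"
    printf ' -objectgridFile objectgrid.xml -deploymentPolicyFile deployment.xml'
    printf ' -catalogServiceEndPoints %s:%s' "$CATALOG_HOST" "$CAT_CLIENT_PORT"
    printf ' -listenerPort %s -haManagerPort %s -JMXServicePort %s' \
        "$CON_LISTENER_PORT" "$CON_HA_PORT" "$CON_JMX_PORT"
    printf ' -jvmArgs -Dcom.ibm.CSI.SSLPort=%s\n' "$CON_SSL_PORT"
}

# ports_distinct PORT... -> 0 when no port appears twice
ports_distinct() {
    dups=$(printf '%s\n' "$@" | sort | uniq -d)
    [ -z "$dups" ]
}

# inbound_ports ROLE -> the TCP ports a firewall must allow in to that host.
# The core-group port only needs to be open inside a zone.
inbound_ports() {
    case "$1" in
        catalog)   printf '%s %s %s %s %s\n' "$CAT_CLIENT_PORT" "$CAT_PEER_PORT" \
                       "$CAT_LISTENER_PORT" "$CAT_JMX_PORT" "$CAT_SSL_PORT" ;;
        container) printf '%s %s %s %s\n' "$CON_LISTENER_PORT" "$CON_HA_PORT" \
                       "$CON_JMX_PORT" "$CON_SSL_PORT" ;;
    esac
}

if [ "${1:-}" = show ]; then
    # shellcheck disable=SC2046
    ports_distinct $(inbound_ports catalog) $(inbound_ports container) \
        || { echo "port plan has duplicates" >&2; exit 1; }
    echo "catalog:   $(catalog_cmd)"
    echo "container: $(container_cmd c0)"
    echo "open on catalog host:   $(inbound_ports catalog)"
    echo "open on container host: $(inbound_ports container)"
fi
```

The two `inbound_ports` lists are what goes into the firewall policy; the distinctness check matters whenever a catalog server and a container share a host, which is common in small deployments.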
Verify that security settings are configured correctly:
- Transport (SSL)
- Application (Authentication and Authorization)
To verify your security settings, try to connect to your configuration with a deliberately misconfigured or malicious client. For example, when the SSL-Required setting is configured, a client that uses the TCP_IP transport setting, or a client with the wrong trust store, should not be able to connect to the server. When authentication is required, a client with no credential, such as a user ID and password, should not be able to connect to the server. When authorization is enforced, a client with no access authorization should not be granted access to the server resources. Run a correctly configured client as well, so that a rejected connection is known to be a security decision rather than a broken test setup.
Related topic: Securing the deployment environment
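The harness below is an added example, not part of the IBM page: it turns the transport checks above into negative tests that pass only when the connection is rejected, with a positive control so that an unreachable server cannot masquerade as a pass. The host, SSL port and PEM file names are assumptions, and `openssl s_client` stands in for the product's IIOP client for the SSL checks. The "no client certificate" check applies only when the server is configured to require client certificate authentication. Authentication and authorization checks need the product client and should be plugged into the same `expect_reject` and `expect_accept` functions.

```shell
#!/bin/sh
# Added example (not from the IBM page): negative tests for the SSL transport.
# Host, port and PEM file names are assumptions.

XS_HOST=${XS_HOST:-catalog01.example.com}
XS_SSL_PORT=${XS_SSL_PORT:-2811}
GOOD_CA=${GOOD_CA:-ca.pem}            # the CA that signed the server certificate
WRONG_CA=${WRONG_CA:-other-ca.pem}    # a CA that did not (the "wrong trust store")
CLIENT_CERT=${CLIENT_CERT:-client.pem}
CLIENT_KEY=${CLIENT_KEY:-client.key}

# expect_reject LABEL CMD... -> 0 when CMD fails, which is the desired outcome
expect_reject() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then
        printf 'FAIL  %s: connection accepted\n' "$label"
        return 1
    fi
    printf 'ok    %s: rejected\n' "$label"
    return 0
}

# expect_accept LABEL CMD... -> 0 when CMD succeeds. This is the positive
# control: without it a dead server or a typo in XS_HOST makes every
# expect_reject check "pass".
expect_accept() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then
        printf 'ok    %s: accepted\n' "$label"
        return 0
    fi
    printf 'FAIL  %s: rejected\n' "$label"
    return 1
}

# s_client CA [EXTRA OPTIONS] -> one TLS handshake to the SSL port.
# -verify_return_error makes openssl exit non-zero when the server
# certificate does not chain to CA, instead of just printing a warning.
s_client() {
    ca=$1; shift
    openssl s_client -connect "$XS_HOST:$XS_SSL_PORT" -CAfile "$ca" \
        -verify_return_error "$@" </dev/null
}

# run_transport_checks -> 0 only if every check has the expected outcome
run_transport_checks() {
    rc=0
    expect_accept "trusted CA with client certificate" \
        s_client "$GOOD_CA" -cert "$CLIENT_CERT" -key "$CLIENT_KEY" || rc=1
    expect_reject "wrong trust store" \
        s_client "$WRONG_CA" -cert "$CLIENT_CERT" -key "$CLIENT_KEY" || rc=1
    # Only meaningful when the server requires client certificate authentication.
    expect_reject "no client certificate" \
        s_client "$GOOD_CA" || rc=1
    return "$rc"
}

if [ "${1:-}" = run ]; then
    run_transport_checks
fi
```

A plain TCP_IP client against an SSL-Required server cannot be imitated with openssl; use the product client with its transport type set to TCP_IP for that case and wrap it in `expect_reject` in the same way.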
Choose how you are going to monitor your environment.
- xsAdmin
- The JMX ports of the catalog servers need to be visible to the xsAdmin tool. The container ports also need to be accessible for some commands that gather information from the containers.
- Vendor monitoring tools
- You can choose between the following vendor monitoring tools:
- Tivoli® Enterprise Monitoring Agent
- CA Wily Introscope
- Hyperic HQ