If you are using AIX®, tune the following operating system settings:

- TCP_KEEPINTVL
- The TCP_KEEPINTVL setting is part of a socket keep-alive protocol that enables detection of a network outage. The property specifies the interval between packets that are sent to validate the connection. When you are using WebSphere eXtreme Scale, set the value to 10. To check the current setting, run the following command:

  # no -o tcp_keepintvl

  To change the current setting, run the following command:

  # no -o tcp_keepintvl=10

  The TCP_KEEPINTVL setting is in half seconds.
- TCP_KEEPINIT
- The TCP_KEEPINIT setting is part of a socket keep-alive protocol that enables detection of a network outage. The property specifies the initial timeout value for a TCP connection. When you are using WebSphere eXtreme Scale, set the value to 40. To check the current setting, run the following command:

  # no -o tcp_keepinit

  To change the current setting, run the following command:

  # no -o tcp_keepinit=40

  The TCP_KEEPINIT setting is in half seconds.
Update the orb.properties file to modify the transport behavior of the grid. The orb.properties file is in the java/jre/lib directory.

Related topic: ORB properties
Use parameters in the startOgServer or startXsServer script. In particular, use the following parameters:

- Set heap settings with the -jvmArgs parameter.
- Set the application class path and properties with the -jvmArgs parameter.
- Set -jvmArgs parameters for configuring agent monitoring.
- Port settings
- WebSphere eXtreme Scale must open ports for communication for some transports. By default, these ports are all assigned dynamically. However, if a firewall is in use between containers, you must specify the ports explicitly. Use the following information about the ports:

  - Listener port
  - You can use the -listenerPort argument to specify the port that is used for communication between processes.
  - Core group port
  - You can use the -haManagerPort argument to specify the port that is used for failure detection. This argument is the same as peerPort. Note that core groups do not need to communicate across zones, so you might not need to set this port if the firewall is open to all the members of a single zone.
  - JMX service port
  - You can use the -JMXServicePort argument to specify the port that the JMX service should use.
  - SSL port
  - Passing -Dcom.ibm.CSI.SSLPort=1234 as a -jvmArgs argument sets the SSL port to 1234. The SSL port is the secure counterpart of the listener port.
  - Client port
  - Used in the catalog service only. You can specify this value with the -catalogServiceEndPoints argument. The value of this parameter has the format serverName:hostName:clientPort:peerPort.

Related topics: startOgServer script (ORB), startXsServer script (XIO)
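As an added example (not code from the product documentation), the following Python validates a -catalogServiceEndPoints value in the serverName:hostName:clientPort:peerPort format described above and lists the host and port pairs that a firewall between containers must allow. The comma-separated list of entries, the sample server names, hostnames and ports, and the function names are assumptions.

```python
from collections import namedtuple

CatalogEndpoint = namedtuple("CatalogEndpoint", "server_name host_name client_port peer_port")

def _parse_port(text, field, entry):
    """Return the port as an int, rejecting non-numeric or out-of-range values."""
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"{field} must be 1-65535 in {entry!r}, got {text!r}")
    return int(text)

def parse_catalog_endpoints(value):
    """Parse serverName:hostName:clientPort:peerPort entries (comma-separated list assumed)."""
    endpoints = []
    for entry in value.split(","):
        parts = entry.strip().split(":")
        # Exactly four fields, and serverName/hostName must not be empty.
        if len(parts) != 4 or not all(parts[:2]):
            raise ValueError(f"expected serverName:hostName:clientPort:peerPort, got {entry!r}")
        server, host, client, peer = parts
        client_port = _parse_port(client, "clientPort", entry)
        peer_port = _parse_port(peer, "peerPort", entry)
        # Two listeners on one host cannot share a TCP port.
        if client_port == peer_port:
            raise ValueError(f"clientPort and peerPort must differ in {entry!r}")
        endpoints.append(CatalogEndpoint(server, host, client_port, peer_port))
    names = [e.server_name for e in endpoints]
    if len(names) != len(set(names)):
        raise ValueError("duplicate serverName in endpoint list")
    return endpoints

def validation_error(value):
    """Return the error message for a malformed value, or None when it is well formed."""
    try:
        parse_catalog_endpoints(value)
    except ValueError as exc:
        return str(exc)
    return None

def firewall_rules(endpoints):
    """Sorted (host, port, purpose) tuples that a firewall between containers must allow."""
    rules = set()
    for e in endpoints:
        rules.add((e.host_name, e.client_port, "clientPort"))
        rules.add((e.host_name, e.peer_port, "peerPort"))
    return sorted(rules)

# Constructed sample value: the server names, hostnames and ports are made up.
SAMPLE = "cs0:cat0.example.com:2809:6601,cs1:cat1.example.com:2809:6601"
```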
Verify that security settings are configured correctly:

- Transport (SSL)
- Application (authentication and authorization)

To verify your security settings, you can try to use a malicious client to connect to your configuration. For example, when the SSL-Required setting is configured, a client that is configured with the TCP/IP (non-SSL) transport setting or a client with the wrong trust store should not be able to connect to the server. When authentication is required, a client with no credential, such as a user ID and password, should not be able to connect to the server. When authorization is enforced, a client with no access authorization should not be granted access to the server resources.

Related topic: Security integration with external providers
Choose how you are going to monitor your environment.