You can configure the DMZ Secure Proxy Server for IBM® WebSphere® Application Server to
route requests statically or dynamically.
Before you begin
Configure your profiles and security properties before you
configure routing. See the topic Tuning the security properties for
the DMZ Secure Proxy Server for IBM WebSphere Application Server.
Decide whether you want to configure static or dynamic routing.
About this task
Static routing is performed using a flat configuration
file. Static routing is considered more secure than dynamic routing.
With dynamic routing, requests are routed through a best match mechanism
that determines the installed application or routing rule that corresponds
to a specific request. The secure proxy server will dynamically discover
the best route to a destination and distribute to servers with like
protocols.
The secure routing options are:
- Use static routing with the exportTargetTree command.
- Use dynamic routing by setting up a core group bridge tunnel.
See the topic Configuring communication with a core group that resides
on a DMZ Secure Proxy Server for IBM WebSphere Application Server.
Avoid trouble: Because the DMZ secure
proxy server resides in a different cell from the application servers,
it must be configured to trust the application server cell in order
for Secure Sockets Layer (SSL) to work properly. See the third step
in this procedure.
Use the following procedure to configure
static or dynamic secure routing.
Procedure
- To configure static routing, follow these steps:
Avoid trouble: The server(s) that are involved in
the proxy configuration must be active when the wsadmin tool is used
to query and export the TargetTree.XML file.
- Set the secure proxy server to use static routing, which
is the default level after installation. You can do this by either
setting the overall security level to high or by
setting the custom security level for the routing property to static.
- Use the wsadmin tool to query for the TargetTreeMbean
mbean.
mbean=AdminControl.queryNames('*:*,type=TargetTreeMbean,process=dmgr')
- If your application uses Servlet 3.0 dynamic cookies,
start the application that uses dynamic cookies.
- Invoke the exportTargetTree method on the TargetTree
mbean to a specified XML file.
AdminControl.invoke(mbean, 'exportTargetTree', '/opt/IBM/WebSphere/AppServer/targetTree.xml')
The
static routing file is a special type of routing file that the proxy
server uses to route a request from the proxy server directly to an
application server. It is not used to route requests from the Web
server plug-in to an application server.
- Using the deployment manager command line, transfer
the targetTree.xml file from the deployment manager
to the profile_root/staticRoutes directory
for the proxy server.
The file is transferred from the
deployment manager to the proxy server by FTP or some other protocol.
If
your secure proxy server is interfacing with multiple cells, you can
add the static routing file for each cell to the profile_root/staticRoutes directory.
The secure proxy server considers any xxx.xml file
that is included in the profile_root/staticRoutes directory
a static routing file. The file does not have to be named targetTree.xml.
When
you add multiple xxx.xml files
to the profile_root/staticRoutes directory
for a secure proxy server, the secure proxy server merges the content
of all of these files. The result of this merge is a single static
routing file that the secure proxy server can use to route requests
to servers in any of the cells.
Avoid trouble: The
merger process does not include any files in subdirectories of the
profile_root/staticRoutes directory.
Therefore the secure proxy server does not use any content that is
contained in files located in any subdirectory when it routes requests
to servers.
Any attribute change that affects the content
of the static routing file, such as a virtual host change, addition
or deletion of a proxy server cluster member, a change in weight of
a proxy server cluster member, or the installation or uninstallation
of an application, automatically regenerates the static routing file.
- Start the proxy server from the system command line:
profile_root/startServer proxy_server_name
- To configure dynamic routing, follow these steps:
- Configure the core group bridge in the application server
cell. See the topic Configuring communication with a core group that
resides on a DMZ Secure Proxy Server for IBM WebSphere Application Server.
- Export the tunnel template settings to a file. From
the wsadmin tool, use the exportTunnelTemplate command to export the
settings, as in the following example:
AdminTask.exportTunnelTemplate('[-tunnelTemplateName exportedTunnelTemplate -outputFileName tunnelTemplate1.props]')
- Import the tunnel template settings into the DMZ proxy
configuration, as in the following example:
AdminTask.importTunnelTemplate('[-inputFileName tunnelTemplate1.props -bridgeInterfaceNodeName DMZNode01 -bridgeInterfaceServerName DMZProxyServer01]')
- Start the proxy server from the system command line:
profile_root/startServer proxy_server_name
- To configure SSL communications, follow these steps:
- Configure the ssl.client.props properties
file using the retrieveSigners command. See the information center
topic on using the retrieveSigners command for more details.
- The com.ibm.ssl.trustStore property should be set to
point to the secure proxy server trust.p12 file.
For example:
${user.root}/config/cells/SecureProxyCell1/nodes/SecureProxyNode1/trust.p12
- Specify the truststore name of the cell in which the
application servers reside when running the command. By default, its
name is CellDefaultTrustStore. The retrieveSigners command can then
be used to update the secure proxy server to trust the application
server cell:
retrieveSigners CellDefaultTrustStore AnotherTrustStore -host mybackendDmgr.location.com -port 8879
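Added example, not IBM code: a Python audit of the profile_root/staticRoutes directory that applies the merge rules from the static routing step (top-level .xml files are merged, files in subdirectories are ignored) and also flags files that are not well-formed or are group- or world-writable after the transfer. The function names, sample file names and XML content are constructed for illustration; the real targetTree.xml schema is not assumed.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET


def audit_static_routes(static_routes_dir):
    """Report which files the proxy would merge, per the rules on this page."""
    report = {"merged": [], "ignored": [], "broken": [], "writable": []}
    for root, _dirs, files in os.walk(static_routes_dir):
        top_level = os.path.samefile(root, static_routes_dir)
        for name in sorted(files):
            if not name.endswith(".xml"):  # assumption: case-sensitive suffix match
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, static_routes_dir)
            if not top_level:
                report["ignored"].append(rel)  # subdirectory: never merged
                continue
            report["merged"].append(rel)
            try:
                ET.parse(path)  # well-formedness only; the schema is not checked
            except ET.ParseError:
                report["broken"].append(rel)
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                report["writable"].append(rel)  # routing data others can rewrite
    return report


def build_sample_tree():
    """Constructed sample directory; names and XML content are made up."""
    base = tempfile.mkdtemp(prefix="staticRoutes_")
    samples = {
        "cellA.xml": "<routes cell='A'/>",
        "cellB.xml": "<routes cell='B'>",  # simulates a truncated transfer
        os.path.join("old", "cellC.xml"): "<routes cell='C'/>",
        "notes.txt": "not a routing file",
    }
    for rel, body in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o640)
    os.chmod(os.path.join(base, "cellA.xml"), 0o666)  # deliberately too open
    return base


if __name__ == "__main__":
    print(audit_static_routes(build_sample_tree()))
```

Run it against the real profile_root/staticRoutes path on the proxy host before starting the server; an entry under "ignored" means routes for that cell will silently be missing from the merged result.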
Results
Completing this procedure results in configuring secure routing
for a
DMZ Secure Proxy Server for IBM WebSphere Application Server.
What to do next
You can now start and begin to use the
DMZ Secure Proxy Server for IBM WebSphere Application Server.