Configuring communication with a core group that resides on a DMZ Secure Proxy Server for IBM WebSphere Application Server

This task describes the steps that you must perform to establish communication between a cell inside of a firewall, and a DMZ Secure Proxy Server for IBM® WebSphere® Application Server outside of the firewall.

Before you begin

About this task

Avoid trouble: When configuring core group bridges, remember the following requirements:
  • Whenever a change is made in the core group bridge configuration, including the addition of a new bridge or the removal of an existing bridge, you must fully shut down, and then restart, all core group bridges in the affected access point groups.
  • There must be at least one running core group bridge in each core group. If you configure two bridges in each core group, a single server failure does not disrupt the bridge functionality. Also, configuring two bridges enables you to periodically cycle out one of the bridges. If all the core group bridges in a core group are shut down, the core group state from all foreign core groups is lost.
Best practice: It is also recommended that:
  • Core group bridges be configured in their own dedicated server process, and that these processes have their monitoring policy set for automatic restart.
  • For each of your core groups, you set the IBM_CS_WIRE_FORMAT_VERSION core group custom property to the highest value that is supported on your environment.
  • To conserve resources, do not create more than two core group bridge interfaces when you define a core group access point. You can use one interface for workload purposes and another interface for high availability. Ensure that these interfaces are on different nodes for high availability purposes. For more information, see the frequently asked question information on core group bridges.
  • You should typically specify ONLY two bridge interfaces per core group. Having at least two bridge interfaces is necessary for high availability. Having more than two bridge interfaces adds unnecessary overhead in memory and CPU.

Complete the following actions to create a tunnel access point group that contains the core group access point for the DMZ Secure Proxy Server for IBM WebSphere Application Server, and a tunnel peer access point that represents the cell that is located inside the firewall.

Procedure

  1. In the administrative console, click Servers > Core Groups > Core group bridge settings > Tunnel templates > New to create a new tunnel template that will represent the core group bridge tunnel settings that can be exported to the DMZ Secure Proxy Server for IBM WebSphere Application Server.
  2. Select the core group access points that you want to include in this group.

    When specifying the core group access points for the tunnel access point group, use the arrows to place the core group access points in the correct order. The specified order determines the order in which the DMZ Secure Proxy Server for IBM WebSphere Application Server defines the peer core groups of a tunnel peer access point. During startup, the proxy server attempts to connect to the peer core groups according to the order in which they are listed.

  3. Click OK.
  4. Click Tunnel templates, select the name of the template that you just created, and then click Export.

    The file is exported to the WAS_DMGR_PROFILE_ROOT/TUNNEL_TEMPLATE_NAME.props file.

  5. On the DMZ Secure Proxy Server for IBM WebSphere Application Server, import the tunnel template settings into the DMZ Secure Proxy Server for IBM WebSphere Application Server configuration file.
    To import the tunnel template, issue one of the following commands:
    $AdminTask importTunnelTemplate -interactive 
    or
    $AdminTask importTunnelTemplate {-inputFileName tunnel_template_name 
         -bridgeInterfaceNodeName DMZ_PROXY_NODE_NAME 
         -bridgeInterfaceServerName secure_proxy_name}

    and then issue the $AdminConfig save command.

    Where tunnel_template_name is the name that you gave the tunnel template that you just created, and secure_proxy_name is the name of your DMZ Secure Proxy Server for IBM WebSphere Application Server.

  6. Optional: Configure the high availability manager protocol to establish transparent bridge failover support.

    When a core group bridge server restarts, state information, such as WLM data, and ODR or WebSphere Application Server proxy server routing data, is lost until the state information is recovered by a bridge in the same core group. The length of time the data is lost varies depending on the number of core groups and the amount of state data, but the length of time can be a minute or longer. During this time, ODRs and WebSphere Application Server proxy servers might report 503 errors, and JNDI look-ups for objects in remote core groups might fail.

    If you are running on Version 7.0.0.1 or later, you can avoid such outages by enabling the transparent bridge failover protocol. To enable it, set the IBM_CS_HAM_PROTOCOL_VERSION custom property to 6.0.2.31 in each core group. When this custom property is set to 6.0.2.31, the remaining bridges recover the high availability state of the failed bridge without the data being unavailable in the local core group.

    Complete the following actions to set the IBM_CS_HAM_PROTOCOL_VERSION core group custom property to 6.0.2.31 for all of your core groups.

    1. Shut down all core group bridges in all of your core groups.
    2. Repeat the following actions for each core group in each of your cells:
      1. In the administrative console, click Servers > Core Groups > Core group settings > core_group_name > Custom properties.
      2. Specify IBM_CS_HAM_PROTOCOL_VERSION in the Name field, and 6.0.2.31 in the Value field.
      3. Save your changes.
    3. Synchronize your changes across the topology.
    4. Restart all of the bridges in the topology.
    All of the core groups within this topology are using the 6.0.2.31 high availability manager protocol.
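
The per-core-group console actions in step 6 can also be scripted so that no core group in a cell is missed. The following wsadmin Jython script is an added example, not IBM's code or part of the original topic; it assumes the standard AdminConfig scripting object, and the function names and the file name set_ham_protocol.py are hypothetical.

```python
# Added example (not IBM's code): wsadmin Jython for step 6, substep 2.
# Run it only while all core group bridges are shut down (substep 1).

PROP_NAME = "IBM_CS_HAM_PROTOCOL_VERSION"
PROP_VALUE = "6.0.2.31"


def split_ids(bracketed):
    # showAttribute returns a list-valued attribute as "[id1 id2 ...]" or "[]".
    text = bracketed.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return text.split()


def set_ham_protocol(admin_config, name=PROP_NAME, value=PROP_VALUE):
    """Set the custom property on every core group in the cell.

    Returns a list of (core_group_name, action) tuples, where action is
    "created", "updated" or "unchanged".
    """
    report = []
    for cg in admin_config.list("CoreGroup").splitlines():
        cg = cg.strip()
        if not cg:
            continue
        action = "created"
        props = admin_config.showAttribute(cg, "customProperties")
        for prop in split_ids(props):
            if admin_config.showAttribute(prop, "name") == name:
                if admin_config.showAttribute(prop, "value") == value:
                    action = "unchanged"
                else:
                    admin_config.modify(prop, [["value", value]])
                    action = "updated"
                break
        if action == "created":
            admin_config.create("Property", cg,
                                [["name", name], ["value", value]],
                                "customProperties")
        report.append((admin_config.showAttribute(cg, "name"), action))
    return report


try:
    _admin_config = AdminConfig  # defined only inside a wsadmin session
except NameError:
    _admin_config = None

if _admin_config is not None:
    for cg_name, action in set_ham_protocol(_admin_config):
        print("%s: %s %s" % (cg_name, PROP_NAME, action))
    _admin_config.save()
```

Run it once per cell with wsadmin -lang jython -f set_ham_protocol.py, then synchronize the changes and restart the bridges as described in substeps 3 and 4.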

Results

A tunnel access point group is created that contains the core group access point for the DMZ Secure Proxy Server for IBM WebSphere Application Server, and a tunnel peer access point that represents the cell that is located inside the firewall.




Last updated: Jun 11, 2013 8:40:09 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=v701sca&product=was-nd-mp&topic=trun_ha_cg4
File name: trun_ha_cg4.html