You can create a secure proxy profile to serve as the initial
point of entry into your enterprise environment. Typically, a secure
proxy server exists in the demilitarized zone (DMZ), accepts requests
from clients on the Internet, and forwards the requests to servers
in your enterprise environment.
Before you begin
Before you use the Profile Management Tool, install the core
product files. You can create two different secure proxy profiles
depending on which core product files you install. The core product
files could either be for a WebSphere® Application Server, Network Deployment installation
or a DMZ Secure Proxy Server installation. Read about the profiles
created for the different installations in About this task.
Supported configurations: The Profile Management Tool is the graphical user interface for the manageprofiles command and is supported only on AIX®, Linux, and Windows. On HP-UX, IBM® i, and Solaris, use the manageprofiles command instead.
You must
provide enough system temporary space to create a profile. For information, read about the file
system requirements for profiles.
Attention: When you launch the Profile Management Tool, the tool can lock up in the following situation for a non-root user: log in to a machine as root, use the SetPermissions utility to change the user from x to y, and then log back in to the machine as user x. Launch the Profile Management Tool, click Profile Management Tool, and click Create. The next click after the click on Create can lock up the tool.
About this task
After installing the core product files for the product,
you must create a profile. This procedure describes creating a secure
proxy profile using the graphical user interface that is provided
by the Profile Management Tool. You
can also use the manageprofiles command to create
a secure proxy profile. See the description of the manageprofiles command for
more information.
You can create profiles with the Profile Management Tool
using the typical profile creation process or the advanced profile creation process. The typical
profile creation process uses default settings and assigns unique port values. You can optionally
set values as allowed. For the advanced profile creation process you can accept the default values,
or specify your own values.
You
can create two different profiles for the DMZ Secure Proxy Server
using this task. You can create a secure proxy server profile on a WebSphere Application Server, Network Deployment installation.
However, you can only configure this profile in a WebSphere Application Server, Network Deployment installation.
To use the secure proxy server of the profile, you must export the
profile from the WebSphere Application Server, Network Deployment environment
and then import it into the DMZ Secure Proxy Server installation.
Read about exporting and importing the secure proxy profile in the
topic about the ConfigArchiveOperations command group for the AdminTask
object. Alternatively, you can create a secure proxy server profile
on a DMZ Secure Proxy Server installation. In this situation the secure
proxy server does not have a web container, and so cannot host an
administrative console. To administer this secure proxy server, you
must employ wsadmin scripting commands.
- Start the Profile Management Tool to create a new runtime environment.
You can use one of the following ways to start the tool.
- At the end of installation, select the check box to launch the Profile Management Tool.
- Issue the command to open the WebSphere Customization Toolbox directly from a command prompt; then, open the Profile Management Tool.
- Select the WebSphere Customization Toolbox option from the First steps console; then, open the Profile Management Tool.
- On Windows, use the Start menu to access the WebSphere Customization Toolbox; then, open the Profile Management Tool.
- On Linux, use the operating system menus that are used to start programs to start the WebSphere Customization Toolbox; then, open the Profile Management Tool.
- Click Create on the Profiles tab to create a new profile.
The Profiles tab contains a list of profiles that have been created on your machine. No action
can be done on a selected profile unless the profile can be augmented. The Augment button is greyed
out unless a profile that you select can be augmented.
The tool displays the Environment selection panel.
- Select Secure proxy (configuration only) for
the WebSphere Application Server, Network Deployment image,
or Secure proxy for the DMZ image, and click Next.
The Profile creation options panel is displayed.
- Select either Typical profile creation or Advanced profile creation, and click
Next.
The Typical profile creation option creates a profile that uses default configuration
settings. With the Advanced profile creation option, you can specify your own configuration
values for a profile.
- If you selected Typical profile creation at
the beginning of these steps, then go to the step that displays the administrative
security.
- Specify a name for the profile and the directory path for the profile directory, or accept the
default values. Then, click Next.
Profile naming guidelines: Double-byte characters are supported. The profile name
can be any unique name with the following restrictions. Do not use any of the following characters
when naming your profile:
- Spaces
- Special characters that are not supported within the name of a directory on your operating
system, such as *&?
- Slashes (/) or (\)
The default profile
The first profile that you create on a machine is the default profile. The default
profile is the default target for commands that are issued from the bin
directory in the product installation root. When only one profile exists on a machine, every command
works on the single server process in the configuration. You can make another profile the
default profile when you create that profile by checking Make this profile the default on the
Profile name and location panel of the Advanced profile creation path. You can also make
another profile the default profile using the manageprofiles command after you create the
profile.
Addressing a profile in a multiprofile environment
When multiple profiles exist on a machine, certain commands require that you specify
the profile to which the command applies if the profile is not the default profile. These commands
use the -profileName parameter to identify which profile to address. You might find it easier to use
the commands that are in the bin directory of each profile.
Use these commands to query the command shell to determine the calling profile and to
address these commands to the calling profile.
Default profile information
The default profile name is <profile_type><profile_number>:
- <profile_type> is a value of AppSrv, Dmgr, Custom, AdminAgent, JobMgr, or SecureProxySrv.
- <profile_number> is a sequential number that is used to create a unique profile name.
AIX: The default profile directory is app_server_root/profiles, where app_server_root is the installation root.
Windows: The default profile directory is app_server_root\profiles, where app_server_root is the installation root.
- On the Node and Host Names panel, specify a unique node
name, a server name, and the actual host name of the machine. Click Next.
Table 1. Characteristics of the secure proxy server node. This table shows the characteristics of the secure proxy server node.

| Field name | Default value | Constraints | Description |
|---|---|---|---|
| Node name | shortHostNameNodeNodeNumber, where shortHostName is the short host name and NodeNumber is a sequential number starting at 01. | Use a unique name for the secure proxy server. | The name is used for administration within the deployment manager cell. |
| Server name | proxy1 | Specifies a logical name for the server. Server names must be unique within a node. However, for multiple nodes within a cluster, you might have different servers with the same server name as long as the server and node pair are unique. | The server name is used for administration within the deployment manager cell. |
| Host name | The long form of the domain name server (DNS) name. | The host name must be addressable through your network. | Use the actual DNS name or IP address of your machine to enable communication with your machine. See additional information about the host name that follows this table. |
Reserved names: Avoid using reserved folder names as field values. The use of
reserved folder names can cause unpredictable results. The following terms are reserved folder
names:
- cells
- nodes
- servers
- clusters
- applications
- deployments
- Directory path length: The number of characters in the profiles_directory_path\profile_name directory must be less than or equal to 80 characters.
- Host name considerations:
The host name is the network name for the physical machine on which the node is
installed. The host name must resolve to a physical network node on the server. When multiple
network cards exist in the server, the host name or IP address must resolve to one of the network
cards. Remote nodes use the host name to connect to and communicate with this node. Selecting a host
name that other machines can reach within your network is important. Do not use the generic
identifier, localhost, for this value. Also, do not attempt to install WebSphere
Application Server products on a machine with a host name that uses characters from a double-byte
character set (DBCS). DBCS characters are not supported when used in the host name.
If you define coexisting nodes on the same computer with unique IP addresses, then
define each IP address in a domain name server (DNS) look-up table. Configuration files for
standalone application servers do not provide domain name resolution for multiple IP addresses on a
machine with a single network address.
The value that you specify for the host name is used as the value of the hostName
property in configuration documents for the standalone application server. Specify the host name
value in one of the following formats:
- Fully qualified domain name server (DNS) host name string, such as
xmachine.manhattan.ibm.com
- The default short DNS host name string, such as xmachine
- Numeric IP address, such as 127.1.255.3
The fully qualified DNS host name has the advantages of being unambiguous and
flexible. You have the flexibility of changing the actual IP address for the host system without
having to change the application server configuration. This value for the host name is particularly
useful if you plan to change the IP address frequently when using Dynamic Host Configuration
Protocol (DHCP) to assign IP addresses. A disadvantage of this format is dependency on DNS. If DNS
is not available, then connectivity is compromised.
The short host name is also dynamically resolvable. A short name format has the added
function of being redefined in the local hosts file so that the system can run the application
server, even when disconnected from the network. To run disconnected, define the short name as the
loopback address, 127.0.0.1, in the hosts file. A disadvantage of this format is a dependency on
DNS for remote access. If DNS is not available, then connectivity is compromised.
A numeric IP address has the advantage of not requiring name resolution through DNS.
A remote node can connect to the node that you name with a numeric IP address without DNS being
available. A disadvantage of this format is that the numeric IP address is fixed.
After displaying the node name, server name, and
host name for the secure proxy profile, the tool displays the Security
Level Selection panel.
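The naming rules for the profile name (no spaces, no `*&?`, no slashes, path of at most 80 characters), the reserved folder names, and the host name rules (never localhost, no DBCS characters, one of the three DNS or IP formats) are easy to get wrong on the panels. The following Python script is an added example, not part of the product or of this page, that applies those rules to candidate values before you type them into the tool; its treatment of "DBCS characters" as any non-ASCII character is an assumption.

```python
import ipaddress
import re

# Reserved folder names from this page; do not use them as field values.
RESERVED_NAMES = {"cells", "nodes", "servers", "clusters", "applications", "deployments"}
# Characters this page forbids in a profile name: spaces, *&?, and both slashes.
FORBIDDEN_CHARS = set(" *&?/\\")
MAX_PATH_LEN = 80  # profiles_directory_path/profile_name must be <= 80 characters
DNS_NAME = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*"
)


def check_profile_name(profile_name, profiles_directory_path):
    """Return the list of rule violations for a proposed profile name (empty means OK)."""
    problems = []
    bad = sorted(FORBIDDEN_CHARS & set(profile_name))
    if bad:
        problems.append("profile name contains forbidden characters: %s" % "".join(bad))
    if profile_name.lower() in RESERVED_NAMES:
        problems.append("profile name %r is a reserved folder name" % profile_name)
    # The separator does not change the count, so "/" is used for both platforms.
    full_path = profiles_directory_path.rstrip("/\\") + "/" + profile_name
    if len(full_path) > MAX_PATH_LEN:
        problems.append("profile path is %d characters; the limit is %d"
                        % (len(full_path), MAX_PATH_LEN))
    return problems


def check_node_fields(node_name, server_name):
    """Return the node or server names that collide with the reserved folder names."""
    return [f for f in (node_name, server_name) if f.lower() in RESERVED_NAMES]


def classify_host_name(host):
    """Return 'ip', 'fqdn' or 'short' for an acceptable hostName value, else raise ValueError.

    Applies the page's rules: never the generic identifier localhost, and no DBCS
    characters (approximated here, as an assumption, by rejecting any non-ASCII
    character). The returned format tells you which DNS dependency you take on.
    """
    if not host or host.lower() == "localhost":
        raise ValueError("localhost is not allowed: remote nodes could not reach this node")
    if not host.isascii():
        raise ValueError("host name contains non-ASCII (DBCS) characters, which are not supported")
    try:
        ipaddress.ip_address(host)
        return "ip"  # fixed address; remote access needs no DNS
    except ValueError:
        pass
    if not DNS_NAME.fullmatch(host):
        raise ValueError("host name %r is not a valid DNS name" % host)
    # Both DNS forms depend on DNS for remote access; the short form can also be
    # pinned to 127.0.0.1 in the local hosts file to run disconnected.
    return "fqdn" if "." in host else "short"
```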
- Accept the defaults or change the proxy security level
and the protocols, and click Next.
You
can optionally change your security settings after you create the
secure proxy server profile. Read about tuning security properties
for the secured proxy server.
After displaying the security
level options, the tool displays the Administrative security panel.
- Optionally enable administrative security, and click Next.
You can enable administrative security now during profile creation, or later from
the console. If you enable administrative security now, then enter a user name and password to log
onto the administrative console.
After specifying security characteristics, the tool displays the Security
certificate panel if you previously selected Advanced profile creation.
- If you selected Typical profile creation at
the beginning of these steps, then go to the step that displays the Profile summary panel.
- Create a default personal certificate and a root signing certificate, or import a personal
certificate and a root signing certificate from keystore files, and click Next.
You can create both certificates, import both certificates, or create one certificate, and import
the other certificate.
Best practice: When you import a personal certificate as the default personal certificate,
import the root certificate that signed the personal certificate. Otherwise, the
Profile Management Tool adds the signer of the personal certificate to the
trust.p12 file.
If you import the default personal certificate or the root signing certificate, specify the path
and the password, and select the keystore type and the keystore alias for each certificate that you
import.
- Verify that the certificate information is correct, and click
Next.
If you create the certificates, you can use the default values or modify them to create new
certificates. The default personal certificate is valid for one year by default and is signed by the
root signing certificate. The root signing certificate is a self-signed certificate that is valid
for 15 years by default. The default keystore password for the root signing certificate is
WebAS. You should change the password. The password cannot contain any double-byte
character set (DBCS) characters because certain keystore types, including PKCS12, do not support
these characters. The keystore types that are supported depend on the providers in the java.security
file.
When you create either or both certificates, or import either or both certificates, the keystore
files that are created are key.p12, trust.p12, root-key.p12, default-signers.p12, deleted.p12, and
ltpa.jceks. These files all have the same password when you create or import the certificates, which
is either the default password, or a password that you specify. The key.p12 file contains the
default personal certificate. The trust.p12 file contains the signer certificate from the default
root certificate. The root-key.p12 file contains the root signing certificate. The
default-signers.p12 file contains signer certificates that are added to any new keystore file that
you create after the server is installed and running. By default, the default root certificate
signer and a DataPower® signer certificate are in the default-signers.p12 keystore file. The deleted.p12
keystore file is used to hold certificates deleted with the deleteKeyStore task so that they can be
recovered if needed. The ltpa.jceks file contains server default Lightweight Third-Party
Authentication (LTPA) keys that the servers in your environment use to communicate with each
other.
An imported certificate is added to the key.p12 file or the root-key.p12 file.
If you import any certificates and the certificates do not contain the information that you want,
click Back to import another certificate.
After displaying the Security certificate panels, the tool displays the Ports panel if you
previously selected Advanced profile creation.
- Verify that the ports within the secure proxy profile are
unique, or intentionally conflicting, and click Next.
Port conflict resolution
Ports are recognized as being in use if one of the following conditions exists:
- The ports are assigned to a profile created from an installation that is performed by the
current user.
- The port is currently in use.
Validation of ports occurs when you access the Port value assignment panel. Conflicts can still
occur between the Port value assignment panel and the Profile creation complete panel because ports
are not assigned until profile creation completes.
If you suspect a port conflict, then you can investigate the port conflict after the
profile is created. Determine the ports that are used during profile creation by examining the
following files.
AIX: profile_root/properties/portdef.props
Windows: profile_root\properties\portdef.props
Included in this file are the keys and values that are used in setting the ports. If you
discover ports conflicts, then you can reassign ports manually. To reassign ports, run the
updatePorts.ant file by using the ws_ant script.
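To investigate a suspected conflict before reassigning ports with updatePorts.ant, the following Python script, added here as an example and not part of the product, applies the two "in use" conditions listed above to a portdef.props file: it parses the KEY=port lines, compares them with the portdef.props files of other profiles that this user created, and probes whether a port currently accepts connections on the local host. The property keys in the embedded sample file are constructed for illustration, not copied from a real profile.

```python
import socket

# Constructed sample of a new profile's properties/portdef.props (keys assumed).
SAMPLE_PORTDEF = """\
# constructed sample, not a real file
PROXY_HTTP_ADDRESS=80
PROXY_HTTPS_ADDRESS=443
SOAP_CONNECTOR_ADDRESS=8880
BOOTSTRAP_ADDRESS=2809
IPC_CONNECTOR_ADDRESS=9633
"""


def parse_portdef(text):
    """Parse Java-properties style KEY=port lines into {key: int}; skip comments and blanks."""
    ports = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        ports[key.strip()] = int(value.strip())
    return ports


def port_is_listening(port, host="127.0.0.1"):
    """True if something on this host already accepts TCP connections on the port.

    Only the loopback interface is probed; a listener bound to another interface
    is not detected by this check.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(0.2)
        return s.connect_ex((host, port)) == 0


def find_port_conflicts(this_profile, other_profiles, in_use=port_is_listening):
    """Return (key, port, reason) tuples for every conflicting port of a profile.

    this_profile:   text of the new profile's portdef.props
    other_profiles: {profile_name: portdef text} for profiles already created by
                    this user (first condition on the page)
    in_use:         predicate for "the port is currently in use" (second
                    condition); injectable so the check can run against a fake
    """
    mine = parse_portdef(this_profile)
    taken = {}  # port -> ["profile:KEY", ...] from the other profiles
    for name, text in other_profiles.items():
        for key, port in parse_portdef(text).items():
            taken.setdefault(port, []).append("%s:%s" % (name, key))
    conflicts = []
    seen = {}  # port -> first key in this profile that claimed it
    for key, port in mine.items():
        if port in seen:
            conflicts.append((key, port, "duplicated within this profile by %s" % seen[port]))
        seen.setdefault(port, key)
        if port in taken:
            conflicts.append((key, port, "assigned to " + ", ".join(taken[port])))
        elif in_use(port):
            conflicts.append((key, port, "currently in use on this host"))
    return conflicts
```

In a live check, read each profile's portdef.props from disk and leave `in_use` at its default so the loopback probe runs.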
The tool displays the Windows service definition panel if you are installing on a Windows operating system and the installation ID has the administrative group privilege. The tool displays the Linux service definition panel if you are installing on a supported Linux operating system and the ID that runs the Profile Management Tool is the root user.
- Choose whether to run the secure proxy server as a Windows service on a Windows operating system or as a Linux service on a Linux operating system, and click Next.
The Windows service definition panel is displayed for the Windows operating system only if the ID that installs the Windows service has the administrator group privilege. However, you can run the WASService.exe command to create the Windows service as long as the installer ID belongs to the administrator group. Read about automatically restarting server processes for more information.
The product attempts to start Windows services for secure proxy processes
that are started by a startServer command. For example, if you configure
a secure proxy server as a Windows service
and issue the startServer command, then the wasservice command
attempts to start the defined service.
If you chose to install a local system service, then you do not have to specify your
user ID or password. If you create a specified user type of service, then you must specify the user
ID and the password for the user who runs the service. The user must have Log on as a
service authority for the service to run correctly. If the user does
not have Log on as a service authority, then the Profile Management tool
automatically adds the authority.
To perform this profile creation task, the user ID must not contain spaces. In
addition to belonging to the administrator group, the ID must also have the advanced user privilege
of Log on as a service. The Installation program grants the user ID the advanced
user access if the user ID does not already have the advanced user privileges and if the user ID
belongs to the administrator group.
You can also create other Windows services after the installation is complete to start
other server processes. Read about automatically restarting server processes for more
information.
You can remove the Windows service that is added during profile creation during profile
deletion. You can also remove the Windows service with the wasservice command.
IPv6 considerations
Profiles created
to run as a Windows service
fail to start when using Internet Protocol Version 6.0 (IPv6) if
the service is configured to run as local system. Create a user-specific
environment variable to enable IPv6. Since this environment variable
is a user variable instead of a local system variable, only a Windows service that runs as
that specific user can access this environment variable. By default,
when a new profile is created and configured to run as a Windows service, the service is set to run
as local system. When the Windows service
for the secure proxy server process attempts to run, the service is
unable to access the user environment variable that specifies IPv6,
and thus attempts to start as IPv4. The server does not start correctly
in this case. To resolve the problem, when creating the profile, specify
that the Windows service
for the secure proxy server process runs as the same user ID from
which the environment variable that specifies IPv6 is defined, instead
of as Local System.
The following default values for the Windows service definition
panel exist:
- The default is to run as a Windows service.
- The service process is selected to run as a system account.
- The user account is the current user name. User name requirements are the requirements that the
Windows
operating system imposes for a user ID.
- The startup type is automatic. The values for the startup type are those values
that the Windows operating system imposes. If you want a startup type other than
automatic, you can either select another available option from the menu or change
the startup type after you create the profile. You can also remove the created service after profile
creation, and add it later with the desired startup type. You can choose not to create a service at
profile creation time and optionally create the service later with the desired startup type.
The Linux service definition panel is displayed if the current operating system is a supported version of the Linux operating system, and the current user has the appropriate permissions.
The product attempts to start Linux services for application server processes that are started
by a startServer command. For example, if you configure an application server as a Linux service and
issue the startServer command, then the wasservice command attempts to start the defined
service.
By default, the product is not selected to run as a Linux service.
To create the service, the user that runs the Profile Management Tool must be the root user. If you run the Profile Management Tool with a non-root user ID, then the Linux service
definition panel is not displayed, and no service is created.
When you create a Linux service, you must specify a user name from which the service runs.
To delete a Linux service, the user must be the root user or have appropriate privileges
for deleting the service. Otherwise, a removal script is created that the root user can run to
delete the service for the user.
The tool displays
the Profile creation summary panel.
- Click Create to create
the secure proxy server profile, or click Back to
change the characteristics of the profile.
The Profile creation progress panel, which shows the configuration commands that
are running, is displayed.
When the profile creation completes, the tool displays the Profile creation
complete panel.
- If the secure proxy profile that you are creating is part
of the DMZ Secure Proxy Server for IBM WebSphere Application Server installation,
optionally select Launch the First steps console.
Click Finish to exit.
With the
First steps console, you can create additional profiles, and start
the application server.
If the secure proxy profile that you
are creating is part of the WebSphere Application Server, Network Deployment installation,
you do not have the option of launching the First steps console.
What to do next
The secure proxy server can accept requests from clients
on the Internet and forward the requests to servers in your enterprise
environment.
The secure proxy profile is available both on the WebSphere Application Server, Network Deployment and the DMZ
images. You cannot start the profile on the WebSphere Application Server, Network Deployment image. The profile
is used only for configuration on an administrative console. After
you configure the profile, you can export it and then import it into
the secure proxy profile of the DMZ image. The secure proxy profile
is fully operational on the DMZ image.