This task describes the steps that you must perform to
establish communication between a cell inside of a firewall, and a DMZ Secure Proxy Server for IBM® WebSphere® Application Server outside
of the firewall.
Before you begin
- Create a DMZ Secure Proxy Server for IBM WebSphere Application Server on
your machine that is outside of the firewall, if one does not already
exist.
- Configure core group bridges between your core groups that are
located inside of the firewall but reside in different cells, if
they do not already exist.
- Read the topic Advanced core group bridge configurations,
which describes how a tunnel access point group is used to set up
a core group bridge tunnel between a cell inside of a firewall, and
a DMZ Secure Proxy Server for IBM WebSphere Application Server.
About this task
Avoid trouble: When
configuring core group bridges, remember the following requirements:
- Whenever a change is made in the core group bridge configuration,
including the addition of a new bridge or the removal of an existing
bridge, you must fully shut down, and then restart, all core group bridges
in the affected access point groups.
- There must be at least one running core group bridge in each core
group. If you configure two bridges in each core group, a single server
failure does not disrupt the bridge functionality. Also, configuring
two bridges enables you to periodically cycle out one of the bridges.
If all the core group bridges in a core group are shut down, the core
group state from all foreign core groups is lost.
Best practice: It
is also recommended that:
- Core group bridges be configured in their own dedicated server
process, and that these processes have their monitoring policy set
for automatic restart.
- For each of your core groups, you set the IBM_CS_WIRE_FORMAT_VERSION
core group custom property to the highest value that is supported
on your environment.
- To conserve resources, do not create more than two core group
bridge interfaces when you define a core group access point. You can
use one interface for workload purposes and another interface for
high availability. Ensure that these interfaces are on different nodes
for high availability purposes. For more information, see the frequently
asked question information on core group bridges.
- You should typically specify ONLY two bridge
interfaces per core group. Having at least two bridge interfaces is
necessary for high availability. Having more than two bridge interfaces
adds unnecessary overhead in memory and CPU.
Complete
the following actions to create a tunnel access point group that contains
the core group access point for the DMZ Secure Proxy Server for IBM WebSphere Application Server, and
a tunnel peer access point that represents the cell that is located
inside the firewall.
Procedure
- In the administrative console, click to create a new tunnel template that
will represent the core group bridge tunnel settings that can be exported
to the DMZ Secure Proxy Server for IBM WebSphere Application Server.
- Select the core group access points that you want to include
in this group.
When specifying the core group access
points for the tunnel access point group, use the arrows to place
the core group access points in the correct order. The specified
order determines the order in which the DMZ Secure Proxy Server for IBM WebSphere Application Server defines
the peer core groups of a tunnel peer access point. During startup,
the proxy server attempts to connect to the peer core groups according
to the order in which they are listed.
- Click OK.
- Click Tunnel templates, select the
name of the template that you just created, and then click Export.
The file is exported to the WAS_DMGR_PROFILE_ROOT/TUNNEL_TEMPLATE_NAME.props
file.
- On the DMZ Secure Proxy Server for IBM WebSphere Application Server, import
the tunnel template settings into the DMZ Secure Proxy Server for IBM WebSphere Application Server configuration
file.
To import the tunnel template, issue one of the
following commands:
$AdminTask importTunnelTemplate -interactive
or
$AdminTask importTunnelTemplate {-inputFileName tunnel_template_name
-bridgeInterfaceNodeName DMZ_PROXY_NODE_NAME
-bridgeInterfaceServerName secure_proxy_name}
and
then issue the $AdminConfig save command.
Where tunnel_template_name is
the name that you gave the tunnel template that you just created,
DMZ_PROXY_NODE_NAME is the name of the node on which the proxy server runs,
and secure_proxy_name is the name of your DMZ Secure Proxy Server for IBM WebSphere Application Server.
- Optional: Configure the high
availability manager protocol to establish transparent bridge failover
support.
During core group bridge state rebuilds, cross-core
group state can be moved between running bridges. This situation
might cause the data to be temporarily unavailable until the bridge
has completed the rebuild process.
If you are running on Version
7.0.0.1 or later, set the IBM_CS_HAM_PROTOCOL_VERSION core group custom
property to 6.0.2.31 for all of your core
groups to avoid a possible high availability state outage during core
group bridge failover. When this custom property is set to 6.0.2.31,
the remaining bridges recover the high availability state of the
failed bridge without the data being unavailable in the local core
group.
Complete the following actions to set the IBM_CS_HAM_PROTOCOL_VERSION
core group custom property to 6.0.2.31 for
all of your core groups.
- Shut down all core group bridges in all of your core
groups.
- Repeat the following actions for each core group in
each of your cells:
- In the administrative console, click core_group_name >
Custom properties.
- Specify IBM_CS_HAM_PROTOCOL_VERSION in
the Name field, and 6.0.2.31 in
the Value field.
- Save your changes.
- Synchronize your changes across the topology.
- Restart all of the bridges in the topology.
All of the core groups within this topology are using
the 6.0.2.31 high availability manager protocol.
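The per-core-group loop in the optional step above can be scripted with wsadmin instead of the administrative console. The following is an added example, not code from IBM or from this page: set_ham_protocol_version is written against the wsadmin AdminConfig calls list, showAttribute, create, modify and save, and FakeAdminConfig is a constructed in-memory stand-in (an assumption, not an IBM object) so the create-or-update logic can be exercised offline; under wsadmin you would call set_ham_protocol_version(AdminConfig) from a Jython script after shutting the bridges down.

```python
PROP_NAME = "IBM_CS_HAM_PROTOCOL_VERSION"
TARGET_VERSION = "6.0.2.31"

def _ids(listing):
    # AdminConfig.list returns config IDs one per line ("" when nothing matches)
    return [i for i in listing.splitlines() if i.strip()]

def _id_list(value):
    # showAttribute on a list-valued attribute returns "[id1 id2 ...]"
    return value.strip("[]").split()

def set_ham_protocol_version(admin_config, version=TARGET_VERSION):
    """Create or update the custom property on every core group; returns {core_group_id: action}."""
    actions = {}
    for cg in _ids(admin_config.list("CoreGroup")):
        existing = None
        for prop in _id_list(admin_config.showAttribute(cg, "customProperties")):
            if admin_config.showAttribute(prop, "name") == PROP_NAME:
                existing = prop
        if existing is None:
            admin_config.create("Property", cg, [["name", PROP_NAME], ["value", version]])
            actions[cg] = "created"
        elif admin_config.showAttribute(existing, "value") != version:
            admin_config.modify(existing, [["value", version]])
            actions[cg] = "updated"
        else:
            actions[cg] = "unchanged"
    admin_config.save()  # nodes must still be synchronized and all bridges restarted afterwards
    return actions

class FakeAdminConfig:
    """Constructed stand-in for wsadmin's AdminConfig (assumption, for running offline only)."""
    def __init__(self, groups):
        self.objs, self.saved = {}, False
        for cg, props in groups.items():
            self.objs[cg] = {"customProperties": []}
            for name, value in props.items():
                self.create("Property", cg, [["name", name], ["value", value]])
    def list(self, type_name):
        return "\n".join(i for i, a in self.objs.items() if "customProperties" in a) if type_name == "CoreGroup" else ""
    def showAttribute(self, obj, attr):
        v = self.objs[obj][attr]
        return "[" + " ".join(v) + "]" if isinstance(v, list) else v
    def create(self, type_name, parent, attrs):
        pid = "%s/%s(Property)" % (parent, len(self.objs))
        self.objs[pid] = dict(attrs)
        self.objs[parent]["customProperties"].append(pid)
    def modify(self, obj, attrs):
        self.objs[obj].update(dict(attrs))
    def save(self):
        self.saved = True
```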
Results
A tunnel access point group is created that contains the core
group access point for the
DMZ Secure Proxy Server for IBM WebSphere Application Server, and
a tunnel peer access point that represents the cell that is located
inside the firewall.