Copyright 2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. UNIX is a registered trademark of The Open Group. Java is a US trademark of Sun Microsystems, Inc. This product includes software developed by the Apache Software Foundation. This documentation is based on information from the Apache Software Foundation (http://www.apache.org). This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).
Table of Contents

About This Document ..... 11
1 Overview ..... 15
    Benefits ..... 15
    Architecture ..... 15
    Components ..... 16
        HP-UX 11i Web Server Suite ..... 16
        Secure Web Server Platform ..... 17
        Java and Scripting Languages ..... 17
        JBoss Enterprise Middleware ..... 17
        Database Server ..... 18
        Directory Server ..... 18
        Security ..... 18
    Domain Name System (DNS) Round-Robin Load Balancing ..... 53
    Load Balancing With Apache mod_jk ..... 55
    DNS Load Balancing Configuration Example ..... 55
        Configure named With the Virtual Server Hostname ..... 56
        Configure the DNS Cache TTL Value ..... 58
        Disable the Java DNS Cache ..... 59
        Using DNS Round Robin With JBoss AS ..... 59
    Apache mod_jk Configuration Example ..... 59
        Configuring the Web Server and mod_jk ..... 59
        Configuring JBoss AS and mod_jk ..... 60

List of Figures

1-1 HP-UX OSRA for Web Services: Architectural Overview ..... 15
2-1 Welcome Screen ..... 30
2-2 License Screen ..... 31
2-3 Installation Type ..... 31
2-4 Domain Name ..... 32
2-5 User and Group ..... 32
2-6 Standalone Server ..... 33
2-7 Directory Server Data Store ..... 33
2-8 Network Port Number ..... 34
2-9 Unique Identifier ..... 34
2-10 Administrator Name and Password ..... 34
2-11 Directory Suffix ..... 35
2-12 Directory Manager ..... 35
2-13 Administration Domain ..... 35
2-14 Administration Server Network Port ..... 36
2-15 Administration Server User ..... 36
2-16 Red Hat Directory Server Startup ..... 37
3-1 Content Directed Integration ..... 51
3-2 Apache Directed Integration ..... 52
3-3 Hardware Load Balancing ..... 53
3-4 DNS Load Balancing ..... 54
3-5 Load Balancing With mod_jk ..... 55

List of Tables

1-1 HP-UX OSRA 2.1 Component Information ..... 16
2-1 Install Path and Disk Space Used by HP-UX OSRA 2.1 Components ..... 19

List of Examples

2-1 /etc/rc.config.d/jboss File ..... 26
Intended Audience
This document is intended for system administrators responsible for installing, configuring, and managing the HP-UX OSRA for Web Services component products. Administrators are expected to have knowledge of operating system concepts, commands, and configuration. It is helpful to have knowledge of the Open Source products defined by HP-UX OSRA. This document is not a tutorial, but it is intended to provide the reader with a better understanding of how the HP-UX OSRA components integrate with each other and with the HP-UX operating system.
Document Organization

This document is organized in the following chapters:

Chapter 1 (page 15): This chapter provides summary information about the features and components of HP-UX OSRA 2.1.
Chapter 2 (page 19): This chapter explains how to plan for and execute the integration and basic configuration of the HP-UX OSRA 2.1 components.
Chapter 3 (page 49): This chapter provides information on load balancing and cluster configuration of the HP-UX OSRA 2.1 components.
Typographic Conventions

This document uses the following typographical conventions:

%, $, or #: A percent sign represents the C shell system prompt. A dollar sign represents the system prompt for the Bourne, Korn, and POSIX shells. A number sign represents the superuser prompt.
audit(5): A manpage. The manpage name is audit, and it is located in Section 5.
A command name or qualified command phrase.
Text displayed by the computer.
Ctrl+x: A key sequence. A sequence such as Ctrl+x indicates that you must hold down the key labeled Ctrl while you press another key or mouse button.
ENVIRONMENT VARIABLE: The name of an environment variable, for example, PATH.
[ERROR NAME]: The name of an error, usually returned in the errno variable.
Key: The name of a keyboard key. Return and Enter both refer to the same key.
Term: The defined use of an important word or phrase.
User input: Commands and other text that you type.
Variable: The name of a placeholder in a command, function, or other syntax display that you replace with an actual value.
[]: The contents are optional in syntax. If the contents are a list separated by |, you must choose one of the items.
{}: The contents are required in syntax. If the contents are a list separated by |, you must choose one of the items.
...: The preceding element can be repeated an arbitrary number of times.
Indicates the continuation of a code example.
|: Separates items in a list of choices.
WARNING: A warning calls attention to important information that if not understood or followed will result in personal injury or nonrecoverable system problems.
CAUTION: A caution calls attention to important information that if not understood or followed will result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: This alert provides essential information to explain a concept or to complete a task.
NOTE: A note contains additional information to emphasize or supplement important points of the main text.
Related Information
Documentation for HP-UX OSRA bundled components is available, by component, from http://www.docs.hp.com. For HP-UX OSRA subscription components, work with your HP Support representative or refer to the respective Open Source vendors' documentation web sites.
Publishing History

The following table lists the publication history of this document. You can find the latest version of this document on line at: http://docs.hp.com/en/internet.html#OSRA/Web%20Services.

Manufacturing Part Number | Title | Supported Operating Systems | Publication Date
59917640 | HP-UX Open Source Reference Architecture (OSRA) 2.1 for Web Services Configuration Guide | HP-UX 11i v1, HP-UX 11i v2 | March 2007
59915939 | HP-UX Open Source Reference Architecture (OSRA) 2.0 for Web Services Configuration Guide | HP-UX 11i v1, HP-UX 11i v2 | August 2006
59912681 | HP-UX Open Source Reference Architecture for Web Services Configuration Guide | HP-UX 11i v1, HP-UX 11i v2 | April 2006
1 Overview
HP-UX OSRA defines the set of open source middleware, networking, and management software for HP-UX that enables a successful web services solution deployment. All HP-UX OSRA software is delivered and fully supported by HP. HP-UX OSRA is part of the HP Open Source Integrated Portfolio, which includes consulting, integration, and support services. This chapter provides an overview of HP-UX OSRA and describes the Open Source components that make up the architecture. This chapter addresses the following topics:
    Benefits
    Architecture
    Components
Benefits
HP-UX OSRA helps you lower costs and reduce the risks associated with using open source software by providing:
    Support: HP offers a single source for support. All HP-UX OSRA software is fully supported.
    Flexibility: Use the complete set of OSRA components, or individual components. Integrate with commercial or other open source software.
    Proven Reliability: HP-UX is a proven, highly available base for deploying your solutions.
    Value-added Features: HP-UX offers many additional products in the areas of virtualization, manageability, and security, which can help lower your overall costs.
    Selection: HP-UX OSRA components have been pre-selected to provide an integrated set of complementary open source software needed to deploy web services on HP-UX.
Architecture
The following figure provides an architectural overview of HP-UX OSRA.

Figure 1-1 HP-UX OSRA for Web Services: Architectural Overview
[Figure: Application 1 through Application 4 run on top of the OSRA stack, which is made up of the following layers:
    Secure Web Services Platform: HP-UX 11i Protected Systems Web Server
    Application Server: JBoss Application Server, JBoss Cluster, Hibernate
    Availability: HP Serviceguard
    Database: MySQL
    System & Network Security: HP-UX Bastille, HP-UX IPFilter, HP-UX Secure Shell, OpenSSL, HP-UX 11i Security]
The foundation for the HP-UX OSRA components is the HP-UX 11i Operating System on HP Integrity and PA-RISC servers. As shown in Figure 1-1, HP also offers complementary security products, management products, and high availability products that add value to the HP-UX OSRA architecture.
Components
HP-UX OSRA products enable you to build and deploy open source based web services solutions. This guide describes how to integrate combinations of these open source products, which have been selected and tested for interoperability. The following table lists the components defined by HP-UX OSRA 2.1. For the most current versions of the components, refer to HP-UX OSRA for Web Services on HP's Software Depot.

Table 1-1 HP-UX OSRA 2.1 Component Information

HP-UX OSRA 2.1 Component | Delivery/Support *
HP-UX 11i Web Server Suite: Tomcat Web Servlet Engine | Bundled
HP-UX 11i Web Server Suite: Apache Web Server with popular modules and PHP 5 | Bundled
HP-UX 11i Protected Systems Web Server: Secure system built around the HP-UX 11i Web Server Suite | Bundled
Java | Bundled
Perl | Bundled
JBoss Application Server (JBoss AS) | Subscription
JBoss Cluster: High Availability for JBoss AS | Subscription
MySQL Enterprise Database Server | Subscription
Hibernate Persistence Service | Subscription
Red Hat LDAP Directory Server | Bundled**
Symas CDS OpenLDAP Server | Subscription
HP-UX Bastille | Bundled
HP-UX IPFilter | Bundled
OpenSSL | Bundled
HP-UX Secure Shell: ssh client and server | Bundled

* Delivery/Support. Bundled: Bundled components are delivered free of charge on HP-UX and support is included with your HP-UX software support contract. Subscription: To obtain a subscription, contact HP.
** See Red Hat LDAP Directory Server for product license requirements.
JEE Servlet Engine - HP-UX Tomcat-based Servlet Engine - Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages (JSP) technologies. It seamlessly integrates into HP-UX Apache-based Web Server. PHP - A widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
efficient use of the database server. Clustering is traditionally important for high-traffic web applications. But today, as AJAX and SOA applications become more and more popular, smaller web applications also need to handle large amounts of incremental page updates and machine-to-machine traffic. Therefore, clustering is becoming more and more important. In JBoss AS, clustering is mostly transparent to applications. JBoss AS supports transparent clustering of EJB 3.0 POJOs. It also supports EJB 3.0 entity bean cache clustering, EJB 3.0 stateful session bean clustering, and HTTP clustering out of the box.
Database Server
The MySQL Database product includes the MySQL Enterprise Database Server and the MySQL Connector/J. The MySQL Enterprise Database Server is the most secure and reliable version of the MySQL Database Server. The MySQL Connector/J is a native Java driver that converts JDBC (Java Database Connectivity) calls from JBoss AS (or other application servers) into the network protocol used by the MySQL database.
Directory Server
Red Hat Directory Server for HP-UX - Red Hat Directory Server is an Open Source LDAP-based server that centralizes application settings, user profiles, group data, policies, and access control information into an operating system-independent, network-based registry. Forming the central repository for an Identity Management infrastructure, Red Hat Directory Server simplifies user management, eliminating data redundancy and automating data maintenance. It also improves security: by storing policies and access control information, Red Hat Directory Server creates a single authentication source across the entire enterprise for both intranet and extranet applications.

Symas CDS OpenLDAP - Symas CDS OpenLDAP is an Open Source implementation of LDAP.
Security
HP-UX Bastille - HP-UX Bastille can ease an organization's system-hardening and regulatory-compliance activities. It provides a customized lock-down that addresses most of the recommendations from a number of popular security scanning tools and checklists, some of which are used by security auditors.

HP-UX IPFilter - HP-UX IPFilter (B9901AA) is a stateful system firewall that filters IP packets to control packet flow into or out of a machine. It works as a security defense by reducing the number of exposure points on a machine.

HP-UX 11i Secure Shell - HP-UX Secure Shell is a client/server architecture that supports the SSH-1 and SSH-2 protocols and provides secure remote login, file transfer, and remote command execution. The SSH-1 protocol has known weaknesses; set Protocol 2 in /etc/opt/ssh/sshd_config so that only SSH-2 connections are accepted.

HP-UX OpenSSL - HP-UX OpenSSL is based on the open source product OpenSSL and offers cryptography for applications by providing a general-purpose cryptography library and an implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
Table 2-1 Install Path and Disk Space Used by HP-UX OSRA 2.1 Components

Component | Install Path | Disk Space Used
MySQL Enterprise Database Server | /usr/local/mysql-enterprise-<version> | ~96 MB plus database table space
Hibernate | /opt/hibernate-3.1 | ~98 MB if installed separately (is part of JBoss AS if that is installed)
Red Hat LDAP Directory Server | | ~300 MB
Symas CDS OpenLDAP Server | | ~31 MB plus space for directories
HP-UX Bastille | | ~1.1 MB
HP-UX IPFilter | | ~7 MB
OpenSSL | | ~40 MB
HP-UX Secure Shell: ssh client and server | | ~45 MB
Installing JBoss AS
NOTE: JBoss AS provides a number of file formats, including zip format, and a GUI installer to install software. HP only supports installing the software from the zip file or using the GUI installer.

When installing from the zip file, the installation includes all of the JBoss AS related services, distributed as three instances of the JBoss AS:
    all - this instance contains all of the JBoss AS services
    default - this instance contains a default set of services
    minimal - this instance contains the minimum set of services

To determine which services are started in each instance, examine the <instance-name>/conf/jboss-service.xml file and the configuration files in the <instance-name>/deploy directories. Services such as clustering and caching are enabled in the all instance, but may only be selectively enabled in the other instances.

The GUI installer allows you to perform a basic installation or to select individual services to be installed. Using a custom JBoss AS installation created by the GUI installer simplifies the installation and configuration of JBoss AS.

Download JBoss AS files to the /tmp or /var/tmp directory.

NOTE: Obtaining JBoss AS components is part of your HP Support Subscription service.
During the installation, the system displays the directories that are created and the files installed on the system:
created: jboss-4.0.3SP1/
created: jboss-4.0.3SP1/bin/
created: jboss-4.0.3SP1/client/
created: jboss-4.0.3SP1/docs/
created: jboss-4.0.3SP1/docs/dtd/
created: jboss-4.0.3SP1/docs/examples/
created: jboss-4.0.3SP1/docs/examples/binding-manager/
created: jboss-4.0.3SP1/docs/examples/jboss.net/
. . .
extracted: jboss-4.0.3SP1/client/concurrent.jar
extracted: jboss-4.0.3SP1/client/getopt.jar
extracted: jboss-4.0.3SP1/client/jacorb.jar
extracted: jboss-4.0.3SP1/client/javax.servlet.jar
extracted: jboss-4.0.3SP1/client/jboss-aop-jdk50-client.jar
. . .
Note that if you specified a configuration name in the installation process, you will need to use that name on the command line:
A properly installed system will return information similar to the following, and continue to run without producing errors.
=========================================================================
  JBoss Bootstrap Environment
  JBOSS_HOME: /opt/jboss
  JAVA: java
  JAVA_OPTS: -server -Xms128m -Xmx128m -Dprogram.name=run.sh
  CLASSPATH: /opt/jboss/bin/run.jar:/lib/tools.jar
=========================================================================
09:39:57,845 INFO  [Server] Starting JBoss (MX MicroKernel)...
09:39:57,847 INFO  [Server] Release ID: JBoss [Zion] 4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231751)
09:39:57,850 INFO  [Server] Home Dir: /opt/jboss
09:39:57,851 INFO  [Server] Home URL: file:/opt/jboss/
09:39:57,853 INFO  [Server] Patch URL: null
09:39:57,853 INFO  [Server] Server Name: default
09:39:57,853 INFO  [Server] Server Home Dir: /opt/jboss/server/default
09:39:57,854 INFO  [Server] Server Home URL: file:/opt/jboss/server/default/
09:39:57,854 INFO  [Server] Server Temp Dir: /opt/jboss/server/default/tmp
09:39:57,857 INFO  [Server] Root Deployment Filename: jboss-service.xml
09:39:59,056 INFO  [ServerInfo] Java version: 1.4.2.09,Hewlett-Packard Co.
09:39:59,056 INFO  [ServerInfo] Java VM: Java HotSpot(TM) Server VM 1.4.2 1.4.2.09-050713-09:59-IA64N IA64,Hewlett-Packard Company
09:39:59,056 INFO  [ServerInfo] OS-System: HP-UX B.11.23,IA64N
09:40:00,197 INFO  [Server] Core system initialized
09:40:03,591 INFO  [Log4jService$URLWatchTimerTask] Configuring from URL: resource:log4j.xml
To remove the files installed from the JBoss AS zip file installation:
1. Log in as root.
2. Shut down JBoss AS as described in the Basic Configuration Information section of this chapter.
3. Use the following command to remove the files installed on your system. This also removes any applications deployed under server/<instance>/deploy and any data under server/<instance>/data, so back those up first if you need them:

rm -rf /opt/jboss<version>
Refer to the mysql.server(1) man page or MySQL documentation for instructions on how to set up system startup and shutdown.

Java
    Startup: /opt/java<version>/jre/bin/java

JBoss AS
    Startup: /opt/jboss-<version>/bin/run.sh <options>
    System Startup and Shutdown: /sbin/init.d/jboss start|stop (see the JBoss AS Basic Configuration section of this chapter for an example of configuring this file)
    /etc/rc.config.d/jboss - startup configuration file
    JVM configuration file: /opt/jboss-<version>/bin/run.conf
    Initial Application Server Configuration: /opt/jboss-<version>/server/<instance>/conf/jboss-service.xml

Red Hat Directory Server
    Startup: /var/opt/netscape/server7/slapd-<servername>/start-slapd <options>
    Shutdown: /var/opt/netscape/server7/slapd-<servername>/stop-slapd <options>
    Configuration files: /var/opt/netscape/server7/slapd-<servername>/config
    No system startup script is provided with Red Hat Directory Server.

Symas CDS OpenLDAP
    Refer to the Symas CDS Installation Guide.
    Configuration files: /opt/symas/etc/openldap/slapd.conf, /opt/symas/etc/openldap/cds.conf
    Start and Stop: /sbin/init.d/cdsserver start|stop

HP-UX Secure Shell
    Start and Stop: /usr/sbin/sshd <options>, /sbin/init.d/secsh start|stop
    Configuration files: /etc/opt/ssh/sshd_config - main configuration file; /etc/opt/ssh - other configuration files and key files directory
    System Startup and Shutdown: /sbin/init.d/secsh start|stop
    /etc/rc.config.d/sshd - system startup configuration file
NOTE: The following products do not run as services and thus do not have startup or shutdown commands: OpenSSL, Perl, PHP, Hibernate, JBoss Cluster and JBoss Cache. OpenSSL is a library that can be added to a custom-built service. Perl is a scripting language that can be used to run services. PHP is integrated with the HP Apache Web Server. Hibernate, JBoss Cluster and JBoss Cache are libraries that can be added to a Java Web Server, such as Tomcat.
The following example contains a sample /etc/rc.config.d/jboss file. Specify the appropriate values for your configuration and install the file in the /etc/rc.config.d directory.

Example 2-1 /etc/rc.config.d/jboss File

# Home directory of JBoss Installation on this system
JBOSS_HOME=/opt/jboss-4.0.3.SP1
# INSTANCE is the name of the server under $JBOSS_HOME/server which should
# be started at system startup time
INSTANCE="default"
# set JBOSS_START to 1 to start jboss at system start time, 0 otherwise.
JBOSS_START=1
# User name the JBoss should be run as. If you select a non-root user then JBoss needs
# additional configuration so it won't open any TCP port numbers less than 1024
# (the reserved port range that only root may bind).
JBOSS_USER=jboss
4. Set the file protection for the data, data/hypersonic, deploy, and farm directories so that they are writable by the JBoss user. Mode 0755 grants write access to the owning user only, so these directories must be owned by the account named in JBOSS_USER. (Note: INSTANCE is all, default, or minimal.)

chmod 0755 <JBOSS_HOME>/server/<INSTANCE>/data \
    <JBOSS_HOME>/server/<INSTANCE>/data/hypersonic \
    <JBOSS_HOME>/server/<INSTANCE>/deploy \
    <JBOSS_HOME>/server/<INSTANCE>/farm
6. Edit the /etc/rc.config.d/jboss file. Set the value of the variable JBOSS_USER to <username> (JBOSS_USER=<username>).

NOTE: HP-UX, like other Unix systems, does not permit non-root users to open ports numbered lower than 1024. By default, JBoss AS ports are assigned numbers higher than 1024. If you have changed port assignments to lower-numbered ports, you cannot run JBoss AS as a non-root user until you restore the port assignments to numbers higher than 1024.
2. Modify the conf/standardjbosscmp-jdbc.xml file, specifying the use of the Oracle data source. Only the <defaults> section changes; the remainder of the file is left as shipped.

<jbosscmp-jdbc>
  <defaults>
    <datasource>java:/OracleDS</datasource>
    <datasource-mapping>Oracle9i</datasource-mapping>
    <create-table>true</create-table>
    <remove-table>false</remove-table>
    <read-only>false</read-only>
    <read-time-out>300000</read-time-out>
    <row-locking>false</row-locking>
    <pk-constraint>true</pk-constraint>
    <fk-constraint>false</fk-constraint>
    <preferred-relation-mapping>foreign-key</preferred-relation-mapping>
    <read-ahead>
      <strategy>on-load</strategy>
      <page-size>1000</page-size>
      <eager-load-group>*</eager-load-group>
    </read-ahead>
    <list-cache-max>1000</list-cache-max>
    <clean-read-ahead-on-load>false</clean-read-ahead-on-load>
    <unknown-pk>
      <key-generator-factory>UUIDKeyGeneratorFactory</key-generator-factory>
      <unknown-pk-class>java.lang.String</unknown-pk-class>
      <jdbc-type>VARCHAR</jdbc-type>
      <sql-type>VARCHAR(32)</sql-type>
    </unknown-pk>
    <entity-command name="default"/>
    <ql-compiler>org.jboss.ejb.plugins.cmp.jdbc.JDBCEJBQLCompiler</ql-compiler>
  </defaults>
</jbosscmp-jdbc>
4. Copy the sample MySQL data source configuration file from the JBoss AS docs directory to the JBoss server deploy directory:

# cp /opt/jboss-<version>/docs/examples/jca/mysql-ds.xml \
    /opt/jboss-<version>/server/<instance>/deploy/mysql-ds.xml
5. Edit the MySQL data source configuration file and specify:
    - the system where the MySQL Database Server is located
    - the database name
    - the database user name and password

The file holds the database password in clear text. Make it readable only by the user JBoss AS runs as (JBOSS_USER), and do not reuse the root or Directory Manager password for the database account. Here is a sample mysql-ds.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: mysql-ds.xml,v 1.3.2.1 2004/12/01 11:46:00 schrouf Exp $ -->
<!-- Datasource config for MySQL using 3.0.9 available from:
     http://www.mysql.com/downloads/api-jdbc-stable.html -->
<datasources>
  <local-tx-datasource>
    <jndi-name>MySqlDS</jndi-name>
    <connection-url>jdbc:mysql://mysql-hostname:3306/jbossdb</connection-url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <user-name>x</user-name>
    <password>y</password>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.MySQLExceptionSorter</exception-sorter-class-name>
    <!-- sql to call when connection is created
    <new-connection-sql>some arbitrary sql</new-connection-sql>
    -->
    <!-- sql to call on an existing pooled connection when it is obtained from pool
    <check-valid-connection-sql>some arbitrary sql</check-valid-connection-sql>
    -->
    <!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->
    <metadata>
      <type-mapping>mySQL</type-mapping>
    </metadata>
  </local-tx-datasource>
</datasources>
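Two checks worth running on a JBoss AS instance before starting it under a non-root JBOSS_USER follow: one for the reserved-port rule discussed in the NOTE above (ports below 1024 can only be bound by root), and one for the clear-text credentials in a *-ds.xml deploy descriptor such as the mysql-ds.xml just shown. This is an added example, not code from the HP-UX OSRA guide or from JBoss. It assumes only the layout of jboss-service.xml, the Tomcat server.xml, and mysql-ds.xml; every XML document in it is constructed for the example and is not copied from an installation.

```python
"""Added example, not from the HP-UX OSRA guide or from JBoss: two checks to
run on a JBoss AS 4.x instance before switching JBOSS_USER away from root.

1. find_privileged_ports(): lists every configured listening port below the
   reserved-port boundary. HP-UX, like other Unix systems, lets only root
   bind ports 1 through 1023, so any such port stops a non-root start.
2. check_datasource(): a *-ds.xml descriptor carries the database user name
   and password in clear text. Flags placeholder values left over from the
   sample file and a file mode that lets group or other read the secret.

All XML below is constructed for this example; it follows the layout of
jboss-service.xml, the Tomcat server.xml and mysql-ds.xml but is not copied
from an installation.
"""
import os
import stat
import xml.etree.ElementTree as ET

RESERVED_PORT_LIMIT = 1024          # ports below this need root to bind
PLACEHOLDERS = {"", "x", "y", "password", "changeme", "secret"}


def find_privileged_ports(xml_text, limit=RESERVED_PORT_LIMIT):
    """Return (where, port) for every configured port below `limit`.

    Handles the two forms JBoss AS 4.x uses:
      <mbean name="..."><attribute name="Port">1099</attribute></mbean>
      <Connector port="8080" .../>            (Tomcat server.xml)
    """
    root = ET.fromstring(xml_text)
    hits = []
    for mbean in root.iter("mbean"):
        for attr in mbean.findall("attribute"):
            name = attr.get("name", "")
            value = (attr.text or "").strip()
            if name.lower().endswith("port") and value.isdigit() and int(value) < limit:
                hits.append((f"{mbean.get('name')}/{name}", int(value)))
    for conn in root.iter("Connector"):
        value = conn.get("port", "")
        if value.isdigit() and int(value) < limit:
            hits.append(("Connector", int(value)))
    return hits


def mode_allows_other_read(mode):
    """True if the permission bits let group or other read the file."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def check_datasource(xml_text, path=None):
    """Return a list of findings for a JBoss *-ds.xml descriptor.

    `path`, when given, is the deployed file; its mode is checked because the
    password inside it is readable by anyone who can read the file.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for ds in root:                              # <local-tx-datasource>, ...
        jndi = (ds.findtext("jndi-name") or "?").strip()
        user = (ds.findtext("user-name") or "").strip()
        password = (ds.findtext("password") or "").strip()
        url = (ds.findtext("connection-url") or "").strip()
        if user.lower() in PLACEHOLDERS:
            findings.append(f"{jndi}: user-name {user!r} is a placeholder")
        if password.lower() in PLACEHOLDERS or len(password) < 8:
            findings.append(f"{jndi}: password is a placeholder or shorter than 8 characters")
        if "mysql-hostname" in url:
            findings.append(f"{jndi}: connection-url still points at the sample host")
    if path is not None:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode_allows_other_read(mode):
            findings.append(f"{path}: mode {mode:04o} exposes the password; use 0600 owned by JBOSS_USER")
    return findings


# Constructed samples (not real configuration files).
SAMPLE_JBOSS_SERVICE_XML = """<server>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="RmiPort">1098</attribute>
  </mbean>
</server>"""

SAMPLE_TOMCAT_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="80" maxThreads="250"/>
    <Connector port="443" scheme="https" secure="true"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>"""

SAMPLE_MYSQL_DS_XML = """<datasources>
  <local-tx-datasource>
    <jndi-name>MySqlDS</jndi-name>
    <connection-url>jdbc:mysql://mysql-hostname:3306/jbossdb</connection-url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <user-name>x</user-name>
    <password>y</password>
  </local-tx-datasource>
</datasources>"""

if __name__ == "__main__":
    print("privileged ports:", find_privileged_ports(SAMPLE_JBOSS_SERVICE_XML)
          + find_privileged_ports(SAMPLE_TOMCAT_SERVER_XML))
    for finding in check_datasource(SAMPLE_MYSQL_DS_XML):
        print("datasource:", finding)
```

On a real instance, read server/<instance>/conf/jboss-service.xml, the Tomcat server.xml under deploy, and each *-ds.xml under deploy, and pass the file path to check_datasource() so the mode check runs; an empty result from both functions means the instance can start as the JBOSS_USER account and the database secret is not exposed to other local users.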
The first step to the installation requires you to accept the license terms of use for the product. Select Yes to continue.
Three types of installation are offered in the Installation Type screen. To perform a Typical installation, select 2 in this screen. Figure 2-3 Installation Type
The system displays the Domain Name screen. The domain name of your system should be displayed in this screen. Press Enter to accept the default or enter the correct domain name.
The User and Group screen identifies the user ID and group ID that the Red Hat Directory Server runs as. The user and group must exist on your system in order for the directory server to operate; use a dedicated unprivileged account rather than root. Figure 2-5 User and Group
The next configuration step requires you to select a configuration server if you are adding this server to an existing configuration server, or to specify that the server is configured as a standalone server. Enter No to configure a standalone server.
The next step determines if you will use another directory server to store information. The default configuration does not use an additional directory server to store data. Enter No for the default. Figure 2-7 Directory Server Data Store
In the Network Port Number screen, you specify the network port used by the directory server. The default port number is 389 if that port is not already in use and you are logged in as the root user (ports below 1024 can be opened only by root). The screen provides information about port selection if the default port cannot be selected. Simple binds over this port carry the bind password in clear text, so enable TLS (LDAPS, port 636 by default) before clients authenticate to the server across the network.
A unique name is required for a directory server. The default name is the system name, taken from the DNS host name. Figure 2-9 Unique Identifier
An administrator name and password are required for the directory server. This step provides a default administrator name, but requires you to enter and verify a unique password. Figure 2-10 Administrator Name and Password
A directory suffix is the directory entry that represents the first entry in a directory tree. You will need at least one directory suffix for the tree that will contain your enterprise's data. It is common practice to select a directory suffix that corresponds to the DNS host name used by your enterprise. For example, if your organization uses the DNS name example.com, then select a suffix of dc=example,dc=com. The defaults provided in this screen are taken from the DNS host name.
In this screen you are asked to identify a Directory Manager. The Directory Manager is the administrative user that performs directory administrative tasks. You can use the defaults provided in this screen. The Directory Manager account is not subject to the directory's access control, so give it a strong password and use it only for administration. Figure 2-12 Directory Manager
The administration domain allows you to group multiple servers together logically so that you can more easily distribute server administrative tasks. The default configuration does not use administration domains. Select the default administration domain in this step. Figure 2-13 Administration Domain
The administration domain uses a dedicated, restricted network port, one that is different from the directory server port defined earlier in the setup procedure. Figure 2-14 Administration Server Network Port
The final configuration step is to define which user the Administration Server runs as. The default user is root. The root user has the privileges required to use the server administration screen to start and stop the server. Figure 2-15 Administration Server User
After selecting the administration server user, the system automatically starts the Red Hat Directory Server and displays information similar to that shown in the following screen. After the server starts, you can add entries to the server and perform other administrative tasks.
If the system does not appear to be working correctly, consult the Administrator's Guide for corrective action (http://www.docs.hp.com/en/internet.html#Netscape%20Directory%20Server/Red%20Hat%20Directory%20Server).
Use an editor to create the file /tmp/example.ldif containing the content listed below.
dn: ou=myexample,dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: myexample
description: Example organizational unit
Use the ldapmodify command to insert the entries into the directory:
# cd /var/opt/netscape/server7/shared/bin
# ./ldapmodify -a -D "cn=Directory Manager" -w password -f /tmp/example.ldif
Replace password with the Directory Manager password you set during configuration. A password passed with -w is visible to other users in the process list while the command runs; on a shared system, use the command's option to read the password from a file or a prompt instead.
Use the ldapsearch command to verify that the entry was added correctly:
# ./ldapsearch -x -b 'dc=example, dc=com' '(objectclass=*)'
If your entry was added correctly, the system returns information similar to the following:
version: 1
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: cn=Directory Administrators,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators

dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries

dn: cn=HR Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries

dn: cn=QA Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries

dn: cn=PD Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries

dn: ou=myexample,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: myexample
description: Example organizational unit
is set to "member". Because "matchOnUserDN" is also set to "true" in the login-config.xml file, the member value must match the user's full distinguished name (DN), not just the user ID. In this example, if the user ID is "200", a role entry under the "rolesCtxDN" context "ou=Roles,dc=example,dc=com" must carry the attribute named by "uidAttributeID" with the value "member: uid=200,ou=People,dc=example,dc=com". When a matching role entry is found, the value of its "roleAttributeID" attribute is returned as the role; in the login-config.xml file, "roleAttributeID" is "cn". In the LDIF file, the users with uid "200" and "201" are assigned the role "bankCustomer": the entry "cn=bankCustomer,ou=Roles,dc=example,dc=com" has "cn: bankCustomer" and one "member" attribute for each user DN. Therefore, in this example, uid "200" returns the role "bankCustomer" for the JBoss AS "testLDAP" application policy in login-config.xml.
Use the following command to update the directory server with the information in the LDIF file (use an editor to create this file, naming it /tmp/example2.ldif):
# cd /var/opt/netscape/server7/shared/bin
# ./ldapmodify -p 1389 -ac -D "cn=Directory Manager" -w passwd -f /tmp/example2.ldif
adding new entry dc=example,dc=com
ldap_add: Already exists
adding new entry ou=People, dc=example,dc=com
ldap_add: Already exists
adding new entry uid=200,ou=People,dc=example,dc=com
adding new entry uid=201,ou=People,dc=example,dc=com
adding new entry ou=Roles,dc=example,dc=com
adding new entry cn=bankCustomer,ou=Roles,dc=example,dc=com
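The role lookup described above, worked through as an added example that is not part of the HP document or of JBoss: a small Python script loads a constructed LDIF snapshot of the directory (users 200 and 201 under ou=People, the bankCustomer role under ou=Roles) and applies the LdapLoginModule options (principalDNPrefix, principalDNSuffix, rolesCtxDN, uidAttributeID, roleAttributeID, matchOnUserDN) the way the module's role search does. The option values are assumed, since the page's login-config.xml is not reproduced here. It shows that with matchOnUserDN=true the member value has to be the user's full DN, and that DN spacing differences are irrelevant because DN matching normalizes them, as the directory server's own DN matching rule would.

```python
# Added example (not from the HP document): reproduces the LdapLoginModule
# role search over a constructed LDIF snapshot instead of a live directory.

# Constructed sample data: the directory after loading /tmp/example2.ldif.
SAMPLE_LDIF = """\
dn: ou=People, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: uid=200,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: 200
sn: Customer
userPassword: secret200

dn: uid=201,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: 201
sn: Customer
userPassword: secret201

dn: ou=Roles,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Roles

dn: cn=bankCustomer,ou=Roles,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: bankCustomer
member: uid=200,ou=People,dc=example,dc=com
member: uid=201, ou=People, dc=example, dc=com
"""

# Assumed module options of the "testLDAP" application policy (the page's
# login-config.xml is not reproduced here).
TESTLDAP_OPTIONS = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=People,dc=example,dc=com",
    "rolesCtxDN": "ou=Roles,dc=example,dc=com",
    "uidAttributeID": "member",
    "roleAttributeID": "cn",
    "matchOnUserDN": "true",
}


def normalize_dn(dn):
    """Comparison form of a DN: lower-case attribute types, no whitespace
    around the RDN separators (what the server's DN matching rule does)."""
    out = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        out.append(attr.strip().lower() + "=" + value.strip())
    return ",".join(out)


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value'
    lines, attribute names folded to lower case. Returns {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[normalize_dn(attrs.pop("dn")[0])] = attrs
    return entries


def resolve_roles(ldif_text, user_id, options):
    """Build the user DN from principalDNPrefix + uid + principalDNSuffix,
    then return the roleAttributeID values of every entry below rolesCtxDN
    whose uidAttributeID attribute names the user: by full DN when
    matchOnUserDN is true, by bare user id otherwise."""
    entries = parse_ldif(ldif_text)
    user_dn = normalize_dn(options["principalDNPrefix"] + user_id
                           + options["principalDNSuffix"])
    if user_dn not in entries:
        return set()  # the bind would already have failed; no role search
    match_on_dn = options.get("matchOnUserDN", "false").lower() == "true"
    wanted = user_dn if match_on_dn else user_id
    roles_base = normalize_dn(options["rolesCtxDN"])
    uid_attr = options["uidAttributeID"].lower()
    role_attr = options["roleAttributeID"].lower()
    roles = set()
    for dn, attrs in entries.items():
        if not dn.endswith("," + roles_base):
            continue
        members = attrs.get(uid_attr, [])
        if match_on_dn:
            members = [normalize_dn(m) for m in members]
        if wanted in members:
            roles.update(attrs.get(role_attr, []))
    return roles
```

Running resolve_roles(SAMPLE_LDIF, "200", TESTLDAP_OPTIONS) yields {"bankCustomer"}; with matchOnUserDN set to "false" the same call yields no roles, because the member values are DNs and no longer match the bare user ID. That is the mismatch to look for when a user authenticates but arrives at the application with no roles.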
Configure the security constraints, roles, and Web authentication in the application's web.xml file as required. The web.xml security configuration follows the JEE security model and works together with the JBoss AS LDAP login module configuration: every role the application declares must exist in the LDAP directory. In the following web.xml segment, a security constraint covers a number of Web pages (URL patterns) so that only users with the role "bankCustomer" can access them. The <security-constraint>.<auth-constraint>.<role-name> entries must match a <security-role>.<role-name> entry. The role is obtained by validating the user name and password entered through the <auth-method> configured in <login-config>. In this example the application developer has specified FORM, meaning that the application supplies its own login form in the browser window. The conventions for FORM-based authentication are: the form action must be "j_security_check", and the user name and password fields must be named "j_username" and "j_password". The application could instead have used BASIC authentication, which uses the browser's built-in login dialog to prompt for a user name and password.

Two points to check in this segment: the resource collection lists only GET and POST, so requests using any other HTTP method to the same URL patterns are not covered by the constraint (omit the <http-method> elements to cover all methods); and <transport-guarantee>NONE</transport-guarantee> does not require HTTPS, so the FORM or BASIC credentials travel in clear text unless the connection is otherwise encrypted (CONFIDENTIAL requires SSL).
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
   http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
   . . .
   <security-constraint>
      <display-name>SecurityConstraint</display-name>
      <web-resource-collection>
         <web-resource-name>WRCollection</web-resource-name>
         <url-pattern>/main</url-pattern>
         <url-pattern>/atm</url-pattern>
         <url-pattern>/atmAck</url-pattern>
         <url-pattern>/accountList</url-pattern>
         <url-pattern>/accountHist</url-pattern>
         <url-pattern>/transferFunds</url-pattern>
         <url-pattern>/transferAck</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>bankCustomer</role-name>
      </auth-constraint>
      <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
   </security-constraint>
   <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Duke's Bank</realm-name>
      <form-login-config>
         <form-login-page>/logon.jsp</form-login-page>
         <form-error-page>/logonError.jsp</form-error-page>
      </form-login-config>
   </login-config>
   <security-role>
      <role-name>bankCustomer</role-name>
   </security-role>
   . . .
</web-app>
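As an added example (not from the HP document or the Duke's Bank application), the following Python evaluates a request against the constraints of the web.xml above using the Servlet 2.4 matching rules, so that the descriptor can be checked offline. WEB_XML is a shortened copy of the segment above, constructed as a complete document; the requests, role sets and the "secure" flag are made-up inputs. Besides the expected allow/deny results it reports the two things to verify in such a descriptor: which HTTP methods reach a protected page uncovered because <http-method> elements are listed, and whether the transport guarantee would force HTTPS.

```python
# Added example (not from the HP document): offline evaluation of the
# <security-constraint> rules of a Servlet 2.4 web.xml.
import xml.etree.ElementTree as ET

NS = "{http://java.sun.com/xml/ns/j2ee}"

# Constructed: shortened copy of the bank application's descriptor above.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/main</url-pattern>
      <url-pattern>/atm</url-pattern>
      <url-pattern>/accountList</url-pattern>
      <url-pattern>/transferFunds</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>bankCustomer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
  </login-config>
  <security-role><role-name>bankCustomer</role-name></security-role>
</web-app>
"""


def pattern_matches(pattern, path):
    """Servlet-spec URL pattern matching: exact, path prefix (/x/*),
    extension (*.jsp) or the default pattern (/)."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def matching_constraints(web_xml, method, path):
    """Every <security-constraint> whose resource collection covers this
    method and path. A collection with no <http-method> covers all methods;
    one that lists methods covers only those."""
    root = ET.fromstring(web_xml)
    hits = []
    for sc in root.findall(NS + "security-constraint"):
        for wrc in sc.findall(NS + "web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall(NS + "http-method")]
            patterns = [p.text.strip() for p in wrc.findall(NS + "url-pattern")]
            if methods and method not in methods:
                continue
            if any(pattern_matches(p, path) for p in patterns):
                hits.append(sc)
                break
    return hits


def decide(web_xml, method, path, user_roles, secure):
    """Return (verdict, reason); verdict is 'allow', 'deny' or
    'redirect-to-https'. user_roles is empty for an unauthenticated request;
    secure says whether the request arrived over HTTPS."""
    hits = matching_constraints(web_xml, method, path)
    if not hits:
        return "allow", "no constraint covers %s %s" % (method, path)
    needed = set()
    for sc in hits:
        guarantee = sc.findtext(NS + "user-data-constraint/" + NS + "transport-guarantee")
        if guarantee and guarantee.strip() != "NONE" and not secure:
            return "redirect-to-https", "transport-guarantee " + guarantee.strip()
        ac = sc.find(NS + "auth-constraint")
        if ac is None:
            return "allow", "constraint without auth-constraint permits everyone"
        roles = [r.text.strip() for r in ac.findall(NS + "role-name")]
        if not roles:
            return "deny", "empty auth-constraint denies all users"
        needed.update(roles)
    if "*" in needed and user_roles:
        return "allow", "any authenticated user"
    if needed & set(user_roles):
        return "allow", "role " + ", ".join(sorted(needed & set(user_roles)))
    return "deny", "requires one of " + ", ".join(sorted(needed))


def uncovered_methods(web_xml, path,
                      methods=("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS")):
    """Methods that reach `path` without passing any security constraint;
    a non-empty list for a protected page means the <http-method> list
    has left a hole."""
    return [m for m in methods if not matching_constraints(web_xml, m, path)]
```

With the descriptor as written, decide() allows GET /atm for a bankCustomer and denies it to an anonymous request, but uncovered_methods(WEB_XML, "/atm") returns HEAD, PUT, DELETE and OPTIONS: a DELETE to /atm is passed to the servlet with no authentication at all. Dropping the <http-method> elements closes that gap; changing NONE to CONFIDENTIAL makes decide() demand HTTPS before the login form is ever shown.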
If the application uses EJBs, you need to configure the EJB deployment descriptors. As with the web.xml configuration, the roles defined in the ejb-jar.xml file must be defined in the LDAP database if access is to be granted. JBoss AS forwards user roles with the EJB request for service:
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
   http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd">
Integrating JBoss AS and LDAP 43
   . . .
   <assembly-descriptor>
      <security-role>
         <role-name>bankCustomer</role-name>
      </security-role>
      <method-permission>
         <role-name>bankCustomer</role-name>
         <method>
            <ejb-name>CustomerBean</ejb-name>
            <method-name>*</method-name>
         </method>
      </method-permission>
      . . .
   </assembly-descriptor>
</ejb-jar>
You must configure the auth_ldap module to define how to search the LDAP directory and how to authenticate and authorize user logins. The following example uses the same directory content as the JBoss AS LDAP configuration (uid 200 and 201 are defined under ou=People,dc=example,dc=com). Sample /opt/hpws/apache/conf/ldap.conf file:
# Use ldap to protect the manual directory
<IfModule !mod_auth_ldap.c>
   LoadModule auth_ldap_module modules/auth_ldap.so
</IfModule>
<IfModule mod_auth_ldap.c>
   LDAPSharedCacheFile logs/ldap_cache
</IfModule>
<Location /manual>
   AuthName "Restricted Area"
   AuthType Basic
   # AuthLDAPURL should point to your ldap server
   AuthLDAPURL ldap://hpdhl217.example.com:1389/ou=People,dc=example,dc=com?uid
   # AuthLDAPStartTLS on
   require valid-user
</Location>
You can check the Web server error log for any errors (/opt/hpws/apache/logs/error_log). Note two properties of this sample before using it outside a test network: with AuthType Basic, an ldap:// URL and the AuthLDAPStartTLS line commented out, the user's password travels in clear text from the browser to the Web server and again from the Web server to the directory server unless HTTPS is enabled on the Web server and TLS on the LDAP connection; and "require valid-user" admits every account that can bind to the directory, so use a group or DN requirement when only some directory users should reach the location.
If these configuration changes are made with the sam utility, they are automatically maintained across system reboots. If you use the ifconfig command to make these changes, you must also update the /etc/rc.config.d/netconf file so that they are maintained across system reboots.

The JBoss Wiki describes how to assign a different set of TCP/UDP ports to different server instances on the same machine. The process is summarized with an example. Make sure that each server instance you wish to configure has its own directory root under $JBOSS_HOME/server. For example, you can create a new instance directory as follows:
# cd $JBOSS_HOME/server
# cp -r all node1
Modify conf/jboss-service.xml (or deploy/binding-service.xml in Version 4.0.3 and later): uncomment the "Service Binding" section and select a "ServerName" value from sample-bindings.xml (for example, ports-01 or ports-02). This ServerName must be configured in the jboss-bindings.xml file and must be unique for each server instance:
<!-- ==================================================================== -->
<!-- Service Binding                                                      -->
<!-- ==================================================================== -->
<!-- Automatically activated when generating the clustering environment -->
<!-- @TESTSUITE_CLUSTER_CONFIG@ -->
<!--
   | Binding service manager for port/host mapping. This is a sample
   | config that demonstrates a JBoss instances with a server name 'ports-01'
   | loading its bindings from an XML file using the ServicesStoreFactory
   | implementation returned by the XMLServicesStoreFactory.
   |
   | ServerName: The unique name assigned to a JBoss server instance for
   | lookup purposes. This allows a single ServicesStore to handle multiple
   | JBoss servers.
   |
   | StoreURL: The URL string passed to org.jboss.services.binding.ServicesStore
   | during initialization that specifies how to connect to the bindings store.
   |
   | StoreFactory: The org.jboss.services.binding.ServicesStoreFactory interface
   | implementation to create to obtain the ServicesStore instance.
-->
<mbean code="org.jboss.services.binding.ServiceBindingManager"
   name="jboss.system:service=ServiceBindingManager">
   <attribute name="ServerName">ports-01</attribute>
   <!--
   <attribute name="StoreURL">${jboss.home.url}/docs/examples/binding-manager/sample-bindings.xml</attribute>
   -->
   <attribute name="StoreURL">/etc/jboss-bindings.xml</attribute>
   <attribute name="StoreFactoryClassName">
      org.jboss.services.binding.XMLServicesStoreFactory
   </attribute>
</mbean>
Copy service bindings in the file $JBOSS_HOME/docs/examples/binding-manager/sample-bindings.xml to /etc/jboss-bindings.xml and modify them as appropriate (in the jboss-bindings.xml file). The following file segment shows the port assignments for server "ports-01":
<!-- ********************************************************** -->
<!-- *                        ports-01                        * -->
<!-- ********************************************************** -->
<server name="ports-01">
   <!-- ********************* jboss-service.xml ****************** -->
   <service-config name="jboss:service=Naming"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port" hostName="BindAddress">
         <attribute name="RmiPort">10005</attribute>
      </delegate-config>
      <binding port="10006" host="${jboss.bind.address}"/>
   </service-config>
   <service-config name="jboss:service=WebService"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port"/>
      <binding port="10008"/>
   </service-config>
   <service-config name="jboss:service=invoker,type=jrmp"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="RMIObjectPort"/>
      <binding port="10009"/>
   </service-config>
   <service-config name="jboss:service=invoker,type=pooled"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="ServerBindPort"/>
      <binding port="10010"/>
   </service-config>
   <!-- ********************* cluster-service.xml **************** -->
   <service-config name="jboss:service=HAJNDI"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="RmiPort"/>
      <binding port="10005"/>
   </service-config>
   <service-config name="jboss:service=HAJNDI"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port"/>
      <binding port="10007"/>
   </service-config>
   <service-config name="jboss:service=invoker,type=jrmpha">
      <!-- delegate-config and binding for this service are not shown in the source -->
   </service-config>
   <!-- ********************* snmp-adaptor.sar ****************** -->
   <service-config name="jboss.jmx:name=SnmpAgent,service=trapd,type=logger"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port"/>
      <binding port="10018"/>
   </service-config>
   <service-config name="jboss.jmx:name=SnmpAgent,service=snmp,type=adaptor"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port"/>
      <binding port="10017"/>
   </service-config>
   <!-- ********************* jbossmq-service.xml **************** -->
   <!-- JMS related services -->
   . . .
</server>
There are cases where session data is not replicated at all. Instead, load balancing hardware or software directs every Web request belonging to a session to the same Web or application server. Such sessions are referred to as sticky sessions, and the behaviour as session affinity.
JBoss AS Clustering
JBoss AS clustering is enabled automatically when you install the full version of JBoss AS. Clustering is enabled in the all instance of the server software. The cluster configuration is defined in the file cluster-service.xml in the <instance>/deploy directory. Other than configuring the cluster-service.xml file and starting the all instance of the server, no additional cluster configuration is required. The default configuration uses the JGroups service to automatically detect other JBoss AS servers on the same LAN segment with which it can form a cluster. Also, any application (packaged as a .war, .sar, or .ear) deployed to the <instance>/farm directory is automatically deployed to all servers in the cluster.

The cluster-service.xml file provides configuration for clustering of:
- HTTP Sessions via the Tomcat Servlet Container
- Session and Entity Enterprise Java Beans (EJBs)
- Java Naming and Directory Interface (JNDI) Services

JBoss recommends avoiding clustering of EJB 2.0 entity beans because of potential data synchronization issues between hosts.

The JNDI naming service plays a key role in JEE applications, providing the infrastructure used to locate objects or services within JBoss AS. The High Availability JNDI (HA-JNDI) service keeps track of cluster-wide services and helps maintain a distinction between cluster-bound services and those that are not cluster bound.

The cluster-service.xml file provides additional configuration options that allow you to limit a cluster by specifying a cluster partition name and/or specifying which remote hosts can form the cluster. These limits matter on a shared network segment, because with automatic discovery any JBoss AS on the segment that presents the same partition name otherwise joins the cluster and receives the farm deployments. You can also specify cache replication policies for propagating state information to the nodes in a cluster. For more information about JBoss AS clustering, JBossCache, and JGroups Services see the JBoss 4 Application Server Guide.
You can integrate the Web server and JBoss AS in a way that plays to the strengths of each. The Web server is well suited to, and more efficient at, serving static Web content, while JBoss AS is an excellent tool for providing dynamic Web content with JEE application services. With the addition of the mod_jk connector module, the Web server can also load balance requests across several JBoss AS servers. While more efficient load balancing techniques exist, this approach has the advantage of not requiring load balancing hardware or complex load balancing software. If user authentication and authorization is to be performed in an integrated Web server and JBoss AS deployment, JBoss AS is well suited to providing these services because it offers built-in role-based access control.
[Figure: Web client connecting over the HTTP protocol to Tomcat inside JBoss AS]
In this configuration, when a user authorization and authentication policy is required, implement it in JBoss AS, because JBoss AS and JEE use role-based security. This allows deployment of applications that use more fine-grained privileges: users with specified roles can access the resources for which those roles are enabled. If the JBoss AS and Web servers operate in a hostile Web client environment, secure them by disabling unnecessary services and implementing reasonable system security policies. HP-UX 11i provides a number of tools to help with this:
- HP-UX IPFilter for network lockdown that blocks undesirable network traffic.
- HP-UX Bastille for system lockdown policy enforcement.
- HP-UX Security Containment for implementing role-based access controls and providing a secure environment for the Web services components.
Integrating the Web Server and JBoss AS 51
- Security Patch Check for ensuring the HP-UX operating system is up to date with security patches.
- OpenSSL for providing encrypted HTTP communications with the Web client.
[Figure: Web client sending HTTP to the Web server, which forwards requests through mod_jk over the AJP protocol to the AJP Connector of Tomcat in JBoss AS]

[Figure: Web clients sending HTTP to a load balancer, which distributes the requests to several Tomcat/JBoss Application Server instances]
Typically the hardware load balancer is configured with a virtual IP address. When a Web client requests a Web service, the load balancer translates the virtual IP address into the address of one of the JBoss AS servers. The request is passed on to a JBoss AS server based on the translated address and based on an allocation policy. The allocation policy can define the minimum response time required by the server, the number of requests allowed to a server, the server weight, and so on. The load balancer will typically not route requests to a JBoss AS server that is unavailable. In practice, you may have many servers, each serving the same Web session, or one server, in the farm, serving a complete Web session. When configuring any load balancer, consideration must be given to storage of session information. If multiple servers serve a session, they must have access to the session information. This information must be stored, updated, and made available to each of the servers serving the session. When a single application server serves a Web session, the session state information can be stored on the server serving the Web session.
[Figure: Web clients using the HTTP protocol to reach a farm of JBoss AS (Tomcat) servers, all of which reach one Database Server over the DB network protocol]
When compared to hardware load balancing, there are several potential shortfalls in a DNS load balancing configuration:
- The DNS named server does not consider the status of the JBoss AS servers when it resolves the virtual server name. Requests may be routed to a server that is very busy or is no longer available.
- The DNS named server has no notion of a sticky session. Subsequent requests from the same client to resolve the virtual server name will likely receive a different IP address. This causes problems if the application keeps session state on the JBoss AS server: subsequent client requests are routed to different servers, and the application will not work properly unless the JBoss AS server takes steps to propagate the state information. In general, approaches to propagating state information do not scale well and may defeat the advantages gained by using a server farm. In a DNS load balancing configuration, applications must not store state information in JBoss AS unless it is propagated. Note that Figure 3-4 shows a single database server. All session data must be written to the database server, or returned to the client in an HTTP session cookie or URL-encoded query string with each request; state handed to the client in this way must be protected against tampering, and query-string state is also exposed in server logs and referrer headers. All JBoss AS servers must share the same database server, or the database must instantly replicate session state data to all database servers used by the farm.
- The Web client often caches the IP address returned by DNS. This resolves the sticky session problem, but it also means that the client will not respond to changes in the DNS round-robin configuration in a timely manner. In addition, the same client will not load balance over several JBoss AS servers but will always use the same server until its DNS cache is flushed. You can use techniques to reduce or eliminate the time a name spends in the name cache, but flushing the cache more frequently puts a larger load on the DNS name server as more requests are forwarded to it.

[Figure 3-4: Web clients resolving the virtual server name through DNS (BIND), sending HTTP to the JBoss AS farm, with a single database server reached by every farm member over the DB network protocol]
[Figure: Web client sending HTTP to the Web server; mod_jk distributes the requests over the AJP protocol to the AJP Connector of Tomcat on each JBoss AS node]
When configuring mod_jk load balancing, you can:
- Ensure that requests are not routed to a machine that is not responding.
- Set up round-robin or weighted round-robin routing of requests to a server.
- Route all requests from the same session to the same server (sticky session).
In the example /etc/hosts file, two subnets are used for this configuration:
- Addresses beginning with 10.10.*
- Addresses beginning with 172.16.118.*
The configuration only uses domain names that are in the domain test.nameX.example.com.
2. Generate the named configuration files in the /usr/local/domain directory:
# mkdir /usr/local/domain
# cd /usr/local/domain
# hosts_to_named -d test.nameX.example.com -n 10.10 -n 172.16.118
The following lines were left out of the database:
172.16.118.67 hptem270.nameX.example.com hptem270 (first name not in test.nameX.example.com)
Creating "PTR" data (address to name mapping) for net 172.16.118 ...
Creating "MX" (mail exchanger) data ...
Building default named.boot file ...
Building default db.cache file ...
WARNING: db.cache must be filled in with the name(s) and address(es) of the root server(s)
Building default boot.cacheonly for caching only servers ...
done
3. If you are using DNS forwarders to resolve names and addresses that the local named server cannot resolve, you must update the db.cache file with the forwarders' names. In our case we are using two forwarders, so we update db.cache as follows:
; FILL IN THE NAMES AND ADDRESSES OF THE ROOT SERVERS
;
; .                              99999999 IN NS root.server.
; root.server.                   99999999 IN A  ??.??.??.??
.                                99999999 IN NS namX-resolver.nameX.test.net.
namX-resolver.nameX.test.net.    99999999 IN A  172.243.128.51
.                                99999999 IN NS namY-resolver.nameY.test.net.
namY-resolver.nameY.test.net.    99999999 IN A  172.243.160.51
4. Update the options section of the named.conf file: specify a forwarders directive if forwarders are being used, and specify the rrset-order directive so that the records of a multi-record set (the A records of a virtual server name, or equal-priority MX records) are returned in cyclic (round-robin) order instead of random order:
#
# type  domain  source file
#
options {
        directory "/usr/local/domain";
        forwarders { 172.243.128.51; 172.243.160.51; };
        rrset-order { order cyclic; };
};
zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "db.127.0.0";
};
zone "test.nameX.example.com" {
        type master;
        file "db.test";
};
zone "10.10.IN-ADDR.ARPA" {
        type master;
        file "db.10.10";
};
zone "118.16.172.IN-ADDR.ARPA" {
        type master;
        file "db.172.16.118";
};
zone "." {
        type hint;
        file "db.cache";
};
5. Start or restart the named server. First stop the currently running server:
# ps -eax | grep -v grep | grep named | read pid restofline
# (($?==0)) && kill $pid
This relies on the HP-UX POSIX shell (ksh) running the final read in the current shell, so that pid is set when the pipeline ends; in a shell that runs it in a subshell, pid is empty and the kill does nothing.
Configure the /etc/rc.config.d/namesvrs file so that the named server starts automatically when the system is started. Set the variable NAMED to 1, and NAMED_ARGS to point at the configuration file:
NAMED=1
NAMED_ARGS="-c /usr/local/domain/named.conf"
[Zone file db.test (test.nameX.example.com) excerpt: only the owner-name and class columns survived extraction. The zone has an NS record followed by IN records for localhost, hptem270, specj (which appears several times, consistent with one address record per farm member for the virtual server name), hpdhl208, hpdhl209, hpdhl211, hpdhl212, hpdhl214, hpdhl230, hpdhl231, hpdhl232 and the -2 names of the second subnet; the record types and addresses are not recoverable from this page.]
Note that setting the TTL value to zero is not recommended because it can, in theory, cause problems with the DNS proxy servers. It is very common to set the TTL to a small value, such as 5 minutes, because many Web clients use DHCP and must react fairly quickly to changes in their IP address allocation. After changing the TTL value, restart the named server as described in the previous section.
JkWorkersFile /opt/hpws/apache/conf/workers.properties
JkLogFile     /opt/hpws/apache/logs/jk.log
JkLogLevel    info
JkMount /bookstore1 router
JkMount /bookstore1/* router
JkMount /bank router
JkMount /bank/* router
JkMount /crime router
JkMount /crime/* router
JkMount /jmx-console router
JkMount /jmx-console/* router
<Location /jkstatus/>
   JkMount status
   Order allow,deny
   Allow from all
</Location>
Mounting /jmx-console through the front-end Web server, and opening /jkstatus/ with "Allow from all", makes the JBoss management console and the mod_jk status page reachable by every Web client that can reach the Web server. Unless those paths are protected by their own authentication, restrict them to administrative addresses or leave them unmounted.
3. Edit the /opt/hpws/apache/conf/workers.properties file to specify which machines will load balance the URLs specified in the mod_jk.conf file. The following example shows the contents of a workers.properties file that load balances between two nodes:
workers.tomcat_home=/opt/hpws/tomcat
workers.java_home=/opt/java1.4
ps=/
#
worker.node1.port=8009
worker.node1.host=hpdhl207.nameX.example.com
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.cachesize=10
worker.node2.port=8009
worker.node2.host=hpdhl221.nameX.example.com
worker.node2.type=ajp13
worker.node2.lbfactor=1
worker.node2.cachesize=10
worker.router.type=lb
worker.router.balance_workers=node1,node2
worker.router.sticky_session=1
worker.status.type=status
worker.list=router,status
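Added example, not from the HP document or from mod_jk itself: a Python model of the lb worker's routing decision for the workers.properties above, so that the three behaviours listed earlier (skip a node that is down, round-robin by lbfactor, sticky session) can be checked against a configuration before it is deployed. The properties text is the page's two-node file; the session ids and the set of down nodes are constructed inputs, and the scheduling is a simplified weighted round-robin rather than mod_jk's exact algorithm. It assumes that each JBoss AS node's Tomcat jvmRoute is set to its worker name (node1, node2), which is what makes the ".node2" suffix of a JSESSIONID usable for stickiness; without that setting, sticky_session=1 has nothing to match on.

```python
# Added example (not from the HP document): validates a workers.properties
# file and models the lb worker's sticky / round-robin / failover routing.

# The two-node configuration from the page.
WORKERS_PROPERTIES = """\
workers.tomcat_home=/opt/hpws/tomcat
workers.java_home=/opt/java1.4
ps=/
worker.node1.port=8009
worker.node1.host=hpdhl207.nameX.example.com
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.cachesize=10
worker.node2.port=8009
worker.node2.host=hpdhl221.nameX.example.com
worker.node2.type=ajp13
worker.node2.lbfactor=1
worker.node2.cachesize=10
worker.router.type=lb
worker.router.balance_workers=node1,node2
worker.router.sticky_session=1
worker.status.type=status
worker.list=router,status
"""


def parse_workers(text):
    """worker.<name>.<key>=<value> lines -> {name: {key: value}}."""
    workers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        if len(parts) == 3 and parts[0] == "worker":
            workers.setdefault(parts[1], {})[parts[2]] = value.strip()
    return workers


def validate(workers, lb_name):
    """Problems that would surface only at runtime: the named worker must
    be an lb worker, and every balanced worker must be a defined ajp13
    worker with a host and port."""
    lb = workers.get(lb_name)
    if lb is None or lb.get("type") != "lb":
        return ["%s is not an lb worker" % lb_name]
    problems = []
    for name in lb.get("balance_workers", "").split(","):
        name = name.strip()
        w = workers.get(name)
        if w is None:
            problems.append("balanced worker %s is not defined" % name)
        elif w.get("type") != "ajp13":
            problems.append("worker %s has type %s, expected ajp13" % (name, w.get("type")))
        elif not w.get("host") or not w.get("port"):
            problems.append("worker %s lacks host or port" % name)
    return problems


class LoadBalancer:
    """Routing state for one lb worker."""

    def __init__(self, workers, lb_name):
        lb = workers[lb_name]
        self.members = [n.strip() for n in lb["balance_workers"].split(",")]
        self.weights = {n: int(workers[n].get("lbfactor", "1")) for n in self.members}
        self.sticky = lb.get("sticky_session", "1") == "1"
        self.used = {n: 0 for n in self.members}

    def route(self, jsessionid=None, down=()):
        """Pick the worker for one request. A session id of the form
        '<id>.<route>' pins the request to that worker while it is up (the
        route is the node's jvmRoute, assumed equal to the worker name);
        otherwise the worker with the lowest used/lbfactor ratio is chosen,
        which is weighted round-robin. Returns None when every node is down."""
        up = [n for n in self.members if n not in down]
        if not up:
            return None
        if self.sticky and jsessionid and "." in jsessionid:
            route = jsessionid.rsplit(".", 1)[1]
            if route in up:
                self.used[route] += 1
                return route
        choice = min(up, key=lambda n: (self.used[n] / self.weights[n],
                                        self.members.index(n)))
        self.used[choice] += 1
        return choice
```

Two requests without a session cookie go to node1 and then node2; a request carrying JSESSIONID "ABC123.node2" stays on node2 while that node is up, and falls over to node1 when node2 is reported down. Note the consequence of that failover for the application: the session state held on node2 is gone unless HTTP session replication is enabled in the cluster configuration.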