
HP-UX Open Source Reference Architecture (OSRA) 2.1 for Web Services Configuration Guide

HP-UX 11i v1, HP-UX 11i v2

HP Part Number: 5991-7640 Published: March 2007

Copyright 2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. UNIX is a registered trademark of The Open Group. Java is a US trademark of Sun Microsystems, Inc This product includes software developed by the Apache Software Foundation. This documentation is based on information from the Apache SoftwareFoundation (http://www.apache.org) This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).

Table of Contents
About This Document (page 11)

1 Overview (page 15)
    Benefits (page 15)
    Architecture (page 15)
    Components (page 16)
        HP-UX 11i Web Server Suite (page 16)
        Secure Web Server Platform (page 17)
        Java and Scripting Languages (page 17)
        JBoss Enterprise Middleware (page 17)
        Database Server (page 18)
        Directory Server (page 18)
        Security (page 18)

2 Configuration and Integration (page 19)
    Install Paths and Disk Space (page 19)
    Installing JBoss AS (page 20)
        Installing From the zip File (page 20)
        Installing From the GUI Installer (page 21)
        Verifying JBoss AS Installation (page 21)
        Removing JBoss AS Components (page 22)
    General Configuration Information (page 23)
    JBoss AS Basic Configuration (page 26)
        JBoss AS Startup Configuration Files (page 26)
        Running JBoss AS With a Different User Name (page 26)
        Setting the Java Memory Allocation Pool Size (page 27)
        Configure the Oracle Data Source for JBoss (page 27)
        MySQL Integration with JBoss AS (page 28)
    Red Hat Directory Server Setup (page 30)
        Verify Directory Operation (page 37)
        Add and Verify Directory Entries (page 37)
    Integrating JBoss AS and LDAP (page 40)
        Configuring JBoss to Use LDAP (page 40)
        Create or Update Users and Roles in the LDAP Directory (page 40)
        Configure the Application Security Characteristics (page 42)
    Integrating the Web Server to Use LDAP (page 45)
    Running Multiple JBoss AS Instances on the Same Server (page 46)

3 Load Balancing and Cluster Configuration (page 49)
    Web Services Sessions (page 49)
        Session State Replication (page 49)
        Session Replication in Tomcat (page 50)
        JBoss AS Clustering (page 50)
    Integrating the Web Server and JBoss AS (page 50)
        Content Directed Integration (page 51)
        Apache Directed Content Integration (page 52)
    Horizontal Scaling of Web and Application Servers (page 52)
        Hardware Load Balancing (page 53)
        Domain Name System (DNS) Round-Robin Load Balancing (page 53)
        Load Balancing With Apache mod_jk (page 55)
        DNS Load Balancing Configuration Example (page 55)
            Configure named With the Virtual Server Hostname (page 56)
            Configure the DNS Cache TTL Value (page 58)
            Disable the Java DNS Cache (page 59)
            Using DNS Round Robin With JBoss AS (page 59)
        Apache mod_jk Configuration Example (page 59)
            Configuring the Web Server and mod_jk (page 59)
            Configuring JBoss AS and mod_jk (page 60)

List of Figures
1-1   HP-UX OSRA for Web Services: Architectural Overview (page 15)
2-1   Welcome Screen (page 30)
2-2   License Screen (page 31)
2-3   Installation Type (page 31)
2-4   Domain Name (page 32)
2-5   User and Group (page 32)
2-6   Standalone Server (page 33)
2-7   Directory Server Data Store (page 33)
2-8   Network Port Number (page 34)
2-9   Unique Identifier (page 34)
2-10  Administrator Name and Password (page 34)
2-11  Directory Suffix (page 35)
2-12  Directory Manager (page 35)
2-13  Administration Domain (page 35)
2-14  Administration Server Network Port (page 36)
2-15  Administration Server User (page 36)
2-16  Red Hat Directory Server Startup (page 37)
3-1   Content Directed Integration (page 51)
3-2   Apache Directed Integration (page 52)
3-3   Hardware Load Balancing (page 53)
3-4   DNS Load Balancing (page 54)
3-5   Load Balancing With mod_jk (page 55)

List of Tables
1-1   HP-UX OSRA 2.1 Component Information (page 16)
2-1   Install Path and Disk Space Used by HP-UX OSRA 2.1 Components (page 19)

List of Examples
2-1   /etc/rc.config.d/jboss File (page 26)


About This Document


This document describes the features provided by the HP-UX Open Source Reference Architecture (OSRA) 2.1 for Web Services on HP-UX 11i v1 and v2 platforms. In addition, the document identifies components that are commonly integrated and provides useful examples on how to integrate them. You can find the latest version of this document at the HP Technical Documentation website, at: http://docs.hp.com/en/internet.html#OSRA/Web%20Services

Intended Audience
This document is intended for system administrators responsible for installing, configuring, and managing the HP-UX OSRA for Web Services component products. Administrators are expected to have knowledge of operating system concepts, commands, and configuration. It is helpful to have knowledge of the Open Source products defined by HP-UX OSRA. This document is not a tutorial, but it is intended to provide the reader with a better understanding of how the HP-UX OSRA components integrate with each other and with the HP-UX operating system.

New and Changed Information in This Edition


This guide has been updated to include HP-UX OSRA 2.1 information. This update adds the HP-UX 11i Protected Systems Web Server product, reflects a name change of the MySQL Enterprise Database Server component (formerly called MySQL Pro Certified Database Server), and includes other minor improvements.

NOTE: Starting with the HP-UX OSRA 2.0 release, HP-UX OSRA contains only components that are delivered and supported by HP, either bundled with HP-UX or available with HP subscriptions. HP-UX OSRA 2.0 and later does not include community-supported components. Community-supported components continue to be available in the HP-UX Internet Express Open Source bundles. The HP-UX Internet Express bundles are located under the Security and Manageability heading at http://www.software.hp.com.

HP-UX Release Name and Release Identifier


Each HP-UX 11i release has an associated release name and release identifier. The uname -r command returns the release identifier. The following table lists the releases available for HP-UX 11i:

Release Identifier   Release Name           Supported System
B.11.11              HP-UX 11i Version 1    HP 9000
B.11.23              HP-UX 11i Version 2    HP 9000 and HP Integrity
B.11.31              HP-UX 11i Version 3    HP 9000 and HP Integrity


Document Organization
This document is organized in the following chapters:

Chapter 1 (page 15)   Provides summary information about the features and components of HP-UX OSRA 2.1.
Chapter 2 (page 19)   Explains how to plan for and execute the integration and basic configuration of the HP-UX OSRA 2.1 components.
Chapter 3 (page 49)   Provides information on load balancing and cluster configuration of the HP-UX OSRA 2.1 components.

Typographic Conventions
This document uses the following typographical conventions:

%, $, or #             A percent sign represents the C shell system prompt. A dollar sign represents the system prompt for the Bourne, Korn, and POSIX shells. A number sign represents the superuser prompt.
audit(5)               A manpage. The manpage name is audit, and it is located in Section 5.
Command                A command name or qualified command phrase.
Computer output        Text displayed by the computer.
Ctrl+x                 A key sequence. A sequence such as Ctrl+x indicates that you must hold down the key labeled Ctrl while you press another key or mouse button.
ENVIRONMENT VARIABLE   The name of an environment variable, for example, PATH.
[ERROR NAME]           The name of an error, usually returned in the errno variable.
Key                    The name of a keyboard key. Return and Enter both refer to the same key.
Term                   The defined use of an important word or phrase.
User input             Commands and other text that you type.
Variable               The name of a placeholder in a command, function, or other syntax display that you replace with an actual value.
[]                     The contents are optional in syntax. If the contents are a list separated by |, you must choose one of the items.
{}                     The contents are required in syntax. If the contents are a list separated by |, you must choose one of the items.
...                    The preceding element can be repeated an arbitrary number of times.
                       Indicates the continuation of a code example.
|                      Separates items in a list of choices.
WARNING                A warning calls attention to important information that if not understood or followed will result in personal injury or nonrecoverable system problems.
CAUTION                A caution calls attention to important information that if not understood or followed will result in data loss, data corruption, or damage to hardware or software.
IMPORTANT              This alert provides essential information to explain a concept or to complete a task.
NOTE                   A note contains additional information to emphasize or supplement important points of the main text.


Related Information
Documentation for HP-UX OSRA bundled components is available, by component, from http://www.docs.hp.com. For HP-UX OSRA subscription components work with your HP Support representative or refer to the respective Open Source vendors' documentation web sites.

Publishing History
The following table lists the publication history of this document. You can find the latest version of this document on line at: http://docs.hp.com/en/internet.html#OSRA/Web%20Services.

Manufacturing Part Number   Title                                                                                   Supported Operating Systems    Publication Date
59917640                    HP-UX Open Source Reference Architecture (OSRA) 2.1 for Web Services Configuration Guide   HP-UX 11i v1, HP-UX 11i v2     March 2007
59915939                    HP-UX Open Source Reference Architecture (OSRA) 2.0 for Web Services Configuration Guide   HP-UX 11i v1, HP-UX 11i v2     August 2006
59912681                    HP-UX Open Source Reference Architecture for Web Services Configuration Guide             HP-UX 11i v1, HP-UX 11i v2     April 2006

HP Encourages Your Comments


HP encourages your comments concerning this document. We are committed to providing documentation that meets your needs. Send comments to feedback@fc.hp.com. Include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.


1 Overview
HP-UX OSRA defines the set of open source middleware, networking, and management software for HP-UX that enables a successful web services solution deployment. All HP-UX OSRA software is delivered and fully supported by HP. HP-UX OSRA is part of the HP Open Source Integrated Portfolio, which includes consulting, integration, and support services. This chapter provides an overview of HP-UX OSRA and describes the Open Source components that make up the architecture. This chapter addresses the following topics:
    Benefits
    Architecture
    Components

Benefits
HP-UX OSRA helps you lower costs and reduce the risks associated with using open source software by providing:
    Support: HP offers a single source for support. All HP-UX OSRA software is fully supported.
    Flexibility: Use the complete set of OSRA components, or individual components. Integrate with commercial or other open source software.
    Proven Reliability: HP-UX is a proven, highly available base for deploying your solutions.
    Value-added Features: HP-UX offers many additional products in the areas of virtualization, manageability, and security, which can help lower your overall costs.
    Selection: HP-UX OSRA components have been pre-selected to provide an integrated set of complementary open source software needed to deploy web services on HP-UX.

Architecture
The following figure provides an architectural overview of HP-UX OSRA.

Figure 1-1 HP-UX OSRA for Web Services: Architectural Overview

[Figure 1-1: Application 1 through Application 4 run on the HP-UX OSRA stack. The figure labels the following products.]
OSRA:
    Secure Web Services Platform: HP-UX 11i Protected Systems Web Server
    Application Server: JBoss Application Server, JBoss Cluster, Hibernate
    Web Server: Apache & Tomcat
    Database: MySQL
    Directory Server: Red Hat Directory Server, OpenLDAP
    System & Network Security: HP-UX Bastille, HP-UX IPFilter, HP-UX Secure Shell, OpenSSL, HP-UX 11i Security
    Java, Perl, PHP
Additional Web Service Products:
    Internet Express: Ant, Eclipse, Python, Struts, XDoclet, and more
Related Products & Services:
    Availability: HP Serviceguard
    OpenView: Smart Plug-in for JBoss AS
    JBoss: Subscription for full JEMS Suite
    LDAP: LDAP-UX Integration
    Consulting: HP Software Consulting
Foundation: HP-UX 11.23 and 11.11 Hardware (Integrity and PA-RISC platforms)

The foundation for the HP-UX OSRA components is the HP-UX 11i Operating System on HP Integrity and PA-RISC servers. As shown in Figure 1-1, HP also offers complementary security, management, and high availability products that add value to the HP-UX OSRA architecture.

Components
HP-UX OSRA products enable you to build and deploy open source based web services solutions. This guide describes how to integrate combinations of these open source products, which have been selected and tested for interoperability. The following table lists the components defined by HP-UX OSRA 2.1. For the most current versions of the components, refer to HP-UX OSRA for Web Services on HP's Software Depot.

Table 1-1 HP-UX OSRA 2.1 Component Information

HP-UX OSRA 2.1 Component                                                                          Delivery/Support *
HP-UX 11i Web Server Suite: Tomcat Web Servlet Engine                                             Bundled
HP-UX 11i Web Server Suite: Apache Web Server with popular modules and PHP 5                      Bundled
HP-UX 11i Protected Systems Web Server: Secure system built around the HP-UX 11i Web Server Suite   Bundled
Java                                                                                              Bundled
Perl                                                                                              Bundled
JBoss Application Server (JBoss AS)                                                               Subscription
JBoss Cluster: High Availability for JBoss AS                                                     Subscription
MySQL Enterprise Database Server                                                                  Subscription
Hibernate Persistence Service                                                                     Subscription
Red Hat LDAP Directory Server                                                                     Bundled**
Symas CDS OpenLDAP Server                                                                         Subscription
HP-UX Bastille                                                                                    Bundled
HP-UX IPFilter                                                                                    Bundled
OpenSSL                                                                                           Bundled
HP-UX Secure Shell: ssh client and server                                                         Bundled

* Delivery/Support. Bundled: Bundled components are delivered free of charge on HP-UX and support is included with your HP-UX software support contract. Subscription: To obtain a subscription, contact HP.
** See Red Hat LDAP Directory Server for product license requirements.

HP-UX 11i Web Server Suite

This collection of software products allows the deployment, management, and implementation of mission critical Web servers. This suite is comprised of the following components:
    HP-UX Apache-based Web Server - The Apache-based Web Server dominates the Web server market as the most popular and frequently deployed Web server for publishing and serving static and dynamic Web pages.
    Apache Modules - The Apache modules provide interfaces to the components that interact with the Web server, including Apache Tomcat (mod_jk), OpenSSL (mod_ssl), LDAP (auth_ldap), and PHP (mod_php).
    JEE Servlet Engine - HP-UX Tomcat-based Servlet Engine. Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages (JSP) technologies. It seamlessly integrates into HP-UX Apache-based Web Server.
    PHP - A widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

Secure Web Server Platform


The HP-UX 11i Protected Systems Web Server (PS-Webserver) is a secure Web services platform built on HP-UX that combines the HP-UX 11i Web Server Suite with HP-UX security products. The secure architecture and run time environment isolates the Internet from backend servers and isolates the Web server from the intranet. If the Web server is compromised, the PS-Webserver limits the damage to system and intranet resources by minimizing the system access and resource privileges an attacker can obtain. With PS-Webserver, users mitigate risk and benefit from a highly secure Web server environment that uses compartmented processing to isolate customer-facing Web processing from internal databases, files, and applications.

Java and Scripting Languages


    Java - Java Standard Edition products for HP-UX provide solutions to develop and deploy Java applications with the best performance on the HP-UX operating system. The Java products are also referred to as Java Standard Edition (Java SE), Java Runtime Environment (JRE), and Java Virtual Machine (JVM).
    Perl - A widely-used scripting language used for web application CGI programs. HP-UX bundles a version of Perl that has been optimized for HP-UX. HP-UX's Perl includes modules such as the Perl Package Manager, Oracle DBD modules, XML modules, and more.
    PHP - A widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. PHP is included as part of the HP-UX 11i Web Server Suite.

JBoss Enterprise Middleware


JBoss Enterprise Middleware includes the following components.
    The JBoss Application Server - The JBoss application server is a widely used JEE application server for developing and deploying enterprise Java applications, Web services applications, and portals. The JBoss application server provides extended enterprise services including messaging, clustering, caching, persistence, and more. The server integrates Hibernate, JBoss Cache, and JBoss clustering.
    Hibernate - Hibernate is an object/relational persistence and query service for Java. Hibernate lets you develop persistent classes following common Java idiom, including association, inheritance, polymorphism, composition, and the Java collections framework. Hibernate allows you to express queries in its own portable SQL extension (HQL), as well as in native SQL, or with Java-based Criteria and Example objects.
    JBoss Cache - JBoss Cache is a product designed to cache frequently accessed Java objects in order to dramatically improve the performance of e-business applications. For example, by eliminating unnecessary database access, JBoss Cache decreases network traffic and increases the scalability of applications. JBoss Cache provides two caching APIs to suit your needs. The JBossCache API offers a traditional, tree-structured node-based cache, and the JBossCacheAOP API, which builds on the JBossCache API, provides the ability to perform fine-grained replication of Java objects, resulting in maximum performance benefits.
    JBoss Clustering - Clustering is a key feature in Java EE application servers. It allows you to add server hardware to handle more requests, make your application fail-safe, and make efficient use of the database server. Clustering is traditionally important for high traffic web applications. But today, as AJAX and SOA applications become more and more popular, smaller web applications also need to handle large amounts of incremental page updates and machine-to-machine traffic. Therefore, clustering is becoming more and more important. In JBoss AS, clustering is mostly transparent to applications. JBoss AS supports transparent clustering of EJB 3.0 POJOs. It also supports EJB 3.0 entity bean cache clustering, EJB 3.0 stateful session bean clustering, and HTTP clustering out of the box.

Database Server
The MySQL Database product includes the MySQL Enterprise Database Server and the MySQL Connector/J. The MySQL Enterprise Database Server is the most secure and reliable version of the MySQL Database Server. The MySQL Connector/J is a native Java driver that converts JDBC (Java Database Connectivity) calls from JBoss AS (or other application servers) into the network protocol used by the MySQL database.

Directory Server
    Red Hat Directory Server for HP-UX - Red Hat Directory Server is an Open Source LDAP-based server that centralizes application settings, user profiles, group data, policies, and access control information into an operating system-independent, network-based registry. Forming the central repository for an Identity Management infrastructure, Red Hat Directory Server simplifies user management, eliminating data redundancy and automating data maintenance. It also improves security: by storing policies and access control information, Red Hat Directory Server creates a single authentication source across the entire enterprise for both intra- and extranet applications.
    Symas CDS OpenLDAP - Symas CDS OpenLDAP is an Open Source implementation of LDAP.

Security
    HP-UX Bastille - HP-UX Bastille can ease an organization's system-hardening security and/or regulatory-compliance activities. It provides customized lock-down, addressing most of the recommendations from a number of popular security scanning tools and checklists. Some of these checklists are used by security auditors.
    HP-UX IPFilter - HP-UX IPFilter (B9901AA) is a stateful system firewall that filters IP packets to control packet flow in or out of a machine. It works as a security defense by cutting down on the number of exposure points on a machine.
    HP-UX 11i Secure Shell - HP-UX Secure Shell is a client/server architecture that supports the SSH-1 and SSH-2 protocols and provides secured remote login, file transfer, and remote command execution.
    HP-UX OpenSSL - HP-UX OpenSSL is based on the open source product OpenSSL and offers cryptography for applications by providing a general-purpose cryptography library and an implementation of the Secure Socket Layer and Transport Layer Security protocols.

2 Configuration and Integration


This chapter contains supplemental installation and configuration information, including the following topics:
    Install Paths and Disk Space
    Installing JBoss AS
    General Configuration Information
    JBoss AS Basic Configuration
    Red Hat Directory Server Setup
    Integrating JBoss AS and LDAP
    Integrating the Web Server to Use LDAP
    Running Multiple JBoss AS Instances on the Same Server

Install Paths and Disk Space


The following table provides an estimate of the sizes of files associated with HP-UX OSRA components. Refer to individual product documentation for more precise disk space requirements.

Table 2-1 Install Path and Disk Space Used by HP-UX OSRA 2.1 Components

HP-UX OSRA 2.1 Component                          Install Path                             Disk Space
HP-UX 11i Web Server Suite                        /opt/hpws                                ~300 MB
HP-UX 11i Protected Systems Web Server            /opt/psws                                ~125 MB
Java                                              /opt/java<version>                       ~205 MB
Perl                                              /opt/perl                                ~100 MB
JBoss Application Server (JBoss AS)               /opt/jboss-<version>                     ~115 MB plus space for applications
JBoss Cluster: High Availability for JBoss AS     (same as JBoss AS)                       N/A (not available for separate install; is part of JBoss AS installation)
MySQL Enterprise Database Server                  /usr/local/mysql-enterprise-<version>    ~96 MB plus database table space
Hibernate Persistence Service                     /opt/hibernate-3.1                       ~98 MB if installed separately (is part of JBoss AS if that is installed)
Red Hat LDAP Directory Server                     /var/opt/netscape/server7                ~300 MB
Symas CDS OpenLDAP Server                         /opt/symas                               ~31 MB plus space for directories
HP-UX Bastille                                    /opt/sec_mgmt/bastille                   ~1.1 MB
HP-UX IPFilter                                    /opt/ipf                                 ~7 MB
OpenSSL                                           /opt/openssl                             ~40 MB
HP-UX Secure Shell: ssh client and server         /opt/ssh                                 ~45 MB

Installing JBoss AS
NOTE: JBoss AS provides a number of file formats, including zip format, and a GUI installer to install software. HP only supports installing the software from the zip file or using the GUI installer.

When installing from the zip file, the installation includes all of the JBoss AS related services, distributed as three instances of the JBoss AS:
    all - this instance contains all of the JBoss AS services
    default - this instance contains a default set of services
    minimal - this instance contains the minimum set of services

To determine which services are started in each instance, examine the <instance-name>/conf/jboss-service.xml file and the configuration files in the <instance-name>/deploy directories. Services such as clustering and caching are enabled in the all instance, but may only be selectively enabled in the other instances.

The GUI installer allows you to perform a basic installation or to select individual services to be installed. Using a custom JBoss AS installation created by the GUI installer simplifies the installation and configuration of JBoss AS.

Download JBoss AS files to the /tmp or /var/tmp directory.

NOTE: Obtaining JBoss AS components is part of your HP Support Subscription service.
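The following script is an added example, not part of the HP guide or of JBoss AS itself. It puts the advice above into practice: it lists the deploy entries of each of the all, default and minimal instances under a JBoss home and reports what the all instance carries beyond default, so an administrator can see which services (clustering, caching, management consoles) an instance will expose before choosing it. The JBoss home and the deploy file names are assumptions; when JBOSS_HOME is not set, the script builds a small constructed tree under /tmp so it can run stand-alone.

```shell
#!/bin/sh
# Added example (not HP's or JBoss's own code): inventory the services each
# JBoss AS instance deploys by listing <instance>/deploy, as the NOTE suggests.
# JBOSS_HOME is assumed; if unset, a constructed sample tree is created.

JBOSS_HOME="${JBOSS_HOME:-$(mktemp -d /tmp/jboss-example.XXXXXX)}"

# Build a CONSTRUCTED sample tree with a few illustrative deploy entries.
# The file names are assumptions chosen to mirror the text: clustering and
# caching only in 'all', management consoles in 'all' and 'default',
# naming only in 'minimal'.
build_sample_tree() {
    home="$1"
    for inst in all default minimal; do
        mkdir -p "$home/server/$inst/conf" "$home/server/$inst/deploy"
        : > "$home/server/$inst/conf/jboss-service.xml"
    done
    for f in cluster-service.xml cache-service.xml jboss-web.deployer \
             jmx-console.war web-console.war; do
        : > "$home/server/all/deploy/$f"
    done
    for f in jboss-web.deployer jmx-console.war web-console.war; do
        : > "$home/server/default/deploy/$f"
    done
    : > "$home/server/minimal/deploy/naming-service.xml"
}

# Print the sorted deploy entries of one instance, one per line.
# Usage: instance_services <jboss_home> <instance>
instance_services() {
    ls -1 "$1/server/$2/deploy" 2>/dev/null | sort
}

# Print "yes" if <entry> is deployed in <instance>, otherwise "no".
# Usage: has_service <jboss_home> <instance> <entry>
has_service() {
    if [ -e "$1/server/$2/deploy/$3" ]; then echo yes; else echo no; fi
}

# Print entries deployed in instance A that instance B does not deploy.
# Usage: services_only_in <jboss_home> <instance_a> <instance_b>
services_only_in() {
    for s in $(instance_services "$1" "$2"); do
        if [ "$(has_service "$1" "$3" "$s")" = no ]; then echo "$s"; fi
    done
}

# Print "yes" if the instance has its service descriptor, otherwise "no".
# Usage: has_service_descriptor <jboss_home> <instance>
has_service_descriptor() {
    if [ -f "$1/server/$2/conf/jboss-service.xml" ]; then echo yes; else echo no; fi
}

# Human-readable report across the three stock instances.
report() {
    for inst in all default minimal; do
        n=$(instance_services "$1" "$inst" | wc -l | tr -d ' ')
        echo "== $inst: $n deploy entries, jboss-service.xml present: $(has_service_descriptor "$1" "$inst")"
        instance_services "$1" "$inst" | sed 's/^/   /'
    done
    echo "== deployed in all but not in default:"
    services_only_in "$1" all default | sed 's/^/   /'
}

# Create the constructed tree only when no real server/ directory exists.
[ -d "$JBOSS_HOME/server" ] || build_sample_tree "$JBOSS_HOME"
report "$JBOSS_HOME"
```

Run it against a real installation with JBOSS_HOME=/opt/jboss-<version> to inventory the actual instances; the entries in the all-only list are the extra services you accept by starting that instance.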

Installing From the zip File

When performing an installation, the following order of installation must be followed:
1. Install recommended Operating System patches. Information about Operating System patches can be found at: http://www1.itrc.hp.com
2. Check the disk space requirements (~115 MB under /opt, plus space for applications) and increase space as needed.
3. Update Java to 5.0, if required.
4. Install the remaining components.

Use the following commands to install JBoss AS from the zip file:

cd /opt
jar xvf /var/tmp/jboss-<version-number>.zip

During the installation, the system displays the directories that are created and the files installed on the system:

created: jboss-4.0.3SP1/
created: jboss-4.0.3SP1/bin/
created: jboss-4.0.3SP1/client/
created: jboss-4.0.3SP1/docs/
created: jboss-4.0.3SP1/docs/dtd/
created: jboss-4.0.3SP1/docs/examples/
created: jboss-4.0.3SP1/docs/examples/binding-manager/
created: jboss-4.0.3SP1/docs/examples/jboss.net/
. . .
extracted: jboss-4.0.3SP1/client/concurrent.jar
extracted: jboss-4.0.3SP1/client/getopt.jar
extracted: jboss-4.0.3SP1/client/jacorb.jar
extracted: jboss-4.0.3SP1/client/javax.servlet.jar
extracted: jboss-4.0.3SP1/client/jboss-aop-jdk50-client.jar
. . .

Configuration and Integration

Installing From the GUI Installer

The GUI installer allows you to perform a basic installation or to select individual services to be installed. Using a custom JBoss AS installation, created by the installer, simplifies the installation and configuration of JBoss AS. You should run the installation program as the login user id of the user that JBoss AS will run as.

Download the JAR file, jboss-<version>-installer.jar. Use the following command to install JBoss AS:

java -jar jboss-<version>-installer.jar

During the installation, you are asked to:
- Define the directory that JBoss AS is installed in. HP recommends you create a directory with the same name and version number as the JBoss AS version you are installing. For JBoss AS Version <version>, create the directory /opt/jboss-<version> and install JBoss AS in that directory.
- Select the components you want installed.
- Specify a configuration name.
- Enable or disable Isolation or Call by Value semantics. By default, JBoss AS uses call by reference semantics in a relatively flat class loading model. This provides increased performance, and allows you to easily share objects among applications on the same JBoss AS server. With call by reference, you do not need to include EJB interface classes in both the .war files (which contain Web objects that use the EJBs) and the .ejb files (which contain the EJB objects); you need only define the interface classes once in the .ejb file. Applications that share objects are more dependent upon one another through the version of the shared object libraries. The alternative is to use call by value semantics with a more scoped hierarchical class loader, forcing the serialization of shared objects. The resulting code libraries are slower and larger, but more independent. The JEE standard requires call-by-value semantics. See http://wiki.jboss.org/wiki/Wiki.jsp?page=ClassLoadingConfiguration for more information.
- Secure Java Management Extensions (JMX) interfaces. Selecting this option allows you to secure Enterprise JavaBeans (EJBs), Web applications and other services during the installation. See http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss for more information.

Verifying JBoss AS Installation

You can verify that JBoss AS and your system are working correctly after the installation by starting JBoss AS and verifying that no errors occur during operation. Use the following commands to start the server:

cd /opt/jboss-<version>/bin
sh run.sh

Note that if you specified a configuration name in the installation process, you will need to use that name on the command line:

cd /opt/jboss-<version>/bin
sh run.sh -c <name>

A properly installed system will return information similar to the following, and continue to run without producing errors.

=========================================================================
  JBoss Bootstrap Environment
  JBOSS_HOME: /opt/jboss
  JAVA: java
  JAVA_OPTS: -server -Xms128m -Xmx128m -Dprogram.name=run.sh
  CLASSPATH: /opt/jboss/bin/run.jar:/lib/tools.jar
=========================================================================
09:39:57,845 INFO [Server] Starting JBoss (MX MicroKernel)...
09:39:57,847 INFO [Server] Release ID: JBoss [Zion] 4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231751)
09:39:57,850 INFO [Server] Home Dir: /opt/jboss
09:39:57,851 INFO [Server] Home URL: file:/opt/jboss/
09:39:57,853 INFO [Server] Patch URL: null
09:39:57,853 INFO [Server] Server Name: default
09:39:57,853 INFO [Server] Server Home Dir: /opt/jboss/server/default
09:39:57,854 INFO [Server] Server Home URL: file:/opt/jboss/server/default/
09:39:57,854 INFO [Server] Server Temp Dir: /opt/jboss/server/default/tmp
09:39:57,857 INFO [Server] Root Deployment Filename: jboss-service.xml
09:39:59,056 INFO [ServerInfo] Java version: 1.4.2.09,Hewlett-Packard Co.
09:39:59,056 INFO [ServerInfo] Java VM: Java HotSpot(TM) Server VM 1.4.2 1.4.2.09-050713-09:59-IA64N IA64,Hewlett-Packard Company
09:39:59,056 INFO [ServerInfo] OS-System: HP-UX B.11.23,IA64N
09:40:00,197 INFO [Server] Core system initialized
09:40:03,591 INFO [Log4jService$URLWatchTimerTask] Configuring from URL: resource:log4j.xml

Removing JBoss AS Components

The GUI installer creates an uninstaller program in the /opt/jboss-<version>/Uninstaller directory. You can use this program to remove the JBoss AS components and files:
1. Log in as root.
2. Shut down JBoss AS as described in the Basic Configuration Information section of this chapter.
3. Use the following command to run the uninstaller program:

java -jar /opt/jboss-<version>/Uninstaller/uninstaller.jar

To remove the files installed from the JBoss AS zip file installation:
1. Log in as root.
2. Shut down JBoss AS as described in the Basic Configuration Information section of this chapter.
3. Use the following command to remove the files installed on your system:

rm -rf /opt/jboss-<version>


General Configuration Information

This section provides basic configuration information for the majority of the HP-UX OSRA 2.1 components. Additional sections in this chapter describe the more complex tasks required to configure the JBoss AS and Red Hat Directory Server components. The following list provides the basic information required to start, stop, and minimally configure many of the HP-UX OSRA 2.1 components.

Tomcat
  Startup: /opt/hpws/tomcat/bin/startup.sh <options>
  Shutdown: /opt/hpws/tomcat/bin/shutdown.sh <options>
  System Startup and Shutdown:
    /sbin/init.d/hpws_tomcat start|stop
    /etc/rc.config.d/hpws_tomcatconf - startup configuration file.
  Configuration file: /opt/hpws/tomcat/conf/server.xml - primary configuration file.
  These files are for the standalone Tomcat server, provided with the HP-UX Web Server Suite. JBoss AS contains a copy of Tomcat that is controlled through the JBoss AS.

Apache Web Server
  Start and Stop: /opt/hpws/apache/bin/apachectl start|stop
  Configuration file: /opt/hpws/apache/conf/httpd.conf
  System Startup and Shutdown:
    /sbin/init.d/hpws_apache start|stop
    /etc/rc.config.d/hpws_apacheconf - startup configuration file.
  Both Apache and Tomcat are integrated with OpenSSL and HP Integrity Crypto hardware.

MySQL Server
  Startup:
    /usr/local/mysql-enterprise-<version-platform>/bin/mysqld start
    /usr/local/mysql-enterprise-<version-platform>/bin/mysqld_safe <options> - safe start (restart on error, log errors).
    /usr/local/mysql-enterprise-<version-platform>/bin/mysqld_multi <options> - manages several mysqld processes running on different UNIX sockets and TCP/IP ports.
    /usr/local/mysql-enterprise-<version-platform>/bin/mysql <options> - start a MySQL client.
  Shutdown: /usr/local/mysql-enterprise-<version-platform>/bin/mysqld stop
  System Startup and Shutdown: Refer to the mysql.server(1) man page or MySQL documentation for instructions on how to set up system startup and shutdown.

Java
  Startup: /opt/java<version>/jre/bin/java

JBoss AS
  Startup: /opt/jboss-<version>/bin/run.sh <options>
  System Startup and Shutdown:
    /sbin/init.d/jboss start|stop - see the JBoss AS Basic Configuration section of this chapter for an example of configuring this file.
    /etc/rc.config.d/jboss - startup configuration file.
  JVM configuration file: /opt/jboss-<version>/bin/run.conf
  Initial Application Server Configuration: /opt/jboss-<version>/server/<instance>/conf/jboss-service.xml

Red Hat Directory Server
  Startup: /var/opt/netscape/server7/slapd-<servername>/start-slapd <options>
  Shutdown: /var/opt/netscape/server7/slapd-<servername>/stop-slapd <options>
  Configuration files: /var/opt/netscape/server7/slapd-<servername>/config
  No system startup script is provided with Red Hat Directory Server.

Symas CDS OpenLDAP
  Refer to the Symas CDS Installation Guide.
  Configuration files:
    /opt/symas/etc/openldap/slapd.conf
    /opt/symas/etc/openldap/cds.conf
  Start and Stop: /sbin/init.d/cdsserver start|stop

HP-UX Secure Shell
  Start and Stop:
    /usr/sbin/sshd <options>
    /sbin/init.d/secsh start|stop
  Configuration files:
    /etc/opt/ssh/sshd_config - main configuration file.
    /etc/opt/ssh - other configuration files and key files directory.
  System Startup and Shutdown:
    /sbin/init.d/secsh start|stop
    /etc/rc.config.d/sshd - system startup configuration file.


NOTE: The following products do not run as services and thus do not have startup or shutdown commands: OpenSSL, Perl, PHP, Hibernate, JBoss Cluster and JBoss Cache. OpenSSL is a library that can be added to a custom-built service. Perl is a scripting language that can be used to run services. PHP is integrated with the HP Apache Web Server. Hibernate, JBoss Cluster and JBoss Cache are libraries that can be added to a Java Web Server, such as Tomcat.


JBoss AS Basic Configuration


This section provides basic configuration information for the JBoss AS. Sample configuration files are provided and a number of configuration topics are discussed.

JBoss AS Startup Configuration Files

Example 2-1 contains a JBoss AS startup control script that you can use to configure JBoss AS at system startup. With JBoss AS version 4.0.4, this control script is delivered as the /opt/jboss-<version>/bin/jboss_init_hpux.sh file. You will need to edit this file, adding the correct installation path and defining variables for JBoss AS. The following steps describe how to install this example file:
1. Copy /opt/jboss-<version>/bin/jboss_init_hpux.sh to /sbin/init.d/jboss
2. Create softlinks to the file from the various startup and shutdown directories:

# ln -s /sbin/init.d/jboss /sbin/rc2.d/K001jboss
# ln -s /sbin/init.d/jboss /sbin/rc3.d/S999jboss

The following example contains a sample /etc/rc.config.d/jboss file. Specify the appropriate values for your configuration and install the file in the /etc/rc.config.d directory.

Example 2-1 /etc/rc.config.d/jboss File

# Home directory of JBoss Installation on this system
JBOSS_HOME=/opt/jboss-4.0.3.SP1
# INSTANCE is the name of the server under $JBOSS_HOME/server which should
# be started at system startup time
INSTANCE="default"
# set JBOSS_START to 1 to start jboss at system start time, 0 otherwise.
JBOSS_START=1
# User name the JBoss should be run as. If you select a non-root user then JBoss needs
# additional configuration so it won't open any TCP port numbers less than 1000.
JBOSS_USER=jboss

Running JBoss AS With a Different User Name

By default, JBoss AS runs as root, but does not require root privileges to operate correctly. To reduce the risk of users gaining root privileges through the JBoss AS, you should run the program as a non-root user. The sample jboss_init_hpux.sh file provided with JBoss defines the JBoss AS user as jboss. In order for JBoss AS to run as this user (or any other non-root user), you must make the following modifications to the system:

1. Create a user account:

useradd -g other <username>

2. Change ownership of all server files to the user <username>:

chown -R <username>:other /opt/jboss-<version>/server/*

3. Make the server directory writable by the user:

chmod 0755 /opt/jboss-<version>/server/*

4. Set the file protection for the data, data/hypersonic, deploy, and farm directories so that they are writable by the user. (Note: INSTANCE is all, default, or minimal.)

chmod 0755 <JBOSS_HOME>/server/<INSTANCE>/data \
    <JBOSS_HOME>/server/<INSTANCE>/data/hypersonic \
    <JBOSS_HOME>/server/<INSTANCE>/deploy \
    <JBOSS_HOME>/server/<INSTANCE>/farm

5. Make the hypersonic database writable by the user:

chmod u+rw <JBOSS_HOME>/server/<INSTANCE>/data/hypersonic/localDB.*

6. Edit the /etc/rc.config.d/jboss file. Set the value of the variable JBOSS_USER to <username> (JBOSS_USER=<username>).

NOTE: HP-UX does not permit non-root users to open ports that are numbered lower than 1000. By default, JBoss AS ports are assigned to numbers higher than 1000. If you have changed port assignments to lower numbered ports, you cannot run JBoss AS as a non-root user until you restore the port assignments to numbers higher than 1000.
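The following Python script is an added example, not part of this guide or of JBoss AS. It checks the three conditions that the steps and the note above establish for a non-root JBoss AS: that JBOSS_USER in /etc/rc.config.d/jboss is not root, that the instance directory under $JBOSS_HOME/server is owned by that user, and that no port configured in jboss-service.xml lies in the range a non-root user cannot bind. The function names (parse_rc_config, configured_ports, privileged_ports, check_non_root_setup), the two inline sample files and the 1024 port boundary used as PRIVILEGED_PORT_LIMIT are assumptions of the example.

```python
"""Least-privilege check for a JBoss AS host (added example, not HP or JBoss code).

Reads the settings in /etc/rc.config.d/jboss, confirms JBOSS_USER is not root,
that the instance directory is owned by that user, and that no port JBoss AS is
configured to bind lies in the privileged range. Both inputs are constructed
inline so the check runs offline."""
import os
import re
import xml.etree.ElementTree as ET

# Assumption: the conventional Unix boundary; ports below it need root to bind.
PRIVILEGED_PORT_LIMIT = 1024

# Constructed sample of /etc/rc.config.d/jboss (shell-style KEY=value lines).
SAMPLE_RC_CONFIG = """\
# Home directory of JBoss Installation on this system
JBOSS_HOME=/opt/jboss-4.0.3.SP1
INSTANCE="default"
JBOSS_START=1
JBOSS_USER=jboss
"""

# Constructed fragment of jboss-service.xml: the naming service on its usual
# ports and a web service deliberately moved to port 80 to trigger a finding.
SAMPLE_SERVICE_XML = """\
<server>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="RmiPort">1098</attribute>
  </mbean>
  <mbean code="org.jboss.web.WebService" name="jboss:service=WebService">
    <attribute name="Port">80</attribute>
  </mbean>
</server>
"""

ASSIGNMENT = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def parse_rc_config(text):
    """Parse KEY=value lines, skipping comments and stripping surrounding quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGNMENT.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings


def configured_ports(service_xml):
    """Return (mbean name, attribute name, port) for every numeric *Port attribute."""
    ports = []
    for mbean in ET.fromstring(service_xml).iter("mbean"):
        for attr in mbean.findall("attribute"):
            name = attr.get("name", "")
            value = (attr.text or "").strip()
            if name.endswith("Port") and value.isdigit():
                ports.append((mbean.get("name"), name, int(value)))
    return ports


def privileged_ports(service_xml, limit=PRIVILEGED_PORT_LIMIT):
    """Ports that a non-root JBOSS_USER would be unable to bind."""
    return [p for p in configured_ports(service_xml) if p[2] < limit]


def check_non_root_setup(rc_text, service_xml, owner_lookup=None):
    """Return a list of findings; an empty list means the setup is consistent.

    owner_lookup(path) -> owning user name is injected so the check can run
    without the real filesystem (see the usage note for the live version)."""
    findings = []
    cfg = parse_rc_config(rc_text)
    user = cfg.get("JBOSS_USER", "root")
    if user == "root":
        findings.append("JBOSS_USER is root; run JBoss AS as a dedicated user")
    else:
        for mbean, attr, port in privileged_ports(service_xml):
            findings.append(f"{mbean} {attr}={port} is below "
                            f"{PRIVILEGED_PORT_LIMIT}; {user} cannot bind it")
    if owner_lookup is not None:
        server_dir = os.path.join(cfg.get("JBOSS_HOME", ""), "server",
                                  cfg.get("INSTANCE", "default"))
        owner = owner_lookup(server_dir)
        if owner != user:
            findings.append(f"{server_dir} is owned by {owner}, not {user}")
    return findings


if __name__ == "__main__":
    for finding in check_non_root_setup(SAMPLE_RC_CONFIG, SAMPLE_SERVICE_XML,
                                        owner_lookup=lambda path: "root"):
        print(finding)
```

On a live host, read the two files from disk and pass owner_lookup=lambda p: pwd.getpwuid(os.stat(p).st_uid).pw_name; the script only reads and reports, it never changes ownership or port assignments, so it is safe to run from a periodic job after each JBoss AS reconfiguration.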

Setting the Java Memory Allocation Pool Size

Some installations of JBoss AS will require increasing the size of the Java memory allocation pool. JBoss AS memory requirements increase as the number of simultaneous requests to the server increases. Memory requirements vary depending upon the needs of the applications that are deployed on the server. The default Java memory allocation pool is set conservatively and should be increased in installations that anticipate more than moderate server loads. You can change the size of the memory allocation pool for JBoss AS by changing the JAVA_OPTS parameter in the /opt/jboss-<version>/bin/run.conf file. For example, to set the maximum pool size to 1024 MB:

JAVA_OPTS="-server -Xms128m -Xmx1024m"

See the java(1) manpage for more information about configuring the memory allocation pool.

Configure the Oracle Data Source for JBoss

If you configure the Oracle data source, the Oracle documentation describes only some of the steps required. The following steps must be performed to complete this task:

1. Set the padding for the Oracle Xid values in the <JBOSS_INSTANCE>/conf/jboss-service.xml file:

<!-- The configurable Xid factory. For use with Oracle, set pad to true -->
<mbean code="org.jboss.tm.XidFactory" name="jboss:service=XidFactory">
  <attribute name="Pad">true</attribute>
</mbean>

2. Modify the conf/standardjbosscmp-jdbc.xml file, specifying the use of the Oracle data source:

<jbosscmp-jdbc>
  <defaults>
    <datasource>java:/OracleDS</datasource>
    <datasource-mapping>Oracle9i</datasource-mapping>
    <create-table>true</create-table>
    <remove-table>false</remove-table>
    <read-only>false</read-only>
    <read-time-out>300000</read-time-out>
    <row-locking>false</row-locking>
    <pk-constraint>true</pk-constraint>
    <fk-constraint>false</fk-constraint>
    <preferred-relation-mapping>foreign-key</preferred-relation-mapping>
    <read-ahead>
      <strategy>on-load</strategy>
      <page-size>1000</page-size>
      <eager-load-group>*</eager-load-group>
    </read-ahead>
    <list-cache-max>1000</list-cache-max>
    <clean-read-ahead-on-load>false</clean-read-ahead-on-load>
    <unknown-pk>
      <key-generator-factory>UUIDKeyGeneratorFactory</key-generator-factory>
      <unknown-pk-class>java.lang.String</unknown-pk-class>
      <jdbc-type>VARCHAR</jdbc-type>
      <sql-type>VARCHAR(32)</sql-type>
    </unknown-pk>
    <entity-command name="default"/>
    <ql-compiler>org.jboss.ejb.plugins.cmp.jdbc.JDBCEJBQLCompiler</ql-compiler>
  </defaults>

MySQL Integration with JBoss AS

To integrate MySQL with JBoss AS, complete the following steps:

1. Download the MySQL Connector/J driver from the MySQL web site http://www.mysql.com/products/connector/j/ to the /tmp directory. Choose the .zip file download.

2. Unpack the .zip file into /usr/local/mysql-connector-java-<version>:

# cd /usr/local
# jar xvf /tmp/mysql-connector-java-<version>.zip

3. Copy the .jar file to the JBoss server lib directory:

# cp /usr/local/mysql-connector-java-<version>/mysql-connector-java-<version>-bin.jar \
    /opt/jboss-<version>/server/<instance>/lib/

4. Copy the sample MySQL data source configuration file from the JBoss AS docs directory to the JBoss server deploy directory:

# cp /opt/jboss-<version>/docs/examples/jca/mysql-ds.xml \
    /opt/jboss-<version>/server/<instance>/deploy/mysql-ds.xml

5. Edit the MySQL data source configuration file, specifying:
- the system where the MySQL Database Server is located
- the database name
- the database password

Here is a sample mysql-ds.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: mysql-ds.xml,v 1.3.2.1 2004/12/01 11:46:00 schrouf Exp $ -->
<!-- Datasource config for MySQL using 3.0.9 available from:
     http://www.mysql.com/downloads/api-jdbc-stable.html
-->
<datasources>
  <local-tx-datasource>
    <jndi-name>MySqlDS</jndi-name>
    <connection-url>jdbc:mysql://mysql-hostname:3306/jbossdb</connection-url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <user-name>x</user-name>
    <password>y</password>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.MySQLExceptionSorter</exception-sorter-class-name>
    <!-- sql to call when connection is created
    <new-connection-sql>some arbitrary sql</new-connection-sql>
    -->
    <!-- sql to call on an existing pooled connection when it is obtained from pool
    <check-valid-connection-sql>some arbitrary sql</check-valid-connection-sql>
    -->
    <!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->
    <metadata>
      <type-mapping>mySQL</type-mapping>
    </metadata>
  </local-tx-datasource>
</datasources>

6. Restart JBoss AS:

# cd /opt/jboss-<version>/bin
# ./shutdown.sh -S
# ./run.sh -c <instance>
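The following Python script is an added example, not part of this guide or of JBoss AS, that audits a mysql-ds.xml file edited in step 5 before it is dropped into the deploy directory. It parses the datasource definition, splits the JDBC URL into host, port and database, and reports settings still at the shipped placeholders (the sample host, the x/y credentials) or a pool that has no connection validation SQL. The function names (parse_datasource, audit_datasource, summarize) and the inline sample file, which mirrors the mysql-ds.xml above, are assumptions of the example.

```python
"""Audit of a JBoss AS <local-tx-datasource> file (added example, not HP or JBoss code).

Parses mysql-ds.xml, extracts the connection parameters and reports values that
are still the placeholders shipped with the sample file. The input is constructed
inline so the check runs offline."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the shipped placeholders, exactly as in the guide's file.
SAMPLE_MYSQL_DS = """\
<?xml version="1.0" encoding="UTF-8"?>
<datasources>
  <local-tx-datasource>
    <jndi-name>MySqlDS</jndi-name>
    <connection-url>jdbc:mysql://mysql-hostname:3306/jbossdb</connection-url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <user-name>x</user-name>
    <password>y</password>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.MySQLExceptionSorter</exception-sorter-class-name>
    <metadata>
      <type-mapping>mySQL</type-mapping>
    </metadata>
  </local-tx-datasource>
</datasources>
"""

# Values that ship in the JBoss AS sample and must be replaced before deployment.
PLACEHOLDER_HOST = "mysql-hostname"
PLACEHOLDER_CREDENTIALS = {"x", "y", None}
# jdbc:mysql://host[:port]/database[?params]
MYSQL_URL = re.compile(r'^jdbc:mysql://([^:/?]+)(?::(\d+))?/([^?]+)(?:\?.*)?$')


def parse_datasource(xml_text):
    """Return the datasource settings as a dict; raise ValueError on a malformed file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    ds = root.find("local-tx-datasource")
    if ds is None:
        raise ValueError("no <local-tx-datasource> element found")

    def text(tag):
        el = ds.find(tag)
        return el.text.strip() if el is not None and el.text else None

    url = text("connection-url") or ""
    m = MYSQL_URL.match(url)
    if m is None:
        raise ValueError(f"unrecognised MySQL JDBC URL: {url!r}")
    return {
        "jndi_name": text("jndi-name"),
        "host": m.group(1),
        "port": int(m.group(2) or 3306),   # MySQL's default port when omitted
        "database": m.group(3),
        "driver": text("driver-class"),
        "user": text("user-name"),
        "password": text("password"),
        "check_sql": text("check-valid-connection-sql"),
    }


def audit_datasource(xml_text):
    """Return (settings, findings). Findings are empty when the file is deployable."""
    ds = parse_datasource(xml_text)
    findings = []
    if ds["host"] == PLACEHOLDER_HOST:
        findings.append("connection-url still names the sample host mysql-hostname")
    if ds["user"] in PLACEHOLDER_CREDENTIALS or ds["password"] in PLACEHOLDER_CREDENTIALS:
        findings.append("user-name/password are still the sample placeholders")
    if ds["driver"] != "com.mysql.jdbc.Driver":
        findings.append(f"unexpected driver-class {ds['driver']!r} for a MySQL datasource")
    if not ds["check_sql"]:
        findings.append("no <check-valid-connection-sql>; stale pooled connections "
                        "will only be detected when an application query fails")
    return ds, findings


def summarize(ds):
    """One-line description that is safe to log: the password is never included."""
    return f"{ds['jndi_name']} -> {ds['user']}@{ds['host']}:{ds['port']}/{ds['database']}"


if __name__ == "__main__":
    settings, problems = audit_datasource(SAMPLE_MYSQL_DS)
    print(summarize(settings))
    for problem in problems:
        print("finding:", problem)
```

The password lives in cleartext in this file, which is why summarize() leaves it out of anything that is logged; the file itself should be readable only by the JBoss AS user set up in the previous section.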

Red Hat Directory Server Setup

After installing the Red Hat Directory Server you need to configure the server. This section provides an example of the server configuration using the Directory Server setup program. The initial setup of the Red Hat Directory Server is straightforward, as illustrated in the example below. Run the Setup program and provide the requested input as the program guides you through each of the required setup steps. In the example all of the default values are used; in most cases these values are acceptable. Before performing the server configuration, you should refer to the following documentation:
- Red Hat Directory Server Installation Guide located at: http://www.docs.hp.com/en/internet.html#Netscape%20Directory%20Server/Red%20Hat%20Directory%20Server
- The README.hp file located in the /var/opt/netscape/server7 directory. This file provides information about general HP-UX system requirements including kernel parameter settings, patches required and file system requirements.

Use the following commands to start the setup program:

# cd /var/opt/netscape/server7/setup
# ./setup

Figure 2-1 Welcome Screen

The first step to the installation requires you to accept the license terms of use for the product. Select Yes to continue.


Figure 2-2 License Screen

Three types of installation are offered in the Installation Type screen. To perform a Typical installation, select 2 in this screen.

Figure 2-3 Installation Type

The system displays the Domain Name screen. The domain name of your system should be displayed in this screen. Press Enter to accept the default or enter the correct domain name.


Figure 2-4 Domain Name

The User and Group screen identifies the user ID and group ID that the Red Hat Directory Server runs as. The user and group must exist on your system in order for the directory server to operate.

Figure 2-5 User and Group

The next configuration step requires you to select a configuration server if you are adding this server to an existing configuration server, or to specify that the server is configured as a standalone server. Enter No to configure a standalone server.


Figure 2-6 Standalone Server

The next step determines if you will use another directory server to store information. The default configuration does not use an additional directory server to store data. Enter No for the default.

Figure 2-7 Directory Server Data Store

In the Network Port Number screen, you specify a network port to be used by the directory server. The default port number is 389 if the port is not already in use and you are logged in as the root user. The screen provides information about port selection if the default port cannot be selected.


Figure 2-8 Network Port Number

A unique name is required for a directory server. The default name is the system name, taken from the DNS host name.

Figure 2-9 Unique Identifier

An administrator name and password are required for the directory server. This step provides a default administrator name, but requires you to enter and verify a unique password.

Figure 2-10 Administrator Name and Password

A directory suffix is the directory entry that represents the first entry in a directory tree. You will need at least one directory suffix for the tree that will contain your enterprise's data. It is common practice to select a directory suffix that corresponds to the DNS host name used by your enterprise. For example, if your organization uses the DNS name example.com, then select a suffix of dc=example,dc=com. The defaults provided in this screen are taken from the DNS host name.
Figure 2-11 Directory Suffix

In this screen you are asked to identify a Directory Manager. The Directory Manager is the administrative user that performs directory administrative tasks. You can use the defaults provided in this screen.

Figure 2-12 Directory Manager

The administration domain allows you to group multiple servers together logically so that you can more easily distribute server administrative tasks. The default configuration does not use administration domains. Select the default administration domain in this step.

Figure 2-13 Administration Domain

The administration domain uses a dedicated, restricted network port, one that is different from the directory server port defined earlier in the setup procedure.

Figure 2-14 Administration Server Network Port

The final configuration step is to define what user the Administration Server runs as. The default user is root. The root user has the privileges required to use the server administration screen to start and stop the server.

Figure 2-15 Administration Server User

After selecting the administration server user, the system automatically starts the Red Hat Directory Server and displays information similar to that shown in the following screen. After the server starts, you can add entries to the server and perform other administrative tasks.


Figure 2-16 Red Hat Directory Server Startup

Verify Directory Operation

Use the following commands to verify that the directory server is running and is configured correctly:

# cd /var/opt/netscape/server7/shared/bin/
# ./ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

A correctly configured system will return the following information:

version: 1
dn:
namingContexts: dc=example,dc=com
namingContexts: o=NetscapeRoot

If the system does not appear to be working correctly, consult the Administrator's Guide for corrective action (http://www.docs.hp.com/en/internet.html#Netscape%20Directory%20Server/Red%20Hat%20Directory%20Server).

Add and Verify Directory Entries

To add directory entries and verify that the directory server is operating correctly, you need to create an LDIF (LDAP Data Interchange Format) file with initial configuration data, insert the entries into the directory, and then verify that the entries have been added correctly. Refer to the Red Hat Directory Server's Administrator's Guide, Appendix A, and the LDIF(5) manpage for more information on these tasks.

Use an editor to create the file /tmp/example.ldif containing the content listed below.

dn: ou=myexample, dc=example, dc=com
objectclass: top
objectclass: organizationalunit
ou: example
description: Example organizational unit

Use the ldapmodify command to insert the entries into the directory:

# cd /var/opt/netscape/server7/shared/bin
# ./ldapmodify -a -D "cn=Directory Manager" -w password -f /tmp/example.ldif

The system returns the following information:

ldapmodify: started Fri Oct 7 12:57:45 2005
ldap_init( localhost, 389 )
add objectclass:
        top
        organizationalunit
add ou:
        example
add description:
        Example organizational unit
adding new entry ou=myexample, dc=example, dc=com
modify complete

Use the ldapsearch command to verify that the entry was added correctly:

# ./ldapsearch -x -b 'dc=example, dc=com' '(objectclass=*)'

If your entry was added correctly, the system returns information similar to the following:

version: 1
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: hp

dn: cn=Directory Administrators, dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators

dn: ou=Groups, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

dn: ou=People, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries

dn: cn=HR Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries

dn: cn=QA Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries

dn: cn=PD Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries

dn: ou=example, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: myexample
description: Example organizational unit


Integrating JBoss AS and LDAP

This section describes how to configure JBoss, and applications deployed under JBoss AS, to use LDAP for authentication. This integration requires the following steps:
1. Configure JBoss AS to use LDAP.
2. Configure the security characteristics of the application.
3. Create users and roles in the LDAP directory.

Configuring JBoss to Use LDAP

To configure LDAP for login security, edit the /opt/jboss-<version>/server/<instance>/conf/login-config.xml file to add a new application policy for LDAP. This application policy corresponds to the security realm defined in an application's web.xml file. An example of the login-config.xml entry follows:

<application-policy name="testLDAP">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://ldaphost.example.com:1389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=People,dc=example,dc=com</module-option>
      <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option>
      <module-option name="uidAttributeID">member</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
    </login-module>
  </authentication>
</application-policy>

Create or Update Users and Roles in the LDAP Directory

Update the LDAP server, adding user names, passwords, and role information that matches the roles created in this section. You can do this by creating an LDIF formatted file similar to the one shown below. In the example, entries are created for the users and roles that the sample application security configuration validates against. Areas that must match the entry in the JBoss AS login-config.xml file are also added.

In the example, the user with uid 200 needs to be authenticated and have his roles validated for the dukesbank application. Once JBoss AS validates the user id (uid) and password, it searches an LDAP domain for the roles that the uid is defined in. In the login-config.xml file, the LDAP domain that defines user roles is identified by the module-option named "rolesCtxDN", which in this case is "ou=Roles,dc=example,dc=com". JBoss AS searches this domain and all its sub-domains for user roles. JBoss AS uses the "uidAttributeID" to identify member entries in the "rolesCtxDN" domain to obtain the roles they are defined in. In our example "uidAttributeID" is set to "member". Since "matchOnUserDN" is also set to "true" in the login-config.xml file, the member id must match the user's DN. In this example, if the user id is "200", then the LDAP "uidAttributeID" entries in the domains under the "rolesCtxDN" domain "dn: ou=Roles,dc=example,dc=com" must match "member: uid=200,ou=People,dc=example,dc=com". When a matching role in the LDAP directory is found, the corresponding "roleAttributeID" value is returned. In the login-config.xml file, the "roleAttributeID" is configured to be "cn". Also, in the LDAP file users with uid "200" and "300" are assigned the role of "bankCustomer". This is defined under the domain "cn=bankCustomer,ou=Roles,dc=example,dc=com" with the entry "cn: bankCustomer", and the appropriate "member" entries for each user id. Therefore, in this example uid "200" returns a role of "bankCustomer" for the JBoss AS "testLDAP" login-config.xml application policy.

Example LDIF file:

dn: dc=example,dc=com
objectclass: top
objectclass: domain
dc: example

dn: ou=People, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: uid=200,ou=People,dc=example,dc=com
objectclass: top
objectclass: account
objectclass: person
uid: 200
cn: Java Duke
sn: Duke
userPassword: j2ee

dn: uid=201,ou=People,dc=example,dc=com
objectclass: top
objectclass: account
objectclass: person
uid: 201
cn: Janet Jones
sn: Jones
userPassword: janetJones

dn: ou=Roles,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Roles

dn: cn=bankCustomer,ou=Roles,dc=example,dc=com
objectclass: top
objectclass: groupOfNames
cn: bankCustomer
member: uid=200,ou=People,dc=example,dc=com
member: uid=201,ou=People,dc=example,dc=com
description: The Duke's Bank Customers

Use the following commands to update the directory server with the information in the LDIF file (use an editor to create this file, naming it /tmp/example2.ldif):

# cd /var/opt/netscape/server7/shared/bin
# ./ldapmodify -p 1389 -ac -D "cn=Directory Manager" -w passwd -f /tmp/example2.ldif

The system displays the following information in response to this command:

adding new entry dc=example,dc=com
ldap_add: Already exists
adding new entry ou=People, dc=example,dc=com
ldap_add: Already exists
adding new entry uid=200,ou=People,dc=example,dc=com
adding new entry uid=201,ou=People,dc=example,dc=com
adding new entry ou=Roles,dc=example,dc=com
adding new entry cn=bankCustomer,ou=Roles,dc=example,dc=com
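The following Python script is an added example, not code from this guide or from JBoss AS. It models the lookup that the LdapLoginModule performs with the testLDAP options above, applied to the LDIF data from this section and the Add and Verify Directory Entries section: it parses the LDIF into entries, builds the user DN from principalDNPrefix + uid + principalDNSuffix, checks the password the way a simple bind against a cleartext userPassword would, then searches the rolesCtxDN subtree for entries whose uidAttributeID (member) equals that DN and returns their roleAttributeID (cn). The function names (normalize_dn, parse_ldif, is_under, authenticate) are assumptions of the example; the option values and the LDIF text are copied from the guide.

```python
"""Model of the LdapLoginModule role lookup (added example, not HP or JBoss code).

Parses the guide's LDIF, authenticates a uid/password pair and resolves the
roles the testLDAP policy options would return for that user."""
import hmac

# Options copied from the testLDAP application policy in login-config.xml.
LOGIN_OPTIONS = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=People,dc=example,dc=com",
    "rolesCtxDN": "ou=Roles,dc=example,dc=com",
    "uidAttributeID": "member",
    "matchOnUserDN": True,
    "roleAttributeID": "cn",
}

# LDIF text copied from the guide's example (constructed inline for offline use).
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectclass: top
objectclass: domain
dc: example

dn: ou=People, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: uid=200,ou=People,dc=example,dc=com
objectclass: top
objectclass: account
objectclass: person
uid: 200
cn: Java Duke
sn: Duke
userPassword: j2ee

dn: uid=201,ou=People,dc=example,dc=com
objectclass: top
objectclass: account
objectclass: person
uid: 201
cn: Janet Jones
sn: Jones
userPassword: janetJones

dn: ou=Roles,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Roles

dn: cn=bankCustomer,ou=Roles,dc=example,dc=com
objectclass: top
objectclass: groupOfNames
cn: bankCustomer
member: uid=200,ou=People,dc=example,dc=com
member: uid=201,ou=People,dc=example,dc=com
description: The Duke's Bank Customers
"""


def normalize_dn(dn):
    """Canonical form for comparison: no blanks around commas, case-folded."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return a list of {'dn': ..., 'attrs': {name: [values]}} with lower-cased attribute names."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                   # blank line ends an entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": normalize_dn(value), "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def is_under(dn, base):
    """True if dn is base itself or lies anywhere in the subtree below it."""
    return dn == base or dn.endswith("," + base)


def authenticate(entries, uid, password, opts=LOGIN_OPTIONS):
    """Return the user's roles, or None when the user is unknown or the password is wrong."""
    user_dn = normalize_dn(opts["principalDNPrefix"] + uid + opts["principalDNSuffix"])
    user = next((e for e in entries if e["dn"] == user_dn), None)
    if user is None:
        return None
    # Simple bind: the directory compares the supplied password with userPassword.
    stored = user["attrs"].get("userpassword", [])
    if not any(hmac.compare_digest(s.encode(), password.encode()) for s in stored):
        return None
    roles_base = normalize_dn(opts["rolesCtxDN"])
    uid_attr = opts["uidAttributeID"].lower()
    role_attr = opts["roleAttributeID"].lower()
    # matchOnUserDN=true compares the full user DN; false compares the bare uid.
    wanted = user_dn if opts["matchOnUserDN"] else uid.lower()
    roles = []
    for entry in entries:
        if not is_under(entry["dn"], roles_base):
            continue
        members = {normalize_dn(m) for m in entry["attrs"].get(uid_attr, [])}
        if wanted in members:
            roles.extend(entry["attrs"].get(role_attr, []))
    return roles


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("uid 200 roles:", authenticate(directory, "200", "j2ee"))
    print("uid 200 bad password:", authenticate(directory, "200", "wrong"))
```

The model reproduces the matching described above: a wrong password or an unknown uid yields no roles at all, and only entries below ou=Roles whose member attribute carries the exact user DN contribute a cn value. In a production directory the userPassword would be stored hashed and the server, not the client, would perform the comparison; the cleartext check here only mirrors the guide's sample data.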

Configure the Application Security Characteristics


JBoss AS adheres to the JEE security model, based on the Java Authentication and Authorization Service (JAAS). For more information on this security model, see the following documents:
- The Security on JBoss chapter of the JBoss Application Server Guide at http://labs.jboss.com/portal/jbossas/docs
- Java Servlet Specification at http://java.sun.com/products/servlet/download.html#specs
- Enterprise JavaBeans Specification at http://java.sun.com/products/ejb/docs.html#specs
- JAAS Specification at http://java.sun.com/products/jaas/

Configure the security domain in the application's jboss-web.xml file with the Java Naming and Directory Interface (JNDI) name of the application-policy name in the JBoss conf/login-config.xml file. For example, if the application policy name is "dukesbank", the JNDI name is java:/jaas/dukesbank, as shown in the following sample jboss-web.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
<jboss-web>
    <security-domain>java:/jaas/dukesbank</security-domain>
    <ejb-ref>
        <ejb-ref-name>ejb/accountController</ejb-ref-name>
        <jndi-name>ebankAccountController</jndi-name>
    </ejb-ref>
    <ejb-ref>
        <ejb-ref-name>ejb/customerController</ejb-ref-name>
        <jndi-name>ebankCustomerController</jndi-name>
    </ejb-ref>
    <ejb-ref>
        <ejb-ref-name>ejb/txController</ejb-ref-name>
        <jndi-name>ebankTxController</jndi-name>
    </ejb-ref>
</jboss-web>

Configure the security constraints, roles, and Web authentication in the application's web.xml file as required. The web.xml security configuration follows the JEE security model and is related to the JBoss AS LDAP module configuration: the roles defined for the application must be configured in the LDAP database. In the following web.xml file segment, we have defined a security constraint for a number of Web pages (URL patterns) such that users must have the role "bankCustomer" to access a page matching one of the URL patterns. The <security-constraint>.<auth-constraint>.<role-name> entries must match a <security-role>.<role-name> entry. The role is obtained by validating the user name and password entered through the <auth-method> configured in <login-config>. In this example, the application developer has specified FORM for the <auth-method>. This means that the application provides a customized login form in the browser window. The conventions for FORM-based authentication are:
- The form action must be "j_security_check".
- The user name and password fields must be "j_username" and "j_password".
Note that the application could have used basic authentication instead. Basic authentication uses the browser's default login dialog to prompt for a user name and password.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    . . .
    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>WRCollection</web-resource-name>
            <url-pattern>/main</url-pattern>
            <url-pattern>/atm</url-pattern>
            <url-pattern>/atmAck</url-pattern>
            <url-pattern>/accountList</url-pattern>
            <url-pattern>/accountHist</url-pattern>
            <url-pattern>/transferFunds</url-pattern>
            <url-pattern>/transferAck</url-pattern>
            <url-pattern>/atm</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>bankCustomer</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Duke's Bank</realm-name>
        <form-login-config>
            <form-login-page>/logon.jsp</form-login-page>
            <form-error-page>/logonError.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>bankCustomer</role-name>
    </security-role>
    . . .
</web-app>

If the application uses EJBs, you need to configure the EJB deployment descriptors. As with the web.xml configuration, the roles defined in the ejb-jar.xml file must be defined in the LDAP database if access is to be granted. JBoss AS forwards user roles with the EJB request for service:
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd">
    . . .
    <assembly-descriptor>
        <security-role>
            <role-name>bankCustomer</role-name>
        </security-role>
        <method-permission>
            <role-name>bankCustomer</role-name>
            <method>
                <ejb-name>CustomerBean</ejb-name>
                <method-name>*</method-name>
            </method>
        </method-permission>
        . . .
    </assembly-descriptor>
</ejb-jar>


Integrating the Web Server to Use LDAP


Integrating LDAP with the Web server is simplified by use of the built-in LDAP authentication module (auth_ldap). The following example builds on the sample LDAP configuration used to configure the Duke's Bank application for JBoss AS. Refer to the auth_ldap documentation (http://<servername>.com/hp_docs/apache/apache.admin.guide) for details on how to configure auth_ldap.

Edit the httpd.conf file, loading the appropriate modules as shown in the example below, and include a separate file containing the auth_ldap directives. Sample /opt/hpws/apache/conf/httpd.conf file:
. . .
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
. . .
Include conf/ldap.conf

You must configure the auth_ldap module to define how to search the LDAP directory and how to authenticate and authorize user logins. The following example uses the same LDAP configuration as the JBoss AS LDAP configuration (uid 200 and 201 are defined under ou=People,dc=example,dc=com). Sample /opt/hpws/apache/conf/ldap.conf file:
# Use ldap to protect the manual directory
<IfModule !mod_auth_ldap.c>
    LoadModule auth_ldap_module modules/auth_ldap.so
</IfModule>
<IfModule mod_auth_ldap.c>
    LDAPSharedCacheFile logs/ldap_cache
</IfModule>
<Location /manual>
    AuthName "Restricted Area"
    AuthType Basic
    # AuthLDAPURL should point to your ldap server
    AuthLDAPURL ldap://hpdhl217.example.com:1389/ou=People,dc=example,dc=com?uid
    # AuthLDAPStartTLS on
    require valid-user
</Location>

Activate the changes by stopping and restarting the Web server:


# /opt/hpws/apache/bin/apachectl stop
# /opt/hpws/apache/bin/apachectl start      (or startssl)

You can check the Web server error log for any errors (/opt/hpws/apache/logs/error_log).


Running Multiple JBoss AS Instances on the Same Server


The primary consideration when running multiple instances on the same server is whether or not to assign a unique IP address to each server instance. In general it is easier to assign a different IP address to each server because:
- Network firewall rules are less likely to be impacted, because the server port numbers are consistent across IP addresses.
- It is easier to move a server instance to another physical server if you wish to do so.
You cannot have multiple server instances listening on the same TCP and UDP port numbers with the same IP address. Each instance requires a different set of port numbers if the same IP address is used. This configuration is discussed at the JBoss Wiki at:
http://wiki.jboss.org/wiki/Wiki.jsp?page=ConfiguringMultipleJBossInstancesOnOneMachine

HP-UX supports the assignment of multiple IP addresses to a single physical network interface with the sam configuration utility or the ifconfig command. For example, instead of assigning a single address to the interface lan0, you would assign an IP address to lan0:1 and another IP address to lan0:2, as follows:
# ifconfig lan0:1 inet 192.168.0.1 netmask 255.255.255.0
# ifconfig lan0:2 inet 192.168.0.2 netmask 255.255.255.0

If these configuration changes are made with the sam utility, they are automatically maintained across system reboots. If you use the ifconfig command to make these changes, you must also update the /etc/rc.config.d/netconf file so that they are maintained across system reboots.

The JBoss Wiki describes how to assign a different set of TCP/UDP ports to different server instances on the same machine. The process is summarized with an example. First, make sure that each server instance you wish to configure has its own directory root under $JBOSS_HOME/server. For example, you can create a new instance directory as follows:
# cd $JBOSS_HOME/server
# cp -r all node1

Next, modify conf/jboss-service.xml (or deploy/binding-service.xml in Version 4.0.3 and later): uncomment the "Service Binding" section and select a "ServerName" value from sample-bindings.xml (for example, ports-01 or ports-02). This "ServerName" must be configured in the jboss-bindings.xml file and must be unique for each server instance:
<!-- Service Binding -->
<!-- ==================================================================== -->
<!-- Automatically activated when generating the clustering environment -->
<!-- @TESTSUITE_CLUSTER_CONFIG@ -->
<!--
   | Binding service manager for port/host mapping. This is a sample
   | config that demonstrates a JBoss instance with a server name 'ports-01'
   | loading its bindings from an XML file using the ServicesStoreFactory
   | implementation returned by the XMLServicesStoreFactory.
   |
   | ServerName: The unique name assigned to a JBoss server instance for
   | lookup purposes. This allows a single ServicesStore to handle multiple
   | JBoss servers.
   |
   | StoreURL: The URL string passed to org.jboss.services.binding.ServicesStore
   | during initialization that specifies how to connect to the bindings store.
   | StoreFactory: The org.jboss.services.binding.ServicesStoreFactory interface
   | implementation to create to obtain the ServicesStore instance.
-->
<mbean code="org.jboss.services.binding.ServiceBindingManager"
   name="jboss.system:service=ServiceBindingManager">
   <attribute name="ServerName">ports-01</attribute>
   <!--
   <attribute name="StoreURL">${jboss.home.url}/docs/examples/binding-manager/sample-bindings.xml</attribute>
   -->
   <attribute name="StoreURL">/etc/jboss-bindings.xml</attribute>
   <attribute name="StoreFactoryClassName">
      org.jboss.services.binding.XMLServicesStoreFactory
   </attribute>
</mbean>

Finally, copy the service bindings in the file $JBOSS_HOME/docs/examples/binding-manager/sample-bindings.xml to /etc/jboss-bindings.xml and modify them as appropriate in the jboss-bindings.xml file. The following file segment shows the port assignments for server "ports-01":
<!-- ********************************************************** -->
<!-- *                        ports-01                        * -->
<!-- ********************************************************** -->
<server name="ports-01">

   <!-- ********************* jboss-service.xml ****************** -->

   <service-config name="jboss:service=Naming"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port" hostName="BindAddress">
         <attribute name="RmiPort">10005</attribute>
      </delegate-config>
      <binding port="10006" host="${jboss.bind.address}"/>
   </service-config>

   <service-config name="jboss:service=WebService"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port"/>
      <binding port="10008"/>
   </service-config>

   <service-config name="jboss:service=invoker,type=jrmp"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="RMIObjectPort"/>
      <binding port="10009"/>
   </service-config>

   <service-config name="jboss:service=invoker,type=pooled"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="ServerBindPort"/>
      <binding port="10010"/>
   </service-config>

   <!-- ********************* cluster-service.xml **************** -->

   <service-config name="jboss:service=HAJNDI"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="RmiPort"/>
      <binding port="10005"/>
   </service-config>

   <service-config name="jboss:service=HAJNDI"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port"/>
      <binding port="10007"/>
   </service-config>

   <service-config name="jboss:service=invoker,type=jrmpha">
      . . .
   </service-config>

   <!-- ********************* snmp-adaptor.sar ****************** -->

   <service-config name="jboss.jmx:name=SnmpAgent,service=trapd,type=logger"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port"/>
      <binding port="10018"/>
   </service-config>

   <service-config name="jboss.jmx:name=SnmpAgent,service=snmp,type=adaptor"
      delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port"/>
      <binding port="10017"/>
   </service-config>

   <!-- ********************* jbossmq-service.xml **************** -->
   <!-- JMS related services -->
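Because a second instance is usually created by copying a binding set and editing the numbers by hand, a port that was missed stays in use by two instances and the second fails to bind it (or, on a shared IP address, collides with the first). The following Python script is an added example, not code from this guide or from JBoss: it reads a file in the sample-bindings.xml layout, collects every <binding port=".."> and every numeric <attribute> under a <delegate-config> (such as RmiPort), and lists the ports claimed more than once. The two-server sample embedded below is constructed; its ports-02 set reuses the WebService port 10008 by mistake.

```python
"""Added example: find TCP/UDP ports claimed twice in a jboss-bindings.xml
style file. Not part of the HP guide or JBoss; the sample data is constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: ports-02 was copied from ports-01 and the WebService
# port was never changed, so 10008 is claimed by both instances.
SAMPLE_BINDINGS = """<service-bindings>
  <server name="ports-01">
    <service-config name="jboss:service=Naming"
        delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port" hostName="BindAddress">
        <attribute name="RmiPort">10005</attribute>
      </delegate-config>
      <binding port="10006" host="${jboss.bind.address}"/>
    </service-config>
    <service-config name="jboss:service=WebService"
        delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port"/>
      <binding port="10008"/>
    </service-config>
  </server>
  <server name="ports-02">
    <service-config name="jboss:service=Naming"
        delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port" hostName="BindAddress">
        <attribute name="RmiPort">10105</attribute>
      </delegate-config>
      <binding port="10106" host="${jboss.bind.address}"/>
    </service-config>
    <service-config name="jboss:service=WebService"
        delegateClass="org.jboss.services.binding.AttributeMappingDelegate">
      <delegate-config portName="Port"/>
      <binding port="10008"/>
    </service-config>
  </server>
</service-bindings>
"""

def collect_ports(bindings_xml):
    """Return [(server, service, label, port)] for every port the file assigns:
    the <binding port> of each service and any numeric <attribute> inside its
    <delegate-config> (RmiPort and the like)."""
    found = []
    root = ET.fromstring(bindings_xml)
    for server in root.iter("server"):
        sname = server.get("name")
        for svc in server.iter("service-config"):
            svc_name = svc.get("name")
            for b in svc.iter("binding"):
                if b.get("port"):
                    found.append((sname, svc_name, "binding", int(b.get("port"))))
            for attr in svc.iter("attribute"):
                text = (attr.text or "").strip()
                if text.isdigit():
                    found.append((sname, svc_name, attr.get("name"), int(text)))
    return found

def find_conflicts(bindings_xml):
    """Ports claimed more than once, as [(port, [(server, service, label), ...])].
    Instances sharing one IP address cannot both listen on such a port."""
    users = defaultdict(list)
    for sname, svc_name, label, port in collect_ports(bindings_xml):
        users[port].append((sname, svc_name, label))
    return sorted((port, sorted(who)) for port, who in users.items() if len(who) > 1)

def report(bindings_xml):
    """Print one line per conflicting port and return how many there are."""
    conflicts = find_conflicts(bindings_xml)
    for port, who in conflicts:
        print(f"port {port} claimed by: "
              + "; ".join(f"{s}/{svc} ({label})" for s, svc, label in who))
    return len(conflicts)
```

Point report() at /etc/jboss-bindings.xml after editing it; a return value of 0 means no two services in the file share a port. The check is per file only: ports used by services that are not under the binding manager's control (or by other software on the host) still have to be compared by hand, for example against netstat output.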


3 Load Balancing and Cluster Configuration


This chapter describes the JBoss AS and Web server integration concepts and the steps required to configure some of the integration options. The chapter discusses the following topics:
- Web Services Sessions
- Integrating the Web Server and JBoss AS
- Horizontal Scaling of Web and Application Servers

Web Services Sessions


A session is a series of requests to the Web server and the JBoss AS originating from the same Web browser. Applications use session constructs to keep track of individual users. A large amount of session information may be generated during a session. This information includes a unique session ID, the individual user identification, and state information that can include security information, personal information, status, and so on. For example, during a session, the Web services software may use an online shopping cart to keep track of a customer's potential purchases. If particular shopping items, shopping carts, and session IDs are not all linked together, the wrong items could end up in the wrong cart. Application server software distinguishes users by their unique session IDs. The session ID may be stored in a Web browser as a cookie, or may be delivered back and forth between the Web browser, Web server, and application server throughout the session. In some cases, requests are made over HTTPS or Secure Sockets Layer (SSL) connections. These sessions may use SSL information for session identification.

Session State Replication


Failover and load balancing require the session state to be replicated to different servers in a cluster. Session state replication allows a client to get session information from another server in the cluster when the original server, on which the client established a session, fails. The state can be system state and/or application state (application state contains the objects and data stored in an HTTP session, while system state contains the status of the environment the application is running in). The goal of session replication is to maintain session details if a cluster member becomes unavailable.

Maintaining session persistence in a cluster can be a simple scenario where session information is stored on a single server, while other cluster members are unaware of any of this session information. Alternatively, a cluster can be implemented so that each cluster member is completely aware of the session state of other cluster members, with the session state periodically propagated to all (or preferably, one or two) cluster members. This type of session is known as a replicated session. There are three ways to implement replicated session persistence:
- Memory-to-memory replication, where the individual objects in the session are serialized to a backup server (or servers) as they change.
- File system replication, where session information is written to and read from a centralized file system.
- Database replication, where session data is stored in a relational database.
Database and file system replication limit scalability when storing large or numerous objects in the session. Every time a user adds an object to the session, all of the objects in the session are serialized and written to the database or shared file system.


There are cases where session data is not necessarily replicated. In these sessions, all Web requests are directed to the same Web or application server by load balancing hardware or software. These sessions are referred to as sticky sessions or session affinity.

Session Replication in Tomcat


Session replication in the Tomcat server is an all-to-all replication of session state, meaning the session attributes are propagated to all cluster members, all of the time. This algorithm is efficient with small clusters. There are three types of session replication mechanisms in Tomcat:
- In-memory replication, using the SimpleTcpCluster (in the org.apache.catalina.cluster.tcp package) that ships with Tomcat 5 (in server/lib/catalina-cluster.jar).
- Saving the session to a shared database (org.apache.catalina.session.JDBCStore). For more information, see the server.xml directive <Store className="org.apache.catalina.session.JDBCStore">.
- Saving the session state to a shared file system (org.apache.catalina.session.FileStore, part of catalina-optional.jar).
By default, the Tomcat server bundled with the JBoss AS uses in-memory replication of HTTP session data when JBoss AS clustering is turned on.

JBoss AS Clustering
JBoss AS clustering is enabled automatically when you install the full version of JBoss AS. Clustering is enabled in the "all" instance of the server software. The cluster configuration is defined in the cluster-service.xml file in the <instance>/deploy directory. Other than configuring the cluster-service.xml file and starting the "all" instance of the server, no additional cluster configuration is required. The default configuration uses the JGroups service to automatically detect other JBoss AS servers on the same LAN segment with which it can form a cluster. Also, any application (packaged as a .war, .sar, or .ear) deployed to the <instance>/farm directory is automatically deployed to all servers in the cluster.

The cluster-service.xml file provides configuration for clustering of:
- HTTP sessions via the Tomcat servlet container
- Session and entity Enterprise JavaBeans (EJBs)
- Java Naming and Directory Interface (JNDI) services
JBoss recommends avoiding clustering of EJB 2.0 entity beans because of potential data synchronization issues between hosts.

The JNDI naming service plays a key role in JEE applications, providing the infrastructure used to locate objects or services within JBoss AS. The High Availability JNDI (HA-JNDI) service keeps track of cluster-wide services, and helps maintain a distinction between cluster-bound services and those that are not cluster bound. The cluster-service.xml file provides additional configuration options that allow you to limit a cluster by specifying a cluster partition name and/or specifying which remote hosts can form the cluster. You can also specify cache replication policies for propagating state information to the nodes in a cluster. For more information about JBoss AS clustering, JBossCache, and JGroups services, see the JBoss 4 Application Server Guide.

Integrating the Web Server and JBoss AS


There are a number of options available to integrate the Web server and the JBoss AS. The primary reasons for integrating JBoss and the Web server are:
- You can integrate them in a way that focuses on the strengths of each server. The Web server is well suited to, and more efficient at, providing static Web content, while the JBoss AS is an excellent tool for providing dynamic Web content with JEE application services.
- With the addition of a Java connector module (mod_jk), the Web server can be used to load balance requests to several JBoss AS servers. While other more efficient load balancing techniques exist, this approach offers the advantage of not having to incorporate load balancing hardware or configure complex load balancing software.
- If user authentication and authorization is to be performed, and JBoss AS and the Web server are integrated, JBoss AS is well suited to providing these services because it offers built-in role-based access control.

Content Directed Integration


The simplest way to integrate JBoss AS and the Web server is to let the content define the integration. If a user is served a page from JBoss AS that contains static content, such as embedded images, then the URL for the static content should point to a Web server. Likewise, a static Web page may contain links to content that is served by JBoss AS. The integration occurs when the content is delivered to the Web client, as illustrated in Figure 3-1. No special JBoss or HP Web Server Suite configuration is required for this integration.

Figure 3-1 Content Directed Integration

[Figure 3-1: the Web Client uses the HTTP protocol to reach both the Apache Web Server and Tomcat inside the JBoss Application Server directly.]

In this configuration, when a user authorization and authentication policy is required, it should be implemented in the JBoss AS because JBoss AS and JEE make use of role-based security. This allows deployment of applications that use more fine-grained privileges: users with specified roles can access the resources for which those roles are enabled. If the JBoss AS and Web servers are operating in a hostile Web client environment, they should be secured by disabling unnecessary services and implementing reasonable system security policies. HP-UX 11i provides a number of tools to help with this:
- HP-UX IPFilter for network lockdown that blocks undesirable network traffic.
- HP-UX Bastille for system lockdown policy enforcement.
- HP-UX Security Containment for implementing role-based access controls and providing a secure environment for the Web services components.
- Security Patch Check for ensuring the HP-UX operating system is up to date with security patches.
- OpenSSL for providing encrypted HTTP communications with the Web client.

Apache Directed Content Integration


Another integration approach is to access all content through the Web server. This is useful when:
- The Web server is in a perimeter network established to house public services, but maintained outside of the internal, protected network (known as a demilitarized zone, or DMZ). Since a DMZ is open to allow public access to services, it is considered less secure than the internal, protected network, and access to the application is mediated by the Web server. The Web client only accesses the address of the Web server. The application server and its associated database server are deployed behind a firewall.
- The user authorization and authentication security policy is implemented in the Web server.
- The Web server may or may not use encryption for HTTP communications between the Web client and the Web server.
- The Web server system is highly secure and is locked down to minimize the likelihood of a security breach. If an intrusion or attack does occur, the Web server is sufficiently isolated from the rest of the system to minimize the damage.
mod_jk is primarily used to connect the Web server to JBoss AS, through the embedded Tomcat server, but may be used to load balance connections to several JBoss AS servers. Figure 3-2 shows the integration of JBoss AS through the Web server with the mod_jk module.

Figure 3-2 Apache Directed Integration

[Figure 3-2: the Web Client speaks HTTP to the Apache Web Server; Mod JK in the Web server speaks the AJP protocol to the AJP Connector of Tomcat inside the JBoss Application Server.]

Horizontal Scaling of Web and Application Servers


Horizontal scaling involves configuring multiple servers, each running either the Web or application server software, and distributing the work across them. Vertical scaling involves adding multiple instances of an application to a single server and distributing the workload among the instances of the application. Horizontal scaling provides increased throughput and failover support. This topology lets you handle application server process failure and hardware failure without significant interruption to client services. In a horizontally scaled configuration, you can use different load balancing techniques to optimize the distribution of client requests:
- Hardware load balancing, where you add an additional server to act as the load balancer.
- Domain Name System (DNS), where load balancing is provided by software included with the HP-UX operating system.
- Apache mod_jk, where load balancing is provided by a software module included with the HP Web Server Suite.
The following sections provide information about each of these load balancing techniques.


Hardware Load Balancing


In very high traffic situations, a hardware load balancer may provide the best performance. Figure 3-3 (page 53) illustrates a hardware load balancer distributing client requests to a farm of two JBoss AS servers.

Figure 3-3 Hardware Load Balancing

[Figure 3-3: the Web Client sends HTTP to the Hardware Load Balancer, which forwards HTTP to either of two JBoss Application Servers, each running Tomcat.]

Typically the hardware load balancer is configured with a virtual IP address. When a Web client requests a Web service, the load balancer translates the virtual IP address into the address of one of the JBoss AS servers. The request is passed on to a JBoss AS server based on the translated address and based on an allocation policy. The allocation policy can define the minimum response time required by the server, the number of requests allowed to a server, the server weight, and so on. The load balancer will typically not route requests to a JBoss AS server that is unavailable. In practice, you may have many servers, each serving the same Web session, or one server, in the farm, serving a complete Web session. When configuring any load balancer, consideration must be given to storage of session information. If multiple servers serve a session, they must have access to the session information. This information must be stored, updated, and made available to each of the servers serving the session. When a single application server serves a Web session, the session state information can be stored on the server serving the Web session.

Domain Name System (DNS) Round-Robin Load Balancing


DNS round-robin load balancing provides load balancing without requiring additional hardware. With DNS round-robin we assign the IP address of several JBoss AS servers to a virtual server name, such as www.myservice.com. When a Web client requests a Web resource from the virtual server name, DNS assigns one of the IP addresses through the DNS named server. Subsequent requests to DNS to resolve the virtual server name are assigned another IP address in a round-robin fashion until all the available addresses have been assigned. In theory, the JBoss AS servers will be equally loaded because incoming Web service requests will be evenly distributed among them. Figure 3-4 (page 54) shows an example of a DNS load balancing configuration.


Figure 3-4 DNS Load Balancing

[Figure 3-4: the Web Client resolves the virtual name through the DNS (Bind Server) using the DNS protocol, then sends HTTP to one of two JBoss Application Servers, each running Tomcat; both JBoss Application Servers use a network protocol to reach a single Database Server.]

When compared to hardware load balancing, there are several potential shortfalls when using a DNS load balancing configuration:
- The DNS named server does not consider the status of the JBoss AS servers when it resolves the virtual server name. It is possible that requests may be routed to a server that is very busy or is no longer available.
- The DNS named server has no notion of a sticky session. Subsequent requests from the same client to resolve the virtual server name will likely receive a different IP address. This will cause problems if the application is keeping session state information on the JBoss AS server. The application will not work properly, because subsequent client requests will be routed to different servers, unless the JBoss AS server takes steps to propagate the state information. In general, approaches to propagate state information do not scale well and may defeat the advantages gained by using a server farm. In a DNS load balancing configuration, applications must not store state information in the JBoss AS unless it is propagated. Note that Figure 3-4 shows a single database server. All session data must be written to the database server, or returned to the client in an HTTP session cookie or URL-encoded query string with each request. All JBoss AS servers must share the same database server, or the database must instantly replicate session state data to all database servers used by the farm.
- The Web client often caches the IP address returned by the DNS. This resolves the sticky session problem, but it also means that the client will not respond to changes in the DNS round-robin configuration in a timely manner. In addition, the same client will not load balance over several JBoss AS servers, but will always use the same server until the DNS-to-IP-address cache is flushed. You can use techniques to reduce or eliminate the time a name spends in the name cache, but flushing the cache more frequently puts a larger load on the DNS name server as more requests are forwarded to it.

Load Balancing With Apache mod_jk


The Apache mod_jk module is a plug-in that handles the communication between Tomcat and the HP-UX Apache-based Web server. Load balancing with mod_jk eliminates many of the limitations of DNS round-robin load balancing and does not require any additional hardware. Load balancing with mod_jk is illustrated in Figure 3-5. The mod_jk module is set up to load balance between several JBoss AS servers. In most cases, the Web server would handle the static data and distribute dynamic content to the JBoss AS servers.

Figure 3-5 Load Balancing With mod_jk

[Figure 3-5: the Web Client sends HTTP to the Apache Web Server; Mod JK in the Web server uses the AJP protocol to reach the AJP Connector of Tomcat on either of two JBoss Application Servers.]

When configuring mod_jk load balancing, you can:
- Ensure that requests are not routed to a machine that is not responding.
- Set up round-robin, or weighted round-robin, to route requests to a server.
- Route all requests from the same session to the same server (sticky session).
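The difference between the two software approaches described above is easiest to see side by side. The following Python model is an added example, not code from this guide, Apache or JBoss: DnsRoundRobin reproduces what the named server does (rotate the answer list for the virtual name, with no knowledge of server health or sessions, and a caching client pinned to one address), while JkBalancer selects a worker the way the three mod_jk capabilities listed above describe: it skips workers that are not responding, applies weighted round-robin (the smooth weighted round-robin algorithm is assumed here; mod_jk's own arithmetic differs in detail), and routes a session back to the worker that created it, re-binding it only when that worker stops responding. The farm addresses are taken from the DNS configuration example later in this chapter; the weights and session ids are constructed.

```python
"""Added example: a model of DNS round-robin versus a mod_jk style balancer.
Not part of the HP guide; weights, session ids and the selection algorithm
(smooth weighted round-robin) are assumptions for illustration."""
from collections import Counter

# JBoss AS farm addresses used by the guide's DNS example (specj.test.nameX.example.com).
FARM = ["10.10.118.230", "10.10.118.231", "10.10.118.232"]

class DnsRoundRobin:
    """A named server's view: each query gets the address list rotated by one."""
    def __init__(self, addrs):
        self.addrs = list(addrs)

    def resolve(self):
        answer = list(self.addrs)
        self.addrs.append(self.addrs.pop(0))   # rotate for the next query
        return answer

class CachingClient:
    """A Web client that keeps the first address it resolved until flushed."""
    def __init__(self, dns):
        self.dns, self.cached = dns, None

    def target(self):
        if self.cached is None:
            self.cached = self.dns.resolve()[0]
        return self.cached

    def flush(self):
        self.cached = None

def dns_distribution(dns, requests, dead=()):
    """Where `requests` independent (non-caching) clients land; the name server
    keeps handing out the dead addresses because it never checks them."""
    hits = Counter(dns.resolve()[0] for _ in range(requests))
    return hits, sum(hits[d] for d in dead)

class JkBalancer:
    """Worker selection with the three properties the text lists for mod_jk."""
    def __init__(self, weights):               # {worker: weight}
        self.weights = dict(weights)
        self.alive = {w: True for w in weights}
        self.credit = {w: 0 for w in weights}  # weighted round-robin state
        self.sessions = {}                     # session id -> owning worker

    def mark_down(self, worker):
        self.alive[worker] = False

    def mark_up(self, worker):
        self.alive[worker] = True

    def route(self, session_id=None):
        # 1. sticky session: stay on the owning worker while it responds
        owner = self.sessions.get(session_id)
        if owner is not None and self.alive[owner]:
            return owner
        # 2. otherwise weighted round-robin over the workers still responding
        live = [w for w in self.weights if self.alive[w]]
        if not live:
            raise RuntimeError("no worker is responding")
        for w in live:
            self.credit[w] += self.weights[w]
        chosen = max(live, key=lambda w: self.credit[w])
        self.credit[chosen] -= sum(self.weights[w] for w in live)
        if session_id is not None:
            self.sessions[session_id] = chosen  # on failover the session moves
        return chosen

def demo():
    """Run the scenarios the text describes and return their outcomes."""
    rotation = [DnsRoundRobin(FARM).resolve()[0] for _ in range(1)]
    dns = DnsRoundRobin(FARM)
    rotation = [dns.resolve()[0] for _ in range(4)]
    _, sent_to_dead = dns_distribution(DnsRoundRobin(FARM), 9, dead=[FARM[1]])
    client = CachingClient(DnsRoundRobin(FARM))
    cached = {client.target() for _ in range(5)}
    lb = JkBalancer({FARM[0]: 2, FARM[1]: 1, FARM[2]: 1})
    weighted = [lb.route() for _ in range(4)]
    owner = lb.route("sess-1")
    sticky = all(lb.route("sess-1") == owner for _ in range(3))
    lb.mark_down(owner)
    moved = lb.route("sess-1")
    return {"rotation": rotation, "sent_to_dead": sent_to_dead, "cached": cached,
            "weighted": weighted, "sticky": sticky, "failover_moved": moved != owner}
```

With weights 2:1:1 the balancer hands the first worker half of the new sessions, the dead worker receives nothing, and a session follows its worker until that worker is marked down; under DNS round-robin, one third of fresh clients are sent to a dead address and a caching client never leaves the address it first received.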

DNS Load Balancing Configuration Example


This section describes how to configure DNS round-robin load balancing and provides examples of the files you must create and modify when setting up this configuration. This example uses the hosts_to_named utility to convert the /etc/hosts file into the appropriate Internet domain name server (named) configuration files. The goal is to configure a virtual host name with multiple addresses, so that each time a client makes a request to the host name, the client receives a different address, in round-robin order. The steps to configure DNS round-robin are:
1. Configure named with the virtual server host name.
2. Tune the DNS cache.
For more information, see the named(1m) and named.conf(4) manpages, and the HP-UX IP Address and Client Management Administrator's Guide (http://docs.hp.com/en/B2355-90775/index.html).


Configure named With the Virtual Server Hostname


This configuration example uses a domain name server for the domain test.nameX.example.com. In that domain we have a virtual hostname specj.test.nameX.example.com that may use one of the following addresses: 10.10.118.230, 10.10.118.231, or 10.10.118.232. Each of these three addresses is also assigned to a real server. For instance, 10.10.118.230 is also bound to the name hpdhl230.test.nameX.example.com. Use the following steps to configure named with the virtual hostname:

1. Update the local /etc/hosts file with the names of the individual servers in the server farm, and with the virtual hostname. Note that in the example we assign three separate addresses to the virtual hostname. The example /etc/hosts file follows:

127.0.0.1      localhost loopback
172.16.118.67  hptem270.nameX.example.com hptem270
#
10.10.118.67   hptem270.test.nameX.example.com hptem270.test
10.10.118.230  specj.test.nameX.example.com specj.test
10.10.118.231  specj.test.nameX.example.com specj.test
10.10.118.232  specj.test.nameX.example.com specj.test
10.10.118.208  hpdhl208.test.nameX.example.com hpdhl208.test
10.10.118.209  hpdhl209.test.nameX.example.com hpdhl209.test
10.10.118.211  hpdhl211.test.nameX.example.com hpdhl211.test
10.10.118.212  hpdhl212.test.nameX.example.com hpdhl212.test
10.10.118.214  hpdhl214.test.nameX.example.com hpdhl214.test
10.10.118.230  hpdhl230.test.nameX.example.com hpdhl230.test
10.10.118.231  hpdhl231.test.nameX.example.com hpdhl231.test
10.10.118.232  hpdhl232.test.nameX.example.com hpdhl232.test
#
10.10.119.67   hptem270-2.test.nameX.example.com hptem270-2.test
10.10.119.230  hpdhl230-2.test.nameX.example.com hpdhl230-2.test
10.10.119.231  hpdhl231-2.test.nameX.example.com hpdhl231-2.test
10.10.119.232  hpdhl232-2.test.nameX.example.com hpdhl232-2.test
#
172.16.118.66  spec-mysql.test.nameX.example.com spec-myql.test
172.16.118.4   spec-mysql.test.nameX.example.com spec-myql.test

In the example /etc/hosts file, two subnets will be used for our configuration:

• Addresses beginning with 10.10.*
• Addresses beginning with 172.16.118.*

The configuration only uses domain names that are in the domain test.nameX.example.com.

2. Generate the named configuration files in the /usr/local/domain directory:

# mkdir /usr/local/domain
# cd /usr/local/domain
# hosts_to_named -d test.nameX.example.com -n 10.10 -n 172.16.118

The system displays the following information:

Translating /etc/hosts to lower case ...
Collecting network data ...
        10.10
        172.16.118
Creating list of multi-homed hosts ...
Creating "A" data (name to address mapping) for net 10.10 ...
The following names were left out of the database:
        hptem270.test (name not in test.nameX.example.com)
        specj.test (name not in test.nameX.example.com)
        .
        .
        hpdhl230-2.test (name not in test.nameX.example.com)
        hpdhl231-2.test (name not in test.nameX.example.com)
        hpdhl232-2.test (name not in test.nameX.example.com)
Creating "PTR" data (address to name mapping) for net 10.10 ...
Creating "A" data (name to address mapping) for net 172.16.118 ...
The following names were left out of the database:
        spec-myql.test (name not in test.nameX.example.com)
        spec-myql.test (name not in test.nameX.example.com)


The following lines were left out of the database:
        172.16.118.67 hptem270.nameX.example.com hptem270 (first name not in test.nameX.example.com)
Creating "PTR" data (address to name mapping) for net 172.16.118 ...
Creating "MX" (mail exchanger) data ...
Building default named.boot file ...
Building default db.cache file ...
WARNING: db.cache must be filled in with the name(s) and address(es) of the root server(s)
Building default boot.cacheonly for caching only servers ...
done

3. If you are using DNS forwarders to resolve names and addresses that the local named server cannot resolve, you must update the db.cache file with the forwarders' names. In our case we are using two forwarders, so we must update db.cache as follows:

; FILL IN THE NAMES AND ADDRESSES OF THE ROOT SERVERS
;
; .                                 99999999 IN NS root.server.
; root.server.                      99999999 IN A  ??.??.??.??
.                                   99999999 IN NS namX-resolver.nameX.test.net.
namX-resolver.nameX.test.net.       99999999 IN A  172.243.128.51
.                                   99999999 IN NS namY-resolver.nameY.test.net.
namY-resolver.nameY.test.net.       99999999 IN A  172.243.160.51

4. Update the options section of the named.conf file:

• Specify a forwarders directive if forwarders are being used.
• Specify the rrset-order directive so that the records of a multi-record RRset, such as the three A records of the virtual hostname (and any equal-priority MX records), are returned in cyclic (round-robin) order instead of random order.

If this server is reachable from outside the server farm, also restrict who may use it for recursion (the allow-recursion option) so that the forwarders configuration does not turn it into an open resolver.

#
# type   domain   source file
#
options {
        directory "/usr/local/domain";
        forwarders { 172.243.128.51; 172.243.160.51; };
        rrset-order { order cyclic; };
};
zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "db.127.0.0";
};
zone "test.nameX.example.com" {
        type master;
        file "db.test";
};
zone "10.10.IN-ADDR.ARPA" {
        type master;
        file "db.10.10";
};
zone "118.16.172.IN-ADDR.ARPA" {
        type master;
        file "db.172.16.118";
};
zone "." {
        type hint;
        file "db.cache";
};

5. Start or restart the named server. Stop the currently running server:


# ps -eax | grep -v grep | grep named | read pid restofline
# (($?==0)) && kill $pid

Start the named server:


# named -c /usr/local/domain/named.conf

Configure the /etc/rc.config.d/namesvrs file so that the named server starts automatically when the system is started. Set the variable NAMED to 1, and the appropriate value for NAMED_ARGS:

NAMED=1
NAMED_ARGS="-c /usr/local/domain/named.conf"

Configure the DNS Cache TTL Value


To address the problem of DNS clients caching the virtual server name, change the time-to-live (TTL) parameter for the virtual server name in the DNS configuration file. Changing the TTL parameter does not guarantee that your Web client will honor this number. Older versions of Microsoft Internet Explorer and Mozilla Firefox cache DNS names, ignoring the DNS TTL value. Internet Explorer version 6.0 and later is reported to respect the TTL value. Later versions of Firefox are reported to cache entries for 1 minute by default. When you configure the DNS TTL value, you can change the value for all names in the zone, or change the value for the virtual server name only. The following example sets the TTL to 60 seconds by updating the zone configuration file (/usr/local/domain/db.test). Note that the $TTL directive sets the default for every record in the zone; to change only the virtual server name, leave $TTL as it was and put the TTL on the specj records themselves (for example, specj 60 IN A 10.10.118.230).
$TTL 60
@           IN SOA hptem270.test.nameX.example.com. root.hptem270.test.nameX.example.com. (
                    2       ; Serial
                    10800   ; Refresh every 3 hours
                    3600    ; Retry every hour
                    604800  ; Expire after a week
                    60 )    ; Minimum ttl (60 seconds)
            IN NS  hptem270.test.nameX.example.com.
localhost   IN A   127.0.0.1
hptem270    IN A   10.10.118.67
specj       IN A   10.10.118.230
specj       IN A   10.10.118.231
specj       IN A   10.10.118.232
hpdhl208    IN A   10.10.118.208
hpdhl209    IN A   10.10.118.209
hpdhl211    IN A   10.10.118.211
hpdhl212    IN A   10.10.118.212
hpdhl214    IN A   10.10.118.214
hpdhl230    IN A   10.10.118.230
hpdhl231    IN A   10.10.118.231
hpdhl232    IN A   10.10.118.232
hptem270-2  IN A   10.10.119.67
hpdhl230-2  IN A   10.10.119.230
hpdhl231-2  IN A   10.10.119.231
hpdhl232-2  IN A   10.10.119.232
hpdhl208    IN MX  10 hpdhl208.test.nameX.example.com.
hpdhl209    IN MX  10 hpdhl209.test.nameX.example.com.
hpdhl211    IN MX  10 hpdhl211.test.nameX.example.com.
hpdhl212    IN MX  10 hpdhl212.test.nameX.example.com.
hpdhl214    IN MX  10 hpdhl214.test.nameX.example.com.
hpdhl230    IN MX  10 hpdhl230.test.nameX.example.com.
hpdhl230-2  IN MX  10 hpdhl230-2.test.nameX.example.com.
hpdhl231    IN MX  10 hpdhl231.test.nameX.example.com.
hpdhl231-2  IN MX  10 hpdhl231-2.test.nameX.example.com.
hpdhl232    IN MX  10 hpdhl232.test.nameX.example.com.
hpdhl232-2  IN MX  10 hpdhl232-2.test.nameX.example.com.
hptem270    IN MX  10 hptem270.test.nameX.example.com.
hptem270-2  IN MX  10 hptem270-2.test.nameX.example.com.
specj       IN MX  10 specj.test.nameX.example.com.


Note that setting the TTL value to zero is not recommended because it can, in theory, cause problems with the DNS proxy servers. It is very common to set the TTL to a small value, such as 5 minutes, because many Web clients use DHCP and must react fairly quickly to changes in their IP address allocation. After changing the TTL value, restart the named server as described in the previous section.
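As an added example (not part of the HP guide), the following Python script models what the named configuration and the TTL change above do together. It parses a constructed zone fragment shaped like db.test, answers queries for specj with the A RRset rotated one position per query, as named does under rrset-order { order cyclic; }, and runs two stub-resolver clients against it: one that re-queries when the 60-second TTL expires and one that caches its first answer forever, the browser and JVM behaviour the text warns about. It also checks that every address of the virtual name is carried by a real host in the zone. The zone text, the client count and the timing are assumptions made for the simulation.

```python
"""Offline model of the DNS round-robin configuration in this chapter.

Added example, not part of the HP guide.  The zone fragment, the client
count and the timing are constructed for the simulation.
"""
import re
from collections import Counter, deque

# Constructed zone fragment shaped like db.test: the virtual name specj
# carries three addresses, each also bound to a real host.
ZONE_TEXT = """\
$TTL 60
@        IN SOA hptem270.test.nameX.example.com. root.hptem270.test.nameX.example.com. (
             2 ; Serial
             10800 ; Refresh
             3600 ; Retry
             604800 ; Expire
             60 ) ; Minimum ttl
         IN NS hptem270.test.nameX.example.com.
specj    IN A 10.10.118.230
specj    IN A 10.10.118.231
specj    IN A 10.10.118.232
hpdhl230 IN A 10.10.118.230
hpdhl231 IN A 10.10.118.231
hpdhl232 IN A 10.10.118.232
"""

# owner [ttl] IN A address
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)\s*$")


def parse_zone(text):
    """Return (default_ttl, {owner: [addresses]}) for the A records of a zone file."""
    default_ttl = None
    rrsets = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        match = A_RECORD.match(line)
        if match:
            rrsets.setdefault(match.group(1), []).append(match.group(2))
    return default_ttl, rrsets


def unbacked_addresses(rrsets, virtual):
    """Addresses of the virtual name that no other (real) host in the zone carries."""
    real = {a for owner, addrs in rrsets.items() if owner != virtual for a in addrs}
    return [a for a in rrsets[virtual] if a not in real]


class CyclicServer:
    """Authoritative server: returns the whole RRset, rotated one step per
    query, which is what `rrset-order { order cyclic; }` does in named.conf."""

    def __init__(self, rrsets, ttl):
        self.rings = {owner: deque(addrs) for owner, addrs in rrsets.items()}
        self.ttl = ttl

    def query(self, name):
        ring = self.rings[name]
        answer = list(ring)
        ring.rotate(-1)                       # next client sees the next address first
        return answer, self.ttl


class StubClient:
    """Client that connects to the first address of its cached answer.  With
    honours_ttl=False it behaves like the browsers and JVMs the text describes:
    it never re-queries, so it never sees the other farm members."""

    def __init__(self, server, honours_ttl=True):
        self.server = server
        self.honours_ttl = honours_ttl
        self.cache = {}                       # name -> (addresses, expiry time)

    def connect(self, name, now):
        entry = self.cache.get(name)
        if entry is None or (self.honours_ttl and now >= entry[1]):
            addrs, ttl = self.server.query(name)
            entry = (addrs, now + ttl)
            self.cache[name] = entry
        return entry[0][0]


def simulate(honours_ttl, clients=2, seconds=180, interval=10):
    """Requests per farm member when `clients` clients each connect every `interval` s."""
    default_ttl, rrsets = parse_zone(ZONE_TEXT)
    server = CyclicServer(rrsets, default_ttl)
    pool = [StubClient(server, honours_ttl) for _ in range(clients)]
    hits = Counter()
    for now in range(0, seconds, interval):
        for client in pool:
            hits[client.connect("specj", now)] += 1
    return hits


if __name__ == "__main__":
    print("TTL honoured:", dict(simulate(True)))
    print("TTL ignored: ", dict(simulate(False)))
```

With two clients and three farm members, the TTL-honouring clients spread 36 requests evenly (12 per address) because each re-query lands on the next rotation, while the clients that ignore the TTL pin themselves to the two addresses they first received and the third server never sees a request. The simulation also shows the limitation the mod_jk section addresses: the server keeps handing out every address whether or not the host behind it is responding.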

Disable the Java DNS Cache


Java 1.5 does not respect the DNS TTL value you set in the zone configuration file. If you are running your Web client in a JVM, you need to specify your own TTL value. By default, Java caches DNS addresses indefinitely. To disable DNS caching, set both of the following properties to 0 before the JVM performs its first lookup:

networkaddress.cache.ttl=0
sun.net.inetaddr.ttl=0

networkaddress.cache.ttl is a security property: set it in the JRE's lib/security/java.security file, or call java.security.Security.setProperty() from the application. sun.net.inetaddr.ttl is a system property and can be passed on the command line (with no space after -D). The command format is:

# java -Dsun.net.inetaddr.ttl=0 ...

Using DNS Round Robin With JBoss AS


If you are using DNS Round Robin to load balance across a farm of JBoss AS servers, you cannot store state information on a JBoss AS server unless you replicate the state information to the other servers in the farm, because successive requests from the same client may reach different servers. This means that the JEE features Stateful Session Bean EJBs and the HttpSession objects in the Tomcat Servlet Container of JBoss cannot be used without replication. To work around this problem, use JBoss Cache with Tomcat to replicate the session state information. However, any object stored in the session must implement the Serializable interface. JBoss Cache and HttpSession replication are automatically configured in the JBoss "all" server configuration. For more information, see the JBoss 4 Application Server Guide. In general, clustering provides your application with JBoss AS server failover capabilities, but it requires system and network resources to implement, and may not scale out as servers are added to the cluster farm.

Apache mod_jk Configuration Example


In order to configure mod_jk load balancing with JBoss AS you must complete the following steps:

1. Configure mod_jk load balancing with the Web server.
2. Configure the JBoss AS embedded Tomcat server to work with the Web server and mod_jk.

Configuring the Web Server and mod_jk


NOTE: This configuration requires mod_jk version 1.2.10 or later, available with the HP Web Server Suite version 2.11.

To configure load balancing with mod_jk, for the Web server, do the following:

1. Add the following line to the /opt/hpws/apache/conf/httpd.conf file:

Include conf/mod_jk.conf

2. Edit the /opt/hpws/apache/conf/mod_jk.conf file to specify which URLs should be load balanced. The following sample mod_jk.conf file will load balance all URLs starting with /crime, /bookstore1, /bank, and /jmx-console.

# Sample mod_jk configuration file
<IfModule !mod_jk.c>
  LoadModule jk_module /opt/hpws/apache/modules/mod_jk.so
</IfModule>
JkWorkersFile /opt/hpws/apache/conf/workers.properties
JkLogFile     /opt/hpws/apache/logs/jk.log
JkLogLevel    info
JkMount /bookstore1 router
JkMount /bookstore1/* router
JkMount /bank router
JkMount /bank/* router
JkMount /crime router
JkMount /crime/* router
JkMount /jmx-console router
JkMount /jmx-console/* router
<Location /jkstatus/>
  JkMount status
  Order allow,deny
  Allow from all
</Location>

Two of these mounts deserve a second look before the Web server is exposed to untrusted clients. The /jkstatus/ location, as written, is reachable by everyone (Allow from all); the status worker reports the load balancer's worker settings and can change them, so restrict it to administrative addresses (an Allow from directive naming the administration subnet) or protect it with authentication. Likewise, /jmx-console is the JBoss management console; forwarding it through the public Web server publishes an administrative interface, so either leave it out of the JkMount list in production or make sure it is protected by authentication in JBoss.

3.

Edit the /opt/hpws/apache/conf/workers.properties file to specify which machines will load balance the URLs specified in the mod_jk.conf file. The following example shows the contents of a workers.properties file that will load balance between two nodes. The worker names (node1 and node2) are the values that the JBoss nodes must use as their jvmRoute, and because the AJP protocol carries no authentication, port 8009 on the JBoss nodes should be reachable only from the Web server:

# workers.properties
workers.tomcat_home=/opt/hpws/tomcat
workers.java_home=/opt/java1.4
ps=/
#
#
worker.node1.port=8009
worker.node1.host=hpdhl207.nameX.example.com
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.cachesize=10
worker.node2.port=8009
worker.node2.host=hpdhl221.nameX.example.com
worker.node2.type=ajp13
worker.node2.lbfactor=1
worker.node2.cachesize=10
worker.router.type=lb
worker.router.balance_workers=node1,node2
worker.router.sticky_session=1
worker.status.type=status
worker.list=router,status

Configuring JBoss AS and mod_jk


The following steps are required to configure the JBoss AS embedded Tomcat server on each of the application server systems (hpdhl207 for node1 and hpdhl221 for node2):

1. Modify the file /opt/jboss<version>/server/<instance>/deploy/jbossweb-tomcat55.sar/META-INF/jboss-service.xml, setting UseJK to true:

<attribute name="UseJK">true</attribute>

2. Modify the file /opt/jboss<version>/server/<instance>/deploy/jbossweb-tomcat55.sar/server.xml. Add a jvmRoute attribute to the Engine element. Make sure that the node name used matches one of the worker names specified in the mod_jk workers.properties file: Tomcat appends it to the session ID, and mod_jk uses that suffix to route a session back to the same node. For example, on the node representing node1 (hpdhl207) include the following jvmRoute attribute in the Engine element:

<Engine name="jboss.web" jvmRoute="node1" defaultHost="localhost">
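As an added example, not the mod_jk source or HP's configuration, the following Python script ties the files of this procedure together. It parses a workers.properties text constructed from the two-node example (with node2 given lbfactor=3 so that the weighting is visible), checks the rules the procedure relies on (worker.list names defined workers, every lb member is a defined ajp13 worker, and each node's jvmRoute equals a member name), and routes requests the way the lb worker is described in this chapter: sticky sessions by the jvmRoute suffix on the session ID, weighted round-robin by lbfactor, and failover away from a member marked down. The scheduling algorithm is a smooth weighted round-robin chosen for the illustration; mod_jk's own scheduler differs in detail.

```python
"""Model of the mod_jk lb worker configured in this section.

Added example, not the mod_jk source.  The workers.properties text and
the jvmRoute table are constructed; node2 is weighted 3 to show lbfactor.
"""

WORKERS_PROPERTIES = """\
worker.node1.port=8009
worker.node1.host=hpdhl207.nameX.example.com
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node2.port=8009
worker.node2.host=hpdhl221.nameX.example.com
worker.node2.type=ajp13
worker.node2.lbfactor=3
worker.router.type=lb
worker.router.balance_workers=node1,node2
worker.router.sticky_session=1
worker.status.type=status
worker.list=router,status
"""

# jvmRoute of the Engine element in each node's server.xml (constructed)
JVM_ROUTES = {"hpdhl207": "node1", "hpdhl221": "node2"}


def parse_workers(text):
    """Return ({worker: {key: value}}, worker.list) from workers.properties text."""
    workers, worker_list = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".")
        if key == "worker.list":
            worker_list = [w.strip() for w in value.split(",")]
        elif len(parts) == 3 and parts[0] == "worker":
            workers.setdefault(parts[1], {})[parts[2]] = value
    return workers, worker_list


def validate(workers, worker_list, jvm_routes):
    """Problems that break the procedure; an empty list means the files agree."""
    problems = []
    for name in worker_list:
        if name not in workers:
            problems.append(f"worker.list names undefined worker {name}")
    for lb, cfg in workers.items():
        if cfg.get("type") != "lb":
            continue
        members = [m.strip() for m in cfg.get("balance_workers", "").split(",")]
        for member in members:
            if member not in workers:
                problems.append(f"{lb}: balance_workers names undefined worker {member}")
            elif workers[member].get("type") != "ajp13":
                problems.append(f"{lb}: member {member} is not an ajp13 worker")
        if cfg.get("sticky_session") == "1":
            # Tomcat appends ".<jvmRoute>" to the session ID; stickiness only
            # works when every node's jvmRoute is exactly one member name.
            for host, route in jvm_routes.items():
                if route not in members:
                    problems.append(f"{host}: jvmRoute {route} is not a member of {lb}")
    return problems


class LoadBalancer:
    """lb worker: sticky sessions, lbfactor weighting, no traffic to down members."""

    def __init__(self, workers, lb_name):
        cfg = workers[lb_name]
        self.members = [m.strip() for m in cfg["balance_workers"].split(",")]
        self.weight = {m: int(workers[m].get("lbfactor", "1")) for m in self.members}
        self.sticky = cfg.get("sticky_session", "0") == "1"
        self.down = set()                     # members the health check has failed
        self.credit = {m: 0 for m in self.members}

    def route(self, session_id=None):
        up = [m for m in self.members if m not in self.down]
        if not up:
            raise RuntimeError("no worker available")
        if self.sticky and session_id and "." in session_id:
            route = session_id.rsplit(".", 1)[1]
            if route in up:                   # a down node's sessions fail over
                return route
        # Smooth weighted round-robin: every member earns its weight, the
        # richest member serves the request and pays back the total.
        total = sum(self.weight[m] for m in up)
        for m in up:
            self.credit[m] += self.weight[m]
        chosen = max(up, key=lambda m: self.credit[m])
        self.credit[chosen] -= total
        return chosen


def distribution(lb, requests):
    """How many of `requests` sessionless requests each member receives."""
    counts = {}
    for _ in range(requests):
        member = lb.route()
        counts[member] = counts.get(member, 0) + 1
    return counts
```

Running validate() against the constructed files returns no problems; changing one node's jvmRoute to a name that is not in balance_workers is reported, which is the misconfiguration that silently breaks sticky sessions. Twelve sessionless requests split 3 to node1 and 9 to node2 under the 1:3 weighting, a request carrying a session ID ending in ".node1" always goes to node1, and once node2 is marked down its sessions are routed to node1 instead of being lost.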

