Now that we have installed the IBM WebSphere Application Server and some sample applications, we will install the IBM HTTP Server to front the app server. It is a common practice to stand up a separate HTTP server instance to serve the resource provided by the app server. This web server typically resides in the tier 1 environment in a DMZ behind a tier 1 firewall facing the internet, or in a tier 1 environment facing the internal network. Application servers are usually placed in tier 2, behind a tier 2 firewall, and have access to tier 3 resources such as database servers. App servers are usually not accessible directly from the internet for security reasons. And for performance reasons and also the hosting of static pages off the filesystem, a separate web server fits the bill. In many configurations, users authentications are performed at web server tier (in collaboration with user stores such as LDAP, and through 3rd party identity solution such as SiteMinder) before the users hitting the dynamic resources serverd by the application server.
Download the IHS package from IBM website, Solaris 11 x86_64, the name of the archive is ihs.7000.solaris.x64.tar. You may install the HTTP server on the same machine as the application server, or on a totally separate machine. As explained earlier, we will install IBM HTTP server in a Solaris 11 local zone. Follow the steps here to install a clean local zone.
Deployment Architecture
Figure 1: Logical Deployment Architecture |
A note about 32 bits vs 64 bits
According to the IBM official documentations, you can mix 32/64 bit HTTP servers with 64/32 bit WAS. Any to any is allowed, as long as the plug-in which resides in the HTTP server are of the same architecture (can't have 32 bit HTTP server with 64 bit plug-in, or vice versa).If you want to install a 32 bit HTTP server on a 64 bit Linux machine (because IBM HTTP server 7 is only available in 32 bit JVM on Linux), you need to first install the ia32-libs package. (apt-get install ia32-libs for Ubuntu)
Additional notes: If you are installing IBM HTTP Server on Ubuntu systems, you may need to install ksh (Korn Shell) package as the setupadmin.sh needs it to configure the process owner of the HTTP Admin server. To install ksh, 'apt-get install ksh' on your Ubuntu. This is not needed if we are installing on Solaris 11, as in this article.
The installation process
To start the installation process, expand the archive, cd into IHS folder. Look for a file called "responsefile.txt". Peruse this file as it gives you all you need to know about silent installation. After you gone through the file, extract all the options into a separate file so we can eliminate the unnecessary comment lines.root@websvr02:~/ihs_install/IHS# grep -e ^\-OPT responsefile.txt -OPT silentInstallLicenseAcceptance="false" -OPT allowNonRootSilentInstall=false -OPT installLocation="/usr/IBM/HTTPServer" -OPT httpPort="80" -OPT adminPort="8008" -OPT createAdminAuth="false" -OPT adminAuthUser="username" -OPT adminAuthPassword="password" -OPT adminAuthPasswordConfirm="password" -OPT runSetupAdmin="false" -OPT createAdminUserGroup=true -OPT setupAdminUser="useridname" -OPT setupAdminGroup="groupname" -OPT installHttpService="true" -OPT installAdminService="true" -OPT winServiceLogOnAs="localSystem" -OPT winServiceUser="YOUR_USER_NAME" -OPT winServicePassword="YOUR_PASSWORD" -OPT winServiceStartType="automatic" -OPT installPlugin="true" -OPT webserverDefinition="webserver1" -OPT washostname="localhost"
Copy or pipe the output to a separate file, name it installIHS.resp. Edit the file to look like the sample below.
#silent install
-OPT silentInstallLicenseAcceptance="true"
# do not check prereq, Sol 11 not supported
-OPT disableOSPrereqChecking="true"
# installation location
-OPT installLocation="/opt/IBM/HTTPServer"
# http server port number
-OPT httpPort="8080"
# admin server port number
-OPT adminPort="8008"
# create admin server user, for use by WAS console
-OPT createAdminAuth="true"
# the userid to login into the admin server
-OPT adminAuthUser="ihsadmin"
# the password of admin user
-OPT adminAuthPassword="password"
# confirm the admin password
-OPT adminAuthPasswordConfirm="password"
# the web server name reference by WAS console
-OPT webserverDefinition="websvr02"
# creates the Admin user and group in the host machine
-OPT createAdminUserGroup="true"
# setup the admin user by running the setupadmin.sh
-OPT runSetupAdmin="true"
# Admin user (the uid in Linux/Unix)
-OPT setupAdminUser="ihsadmin"
# Admin group (the gid in Linux/Unix) -OPT setupAdminGroup="ihsadmin"
Lets perform the silent installation using the response file above.
# install -options installHTTP.resp -silent
To ensure that the installation has completed successfully, look under /opt/IBM/HTTPServer/logs/install/ for the log.txt file. If the installation failed, you should be looking for the log in ~/ihslogs directory.
Sanity check
You should see the ihsadmin user and ihsadmin group are created as OS user.root@websvr02:/opt/IBM/HTTPServer/bin# id ihsadmin
uid=101(ihsadmin) gid=100(ihsadmin)
You should also notice that a password entry has been created in the /opt/IBM/HTTPServer/conf/admin.passwd file. This is the credential used for logging into the HTTPServer admin server.
root@websvr02:/opt/IBM/HTTPServer/conf# cat admin.passwd
ihsadmin:$apr1$n/4.....$j0KP/AbsaceWBvUF.g/xz1
Check that the owner of the configuration has been changed.
Starting the HTTP server and HTTP Admin server
Start the HTTP Admin serverTo start the admin server, run the following command in the bin directory of the IHS installation.
root@websvr01:/opt/IBM/HTTPServer/bin# ./apachectl start
Start the HTTPServer
To start the http server, run the following command in the bin directory of the IHS installation.
root@websvr01:/opt/IBM/HTTPServer/bin# ./adminctl start
Check the processes and the owners
root@websvr02:/opt/IBM/HTTPServer/conf# ps -ef | grep httpd | grep -v grep nobody 6354 6352 0 23:44:03 ? 0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start nobody 6353 6352 0 23:44:03 ? 0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start nobody 6355 6352 0 23:44:03 ? 0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start root 6352 4569 0 23:44:02 ? 0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start root 6358 4569 0 23:44:07 ? 0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf root 6359 6358 0 23:44:07 ? 0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf ihsadmin 6360 6358 0 23:44:07 ? 0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf
Note that the httpd processes for the HTTP server is running as 'nobody'. It is a good security practice to change this to a specialized user meant to run the process, in our case is the 'ihsadmin'. Edit the httpd.conf and change the lines from
User nobody Group nobody
to
User ihsadmin Group ihsadmin
Do the same for conf/admin.conf file. The admin server must be started with ihsadmin user because it needs to write to the files...
Visit the HTTP server page and the Admin Server Page
By now we have 2 instances of webservers running, one for HTTP server and other for Admin server. Trying hitting the HTTP server at the port number we specified earlier (if you forgot this number, go look up the httpd.conf file), in our case it was 8080.
You should see something like this.
Trying hitting the Admin server page at http://websvr01:8008/wasadmin, you should be presented with a login screen. If you try to login by using the credential "ihsadmin"/"password" you would get this error.
This is because the Admin server is meant to be log-in from the WebSphere Application Server console, and automation is performed from there. HTTP Admin server is not meant to be an interactive website.
In the next article, we will manually set up the Websphere Application Server plugin in this HTTP Server instance to act as a reverse proxy into the WAS.
Cheers,
This is because the Admin server is meant to be log-in from the WebSphere Application Server console, and automation is performed from there. HTTP Admin server is not meant to be an interactive website.
In the next article, we will manually set up the Websphere Application Server plugin in this HTTP Server instance to act as a reverse proxy into the WAS.
Cheers,