Sunday, June 24, 2012

Install IBM HTTP Server in Solaris 11 zone to front WAS


Now that we have installed the IBM WebSphere Application Server and some sample applications, we will install the IBM HTTP Server to front the app server. It is common practice to stand up a separate HTTP server instance to serve the resources provided by the app server. This web server typically resides in the tier 1 environment in a DMZ behind a tier 1 firewall facing the internet, or in a tier 1 environment facing the internal network. Application servers are usually placed in tier 2, behind a tier 2 firewall, and have access to tier 3 resources such as database servers. App servers are usually not accessible directly from the internet for security reasons. A separate web server also fits the bill for performance reasons and for hosting static pages off the filesystem. In many configurations, user authentication is performed at the web server tier (in collaboration with user stores such as LDAP, and through third-party identity solutions such as SiteMinder) before users reach the dynamic resources served by the application server.

Download the IHS package for Solaris 11 x86_64 from the IBM website; the archive is named ihs.7000.solaris.x64.tar. You may install the HTTP server on the same machine as the application server, or on a totally separate machine. As explained earlier, we will install IBM HTTP Server in a Solaris 11 local zone. Follow the steps here to install a clean local zone.

Deployment Architecture

The next diagram depicts a typical deployment topology of a JEE-based application. Note that many other variants exist in production. The choice depends on the requirements for availability, reliability and security, and on the arrangement of the existing infrastructure, such as user and credential stores, authentication solutions, authorization solutions, network architecture, load balancers and app-server-specific cluster technologies.

Figure 1: Logical Deployment Architecture
This article implements the Tier 1 web server with IBM HTTP Server. We will only install the web server in this article.

A note about 32 bits vs 64 bits

According to the official IBM documentation, you can mix 32/64 bit HTTP servers with 64/32 bit WAS. Any to any is allowed, as long as the plug-in that resides in the HTTP server is of the same architecture as the HTTP server (you can't have a 32 bit HTTP server with a 64 bit plug-in, or vice versa).

If you want to install a 32 bit HTTP server on a 64 bit Linux machine (because IBM HTTP server 7 is only available in 32 bit JVM on Linux), you need to first install the ia32-libs package (apt-get install ia32-libs for Ubuntu).

Additional notes: If you are installing IBM HTTP Server on Ubuntu systems, you may need to install the ksh (Korn Shell) package, as setupadmin.sh needs it to configure the process owner of the HTTP Admin server. To install ksh, run 'apt-get install ksh' on your Ubuntu system. This is not needed if you are installing on Solaris 11, as in this article.

The installation process

To start the installation process, expand the archive and cd into the IHS folder. Look for a file called "responsefile.txt". Peruse this file, as it gives you all you need to know about silent installation. After you have gone through the file, extract all the options into a separate file so we can eliminate the unnecessary comment lines.

root@websvr02:~/ihs_install/IHS# grep -e ^\-OPT responsefile.txt
-OPT silentInstallLicenseAcceptance="false"
-OPT allowNonRootSilentInstall=false
-OPT installLocation="/usr/IBM/HTTPServer"
-OPT httpPort="80"
-OPT adminPort="8008"
-OPT createAdminAuth="false"
-OPT adminAuthUser="username"
-OPT adminAuthPassword="password"
-OPT adminAuthPasswordConfirm="password"
-OPT runSetupAdmin="false"
-OPT createAdminUserGroup=true
-OPT setupAdminUser="useridname"
-OPT setupAdminGroup="groupname"
-OPT installHttpService="true"
-OPT installAdminService="true"
-OPT winServiceLogOnAs="localSystem"
-OPT winServiceUser="YOUR_USER_NAME"
-OPT winServicePassword="YOUR_PASSWORD"
-OPT winServiceStartType="automatic"
-OPT installPlugin="true"
-OPT webserverDefinition="webserver1"
-OPT washostname="localhost"

Copy or pipe the output to a separate file, name it installIHS.resp. Edit the file to look like the sample below.



#silent install
-OPT silentInstallLicenseAcceptance="true"
# do not check prereq, Sol 11 not supported 
-OPT disableOSPrereqChecking="true" 
# installation location 
-OPT installLocation="/opt/IBM/HTTPServer" 
# http server port number
-OPT httpPort="8080" 
# admin server port number
-OPT adminPort="8008"
# create admin server user, for use by WAS console
-OPT createAdminAuth="true" 
# the userid to login into the admin server
-OPT adminAuthUser="ihsadmin"
# the password of admin user
-OPT adminAuthPassword="password" 
# confirm the admin password
-OPT adminAuthPasswordConfirm="password"
# the web server name reference by WAS console
-OPT webserverDefinition="websvr02" 
# creates the Admin user and group in the host machine 
-OPT createAdminUserGroup="true"
# setup the admin user by running the setupadmin.sh
-OPT runSetupAdmin="true" 
# Admin user (the uid in Linux/Unix)
-OPT setupAdminUser="ihsadmin" 
# Admin group (the gid in Linux/Unix)
-OPT setupAdminGroup="ihsadmin" 
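
The response file carries the admin server credential in clear text, so it is worth checking before it is used. The script below is an added example, not part of the original post or of the IBM installer: it parses the `-OPT key="value"` format shown above and flags sample passwords, mismatched password confirmation, a missing license acceptance and a file readable by group or others. The same check applies to any option whose name contains "Password". `IHS_ADMIN_PW` and the function names are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: lint a response file made of
# -OPT key="value" lines before passing it to the silent installer.

# Emit key=value for every active -OPT line. '#' comment lines are skipped;
# trailing blanks and the surrounding double quotes are stripped.
resp_opts() {
    sed -n 's/^-OPT[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\)=\(.*\)$/\1=\2/p' "$1" |
        sed -e 's/[[:space:]]*$//' -e 's/^\([^=]*\)="\(.*\)"$/\1=\2/'
}

# Value of one option (last occurrence wins); empty when the option is absent.
resp_get() {
    resp_opts "$1" |
        awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                       END { print v }'
}

# Print one finding per line; no output means nothing was flagged.
resp_lint() {
    f=$1
    [ "$(resp_get "$f" silentInstallLicenseAcceptance)" = "true" ] ||
        echo "LICENSE silentInstallLicenseAcceptance is not true"
    if [ "$(resp_get "$f" createAdminAuth)" = "true" ] &&
       [ "$(resp_get "$f" adminAuthPassword)" != \
         "$(resp_get "$f" adminAuthPasswordConfirm)" ]; then
        echo "MISMATCH adminAuthPassword and adminAuthPasswordConfirm differ"
    fi
    # Options whose name contains "Password" and still hold a sample value
    # (the placeholder strings are the ones used in the files on this page).
    resp_opts "$f" | while IFS= read -r kv; do
        key=${kv%%=*}
        val=${kv#*=}
        case $key in *Password*) ;; *) continue ;; esac
        case $val in
            ""|password|YOUR_PASSWORD|aPassword) echo "PLACEHOLDER $key" ;;
        esac
    done
    # Characters 5-10 of the ls -l mode string are the group and other bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        echo "PERMS file is accessible to group or others"
    return 0
}

# Write a minimal admin-auth response file with mode 0600. The password is an
# argument so it can come from a prompt or a secret store at install time.
write_resp() {   # $1 = output path, $2 = admin password
    ( umask 077
      cat > "$1" <<EOF
-OPT silentInstallLicenseAcceptance="true"
-OPT createAdminAuth="true"
-OPT adminAuthUser="ihsadmin"
-OPT adminAuthPassword="$2"
-OPT adminAuthPasswordConfirm="$2"
EOF
    )
}

# Demo on constructed files: the first repeats the values used above.
demo_dir=$(mktemp -d)
write_resp "$demo_dir/weak.resp" "password"
chmod 644 "$demo_dir/weak.resp"
# IHS_ADMIN_PW is a hypothetical variable; the fallback is a constructed value.
write_resp "$demo_dir/ok.resp" "${IHS_ADMIN_PW:-constructed-Example-0nly}"
echo "weak.resp:"; resp_lint "$demo_dir/weak.resp"
echo "ok.resp:";   resp_lint "$demo_dir/ok.resp"
rm -rf "$demo_dir"
```

Delete the response file, or move it out of the install directory, once the installation has completed.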

Let's perform the silent installation using the response file above.

# ./install -options installIHS.resp -silent

To ensure that the installation has completed successfully, look under /opt/IBM/HTTPServer/logs/install/ for the log.txt file. If the installation failed, you should be looking for the log in ~/ihslogs directory.

Sanity check

You should see that the ihsadmin user and ihsadmin group have been created as OS user and group.

root@websvr02:/opt/IBM/HTTPServer/bin# id ihsadmin
uid=101(ihsadmin) gid=100(ihsadmin)

You should also notice that a password entry has been created in the /opt/IBM/HTTPServer/conf/admin.passwd file. This is the credential used for logging into the HTTPServer admin server.

root@websvr02:/opt/IBM/HTTPServer/conf# cat admin.passwd
ihsadmin:$apr1$n/4.....$j0KP/AbsaceWBvUF.g/xz1 

Check that the owner of the configuration has been changed.


Starting the HTTP server and HTTP Admin server

Start the HTTP server
To start the HTTP server, run the following command in the bin directory of the IHS installation.

root@websvr01:/opt/IBM/HTTPServer/bin# ./apachectl start

Start the HTTP Admin server
To start the admin server, run the following command in the bin directory of the IHS installation.

root@websvr01:/opt/IBM/HTTPServer/bin# ./adminctl start

Check the processes and the owners


root@websvr02:/opt/IBM/HTTPServer/conf# ps -ef | grep httpd | grep -v grep
  nobody  6354  6352   0 23:44:03 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
  nobody  6353  6352   0 23:44:03 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
  nobody  6355  6352   0 23:44:03 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
    root  6352  4569   0 23:44:02 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
    root  6358  4569   0 23:44:07 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf
    root  6359  6358   0 23:44:07 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf
ihsadmin  6360  6358   0 23:44:07 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf

Note that the httpd processes for the HTTP server are running as 'nobody'. It is a good security practice to change this to a dedicated user meant to run the process, in our case 'ihsadmin'. Edit httpd.conf and change the lines from

User nobody
Group nobody

to

User ihsadmin
Group ihsadmin

Do the same for conf/admin.conf file. The admin server must be started with ihsadmin user because it needs to write to the files...
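
Editing the User and Group directives changes nothing until the server is restarted, so the useful check is the configured user against the owners of the running worker processes. The script below is an added example, not part of the original post: it reads the effective User directive from a config file and compares it with the httpd workers found in `ps -ef` output, using the listing shown above as sample input. The function names are hypothetical, and the config fragment and the "after restart" listing are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: compare the User directive in a
# config file with the owners of the running httpd worker processes.

# Effective value of a one-argument directive: last active line wins,
# '#' comment lines never match, directive names are case-insensitive.
# Assumption: the directive is in this file, not in an included one.
conf_directive() {   # $1 = config file, $2 = directive name
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# stdin: `ps -ef` output. Prints the distinct owners of httpd workers, i.e.
# httpd processes whose parent is also httpd, whose command line contains $1.
worker_owners() {
    awk -v pat="$1" '
        /\/httpd / { owner[$2] = $1; parent[$2] = $3; cmd[$2] = $0 }
        END {
            for (p in owner)
                if ((parent[p] in owner) && index(cmd[p], pat) && !seen[owner[p]]++)
                    print owner[p]
        }' | sort
}

# stdin: `ps -ef` output. Prints "OK <user>" when every worker of the instance
# selected by $2 runs as the configured User, otherwise "MISMATCH ...".
check_run_as() {     # $1 = config file, $2 = command-line pattern
    got=$(worker_owners "$2" | tr '\n' ' ' | sed 's/ $//')
    want=$(conf_directive "$1" User)
    if [ -n "$want" ] && [ "$got" = "$want" ]; then
        echo "OK $want"
    else
        echo "MISMATCH configured=$want running=$got"
    fi
}

# The ps listing shown above, reproduced as sample input.
sample_ps() {
    cat <<'EOF'
  nobody  6354  6352   0 23:44:03 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
  nobody  6353  6352   0 23:44:03 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
  nobody  6355  6352   0 23:44:03 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
    root  6352  4569   0 23:44:02 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
    root  6358  4569   0 23:44:07 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf
    root  6359  6358   0 23:44:07 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf
ihsadmin  6360  6358   0 23:44:07 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf
EOF
}

# Demo: httpd.conf already edited (constructed fragment), server not restarted.
demo_conf=$(mktemp)
printf '%s\n' '#User nobody' 'User ihsadmin' 'Group ihsadmin' > "$demo_conf"
sample_ps | check_run_as "$demo_conf" '-k start'
# Constructed "after restart" listing: the same lines with the workers re-owned.
sample_ps | sed 's/^ *nobody/ihsadmin/' | check_run_as "$demo_conf" '-k start'
rm -f "$demo_conf"
```

On a live system, pipe `ps -ef` into `check_run_as` in place of `sample_ps`.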

Visit the HTTP server page and the Admin Server Page

By now we have two web server instances running, one for the HTTP server and the other for the Admin server. Try hitting the HTTP server at the port number we specified earlier (if you forgot this number, look it up in the httpd.conf file); in our case it was 8080.

You should see something like this.



Try hitting the Admin server page at http://websvr01:8008/wasadmin; you should be presented with a login screen. If you try to log in using the credential "ihsadmin"/"password", you will get this error.


This is because the Admin server is meant to be logged in to from the WebSphere Application Server console, and automation is performed from there. The HTTP Admin server is not meant to be an interactive website.

In the next article, we will manually set up the WebSphere Application Server plugin in this HTTP Server instance to act as a reverse proxy into the WAS.

Cheers,


Wednesday, June 20, 2012

Install SamplesGallery in IBM Websphere Application Server

Alright, the previous article discussed the steps to install an IBM WAS in silent mode. By default, the installed instance is without the sample applications.

(Update: To install a new instance of WAS that includes SamplesGallery, you can add -OPT feature="samplesSelected", into the response file, however, this also requires you to provide the -OPT samplesPassword="aPassword" option.)

To install the sample applications (referred to as SamplesGallery in the IBM documentation), we need to run the install script once again, this time with a set of different options in the response file.

Create the following response file in your /WAS folder of your un-tar'ed installation archive.

# cat > addSamples.resp << EOF
-OPT silentInstallLicenseAcceptance="true"
-OPT disableOSPrereqChecking="true"
-OPT installType="addFeature"
-OPT feature="samplesSelected"
-OPT installLocation="/opt/IBM/WebSphere/AppServer"
-OPT traceLevel="INFO"
EOF

Make sure you stop all servers before carrying out the installation of samples.

Install the samples

# ./install -options addSamples.resp -silent

Check the log file to see if the installation is successful.

# cat /opt/IBM/WebSphere/AppServer/logs/install/log.txt

You should see these 2 lines ending the log file immediately after your installation exits.

(Jun 19, 2012 1:07:40 PM), Process, com.ibm.ws.install.ni.ismp.actions.SetExitCodeAction, msg1, CWUPI0000I: EXITCODE=0
(Jun 19, 2012 1:07:40 PM), Process, com.ibm.ws.install.ni.ismp.actions.ISMPLogSuccessMessageAction, msg1, INSTCONFSUCCESS

Inspect the directory where the samples are installed. It is located in [was_install_dir]/samples

root@ubuntu12svr01:/opt/IBM/WebSphere/AppServer/samples# ls
bin  javadoc  lib  src

As an exercise, cd into lib/ and look at all available ear's. They are all the samples you can deploy into your profiles. The SamplesGallery is of our particular interest because it is a 'Gallery' that introduces the apps and provides some basic instructions on how to install them.

Now we need to install the SamplesGallery app into server1 of our appsvr01 profile (created in this article). Once installed, the 'Gallery' can be accessed via the URL http://server:9080/WSsamples.

You can either do this using the install script under the bin/ folder of the samples directory, or do this using the web admin console of profile appsvr01. Let's use the command line to install SamplesGallery and use the web admin console to install others.

Using the command line.

root@ubuntu12svr01:/opt/IBM/WebSphere/AppServer/samples/bin# ./install.sh -profileName appsvr01 -server server1 -samples SamplesGallery
WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[-server, server1, -samples, SamplesGallery]"

---------------------------------------------------------------
              Command parameters
---------------------------------------------------------------
 Command:
                        configure & install
 Scope:
    cell                ubuntu12svr01Node01Cell
    node                ubuntu12svr01Node01
    server              server1
 Samples:
                        SamplesGallery
---------------------------------------------------------------

SAMP INFO: SamplesGallery was not configured because it does not have resources to configure.

************* Install Samples Gallery *************************

---------------------------------------------------------------
              Install application
---------------------------------------------------------------
 Scope:
    node                ubuntu12svr01Node01
    server              server1
 EAR:
    name                /opt/IBM/WebSphere/AppServer/samples/lib/SamplesGallery/SamplesGallery.ear                                                                                            
    application         SamplesGallery
    destination         $(APP_INSTALL_ROOT)/$(CELL)
    usedefaultbindings  true
    noejbdeploy         true
---------------------------------------------------------------

ADMA0073W: Custom permissions are found in the [(com.ibm.websphere.security.WebSphereRuntimePermission AdminPermission)] policy file. Custom permissions can compromise the integrity of Java 2 Security.
WASX7327I: Contents of was.policy file:
 //
// WebSphere Application Security Policy for SamplesGallery.ear
//

// Required to access the WAS Admin API's.
grant codeBase "file:${application}" {
  permission java.io.FilePermission "${/}QIBM/ProdData${/}Java400${/}SamplesProperties.xml", "read";
  permission java.io.FilePermission "${was.install.root}${/}samples${/}config", "read";
  permission java.io.FilePermission "${was.install.root}${/}samples${/}config${/}*", "read";
  permission java.io.FilePermission "${was.install.root}${/}properties${/}*", "read";
  permission com.ibm.websphere.security.WebSphereRuntimePermission "AdminPermission";
  permission javax.management.MBeanPermission "*", "queryNames,getMBeanInfo,invoke";
};

ADMA5016I: Installation of SamplesGallery started.
ADMA5058I: Application and module versions are validated with versions of deployment targets.
ADMA5005I: The application SamplesGallery is configured in the WebSphere Application Server repository.
ADMA5053I: The library references for the installed optional package are created.
ADMA5005I: The application SamplesGallery is configured in the WebSphere Application Server repository.
ADMA5001I: The application binaries are saved in /opt/IBM/WebSphere/AppServer/profiles/appsvr01/wstemp/Script13804ecf838/workspace/cells/ubuntu12svr01Node01Cell/applications/SamplesGallery.ear/SamplesGallery.ear
ADMA5005I: The application SamplesGallery is configured in the WebSphere Application Server repository.
SECJ0400I: Successfully updated the application SamplesGallery with the appContextIDForSecurity information.
ADMA5005I: The application SamplesGallery is configured in the WebSphere Application Server repository.
CWSAD0040I: The application SamplesGallery is configured in the Application Server repository.
ADMA5113I: Activation plan created successfully.
ADMA5011I: The cleanup of the temp directory for application SamplesGallery is complete.
ADMA5013I: Application SamplesGallery installed successfully.

SAMP INFO: The install command for SamplesGallery completed successfully.

---------------------------------------------------------------
              Save
---------------------------------------------------------------

SAMP INFO: The save command for SamplesGallery completed successfully.

---------------------------------------------------------------
              Summary
---------------------------------------------------------------
 The following samples were configured and installed successfully:

    SamplesGallery

---------------------------------------------------------------
root@ubuntu12svr01:/opt/IBM/WebSphere/AppServer/samples/bin#

There you have it, the SamplesGallery application was installed successfully. Let's fire up the web browser and inspect the installed application at http://server-ip:9080/WSsamples. You should see something like this.


As you can see, the 'gallery' provides command line instructions to install the app. We will install Plants By WebSphere using the admin console.

Steps:
1) Log in to the web console, browse to the 'Application' section on the left hand menu, click on 'New Application' then 'New Enterprise Application' on the right hand pane.


2) Browse to the path for 'Plants By WebSphere' ear file.


3) Select and click ok


4) Click 'Next' and choose 'Fast path'. Leave everything else to default.



5) Click 'Next'. Select all modules to map to the 'server1'


6) Click 'Next'. Select all modules to map to the default virtual host. We have only one virtual host here because we haven't created any other.


7) Click 'Next'. Review the summary and click 'Finish'.


8) Click the 'Save' link in the resulting page to save the new server configuration. This is the last step of the installation of the application.



9) Locate the newly installed application in the application list. Start the application.


10) Point your browser to http://server-ip:9080/PlantsByWebSphere, you should be presented with this page.


Unfortunately, the installation of PlantsByWebSphere using the web console is far from complete, as we are still missing other resources such as the mail provider, authentication provider, JDBC provider and data source, so don't expect this app to fully work until we have configured those. It is probably much easier to install PlantsByWebSphere from the command line.


# sh /opt/IBM/WebSphere/AppServer/samples/bin/install.sh -samples PlantsByWebSphere

I thought this article would be a short one, but look what I have done...

Cheers,

Monday, June 18, 2012

Install and Uninstall IBM Websphere Application Server 7

This article describes how to install and uninstall an IBM WebSphere Application Server 7 on an Ubuntu 12.04 64 bit server. Between the installation and uninstallation processes, we will also start an instance of the server in the profile we created, just to see it in action.

Most of the examples on the internet show you how to install WAS using the GUI, but if you want to install WAS on an Ubuntu server that doesn't come with xorg-server, then you might need to do some internet digging. There are numerous posts out there providing hints, but I had to piece them together to make the procedure work in my environment.

I am not a great fan of having my servers support GUI applications, so I will not install the xorg-server package. Your preference may vary.

For that reason I will be performing a silent installation of IBM WAS 7.

What we need in order to perform a silent installation is the following:
- IBM WAS 7 software package
- Ubuntu 12.04 64-bit server installation
- Putty
- A response file for silent installation
- root access to the Ubuntu server

At the end of the install, we will have created a profile called 'appsvr01' and a default server called 'server1' using default ports, when we use the following response file.

-OPT silentInstallLicenseAcceptance="true"
-OPT disableOSPrereqChecking="true"
-OPT installType="installNew"
-OPT profileType="standAlone"
-OPT feature="noFeature"
-OPT PROF_enableAdminSecurity="true"
-OPT PROF_adminUserName="wasadmin"
-OPT PROF_adminPassword="password"
-OPT PROF_profileName="appsvr01"
-OPT PROF_defaultPorts="true"
-OPT installLocation="/opt/IBM/WebSphere/AppServer"
-OPT traceLevel="INFO"

The options are self-explanatory. Due to the fact that Ubuntu is not a supported platform to run WAS, the 'disableOSPrereqChecking="true"' is necessary.

It is not necessary to pre-create the installation directory. As long as the installation process has the privilege to create the folder, we are ok.

Before we start, there is a little subtlety that we need to address. If you execute the command "ls -al `which sh`" you will see that /bin/sh is actually pointing to a binary called 'dash'.

~# ls -al `which sh`
lrwxrwxrwx 1 root root 4 Jun  7 20:49 /bin/sh -> dash

We need to re-link /bin/sh to /bin/bash, because the default sh symbolic link in Ubuntu points to dash. Numerous posts on the internet talk about this. We won't worry about why it is so; we are just interested in installing IBM WAS. Fix the sh symlink issue.

cd /bin
unlink sh
ln -s /bin/bash sh

Installation Steps:
1) Untar the IBM Websphere Application Server 7 archive.
# tar -xzvf was.7000.wasdev.nocharge.linux.amd64.tar.gz

2) Create a response file for silent installation
# cat > responce.text << EOF
-OPT silentInstallLicenseAcceptance="true"
-OPT disableOSPrereqChecking="true"
-OPT installType="installNew"
-OPT profileType="standAlone"
-OPT feature="noFeature"
-OPT PROF_enableAdminSecurity="true"
-OPT PROF_adminUserName="wasadmin"
-OPT PROF_adminPassword="password"
-OPT PROF_profileName="appsvr01"
-OPT PROF_defaultPorts="true"
-OPT installLocation="/opt/IBM/WebSphere/AppServer"
-OPT traceLevel="INFO"
EOF

It is also worth noting that in the WAS directory in the expanded installation archive, there is a sample response file named "responsefile.base.txt". Have a look at this file, it should give you a good idea of what options are supported without needing to read through thousands of pages of documents.

3) cd to the WAS directory and execute the install script with the following arguments
# ./install -is:javaconsole -options responce.text -silent
Or
# ./install -options responce.text -silent -log # !/root/was_install_log.txt  @ALL

to log all installation messages.


The "-is:javaconsole" argument tells the installer to print the output to stdout. Unfortunately, on my server, this doesn't work as it gives this warning message and terminates the installation process :-(

WARNING: could not write using log service: java.lang.IllegalStateException: proxy has been closed

I had to remove the argument, clean the installation directory and re-run the installation for a successful outcome.

4) During the installation process, you could watch the progress by tail-ing the log file located in ~/waslogs directory. (In the first-time installation, a temporary log file directory is always created in the home directory of the current user)

# tail -f ~/waslogs/log.txt
(Jun 18, 2012 11:47:17 AM), Process, com.ibm.ws.install.ni.ismp.mediaspanning.InstallNIFMaintenanceMediaSpanning, msg1, Installing component: wccm.services.pme, percent complete: 89%
(Jun 18, 2012 11:47:17 AM), Process, com.ibm.ws.install.ni.ismp.mediaspanning.InstallNIFMaintenanceMediaSpanning, msg1, Installing component: webcontainer, percent complete: 89%
(Jun 18, 2012 11:47:17 AM), Process, com.ibm.ws.install.ni.ismp.mediaspanning.InstallNIFMaintenanceMediaSpanning, msg1, Installing component: webservices, percent complete: 89%
(Jun 18, 2012 11:47:18 AM), Process, com.ibm.ws.install.ni.ismp.mediaspanning.InstallNIFMaintenanceMediaSpanning, msg1, Installing component: websvcs.admin.impl, percent complete: 89%
(Jun 18, 2012 11:47:18 AM), Process, com.ibm.ws.install.ni.ismp.mediaspanning.InstallNIFMaintenanceMediaSpanning, msg1, Installing component: websvcs.admin, percent complete: 89%
(Jun 18, 2012 11:47:18 AM), Process, com.ibm.ws.install.ni.ismp.mediaspanning.InstallNIFMaintenanceMediaSpanning, msg1, Installing component: websvcs, percent complete: 89%
(Jun 18, 2012 11:47:19 AM), Process, com.ibm.ws.install.ni.ismp.mediaspanning.InstallNIFMaintenanceMediaSpanning, msg1, Installing component: webui.webservices.admin, percent complete: 90%
(Jun 18, 2012 11:47:19 AM), Process, com.ibm.ws.install.ni.ismp.mediaspanning.InstallNIFMaintenanceMediaSpanning, msg1, Installing component: webui.webservices.policyset, percent complete: 90%
(Jun 18, 2012 11:47:19 AM), Process, com.ibm.ws.install.ni.ismp.mediaspanning.InstallNIFMaintenanceMediaSpanning, msg1, Installing component: webui.webservices.trust, percent complete: 90%
(Jun 18, 2012 11:47:19 AM), Process, com.ibm.ws.install.ni.ismp.mediaspanning.InstallNIFMaintenanceMediaSpanning, msg1, Installing component: webui, percent complete: 90%

5) Take note of the last line of the installation log, you should see an exitcode = 0.

(Jun 18, 2012 12:18:02 PM), Process, com.ibm.ws.install.ni.ismp.actions.SetExitCodeAction, msg1, CWUPI0000I: EXITCODE=0

The installation takes about 5 minutes to complete on my i5-3550 machine.

By now, the installation has been completed successfully. Let's examine the installation. First, start the default server 'server1' of our profile appsvr01.

To start the server:
1) cd to the [was_install_dir]/profiles/appsvr01/bin
2) execute the startServer.sh script with "server1" as the argument. "server1" is the default server of a profile.

root@ubuntu12svr01:/opt/IBM/WebSphere/AppServer/profiles/appsvr01/bin# ./startServer.sh server1
ADMU0116I: Tool information is being logged in file
          /opt/IBM/WebSphere/AppServer/profiles/appsvr01/logs/server1/startServer.log
ADMU0128I: Starting tool with the appsvr01 profile
ADMU3100I: Reading configuration for server: server1
ADMU3200I: Server launched. Waiting for initialization status.
ADMU3000I: Server server1 open for e-business; process id is 29695

The application server instance server1 is now started. The default secured listener port of this instance is 9043; hitting https://server-ip:9043/admin yields the following.




Just add the exception and tell the browser to connect to the server, the following log-in screen will be displayed.




Enter the username and password you specified earlier in the responce.text file and login. Voila you are in!




As far as the installation goes, it has been successful.


If you want to repeat the exercise, just follow these steps to uninstall the entire installation, in silent mode.

Steps to uninstall:
1) Stop all servers
2) cd to [was_install_dir]/uninstall/
3) execute the uninstall script with the '-silent' argument

root@ubuntu12svr01:/opt/IBM/WebSphere/AppServer/uninstall# ./uninstall -silent

4) After the script exits, delete the entire IBM directory as well as a hidden directory ".ibm" in the /opt.
5) Delete the ~/waslogs directory, too.



To install the SamplesGallery that comes together with WAS, follow this article.


That is it. Install, start server, stop server, uninstall. For the fun of it.

Cheers,