Sunday, June 24, 2012

Install IBM HTTP Server in Solaris 11 zone to front WAS


Now that we have installed the IBM WebSphere Application Server and some sample applications, we will install the IBM HTTP Server to front the app server. It is common practice to stand up a separate HTTP server instance to serve the resources provided by the app server. This web server typically resides in the tier 1 environment in a DMZ behind a tier 1 firewall facing the internet, or in a tier 1 environment facing the internal network. Application servers are usually placed in tier 2, behind a tier 2 firewall, and have access to tier 3 resources such as database servers. App servers are usually not directly accessible from the internet for security reasons. A separate web server also fits the bill for performance reasons and for hosting static pages off the filesystem. In many configurations, user authentication is performed at the web server tier (in collaboration with user stores such as LDAP, and through third-party identity solutions such as SiteMinder) before users reach the dynamic resources served by the application server.

Download the IHS package from the IBM website. For Solaris 11 x86_64, the archive is named ihs.7000.solaris.x64.tar. You may install the HTTP server on the same machine as the application server, or on a totally separate machine. As explained earlier, we will install IBM HTTP Server in a Solaris 11 local zone. Follow the steps here to install a clean local zone.

Deployment Architecture

The next diagram depicts a typical deployment topology of a JEE-based application. Note that many other variants exist in production. The choice depends on the requirements for availability, reliability and security, and on the arrangement of the other existing infrastructure, such as user and credential stores, authentication solutions, authorization solutions, network architecture, load balancers and implementations of app-server-specific cluster technologies.

Figure 1: Logical Deployment Architecture
This article implements the Tier 1 web server with IBM HTTP Server. We will only install the web server in this article.

A note about 32 bits vs 64 bits

According to the official IBM documentation, you can mix 32/64 bit HTTP servers with 64/32 bit WAS. Any to any is allowed, as long as the plug-in which resides in the HTTP server is of the same architecture as the HTTP server (you can't have a 32 bit HTTP server with a 64 bit plug-in, or vice versa).

If you want to install a 32 bit HTTP server on a 64 bit Linux machine (because IBM HTTP server 7 is only available in 32 bit JVM on Linux), you need to first install the ia32-libs package. (apt-get install ia32-libs for Ubuntu)

Additional notes: If you are installing IBM HTTP Server on Ubuntu systems, you may need to install the ksh (Korn Shell) package, as setupadmin.sh needs it to configure the process owner of the HTTP Admin server. To install ksh, run 'apt-get install ksh' on your Ubuntu machine. This is not needed if we are installing on Solaris 11, as in this article.

The installation process

To start the installation process, expand the archive and cd into the IHS folder. Look for a file called "responsefile.txt". Peruse this file, as it gives you all you need to know about silent installation. After you have gone through the file, extract all the options into a separate file so we can eliminate the unnecessary comment lines.

root@websvr02:~/ihs_install/IHS# grep -e ^\-OPT responsefile.txt
-OPT silentInstallLicenseAcceptance="false"
-OPT allowNonRootSilentInstall=false
-OPT installLocation="/usr/IBM/HTTPServer"
-OPT httpPort="80"
-OPT adminPort="8008"
-OPT createAdminAuth="false"
-OPT adminAuthUser="username"
-OPT adminAuthPassword="password"
-OPT adminAuthPasswordConfirm="password"
-OPT runSetupAdmin="false"
-OPT createAdminUserGroup=true
-OPT setupAdminUser="useridname"
-OPT setupAdminGroup="groupname"
-OPT installHttpService="true"
-OPT installAdminService="true"
-OPT winServiceLogOnAs="localSystem"
-OPT winServiceUser="YOUR_USER_NAME"
-OPT winServicePassword="YOUR_PASSWORD"
-OPT winServiceStartType="automatic"
-OPT installPlugin="true"
-OPT webserverDefinition="webserver1"
-OPT washostname="localhost"

Copy or pipe the output to a separate file, name it installIHS.resp. Edit the file to look like the sample below.



#silent install
-OPT silentInstallLicenseAcceptance="true"
# do not check prereq, Sol 11 not supported 
-OPT disableOSPrereqChecking="true" 
# installation location 
-OPT installLocation="/opt/IBM/HTTPServer" 
# http server port number
-OPT httpPort="8080" 
# admin server port number
-OPT adminPort="8008"
# create admin server user, for use by WAS console
-OPT createAdminAuth="true" 
# the userid to login into the admin server
-OPT adminAuthUser="ihsadmin"
# the password of admin user
-OPT adminAuthPassword="password" 
# confirm the admin password
-OPT adminAuthPasswordConfirm="password"
# the web server name reference by WAS console
-OPT webserverDefinition="websvr02" 
# creates the Admin user and group in the host machine 
-OPT createAdminUserGroup="true"
# setup the admin user by running the setupadmin.sh
-OPT runSetupAdmin="true" 
# Admin user (the uid in Linux/Unix)
-OPT setupAdminUser="ihsadmin" 
# Admin group (the gid in Linux/Unix)
-OPT setupAdminGroup="ihsadmin" 

Let's perform the silent installation using the response file above.

# ./install -options installIHS.resp -silent

To ensure that the installation has completed successfully, look under /opt/IBM/HTTPServer/logs/install/ for the log.txt file. If the installation failed, look for the log in the ~/ihslogs directory.
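The response file carries the admin server password in clear text and the installer will not proceed unless the license option is "true". The following check is an added example, not part of the original article or IBM's tooling: the function names `opt_value` and `lint_resp` and the list of rejected passwords are assumptions, and the sample file is constructed from the option values shown above.

```shell
#!/bin/sh
# opt_value FILE KEY: print the value of "-OPT KEY=value", quotes stripped.
opt_value() {
    awk -v key="$2" '
        $1 == "-OPT" {
            line = $0; sub(/^[ \t]*-OPT[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq && substr(line, 1, eq - 1) == key) {
                val = substr(line, eq + 1)
                gsub(/^[ \t"]+|[ \t"]+$/, "", val)
                found = val
            }
        }
        END { print found }' "$1"
}

# lint_resp FILE: print findings; the exit status is the number of findings.
lint_resp() {
    f=$1; n=0
    flag() { echo "$f: $1"; n=$((n + 1)); }
    [ "$(opt_value "$f" silentInstallLicenseAcceptance)" = "true" ] ||
        flag "license not accepted, the installer will not proceed"
    if [ "$(opt_value "$f" createAdminAuth)" = "true" ]; then
        pw=$(opt_value "$f" adminAuthPassword)
        [ "$pw" = "$(opt_value "$f" adminAuthPasswordConfirm)" ] ||
            flag "adminAuthPassword and adminAuthPasswordConfirm differ"
        case $pw in
            ""|password|"$(opt_value "$f" adminAuthUser)")
                flag "adminAuthPassword is empty, a placeholder, or the user name" ;;
        esac
    fi
    # The file holds the admin password in clear text: owner-only access.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || flag "group/other permissions '$perms', use chmod 600"
    return "$n"
}

# Constructed sample using the option values shown in the article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-OPT silentInstallLicenseAcceptance="true"
-OPT createAdminAuth="true"
-OPT adminAuthUser="ihsadmin"
-OPT adminAuthPassword="password"
-OPT adminAuthPasswordConfirm="password"
EOF
chmod 644 "$sample"
lint_resp "$sample" || echo "findings: $?"
rm -f "$sample"
```

Once the install log confirms success, remove the response file or keep it owner-readable only, since it still contains the admin password.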

Sanity check

You should see that the ihsadmin user and the ihsadmin group have been created as an OS user and group.

root@websvr02:/opt/IBM/HTTPServer/bin# id ihsadmin
uid=101(ihsadmin) gid=100(ihsadmin)

You should also notice that a password entry has been created in the /opt/IBM/HTTPServer/conf/admin.passwd file. This is the credential used for logging into the HTTPServer admin server.

root@websvr02:/opt/IBM/HTTPServer/conf# cat admin.passwd
ihsadmin:$apr1$n/4.....$j0KP/AbsaceWBvUF.g/xz1 

Check that the owner of the configuration has been changed.


Starting the HTTP server and HTTP Admin server

Start the HTTP Admin server
To start the admin server, run the following command in the bin directory of the IHS installation.

root@websvr01:/opt/IBM/HTTPServer/bin# ./adminctl start

Start the HTTPServer
To start the HTTP server, run the following command in the bin directory of the IHS installation.

root@websvr01:/opt/IBM/HTTPServer/bin# ./apachectl start

Check the processes and the owners


root@websvr02:/opt/IBM/HTTPServer/conf# ps -ef | grep httpd | grep -v grep
  nobody  6354  6352   0 23:44:03 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
  nobody  6353  6352   0 23:44:03 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
  nobody  6355  6352   0 23:44:03 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
    root  6352  4569   0 23:44:02 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
    root  6358  4569   0 23:44:07 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf
    root  6359  6358   0 23:44:07 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf
ihsadmin  6360  6358   0 23:44:07 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf

Note that the httpd processes for the HTTP server are running as 'nobody'. It is good security practice to change this to a dedicated user meant to run the process, in our case 'ihsadmin'. Edit httpd.conf and change the lines from

User nobody
Group nobody

to

User ihsadmin
Group ihsadmin

Do the same for the conf/admin.conf file. The admin server must be started as the ihsadmin user because it needs to write to the files...
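To confirm the change took effect after a restart, the following added example (not part of the original article) summarizes which accounts the httpd child processes of each instance run as, and reads the User/Group directives back from a config file. The function names and the "ok"/"review" labels are assumptions; the sample listing is the `ps -ef` output shown above, taken before the change.

```shell
#!/bin/sh
# audit_httpd_owners EXPECTED_USER: read `ps -ef` output on stdin and print
# "<instance> <user> <count> <ok|review>" for httpd processes whose parent
# is another httpd (the parent started from the shell is skipped).
audit_httpd_owners() {
    awk -v want="$1" '
        /bin\/httpd/ {
            user[$2] = $1; parent[$2] = $3
            inst[$2] = ($0 ~ /admin\.conf/) ? "admin" : "http"
        }
        END {
            for (pid in user)
                if (parent[pid] in user)
                    count[inst[pid] " " user[pid]]++
            for (k in count)
                print k, count[k], ((k ~ (" " want "$")) ? "ok" : "review")
        }' | LC_ALL=C sort
}

# conf_identity: read httpd.conf or admin.conf text on stdin and print
# "user:group" from the User and Group directives (names are case-insensitive).
conf_identity() {
    awk 'tolower($1) == "user"  { u = $2 }
         tolower($1) == "group" { g = $2 }
         END { print u ":" g }'
}

# Sample input: the article's own ps listing, captured before the change.
sample_ps() {
    cat <<'EOF'
  nobody  6354  6352   0 23:44:03 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
  nobody  6353  6352   0 23:44:03 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
  nobody  6355  6352   0 23:44:03 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
    root  6352  4569   0 23:44:02 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -d /opt/IBM/HTTPServer -k start
    root  6358  4569   0 23:44:07 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf
    root  6359  6358   0 23:44:07 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf
ihsadmin  6360  6358   0 23:44:07 ?           0:00 /opt/IBM/HTTPServer/bin/httpd -f /opt/IBM/HTTPServer/conf/admin.conf
EOF
}

sample_ps | audit_httpd_owners ihsadmin
```

On a live system, pipe `ps -ef` into `audit_httpd_owners ihsadmin` and run `conf_identity < /opt/IBM/HTTPServer/conf/httpd.conf` to compare the configured identity with the running one.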

Visit the HTTP server page and the Admin Server Page

By now we have two web server instances running, one for the HTTP server and the other for the Admin server. Try hitting the HTTP server at the port number we specified earlier (if you forgot this number, look it up in the httpd.conf file); in our case it was 8080.

You should see something like this.



Try hitting the Admin server page at http://websvr01:8008/wasadmin; you should be presented with a login screen. If you try to log in using the credentials "ihsadmin"/"password", you will get this error.


This is because the Admin server is meant to be logged into from the WebSphere Application Server console, and automation is performed from there. The HTTP Admin server is not meant to be an interactive website.

In the next article, we will manually set up the WebSphere Application Server plugin in this HTTP Server instance to act as a reverse proxy into the WAS.

Cheers,

