Skip to main content

Non-Functional Requirements::High Performance::Runtime patterns

Basic Runtime pattern

If you've already reviewed the Non-Functional Requirements::High Availability application emphasis, you may recognize the figure below. It is, in fact, the "High Availability: Runtime pattern: Variation 2: Load balancer hot standby". It is used here as the base application pattern for the High Performance patterns. ( The figure is based on the Basic Runtime pattern for the Self-Service::Stand-alone Single Channel application pattern. Although this Runtime pattern was historically used as an entry-level footprint, the proliferation of hacker attacks has caused it now to be regarded as an anti-pattern. However for the moment we will keep it on the web site because it has been used the IBM Redbook, IBM WebSphere V5 Edge of Network Patterns (SG24-6896), as the simplest base design to which various High Availability and High Performance nodes can be added.) The variations that follow show the additional nodes added to this basic Runtime design to enable each High Performance configuration.

High Performance::Basic Runtime pattern

High Performance: Runtime pattern Load Balancer Web Application Server Web Application Server Load Balancer Shared File Server Directory and Security Services User Domain Name Server Database Server Public Key Infrastructure Protocol Firewall Domain Firewall

The three zones contain the following nodes:

  • Outside World
    • Public Key Infrastructure
    • Domain Name Server
    • User
    • Multiple Load Balancer
    • Cluster
      • Multiple Web Application Server
  • Internal Network
    • Directory and Security Services
    • Database
    • Shared File System

Additionally between the Outside World and the DMZ is a Protocol Firewall and between the DMZ and the Internal Network is a Domain Firewall.

Design Last Updated: 12-2002
(Click a node to get a detailed explanation.)

Variation 1: Redirectors

For this variation, at least two additional nodes are needed:

  • Two or more Web server redirector nodes

This pattern splits the Web Application Server node into two functional nodes by separating HTTP server function from the application server function.

High Performance::Runtime pattern::Redirectors

High Performance: Runtime pattern: Redirectors Web Application Server Web Application Server Load Balancer Web Server Redirector Web Server Redirector Load Balancer Shared File Server Directory and Security Services User Domain Name Server Database Server Public Key Infrastructure Protocol Firewall Domain Firewall

The three zones contain the following nodes:

  • Outside World
    • Public Key Infrastructure
    • Domain Name Server
    • User
  • Demilitarized Zone
    • Multiple Load Balancer
    • Multiple Server Redirector
  • Internal Network
    • Multiple Application Server
    • Directory and Security Services
    • Database
    • Shared File System

Additionally between the Outside World and the DMZ is a Protocol Firewall and between the DMZ and the Internal Network is a Domain Firewall.

Design Last Updated: 12-2002
(Click a node to get a detailed explanation.)

The Web server redirector node decides whether the request is being served by the local HTTP server or forwarded to the application server nodes. This pattern moves the application server nodes behind the domain firewall adding further security.

The Web server redirector node is capable of performing workload management for the requests targeted at the application server nodes in the secure network. In addition, it can perform a port change to match the ports on which the application server nodes are listening. It also takes care of cookie based server affinity.

Benefits

This variation has the following additional benefits:

  • Each node type (Redirector and Application Server) can be configured to the specific tasks
  • A domain firewall between the two node types adds additional security
  • More flexibility in number of nodes of each type
  • Flexibility to not apply security on certain static content

Disadvantages

This variation has the following disadvantages:

  • Many configuration changes on the Application Server node call for a redeployment of the plugin-cfg.xml file to all Web server redirector nodes
  • The configuration of the domain firewall requires additional skills. especially if NAT is implemented, IIOP traffic must be tunneled.

Variation 2: Separation

The Runtime pattern we see here further separates the functionality to distinct Application Server nodes. The presentation tasks (Web modules) are run on the Presentation Server behind the domain firewall. The application tasks (EJB modules) run on the Application Server nodes behind the domain firewall in the secure network.

High Performance::Runtime pattern::Separation

High Performance: Runtime pattern: Separation Web Application Server Web Application Server Load Balancer Web Server Redirector Web Server Redirector Load Balancer Shared File Server Directory and Security Services User Domain Name Server Database Server Public Key Infrastructure Protocol Firewall Domain Firewall

The three zones contain the following nodes:

  • Outside World
    • Public Key Infrastructure
    • Domain Name Server
    • User
  • Demilitarized Zone
    • Multiple Load Balancer
    • Multiple Server Redirector
  • Internal Network
    • Multiple Presentation Server
    • Multiple Web Application Server
    • Directory and Security Services
    • Database
    • Shared File System

Additionally between the Outside World and the DMZ is a Protocol Firewall and between the DMZ and the Internal Network is a Domain Firewall.

Design Last Updated: 12-2002
(Click a node to get a detailed explanation.)

With this topology you would create two (WebSphere) server groups in order to execute the presentation and the application modules on different nodes. One would have clones on the Presentation Server nodes in the secure network running the Web modules. The other one would have clones on the Application Server nodes in the secure network running the EJB modules. In this manner, more repetitive and mundane presentation tasks can be offloaded from the application servers freeing more processing power for business application workload.

Benefits

This variation has the following additional advantages:

  • Flexibility to choose the protocol between the two application server nodes (HTTP, HTTPS, RMI, RMI/IIOP)
  • Further separation of presentation and application functionality

Disadvantages

This variation has the following disadvantages:

  • Configuration changes on the Presentation Server node may require a manual update of the Web server redirector nodes
  • More planning for application deployment is required

Variation 3: Caching proxy

A caching proxy node performs a similar function as redirector node in that it receives the initial HTTP request from the Internet. It can serve client requests from its cache, or redirect the request to back-end application servers behind a firewall. The advantage of a caching proxy node is that it can cache both static and dynamic pages in its local cache, thus reducing the traffic to and load on back-end Web application servers. The caching proxy can be configured to proxy one or more Web application server domains. In addition, the caching proxy can be configured to cache not only static pages served by the back-end servers, but also dynamic pages created by the back-end Web application servers.

High Performance::Runtime pattern::Single caching proxy

In this variation, the Web application server is moved behind the Domain Firewall and a single caching proxy node is placed in the DMZ. This configuration further isolates and protects the Web application server from the outside world by locating it within the internal network.

High Performance: Runtime pattern: Single caching proxy Load Balancer Shared File Server Caching Proxy Web Application Server Web Application Server Directory and Security Services User Domain Name Server Database Server Public Key Infrastructure Protocol Firewall Domain Firewall

The three zones contain the following nodes:

  • Outside World
    • Public Key Infrastructure
    • Domain Name Server
    • User
  • Demilitarized Zone
    • Caching Proxy
  • Internal Network
    • Load Balancer
    • Multiple Web Application Servers
    • Directory and Security Services
    • Database
    • Shared File System

Additionally between the Outside World and the DMZ is a Protocol Firewall and between the DMZ and the Internal Network is a Domain Firewall.

Design Last Updated: 02-2004
(Click a node to get a detailed explanation.)

This Runtime pattern represents an initial step in providing authentication and authorization functions for the site. In addition, performance has potentially been enhanced due to the introduction of the caching proxy machine.

Benefits

This variation offers the following benefits:

  • The caching proxy reduces response times tor static and dynamic content.
  • Serving static and dynamic content from the caching proxy (when appropriate) reduces the load on the back-end Web application servers.

Limitations

This variation has the following limitations:

  • The caching proxy node is a single point of failure.
  • Depending on the amount of traffic to be proxied, the caching proxy node could become a bottleneck.

High Performance::Runtime pattern::Caching proxy

This variation introduces a layer of caching proxy server nodes between the load balancer nodes and the Web application server nodes. Because a pure caching proxy node cannot balance requests to multiple (identical) proxy target nodes, a second layer of load balancer nodes is introduced as well. The second layer of load balancing can be configured on the two existing load balancer nodes. For This Runtime pattern variation, you need at least two nodes in addition to those in the Basic Runtime pattern above:

  • Two or more additional caching proxy server nodes
High Performance: Runtime pattern: Caching proxy Caching Proxy Caching Proxy Load Balancer Web Application Server Web Application Server Load Balancer Load Balancer Shared File Server Directory and Security Services User Domain Name Server Database Server Public Key Infrastructure Protocol Firewall Domain Firewall

The three zones contain the following nodes:

  • Outside World
    • Public Key Infrastructure
    • Domain Name Server
    • User
  • Demilitarized Zone
    • Multiple Load Balancer
    • Multiple Caching Proxies
  • Internal Network
    • Load Balancer
    • Multiple Web Application Servers
    • Directory and Security Services
    • Database
    • Shared File System

Additionally between the Outside World and the DMZ is a Protocol Firewall and between the DMZ and the Internal Network is a Domain Firewall.

Design Last Updated: 02-2004
(Click a node to get a detailed explanation.)

The first load balancer node passes the request for the information to the caching proxy nodes. The caching proxy determines if the requested page is in its cache. If the requested information is in the cache, it is served from there. If it is not in the cache, the request is passed on by the caching proxy to the second load balancer node which forwards the request to the back-end servers.

To minimize the overlap of duplicated content in the local cache of each caching proxy machine, remote cache access (RCA) can be implemented in each caching proxy. RCA allows each proxy to share the contents of its cache with the other proxy servers. This results in bandwidth savings because objects are not fetched multiple times, and the larger combined logical cache yields a higher hit rate. The challenge to efficiently use multiple caching proxy nodes is to have high speed connections between them or, in case of disk cache, a high performance shared file system.

Benefits

This variation offers the following benefits:

  • High availability is provided for all node types
  • The caching proxy layer reduces response times for static, cachable content
  • It reduces the load on the Web server redirector nodes
  • Supports SSL encryption between client and Proxy Sever node as well as Proxy Server node to content server node

Limitations

This variation has the following limitation:

  • To harvest the benefit of cache arrays, high speed connections or a high performance shared file system between the caching proxy server nodes is necessary

Variation 4: Caching proxy with security plug-ing

This variation introduces security services in the DMZ in the form of authentication and authorization checking performed by a plug-in component added to the caching proxy node. Security functions are implemented in front of all content server nodes to provide security services at the edge of your network. This reduces the amount of security processing load on the application server nodes, freeing resources to perform application processing work.

Security services in the form of a plug-in to a caching proxy node adds:

  • Robust authentication: only authenticated traffic is allowed into the trusted internal network.
  • Robust authorization: only authorized traffic is allowed into the internal network.
  • Flexibility of authentication and authorization rules: authentication and authorization rules can be easily changed without affecting the back-end application space.
  • Mix-and-match authentication: authenticating rules can be defined based on where a user is authenticating from, so that stronger authentication means can be required for users coming from the Internet, in contrast to weaker authentication means required by users within the internal network.
  • Cost effectiveness: authentication/logging software and hardware is located at the proxy server only. Heavily loaded back-end application servers are not required to implement security functionality or to increase their processing capacity to do so.

Variation A: High Performance::Runtime pattern::Single caching proxy security plug-in

High Performance: Runtime pattern: Single caching proxy with security plug-ing Security Plug In Load Balancer Shared File Server Caching Proxy Web Application Server Web Application Server Directory and Security Services User Domain Name Server Database Server Public Key Infrastructure Protocol Firewall Domain Firewall

The three zones contain the following nodes:

  • Outside World
    • Public Key Infrastructure
    • Domain Name Server
    • User
  • Demilitarized Zone
    • Caching Proxy with Security plug-in
  • Internal Network
    • Load Balancer
    • Multiple Web Application Servers
    • Directory and Security Services
    • Database
    • Shared File System

Additionally between the Outside World and the DMZ are multiple Protocol Firewalls and between the DMZ and the Internal Network are multiple Domain Firewalls.

Design Last Updated: 01-2004
(Click a node to get a detailed explanation.)

For this variation, you require the nodes shown in the High Performance: Basic Runtime pattern and at least two additional nodes:

  • One caching proxy node with security plug-in software added to the proxy. If an optional load balancer node is not present in the configuration, then the caching proxy node would be attached to each back-end Web application server node through the Domain firewall.
  • A directory and security services node if one has not been implemented previously
  • Optionally, one or more additional Web application server nodes (if you want to proxy multiple back-end servers)
  • Optionally, a load balancer node to balance client requests received from the caching proxy node amongst multiple Web application server nodes. If WebSphere Application Server is running on the application server nodes, then a separate load balancer node is not required since WebSphere Application Server can balance requests within a cluster.

Benefits

This variation offers the following benefits:

  • Adding the authentication and authorization functions in the form of a plug-in to the caching proxy eliminates much if not all the security processing power required by back-end application servers.
  • Removing security processing from back-end servers and moving it to machines running in the DMZ further isolates the back-end servers from potential security breaches.
  • Potentially allows for single sign-on support for all applications within the secure domain.

Limitations

This variation has the following limitation:

  • The caching proxy node is a single point of failure.
  • Depending on the amount of traffic to be proxied, and the amount of security processing required to perform enterprise security policies, the caching proxy node could become a bottleneck.

Variation B: High Performace::Runtime pattern::Caching proxies with security plug-in

This variation adds elements of scalability, high availability and back-up to the authentication and authorization functions performed in the caching proxy node with the introduction of additional caching proxy nodes and a high availability load balancer node to distribute client requests between the caching proxy nodes.

The second caching proxy node provides a measure of replication and failover support in the event of a caching proxy node failure (or if one is brought down for maintenance purposes). Each caching proxy node can perform the authentication/authorization functions required for clients in addition to proxying and caching requests to the back-end application servers.

Note: This is the same as High Availability: Runtime pattern: Caching proxies with security plug-in

High Availability::Runtime pattern::Caching proxies with security plug-in Security Plug In Security Plug In Caching Proxy Caching Proxy Security Plug In Load Balancer Shared File Server Web Application Server Web Application Server Load Balancer Directory and Security Services User Domain Name Server Database Server Public Key Infrastructure Protocol Firewall Domain Firewall

The three zones contain the following nodes:

  • Outside World
    • Public Key Infrastructure
    • Domain Name Server
    • User
  • Demilitarized Zone
    • Multiple Load Balancer
    • Cluster
      • Multiple Caching Proxies with Security plug-ins
  • Internal Network
    • Load Balancer
    • Mulitple Web Application Servers
    • Directory and Security Services
    • Database
    • Shared File System

Additionally between the Outside World and the DMZ is a Protocol Firewall and between the DMZ and the Internal Network is a Domain Firewall.

Design Last Updated: 01-2004
(Click a node to get a detailed explanation.)

This configuration is well suited for e-business environments demanding highly scalable and uninterrupted access to secure Web applications.

Benefits

  • Replicated caching proxy nodes adds scalability, increased bandwidth, and failover capabilities to the caching and security configuration.
  • High availability load balancer nodes provide automatic back-up and recovery from failures within both the load balancer nodes and the caching proxy nodes. In addition, scalability support is enhanced by being to easily add and remove additional caching proxy nodes as network traffic demands.

Limitations

  • Additional hardware is needed for caching proxy and load balancer nodes.

Next, review product mappings.

Close [x]

Shared File Server Node

The timely synchronization of several Web servers is achieved by using a shared file system as the content storage and capitalizing on the replication capability of this technology.

Additional Resources

  • (in English) ESS

Close [x]

Public Key Infrastructure (PKI)

PKI is a system for verifying the authenticity of each party involved in an Internet transaction, protecting against fraud or sabotage, and for nonrepudiation purposes to help consumers and retailers protect themselves against denial of transactions. Trusted third-party organizations called certificate authorities issue digital certificates -- attachments to electronic messages -- that specify key components of the user's identity. During an Internet transaction, signed, encrypted messages are automatically routed to the certificate authority, where the certificates are verified before the transaction can proceed. PKI can be embedded in software applications, or offered as a service or a product. e-business leaders agree that PKIs are critical for transaction security and integrity, and the software industry is moving to adopt open standards for their use.

Close [x]

Domain Name Server (DNS) Node

The DNS Node assists in determining the physical network address associated with the symbolic address (URL) of the requested information. The Domain Name Server Node provides the technology platform to provide host to IP address mapping, that is, to allow for the translation of names (referred to as URLs) into IP addresses and vice versa.

Additional Resources

  • (in English) ESS

Close [x]

User Node

The user node is most frequently a personal computing device (PC) supporting a commercial browser, for example, Netscape Navigator and Internet Explorer. The browser is expected to support SSL and some level of DHTML. Increasingly, designers need to also consider that this node might be a pervasive computing device, such as a Personal Digital Assistant (PDA).

Close [x]

Protocol Firewall Node

A firewall is a hardware/software system that manages the flow of information between the Internet and an organization's private network. Firewalls can prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets, and can block some virus attacks -- as long as those viruses are coming from the Internet. A firewall can separate two or more parts of a local network to control data exchange between departments. Components of firewalls include filters or screens, each of which controls transmission of certain classes of traffic. Firewalls provide the first line of defense for protecting private information, but comprehensive security systems combine firewalls with encryption and other complementary services, such as content filtering and intrusion detection.

Firewalls control access from a less trusted network to a more trusted network. Traditional implementations of firewall services include:

  • Screening routers, (the Protocol Firewall)
  • Application gateways (The Domain Firewall)

A pair of Firewall Nodes provides increasing levels of protection at the expense of increasing computing resource requirements. The Protocol Firewall is typically implemented as an IP Router.

See Also

Additional Resources

  • (in English) ESS

Close [x]

Domain firewall node

A firewall is a hardware/software system that manages the flow of information between the Internet and an organization's private network. Firewalls can prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets, and can block some virus attacks -- as long as those viruses are coming from the Internet. A firewall can separate two or more parts of a local network to control data exchange between departments. Components of firewalls include filters or screens, each of which controls transmission of certain classes of traffic. Firewalls provide the first line of defense for protecting private information, but comprehensive security systems combine firewalls with encryption and other complementary services, such as content filtering and intrusion detection.

Firewalls control access from a less trusted network to a more trusted network. Traditional implementations of firewall services include:

  • Screening routers (the Protocol Firewall)
  • application gateways (The Domain Firewall)

A pair of Firewall Nodes provides increasing levels of protection at the expense of increasing computing resource requirements. The Domain Firewall is typically implemented as a dedicated server Node.

See Also

Additional Resources

  • (in English) ESS

Close [x]

Web Application Server

A Web application server node is an application server that includes an HTTP server (also known as a Web server) and is typically designed for access by HTTP clients and to host both presentation and business logic.

The Web application server node is a functional extension of the informational (publishing-based) Web server. It provides the technology platform and contains the components to support access to both public and user specific information by users employing Web browser technology. For the latter, the node provides robust services to allow users to communicate with shared applications and databases. In this way, it acts as an interface to business functions, such as banking, lending, and HR systems.

The node can contain these data types:

  • HTML text pages, images, multimedia content to be downloaded to the client browser
  • JavaServer Pages
  • Application program libraries, such as Java applets for dynamic download to client Workstations

See Also

Additional Resources

  • (in English) ESS

Close [x]

Web Server Redirector Node

In order to separate the Web server from the application server, a so-called Web Server Redirector Node (or just redirector for short) is introduced. The Web server redirector is used in conjunction with a Web server. The Web server serves HTTP pages and the redirector forwards servlet and JSP requests to the application servers. The advantage of using a redirector is that you can move the application server behind the domain firewall into the secure network, where it is more protected than within the DMZ.

Close [x]

Directory and security services node

The directory and security services node supplies information on the location, capabilities, and attributes (including user ID/password pairs and certificates) of resources and users known to this Web application system. This node can supply information for various security services (authentication and authorization) and can also perform the actual security processing, for example, to verify certificates. The authentication in most current designs validates the access to the Web application server part of the Web server, but this node also authenticates for access to the database server.

See Also

Additional Resources

  • (in English) ESS

Close [x]

Database server node

This Node's function is to provide persistent data storage and retrieval in support of the user to-online buying transactional interaction.

Customer related data that is stored is relevant to the specific business interaction, for example, the shopping cart and shipping address information. Some sites are registering users and storing customer profile data such as address, clothing sizes, preferences, and gift wish lists that others can access when buying presents. Most sites today do not store credit card information on this server for security reasons.

Also stored here is the product and catalog information used to dynamically build HTML pages for presentation during the shopping process.

The mode of DB access is perhaps the most important factor determining the performance of this Web application, in all but the simplest cases. The recommended approach is to collapse the DB accesses into a single or very few calls. This can be achieved using coding and invoking Stored Procedure Calls on the database. Typically many commerce servers share only one database server in a high volume site, so the technology to implement this node must be able to scale vertically.

Close [x]

Database Server Node

This Node's function is to provide a persistent data storage and retrieval in support of the user-to-business transactional interaction. The data stored is relevant to the specific business interaction, for example bank balance, insurance information, and current purchase by the user.

It is important to note that the mode of database access is perhaps the most important factor determining the performance of this Web application, in all but the simplest cases. The recommended approach is to collapse the database accesses into single or very few calls. This can be achieved via coding and invoking stored procedure calls on the database.

See Also

Additional Resources

  • (in English) ESS

Close [x]

Thin Client Transactional Pattern

The Thin Client Transactional Pattern is the Enterprise Solution Structure (ESS) technical architecture which addresses the need to do enterprise-scale administrative business as opposed to solutions requiring real-time control of equipment. For example:

  • Customer sales and service
  • Order processing
  • Claims processing, loan origination, and so on.

Its purpose is to support the business need of doing enterprise-scale commerce (as contrasted with business intelligence or collaboration) over the Web or via network-connected workstations. The essence of this pattern is the need to use highly secure, highly scalable transaction processing via this new channel.

See Also

Additional Resources

Close [x]

Enterprise Solution Structure (ESS)

Enterprise Solutions Structure (ESS) is a major IBM initiative to establish a standard architectural framework to support creation, reuse, and maintenance of architecture and design assets. These intellectual capital assets are used by IBM services practitioners for developing and delivering enterprise solutions. ESS draws on experiences with building customer solutions to distill "best practice" structures, models, and sample deliverables. The framework provides a rich set of architectural building blocks for solution architects and provides guidance on when and how to use this content to advantage. Specifically, this architecture provides a common, consistent approach for understanding and documenting business requirements via a business model, designing a logical architecture of key components and services, and finally, implementing a physical architecture based on actual products, platforms, and services.

The term "Reference Architecture" is used to refer to the collection of assets which as a whole describe how to implement a given type of business solution. For example, there is a reference architecture which shows how to implement a call center. There is another one which shows how to implement an online buying application. This site which provides Patterns for e-business is based to a large extent upon the ESS reference architecture assets. The intent is to share a summary of those reference architectures with you in this way.

See Also

Additional Resources

Close [x]

Load Balancer Node

The Load Balancer (or Network Dispatcher) provides horizontal scalability by dispatching http connections among several, identically configured Web Servers.

The Load Balancer component distributes interactive traffic across a number of hosts using dynamically updated rules for load balancing, while providing a single system image to the client system. It is used to achieve scalability through use of multiple servers, and high availability through being able to dynamically vary the algorithms by which a host is selected if one host fails or becomes overloaded.

The Load Balancer may be required to concurrently provide local or remote load balancing function for:

  • Web server requests
  • Mail servers
  • Firewall / authentication hosts (i.e. not just IP address filtering)

The Load Balancer uses TCP/IP addressing standards to provide a single IP address for users to access. IP aliasing allows the ND to forward a message to a host and have it appear as if it had come direct from the client. The host therefore replies directly to the client.

The Load Balancer selects a host to process each incoming message on the basis of user-defined rules and dynamically updated information about the status of each eligible host. It uses agents to maintain awareness of the health and loading of each eligible back-end host within a defined cluster, and forwards each incoming request to one of these hosts on the basis of either existing persistent connections or the displaceable capacity (loading) of the target host application or server.

The main benefits of using a Load Balancer are

  • Enhanced service scalability, as servers can be replicated to accommodate increasing workload
  • Enhanced service availability, as traffic can be routed to alternative servers if one server fails
  • Enhanced manageability, as an individual server can be taken out of service for maintenance without interrupting the service to users.

Additional Resources

  • (in English) ESS

Close [x]

Caching Proxy Node

A proxy server node intercepts data requests from a client, retrieves the requested information from content-hosting machines, and delivers that content back to the client. Most commonly, the requests are for documents stored on Web server machines and delivered via the Hypertext Transfer Protocol (HTTP). However, some proxy servers also handle other protocols such as File Transfer Protocol (FTP) and Gopher. The IP address of the content-hosting machines is not seen by the clients.

A caching proxy node stores cacheable content in a local cache before delivering it to the client. Subsequent requests for the same content are served from the local cache which is much faster and does not consume as much content server processing and network bandwidth.

Close [x]

Security Plug-In

A software component that provides authentication and authorization checking security services.