Platform-as-a-service environment considerations for setting up Liberty

Platform-as-a-service (PaaS) environments, such as IBM Cloud®, Pivotal Cloud Foundry, and OpenShift Enterprise, provide management and monitoring of application instances, but they also have some restrictions. Because of the inherent characteristics of PaaS environments, some Liberty features are redundant or behave differently, and they are therefore not supported.

Liberty server management restrictions

Features related to Liberty collectives do not apply to a PaaS environment because all Liberty server JVM instances are started, stopped, and managed by the PaaS infrastructure. The Admin Center feature is not designed to be used in a PaaS environment, where an application can be scaled to use multiple JVM instances without a collective controller. In this topology, a request to Admin Center could be directed to any of the running instances and have visibility only to the server on which the request runs.

The following administrative features are not supported in a PaaS environment:
  • adminCenter-1.0
  • clusterMember-1.0
  • collectiveController-1.0
  • collectiveMember-1.0
  • dynamicRouting-1.0
  • healthAnalyzer-1.0
  • healthManager-1.0
  • scalingController-1.0
  • scalingMember-1.0

File system restrictions

Most PaaS environments do not provide a persistent local file system to their applications. For Liberty, this impacts both the applications and the components within the server that write data locally and expect it to persist across a server JVM restart.

The Liberty transaction manager writes log files to the local file system when multiple resource managers are involved in the transaction. If the logs are not available after a JVM failure and restart, then transactions cannot be automatically completed and must be manually resolved to unlock data and to make it consistent across resource managers. To avoid this scenario, the Liberty buildpack or cartridge prevents transaction log records from being written and raises an exception to the application to prevent the second resource from enlisting. As a result, although you can still use transactions with a single XA resource, a second transactional resource cannot be enlisted in a transaction. Additionally, Web Services Atomic Transactions cannot be used because they always write log records.

If your PaaS environment provides persistent storage, then you can modify the Liberty buildpack or cartridge to enable two-phase transactions by removing the following Java™ property from the JVM configuration:

-Dcom.ibm.tx.jta.disable2PC=true

The following features depend on persistent local storage:
  • wsAtomicTransaction-1.2
  • Other features that use transactions, depending on the application behavior

Network restrictions

In general, PaaS routers do not support Internet Inter-ORB Protocol (IIOP) traffic, so remote requests to Enterprise JavaBeans (EJB) components cannot be used. The following features depend on IIOP transport:
  • appClientSupport-1.0
  • appSecurityClient-1.0
  • ejbRemote-3.2

Most PaaS environments can terminate SSL at the HTTP router, which decrypts encrypted inbound requests. These encrypted requests can be HTTPS or wss. The decrypted request is then passed to the application server as a decrypted HTTP or wss request. Some applications are configured to be accessible only by encrypted requests. You can set this configuration in the web.xml file of the application by using the transport-guarantee element, or by using the transportGuarantee element on the @HttpConstraint annotation. Some Liberty features are implemented as applications that require secure transport, including the REST connector, Admin Center, and API Discovery.

In an environment where SSL is terminated before the request reaches the application server, a mechanism is needed for the router to indicate to the application server that the original request from the client was encrypted. This mechanism ensures that the application request can still succeed. When SSL is terminated in DataPower, such as when DataPower is used with IBM Cloud, or in IBM HTTP Server, a private WebSphere header is used. Beginning with fix pack 16.0.0.4, when other HTTP routers are used, the router can set the X-Forwarded-Proto header to indicate the protocol of the original request. If the request was originally encrypted, the header indicates the HTTPS or wss protocol. The Liberty server then allows access to applications that require secure transport.

The following features require the router to set HTTP headers to indicate that SSL termination occurred:

  • ssl-1.0
  • Other features that depend on ssl-1.0, as listed in the Features that enable this feature section of Secure Socket Layer.
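
The feature lists and the two-phase commit property above can be checked before a server is pushed to a PaaS. The following is an added example, not IBM code: it assumes the features are declared in `<feature>` elements of a server.xml file and that JVM options arrive as jvm.options-style text with one option per line; `audit` and the sample inputs are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Feature lists copied from this page, keyed by the restriction that rules them out.
UNSUPPORTED = {
    "server management": ["adminCenter-1.0", "clusterMember-1.0",
                          "collectiveController-1.0", "collectiveMember-1.0",
                          "dynamicRouting-1.0", "healthAnalyzer-1.0", "healthManager-1.0",
                          "scalingController-1.0", "scalingMember-1.0"],
    "persistent local storage": ["wsAtomicTransaction-1.2"],
    "IIOP transport": ["appClientSupport-1.0", "appSecurityClient-1.0", "ejbRemote-3.2"],
}
DISABLE_2PC = "-Dcom.ibm.tx.jta.disable2PC=true"

def audit(server_xml, jvm_options, persistent_storage=False):
    """Return (severity, message) findings for a Liberty server bound for a PaaS."""
    # Normalise case and whitespace so formatting differences do not hide a match.
    enabled = {(f.text or "").strip().lower()
               for f in ET.fromstring(server_xml).iter("feature")}
    findings = []
    for reason, names in UNSUPPORTED.items():
        if reason == "persistent local storage" and persistent_storage:
            continue  # storage-dependent features are acceptable once storage persists
        findings += [("error", f"{n}: not supported on PaaS ({reason})")
                     for n in names if n.lower() in enabled]
    if "ssl-1.0" in enabled:
        findings.append(("warn", "ssl-1.0: router must signal SSL termination in an HTTP header"))
    # One JVM option per line; blank lines and '#' comment lines are ignored.
    opts = {ln.strip() for ln in jvm_options.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}
    if DISABLE_2PC not in opts and not persistent_storage:
        findings.append(("error", "2PC enabled but transaction logs would not persist"))
    return findings

# Constructed sample input (not taken from a real deployment).
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>servlet-3.1</feature>
    <feature>ssl-1.0</feature>
    <feature>ejbRemote-3.2</feature>
    <feature>AdminCenter-1.0</feature>
  </featureManager>
</server>"""
SAMPLE_JVM_OPTIONS = "# constructed sample\n-Xmx512m\n"

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SERVER_XML, SAMPLE_JVM_OPTIONS):
        print(severity, message)
```

Pass `persistent_storage=True` only when the platform really does keep the transaction log directory across JVM restarts.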

Liberty swagger processor

In a Cloud Foundry environment, the swagger processor in Liberty, including its user interface, checks for the existence of the VCAP_APPLICATION environment variable. It uses the first element of the uris array as the API host.