Creating advanced deployment manager profiles

You can create a WSRR deployment manager profile by using the Profile Management Tool. Choosing the Advanced option in the Profile Management tool creates a profile with a customized configuration

About this task

By selecting the Advanced option, you can do the following:

Assign customized values to the location of the profile, and to the names of the profile, node, host, and cell.
Enable administrative security.
Create or import a personal security certificate for the profile. The default certificate has a personal key and private key, each with a default value of WebAS (you must change this password). The expiration period is one year.
Create or import a root signing security certificate for signing other certificates. The default certificate has a personal key and private key, each with a default value of WebAS (you must change this password). The expiration period is 15 years.
If your operating system and the privileges of your user account permit, create a system service to run the server.

After you create the deployment manager profile, you use the administrative console to deploy WSRR to clusters or federated servers controlled by the deployment manager. See the related link for details.

Procedure

In the Profile Name and Location page, perform the following steps.
1. Specify a unique name and directory path for the profile, or accept the defaults.
  Each profile that you create must have a name. When you have more than one profile, you can tell them apart at their highest level by this name. If you elect not to use the default name, see Naming considerations for profiles, nodes, servers, hosts, and cells for information about issues you must consider when naming the profile, such as restrictions on the length of the directory name.
  The directory you specify will contain the files that define the runtime environment, such as commands, configuration files, and log files. The default directory is dependent on platform:
  - install_root/profiles/profile_name
  - install_root\profiles\profile_name
  where profile_name is the name you specified. An error message is displayed if:
  - The profile_name you specify is not unique.
  - The directory you specify is not empty.
  - Your user ID does not have sufficient permissions for the directory.
  - There is not sufficient space to create the profile.
2. You can make the profile you are creating the default profile (so commands work automatically with it) by selecting the Make this profile the default check box. This check box is displayed only if you have an existing profile on your system.
  The first profile that you create on a workstation is the default profile.
  
  The default profile is the default target for commands that are issued from the bin directory in the product installation root. When only one profile exists on a workstation, every command operates on that profile. If more than one profile exists, certain commands require that you specify the profile to which the command applies.
3. Click Next. (If you click Back and change the name of the profile, you might have to manually change the name on this page when it is displayed again.)
  The Node, Host and Cell Names page is displayed.
In the Node, Host and Cell Names page, specify the node, host, and cell names for the deployment manager profile, or accept the defaults and click Next. Try to keep the node name as short as possible, but ensure that node names are unique within your deployment environment. See Naming considerations for profiles, nodes, servers, hosts, and cells for information about reserved terms and other issues you must consider when naming.
The Administrative Security page is displayed.
Optionally enable administrative security.
You can enable administrative security now, or later from the administrative console. To enable administrative security now, leave the Enable administrative security check box selected, supply a user name and password to log on to the administrative console, and click Next. To disable administrative security, clear the check box. To enable administrative security later from the administrative console, open the console and click Security > Business Integration Security.

If you chose to enable administrative security then application security will also automatically be enabled.

The Security Certificate (Part 1) page is displayed.
In the Security Certificate (Part 1) page, create a default personal certificate and a root signing certificate, or import a personal certificate and a root signing certificate from keystore files, and click Next.
You can create both certificates, import both certificates, or create one certificate, and import the other certificate.

When you import a personal certificate as the default personal certificate, import the root certificate that signed the personal certificate. Otherwise, the Profile Management Tool adds the signer of the personal certificate to the trust.p12 file. If you import the default personal certificate or the root signing certificate, specify the path and the password, and select the keystore type and the keystore alias for each certificate that you import.

The Security Certificate (Part 2) page is displayed.
In the Security Certificate (Part 2) page, verify that the certificate information is correct, and click Next.
If you create the certificates, you can use the default values or modify them to create new certificates. The default personal certificate is valid for one year by default and is signed by the root signing certificate. The root signing certificate is a self-signed certificate that is valid for 15 years by default. The default keystore password for the root signing certificate is WebAS. Change the password. The password cannot contain any double-byte character set (DBCS) characters because certain keystore types, including PKCS12, do not support these characters. The keystore types that are supported depend on the providers in the java.security file.
When you create either or both certificates, or import either or both certificates, the keystore files that are created are:
- key.p12: Contains the default personal certificate.
- trust.p12: Contains the signer certificate from the default root certificate.
- root-key.p12: Contains the root signing certificate.
- default-signers.p12: Contains signer certificates that are added to any new keystore file that you create after the server is installed and running. By default, the default root certificate signer and a DataPower® signer certificate are in this keystore file.
- deleted.p12: Holds certificates deleted with the deleteKeyStore task so that they can be recovered if needed.
- ltpa.jceks: Contains server default Lightweight Third-Party Authentication (LTPA) keys that the servers in your environment use to communicate with each other.
These files all have the same password when you create or import the certificates, which is either the default password, or a password that you specify.
An imported certificate is added to the key.p12 file or the root-key.p12 file.

If you import any certificates and the certificates do not contain the information that you want, click Back to import another certificate.
Choose whether to run the process as a Windows service on a Windows platform or as a Linux service on a Linux platform and click Next.
The Windows Service Definition page is displayed for the Windows platform only if the ID that installs the Windows service has the Administrator group privilege. If the profile is configured as a Windows service, the product starts Windows services for processes started by the startServer or startManager commands. For example, if you configure a server or deployment manager as a Windows service and issue the startServer or startManager commands, the wasservice command starts the defined services.
Important: If you choose to log on as a specified user account, you must specify the user ID and the password for the user who is to run the service, and the startup type (default is Manual). The user ID must not have spaces in its name, it must belong to the Administrator group, and it must have the advanced user right "Log on as a service." If the user ID belongs to the Administrator group, the Profile Management Tool grants it the advanced user right if it does not already have it.

During profile deletion, you can remove the Windows service that is added during profile creation.

Profiles created to run as a Windows service fail to start when using IPv6 if the service is configured to run as Local System. Create a user-specific environment variable to enable IPv6. Because this environment variable is a user variable instead of a Local System variable, only a Windows service that runs as that specific user can access this environment variable. By default, when a new profile is created and configured to run as a Windows service, the service is set to run as Local System. When the WSRR Windows service tries to run, the service is unable to access the user environment variable that specifies IPv6, and thus tries to start as IPv4. The server does not start correctly in this case. To resolve the problem, when creating the profile, specify that the WSRR Windows service runs as the same user ID under which the environment variable that specifies IPv6 is defined, instead of as Local System.

The Linux Service Definition page is displayed only if the current operating system is a supported version of Linux and the current user has the appropriate permissions.

WSRR attempts to start Linux services for processes that are started by the startServer or startManager commands. For example, if you configure a server or deployment manager as a Linux service and issue the startServer or startManager commands, the wasservice command starts the defined services.

By default, WSRR is not selected to run as a Linux service.

To create the service, the user who runs the Profile Management Tool must be the root user. If you run the Profile Management Tool with a non-root user ID, the Linux Service Definition page is not displayed, and no service is created.

You must specify a user name under which the service runs.

To delete a Linux service, the user must be the root user or have proper privileges for deleting the service. Otherwise, a removal script is created that the root user can run to delete the service on behalf of the user.
In the Profile Summary page, click Create to create the profile or Back to change the characteristics of the profile.
When the profile creation is complete, the Profile Complete page is displayed with the message The Profile Management tool created the profile successfully.
Attention: If errors are detected during profile creation, other messages might be displayed in place of the success message, for example:
- The Profile Management tool created the profile but errors occurred, which indicates that profile creation completed but errors were generated.
- The Profile Management tool cannot create the profile, which indicates that profile creation failed completely.
The Profile Complete page identifies the log file to reference in order to troubleshoot the problem.

What to do next

After creating the deployment manager profile, you must create profiles for your cluster members and federated servers (if these do not already exist). You then use the deployment manager administrative console to create your cluster, or federate managed nodes, and deploy WSRR to them.