Configuring communication with a core group that resides on a DMZ Secure Proxy Server for IBM WebSphere Application Server (deprecated)

This task describes the steps that you must perform to establish communication between a cell inside of a firewall, and a DMZ Secure Proxy Server for IBM® WebSphere® Application Server outside of the firewall.

Deprecated feature: DMZ Secure Proxy Server is deprecated.

Before you begin

  • Create a DMZ Secure Proxy Server for IBM WebSphere Application Server on your machine that is outside of the firewall, if one does not already exist.
  • Configure core group bridges between your core groups that are in located inside of the firewall but reside in different cells, if they do not already exist.

About this task

Avoid trouble: When configuring core group bridges, remember the following requirements:
  • Whenever a change is made in core group bridge configuration, including the addition of a new bridge, or the removal of an existing bridge, you must fully shut down, and then restart all core group bridges in the affected access point groups.
  • There must be at least one running core group bridge in each core group. If you configure two bridges in each core group, a single server failure does not disrupt the bridge functionality. Also, configuring two bridges enables you to periodically cycle out one of the bridges. If all the core group bridges in a core group are shut down, the core group state from all foreign core groups is lost.
Best practice: It is also recommended that:
  • Core group bridges be configured in their own dedicated server process, and that these processes have their monitoring policy set for automatic restart.
  • For each of your core groups, you set the IBM_CS_WIRE_FORMAT_VERSION core group custom property to the highest value that is supported on your environment.
  • To conserve resources, do not create more than two core group bridge interfaces when you define a core group access point. You can use one interface for workload purposes and another interface for high availability. Ensure that these interfaces are on different nodes for high availability purposes. For more information, see the frequently asked question information on core group bridges.
  • You should typically specify ONLY two bridge interfaces per core group. Having at least two bridge interfaces is necessary for high availability. Having more than two bridge interfaces adds unnecessary overhead in memory and CPU.

Complete the following actions to create a tunnel access point group that contains the core group access point for the DMZ Secure Proxy Server for IBM WebSphere Application Server, and a tunnel peer access point that represents the cell that is located inside the firewall.

Procedure

  1. In the administrative console, click Servers > Core Groups > Core group bridge settings > Tunnel templates > New to create a new tunnel template that will represent the core group bridge tunnel settings that can be exported to the DMZ Secure Proxy Server for IBM WebSphere Application Server.
  2. Select the core group access points that you want to include in this group.

    When specifying the core group access points for the tunnel access point group, use the arrows to place the core group access points in the correct order. The specified order determines the order in which the DMZ Secure Proxy Server for IBM WebSphere Application Server defines the peer core groups of a tunnel peer access point. During startup, the proxy server attempts to connect to the peer core groups according to the order in which they are listed.

  3. Click OK.
  4. Click Tunnel templates, select the name of the template that you just created, and then click Export.

    The file is exported to the WAS_DMGR_PROFILE_ROOT/TUNNEL_TEMPLATE_NAME.props file.

  5. On the DMZ Secure Proxy Server for IBM WebSphere Application Server, import the tunnel template settings into the DMZ Secure Proxy Server for IBM WebSphere Application Server configuration file.
    To import the tunnel template, issue one of the following commands: 
    $AdminTask importTunnelTemplate -interactive
    or 
    $AdminTask importTunnelTemplate {-inputFileName tunnel_template_name 
     -bridgeInterfaceNodeName DMZ_PROXY_NODE_NAME 
     -bridgeInterfaceServerName secure_proxy_name}

    and then issue the $AdminConfig save command.

    Where tunnel_template_name is the name that you gave the tunnel template that you just created, and secure_proxy_name is the name of your DMZ Secure Proxy Server for IBM WebSphere Application Server.

  6. Optional: Configure the high availability manager protocol to establish transparent bridge failover support.

    During core group bridge state rebuilds, cross-core group state can be moved between running bridges. This situation might cause the data to be temporarily unavailable until the bridge has completed the rebuild process.

    If you are running on Version 7.0.0.1 or later, set the IBM_CS_HAM_PROTOCOL_VERSION core group custom property to 6.0.2.31 for all of your core groups to avoid a possible high availability state outage during core group bridge failover. When this custom property is set to 6.0.2.31, the remaining bridges recover the high availability state of the failed bridge without the data being unavailable in the local core group.

    Complete the following actions to set the IBM_CS_HAM_PROTOCOL_VERSION core group custom property to 6.0.2.31 for all of your core groups.

    1. Shut down all core group bridges in all of your core groups.
    2. Repeat the following actions for each core group in each of your cells:
      1. In the administrative console, click Servers > Core Groups > Core group settings > core_group_name > Custom properties.
      2. Specify IBM_CS_HAM_PROTOCOL_VERSION in the Name field, and 6.0.2.31 in the Value field.
      3. Save your changes.
    3. Synchronize your changes across the topology.
    4. Restart all of the bridges in the topology.
    All of the core groups within this topology are using the 6.0.2.31 high availability manager protocol.

Results

A tunnel access point group is created that contains the core group access point for the DMZ Secure Proxy Server for IBM WebSphere Application Server, and a tunnel peer access point that represents the cell that is located inside the firewall.