Learn how to configure load balancing for the on-premises IBM® Netcool®/OMNIbus WebGUI or Dashboard Application Services Hub nodes in a hybrid high availability disaster recovery (HADR) deployment, where there is more than one on-premises WebGUI node.
About this task
The on-premises WebGUI or DASH servers must be set up with load balancing by using an HTTP Server that balances the UI load. If you do not already have load balancing configured for your on-premises WebGUI or DASH nodes, then follow the steps listed in the procedure.
If you want to configure load balancing or high availability (HA) with ObjectServer as the database, see Configuring load balancing with the ObjectServer.
Procedure
- Install Db2®.
- Install IBM HTTP Server.
Note: Server and cluster certificates need to be regenerated manually when certificates expire or when root Certificate Authority (CA) or intermediate CA certificates are refreshed. For more information, see Certificate rotation.
Configure WebSphere® certificates. For more information, see Creating signed WebSphere Application Server certificates.
- Configure single sign-on for the DASH servers.
Export the LTPA keys from the first DASH server, and then import them on to the other DASH server(s). For more information, see Supporting procedures for single sign-on in the Netcool/OMNIbus documentation.
- Create a database to manage load balancing, and then enable WebSphere to connect to the database.
Create a database in Db2, and then from DASH, click , and then and add an entry for Db2. For more information, see Setting up a load balanced cluster in the Jazz® for Service Management documentation.
- Create a WebSphere datasource to enable connection to the load-balancing Db2 database:
In DASH, click , and then and add an entry for the load balancing Db2 database that you created.
- Create a key database for IBM HTTP Server to store keys and certificates in.
cd /space/ibm/netcool/httpserver/bin
./gskcapicmd -keydb -create -db ~/http-server-keys -pw WebAS -stash
For more information, see Creating a new key database using the command-line interface in the IBM HTTP Server documentation.
- Add root CA cert to the IBM HTTP Server keystore.
./gskcmd -cert -add -db ~/http-server-keys.kdb -pw WebAS -file ~/root-ca.pem -label root-ca
- Add intermediate cert to the IBM HTTP Server keystore.
./gskcmd -cert -add -db ~/http-server-keys.kdb -pw WebAS -file ~/intermediate-ca.pem -label intermediate
- Create a Certificate Signing Request (CSR).
./gskcapicmd -certreq -create -db ~/http-server-keys.kdb -pw WebAS -dn "C=GB,ST=England,O=IBM,OU=HDM,CN=noi-on-prem1.xyz.com" -size 2048 -file ~/http-server-lb.csr -label http-server-lb
- Sign the CSR with your intermediate cert to create http-server-lb.crt.
- Add the signed cert to the IBM HTTP Server keystore.
./gskcmd -cert -receive -file ~/http-server-lb.crt -db ~/http-server-keys.kdb -pw WebAS
- Assign the root CA certificate to be the default certificate. For more information, see Creating a self-signed certificate in the IBM HTTP Server documentation. Alternatively, you can use the ikeyman utility provided with IBM HTTP Server to assign the root CA certificate as the default.
Note: Server and cluster certificates need to be regenerated manually when certificates expire or when root Certificate Authority (CA) or intermediate CA certificates are refreshed. For more information, see Certificate rotation.
- Configure SSL for IBM HTTP Server.
Locate the line # End of example SSL configuration in HTTP_server_install_dir/conf/httpd.conf, and then append the following, ensuring that your KeyFile and SSLStashfile values reference the key database file that you created for IBM HTTP Server.
# End of example SSL configuration
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
ErrorLog "/home/test/sslerror.log"
TransferLog "/home/test/sslaccess.log"
KeyFile "/home/test/http-server-keys.kdb"
SSLStashfile "/home/test/http-server-keys.sth"
</VirtualHost>
SSLDisable
- Tell IBM HTTP Server where the plugin-cfg.xml will be.
Add the following to the end of HTTP_server_install_dir/conf/httpd.conf:
LoadModule was_ap22_module "HTTP_server_install_dir/bin/64bits/mod_was_ap22_http.so"
WebSpherePluginConfig "HTTP_server_install_dir/config/plugin-cfg.xml"
- Configure the WebSphere Application Server plugin for IBM HTTP Server.
Generate plugin-cfg.xml, and copy it to your IBM HTTP Server installation.
JazzSM_Profile/bin/GenPluginCfg.sh
cp /space/ibm/netcool/jazz/profile/config/cells/plugin-cfg.xml HTTP_web_server_install_dir/plugins/config/webserver1/plugin-cfg.xml
Edit plugin-cfg.xml to point to your key store and stashfile (http-server-keys.kdb and http-server-keys.sth), and add entries for each of your DASH servers. For more information, see Generating the plugin-cfg.xml file in the Jazz for Service Management documentation.
- Edit HTTP_web_server_install_dir/plugins/config/webserver1/plugin-cfg.xml
Find the section called <UriGroup Name="server1_Cluster_URIs"> and append this line:
<Uri AffinityCookie="JSESSIONID_ibm_console_16310" AffinityURLIdentifier="jsessionid" Name="/oauth2/*"/>
- Start the HTTP Server
HTTP_web_server_install_dir/bin/apachectl start
- Stop and restart the Jazz for Service Management application server.
cd JazzSM_WAS_Profile/bin
./stopServer.sh server1 -username smadmin -password password
./startServer.sh server1
where JazzSM_WAS_Profile is the location of the application server profile that is used for Jazz for Service Management. This is usually /opt/IBM/JazzSM/profile.
- Stop secondary DASH nodes and run
the following command on the primary DASH node:
<JazzSM_Home>/ui/bin/consolecli.sh ForceHAUpdate --username <smadmin_user> --password <smadmin_password>
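The plugin-cfg.xml edits in the procedure above (key store and stashfile on each HTTPS transport, one entry per DASH server, and the /oauth2/* Uri in server1_Cluster_URIs) can be checked before IBM HTTP Server is started. This is an added example, not part of the IBM documentation; the sample file, host names, port and the /opt key paths are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (hostnames, port and the dash2 key paths are made up for the example).
SAMPLE_PLUGIN_CFG = """<Config>
 <ServerCluster Name="server1_Cluster">
  <Server Name="dash1">
   <Transport Hostname="dash1.example.com" Port="16311" Protocol="https">
    <Property Name="keyring" Value="/home/test/http-server-keys.kdb"/>
    <Property Name="stashfile" Value="/home/test/http-server-keys.sth"/>
   </Transport>
  </Server>
  <Server Name="dash2">
   <Transport Hostname="dash2.example.com" Port="16311" Protocol="https">
    <Property Name="keyring" Value="/opt/plugin-key.kdb"/>
    <Property Name="stashfile" Value="/opt/plugin-key.sth"/>
   </Transport>
  </Server>
 </ServerCluster>
 <UriGroup Name="server1_Cluster_URIs">
  <Uri AffinityCookie="JSESSIONID_ibm_console_16310" AffinityURLIdentifier="jsessionid" Name="/ibm/console/*"/>
 </UriGroup>
</Config>"""

def check_plugin_cfg(xml_text, keyring, stashfile, dash_hosts,
                     uri_group="server1_Cluster_URIs", required_uri="/oauth2/*"):
    """Return a list of findings; an empty list means the edits are in place."""
    root = ET.fromstring(xml_text)
    findings, seen = [], set()
    for transport in root.iter("Transport"):
        host = transport.get("Hostname")
        seen.add(host)
        if transport.get("Protocol") != "https":
            continue  # only HTTPS transports carry keyring/stashfile properties
        props = {p.get("Name"): p.get("Value") for p in transport.findall("Property")}
        for name, want in (("keyring", keyring), ("stashfile", stashfile)):
            if props.get(name) != want:
                findings.append(f"{host}: {name} is {props.get(name)!r}, expected {want!r}")
    for host in sorted(set(dash_hosts) - seen):
        findings.append(f"{host}: no Transport entry for this DASH server")
    group = root.find(f"UriGroup[@Name='{uri_group}']")
    uris = [] if group is None else [u.get("Name") for u in group.findall("Uri")]
    if required_uri not in uris:
        findings.append(f"{uri_group}: missing Uri {required_uri}")
    return findings

if __name__ == "__main__":
    kdb = "/home/test/http-server-keys"
    print(check_plugin_cfg(SAMPLE_PLUGIN_CFG, kdb + ".kdb", kdb + ".sth", ["dash1.example.com"]))
```

On the constructed sample the check reports the dash2 transport that still points at a different key database and the missing /oauth2/* entry.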
Results
When you have load balancing correctly configured, you are able to access DASH without providing a port in the URL, for example: https://http_server_hostname/ibm/console.
Verify that the DASH nodes are Active and InSync. Run the following command from one of the DASH servers:
_ui/bin/consolecli.sh ListHANodes --username --password
Where the admin user name is smadmin by default.
If the listed nodes are not Active and InSync, run the following command:
consolecli.sh ForceHAUpdate --username --password
Check the load balanced setup. Check that the NODES table in the Db2 database associated with the jdbc/tipds data source contains all HA nodes. Also check that the request sent to the load balancer returns all servers in the load balanced setup. Run the following command as an smadmin user:
curl --insecure -X GET -v "https://<load-balancer-host>:<port>/ISCHA/NotificationServlet?username=smadmin&password=<smadmin-password>&listHANodes=truejsp"
Where values for your <load-balancer-host> and <port> are specified for your load balancer and <smadmin-password> is the password for the smadmin user.
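The verification request above carries the smadmin password in the URL query string, so an access log that records the request line, such as the TransferLog file set in the SSL virtual host, will contain it. The following added example (not from the IBM documentation) finds and masks such values in an access log; it assumes Common Log Format, and the log lines and password are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed Common Log Format lines (not real traffic), as an access log would hold them.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [12/Nov/2020:10:01:02 +0000] "GET /ibm/console/logon.jsp HTTP/1.1" 200 5120
192.0.2.11 - - [12/Nov/2020:10:02:40 +0000] "GET /ISCHA/NotificationServlet?username=smadmin&password=Example-Pw-1&listHANodes=truejsp HTTP/1.1" 200 312
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
SECRET_PARAMS = {"password"}  # query parameter names treated as credentials

def redact_line(line):
    """Return (line_with_secrets_masked, request_path, leaked_parameter_names)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, None, []
    parts = urlsplit(m.group("target"))
    leaked, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS and value:
            leaked.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not leaked:
        return line, parts.path, []
    target = parts._replace(query=urlencode(pairs)).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):], parts.path, leaked

def scan(log_text):
    """Return (redacted_text, findings); each finding is (line_number, path, params)."""
    out, findings = [], []
    for number, line in enumerate(log_text.splitlines(), 1):
        redacted, path, leaked = redact_line(line)
        if leaked:
            findings.append((number, path, leaked))
        out.append(redacted)
    return "\n".join(out), findings

if __name__ == "__main__":
    print(scan(SAMPLE_ACCESS_LOG)[1])
```

Any line the scan reports means the password it contained was written to disk in clear text and should be changed.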
Nov 2020 Additional step #7918 and #7660