Sunday, December 15, 2019

Configure Maximo Anywhere using a server farm for MobileFirst Server

MobileFirst supports two types of deployment:

1. Symmetric Deployment
  In symmetrical deployment, you must install the MobileFirst administration components (MobileFirst Operations Console, the administration service, and the live update service applications) and the runtime on the same application server.

2. Asymmetric Deployment
  In asymmetric deployment, you can install the runtimes on different application servers from the MobileFirst administration components.

The first deployment method is supported only on a WebSphere Network Deployment cell topology or a Liberty collective topology.

More than one topology can be used for Maximo Anywhere:
1. Stand-alone server
2. Server farm
3. WebSphere Application Server Network Deployment
4. Liberty collective

Details of each topology can be found in the IBM Knowledge Center: https://www.ibm.com/support/knowledgecenter/en/SSHS8R_8.0.0/com.ibm.worklight.installconfig.doc/install_config/c_constraints_adm_config_runtime.html

By default, Maximo Anywhere deploys the server and runtimes on a stand-alone server or on WebSphere Application Server Network Deployment, so when you choose Server Farm as the deployment topology, some settings must be made manually in WebSphere.

Figure 1. Topology of a server farm


This topology supports only symmetric deployment. The runtimes and the administration components must be deployed on every server in the farm. The deployment of this topology has the following characteristics:
  • One or several administration components can be deployed. Each instance of MobileFirst Operations Console communicates with one administration service and one live update service.
  • The administration components must be deployed on all servers in the farm.
  • One or several runtimes can be deployed.
  • The runtimes must be deployed on all servers in the farm.
  • One MobileFirst Operations Console can manage several runtimes.
  • One runtime is managed by only one MobileFirst Operations Console.
  • Each administration service uses its own administration database schema. All deployed instances of the same administration service share the same administration database schema.
  • Each live update service uses its own live update database schema. All deployed instances of the same live update service share the same live update database schema.
  • Each runtime uses its own runtime database schema. All deployed instances of the same runtime share the same runtime database schema.

Now configure the server farm.

The installation is the same as a normal one: deploy the MobileFirst configuration and the MobileFirst runtime environment. This creates three applications in WebSphere under the MobileFirst Application Server: Worklight Administration Console, Worklight Administration Service and IBM Worklight project runtime MaximoAnywhere.


1. Configure Worklight Administration Service

  • Click Worklight Administration Service under WebSphere enterprise applications
  • Click Environment entries for Web modules
  • Configure the value of each environment entry in the web module as follows

    ibm.worklight.topology.platform = WAS
      MobileFirst is being installed on WebSphere, so enter WAS.
    ibm.worklight.topology.clustermode = Farm
      The installation default is Cluster; we are using the Farm topology, so enter Farm.
    ibm.worklight.admin.serverid = App1
      The server id identifies this server in the farm and must be unique within the farm.
    ibm.worklight.admin.jmx.connector = SOAP
      Must be SOAP; a farm supports only SOAP for server-to-server communication.
    ibm.worklight.admin.jmx.dmgr.host = AppServer1
      Hostname of this server.
    ibm.worklight.admin.jmx.dmgr.port = 8879
      The SOAP port; the default is 8879.
    ibm.worklight.admin.jmx.user = mobilefarm
      The user id used to create the SOAP connection between the servers; it must be defined in the WebSphere Application Server user registry.
    ibm.worklight.admin.jmx.pwd = ********
      The password for that user; note that this value is stored in plain text.

  • Click OK to save the configuration

2. Configure the runtime MaximoAnywhere

  • Click IBM Worklight project runtime MaximoAnywhere under WebSphere enterprise applications
  • Click Environment entries for Web modules
  • Configure the value of each environment entry in the web module with the same values as for the administration service

    ibm.worklight.topology.platform = WAS
      MobileFirst is being installed on WebSphere, so enter WAS.
    ibm.worklight.topology.clustermode = Farm
      The installation default is Cluster; we are using the Farm topology, so enter Farm.
    ibm.worklight.admin.serverid = App1
      The server id identifies this server in the farm and must be unique within the farm.
    ibm.worklight.admin.jmx.connector = SOAP
      Must be SOAP; a farm supports only SOAP for server-to-server communication.
    ibm.worklight.admin.jmx.dmgr.host = AppServer1
      Hostname of this server.
    ibm.worklight.admin.jmx.dmgr.port = 8879
      The SOAP port; the default is 8879.
    ibm.worklight.admin.jmx.user = mobilefarm
      The user id used to create the SOAP connection between the servers; it must be defined in the WebSphere Application Server user registry.
    ibm.worklight.admin.jmx.pwd = ********
      The password for that user; note that this value is stored in plain text.

  • Click OK to save the configuration
  • Restart the MobileFirst Application Server

Repeat the same configuration steps on every other server in the farm, replacing the hostname and server id with that server's own values.

After restarting the application server, log in to the Worklight console; a new tab, Server Farm Nodes, appears, and the status of every server can be found under Server Farm Nodes.
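
As an added check that is not part of the original post, the following Python script validates the environment entries of every farm member before the restart: the three fixed values, non-empty JMX settings, matching serverid/host/port between the administration service and runtime modules on one server, and a serverid that is unique across the farm. The entry names are the ones configured above; server names, ids and the password are constructed sample values.

```python
# Added example, not from the original post: cross-check the environment
# entries of every web module on every farm member before restarting.
# Server names, ids and the password below are constructed sample values.
FIXED_VALUES = {
    "ibm.worklight.topology.platform": "WAS",      # installed on WebSphere
    "ibm.worklight.topology.clustermode": "Farm",  # not the default Cluster
    "ibm.worklight.admin.jmx.connector": "SOAP",   # a farm supports only SOAP
}
# Identical for every web module on one server; serverid also unique farm-wide.
PER_SERVER = ("ibm.worklight.admin.serverid",
              "ibm.worklight.admin.jmx.dmgr.host",
              "ibm.worklight.admin.jmx.dmgr.port")
REQUIRED = PER_SERVER + ("ibm.worklight.admin.jmx.user", "ibm.worklight.admin.jmx.pwd")

def check_farm(farm):
    """farm: {server: {web_module: {entry: value}}} -> list of findings."""
    findings, ids_seen = [], {}
    for server, modules in farm.items():
        ref = None
        for module, entries in modules.items():
            where = f"{server}/{module}"
            for name, want in FIXED_VALUES.items():
                if entries.get(name) != want:
                    findings.append(f"{where}: {name} must be {want!r}")
            for name in REQUIRED:
                if not entries.get(name):
                    findings.append(f"{where}: {name} is empty")
            current = tuple(entries.get(n) for n in PER_SERVER)
            if ref is None:
                ref = current
            elif current != ref:
                findings.append(f"{where}: serverid/host/port differ between modules")
        sid = ref[0] if ref else None
        if sid and sid in ids_seen:
            findings.append(f"{server}: serverid {sid!r} already used by {ids_seen[sid]}")
        elif sid:
            ids_seen[sid] = server
    return findings

def sample_farm():
    """Constructed two-member farm; member 2 was cloned and still has serverid App1."""
    def member(sid, host):
        base = {**FIXED_VALUES, "ibm.worklight.admin.serverid": sid,
                "ibm.worklight.admin.jmx.dmgr.host": host,
                "ibm.worklight.admin.jmx.dmgr.port": "8879",
                "ibm.worklight.admin.jmx.user": "mobilefarm",
                "ibm.worklight.admin.jmx.pwd": "sample-password"}
        return {"AdminService": dict(base), "MaximoAnywhere": dict(base)}
    return {"AppServer1": member("App1", "AppServer1"),
            "AppServer2": member("App1", "AppServer2")}
```

An empty findings list means the farm members are consistent and ready for the restart.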

Sunday, November 3, 2019

Configure Maximo to use TLS 1.2

Various vulnerabilities over the past few years have led industry experts to recommend disabling all versions of SSL and TLS 1.0 for a while now, and most companies have changed their security policy to disable TLS 1.0. Enforcing TLS 1.2 for Maximo ensures that weaknesses in previous, older and less secure protocols cannot be used by malicious parties to obtain sensitive data.

Below is the procedure to configure Maximo running on Microsoft SQL Server.

1. Configure IBM HTTP Server to disable the less secure protocols
  1.1 Open the httpd.conf file under IBM\HTTPServer\conf\
  1.2 Add SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11 inside the SSL configuration section, between <VirtualHost *:443> and </VirtualHost>
  1.3 Save the change and restart the IBM HTTP Server

2. Modify the WebSphere client properties file to force TLS 1.2
  2.1 Open the ssl.client.props file for the deployment manager under IBM\WebSphere\AppServer\profiles\ctgDmgr01\properties\
  2.2 Set com.ibm.ssl.protocol to the value com.ibm.ssl.protocol=TLSv1.2 and save the file
  2.3 Open the ssl.client.props file for the node under IBM\WebSphere\AppServer\profiles\ctgAppSrv01\properties\
  2.4 Set com.ibm.ssl.protocol to the value com.ibm.ssl.protocol=TLSv1.2 and save the file
  2.5 Repeat steps 2.3 and 2.4 for each node if there is more than one node

3. Configure the WebSphere SSL configuration to allow only TLS 1.2
  3.1 Log in to the WebSphere admin console
  3.2 Stop all WebSphere Application Server processes
  3.3 Expand Security > SSL certificate and key management
  3.4 Click SSL configurations under Related Items
  3.5 Click CellDefaultSSLSettings
  3.6 Click Quality of protection (QoP) settings
  3.7 Pull down Protocol and select SSL_TLSv2 to allow only TLS 1.2
  3.8 Save the change
  3.9 Repeat 3.5 to 3.8 for NodeDefaultSSLSettings and XDADefaultSSLSettings

4. Update the application server's generic JVM arguments
  4.1 Still in the WebSphere admin console
  4.2 Expand Servers > Server Types > WebSphere application servers
  4.3 Click MXServer
  4.4 Click Java and Process Management > Process definition under Server Infrastructure
  4.5 Click Java Virtual Machine under Additional Properties
  4.6 Add the argument -Dcom.ibm.jsse2.overrideDefaultTLS=true to Generic JVM arguments
  4.7 Click OK, then click Save in the message box to save to the master configuration

5. Update the JDBC driver
  The SSL protocol can be set in the JDBC connection string only from driver version 6.4 onward, so update to version 6.4 or later of the driver:
  https://docs.microsoft.com/en-us/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server?view=sql-server-ver15
  5.1 Download the updated JDBC driver for Maximo
  5.2 Extract the downloaded driver
  5.3 Rename jdbc-xxxx.jar to sqljdbc.jar, choosing the jar that matches the Maximo Java runtime version; see
  https://www.ibm.com/support/pages/what-version-jdk-supported-maximo-76
  5.4 Copy the driver sqljdbc.jar to IBM\SMP\maximo\applications\maximo\lib, replacing the existing file.

6. Modify the JDBC connection string in maximo.properties
  6.1 Open the file maximo.properties under IBM\SMP\maximo\applications\maximo\properties
  6.2 Add the properties encrypt=true;trustServerCertificate=true;sslProtocol=TLSv1.2; to the end of the JDBC connection string
  6.3 Follow the guide to encrypt maximo.properties
  6.4 Rebuild and deploy maximo.ear
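
As an added example that is not the post's own code, this Python helper applies the step 6 settings to the mxe.db.url value from maximo.properties and audits an existing value. The Microsoft JDBC driver's documented property name is encrypt, and trustServerCertificate=true encrypts the session but skips validation of the SQL Server certificate, which is the one caveat the audit flags. The host and database names are constructed.

```python
# Added example, not from the original post: apply and audit the step 6 TLS
# settings on the Maximo JDBC URL (mxe.db.url in maximo.properties). The
# Microsoft JDBC driver's property is spelled "encrypt"; host and database
# names below are constructed.
TLS_PROPS = {"encrypt": "true", "sslProtocol": "TLSv1.2"}

def parse_jdbc_url(url):
    """Split 'jdbc:sqlserver://host:port;k=v;...' into (base, {k: v})."""
    base, *parts = url.rstrip(";").split(";")
    props = {}
    for part in parts:
        key, _, value = part.partition("=")
        props[key.strip()] = value.strip()
    return base, props

def build_jdbc_url(base, props):
    return base + "".join(f";{k}={v}" for k, v in props.items()) + ";"

def harden_jdbc_url(url, trust_server_certificate=False):
    """Return url with encrypt=true and sslProtocol=TLSv1.2. trustServerCertificate=true
    (step 6.2) encrypts the session but skips validating the SQL Server certificate,
    so prefer False once the server's CA certificate is in the WebSphere trust store."""
    base, props = parse_jdbc_url(url)
    stale = [k for k in props if k.lower() in ("encrypt", "sslprotocol", "trustservercertificate")]
    for key in stale:
        del props[key]  # remove differently-cased copies so they cannot override ours
    props.update(TLS_PROPS)
    props["trustServerCertificate"] = "true" if trust_server_certificate else "false"
    return build_jdbc_url(base, props)

def audit_jdbc_url(url):
    """Findings for an existing mxe.db.url value (empty list means OK)."""
    _, props = parse_jdbc_url(url)
    lower = {k.lower(): v.lower() for k, v in props.items()}
    findings = []
    if lower.get("encrypt") != "true":
        findings.append("encrypt is not true: the driver does not require an encrypted connection")
    if lower.get("sslprotocol") != "tlsv1.2":
        findings.append("sslProtocol is not pinned to TLSv1.2")
    if lower.get("trustservercertificate") == "true":
        findings.append("trustServerCertificate=true: server certificate is not validated")
    return findings

def audit_properties(text):
    """Run audit_jdbc_url on the mxe.db.url line of a maximo.properties text."""
    for line in text.splitlines():
        if line.strip().startswith("mxe.db.url="):
            return audit_jdbc_url(line.split("=", 1)[1].strip())
    return ["mxe.db.url not found"]
```

Run it against the plain-text maximo.properties before step 6.3 encrypts the file.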

If the log still shows an error like the one below:
BMXAA6806I - Reading the properties file maximo.properties.
com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "SQL Server did not return a response. The connection has been closed. ClientConnectionId:".
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2397)
        at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1762)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1977)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1628)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1459)

update the IBM JDK by applying the latest fix pack from the links below:
https://developer.ibm.com/javasdk/support/fixes/sdk7/
https://developer.ibm.com/javasdk/support/fixes/sdk8/