05 Oct 2015

Liberty Collective Creation – Part 2


Introduction

This guide is Part 2 of a two-part guide detailing how to configure a WAS ND Liberty Profile Collective. If you have not read Part 1, please do so now.

In the previous guide (Part 1) we covered how to install Liberty Profile from a WAS ND repository. We will now configure the collective for a Liberty cluster.

Configure a server as a collective controller

To configure the server, we simply modify server.xml. Below is the default server.xml

<server description="new server">
    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.2</feature>
    </featureManager>

    <httpEndpoint id="defaultHttpEndpoint"
                  host="localhost"
                  httpPort="9080"
                  httpsPort="9443" />
</server>

I would also recommend that the server description attribute be changed to something like "Collective Controller 1":

<server description="Collective Controller 1">

 

To configure a Liberty server as a collective controller use the following steps:

Create the collective controller configuration using the collective command with the create action, run from the bin folder of the Liberty profile installation:

./collective create controller1 --keystorePassword=secureme

 

Result:

Add the following lines to the server.xml to enable:

<featureManager>
    <feature>collectiveController-1.0</feature>
</featureManager>

<!-- Define the host name for use by the collective.
     If the host name needs to be changed, the server should be
     removed from the collective and re-joined or re-replicated. -->
<variable name="defaultHostName" value="localhost" />

<!-- TODO: Set the security configuration for Administrative access -->
<quickStartSecurity userName="" userPassword="" />

<!-- clientAuthenticationSupported set to enable bidirectional trust -->
<ssl id="defaultSSLConfig"
     keyStoreRef="defaultKeyStore"
     trustStoreRef="defaultTrustStore"
     clientAuthenticationSupported="true" />

<!-- inbound (HTTPS) keystore -->
<keyStore id="defaultKeyStore" password="{xor}LDo8Ki06Mjo="
          location="${server.config.dir}/resources/security/key.jks" />

<!-- inbound (HTTPS) truststore -->
<keyStore id="defaultTrustStore" password="{xor}LDo8Ki06Mjo="
          location="${server.config.dir}/resources/security/trust.jks" />

<!-- server identity keystore -->
<keyStore id="serverIdentity" password="{xor}LDo8Ki06Mjo="
          location="${server.config.dir}/resources/collective/serverIdentity.jks" />

<!-- collective trust keystore -->
<keyStore id="collectiveTrust" password="{xor}LDo8Ki06Mjo="
          location="${server.config.dir}/resources/collective/collectiveTrust.jks" />

<!-- collective root signers keystore -->
<keyStore id="collectiveRootKeys" password="{xor}LDo8Ki06Mjo="
          location="${server.config.dir}/resources/collective/rootKeys.jks" />

 

 

Please ensure administrative security is configured for the server.

An administrative user is required to join members to the collective.

Paste these lines into the server.xml. The resulting server.xml should look something like this:

<server description="Collective Controller 1">
    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.2</feature>
        <feature>collectiveController-1.0</feature>
    </featureManager>

    <httpEndpoint id="defaultHttpEndpoint"
                  host="localhost"
                  httpPort="9080"
                  httpsPort="9443" />

    <!-- Define the host name for use by the collective.
         If the host name needs to be changed, the server should be
         removed from the collective and re-joined or re-replicated. -->
    <variable name="defaultHostName" value="localhost" />

    <!-- TODO: Set the security configuration for Administrative access -->
    <quickStartSecurity userName="" userPassword="" />

    <!-- clientAuthenticationSupported set to enable bidirectional trust -->
    <ssl id="defaultSSLConfig"
         keyStoreRef="defaultKeyStore"
         trustStoreRef="defaultTrustStore"
         clientAuthenticationSupported="true" />

    <!-- inbound (HTTPS) keystore -->
    <keyStore id="defaultKeyStore" password="{xor}LDo8Ki06Mjo="
              location="${server.config.dir}/resources/security/key.jks" />

    <!-- inbound (HTTPS) truststore -->
    <keyStore id="defaultTrustStore" password="{xor}LDo8Ki06Mjo="
              location="${server.config.dir}/resources/security/trust.jks" />

    <!-- server identity keystore -->
    <keyStore id="serverIdentity" password="{xor}LDo8Ki06Mjo="
              location="${server.config.dir}/resources/collective/serverIdentity.jks" />

    <!-- collective trust keystore -->
    <keyStore id="collectiveTrust" password="{xor}LDo8Ki06Mjo="
              location="${server.config.dir}/resources/collective/collectiveTrust.jks" />

    <!-- collective root signers keystore -->
    <keyStore id="collectiveRootKeys" password="{xor}LDo8Ki06Mjo="
              location="${server.config.dir}/resources/collective/rootKeys.jks" />
</server>

 

You will notice a comment marked TODO; below it is a quickStartSecurity element:

<quickStartSecurity userName="" userPassword="" />

You can use the <quickStartSecurity> element to quickly enable a simple (one user) security setup for the Liberty profile.

  • Update the quickStartSecurity elements attributes as required
<quickStartSecurity userName="admin" userPassword="letmein" />

 

  • Start the Controller
./server start controller1

 

When you are starting the collective controller the first time (or any server), use the server run command to start the controller rather than the server start command. This allows you to monitor the startup messages to catch any configuration errors.
When you are copying text from the output of a command into the server.xml file there is always the possibility of syntax problems, for example, extra spaces in words.
You could also use the tail command to follow the messages.log file.

 

Verify that the controller started correctly by looking for this message: CWWKX9003I: CollectiveRegistration MBean is available. The message is located in the messages.log file of the controller.

Result:

[02/03/15 22:28:36:967 GMT] 00000011 nagement.repository.internal.CollectiveRegistrationMBeanImpl I CWWKX9003I: CollectiveRegistration MBean is available.
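
The controller configuration above stores every keystore password as {xor}LDo8Ki06Mjo= and the administrative password in clear text. The following audit script is an added example, not part of the original guide or of the Liberty tooling; it flags those settings in a server.xml and shows that the {xor} value decodes straight back to the --keystorePassword given earlier. The function names (decode_xor, classify, audit) and the trimmed sample file are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed controller server.xml using the values from this guide.
SAMPLE_SERVER_XML = """<server description="Collective Controller 1">
    <quickStartSecurity userName="admin" userPassword="letmein" />
    <keyStore id="defaultKeyStore" password="{xor}LDo8Ki06Mjo="
              location="${server.config.dir}/resources/security/key.jks" />
    <keyStore id="collectiveRootKeys" password="{xor}LDo8Ki06Mjo="
              location="${server.config.dir}/resources/collective/rootKeys.jks" />
</server>"""

XOR_KEY = 0x5F  # {xor} values are the bytes XORed with '_' and then base64-encoded


def decode_xor(value):
    """Reverse a {xor} value; no secret key is involved, so this is encoding, not encryption."""
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def classify(password):
    """Return a finding for one password attribute, or None if there is nothing to report."""
    if password == "":
        return "empty password"
    if password.startswith("{xor}"):
        return "reversible {xor} encoding"
    if password.startswith(("{aes}", "{hash}")):
        return None
    return "plaintext password"


def audit(server_xml):
    """Return (element, id or user name, finding) for every weak credential in a server.xml string."""
    findings = []
    for elem in ET.fromstring(server_xml).iter():
        for attr in ("password", "userPassword"):
            if attr in elem.attrib:
                finding = classify(elem.attrib[attr])
                if finding:
                    ident = elem.get("id") or elem.get("userName") or ""
                    findings.append((elem.tag, ident, finding))
    return findings


if __name__ == "__main__":
    for tag, ident, finding in audit(SAMPLE_SERVER_XML):
        print(f"{tag} {ident!r}: {finding}")
    print("keystore password decodes to:", decode_xor("{xor}LDo8Ki06Mjo="))
```

Anyone who can read server.xml can therefore recover the keystore passwords, so restrict file permissions on the server configuration directory and replace the example passwords before using this setup outside a lab.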

 

Create Collective Member

We will now create a collective member.

Create a new server called member1

./server create member1

 

Join a Member to the Collective

To join a Liberty server to the collective controller, use the collective command with the join action. The command and action are targeted to the Liberty controller name and use as options the host, https port, administrative user and password of the controller, and a password for the member keystore as were created earlier in the controller configuration.

This command will produce a few configuration lines that you will be instructed to add to the collective member server.xml file for the configuration to be completed.

Note: you will be prompted to accept the certificate during the command processing.

Add the server to the collective

./collective join member1 --host=localhost --port=9443 --user=admin --password=letmein --keystorePassword=secureme

 

Result:

[root@localhost bin]# ./collective join member1 --host=localhost --port=9443 --user=admin --password=letmein --keystorePassword=secureme
Joining the collective with target controller localhost:9443…
This may take a while.

 

SSL trust has not been established with the target server.

 

Certificate chain information:

Certificate [0]

Subject DN: CN=localhost, OU=controller1, O=ibm, C=us

Issuer DN: OU=controllerRoot, O=e4c6751d-8c76-4f88-8bb5-ccf0e573d195, DC=com.ibm.ws.collective

Serial Number: 547,886,959,810,458

Expires: 29/02/20 22:22

SHA-1 digest: E9:1E:87:FC:A8:A1:45:54:A4:7B:08:D3:FB:34:05:FE:1D:33:E4:56

MD5 digest: 5C:89:20:90:C4:DD:50:69:04:C0:FF:A6:00:D3:5A:B3

 

Certificate [1]

Subject DN: OU=controllerRoot, O=e4c6751d-8c76-4f88-8bb5-ccf0e573d195, DC=com.ibm.ws.collective

Issuer DN: OU=controllerRoot, O=e4c6751d-8c76-4f88-8bb5-ccf0e573d195, DC=com.ibm.ws.collective

Serial Number: 547,885,449,033,281

Expires: 24/02/40 22:22

SHA-1 digest: A2:7E:33:8D:90:32:F4:51:57:38:C0:E8:F6:DD:63:BE:78:AA:0C:49

MD5 digest: 7F:4E:20:9B:B9:C6:4A:B0:96:09:15:77:BF:B7:75:73

 

Do you want to accept the above certificate chain? (y/n) y

Successfully completed MBean request to the controller.

 

Successfully joined the collective for server member1

 

Add the following lines to the server.xml to enable:

<featureManager>
    <feature>collectiveMember-1.0</feature>
</featureManager>

<!-- Define the host name for use by the collective.
     If the host name needs to be changed, the server should be
     removed from the collective and re-joined or re-replicated. -->
<variable name="defaultHostName" value="localhost" />

<!-- Connection to the collective controller -->
<collectiveMember controllerHost="localhost"
                  controllerPort="9443" />

<!-- clientAuthenticationSupported set to enable bidirectional trust -->
<ssl id="defaultSSLConfig"
     keyStoreRef="defaultKeyStore"
     trustStoreRef="defaultTrustStore"
     clientAuthenticationSupported="true" />

<!-- inbound (HTTPS) keystore -->
<keyStore id="defaultKeyStore" password="{xor}LDo8Ki06Mjo="
          location="${server.config.dir}/resources/security/key.jks" />

<!-- inbound (HTTPS) truststore -->
<keyStore id="defaultTrustStore" password="{xor}LDo8Ki06Mjo="
          location="${server.config.dir}/resources/security/trust.jks" />

<!-- server identity keystore -->
<keyStore id="serverIdentity" password="{xor}LDo8Ki06Mjo="
          location="${server.config.dir}/resources/collective/serverIdentity.jks" />

<!-- collective truststore -->
<keyStore id="collectiveTrust" password="{xor}LDo8Ki06Mjo="
          location="${server.config.dir}/resources/collective/collectiveTrust.jks" />

 

  • Start the server once you have copied the appropriate elements into the server.xml of member1

Result:

./server start member1
Starting server member1.
Server member1 started with process ID 5799.

 

If we look at the messages.log of member1 we will see output messages such as:

[03/03/15 00:05:34:491 GMT] 00000017 gement.repository.client.internal.RemoteConnectionHelperImpl I CWWKX8055I: The collective member has established a connection to the collective controller.
[03/03/15 00:05:36:009 GMT] 00000026 nt.repository.member.internal.publisher.ServerPathsPublisher I CWWKX8114I: The server’s paths were successfully published to the collective repository.
[03/03/15 00:05:36:214 GMT] 00000026 om.ibm.ws.management.filetransfer.internal.mbean.FileService I CWWKX7912I: The FileServiceMXBean attribute ReadList was successfully updated.

[03/03/15 00:05:36:323 GMT] 00000026 om.ibm.ws.management.filetransfer.internal.mbean.FileService I CWWKX7912I: The FileServiceMXBean attribute WriteList was successfully updated.

[03/03/15 00:05:36:408 GMT] 00000026 nt.repository.member.internal.publisher.ServerStatePublisher I CWWKX8116I: The server STARTED state was successfully published to the collective repository.

 

We now have a collective created. Before we finish we need to cover a few Collective Administration practices.

Summary

In this guide, we have learned how to install WAS 8.5.5 Liberty Profile using IBM Installation Manager and then using the imcl command line tool to initiate the binary installations using command line variables as input. This is a very powerful command-line tool and can easily be integrated into master shell scripts.

We looked at how to create and configure a collective controller server and join one member to the collective. We did not cover administration of a collective, nor did we test an application deployed to the collective. We will cover the details of provisioning for highly available applications in the guide titled WASND_8.5.5.x_LibertyProfile_HighAvailability, which can be purchased from http://www.themiddlewareshop.com.

We also covered how to remove the IBM SDK and uninstall WAS 8.5.5 Liberty Profile.

Consulting

If you or your organization require support in architecture, performance tuning, automation or simply advice, then please contact me via my support site and request a conversation, where we can discuss your requirement.

About Steve

Steve is a seasoned passionate technology professional, strategist and leader.

An expert in technical communications, and adept in almost all forms of Internet and mobile related technology, Steve has time and time again proven his tenacity to improve systems around him and deliver.

Steve has worn many hats during his career such as Chief Technical Officer, Founding Member of several business ventures, Programmer, Systems Administrator, Architect, Blogger and Published Author to name a few.

Due to 20 years' industry experience in Middleware, Programming, Networks and Internet Technologies, he combines systems knowledge with efficient working methods and the interpersonal skills required to build effective relationships with clients and colleagues alike. Exceeding typical expectations in any role undertaken, Steve is certain to become a valuable asset within any organisation he joins.
