Create a management profile with an administrative agent
Create a management profile for the administrative agent to administer applications on multiple appservers using a single admin console.
The Profile Management Tool is the graphical user interface for the manageprofiles command.
You must provide enough system temporary space to create a profile.
Non-root gotcha
When you launch the Profile Management Tool, the tool could lock up in the following situation for a non-root user:
- Log into a machine as root
- use the SetPermissions utility to change the user from x to y
- Assume that we are user x and log back into the machine
- Launch the Profile Management Tool, click...
Profile Management Tool | Create
- The next click after the click on Create could lock up the tool.
Solaris gotcha
When you use the Profile Management Tool with the Motif GUI on the Solaris operating system, the default size of the Profile Management Tool might be too small to view all the messages and buttons of the Profile Management Tool. To fix the problem, add the following lines to the app_server_root/.Xdefaults file:
Eclipse*spacing:0 Eclipse*fontList:-misc-fixed-medium-r-normal-*-10-100-75-75-c-60-iso8859-1
After adding the lines, run the following command before launching the Profile Management Tool:
xrdb -load user_home/.Xdefaults
Procedure
- Start the Profile Management Tool.
- From the command-line
cd app_server_root/bin/ProfileManagement
./pmt.sh...or select the Profile Management Tool option from the First steps console.
From Windows use the Start menu to access the Profile Management Tool. For example, click...
Start | Programs or All Programs | IBM WebSphere | my_product | Profile Management Tool
For Linux use OS menus...
menu | IBM WebSphere | my_product | Profile Management Tool
- From the command-line
- Click Create on the Profiles tab to create a new profile.
The Profiles tab contains a list of profiles that have been created on the machine. No action can be done on a selected profile unless the profile can be augmented. The Augment button is greyed out unless a profile that you select can be augmented.
The tool displays the Environment selection panel.
- Select...
Management | Next | Administrative agent | Next
- Select either Typical profile creation or Advanced profile creation, and click Next.
The Typical profile creation option creates a profile that uses default settings. With the Advanced profile creation option, we can specify our own configuration values for a profile.
- If we selected Typical profile creation, go to the step on administrative security.
- If we selected Advanced profile creation, optionally select to deploy the admin console and then click Next.
If we chose not to deploy the admin console, then the admin console ports are disabled on the Ports panel.
The tool displays the Profile name and location panel.
- Specify a name for the profile and the directory path for the profile directory, or accept the default values. Then, click Next.
Double-byte characters are supported. Do not use any of the following characters when naming the profile:
- Spaces
- Special characters not supported within the name of a directory on the OS, such as *&?
- Slashes (/) or (\)
The first profile created is the default profile, and is the default target for commands that are issued from...
WAS_HOME/bin
When only one profile exists on a machine, every command works on the single server process in the configuration. You can make another profile the default profile when you create that profile by checking Make this profile the default on the Profile name and location panel of the Advanced profile creation path. You can also make another profile the default profile using manageprofiles after you create the profile.
When multiple profiles exist on a machine, to specify the profile, use the parameter -profileName.
You might find it easier to use the commands that are in..
PROFILE_HOME/bin
- On the Node, host, and cell names panel, specify a unique node name, the actual host name of the machine, and a unique cell name. Click Next.
If we plan to migrate a V5 or V6 cell to V7, use the same cell name as the V5 or V7 cell.
A cell name must be unique in any circumstance in which WAS is running on the same physical machine or cluster of machines, such as a sysplex. Additionally, a cell name must be unique in any circumstance in which network connectivity between entities is required either between the cells or from a client that must communicate with each of the cells. Cell names must also be unique if their namespaces are federated. Otherwise, you might encounter symptoms such as...
javax.naming.NameNotFoundException
All federated nodes become members of the cell, which you name in this panel.
Avoid using reserved folder names as field values...
For Windows, the number of characters in...
PROFILE_HOME\profile_name
...must be less than or equal to 80 characters.
The host name is the network name for the physical machine on which the node is installed and must resolve to a physical network node on the server. When multiple network cards exist in the server, the host name or IP address must resolve to one of the network cards. Remote nodes use the host name to connect to and communicate with this node.
Do not use the generic identifier, localhost, for this value. Do not attempt to install WAS on a machine with a host name that uses characters from a double-byte character set, which are not supported when used in the host name.
If we define coexisting nodes on the same computer with unique IP addresses, then define each IP address in a DNS look-up table. Configuration files for standalone appservers do not provide domain name resolution for multiple IP addresses on a machine with a single network address.
The value specified for the host name is used as the value of the hostName property in configuration documents for the standalone application server.
Specify the host name value in one of the following formats:
- Fully qualified DNS host name string, such as...
amsterdam.setgetweb.com
- The default short DNS host name string, such as amsterdam
- Numeric IP address, such as 127.1.255.3
The fully qualified DNS host name has the advantages of being unambiguous and flexible. we have the flexibility of changing the actual IP address for the host system without having to change the application server configuration. This value for the host name is particularly useful if we plan to change the IP address frequently when using DHCP to assign IP addresses. A disadvantage of this format is dependency on DNS. If DNS is not available, then connectivity is compromised.
The short host name is also dynamically resolvable. A short name format has the added function of being redefined in the local hosts file so that the system can run the application server, even when disconnected from the network. To run disconnected, define the short name as the loopback address, 127.0.0.1, in the hosts file to run disconnected. A disadvantage of this format is a dependency on DNS for remote access. If DNS is not available, then connectivity is compromised.
A numeric IP address has the advantage of not requiring name resolution through DNS. A remote node can connect to the node that you name with a numeric IP address without DNS being available. A disadvantage of this format is that the numeric IP address is fixed. You must change the setting of the hostName property in Express configuration documents whenever you change the machine IP address. Therefore, do not use a numeric IP address if we use DHCP, or if we change IP addresses regularly. Another disadvantage of this format is that we cannot use the node if the host is disconnected from the network.
After displaying characteristics, the tool displays the Administrative security panel.
- Fully qualified DNS host name string, such as...
- Optionally enable admin security, and click Next.
You can enable administrative security now during profile creation, or later from the console. If we enable admin security now, then enter a user name and password to log onto the admin console.
After specifying security characteristics, the tool displays the Security certificate panel if we previously selected Advanced profile creation.
- If we selected Typical profile creation at the beginning of these steps, then go to the step that displays the Profile summary panel.
- Create a default personal certificate and a root signing certificate, or import a personal certificate and a root signing certificate from keystore files, and click Next.
You can create both certificates, import both certificates, or create one certificate, and import the other certificate.
Best practice: When you import a personal certificate as the default personal certificate, import the root certificate that signed the personal certificate. Otherwise, the Profile Management Tool adds the signer of the personal certificate to the trust.p12 file
If we import the default personal certificate or the root signing certificate, specify the path and the password, and select the keystore type and the keystore alias for each certificate that you import.
- Verify that the certificate information is correct, and click Next.
If we create the certificates, we can use the default values or modify them to create new certificates. The default personal certificate is valid for one year by default and is signed by the root signing certificate. The root signing certificate is a self-signed certificate that is valid for 15 years by default.
The default keystore password for the root signing certificate is WebAS. The keystore types that are supported depend on the providers in the file java.security
When you create either or both certificates, or import either or both certificates, the keystore files that are created are key.p12, trust.p12, root-key.p12, default-signers.p12, deleted.p12, and ltpa.jceks. These files all have the same password when you create or import the certificates, which is either the default password, or a password specified.
key.p12 Contains the default personal certificate. trust.p12 Contains the signer certificate from the default root certificate. root-key.p12 Contains the root signing certificate. default-signer.p12 Contains signer certificates that are added to any new keystore file created after the server is installed and running. By default, the default root certificate signer and a DataPower signer certificate is in the default-signer.p12 keystore file.
deleted.p12 Contains certificates deleted with the deleteKeyStore task so that they can be recovered if needed. ltpa.jceks Contains server default LTPA keys that the servers in the environment use to communicate with each other. An imported certificate is added to the key.p12 file or the root-key.p12 file.
If we import any certificates and the certificates do not contain the information that you want, click Back to import another certificate.
After displaying the Security certificate panels, the tool displays the Ports panel if we previously selected Advanced profile creation.
- Verify that the ports within the administrative agent profile are unique, or intentionally conflicting, and click Next.
If we chose not to deploy the admin console, then the admin console ports are disabled on the Ports panel.
Ports are recognized as being in use if one of the following conditions exists:
- The ports are assigned to a profile created from an installation that is performed by the current user.
- The port is currently in use.
Validation of ports occurs when you access the Port value assignment panel. Conflicts can still occur between the Port value assignment panel and the Profile creation complete panel because ports are not assigned until profile creation completes.
If we suspect a port conflict, then we can investigate the port conflict after the profile is created. Determine the ports that are used during profile creation by examining the following files.
- $PROFILE_ROOT/properties/portdef.props file
Included in this file are the keys and values that are used in setting the ports. If we discover ports conflicts, then we can reassign ports manually. To reassign ports, run the updatePorts.ant file by using the ws_ant script.
The tool displays the Windows service definition panel if we are installing on a Windows operating system and the installation ID has the admin group privilege. The tool displays the Linux service definition panel if we are installing on a supported Linux operating system and the ID that runs the Profile Management Tool is the root user.
- Choose whether to run the administrative agent process as a Windows service on a Windows operating system or as a Linux service on a Linux operating system, and click Next.
The Windows service definition panel is displayed for the Windows operating system only if the ID that installs the Windows service has the administrator group privilege. However, we can run the WASService.exe command to create the Windows service as long as the installer ID belongs to the administrator group.
[Windows] WAS ND v7.0 attempts to start Windows services for administrative agent processes that are started by a startServer command. For example, if we configure an administrative agent as a Windows service and issue the startServer command, then the wasservice command attempts to start the defined service.
If we chose to install a local system service, then you do not have to specify the user ID or password. If we create a specified user type of service, then specify the user ID and the password for the user who runs the service. The user must have Log on as a service authority for the service to run correctly. If the user does not have Log on as a service authority, then the Profile Management tool automatically adds the authority.
To perform this profile creation task, the user ID must not contain spaces. In addition to belonging to the administrator group, the ID must also have the advanced user right of Log on as a service. The Installation wizard grants the user ID the advanced user right if the user ID does not already have the advanced user right and if the user ID belongs to the administrator group.
You can also create other Windows services after the installation is complete to automatically start other server processes.
You can remove the Windows service that is added during profile creation during profile deletion. You can also remove the Windows service with the wasservice command.
Profiles created to run as a Windows service fail to start when using IPv6 if the service is configured to run as local system. Create a user-specific environment variable to enable IPv6. Since this environment variable is a user variable instead of a local system variable, only a Windows service that runs as that specific user can access this environment variable.
By default, when a new profile is created and configured to run as a Windows service, the service is set to run as local system. When the Windows service for the administrative agent process attempts to run, the service is unable to access the user environment variable that specifies IPv6, and thus, attempts to start as IPv4. The server does not start correctly in this case. To resolve the problem, when creating the profile, specify that the Windows service for the administrative agent process runs as the same user ID from which the environment variable that specifies IPv6 is defined, instead of as local system.
The following default values for the Windows service definition panel exist:
- The default is to run as a Windows service.
- The service process is selected to run as a system account.
- The user account is the current user name. User name requirements are the requirements that the Windows operating system imposes for a user ID.
- The startup type is automatic. The values for the startup type are those values that the Windows operating system imposes. If we want a startup type other than automatic, we can either select another available option from the menu or change the startup type after you create the profile. You can also remove the created service after profile creation, and add it later with the desired startup type. You can choose not to create a service at profile creation time and optionally create the service later with the desired startup type.
The Linux service definition panel is displayed if the current operating system is a supported version of Linux operating systems, and the current user has the appropriate permissions.
The product attempts to start Linux services for application server processes that are started by a startServer command. For example, if we configure an application server as a Linux service and issue the startServer command, then the wasservice command attempts to start the defined service.
By default, WAS is not selected to run as a Linux service.
To create the service, the user that runs the Profile Management Tool must be the root user. If we run the Profile Management Tool with a non-root user ID, then the Linux service definition panel is not displayed, and no service is created.
When you create a Linux service, specify a user name from which the service runs.
To delete a Linux service, the user must be the root user or have appropriate privileges for deleting the service. Otherwise, a removal script is created that the root user can run to delete the service for the user.
The tool displays the Profile creation summary panel.
- Click Create to create the management profile for the administrative agent, or click Back to change the characteristics of the profile.
The Profile creation progress panel, which shows the configuration commands that are running, is displayed.
When the profile creation completes, the tool displays the Profile creation complete panel.
- Optionally, select Launch the First steps console. Click Finish to exit.
With the First steps console, we can create additional profiles and start the application server.
What to do next
Register appservers with the administrative agent using the registerNode command. Then, access the administrative agent console to administer the appservers.
