Set secure routing for a DMZ Secure Proxy Server for IBM WAS
The DMZ Secure Proxy Server for IBM WAS can be configured to route requests statically or dynamically.
Set the profiles and security properties before you configure routing. See the topic Tuning the security properties for the DMZ Secure Proxy Server for IBM WAS. Decide whether you want to configure static or dynamic routing.
Static routing is performed using a flat configuration file. Static routing is considered more secure than dynamic routing. With dynamic routing, requests are routed through a best match mechanism that determines the installed application or routing rule that corresponds to a specific request. The secure proxy server will dynamically discover the best route to a destination and distribute to servers with like protocols.
The secure routing options are:
- Use static routing with the exportTargetTree command.
- Use dynamic routing by setting up a core group bridge tunnel. See the topic Set communication with a core group residing on a DMZ Secure Proxy Server for IBM WAS.
Avoid trouble: Because the DMZ secure proxy server resides in a different cell from the appservers, it must be configured to trust the appserver cell in order for SSL to work properly. See the third bullet in this procedure.
Use the following procedure to configure static or dynamic secure routing.
- To configure static routing, follow these steps:
  - Set the secure proxy server to use static routing, which is the default level after installation. We can do this by either setting the overall security level to high or by setting the custom security level for the routing property to static.
  - Using wsadmin, query for the TargetTreeMbean mbean.
    mbean=AdminControl.queryNames('*:*,type=TargetTreeMbean,process=dmgr')
  - Invoke the exportTargetTree method on the TargetTree mbean, writing the output to a specified XML file.
    AdminControl.invoke(mbean, 'exportTargetTree', '/IBM/WAS/AppServer/targetTree.xml')
  - Using the dmgr command line, transfer the targetTree.xml file from the dmgr to the proxy server's profile root /staticRoutes directory. The file is transferred from the dmgr to the proxy server by FTP or some other protocol.
  - Start the proxy server from the system command line: ProfileRoot/startServer proxy_server_name.
- To configure dynamic routing, follow these steps:
  - Set the core group bridge in the appserver cell. See the topic Set communication with a core group residing on a DMZ Secure Proxy Server for IBM WAS.
  - Export the tunnel template settings to a file. From wsadmin, use the exportTunnelTemplate command to export the settings, as in the following example:
    AdminTask.exportTunnelTemplate('[-tunnelTemplateName exportedTunnelTemplate -outputFileName tunnelTemplate1.props]')
  - Import the tunnel template settings into the DMZ proxy config, as in the following example:
    AdminTask.importTunnelTemplate('[-inputFileName tunnelTemplate1.props -bridgeInterfaceNodeName DMZNode01 -bridgeInterfaceServerName DMZProxyServer01]')
  - Start the proxy server from the system command line: ProfileRoot/startServer proxy_server_name.
- To configure SSL communications, follow these steps:
  - Set the ssl.client.props properties file using the retrieveSigners command. See the information center topic on using the retrieveSigners command for more details.
  - The com.ibm.ssl.trustStore property should be set to point to the secure proxy server trust.p12 file. For example:
    ${user.root}/config/cells/SecureProxyCell1/nodes/SecureProxyNode1/trust.p12
  - Specify the truststore name of the cell in which the application servers reside when running the command. By default, its name is CellDefaultTrustStore. The retrieveSigners command can then be used to update the secure proxy server to trust the appserver cell:
    retrieveSigners CellDefaultTrustStore AnotherTrustStore -host mybackendDmgr.location.com -port 8879
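The static routing steps above move targetTree.xml from the dmgr to the proxy host by FTP or some other protocol, so the route file crosses into the DMZ without any integrity protection of its own. As an added example (not part of the IBM procedure), the following Python script checks the received file against a SHA-256 recorded on the dmgr before placing it in the staticRoutes directory. The function names, the 0640 file mode, and the out-of-band delivery of the hash are assumptions of this example.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def install_route_file(src, expected_sha256, static_routes_dir):
    """Install src as targetTree.xml only if it matches the hash taken on the dmgr.
    Assumption: expected_sha256 arrived over a different channel than the file;
    a hash sent alongside the file over the same FTP session proves nothing."""
    if sha256_file(src) != expected_sha256.strip().lower():
        raise ValueError("targetTree.xml hash mismatch; not installing")
    os.makedirs(static_routes_dir, exist_ok=True)
    dest = os.path.join(static_routes_dir, "targetTree.xml")
    # Temp file in the same directory, then atomic rename: no half-written file.
    fd, tmp = tempfile.mkstemp(dir=static_routes_dir, prefix=".targetTree.")
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            shutil.copyfileobj(inp, out)
        os.chmod(tmp, 0o640)  # owner rw, group r, no world access
        os.replace(tmp, dest)
    finally:
        if os.path.exists(tmp):  # only true if the copy or rename failed
            os.unlink(tmp)
    return dest

def demo():
    """Constructed sample data; returns (installed, tamper_rejected)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "received.xml")
        with open(src, "wb") as fh:
            fh.write(b"<constructed-sample/>\n")  # not a real targetTree.xml
        good = sha256_file(src)  # stands in for the hash recorded on the dmgr
        routes = os.path.join(work, "staticRoutes")
        installed = os.path.exists(install_route_file(src, good, routes))
        with open(src, "ab") as fh:
            fh.write(b"<!-- altered in transit -->")
        try:
            install_route_file(src, good, routes)
        except ValueError:
            return installed, True
        return installed, False
```

Run the hash step on the dmgr immediately after exportTargetTree, and run install_route_file on the proxy host before starting the proxy server.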
Results
Completing this procedure results in configuring secure routing for a DMZ Secure Proxy Server for IBM WAS.
Next steps
We can now start and begin to use the DMZ Secure Proxy Server for IBM WAS.
Related tasks
Set communication with a core group residing on a DMZ Secure Proxy Server for IBM WAS
Use the retrieveSigners command to enable server to server trust
Tuning the security properties for the DMZ Secure Proxy Server for IBM WAS
Related
WebSphere DMZ Secure Proxy Server for IBM WAS
DMZ Secure Proxy Server for IBM WAS routing considerations
Set a DMZ Secure Proxy Server for IBM