Configure secure routing for a DMZ Secure Proxy Server for IBM WAS
We can configure the DMZ Secure Proxy Server for IBM WAS to route requests statically or dynamically. Configure your profiles and security properties before you configure routing. See the topic Tuning the security properties for the DMZ Secure Proxy Server for IBM WAS. Decide whether to configure static or dynamic routing.
Static routing is performed using a flat configuration file. Static routing is considered more secure than dynamic routing. With dynamic routing, requests are routed through a best match mechanism that determines the installed application or routing rule that corresponds to a specific request. The secure proxy server will dynamically discover the best route to a destination and distribute to servers with like protocols.
The secure routing options are:
- Use static routing with the exportTargetTree command.
- Use dynamic routing by setting up a core group bridge tunnel. See the topic Configuring communication with a core group that resides on a DMZ Secure Proxy Server for IBM WAS.
Because the DMZ secure proxy server resides in a different cell from the application servers, it must be configured to trust the application server cell in order for SSL to work properly. See the third step in this procedure.
Use the following procedure to configure static or dynamic secure routing.
Procedure
- To configure static routing, follow these steps:
  - Set the secure proxy server to use static routing, which is the default level after installation. We can do this by either setting the overall security level to high or by setting the custom security level for the routing property to static.
  - Use wsadmin.sh to query for the TargetTreeMbean mbean.
    mbean=AdminControl.queryNames('*:*,type=TargetTreeMbean,process=dmgr')
  - If the application uses Servlet 3.0 dynamic cookies, start the application that uses dynamic cookies.
  - Invoke the exportTargetTree method on the TargetTree mbean to export the routing information to a specified XML file.
    AdminControl.invoke(mbean, 'exportTargetTree', '/opt/IBM/WebSphere/AppServer/targetTree.xml')
    The static routing file is a special type of routing file that the proxy server uses to route a request from the proxy server directly to an application server. It is not used to route requests from the Web server plug-in to an application server.
  - Using the dmgr command line, transfer the targetTree.xml file from the dmgr to the PROFILE_ROOT/staticRoutes directory for the proxy server.
    The file is transferred from the dmgr to the proxy server by FTP or some other protocol.
    If your secure proxy server is interfacing with multiple cells, you can add the static routing file for each cell to the PROFILE_ROOT/staticRoutes directory. The secure proxy server considers any xxx.xml file that is included in the PROFILE_ROOT/staticRoutes directory a static routing file. The file does not have to be named targetTree.xml.
    When you add multiple xxx.xml files to the PROFILE_ROOT/staticRoutes directory for a secure proxy server, the secure proxy server merges the content of all of these files. The result of this merge is a single static routing file that the secure proxy server can use to route requests to servers in any of the cells. The merge process does not include any files in subdirectories of the PROFILE_ROOT/staticRoutes directory. Therefore the secure proxy server does not use any content that is contained in files located in any subdirectory when it routes requests to servers.
    Any attribute change that affects the content of the static routing file, such as a virtual host change, addition or deletion of a proxy server cluster member, a change in weight of a proxy server cluster member, or the installation or uninstallation of an application, automatically regenerates the static routing file.
  - Start the proxy server from the system command line:
    PROFILE_ROOT/startServer proxy_server_name
- To configure dynamic routing, follow these steps:
  - Configure the core group bridge in the application server cell. See the topic Configuring communication with a core group that resides on a DMZ Secure Proxy Server for IBM WAS.
  - Export the tunnel template settings to a file. From wsadmin.sh, use the exportTunnelTemplate command to export the settings, as in the following example:
    AdminTask.exportTunnelTemplate('[-tunnelTemplateName exportedTunnelTemplate -outputFileName tunnelTemplate1.props]')
  - Import the tunnel template settings into the DMZ proxy configuration, as in the following example:
    AdminTask.importTunnelTemplate('[-inputFileName tunnelTemplate1.props -bridgeInterfaceNodeName DMZNode01 -bridgeInterfaceServerName DMZProxyServer01]')
  - Start the proxy server from the system command line:
    PROFILE_ROOT/startServer proxy_server_name
- To configure SSL communications, follow these steps:
  - Configure the ssl.client.props properties file using the retrieveSigners command. See the information center topic on using the retrieveSigners command for more details.
  - The com.ibm.ssl.trustStore property should be set to point to the secure proxy server trust.p12 file. For example:
    ${user.root}/config/cells/SecureProxyCell1/nodes/SecureProxyNode1/trust.p12
  - Specify the truststore name of the cell in which the application servers reside when running the command. By default, its name is CellDefaultTrustStore. The retrieveSigners command can then be used to update the secure proxy server to trust the application server cell:
    retrieveSigners CellDefaultTrustStore AnotherTrustStore -host mybackendDmgr.location.com -port 8879
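
Because the proxy merges every top-level .xml file in PROFILE_ROOT/staticRoutes and skips subdirectories, as the static routing steps describe, it is worth auditing that directory after each transfer. The following script is an added example, not IBM code: it lists the files that would be merged and flags any that are unexpected, differ from a hash recorded at export time, or are group- or world-writable. The manifest, the function names, the case-sensitive .xml match and the sample file contents are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile

def audit_static_routes(routes_dir, manifest):
    """Return (merged_files, findings) for a PROFILE_ROOT/staticRoutes directory."""
    # manifest: name -> SHA-256 recorded on the dmgr at export time
    # (a hypothetical hand-kept record, not a WebSphere feature).
    merged, findings = [], []
    for name in sorted(os.listdir(routes_dir)):
        path = os.path.join(routes_dir, name)
        if os.path.isdir(path):
            # The merge skips subdirectories, so files in them are never used.
            findings.append((name, "subdirectory: contents not merged"))
            continue
        if not name.endswith(".xml"):  # assumption: case-sensitive match
            continue
        merged.append(name)  # every top-level *.xml feeds the merged routes
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if name not in manifest:
            findings.append((name, "unexpected routing file"))
        elif digest != manifest[name]:
            findings.append((name, "hash differs from dmgr export"))
        if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "group- or world-writable"))
    return merged, findings

def build_sample_dir():
    """Constructed sample directory (placeholder XML, not the real file format)."""
    root = tempfile.mkdtemp(prefix="staticRoutes-")
    good_a, good_b = b"<routes cell='A'/>", b"<routes cell='B'/>"
    files = {"cellA.xml": (good_a, 0o640),
             "cellB.xml": (good_b + b"<!-- edited -->", 0o640),
             "extra.xml": (b"<routes cell='X'/>", 0o666),
             "notes.txt": (b"ignored: not *.xml", 0o640)}
    for name, (body, mode) in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    os.mkdir(os.path.join(root, "old"))  # archived copies, never merged
    return root, {"cellA.xml": hashlib.sha256(good_a).hexdigest(),
                  "cellB.xml": hashlib.sha256(good_b).hexdigest()}

if __name__ == "__main__":
    merged, findings = audit_static_routes(*build_sample_dir())
    print("merged:", merged)
    print("\n".join(f"{n}: {issue}" for n, issue in findings))
```

Run it against the real PROFILE_ROOT/staticRoutes path with a manifest of hashes computed on the dmgr immediately after exportTargetTree.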
Results
Completing this procedure configures secure routing for a DMZ Secure Proxy Server for IBM WAS.
What to do next
We can now start and begin to use the DMZ Secure Proxy Server for IBM WAS.
Configure communication with a core group that resides on a DMZ Secure Proxy Server for IBM WAS
Use the retrieveSigners command in SSL to enable server to server trust
Tune the security properties for the DMZ Secure Proxy Server for IBM WAS
Related
WebSphere DMZ Secure Proxy Server for IBM WAS
DMZ Secure Proxy Server for IBM WAS routing considerations
Configure a DMZ Secure Proxy Server for IBM WAS