Configure secure routing for a DMZ Secure Proxy Server for IBM WebSphere Application Server
We can configure the DMZ Secure Proxy Server for IBM WebSphere Application Server to route requests statically or dynamically.
Configure the profiles and security properties before configuring routing. See the topic Tuning the security properties for the DMZ Secure Proxy Server for IBM WebSphere Application Server. Decide whether to configure static or dynamic routing.
Static routing is performed using a flat configuration file. Static routing is considered more secure than dynamic routing. With dynamic routing, requests are routed through a best match mechanism that determines the installed application or routing rule that corresponds to a specific request. The secure proxy server will dynamically discover the best route to a destination and distribute to servers with like protocols.
The secure routing options are:
- Use static routing with the exportTargetTree command.
- Use dynamic routing by setting up a core group bridge tunnel. See the topic Configuring communication with a core group that resides on a DMZ Secure Proxy Server for IBM WebSphere Application Server.
Avoid trouble: Because the DMZ secure proxy server resides in a different cell from the application servers, it must be configured to trust the application server cell in order for SSL to work properly. See the third step in this procedure.
Use the following procedure to configure static or dynamic secure routing.
- To configure static routing:
The server(s) involved in the proxy configuration must be active when wsadmin.sh is used to query and export the TargetTree.XML file.
- Set the secure proxy server to use static routing, which is the default level after installation. We can do this by either setting the overall security level to high or by setting the custom security level for the routing property to static.
- Use wsadmin.sh to query for the TargetTreeMbean mbean.
mbean=AdminControl.queryNames('*:*,type=TargetTreeMbean,process=dmgr')
- If the application uses Servlet 3.0 dynamic cookies, start the application that uses dynamic cookies.
- Invoke the exportTargetTree method on the TargetTree mbean to a specified XML file.
AdminControl.invoke(mbean, 'exportTargetTree', '/opt/IBM/WebSphere/AppServer/targetTree.xml')
The static routing file is a special type of routing file that the proxy server uses to route a request from the proxy server directly to an application server. It is not used to route requests from the Web server plug-in to an application server.
- Using the deployment manager command line, transfer the targetTree.xml file from the deployment manager to the profile_root/staticRoutes directory for the proxy server.
The file is transferred from the deployment manager to the proxy server by FTP or some other protocol.
If the secure proxy server is interfacing with multiple cells, we can add the static routing file for each cell to the profile_root/staticRoutes directory. The secure proxy server considers any xxx.xml file included in the profile_root/staticRoutes directory a static routing file. The file does not have to be named targetTree.xml.
When we add multiple xxx.xml files to the profile_root/staticRoutes directory for a secure proxy server, the secure proxy server merges the content of all of these files. The result of this merge is a single static routing file that the secure proxy server can use to route requests to servers in any of the cells.
The merge process does not include any files in subdirectories of the profile_root/staticRoutes directory. Therefore the secure proxy server does not use any content contained in files located in any subdirectory when it routes requests to a server.
Any attribute change that affects the content of the static routing file, such as a virtual host change, addition or deletion of a proxy server cluster member, a change in weight of a proxy server cluster member, or the installation or uninstallation of an application, automatically regenerates the static routing file.
- Start the proxy server from the system command line:
profile_root/startServer proxy_server_name
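As an added pre-flight check that is not part of the IBM documentation, the following Python script classifies the contents of a staticRoutes directory the way the merge described above treats them: top-level xxx.xml files are merged (whatever their name), files in subdirectories are ignored, and a file that is not well-formed XML is flagged before the proxy server is started. The directory layout and the targetTree contents it builds are constructed samples, not real exportTargetTree output.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed stand-ins for exported targetTree.xml files (not real exports).
SAMPLE_CELL_A = "<targetTree cell='CellA'><server name='s1'/></targetTree>"
SAMPLE_CELL_B = "<targetTree cell='CellB'><server name='s2'/></targetTree>"
SAMPLE_BROKEN = "<targetTree cell='CellC'><server name='s3'>"  # unclosed

def check_static_routes(static_routes_dir):
    """Classify the contents of profile_root/staticRoutes the way the proxy does.

    merged  - top-level *.xml files that parse; the proxy merges these
    broken  - top-level *.xml files that are not well-formed XML
    ignored - *.xml files in subdirectories; the merge is not recursive
    other   - top-level files without the .xml suffix; also not read
    """
    result = {"merged": [], "broken": [], "ignored": [], "other": []}
    for name in sorted(os.listdir(static_routes_dir)):
        path = os.path.join(static_routes_dir, name)
        if os.path.isdir(path):
            for root, _dirs, files in os.walk(path):
                for f in files:
                    if f.endswith(".xml"):
                        rel = os.path.relpath(os.path.join(root, f), static_routes_dir)
                        result["ignored"].append(rel)
        elif not name.endswith(".xml"):
            result["other"].append(name)
        else:
            try:
                ET.parse(path)  # any well-formed xxx.xml counts, whatever its name
                result["merged"].append(name)
            except ET.ParseError:
                result["broken"].append(name)
    return result

def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)

def build_sample_dir():
    """Create a constructed staticRoutes directory exercising every case."""
    base = tempfile.mkdtemp(prefix="staticRoutes-")
    _write(os.path.join(base, "cellA.xml"), SAMPLE_CELL_A)
    _write(os.path.join(base, "targetTree.xml"), SAMPLE_CELL_B)
    _write(os.path.join(base, "cellC.xml"), SAMPLE_BROKEN)
    _write(os.path.join(base, "README.txt"), "operator notes, not a route file\n")
    os.mkdir(os.path.join(base, "old"))
    _write(os.path.join(base, "old", "cellD.xml"), SAMPLE_CELL_A)
    return base
```

Run check_static_routes against the real profile_root/staticRoutes directory before starting the proxy server; anything reported under broken or ignored will not contribute routes.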
- To configure dynamic routing:
- Configure the core group bridge in the application server cell. See the topic Configuring communication with a core group that resides on a DMZ Secure Proxy Server for IBM WebSphere Application Server.
- Export the tunnel template settings to a file. From wsadmin.sh, use the exportTunnelTemplate command to export the settings, as in the following example:
AdminTask.exportTunnelTemplate('[-tunnelTemplateName exportedTunnelTemplate -outputFileName tunnelTemplate1.props]')
- Import the tunnel template settings into the DMZ proxy configuration, as in the following example:
AdminTask.importTunnelTemplate('[-inputFileName tunnelTemplate1.props -bridgeInterfaceNodeName DMZNode01 -bridgeInterfaceServerName DMZProxyServer01]')
- Start the proxy server from the system command line:
profile_root/startServer proxy_server_name
- To configure SSL communications:
- Configure the ssl.client.props properties file using the retrieveSigners command. See the information center topic on using the retrieveSigners command for more details.
- The com.ibm.ssl.trustStore property should be set to point to the secure proxy server trust.p12 file. For example:
${user.root}/config/cells/SecureProxyCell1/nodes/SecureProxyNode1/trust.p12
- Specify the truststore name of the cell in which the application servers reside when running the command. By default, its name is CellDefaultTrustStore. The retrieveSigners command can then be used to update the secure proxy server to trust the application server cell:
retrieveSigners CellDefaultTrustStore AnotherTrustStore -host mybackendDmgr.location.com -port 8879
Results
Completing this procedure results in configuring secure routing for a DMZ Secure Proxy Server for IBM WebSphere Application Server.
What to do next
We can now start and begin to use the DMZ Secure Proxy Server for IBM WebSphere Application Server.
Related tasks
- Configure communication with a core group that resides on a DMZ Secure Proxy Server for IBM WebSphere Application Server
- Use the retrieveSigners command in SSL to enable server to server trust
- Tune the security properties for the DMZ Secure Proxy Server for IBM WebSphere Application Server
- WebSphere DMZ Secure Proxy Server for IBM WebSphere Application Server
- DMZ Secure Proxy Server for IBM WebSphere Application Server routing considerations