Configure communication with a core group that resides on a DMZ Secure Proxy Server for IBM WebSphere Application Server
This task describes the steps that you perform to establish communication between a cell inside of a firewall and a DMZ Secure Proxy Server for IBM WebSphere Application Server outside of the firewall.
- Create a DMZ Secure Proxy Server for IBM WAS on the machine that is outside of the firewall, if one does not already exist.
- Configure core group bridges between the core groups that are located inside of the firewall but reside in different cells, if they do not already exist.
- Read the topic Advanced core group bridge configurations, which describes how a tunnel access point group is used to set up a core group bridge tunnel between a cell inside of a firewall and a DMZ Secure Proxy Server for IBM WebSphere Application Server.
When configuring core group bridges, remember the following requirements:
- Whenever a change is made in core group bridge configuration, including the addition of a new bridge, or the removal of an existing bridge, you must fully shut down, and then restart all core group bridges in the affected access point groups.
- There must be at least one running core group bridge in each core group. If you configure two bridges in each core group, a single server failure does not disrupt the bridge functionality. Also, configuring two bridges enables you to periodically cycle out one of the bridges. If all the core group bridges in a core group are shut down, the core group state from all foreign core groups is lost.
Best practice: It is also recommended that:
- Core group bridges be configured in their own dedicated server process, and that these processes have their monitoring policy set for automatic restart.
- For each of the core groups, set the IBM_CS_WIRE_FORMAT_VERSION core group custom property to the highest value that is supported in the environment.
- To conserve resources, do not create more than two core group bridge interfaces when you define a core group access point. We can use one interface for workload purposes and another interface for high availability. Ensure that these interfaces are on different nodes for high availability purposes. For more information, see the frequently asked question information on core group bridges.
- You should typically specify ONLY two bridge interfaces per core group. Having at least two bridge interfaces is necessary for high availability. Having more than two bridge interfaces adds unnecessary overhead in memory and CPU.
Complete the following actions to create a tunnel access point group containing the core group access point for the DMZ Secure Proxy Server for IBM WebSphere Application Server, and a tunnel peer access point that represents the cell located inside the firewall.
- In the administrative console, click Servers > Core Groups > Core group bridge settings > Tunnel templates > New to create a new tunnel template that will represent the core group bridge tunnel settings that can be exported to the DMZ Secure Proxy Server for IBM WebSphere Application Server.
- Select the core group access points to include in this group.
When specifying the core group access points for the tunnel access point group, use the arrows to place the core group access points in the correct order. The specified order determines the order in which the DMZ Secure Proxy Server for IBM WebSphere Application Server defines the peer core groups of a tunnel peer access point. During startup, the proxy server attempts to connect to the peer core groups according to the order in which they are listed.
- Click OK.
- Click Tunnel templates, select the name of the template that you just created, and then click Export.
The file is exported to the WAS_DMGR_PROFILE_ROOT/TUNNEL_TEMPLATE_NAME.props file.
- On the DMZ Secure Proxy Server for IBM WebSphere Application Server, import the tunnel template settings into the DMZ Secure Proxy Server for IBM WebSphere Application Server configuration file.
To import the tunnel template, issue one of the following commands:
$AdminTask importTunnelTemplate -interactive
or
$AdminTask importTunnelTemplate {-inputFileName tunnel_template_name -bridgeInterfaceNodeName DMZ_PROXY_NODE_NAME -bridgeInterfaceServerName secure_proxy_name}
and then issue the $AdminConfig save command.
Where tunnel_template_name is the name that you gave the tunnel template that you just created, and secure_proxy_name is the name of the DMZ Secure Proxy Server for IBM WebSphere Application Server.
- Optional: Configure the high availability manager protocol to establish transparent bridge failover support.
During core group bridge state rebuilds, cross-core group state can be moved between running bridges. This situation might cause the data to be temporarily unavailable until the bridge has completed the rebuild process.
If we are running on Version 7.0.0.1 or later, set the IBM_CS_HAM_PROTOCOL_VERSION core group custom property to 6.0.2.31 for all of the core groups to avoid a possible high availability state outage during core group bridge failover. When this custom property is set to 6.0.2.31, the remaining bridges recover the high availability state of the failed bridge without the data being unavailable in the local core group.
Complete the following actions to set the IBM_CS_HAM_PROTOCOL_VERSION core group custom property to 6.0.2.31 for all of the core groups.
After you complete these actions, all of the core groups within this topology use the 6.0.2.31 high availability manager protocol.
- Shut down all core group bridges in all of the core groups.
- Repeat the following actions for each core group in each of the cells:
- In the administrative console, click Servers > Core Groups > Core group settings > core_group_name > Custom properties.
- Specify IBM_CS_HAM_PROTOCOL_VERSION in the Name field, and 6.0.2.31 in the Value field.
- Save the changes.
- Synchronize the changes across the topology.
- Restart all of the bridges in the topology.
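The per-core-group console steps above can also be scripted. The following wsadmin Jython script is an added example, not part of the original IBM topic (whose commands are shown in Jacl); it creates or updates IBM_CS_HAM_PROTOCOL_VERSION on every core group in the cell it is run against. It assumes that the bridges are already shut down, that it is run once per cell, and that core group custom properties are exposed through the customProperties attribute; synchronizing and restarting remain separate steps.

```python
# wsadmin Jython, for example: wsadmin -lang jython -f set_ham_protocol.py
# Added example. Shut down all core group bridges before running it.
PROP = 'IBM_CS_HAM_PROTOCOL_VERSION'
TARGET = '6.0.2.31'   # value given in the procedure above


def set_ham_protocol(admin_config, value=TARGET):
    """Create or update PROP on every core group in the cell.

    admin_config is the wsadmin AdminConfig object, passed in so that the
    logic can be exercised with a stand-in. Returns a list of
    (core_group_name, action) pairs; action is 'created', 'updated' or 'ok'.
    """
    results = []
    for cg in admin_config.list('CoreGroup').splitlines():
        if not cg.strip():
            continue
        name = admin_config.showAttribute(cg, 'name')
        existing = None
        # Property objects scoped to this core group, one config ID per line.
        for prop in admin_config.list('Property', cg).splitlines():
            if prop.strip() and admin_config.showAttribute(prop, 'name') == PROP:
                existing = prop
                break
        if existing is None:
            # Assumption: custom properties live under 'customProperties'.
            admin_config.create('Property', cg,
                                [['name', PROP], ['value', value]],
                                'customProperties')
            results.append((name, 'created'))
        elif admin_config.showAttribute(existing, 'value') != value:
            admin_config.modify(existing, [['value', value]])
            results.append((name, 'updated'))
        else:
            results.append((name, 'ok'))
    return results


# Inside wsadmin the AdminConfig object is predefined; elsewhere this is skipped.
try:
    _cfg = AdminConfig
except NameError:
    _cfg = None
if _cfg is not None:
    for cg_name, action in set_ham_protocol(_cfg):
        print('%s: %s' % (cg_name, action))
    _cfg.save()
```

A second run should report ok for every core group, which gives a quick check that no core group in the cell was left on a different protocol version.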
Results
A tunnel access point group is created containing the core group access point for the DMZ Secure Proxy Server for IBM WebSphere Application Server, and a tunnel peer access point that represents the cell located inside the firewall.
Subtopics
- Tunnel access point group collection
Use this page to view the tunnel access point groups defined for the core groups. The tunnel access point group includes core group access points and tunnel peer access points for enabling communication between a DMZ Secure Proxy Server for IBM WebSphere Application Server and a WAS Network Deployment cell.
- Tunnel access point group settings
Use this page to modify the tunnel peer access points and the core group access points that belong to this access point group. A tunnel access point group defines the access points that a set of core groups use to communicate with each other, even though they reside on opposite sides of a firewall. Access points can be either tunnel peer access points or core group access points. The core group access points enable core groups in the same cell to communicate with each other. Tunnel peer access points enable core groups residing outside of the firewall to communicate with core groups residing inside of the firewall.
- Tunnel peer access point collection
Use this page to view the tunnel peer access points defined for the core groups. Tunnel peer access points define the set of servers that provide access to core groups that reside in different cells, and one cell is located on a DMZ Secure Proxy Server for IBM WebSphere Application Server, while the other cell is located inside of the firewall. At least one tunnel peer access point must be defined for each cell, located on the DMZ Secure Proxy Server for IBM WebSphere Application Server, that needs to communicate with one or more of the core groups that are located inside of the firewall.
- Tunnel peer access point settings
Use this page to configure a tunnel peer access point. A tunnel peer access point is used to establish communication between core groups that are in different cells, when one of the cells is located on a DMZ Secure Proxy Server for IBM WebSphere Application Server, and the other is located inside of the firewall. A tunnel peer access point corresponds to a core group access point in the peer cell. The tunnel peer access point communication settings are specified by using one or more peer endpoints or a proxy peer.
- Tunnel peer access point selection
Use this page to control which tunnel peer access points are associated with this tunnel access point group. We can also use this page to create new tunnel peer access points for this tunnel access point group, or delete existing tunnel peer access points.
- Tunnel templates settings
Use this page to edit the properties of a tunnel access point group template.
- Tunnel templates collection
Use this page to view a list of the tunnel templates defined for a tunnel access point group. We can also use this page to create a new template, delete an existing template, or export relevant settings from the cell that is inside of the firewall to the cell that is outside of the firewall.
- Peer core group collection
Use this page to view the peer core groups defined for your system. We can also use this page to define a new peer core group or delete an existing peer core group.
- Peer core group settings
Use this page to create a peer core group. Peer core groups are core groups that reside in different cells. The local core group bridge attempts to establish communication between peer core groups in the order in which they appear in the list of peer core groups.
Related concepts
Core group communications using the core group bridge service
Related tasks
- Configure the core group bridge service
- Configure the core group bridge between core groups that are in different cells
- Configure communication between core groups that are in the same cell
- Configure core group communication using a proxy peer access point
- Configure a DMZ Secure Proxy Server for IBM WebSphere Application Server using the administrative console