Configure secure routing for a DMZ Secure Proxy Server
Overview
We can configure the DMZ Secure Proxy Server for IBM WebSphere Application Server to route requests statically or dynamically.
Static routing is performed using a flat configuration file and is considered more secure than dynamic routing. With dynamic routing, requests are routed through a best-match mechanism that determines which installed application or routing rule corresponds to a specific request. The secure proxy server dynamically discovers the best route to a destination and distributes requests to servers with like protocols.
Configure profiles and security properties before configuring routing.
Configure static routing
- Set the secure proxy server to use static routing, which is the default level after installation.
We can either set the overall security level to high or set the custom security level for the routing property to static.
- Use the wsadmin tool to query for the TargetTreeMbean mbean.
mbean=AdminControl.queryNames('*:*,type=TargetTreeMbean,process=dmgr')
The server(s) involved in the proxy configuration must be active when the wsadmin tool is used to query and export the TargetTree.XML file.
- If the application uses Servlet 3.0 dynamic cookies, start the application that uses dynamic cookies.
- Invoke the exportTargetTree method on the TargetTree mbean to a specified XML file.
AdminControl.invoke(mbean, 'exportTargetTree', '/opt/IBM/WebSphere/AppServer/targetTree.xml')
The static routing file is a special type of routing file that the proxy server uses to route a request from the proxy server directly to an application server. It is not used to route requests from the web server plug-in to an application server.
- Using the deployment manager command line, transfer the targetTree.xml file from the deployment manager to the profile_root/staticRoutes directory of the proxy server.
The file is transferred from the deployment manager to the proxy server by FTP or some other protocol.
If our secure proxy server is interfacing with multiple cells, we can add the static routing file for each cell to the profile_root/staticRoutes directory. The secure proxy server considers any xxx.xml file that is included in the profile_root/staticRoutes directory a static routing file. The file does not have to be named targetTree.xml.
When we add multiple xxx.xml files to the profile_root/staticRoutes directory for a secure proxy server, the secure proxy server merges the content of all of these files. The result of this merge is a single static routing file that the secure proxy server can use to route requests to servers in any of the cells.
The merger process does not include any files in subdirectories of the profile_root/staticRoutes directory. Therefore, the secure proxy server does not use any content contained in files in any subdirectory when it routes requests to a server.
Attribute changes that affect the content of the static routing file, such as a virtual host change, the addition or deletion of a proxy server cluster member, a change in the weight of a proxy server cluster member, or the installation or uninstallation of an application, automatically regenerate the static routing file.
- Start the proxy server from the system command line:
profile_root/startServer proxy_server
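The merge rule above (every *.xml directly in profile_root/staticRoutes is merged, subdirectories are ignored) is easy to get wrong when exports from several cells are copied over. The following pre-start check, added here as an example and not part of the IBM documentation, lists the files the proxy will actually merge, flags XML files it will silently skip, and verifies that each candidate is well-formed. The sample directory and its element names are constructed placeholders, not the real targetTree.xml schema.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def static_routing_files(static_routes_dir):
    # Only *.xml files directly in profile_root/staticRoutes are merged by the proxy.
    return sorted(e for e in os.listdir(static_routes_dir)
                  if e.lower().endswith('.xml')
                  and os.path.isfile(os.path.join(static_routes_dir, e)))

def ignored_xml_files(static_routes_dir):
    # *.xml files in subdirectories are silently skipped: flag them so an export
    # copied one level too deep does not go unnoticed.
    ignored = []
    for root, _dirs, files in os.walk(static_routes_dir):
        if root == static_routes_dir:
            continue
        for f in files:
            if f.lower().endswith('.xml'):
                rel = os.path.relpath(os.path.join(root, f), static_routes_dir)
                ignored.append(rel.replace(os.sep, '/'))
    return sorted(ignored)

def check_static_routes(static_routes_dir):
    # Parse each merge candidate; returns (name, ok, detail) so a malformed file is
    # caught before the proxy server is started.
    results = []
    for name in static_routing_files(static_routes_dir):
        try:
            ET.parse(os.path.join(static_routes_dir, name))
            results.append((name, True, 'well-formed'))
        except ET.ParseError as exc:
            results.append((name, False, str(exc)))
    return results

def build_sample_dir():
    # Constructed stand-in for profile_root/staticRoutes; the element names are
    # placeholders, not the real targetTree.xml schema.
    d = tempfile.mkdtemp(prefix='staticRoutes-')
    os.mkdir(os.path.join(d, 'old'))
    samples = {'cellA.xml': '<targetTree cell="CellA"/>',
               'cellB.xml': '<targetTree cell="CellB"/>',
               'broken.xml': '<targetTree><target></targetTree>',
               'README.txt': 'not a routing file',
               'old/cellC.xml': '<targetTree cell="CellC"/>'}
    for name, body in samples.items():
        with open(os.path.join(d, *name.split('/')), 'w') as fh:
            fh.write(body)
    return d
```

Point check_static_routes and ignored_xml_files at the real profile_root/staticRoutes directory before running startServer; build_sample_dir only exists to exercise the checks offline.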
Configure dynamic routing
- Configure the core group bridge in the application server cell to enable communication with a core group that resides on a DMZ Secure Proxy Server.
- Export the tunnel template settings to a file. From the wsadmin tool, use the exportTunnelTemplate command to export the settings, as in the following example:
AdminTask.exportTunnelTemplate('[-tunnelTemplateName exportedTunnelTemplate -outputFileName tunnelTemplate1.props]')
- Import the tunnel template settings into the DMZ proxy configuration, as in the following example:
AdminTask.importTunnelTemplate('[-inputFileName tunnelTemplate1.props -bridgeInterfaceNodeName DMZNode01 -bridgeInterfaceServerName DMZProxyServer01]')
- Start the proxy server from the system command line:
profile_root/startServer proxy_server
Configure SSL communications
- Configure the ssl.client.props properties file that the retrieveSigners command uses.
- The com.ibm.ssl.trustStore property should be set to point to the secure proxy server trust.p12 file. For example:
${user.root}/config/cells/SecureProxyCell1/nodes/SecureProxyNode1/trust.p12
- Determine the truststore name of the cell in which the application servers reside; it is required when running the command.
By default, its name is CellDefaultTrustStore. The retrieveSigners command can then be used to update the secure proxy server to trust the application server cell:
retrieveSigners CellDefaultTrustStore AnotherTrustStore -host mybackendDmgr.location.com -port 8879
Related information
- Configure communication with a core group that resides on a DMZ Secure Proxy Server for IBM WAS
- Use the retrieveSigners command in SSL to enable server to server trust
- Tune the security properties for the DMZ Secure Proxy Server for IBM WAS
- WebSphere DMZ Secure Proxy Server for IBM WAS
- DMZ Secure Proxy Server for IBM WAS routing considerations