Set communication with a core group residings on a DMZ Secure Proxy Server for IBM WAS

This task describes the steps that perform to establish communication between a cell inside of a firewall, and a DMZ Secure Proxy Server for IBM WAS outside of the firewall.

• Create a DMZ Secure Proxy Server for IBM WAS on your machine that is outside of the firewall, if one does not already exist.

• Set core group bridges between the core groups that are in located inside of the firewall but reside in different cells, if they do not already exist.

• Read the topic Advanced core group bridge configurations, which describes how a tunnel access point group is used to set up a core group bridge tunnel between a cell inside of a fire wall, and a DMZ Secure Proxy Server for IBM WAS

Avoid trouble: When configuring core group bridges, remember the following requirements:

• Whenever a change is made in core group bridge configuration, including the addition of a new bridge, or the removal of an existing bridge, fully shutdown, and then restart all core group bridges in the affected access point groups.

• There must be at least one running core group bridge in each core group. Set two bridges in each core group, allows for single failures, and the periodic cycling out of one bridge at a time from each core group. If all the core group bridges in a core group are shutdown, core group state from all foreign core groups is lost.

Best practice: It is also recommended that:

• Core group bridges be configured in their own dedicated server process, and that these processes have their monitoring policy set for automatic restart.

• For each of the core groups, you set the IBM_CS_WIRE_FORMAT_VERSION core group custom property to the highest value that is supported on the environment.

Complete the following actions to create a tunnel access point group that contains the core group access point for the DMZ Secure Proxy Server for IBM WAS, and a tunnel peer access point that represents the cell that is located inside the firewall.

 

1. In the admin console ...

   Servers > Core Groups > Core group bridge settings > Tunnel templates > New to create a new tunnel template that will represent the core group bridge tunnel settings that can be exported to the DMZ Secure Proxy Server for IBM WAS.

2. Select the core group access points to include in this group.

   When specifying the core group access points for the tunnel access point group, use the arrows to place the core group access points in the correct order. The specified order determines the order in which the DMZ Secure Proxy Server for IBM WAS defines the peer core groups of a tunnel peer access point. During startup, the proxy server attempts to connect to the peer core groups according to the order in which they are listed.

3. Click OK.

4. Click Tunnel templates, select the name of the template that you just created, and then click Export.

   The file is exported to the WAS_DMGR_PROFILE_ROOT/TUNNEL_TEMPLATE_NAME.props file.

5. On the DMZ Secure Proxy Server for IBM WAS, import the tunnel template settings into the DMZ Secure Proxy Server for IBM WAS configuration file. To import the tunnel template, issue one of the following commands:

   $AdminTask importTunnelTemplate -interactive

   or

   $AdminTask importTunnelTemplate {-inputFileName tunnel_template_name -bridgeInterfaceNodeName DMZ_PROXY_NODE_NAME -bridgeInterfaceServerName secure_proxy_name}

   and then issue the $AdminConfig save command.

   Where tunnel_template_name is the name that you gave the tunnel template that you just created, and secure_proxy_name is the name of the DMZ Secure Proxy Server for IBM WAS.

6. Set the high availability manager protocol to establish transparent bridge failover support.

   During core group bridge state rebuilds, cross-core group state can be moved between running bridges. This situation might cause the data to be temporarily unavailable until the bridge has completed the rebuild process.

   If running on V7.0.0.1 or later, set the IBM_CS_HAM_PROTOCOL_VERSION core group custom property to 6.0.2.31 for all of the core groups to avoid a possible high availability state outage during core group bridge failover. When this custom property is set to 6.0.2.31, the remaining bridges recover the high availability state of the failed bridge without the data being unavailable in the local core group.

   Complete the following actions to set the IBM_CS_HAM_PROTOCOL_VERSION core group custom property to 6.0.2.31 for all of the core groups.

   1. Shut down all core group bridges in all of the core groups.

   2. Repeat the following actions for each core group in each of your cells:

      1. In the admin console ...

         Servers > Core Groups > Core group settings > core_group_name > Custom properties.

      2. Specify IBM_CS_HAM_PROTOCOL_VERSION in the Name field, and 6.0.2.31 in the Value field.

      3. Save the changes.

   3. Synchronize the changes across the topology.

   4. Restart all of the bridges in the topology.

   All of the core groups within this topology are using the 6.0.2.31 high availability manager protocol.

 

Results

A tunnel access point group is created that contains the core group access point for the DMZ Secure Proxy Server for IBM WAS, and a tunnel peer access point that represents the cell that is located inside the firewall.

Tunnel access point group collection
Tunnel access point group settings
Tunnel peer access point collection
Tunnel peer access point settings
Tunnel peer access point selection
Tunnel templates settings
Tunnel templates collection
Peer core group collection
Peer core group settings

 

Related concepts

Core group communications using the core group bridge service

 

Related tasks

Set the core group bridge service
Set the core group bridge between core groups that are in different cells
Set communication between core groups in the same cell
Set core group communication using a proxy peer access point
Set a DMZ Secure Proxy Server for IBM