http://dotNSF.com
Admin & Developer Conference UK 4th October 2004
How to securely integrate ND7, WAS and WPS using the
WebSphere plug-in
• Jason Hook
• IBM certified Lotus, WebSphere Portal Professional
• DB2, Java, Microsoft
• Over 7 years working in Messaging
Introductions
dotNSF, inc.
• dotNSF, inc. High availability, Domino and Web Security Tools
• 2003 Lotus Advisor Editor’s choice award for security
• WebSphere Portal Search Engine optimization
• Meet us at the Penumbra Pedestal
• http://dotNSF.com
What will you get from this session?
• The WAS Plug-in: What & Why?
• IHS (Apache) Installation (for IIS see http://dotNSF.com/wps/portal/whitepapers)
• Configuration Scenarios: Domino, WebSphere Portal and both combined
• Some tips & useful links to Plug-in resources
Questions
• Please save any questions you have to the end – there will be time
• If I can’t answer the question I will try and get an answer
• If you don’t get a chance to ask please mail me [email protected]
• This presentation will be available at
– http://dotNSF.com/wps/portal/presentations
What are proxies?
• Proxies
– Your “go-for”, getting stuff on your behalf
– Hardware and software types exist, but a proxy is commonly a software process running on a computer
– There are a few different types; however, it is often where you place the proxy that dictates what type it is
What types of proxy are there?
• Forward
– Usually outbound, serving users in one security zone with access to the next, i.e. a corporate firewall allowing browsing of internet sites
• Transparent
– More a question of design than definition. Do you make your users explicitly aware that they are talking to a proxy?
• Caching
– Maintains a cache of reusable resources; the trick is to only cache what is cacheable and not cache aggressively
• Security
– Can enforce security profiles on top of their usual proxy function. The proxy decides if the user is authorized to access the resource; the backend server must trust the proxy. It’s important to ensure that this type cannot be bypassed and headers/credentials forged
• Reverse
– Just like forward proxies but configured to work in the opposite direction, usually receiving requests for resources within your organization from an external zone
A forward proxy scenario
In the forward case and with a caching proxy you save internet bandwidth as the proxy returns cached items rather than getting the content from the hosting server again and again
A reverse proxy scenario
Assuming the proxy cannot be bypassed it helps to secure your backend Application servers from hacking attempts.
Normally you would prefer to sacrifice your exposed web server and not your AppServers
If a caching proxy is used then you can reduce the load on your backend servers
Example Scenarios
1. Domino
2. WebSphere Portal
3. Combined
Scenario 1: Lotus Domino
For this session we will use a single box configuration:
Port 80 & 443 - Apache and the WAS Plug-in
Port 81 & 444 – Domino Servers 1 and 2
Scenario 2: WebSphere Portal
This scenario shows how the plug-in configuration can be used to front end WebSphere portal server.
Scenario 3: Domino and WPS
This final scenario is all about merging the two previous configuration files into a single configuration file.
Architecture
• What is the WAS Plug-in?
– A relatively simple transparent reverse proxy
– Designed to plug into a web server
– Ships with WebSphere Application Server & is available via ibm.com (see links)
Why use the WAS Plug-in?
– It’s virtually free
• Of course you need to be an IBM customer to get support!
– It’s an entry level proxy
• It gets you started
– Security
• Combined with other measures it can allow you to place key servers further away from the public internet
– Administration
• Simplify your SSL configuration
• Has some support for Affinity, failover and load balancing
Why use the WAS Plug-in 2
• Apache or IIS for Performance or Policy reasons
• Static Content can be served from the Web Server without loading your application servers
• The Plug-in offers some load-balancing and failover capacity
Why not use the WAS Plug-in?
• It’s quite basic
• You may want to support caching, security etc
• Alternatives include:
– IBM Tivoli WebSEAL
– Netegrity SiteMinder
– WebSphere Edge Server
How it works 1
• A client application (Opera, IE, NS, Safari, Mozilla etc) makes requests to the Web Server
• The Web Server will pass the requests to the plug-in
• The plug-in will decide if it should handle the request
How it works 2
• If any one plug-in handles the request then the request is satisfied
• If no plug-in handles the request then the Web Server will at last try to service the request
Which web servers are supported?
• IIS 5.x
• IIS 6.x (some extra steps needed)
• Apache
– Apache 1.3.26 to .31 or better
– Apache 2.0.47 to .50 or better
• IBM HTTP Server
– Server: IBM_HTTP_Server/1.3.26 or better
– Server: IBM_HTTP_Server/2.0.47.1 to 2.0.47.1-PQ90698 or better
Choosing the right Plug-in
• Know which version of WAS
• See useful link “Which plug-in to use and where to get it”
• Generally the advice is:
– “The plug-in must be at the same or higher level than the respective Application Server” (IBM.com)
Getting a basic configuration file
• Where to find the configuration file:
– WebSphere 5.x
• <WASROOT>/AppServer/Config/cells/<cell>/plugin-cfg.xml
– Domino
• <DOMINOROOT>/Domino/plugins/plugin-cfg.xml
What about IIS?
• There are some slides included in the downloadable presentation
• Very detailed step by step installation notes (including SSL configuration):
– http://dotNSF.com/wps/portal/whitepapers
IHS 2 Installation
Overview
• Install IHS
• Install the Global Security Toolkit (Optional)
• Get the Plug-in files (config & library)
• Configure IHS to load the Plug-in
• Configure the Plug-in
• Test
IHS 2 Installation
• Automatic installation with WAS v5?
– Configures for 1.3.26
– For a 2.0.47 installation read useful link “How to install IHS 2.0” or follow these slides
• IBM recommends and fully supports IHS 2.0.47 (and we’ll be using this for the demo)
• Tip: create a sensible directory structure on your web server computer (see more detailed slide in the downloadable presentation)
IHS 2 Installation
Directory/Folder name
– C:\plug-in\plug-in-keys\ (for the plug-in key file(s))
– C:\plug-in\iis-cfg-log\ (for the configuration and log files)
– C:\plug-in\ihs-cfg-log\ (for the configuration and log files)
– C:\plug-in\ (for the plug-in .so or dll files)
httpd.conf
• LoadModule was_ap20_module "c:/plug-in/mod_was_ap20_http.dll"
• WebSpherePluginConfig "c:/plug-in/ihs-cfg-log/plugin-cfg.xml"
(If) The plugin doesn’t load..
• Check:
– There are no syntax errors in the config file
– There are no content errors in that file
– The App servers are available
– The right DLL is being used
• Check:
– Start the Web Server using a command prompt (Apache)
– Web server log
– The plug-in log
Plugin-cfg.xml in more detail
• Where? Domino installation Directory and WAS CD’s (see documentation)
• You may need to integrate different backend servers and some manual editing is needed
• You can use WAS to generate a comprehensive configuration file as a starting point
The basic Plug-in configuration file
<?xml version="1.0"?>
<Config>
<Log LogLevel="TRACE" Name="c:/WebSphere/AppServer/logs/http_plugin.log"/>
</Config>
VirtualHostGroup Stanza
<!-- Virtual host groups provide a mechanism of grouping virtual hosts together. -->
<VirtualHostGroup Name="default_host">
<VirtualHost Name="*:80"/>
<VirtualHost Name="*:443"/>
</VirtualHostGroup>
URI Group Stanza
<!-- URI groups provide a mechanism for telling the plug-in which URIs it will handle. They are case sensitive even in Windows! -->
<UriGroup Name="Star">
<Uri Name="*.*"/>
<Uri Name="/"/>
</UriGroup>
<UriGroup Name="DominoUris">
<Uri Name="*.nsf"/>
<Uri Name="*.nsF"/>
<Uri Name="*.nSf"/>
<Uri Name="*.Nsf"/>
……..
</UriGroup>
ServerGroup Stanza
<!-- The transport defines the hostname and port value that the web server plug-in will use to communicate with the application server. -->
<ServerGroup Name="portal_servers">
<Server Name="portal1">
<Transport Hostname="portal.dotNSF.com" Port="9081" Protocol="http"/>
</Server>
</ServerGroup>
Route Stanza
<Route ServerGroup="domino_servers" UriGroup="domino_host_URIs" VirtualHostGroup="default_host"/>
<Route ServerGroup="portal_servers" UriGroup="WebSphere_Portal_portal_Cluster_URIs" VirtualHostGroup="default_host"/>
Scenario 1: Domino
• See http://dotNSF.com for more detail in whitepapers
• For this Scenario we’ll just review the pre-configured environment:
– httpd.conf
– The plugin-cfg.xml file
Domino Configuration
• For the Demo we’ll use a single box config
– Domino is running the HTTP task on Port 81
– You may want to bind http to address 127.0.0.1
• Set Config HTTPENABLECONNECTORHEADERS=1
HTTPENABLECONNECTORHEADERS
• The Plug-in forwards headers with authentication data to WebSphere and Domino
• When you set the Notes.ini variable to 1 Domino trusts those headers implicitly
• The Plug-in will strip out these headers from any request that it receives and replace them with its own
• If the proxy can be bypassed, the headers could be forged, allowing a hacker greater privileges than you would want
WARNING!!
• HTTPENABLECONNECTORHEADERS
• Make sure:
– The proxy cannot be by-passed by internal or external users
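The warning above, turned into a check for the single-box layout (an added example, not part of the original presentation): it reads the backend ports from the Transport elements of plugin-cfg.xml and flags any of them that `netstat -an` shows listening on a non-loopback address, where a client could reach Domino without passing through the plug-in. The config, hostnames and netstat lines are constructed samples, and on a multi-host layout a non-loopback listener is expected and must instead be firewalled to the web server's address.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the presentation's demo machine).
PLUGIN_CFG = """<Config>
  <ServerGroup Name="domino_servers">
    <Server Name="server1">
      <Transport Hostname="server1.example.test" Port="81" Protocol="http"/>
      <Transport Hostname="server1.example.test" Port="444" Protocol="https"/>
    </Server>
  </ServerGroup>
</Config>"""

NETSTAT_AN = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:81           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:444            0.0.0.0:0              LISTENING
  TCP    192.168.2.5:80         192.168.2.40:51234     ESTABLISHED
"""


def backend_ports(cfg_xml):
    """Ports the plug-in forwards to, read from the Transport elements."""
    root = ET.fromstring(cfg_xml)
    return {int(t.get("Port")) for t in root.iter("Transport")}


def listeners(netstat_text):
    """Yield (address, port) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            host, _, port = fields[1].rpartition(":")
            yield host, int(port)


def bypassable_listeners(cfg_xml, netstat_text):
    """Backend listeners that are reachable without going through the proxy."""
    ports = backend_ports(cfg_xml)
    exposed = []
    for host, port in listeners(netstat_text):
        if port not in ports:
            continue  # the web server's own ports (80/443) are meant to be public
        # Strip IPv6 brackets and any scope id before parsing the address.
        addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
        if not addr.is_loopback:
            exposed.append((host, port))
    return sorted(exposed)


if __name__ == "__main__":
    for host, port in bypassable_listeners(PLUGIN_CFG, NETSTAT_AN):
        print(f"backend port {port} listens on {host}: connector headers can be "
              f"sent to it directly, bind it to 127.0.0.1 or firewall it")
```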
Scenario 2: WebSphere Portal
• For simplicity we will start from a basic configuration file
• We keep the VirtualHostGroup and create
– URI Group
– Servergroup
– Route
Scenario 3: WebSphere & Domino
• Putting the previous two Scenarios together
• Merging the two plugin-cfg.xml files
– Ensure we have unique names for all of the stanzas
– No 2 routes the same
– Don’t duplicate URI’s in more than one URI Group
– No two VirtualHostGroups can have the same port
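The four merge rules above as a small linter (an added example, not part of the original presentation or of any IBM tooling). The sample file is a constructed, deliberately careless merge; its hostnames and the "servers", "portal_host" and "portal_URIs" names are made up for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a careless merge of a Domino and a Portal plugin-cfg.xml.
MERGED_CFG = """<Config>
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:80"/><VirtualHost Name="*:443"/>
  </VirtualHostGroup>
  <VirtualHostGroup Name="portal_host">
    <VirtualHost Name="*:80"/>
  </VirtualHostGroup>
  <ServerGroup Name="servers">
    <Server Name="server1"><Transport Hostname="server1.example.test" Port="81" Protocol="http"/></Server>
  </ServerGroup>
  <ServerGroup Name="servers">
    <Server Name="portal1"><Transport Hostname="portal.example.test" Port="9081" Protocol="http"/></Server>
  </ServerGroup>
  <UriGroup Name="domino_host_URIs">
    <Uri Name="*.nsf/*"/><Uri Name="/icons/*"/>
  </UriGroup>
  <UriGroup Name="portal_URIs">
    <Uri Name="/wps/*"/><Uri Name="/icons/*"/>
  </UriGroup>
  <Route ServerGroup="servers" UriGroup="domino_host_URIs" VirtualHostGroup="default_host"/>
  <Route ServerGroup="servers" UriGroup="domino_host_URIs" VirtualHostGroup="default_host"/>
  <Route ServerGroup="servers" UriGroup="portal_URIs" VirtualHostGroup="portal_host"/>
</Config>"""


def _shared(owners, kind):
    """Report every key that is claimed by more than one group."""
    return [(kind, f"{key} in {', '.join(sorted(groups))}")
            for key, groups in sorted(owners.items()) if len(groups) > 1]


def lint_merged_cfg(xml_text):
    """Return (rule, detail) findings for the four merge rules on the slide."""
    root = ET.fromstring(xml_text)
    findings = []

    # Rule 1: stanza names must be unique within each stanza type.
    for tag in ("VirtualHostGroup", "ServerGroup", "UriGroup"):
        seen = set()
        for stanza in root.iter(tag):
            name = stanza.get("Name")
            if name in seen:
                findings.append(("duplicate-name", f"{tag} {name}"))
            seen.add(name)

    # Rule 2: no two Route elements may be identical.
    seen_routes = set()
    for route in root.iter("Route"):
        key = tuple(route.get(a) for a in ("ServerGroup", "UriGroup", "VirtualHostGroup"))
        if key in seen_routes:
            findings.append(("duplicate-route", "/".join(map(str, key))))
        seen_routes.add(key)

    # Rule 3: a URI pattern belongs to one UriGroup only. Patterns are compared
    # exactly because the plug-in matches URIs case-sensitively.
    uri_owners = defaultdict(set)
    for group in root.iter("UriGroup"):
        for uri in group.iter("Uri"):
            uri_owners[uri.get("Name")].add(group.get("Name"))
    findings += _shared(uri_owners, "uri-in-multiple-groups")

    # Rule 4: a port may appear in one VirtualHostGroup only.
    port_owners = defaultdict(set)
    for group in root.iter("VirtualHostGroup"):
        for vhost in group.iter("VirtualHost"):
            port_owners[vhost.get("Name", "").rpartition(":")[2]].add(group.get("Name"))
    findings += _shared(port_owners, "port-in-multiple-vhostgroups")
    return findings


if __name__ == "__main__":
    for rule, detail in lint_merged_cfg(MERGED_CFG):
        print(f"{rule}: {detail}")
```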
Troubleshooting Tools
• Plug-in logs
• Web Server logs
• WAS and Domino logs
• Netstat
• The browser
• Tivoli Performance Viewer
• Javacore files
• IHS Server Status Utility
Trace, Warn, Error: the plug-in log
• The plugin-cfg file allows you to log events with varying degrees of detail
<Log LogLevel="TRACE" Name="c:/WebSphere/AppServer/logs/http_plugin.log"/>
OR
<Log LogLevel="WARN" Name="c:/WebSphere/AppServer/logs/http_plugin.log"/>
OR
<Log LogLevel="ERROR" Name="c:/WebSphere/AppServer/logs/http_plugin.log"/>
Protocol Analyzers
• Protocol Analyzers can be an invaluable tool
• Hardware and Software options available
• Commercial Protocol Analyzers
– CommView (www.tamos.com/products/commview/)
• Fee Free Protocol Analyzers
– Ethereal (www.ethereal.com)
A single transaction with a Protocol Analyzer
Useful links & resources
• http://dotNSF.com/wps/portal/whitepapers
• http://dotNSF.com/wps/portal/presentations
• Lotus Security Handbook
– http://www.redbooks.ibm.com/redbooks/pdfs/sg247017.pdf
• Where to get IHS
– The base server(s): http://www-306.ibm.com/software/webservers/httpservers/
– Recommended fix for potential denial of service attacks: http://www-1.ibm.com/support/docview.wss?uid=swg24007451&rs=260
• IHS 2.0 and WAS v4.0 (which plug-ins are supported)
– http://www-1.ibm.com/support/docview.wss?rs=860&context=SW600&q1=ibm+http+server&uid=swg21115062&loc=en_US&cs=utf-8&lang=en+en
• Which plug-in to use and where to get it
– http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&uid=swg21160581
• Installing IHS 2.0 (with some useful links to other documents at the bottom)
– http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tins_installIHS2.html
• Understanding the WebSphere Application Server plug-in by Sharad Cocasse and Makarand Kulkarni (IBM 2003)
• Edge Side Include Caching
– http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/tprf_esiedgecaching.html
Tips
• Performance Tips
– Check ports being listened to
– Do monitor the logs
– Don’t use affinity unless you really have to (although the overhead is said to be relatively small)
– Keep up with patches and updates….
• Security Tips
– Be aware of the implications of HttpEnableConnectorHeaders=1
– Ensure that the proxy cannot be bypassed
And finally…..
• Please complete your feedback forms
– Any feedback gratefully received
• If you think of any questions after this presentation:
– [email protected]
• Please visit us on the Web (powered by WebSphere Portal Server)
– http://dotNSF.com
Consultancy
We can help you:
• Install and configure the WAS proxy
• Implement more complex scenarios:
– Hosting multiple sites (http and https) using IIS or IHS with the WAS proxy
http://[email protected]
Thank you
SSL and the Plug-in
• Relies on the Global Security Toolkit (GSK)
• GSK ships with IHS but is not installed by default.
• Some earlier versions of the plug-in require GSK5 and GSK7
Installing the GSK
• You need a Java runtime & the JAVA_HOME environment
• Install command is setup setup.iss
• You get a set of libraries which the Web Server & plug-in will use
• The GSK includes iKeyMan for managing keyfiles
IHS 2 Installation
• Automatic installation with WAS v5?
– Configures for 1.3.26
– For a 2.0.47 installation read useful link “How to install IHS 2.0” or follow these slides
• IBM recommends and fully supports IHS 2.0.47 (and we’ll be using this for the demo)
• Tip: create a sensible directory structure on your web server computer (valid for IIS and IHS) for example:
– C:\WebSphere\AppServer\bin (for the plug-in .so or dll files)
– C:\WebSphere\AppServer\Config\cells (for the configuration file)
– C:\WebSphere\AppServer\ihs-log (because you can use the same config file)
– C:\WebSphere\AppServer\iis-log (because you can use the same config file)
OR
– C:\plug-in\ (for the plug-in .so or dll files)
– C:\plug-in\ihs-cfg-log\ (for the configuration and log files)
– C:\plug-in\iis-cfg-log\ (for the configuration and log files)
– C:\plug-in\plug-in-keys\ (for the plug-in key file(s))
IHS 2 Installation
Step by Step
Install IHS and configure as service
Copy mod_was_ap20_http.dll to c:\plug-in
Copy plugin-cfg.xml to c:\plug-in\ihs-cfg-log
Edit c:\program files\IBM HTTP Server 2.0\conf\httpd.conf
Ensure the following values (Entry: Value):
– Listen: 80
– LoadModule: was_ap20_module c:\plug-in\mod_was_ap20_http.dll
– WebSpherePluginConfig: c:\plug-in\ihs-cfg-log\plugin-cfg.xml
IHS 2 Installation
Edit the c:\Plug-in\ihs-cfg-log\Plugin-cfg.xml
Either restart IHS or wait 60 seconds for configuration to be re-loaded
Test
IIS Installation
Step by Step
Copy iisWASPlugin_http.dll to c:\plug-in\
Copy the plug-in-cfg.xml to c:\plug-in\iis-cfg-log
IIS Installation
With RegEdit.exe create the following keys and values:
Key/Sub-Key: HKEY_LOCAL_MACHINE\SOFTWARE\IBM\WebSphere Application Server\5.0.0.0
Values under that key:
– BinPath: c:\plug-in
– LibPath: c:\plug-in
– MajorVersion: 5
– Plugin config: c:\plug-in\iis-cfg-log
IIS Installation
• Start the Internet Information Services Manager MMC
• We’re going to use the default web site so open the properties for that site
• Select the ISAPI Filters tab and add a new ISAPI filter
IIS Installation
• Edit the Plugin-cfg.xml
• Restart the W3svc service or wait for 60 seconds to reload
• Test
Special Note: IIS 6 extra steps 1
Open the IIS MMC and expand the web sites folder to expose the Web Service Extensions folder
In the right pane select Add a new web service extension.
Special Note: IIS 6 extra steps 2
In the dialog that appears complete the fields as shown using the Add button.
Note that we are setting the status of this extension to allowed.
Click on OK to confirm the changes.
Restart the World Wide Web Service
Following one request in the log with Trace
• Initialization
– [Mon Aug 16 15:30:06 2004] 0000068c 00000c9c - TRACE: ws_property: propertyCreate: Creating the property
– [Couple of hundred lines later!!]
– [Mon Aug 16 15:30:06 2004] 00000d3c 00000178 - PLUGIN: Plugins loaded.
Following one request in the log with Trace
• URL Matching and Server determination
– parseHostHeader: Defaulting port for scheme 'http'
– parseHostHeader: Host: 'www.dotnsfdemo.com', port 80
– websphereShouldHandleRequest: trying to match a route for: vhost='www.dotnsfdemo.com'; uri='/names.nsf/$icon'
– webspherePortNumberForMatching: Using logical.
– ws_common: websphereVhostMatch: Comparing '*:443' to 'www.dotnsfdemo.com:80' in VhostGroup: default_host
– ws_common: websphereVhostMatch: Comparing '*:80' to 'www.dotnsfdemo.com:80' in VhostGroup: default_host
– ws_common: websphereVhostMatch: Found a match '*:80' to 'www.dotnsfdemo.com:80' in VhostGroup: default_host with score 1
– ws_common: websphereUriMatch: Comparing '/wps' to '/names.nsf/$icon' in UriGroup: WebSphere_Portal_portal_Cluster_URIs score is 4
– ..........
– ws_common: websphereUriMatch: Comparing '*.*' to '/names.nsf/$icon' in UriGroup: domino_host_URIs score is 1
– ws_common: websphereUriMatch: Found a match '*.*' to '/names.nsf/$icon' in UriGroup: domino_host_URIs with score 1
• Preparing and sending the request to the app server
– WebSphere will handle: /names.nsf/$icon
– websphereCreateClient: Creating the client
– htclientCreate: Creating the client with no stream
– htrequestCreate: Creating the request object
– htresponseCreate: Creating the response object
– htresponseInit: initializing the response object
– htresponseInit: done initializing the response object
– htrequestSetMethod: Setting the method |GET|
– htrequestSetURL: Setting the url |/names.nsf/$icon|
– cb_get_headers: In the get headers callback
Following one request in the log with Trace
– Writing the request:
– GET /names.nsf/$icon HTTP/1.1
– Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
– Accept-Language: en-gb
– Accept-Encoding: gzip, deflate
– User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
– Host: www.dotnsfdemo.com
– Connection: Keep-Alive
– wWSIS: false
– wWSSC: http
– wWSPR: HTTP/1.1
– wWSRA: 192.168.2.5
– wWSRH: 192.168.2.5
– wWSSN: www.dotnsfdemo.com
– wWSSP: 80
– WS-ESI="ESI/1.0+"
– Writing the request content
– Wrote the request; reading the response
Following one request in the log with Trace
• Receiving a response from the app server
– Reading the response: 1349854
– HTTP/1.1 401 Unauthorized
– Server: Lotus-Domino
– Date: Sat, 21 Aug 2004 07:30:46 GMT
– Connection: close
– Expires: Tue, 01 Jan 1980 06:00:00 GMT
– Content-Type: text/html; charset=US-ASCII
– Content-Length: 210
– ….. Prompt for Basic Authentication
– ….. Then the whole server, uri matching and request preparation and writing performed again
Edge Side Include Caching
• See link on useful links page
• The plug-in can cache:
– Whole pages, fragments, images etc
– When a request is received by the Web server plug-in, it is sent to the ESI processor
– If a cache miss occurs, ESI uses headers to check with the AppServer to see if this request is cacheable. If so the response is stored in the ESI cache with a cache ID.
Configuring ESI
• This is done using plugin-cfg.xml
<?xml version="1.0"?>
<Config>
<Property Name="esiEnable" Value="true"/>
<Property Name="esiMaxCacheSize" Value="1024"/>
<Property Name="esiInvalidationMonitor" Value="false"/>
• Turn ESI On (default)
– <Property Name="esiEnable" Value="true"/>
• Turn ESI Off
– <Property Name="esiEnable" Value="false"/>
Configuring ESI
• <Property Name="esiMaxCacheSize" Value="1024"/>
• esiMaxCacheSize - the maximum size of the cache in 1KB units.
• The default is 1 megabyte.
• If the cache is full, the first entry to be evicted from the cache is the entry that is closest to expiration.
• In memory not disk cache (doesn’t survive a restart)
Configuring ESI
• <Property Name="esiInvalidationMonitor" Value="false"/>
• Is disabled by default
• Three methods of deleting a resource from the ESI Cache
– 1. Expiry timeout fires
– 2. ESI Cache is full and resource closest to expiry is out
– 3. AppServer sends explicit Invalidations to the Plug-in
Scenario 3: Plugin-cfg.xml
<Config IgnoreDNSFailures="true">
<!-- The LogLevel controls the amount of information that gets written to the plugin log file. Possible values are Error, Warn, and Trace. -->
<Log Name="C:/plug-in\ihs-cfg-log\plugin.log" LogLevel="Trace"/>
<!-- Virtual host groups provide a mechanism of grouping virtual hosts together. -->
<VirtualHostGroup Name="default_host">
  <VirtualHost Name="*:80"/>
  <VirtualHost Name="*:443"/>
</VirtualHostGroup>
<ServerGroup Name="domino_servers">
  <Server Name="server1">
    <!-- The transport defines the hostname and port value that the web server plugin will use to communicate with the application server. -->
    <Transport Hostname="server1.dotNSFdemo.com" Port="81" Protocol="http"/>
    <Transport Hostname="server1.dotNSFdemo.com" Port="444" Protocol="https">
      <Property name="keyring" value="c:\plug-in\plug-in-keys\server1dotNSFdemo.kdb"/>
      <Property name="stashfile" value="c:\plug-in\plug-in-keys\server1dotNSFdemo.sth"/>
    </Transport>
  </Server>
  <Server Name="server2">
    <Transport Hostname="server2.dotNSFdemo.com" Port="81" Protocol="http"/>
    <Transport Hostname="server2.dotNSFdemo.com" Port="444" Protocol="https">
      <Property name="keyring" value="c:\plug-in\plug-in-keys\server1dotNSFdemo.kdb"/>
      <Property name="stashfile" value="c:\plug-in\plug-in-keys\server1dotNSFdemo.sth"/>
    </Transport>
  </Server>
</ServerGroup>
<ServerGroup Name="portal_servers">
  <Server Name="portal1">
    <!-- The transport defines the hostname and port value that the web server plugin will use to communicate with the application server. -->
    <Transport Hostname="portal.dotNSF.com" Port="9081" Protocol="http"/>
  </Server>
</ServerGroup>
<UriGroup Name="WebSphere_Portal_portal_Cluster_URIs"><Uri Name="/wps/*"/><Uri Name="/wps/richText/*"/><Uri Name="/wps/presentation/*"/><Uri Name="/wps/spreadSheet/*"/><Uri Name="/wps/PersAdmin/*"/><Uri Name="/wps/feedback/*"/><Uri Name="/wps/wcp/*"/><Uri Name="/wps/wcpfr/*"/><Uri Name="/wps/wcpfr/*.jsp"/><Uri Name="/wps/wcpfr/*.jsp"/><Uri Name="/wps/wcpfr/*.jsv"/><Uri Name="/wps/wcpfr/*.jsw"/><Uri Name="/wps/wcpfr/j_security_check"/><Uri Name="/wps/pdm/*"/><Uri Name="/wps/PA_1_2_35/*"/><Uri Name="/wps/PA_1_2_36/*"/><Uri Name="/wps/PA_1_2_37/*"/><Uri Name="/wps/PA_1_2_38/*"/><Uri Name="/wps/PA_1_2_39/*"/><Uri Name="/wps/PA_1_2_3A/*"/><Uri Name="/wps/PA_1_2_3B/*"/><Uri Name="/wps/PA_1_2_3C/*"/><Uri Name="/wps/PA_1_2_3D/*"/><Uri Name="/wps/PA_1_2_3E/*"/><Uri Name="/wps/PA_1_2_3F/*"/><Uri Name="/wps/PA_1_2_3G/*"/><Uri Name="/wps/PA_1_2_3H/*"/><Uri Name="/wps/PA_1_2_3I/*"/><Uri Name="/wps/PA_1_2_3J/*"/><Uri Name="/wps/PA_1_2_3K/*"/><Uri Name="/wps/PA_1_2_3L/*"/>
<Uri Name="/wps/PA_1_2_3M/*"/><Uri Name="/wps/PA_1_2_3N/*"/><Uri Name="/wps/PA_1_2_3O/*"/><Uri Name="/wps/PA_1_2_3P/*"/><Uri Name="/wps/PA_1_2_3Q/*"/><Uri Name="/wps/PA_1_2_3R/*"/><Uri Name="/wps/PA_1_2_3S/*"/><Uri Name="/wps/PA_1_2_3T/*"/><Uri Name="/wps/PA_1_2_41/*"/><Uri Name="/wps/PA_1_2_42/*"/><Uri Name="/wps/PA_1_2_43/*"/><Uri Name="/wps/PA_1_2_44/*"/><Uri Name="/wps/PA_1_2_45/*"/><Uri Name="/wps/PA_1_2_46/*"/><Uri Name="/wps/PA_1_2_47/*"/><Uri Name="/wps/PA_1_2_48/*"/><Uri Name="/wps/PA_1_2_49/*"/><Uri Name="/wps/PA_1_2_4A/*"/><Uri Name="/wps/PA_1_2_4B/*"/><Uri Name="/wps/PA_1_2_4C/*"/><Uri Name="/wps/PA_1_2_4D/*"/><Uri Name="/wps/PA_1_2_4E/*"/><Uri Name="/wps/PA_1_2_4F/*"/><Uri Name="/wps/PA_1_2_4G/*"/><Uri Name="/wps/PA_1_2_4H/*"/><Uri Name="/wps/PA_1_2_4I/*"/><Uri Name="/wps/PA_1_2_4J/*"/><Uri Name="/wps/PA_1_2_69/*"/><Uri Name="/wps/PA_1_2_9D/*"/><Uri Name="/wps/PA_1_2_CH/*"/><Uri Name="/wps/PA_1_2_FL/*"/><Uri Name="/wps/PA_1_2_FM/*"/><Uri Name="/wps/PA_1_2_FN/*"/>
<Uri Name="/wps/PA_1_2_FO/*"/><Uri Name="/wps/PA_1_2_FP/*"/><Uri Name="/wps/PA_1_2_FQ/*"/><Uri Name="/wps/PA_1_2_FR/*"/><Uri Name="/wps/PA_1_2_FS/*"/><Uri Name="/wps/PA_1_2_FT/*"/><Uri Name="/wps/PA_1_2_FU/*"/><Uri Name="/wps/PA_1_2_FV/*"/><Uri Name="/wps/PA_1_2_G0/*"/><Uri Name="/wps/PA_1_2_G1/*"/><Uri Name="/wps/PA_1_2_G2/*"/><Uri Name="/wps/PA_1_2_G3/*"/><Uri Name="/wps/PA_1_2_G4/*"/><Uri Name="/wps/PA_1_2_G5/*"/><Uri Name="/wps/PA_1_2_G7/*"/><Uri Name="/wps/PA_1_2_G8/*"/><Uri Name="/wps/PA_1_2_G9/*"/><Uri Name="/wps/PA_1_2_GA/*"/><Uri Name="/wps/PA_1_2_GB/*"/><Uri Name="/wps/PA_1_2_GC/*"/><Uri Name="/wps/PA_1_2_GD/*"/><Uri Name="/wps/PA_1_2_IP/*"/><Uri Name="/wps/PA_1_2_M6/*"/><Uri Name="/wps/PA_1_2_LV/*"/><Uri Name="/wps/PA_1_2_M0/*"/><Uri Name="/wps/PA_1_2_M1/*"/><Uri Name="/wps/PA_1_2_M2/*"/><Uri Name="/wps/PA_1_2_M4/*"/><Uri Name="/wps/PA_1_2_M5/*"/><Uri Name="/wps/PA_1_2_P1/*"/><Uri Name="/wps/PA_1_2_P2/*"/><Uri Name="/wps/PA_1_2_P3/*"/><Uri Name="/wps/PA_1_2_S5/*"/><Uri Name="/wps/PA_1_2_S6/*"/>
</UriGroup>
<UriGroup Name="domino_host_URIs"><Uri Name="*.*"/>
<Uri Name="*.nsf/*"/><Uri Name="*.nSf/*"/><Uri Name="*.Nsf/*"/><Uri Name="*.NSf/*"/>
<Uri Name="*.nSF/*"/><Uri Name="*.nSF/*"/><Uri Name="*.NsF/*"/><Uri Name="*.NSF/*"/>
<Uri Name="*.nsg/*"/><Uri Name="*.nSg/*"/><Uri Name="*.Nsg/*"/><Uri Name="*.NSg/*"/>
<Uri Name="*.nSG/*"/><Uri Name="*.nSG/*"/><Uri Name="*.NsG/*"/><Uri Name="*.NSG/*"/>
<Uri Name="*.nsh/*"/><Uri Name="*.nSh/*"/><Uri Name="*.Nsh/*"/><Uri Name="*.NSh/*"/>
<Uri Name="*.nSH/*"/><Uri Name="*.nSH/*"/><Uri Name="*.NsH/*"/><Uri Name="*.NSH/*"/>
<Uri Name="*.ns2/*"/><Uri Name="*.nS2/*"/><Uri Name="*.Ns2/*"/><Uri Name="*.NS2/*"/>
<Uri Name="*.ns3/*"/><Uri Name="*.nS3/*"/><Uri Name="*.Ns3/*"/><Uri Name="*.NS3/*"/>
<Uri Name="*.ns4/*"/><Uri Name="*.nS4/*"/><Uri Name="*.Ns4/*"/><Uri Name="*.NS4/*"/>
<Uri Name="*.ns5/*"/><Uri Name="*.nS5/*"/><Uri Name="*.Ns5/*"/><Uri Name="*.NS5/*"/>
<Uri Name="*.ns6/*"/><Uri Name="*.nS6/*"/><Uri Name="*.Ns6/*"/><Uri Name="*.NS6/*"/><Uri Name="/icons/*"/><Uri Name="/domjava/*"/>
</UriGroup>
<Route ServerGroup="domino_servers" UriGroup="domino_host_URIs" VirtualHostGroup="default_host"/>
<Route ServerGroup="portal_servers" UriGroup="WebSphere_Portal_portal_Cluster_URIs" VirtualHostGroup="default_host"/>
Httpd.conf
Images from the Live Demo
• A single box configuration
• Two ND7 Servers with http bound to separate IP addresses
• Apache 2.0.47.1 with Plug-in
• One Remote WebSphere Portal Server
Two Domino Servers
Starting the Apache Server
Hostnames -> IP Addresses
NETSTAT: What’s listening?
Apache on 192.168.2.5:80 and :443
Domino Server1 on 192.168.2.6:81 and :443
Domino Server1 on 192.168.2.7:81 and :443
Nothing on Port 9081 (WPS default)
Apache on Port 80
You can redirect this page if necessary to an AppServer or customize the static html page
Requesting a Domino Resource
Note:
That url has not changed to server1.dotNSFdemo.com
We have two potential Domino servers declared in the Plug-in config but it is difficult to show load balancing on two very lightly loaded servers
Failover: Shutting Down Server1
I shut down Server2, & after the server is down I request the resource again. This time it is served from Server1.
Error 500
When all of the potential servers in a route are unavailable you will see an Error 500