How to securely integrate ND7, WAS and WPS using the WebSphere plug-in

Admin & Developer Conference UK, 4th October 2004

[email protected]

http://dotNSF.com



Introductions

• Jason Hook

• IBM certified Lotus, WebSphere Portal Professional

• DB2, Java, Microsoft

• Over 7 years working in Messaging

[email protected]


dotNSF, inc.

• dotNSF, inc. High availability, Domino and Web Security Tools

• 2003 Lotus Advisor Editor’s choice award for security

• WebSphere Portal Search Engine optimization

• Meet us at the Penumbra Pedestal

• http://dotNSF.com


What will you get from this session?

• The WAS Plug-in: What & Why?

• IHS (Apache) Installation (for IIS see http://dotNSF.com/wps/portal/whitepapers)

• Configuration Scenarios: Domino, WebSphere Portal and both combined

• Some tips & useful links to Plug-in resources


Questions

• Please save any questions you have to the end – there will be time

• If I can’t answer the question I will try and get an answer

• If you don’t get a chance to ask please mail me [email protected]

• This presentation will be available at
– http://dotNSF.com/wps/portal/presentations


What are proxies?

• Proxies
– Your “go-for”, getting stuff on your behalf

– Hardware and software types exist, but a proxy is commonly a software process running on a computer

– There are a few different types; however, it is often where you place the proxy that dictates what type it is


What types of proxy are there?

• Forward
– Usually outbound, serving users in one security zone with access to the next, i.e. a corporate firewall allowing browsing of internet sites

• Transparent
– More a question of design than definition. Do you make your users explicitly aware that they are talking to a proxy?

• Caching
– Maintains a cache of reusable resources; the trick is to only cache what is cacheable and not cache aggressively

• Security
– Can enforce security profiles on top of their usual proxy function. The proxy decides if the user is authorized to access the resource; the backend server must trust the proxy. It’s important to ensure that this type cannot be bypassed and headers/credentials forged

• Reverse
– Just like forward proxies but configured to work in the opposite direction, usually receiving requests for resources within your organization from an external zone


A forward proxy scenario

In the forward case and with a caching proxy you save internet bandwidth as the proxy returns cached items rather than getting the content from the hosting server again and again


A reverse proxy scenario

Assuming the proxy cannot be bypassed it helps to secure your backend Application servers from hacking attempts.

Normally you would prefer to sacrifice your exposed web server and not your AppServers

If a caching proxy is used then you can reduce the load on your backend servers


Example Scenarios

1. Domino
2. WebSphere Portal
3. Combined


Scenario 1: Lotus Domino

For this session we will use a single box configuration:

Port 80 & 443 - Apache and the WAS Plug-in

Port 81 & 444 – Domino Servers 1 and 2


Scenario 2: WebSphere Portal

This scenario shows how the plug-in configuration can be used to front end WebSphere portal server.


Scenario 3: Domino and WPS

This final scenario is all about merging the two previous configuration files into a single configuration file.


Architecture

• What is the WAS Plug-in?
– A relatively simple transparent reverse proxy

– Designed to plug into a web server

– Ships with WebSphere Application Server & is available via ibm.com (see links)


Why use the WAS Plug-in?

– It’s virtually free
  • Of course you need to be an IBM customer to get support!

– It’s an entry level proxy
  • It gets you started

– Security
  • Combined with other measures it can allow you to place key servers further away from the public internet

– Administration
  • Simplify your SSL configuration
  • Has some support for affinity, failover and load balancing


Why use the WAS Plug-in 2

• Apache or IIS for Performance or Policy reasons

• Static Content can be served from the Web Server without loading your application servers

• The Plug-in offers some load-balancing and failover capacity


Why not use the WAS Plug-in?

• It’s quite basic

• You may want to support caching, security etc

• Alternatives include:
– IBM Tivoli WebSEAL
– Netegrity SiteMinder
– WebSphere Edge Server


How it works 1

• A client application (Opera, IE, NS, Safari, Mozilla etc) makes requests to the Web Server

• The Web Server will pass the requests to the plug-in

• The plug-in will decide if it should handle the request


How it works 2

• If any one plug-in handles the request, then the request is satisfied

• If no plug-in handles the request, then the Web Server will finally try to service the request itself


Which web servers are supported?

• IIS 5.x

• IIS 6.x (some extra steps needed)

• Apache
– Apache 1.3.26 to .31 or better
– Apache 2.0.47 to .50 or better

• IBM HTTP Server
– Server: IBM_HTTP_Server/1.3.26 or better
– Server: IBM_HTTP_Server/2.0.47.1 to 2.0.47.1-PQ90698 or better


Choosing the right Plug-in

• Know which version of WAS

• See useful link “Which plug-in to use and where to get it”

• Generally the advice is:
– “The plug-in must be at the same or higher level than the respective Application Server” (IBM.com)


Getting a basic configuration file

• Where to find the configuration file:

– WebSphere 5.x
  • <WASROOT>/AppServer/Config/cells/<cell>/plugin-cfg.xml

– Domino
  • <DOMINOROOT>/Domino/plugins/plugin-cfg.xml


What about IIS?

• There are some slides included in the downloadable presentation

• Very detailed step by step installation notes (including SSL configuration):
– http://dotNSF.com/wps/portal/whitepapers


IHS 2 Installation

Overview

• Install IHS
• Install the Global Security Toolkit (Optional)
• Get the Plug-in files (config & library)
• Configure IHS to load the Plug-in
• Configure the Plug-in
• Test


IHS 2 Installation

• Automatic installation with WAS v5?
– Configures for 1.3.26
– For a 2.0.47 installation read useful link “How to install IHS 2.0” or follow these slides

• IBM recommends and fully supports IHS 2.0.47 (and we’ll be using this for the demo)

• Tip: create a sensible directory structure on your web server computer (see more detailed slide in the downloadable presentation)


IHS 2 Installation

Directory/Folder name

– C:\plug-in\ (for the plug-in .so or dll files)
– C:\plug-in\ihs-cfg-log\ (for the configuration and log files)
– C:\plug-in\iis-cfg-log\ (for the configuration and log files)
– C:\plug-in\plug-in-keys\ (for the plug-in key file(s))


httpd.conf

• LoadModule was_ap20_module "c:/plug-in/mod_was_ap20_http.dll"

• WebSpherePluginConfig "c:/plug-in/ihs-cfg-log/plugin-cfg.xml"


(If) The plugin doesn’t load..

• Check:
– There are no syntax errors in the config file
– There are no content errors in that file
– The App servers are available
– The right DLL is being used

• Check:
– Start the Web Server using a command prompt (Apache)
– Web server log
– The plug-in log


Plugin-cfg.xml in more detail

• Where? Domino installation Directory and WAS CD’s (see documentation)

• You may need to integrate different backend servers and some manual editing is needed

• You can use WAS to generate a comprehensive configuration file as a starting point


The basic Plug-in configuration file

<?xml version="1.0"?>
<Config>
  <Log LogLevel="TRACE" Name="c:/WebSphere/AppServer/logs/http_plugin.log"/>
</Config>


VirtualHostGroup Stanza

<!-- Virtual host groups provide a mechanism of grouping virtual hosts together. -->

<VirtualHostGroup Name="default_host">
  <VirtualHost Name="*:80"/>
  <VirtualHost Name="*:443"/>
</VirtualHostGroup>


URI Group Stanza

<!-- URI groups provide a mechanism for telling the plug-in which URIs it will handle. They are case sensitive even in Windows! -->

<UriGroup Name="Star">
  <Uri Name="*.*"/>
  <Uri Name="/"/>
</UriGroup>

<UriGroup Name="DominoUris">
  <Uri Name="*.nsf"/>
  <Uri Name="*.nsF"/>
  <Uri Name="*.nSf"/>
  <Uri Name="*.Nsf"/>
  ……..
</UriGroup>


ServerGroup Stanza

<!-- The transport defines the hostname and port value that the web server plug-in will use to communicate with the application server. -->

<ServerGroup Name="portal_servers">
  <Server Name="portal1">
    <Transport Hostname="portal.dotNSF.com" Port="9081" Protocol="http"/>
  </Server>
</ServerGroup>


Route Stanza

<Route ServerGroup="domino_servers" UriGroup="domino_host_URIs" VirtualHostGroup="default_host"/>

<Route ServerGroup="portal_servers" UriGroup="WebSphere_Portal_portal_Cluster_URIs" VirtualHostGroup="default_host"/>


Scenario 1: Domino

• See http://dotNSF.com for more detail in whitepapers

• For this Scenario we’ll just review the pre-configured environment:
– httpd.conf
– The plugin-cfg.xml file


Domino Configuration

• For the Demo we’ll use a single box config

– Domino is running the HTTP task on Port 81
– You may want to bind http to address 127.0.0.1

• Set Config HTTPENABLECONNECTORHEADERS=1


HTTPENABLECONNECTORHEADERS

• The Plug-in forwards headers with authentication data to WebSphere and Domino

• When you set the Notes.ini variable to 1 Domino trusts those headers implicitly

• The Plug-in will strip out these headers from any request that it receives and replace them with its own

• If the proxy can be bypassed the headers could be forged allowing a hacker greater privileges than you would want


WARNING!!

• HTTPENABLECONNECTORHEADERS

• Make sure:
– The proxy cannot be by-passed by internal or external users
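One way to check this on the web server box, as an added example that is not part of the original presentation: audit `netstat -an` output for Domino listeners, or client connections, that go around the plug-in. It assumes the single-box layout from this session (Domino on ports 81 and 444, reached by the plug-in over 127.0.0.1) and the Windows `netstat -an` column layout; the sample output and all function names are constructed for illustration.

```python
import ipaddress

# Assumption: the single-box layout from the slides, where Apache and the
# plug-in own ports 80/443 and Domino's HTTP task listens on 81/444.
BACKEND_PORTS = {81, 444}

# Constructed `netstat -an` output (Windows layout), not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:81           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:444            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:81           127.0.0.1:3110         ESTABLISHED
  TCP    192.168.2.5:444        192.168.2.77:4021      ESTABLISHED
"""


def _split(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port); port is None if not numeric."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def _is_loopback(host):
    """True only when the address is provably loopback (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # '*' or a hostname: cannot be shown to be loopback
        return False


def audit_backend_exposure(netstat_text, backend_ports=BACKEND_PORTS):
    """Return (kind, detail) findings for backend ports reachable around the proxy."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # header, UDP and blank lines
        local, foreign, state = fields[1], fields[2], fields[3].upper()
        local_host, local_port = _split(local)
        if local_port not in backend_ports:
            continue
        if state == "LISTENING" and not _is_loopback(local_host):
            # Domino accepts connections on a routable address, so a client
            # can talk to it directly and supply its own connector headers.
            findings.append(("exposed-listener", local))
        elif state == "ESTABLISHED" and not _is_loopback(_split(foreign)[0]):
            # A peer other than the local plug-in is connected to Domino.
            findings.append(("direct-client", f"{foreign} -> {local}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_backend_exposure(SAMPLE_NETSTAT):
        print(f"{kind}: {detail}")
```

When the web server and Domino run on separate machines, the loopback test no longer applies; the equivalent check is that only the web server's address appears as a peer on the backend ports.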


Scenario 2: WebSphere Portal

• For simplicity we will start from a basic configuration file

• We keep the VirtualHostGroup and create
– URI Group
– ServerGroup
– Route


Scenario 3: WebSphere & Domino

• Putting the previous two Scenarios together

• Merging the two plugin-cfg.xml files
– Ensure we have unique names for all of the stanzas
– No 2 routes the same
– Don’t duplicate URI’s in more than one URI Group
– No two VirtualHostGroups can have the same port
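The four merge rules above can be checked mechanically before the merged file goes live. The following is an added example, not part of the original presentation: it parses a merged plugin-cfg.xml and reports each rule violation, and it goes one step beyond the slide by also flagging Routes that point at stanzas that do not exist. The sample configuration is constructed, and names such as `portal_host`, `domino1` and `check_merged_config` are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

GROUP_TAGS = ("VirtualHostGroup", "UriGroup", "ServerGroup")

# Constructed sample: a careless merge of a Domino and a Portal configuration.
MERGED_SAMPLE = """<?xml version="1.0"?>
<Config>
  <Log LogLevel="ERROR" Name="c:/plug-in/ihs-cfg-log/http_plugin.log"/>
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:80"/>
    <VirtualHost Name="*:443"/>
  </VirtualHostGroup>
  <VirtualHostGroup Name="portal_host">
    <VirtualHost Name="*:80"/>
  </VirtualHostGroup>
  <UriGroup Name="domino_host_URIs">
    <Uri Name="*.nsf"/>
    <Uri Name="/icons/*"/>
  </UriGroup>
  <UriGroup Name="WebSphere_Portal_portal_Cluster_URIs">
    <Uri Name="/wps/*"/>
    <Uri Name="/icons/*"/>
  </UriGroup>
  <ServerGroup Name="domino_servers">
    <Server Name="domino1">
      <Transport Hostname="127.0.0.1" Port="81" Protocol="http"/>
    </Server>
  </ServerGroup>
  <ServerGroup Name="portal_servers">
    <Server Name="portal1">
      <Transport Hostname="portal.dotNSF.com" Port="9081" Protocol="http"/>
    </Server>
  </ServerGroup>
  <Route ServerGroup="domino_servers" UriGroup="domino_host_URIs" VirtualHostGroup="default_host"/>
  <Route ServerGroup="domino_servers" UriGroup="domino_host_URIs" VirtualHostGroup="default_host"/>
  <Route ServerGroup="portal_servers" UriGroup="WebSphere_Portal_portal_Cluster_URIs" VirtualHostGroup="portal_host"/>
</Config>"""


def _shared(root, group_tag, item_tag, key):
    """Map each item key to the sorted groups holding it, keeping only shared keys."""
    owners = defaultdict(set)
    for group in root.iter(group_tag):
        for item in group.iter(item_tag):
            owners[key(item.get("Name") or "")].add(group.get("Name"))
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def check_merged_config(xml_text):
    """Return findings for a merged plugin-cfg.xml; an empty list means it passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # Rule: unique names for all of the stanzas.
    defined = {tag: [el.get("Name") for el in root.iter(tag)] for tag in GROUP_TAGS}
    names = Counter(n for group in defined.values() for n in group)
    findings += [f"duplicate stanza name: {n}" for n, c in names.items() if c > 1]

    # Rule: no two routes the same.
    routes = [tuple(str(r.get(t)) for t in GROUP_TAGS) for r in root.iter("Route")]
    findings += [f"duplicate route: {'/'.join(r)}"
                 for r, c in Counter(routes).items() if c > 1]

    # Rule: a URI belongs to one UriGroup only. URI names are case sensitive,
    # so they are compared exactly as written.
    for uri, groups in _shared(root, "UriGroup", "Uri", lambda n: n).items():
        findings.append(f"URI {uri} is in several UriGroups: {', '.join(groups)}")

    # Rule: no two VirtualHostGroups carry the same port ("*:80" -> "80").
    by_port = _shared(root, "VirtualHostGroup", "VirtualHost",
                      lambda n: n.rpartition(":")[2])
    for port, groups in by_port.items():
        findings.append(f"port {port} is in several VirtualHostGroups: {', '.join(groups)}")

    # Extra check (not on the slide): each Route must reference defined stanzas.
    for route in dict.fromkeys(routes):
        for tag, name in zip(GROUP_TAGS, route):
            if name not in defined[tag]:
                findings.append(f"route references undefined {tag}: {name}")
    return findings


if __name__ == "__main__":
    for finding in check_merged_config(MERGED_SAMPLE):
        print(finding)
```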


Troubleshooting Tools

• Plug-in logs

• Web Server logs

• WAS and Domino logs

• Netstat

• The browser

• Tivoli Performance Viewer

• Javacore files

• IHS Server Status Utility


Trace, Warn, Error: the plug-in log

• The plugin-cfg file allows you to log events with varying degrees of detail

<Log LogLevel="TRACE" Name="c:/WebSphere/AppServer/logs/http_plugin.log"/>

OR

<Log LogLevel="WARN" Name="c:/WebSphere/AppServer/logs/http_plugin.log"/>

OR

<Log LogLevel="ERROR" Name="c:/WebSphere/AppServer/logs/http_plugin.log"/>


Protocol Analyzers

• Protocol Analyzers can be an invaluable tool

• Hardware and Software options available

• Commercial Protocol Analyzers
– CommView (www.tamos.com/products/commview/)

• Fee Free Protocol Analyzers
– Ethereal (www.ethereal.com)


A single transaction with a Protocol Analyzer


Useful links & resources

• http://dotNSF.com/wps/portal/whitepapers

• http://dotNSF.com/wps/portal/presentations

• Lotus Security Handbook
– http://www.redbooks.ibm.com/redbooks/pdfs/sg247017.pdf

• Where to get IHS
– The base server(s)
  • http://www-306.ibm.com/software/webservers/httpservers/
  • Recommended fix for potential denial of service attacks
  • http://www-1.ibm.com/support/docview.wss?uid=swg24007451&rs=260

• IHS 2.0 and WAS v4.0 (which plug-ins are supported)
– http://www-1.ibm.com/support/docview.wss?rs=860&context=SW600&q1=ibm+http+server&uid=swg21115062&loc=en_US&cs=utf-8&lang=en+en


Useful links & resources

• Which plug-in to use and where to get it….
– http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&uid=swg21160581

• Installing IHS 2.0 (with some useful links to other documents at the bottom)
– http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tins_installIHS2.html

• Understanding the WebSphere Application Server plug-in by Sharad Cocasse and Makarand Kulkarni (IBM 2003)

• Edge Side Include Caching
– http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/tprf_esiedgecaching.html


Tips

• Performance Tips
– Check ports being listened to
– Do monitor the logs
– Don’t use affinity unless you really have to (although the overhead is said to be relatively small)
– Keep up with patches and updates….

• Security Tips
– Be aware of the implications of HttpEnableConnectorHeaders=1
– Ensure that the proxy cannot be bypassed


And finally…..

• Please complete your feedback forms
– Any feedback gratefully received

• If you think of any questions after this presentation:
– [email protected]

• Please visit us on the Web (powered by WebSphere Portal Server)
– http://dotNSF.com


Consultancy

We can help you:

• Install and configure the WAS proxy

• Implement more complex scenarios:
– Hosting multiple sites (http and https) using IIS or IHS with the WAS proxy

http://[email protected]


Thank you


SSL and the Plug-in

• Relies on the Global Security Toolkit (GSK)

• GSK ships with IHS but is not installed by default.

• Some earlier versions of the plug-in require GSK5 and GSK7


Installing the GSK

• You need a Java runtime & the JAVA_HOME environment

• Install command is setup setup.iss

• You get a set of libraries which the Web Server & plug-in will use

• The GSK includes iKeyMan for managing keyfiles


IHS 2 Installation

• Automatic installation with WAS v5?

– Configures for 1.3.26
– For a 2.0.47 installation read useful link “How to install IHS 2.0” or follow these slides

• IBM recommends and fully supports IHS 2.0.47 (and we’ll be using this for the demo)

• Tip: create a sensible directory structure on your web server computer (valid for IIS and IHS) for example:

– C:\WebSphere\AppServer\bin (for the plug-in .so or dll files)
– C:\WebSphere\AppServer\Config\cells (for the configuration file)
– C:\WebSphere\AppServer\ihs-log (because you can use the same config file)
– C:\WebSphere\AppServer\iis-log (because you can use the same config file)

OR

– C:\plug-in\ (for the plug-in .so or dll files)
– C:\plug-in\ihs-cfg-log\ (for the configuration and log files)
– C:\plug-in\iis-cfg-log\ (for the configuration and log files)
– C:\plug-in\plug-in-keys\ (for the plug-in key file(s))


IHS 2 Installation

Step by Step

Install IHS and configure as service

Copy mod_was_ap20_http.dll to c:\plug-in

Copy plugin-cfg.xml to c:\plug-in\ihs-cfg-log

Edit c:\program files\IBM HTTP Server 2.0\conf\httpd.conf

Ensure the following values:

Entry: Value
– Listen: 80
– LoadModule: was_ap20_module c:\plug-in\mod_was_ap20_http.dll
– WebSpherePluginConfig: c:\plug-in\ihs-cfg-log\plugin-cfg.xml


IHS 2 Installation

Edit the c:\Plug-in\ihs-cfg-log\Plugin-cfg.xml

Either restart IHS or wait 60 seconds for configuration to be re-loaded

Test


IIS Installation

Step by Step

Copy iisWASPlugin_http.dll to c:\plug-in\

Copy the plug-in-cfg.xml to c:\plug-in\iis-cfg-log


IIS Installation

With RegEdit.exe create the following keys and values:

Key/Sub-Key: Value
– HKEY_LOCAL_MACHINE\SOFTWARE\IBM\WebSphere Application Server\5.0.0.0
– BinPath: c:\plug-in
– LibPath: c:\plug-in
– MajorVersion: 5
– Plugin config: c:\plug-in\iis-cfg-log


IIS Installation

• Start the Internet Information Services Manager MMC

• We’re going to use the default web site so open the properties for that site

• Select the ISAPI Filters tab and add a new ISAPI filter


IIS Installation

• Edit the Plugin-cfg.xml

• Restart the W3svc service or wait for 60 seconds to reload

• Test


Special Note: IIS 6 extra steps 1

Open the IIS MMC and expand the web sites folder to expose the Web Service Extensions folder

In the right pane select Add a new web service extension.


Special Note: IIS 6 extra steps 2

In the dialog that appears complete the fields as shown using the Add button.

Note that we are setting the status of this extension to allowed.

Click on OK to confirm the changes.

Restart the World Wide Web Service


Following one request in the log with Trace

• Initialization
– [Mon Aug 16 15:30:06 2004] 0000068c 00000c9c - TRACE: ws_property: propertyCreate: Creating the property
– [Couple of hundred lines later!!]
– [Mon Aug 16 15:30:06 2004] 00000d3c 00000178 - PLUGIN: Plugins loaded.


Following one request in the log with Trace

• URL Matching and Server determination

– parseHostHeader: Defaulting port for scheme 'http'
– parseHostHeader: Host: 'www.dotnsfdemo.com', port 80
– websphereShouldHandleRequest: trying to match a route for: vhost='www.dotnsfdemo.com'; uri='/names.nsf/$icon'
– webspherePortNumberForMatching: Using logical.
– ws_common: websphereVhostMatch: Comparing '*:443' to 'www.dotnsfdemo.com:80' in VhostGroup: default_host
– ws_common: websphereVhostMatch: Comparing '*:80' to 'www.dotnsfdemo.com:80' in VhostGroup: default_host
– ws_common: websphereVhostMatch: Found a match '*:80' to 'www.dotnsfdemo.com:80' in VhostGroup: default_host with score 1
– ws_common: websphereUriMatch: Comparing '/wps' to '/names.nsf/$icon' in UriGroup: WebSphere_Portal_portal_Cluster_URIs score is 4
– ..........
– ws_common: websphereUriMatch: Comparing '*.*' to '/names.nsf/$icon' in UriGroup: domino_host_URIs score is 1
– ws_common: websphereUriMatch: Found a match '*.*' to '/names.nsf/$icon' in UriGroup: domino_host_URIs with score 1


Following one request in the log with Trace

• Preparing and sending the request to the app server

– WebSphere will handle: /names.nsf/$icon
– websphereCreateClient: Creating the client
– htclientCreate: Creating the client with no stream
– htrequestCreate: Creating the request object
– htresponseCreate: Creating the response object
– htresponseInit: initializing the response object
– htresponseInit: done initializing the response object
– htrequestSetMethod: Setting the method |GET|
– htrequestSetURL: Setting the url |/names.nsf/$icon|
– cb_get_headers: In the get headers callback


Following one request in the log with Trace

– Writing the request:
– GET /names.nsf/$icon HTTP/1.1
– Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
– Accept-Language: en-gb
– Accept-Encoding: gzip, deflate
– User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
– Host: www.dotnsfdemo.com
– Connection: Keep-Alive
– wWSIS: false
– wWSSC: http
– wWSPR: HTTP/1.1
– wWSRA: 192.168.2.5
– wWSRH: 192.168.2.5
– wWSSN: www.dotnsfdemo.com
– wWSSP: 80
– WS-ESI="ESI/1.0+"
– Writing the request content
– Wrote the request; reading the response


Following one request in the log with Trace

• Receiving a response from the app server
– Reading the response: 1349854
– HTTP/1.1 401 Unauthorized
– Server: Lotus-Domino
– Date: Sat, 21 Aug 2004 07:30:46 GMT
– Connection: close
– Expires: Tue, 01 Jan 1980 06:00:00 GMT
– Content-Type: text/html; charset=US-ASCII
– Content-Length: 210
– ….. Prompt for Basic Authentication
– ….. Then the whole server, uri matching and request preparation and writing performed again


Edge Side Include Caching

• See link on useful links page
• The plug-in can cache:

– Whole pages, fragments, images etc
– When a request is received by the Web server plug-in, it is sent to the ESI processor
– If a cache miss occurs, ESI uses headers to check with the AppServer to see if this request is cacheable. If so the response is stored in the ESI cache with a cache ID.


Configuring ESI

• This is done using plugin-cfg.xml

<?xml version="1.0"?>
<Config>
  <Property Name="esiEnable" Value="true"/>
  <Property Name="esiMaxCacheSize" Value="1024"/>
  <Property Name="esiInvalidationMonitor" Value="false"/>

• Turn ESI On (default)
– <Property Name="esiEnable" Value="true"/>

• Turn ESI Off
– <Property Name="esiEnable" Value="false"/>


Configuring ESI

• <Property Name="esiMaxCacheSize" Value="1024"/>

• esiMaxCacheSize - the maximum size of the cache in 1KB units.

• The default is 1 megabyte.

• If the cache is full, the first entry to be evicted from the cache is the entry that is closest to expiration.

• In memory not disk cache (doesn’t survive a restart)


Configuring ESI

• <Property Name="esiInvalidationMonitor" Value="false"/>

• Is disabled by default

• Three methods of deleting a resource from the ESI Cache
– 1. Expiry timeout fires
– 2. ESI Cache is full and the resource closest to expiry is evicted
– 3. AppServer sends explicit Invalidations to the Plug-in
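The size limit and the three deletion paths from the Configuring ESI slides, as an added Python model that is not the plug-in's own code. The class and method names, the `ttl` and `now` parameters and the sizes in the demo are assumptions made for illustration.

```python
import heapq

class EsiCacheModel:
    """Model of the ESI cache rules described on the slides (not plug-in code)."""

    def __init__(self, max_cache_size_kb=1024):
        self.max_kb = max_cache_size_kb  # esiMaxCacheSize, in 1KB units
        self.entries = {}                # cache_id -> (expires_at, size_kb, body)
        self.by_expiry = []              # min-heap of (expires_at, cache_id)
        self.used_kb = 0

    def _drop(self, cache_id):
        self.used_kb -= self.entries.pop(cache_id)[1]

    def _pop_soonest(self):
        # Pop the heap head; drop the entry only if the heap record is still current.
        expires_at, cache_id = heapq.heappop(self.by_expiry)
        if cache_id in self.entries and self.entries[cache_id][0] == expires_at:
            self._drop(cache_id)

    def _purge_expired(self, now):
        while self.by_expiry and self.by_expiry[0][0] <= now:
            self._pop_soonest()          # method 1: expiry timeout fires

    def put(self, cache_id, body, size_kb, ttl, now):
        self._purge_expired(now)
        if size_kb > self.max_kb:
            return False                 # larger than the whole cache
        self.invalidate(cache_id)        # replace any older copy
        while self.used_kb + size_kb > self.max_kb:
            self._pop_soonest()          # method 2: full, closest to expiry goes first
        self.entries[cache_id] = (now + ttl, size_kb, body)
        heapq.heappush(self.by_expiry, (now + ttl, cache_id))
        self.used_kb += size_kb
        return True

    def get(self, cache_id, now):
        self._purge_expired(now)
        entry = self.entries.get(cache_id)
        return entry[2] if entry else None  # None means cache miss

    def invalidate(self, cache_id):
        if cache_id in self.entries:     # method 3: explicit invalidation
            self._drop(cache_id)

if __name__ == "__main__":
    cache = EsiCacheModel(max_cache_size_kb=10)   # constructed demo values
    for cid, ttl in (("/a", 30), ("/b", 60), ("/c", 90)):
        cache.put(cid, cid.upper(), size_kb=4, ttl=ttl, now=0)
    print(sorted(cache.entries))                  # "/a" was closest to expiry
```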


Scenario 3: Plugin-cfg.xml

<Config IgnoreDNSFailures="true">
  <!-- The LogLevel controls the amount of information that gets written to the plugin log file. Possible values are Error, Warn, and Trace. -->
  <Log Name="C:/plug-in\ihs-cfg-log\plugin.log" LogLevel="Trace"/>

  <!-- Virtual host groups provide a mechanism of grouping virtual hosts together. -->
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:80"/>
    <VirtualHost Name="*:443"/>
  </VirtualHostGroup>

  <ServerGroup Name="domino_servers">
    <Server Name="server1">
      <!-- The transport defines the hostname and port value that the web server plugin will use to communicate with the application server. -->
      <Transport Hostname="server1.dotNSFdemo.com" Port="81" Protocol="http"/>
      <Transport Hostname="server1.dotNSFdemo.com" Port="444" Protocol="https">
        <Property name="keyring" value="c:\plug-in\plug-in-keys\server1dotNSFdemo.kdb"/>
        <Property name="stashfile" value="c:\plug-in\plug-in-keys\server1dotNSFdemo.sth"/>
      </Transport>
    </Server>
    <Server Name="server2">
      <Transport Hostname="server2.dotNSFdemo.com" Port="81" Protocol="http"/>
      <Transport Hostname="server2.dotNSFdemo.com" Port="444" Protocol="https">
        <Property name="keyring" value="c:\plug-in\plug-in-keys\server1dotNSFdemo.kdb"/>
        <Property name="stashfile" value="c:\plug-in\plug-in-keys\server1dotNSFdemo.sth"/>
      </Transport>
    </Server>
  </ServerGroup>

  <ServerGroup Name="portal_servers">
    <Server Name="portal1">
      <!-- The transport defines the hostname and port value that the web server plugin will use to communicate with the application server. -->
      <Transport Hostname="portal.dotNSF.com" Port="9081" Protocol="http"/>
    </Server>
  </ServerGroup>


Scenario 3: Plugin-cfg.xml

  <UriGroup Name="WebSphere_Portal_portal_Cluster_URIs">
    <Uri Name="/wps/*"/>
    <Uri Name="/wps/richText/*"/>
    <Uri Name="/wps/presentation/*"/>
    <Uri Name="/wps/spreadSheet/*"/>
    <Uri Name="/wps/PersAdmin/*"/>
    <Uri Name="/wps/feedback/*"/>
    <Uri Name="/wps/wcp/*"/>
    <Uri Name="/wps/wcpfr/*"/>
    <Uri Name="/wps/wcpfr/*.jsp"/>
    <Uri Name="/wps/wcpfr/*.jsp"/>
    <Uri Name="/wps/wcpfr/*.jsv"/>
    <Uri Name="/wps/wcpfr/*.jsw"/>
    <Uri Name="/wps/wcpfr/j_security_check"/>
    <Uri Name="/wps/pdm/*"/>
    <Uri Name="/wps/PA_1_2_35/*"/>
    <Uri Name="/wps/PA_1_2_36/*"/>
    <Uri Name="/wps/PA_1_2_37/*"/>
    <Uri Name="/wps/PA_1_2_38/*"/>
    <Uri Name="/wps/PA_1_2_39/*"/>
    <Uri Name="/wps/PA_1_2_3A/*"/>
    <Uri Name="/wps/PA_1_2_3B/*"/>
    <Uri Name="/wps/PA_1_2_3C/*"/>
    <Uri Name="/wps/PA_1_2_3D/*"/>
    <Uri Name="/wps/PA_1_2_3E/*"/>
    <Uri Name="/wps/PA_1_2_3F/*"/>
    <Uri Name="/wps/PA_1_2_3G/*"/>
    <Uri Name="/wps/PA_1_2_3H/*"/>
    <Uri Name="/wps/PA_1_2_3I/*"/>
    <Uri Name="/wps/PA_1_2_3J/*"/>
    <Uri Name="/wps/PA_1_2_3K/*"/>
    <Uri Name="/wps/PA_1_2_3L/*"/>
    <Uri Name="/wps/PA_1_2_3M/*"/>
    <Uri Name="/wps/PA_1_2_3N/*"/>
    <Uri Name="/wps/PA_1_2_3O/*"/>
    <Uri Name="/wps/PA_1_2_3P/*"/>
    <Uri Name="/wps/PA_1_2_3Q/*"/>
    <Uri Name="/wps/PA_1_2_3R/*"/>
    <Uri Name="/wps/PA_1_2_3S/*"/>
    <Uri Name="/wps/PA_1_2_3T/*"/>
    <Uri Name="/wps/PA_1_2_41/*"/>
    <Uri Name="/wps/PA_1_2_42/*"/>
    <Uri Name="/wps/PA_1_2_43/*"/>
    <Uri Name="/wps/PA_1_2_44/*"/>
    <Uri Name="/wps/PA_1_2_45/*"/>
    <Uri Name="/wps/PA_1_2_46/*"/>
    <Uri Name="/wps/PA_1_2_47/*"/>
    <Uri Name="/wps/PA_1_2_48/*"/>
    <Uri Name="/wps/PA_1_2_49/*"/>
    <Uri Name="/wps/PA_1_2_4A/*"/>
    <Uri Name="/wps/PA_1_2_4B/*"/>
    <Uri Name="/wps/PA_1_2_4C/*"/>
    <Uri Name="/wps/PA_1_2_4D/*"/>
    <Uri Name="/wps/PA_1_2_4E/*"/>
    <Uri Name="/wps/PA_1_2_4F/*"/>
    <Uri Name="/wps/PA_1_2_4G/*"/>
    <Uri Name="/wps/PA_1_2_4H/*"/>
    <Uri Name="/wps/PA_1_2_4I/*"/>
    <Uri Name="/wps/PA_1_2_4J/*"/>
    <Uri Name="/wps/PA_1_2_69/*"/>
    <Uri Name="/wps/PA_1_2_9D/*"/>
    <Uri Name="/wps/PA_1_2_CH/*"/>
    <Uri Name="/wps/PA_1_2_FL/*"/>
    <Uri Name="/wps/PA_1_2_FM/*"/>
    <Uri Name="/wps/PA_1_2_FN/*"/>


    <Uri Name="/wps/PA_1_2_FO/*"/>
    <Uri Name="/wps/PA_1_2_FP/*"/>
    <Uri Name="/wps/PA_1_2_FQ/*"/>
    <Uri Name="/wps/PA_1_2_FR/*"/>
    <Uri Name="/wps/PA_1_2_FS/*"/>
    <Uri Name="/wps/PA_1_2_FT/*"/>
    <Uri Name="/wps/PA_1_2_FU/*"/>
    <Uri Name="/wps/PA_1_2_FV/*"/>
    <Uri Name="/wps/PA_1_2_G0/*"/>
    <Uri Name="/wps/PA_1_2_G1/*"/>
    <Uri Name="/wps/PA_1_2_G2/*"/>
    <Uri Name="/wps/PA_1_2_G3/*"/>
    <Uri Name="/wps/PA_1_2_G4/*"/>
    <Uri Name="/wps/PA_1_2_G5/*"/>
    <Uri Name="/wps/PA_1_2_G7/*"/>
    <Uri Name="/wps/PA_1_2_G8/*"/>
    <Uri Name="/wps/PA_1_2_G9/*"/>
    <Uri Name="/wps/PA_1_2_GA/*"/>
    <Uri Name="/wps/PA_1_2_GB/*"/>
    <Uri Name="/wps/PA_1_2_GC/*"/>
    <Uri Name="/wps/PA_1_2_GD/*"/>
    <Uri Name="/wps/PA_1_2_IP/*"/>
    <Uri Name="/wps/PA_1_2_M6/*"/>
    <Uri Name="/wps/PA_1_2_LV/*"/>
    <Uri Name="/wps/PA_1_2_M0/*"/>
    <Uri Name="/wps/PA_1_2_M1/*"/>
    <Uri Name="/wps/PA_1_2_M2/*"/>
    <Uri Name="/wps/PA_1_2_M4/*"/>
    <Uri Name="/wps/PA_1_2_M5/*"/>
    <Uri Name="/wps/PA_1_2_P1/*"/>
    <Uri Name="/wps/PA_1_2_P2/*"/>
    <Uri Name="/wps/PA_1_2_P3/*"/>
    <Uri Name="/wps/PA_1_2_S5/*"/>
    <Uri Name="/wps/PA_1_2_S6/*"/>
  </UriGroup>

  <UriGroup Name="domino_host_URIs">
    <Uri Name="*.*"/>
    <Uri Name="*.nsf/*"/>
    <Uri Name="*.nSf/*"/>
    <Uri Name="*.Nsf/*"/>
    <Uri Name="*.NSf/*"/>
    <Uri Name="*.nsF/*"/>
    <Uri Name="*.nSF/*"/>
    <Uri Name="*.NsF/*"/>
    <Uri Name="*.NSF/*"/>
    <Uri Name="*.nsg/*"/>
    <Uri Name="*.nSg/*"/>
    <Uri Name="*.Nsg/*"/>
    <Uri Name="*.NSg/*"/>
    <Uri Name="*.nsG/*"/>
    <Uri Name="*.nSG/*"/>
    <Uri Name="*.NsG/*"/>
    <Uri Name="*.NSG/*"/>
    <Uri Name="*.nsh/*"/>
    <Uri Name="*.nSh/*"/>
    <Uri Name="*.Nsh/*"/>
    <Uri Name="*.NSh/*"/>
    <Uri Name="*.nsH/*"/>
    <Uri Name="*.nSH/*"/>
    <Uri Name="*.NsH/*"/>
    <Uri Name="*.NSH/*"/>


Scenario 3: Plugin-cfg.xml

    <Uri Name="*.ns2/*"/>
    <Uri Name="*.nS2/*"/>
    <Uri Name="*.Ns2/*"/>
    <Uri Name="*.NS2/*"/>
    <Uri Name="*.ns3/*"/>
    <Uri Name="*.nS3/*"/>
    <Uri Name="*.Ns3/*"/>
    <Uri Name="*.NS3/*"/>
    <Uri Name="*.ns4/*"/>
    <Uri Name="*.nS4/*"/>
    <Uri Name="*.Ns4/*"/>
    <Uri Name="*.NS4/*"/>
    <Uri Name="*.ns5/*"/>
    <Uri Name="*.nS5/*"/>
    <Uri Name="*.Ns5/*"/>
    <Uri Name="*.NS5/*"/>
    <Uri Name="*.ns6/*"/>
    <Uri Name="*.nS6/*"/>
    <Uri Name="*.Ns6/*"/>
    <Uri Name="*.NS6/*"/>
    <Uri Name="/icons/*"/>
    <Uri Name="/domjava/*"/>
  </UriGroup>

  <Route ServerGroup="domino_servers" UriGroup="domino_host_URIs" VirtualHostGroup="default_host"/>

  <Route ServerGroup="portal_servers" UriGroup="WebSphere_Portal_portal_Cluster_URIs" VirtualHostGroup="default_host"/>
</Config>
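An added example, not part of the original slides or of IBM's tooling: a Python check that reads a plugin-cfg.xml and reports back-end servers reached over plaintext http, https transports that lack a keyring or stashfile property, and Trace logging. The embedded config is a constructed sample with placeholder hostnames, and `audit_plugin_cfg` is a hypothetical name.

```python
import xml.etree.ElementTree as ET
# Constructed sample shaped like the Scenario 3 config; hostnames are placeholders.
SAMPLE_CFG = """<Config>
  <Log Name="plugin.log" LogLevel="Trace"/>
  <ServerGroup Name="domino_servers">
    <Server Name="server1">
      <Transport Hostname="server1.example.test" Port="81" Protocol="http"/>
      <Transport Hostname="server1.example.test" Port="444" Protocol="https">
        <Property name="keyring" value="server1.kdb"/>
        <Property name="stashfile" value="server1.sth"/>
      </Transport>
    </Server>
    <Server Name="server2">
      <Transport Hostname="server2.example.test" Port="444" Protocol="https">
        <Property name="keyring" value="server2.kdb"/>
      </Transport>
    </Server>
  </ServerGroup>
  <ServerGroup Name="portal_servers">
    <Server Name="portal1">
      <Transport Hostname="portal.example.test" Port="9081" Protocol="http"/>
    </Server>
  </ServerGroup>
</Config>"""

def audit_plugin_cfg(xml_text):
    """Return sorted (location, finding) tuples for one plugin-cfg.xml document."""
    root = ET.fromstring(xml_text)
    trace = any(log.get("LogLevel", "").lower() == "trace" for log in root.iter("Log"))
    findings = [("Log", "Trace level writes full request headers to the log")] if trace else []
    for group in root.iter("ServerGroup"):
        for server in group.iter("Server"):
            where = f'{group.get("Name")}/{server.get("Name")}'
            transports = server.findall("Transport")
            protocols = {t.get("Protocol", "").lower() for t in transports}
            if "http" in protocols:
                findings.append((where, "plaintext http transport to the back end"))
            if "https" not in protocols:
                findings.append((where, "no https transport defined"))
            for t in transports:
                # Property attributes appear as name= or Name=; accept both spellings.
                props = {(p.get("Name") or p.get("name") or "").lower() for p in t.findall("Property")}
                if t.get("Protocol", "").lower() == "https":
                    findings += [(where, f"https transport without {n}")
                                 for n in ("keyring", "stashfile") if n not in props]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"{w}: {f}" for w, f in audit_plugin_cfg(SAMPLE_CFG)))
```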


Httpd.conf

httpd.conf


Images from the Live Demo

• A single box configuration
• Two ND7 Servers with http bound to separate IP addresses
• Apache 2.0.47.1 with Plug-in
• One Remote WebSphere Portal Server


Two Domino Servers


Starting the Apache Server


Hostnames -> IP Addresses


NETSTAT: What’s listening?

Apache on 192.168.2.5:80 and :443
Domino Server1 on 192.168.2.6:81 and :443
Domino Server1 on 192.168.2.7:81 and :443
Nothing on Port 9081 (WPS default)


Apache on Port 80

You can redirect this page if necessary to an AppServer or customize the static html page


Requesting a Domino Resource

Note: That url has not changed to server1.dotNSFdemo.com.
We have two potential Domino servers declared in the Plug-in config but it is difficult to show load balancing on two very lightly loaded servers.


Failover: Shutting Down Server1

I shut down Server2, & after the server is down I request the resource again. This time it is served from Server1.


Error 500

When all of the potential servers in a route are unavailable you will see an Error 500