InterConnect 2017 HAJ-1842 Liberty Deep Dive. Alasdair Nottingham - STSM, WAS Liberty Architect, @nottycode; Erik Hochstedt, Liberty Dev Lead. 06/24/2022

Liberty Deep Dive


Page 1: Liberty Deep Dive

1 05/02/2023

InterConnect 2017

HAJ-1842 Liberty Deep Dive

Alasdair Nottingham - STSM, WAS Liberty Architect, @nottycode

Erik Hochstedt, Liberty Dev Lead

Page 2: Liberty Deep Dive

2 05/02/2023

What is Liberty

• Lightweight
• Fit for your purpose
• Simple
• Zero Migration
• 5 years old this year

Page 3: Liberty Deep Dive

3 05/02/2023

Fast & Small Startup

[Charts: Startup Time and Footprint, each comparing Liberty 16.0.0.4, Tomcat 9 M11, WildFly 10.1 and TomEE Plus 1.7.4]

Page 4: Liberty Deep Dive

4 05/02/2023

Excellent Throughput

[Chart: Req/sec for WAS trad 9.0.0.2, Liberty 16.0.0.4, WildFly 10.1, JBoss EAP 7 and Glassfish 4.1.1]

Page 5: Liberty Deep Dive

5

Fit-for-purpose server

• You control which features are loaded into each server instance

Kernel

<feature>servlet-3.1</feature>

servlet-3.1

http-1.1 appmgr

<feature>jsf-2.2</feature>

jsp-2.3 jsf-2.2

Java EE

Page 6: Liberty Deep Dive

zOS

ND

Core

Base

New in 1Q17

New in 4Q16

New in 2Q16

New in 3Q16

Diagram labels: Java EE 6 subset; Programming Model; Security; Production

Features shown: couchdb-1.0, mongodb-2.0, wsSecurity-1.1, javaee-7.0, batchManagement-1.0, rtcomm-1.0, rtcommGateway-1.0, sipServlet-1.0, wsSecuritySaml-1.1, mediaServerControl-1.0, wsAtomicTransaction-1.2, cloudant-1.0, scalingController-1.0, scalingMember-1.0, dynamicRouting-1.0, collectiveController-1.0, clusterMember-1.0, healthManager-1.0, healthAnalyzer-1.0, zosConnect-1.2, zosLocalAdapters-1.0, zosSecurity-1.0, zosTransaction-1.0, zosWlm-1.0, zosRequestLogging-1.0, batchSMFLogging-1.0, webProfile-6.0, distributedMap-1.0, openid-2.0, openidConnectServer-1.0, openidConnectClient-1.0, osgiAppIntegration-1.0, spnego-1.0, collectiveMember-1.0, restConnector-2.0, sessionDatabase-1.0, ldapRegistry-3.0, webCache-1.0, javaMail-1.5, osgiConsole-1.0, json-1.0, timedOperations-1.0, monitor-1.0, oauth-2.0, serverStatus-1.0, wab-1.0, blueprint-1.0, webProfile-7.0, eventLogging-1.0, requestTiming-1.0, adminCenter-1.0, concurrent-1.0, bells-1.0, samlWeb-2.0, httpWhiteboard-1.0, federatedRepository-1.0, constrainedDelegation-1.0, osgiBundle-1.0, passwordUtilities-1.0, bluemixUtility-1.0, apiDiscovery-1.0, logstashCollector-1.0, scim-1.0, microProfile-1.0, jwt-1.0, productInsights-1.0, transportSecurity-1.0

Liberty Features

Page 7: Liberty Deep Dive

7

Simple Config

server.xml

<server>
  <featureManager>
    <feature>jsp-2.3</feature>
  </featureManager>

  <webApplication location="myweb.war" contextRoot="/" />

  <applicationManager autoExpand="true"/>
</server>

jvm.options

-Xmx1g
-Dsystem.prop=value

server.env

WLP_OUTPUT_DIR=/usr/wlp-out/

Page 8: Liberty Deep Dive

8

Composing Config

configDropins/defaults/common-http.xml

<server>
  <httpEndpoint id="defaultHttpEndpoint" host="${host}" httpPort="${http}" httpsPort="${https}"/>
</server>

configDropins/overrides/ports.xml

<server>
  <include location="https://myHost/ports.xml"/>
  <variable name="host" value="${my.host}"/>
  <variable name="http" value="${my.host.http}"/>
  <variable name="https" value="${my.host.https}"/>
</server>

Page 9: Liberty Deep Dive

9

Security

• Security by default

• No remotely accessible ports

• Enable admin, enable security

• Enable ssl using ssl-1.0

<feature>restConnector-1.0</feature>
<quickStartSecurity userName="admin" userPassword="{hash}adSDwijgnb=="/>

<feature>transportSecurity-1.0</feature>
<keyStore password="{aes}adSDwijgnb=="/>

<httpEndpoint id="defaultHttpEndpoint" host="*"/>
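The bullets on this slide can be turned into a review check for a server.xml. The following is an added example, not code from the deck or from Liberty: the finding names and the policy (the admin connector must come with a user registry, a TLS feature and a keyStore) are assumptions taken from the slide's bullets, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the deck): admin connector enabled, listener
# bound to every interface, one password in clear text, no TLS keystore.
SAMPLE = """<server>
  <featureManager>
    <feature>restConnector-1.0</feature>
  </featureManager>
  <quickStartSecurity userName="admin" userPassword="changeit"/>
  <httpEndpoint id="defaultHttpEndpoint" host="*"/>
</server>"""

ENCODED = ("{aes}", "{hash}", "{xor}")        # Liberty password encoding prefixes
TLS_FEATURES = ("ssl-", "transportSecurity-")
REGISTRIES = ("quickStartSecurity", "basicRegistry", "ldapRegistry")

def audit(server_xml):
    """Return sorted finding codes for one server.xml (assumed local policy)."""
    root = ET.fromstring(server_xml)
    features = [f.text.strip() for f in root.iter("feature") if f.text]
    findings = set()
    # host="*" opts out of the localhost-only default and exposes the ports.
    if any(ep.get("host") == "*" for ep in root.iter("httpEndpoint")):
        findings.add("REMOTE_LISTENER")
    # Every *password attribute should carry an encoding prefix.
    for el in root.iter():
        for name, value in el.attrib.items():
            if not name.lower().endswith("password"):
                continue
            if value.startswith("${"):        # variable reference, resolved elsewhere
                continue
            if not value.startswith(ENCODED):
                findings.add("CLEARTEXT_PASSWORD")
            elif value.startswith("{xor}"):   # xor is obfuscation, trivially reversed
                findings.add("REVERSIBLE_XOR_PASSWORD")
    # "Enable admin, enable security": the connector needs users and TLS config.
    if any(f.startswith("restConnector-") for f in features):
        if not any(root.find(t) is not None for t in REGISTRIES):
            findings.add("ADMIN_WITHOUT_USERS")
        tls = any(f.startswith(TLS_FEATURES) for f in features)
        if not (tls and root.find("keyStore") is not None):
            findings.add("ADMIN_WITHOUT_TLS_CONFIG")
    return sorted(findings)

if __name__ == "__main__":
    for code in audit(SAMPLE):
        print(code)
```

Run against the slide's own snippets combined into one file, the only finding is REMOTE_LISTENER, which is the deliberate opt-in the slide shows.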

Page 10: Liberty Deep Dive

10

App Security

• Feature to enable

• Configure security role bindings in server.xml

• Configure registry

<feature>appSecurity-2.0</feature>
<webApplication location="myweb.war">
  <application-bnd>
    <security-role name="user">
      <group name="myGroup"/>
    </security-role>
  </application-bnd>
</webApplication>

<feature>ldapRegistry-3.0</feature>

Page 11: Liberty Deep Dive

11

Class Visibility - Parent First

JVM

rt.jar jce.jar jsse.jar

Application Server

runtime.jar libx-1.jar was-util.jar

Web Application

myapp.jar libx-2.jar myutil.jar

1

2

3

• App Server & Application use open source library

• They use different versions

• When application loads class in open source library, the app server copy is found first

✘ Application fails as class is not compatible

Page 12: Liberty Deep Dive

12

Class Visibility – Parent Last

JVM

rt.jar jce.jar jsse.jar

Application Server

runtime.jar libx-1.jar was-util.jar

Web Application

myapp.jar libx-2.jar myutil.jar

3

2

1 ✓

• App Server & Application use open source library

• They use different versions

• When application loads class in open source library, the application copy is found first

✘ If application contains Servlet classes then the container can’t use the Servlet classes so application fails

Page 13: Liberty Deep Dive

13

Class Visibility - Liberty

JVM

rt.jar jce.jar jsse.jar

Application Server

runtime.jar libx-1.jar was-util.jar

Web Application

myapp.jar libx-2.jar myutil.jar

1

2 ✓

• App Server & Application use open source library

• They use different versions

• When application loads class in open source library, only API class loads are delegated to the application server classloader

✔ Application gets the open source class it wants, server and application agree on servlet
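The three class-visibility slides can be compared side by side with a small model. This is an added example, not code from the deck or from Liberty: it models lookup order in Python rather than using real Java class loaders, the jar names come from the slides, and the class names, the `javax.` API prefix and the application bundling a Servlet class in myutil.jar are assumptions.

```python
# Constructed model of the three class-visibility slides (not real class loaders).
# Each layer maps a class name to the jar providing it; jar names are from the
# slides, class names are assumptions made for the illustration.
JVM = {"java.lang.String": "rt.jar"}
SERVER = {"javax.servlet.Servlet": "runtime.jar",
          "org.libx.Parser": "libx-1.jar",
          "server.internal.Util": "was-util.jar"}
APP = {"com.example.MyServlet": "myapp.jar",
       "org.libx.Parser": "libx-2.jar",
       "javax.servlet.Servlet": "myutil.jar"}   # app wrongly bundles the API

API_PREFIXES = ("javax.",)   # assumed set of packages the server exposes as API

def search_order(name, policy):
    """Layers the application's loader consults, in order, under a policy."""
    if policy == "parent-first":
        return [JVM, SERVER, APP]
    if policy == "parent-last":
        return [APP, SERVER, JVM]
    if policy == "liberty":
        # Only API packages are delegated to the server; its internals and
        # private libraries stay invisible to the application.
        server = [SERVER] if name.startswith(API_PREFIXES) else []
        return [JVM] + server + [APP]
    raise ValueError(policy)

def resolve(name, policy):
    """Return the jar that wins for `name`, or None if no layer provides it."""
    for layer in search_order(name, policy):
        if name in layer:
            return layer[name]
    return None

def problems(policy):
    """Classes for which the winning copy is not the one that is required."""
    required = {"org.libx.Parser": "libx-2.jar",         # app built against v2
                "javax.servlet.Servlet": "runtime.jar"}  # container's own copy
    return sorted(n for n, jar in required.items() if resolve(n, policy) != jar)

if __name__ == "__main__":
    for p in ("parent-first", "parent-last", "liberty"):
        print(p, problems(p))
```

The same model shows a side effect useful for review: under the Liberty policy the server's private classes resolve to nothing from the application, so a library copy inside the server cannot silently shadow the one the application ships.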

Page 14: Liberty Deep Dive

14

Zero Migration

• Zero config migration
  - Write once, run forever

• Zero migration for apps
  - No behavior changes in existing features
  - New behaviors in new features

• Choose your Java
  - Java 8, 7, or 6*
  - IBM, Oracle, Open JDK

[Diagram labels: 16.0.0.4, 17.0.0.1, WLP_CONFIG_DIR, app1Svr, app2Svr]

Page 15: Liberty Deep Dive

15 05/02/2023

Continuous Deploy

[Diagram labels: Code, Build, Test, Package (zip), Deploy]

Page 16: Liberty Deep Dive

Standalone Server Farms

[Diagram labels: Script Client; WAS servers; IHS, DP, or generic HTTP; HTTP/S]

• Load balancing and session affinity/failover

• Operations target individual servers

• Web server plugin is a merge of the individual servers’ plugins. Session failover uses DB or session cache.

Page 17: Liberty Deep Dive

Liberty Collectives

[Diagram labels: liberty servers; controllers; collective; IHS/DP; Script Client; HTTP/S]

• Operations target individual servers or clusters

• Load balancing and session affinity/failover

Page 18: Liberty Deep Dive

Liberty Dynamic Routing

[Diagram labels: liberty servers; controllers; collective; IHS/DP; Script Client; HTTP/S; get dynamic topology]

• Operations target individual servers or clusters

• Load balancing and session affinity/failover

Page 19: Liberty Deep Dive

AutoScaling & Dynamic Routing

Administratively defined policy

<scalingPolicy name="policy1" min="3">
  <metric name="heap" max="80"/>
  <bind clusters="cluster1"/>
</scalingPolicy>

[Diagram labels: liberty servers; controllers; collective; cluster members; IHS/DP; Script Client; HTTP/S; dynamic start/stop; get dynamic topology]

• Operations target individual servers or clusters

• Load balancing and session affinity/failover

• Policy bound to app clusters
• Automatic start/stop of JVMs to scale up/down capacity.
• Dynamic routing
• Health management

Page 20: Liberty Deep Dive

Liberty and Docker

[Diagram: app and config + liberty and java + os config + docker = portable container]

Deployment targets shown:

• Local Docker host
• Private IaaS: WAS Patterns, Pure App System
• Third-party PaaS: OpenShift, CloudFoundry, Apprenda
• Public IaaS: IBM Softlayer, MS Azure, Amazon AWS

Page 21: Liberty Deep Dive

Last Year

21

16.0.0.2 (2Q16)

• oauth token propagation
• default map role to group
• enhanced password utils
• jaxrs SAML tokens
• apiDiscovery enhanced
• zosRequestLogging
• jaxws policy attachments
• dashDB service plugin
• collective docker & node
• wdt docker dev enhanced
• wdt swagger enhanced
• migration tools enhanced
• install consolidation
• server pckge file perms

16.0.0.3 (3Q16)

• json web token issue & accept
• vmm custom adapter spi
• jsse helper api
• collective user cert doc
• plugin config auto generation
• restConnector-2.0 feature
• z/os local adapter for ims
• async tcpip for zos
• unwrapped jdbc vendor apis
• sqlj for db2
• java batch logs from native cli
• batchSMFLogging-1.0 feature
• java batch events to jms
• java batch multi-files prop/parm
• wdt custom p/w encrypt
• wdt jax-rs gen from swagger
• cloudant-1.0 feature
• microProfile-1.0 feature
• node.js in docker + autoscale

16.0.0.4 (4Q16)

• Plugin config util for clusters
• merge jvm.options files
• logstashCollector w/binary log
• z/OS angel management +
• arbitrary SQL at connection init
• DB conn validation/pretest
• MS SQL 2016 certification
• batch events at timer intervals
• Admin Center Batch tool
• jwt-1.0 & enhancements
• Windows service
• WAMT skeleton server.xml gen
• WAMT pre-deploy app analysis
• WDT docker workspace apps
• WDT fine-grained auto feature
• WDT apiTypeVisibility

17.0.0.1 (1Q17)

• Override deployment descriptors in configuration
• IBM Cloud Product Insights integration
• Dynamic Routing support for routing rules
• Route to same app in multiple collectives
• Api discovery works without authentication.
• Customize swagger UI css
• AdminCenter batch job stop/restart
• Outbound SSL config independent from inbound
• Log dates in ISO format
• Pause HTTP traffic

Page 22: Liberty Deep Dive

22

Customer Requirements

• Please, create and vote on Requests For Enhancement: https://www.ibm.com/developerworks/rfe/execute?use_case=submitRfe
• Also: lab advocates, workshops, WASdev forum and others
• Are we delivering?

16.0.0.3

SQLJ 19

Plugin merge tool 18

Batch CLI restart 6

Batch CLI param files 5

16.0.0.4

Windows service 51

DB test on connect 47

CMD-line plugin generation 12

17.0.0.1

Outbound SSL (partial) 55

API explorer fixes 21

Batch SMF records 16

Custom DN in routing cert. 14

Pause/Resume HTTP 12

OIDC Cluster support 9

ISO data format 5

Raw kerberos token 5

Routing rules 4

Binding overrides 4

Liberty Top 10

Outbound SSL 55

OAuth PKCE 31

Custom roles 28

HTTP 2.0* 27

Admin/App traffic 27

Config merge view 26

HTTP method restrictions 24

IIOP Txn propagation 24

Collective bulk update 15

Collective cert. SAF 14

Page 23: Liberty Deep Dive

23

WASdev.net

Page 24: Liberty Deep Dive

24 05/02/2023

Notices and disclaimers

Copyright © 2017 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights — use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. This document is distributed “as is” without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Page 25: Liberty Deep Dive

25 05/02/2023

Notices and disclaimers continued

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services®, Global Technology Services®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

Page 26: Liberty Deep Dive

26 05/02/2023

InterConnect 2017