Friday Mar 23, 2007

Leaving Sun! :(

It was so great working at Sun. I worked on so many areas and learnt so many things:

  • Starting from JDBC driver development
  • Transactions, design and performance
  • Admin infrastructure - Synchronization, Load Balancer administration, Web Services Management, Monitoring etc.
  • Update Center backend and APIs to name a few.

I am sad to leave Sun, but change can be a good thing.

My email address is  moc.liamg@mahtanawsiv.hsitas (spelt backwards to avoid spam). Wish me luck!

Wednesday Jan 17, 2007

Verisign trial Cert

For the Update Center project we plan to sign the hosted jars, and they are verified on the client side. This way only trusted jars can be downloaded and installed by GlassFish users. I wanted to test this code with a trial certificate. Verisign makes this process very easy.

The list of SSL certificate packages is available on the Verisign website. I clicked on the Trial button to generate a trial certificate. Once the contact information is filled out, a form is shown asking for the type of server platform, the intended use of the certificate and the CSR. The following steps create the CSR. First a key pair needs to be generated. The following generates a key pair under the alias "mykey" in the specified mykeystore file:

chandu(sv96363):~ -> keytool -genkey -keystore ~/public_html/mykeystore -keyalg rsa -alias mykey
Enter keystore password:  changeit
What is your first and last name?
 [Unknown]:  www.java.net
What is the name of your organizational unit?
 [Unknown]:  Application Server
What is the name of your organization?
 [Unknown]:  Sun
What is the name of your City or Locality?
 [Unknown]:  Santa Clara
What is the name of your State or Province?
 [Unknown]:  California
What is the two-letter country code for this unit?
 [Unknown]:  US
Is CN=www.java.net, OU=Application Server, O=Sun, L=Santa Clara, ST=California, C=US correct?
 [no]:  yes

Enter key password for <mykey>
       (RETURN if same as keystore password):

Then the CSR is obtained as follows:

chandu(sv96363):~ -> keytool -certreq -keystore ~/public_html/mykeystore -alias mykey

Enter keystore password: changeit


Almost immediately I got an email containing my trial cert. I saved the trial cert as uc_cert.cer. I import this trial certificate along with the trial Root CA certificate (http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html):

# import the trial Root CA first, under its own alias, so keytool can build the chain for the certificate reply
keytool -import -trustcacerts -keystore ~/public_html/mykeystore -alias trialroot -file ~/public_html/trial_root.cer
# then import the certificate reply into the key entry it was issued for
keytool -import -trustcacerts -keystore ~/public_html/mykeystore -alias mykey -file ~/public_html/uc_cert.cer

Now a jar file can be signed as follows:

jarsigner Test.jar mykey

Then it can be verified as follows:

jarsigner -verify -verbose -certs Test.jar
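An added example (my own code, not part of this post or of Update Center): jarsigner -verify reports a jar as verified whenever its signatures are internally consistent, whichever key signed it, so a client that should accept only trusted jars also needs to check that every entry is signed and that each signer chains to the CA it trusts. The class below does that with the JDK's own jar verification and PKIX path validation, assuming the file names used in this post (Test.jar, and the trial Root CA saved as trial_root.cer).

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example, not Update Center or Sun code: reject a jar unless every
 * content entry is signed and every signer chains to an explicitly trusted root.
 */
public class TrustedJarCheck {

    /** Loads a DER or PEM encoded certificate, e.g. the trial root saved as trial_root.cer. */
    static X509Certificate loadCert(File certFile) throws Exception {
        try (InputStream in = new FileInputStream(certFile)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Signature block files are not themselves signed; everything else must be. */
    static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
                || (n.startsWith("META-INF/")
                    && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    /**
     * Returns true only if the jar is intact, fully signed, and every signer's
     * certificate path validates (PKIX) against trustedRoot. Anything else,
     * including a tampered entry, an unsigned entry, or a signer from an unknown
     * CA, is a rejection.
     */
    static boolean verify(File jar, X509Certificate trustedRoot) throws Exception {
        PKIXParameters pkix = new PKIXParameters(
                Collections.singleton(new TrustAnchor(trustedRoot, null)));
        pkix.setRevocationEnabled(false); // assumption: no CRL/OCSP available for a trial CA
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        try (JarFile jf = new JarFile(jar, true)) {   // true: verify digests while reading
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) {
                    continue;
                }
                // The JDK checks an entry's digest, and populates its signers,
                // only after the entry's bytes have been read to the end.
                try (InputStream in = jf.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                } catch (SecurityException tampered) {
                    return false; // digest mismatch: entry modified after signing
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return false; // entry was added without a signature
                }
                boolean trusted = false;
                for (CodeSigner signer : signers) {
                    try {
                        validator.validate(signer.getSignerCertPath(), pkix);
                        trusted = true;
                        break;
                    } catch (Exception notTrusted) {
                        // signed, but not by a chain ending at our root; try the next signer
                    }
                }
                if (!trusted) {
                    return false;
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        File jar = new File(args.length > 0 ? args[0] : "Test.jar");
        File root = new File(args.length > 1 ? args[1] : "trial_root.cer");
        System.out.println(verify(jar, loadCert(root)) ? "trusted: install" : "REJECTED");
    }
}
```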


Wednesday Dec 06, 2006

Update on Update Center (GlassFish) and lessons from Java Update

The engineers working on Update Center Project are excited to finish the milestone 2 of the project. Initial GUI is up and running. Next week, we will finish the Desktop tray implementation and we will also integrate into the GlassFish Application Server.

I also looked at the Java Update functionality over the weekend. It is pretty cool. There was an update available, so a tool tip balloon appeared as below on my computer. When I clicked on the balloon, I got the option to download or be reminded later (screen shot shown below).
I like the fact that it asks you when to remind you again about the update. I can choose a time ranging from 30 mins to 3 days. This is very convenient. In the Update Center project we may think about doing this too.

Just like the Update Center project, options can be set to manual, download, or just inform about the updates. As you can see in the following menu, "Check for updates automatically" can be turned on or off. Notification can be either "before downloading" or "before downloading and before installing". Unlike Update Center, there is no way to automatically download and install updates. Sometimes this could be very useful.

Now let me talk about the settings. The automatic update schedule can be daily, weekly or monthly. The default is day 0 at 4 p.m.; I am assuming that is the 1st day of the month.

Update Center should also have a monthly option, rather than only every week. A weekly scan is not required for many users. I also liked the proxy settings menu in Java Update. It looks like the following:

I like the fact that they let you choose either the system settings or the browser settings. We will support the proxy configuration script option in Update Center in the future. Finally, if you do not want the system tray icon to disappear, you can uncheck the following option:

Just to recap, in Java Update I liked the remind-me-later feature, the ability to set monthly update checks and the more flexible proxy configuration. Please take a look at the Update Center GUI mockups and let us know how we can improve the look and feel of the Update Center GUI.

Monday Oct 30, 2006

Change a GlassFish domain to be cluster aware domain

GlassFish V2 supports clustering, including load balancing, scalability and failover. If you built GlassFish V2 and set up the domain using the configure-runtime maven goal, it creates a PE style domain. Even if you run the configure-cluster goal after that, newer domains are always going to be PE style domains. The workaround is to remove the ${glassfish.home}/bin directory and re-run the maven configure-cluster goal. This makes sure you have the correct cluster-aware EE (Enterprise Edition) domains.

Thursday Oct 19, 2006

Feature rich NetBeans Update Center

I tried NetBeans Update Center a while back, however I did not blog about its features till now. The Update Center project for GlassFish will borrow code from NetBeans Update Center and add desktop integration, so that the user can be notified of new modules and updates.
The first screen of NetBeans Update Center Wizard looks like the following:

NetBeans shows all the Update Centers (for example NetBeans Update Center, Third Party Update Center etc.), so that users can pick only the Update Centers of their choice. If the user already has an update (NBM file), they can install this update/module at this point. The user can set proxy server information by clicking on the "Proxy Configuration" button. I liked the fact that the default is to use the system proxy settings.

I click on the "Next" button to select the modules and updates from the Update Centers. All the updates and new modules are shown with different icons. NetBeans does not show all the existing modules here. I guess NetBeans has a ModuleManager to look at the current modules and their installed versions. The user can also uninstall from the ModuleManager menu. It would be nice if NetBeans provided a link to ModuleManager from Update Center. I can click on an update to see the available version and the installed version. I can select them for installation using the "Add" and "Add All" buttons.

I selected CVS client and CVS Version System. NetBeans quickly downloads these components.

The download process can be stopped at any point; however, it cannot be resumed. Resumable downloads would be a nice enhancement for large updates/modules of a few megabytes or more: if the internet connection is dropped, the user would not have to start from the beginning. GlassFish Update Center is planning to use Sun Download Manager to provide this functionality. NetBeans NBM modules come with the certificate of the module developer. The user can check the certificate for validity and the trustworthiness of the module/update, and decide whether to get it or not. A screenshot of the certificate verification looks like the following:

To summarize, I liked all the NetBeans Update Center features. Smart download and desktop integration (notifying the user of updates or new modules) would further enhance the user experience. Better integration between Module Manager and Update Center would also be a major plus. It would be nice if the user could also roll back an update easily.

Wednesday Oct 18, 2006

Do you like Automatic Updates feature in Windows?

I looked at the Windows Automatic Updates feature to see how we can come up with a nice design for Update Center in GlassFish. Like other products (Apple's and Google's updaters), Windows also shows the latest available updates with all the details. A sample updates window looks like the following:

Microsoft identifies each update with an ID like KB918899, along with a long description of the update and a link to get more information. I am assuming the ID KB918899 is the knowledge base article number rather than an update ID. A lot of updates have variable sizes; for example KB918899 is listed as 1.5 MB - 4.4 MB. I would rather see the exact size/maximum size of the update, or at least more explanation. I would also rather see the updates classified into categories, like Security Updates, Functionality Updates (bugs) etc. I clicked on "Change automatic updates settings" to look at the preferences menu. A sample preferences menu looks like the following:

I liked this preferences menu better than Google Updater's for the following reason. Rather than showing 3 preferences (Auto Download and Install, Notify and Off), Microsoft has 4 preferences (Auto Download and Install, Auto Download and Notify, Just Notify and Off). Google gives an option to the user, so they can either allow or disallow collection of statistics. Microsoft does not give this option to the user; it collects these statistics anyway. However, Microsoft clearly states what kind of statistics it is collecting and why. I never saw such details from Google. Here is Microsoft's statistics collection policy:

Microsoft does not attempt to show the installed software updates in the Automatic Updates menu. In GlassFish we also want to give a similar 4-option preferences menu to the users. If you have any comments or ideas on this subject, please email dev@updatecenter.dev.java.net. Thanks for reading.

Thursday Oct 12, 2006

How good is Google Updater?

Last week I looked at Apple's Software Update feature. I want to summarize the Google Updater experience this week. This may help us in designing the Update Center user interface. Google Updater has a toolbar icon. If you click on it, it shows you the current status of Google's software. The screen shot looks like the following:

On my computer I already had Norton Antivirus 2004 installed. Google could update that software automatically. It asked me to uninstall it before it could install the 2005 version.
You can look at the currently installed software and details like install size, date, an option to run, an option to uninstall and an option to get more software. The screen shot for the installed software looks like the following:

One interesting fact is the heading "Software installed or detected by Google Updater". Even though I did not install Norton Antivirus 2004 through Google Updater, it shows it, because Norton Antivirus is part of the Google Update Center. That's why the install date of Norton Antivirus is in 2004, whereas the others are in 2006. I tried clicking on the "Get more software" link. I get the following in a browser window:

I was a bit confused by the terminology here. This page says there is "no new software", however it shows additional software links for Google Video, Picasa, Google screen saver etc. When it said "no new software", it apparently meant that there are no new versions. To confirm this, I clicked on the updates tab. As I expected, it shows that there are no updates (even though there is more software available for download). The screen shot looks like the following:

The most important tab is the Preferences tab. You can control the behavior of Updater here. If you are behind a firewall/proxy, you need to set up the proxy information here. The screen shot looks like the following:

By default, Updater checks for updates and installs them automatically. It also notifies the user if there is another update. By default Updater shows up in the system tray.
I did not like the fact that the term 'new software' is used interchangeably with 'newer software update', and I do not like the default of 'Automatically update software' rather than notifying the user. The version of Google Updater is very interesting too: version 1.2.567.20382.beta.en :). The version name is a bit longer than I am used to :). I am interested in learning more about what type of anonymous usage statistics Google intends to collect, once that option is enabled. Overall I liked the Google Updater.

Friday Oct 06, 2006

Learning from Software Update feature on Mac

Some of the GlassFish engineers, including me, are working on providing the auto update (Update Center) feature in GlassFish. That way users can get blueprints, frameworks, sample applications, additional modules or add-on products as they become available for GlassFish, rather than downloading and installing a whole new build. So I thought I would look at the Software Update feature on Mac. I started from the "System Preferences" icon/menu. If you are not very familiar with Mac, "System Preferences" is the equivalent of "Control Panel" in Windows. System Preferences has 4 categories - Personal, Hardware, Internet & Network and System. "Software Update" is available in the System section. Once I clicked on "Software Update", the screen looked like the following:

This main screen shows the time of the last successful software update. You can also select how often to check for updates. The default seems to be weekly. I clicked on the Installed Updates tab. It shows the following screen:

It shows the installed components, the date and time of the install and the versions. A nice touch is that it lets you open this information as a log file. This will be useful if you want to share what types of updates are installed on your computer. I went back to the Update Software tab and clicked on the "Check Now" button. After a brief delay showing the following screen,

it comes back with the list of updates. It auto-selects the recommended updates; for example, in the following screen 4 out of 6 are selected. This screen also provides a brief description of each update, so you can also look at the other 2 updates (which are currently unselected) and decide whether you want to install them too. The AirPort update seems to fix connectivity and security issues. I chose this update, as I use the wireless feature often and want to stay up to date with security fixes.

Another thing I liked about Apple's Software Update is that it lets you download the updates in the background and can notify you when the download is done. This way the user does not have to wait for the download. I also liked that the restart-required status is shown, so I can select only "no restart required" updates when I do not want to restart the computer. We have looked at Google Pack and its updater too. We will be looking at Ubuntu's update features in preparation for the design of the Update Center feature in GlassFish. If you are interested, please provide feedback and participate.

Thursday Sep 28, 2006

Could not create domain? What/Who is the culprit?

If you remove the GlassFish sources to refresh your build with the latest sources, re-checking out and building the sources should go through fine. But you may run into the following issue during the configure-runtime stage:

configure-runtime:
[copy] Copying 1 file to /export/satish/install/tip-gf
[mkdir] Created dir: /export/satish/install/tip-gf/bin
[echo] Current Java Version 1.5.0_06
[copy] Copying 1 file to /export/satish/install/tip-gf/config
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[copy] Copying 1 file to /export/satish/install/tip-gf/bin
[exec] Domain domain1 already exists in /export/satish/install/tip-gf/domains. Use a different domain name or the --domaindir option.
[exec] CLI130 Could not create domain, domain1

BUILD FAILED
File...... /export/satish/src/gf/glassfish/bootstrap/maven.xml
Element... ant:ant
Line...... 385
Column.... 76
exec returned: 1
Total time: 49 minutes 36 seconds
Finished at: Thu Sep 28 16:10:53 PDT 2006


If you guessed the reason, then you are smart :) and you can skip the rest of this blog. This is caused by an existing GlassFish instance that is still running and using the domains/domain1/autodeploy directory. A running GlassFish instance creates a .autodeploystatus file in the domain directory and recreates it if it is removed; so even though you removed the directory, the instance that was never stopped brings the file back.

So stop the running instance and then remove the domains directory. Then you are all set to build a new version of GlassFish and try out the newer builds.

Thursday Sep 21, 2006

Updating and Monitoring LB plug-in with Web Server 7.0

My previous blog talks about setting up an SSL connection between DAS and the load balancer (Web Server 6.0) so that configuration changes can be pushed from DAS (Domain Administration Server) to the load balancer automatically. This avoids manual copying of loadbalancer.xml. The monitoring data about the load balancer can also be obtained once SSL is set up. The following instructions talk about setting up the load balancer in SSL mode with Web Server 7.0.

Instructions to install load balancer (Web Server 7.0) and enable the 9.0 features:

Please install Web Server 7 Preview 2. Please make sure you do not use the default directory on Windows (Program Files/Sun/WebServer7). Please choose a directory which does not contain any spaces; otherwise the create-selfsigned-cert command fails. This bug is fixed in the upcoming Web Server 7 Preview 3 release. Once the web server is installed in a non-default directory, start the admin server as follows:

C:\Sun\WebServer7\admin-server>bin\startserv.bat
The Sun Java System Web Server 7.0 Administration Server service is starting....
The Sun Java System Web Server 7.0 Administration Server service was started successfully.

Get the config name of the server instance by using the wadm command.

C:\Sun\WebServer7>bin\wadm.bat --user admin
Please enter admin-user-password>
Sun Java System Web Server 7.0-Technology-Preview-2 B06/19/2006 16:59
wadm> list-configs
CHAND-NT

I will be working with the CHAND-NT configuration. Most commands need the --config parameter, so instead of typing that over and over, I'll set it once:

wadm>set wadm_config CHAND-NT

Then create a self signed certificate as follows

wadm> create-selfsigned-cert --server-name=CHAND-NT --nickname=ServerCert --token=internal

With the certificate installed, I now need a listener on some port which will have SSL enabled. I'll need a default virtual server associated with a listener, so first I want to check what virtual servers are configured so far:

wadm>list-virtual-servers
CHAND-NT

Ok there is only one (the default) virtual server here, so I'll go with that one:

wadm>create-http-listener --server-name=CHAND-NT --default-virtual-server-name=CHAND-NT --listener-port=8090 http-listener-ssl

Finally I need to set a few things on my new SSL listener: at the very least it needs to be enabled and it needs to be associated with the nickname of the cert it's going to use:

wadm>set-ssl-prop --http-listener=http-listener-ssl enabled=true
wadm>set-ssl-prop --http-listener=http-listener-ssl server-cert-nickname=ServerCert

After all the configuration is done, I just need to deploy this new configuration and start my server:

wadm>deploy-config host.red.iplanet.com
wadm>start-instance

I can now go and check https://CHAND-NT:8090 from a browser to verify the setup is working.

Please export the DAS certificate by executing the command

<as home>/lib/upgrade/pk12util -d <domain root>/config -o sjsas.p12 -W <file password> -K <master password> -n s1as

Please import the DAS certificate into the web server instance.

pk12util -i sjsas.p12 -d C:\Sun\WebServer7\admin-server\config-store\JHAUK\config


If obj.conf does not contain the following lines, please insert them at the end of obj.conf:

<Object ppath="*lbconfigupdate*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>
<Object ppath="*lbgetmonitordata*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>

You can verify the above setup from DAS. From the Application Server admin GUI, create a cluster and a load balancer. Instead of using the local CA, you can use any other CA and server certificate; in that case you skip steps 5 and 6, but need to import the server certificate you obtained from the other CA.
From CLI, the following creates the load balancer and sets it up, so that DAS posts the configuration changes automatically to that load balancer.

asadmin create-http-lb-config --target cluster1 sample_lb_config

asadmin create-http-lb --config sample_lb_config --autoapplyenabled=true --devicehost device_host_or_ip --deviceport device_port sample_lb

Give the web server host and HTTPS listener port as the device host and port. Click on "test connection" to test the connection. By default, a load balancer created from the GUI uses an SSL connection to the load balancer device.

Monday Sep 11, 2006

Load Balancer Administration - Current Status

I presented about Load Balancer Administration in the User Experience Group. You can take a look at the slides and the meeting minutes. I received good feedback, especially from Vince Kraemer. He carefully reviewed CLIs and GUI and pointed out some issues. Some of which have existing RFEs/bugs associated with them.

As a follow-up to the user experience meeting, I wrote two blog entries detailing an easier way to install the load balancer plug-in and also to set up the load balancer so that it receives configuration updates from DAS automatically - Installing Load Balancer (Using APS Installer) with GlassFish and Updating and Monitoring HTTP Load Balancer. I also added the Loadbalancer Administration module page for GlassFish.

The following is a recap of the feedback Vince and others provided. I tried to classify the feedback into two areas - feedback on the existing features and feedback on documentation.

Functionality Feedback
  • loadbalancer.xml's DTD lets the user configure error-url per web-module. By default LB uses a local page in its installation directory called default-error.html. There is no way to configure this now. Load Balancer admin should provide a way to configure this error URL. (Bug # 6463611 is filed for this)
  • A DTD documentation error was pointed out by Vince. The DTD says the unit of measurement for disable-timeout-in-minutes is seconds. It should say minutes. (Bug 6463768 is filed for this)
  • Simplify adding multiple clusters to an LB configuration. The user should be able to enter comma-separated targets for the --target argument in the create-http-lb-config and create-http-lb commands. (Pre-existing RFE: 6193575)
  • There is a data overlap between the data in the loadbalancer.xml file for "our" LB plugin and the configuration files of some of the other load balancers that I discussed on slide 4 of my presentation. XSLT "scripts" could be created to automate this for users that have those other LB configurations. No customer has asked for this yet. We could take community contributions in this area.
  • [Issue 1020] We have options to enable all server instances/applications in create-http-lb-ref command, but also need lbEnableAllInstances & lbEnableAllApplications options for create-http-lb-config.
  • Auto apply should not be enabled by default in GUI. Bug # 6468049 is filed.
  • When auto-apply flag is enabled, it should not produce a large stack trace with every asadmin command if DAS is unable to contact the loadbalancer. We should warn the user without creating lots of stack traces.

Documentation Feedback

I filed a documentation bug to improve the documentation with the following items. Issue 1019 is filed as a tracking bug. I need to spend some more time writing up the following documentation suggestions in greater detail, so that the documentation team can then turn them into production documentation. The documentation for Application Server 8.2 is missing the following topics:

  • The current Loadbalancer Administration documentation mentions the CLI commands. It should also provide a link to each CLI command, so that the user can click on it and immediately read more about that command.
  • Document the way to change the value of the properties that were used/defaulted when a health-checker was created. Example dotted commands must be provided.
  • Clarify that the additional health-checker  properties, like active-healthcheck-enabled are global to the load balancer.
    • These properties can be added during create-http-lb-config or create-http-lb.
  • Clarify that there is no stand-alone verifier for the loadbalancer.xml. asadmin (GlassFish) generates a correct loadbalancer.xml. We try to remove the need to edit the loadbalancer.xml manually and avoid any editorial mistakes.
  • Clarify that all the customizations of the loadbalancer.xml file are supported by CLI commands and GUI screens. If they aren't, it is a bug and must be fixed.
  • Table 5-1 and other tables must use the actual names for the parameter specified in DTD.
  • Document the way to set/change the disable-timeout-in-minutes attribute of the instance element. Provide a sample command.
  • Use cases such as what happens when a new application is deployed or undeployed, or a new HTTP listener is added, and their semantics must be clearly documented. This should also cover how web-module elements are added to and deleted from loadbalancer.xml.
  • Provide a link to the latest version of DTD/Schema of the loadbalancer.xml.
  • Talk about why we require the user to execute disable-http-lb-server before they can execute delete-http-lb-ref.
  • Discuss the behavior of delete-http-lb-config: it does not delete the loadbalancer.xml file from the machine that has the LB installed. It only removes the config object on DAS. Even in Auto Apply mode, the loadbalancer.xml is not deleted from the LB installation. No further configuration updates are sent from DAS to the LB in this case.
  • Provide the mapping between the elements of the lbxml and the asadmin commands that manipulate the object created by the create-http-lb-config command. For example:

    <!ELEMENT web-module (idempotent-url-pattern*)>
    <!ATTLIST web-module
      context-root               CDATA     #REQUIRED  --> comes from domain.xml (context-root in the web-module element for stand-alone modules; for an application it comes from the descriptor)
      enabled                    %boolean; "true"     --> asadmin enable-http-lb-application
      disable-timeout-in-minutes CDATA     "31"       --> asadmin disable-http-lb-application --timeout (you can only modify this during disable, because that is when it is useful)
      error-url                  CDATA     ""         --> Bug # 6463611 is filed to fix this
    >

The following must be corrected/added in the 9.1 documentation:

  • All the new commands like create-http-lb, delete-http-lb etc. must be documented. New commands to add policy modules and to set/change the listeners/weight attributes of the instance element must also be discussed. The way to enable/disable all the servers/applications in a config with just the --lbEnableAllApplications and --lbEnableAllInstances arguments must be discussed. Please refer to the latest CLI man pages here.
  • Auto Apply feature must be documented.
  • The way to enable/disable all the servers/applications in a config with just  one command/argument must be discussed.
  • If the user wants to configure custom error pages, they need to be present on the machine that is balancing the load. A "best practice" for names/locations/content that we should encourage folks to follow (or build tools to automate) must be documented.

Thursday Sep 07, 2006

Updating and Monitoring HTTP Load Balancer

My previous blog talks about setting up a Load Balancer plug-in. If you set up an SSL connection between DAS and the load balancer, configuration changes can be pushed from DAS (Domain Administration Server) to the load balancer automatically. This avoids manual copying of loadbalancer.xml. The monitoring data about the load balancer can also be obtained once SSL is set up. The following instructions talk about setting up the load balancer in SSL mode.

Instructions to install load balancer and enable the 9.0 features:

Please make sure that you have the load balancer set up using either the instructions from my previous blog or the manual steps. Start the web server's admin server by calling <web server home>/https-admserv/start. Now you are ready to set up SSL.

1. From the browser access the admin gui of the webserver and login

2. Select your server instance and click on manage

3. Click on security tab

4. Initialize the trust database by giving the username and password. This can be done either using certutil or using the GUI. The following certutil options can be used to initialize the trust database:

certutil -N -P "https-boqueron.virkki.com-boqueron-" -d .
When prompted by certutil, enter the password to encrypt your keys:

Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long, and should contain at least one non-alphabetic character.

Enter new password: your-password
Re-enter password: your-password

The following is the screen shot for this task :

5. Create a sample local CA (Certificate Authority)

certutil -S -P "https-boqueron.virkki.com-boqueron-" -d . -n SelfCA -s "CN=Self CA,OU=virkki.com,C=US" -x -t "CT,CT,CT" -m 101 -v 99 -5

You will be asked to enter 0-7 for the type of certificate; please choose 5 for SSL CA. It will show the same dialog again; this time choose 9 to finish the dialog.

For the following question Is this a critical extension [y/n]? please answer y.

6. Use the sample CA created above to generate a certificate

certutil -S -P "https-boqueron.virkki.com-boqueron-" -d . -n MyServerCert -s "CN=boqueron.virkki.com,C=US" -c SelfCA -t "u,u,u"   -m 102 -v 99 -5

You will be asked to enter 0-7 for the type of certificate; please choose 1 for SSL Server. It will show the same dialog again; this time choose 9 to finish the dialog.

For the following question Is this a critical extension [y/n]? please answer y.

7. Edit the current http listener socket by clicking on "Preferences->Edit Listen Socket" enable the security and choose the certificate created in step 6. The following is the screen shot for this task :

If you wish to not use GUI. Change the entry to read as follows:

Change the tag so that the value of security= is "true"; the tag must be altered to contain additional body content and a closing tag. Be sure to remove carriage returns when adding the tag.
<LS id="ls1" port="80" servername="$DEPLOY-INSTANCE" defaultvs="https-$DEPLOY-INSTANCE" ip="any" security="true" acceptorthreads="1" blocking="false">
<SSLPARAMS servercertnickname="$HOST-DOMAIN" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,+rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="off"/>
</LS>

8. Export the DAS certificate by executing the command:

<as home>/lib/upgrade/pk12util -d <domain root>/config -o sjsas.p12 -W <file password> -K <master password> -n s1as

9. Import the DAS certificate into the web server instance:

<webserver home>/bin/https/admin/bin/pk12util -i sjsas.p12 -d <webserver home>/alias -W <file password> -K <webserver security db password> -P <instance-name>-<hostname>-

<webserver home>/bin/https/admin/bin/certutil -M -n s1as -t "TCu,Cu,Tuw" -d alias -P <instance-name>-<hostname>-

This command makes the s1as CA a trusted CA for signing both client and server certificates. The following screen shot shows a sample certificate:

If obj.conf does not contain the following lines, insert them at the end of obj.conf:

<Object ppath="*lbconfigupdate*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>
<Object ppath="*lbgetmonitordata*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>
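The two hand-edited pieces above, the <LS>/<SSLPARAMS> entry from step 7 and the obj.conf blocks that make the web server demand a client certificate on the lbconfigupdate and lbgetmonitordata paths, are easy to get subtly wrong (an unclosed <Object> tag, for instance, silently leaves the second path unprotected). The following script checks both. It is an added example, not code from this post, GlassFish or Sun Web Server; the sample config text is constructed from the snippets above, and the function names are my own.

```python
"""Offline checks for the Web Server SSL listener entry and the obj.conf
<Object> blocks described in the post. Added example; not part of the post
or of GlassFish / Sun Web Server. Sample config text is constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed: the <LS> entry from the post, with security enabled.
SERVER_XML_LS = """
<LS id="ls1" port="80" servername="$DEPLOY-INSTANCE" defaultvs="https-$DEPLOY-INSTANCE" ip="any" security="true" acceptorthreads="1" blocking="false">
<SSLPARAMS servercertnickname="$HOST-DOMAIN" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,+rsa_3des_sha" tlsrollback="on" clientauth="off"/>
</LS>
"""

# Constructed: an obj.conf with a default object plus the two blocks the post requires.
OBJ_CONF_OK = """
<Object name="default">
NameTrans fn="document-root" root="$docroot"
Service method="(GET|HEAD)" type="*~magnus-internal/*" fn="send-file"
</Object>
<Object ppath="*lbconfigupdate*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>
<Object ppath="*lbgetmonitordata*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>
"""

# Constructed: the same file with the first block left unclosed (a copy/paste slip).
OBJ_CONF_BROKEN = OBJ_CONF_OK.replace(
    'require="1"\n</Object>\n<Object ppath="*lbgetmonitordata*">',
    'require="1"\n<Object>\n<Object ppath="*lbgetmonitordata*">', 1)

ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
OBJECT_RE = re.compile(r'<Object\s+([^>]*)>(.*?)</Object>', re.S)


def check_listener(ls_xml: str) -> list:
    """Return findings for one <LS> entry. Empty means the listener is set up
    the way the post needs: SSL on, SSLv2 off, TLS on, rollback protection on,
    a server certificate nickname selected. 'warn:' items are advisory."""
    ls = ET.fromstring(ls_xml.strip())
    findings = []
    if ls.get("security") != "true":
        findings.append("security is not 'true': listener is plain HTTP")
    ssl = ls.find("SSLPARAMS")
    if ssl is None:
        findings.append("no SSLPARAMS element: server cert and protocol settings missing")
        return findings
    if not ssl.get("servercertnickname"):
        findings.append("servercertnickname is empty: no server certificate selected")
    if ssl.get("ssl2") != "off":
        findings.append("ssl2 is not 'off'")
    if ssl.get("tls") != "on":
        findings.append("tls is not 'on'")
    if ssl.get("tlsrollback") != "on":
        findings.append("tlsrollback is not 'on'")
    if ssl.get("ssl3") == "on":
        findings.append("warn: ssl3 is on; turn it off unless a legacy client needs it")
    return findings


def parse_obj_conf(text: str) -> dict:
    """Map each <Object> block (keyed by ppath, else name) to its directive lines."""
    objects = {}
    for attrs, body in OBJECT_RE.findall(text):
        a = dict(ATTR_RE.findall(attrs))
        key = a.get("ppath") or a.get("name")
        objects[key] = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return objects


def requires_client_cert(line: str) -> bool:
    """True for a line of the form: PathCheck fn="get-client-cert" ... require="1"."""
    a = dict(ATTR_RE.findall(line))
    return (line.startswith("PathCheck") and a.get("fn") == "get-client-cert"
            and a.get("require") == "1")


def check_obj_conf(text: str, paths=("*lbconfigupdate*", "*lbgetmonitordata*")) -> list:
    """Return findings; empty means every path in `paths` demands a client cert."""
    findings = []
    if text.count("<Object") != text.count("</Object>"):
        findings.append("unbalanced <Object>/</Object> tags: a block is not closed")
    objects = parse_obj_conf(text)
    for p in paths:
        lines = objects.get(p)
        if lines is None:
            findings.append(f'no <Object ppath="{p}"> block: path reachable without a client cert')
        elif not any(requires_client_cert(ln) for ln in lines):
            findings.append(f'<Object ppath="{p}"> has no PathCheck get-client-cert require="1"')
    return findings


if __name__ == "__main__":
    for label, findings in (("listener", check_listener(SERVER_XML_LS)),
                            ("obj.conf", check_obj_conf(OBJ_CONF_OK)),
                            ("obj.conf (unclosed tag)", check_obj_conf(OBJ_CONF_BROKEN))):
        print(label, "->", findings or ["OK"])
```

Run against the post's own entries the listener check reports only the advisory about ssl3 and the obj.conf check reports nothing; with the first <Object> left unclosed it reports the unbalanced tags and that *lbgetmonitordata* has no protecting block, because the regex parser, like the web server, swallows the second block into the first.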

You can verify the above setup from the DAS. From the app server admin GUI, create a cluster and a load balancer. Instead of the local CA, you can use any other CA and server certificate; in that case skip steps 5 and 6, but import the server certificate you obtained from the other CA.

From the CLI, the following commands create the load balancer and set it up so that the DAS posts configuration changes automatically to that load balancer:

asadmin create-http-lb-config --target cluster1 sample_lb_config

asadmin create-http-lb --config sample_lb_config --autoapplyenabled=true --devicehost device_host_or_ip --deviceport device_port sample_lb

Give the web server host and HTTPS listener port as the device host and port. Click on Test Connection to test the connection. By default a load balancer created from the GUI uses an SSL connection to connect to the load balancer device.

Wednesday Aug 23, 2006

Installing Load Balancer (Using APS Installer) with GlassFish

Dinesh published a blog on Configuring the Cluster/Load Balancer with GlassFish V2. It involves downloading the web server and configuring it manually. GlassFish V2 does not have an installer to do this job; however, the APS installer can be used for this purpose. The following are the instructions to set up the load balancer using the APS installer. [Read More]

Tuesday Aug 22, 2006

Setting up BIG-IP v4.5 LoadBalancer with GlassFish

Prashant Abbagani wrote detailed instructions on setting up the BIG-IP load balancer with Sun Application Server (GlassFish). I am posting his work. [Read More]

Friday Aug 18, 2006

WS Management.NEXT in GlassFish

In GlassFish v1, we added support for Web Services automatic discovery and monitoring, and integration with a Web Services registry. GlassFish v1 also supports message-level security and XSLT transformation. Using these features one can secure Web Services on the wire and also do performance monitoring, track usage, analyze failures and debug during development. Refer to this article and screencast for more details on the v1 features.

We are planning to extend the existing Web Services monitoring capabilities in GlassFish with more sophisticated features such as Activity Monitoring, Service Monitoring, Policy Management, and Service Testing and Validation. Activity Monitoring lets you monitor and view only the activities you are interested in rather than all web service calls, which increases the administrator's productivity. Service Monitoring tracks key service levels such as performance and availability targets and raises alerts for immediate attention when the boundary conditions are broken. Each web service deployment has its own policies to enforce in terms of interoperability and security requirements; we make managing these policies easier. Service Testing provides an easy way to test and verify key deployment properties such as interoperability, and makes sure that web services work for all possible kinds of inputs.

Refer to this document and presentation for more details on the planned features. Please give us feedback via comments on the blog.