Working with IBM WebSphere

This chapter contains an overview and discusses:

WebSphere Application Server 6.1 with in PeopleSoft.
Starting and Stopping WebSphere Application Server.
Understanding WebSphere Reverse Proxy Servers.
Configuration of WebServer plug-ins for WAS ND 6.1.
Setup SSL with WebSphere Application Server ND 6.1.
Administering WebSphere Application Server ND 6.1.

WebSphere Application Server 6.1 within PeopleSoft

The WebSphere Application Server (WAS) is a J2EE application server that PeopleSoft uses as a web server to deploy the PeopleSoft Internet Architecture. We package WebSphere Base and Network Deployment Manager (ND) together. When you install WebSphere 6.1, both base and ND gets installed and there is no separate installation required for ND. The new terminology for this package of WAS is WebSphere Application Server ND.

This section discusses:

IBM HTTP Server.
WebSphere Application Server Profiles.
Integrated Solution Console.

IBM HTTP Server

The IBM HTTP Server (IHS), which is the IBM version powered by Apache 2.0.47 and a separate installation, is required for IHS and IHS Plug-ins.

WebSphere Application Server Profiles

The WebSphere Application Server profile defines the runtime environment (JVM) for Web applications. The profile includes all of the files that the server processes in the runtime environment and can change. PeopleSoft Internet Architecture makes use of these WAS profiles to deploy the PeopleSoft Enterprise Applications on to the WebSphere Application Server ND.

The following picture shows how profile directory structure looks like when a profile is created under WAS.

Note. The location for Application Server profile location differs from the default location when PIA creates Application Server Profile.

The number of Application Server profiles that we create varies depending on the choices you made during the PeopleSoft Internet Architecture installation. We provide the following types of domain installations during the PIA install.

Single Server Installation

If you specified the default application name of peoplesoft at install time, an application Server profile with the same name gets created in <ps_home>\webserv\<peoplesoft>. When the PIA install creates an Application Server profile, it creates a default server names “server1” (single JVM process) and all of the PeopleSoft web modules are deployed on to this single server.

Single Server profile directory structure located in <ps_home>\webserv\ is shown below.

Multi Server Installation

If you specified the default application name of peoplesoft at install time, three application Server profiles are created under <ps_home>\webserv\.

PIA_peoplesoft

This contains the PORTAL and other web modules used for PeopleSoft online transactions.
PSEMHUB_peoplesoft

This contains the PSEMHUB web module used by the PeopleSoft Environment Management Hub.
PSOL_peoplesoft

This contains the PSOL web module used by the PeopleSoft Online Library Manager.

Each of these Application Server profiles creates a server called “server1” and they all run on different ports. After the PIA install is completed, start the server processes in order to access the application deployed on the server.

Integrated Solutions Console

WebSphere Application Server ND 6.1 offers new web based Administrative console called Integrated Solutions Console that:

is based on the Integrated Solutions Console (ISC) framework which provides consistency and integration capability for administering IBM software
allows ability to create navigation list of customized tasks more frequently performed by the administrator

To access ISC, in a browser, enter the following URL:

http://WASHostname:9060/ibm/console

If you have more than one WAS ND installation on single machine, the port number for the admin console will change. The default port number starts at 9060 and then increments by 1 for subsequent installations of WAS.

On the ISC login page, you can enter any user name and can login if the Global Security is not enabled. After the login, the console home page looks like the following from which you can access the Application Server and Enterprise application configuration.

You can perform many administrative tasks using ISC and some of them are discussed later in this guide.

Note. If you have more than one WAS ND 6.1 installed on a machine, the WAS administrative console’s port number can be found in <PS_HOME>\webserv\<profilename>\logs\AboutThisProfile.txt.

Starting and Stopping WebSphere Application Servers

By default, all of the servers of WAS instance are stopped when you install PIA. You need to start the server in order to access the PeopleSoft Enterprise Application.

Starting the WebSphere Server

Change directories to the folder in which WebSphere Application Server profile is installed—the bin directory under the WebSphere home directory, <ps_home>\webserv\<profilename>\bin.

Enter the following command:

On Windows:

startServer.bat <server_name> -profileName <profilename>

On UNIX:

startServer.sh <server_name> -profileName <profilename>

where <profilename> indicates the application name that you have selected during the PIA install and <server_name> will be the server that gets created when the application server profile is created.

Stopping the WebSphere Server

On Windows:

stopServer.bat <server_name> -profileName <profilename>

On UNIX:

stopServer.sh <server_name> -profileName <profilename>

Working with WebSphere Reverse Proxy Servers

WebSphere Application Server ND 6.1 supports the following HTTP servers as Reverse Proxy Servers:

IBM HTTP Server.
Microsoft IIS.
Sun ONE Web Server.

You must install a supported web server before you can install a plug-in for the web server. You can install the web server plug-ins by itself on a machine where WebSphere Application Server ND has been installed but the plug-in has not. You can also install a plug-in on a remote machine where the HTTP proxy server is already installed (IBM HTTP Server, Microsoft IIS, or Sun ONE Web Server).

This section discusses:
Understanding Web Server Plug-ins.
Configuration of Web Server plug-ins for WAS ND 6.1.

Web Server Plug-in

Web server plug-ins enable the web server to communicate requests for dynamic content, such as servlets, to the application server. A web server plug-in is associated with each web server definition. The configuration file (plugin-cfg.xml) that is generated for each plug-in is based on the applications that are routed through the associated web server.

WebSphere RPS Plug-in

A web server plug-in is used to forward HTTP requests from a supported web server to an application server. Using a web server plug-in to provide communication between a web server and an application server has the following advantages:

XML-based configuration file
Standard protocol recognized by firewall products
Security using HTTPS, replacing proprietary Open Servlet Engine (OSE) over Secure Sockets Layer (SSL)

Each of the supported web server plug-ins runs on a number of operating systems.

See http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27006921

Configuring IHS plug-in with WAS ND 6.1

The following steps discuss how to setup IHS as a RPS for WAS ND 6.1. Before you perform the steps listed below, IHS and web server plug-ins installation needs to be completed.

To configure IHS:

Start the WebSphere Application servers
Copy the configureWeb_server_name script from the plugin_install_root/bin to the directory was_install_root/bin and run it.

This regenerates the plugin-cfg.xml so that IHS can talk to WAS directly and access the PeopleSoft application.
Verify that the WebSphere application server is running
Start the IBM HTTP Server and verify the application.

For more information on the configuration of IHS WebServer plug-ins, see the IBM documentation.

See http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tins_road_plugins.html

Configuring IIS plug-in with WAS ND 6.1

The following steps discuss how to setup IIS as a RPS for WAS ND 6.1. Before you perform the steps listed below, IIS and web server plug-in installation needs to be completed.

Configuring IIS Version 5.0

This section related to ISS 5.0.

To configure IIS 5.0:

Start the IIS application and create a new virtual directory for the Web site instance that you intend to work with WebSphere Application Server.

These instructions assume that you are using the Default Web Site.
Expand the tree on the left until you see Default Web Site.
Right-click Default Web Site, then click New > Virtual Directory to create the directory with a default installation.
Type sePlugins in the Alias to be used to Access Virtual Directory field.
Browse to the plugins_root\bin directory in the Enter the physical path of the directory containing the content you want to publish field.
Select the appropriate Execute check box (such as ISAPI applications or CGI) in what access permissions do you want to set for this directory field.
Click Next to add these Plugins virtual directory to your default Web site.
Click Finish.
Right-click Default Web Site in the navigation tree and click Properties.
Add the Internet Services Application Programming Interface (ISAPI) filter into the IIS configuration.

In the Properties dialog, perform the following steps:
1. Click the Internet Information Services tab.
2. Click WWW Service in the Master properties window.
3. Click Edit to open the WWW Service master properties window.
4. Click ISAPI Filters > Add to open the Filter properties window.
5. Type iisWASPlugin in the Filter Name field.
6. Click Browse in the Executable field.
7. Browse to the plugins_root\bin directory.
8. Click the iisWASPlugin_http.dll file.
9. Click OK until all the open windows close.

Configuring IIS Version 6.0

This section relates to IIS 6.0.

To configure IIS 6.0:

Start the IIS application and create a new virtual directory for the Web site instance that you intend to work with WebSphere Application Server.

These instructions assume that you are using the Default Web Site.
Click Programs > Administrative Tools > Internet Information Services (IIS) Manager on a Windows Server 2003 Standard Edition system, for example.
Expand the tree on the left until you see Default Web Site.
Right-click Default Web Site > New > Virtual Directory to create the directory with a default installation.
Type sePlugins in the Alias field in the Virtual Directory Alias panel of the Virtual Directory Creation Wizard, then click Next.
Browse to the plugins_root\bin\IIS_web_server_name directory in the Path field of the Web Site Content Directory panel of the wizard, and then click Next.

For example, select the C:\Program Files\IBM\WebSphere\Plugins\bin\IIS_webserver1 directory.
Select the appropriate permission check boxes in the Virtual Directory Access Permissions panel of the wizard.
Select the Read check box and the Execute (such as ISAPI applications or CGI) check box, for example.
Click Next to add the sePlugins virtual directory to your default Web site.
Click Finish when the success message displays.
Copy the plug-in binaries to the plugins_root \bin\IIS_web_server_name directory.

For example. copy the plug-in binary files to the C:\Program Files\IBM\WebSphere\Plugins\bin\IIS_webserver1 directory.

The plugin-cfg.loc file resides in this directory. The first line of the plugin-cfg.loc file identifies the location of the plugin-cfg.xml file.
Expand the Web Sites folder in the left pane navigation tree of the IIS Manager panel.
Right-click Default Web Site in the navigation tree and click Properties.

Add the Internet Services Application Programming Interface (ISAPI) filter into the IIS configuration.

In the Default Web Site Properties panel, perform the following steps:
- Click the ISAPI Filters tab.
- Click Add to open the Add/Edit Filter Properties dialog window.
- Type iisWASPlugin in the Filter name field.
- Click Browse to select the C:\Program Files\IBM\WebSphere\Plugins\bin\IIS_webserver1\iisWASPlugin_http.dll file for the value of the Executable field.
- Browse to your plugins_root \bin\IIS_web_server_name directory to select the iisWASPlugin_http.dll file.
- Click OK to close the Add/Edit Filter Properties dialog window.
- Click OK to close the Default Web Site Properties window.
Set the value in the plugin-cfg.loc file to the location of the configuration file.

Set the location to the plugins_root \config\ webserver_name \plugin-cfg.xml file, which might be C:\Program Files\IBM\WebSphere\Plugins\config\IIS_webserver1\plugin-cfg.xml file.

The location varies depending on how you have configured your system. If the Web server and the Application Server are on separate machines, you have a remote installation.

If the two servers are on the same machine, you have a local installation.

Example:

"C:\IBM\WebSphere\Plugins\config\webserver1\plugin-cfg.xml"
Configure the Web server to run WebSphere Application Server extensions:
- Expand the left pane navigation tree and click on the Web Service Extensions folder in the IIS Manager panel.
- Click Add a new Web service extension to open the New Web Service Extension dialog window.
- In the Extension name field, type WASPlugin as the name of the new Web service extension.
- Click Add to open the Add file dialog window.
- In the Path to file field, type the path or click Browse to navigate to the correct iisWASPlugin_http.dll file that the new Web service extension requires, and click OK.
- Select the Set extension status to Allowed check box to automatically set the status of the new Web service extension to Allowed and click OK.

Configuring Sun One as an RPS with WAS ND 6.1

The following steps discuss how to configure the Sun ONE Web Server 6.0 or Sun Java System Web Server, Version 6.1 and later as RPS with WAS ND 6.1. Before you perform the steps listed below, Sun One and WebServer plug-ins installation needs to be completed.

To configure Sun One:

Configure entries in the obj.conf configuration file and in the magnus.conf configuration file for Version 6.0 and later of Sun Java System Web Server.

Add two directives to the obj.conf file after the <Object name=default> tag:
```
Service fn="as_handler"
AddLog fn="as_term"
```
Add two directives at the end of the magnus.conf file:

The location for the bootstrap.properties directive varies, depending on how you have configured your system. If the Web server and the application server are on separate machines, you have a remote installation.

If the two servers are on the same machine, you have a local installation.

On UNIX (example):
```
Init fn="load-modules" 
     funcs="as_init,as_handler,as_term" 
     shlib="/opt/IBM/WebSphere/Plugins/bin/libns41_http.so"
Init fn="as_init" 
     bootstrap.properties="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-cfg.xml"
```
On Windows (example):
```
Init fn="load-modules" 
     funcs="as_init,as_handler,as_term" 
     shlib="C:\IBM\WebSphere\Plugins\bin\ns41_http.dll"
Init fn="as_init" 
     bootstrap.properties="C:\IBM\WebSphere\Plugins\config\webserver1\plugin-cfg.xml"
```
Set the shared library path on HP-UX machines.

On some installations of Sun Java System Web Server on an HP-UX machine, it is necessary to manually set the SHLIB_PATH variable to /usr/lib before starting Sun Java System Web Server with a plug-in that is configured for Secured Sockets Layer (SSL). For example, in the korn shell, issue the following command before invoking the command to start the Sun Java System Web Server:
```
export SHLIB_PATH=/usr/lib:$SHLIB_PATH
```
Disable the feature of Sun Java System Web Server Version 6.1 that supports servlets and JavaServer Pages files by default.

Disable this feature so that the WebSphere Application Server plug-in can handle the requests.

Remove or comment out the following two lines from the obj.conf configuration file:
```
NameTrans fn="ntrans-j2ee" name="j2ee"
Error fn="error-j2ee"
```
Remove or comment out the following line from the magnus.conf configuration file:
```
Init fn="load-modules"

shlib="C:/Sun/WebServer6.1/bin/https/bin/j2eeplugin.so" 
shlib_flags="(global|now)"
Init fn="load-modules"

shlib="C:\Sun\WebServer6.1\bin\https\bin\j2eeplugin.dll" 
shlib_flags="(global|now)"
```

Setting Up SSL with WebSphere Application Server ND 6.1

WebSphere Application server manages keys in key store files. There are two types of files: key stores and trust stores. There is minimal difference in the structure of both these key stores; besides the main difference - trust store contains only trusted signers.

The CA (Certificate Authority) certificates and other signing certificates are kept in a trust store and private information (personal certificates with private keys) is stored in a key store.

This section discusses:

Generating a Certificate for the WebSphere using PeopleSoft pskeyManager
Modifying the WebSphere Container to Support SSL

Generating a Certificate for the WebSphere using PeopleSoft pskeyManager

Use the following steps to generate a self-signed certificate for the web container.

To generate a certificate using pskeyManager:

At a command prompt, change to the WebSphere domain directory, for example:

PS_HOME\webserv\<profilename>\installedApps\<profilename>NodeCell\peoplesoft.ear
Create a new private key and certificate request for your server.
To create a new private key and certificate signing request, run pskeymanager.cmd -create.
Follow the prompts and specify the information that you normally would when creating a certificate.

The script, pskeymanager is a wrapper to Java's keytool, provided by PeopleSoft to manage the predefined WebSphere keystore of

PS_HOME\webserv\<profilename>\installedApps\<profilename>NodeCell\peoplesoft.ear\keystore\pskey.
Decide which Certificate Authority you wish to use.

At the completion of step 2 a Certificate Signing Request (CSR) file named %ALIAS%_certreq.txt was created in PS_HOME\webserv\\<profilename>\installedApps\<profilename>NodeCell\peoplesoft.ear, and its contents displayed. If you submit this data to a Certificate Authority for processing, you obtain a public key that you can load into your keystore.

At this point, you may use any Certificate Authority that is compatible with Sun's Java 1.4 JKS standard.

As an example, the following steps indicate how to provide the CSR that you generated in step 4 to Verisign to obtain a 14-day free trial certificate.
Submit your CSR to Verisign.

Access Verisign's test cart enrollment site at https://www.verisign.com/products/srv/trial/intro.html. Agree to the license and continue to “Step 2 of 5: Submit CSR”. In the large edit box provided, copy and paste the contents of your CSR generated in step 2.
Supply Verisign with contact information.

Fill out the table titled "Enter Technical Contact Information" with your information and verify that the radio button for the "Free 14-day Trial Server ID" is selected. Once this is done, agree to the license information and click 'Accept'. Your certificate will be emailed to the email address you specified. By selecting the free trial ID, you do not need to fill out the "Cardholder Information" table.

Check your email.

Once you've received your certificate email from VeriSign, you can see your actual certificate in the following format:

This is a sample certificate file:

Copy the certificate information, including --BEGIN CERTIFICATE-- and --END CERTIFICATE-- and save it as a file called webservername-cert.pem. (Don't use a word processor such as Microsoft Word that inserts formatting or control characters.) If you need to FTP your certificate to UNIX, you must FTP it in ASCII mode.

Download the VeriSign TestCA certificate:

Download the VeriSign test CA certificate from http://digitalid.verisign.com/cgi-bin/getcacert. When prompted, save getcacert.cer to your WebSphere domain directory. If you need to FTP your certificate to UNIX, you must FTP it in ASCII mode to your WebSphere domain directory.
Import the Verisign test Certificate Authority's certificate into your keystore.

To import the Certificate Authority's public certificate (which you received from Verisign) into your keystore, run pskeymanager.cmd -import. When prompted for an alias, specify VerisignTestCA as the name to store this CA as. This name is simply an alias for this certificate. When prompted for the certificate file to import, specify the getcacert.cer file.
Import your certificate into your keystore.

To import your public certificate (which you received from Verisign in step 8) into your keystore, run the following command from the dos window “pskeymanager.cmd −import”. When prompted for an alias specify the same alias you did when you created your private key and cert request in step 4. When prompted for the certificate file to import, specify your certificate file, webservername-cert.pem.

Modifying the WebSphere Container to Support SSL

To complete the configuration between Web server plug-in and Web Container, the WebSphere Web Container must be modified to use the previously created self-signed certificates.

To set up WebSphere Container SSL:

Start the WebSphere Administration Console, then after login, select Security, SSL certificate and key management, Manage endpoint security configuration.
Click on Inbound, Node or NodeName (as in. peoplesoftNode in this example).
Click on Key stores and certificates under related Items.
Click on NodeDefaultKeyStore under name.
Click in Personal certificate under the Additional Properties.
Click on default under the Import icon at right hand side.
Enter the information of your certification.
- Key file name: Specifies the fully qualified path to keystore file that contains the certificate to import. PS_HOME\webserv\cellname_nodename_servername\peoplesoft.ear\keystore\pskey
- Key File Password: password. This is the password you used when you created your keystore.
- Key File Format: JKS
- Click on Get key file aliases. It will then search the key store and populate the alias name in the drop down box under Certificate alias to import
- Input a new alias name in box under Imported Certificate alias if you want to use a new name otherwise leave it empty.
Click Apply and then OK.
Save the configuration in the WebSphere Administration Console.

Note. To setup Outbound SSL, go back to Step 2 and select, click on the Nodename under Outbound; repeat the steps 3 to 10.

Result

You should see the following screen showing the alias being imported. Then you can use the https with SSL port to access your PIA.

Administering WebSphere Application Server ND 6.1

For all the administrative tasks, refer to IBM’s WebSphere Application Server 6.1 Information Center at

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp

Some of the administrative tasks include JVM performance monitoring, enabling tracing and troubleshooting WAS 6.1.