From development to production
The Liberty profile runtime fits the full range of production environments, from stand-alone servlet engines to massive Java EE deployments. By using the different Liberty server configurations to fit the different applications, you can eliminate the complexity of managing different application servers. You can simplify your operations with a single set of management skills, tools, and processes. The Liberty profile can be used to develop and deploy on the same runtime, to any environment, at any scale. The applications can be moved easily between the traditional and the cloud environments, and the Liberty profile can be used to create an elastic hybrid cloud environment.
The chapter contains the following sections:
8.1 Configuring a server for production use
The following advanced configuration settings should be considered when using a Liberty profile server in a production environment.
8.1.1 Turning off application monitoring
By default, application directories are monitored for any updates. Because applications are unlikely to change frequently in a production environment and because this monitoring can be resource-intensive, the preferred practice is to disable application monitoring.
Application monitoring can be disabled in the Liberty profile developer tools by editing the server configuration. In the design view, click Application Monitoring. In the Application Monitoring details window, clear the box next to Monitor application drop-in directory. Additionally, you might want to change the value of the drop-down menu for Application update trigger to disabled.
To disable application monitoring by editing the server.xml file, add the following element:
<applicationMonitor updateTrigger="disabled" dropinsEnabled="false"/>
You can also change the value of the updateTrigger attribute to mbean. This allows you to update the application manually by using JMX.
8.1.2 Turning off configuration file monitoring
As with application monitoring, configuration file monitoring is enabled by default. To disable this function by editing the server.xml file, add the following element:
<config updateTrigger="disabled"/>
If you want to keep configuration file monitoring enabled but make it less resource-intensive, you can change the value of the monitorInterval attribute. The monitorInterval attribute sets the rate at which the server checks for configuration updates. To change the value of the monitorInterval attribute, add the following element:
<config monitorInterval="60s" updateTrigger="polled"/>
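The settings from 8.1.1 and 8.1.2 can be checked before a server.xml file is promoted to production. The following Python sketch is an added example, not code from the original text or from IBM; the sample files are constructed, the 60-second minimum polling interval is an assumed threshold taken from the element shown above, and the fallback values used when an element or attribute is missing (polled, true, 500ms) are assumptions that reflect monitoring being enabled by default.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: no applicationMonitor element, fast configuration polling.
SAMPLE_DEV = """<server>
  <featureManager><feature>servlet-3.0</feature></featureManager>
  <config monitorInterval="500ms" updateTrigger="polled"/>
</server>"""

# Constructed sample: the elements shown in sections 8.1.1 and 8.1.2.
SAMPLE_PROD = """<server>
  <applicationMonitor updateTrigger="disabled" dropinsEnabled="false"/>
  <config monitorInterval="60s" updateTrigger="polled"/>
</server>"""

_UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}


def duration_ms(text):
    """Convert a duration such as '60s' or '1m30s' to milliseconds.

    A bare number is treated as milliseconds (assumption of this example).
    """
    text = text.strip()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)(ms|s|m|h)", text)
    # Reject anything the pattern did not consume completely.
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError("unparseable duration: %r" % text)
    return sum(int(n) * _UNIT_MS[u] for n, u in parts)


def audit(server_xml, min_interval_ms=60_000):
    """Return a list of findings; an empty list means the file passes."""
    root = ET.fromstring(server_xml)
    findings = []

    # A missing element or attribute means the default applies, and the
    # default is that monitoring is enabled.
    app = root.find("applicationMonitor")
    attrs = app.attrib if app is not None else {}
    trigger = attrs.get("updateTrigger", "polled")
    if trigger not in ("disabled", "mbean"):
        findings.append("applicationMonitor: updateTrigger is %s" % trigger)
    if attrs.get("dropinsEnabled", "true").lower() != "false":
        findings.append("applicationMonitor: dropins directory is monitored")

    cfg = root.find("config")
    attrs = cfg.attrib if cfg is not None else {}
    trigger = attrs.get("updateTrigger", "polled")
    if trigger == "polled":
        interval = duration_ms(attrs.get("monitorInterval", "500ms"))
        if interval < min_interval_ms:
            findings.append("config: polled every %d ms" % interval)
    elif trigger not in ("disabled", "mbean"):
        findings.append("config: unexpected updateTrigger %s" % trigger)
    return findings


if __name__ == "__main__":
    for name, xml_text in (("dev", SAMPLE_DEV), ("prod", SAMPLE_PROD)):
        print(name, audit(xml_text) or "OK")
```
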
8.1.3 Generating a web server plug-in configuration
To use the Liberty profile server with an external web server, you must generate the web server plug-in configuration, whose properties can be specified in the server configuration.
To add plug-in configuration properties in the Liberty profile developer tools, load the server.xml file in the Design editor and click the server configuration. Then, click Add and select Generate Plug-in. You can specify properties such as ports in the Generate Plug-in details window.
To add plug-in configuration properties by editing the server.xml file, add a pluginConfiguration element to the file. The element supports the following attributes:
webServerPort: The port that the web server uses to listen for requests. The default value is 80.
webServerSecurePort: The port that the web server uses to listen for secure requests. The default value is 443.
ipv6Preferred: Whether to prefer IPv6. The default value is false.
pluginInstallRoot: The plug-in installation root.
sslCertLabel: SSL certificate label.
sslKeyringLocation: SSL key ring location.
sslStashFileLocation: SSL stash file location.
The actual plug-in configuration file must be generated either by using a utility in the Liberty profile developer tools, or by running an mbean command using JMX. In the tools, generate the file by right-clicking the server and selecting Utilities → Generate Web Server Plug-in.
To generate the plug-in configuration using mbean, use a JMX console, such as jconsole, to connect to the server. The localConnector-1.0 feature must be enabled on the server. From the console, start the defaultPluginConfig generation MBean.
8.2 Using the package utility
Because a Liberty profile server is lightweight, it can be packaged easily with applications in a compressed file. This package can be stored, distributed to colleagues, and used to deploy the application to a different location or to another system. It can even be embedded in the product distribution. Deploying by replacing the package is the best practice for the Liberty profile.
The packaged Liberty profile is an archive file that contains one or more types of resources of the Liberty profile environment like the server configuration or the application. The types depend on the topology that is deployed. You can extract them manually or you can use an extraction tool to deploy the file to one or more systems. Alternatively, you can use the job manager or Liberty collective in the WebSphere Application Server Network Deployment product to deploy these images.
The package contains all of the binary files, server configuration, and applications necessary to distribute the server.
8.2.1 Packaging a Liberty profile server by using the WebSphere developer tools
Use the following procedure to package a Liberty profile server from the WebSphere developer tools:
1. Stop the server.
2. From the Servers view, right-click the server and select Utilities → Package Server.
3. Enter a file name for the archive.
4. Select whether you want to include all server content (including the server binary files) or only the server applications and configuration.
5. Click Finish.
8.2.2 Packaging a Liberty profile server from a command prompt
Use the following procedure to package a Liberty profile server from a command prompt:
1. Navigate to the Liberty profile server installation root directory.
2. Run the bin/server package server_name command.
The package command supports the following options:
--archive: The name of the output file.
--include: Specify all to include the entire server configuration, usr to include only the server applications and configuration, or minify to include only the resources that are required by the server. The minify option minimizes the server by scanning the runtime and selecting only the loaded features.
8.2.3 Using the Job Manager to package and distribute Liberty profile servers
In WebSphere Application Server V8.5 Network Deployment, use the Job Manager to perform these functions:
Package the Liberty profile runtime environments, configurations, and applications.
Distribute and deploy a Liberty profile server and applications.
Start embedded profile packages.
For more information about how to package the Liberty profile using the job manager, see the following website:
 
8.2.4 Using the Liberty collective to distribute Liberty profile servers
In WebSphere Application Server V8.5 Network Deployment, you can configure the Liberty collective. In the Liberty collective, the FileTransfer and FileService MBeans can be used to perform file actions on any Liberty server in the Liberty collective. This includes both Liberty servers configured as collective controllers and those configured as collective members. You can distribute the package to the Liberty server by using these MBeans. You can also use the AdminCenter to distribute the package; it is already available and is more user-friendly than using the MBeans manually.
For more information about the package distribution using the Liberty collective, see the following website:
8.3 Moving an application to the full profile
Applications that are developed on the Liberty profile server can also be redeployed to run on a WebSphere full profile server. The WebSphere full profile environment provides some features that are not available in the Liberty profile server. Applications that are developed in the full profile environment might not run on Liberty profile.
8.3.1 Programming model differences between full profile and Liberty profile
The WebSphere full profile server and the Liberty profile server differ in programming support for the following technologies:
Java EE 6
Java EE 7
Enterprise Open Service Gateway initiative (OSGi)
For example, the Liberty profile already supports Java EE 7, but full profile does not yet. For OSGi applications, Liberty profile does not support Blueprint security.
For a more detailed comparison of technologies that are supported by the full profile and Liberty profile, see the following website:
8.3.2 Configuration differences between full profile and Liberty profile
Although applications developed in the Liberty profile environment can be run on the full profile, there might be some configuration differences that must be addressed.
General concerns
In the Liberty profile, many properties that represent time values can be specified using units of time. For example, 1 hour can be specified as the value 1h. In full profile, time values are typically expressed as numeric values. When migrating application resources such as data sources or connection managers to full profile, you might need to modify property values to be specified as numbers.
Class loading
The Liberty profile server provides different methods of controlling class visibility than the full profile server. If your application requires you to configure advanced class loading behavior, you might need to reconfigure class loading in the full profile environment. You might also need to configure class loading in full profile if your application embeds classes that conflict with the full profile run time.
For more information about class loading in the full profile, see the following website:
Data sources
Some data source properties have different names:
ifxIFX_LOCK_MODE_WAIT is informixLockModeWait in the full profile.
supplementalJDBCTrace is supplementalTrace in the full profile.
Some data source properties have different default values:
beginTranForResultSetScrollingAPIs is true by default in the Liberty profile.
beginTranForVendorAPIs is true by default in the Liberty profile.
statementCacheSize is 10 by default in the Liberty profile.
The Liberty profile allows connectionSharing to be configured to either MatchOriginalRequest or MatchCurrentState. By default, it is MatchOriginalRequest.
The Liberty profile allows connectionSharing to be configured in a finer grained manner, where individual connection properties can be matched based on the original connection request or current state of the connection. In the full profile, connectionSharing is a combination of bits representing which connection properties to match based on the current state of the connection.
In the full profile, a value of 0 means match all properties that are based on the original connection request, and a value of -1 means to match all properties that are based on the current state of the connection. The default value for the full profile is 1, which means that the isolation level is matched based on the current state of the connection and all other properties are matched based on the original connection request.
For more information about the differences for data sources of the full profile and the Liberty profile, see the following website:
Connection Manager
Some of the connection manager properties have different names in the full profile and Liberty profile. Table 8-1 shows the property naming differences.
Table 8-1 Properties with different names
Liberty profile property name | Full profile property name
maxConnectionsPerThread | maxNumberofMCsAllowableInThread
maxIdleTime | unusedTimeout
maxPoolSize | maxConnections
minPoolSize | minConnections
There are also differences in the way timeout values for immediate or never (disabled) are specified. In Liberty profile, 0 represents an immediate timeout and -1 represents a disabled timeout. In full profile, -1 represents an immediate timeout and 0 represents a disabled timeout.
The value of the purge policy can also differ slightly between full profile and Liberty profile. There are three possible values in Liberty profile: EntirePool, FailingConnectionOnly, and ValidateAllConnections. The EntirePool option maps directly to the EntirePool option in full profile. FailingConnectionOnly maps to the FailingConnectionOnly option with the defaultPretestOptimizationOverride property set to false in the full profile. ValidateAllConnections corresponds to FailingConnectionOnly with the defaultPretestOptimizationOverride property set to true in full profile.
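The renames in Table 8-1, the inverted timeout sentinels, and the purge policy mapping can be applied together when a connection manager definition is moved to the full profile. The following Python sketch is an added example, not code from the original text or from IBM; it also covers the connectionSharing values from the Data sources passage. The sample attributes are constructed, the timeout names other than maxIdleTime are assumptions, and full profile time values are assumed to be numbers of seconds.

```python
import re

# Table 8-1: Liberty profile property name -> full profile property name.
RENAMES = {
    "maxConnectionsPerThread": "maxNumberofMCsAllowableInThread",
    "maxIdleTime": "unusedTimeout",
    "maxPoolSize": "maxConnections",
    "minPoolSize": "minConnections",
}

# Properties converted as timeouts. Only maxIdleTime appears in the text;
# the other three names are assumptions of this example.
TIMEOUTS = {"maxIdleTime", "connectionTimeout", "agedTimeout", "reapTime"}

# Liberty purge policy -> (full profile purge policy,
#                          defaultPretestOptimizationOverride or None)
PURGE = {
    "EntirePool": ("EntirePool", None),
    "FailingConnectionOnly": ("FailingConnectionOnly", "false"),
    "ValidateAllConnections": ("FailingConnectionOnly", "true"),
}

# Data source connectionSharing: Liberty keyword -> full profile value.
SHARING = {"MatchOriginalRequest": 0, "MatchCurrentState": -1}

_SECONDS = {None: 1, "s": 1, "m": 60, "h": 3600}


def timeout_to_full(value):
    """Convert a Liberty timeout to a full profile number (seconds assumed).

    Liberty:      0 = immediate, -1 = disabled.
    Full profile: -1 = immediate, 0 = disabled.
    """
    value = value.strip()
    if value == "-1":
        return 0
    match = re.fullmatch(r"(\d+)(s|m|h)?", value)
    if match is None:
        raise ValueError("unsupported time value: %r" % value)
    seconds = int(match.group(1)) * _SECONDS[match.group(2)]
    return -1 if seconds == 0 else seconds


def connection_manager_to_full(liberty):
    """Map a dict of Liberty connection manager attributes to full profile."""
    full = {}
    for name, value in liberty.items():
        if name == "purgePolicy":
            policy, override = PURGE[value]
            full["purgePolicy"] = policy
            if override is not None:
                full["defaultPretestOptimizationOverride"] = override
        elif name in TIMEOUTS:
            full[RENAMES.get(name, name)] = timeout_to_full(value)
        elif name in RENAMES:
            full[RENAMES[name]] = int(value)
        else:
            full[name] = value
    return full


def connection_sharing_to_full(liberty_value=None):
    """Liberty defaults to MatchOriginalRequest and the full profile to 1,
    so the converted value is always returned explicitly."""
    return SHARING[liberty_value or "MatchOriginalRequest"]


# Constructed sample: attributes of a Liberty connection manager definition.
SAMPLE = {
    "maxPoolSize": "50",
    "minPoolSize": "5",
    "maxIdleTime": "30m",
    "connectionTimeout": "0",
    "agedTimeout": "-1",
    "purgePolicy": "ValidateAllConnections",
}

if __name__ == "__main__":
    print(connection_manager_to_full(SAMPLE))
    print(connection_sharing_to_full())
```
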
For more information about the differences for Connection Manager of the full profile and the Liberty profile, see the following website:
Security
In the Liberty profile, you can configure user-to-role mappings and runAs users in the application-bnd element of the server.xml file. In the full profile, you can configure this only in ibm-application-bnd.xml/xmi or via the administrative console.
Liberty profile has the following security limitations as compared to full profile:
Not all public APIs and SPIs are supported. The Java API document for each Liberty profile API is detailed in the Programming Interfaces (APIs) section of the IBM Knowledge Center, and is also available in a separate compressed file in one of the Javadoc subdirectories of the /dev directory of the server image.
No horizontal propagation of the security attribute.
No SecurityAdmin MBean support; therefore, methods such as clearing the authentication cache are not available.
No Java 2 Connector (J2C) principal mapping modules support.
No multiple security domain support.
No security auditing subsystem that is part of the security infrastructure of the server.
For more information about the differences for the security of the full profile and the Liberty profile, see the following website:
Web Services Security
WS-Security in the Liberty profile is configured by using the WS-SecurityPolicy within the Web Service Definition Language (WSDL) file of a web service application. WS-Security, in the full profile, is configured and enabled by using a policy set.
WS-Security in Liberty profile supports the following WS-Security Policy namespaces:
WS-Security, in full profile, supports the WS-Security policy namespace:
The Liberty profile supports more policy assertions than the full profile. To sign or encrypt a SupportingToken, such as a UsernameToken in the Liberty profile, you assert the token as SignedSupportingTokens, SignedEncryptedSupportingTokens, or EncryptedSupportingTokens. In the full profile, you must use an XPath expression to sign or encrypt a SupportingToken.
Some endorsing tokens are not supported in the full profile, including EndorsingSupportingTokens, SignedEndorsingSupportingTokens, EndorsingEncryptedSupportingTokens, and SignedEndorsingEncryptedSupportingTokens.
Both the Liberty profile and the full profile support the SymmetricBinding and AsymmetricBinding assertions. Only Liberty profile supports the TransportBinding assertion.
The IncludeToken assertion is enforced in the Liberty profile, but is ignored in the WS-Security runtime environment of the full profile.
The Liberty profile supports PasswordDigest and key derivation in the UsernameToken assertion. The full profile supports only PasswordText in a UsernameToken.
An unrecognized element in the Security header is rejected by the full profile. It is accepted by the Liberty profile.
For more information about the differences for the Web Service Security of the full profile and the Liberty profile, see the following website:
Web applications
The Liberty profile server does not automatically expand web archive (WAR) files that are deployed to the server. The Java EE specification states that the getRealPath() method returns a null value if the content is being made available from a WAR file.
If your application relies on a result being returned by getRealPath(), you must deploy the application as an expanded web application, not as a WAR file. For example, you can manually extract the WAR file and copy the expanded application to the dropins directory.
JSP
Full profile supports a useInMemory configuration option to store only translated JSP files in memory. The jsp-2.2 feature of Liberty profile does not support this option.
8.4 Using the Liberty profile on z/OS
WebSphere Application Server V8.5 provides features for administering a Liberty profile on a z/OS platform. You can use IBM MVS™ operator commands to create, start, stop, or modify the Liberty profile servers.
The IBM Installation Manager is used to install the Liberty profile on z/OS as part of the com.ibm.websphere.liberty.zOS.v85 package offering described in 2.2.3, “Installation on z/OS”.
Before creating a server or running the default server instance, you need to set the Java Runtime. The Liberty profile runtime searches for the Java command in the following order of properties: JAVA_HOME, JRE_HOME, and PATH.
You can set the environment variable by executing a command with the same syntax as in Example 8-1. This command exports the environment variable, but it is only valid in the command prompt shell that you are currently in.
Example 8-1 Exporting the PATH environment variable
export PATH=/usr/lpp/java/J7.0_64/bin/:/bin/:/usr/sbin/:.
Additionally, you can use the Liberty profile server.env configuration file to set up a specified Java Runtime. To configure the Java runtime using this file, add the JAVA_HOME parameter and the required value for your environment into the file as in Example 8-2. If the server.env file does not exist, you must create it manually in the Liberty profile etc directory, which should be in the Liberty profile installation directory. If the etc directory does not exist, you have to create it manually as well. The server.env file in the etc directory is shared by all servers created from the runtime. You can also place the server.env file in the home directory of a server to be used only by that server.
Example 8-2 JAVA_HOME variable in server.env
MTRES1 @ SC49:/u/mtres1/IBM/etc>cat ./server.env
JAVA_HOME=/usr/lpp/java/J7.0_64/
MTRES1 @ SC49:/u/mtres1/IBM/etc>
 
Note: The Liberty profile installation directory is often represented by the ${wlp.install.dir} variable in configuration files.
After setting the Java Runtime, you can create and start a Liberty profile server as in Example 8-3. You can configure your server and add features using the server.xml file.
Example 8-3 Creating and starting a Liberty profile server
MTRES1 @ SC49:/u/mtres1/IBM/bin>./server create server1
Server server1 created.
MTRES1 @ SC49:/u/mtres1/IBM/bin>./server start server1
Starting server server1.
Server server1 started with process ID 67633642.
MTRES1 @ SC49:/u/mtres1/IBM/bin>
To list the version of the Liberty profile that you are using, run the server version command. To find information about the features of your Liberty profile, run the productInfo featureInfo command as in Example 8-4.
Example 8-4 Listing the version and features of a Liberty profile
MTRES1 @ SC49:/u/mtres1/IBM/bin>server version
WebSphere Application Server 8.5.5.6, WAS FOR Z/OS 8.5.5.6 (1.0.9.20150425-1300) on IBM J9 VM, version pmz6470sr8fp10-20141219_01 (SR8 FP10) (en_US)
MTRES1 @ SC49:/u/mtres1/IBM/bin>./productInfo featureInfo
appSecurity-1.0 [1.1.0]
appSecurity-2.0 [1.0.0]
beanValidation-1.0 [1.0.0]
blueprint-1.0 [1.0.0]
cdi-1.0 [1.0.0]
clusterMember-1.0 [1.0.0]
collectiveController-1.0 [1.0.0]
collectiveMember-1.0 [1.0.0]
concurrent-1.0 [1.0.0]
distributedMap-1.0 [1.0.0]
ejbLite-3.1 [1.0.0]
jaxrs-1.1 [1.0.0]
jdbc-4.0 [1.0.0]
jndi-1.0 [1.0.0]
jpa-2.0 [1.0.0]
jsf-2.0 [1.0.0]
json-1.0 [1.0.0]
jsp-2.2 [1.0.0]
ldapRegistry-3.0 [1.0.0]
localConnector-1.0 [1.0.0]
managedBeans-1.0 [1.0.0]
monitor-1.0 [1.0.0]
oauth-2.0 [1.0.0]
osgi.jpa-1.0 [1.0.0]
osgiConsole-1.0 [1.0.0]
restConnector-1.0 [1.0.0]
serverStatus-1.0 [1.0.0]
servlet-3.0 [1.0.0]
sessionDatabase-1.0 [1.0.0]
ssl-1.0 [1.0.0]
timedOperations-1.0 [1.0.0]
wab-1.0 [1.0.0]
webCache-1.0 [1.0.0]
webProfile-6.0 [6.0.0]
zosSecurity-1.0 [1.0.0]
zosTransaction-1.0 [1.0.0]
zosWlm-1.0 [1.0.0]
MTRES1 @ SC49:/u/mtres1/IBM/bin>
Additional optional features provide enhanced integration with z/OS qualities of service:
Classify inbound HTTP requests with Workload Manager (WLM)
Use an IBM DB2® Type 2 driver with Resource Recovery Services (RRS) transaction management
Authenticate users by using a System Authorization Facility (SAF) user registry
Authorize users by using a SAF authorization provider
You can add more features to your Liberty profile installation by using the featureManager command. Be aware that some features are available starting with a specific version of the Liberty profile. For example, the z/OS Connect offering feature can be set up only if you are running Liberty profile version 8.5.5.2 with interim fix packs IFPI18279 and IFPI18379, or version 8.5.5.3. Make sure that you always run the most recent version of the Liberty profile.
To add features to your z/OS Liberty profile server, complete the following two steps:
1. Install the new feature (if available for your version of z/OS Liberty profile server). This can be accomplished by using IBM Installation Manager or the featureManager command. For more information, see the following website:
2. Enable the new feature by editing the server.xml configuration file of your z/OS Liberty profile server and adding the feature short name in a feature XML tag.
For more information about administering the Liberty profile on z/OS, see the following IBM Knowledge Center website:
8.4.1 IBM z/OS Connect
The IBM z/OS Connect offering is a new Liberty profile feature that encapsulates calling z/OS target applications by using Representational State Transfer (REST) calls. Following are the benefits of z/OS Connect:
Provides RESTful access to identify and invoke z/OS-based business assets in IBM CICS®, IBM IMS™, UNIX System Services, and classic batch environments, opening up these assets to cloud and mobile-based system of engagement environments.
Functionality that is based on Liberty server technology, is lightweight and easily configurable, and provides z/OS differentiation with SAF security integration, z/OS WLM, and Resource Recovery Services (RRS) integration. WLM integration means different URIs can have varying levels of priority and performance criteria.
As a feature in the Liberty profile server on z/OS, you can integrate z/OS Connect with z/OS standard system management, which can run as a started task and integrate with z/OS automated operations.
Provides the ability to secure individual or groups of z/OS Connect services with SAF security in which only specific users or groups can have access to specific services.
Provides the ability to uniformly track requests from cloud, mobile, and web environments by using z/OS System Management Facility (SMF) services. This tracking means that z/OS clients can use their existing processes for auditing and chargeback for requests from these environments.
Enables automatic conversion of the request payload from JavaScript Object Notation (JSON) form on input to binary form consumable by z/OS applications such as COBOL, PL/I, and C. The response from the z/OS application is converted in the reverse direction, from binary to JSON form.
To enable the z/OS Connect feature, you have to install it first. Example 8-5 shows how to use the featureManager command to install the z/OS Connect feature from a local repository. Then, edit the server.xml file of your Liberty profile server and add the zosConnect-1.0 feature.
Example 8-5 Installing the zosConnect-1.0 feature by using the featureManager command
MTRES1 @ SC49:/u/mtres1/IBM/bin>featureManager install zosConnect-1.0 --offlineOnly --location=/u/mtres1/kits/8556/repository/files/
 
Additional Features Terms & Conditions:
By clicking on the "I agree" button , you agree that the program code,
samples, updates, fixes and related licensed materials such as keys and
documentation ("Code") that you are about to download are subject to
the terms of the license agreement that you accepted when you acquired
the Program for which you are obtaining the Code. You further agree
that you will install or use the Code solely as part of a Program for
which you have a valid agreement or Proof of Entitlement. The terms
"Program" and "Proof of Entitlement" have the same meaning as in the
IBM International Program License Agreement ("IPLA"). The IPLA is
available for reference at http://www.ibm.com/software/sla/
 
Select [1] I Agree, or [2] I do not Agree: 1
 
Step 1 of 4: Starting installation...
Step 2 of 4: Installing zosConnect-1.0...
Step 3 of 4: Cleaning up temporary files...
Step 4 of 4: Installation completed
CWWKF1017I: One or more features installed successfully: [zosConnect-1.0].
Start product validation...
Product validation completed successfully.
 
MTRES1 @ SC49:/u/mtres1/IBM/bin>
For more information about the IBM z/OS Connect feature, see the following website:
8.4.2 WebSphere optimized local adapters for z/OS
The z/OS native applications can use the WebSphere optimized local adapters (WOLA) new Liberty profile feature for z/OS to make inbound calls to the application server enterprise beans and enable native programs to act as a server and accept requests from applications running in the WebSphere Liberty profile server.
To enable this feature, you need to install it as shown in Example 8-6 and enable it by editing the server.xml file of your server. You have to use the zosLocalAdapters-1.0 short name of the feature.
Example 8-6 Installing the zosLocalAdapters-1.0 feature using the featureManager command
MTRES1 @ SC49:/u/mtres1/IBM/bin>featureManager install zosLocalAdapters-1.0 --offlineOnly --location=/u/mtres1/kits/8556/repository/files/
 
Additional Features Terms & Conditions:
By clicking on the "I agree" button , you agree that the program code,
samples, updates, fixes and related licensed materials such as keys and
documentation ("Code") that you are about to download are subject to
the terms of the license agreement that you accepted when you acquired
the Program for which you are obtaining the Code. You further agree
that you will install or use the Code solely as part of a Program for
which you have a valid agreement or Proof of Entitlement. The terms
"Program" and "Proof of Entitlement" have the same meaning as in the
IBM International Program License Agreement ("IPLA"). The IPLA is
available for reference at http://www.ibm.com/software/sla/
 
Select [1] I Agree, or [2] I do not Agree: 1
 
Step 1 of 5: Starting installation...
Step 2 of 5: Installing jca-1.6...
Step 3 of 5: Installing zosLocalAdapters-1.0...
Step 4 of 5: Cleaning up temporary files...
Step 5 of 5: Installation completed
CWWKF1017I: One or more features installed successfully: [jca-1.6, zosLocalAdapters-1.0].
Start product validation...
Product validation completed successfully.
MTRES1 @ SC49:/u/mtres1/IBM/bin
In order to use this feature, edit the server.xml file of your Liberty profile server and create a connection factory entry to provide a JNDI name as shown in Example 8-7.
Example 8-7 Server.xml tags used for the zosLocalAdapters-1.0 feature
<server>
    <featureManager>
        <feature>zosConnect-1.0</feature>
        <feature>zosLocalAdapters-1.0</feature>
    </featureManager>
    <!-- Local adapters connection factory definition -->
    <authData id="mtres" user="mtres1" password="{xor}MjY6LTM6Pg=="/>
    <connectionFactory id="wolaCF" jndiName="eis/ola" containerAuthDataRef="mtres">
        <properties.ola/>
    </connectionFactory>
    <!-- Provide WOLA server identity -->
    <zosLocalAdapters wolaGroup="LIB1" wolaName2="LIB2" wolaName3="LIB3" />
</server>
For more information about using the zosLocalAdapters-1.0 feature, see the following website:
8.4.3 Disabling z/OS operator console command handling
A new feature for the z/OS Liberty profile is the option to disable the z/OS operator console command handling. This needs to be done when your application or product extension feature listens for and handles z/OS operator console commands directly, because that conflicts with the built-in Liberty for z/OS operator console command handler.
Follow these steps to disable the z/OS operator console command handling:
1. Create the bootstrap.properties file (if it does not exist in the server configuration directory).
2. Set websphere.os.extension=zosNoConsoleExtensions-1.0 in the bootstrap.properties file.
3. Restart your z/OS Liberty profile server.
For more information, see the following website:
 