
APP-CAP1676

VMware vFabric tc Server Best Practices for Security, Stability and Sanity

Channing Benson, VMware, Inc.

#vmworldapps

Disclaimer

This session may contain product features that are currently under development.

This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Agenda

- Introduction / Goals
- What is tc Server?
- tc Server Installation and Configuration
- Hyperic Configuration
- Web Application Deployment and Management
- tc Server Instance Deployment Variations
- Performance Tuning
- Security
- Resources

Introduction / Goals

- tc Server: vFabric application server
- What is a Best Practice?
  - Provide practical advice in installation, care, and feeding
  - Educate for contingencies
- Lots of ground to cover
  - Compromise between breadth and depth

What is vFabric tc Server?

tc Server: vFabric Application Server

[Diagram: the vFabric application platform. Programming Model: Spring Tool Suite, Spring Data, Integration Patterns, Batch Framework. Runtime: Java Runtime (tc Server), vFabric Web Server, SQLFire, RabbitMQ, GemFire, Java Optimizations (EM4J). Application Performance Monitoring (APM): App Speed, Insight. Cloud Infrastructure and Management: vCops, Application Deployment (App Director, Data Director), Dynamic Ops, vCO.]

tc Server: Replace Legacy Java Servers and Apache Tomcat

- Efficient, lean, fit-to-purpose runtime platform
- Lower cost and complexity
- Enterprise capabilities on Apache Tomcat-compatible base

vmware.com/go/tc

tc Server versus Apache Tomcat

- Tomcat+, 100% compatible
- Added features
  - Convenience scripts
  - Support
  - Indemnification and licensing clarification
  - Enterprise features and integration
- Infrastructure integration
  - VMware vFabric Hyperic monitoring and management
  - Spring application profiling with VMware vFabric AppInsight
  - Elastic Memory for Java (EM4J)

Beyond ASF Tomcat, Fully Compatible

- Nothing removed, only added
- Full binary application compatibility: zero lock-in
- Patch and update without touching configuration
- Multi-instance templating
- Dynamic log level changes with JMX
- Obfuscation of configuration passwords
- Improved Windows service wrapper
- UNIX init.d startup scripts provided
- Pre-tuned and secured
- Native session-replication clustering or VMware vFabric GemFire
- Built-in diagnostics valve

Beyond ASF Tomcat, Fully Compatible (cont.)

[Diagram: encryption for DB passwords (proprietary). The cleartext value from server.xml goes through Encode; the encoded value is then referenced from server.xml and catalina.properties.]

tc Server Installation and Configuration

Installing tc Server

- Simplest method is to unpack the file archive
  - .tar.gz (Linux) or .zip (Windows)
- RPM provided for Linux
  - Implements certain best practices
- Java SDK or JRE is required
  - Java 6 or Java 7
- After installation, create instance(s) to host web applications

RPM Install Actions

- Gets latest version
- Installs in fixed location
  - /opt/vmware/vfabric-tc-server-standard
  - Owner: root, Group: vfabric
- Creates vfabric group
- Creates tcserver user
- Creates target directory for tc Server instances
- Sets up bash command completion for tc Server scripts

tc Server User and Group

- Don't run as root!
- Convention simplifies administration
  - tcserver user in vfabric group
- Implications on Hyperic configuration

Separate Instance Directory

- tc Server facilitates a separate directory for instances
  - Uses Tomcat's CATALINA_BASE and CATALINA_HOME
  - Improves maintainability
  - Improves security
- /var/opt/vmware/vfabric-tc-server-standard
  - Owned by user tcserver with group vfabric
  - Keeps product bits protected from non-root access
- tcruntime-instance script to create instances
- tcruntime-ctl script to control instances

Implemented Using Environment Variables

- CATALINA_HOME
  - Points to the directory containing the core Tomcat implementation
  - For example, INSTALL_DIRECTORY/tomcat-7.0.23.A.RELEASE
- CATALINA_BASE
  - Points to the directory containing elements unique to an instance
  - Contents override any duplicates from CATALINA_HOME
  - By default, CATALINA_BASE = CATALINA_HOME

Creating an Instance Using Templates

- Use the tcruntime-instance script
- This script uses templates
  - Templates encapsulate the configuration of an instance
  - Both user-specified and default
- Templates customize configuration file contents
- Templates customize files in the hierarchy
  - Deployed applications in the webapps directory, for example
- Example: gemfire-cs
  - Instance will store session data with GemFire
- Create and use your own templates
  - Standardize security elements

Configure Instance to Start at System Boot

- Windows: the Windows version of tcruntime-instance creates a Windows service
- Linux: the tcruntime-instance script creates an init.d.sh script

Obfuscating Passwords in Configuration Files

- tc Server value-add
- Problem: passwords for accessing resources such as database servers appear in cleartext in tc Server configuration files.
- Can only use encryption by interacting with tc Server at startup time, e.g. entering a key
  - Not feasible for production environments
- Imperfect solution is to obfuscate the password by one of
  - Encoding in base64
  - Encoding with a specific passphrase
  - Encoding with a passphrase stored in a separate file from the encoded version
  - Encoding with a passphrase entered when tc Server is started
    - Not often practical in production

Obfuscating Passwords in Configuration Files (cont.)

- Enter either directly in the config file (e.g. server.xml) or using a variable (with the variable value entered in conf/catalina.properties).
- Use the Java class in the tc Server runtime directory to obtain the value:

  % cd /opt/vmware/vfabric-tc-server-standard/tomcat-7.0.27.A.RELEASE
  % java -cp lib/tcServer.jar:bin/tomcat-juli.jar:lib/tomcat-coyote.jar \
      com.springsource.tcserver.security.PropertyDecoder encode base64 mypassword

- In catalina.properties, have the following precede the variable value, like:

  org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.springsource.tcserver.security.PropertyDecoder
  com.springsource.tcserver.security.PropertyDecoder.passphrase=base64
  db.password=s2enc://bXlwYXNzd29yZA==
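As an added illustration (not tc Server's own PropertyDecoder code), the following reproduces what the "encode base64" mode stores in catalina.properties, shows that the value decodes back without any secret, and scans a properties fragment for password values that were never encoded; the property names in the sample are constructed.

```python
# Added example (not tc Server's PropertyDecoder): the s2enc:// base64 form,
# its reversal, and a scan for password properties left in cleartext.
import base64

PREFIX = "s2enc://"


def s2enc_encode(cleartext: str) -> str:
    """Return the value tc Server's base64 mode writes: s2enc:// + base64."""
    return PREFIX + base64.b64encode(cleartext.encode("utf-8")).decode("ascii")


def s2enc_decode(value: str) -> str:
    """Recover the cleartext. No key is involved, which is why this is only
    obfuscation: file ownership and mode on catalina.properties do the real work."""
    if not value.startswith(PREFIX):
        raise ValueError("not an s2enc:// value")
    return base64.b64decode(value[len(PREFIX):]).decode("utf-8")


def cleartext_password_keys(properties_text: str) -> list:
    """Names of password properties whose value lacks the s2enc:// prefix.
    Comment lines (#, !) and lines without '=' are skipped, as in .properties."""
    found = []
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if "password" in key.lower() and not value.startswith(PREFIX):
            found.append(key)
    return found


# Constructed catalina.properties fragment: the slide's encoded db.password
# plus a second, still-cleartext password (constructed name) the scan should flag.
SAMPLE_PROPERTIES = """\
org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.springsource.tcserver.security.PropertyDecoder
com.springsource.tcserver.security.PropertyDecoder.passphrase=base64
db.password=s2enc://bXlwYXNzd29yZA==
# ldap.bindPassword was never run through PropertyDecoder
ldap.bindPassword=changeit
"""

if __name__ == "__main__":
    print(s2enc_encode("mypassword"))                 # s2enc://bXlwYXNzd29yZA==
    print(s2enc_decode("s2enc://bXlwYXNzd29yZA=="))   # mypassword
    print("cleartext:", cleartext_password_keys(SAMPLE_PROPERTIES))  # ['ldap.bindPassword']
```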

Hyperic Overview and Configuration

Hyperic is the tc Server Console

- Monitor tc Server instances
  - Collect performance metrics
  - Trigger alerts
- Manage tc Server instances
  - Start/Stop/Restart
  - Change configuration
  - Deploy/Undeploy applications
- Not specific to tc Server
  - Hyperic is a general enterprise management / monitoring tool.
  - Monitors anything for which there is a plugin
  - Java programs through JMX
- Manage multiple tc Server instances through Hyperic groups

Hyperic Components

- Server
  - Central process providing the web interface for management/monitoring
  - Implemented as a tc Server web application
- Database
  - Server's data store
  - Can be PostgreSQL, MySQL, or Oracle
  - PostgreSQL for smaller POC environments
- Agent
  - One running on each managed system
  - Communicates bidirectionally with the server
- Command line interface
  - Allows scripting of Hyperic commands and operations
  - Works through the same Web services interface, so operations are logged the same way as through the GUI

Hyperic Production Deployment

Key Interactions Between tc Server and Hyperic

- Users and permissions
  - Don't run the Hyperic agent as root, but the Hyperic agent must run as a user with suitable permissions:
    - Modify tc Server configuration files: /var/opt/vmware/vfabric-tc-server-standard/<instance>/*
    - Kill the tc Server process
  - Can be configured to use the sudo command so that the Hyperic agent doesn't need to run as root
- JMX
  - Hyperic agent must be able to log in to the tc Server remote JMX server

vFabric Administration Server

- New alternative to Hyperic for managing tc Server and web applications
- Similar agent / server architecture
  - Server is a tc Server instance combined with a RabbitMQ broker
- Manages RabbitMQ and GemFire as well
- REST API
- Facilitates scaling of applications through a group model
  - Single system image for all nodes in a group
  - Easily perform operations across a group

http://www.vmware.com/support/developer/vas/rest-api1.0.0.RELEASE/index.html

Web Application Deployment

Web Application Deployment and Management

- Hyperic provides a UI for deploying applications
  - Group tc Server instances for one-step cluster deployment
- Tomcat 7 includes versioned deployment
  - Zero-downtime application updates
- LDAP Authentication and single-sign-on

Control Tab for TC Runtime Resource

Webapp Management

- Accessed through the Application Management view
- Deploy (via uploaded or local war file), start, stop, undeploy

Scripted Deployment Through Hyperic

- Download the tc Server Command-line Interface from the Hyperic Admin tab
- Create $HOME/.hq/client.properties with resource settings to connect to the Hyperic Server (target system, user, password)
- Run bin/tcsadmin[.sh|.bat]
- Documentation: http://pubs.vmware.com/vfabric51/topic/com.vmware.vfabric.tcserver.2.7/admin/cli.html

Versioned webapp Deployment

- Added to Tomcat 7, so present in any version of tc Server >= 2.5
- Developed and contributed by VMware employees
- Allows zero-downtime deployment of new versions
- Automatically handles session transition

The Versioning Mechanism

- Works via a string appended to the webapp context name, app##01.war for instance
- Versions compared via String comparison
  - app##11 is earlier than app##2
  - Recommended to use leading zeroes

Context Examples

  Context Path   Context Version   Context Name   Base filename
  /foo           None              /foo           foo
  /foo/bar       None              /foo/bar       foo#bar
  Empty String   None              Empty String   ROOT
  /foo           42                /foo##42       foo##42
  /foo/bar       42                /foo/bar##42   foo#bar##42
  Empty String   42                ##42           ROOT##42

Session Handling

- New requests go to the latest version of the app
- If the request has non-expired session information, then route to the matching version
- If the matching version is no longer deployed, route to the latest version
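As an added illustration of the versioning mechanism, the context naming table and the session-handling rules above (not Tomcat's own code), the following parses versioned base filenames, picks the latest version per context path with the same plain string comparison Tomcat uses, and routes a request to a version; the deployed names and session versions are constructed samples.

```python
# Added example (not Tomcat's implementation): versioned webapp names,
# string-ordered "latest" selection, and session-aware routing.
from typing import Dict, List, Optional, Tuple


def parse_base_name(base: str) -> Tuple[str, str]:
    """Split a base filename into (context path, version), per the table:
    ROOT is the empty-string context, '#' in the name stands for '/' in the
    path, and everything after '##' is the version ("" if absent)."""
    if base.endswith(".war"):
        base = base[:-4]
    name, _, version = base.partition("##")
    path = "" if name == "ROOT" else "/" + name.replace("#", "/")
    return path, version


def latest_versions(deployed: List[str]) -> Dict[str, str]:
    """Latest version per context path, compared as strings, not numbers."""
    latest: Dict[str, str] = {}
    for base in deployed:
        path, version = parse_base_name(base)
        if path not in latest or version > latest[path]:
            latest[path] = version
    return latest


def route(deployed: List[str], path: str, session_version: Optional[str]) -> str:
    """Version that serves a request: the session's version if still deployed,
    otherwise (new request, expired session, or undeployed version) the latest."""
    versions = {v for p, v in map(parse_base_name, deployed) if p == path}
    if not versions:
        raise KeyError(f"no application deployed at {path!r}")
    if session_version is not None and session_version in versions:
        return session_version
    return max(versions)  # max() on str is the same String comparison


if __name__ == "__main__":
    # Unpadded versions sort the wrong way: "11" < "2" as strings, so app##2
    # is treated as the latest even though 11 was deployed later.
    print(latest_versions(["app##2", "app##11"]))   # {'/app': '2'}
    # Leading zeroes, as recommended, make string order match intent.
    print(latest_versions(["app##02", "app##11"]))  # {'/app': '11'}
    print(route(["foo#bar##01", "foo#bar##02"], "/foo/bar", "01"))  # 01
    print(route(["foo#bar##02"], "/foo/bar", "01"))                 # 02
```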

tc Server Instance Deployment

tc Server Instance Deployment Variations

- Common use case is to use vFabric Web Server (or Apache Web Server) as a software load-balancer
  - mod_proxy or mod_jk
  - Terminate SSL at the Web server to get native performance
  - Restrict network connections to tc Server
- Clustering for high-availability
  - Tomcat-provided or GemFire HTTP Session Management Module

Communications Between Apache and tc Server

- Choose between mod_proxy_* and mod_jk
  - Protocol for mod_proxy is HTTP
  - Protocol for mod_jk is AJP
- Four basic rules:
  - If encryption is needed to tc Server, then choose mod_proxy_http
  - If the application needs SSL information, then use mod_jk
  - Go with what you know
  - Configuration of mod_proxy_http is consistent with the rest of Apache.

http://www.tomcatexpert.com/blog/2010/06/16/deciding-betweenmodjk-modproxyhttp-and-modproxyajp

Performance Tuning

Performance Tuning

- Tuning process
  - Measure
  - Tweak (one at a time, please)
  - Rinse, repeat
- Primary tuning possibilities
  - Heap configuration
  - Thread pool size
  - Database connection pool size
  - I/O Connectors (BIO, NIO, APR)
- Performance is primarily a characteristic of the application
  - Spring Insight and AppInsight for detailed views
- Virtualization impacts
  - EM4J

Security

Security (A Little Paranoia Goes a Long Way)

- tc Server improvements
  - Obfuscation of passwords in configuration files
  - User/Group configuration with RPM install and cooperation with Hyperic
  - manager webapp removed
- Tomcat Mechanisms
  - RemoteHostValve/RemoteAddrValve restricts access to, or prohibits access from, hosts or subnets
    - Can be set at various levels (Engine, Host, Context)
  - Remove unused configuration elements
- Other
  - Firewalls
  - No outbound HTTP requests

Resources

Where to Find Help

- vFabric Documentation Center: http://pubs.vmware.com/vfabric51/index.jsp
- vFabric Blogs: http://blogs.vmware.com/vfabric/
- Tomcat Expert: www.tomcatexpert.com
- Twitter: ChanningBe

Questions
