VMware vFabric tc Server Best Practices for Security, Stability and Sanity
#vmworldapps
Disclaimer
Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features
discussed or presented have not been determined.
Agenda
Introduction / Goals
What is tc Server?
tc Server Installation and Configuration
Hyperic Configuration
Web Application Deployment and Management
tc Server Instance Deployment Variations
Performance Tuning
Security
Resources
Introduction / Goals
tc Server: vFabric application server
What is a Best Practice?
Provide practical advice in installation, care, and feeding
Educate for contingencies
Lots of ground to cover
Compromise between breadth and depth
[Figure: vFabric platform diagram. Labels: Programming Model, Spring Data, Integration Patterns, Batch Framework, SQLFire, Java Runtime (tc Server), vFabric Web Server, Java Optimizations (EM4J, ), RabbitMQ, GemFire, vCo]
Efficient, lean, fit-to-purpose runtime platform
Lower cost and complexity
Enterprise capabilities on Apache Tomcat-compatible base
vmware.com/go/tc
Infrastructure integration
VMware vFabric Hyperic monitoring and management
Spring application profiling with VMware vFabric AppInsight
Elastic Memory for Java (EM4J)
Nothing removed, only added
Full binary application compatibility, zero lock-in
Patch and update without touching configuration
Multi-instance templating
Dynamic log level changes with JMX
Obfuscation of configuration passwords
Improved Windows service wrapper
UNIX init.d startup scripts provided
Pre-tuned and secured
Native session-replication clustering or VMware vFabric GemFire
Built-in diagnostics valve
[Figure labels: Encode, server.xml, catalina.properties]
Installing tc Server
Creates vfabric group
Creates tcserver user
Creates target directory for tc Server instances
Sets up bash command completion for tc Server scripts
Don't run as root!
Convention simplifies administration
tcserver user in vfabric group
Implications on Hyperic configuration
/var/opt/vmware/vfabric-tc-server-standard
Owned by user tc-server with group vfabric
Keeps product bits protected from non-root access
CATALINA_HOME
Points to directory containing core Tomcat implementation
For example, INSTALL_DIRECTORY/tomcat-7.0.23.A.RELEASE
CATALINA_BASE
Points to directory containing elements unique to an instance
Contents override any duplicates from CATALINA_HOME
By default, CATALINA_BASE = CATALINA_HOME
Example: gemfire-cs
Instance will store session data with GemFire
Hyperic Components
Server
Central process providing web interface for management/monitoring
Implemented as tc Server web application
Database
Server's data store
Can be PostgreSQL, MySQL, or Oracle
PostgreSQL for smaller POC environments
Agent
One running on each managed system
Communicates bidirectionally with server
Can be configured to use sudo command so that Hyperic agent doesn't need to run as root
JMX
Hyperic agent must be able to log in to tc Server remote JMX server
Manages RabbitMQ and GemFire as well
REST API
Facilitates scaling of applications through group model
Single system image for all nodes in group
Easily perform operations across a group
http://www.vmware.com/support/developer/vas/rest-api1.0.0.RELEASE/index.html
Webapp Management
Accessed through Application Management view
Deploy (via uploaded or local war file), start, stop, undeploy
Added to Tomcat 7 so present in any version of tc Server >= 2.5
Developed and contributed by VMware employees
Allows zero-downtime deployment of new versions
Automatically handles session transition
Works via string appended to webapp context name
app##01.war for instance
Versions compared via String comparison
app##11 is earlier than app##2
Recommended to use leading zeroes
Context Examples
Context Path /foo /foo/bar Empty String /foo /foo/bar Empty String
Session Handling
New requests go to latest version of app
If request has non-expired session information, then route to matching version
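The version ordering and session routing described above, as an added example (not code from the slides or from tc Server). It follows Tomcat's WAR naming rules, where "##" introduces the version, "#" stands for "/" in the context path and ROOT is the empty path; the function names and sample file names are constructed for illustration.

```python
# Added example: models WAR naming for parallel deployment and shows which
# version new sessions are sent to when labels are compared as strings.

def parse_war(filename):
    """Split a WAR file name into (context_path, version_label)."""
    base = filename[:-4] if filename.endswith(".war") else filename
    name, _, version = base.partition("##")   # "##" introduces the version
    path = "" if name == "ROOT" else "/" + name.replace("#", "/")
    return path, version

def latest_by_context(filenames):
    """Return {context_path: WAR that receives new sessions}, using plain
    string comparison of the version label, as the slides describe."""
    latest = {}
    for f in filenames:
        path, version = parse_war(f)
        if path not in latest or version > parse_war(latest[path])[1]:
            latest[path] = f
    return latest

def misordered(filenames):
    """List contexts whose numeric labels sort differently as strings, so a
    numerically newer (for example patched) build is not treated as latest."""
    by_path = {}
    for f in filenames:
        path, version = parse_war(f)
        if version.isdigit():
            by_path.setdefault(path, []).append(version)
    return sorted(p for p, vs in by_path.items()
                  if sorted(vs) != sorted(vs, key=int))

# Constructed sample deployments (not from the original slides).
UNPADDED = ["app##2.war", "app##11.war", "foo#bar##01.war", "ROOT##01.war"]
PADDED = ["app##02.war", "app##11.war", "foo#bar##01.war", "foo#bar##02.war"]

if __name__ == "__main__":
    print(latest_by_context(UNPADDED))    # /app still resolves to app##2.war
    print(misordered(UNPADDED), misordered(PADDED))
```

Running `misordered` over the deployment directory before a release catches the case where a fixed build would sit deployed but never receive new sessions.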
Common use case is to use vFabric Web Server (or Apache Web Server) as a software load-balancer
mod_proxy or mod_jk
Terminate SSL at Web server to get native performance
Restrict network connections to tc Server
http://www.tomcatexpert.com/blog/2010/06/16/deciding-betweenmodjk-modproxyhttp-and-modproxyajp
Performance Tuning
Tuning process
Measure
Tweak (one at a time, please)
Rinse, repeat
Virtualization impacts
EM4J
Security
tc Server improvements
Obfuscation of passwords in configuration files
User/Group configuration with RPM install and cooperation with Hyperic
manager webapp removed
Tomcat Mechanisms
RemoteHostValve/RemoteAddrValve restricts access to or prohibits access from hosts or subnets
Can be set at various levels (Engine, Host, Context)
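How the allow/deny decision of RemoteAddrValve combines across levels, as an added example (a Python model written for this page, not Tomcat or tc Server code). It assumes Tomcat 7 semantics: `allow` and `deny` are each one regular expression that must match the whole address, and deny is checked first; the class name, patterns and addresses are constructed.

```python
import re

class RemoteAddrFilter:
    """Model of the allow/deny decision made by one RemoteAddrValve."""

    def __init__(self, allow=None, deny=None):
        self.allow = re.compile(allow) if allow else None
        self.deny = re.compile(deny) if deny else None

    def is_allowed(self, addr):
        if self.deny and self.deny.fullmatch(addr):
            return False                 # a deny match always wins
        if self.allow and self.allow.fullmatch(addr):
            return True
        # Only a deny pattern configured: everything not denied passes.
        # With an allow pattern configured, anything unmatched is refused.
        return self.deny is not None and self.allow is None

def effective(chain, addr):
    """A request is served only if every level it passes through
    (Engine, then Host, then Context) allows the address."""
    return all(f.is_allowed(addr) for f in chain)

# Constructed policies (addresses and subnets are sample values).
HOST_LEVEL = RemoteAddrFilter(allow=r"10\.20\.\d+\.\d+|127\.0\.0\.1")
ADMIN_CONTEXT = RemoteAddrFilter(allow=r"10\.20\.30\.5|127\.0\.0\.1")
DENY_ONLY = RemoteAddrFilter(deny=r"203\.0\.113\.\d+")
# Common mistake: a bare prefix never matches a full address, so this
# pattern locks every client out instead of admitting the subnet.
PREFIX_ONLY = RemoteAddrFilter(allow=r"10\.20")

if __name__ == "__main__":
    for addr in ("10.20.7.9", "10.20.30.5", "203.0.113.10"):
        print(addr,
              "host:", effective([HOST_LEVEL], addr),
              "admin app:", effective([HOST_LEVEL, ADMIN_CONTEXT], addr))
```

When tc Server sits behind the web server load balancer described earlier, the address the valve sees is the proxy's, not the client's, unless the original address is restored first (Tomcat 7 provides RemoteIpValve for that).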
Other
Firewalls
No outbound HTTP requests
Resources
vFabric Blogs
http://blogs.vmware.com/vfabric/
Tomcat Expert
www.tomcatexpert.com
Twitter
ChanningBe
Questions
APP-CAP1676