Administering Apache Geronimo 2.x
Vamsavardhana Reddy Chillakuru a.k.a. Vamsi
[email protected]@in.ibm.com
11-Apr-2008 Administering Apache Geronimo 2.x 2
Who am I?
• Committer and Member of Apache Geronimo PMC
• Involved with ASF since 2005
• Over 11 years experience in software development
• Advisory Software Engineer at IBM
• Employed with IBM India since 1996
Geronimo in the making
That’s my son Susanth helping me with Geronimo
Agenda
• Introduction to Geronimo
• Securing Geronimo
• Administration Tasks
• Multiple Server Instances
• Summary
• Q & A
Introduction to Geronimo
• J2EE/Java EE Application Server from Apache Software Foundation
• Brings together the best-of-breed technologies from open source to support J2EE/Java EE
• Small footprint/Highly customizable
• Ease of use is the foremost guiding principle
• V2.1 Java EE 5 Certified – Feb/2008
Geronimo History and Progress
• August 2003: Apache Geronimo Project formed
• Oct 2005: V1.0-M5 released, J2EE 1.4 certification
• Jan 2006: V1.0 Released
• June 2006: V1.1 Released
• Sep 2006: V1.1.1 Released
• Jun 2007: V2.0-M6 released, Java EE 5 certification
• Aug 2007: V2.0.1 Released
• Oct 2007: V2.0.2 Released
• Feb 2008: V2.1 Released
• In Plan: V2.2 Release
Geronimo Architecture
• GBeans are the building blocks
  – E.g. Containers, Connectors, Servlets…
• Geronimo Kernel
  – A container for GBeans
  – Based on Inversion-of-Control/Dependency Injection
  – Provides Life Cycle management for GBeans
• Loosely coupled system
  – Start/stop/remove components on the fly
  – Integrate new components on the fly
• Plugins
  – Directory Server, Roller and many others
Geronimo Architecture
*Ref: http://www.ibm.com/developerworks/library/os-ag-deploy/
What does it contain?
• Apache Tomcat
• Jetty (Mort Bay)
• Apache Derby
• Apache OpenEJB
• Apache ActiveMQ
• Apache OpenJPA
• Apache Axis
• Apache Axis2
• Apache CXF
• Apache Yoko
• Apache Commons
• Apache jUDDI
• Apache Log4J
• HOWL
• TRANQL
• Castor
• WADI
• CGLIB
And many more…
What’s new in 2.1?
• Servers assembled out of plugins
• Custom server assemblies
  – Assemble a server feature
• Flexible admin console
• Monitoring Console
• GShell
• WADI Clustering Support for Tomcat
How to get involved?
• Geronimo project web site
  – http://geronimo.apache.org/
• Mailing lists
  – [email protected]
  – [email protected]
• Wiki
  – http://cwiki.apache.org/geronimo/
Geronimo Installation
• http://geronimo.apache.org/downloads.html
• Geronimo Tomcat or Geronimo Jetty distributions
• Extract the archive to any directory
  – On Windows, use a short directory name (e.g. C:\ or C:\g) to avoid long-path problems.
Geronimo Startup/Shutdown
• Requires Sun J2SE 5.0 JDK/JRE
• Environment variables
  – JAVA_HOME/JRE_HOME
  – GERONIMO_OPTS
  – JAVA_OPTS
• Run the server
  – <g_home>/bin/geronimo start
  – <g_home>/bin/geronimo jpda run
• Stop the server
  – Control+C in server console
  – <g_home>/bin/shutdown
Administration Console
• Web-based, convenient, user-friendly
• Based on Apache Pluto (JSR-168)
• Access at http://localhost:8080/console
• Portlets for administration
  – Web Server, JMS Server, JMS Resources, DB Manager, Database Pools
  – Application portlets – Deploy New, Web App WARs, Plan Creator etc.
  – Security Realms, Keystores
• Portlets for monitoring server status
  – Information, Java System Info, Server Logs, Monitoring, etc.
• Don’t forget the Help view in the portlets
Agenda
• Introduction to Geronimo
• Geronimo Console
• Securing Geronimo
• Administration Tasks
• Multiple Server Instances
• Do’s & Don’ts
• Q & A
Geronimo directory structure
+-bin
|-deploy
|-etc
|-lib
|-repository
|-schema
|-var
   +-config
   |-derby
   |-security
   |-shared
+-i1=instance-name
   +-deploy
   +-var
      +-config
      |-derby
      |-security
      |  +-keystores
      |-shared
         +-classes
         |-lib
Important configuration files
• Located in <g_home>/var/config
• config.xml
  – Overridden GBean attributes
  – New GBeans and configurations
• config-substitutions.properties
  – Properties used in config.xml
• artifact_aliases.properties
  – Substitute one artifact for another
Replace Default Realm
• Default security realm - geronimo-admin
  – Used by JMX server, Admin Console, Online-deployer, MEJB application
• Change default credentials
  – Edit var/security/users.properties
  – Users and Groups portlet
• Replace default realm
  – Deploy desired realm with name geronimo-admin
    • Database or LDAP Realm recommended for production
  – Delete the realm gbean in server-security-config
Protecting passwords
• Pluggable Encryption Mechanism
<gbean name="org.apache.geronimo.configs/rmi-naming/2.1/car?name=ConfiguredEncryption,j2eeType=GBean"
       gbeanInfo="o.a.g.system.util.ConfiguredEncryption">
  <attribute name="path">var/security/ConfiguredSecretKey.ser</attribute>
  <reference name="ServerInfo">
    <pattern><name>ServerInfo</name></pattern>
  </reference>
</gbean>
Securing Derby
• <g_home>/var/derby/derby.properties
    derby.connection.requireAuthentication=true
    derby.authentication.provider=BUILTIN
    derby.user.userName1=password1
    derby.user.userName2=password2
• Other authentication methods
  – LDAP, application-defined
  – o.a.d.authentication.UserAuthenticator
• Users at database level too
• http://db.apache.org/derby/binaries/jta-WE15.pdf
Update database pools
• Update credentials used by database pools
  – Using Admin Console
    • Update before enabling Derby security. Otherwise Geronimo server will not start.
  – By editing config.xml (xml shown next)
  – Database pools to update
    • MonitoringClientDS
    • NoTxDatasource
    • SystemDatasource
    • jdbc/ActiveDS
    • jdbc/ArchiveDS
    • jdbc/juddiDB
    • Any other database pools that use Embedded Derby
Update DB pools - config.xml
<module name="org.apache.geronimo.configs/system-database/2.1/car">
  <gbean name="o.a.g.c/system-database/2.1/car?...,name=SystemDatasource">
    <attribute name="UserName">userName1</attribute>
    <attribute name="Password">password1</attribute>
  </gbean>
  <gbean name="o.a.g.c/system-database/2.1/car?...,name=NoTxDatasource">
    <attribute name="UserName">userName1</attribute>
    <attribute name="Password">password1</attribute>
  </gbean>
</module>
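The ordering constraint above (pool credentials in config.xml must be in place before Derby authentication is enabled, or the server will not start) can be checked before a restart. This is an added example, not code from the presentation or from Geronimo: the sample files, the placeholder GBean names and the function names are constructed, and only UserName is compared on the assumption that the stored Password may be held in encrypted form.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the slides (not from a real server).
DERBY_PROPERTIES = """\
derby.connection.requireAuthentication=true
derby.authentication.provider=BUILTIN
derby.user.userName1=password1
"""
CONFIG_XML = """\
<attributes><module name="org.apache.geronimo.configs/system-database/2.1/car">
  <gbean name="example/system-database/2.1/car?type=PLACEHOLDER,name=SystemDatasource">
    <attribute name="UserName">userName1</attribute>
  </gbean>
  <gbean name="example/system-database/2.1/car?type=PLACEHOLDER,name=NoTxDatasource"/>
</module></attributes>
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # / ! comments."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith(("#", "!")))
    return {k.strip(): v.strip() for k, v in pairs}

def pool_users(config_xml):
    """Map pool name -> UserName override found in config.xml (None if absent)."""
    pools = {}
    for el in ET.fromstring(config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "gbean":  # tolerate XML namespaces
            continue
        m = re.search(r"[?,]name=([^,]+)", el.get("name", ""))
        names = [a.text.strip() for a in el
                 if a.get("name") == "UserName" and a.text]
        pools[m.group(1) if m else el.get("name", "")] = names[0] if names else None
    return pools

def audit(derby_text, config_xml, expected_pools):
    """Findings to resolve before restarting with Derby authentication on."""
    props = parse_properties(derby_text)
    users = {k[len("derby.user."):] for k in props if k.startswith("derby.user.")}
    findings = []
    if props.get("derby.connection.requireAuthentication", "").lower() != "true":
        findings.append("requireAuthentication is not enabled")
    pools = pool_users(config_xml)
    for pool in expected_pools:
        user = pools.get(pool)
        if user not in users:  # also true when no UserName override exists (None)
            findings.append(f"{pool}: UserName {user!r} not in derby.properties")
    return findings
```

Calling audit() with the pool names listed on the previous slide returns one finding per pool that still lacks a matching Derby user.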
A typical scenario
• Setup the web server
• Create user database and DB Pools
• Create Security Realms
• Create JMS Factories and Queues
• Deploy Applications
• Manage Applications
• Server Logs
• Monitoring
Administering Tomcat
• WebServers portlet for connectors
  – Connector protocol: HTTP, HTTPS, AJP
  – BIO/NIO/APR
  – add/delete/edit/stop/start/restart
• Configuring HTTPS
  – Server Authentication only
  – ClientAuth
Virtual hosts
• Add HostGBeans to Tomcat config
• Specify virtual host in deployment plan
<container-config>
  <tomcat>
    <host>virtualhost1.com</host>
  </tomcat>
</container-config>
Single Sign-On
• Login to one application maintains login across all applications on the server
• Create a SingleSignOn valve and connect to the valve chain
  – Edit config.xml
Managing Keystores
• Add keystores
• Lock/unlock keystores
• Create/delete private keys
• Change keystore/key passwords
• Add/delete trust certificates
• Manage private keys/certificates
• Support for all keystore types in v2.1
Administering Derby
• DB Info portlet
• DB Manager portlet
  – Create/delete databases
  – View tables, table content
  – Run SQL
• Derby Log Viewer portlet
Database Pools
• Database pools portlet
  – Create/edit database pool
• J2EE Connectors portlet
  – Stop/start/delete connector configurations
Security Realms
• Add security realms
  – Properties File Realm
  – Database (SQL) Realm
  – LDAP Realm
  – Custom Realm
• Edit security realms
• Configure Auditing, Lockout
Administering ActiveMQ
• JMS Server portlet
  – Add/delete/start/stop connectors
  – Stopped connectors started at next run
• JMS Resources portlet
  – Add connection factories, queues, topics for ActiveMQ or any other JMS provider
• J2EE Connectors portlet
  – Stop/start/delete connector configs
Deploy Applications
• Command Line Deployer
  – bin\deploy
  – Offline deployment: bin\deploy -o
  – inPlace deployment
  – Deploy to different target stores
  – Start/stop/restart/deploy/undeploy …
• Deploy New portlet
  – Deploy and redeploy operations only
Deploy Applications (contd.)
• Hot deployer
  – Copy to <g_home>/deploy directory
  – Plan should be part of archive
• Plan Creator
  – Lets you create a deployment plan in a series of steps.
  – Web Apps only as of v2.1
  – EJB, EAR etc. under development
Manage Applications
• System Modules portlet
• Web App WARs portlet
• EJB Jars portlet
• Application EARs portlet
• App Clients
• J2EE Connectors
Logging
• var/log/server-log4j.properties
  – org.apache.geronimo.log.ConsoleLogLevel system property to change console log level
  – org.apache.geronimo.log4jservice.configuration to change the default config file
• ServerLogs portlet
  – Update config file temporarily
Web Access logs
• Server Logs – Web Access Log Viewer
• Log rotation – rotated daily
  – NOTE: Logs not deleted by Geronimo
• Changing log configuration
<gbean name="AccessLogValve">
  <attribute name="initParams">
    prefix=${ServerHostname}_access_log.
    suffix=.txt
    pattern=common
    fileDateFormat=yyyy-MM
  </attribute>
</gbean>
Monitoring
• Servers - Local and remote servers
  – EJB and JMX protocols
• Graphs
  – Select MBean and statistic
  – Based on two statistics from the MBean
• Views
  – Compose multiple graphs into views
Debug Views
• JMX Viewer
• LDAP Viewer
• ClassLoader Viewer
• JNDI Viewer
• Dependency Viewer
Plugins
• Plugins portlet
  – Add plugin repositories
  – Search for plugins
  – Install plugins
  – Export config as plugin
  – Assemble a server
• Command Line Deployer
  – Search-plugins
Running multiple instances
• Shared directories
  – bin, lib, repository
• Instance home <inst_home> directory
  – Create <g_home>/<inst_name> dir
  – Copy <g_home>/var to <inst_home>/var
• Change PortOffset to resolve port conflicts
  – <inst_home>/var/config/config-substitutions.properties
• Set org.apache.geronimo.server.name system property.
  – Use GERONIMO_OPTS
Deploying to an instance
• Offline Deployment
  – org.apache.geronimo.server.name property with GERONIMO_OPTS
• Online deployment
  – Host and port deployer options
  – Deploy New portlet
• Deploy to specific target config stores
  – target deployer option
  – bin/deploy list-targets
Individual Repositories
• Maven2Repository GBean
• RepositoryConfigurationStore GBean
• Deploy to the specific instance
• Use target option to deploy to the new store.
New Repository – plan.xml
<!--Repository-->
<gbean name="newRepo"
       class="org.apache.geronimo.system.repository.Maven2Repository">
  <attribute name="resolveToServer">true</attribute>
  <reference name="ServerInfo">
    <name>ServerInfo</name>
  </reference>
</gbean>
<!--Configuration Store service-->
<gbean name="Local2"
       class="org.apache.geronimo.system.configuration.RepositoryConfigurationStore">
  <reference name="Repository">
    <name>newRepo</name>
  </reference>
</gbean>
Summary
• Introduction to Geronimo
• Replace default-realm
• Protect passwords
• Enable Derby security
• Secure default keystore
• Administration Console for most tasks
• config.xml to add new GBeans
• Running multiple server instances
Do’s
• Secure <g_home>
• Use Database/LDAP realm
• Use digested passwords
• Use schema names with table names
  – E.g. AUTH.USERTABLE
• Use config-substitutions.properties for attribute values in config.xml
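One way to check the first item, "Secure <g_home>", on a POSIX host is to confirm that the credential and key files named earlier in the deck are readable only by the account that runs the server. This is an added example, not code from the presentation or from Geronimo; it assumes a dedicated server account owns the files, and the directory tree it builds is a constructed sample.

```python
import os
import stat
import tempfile

# Files named on the slides, relative to <g_home> (or an instance home).
SENSITIVE = [
    "var/security/users.properties",
    "var/security/ConfiguredSecretKey.ser",
    "var/derby/derby.properties",
    "var/config/config.xml",
]

def audit_permissions(home):
    """Return (path, problem) pairs for sensitive files open to group/other."""
    findings = []
    for rel in SENSITIVE:
        path = os.path.join(home, rel)
        if not os.path.exists(path):
            continue  # e.g. no key file when ConfiguredEncryption is not set up
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((rel, f"mode {mode:04o} grants group/other access"))
    return findings

def build_sample_home():
    """Constructed directory tree standing in for a Geronimo home."""
    home = tempfile.mkdtemp(prefix="g_home_")
    for rel, mode in zip(SENSITIVE, (0o644, 0o600, 0o640, 0o600)):
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(path, mode)
    return home

if __name__ == "__main__":
    for rel, problem in audit_permissions(build_sample_home()):
        print(f"{rel}: {problem}")
```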
Don’ts
• Do not enable logging to console when running in background in Linux
• Do not direct console output to file
• Do not use passwords in the command line with
  – bin\deploy
  – bin\shutdown
Q & A
Questions/Comments?
Vamsi
[email protected]@in.ibm.com
Administering Apache Geronimo 2.x
Resources
• http://geronimo.apache.org
• http://cwiki.apache.org/geronimo/
• Geronimo Mailing lists
  – [email protected]
  – [email protected]
• IBM developerWorks
  – http://www.ibm.com/developerworks/opensource/top-projects/geronimo.html
Thank you