Use the operational checklist to prepare your environment for deploying WebSphere® eXtreme Scale.
Table 1. Operational checklist
Checklist item | For more information |
If you are using AIX®, tune the following
operating system settings:
- TCP_KEEPINTVL
  The TCP_KEEPINTVL setting is part of a socket keep-alive protocol that enables detection of
  network outage. The property specifies the interval between packets that are sent to validate the
  connection. When you are using WebSphere eXtreme Scale, set the value to 10.
  To check the current setting, run the following command:
  # no -o tcp_keepintvl
  To change the current setting, run the following command:
  # no -o tcp_keepintvl=10
  The TCP_KEEPINTVL setting is in half seconds.
- TCP_KEEPINIT
  The TCP_KEEPINIT setting is part of a socket keep-alive protocol that enables detection of
  network outage. The property specifies the initial timeout value for a TCP connection. When you are
  using WebSphere eXtreme Scale, set the value to 40.
  To check the current setting, run the following command:
  # no -o tcp_keepinit
  To change the current setting, run the following command:
  # no -o tcp_keepinit=40
  The TCP_KEEPINIT setting is in half seconds.
|
|
Update the orb.properties file to modify the transport
behavior of the grid. The orb.properties file is in the
java/jre/lib directory. |
ORB properties |
Use parameters in the startOgServer
or startXsServer script. In particular, use the
following parameters:
- Set heap settings with the -jvmArgs parameter.
- Set application class path and properties with the -jvmArgs parameter.
- Set -jvmArgs parameters for configuring agent monitoring.
- Port settings
- WebSphere eXtreme Scale has to open ports for communications for
some transports. These ports are all dynamically defined. However, if a firewall is in use between
containers, you must specify the ports. Use the following information about the ports:
- Listener port
- You can use the -listenerPort argument to specify the port that is used for
communication between processes.
- Core group port
- You can use the -haManagerPort argument to specify the port that is used
for failure detection. This argument is the same as peerPort. Note that core groups do not need to
communicate across zones, so you might not need to set this port if the firewall is open to all the
members of a single zone.
- JMX service port
- You can use the -JMXServicePort argument to specify the port that the JMX
service should use.
- SSL port
- Passing -Dcom.ibm.CSI.SSLPort=1234 as a -jvmArgs
argument sets the SSL port to 1234. The SSL port is the secure port peer to
the listener port.
- Client port
- Used in the catalog service only. You can specify this value with the
-catalogServiceEndPoints argument. The value of this parameter has the
format: serverName:hostName:clientPort:peerPort
|
startOgServer script (ORB)
startXsServer script (XIO)
|
Verify that security settings are configured correctly:
- Transport (SSL)
- Application (Authentication and Authorization)
To verify your security settings, you can try to use a malicious client to connect to your
configuration. For example, when the SSL-Required setting is configured, a client that has a TCP_IP
setting or a client with the wrong trust store should not be able to connect to the server.
When authentication is required, a client with no credential, such as a user ID and password, should
not be able to connect to the server. When authorization is enforced, a client with no access
authorization should not be granted access to the server resources. |
Security integration with external providers |
Choose how you are going to monitor your environment.
|
|
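
The AIX keep-alive tuning from the first checklist row can be audited with a script. The following is an added example, not part of the original page or of WebSphere eXtreme Scale. The function names are hypothetical, and the script assumes that `no -o <tunable>` prints a line of the form `name = value`.

```sh
#!/bin/sh
# Added example (not from the original page): audit the two AIX keep-alive
# tunables against the checklist values. Both are expressed in half seconds.
WANT_KEEPINTVL=10   # checklist value for tcp_keepintvl
WANT_KEEPINIT=40    # checklist value for tcp_keepinit

# parse_no_line LINE: print the number from a "name = value" line.
# Assumption: this is the form "no -o <tunable>" prints. Returns 1 otherwise.
parse_no_line() {
    val=$(printf '%s\n' "$1" | sed -n 's/^[a-z_]* *= *\([0-9][0-9]*\) *$/\1/p')
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# check_tunable NAME WANT LINE: print a verdict.
# Returns 0 on match, 1 on mismatch, 2 if LINE cannot be parsed.
check_tunable() {
    name=$1; want=$2
    if ! got=$(parse_no_line "$3"); then
        echo "$name: UNREADABLE ($3)"; return 2
    fi
    if [ "$got" -eq "$want" ]; then
        echo "$name: OK ($got half seconds = $((got / 2))s)"; return 0
    fi
    echo "$name: MISMATCH (current $got, want $want; fix: no -o $name=$want)"
    return 1
}

# audit: query the live values; only meaningful on AIX.
audit() {
    rc=0
    check_tunable tcp_keepintvl "$WANT_KEEPINTVL" "$(no -o tcp_keepintvl 2>&1)" || rc=1
    check_tunable tcp_keepinit "$WANT_KEEPINIT" "$(no -o tcp_keepinit 2>&1)" || rc=1
    return "$rc"
}

if [ "$(uname -s)" = "AIX" ]; then
    audit || echo "one or more tunables differ from the checklist" >&2
else
    # Constructed sample lines so the script also runs off AIX.
    check_tunable tcp_keepintvl "$WANT_KEEPINTVL" "tcp_keepintvl = 150" || true
    check_tunable tcp_keepinit "$WANT_KEEPINIT" "tcp_keepinit = 40" || true
fi
```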