administering apache geronimo 2.x vamsavardhana reddy chillakuru a.k.a. vamsi [email protected]...

Administering Apache Geronimo 2.x

Vamsavardhana Reddy Chillakuru a.k.a. Vamsi

[email protected]@in.ibm.com

mailto:[email protected]


11-Apr-2008 Administering Apache Geronimo 2.x 2

Who am I?

• Committer and Member of Apache Geronimo PMC

• Involved with ASF since 2005

• Over 11 years experience in software development

• Advisory Software Engineer at IBM

• Employed with IBM India since 1996


Geronimo in the making

That’s my son Susanth helping me with Geronimo


Agenda

• Introduction to Geronimo

• Securing Geronimo

• Administration Tasks

• Multiple Server Instances

• Summary

• Q & A


Agenda





• Summary

• Q & A


Introduction to Geronimo• J2EE/Java EE Application Server from

Apache Software Foundation• Brings together the best-of-breed

technologies from open source to support J2EE/Java EE

• Small foot print/Highly customizable• Ease of use is – foremost guiding principle• V2.1 Java EE 5 Certified – Feb/2008


Geronimo History and Progress

August2003

Apa

che G

eron

imo P

rojec

t for

med

V1.0

-M5 r

eleas

ed, J

2EE 1.

4 cer

tifica

tion

Oct2005

Jan2006

V1.0

Rele

ased

June2006

V1.1

Rele

ased

In Plan

V2.2

Rele

ase

Sep2006

V1.1

.1 Rele

ased

Jun2007

V2.0

-M6 r

eleas

ed, J

ava E

E 5 ce

rtifica

tion

Aug2007

V2.0

.1 Rele

ased

Oct2007

V2.0

.2 Rele

ased

Feb2008

V2.1

Rele

ased


Geronimo Architecture• GBeans are the building blocks

– E.g. Containers, Connectors, Servlets…

• Geronimo Kernel– A container for GBeans– Based on Inversion-of-Control/Dependency Injection – Provides Life Cycle management for GBeans

• Loosely coupled system– Start/stop/remove components on the fly– Integrate new components on the fly

• Plugins– Directory Server, Roller and many other


Geronimo Architecture

*Ref: http://www.ibm.com/developerworks/library/os-ag-deploy/


What it contains?• Apache Tomcat• Jetty (Mort Bay)• Apache Derby• Apache OpenEJB• Apache ActiveMQ• Apache OpenJPA• Apache Axis• Apache Axis2• Apache CXF• Apache Yoko

• Apache Commons• Apache jUDDI• Apache Log4J• HOWL• TRANQL• Castor• WADI• CGLIBAnd many more…


What’s new in 2.1?

• Servers assembled out of plugins

• Custom server assemblies– Assemble a server feature

• Flexible admin console

• Monitoring Console

• GShell

• WADI Clustering Support for Tomcat


How to get involved?

• Geronimo project web site– http://geronimo.apache.org/

• Mailing lists– [email protected]– [email protected]

• Wiki– http://cwiki.apache.org/geronimo/

http://geronimo.apache.org/



http://cwiki.apache.org/geronimo/


Geronimo Installation• http://geronimo.apache.org/downloads.html

• Geronimo Tomcat or Geronimo Jetty distributions

• Extract the archive to any directory– On windows, use a short directory name

(for e.g. C:\ or C:\g) to avoid long-path problems.

http://geronimo.apache.org/downloads.html


Geronimo Startup/Shutdown• Requires Sun J2SE 5.0 JDK/JRE• Environment variables

– JAVA_HOME/JRE_HOME– GERONIMO_OPTS– JAVA_OPTS

• Run the server– <g_home>/bin/geronimo start– <g_home>/bin/geronimo jpda run

• Stop the server– Control+C in server console– <g_home>/bin/shutdown


Administration Console• Web-based, Convenient, user-friendly• Based on Apache Pluto (JSR-168)• Access at http://localhost:8080/console• Portlets for administration

– Web Server, JMS Server, JMS Resources, DB Manager, Database Pools

– Application portlets – Deploy New, Web App WARs, Plan Creator etc..

– Security Realms, Keystores• Portlets for monitoring server status

– Information, Java System Info, Server Logs, Monitoring, etc.

• Don’t forget the Help view in the portlets

http://localhost:8080/console


Agenda


• Geronimo Console




• Do’s & Don’ts

• Q & A


Important configuration files• Located in <g_home>/var/config• config.xml

– Overridden GBean attributes– New GBeans and configurations

• config-substitutions.properties– Properties used in confg.xml

• artifact_aliases.properties– Substitute one artifact for another


Replace Default Realm• Default security realm - geronimo-admin

– Used by JMX server, Admin Console, Online-deployer, MEJB application

• Change default credentials– Edit var/security/users.properties– Users and Groups portlet

• Replace default realm– Deploy desired realm with name geronimo-admin

• Database or LDAP Realm recommended for production

– Delete the realm gbean in server-security-config


Protecting passwords

• Pluggable Encryption Mechanism

<gbean name="org.apache.geronimo.configs/rmi-naming/2.1/car?name=ConfiguredEncryption,j2eeType=GBean" gbeanInfo="o.a.g.system.util.ConfiguredEncryption"> <attribute name="path"> var/security/ConfiguredSecretKey.ser </attribute> <reference name="ServerInfo"> <pattern><name>ServerInfo</name></pattern> </reference></gbean>


Securing Derby• <g_home>/var/derby/derby.properties

derby.connection.requireAuthentication=truederby.authentication.provider=BUILTINderby.user.userName1=password1derby.user.userName2=password2

• Other authentication methods– LDAP, application-defined– o.a.d.authentication.UserAuthenticator

• Users at database level too• http://db.apache.org/derby/binaries/jta-WE15.pdf


Update database pools• Update credentials used by database pools

– Using Admin Console• Update before enabling Derby security. Otherwise

Geronimo server will not start.

– By editing config.xml (xml shown next)– Database pools to update

• MonitoringClientDS• NoTxDatasource• SystemDatasource• jdbc/ActiveDS• jdbc/ArchiveDS• jdbc/juddiDB• Any other database pools that use Embedded Derby


Update DB pools - config.xml<module name="org.apache.geronimo.configs/system-

database/2.1/car"> <gbean name="o.a.g.c/system-

database/2.1/car?...,name=SystemDatasource"> <attribute name="UserName">userName1</attribute> <attribute name="Password">password1</attribute></gbean><gbean name="o.a.g.c/system-database/2.1/car?...,

name=NoTxDatasource"> <attribute name="UserName">userName1</attribute> <attribute name="Password">password1</attribute></gbean>

</module>


Agenda





• Summary

• Q & A


A typical scenario• Setup the web server• Create user database and DB Pools• Create Security Realms• Create JMS Factories and Queues• Deploy Applications• Manage Applications• Server Logs• Monitoring


Administering Tomcat

• WebServers portlet for connectors– Connector protocol: HTTP, HTTPS, AJP– BIO/NIO/APR– add/delete/edit/stop/start/restart

• Configuring HTTPS– Server Authentication only– ClientAuth


Virtual hosts• Add HostGBeans to Tomcat config• Specify virtual host in deployment

plan<container-config> <tomcat> <host>virtualhost1.com</host> </tomcat></container-config>


Single Sign-On

• Login to one application maintains login across all applications on the server

• Create a SingleSignOn valve and connect to the valve chain– Edit config.xml


Managing Keystores

• Add keystores

• Lock/unlock keystores

• Create/delete private keys

• Change keystore/key passwords

• Add/delete trust certificates

• Manage private keys/certificates

• Support for all keystore types in v2.1


Administering Derby

• DB Info portlet

• DB Manager portlet– Create/delete databases– View tables, table content– Run SQL

• Derby Log Viewer portlet


Database Pools

• Database pools portlet– Create/edit database pool

• J2EE Connectors portlet– Stop/start/delete connector

configurations


Security Realms

• Add security realms– Properties File Realm– Database (SQL) Realm– LDAP Realm– Custom Realm

• Edit security realms

• Configure Auditing, Lockout


Administering ActiveMQ• JMS Server portlet

– Add/delete/start/stop connectors– Stopped connectors started at next run

• JMS Resources portlet– Add connection factories, queues, topics

for ActiveMQ or any other JMS provider

• J2EE Connectors portlet– Stop/start/delete connector configs


Deploy Applications• Command Line Deployer

– bin\deploy– Offline deployment: bin\deploy -o – inPlace deployment– Deploy to different target stores– Start/stop/restart/deploy/undeploy …

• Deploy New portlet– Deploy and redeploy operations only


Deploy Applications (contd.)

• Hot deployer– Copy to <g_home>/deploy directory– Plan should be part of archive

• Plan Creator– Lets you create a deployment plan in a

series of steps.– Web Apps only as of v2.1– EJB, EAR etc under development


Manage Applications

• System Modules portlet

• Web App WARs portlet

• EJB Jars portlet

• Application EARs portlet

• App Clients

• J2EE Connectors


Logging

• var/log/server-log4j.properties– org.apache.geronimo.log.ConsoleLogLevel system property to change console log level

– org.apache.geronimo.log4jservice.configuration to change the default config file

• ServerLogs portlet– Update config file temporarily


Web Access logs

• Server Logs–Web Access Log Viewer

• Log rotation – rotated daily– NOTE: Logs not deleted by Geronimo

• Changing log configuration

<gbean name="AccessLogValve"> <attribute name="initParams">prefix=${ServerHostname}_access_log. suffix=.txt pattern=common fileDateFormat=yyyy-MM</attribute></gbean>


Monitoring

• Servers - Local and remote servers– EJB and JMX protocols

• Graphs– Select MBean and statistic– Based on two statistics from the MBean

• Views– Compose multiple graphs into views


Debug Views

• JMX Viewer

• LDAP Viewer

• ClassLoader Viewer

• JNDI Viewer

• Dependency Viewer


Plugins• Plugins portlet

– Add plugin repositories– Search for plugins– Install plugins– Export config as plugin– Assemble a server

• Command Line Deployer– Search-plugins


Agenda





• Summary

• Q & A


Running multiple instances• Shared directories

– bin, lib, repository• Instance home <inst_home> directory

– Create <g_home>/<inst_name> dir– Copy <g_home>/var to <inst_home>/var

• Change PortOffset to resolve port conflicts– <inst_home>/var/config/config-

substitutions.properties• Set org.apache.geronimo.server.name

system property.– Use GERONIMO_OPTS


Deploying to an instance• Offline Deployment

– org.apache.geronimo.server.name property with GERONIMO_OPTS

• Online deployment– Host and port deployer options– Deploy New portlet

• Deploy to specific target config stores– target deployer option– bin/deploy list-targets


Individual Repositories

• Maven2Repository GBean

• RepositoryConfigurationStore GBean

• Deploy to the specific instance

• Use target option to deploy to the new store.

New Repository – plan.xml<gbean name="newRepo"

class="org.apache.geronimo.system.repository.Maven2Repository">

<attribute name="resolveToServer">true</attribute> <reference name="ServerInfo"> <name>ServerInfo</name> </reference></gbean><gbean name="Local2"

class="org.apache.geronimo.system.configuration. RepositoryConfigurationStore">

<reference name="Repository"><name>newRepo</name> </reference>

</gbean>


Agenda





• Summary

• Q & A


Summary• Introduction to Geronimo• Replace default-realm• Protect passwords• Enable Derby security• Secure default keystore• Administration Console for most tasks• config.xml to add new GBeans• Running multiple server instances


Do’s

• Secure <g_home>

• Use Database/LDAP realm

• Use digested passwords

• Use schema names with table names– E.g. AUTH.USERTABLE

• Use config-substitutions.properties for attribute values in config.xml


Don’ts

• Do not enable logging to console when running in background in Linux

• Do not direct console output to file

• Do not use passwords in the command line with– bin\deploy– bin\shutdown


Agenda





• Summary

• Q & A


Q & A

Question/Comments?Vamsi

[email protected]@in.ibm.com

Administering Apache Geronimo 2.x




Resources• http://geronimo.apache.org• http://cwiki.apache.org/geronimo/• Geronimo Mailing lists

– [email protected]– [email protected]

• IBM developerWorks– http://www.ibm.com/developerworks/

opensource/top-projects/geronimo.html

http://geronimo.apache.org/

http://cwiki.apache.org/geronimo/




Thank you

administering apache geronimo 2.x vamsavardhana reddy chillakuru a.k.a. vamsi [email protected]...

Documents