© 2013 SpringOne 2GX. All rights reserved. Do not distribute without permission.
Migrating SAS® Institute Java EE Applications from WLS/WAS/JBoss to Pivotal tc Server™
By Zhiyong Li
Contents
Motivation
Technology selection
Implementation
– Architecture
– Application migration
– Security
– System administration
Delivery and support
– Automated installation and configuration
– Cloud deployment
Demo
Our Pain Points
Supporting three different App Servers is a lot of work!
– Install and configure
– Coding and testing
– Performance tuning
– Support
Complex configuration still largely manual
– Yet best practice dictates
Way too much “just depends”
– Too many free variables in how customer sets up container
Our Solutions
Reduce the number of supported application servers
Encourage simplification of the applications
– Focus on business logic
– Build light-weight mid-tier
• Light-weight container and framework
Complete, self-contained packages
– HTTP server, servlet container, light-weight framework and system management
– Virtual environment and appliances
– Cloud deployment
Benefits
Lower costs for SAS
– Development
– Test
– Release
– Support
Lower costs for customers
– Procurement
– Installation and configuration
– Management
– Consolidated support
Technologies - Infrastructure
Infrastructure
– vFabric tc Server: Tomcat
• Active MQ
• Atomikos: Required for Solutions that need two-phase commit
• GemFire
– vFabric Web Server: Apache HTTP server
Monitoring and Management
– vFabric Hyperic
Technologies - Applications
Java EE
– No EJBs
– JSP and servlet
– JMS for messaging
– JDBC / JPA for persistence
– JTA for transaction management
– Java Mail for SMTP mail
– REST for web services
– JMX for monitoring and management
JavaScript, HTML5, Java Swing and Flash/Flex
Struts and Spring MVC as Web framework
Spring framework, security, etc.
iBatis/Hibernate for persistence
JCR/WebDAV for content management
Architecture – Single Machine
[Diagram. Components shown: Reverse Proxy / Load Balancer (vFWS: Mod_Proxy, Worker 1, Worker 2); tc Server1 (SAS web app1, SAS web app2); tc Server2 (SAS web app3, SAS web app4); Hyperic Agent; Hyperic Server; DBMS.]
Architecture – Multiple Machines
[Diagram. Components shown across Machine 1, Machine 2 and Machine 3: Reverse Proxy / Load Balancer (vFWS: Mod_Proxy, Worker 1, Worker 2); Hyperic Server; tc Server1 (SAS web app1, SAS web app2); tc Server2 (SAS web app3, SAS web app4); DBMS; Hyperic Agents.]
Architecture – Multiple Machines and Cluster (V & H)
[Diagram. Components shown across Machine 1, Machine 2, Machine 3 and Machine 4: Proxy / Load Balancer (vFWS: Mod_proxy; Worker 1-3, Worker 4-6, Worker 7-9, Worker 10-12); Hyperic Server; tc Server1 and tc Server1_1 (SAS web app1, SAS web app2); tc Server2 and tc Server2__2 (SAS web app3, SAS web app4); DBMS; Hyperic Agents.]
SAS Platform
SAS foundation
SAS middle tier
SAS BI applications
SAS Solutions
– Web based
– Desktop based
SAS Middle Tier Platform
Common, shared Web applications
Common infrastructure services
Shared features as services
Web services access to SAS stored processes
Web services access to common services
Workflow and content management
SAS Middle Tier Architecture
Middle Tier Services
• Alert Notification
• Attachments
• Audit
• Authentication
• Comments
• Configuration
• Registry
• Status / Monitoring
• Templates
• Theme
• Workflow
Middle Tier Applications
Web apps:
BI Web Services
SAS Content Server
Workflow Engine
Desktop apps:
Configuration Manager
SAS Management Console
Plug-in
Workflow Studio
Browser apps:
Logon Manager
Comment Manager
Stored Process
Preferences Manager
Web Admin
SAS Solutions
Over 80 SAS web applications
Pre-assigned to 13 application server instances
Analytics
Business Analytics
Business Intelligence
Customer Intelligence
Financial Intelligence
Fraud & Security Intelligence
Governance, Risk & Compliance
High-Performance Analytics
Information Management
IT & CIO Enablement
Performance Management
Risk Management
Supply Chain Intelligence
Sustainability Management
Application Migration
Java code
Deployment
Configuration
vFWS and clustering support
Security
Performance
Java Code
Remove EJB
Update the use of Java Messaging Service
Update JNDI lookup
Review J2EE application client library usage
Update transaction architecture and configuration
Use ConnectionFactory instead of QueueConnectionFactory or TopicConnectionFactory
Deployment
Convert .ear to .war
Define context and resources
Create restricted policy files
Update XML parser
Limit Jar Scanning
vFWS and Clustering Support
Logging control files
Forcing a product to be configured as a singleton
Default browser caching configuration
Default proxy server caching configuration
Proxy forwarding
Firewall considerations
Security (Authentication)
SAS Web Application single sign-on
– Logon Manager and Central Authentication Services (CAS)
Enterprise security and Integration
– Container managed security
– Integration with enterprise SSO solutions
• IWA, SiteMinder, WebSeal, SAML, …
SAS Web App Security Architecture
[Diagram. Components shown: Client; vFWS with Mod_proxy Load Balancer (Worker1, Worker2), Mod_SSL (FIPS optional), Mod_sm (optional) and Mod_shib (optional); tc server SASServer1_1 with Authenticator Valve, Realm, SASLogon and Customer App1; tc server SASServerX_Y; SSO/LDAP Server. Connections are labelled http/https.]
SAS Web Application Single Sign-On
SAS Logon Manager
– Single sign-on for all SAS web applications
– Central authentication entry point
– All SAS web applications required to rely on Logon Manager for authentication
– Host authentication as default
– Implemented by CAS
Central Authentication Services (CAS)
1. Browser makes request to a webapp
2. Spring security filter redirects to /SASLogon/login and provides a callback URL to the security filter in the query string
3. User authenticates with CAS, is assigned a ticket granting ticket (TGT) and is redirected to the callback URL with a service ticket (ST) in the query string
4. Browser calls the callback URL with the service ticket
5. The webapp makes an internal call to CAS to validate the ticket and get user info
6. A new session is established and the browser is redirected back to the original URL
GET http://host/SASWebReportStudio/ 302
GET http://host/SASLogon/login?service=http%3A%2F%2Fhost%2FSASAdmin%2Fj_spring_cas_security_check 302
GET http://host/SASWebReportStudio/j_spring_cas_security_check?ticket=ST-6-XlO6P6L5YbM9Zh1CkdyS-cas 302
GET http://host/SASWebReportStudio/ 200
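An added example, not part of the original slides: a check of a captured redirect chain against the six steps above, including the rule that CAS validates a service ticket only for the service URL it was issued for. The function and helper names are hypothetical, the second trace is constructed, and the first trace is the one printed on the slide.

```python
from urllib.parse import urlsplit, parse_qs, quote

CALLBACK = "/j_spring_cas_security_check"  # callback path shown on the slide

def login_url(service):
    """Build the step-2 redirect target with the callback URL percent-encoded."""
    return "http://host/SASLogon/login?service=" + quote(service, safe="")

# Trace as printed on the slide (the ticket value is the slide's own).
SLIDE_TRACE = [
    "http://host/SASWebReportStudio/",
    login_url("http://host/SASAdmin" + CALLBACK),
    "http://host/SASWebReportStudio" + CALLBACK + "?ticket=ST-6-XlO6P6L5YbM9Zh1CkdyS-cas",
    "http://host/SASWebReportStudio/",
]
# Constructed trace in which the service URL and the callback agree.
CONSISTENT_TRACE = [
    "http://host/SASWebReportStudio/",
    login_url("http://host/SASWebReportStudio" + CALLBACK),
    "http://host/SASWebReportStudio" + CALLBACK + "?ticket=ST-1-CONSTRUCTED-cas",
    "http://host/SASWebReportStudio/",
]

def check_cas_flow(urls):
    """Return a list of findings; an empty list means the chain is consistent."""
    if len(urls) != 4:
        return ["expected 4 requests: app, login, callback, app"]
    original, login, callback, final = (urlsplit(u) for u in urls)
    findings = []
    # Step 2: the redirect to /SASLogon/login must carry the callback as ?service=
    service = parse_qs(login.query).get("service", [""])[0]
    if login.path != "/SASLogon/login" or not service:
        findings.append("step 2: no /SASLogon/login redirect with a service URL")
    # Steps 3-4: the callback request must present a service ticket (ST-...)
    ticket = parse_qs(callback.query).get("ticket", [""])[0]
    if not ticket.startswith("ST-"):
        findings.append("step 4: callback carries no service ticket")
    # Step 5: CAS validates a ticket only for the service it was issued to,
    # so the URL that receives the ticket must equal the service URL.
    receiver = f"{callback.scheme}://{callback.netloc}{callback.path}"
    if service and service != receiver:
        findings.append(f"service mismatch: issued for {service}, presented to {receiver}")
    # Step 6: the browser must end on the URL it first asked for
    if final.geturl() != original.geturl():
        findings.append("step 6: final URL differs from the original request")
    return findings

if __name__ == "__main__":
    for name, trace in (("slide", SLIDE_TRACE), ("consistent", CONSISTENT_TRACE)):
        print(name, check_cas_flow(trace) or "ok")
```

Run against the slide's trace, the check reports a service mismatch: the login redirect names the SASAdmin callback while the ticket is presented to SASWebReportStudio.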
SAS Logon and CAS
Custom authentication handler
– SAS Metadata (via bridge to JAAS OMILoginModule)
Standard authentication handlers
– Principal bearing credentials (Trusted Web Authentication)
• Container managed
– BASIC, FORM, SPNEGO (IWA), DIGEST, CLIENT-CERT
– Authenticate against LDAP, JAAS, JDBC, etc.
• Web server agent + Application server agent (e.g. Tomcat Valve)
– CA SiteMinder
– IBM WebSEAL
– SAML
• Hybrid
– Client certificate authentication
– Fallback authentication
Container Managed Security
Configure CAS for Trusted Web Authentication
Secure SASLogon web application
– Security constraint on /login
– Login method
• Negotiates with the user agent to collect credentials
• Built-in support for: BASIC, FORM, DIGEST, SPNEGO, CLIENT-CERT
– Security Roles
• Can use * in conjunction with allRolesMode="authOnly" on Realm
Realms
– Authenticates credentials against some resource
– Checks security roles
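An added example, not taken from the slides or from SAS's shipped configuration: a small audit of the settings this slide lists (constraint on /login, a built-in login method, role * together with allRolesMode on the Realm). The descriptor and Realm elements are constructed, the sample omits the Java EE XML namespace to keep the lookups short, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

LOGIN_METHODS = {"BASIC", "FORM", "DIGEST", "SPNEGO", "CLIENT-CERT"}

# Constructed descriptor for a SASLogon-like web app (not SAS's shipped file).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login</web-resource-name>
      <url-pattern>/login</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>SPNEGO</auth-method></login-config>
</web-app>"""
# Constructed Realm elements: Tomcat's default mode versus the slide's setting.
REALM_DEFAULT = '<Realm className="org.apache.catalina.realm.JNDIRealm"/>'
REALM_AUTHONLY = ('<Realm className="org.apache.catalina.realm.JNDIRealm" '
                  'allRolesMode="authOnly"/>')

def audit(web_xml, realm_xml):
    """Return findings for the /login constraint; an empty list means it passes."""
    web, realm = ET.fromstring(web_xml), ET.fromstring(realm_xml)
    guarded = [c for c in web.iter("security-constraint")
               if any((p.text or "").strip() == "/login"
                      for p in c.iter("url-pattern"))]
    if not guarded:
        return ["/login is not covered by a security-constraint"]
    findings = []
    roles = {(r.text or "").strip() for c in guarded for r in c.iter("role-name")}
    if not roles:
        findings.append("/login constraint names no role")
    method = (web.findtext("login-config/auth-method") or "").strip()
    if method not in LOGIN_METHODS:
        findings.append(f"login method {method or '(none)'} is not a built-in one")
    # Under the default allRolesMode (strict), * means "any role declared in
    # web.xml"; with none declared, authOnly lets any authenticated user pass.
    declared = web.findall("security-role/role-name")
    mode = realm.get("allRolesMode", "strict")
    if "*" in roles and mode == "strict" and not declared:
        findings.append("role * needs declared security-role entries "
                        "or allRolesMode=\"authOnly\" on the Realm")
    return findings

if __name__ == "__main__":
    print(audit(WEB_XML, REALM_DEFAULT))
    print(audit(WEB_XML, REALM_AUTHONLY))
```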
Enterprise SSO Integration
Integrated Windows Authentication
CA SiteMinder
SAML
…
Integrated Windows Authentication (IWA)
Microsoft products to support single sign-on
Use Windows credentials to automatically log on to your web applications
IWA Scenarios
Browser to middle tier
– Terminate at middle tier
– Delegate the client credential from middle tier to server tier
• Database, SAS Workspace server
Desktop client to middle tier
– Terminate at middle tier
– Delegate the client credential from middle tier to server tier
• Database, SAS Workspace server
Browser Based IWA to Midtier
Internet Explorer setup
– Tools -> Internet Options -> Advanced -> Enable Integrated Windows Authentication
– Security -> Local intranet -> Sites -> Advanced. Add the host of your domain if it doesn't already exist there.
Middle tier configuration
– Register Service Principal Name (SPN) in Domain Controller and install Keytab
– Configure Kerberos Domain and KDC
– Set up com.sun.security.auth.module.Krb5LoginModule in JAAS configuration
– Configure container managed security with SPNEGO authentication
– Configure JNDIRealm in server.xml for the Active Directory LDAP
CA SiteMinder for SAS
[Diagram. tc Server Valve receives the token: 1. Decode token, 2. login.]
• SiteMinder Realm protects /SASLogon/login
• Web Agent installed in vFWS
– Performs authentication
– Sets SM_SESSION security token
• Valve intercepts requests to tc Server
– Decodes token and performs login
– Uses pure Java API in SiteMinder SDK
– Requires separate host registration
• tc Server Configured for container-based security
Dependencies:
• CA SiteMinder Web Agent and SDK v12.x
• Oracle Unlimited Strength Java Cryptography Extension (JCE)
System Administration – SAS Environment Manager
Replacement of SMC
– SMC is a desktop client to manage SAS environment
OEM-ed Hyperic
– Integration, customization, rebranding
Extensible Infrastructure
– Module Framework and Modules
• Content (metadata) management functionality
– Hyperic plugins
• Operational functionality
Batch and Command Line Interfaces
Collects a Broad Set Of Operational Metrics
Service
Database
Availability
Performance
Configuration changes
Events
Log entries
Solutions
Web Application Servers
WIP Services and DB
ActiveMQ Messaging
Apache TC server
SAS Servers
• Metadata
• Object Spawner
• Stored Process Server
…
Operating Systems
• Memory
• Processor
• IO
Storage & IO systems
• LASR
• SPDS
• SAS Dataset
Virtualization
Resources
Platforms
– Physical or virtual machines or proxies
Servers running on those platforms
– Database servers, web application servers, SAS servers, messaging servers, guest operating systems
Services running in those servers
– Web applications in SAS Web Application Server, database tables and indexes
Logical groupings of platforms, servers, and/or services.
Components
A web-based admin GUI
An agent on each managed host
Solution aware plug-ins
Central server to manage and deploy the plug-ins
Centralized operational data store
Collection of reports and graphs helping characterize resource usage across the whole operational deployment.
Single sign-on with other SAS and customers’ enterprise web applications
SAS Environment Manager Architecture
[Diagram. Components shown: Web GUI (Dashboard, Control Center); CLI; Open API (REST); Management Server (GUI Administration, Provisioning, Groups, Metrics, Alerts, Events, Logs, Agents); CMDB Service Database (Inventory, Events, Alerts); Platform 1 (machine 1) and Platform 2 (machine 2), each with an Agent alongside resources such as tc Server instances (Spring), Object Spawner, Mid-Tier Servers and Metadata server. Caption: Upgradeable via XML and JAVA agent plugins.]
SAS Environment Manager Plug-Ins
Plug-ins are the interface between SAS Environment Manager and the platforms, servers, and services in your deployment.
Auto-Discovery
– Automatically finds technologies on your systems, adds to inventory, and configures monitoring
Monitoring
– Collects performance data, monitors for configuration and security changes
Event Management
– Trigger both email notifications and automated control actions to resolve common problems.
Control
– Executes actions to automatically fix problems in response to alerts
Using Other Interfaces
With the API you can:
– create, update, and extract data about platforms, servers, services and groups
– create, update, and extract metric collection settings for resource types and individual resources
– define alerts for resource types and individual resources
– create and update users and roles.
Automated Installation and Configuration
SAS Planning Application
– Select the products to install and configure
– Select the deployment topology
SAS Deployment Wizard (SDW)
– GUI driven pluggable framework to install/configure all SAS applications
• Automatic installation of middle tier products
• Automatic configuration of middle tier products
Auto Installation
Create installation images
Images are packaged into SAS Software Depot
SDW
– Get user inputs
– Unpack products from SAS Software Depot
– Invokes the product specific installation scripts
Auto Configuration
Configure specific instances
– Tc Server, vFWS, Hyperic, etc.
GUI Driven to collect configuration parameters
– Configuration options for horizontal clustering
• Number of vertical servers
• Choice of source instance for horizontal clustering
• Number of vertical servers in the horizontal cluster members
Configuration API for all web applications
– Create tc Server instance, configure data source, JMS queue, topics, etc.
Multiple servers vs. clustering
– There are two different concepts
– Multiple servers + clustering
Enable Cloud Deployment: SAS Virtual Applications
SAS will provide pre-packaged virtual machines
– Contain a full application stack from operating system through database and middleware to SAS solution software.
Virtual application
– Consist of one or more virtual machines that work together and are able to self-configure.
Instances of the virtual applications
– Can be up and running in minutes without the need for a software installation.
tcServer is an integral part of this offering
– It is the only Application Server included in the Applications
SAS Virtual Applications (vAPP)
[Diagram. Stack shown: HTTP Server, Application Server, SAS Software, File System Management, Operating System. Configuration choices shown: 3rd party Storage (DBMS, SAN, etc.), 3rd party Monitoring/Management, 3rd party Authentication (ex. LDAP, AD).]
TOPOLOGIES ALIGN WITH USAGE MODELS
[Diagram. Two topologies labelled Enterprise (1 vApp = n VMs) and Workgroup (1 vApp = 1-2 VMs). Tier labels: Front Door; Middle tier (clustered); Compute tiers (load balanced); Metadata (clustered). Components shown: HTTP Server, Application Server, SAS Software, SAS Metadata Server, Cluster File System Management, Operating System, Data Store, LDAP, DNS (networking).]
Tc Server and Logic Layout of a vApp
[Diagram. Components shown: Reverse Proxy/Router; Ledger; Monitoring; User Admin; Authentication; Application; Authentication Store; Update Service; “content”; SAS Solution Software; four tc Server instances.]
Summary
A complete packaged middle tier platform
– Light-weight infrastructure and applications
– Built-in support for proxy server
– Built-in support for clustering for performance and fail over
– Built-in support for system management and monitoring
• Customized SAS Environment Manager plugin to monitor SAS system
• Rebranding to give the seamless SAS look-and-feel
– Built-in support for security integration
Easy button
– Automatically install and configure the platform and SAS applications
Virtual and cloud environment enablement
Demo
SAS Single Sign-On
SAS Stored Process Web Application
SAS Environment Manager
– SAS Web Application Server Plugins
SAS Cloud
– https://cloud.sas.com
Learn More. Stay Connected.
• Try SAS Cloud: https://cloud.sas.com
• Learn SAS Visual Analytics: http://www.sas.com/software/visual-analytics/demos/all-demos.html
• Learn SAS 9.4: SAS 9.4 Resource Center
• Learn IWA: http://java.sys-con.com/node/1326751