C9510-401 D Application Server Network Deployment V8.5.5 and Liberty Profile System Administration Questions and Answers

Enabling verboseGC (Garbage Collection) output is often required when diagnosing issues with WebSphere Application Server. Because verboseGC data is critical to troubleshooting memory and performance problems and the overhead is generally very low, you may want to consider proactively enabling it in your environment.

References: http://www-01.ibm.com/support/docview.wss?uid=swg21114927

Monitoring overall system health. To monitor overall system health, monitor the following statistics at a minimum:

Average response time Include statistics, for example, servlet or enterprise beans response time. Response time statistics indicate how much time is spent in various parts of WebSphere Application Server and might quickly indicate where the problem is (for example, the servlet or the enterprise beans).

Java virtual memory Use JVM metrics to understand the JVM heap dynamics, including the frequency of garbage collection. This data can assist in setting the optimal heap size. In addition, use the metric to identify potential memory leaks.

Number of Live HTTP Sessions The number of live HTTP sessions reflects the concurrent usage of your site. The more concurrent live sessions, the more memory is required. As the number of live sessions increase, you might adjust the session time-out values or the Java virtual machine (JVM) heap available.

References: https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tprf_monitoringhealth.html

Cross Component Trace (XCT) annotates the logs so that log entries that are related to a request that is serviced by more than one thread, process, or even server are identified as belonging to the same unit of work. XCT helps identify the root cause of problems across components.

References: WebSphere Application Server V8.5 Administration and Configuration Guide for the Full Profile (July 2013), page 1091

The ibm-webservicesclient-bnd.xmi deployment descriptor file contains information for the web services run time that is WebSphere® product-specific. This deployment descriptor file is used with Java API for XML-based web services.

References: https://www.ibm.com/support/knowledgecenter/SSEQTJ_8.5.5/com.ibm.websphere.base.doc/ae/rwbs_assembpropclient.html

Use the AdminControl object to invoke operational commands that manage objects for the application server.

Many of the AdminControl commands have multiple signatures so that they can either invoke in a raw mode using parameters that are specified by Java Management Extensions (JMX), or by using strings for parameters. In addition to operational commands, the AdminControl object supports some utility commands for tracing, reconnecting with a server, and converting data types.

References: https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rxml_admincontrol.html

The admin_host virtual host is used for access to the WebSphere administrative console.

At installation time, the host is configured to match requests on the wc_adminhost and wc_adminhost_secure ports for the stand-alone server or deployment manager.

References: WebSphere Application Server V8.5 Administration and Configuration Guide for the Full Profile (July 2013), page 303

In WebSphere Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. This function was deprecated In WebSphere Application Server 7.0. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method.

References: https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/csec_ssovo.html

Fine-grained administrative security

In releases prior to WebSphere® Application Server version 6.1, users granted administrative roles could administer all of the resources under the cell. WebSphere Application Server is now more fine-grained, meaning that access can be granted to each user per resource.

For example, users can be granted configurator access to a specific instance of a resource only (an application, an application server or a node).

To achieve this instance-based security or fine-grained security, resources that require the same privileges are placed in a group called the administrative authorization group or authorization group. Users can be granted access to the authorization group by assigning to them the required administrative role.

References: http://www-01.ibm.com/support/knowledgecenter/ S SEQTP_8.5.5/com.ibm.websphere.base.doc/ae/csec_fineg_admsec.html?cp=SSEQTP_8.5.5%2F1-8-1-30-3-3

Securing web applications using an assembly tool.

You can use three types of web login authentication mechanisms to configure a web application: basic authentication, form-based authentication and client certificate-based authentication. Protect web resources in a web application by assigning security roles to those resources.

References: https://www.ibm.com/support/knowledgecenter/SS7JFU_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_secweb_atk.html

Authenticate only when the URI is protected

The application server challenges the web client to provide authentication data when the web client accesses a Uniform Resource Identifier (URI) that is protected by a Java Platform, Enterprise Edition (Java EE) role. The authenticated identity is available only when the web client accesses a protected URI.

This option is the default Java EE web authentication behavior that is also available in previous releases of WebSphere® Application Server.

References: https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.base.doc/ae/usec_webauth.html

Run the command to record a response file for the package installation. This command uses the -skipInstall < agentDataLocation > argument, which records the installation commands without installing the Tivoli Monitoring packages. Substitute your own file name and location for the response file. Verify that the file paths that you enter exist. Installation Manager does not create directories for the response file:

Windows: IBMIM -record < responseFile > -skipInstall < agentDataLocation >

Unix/Linux: ./IBMIM -record < responseFile > -skipInstall < agentDataLocation >

References: https://www.ibm.com/support/knowledgecenter/SS4EKN_7.2.0/com.ibm.itm.doc_6.3/install/record_resp_file.htm

The server process comprises a single JVM, the Liberty kernel, and any number of optional features.

References: https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/cwlp_about.html

When Java 2 security is enabled for a WebSphere Application Server, all the applications that run on WebSphere Application Server undergo a security check before accessing system resources. An application might need a was.policy file if it accesses resources that require more permissions than those granted in the default app.policy file

References: http://www.aiotestking.com/ibm/how-can-a-system-administrator-secure-a-websphere-application-server-environment-to-ensure-that-an-application-code-will-not-be-allowed-to-access-any-files-in-the-servers-file-system/

Problem(Abstract)

The SystemOut.log contains a WSVR0605W message, also called a hung thread message. A javacore, or thread dump on Solaris and HP-UX, is needed in order to determine how to resolve the potentially hung threads.

Cause

WebSphere Application Server attempts to report potentially hung threads using the hung thread detector. Depending on how the hung thread detector policy is configured, a thread running for a certain interval (default 10 minutes) might be reported as hung and a WSVR0605W message is printed in the SystemOut.log file:

WSVR0605W: Thread < threadname > has been active for < time > and may be hung. There are < totalthreads > in total in the server that may be hung.

References: https://www-01.ibm.com/support/docview.wss?uid=swg21448581

AdminConfig.save()to save changes after script execution.