Configuring Reverse Proxy Servers For WebSphere

You can configure a reverse proxy server to add an additional security layer between your application and the internet or your end users.

This section discusses how various servers can be configured as reverse proxy servers.

Using reverse proxy servers adds an additional protective layer between your application and the internet or your end users. A reverse proxy server receives user requests and sends them to a back end content server, usually behind a firewall. The back end server, in this case your PeopleSoft web server, remains unknown to the user.

For your PeopleSoft implementation, you can configure reverse proxy servers for WebSphere on the following web servers:

  • IBM HTTP Server.

  • Microsoft Internet Information Server (IIS).

  • Oracle Sun Java System Web Server.

The communication between your web server and your reverse proxy server is configured using delivered plug-ins. You must install the web server software before you can install a plug-in for the web server. You can install the web server plug-in by itself on a machine where WebSphere Application Server ND has been installed but the plug-in has not. You can also install a plug-in on a remote machine where the HTTP proxy server is already installed.

Web Server Plug-In

Web server plug-ins enable the web server to communicate requests for dynamic content, such as servlets, to the application server. A web server plug-in is associated with each web server definition. The configuration file (plugin-cfg.xml) that is generated for each plug-in is based on the applications that are routed through the associated web server.

WebSphere RPS Plug-in

The RPS plug-in is used to forward HTTP requests from the proxy server to the PeopleSoft web server. The RPS plug-in provides:

  • XML-based configuration file.

  • Standard protocol recognized by firewall products.

  • Security using HTTPS, replacing proprietary Open Servlet Engine (OSE) over Secure Sockets Layer (SSL).

To configure the IBM HTTP Server for use as a reverse proxy server, you use the IHS plug-in.

Before you perform the following steps, you need to install the following items:

  • IBM HTTP Server.

  • Web server plug-ins.

See PeopleTools Installation for your database platform, Installing Web Server Products, "Installing IBM HTTP Server and Web Server Plug-ins."

To configure IHS for reverse proxy:

  1. Start WebSphere server and open the ISC window.

  2. Navigate to Environment, Virtual Hosts, pia_host, Host Aliases.

    The PeopleSoft application is deployed on a virtual host called "pia_host".

  3. Create new entries for the required ports.

    For example:

    Hostname = *, Port = 10001 (for web server port)

    Hostname = *, Port = 10002 (for HTTP Administration Server port)

    Hostname = *, Port = 10043 (for SSL port assigned to IHS)

  4. In a multi-server environment, repeat steps 2 and 3 for the other virtual hosts and "psemhub_host".

  5. Click Apply and save the settings to "master".

    This updates <PIA_HOME>/webserv/profile_name/config/cells/node_name/virtualhosts.xml

  6. From the WebSphere Plug-ins installation, copy the configureWebserverDefinition script from the <Plugin_Install_Root>/bin to the directory <PS_HOME>/webserv/profile_name/bin and run it.

    This creates the web server definition in WebSphere server.

  7. Generate the plugin-cfg.xml by selecting the web server definition in Servers, Web servers.

  8. Copy the plugin-cfg.xml from <PS_HOME>/profile_name/config/cells/cell_name/nodes/node_name/servers/WebserverDefinition to <Plugin_Install_Root>/config/WebserverDefinition so that IHS can communicate with WebSphere directly and access the PeopleSoft application.

  9. Restart the WebSphere server, IBM HTTP Server, and IBM HTTP Administration Server.

  10. Verify accessing the PeopleSoft application using the IHS HTTP port.

Note: In scenarios where the system needs to process large amounts of data, a page may become stuck in the processing status. While the change is reflected on the database, it cannot be viewed on a page until another session is started. This problem can be resolved by increasing the ServerIOTimeout from 60 seconds to 600 seconds, for example, in the plugin-cfg.xml file located in <PLUGIN_HOME>/config/webserver1.
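As a check on the copied plugin-cfg.xml before restarting the servers, the following added example (not part of the original documentation) parses the file and reports required ports with no host alias, ServerIOTimeout values below a chosen threshold, and back end servers that have no HTTPS transport. The sample XML, the host names, and the function name audit_plugin_cfg are constructed for illustration; the default threshold of 600 is taken from the note above.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the plugin-cfg.xml layout; host names are placeholders.
SAMPLE = """<Config>
  <VirtualHostGroup Name="pia_host">
    <VirtualHost Name="*:10001"/>
    <VirtualHost Name="*:10043"/>
  </VirtualHostGroup>
  <ServerCluster Name="server1_Cluster">
    <Server Name="node1_server1" ServerIOTimeout="60">
      <Transport Hostname="psweb1.example.com" Port="9080" Protocol="http"/>
    </Server>
    <Server Name="node2_server1" ServerIOTimeout="600">
      <Transport Hostname="psweb2.example.com" Port="9443" Protocol="https"/>
    </Server>
  </ServerCluster>
</Config>"""


def audit_plugin_cfg(xml_text, required_ports, min_io_timeout=600):
    """Return a list of findings for one plugin-cfg.xml document."""
    root = ET.fromstring(xml_text)
    findings = []

    # Host aliases (step 3) show up as "<host>:<port>" entries in each group.
    for group in root.iter("VirtualHostGroup"):
        ports = {vh.get("Name", "").rpartition(":")[2]
                 for vh in group.iter("VirtualHost")}
        for port in sorted(set(required_ports) - ports, key=int):
            findings.append(f"{group.get('Name')}: no host alias for port {port}")

    for server in root.iter("Server"):
        name = server.get("Name")
        raw = server.get("ServerIOTimeout")
        # Assumption: only explicit positive values under the threshold are
        # flagged; an absent attribute leaves the plug-in default in effect.
        if raw is not None and 0 < int(raw) < min_io_timeout:
            findings.append(f"{name}: ServerIOTimeout={raw} is below {min_io_timeout}")
        protocols = {t.get("Protocol", "").lower() for t in server.iter("Transport")}
        if "https" not in protocols:
            findings.append(f"{name}: no HTTPS transport to the back end server")
    return findings


if __name__ == "__main__":
    for finding in audit_plugin_cfg(SAMPLE, ["10001", "10002", "10043"]):
        print(finding)
```

To audit a real file, pass its contents as xml_text together with the ports you entered as host aliases.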

This section discusses how to configure Microsoft IIS as a reverse proxy server for WebSphere. Before you perform these steps, the following items need to be installed:

  • Microsoft IIS.

  • Web server plug-ins.

Microsoft IIS Installation should have the following components already installed in order for the RPS setup to be successful:

  • IIS Management Compatibility

  • IIS Management Console

  • IIS Scripting Tools

  • IIS WMI Compatibility

  • IIS Metabase compatibility

  • ISAPI Extensions

  • ISAPI Filters

See http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.nd.doc/info/ae/ae/tins_webplugins.html.

See PeopleTools Installation, Installing Web Server Products, "Installing IBM HTTP Server 7.0 and Web Server Plug-ins."

See your Microsoft IIS documentation.

Installing WebSphere Web Server Plugin for Microsoft IIS

Before installing the plugin, create a new IIS website according to the instructions given in the IBM WebSphere "Installing Web Server Plug-ins" documentation. Alternatively, you can use the Default website if it is available. The Plugins install wizard prompts for the location where the WebSphere plugins for IIS need to be installed and also for the location where WebSphere is installed. The wizard also prompts for the name of the web server definition to be created.

Note: The WebSphere version may come with 32-bit and 64-bit web server plugins. The 32-bit plugin installer is on CD1 and the 64-bit plugin installer is on CD2. Install the appropriate plugin based on your machine architecture and the mode (32-bit or 64-bit) in which your IIS is running.

Configuring the Plugin on Microsoft IIS

To configure the plugin:

  1. From the WebSphere plugin installation, copy the configureWebserverDefinition script from the <Plugin_Install_Root>/bin to the directory <PS_HOME>/webserv/profile_name/bin.

  2. Start the WebSphere server and run the configureWebserverDefinition script from the PIA profile location.

    This creates the web server definition in the WebSphere server.

  3. In the Administrative Console, select Environment, Virtual hosts, and add new Host Alias entries for the IIS web server HTTP port into the following virtual hosts:

    • pia_host

    • psemhub_host

  4. Select Servers, Web servers, and select the server definition and generate the plugin-cfg.xml.

  5. Copy the plugin-cfg.xml from <PS_HOME>/profile_name/config/cells/cell_name/nodes/node_name/servers/WebserverDefinition to <Plugin_Install_Root>/config/WebserverDefinition.

    This enables the IIS web server to communicate with WebSphere directly and access the PeopleSoft application.

  6. Restart the Microsoft IIS web server, and start the IIS website that you have created.

  7. Restart the WebSphere server and log in to the Administrative Console.

  8. (Optional) Enable Administrative Console to manage the IIS web server.

    This will show the IIS web server as running. This step is needed only if you want to manage your IIS web server from the WebSphere Administrative Console.

    1. In the Administrative Console select Servers, Server Type, Web servers.

    2. Click the web server definition to create one for the IIS web server.

    3. Enter the port number for the IIS web server.

  9. Access the PeopleSoft application through the IIS web server HTTP port:

    http://<hostname>:<IIS_HTTPPort>/ps/signon.html

Note: If you have a Windows 64-bit machine, IIS runs in 64-bit mode by default and requires 64-bit WebSphere plugins to be installed. However, if you have installed 32-bit WebSphere plugins, then you can set IIS to run in 32-bit mode by executing the following script at the command prompt:

CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1

Restart the IIS web server following the execution of this script.

The following steps discuss how to configure the Oracle Sun Java System Web Server as a Reverse Proxy Server. Before you perform these steps, the following items need to be installed:

  • Oracle Sun Java System Web Server.

  • Web server plug-ins.

Installing WebSphere Plugin for Oracle Sun Java System Web Server

The Plugins install wizard prompts for the location where WebSphere and Oracle Sun Java System Web Server are installed. The wizard also prompts for the name of the web server definition to be created, the location of the obj.conf file, and the location of the magnus.conf file. These two configuration files can be found under the Oracle Sun Java System Web Server installation in the following directory:

$SunJava_Home/https-<hostname>/config

Configuring the Plugin

To configure the plugin:

  1. From the WebSphere Plugins installation, copy the configureWebserverDefinition script from the <Plugin_Install_Root>/bin to the directory <PS_HOME>/webserv/profile_name/bin.

  2. Start the WebSphere server and run the configureWebserverDefinition script from the PIA profile location.

    This creates the web server definition in the WebSphere server.

  3. In the Administrative Console, select Environment, Virtual Host, and add the new Host Alias entries for the Oracle Sun Java System Web Server HTTP port into the following virtual hosts:

    • pia_host

    • psemhub_host

  4. Select Servers, Web servers and generate the plugin-cfg.xml by selecting the web server definition.

  5. Copy the plugin-cfg.xml from <PS_HOME>/profile_name/config/cells/cell_name/nodes/node_name/servers/WebserverDefinition to <Plugin_Install_Root>/config/WebserverDefinition.

    This enables the Oracle Sun Java System Web Server to communicate with WebSphere directly and access the PeopleSoft application.

  6. Note the following entries in the Obj.conf file.

    After the <Object name=default> tag
    
    Service fn="as_handler"
    AddLog fn="as_term"
    
  7. Note the following entries in the Magnus.conf file.

    UNIX:

    Init fn="load-modules" 
         funcs="as_init,as_handler,as_term" 
         shlib="/opt/IBM/WebSphere/Plugins/bin/libns61_http.so"
    
    Init fn="as_init" 
         bootstrap.properties="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-cfg.xml"
    

    Windows:

    Init fn="load-modules" 
         funcs="as_init,as_handler,as_term" 
         shlib="C:\IBM\WebSphere\Plugins\bin\ns41_http.dll"
    
    Init fn="as_init" 
         bootstrap.properties="C:\IBM\WebSphere\Plugins\config\webserver1\plugin-cfg.xml"
    
  8. Restart the Oracle Sun Java System Web Server.

  9. Restart the WebSphere web server.

  10. Access the PeopleSoft application through the Oracle Sun Java System Web Server HTTP port.

    http://<hostname>:<SunJava_HTTPPort>/ps/signon.html

  11. (Optional) Enable Administrative Console to manage the Oracle Sun Java System Web Server.

    This will show the Oracle Sun Java System Web Server as running. This step is needed only if you want to manage your Oracle Sun Java System Web Server from the WebSphere Administrative Console.

    1. In the Administrative Console select Servers, Server Type, Web servers.

    2. Click the web server definition to create one for Oracle Sun Java System Web Server.

    3. Enter the port number for the Oracle Sun Java System Web Server.

Configuring for Deleting Attachments

If you intend to allow end users to delete attachments, and you are using the Oracle Sun Java System RPS, you need to make sure the access control lists for Oracle Sun Java System RPS are configured correctly.

To configure Oracle Sun Java System RPS for deleting attachments:

  1. Start the Sun Java admin server and log in to the administrative console.

  2. Navigate to Configurations, and click the appropriate configuration.

  3. Select Access Control, Access Control Lists, where you'll see the default and es-internal access control lists.

  4. Modify the default access control list.

    • Click default.

    • For Allow anyone and Allow all, click delete rights.

    • Save.

  5. Modify the es-internal access control list.

    • Click es-internal.

    • Click on allow anyone and enable delete rights.

    • Click on deny anyone and disable delete rights.

    • Save.

  6. Save and deploy the change so it is reflected in the instances.