CAP1676-VMware vFabric tc Server Best Practices for Security, Stability and Sanity_Final_US.pdf


  • 7/22/2019 CAP1676-VMware vFabric tc Server Best Practices for Security, Stability and Sanity_Final_US.pdf

    1/47

    VMware vFabric tc Server

    Best Practices for Security, Stability and Sanity

    Channing Benson, VMware, Inc.

    APP-CAP1676

    #vmworldapps


    Disclaimer

    This session may contain product features that are currently under development.

    This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.

    Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

    Technical feasibility and market demand will affect final delivery.

    Pricing and packaging for any new technologies or features discussed or presented have not been determined.


    Agenda

    Introduction / Goals

    What is tc Server?

    tc Server Installation and Configuration

    Hyperic Configuration

    Web Application Deployment and Management

    tc Server Instance Deployment Variations

    Performance Tuning

    Security

    Resources


    Introduction / Goals

    tc Server: vFabric application server

    What is a Best Practice ?

    Provide practical advice in installation, care, and feeding

    Educate for contingencies

    Lots of ground to cover

    Compromise between breadth and depth


    What is vFabric tc Server?


    tc Server: vFabric Application Server

    [Diagram: the vFabric suite around tc Server. Recoverable labels: Cloud Infrastructure and Management; Programming Model; Integration Patterns; Batch; Spring Framework; Spring Data; Tool Suite; App Director; Java Runtime (tc Server); vFabric Web Server; RabbitMQ; GemFire; SQLFire; Data Director; Dynamic Ops; Application Deployment; Java Optimizations (EM4J, ...); Application Performance Monitoring; vCops; APM: AppSpeed, Insight; vCO.]


    tc Server: Replace Legacy Java Servers and Apache Tomcat

    Efficient, lean, fit-to-purpose runtime platform

    Lower cost and complexity

    Enterprise capabilities on Apache Tomcat-compatible base

    vmware.com/go/tc


    Beyond ASF Tomcat, Fully Compatible

    Nothing removed, only added

    Full binary application compatibility, zero lock-in

    Patch and update without touching configuration

    Multi-instance templating

    Dynamic log level changes with JMX

    Obfuscation of configuration passwords

    Improved Windows service wrapper

    UNIX init.d startup scripts provided

    Pre-tuned and secured

    Native session-replication clustering or VMware vFabric GemFire

    Built-in diagnostics valve


    Beyond ASF Tomcat, Fully Compatible

    [Diagram: Encryption for DB passwords (proprietary). Labels: Encode, server.xml, catalina.properties.]


    tc Server Installation and Configuration


    Installing tc Server

    Simplest method is unpack file archive

    .tar.gz (Linux) or .zip (Windows)

    RPM provided for Linux

    Implements certain best practices

    Java SDK or JRE is required

    Java 6 or Java 7

    After installation, create instance(s) to host web applications


    RPM Install Actions

    Gets latest version

    Installs in fixed location

    /opt/vmware/vfabric-tcserver-standard

    Owner: root Group: vfabric

    Creates vfabric group

    Creates tcserver user

    Creates target directory for tc Server instances

    Sets up bash command completion for tc Server scripts


    tc Server User and Group

    Don't run as root!

    Convention simplifies administration

    tcserver user in vfabric group

    Implications on Hyperic configuration


    Separate Instance Directory

    tc Server facilitates separate directory for instances

    Uses Tomcat's CATALINA_BASE and CATALINA_HOME

    Improves maintainability

    Improves security

    /var/opt/vmware/vfabric-tc-server-standard

    Owned by user tc-server with group vfabric

    Keeps product bits protected from non-root access

    tcruntime-instance script to create instances

    tcruntime-ctl script to control instances


    Implemented Using Environment Variables

    CATALINA_HOME

    Points to directory containing core Tomcat implementation

    For example, INSTALL_DIRECTORY/tomcat-7.0.23.A.RELEASE

    CATALINA_BASE

    Points to directory containing elements unique to an instance

    Contents override any duplicates from CATALINA_HOME

    By default, CATALINA_BASE = CATALINA_HOME
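    The CATALINA_BASE/CATALINA_HOME override rule above, together with the earlier advice to keep the product directory owned by root so the instance user cannot alter it, as an added Python example that is not from the slides or from the tc Server product. It builds a constructed HOME/BASE pair in a temporary directory (only the directory names follow the deck; file contents and modes are made up), shows which copy of conf/server.xml an instance sees, and checks whether anything under CATALINA_HOME is writable by the instance's group or by others.

```python
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Mapping, Optional, Tuple


def layout_from_env(environ: Mapping[str, str]) -> Tuple[Path, Path]:
    """Return (CATALINA_BASE, CATALINA_HOME) as the startup scripts derive them:
    CATALINA_BASE falls back to CATALINA_HOME when it is not set."""
    home = Path(environ["CATALINA_HOME"])
    base = Path(environ.get("CATALINA_BASE", str(home)))
    return base, home


def resolve(relative: str, catalina_base: Path, catalina_home: Path) -> Optional[Path]:
    """Look a relative path up in the instance directory first, then in the shared
    product directory, so an instance copy overrides the same file in CATALINA_HOME.
    Returns None when neither directory has it."""
    for root in (catalina_base, catalina_home):
        candidate = root / relative
        if candidate.exists():
            return candidate
    return None


def writable_by_group_or_others(root: Path) -> List[str]:
    """Hardening check for the product directory: anything group- or world-writable
    under CATALINA_HOME lets the instance user (or anyone on the host) alter product
    bits that every instance loads. Returns paths relative to root, sorted."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.lstat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            hits.append(str(path.relative_to(root)))
    return hits


def demo() -> Dict[str, object]:
    """Build a constructed HOME/BASE pair in a temporary directory and exercise the
    rules. Directory names follow the slides; contents and modes are made up here."""
    with tempfile.TemporaryDirectory() as td:
        home = Path(td) / "vfabric-tcserver-standard" / "tomcat-7.0.23.A.RELEASE"
        base = Path(td) / "vfabric-tc-server-standard" / "myinstance"
        for d in (home / "conf", home / "lib", base / "conf"):
            d.mkdir(parents=True)
        (home / "conf" / "server.xml").write_text("<!-- shipped default -->")
        (base / "conf" / "server.xml").write_text("<!-- instance override -->")
        (home / "lib" / "tcServer.jar").write_bytes(b"")
        # Set modes explicitly so the outcome does not depend on the caller's umask.
        for p in home.rglob("*"):
            p.chmod(0o755 if p.is_dir() else 0o644)
        (home / "lib" / "tcServer.jar").chmod(0o664)  # deliberately group-writable

        b, h = layout_from_env({"CATALINA_HOME": str(home), "CATALINA_BASE": str(base)})
        default_b, default_h = layout_from_env({"CATALINA_HOME": str(home)})
        return {
            "base_defaults_to_home": default_b == default_h,
            "server_xml": resolve("conf/server.xml", b, h).read_text(),
            "jar_from_home": h in resolve("lib/tcServer.jar", b, h).parents,
            "missing": resolve("conf/nonexistent.xml", b, h),
            "writable": writable_by_group_or_others(h),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Run it against a real installation by pointing writable_by_group_or_others at the tomcat-* directory under /opt/vmware: with the RPM layout (owner root, group vfabric) the expected result is an empty list, and any hit is a file the tcserver user could modify.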


    Creating an Instance Using Templates

    Use tcruntime-instance script

    This script uses templates

    Templates encapsulate configuration of instance

    Both user-specified and default

    Templates customize configuration file contents

    Templates customize files in hierarchy

    Deployed applications in the webapps directory for example

    Example: gemfire-cs

    Instance will store session data with GemFire

    Create and use your own templates

    Standardize security elements


    Configure Instance to Start at System Boot

    Windows version of tcruntime-instance creates Windows service

    Linux

    tcruntime-instance script creates init.d.sh script


    Obfuscating Passwords in Configuration Files

    tc Server value-add

    Problem: passwords for accessing resources such as database servers appear in cleartext in tc Server configuration files.

    Can only use encryption by interacting with tc Server at startup time, e.g. entering key

    Not feasible for production environments

    Imperfect solution is to obfuscate password by one of:

    Encoding in base64

    Encoding with specific passphrase

    Encoding with passphrase stored in separate file from encoded version

    Encoding with passphrase entered when tc Server is started

    Not often practical in production


    Obfuscating Passwords in Configuration Files (cont.)

    Enter either directly in config file (e.g. server.xml) or using a variable (and variable value entered in conf/catalina.properties).

    Use Java class in tc Server runtime directory to obtain value:

        % cd /opt/vmware/vfabric-tc-server-standard/tomcat-7.0.27.A.RELEASE
        % java -cp lib/tcServer.jar:bin/tomcat-juli.jar:lib/tomcat-coyote.jar \
            com.springsource.tcserver.security.PropertyDecoder -encode base64 mypassword

    In catalina.properties, have the following precede the variable value, like:

        org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.springsource.tcserver.security.PropertyDecoder
        com.springsource.tcserver.security.PropertyDecoder.passphrase=base64
        db.password=s2enc://bXlwYXNzd29yZA==
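    The mechanism on this slide, as an added Python example that is not part of the deck or of tc Server: a small reader for the catalina.properties lines above that reverses the base64 form of s2enc:// values and expands ${...} references in a constructed server.xml Resource element, the way Tomcat's PROPERTY_SOURCE hook does. Only the base64 mode is modelled; the format the real PropertyDecoder uses for passphrase-keyed encoding is not on the page and is not reproduced. The db.user and ldap.password entries and the Resource element are constructed for the example. The point for a defender is the one the slide makes: base64 is reversible by anyone who can read the file, so the file's ownership and mode, and actually wiring the decoder in as PROPERTY_SOURCE, carry the weight.

```python
import base64
import re
from typing import Dict, List

# Constructed sample modelled on the slide's catalina.properties; db.user and
# ldap.password are added here to show a mix of encoded and cleartext values.
SAMPLE_PROPERTIES = """\
org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.springsource.tcserver.security.PropertyDecoder
com.springsource.tcserver.security.PropertyDecoder.passphrase=base64
db.user=appuser
db.password=s2enc://bXlwYXNzd29yZA==
ldap.password=hunter2
"""

# Constructed server.xml fragment: Tomcat's digester expands ${name} in attribute
# values through the configured PROPERTY_SOURCE.
SAMPLE_SERVER_XML = (
    '<Resource name="jdbc/app" auth="Container" type="javax.sql.DataSource" '
    'username="${db.user}" password="${db.password}"/>'
)

PROPERTY_SOURCE_KEY = "org.apache.tomcat.util.digester.PROPERTY_SOURCE"
DECODER_CLASS = "com.springsource.tcserver.security.PropertyDecoder"
PASSPHRASE_KEY = DECODER_CLASS + ".passphrase"
ENCODED_PREFIX = "s2enc://"
SECRET_HINTS = ("password", "passwd", "secret", "credential")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments,
    no escapes or line continuations (enough for the slide's file)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def encode_base64(password: str) -> str:
    """What 'PropertyDecoder -encode base64 mypassword' yields on the slide:
    plain base64 behind the s2enc:// prefix, with no key involved."""
    return ENCODED_PREFIX + base64.b64encode(password.encode("utf-8")).decode("ascii")


def decode_value(value: str, passphrase: str) -> str:
    """Reverse of encode_base64 for passphrase=base64. The keyed modes of the real
    decoder use a format not shown on the page and are not modelled (assumption)."""
    if not value.startswith(ENCODED_PREFIX):
        return value
    if passphrase != "base64":
        raise ValueError("only passphrase=base64 is modelled in this example")
    return base64.b64decode(value[len(ENCODED_PREFIX):]).decode("utf-8")


def resolve_properties(text: str) -> Dict[str, str]:
    """Decode s2enc:// values only when the decoder is wired in as PROPERTY_SOURCE;
    otherwise the literal 's2enc://...' string is what the application receives."""
    props = parse_properties(text)
    if props.get(PROPERTY_SOURCE_KEY) != DECODER_CLASS:
        return props
    passphrase = props.get(PASSPHRASE_KEY, "")
    return {k: decode_value(v, passphrase) for k, v in props.items()}


def expand_placeholders(xml_text: str, resolved: Dict[str, str]) -> str:
    """Substitute ${name} references in an XML fragment; unknown names are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: resolved.get(m.group(1), m.group(0)), xml_text)


def cleartext_secrets(text: str) -> List[str]:
    """Defender check: keys that look like secrets but carry a bare value. Since the
    encoding is reversible, this is a consistency check, not a confidentiality one."""
    props = parse_properties(text)
    return sorted(k for k, v in props.items()
                  if any(h in k.lower() for h in SECRET_HINTS)
                  and not v.startswith(ENCODED_PREFIX)
                  and k != PASSPHRASE_KEY)


if __name__ == "__main__":
    resolved = resolve_properties(SAMPLE_PROPERTIES)
    print(expand_placeholders(SAMPLE_SERVER_XML, resolved))
    print("cleartext secrets:", cleartext_secrets(SAMPLE_PROPERTIES))
```

    resolve_properties deliberately returns the raw values when the PROPERTY_SOURCE line is missing, because that is the failure mode seen in practice: the connection pool then tries to authenticate with the literal s2enc:// string and the error looks like a wrong password rather than a missing property source.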


    Hyperic Overview and Configuration


    Hyperic is tc Server Console

    Monitor tc Server instances

    Collect performance metrics

    Trigger alerts

    Manage tc Server instances

    Start/Stop/Restart

    Change configuration

    Deploy/Undeploy applications

    Not Specific to tc Server

    Hyperic is a general enterprise management / monitoring tool.

    Monitors anything for which there is a plugin

    Java programs through JMX

    Manage multiple tc Server instances through Hyperic groups


    Hyperic Components

    Server

    Central process providing web interface for management/monitoring

    Implemented as tc Server web application

    Database

    Server's data store

    Can be PostgreSQL, MySQL, or Oracle

    PostgreSQL for smaller POC environments

    Agent

    One running on each managed system

    Communicates bidirectionally with server

    Command line interface

    Allows scripting of Hyperic commands and operations

    Works through same Web services interface so operations are logged the same way as through the GUI


    Hyperic Production Deployment


    Key Interactions Between tc Server and Hyperic

    Users and permissions

    Don't run Hyperic agent as root, but

    Hyperic agent must run as user with suitable permissions:

    Modify tc Server configuration files: /var/opt/vmware/tcserver-standard/*

    Kill tc Server process

    Can be configured to use sudo command so that Hyperic agent doesn't need to run as root

    JMX

    Hyperic agent must be able to log in to tc Server remote JMX server


    vFabric Administration Server

    New alternative to Hyperic for managing tc Server and web applications

    Similar agent / server architecture

    Server is tc Server instance combined with RabbitMQ broker

    Manages RabbitMQ and GemFire as well

    REST API

    Facilitates scaling of applications through group model

    Single system image for all nodes in group

    Easily perform operations across a group

    http://www.vmware.com/support/developer/vas/rest-api-1.0.0.RELEASE/index.html


    Web Application Deployment


    Web Application Deployment and Management

    Hyperic provides UI for deploying applications

    Group tc Server instances for one-step cluster deployment

    Tomcat 7 includes versioned deployment

    Zero-downtime application updates

    LDAP Authentication and single-sign-on


    Control Tab for TC Runtime Resource


    Webapp Management

    Accessed through Application Management view

    Deploy (via uploaded or local war file), start, stop, undeploy


    Scripted Deployment Through Hyperic

    Download tc Server Command-line Interface from Hyperic Admin tab

    Create $HOME/.hq/client.properties with resource settings to connect to Hyperic Server (target system, user, password)

    Run bin/tcsadmin[.sh|.bat]

    http://pubs.vmware.com/vfabric51/topic/com.vmware.vfabric.tc-server.2.7/admin/cli.html for documentation


    Versioned webapp Deployment

    Added to Tomcat 7 so present in any version of tc Server >= 2.5

    Developed and contributed by VMware employees

    Allows zero-downtime deployment of new versions

    Automatically handles session transition


    The Versioning Mechanism

    Works via string appended to webapp context name

    app##01.war for instance

    Versions compared via String comparison

    app##11 is earlier than app##2

    Recommended to use leading zeroes


    Context Examples

    Context Path   Context Version   Context Name   Base filename
    /foo           None              /foo           foo
    /foo/bar       None              /foo/bar       foo#bar
    Empty String   None              Empty String   ROOT
    /foo           42                /foo##42       foo##42
    /foo/bar       42                /foo/bar##42   foo#bar##42
    Empty String   42                ##42           ROOT##42


    Session Handling

    New requests go to latest version of app

    If request has non-expired session information, then route to matching version

    If matching version is no longer deployed, route to latest version
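    The three versioning slides (mechanism, context-name table, session handling), as one added Python example that is not from the deck or from Tomcat's source: the base-filename mapping from the table, the plain String comparison that makes app##11 sort before app##2, a check that flags version sets which need leading zeroes, the session-routing rule, and which old versions can be undeployed once their sessions have drained. The version lists used are constructed.

```python
from typing import Iterable, List, Optional, Set, Tuple

VERSION_SEP = "##"
UNVERSIONED = ""  # a context with no version behaves as version "", which sorts first


def base_filename(context_path: str, version: Optional[str]) -> str:
    """Context path + optional version -> base filename (last column of the table):
    '/' inside the path becomes '#', the empty path becomes ROOT."""
    name = "ROOT" if context_path == "" else context_path.lstrip("/").replace("/", "#")
    return name if version is None else f"{name}{VERSION_SEP}{version}"


def context_name(context_path: str, version: Optional[str]) -> str:
    """Context path + optional version -> context name (third column of the table)."""
    return context_path if version is None else f"{context_path}{VERSION_SEP}{version}"


def parse_base_filename(filename: str) -> Tuple[str, Optional[str]]:
    """Inverse mapping, e.g. 'foo#bar##42.war' -> ('/foo/bar', '42')."""
    if filename.endswith(".war"):
        filename = filename[: -len(".war")]
    name, sep, version = filename.partition(VERSION_SEP)
    path = "" if name == "ROOT" else "/" + name.replace("#", "/")
    return path, (version if sep else None)


def latest_version(versions: Iterable[str]) -> str:
    """Versions are compared as plain strings, so '11' < '2' while '02' < '11'."""
    return max(versions)


def ordering_warnings(versions: Iterable[str]) -> List[str]:
    """Flag version sets whose string order differs from their numeric order,
    i.e. where the deployment you think is newest would not be treated as latest."""
    vs = [v for v in versions if v != UNVERSIONED]
    if not all(v.isdigit() for v in vs):
        return ["non-numeric version strings; numeric intent cannot be checked"]
    as_strings, as_numbers = sorted(vs), sorted(vs, key=int)
    if as_strings != as_numbers:
        return [f"string order {as_strings} differs from numeric order {as_numbers}: "
                "pad with leading zeroes"]
    return []


def route(session_version: Optional[str], deployed_versions: Iterable[str]) -> str:
    """Session-handling rules from the slide: a request with a non-expired session
    goes to the version that created it if still deployed; all else goes to latest."""
    deployed = list(deployed_versions)
    if session_version is not None and session_version in deployed:
        return session_version
    return latest_version(deployed)


def undeployable(deployed_versions: Iterable[str], live_session_versions: Set[str]) -> List[str]:
    """Old versions that can be undeployed without breaking a live session: every
    version except the latest that no non-expired session still references."""
    deployed = list(deployed_versions)
    latest = latest_version(deployed)
    return sorted(v for v in deployed if v != latest and v not in live_session_versions)


if __name__ == "__main__":
    print(base_filename("/foo/bar", "42"), context_name("", "42"))
    print(latest_version(["11", "2"]), ordering_warnings(["1", "2", "11"]))
    print(route("01", ["02", "03"]), undeployable(["01", "02", "03"], {"02"}))
```

    Running ordering_warnings over the version suffixes already present in an instance's webapps directory before dropping in a new WAR is the cheap way to catch the app##11-before-app##2 surprise the slide warns about.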


    tc Server Instance Deployment


    tc Server Instance Deployment Variations

    Common use case is to use vFabric Web Server (or Apache Web Server) as a software load-balancer

    mod_proxy or mod_jk

    Terminate SSL at Web server to get native performance

    Restrict network connections to tc Server

    Clustering for high-availability

    Tomcat-provided or GemFire HTTP Session Management Module


    Communications Between Apache and tc Server

    Choose between mod_proxy_* and mod_jk

    Protocol for mod_proxy is http

    Protocol for mod_jk is AJP

    Four basic rules:

    If encryption needed to tc Server, then choose mod_proxy_http

    If application needs SSL information, then use mod_jk

    Go with what you know

    Configuration of mod_proxy_http is consistent with rest of Apache.

    http://www.tomcatexpert.com/blog/2010/06/16/deciding-between-modjk-modproxyhttp-and-modproxyajp


    Performance Tuning


    Performance Tuning

    Tuning process

    Measure

    Tweak (one at a time, please)

    Rinse, repeat

    Primary tuning possibilities

    Heap configuration

    Thread pool size

    Database connection pool size

    I/O Connectors (BIO, NIO, APR)

    Performance is primarily a characteristic of the application

    Spring Insight and AppInsight for detailed views

    Virtualization impacts

    EM4J


    Security


    Where to Find Help


    Where to Find Help

    vFabric Documentation Center

    http://pubs.vmware.com/vfabric51/index.jsp

    vFabric Blogs

    http://blogs.vmware.com/vfabric/

    Tomcat Expert

    www.tomcatexpert.com

    Twitter

    ChanningBe

    Questions


    Questions
