Installing Persistent Mobile Foundation Server to an application server
Overview
The installation of the components can be done by using Ant Tasks. Find out the prerequisite and the details about the installation process so that you can install the components on the application server successfully.
Before you proceed with installing the components to the application server, ensure that the databases and the tables for the components are prepared and ready to use. For more information, see Setting up databases.
The server topology to install the components must also be defined. See Topologies and network flows.
Jump to
- PMF Application server prerequisites
- Installing with Ant tasks
- Installing the PMF components manually
- Installing a server farm
- Persistent Mobile Foundation runtime scheduler
PMF Application server prerequisites
Depending on your choice of the application server, select one of the following topics to find out the prerequisites that you must fulfill before you install the PMF components.
Apache Tomcat prerequisites
Persistent Mobile Foundation Server has some requirements for the configuration of Apache Tomcat that are detailed in the following topics.
Ensure that you fulfill the following criteria:
- Use a supported version of Apache Tomcat. See System requirements.
- Apache Tomcat must be run with JRE 17.0 or later.
- The JMX configuration must be enabled to allow the communication between the administration service and the runtime component. The communication uses RMI as described in Configuring JMX connection for Apache Tomcat below.
You must configure a secure JMX connection for Apache Tomcat application server.
The Ant tasks can configure a default secure JMX connection, which includes the definition of a JMX remote port, and the definition of authentication properties. They modify tomcat_install_dir/bin/setenv.bat and tomcat_install_dir/bin/setenv.sh to add these options to CATALINA_OPTS:
Note: 8686 is a default value. The value for this port can be changed if the port is not available on the computer.
- The setenv.bat file is used if you start Apache Tomcat with tomcat_install_dir/bin/startup.bat, or tomcat_install_dir/bin/catalina.bat.
- The setenv.sh file is used if you start Apache Tomcat with tomcatInstallDir/bin/startup.sh, or tomcat_install_dir/bin/catalina.sh.
This file might not be used if you start Apache Tomcat with another command. If you installed the Apache Tomcat Windows Service Installer, the service launcher does not use setenv.bat.
Important: This configuration is not secure by default. To secure the configuration, you must manually complete steps 2 and 3 of the following procedure.
Manually configuring Apache Tomcat:
- For a simple configuration, add the following options to CATALINA_OPTS:
- To activate authentication, see the Apache Tomcat user documentation SSL Support - BIO and NIO and SSL Configuration HOW-TO.
- For a JMX configuration with SSL enabled, add the following options: Note: The port 8686 can be changed.
-
If the Tomcat instance is running behind a firewall, the JMX Remote Lifecycle Listener must be configured. See the Apache Tomcat documentation for JMX Remote Lifecycle Listener.
The following environment properties must also be added to the Context section of the administration service application in the server.xml file, such as in the following example:
In the previous example:- registryPort must have the same value as the rmiRegistryPortPlatform attribute of the JMX Remote Lifecycle Listener.
- serverPort must have the same value as the rmiServerPortPlatform attribute of the JMX Remote Lifecycle Listener.
- If you installed Apache Tomcat with the Apache Tomcat Windows Service Installer instead of adding the options to CATALINA_OPTS, run tomcat_install_dir/bin/Tomcat7w.exe, and add the options in the Java tab of the Properties window.
WebSphere Application Server Liberty prerequisites
Persistent Mobile Foundation has some requirements for the configuration of the Liberty server that are detailed in the following topics.
Ensure that you fulfill the following criteria:
- Use a supported version of Liberty. See System requirements.
- Liberty must be run with JRE 17.0 or later.
- JMX must be configured as documented in Configuring JMX connection for WebSphere Application Server Liberty profile below.
- For an installation in a production environment, you might want to start the Liberty server as a service on Windows, Linux, or UNIX systems so that: The PMF components are started automatically when the computer starts. The process that runs Liberty server is not stopped when the user, who started the process, logs out.
PMF requires the secure JMX connection to be configured.
- The Ant tasks can configure a default secure JMX connection, which includes the generation of a self-signed SSL certificate with a validity period of 365 days. This configuration is not intended for production use.
- The rest-connector is available for Liberty Core, and other editions of Liberty, but it is possible to package a Liberty server with a subset of the available features. To verify that the rest-connector feature is available in your installation of Liberty, enter the following command: Note: Verify that the output of this command contains restConnector-1.0.
File system prerequisites
To install PMF to an application server, the ant tasks must be run by a user that has specific file system privileges.
For WebSphere Application Server Liberty profile, you must have the required permission to perform the following actions:
- Read the files in the Liberty installation directory.
- Create files in the configuration directory of the Liberty server, which is typically usr/servers/server-name, to create backup copies and modify server.xml and jvm.options.
- Create files and directories in the Liberty shared resource directory, which is typically usr/shared.
- Create files in the Liberty server apps directory, which is typically usr/servers/server-name/apps.
For Apache Tomcat, you must have the required permission to perform the following actions:
- Read the configuration directory.
- Create backup files and modify files in the configuration directory, such as server.xml, and tomcat-users.xml.
- Create backup files and modify files in the bin directory, such as setenv.bat.
- Create files in the lib directory.
- Create files in the webapps directory.
Installing with Ant tasks
Use Ant tasks to install the PMF components to your application server.
You can find the sample configuration files for installing PMF in the pmf_install_dir/MobileFoundationServer/configuration-samples directory.
You can configure the PMF services to run in server farm with Ant tasks. To include your server in a farm, you need to specify some specific attributes that configure your application server accordingly. For more information about configuring a server farm with Ant tasks, see Installing a server farm with Ant tasks.
For other topologies that are supported in Topologies and network flows, you can modify the sample Ant files.
The references to the Ant tasks are as follows:
- Ant tasks for installation of PMF Operations Console, PMF artifacts, PMF administration, and live update services
- Ant tasks for installation of PMF push service
- Ant tasks for installation of PMF runtime environments
For an overview of installing with the sample configuration file and tasks, see Installing PMF in command line mode.
Applying a fix pack by using the Ant files
Updating with the sample Ant file
If you use the sample Ant files that are provided in the pmf_install_dir/MobileFoundationServer/configuration-samples directory to install PMF, you can reuse a copy of this Ant file to apply a fix pack. For password values, you can enter 12 stars (*) instead of the actual value, to be prompted interactively when the Ant file is run.
Edit the copy of the XML file and set the values of the following properties:
-
mfp.admin.contextroot : /mfpadmin
-
mfp.runtime.contextroot : /mfp
-
database.oracle.host : host name of the computer that runs your oracle database. If the database is on the same computer, use localhost.
-
database.oracle.port : the port to which the oracle instance is listening. By default, it is 1521.
-
database.oracle.driver : oracle jdbc driver.
-
database.oracle.mfp.dbname : PMF database name.
-
database.oracle.mfp.schema : provide PMF database schema name
-
database.oracle.mfp.username : PMF oracle user.
-
appserver.was.installdir : the WebSphere installation directory.
-
appserver.was.admin.name : administrator of the WAS server.
-
appserver.was.profile : name of the WAS profile.
-
appserver.was.serverInstance : name of the WAS server.
-
mfp.farm.configure : false if PMF is in stand-alone mode.
-
mfp.analytics.configure : true. If PMF using analytics.
-
mfp.analytics.receiver.configure : true. If PMF using analytics receiver
-
mfp.admin.client.id : PMF admin client id.
-
mfp.admin.client.secret : PMF admin secret.
-
mfp.push.client.id : PMF push client id.
-
mfp.push.client.secret : PMF push secret.
-
mfp.config.admin.user : PMF config admin user.
-
mfp.config.admin.password : PMF config admin password.
-
mfp.admin.console.install : true
-
mfp.admin.default.user : PMF Operations Console user.
-
mfp.admin.default.user.initialpassword : PMF Operations Console password.
-
Verify the value of the mfp.server.install.dir property in the Ant file. It must point to the directory that contains the product with the fix pack applied. This value is used to take the updated PMF WAR files.
-
Run pmf_install_dir/tools/apache-ant-1.9.4/bin ant -f file-path/configure-was-oracle.xml to show a list of possible targets for the Ant file.
-
Run pmf_install_dir/tools/apache-ant-1.9.4/bin ant -f file-path /configure-was-oracle.xml update to update Persistent Mobile Foundation Server.
-
After the migration is completed, you can use this procedure to test the components that are updated.
-
Start the profile by using the command ./server start pmf1
. You can test PMF Operations Console on a web browser. Go to http://host:port/mfpconsole
Updating with own Ant file
If you use your own Ant file, make sure that for each installation task (installpmfadmin, installpmfruntime, and installpmfpush), you have a corresponding update task in your Ant file with the same parameters. The corresponding update tasks are updatepmfadmin, updatepmfruntime, and updatepmfpush.
- Verify the class path of the taskdef element for the mfp-ant-deployer.jar file. It must point to the mfp-ant-deployer.jar file in an PMF installation that the fix pack is applied. By default, the updated PMF WAR files are taken from the location of mfp-ant-deployer.jar.
- Run the update tasks (updatepmfadmin, updatepmfruntime, and updatepmfpush) of your Ant file.
Sample Ant files modifications
You can modify the sample Ant files that are provided in the pmf_install_dir/MobileFoundationServer/configuration-samples directory to adapt to your installation requirements.
The following sections provide the details on how you can modify the sample Ant files to adapt the installation to your needs:
- Specify extra JNDI properties
- Specify existing users
- Specify Liberty Java EE level
- Specify data source JDBC properties
- Run the Ant files on a computer where PMF is not installed
- Manual configuration of the RMI port on Apache Tomcat
Specify extra JNDI properties
The installpmfadmin, installpmfruntime, and installpmfpush Ant tasks declare the values for the JNDI properties that are required for the components to function. These JNDI properties are used to define the JMX communication, and also the links to other components (such the live update service, the push service, the analytics service, or the authorization server). However, you can also define values for other JNDI properties. Use the <property>
element that exists for these three tasks. For a list of JNDI properties, see:
- List of JNDI properties for PMF administration service
- List of JNDI properties for PMF push service
- List of JNDI properties for PMF runtime
For example:
<installpmfadmin ..>
<property name="mfp.admin.actions.prepareTimeout" value="3000000"/>
</installpmfadmin>
Specify existing users
By default, the installpmfadmin Ant task creates users:
- On WebSphere Application Server Liberty to define a Liberty administrator for the JMX communication.
- On any application server, to define a user that is used for the communication with the live update service.
To use an existing user instead of creating new user, you can do the following operations:
-
In the
<jmx>
element, specify a user and password, and set the value of the createLibertyAdmin attribute to false. For example:<installpmfadmin ...> <jmx libertyAdminUser="myUser" libertyAdminPassword="password" createLibertyAdmin="false" /> ...
-
In the
<configuration>
element, specify a user and password and set the value of the createConfigAdminUser attribute to false. For example:<installpmfadmin ...> <configuration configAdminUser="myUser" configAdminPassword="password" createConfigAdminUser="false" /> ...
Also, the user that is created by the sample Ant files is mapped to the security roles of the administration service and the console. With this setting, you can use this user to log on to PMF after the installation. To change that behavior, remove the <user>
element from the sample Ant files. Alternatively, you can remove the password attribute from the <user>
element, and the user is not created in the local registry of the application server.
Specify Liberty Java EE level
Some distributions of WebSphere Application Server Liberty support features from Java EE 17. By default, the Ant tasks automatically detect the features to install. For example, jdbc-4.1 feature is installed in case of Java EE 17.
Specify data source JDBC properties
You can specify the properties for the JDBC connection. Use the <property>
element of a <database>
element. The element is available in configureDatabase, installpmfadmin, installpmfruntime, and installpmfpush Ant tasks. For example:
<configuredatabase kind="MobileFirstAdmin">
<db2 database="${database.db2.mfpadmin.dbname}"
server="${database.db2.host}"
instance="${database.db2.instance}"
user="${database.db2.mfpadmin.username}"
port= "${database.db2.port}"
schema = "${database.db2.mfpadmin.schema}"
password="${database.db2.mfpadmin.password}">
<property name="commandTimeout" value="10"/>
</db2>
Run the Ant files on a computer where PMF is not installed
To run the Ant tasks on a computer where PMF is not installed, you need the following items:
- An Ant installation
- A copy of the mfp-ant-deployer.jar file to the remote computer. This library contains the definition of the Ant tasks.
- To specify the resources to be installed. By default, the WAR files are taken near the mfp-ant-deployer.jar, but you can specify the location of these WAR files. For example:
<installpmfadmin execute="true" contextroot="/mfpadmin" serviceWAR="/usr/mfp/mfp-admin-service.war">
<console install="true" warFile="/usr/mfp/mfp-admin-ui.war"/>
For more information, see the Ant tasks to install each PMF component at Installation reference.
Manual configuration of the RMI port on Apache Tomcat
By default, the Ant tasks modify the setenv.bat file or the setenv.sh file to open the RMI port. If you prefer to open the RMI port manually, add the tomcatSetEnvConfig attribute with the value as false to the <jmx>
element of the installpmfadmin, updatepmfadmin, and uninstallpmfadmin tasks.
Installing the PMF components manually
You can also install the PMF components to your application server manually.
The following topics provide you the complete information to guide you through the installing process of the components on the supported applications in production.
- Manual installation on WebSphere Application Server Liberty
- Manual installation on WebSphere Application Server Liberty collective
- Manual installation on Apache Tomcat
Manual installation on WebSphere Application Server Liberty
Make sure that you have also fulfilled the requirements as documented in WebSphere Application Server Liberty prerequisites.
- Topology constraints
- Application server settings
- Liberty features required by the PMF applications
- Global JNDI entries
- Class loader
- Password decoder user feature
- Configuration details
Topology constraints
The PMF administration service, the PMF live update service, and the Persistent Mobile Foundation runtime must be installed on the same application server. The context root of the live update service must be defined as the-adminContextRootconfig. The context root of the push service must be imfpush. For more information about the constraints, see Constraints on the PMF components and Persistent Mobile Foundation Analytics.
Application server settings
You must configure the webContainer element to load the servlets immediately. This setting is required for the initialization through JMX. For example: <webContainer deferServletLoad="false"/>
.
Optionally, to avoid timeout issues that break the startup sequence of the runtime and the administration service on some Liberty versions, change the default executor element. Set large values to the coreThreads and maxThreads attributes. For example:
<executor id="default" name="LargeThreadPool"
coreThreads="200" maxThreads="400" keepAlive="60s"
stealPolicy="STRICT" rejectedWorkPolicy="CALLER_RUNS"/>
You might also configure the tcpOptions element and set the soReuseAddr attribute to true
: <tcpOptions soReuseAddr="true"/>
.
Liberty features required by the PMF applications
You can use the following features for Java EE 17.
PMF administration service
- jdbc-4.1
- appSecurity-2.0
- restConnector-1.0
- usr:MFPDecoderFeature-1.0
PMF push service
- jdbc-4.1
- servlet-3.1
- ssl-1.0
- usr:MFPDecoderFeature-1.0
PMF runtime
- jdbc-4.1
- servlet-3.1
- ssl-1.0
- usr:MFPDecoderFeature-1.0
Global JNDI entries
The following global JNDI entries are required to configure the JMX communication between the runtime and the administration service:
- mfp.admin.jmx.host
- mfp.admin.jmx.port
- mfp.admin.jmx.user
- mfp.admin.jmx.pwd
- mfp.topology.platform
- mfp.topology.clustermode
These global JNDI entries are set with this syntax and are not prefixed by a context root. For example: <jndiEntry jndiName="mfp.admin.jmx.port" value="9443"/>
.
Note: To protect against an automatic conversion of the JNDI values, so that 075 is not converted to 61 or 31.500 is not converted to 31.5, use this syntax ‘“075”’ when you define the value.
For more information about the JNDI properties for the administration service, see List of JNDI properties for PMF administration service.
For a farm configuration, see also the following topics:
Class loader
For all applications, the class loader must have the parent last delegation. For example:
<application id="mfpadmin" name="mfpadmin" location="mfp-admin-service.war" type="war">
[...]
<classloader delegation="parentLast">
</classloader>
</application>
Password decoder user feature
Copy the password decoder user feature to your Liberty profile. For example:
-
On UNIX and Linux systems:
mkdir -p LIBERTY_HOME/wlp/usr/extension/lib/features cp product_install_dir/features/com.ibm.websphere.crypto_1.0.0.jar LIBERTY_HOME/wlp/usr/extension/lib/ cp product_install_dir/features/MFPDecoderFeature-1.0.mf LIBERTY_HOME/wlp/usr/extension/lib/features/
-
On Windows systems:
mkdir LIBERTY_HOME\wlp\usr\extension\lib copy /B product_install_dir\features\com.ibm.websphere.crypto_1.0.0.jar LIBERTY_HOME\wlp\usr\extension\lib\com.ibm.websphere.crypto_1.0.0.jar mkdir LIBERTY_HOME\wlp\usr\extension\lib\features copy /B product_install_dir\features\MFPDecoderFeature-1.0.mf LIBERTY_HOME\wlp\usr\extension\lib\features\MFPDecoderFeature-1.0.mf
Configuration details
The administration service is packaged as a WAR application for you to deploy to the application server. You need to make some specific configurations for this application in the server.xml file. The administration service WAR file is in pmf_install_dir/MobileFoundationServer/mfp-admin-service.war. You can define the context root as you want. However, usually it is /mfpadmin.
Mandatory JNDI properties
When you define the JNDI properties, the JNDI names must be prefixed with the context root of the administration service. The following example illustrates the case to declare mfp.admin.push.url whereby the administration service is installed with /mfpadmin as the context root:
If the push service is installed, you must configure the following JNDI properties:
- mfp.admin.push.url
- mfp.admin.authorization.server.url
- mfp.push.authorization.client.id
- mfp.push.authorization.client.secret
- mfp.admin.authorization.client.id
- mfp.admin.authorization.client.secret
The JNDI properties for the communication with the configuration service are as follows:
- mfp.config.service.user
- mfp.config.service.password
For more information about the JNDI properties, see List of JNDI properties for PMF administration service.
Data source
The JNDI name of the data source for the administration service must be defined as jndiName=the-contextRoot/jdbc/mfpAdminDS. The following example illustrates the case whereby the administration service is installed with the context root /mfpadmin, and that the service is using a relational database:
Declare the following roles in the application-bnd element of the application:
- mfpadmin
- mfpdeployer
- mfpmonitor
- mfpoperator
The live update service is packaged as a WAR application for you to deploy to the application server. You need to make some specific configurations for this application in the server.xml file. Before you proceed, review Manual installation on WebSphere Application Server Liberty for the configuration details that are common to all services.
The live update service WAR file is in pmf_install_dir/MobileFoundationServer/mfp-live-update.war. The context root of the live update service must define in this way: /the-adminContextRootconfig. For example, if the context root of the administration service is /mfpadmin, then the context root of the live update service must be /mfpadminconfig.
Data source
The JNDI name of the data source for the live update service must be defined as the-contextRoot/jdbc/ConfigDS. The following example illustrates the case whereby the live update service is installed with the context root /mfpadminconfig, and that the service is using a relational database:
Declare the configadmin role in the application-bnd element of the application. At least one user must be mapped to this role. The user and its password must be provided to the following JNDI properties of the administration service:
- mfp.config.service.user
- mfp.config.service.password
The console is packaged as a WAR application for you to deploy to the application server. You need to make some specific configurations for this application in the server.xml file. Before you proceed, review Manual installation on WebSphere Application Server Liberty for the configuration details that are common to all services.
The console WAR file is in pmf_install_dir/MobileFoundationServer/mfp-admin-ui.war. You can define the context root as you want. However, usually it is /mfpconsole.
Mandatory JNDI properties
When you define the JNDI properties, the JNDI names must be prefixed with the context root of the console. The following example illustrates the case to declare mfp.admin.endpoint whereby the console is installed with /mfpconsole as the context root:
The typical value for the mfp.admin.endpoint property is *://*:*/the-adminContextRoot.
For more information about the JNDI properties, see JNDI properties for PMF Operations Console.
Security roles
Declare the following roles in the application-bnd element of the application:
- mfpadmin
- mfpdeployer
- mfpmonitor
- mfpoperator
The runtime is packaged as a WAR application for you to deploy to the application server. You need to make some specific configurations for this application in the server.xml file. Before you proceed, review Manual installation on WebSphere Application Server Liberty for the configuration details that are common to all services.
The runtime WAR file is in pmf_install_dir/MobileFoundationServer/mfp-server.war. You can define the context root as you want. However, it is /mfp by default.
Mandatory JNDI properties
When you define the JNDI properties, the JNDI names must be prefixed with the context root of the runtime. The following example illustrates the case to declare mfp.analytics.url whereby the runtime is installed with /mobilefirst as the context root:
You must define the mobilefirst/mfp.authorization.server property. For example:
If Persistent Mobile Foundation Analytics is installed, you need to define the following JNDI properties:
- mfp.analytics.url
- mfp.analytics.console.url
- mfp.analytics.username
- mfp.analytics.password
For more information about the JNDI properties, see List of JNDI properties for PMF runtime.
Data source
The JNDI name of the data source for the runtime must be defined as jndiName=the-contextRoot/jdbc/mfpDS. The following example illustrates the case whereby the runtime is installed with the context root /mobilefirst, and that the runtime is using a relational database:
The push service is packaged as a WAR application for you to deploy to the application server. You need to make some specific configurations for this application in the server.xml file. Before you proceed, review Manual installation on WebSphere Application Server Liberty for the configuration details that are common to all services.
The push service WAR file is in pmf_install_dir/PushService/mfp-push-service.war. You must define the context root as /imfpush. Otherwise, the client devices cannot connect to it as the context root is hardcoded in the SDK.
Mandatory JNDI properties
When you define the JNDI properties, the JNDI names must be prefixed with the context root of the push service. The following example illustrates the case to declare mfp.push.analytics.user whereby the push service is installed with /imfpush as the context root:
You need to define the following properties:- mfp.push.authorization.server.url
- mfp.push.authorization.client.id
- mfp.push.authorization.client.secret
- mfp.push.services.ext.security - the value must be com.ibm.mfp.push.server.security.plugin.OAuthSecurityPlugin.
- mfp.push.db.type - for a relational database, the value must be DB.
- mfp.push.analytics.endpoint
- mfp.analytics.username
- mfp.analytics.password
- mfp.push.services.ext.analytics - the value must be com.ibm.mfp.push.server.analytics.plugin.AnalyticsPlugin.
The artifacts component is packaged as a WAR application for you to deploy to the application server. You need to make some specific configurations for this application in the server.xml file. Before you proceed, review Manual installation on WebSphere Application Server Liberty for the configuration details that are common to all services.
The WAR file for this component is in pmf_install_dir/MobileFoundationServer/mfp-dev-artifacts.war. You must define the context root as /mfp-dev-artifacts.
Manual installation on WebSphere Application Server Liberty collective
Make sure that you have also fulfilled the requirements as documented in WebSphere Application Server Liberty prerequisites.
- Topology constraints
- Application server settings
- Liberty features required by the PMF applications
- Global JNDI entries
- Class loader
- Password decoder user feature
- Configuration details
Topology constraints
The PMF administration service, the PMF live update service, and PMF Operations Console must be installed in a Liberty collective controller. The PMF runtime and the PMF push service must be installed in every member of the Liberty collective cluster.
The context root of the live update service must be defined as the-adminContextRootconfig. The context root of the push service must be imfpush. For more information about the constraints, see Constraints on the PMF components and Persistent Mobile Foundation Analytics.
Application server settings
You must configure the webContainer element to load the servlets immediately. This setting is required for the initialization through JMX. For example: <webContainer deferServletLoad="false"/>
.
Optionally, to avoid timeout issues that break the startup sequence of the runtime and the administration service on some Liberty versions, change the default executor element. Set large values to the coreThreads and maxThreads attributes. For example:
<executor id="default" name="LargeThreadPool"
coreThreads="200" maxThreads="400" keepAlive="60s"
stealPolicy="STRICT" rejectedWorkPolicy="CALLER_RUNS"/>
You might also configure the tcpOptions element and set the soReuseAddr attribute to true
: <tcpOptions soReuseAddr="true"/>
.
Liberty features required by the PMF applications
You need to add the following features for Java EE 17.
PMF administration service
- jdbc-4.1
- appSecurity-2.0
- restConnector-1.0
- usr:MFPDecoderFeature-1.0
PMF push service
- jdbc-4.1
- servlet-3.1
- ssl-1.0
- usr:MFPDecoderFeature-1.0
PMF runtime
- jdbc-4.1
- servlet-3.1
- ssl-1.0
- usr:MFPDecoderFeature-1.0
Global JNDI entries
The following global JNDI entries are required to configure the JMX communication between the runtime and the administration service:
- mfp.admin.jmx.host
- mfp.admin.jmx.port
- mfp.admin.jmx.user
- mfp.admin.jmx.pwd
- mfp.topology.platform
- mfp.topology.clustermode
- mfp.admin.serverid
These global JNDI entries are set with this syntax and are not prefixed by a context root. For example: <jndiEntry jndiName="mfp.admin.jmx.port" value="9443"/>
.
Note: To protect against an automatic conversion of the JNDI values, so that 075 is not converted to 61 or 31.500 is not converted to 31.5, use this syntax ‘“075”’ when you define the value.
- For more information about the JNDI properties for the administration service, see List of JNDI properties for PMF administration service.
- For more information about the JNDI properties for the runtime, see List of JNDI properties for PMF runtime.
Class loader
For all applications, the class loader must have the parent last delegation. For example:
<application id="mfpadmin" name="mfpadmin" location="mfp-admin-service.war" type="war">
[...]
<classloader delegation="parentLast">
</classloader>
</application>
Password decoder user feature
Copy the password decoder user feature to your Liberty profile. For example:
-
On UNIX and Linux systems:
mkdir -p LIBERTY_HOME/wlp/usr/extension/lib/features cp product_install_dir/features/com.ibm.websphere.crypto_1.0.0.jar LIBERTY_HOME/wlp/usr/extension/lib/ cp product_install_dir/features/MFPDecoderFeature-1.0.mf LIBERTY_HOME/wlp/usr/extension/lib/features/
-
On Windows systems:
mkdir LIBERTY_HOME\wlp\usr\extension\lib copy /B product_install_dir\features\com.ibm.websphere.crypto_1.0.0.jar LIBERTY_HOME\wlp\usr\extension\lib\com.ibm.websphere.crypto_1.0.0.jar mkdir LIBERTY_HOME\wlp\usr\extension\lib\features copy /B product_install_dir\features\MFPDecoderFeature-1.0.mf LIBERTY_HOME\wlp\usr\extension\lib\features\MFPDecoderFeature-1.0.mf
Configuration details
The administration service is packaged as a WAR application for you to deploy to the Liberty collective controller. You need to make some specific configurations for this application in the server.xml file of the Liberty collective controller.
Before you proceed, review Manual installation on WebSphere Application Server Liberty collective for the configuration details that are common to all services.
The administration service WAR file is in pmf_install_dir/MobileFoundationServer/mfp-admin-service-collective.war. You can define the context root as you want. However, usually it is /mfpadmin.
Mandatory JNDI properties
When you define the JNDI properties, the JNDI names must be prefixed with the context root of the administration service. The following example illustrates the case to declare mfp.admin.push.url whereby the administration service is installed with /mfpadmin as the context root:
If the push service is installed, you must configure the following JNDI properties:
- mfp.admin.push.url
- mfp.admin.authorization.server.url
- mfp.push.authorization.client.id
- mfp.push.authorization.client.secret
- mfp.admin.authorization.client.id
- mfp.admin.authorization.client.secret
The JNDI properties for the communication with the configuration service are as follows:
- mfp.config.service.user
- mfp.config.service.password
For more information about the JNDI properties, see List of JNDI properties for PMF administration service.
Data source
The JNDI name of the data source for the administration service must be defined as jndiName=the-contextRoot/jdbc/mfpAdminDS. The following example illustrates the case whereby the administration service is installed with the context root /mfpadmin, and that the service is using a relational database:
Security roles
Declare the following roles in the application-bnd element of the application:
- mfpadmin
- mfpdeployer
- mfpmonitor
- mfpoperator
The live update service is packaged as a WAR application for you to deploy to the liberty collective controller. You need to make some specific configurations for this application in the server.xml file of the Liberety collective controller.
Before you proceed, review Manual installation on WebSphere Application Server Liberty collective for the configuration details that are common to all services.
The live update service WAR file is in pmf_install_dir/MobileFoundationServer/mfp-live-update.war. The context root of the live update service must define in this way: /the-adminContextRootconfig. For example, if the context root of the administration service is /mfpadmin, then the context root of the live update service must be /mfpadminconfig.
Data source
The JNDI name of the data source for the live update service must be defined as the-contextRoot/jdbc/ConfigDS. The following example illustrates the case whereby the live update service is installed with the context root /mfpadminconfig, and that the service is using a relational database:
Security roles
Declare the configadmin role in the application-bnd element of the application. At least one user must be mapped to this role. The user and its password must be provided to the following JNDI properties of the administration service:
- mfp.config.service.user
- mfp.config.service.password
The console is packaged as a WAR application for you to deploy to the Liberty collective controller. You need to make some specific configurations for this application in the server.xml file of the Liberty collective controller.
Before you proceed, review Manual installation on WebSphere Application Server Liberty for the configuration details that are common to all services.
The console WAR file is in pmf_install_dir/MobileFoundationServer/mfp-admin-ui.war. You can define the context root as you want. However, usually it is /mfpconsole.
Mandatory JNDI properties
When you define the JNDI properties, the JNDI names must be prefixed with the context root of the console. The following example illustrates the case to declare mfp.admin.endpoint whereby the console is installed with /mfpconsole as the context root:
The typical value for the mfp.admin.endpoint property is *://*:*/the-adminContextRoot.
For more information about the JNDI properties, see JNDI properties for PMF Operations Console.
Security roles
Declare the following roles in the application-bnd element of the application:
- mfpadmin
- mfpdeployer
- mfpmonitor
- mfpoperator
The runtime is packaged as a WAR application for you to deploy to the Liberty collective cluster members. You need to make some specific configurations for this application in the server.xml file of every Liberty collective cluster member.
Before you proceed, review Manual installation on WebSphere Application Server Liberty collective for the configuration details that are common to all services.
The runtime WAR file is in pmf_install_dir/MobileFoundationServer/mfp-server.war. You can define the context root as you want. However, it is /mfp by default.
Mandatory JNDI properties
When you define the JNDI properties, the JNDI names must be prefixed with the context root of the runtime. The following example illustrates the case to declare mfp.analytics.url whereby the runtime is installed with /mobilefirst as the context root:
You must define the mobilefirst/mfp.authorization.server property. For example:
If Persistent Mobile Foundation Analytics is installed, you need to define the following JNDI properties:
- mfp.analytics.url
- mfp.analytics.console.url
- mfp.analytics.username
- mfp.analytics.password
For more information about the JNDI properties, see List of JNDI properties for PMF runtime.
Data source
The JNDI name of the data source for the runtime must be defined as jndiName=the-contextRoot/jdbc/mfpDS. The following example illustrates the case whereby the runtime is installed with the context root /mobilefirst, and that the runtime is using a relational database:
The push service is packaged as a WAR application for you to deploy to a Liberty collective cluster member or to a Liberty server. If you install the push service in a Liberty server, see PMF push service configuration details under Manual installation on WebSphere Application Server Liberty.
When the PMF push service is installed in a Liberty collective, it can be installed in the same cluster than the runtime or in another cluster.
You need to make some specific configurations for this application in the server.xml file of every Liberty collective cluster member. Before you proceed, review Manual installation on WebSphere Application Server Liberty collective for the configuration details that are common to all services.
The push service WAR file is in pmf_install_dir/PushService/mfp-push-service.war. You must define the context root as /imfpush. Otherwise, the client devices cannot connect to it as the context root is hardcoded in the SDK.
Mandatory JNDI properties
When you define the JNDI properties, the JNDI names must be prefixed with the context root of the push service. The following example illustrates the case to declare mfp.push.analytics.user whereby the push service is installed with /imfpush as the context root:
You need to define the following properties:- mfp.push.authorization.server.url
- mfp.push.authorization.client.id
- mfp.push.authorization.client.secret
- mfp.push.services.ext.security - the value must be com.ibm.mfp.push.server.security.plugin.OAuthSecurityPlugin.
- mfp.push.db.type - for a relational database, the value must be DB.
- mfp.push.analytics.endpoint
- mfp.analytics.username
- mfp.analytics.password
- mfp.push.services.ext.analytics - the value must be com.ibm.mfp.push.server.analytics.plugin.AnalyticsPlugin.
The artifacts component is packaged as a WAR application for you to deploy to the Liberty collective controller. You need to make some specific configurations for this application in the server.xml file of the Liberty collective controller. Before you proceed, review Manual installation on WebSphere Application Server Liberty for the configuration details that are common to all services.
The WAR file for this component is in pmf_install_dir/MobileFoundationServer/mfp-dev-artifacts.war. You must define the context root as /mfp-dev-artifacts.
Manual installation on Apache Tomcat
Make sure that you have fulfilled the requirements as documented in Apache Tomcat prerequisites.
Topology constraints
The PMF administration service, the PMF live update service, and the PMF runtime must be installed on the same application server. The context root of the live update service must be defined as the-adminContextRootconfig. The context root of the push service must be imfpush. For more information about the constraints, see Constraints on the PMF components and Persistent Mobile Foundation Analytics.
Application server settings
ou must activate the Single Sign On Valve. For example:
<Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
Optionally, you might want to activate the memory realm if the users are defined in tomcat-users.xml. For example:
<Realm className="org.apache.catalina.realm.MemoryRealm"/>
Configuration details
The administration service is packaged as a WAR application for you to deploy to the application server. You need to make some specific configurations for this application in the server.xml file of the application server.
Before you proceed, review Manual installation on Apache Tomcat for the configuration details that are common to all services.
The administration service WAR file is in pmf_install_dir/MobileFoundationServer/mfp-admin-service.war. You can define the context root as you want. However, usually it is /mfpadmin.
Mandatory JNDI properties
The JNDI properties are defined within the Environment
element in the application context. For example:
To enable the JMX communication with the runtime, define the following JNDI properties:
- mfp.topology.platform
- mfp.topology.clustermode
If the push service is installed, you must configure the following JNDI properties:
- mfp.admin.push.url
- mfp.admin.authorization.server.url
- mfp.push.authorization.client.id
- mfp.push.authorization.client.secret
- mfp.admin.authorization.client.id
- mfp.admin.authorization.client.secret
The JNDI properties for the communication with the configuration service are as follows:
- mfp.config.service.user
- mfp.config.service.password
For more information about the JNDI properties, see List of JNDI properties for PMF administration service.
Data source
The data source (jdbc/mfpAdminDS) is declared as a resource in the **Context** element. For example:
Security roles
The security roles available for the administration service application are:
- mfpadmin
- mfpdeployer
- mfpmonitor
- mfpoperator
The live update service is packaged as a WAR application for you to deploy to the application server. You need to make some specific configurations for this application in the server.xml file.
Before you proceed, review Manual installation on Apache Tomcat for the configuration details that are common to all services.
The live update service WAR file is in pmf_install_dir/MobileFoundationServer/mfp-live-update.war. The context root of the live update service must define in this way: /the-adminContextRoot/config. For example, if the context root of the administration service is /mfpadmin, then the context root of the live update service must be /mfpadminconfig.
Data source
The JNDI name of the data source for the live update service must be defined as jdbc/ConfigDS
. Declare it as a resource in the Context
element.
Security roles
The security role available for the live update service application is configadmin.
At least one user must be mapped to this role. The user and its password must be provided to the following JNDI properties of the administration service:
- mfp.config.service.user
- mfp.config.service.password
The console is packaged as a WAR application for you to deploy to the application server. You need to make some specific configurations for this application in the server.xml file of the application server.
Before you proceed, review Manual installation on Apache Tomcat for the configuration details that are common to all services.
The console WAR file is in pmf_install_dir/MobileFoundationServer/mfp-admin-ui.war. You can define the context root as you want. However, usually it is /mfpconsole.
Mandatory JNDI properties
You need to define the mfp.admin.endpoint property. The typical value for this property is *://*:*/the-adminContextRoot.
For more information about the JNDI properties, see JNDI properties for PMF Operations Console.
Security roles
The security roles available for the application are:
- mfpadmin
- mfpdeployer
- mfpmonitor
- mfpoperator
The runtime is packaged as a WAR application for you to deploy to the application server. You need to make some specific configurations for this application in the server.xml file.
Before you proceed, review Manual installation on Apache Tomcat for the configuration details that are common to all services.
The runtime WAR file is in pmf_install_dir/MobileFoundationServer/mfp-server.war. You can define the context root as you want. However, it is /mfp by default.
Mandatory JNDI properties
You must define the mfp.authorization.server property. For example:
To enable the JMX communication with the administration service, define the following JNDI properties:
- mfp.topology.platform
- mfp.topology.clustermode
If Persistent Mobile Foundation Analytics is installed, you need to define the following JNDI properties:
- mfp.analytics.url
- mfp.analytics.console.url
- mfp.analytics.username
- mfp.analytics.password
For more information about the JNDI properties, see List of JNDI properties for PMF runtime.
Data source
The JNDI name of the data source for the runtime must be defined as jdbc/mfpDS. Declare it as a resource in the Context element.
The push service is packaged as a WAR application for you to deploy to the application server. You need to make some specific configurations for this application. Before you proceed, review Manual installation on Apache Tomcat for the configuration details that are common to all services.
The push service WAR file is in pmf_install_dir/PushService/mfp-push-service.war. You must define the context root as /imfpush. Otherwise, the client devices cannot connect to it as the context root is hardcoded in the SDK.
Mandatory JNDI properties
You need to define the following properties:
- mfp.push.authorization.server.url
- mfp.push.authorization.client.id
- mfp.push.authorization.client.secret
- mfp.push.services.ext.security - the value must be com.ibm.mfp.push.server.security.plugin.OAuthSecurityPlugin.
- mfp.push.db.type - for a relational database, the value must be DB.
If Persistent Mobile Foundation Analytics is configured, define the following JNDI properties:
- mfp.push.analytics.endpoint
- mfp.analytics.username
- mfp.analytics.password
- mfp.push.services.ext.analytics - the value must be com.ibm.mfp.push.server.analytics.plugin.AnalyticsPlugin.
The artifacts component is packaged as a WAR application for you to deploy to the application server. You need to make some specific configurations for this application in the server.xml file of the application server. Before you proceed, review Manual installation on Apache Tomcat for the configuration details that are common to all services.
The WAR file for this component is in pmf_install_dir/MobileFoundationServer/mfp-dev-artifacts.war. You must define the context root as /mfp-dev-artifacts.
Installing a server farm
You can install your server farm by running Ant tasks, or manually.
- Planning the configuration of a server farm
- Installing a server farm with Ant tasks
- Configuring a server farm manually
- Verifying a farm configuration
- Lifecycle of a server farm node
Planning the configuration of a server farm
To plan the configuration of a server farm, choose the application server, configure the PMF databases, and deploy the WAR files of the PMF components on each server of the farm. You have the options to use Ant tasks, or manual operations to configure a server farm.
When you intend to plan a server farm installation, see Constraints on PMF administration service, PMF live update service and Persistent Mobile Foundation runtime first, and in particular see Server farm topology.
In PMF, a server farm is composed of multiple stand-alone application servers that are not federated or administered by a managing component of an application server. PMF internally provides a farm plug-in as the means to enhance an application server so that it can be part of a server farm.
When to declare a server farm
Declare a server farm in the following cases:
- PMF is installed on multiple Tomcat application servers.
- PMF is installed on multiple WebSphere Application Server Liberty servers.
Do not declare a server farm in the following cases:
- Your application server is stand-alone.
Why it is mandatory to declare a farm
Each time a management operation is performed through PMF Operations Console or through the PMF administration service application, the operation needs to be replicated to all instances of a runtime environment. Examples of such management operations are the uploading of a new version of an app or of an adapter. The replication is done via JMX calls performed by the administration service application instance that handles the operation. The administration service needs to contact all runtime instances in the cluster. In environments listed under When to declare a server farm above, the runtime can be contacted through JMX only if a farm is configured. If a server is added to a cluster without proper configuration of the farm, the runtime in that server will be in an inconsistent state after each management operation, and until it is restarted again.
Installing a server farm with Ant tasks
Use Ant tasks to configure each server in the farm according to the requirements of the single type of application server that is used for each member of the server farm.
When you plan a server farm with Ant tasks, first create the stand-alone servers and configure their respective truststores so that they can communicate with one another in a secure way. Then, run Ant tasks to configure the database instance that is shared by the PMF components. Finally, run Ant tasks to deploy the PMF components to each server and modify its configuration to make it a member of a server farm.
PMF requires the secure JMX connection to be configured.
- Prepare the application servers that must be configured as the server farm members.
- Choose the type of application server to use to configure the members of the server farm. PMF supports the following application servers in server farms:
- WebSphere Application Server Liberty profile
- Apache Tomcat
Important: PMF supports only homogeneous server farms. A server farm is homogeneous when it connects same type of application servers. Attempting to associate different types of application servers might lead to unpredictable behavior at run time. For example, a farm with a mix of Apache Tomcat servers and WebSphere Application Server full profile servers is an invalid configuration.
- Set up as many stand-alone servers as the number of members that you want in the farm.
Each of these stand-alone servers must communicate with the same database. You must make sure that any port used by any of these servers is not also used by another server that is configured on the same host. This constraint applies to the ports used by HTTP, HTTPS, REST, SOAP, and RMI protocols.
Each of these servers must have the PMF administration service, the PMF live update service, and one or more PMF runtimes deployed on it.
For more information about setting up a server, see Constraints on PMF administration service, PMF live update service and PMF runtime. - Exchange the signer certificates between all the servers in their respective truststores.
Note: This step is mandatory for the farms that use WebSphere Application Liberty as security must be enabled. In addition, for Liberty farms, the same LTPA configuration must be replicated on each server to ensure single-sign on capability. To do this configuration, follow the guidelines in step 6 of Configuring a server farm manually
.
- Choose the type of application server to use to configure the members of the server farm. PMF supports the following application servers in server farms:
- Configure the database for the administration service, the live update service, and the runtime.
- Decide which database that you want to use and choose the Ant file to create and configure the database in the pmf_install_dir/MobileFoundationServer/configuration-samples directory:
- For DB2 , use create-database-db2.xml.
- For MySQL, use create-database-mysql.xml.
- For Oracle, use create-database-oracle.xml.
Note: Do not use the Derby database in a farm topology because the Derby database allows only a single connection at a time.
- Edit the Ant file and enter all the required properties for the database.
To enable the configuration of the database that is used by the PMF components, set the values of the following properties:- Set mfp.process.admin to true. To configure the database for the administration service and the live update service.
- Set mfp.process.runtime to true. To configure the database for the runtime.
- Run the following commands from the pmf_install_dir/MobileFoundationServer/configuration-samples directory where create-database-ant-file.xml must be replaced with the actual Ant file name that you chose:
pmf_install_dir/tools/apache-ant-1.9.4/bin/ant -f create-database-ant-file.xml admdatabases
andpmf_install_dir/tools/apache-ant-1.9.4/bin/ant -f create-database-ant-file.xml rtmdatabases
.
As the PMF databases are shared between the application servers in a farm, these two commands must be run only once, whatever the number of servers in the farm. - Optionally, if you want to install another runtime, you must configure another database with another database name or schema. To do so, edit the Ant file, modify the properties, and run the following command once, whatever the number of servers in the farm:
pmf_install_dir/tools/apache-ant-1.9.4/bin/ant -f create-database-ant-file.xml rtmdatabases
.
- Decide which database that you want to use and choose the Ant file to create and configure the database in the pmf_install_dir/MobileFoundationServer/configuration-samples directory:
- Deploy the administration service, the live update service, and the runtime on the servers and configure these servers as the members of a server farm.
- Choose the Ant file that corresponds to your application server and your database in the pmf_install_dir/MobileFoundationServer/configuration-samples directory to deploy the administration service, the live update service, and the runtime on the servers.
For example, choose the configure-liberty-db2.xml file for a deployment on Liberty server with the DB2 database. Make as many copies of this file as the number of members that you want in the farm.
Note: Keep these files after the configuration as they can be reused for upgrading the PMF components that are already deployed, or for uninstalling them from each member of the farm. - Edit each copy of the Ant file, enter the same properties for the database that are used at step 2, and also enter the other required properties for the application server.
To configure the server as a server farm member, set the values of the following properties:- Set mfp.farm.configure to true.
- mfp.farm.server.id: An identifier that you define for this farm member. Make sure that each server in the farm has its own unique identifier. If two servers in the farm have the same identifier, the farm might behave in an unpredictable way.
- mfp.config.service.user: The user name that is used to access the live update service. The user name must be the same for all the members of the farm.
- mfp.config.service.password: The password that is used to access the live update service. The password must be the same for all the members of the farm.
- Set mfp.process.admin to true. To deploy the WAR files of the administration service and the live update service.
- Set mfp.process.runtime to true. To deploy the WAR file of the runtime.
Note: If you plan to install more than one runtime on the servers of the farm, specify the attribute id and set a value that must be unique for each runtime on the installpmfruntime, updatepmfruntime, and uninstallpmfruntime Ant tasks.
For example, - For each server, run the following commands where configure-appserver-database-ant-file.xml must be replaced with the actual Ant file name that you chose:
pmf_install_dir/tools/apache-ant-1.9.4/bin/ant -f configure-appserver-database-ant-file.xml adminstall
andpmf_install_dir/tools/apache-ant-1.9.4/bin/ant -f configure-appserver-database-ant-file.xml rtminstall
.
These commands run the installpmfadmin and installpmfruntime Ant tasks. For more information about these tasks, see Ant tasks for installation of PMF Operations Console, PMF artifacts, PMF administration, and live update services and Ant tasks for installation of PMF runtime environments. - Optionally, if you want to install another runtime, do the following steps:
- Make a copy of the Ant file that you configured at step 3.b.
- Edit the copy, set a distinct context root, and a value for the attribute id of installpmfruntime, updatepmfruntime, and uninstallpmfruntime that is different from the other runtime configuration.
- Run the following command on each server on the farm where configure-appserver-database-ant-file2.xml must be replaced with the actual name of the Ant file that is edited:
pmf_install_dir/tools/apache-ant-1.9.4/bin/ant -f configure-appserver-database-ant-file2.xml rtminstall
. - Repeat this step for each server of the farm.
- Choose the Ant file that corresponds to your application server and your database in the pmf_install_dir/MobileFoundationServer/configuration-samples directory to deploy the administration service, the live update service, and the runtime on the servers.
- Restart all the servers.
Configuring a server farm manually
You must configure each server in the farm according to the requirements of the single type of application server that is used for each member of the server farm.
When you plan a server farm, first create stand-alone servers that communicate with the same database instance. Then, modify the configuration of these servers to make them members of a server farm.
- Choose the type of application server to use to configure the members of the server farm. PMF supports the following application servers in server farms:
- WebSphere Application Server full profile
Note: In a farm topology, you cannot use the RMI JMX connector. In this topology, only the SOAP connector is supported by PMF. - WebSphere Application Server Liberty profile
- Apache Tomcat
Important: PMF supports only homogeneous server farms. A server farm is homogeneous when it connects same type of application servers. Attempting to associate different types of application servers might lead to unpredictable behavior at run time. For example, a farm with a mix of Apache Tomcat servers and WebSphere Application Server full profile servers is an invalid configuration.
- WebSphere Application Server full profile
- Decide which database that you want to use. You can choose from:
- DB2
- MySQL
- Oracle
- You create the database only once, whatever the number of servers in the farm.
- You cannot use the Derby database in a farm topology because the Derby database allows only a single connection at a time.
- Set up as many stand-alone servers as the number of members that you want in the farm.
- Each of these stand-alone servers must communicate with the same database. You must make sure that any port used by any of these servers is not also used by another server that is configured on the same host. This constraint applies to the ports used by HTTP, HTTPS, REST, SOAP, and RMI protocols.
- Each of these servers must have the PMF administration service, the PMF live update service, and one or more PMF runtimes deployed on it.
- When each of these servers is working properly in a stand-alone topology, you can transform them into members of a server farm.
- Stop all the servers that are intended to become members of the farm.
- Configure each server appropriately for the type of application server.
You must set some JNDI properties correctly. In a server farm topology, the mfp.config.service.user and mfp.config.service.password JNDI properties must have the same value for all the members of the farm. For Apache Tomcat, you must also check that the JVM arguments are properly defined.- WebSphere Application Server Liberty profile
In the server.xml file, set the JNDI properties shown in the following sample code. These properties must be set with appropriate values:- mfp.admin.serverid: The identifier that you defined for this farm member. This identifier must be unique across all farm members.
- mfp.admin.jmx.user and mfp.admin.jmx.pwd: These values must match the credentials of a user as declared in the
administrator-role
element. - mfp.admin.jmx.host: Set this parameter to the IP or the host name that is used by remote members to access this server. Therefore, do not set it to localhost. This host name is used by the other members of the farm and must be accessible to all farm members.
- mfp.admin.jmx.port: Set this parameter to the server HTTPS port that is used for the JMX REST connection. You can find the value in the
httpEndpoint
element of the server.xml file.
- Apache Tomcat
Modify the conf/server.xml file to set the following JNDI properties in the administration service context and in every runtime context. The mfp.admin.serverid property must be set to the identifier that you defined for this farm member. This identifier must be unique across all farm members.
You must make sure that the-Djava.rmi.server.hostname
JVM argument is set to the IP or the host name that is used by remote members to access this server. Therefore, do not set it to localhost. In addition, you must make sure that the-Dcom.sun.management.jmxremote.port
JVM argument is set with a port that is not already in use to enable JMX RMI connections. Both arguments are set in the CATALINA_OPTS environment variable. - WebSphere Application Server full profile
You must declare the following JNDI properties in the administration service and in every runtime application deployed on the server.- mfp.topology.clustermode
- mfp.admin.serverid
- select Applications → Application Types → WebSphere Enterprise applications.
- Select the administration service application.
- In Web Module Properties, click Environment entries for Web Modules to display the JNDI properties.
- Set the values of the following properties.
- Set mfp.topology.clustermode to Farm.
- Set mfp.admin.serverid to the identifier that you chose for this farm member. This identifier must be unique across all farm members.
- Set mfp.admin.jmx.user to a user name that has access to the SOAP connector.
- Set mfp.admin.jmx.pwd to the password of the user as declared in mfp.admin.jmx.user.
- Set mfp.admin.jmx.port to the value of the SOAP port.
- Verify that mfp.admin.jmx.connector is set to SOAP.
- Click OK and save the configuration.
- Make similar changes for every PMF runtime application deployed on the server.
- WebSphere Application Server Liberty profile
- Exchange the server certificates in their truststores between all members of the farm. Exchanging the server certificates in their truststores is mandatory for farms that use WebSphere Application Server full profile and WebSphere Application Server Liberty profile because in these farms, communications between the servers is secured by SSL.
- WebSphere Application Server Liberty profile
You can configure the truststore by using IBM utilities such as Keytool or iKeyman.- For more information about Keytool, see Keytool in the IBM SDK, Java Technology Edition.
- For more information about iKeyman, see iKeyman in the IBM SDK, Java Technology Edition.
Note: If you want to confirm the location of the truststore, you can do so by adding the following declaration to the server.xml file:
Lastly, start the server and look for lines that contain com.ibm.ssl.trustStore in the ${wlp.install.dir}/usr/servers/server_name/logs/trace.log file.- Import the public certificates of the other servers in the farm into the truststore that is referenced by the server.xml configuration file of the server.
- Exchange the signer certificates between all the servers in their respective truststores.
Note: This step is mandatory for the farms that use WebSphere Application Server full profile or Liberty as security must be enabled. In addition, for Liberty farms, the same LTPA configuration must be replicated on each server to ensure single-sign on capability. To do this configuration, perform the following steps.
- Start one member of the farm. In the default LTPA configuration, after the Liberty server starts successfully, it generates an LTPA keystore as ${wlp.user.dir}/servers/server_name/resources/security/ltpa.keys.
- Copy the ltpa.keys file to the ${wlp.user.dir}/servers/server_name/resources/security directory of each farm member to replicate the LTPA keystores across the farm members. For more information about LTPA configuration, see Configuring LTPA on the Liberty profile.
- WebSphere Application Server full profile
Configure the truststore in the WebSphere Application Server administration console.- Log in to WebSphere Application Server administration console.
- Select Security → SSL certificate and key management.
- In Related Items, select Keystores and certificates.
- In the Keystore usages field, make sure that SSL keystores is selected. You can now import the certificates from all the other servers in the farm.
- Click NodeDefaultTrustStore.
- In Additional Properties, select Signer certificates.
- Click Retrieve from port. You can now enter communication and security details of each of the other servers in the farm. Follow the next steps for each of the other farm members.
- In the Host field, enter the server host name or IP address.
- In the Port field, enter the HTTPS transport (SSL) port.
- In SSL configuration for outbound connection, select NodeDefaultSSLSettings.
- In the Alias field, enter an alias for this signer certificate.
- Click Retrieve signer information.
- Review the information that is retrieved from the remote server and then click OK.
- Click Save.
- Restart the server.
- WebSphere Application Server Liberty profile
Verifying a farm configuration
The purpose of this task is to check the status of the farm members and verify whether a farm is configured properly.
- Start all the servers of the farm.
- Access PMF Operations Console. For example, http://server_name:port/mfpconsole, or https://hostname:secure_port/mfpconsole in HTTPS. In the console sidebar, an extra menu that is labeled as Server Farm Nodes appears.
- Click Server Farm Nodes to access the list of registered farm members and their status. In the following example, the server farm nodes are shown
Lifecycle of a server farm node
You can configure heartbeat rate and timeout values to indicate possible server problems among farm members by triggering a change in status of an affected node.
Registration and monitoring servers as farm nodes
When a server configured as a farm node is started, the administration service on that server automatically registers it as a new farm member. When a farm member is shut down, it automatically unregisters from the farm.
A heartbeat mechanism exists to keep track of farm members that might become unresponsive, for example, because of a power outage or a server failure. In this heartbeat mechanism, PMF runtimes periodically send a heartbeat to PMF administration services at a specified rate. If the PMF administration service registers that too long a time has elapsed since a farm member sent a heartbeat, the farm member is considered to be down.
Farm members that are considered to be down do not serve any more requests to mobile applications.
Having one or more nodes down does not prevent the other farm members from correctly serving requests to mobile applications nor from accepting new management operations that are triggered through the PMF Operations Console.
Configuring the heartbeat rate and timeout values
You can configure the heartbeat rate and timeout values by defining the following JNDI properties:
- mfp.admin.farm.heartbeat
- mfp.admin.farm.missed.heartbeats.timeout
For more information about JNDI properties, see List of JNDI properties for PMF administration service.
Persistent Mobile Foundation runtime scheduler
PMF runtime uses quartz schedulers for performing some of the scheduled activities.
The scheduler in PMF runtime performs the following activities:
- License Tracking
- Creating audit logs
The running of scheduler is controlled by the following two JNDI properties,
- mfp.licenseTracking.enabled
- mfp.purgedata.enabled
These JNDI properties are enabled by default for all supported application servers.
License Tracking
License Tracking tracks metrics relevant to the licensing policy, such as active client devices, addressable devices, and installed apps. This information helps determine if the current usage of PMF is within the license entitlement levels and can prevent potential license violations. License tracking helps in decommissioning devices that are no longer accessing the PMF Server and also helps in archiving and deleting old records of MFP_PERSISTENT_DATA.
The following table lists the JNDI properties related to license tracking.
JNDI Property | Description |
---|---|
mfp.device.decommissionProcessingInterval | Defines how often (in seconds) the decommissioning task is executed. Default: 86400 , which is one day. |
mfp.device.decommission.when | The number of days of inactivity after which a client device is decommissioned by the device decommissioning task. Default: 90 days . |
mfp.device.archiveDecommissioned.when | The number of days of inactivity, after which a client device that has been decommissioned is archived. This task writes the client devices that were decommissioned to an archive file. The archived client devices are written to a file in the Persistent Mobile Foundation Server home\devices_archive directory. The name of the file contains the time stamp when the archive file is created. Default: 90 days . |
mfp.licenseTracking.enabled | A value that is used to enable or disable device tracking in Persistent Mobile Foundation. For performance reasons, you can disable device tracking when PMF runs only Business-to-Consumer (B2C) apps. When device tracking is disabled, the license reports are also disabled and no license metrics are generated. Possible values are true (default) and false . |
Creating Audit Log
License tracking saves the latest run and license data into PMF runtime table LICENSE_TERMS. The audit log creates a log based on the latest report entry in this table. The reports are available as .slmtag
files in the logs folder under the server install directory.
Security recommendations :
Secure cookies:
Missing secure flag on cookies could allow attacker to read the cookies and make unintended use of it, this can be avoided by setting listed flags in liberty server configuration:
- To have secure flag on session cookies set the configuration as:
<httpSession cookieSecure="true" cookieHttpOnly="true" />
- To have secure flag on LtpaToken cookies, make sure you access the application on https protocol.
Below property should be added in server configuration only if you are accessing application on https. If it is on http, you should disable the given configuration:
<webAppSecurity logoutOnHttpSessionExpire="true" ssoRequiresSSL="true" />