Installation Guide 25 v1.1

Copyright © MISYS 1995-2014. ALL RIGHTS RESERVED. Registered in England No. 01360027. All rights reserved. Registered Office: One Kingdom Street, Paddington, London W2 6BL, United Kingdom TI PLUS/2.5 INSTALLATION GUIDE v1.1, May 2014


Transcript of Installation Guide 25 v1.1

Confidential - Limited Distribution to Authorized Persons Only, Pursuant to the Terms of the Misys License Agreement through which you received your rights to use the Software associated with this guide. This guide is protected as an unpublished work and constitutes a trade secret of Misys, One Kingdom Street, Paddington, London, W2 6BL United Kingdom.

Republication or redistribution, in whole or in part, of the content of this guide or any other materials made available by Misys is prohibited without the prior written consent of Misys. Any software, including but not limited to, the code, screen, structure, sequence, and organization thereof, and documentation are protected by national copyright laws and international treaty provisions. This guide is subject to U.S. and other national export regulations.

Misys does not guarantee that any information contained herein is and will remain accurate or that use of the information will ensure correct and faultless operation of the relevant service or equipment. Misys, its agents, and employees shall not be held liable to or through any user for any loss or damage whatsoever resulting from reliance on the information contained herein or related thereto.

This document contains information proprietary to Misys. Misys does not undertake mathematical research but only applies mathematical models recognized within the financial industry. Misys does not guarantee the intrinsic theoretical validity of the calculation models used. It is the obligation of the customer to ensure that responsible decisions are taken when using Misys products.
MISYS, MISYS CAPITAL MARKETS FUSION, MISYS KONDOR+, MISYS SUMMIT, MISYS SOPHIS, MISYS KONDOR GLOBAL RISK, MISYS GLOBAL RISK, and the logos used with some of these marks, are trademarks or registered trademarks of a member of the Misys group of companies in various countries around the world. Any third party names or marks are the trademarks or registered trademarks of the relevant third party.

For more information
Need more information? Read more about our products at http://www.misys.com/products.aspx. Or contact your local Misys office at http://www.misys.com/contact-us.aspx.

Feedback
Do you have comments about our guides and online help? Please address any comments and questions to your local Misys representative.

CONTENTS

Chapter 1 System Overview
  Architecture Summary
  Hardware Components
  Software Components
Chapter 2 Installing Software Prerequisites
  Software Components
  Recommended Installation Sequence
Chapter 3 Installation Summary
  The TI Plus Software Distribution
  Overall Installation Sequence
  Installing the TI Plus Database
  Configuring the TI Plus Application Archives
  File System Resources
  First Steps
Chapter 4 Database Setup
  Creating the TI Plus Database
Chapter 5 Application Software
  Software Distribution
Chapter 6 Application Topology
  Configuring the Software
  Application Server and Database
  Application Communication
Chapter 7 Security
  CAS Authentication
  Pre-Authentication - x509
  Pre-Authentication - General
  Re-Authentication
Chapter 8 JNDI Resources
  JNDI Patterns
  JDBC Data Sources
  JMS Resources
Chapter 9 Asynchronous Framework
  Jobs and Steps
  JMS Queues
  Split Deployment
  User Identification
Chapter 10 Notification Framework
  Notifications
Chapter 11 Service Access
  APIStubs
  EJB
  Plain JMS
  Pseudo-Synchronous JMS
  JMS Equation Interface
  JMS Trade Portal Interface
  Watch List Checker Interface
  User Identification
  Bulk Message Handling Incoming
  Bulk Message Handling Outgoing
Chapter 12 Cross Zone Dashboard
  Cross-Zone Rebroadcaster
Chapter 13 Miscellaneous
  UI Customisation
  Document Window Recording
  Amount in Words
  PDF Document Watermarks
  Deploying Help Text
  Error Display
  Local Module
  File System Resources
Chapter 14 Application Server Specific
  WebLogic - Configuring Session Cookie Domains
  JBoss - Integrating Other JMS Providers
  WebSphere Use Activation Specification
Chapter 15 Operating System Specific
  Fonts for AIX and Linux
  Graphics Support for Unix Without X-Windows
Chapter 16 WebSphere Setup
  Initial Configuration
  JDBC Configuration
  JMS Configuration
  Application Server Process Definition
  Installing TI Plus 2 Software
  Final Configuration Steps
Chapter 17 WebLogic Setup
  Initial Configuration
  JDBC Configuration
  JMS Configuration
  Installing TI Plus 2 Software
Chapter 18 JBoss 5.1 Setup
  Initial Configuration
  JDBC Configuration
  JMS Configuration
  Installing TI Plus 2 Software
Chapter 19 JBoss EAP 6.2 (AS 7.3) Setup
  Pre-Requisite Software
  Initial Configuration
  Management Console
  Defining Servers
  Configuring Profiles
  Installing TI Plus 2 Software
Chapter 20 First Steps
  Starting the TI Plus Software
  Installing TI Plus Products
  Uploading the Document Templates

PREFACE - INSTALLATION GUIDE

This Guide explains how to install, configure and deploy TI Plus. It assumes knowledge of the operating systems, database management system and 3rd party products used during the installation process.

The User Guide contains the following chapters:

Chapter 1 provides an overview of the Trade Innovation system, summarising the individual hardware and software components.
Chapter 2 discusses the software prerequisites and a recommended installation sequence.
Chapter 3 provides summary details on what is involved in creating the TI Plus database and deploying TI Plus to an application server.
Chapter 4 details how to create the TI Plus database.
Chapters 5-14 provide information about various components of the TI Plus applications and the configuration options associated with them.
Chapter 15 details operating system specific areas of set up.
Chapter 16 details how to set up WebSphere 7/8.5.
Chapter 17 details how to set up WebLogic 10.3.
Chapter 18 details how to set up JBoss 5.1.
Chapter 19 details how to set up JBoss EAP 6.2 (AS 7.3).
Chapter 20 details the first steps to perform after the software is deployed.

DOCUMENT CONVENTIONS

The convention used in the Guide for identifying links accessed via drop-down lists from other links is to cite the name of the first link, followed by name of the second link separated from it by a '|' character - for example, 'Other|FX Calculator'.

Note: This format is used for notes that contain information of more than usual significance, such as warnings or hints on using the software.

In the tables listing fields in windows, a tick next to a field indicates that the field is mandatory.

FURTHER READING

TI Plus is supported by a comprehensive documentation set, which includes user guides for each TI Plus product:

- TI Plus Documentation Overview lists each of the documents in the set and explains what it covers.
- TI Plus Common Facilities User Guide explains common screen elements shared by TI Plus products and is referred to where required in this guide.

CHAPTER 1 SYSTEM OVERVIEW

This chapter provides an overview of the possible TI Plus 2 system architectures. It outlines the roles of the main architecture components and summarises their hardware and software.

ARCHITECTURE SUMMARY

The following diagram illustrates the gross software architecture of the system showing the operation of multiple processing zones (these are the zones of a 'global processing' architecture).

[Diagram: HTTP Server, Content Management System, Global Application, Global Application Database, Zone access tiplus2 applications (clusterable on J2EE), Zone Databases, Back Office System and Front Office System, connected over HTTP and HTTP(S)]

As the diagram shows, the TI Plus 2 software consists of two enterprise applications:

- Global application: A management application providing user management and zone control facilities
- Zone access tiplus2 application: The trade finance application. This application can be deployed multiple times, each configured to use a dedicated zone database

Both types of application may be installed in a cluster, however for the global application, the number of server instances in the cluster must be limited to two, and each must be on a separate host.

HARDWARE COMPONENTS

The table below lists and describes the function of the hardware components of the system.

Component: What it does
Network: Allows the individual components of the system to communicate
Database Servers: Acts as database storage for TI Plus business data
Application Servers: Runs the TI Plus Enterprise Application. This provides middleware services for security and state maintenance, along with data access and persistence
HTTP Server: Provides an access point for load balancing
Client PCs: Client PCs run a web browser (e.g. Internet Explorer) to communicate with the web/application server

SOFTWARE COMPONENTS

The table below lists and describes the software components of the system.

Component: What it does
Trade Innovation application: Main application for TI Plus. This runs on the application server
Windows 2008 Server 64-bit: Operating system for the Application and Web Server or Database Server
Solaris 64-bit: Operating system for the Application and Web Server or Database Server
AIX 64-bit: Operating system for the Application and Web Server or Database Server
Red Hat Linux Enterprise Server 64-bit: Operating system for the Application and Web Server or Database Server
Oracle 11g: Serves as the Database repository for the TI Plus 2 application. Installed on the Database Server
DB2 v9.7: Serves as the Database repository for the TI Plus 2 application. Installed on the Database Server
WebLogic 11g (10.3.6): Serves as the Application server and hosts the TI Plus 2 enterprise applications
WebSphere 7.0/8.5: Serves as the Application server and hosts the TI Plus 2 enterprise applications
JBoss 5.1: Serves as the Application server and hosts the TI Plus 2 enterprise applications
JBoss EAP 6.2 (AS 7.3): Serves as the Application server and hosts the TI Plus 2 enterprise applications
HTTP Server: The software choice for the HTTP server is largely driven by the chosen application server. It may be that an existing HTTP server can be used
Microsoft Word: Used to create document templates which are uploaded to and utilised by the application to produce associated documents during user transactions
Content Repository: Storage location of files used and managed by the application
Web Browser: Browser software for accessing the TI Plus application on the application server.

CHAPTER 2 INSTALLING SOFTWARE PREREQUISITES

This chapter provides details of the software prerequisites and the order in which they should be installed.

SOFTWARE COMPONENTS

The required software is broken down by the following components:

- The Database Server
- The Application Server
- The HTTP Server
- Client PCs

Note: This Guide does not provide instructions on installing software components supplied by a third party vendor.
All these products come with comprehensive installation guides which must be consulted prior to implementation.

The Database Server

The database server contains the Trade Innovation application business data. Currently, Oracle 11g or DB2 v9.7 or later is the supported database software. It is essential that the data is backed up on a regular basis, and a backup device and backup software are therefore required.

- Solaris or Windows 2008 or equivalent
- Oracle 11g/DB2 v9.7

The Application Server

The application server contains the WebLogic, WebSphere or JBoss application server software and the main TI Plus application components.

- AIX, Solaris, Red Hat Linux Enterprise Server or Windows 2008 Server or later based on the application server support
- JavaSE6 may be installed as part of the application server installation
- WebLogic 11g, WebSphere 7.0/8.5 or JBoss 5.1/EAP 6.2 (AS 7.3)

HTTP Server

The software required for the HTTP Server is largely based on the choice of application server software. For instance, with WebSphere, IBM's HTTP Server software is supplied as part of the software package. The only prerequisite is that the HTTP server software is supported by the application server software.

Client PCs

Client PCs using a web browser will be used to access TI Plus. A plug-in for viewing PDF files will also be required to view documents and reports.

RECOMMENDED INSTALLATION SEQUENCE

It is recommended that you perform installation and configuration in the following sequence.

1. Install the operating system and all necessary patches on the designated database server.
2. Install the database software.
3. Install the operating system and all necessary patches on the designated application server.
4. Install JavaSE6 on the Application server(s) if necessary.
5. Install WebSphere/WebLogic/JBoss software on the Application server(s).

CHAPTER 3 INSTALLATION SUMMARY

This chapter summarises the steps involved in installing, configuring and deploying the TI Plus software.

THE TI PLUS SOFTWARE DISTRIBUTION

The TI Plus software distribution consists of the following folders.

/csv contains product configuration files
/scripts contains the database scripts
/sdk contains tools and resources associated with the SDK
/software contains the application software
/ti contains various resources
/tools contains utilities

OVERALL INSTALLATION SEQUENCE

Once you have installed and configured all the third-party prerequisites, it is recommended that you take the following approach to installing the TI Plus 2 software.

1. Create the TI Plus 2 database schemas and run the appropriate scripts
2. Set up the required topology of application server instances to deploy the TI Plus 2 software into
3. Configure and assemble the TI Plus 2 application archives
4. Configure the application server including setting up JNDI resources (JDBC, JMS etc)
5. Deploy help text
6. Set up remaining file system resources
7. Install the TI Plus 2 application archives to the application servers
8. Perform the first steps of starting the servers, installing the products and uploading default document templates

INSTALLING THE TI PLUS DATABASE

It is assumed that before starting on creating the TI Plus 2 database, you have already done/obtained the following:

- Administrator privileges on the Operating systems
- Installed Oracle/DB2 on the database server
- Login credentials with admin and DBA roles

CONFIGURING THE TI PLUS APPLICATION ARCHIVES

The delivered software includes configuration utilities allowing the following main options to be chosen:

- Application names
- Choice of application server to be used
- Security to use
- Choice of service access options, including an incoming EJB server, support for JMS-based access, including the Trade Portal Interface, and a test utility to help familiarise with the service interfacing operations
- User interface customisation facilities including translation and control suppression
- Integrating a local project when set up

FILE SYSTEM RESOURCES

There are some resources required that are currently expected to be stored on the file system of the application server. Their location can be configured. They include:

- Configuration files (CSV)
- Folder for user interface customisation files in development
- Translation files for Document data content.

FIRST STEPS

This section summarises the additional steps that must be performed after the applications have successfully started, but before the TI Plus applications can be run.

1. Use the configuration application to initialise the TI Plus database
2. Grant capabilities to the supplied user SUPERVISOR
3. Review and configure the system options available
4. Use the Static Data application to add one or more branches and main banking entities
5. Set up teams, roles and users as required, as well as setting up the users in the global application

Refer to the TI Plus Static Data Maintenance Guide, TI Plus System Tailoring Guide and TI Plus Security Guide for more details.

CHAPTER 4 DATABASE SETUP

It is assumed that before starting on creating the TI Plus 2 database, you have already done/obtained the following:

- Administrator privileges on the Operating systems
- Installed Oracle/DB2 on the database server
- Login credentials with admin and DBA roles

Database creation scripts are supplied in the /scripts folder of the software release. Upgrade scripts are also available where appropriate. For information on which upgrade scripts are appropriate, refer to the release notes accompanying the software.

CREATING THE TI PLUS DATABASE

To set up the TI Plus database, several scripts included in the /scripts folder have to be executed. The scripts are provided with .tpl extensions so that they are not mistaken for SQL scripts that can be run with any utility.
If you need to generate standard SQL scripts, they can be created using the SQLRunner utility described in the next section.

SQLRunner

In the /tools folder of the software distribution is a utility called SQLRunner that allows you to:

- Execute a script against a nominated database
- Provide parameter values to be substituted while executing the script
- Save a copy of the script with the parameters replaced in order to run the script via a preferred utility
- Run scripts from the command line

This utility is a Java Swing application, and requires JavaSE6 to be installed.

1. Unzip the software from /tools/sqlrunner into a local folder.
2. Open a command window and navigate to the folder containing the software.
3. Enter the following command:

   java -jar com.misys.tiplus2.utils.sqlrunner.jar

This will bring up the first page of the utility:

This panel allows you to choose if the script is to be run against a database or simply saved after replacing the parameters. The following steps illustrate executing a script against a database.

Enter the details:

Option: Description

Execute script
Driver: The name of the database driver to use
URL: The URL for the database. For Oracle this will be in the form jdbc:oracle:thin:@:1521: whereas for DB2 it will be jdbc:db2://:50000/
User: User id
Password: Password of the user

Save script to folder
Folder: Folder where the substituted script will be saved - the name of the script will be the same as the script selected on the next panel

The Test button is available to verify that the connection details are correct.

Click Next.

Locate the script you wish to run. A description of the script will be displayed when it has been selected. If the script is a template that extracts information from the database, then you must specify an output folder and file extension.

Note: This folder must already exist.
If it contains any files, you will be prompted to confirm that these files may be deleted.

Click Next.

This panel lists the parameters defined in the script and if applicable may already have default values assigned. Selecting a parameter will provide a description with any special considerations that are required for the values supplied. Once the parameter values have been entered, click Next.

This panel summarises the information collected so far. Click Run to execute (or save) the script.

This panel shows the progress of the script, and when the script is finished, the following dialog is shown:

If an error is encountered then the following dialog is shown:

This shows the details of the exception, and provides four options in the dropdown box:

- Ignore exception and continue
- Ignore all further exceptions and continue
- Stop execution
- Stop execution and save remaining part of script

The last option allows you to provide a file name which will be used to save the remaining part of the script still to be executed.

Once a script has been executed, by pressing the Back button, you will go back to the script selection panel. Note that parameter values will be retained.

You can also call this utility from a command script and bypass the user interface.
The parameters to pass are as follows:

Option                   Description
-c, --class              The database driver class
-d, --url                The database URL
-g, --cmd                Suppresses any UI
-h, --help               Print this message
-i, --input              Input file of command options
-l, --log                Log file location
-m, --mode               The mode - execute or save
-n, --extn               Output file extension (default '.txt')
-o, --output             Output folder - for SQL selects
-p, --password           The database user password
-q, --sql                The database SQL script to run (*.sql)
-r, --param              Parameters for substitution
-t, --quiet              Suppresses confirmation and other logs
-u, --user               The database user id
-w, --onexceptionfile    File to write remaining SQL on exception (-x S must exist)
-x, --onexception        SQL exception handling I=ignore, S=stop, W=write remaining SQL to file

Oracle

It is expected with Oracle, that separate schemas will be used in the same database.

1. Create the schemas for the global (TIGLOBAL) and zone (TIZONE1) tables by creating these two users.
2. Run the oGlobals-xxxx.tpl database script using the script runner. For the Schema Name for Trade Innovation, use TIGLOBAL, instead of the default TRADEIN1.
3. Run the database scripts below using the script runner. For the Schema Name for Trade Innovation, use TIZONE1, instead of the default TRADEIN1.

   oTIxxxx.tpl
   oeqxxxx.tpl
   oaf-xxxx.tpl
   onf-xxxx.tpl
   oCextxxxx.tpl
   ocmsxxxx.tpl

Note: With version G.1.1 of the database, a transition was made from using unique indexes to using primary keys. To provide that transition, the scripts oDIxxxx.tpl and oCPKxxxx.tpl must also be run after the rest of the scripts to delete the unique indexes and then create the primary keys.

Note that the TI Plus application accesses the database using an XA database driver. If the user used to connect to the database does not have sufficient privileges, you may see XA exceptions in the application logs.
In this case, the following privileges need to be granted to the user:

   grant select on pending_trans$ to ;
   grant select on dba_2pc_pending to ;
   grant select on dba_pending_transactions to ;
   grant execute on dbms_xa to ;

DB2

It is expected that a database will be created for the global application and each of the zone applications.

1. Run the Globals-xxxx.tpl database script using the script runner.
2. Run the following database scripts for each zone database using the script runner in sequence.

   TIxxxx.tpl
   eqxxxx.tpl
   af-xxxx.tpl
   nf-xxxx.tpl
   Cextxxxx.tpl
   CMSxxxx.tpl

Note: With version G.1.1 of the database, a transition was made from using unique indexes to using primary keys. To provide that transition, the scripts DIxxxx.tpl and CPKxxxx.tpl must also be run after the rest of the scripts to delete the unique indexes and then create the primary keys.

Reporting Views

Reporting views are supplied in the scripts:

   rvcxxxx.tpl
   rvdxxxx.tpl

The first script creates the views, while the second script drops the views. So, during an upgrade process, it is necessary to run the rvdxxxx.tpl script of the current version of the database. Once the upgrade scripts have been run, the rvcxxxx.tpl script of the new version may then be run.

Note: These scripts may be run against both DB2 and Oracle databases.

CHAPTER 5 APPLICATION SOFTWARE

The TI Plus applications include both web and ejb modules that can be deployed on WebSphere, WebLogic and JBoss, as well as using DB2 or Oracle as the DBMS. The configuration options provided cover, among other things, interfacing, security and customisation.

The interfacing options provided include:

- Multiple incoming and outgoing JMS queues
- Incoming RMI calls to an EJB session bean
- Bank written components

The security options provided include:

- Embedded single-signon capability using the open source CAS server
- Pre-authentication scenarios such as client x509 certificates or network proxy-based systems

The customisation facility allows extra fields to be added for customer details, transaction master and event details, and posting details. This extra data can be used in processing rules and referenced in customer documents. The output of using this facility includes:

- Database scripts
- Web resources for UI
- Generated java to handle the defined fields
- Extensions to message definitions
- Optionally extra hand-written business logic

In these three areas of interfacing, security and customisation:

- New components/resources may need to be included
- New JNDI resources may need to be defined
- Deployment descriptors may need to be updated (both general JEE and application server specific)
- Manifest classpath references altered
- Configuration files created/updated (not just properties but spring configuration files as well)

The provided assembly mechanism for the enterprise archives, driven by a declared configuration, enables this level of flexibility in our software. It also provides an additional level of security: if an external access mechanism is not required (e.g. RMI access, or an alternate security configuration not requiring the CAS server), it is not simply disabled - it is not included to be deployed at all.

Some of the properties defined may seem to tie an EAR file to a particular deployment environment, however those properties are created as web.xml environment entries. These entries may then be changed or overridden during or after deployment in one of the following ways (listed in the order that they are loaded):

- Defining them as system properties
- Defining them in a property file called .environment.properties located externally on the classpath
- Overriding the environment entries from the web.xml file

Overriding the web.xml environment entries is application server specific - in WebLogic it is done through deployment plans, in WebSphere you can change them as part of deployment if you script the deployment, or you can change them through the admin console. In JBoss it is less clear, as there is no inherent way of doing this. So the remaining options must be used instead.

This means that when a final configuration is arrived at after all customisation is performed, the resulting EAR files produced may be deployed to multiple systems through a promotion process resulting in the production system, by updating these properties as appropriate.

SOFTWARE DISTRIBUTION

The /software folder in the main distribution has four main subfolders:

/applications - used as a target for software assembly
/components - holds the master software
/configuration - location of configuration files
/lib - tools used for assembling the software

When the application archives are assembled, the folders /assembly and /deploy are created under the /applications folder. Once assembled, the enterprise archives are located in the /deploy folder.

The /components folder contains two subfolders, /modules and /system. /modules contains the optional components that may be required, whereas /system contains the core software.

The /configuration folder contains master configuration property files used to drive the assembly process.

The /lib folder contains utility code, including ant, which is used to perform the assembly.

Once the configuration options have been specified, the software is assembled by running the ant build script from the root /software folder. For Windows, a build.bat file is supplied to auto-configure using ant to run the build script. A build.sh script is supplied that runs on Linux, but can be adapted to the preferred shell script format.

The following chapters provide information about various features of the applications and the configuration options associated with them.

CHAPTER 6 APPLICATION TOPOLOGY

The TI Plus software consists of two JEE applications - the global application and the tiplus2 application. The global application is a management application, whereas the tiplus2 application provides the trade finance business functionality. When a user accesses a deployment of the tiplus2 application, they are connected to a zone database. A running system will consist of a single instance of the global application, and one or more deployments of the tiplus2 application, providing access to one or more zone databases.

The global application provides control access to the tiplus2 application deployments, enabling zones to be suspended and users accessing those zones to be logged off. This management communication facility limits to two the number of servers in a cluster to which the global application can be deployed - a primary and secondary server. Moreover, these server instances must be bound to different host names/IP addresses. A tiplus2 application on the other hand is not limited by the number of servers in the cluster it is deployed to.

CONFIGURING THE SOFTWARE

The assembly scripts allow for a single global application enterprise archive file, and multiple tiplus2 application enterprise archive files to be created at once. A property file must be configured for each. In the /configuration folder, there are two master property files:

   master.global.configuration.properties
   master.tiplus2.configuration.properties

Copy the master.global.configuration.properties file to be global.configuration.properties, and for each tiplus2 deployment copy master.tiplus2.configuration.properties to be xxxxx.tiplus2.configuration.properties - the value of xxxxx is not significant. These files then need to be changed using a text editor. The properties are described in the following sections.

Note that there are two formats of property names - lowercase dot-separated, and camel-case. The difference is that the camel-case properties are also added to the relevant web module deployment descriptor as values.

APPLICATION SERVER AND DATABASE

The supported application servers are WebLogic, WebSphere and JBoss. The supported databases are DB2 and Oracle. For particular version support - see the Overview chapter. Each application instance must have a name, and a URL context.

Configuration

The following properties can be defined in the global.configuration.properties file:

Property: Description
appserver.weblogic, appserver.websphere, appserver.jboss: Only one of these properties may be specified - indicating which application server is being used
appserver.jee6: Setting this property provides support for JBoss EAP 6.2 (AS 7.3)
database.oracle, database.db2: Only one of these properties may be specified - indicating which database is being used
global.app.name: Name that will be used for the global application archive - the default is tiplus2-global
GlobalAppContext: Used to define the context URL for the global web module - the default is tiplus2-global
GlobalURL: Full URL of the global application. This is used to navigate back to the global application when exiting from the zone. Make sure the protocol is correct in relation to the security configuration used
GlobalSchema: Schema name for the tables created for the global application - for DB2 this would be TRADEIN1, for Oracle TIGLOBAL

The following properties can be defined in the tiplus2.configuration.properties file:

Property: Description
DeploymentId: Identifier for this tiplus2 deployment - defaults to TI1
tiplus2.app.name: Name that will be used for the tiplus2 application archive - default is tiplus2-deploy1
TIPlus2AppContext: Used to define the URL for the web module - default is tiplus2-deploy1
ZoneId: Identifier of the zone used by this deployment

APPLICATION COMMUNICATION

The communication between the global application and multiple deployments of the tiplus2 application uses JMX. As each server running a tiplus2 application deployment starts up, it will connect to the global application and register itself, and its own configuration, enabling the global application to connect back to it. As each user logs in and accesses a zone database, their access via a particular server in the cluster is registered. When a zone is suspended, then those users accessing that zone database are prompted to log off when they next send a request to the server.

The limitation of two servers to a global application cluster is due to the JMX protocol used, which does not work in a federated environment. So one of the server instances is nominated as the primary server to which all tiplus2 application servers connect to register. If the primary server is not available, or a connection to the server is lost, then attempts are made to connect to the secondary server. If the secondary server itself loses contact with the primary server, then it promotes itself to be the primary server, and will accept the incoming server registration requests.

As part of the registration request, details are passed so the global application can connect back to the tiplus2 application server.

Configuration

In the global.configuration.properties file, the following properties are set:

Property: Description
JMXPrimaryHost: Host name of the primary global instance
JMXSecondaryHost: Host name of the secondary global instance (may be left blank)
JMXGlobalPort: Port number of the global instance
JMXProtocol: Protocol of JMX communication - currently only RMI is supported.

These values are used by the global application as well as the tiplus2 application instances. If failover is not required, then the JMXSecondaryHost may be left blank.

Note that when the global application starts it queries the host name from the network stack. The host name returned must match the Primary or Secondary host names. It may be that the host name is returned with a domain suffix. If the global application cannot match the host name, an error is logged during initialization together with the host name returned from the network stack. This must then be used to update the host property.

In the tiplus2.configuration.properties file, the following properties are set:

Property: Description
JMXZonePortStart: Start port number
JMXZonePortEnd: End port number

While instances of the global application must be on separate hosts, there may be multiple server instances of a tiplus2 application deployment on the same host - so a range is required. The number of ports available in the range must be at least equal to the number of server instances that that application can have on a single host.

CHAPTER 7 SECURITY

Since the TI Plus software consists of at least two applications, it requires a single-signon authentication environment. TI Plus was designed to integrate with different authentication environments. To achieve this, the spring security framework is used to provide a chiefly configuration-based solution, to provide the highest flexibility.
Two single-signon models are supported:

- Co-operative authentication
- Pre-authenticated

The co-operative model relies on the configuration of an authentication server that can be redirected to and also called directly to verify any token or ticket issued. This model is used to provide the default configuration of the software by bundling an open source single-signon server (CAS - central authentication server) in the global application.

The pre-authentication model relies on network or application server configuration to force authentication before access is made to the application. If the user cannot be derived from the request, then access is not allowed. Two configurations are provided to achieve this: one based on client certificates, and the other a little more generic that can reference a configured HTTP header to extract the user id.

Note that whatever authentication mechanism is used, the user must be defined in the user registry in the global application database.

CAS AUTHENTICATION

An open source single-signon server is embedded in the global application, and both global and tiplus2 applications reference the server to issue tickets based on user authentication. These tickets are then verified explicitly by a direct connection from the server being accessed to the CAS server. By default, only the authentication part of the server access is via HTTPS; however, it is possible to enforce HTTPS for all access to the application.

Authentication is performed by presenting a login page, accepting a user id and password. The password is checked against the password stored in the user registry in the global application database. The password is stored using a one-way encryption algorithm. An alternate configuration allows the credentials captured to be verified via Windows Active Directory server using LDAP.
Note that if the global application is clustered, then there needs to be a trust relationship between the application servers and the issuer of the SSL certificate of the HTTP server being used as the load balance point of the global application.

Configuration

In the global.configuration.properties file, the following properties are set:

  security.cas: This property must be defined to enable the CAS configuration
  security.cas.https: Set this property to force all access to the application to be via HTTPS.
  CASServerURL: This is the URL for the CAS server. As the CAS server is embedded in the global application, this is the HTTPS URL for the global application: https://:[]/tiplus2-global
  CASServiceURL: This is the HTTPS URL of the application to be authenticated for. This turns out to be the HTTPS URL of the global application: https://:[]/tiplus2-global

In the tiplus2.configuration.properties file, the following properties are set:

  CASServiceURL: This is the HTTPS URL of the application to be authenticated for. This turns out to be the HTTPS URL of the tiplus2 application: https://:[]/tiplus2-deploy1

If authentication is required by a Windows Active Directory server, then the following properties must be defined in the global.configuration.properties file:

  security.cas.ldap: This property must be defined to enable the LDAP configuration to be applied
  security.cas.ldap.host: Active Directory server name
  security.cas.ldap.port: Port number for access to server (typically 389)
  security.cas.ldap.base.dn: The base distinguished name and template for searching. This is of the form: ?sAMAccountName?sub?(objectClass=*) Where is the distinguished name of the active directory domain name broken down into domain components. So if the domain name is bank.domain.com, the is: DC=bank,DC=domain,DC=com
  security.cas.ldap.user: A search user on the domain that has at least browse access. The search user executes the search for the user to authenticate. The credentials entered are then used to connect, which effectively verifies the password. It is specified in the form of an e-mail address: search_user@bank.domain.com
  security.cas.ldap.password: Password of the search user
  security.cas.ldap.search.base: Base node to start searching from (typically cn=users)
  security.cas.ldap.search.filter: The search string to use. This must be compatible with the template specified previously, which is: (&(sAMAccountName={0})(objectclass=user))

Note: The email format for users is not required when adding users or logging in.

The database creation script for the global application database has a pre-defined user called SUPERVISOR. To set up other users you can do one of the following:

- Configure the application not to use LDAP to start with, and add at least one user that is already defined in the domain and make them a Security Officer. LDAP can then be enabled, and the new user used to set up all of the others
- Add SUPERVISOR to the active directory before first logging in with LDAP enabled
- Update the creation script to change SUPERVISOR to a user already defined in the active directory domain. The application can then have LDAP enabled.

PRE-AUTHENTICATION - X509

If authentication via client certificates is required (using smart cards for instance), then the configuration relies on the HTTP server (or HTTP component of a single application server) being set to enforce client certificates, and also to be responsible for checking that the certificate presented is not on a revocation list. When the user accesses the application, the certificate is extracted from an HTTP header, and using a configured regular expression, the user id is identified.

Configuration

In the global.configuration.properties file, the following properties are set:

  security.x509: This property must be defined to enable the x509 configuration
  security.x509.regexp: This property represents the regular expression required to extract the user id. The default expression is CN=(.*?)$, which extracts the content of the last CN= component at the end of the name sequence

PRE-AUTHENTICATION - GENERAL

If your network infrastructure relies on proxy servers to verify all HTTP access is authenticated, then the configuration relies on the user's user id being added as an HTTP header. In this configuration, all authentication is expected to be performed before access to the application is permitted. By default all access is assumed to be over HTTP. It is possible to force all access to be via HTTPS.

Configuration

In the global.configuration.properties file, the following properties are set:

  security.preauth: This property must be defined to enable the pre-authentication configuration
  ...preauth.https: If all access to the application needs to be via HTTPS, set this property to yes
  ...preauth.principal.header: The name of the HTTP header that will contain the user id.
  ...preauth.credentials.header: If credentials are passed on a separate header, then it can be set here, though it will not be used

Note: The property names have had the security prefix omitted for readability.

RE-AUTHENTICATION

It is possible to configure TI Plus to require the user to re-enter their password when processing a transaction after it has been input. Details of this functionality can be found in the System Tailoring Guide. The re-authentication process is currently only supported when using the CAS single-signon configuration.
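The following is an added example, not taken from the guide or from TI Plus code, for checking which user id the security.x509.regexp expression from the X509 pre-authentication section yields for the subject names your HTTP server forwards. It assumes the expression is applied as a leftmost search, as java.util.regex Matcher.find() and Python's re.search both do; the subject names and the BOUNDED alternative are constructed for illustration.

```python
import re

# Default expression quoted in the guide for security.x509.regexp.
GUIDE_DEFAULT = r"CN=(.*?)$"
# Hypothetical alternative for comparison (not a TI Plus default): the capture
# stops at the next comma, so attributes that follow the CN are excluded.
BOUNDED = r"CN=(.*?)(?:,|$)"


def extract_user_id(subject_dn, pattern=GUIDE_DEFAULT):
    """Return the captured user id, or None when the expression does not match."""
    match = re.search(pattern, subject_dn)
    return match.group(1) if match else None


def audit(pattern, expected):
    """Compare extracted ids with the ids the user registry should see.

    expected maps a subject DN string to the wanted user id (None means no
    user can be derived, so access must not be allowed). Returns a list of
    (dn, wanted, extracted) tuples for every mismatch.
    """
    findings = []
    for dn, wanted in expected.items():
        extracted = extract_user_id(dn, pattern)
        if extracted != wanted:
            findings.append((dn, wanted, extracted))
    return findings


# Constructed subject names covering both common attribute orderings.
SAMPLES = {
    "O=Example Bank, OU=Trade, CN=jsmith": "jsmith",     # CN is the last component
    "CN=jsmith, OU=Trade, O=Example Bank": "jsmith",     # CN is the first component
    "DC=com, DC=bank, CN=Users, CN=adavies": "adavies",  # container CN before user CN
    "O=Example Bank, OU=Trade": None,                    # no CN at all
}

if __name__ == "__main__":
    for label, pattern in (("guide default", GUIDE_DEFAULT), ("bounded", BOUNDED)):
        print(label, pattern)
        for dn, wanted, extracted in audit(pattern, SAMPLES):
            print(f"  MISMATCH {dn!r}: wanted {wanted!r}, extracted {extracted!r}")
```

Run the audit with the subject strings exactly as your HTTP server places them in the header, since attribute order differs between tools and decides what the capture contains.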
Note that when using the re-authentication facility, it is necessary to control how the session cookies used by each application are processed, keeping them separate for the global and tiplus2 applications.

Configuration

In the global.configuration.properties file, the following properties are set:

  security.reauthenticator: This property must be set to activate the re-authentication configuration
  security.reauthenticator.cas: This property must be set to yes to also include the CAS implementation

CHAPTER 8 JNDI RESOURCES

The TI Plus software uses JNDI to look up resources for:

- Database connections
- JMS queue sessions for read/write
- Email server sessions

Apart from message driven beans, the mapping of JNDI resources from a local name to a global name is not defined in application deployment descriptors. This operation is performed on demand.

When defining JNDI resources, each application server (WebSphere, WebLogic and JBoss) has a different way of targeting JNDI resources. For WebSphere, JNDI names can be defined at the Cell, Node, Cluster or Server level, and when a resource is looked up, these levels are checked in order of specific (Server) to general (Cell). So it is possible to define different resources with the same name for different servers. WebLogic allows targeting of resources to particular servers or clusters, while JBoss expects all appropriate resources to be defined for each server deployment.

Since it is possible to deploy multiple tiplus2 application instances to the same server (each accessing a different zone), there also needs to be a mechanism for being able to provide different resources of the same JNDI identifier in the same server.

JNDI PATTERNS

To be able to provide a local to global mapping facility that can work at a lower level than a particular server, JNDI patterns can be specified that at runtime will be used to resolve to the global JNDI name.
A JNDI identifier is made up of a category and name, for instance jdbc/zone, where jdbc is the category, and zone is the name. The category is used to locate the pattern to be used. Patterns are defined in the jndi.resource.locator.properties file. Given a local JNDI name, for instance jdbc/zone, the following properties are checked in order until one is encountered:

- jndi.jdbc.zone
- jdbc.pattern
- jndi.pattern

There will always be a default in the form of jndi.pattern. The pattern can be a fixed string, or text with parameters defined. The following parameters are available:

- ${deployment}
- ${zone}
- ${category}
- ${name}

The simplest of patterns is ${category}/${name}, which simply maps the local name to be the global name.

Configuration

A master.jndi.resource.locator.properties file is supplied with default patterns for the different application servers. Copy or rename this file to be jndi.resource.locator.properties. Uncomment the properties for the relevant application server where the properties have values. For instance for WebLogic, uncomment the appropriate jndi.pattern property only.

For JMS-based resources, though it is possible to use ${zone} as a parameter, it is more appropriate to use ${deployment} instead, especially as this property file is used when creating the deployment descriptors for message driven beans.
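The following is an added example, not part of the guide or the product, of the lookup order and parameter substitution described under JNDI PATTERNS. The property values, zone identifiers and function names are constructed, and generalising the three keys listed for jdbc/zone to other category/name pairs is an assumption.

```python
from string import Template

# Constructed sample of a jndi.resource.locator.properties file. The supplied
# master file is not reproduced here and these pattern values are illustrative.
SAMPLE_PROPERTIES = """\
# most specific: a single local name
jndi.jdbc.zone=jdbc/${zone}
# category level, written as the guide lists it
jdbc.pattern=${category}/${deployment}/${name}
# default, always present
jndi.pattern=${category}/${name}
"""


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def candidate_keys(local_name):
    """Property keys checked, in order, for a local name such as jdbc/zone."""
    category, name = local_name.split("/", 1)
    return [f"jndi.{category}.{name}", f"{category}.pattern", "jndi.pattern"]


def resolve(props, local_name, deployment, zone):
    """Return (matched_key, global_name) for a local JNDI name.

    The first key present wins. An unknown ${parameter} in the pattern raises
    KeyError rather than producing a half-substituted global name.
    """
    category, name = local_name.split("/", 1)
    values = {"deployment": deployment, "zone": zone,
              "category": category, "name": name}
    for key in candidate_keys(local_name):
        if key in props:
            return key, Template(props[key]).substitute(values)
    raise LookupError(f"no pattern found for {local_name}")


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    # Two deployments on one server resolve the same local name differently.
    for deployment, zone in (("TI1", "ZONE1"), ("TI2", "ZONE2")):
        for local in ("jdbc/zone", "jdbc/reports", "queue/JobLifecycleQueue"):
            print(deployment, local, "->", resolve(props, local, deployment, zone))
```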
JDBC DATA SOURCES

The following JNDI names for JDBC datasources need to be defined using the appropriate XA database drivers:

- jdbc/global for access to the global application database
- jdbc/zone for access to the zone application database
- jdbc/reports for access to the zone application database for reports
- jdbc/dlzone for access to the zone application database for departmental limits

Configure the connection pool sizes as follows:

- for the global connection pool, configure twice the number of expected concurrent users
- for the zone connection pool, configure twice the number of concurrent users and add twice the number of async framework slots.

JMS RESOURCES

JMS resources are discussed in subsequent chapters.

CHAPTER 9 ASYNCHRONOUS FRAMEWORK

The async framework component provides a means to execute long running processes in the background. It is used by the following features:

- Ad-hoc reporting
- End of day
- Transfer of postings/deal etc.
- Transfer of SWIFT or corporate access system messages
- Printing or emailing documents
- Processing incoming service requests

The framework is an independent generic facility that the tiplus2 application makes use of and provides function-specific enquiries to provide monitoring and control. There is also a generic lower-level enquiry that provides access to some repair features not available at the functional level.

JOBS AND STEPS

The async framework models jobs that are made up of multiple steps that need to execute before the job is deemed complete. The job is responsible for defining and managing the sequence in which the steps that provide the business functionality are executed. There are three types of job:

- Those that must run in isolation (sequential)
- Those that can run in parallel with each other (parallel)
- Those that can run at any time (utility)

These rules can be applied at two levels: at the zone level, or within a named stream.
If a sequential job needs to start at the zone level, then no other parallel or sequential job can already be running either at the zone level or within a named stream. A sequential job can start in a named stream if no sequential job is running at the zone level, and no other sequential or parallel job is running in the named stream.

There is a limit to the number of jobs that can be run at once. This is controlled via tuning parameters defined in the global application for the deployment. When a deployment is defined in the global application, a single tuning parameter is created defining the total number of slots available for the async framework in that deployment. A slot represents a running step. By default the minimum number of slots a job can use is 1. So the default tuning parameter provides the maximum number of jobs that can run at once inside a deployment. There are other tuning parameters that may be set:

- Maximum number of slots at the zone level
- Maximum number of slots for a particular job in a particular zone and optionally a particular stream
- Maximum number of instances of a named parallel job that can run at the same time
- Maximum number of named steps within a job that can run in parallel
- Minimum number of slots to assign to a named job

As jobs start, they are allocated an equal share of available slots unless they are capped by the tuning parameters by name. Some jobs only require a single slot as they are made up of one or more sequentially running steps. In that case, when they are initiated, they declare they are single stream. This is then taken into account when sharing out the remaining slots.

The maximum number of slots at the zone level is really to limit the number of jobs that can be started for a zone. So if there is a tuning parameter that sets the maximum number of slots for the zone to 5, then it will limit the number of jobs that can be started, not cap the number of slots for the zone.
So if there are three jobs running already, each requiring a minimum of 1 slot, two more of the same type could be started before jobs would have to wait until a running job finishes. If the number of slots defined at the deployment level is 10, then the 5 jobs would run with 2 slots each.

The sequence in which steps for a job run is based on a step's dependency. Steps with no dependency are run first and, as they complete, steps that are dependent on them are eligible to run. These steps are then run in turn until there are no more steps left to run.

Steps can go into a waiting state, which means that after the call to the step object completes, the object is thrown away, and a timer is set to a configurable period. After this period is complete, the step is re-created and called to check if the step can complete. This mechanism is only used where the purpose of a step is to initiate something, and then wait until it is complete.

If a step needs to be re-attempted at a later time, it can ask for the job to be postponed for a period of time. Once that time is reached, the job is eligible to be restarted from where it left off. The difference between the two features is that for waiting steps, the job is still executing, and may be preventing other jobs from running.

Configuration

In the tiplus2.configuration.properties file, the following properties can be set:

  monitor.period: This property represents the number of seconds to wait before calling a step that is waiting to see if it can complete; the default is 300 seconds
  transfer.postpone.period: When transferring postings, SWIFT messages or customer access system messages, if the receiving system is unavailable, then the transfer job will be postponed. This property represents the time in seconds to wait before re-running the transfer job; default 600 seconds

JMS QUEUES

Jobs and steps are processed by messages sent to JMS queues.
There are three main queues:

- Job lifecycle queue
- Job execution queue
- Step execution queue

The job lifecycle queue deals with initiating jobs, allocating slots to them and marking them as complete. The job execution queue handles all messages to do with executing and completing steps, and managing which steps should be executed next. The step execution queue handles messages to do with executing business functionality.

Both the job lifecycle and job execution queues are fully transactional, so they may be configured with a number of retries before being delivered to a fourth, dead message queue. The step execution queue is not fully transactional; however, repair facilities are available to retry or bypass steps that have not completed successfully.

Configuration

The JNDI names for the queues are:

- queue/JobLifecycleQueue
- queue/JobExecutionQueue
- queue/StepExecutionQueue
- queue/DeadMessageQueue

The JMS queue connection factory JNDI name is:

- jms/QueueConnectionFactory

SPLIT DEPLOYMENT

Ordinarily, the async framework is deployed along with the rest of the tiplus2 application. A drawback of this is that users accessing the system are competing for resources with these long running processes. It is possible to deploy the async framework as a standalone application which can then be sized and controlled independently from the rest of the application. The remaining tiplus2 application only requires access to the JMS server used by the standalone deployment, and references to the job lifecycle and job execution queues. The remaining queues are used by the async framework alone.

Configuration

In the tiplus2.configuration.properties file, the following properties can be set:

  deployment.split: Uncomment this property to enable the async framework to be deployed independently

When the applications are assembled, if this property is set, this configuration will generate two enterprise archives: one with the same name as usually expected, and the second ending with -async.

USER IDENTIFICATION

Jobs that are processed through the async framework will adopt a common user id. This is to focus the security features for users on allowing jobs to be initiated rather than what the jobs actually do.

Configuration

In the tiplus2.configuration.properties file, the following properties can be set:

  DefaultBatchUser: The user specified in this property will be used as the default user for async jobs

CHAPTER 10 NOTIFICATION FRAMEWORK

The TI Plus application provides transaction and system status information using a notification framework. Information currently available for notification is:

- Transaction event step status change (event-status)
- Async framework Job status change (async-job)
- Async framework Step status change (async-step)

These notifications are transactional in nature, so if status changes are rolled back, these notifications are also rolled back.

NOTIFICATIONS

Notifications, once generated, are handled by a message driven bean and can be published as Notifications.All service request messages. Since notifications are informational in nature, it is possible to publish them using a JMS topic, rather than a queue; see the later section on service access.

Configuration

In the tiplus2.configuration.properties file, the following properties can be set:

  service.access.notification.async.job.status: Enable notification of async framework job status changes
  service.access.notification.async.step.status: Enable notification of async framework step status changes
  service.access.notification.event.step.status: Enable notification of transaction event step status changes

A JMS queue is required to trigger transaction-based notifications. So where a transaction is rolled back, the notifications will be as well. The queue must be configured so that a number of delivery attempts are made. If those are exceeded, it must be configured to use the dead message queue defined as part of the async framework. The JNDI name for the queue is:

- queue/NotificationQueue

The JMS queue connection factory is the same as the async framework:

- jms/QueueConnectionFactory

CHAPTER 11 SERVICE ACCESS

The TI Plus application provides a set of services as well as interacting with a set of external services. There are some alternate methods of allowing this access.

- APIStubs: a test-only facility to allow familiarisation with setting up message formats for service access
- EJB: a stateless session bean made available for remote access for using services provided by TI Plus
- Plain JMS: incoming and outgoing service access using XML messages via JMS where responses are not required
- Pseudo-Synchronous JMS: incoming and outgoing service access using XML messages via JMS with the ability to set a reply queue
- JMS Equation interface: a pre-configured set of queues and resources for interfacing to one or more Equation units
- JMS TPI: a pre-configured set of queues and resources for interfacing to one or more instances of the Misys Trade Portal Interface
- JMS Watch List Checker: a pre-configured set of queues and resources for interfacing to one or more instances of a Watch List Checker system such as Misys Trade Watch

For more information see the TI Plus Interface Services Guide.

APISTUBS

This is a test facility that allows familiarisation with sending messages into TI Plus and providing responses to messages originating from TI Plus. With this enabled, three tables are created in the zone database: APISERVER, APICLIENT and APIRESPONSE.
The APISERVER table is checked periodically to see if there are any messages to be sent into TI Plus. Once processed, the item is updated with the response received. Whenever a service request is made from TI Plus, the request message is stored in the APICLIENT table, and the details of the request are used to match an entry in the APIRESPONSE table in order to send back a targeted service response.

A client data entry utility is available in the /sdk/tools/apistubs distribution folder. For more details refer to the TI Plus SDK Systems Interfacing Guide.

Configuration

In the tiplus2.configuration.properties file, the following properties can be set:

  service.access.apistubs: Uncomment this property to enable the apistubs utility
  ...apistubs.db.url: The JDBC URL of the database driver
  ...apistubs.db.user: User id
  ...apistubs.db.password: Plain text password for the user (this is not expected to be configured in the production environment)
  ...apistubs.db.schema: The name of the schema where the apistubs tables will be created

Note: service.access has been omitted to improve readability.

EJB

A stateless session bean called EnigmaServiceAccess is available to be called to pass an XML message as a parameter, and receive the response on return. The EJB is supplied in the com.misys.tiplus2.service.access-ejb.jar file, which can be used as the remote client jar file as well. Note that this file does not contain stubs and ties for the EJB as these are application server specific. Please generate these using the utilities appropriate to the application server you are using.

Configuration

In the tiplus2.configuration.properties file, the following properties can be set:

  service.access.ejb: Uncomment this property to enable the EJB remote access facility.
Note that if this is not set, the EJB is not included in the assembly

PLAIN JMS

Plain JMS service access allows both incoming and outgoing service requests. This service access must only be used where a response to the service request is not required.

Incoming and outgoing queue names are derived from queue name prefixes defined in the configuration. For each incoming queue, the JNDI name of queue/Incoming will be used. For each outgoing queue, the JNDI name of queue/Outgoing will be used. For each unique queue name prefix, the JNDI name of jms/QueueConnectionFactory will be used for the respective queue connection factory.

For outgoing service requests, it is unlikely that all outgoing requests will be handled by the same interface. So it is possible to list the service operation identifiers whose service requests are to be sent to the corresponding queue.

As part of the global processing facilities, it is possible to interact with multiple external systems that provide the same role for different parts of the branch hierarchy defined in the zone. For instance, there may be multiple main banking entities, each of which will require interfacing to its own general ledger system. Service request messages identify the target system as part of their request header, which is available to the middleware to enable routing the request to the correct system. However, if you simply want to assign a particular queue to a particular system, then prefix the service operation identifiers with the name of the external system defined in TI Plus.

Configuration

In the tiplus2.configuration.properties file, the following properties can be set:

  service.access.jms: Uncomment this property to enable any JMS service access
  service.access.jms.plain: Uncomment this property to enable plain JMS service access
  ...plain.server.queues: This property is a comma-separated list of queue prefix names that will be used to accept messages from
  ...plain.client.queues: This property is a comma-separated list of queue prefix names that will be used to send messages to
  ...plain.client.services: This property defines which service operations use which queue prefix when sending service requests (see below)
  ...plain.client.xa: Set this property to yes to enable XA processing when writing messages to queues

Note: service.access.jms has been omitted to improve readability.

The format of the service.access.jms.plain.client.services property is as follows:

=; =,

JDBC->JDBC Providers and Resources->JDBC->Data sources links. Only jdbc/global is required for the global application, whereas all jdbc resources are required for the tiplus2 application deployment servers. If you are using DB2, then for each datasource, select the Custom properties link, and set the webSphereDefaultIsolationLevel to 2 (Read Committed).

JMS CONFIGURATION

The areas of the application that use JMS are:

- Async and Notification Frameworks
- Service Access
- Cross-zone dashboard

Async and Notification Frameworks

A service bus is required to be set up to define the queues for the async and notification frameworks. If multiple tiplus2 applications are to be deployed, then they could share the same bus instance, but it is not a requirement.

Note: If you are configuring for a split deployment, however, then the user access application and the async framework application must share the bus.

- Create a Bus from the Service integration->Buses link
- Add the server to the bus using the Bus members link. Note it will be necessary to restart the server before installing the TI Plus software to allow the bus member to start
- Add the async framework queues to the bus using the Destinations link:
    JOB.LIFECYCLE.QUEUE
    JOB.EXECUTION.QUEUE
    STEP.EXECUTION.QUEUE
    NOTIFICATION.QUEUE
    DEAD.MESSAGE.QUEUE
- For the job lifecycle, job execution and notification queues, edit their definitions, and change the Exception destination details. Specify the DEAD.MESSAGE.QUEUE as the target, and the Maximum failed deliveries per message as 5.
- Create the JMS resources for the server, starting with a queue connection factory using the Resources->JMS->Queue connection factories link, selecting the bus name, and using the JNDI name jms/QueueConnectionFactory
- Create five Queues using the Resources->JMS->Queue link, specifying the appropriate JNDI name, and selecting the relevant destination queue from the bus. The JNDI names are:
    queue/JobLifecycleQueue
    queue/JobExecutionQueue
    queue/StepExecutionQueue
    queue/NotificationQueue
    queue/DeadMessageQueue
- Create five Activation specifications to map the queues to the message driven beans that use them, using the Resources->JMS->Activation specifications link. The JNDI names to use are listener/. Associate them with the respective queues

If a split deployment is configured, then the steps described correspond to the async framework server. For the user access server, the only resources that need to be set up are the connection factory, and queue resources for the job lifecycle, job execution and notification queues. As far as other JMS resources are concerned, both the user access and async framework servers need to be configured in the same way unless otherwise stated.

Service Access

JMS Service access is usually configured using an external JMS provider, such as WebSphere MQ. This section describes how to configure MQ to be used with WebSphere. The example used to describe the configuration is for the TPI interface whose JNDI resources are:

- queue/meridianIncoming
- queue/meridianOutgoing
- jms/meridianQueueConnectionFactory

Note that it is possible to link WebSphere MQ to a service bus.
If this is the case, then follow similar steps to the async framework, as the relevant queues will appear as bus-located resources. In this circumstance, you can also use the WebSphere specific configuration option to use activation specifications, rather than listener ports which are described below.

Configuring WebSphere MQ Connection Factory

- In the navigation tree, click the link Resources->JMS->Queue connection factories and set the scope appropriately.
- Click New, select WebSphere MQ messaging provider as a provider then click OK.
- Enter the following details and click Next.

  Field | Value
  Name | MeridianQCF
  JNDI Name | jms/meridianQueueConnectionFactory

- Select Enter all the required information into this wizard and click Next.
- Enter the Queue manager name and click Next.
- Enter the following details and click Next.

  Field | Value
  Transport | Client
  Hostname |
  Port |
  Server connection channel | SYSTEM.DEF.SVRCONN

- Test the connection and if successful, click Next.
- Click the Finish button and then click on Save link.

Configuring Queues

- In the navigation tree, click the link Resources->JMS->Queues and set the appropriate scope.
- Click New and select WebSphere MQ messaging provider as a provider then click OK.
- Enter the following details.

  Field | Value
  Name | MeridianIncomingQ
  JNDI Name | queue/meridianIncoming
  Queue name | TI.GWY.IN.
  Queue manager |

- Click the OK button and then click on the Save link.
- Select the queue and click on WebSphere MQ connection properties.
- Enter the following and click OK and then on the Save link.

  Field | Value
  Queue manager host |
  Queue manager port |
  Server connection channel name | SYSTEM.DEF.SVRCONN

Repeat the steps above for the outgoing queue with following details:

  Field | Value
  Name | MeridianOutgoingQ
  JNDI Name | queue/meridianOutgoing
  Queue name | TI.GWY.OUT.
The remaining details are the same as the first queue.

Configuring Listener Ports

- In the navigation tree, click on the Servers->Server Types->WebSphere application servers link.
- Click on the appropriate tiplus2 application server.
- Click on the Communications->Messaging->Message listener service link.
- Click on the Listener Ports link.
- Click on New and enter the following details:

  Field | Value
  Name | listener_meridianIncoming
  Connection factory JNDI Name | jms/meridianQueueConnectionFactory
  Destination JNDI name | queue/meridianIncoming

- Click the OK button and then click on the Save link.

Cross-Zone Dashboard

For WebSphere, these queues are defined on a bus that has the global and each tiplus2 server as bus members. If the same bus is used by the tiplus2 servers for the async framework queues, then simply add the global server as a destination, otherwise create a new bus and add all servers as bus members.

[Diagram: the global application deployment (Rebroadcaster) on the Global Server and the TI1 and TI2 tiplus2 application deployments (Zone1Access, Zone2Access) on the TI1 and TI2 Servers, connected through the bus queues TI1.ENQUIRY.INCOMING, TI1.ENQUIRY.REPLY, TI2.ENQUIRY.INCOMING, TI2.ENQUIRY.REPLY, REBROADCASTER.INCOMING and REBROADCASTER.REPLY.]

The solid lines are JNDI mappings, whereas the dashed lines are references due to the queue being defined as the reply-to attribute on an originating message; in these cases no JNDI mapping is required.

The following steps assume you are creating a new bus, and that there are two zones - AMERICA (deployment TI1) and EUROPE (deployment TI2).

- Create a Bus called TIDashboard from the Service integration->Buses link.
- Add the global and tiplus2 servers to the bus using the Bus members link.
- Add the following queues using the Destinations link, referencing the relevant bus member as appropriate:

  Queue name | Bus member
  REBROADCASTER.INCOMING | Global server
  REBROADCASTER.REPLY | Global server
  TI1.ENQUIRY.INCOMING | TI1 server
  TI1.ENQUIRY.REPLY | TI1 server
  TI2.ENQUIRY.INCOMING | TI2 server
  TI2.ENQUIRY.REPLY | TI2 server

- Create the following connection factories, queues and activation specifications from the Resources->JMS-> links.

For the global application server:
- jms/QueueConnectionFactory
- queue/rebroadcasterIncoming mapping to REBROADCASTER.INCOMING
- listener/rebroadcasterIncoming activation specification referencing queue/rebroadcasterIncoming
- queue/rebroadcasterOutgoingResponse mapping to REBROADCASTER.REPLY
- queue/ti1BroadcastIncoming mapping to TI1.ENQUIRY.INCOMING
- queue/ti2BroadcastIncoming mapping to TI2.ENQUIRY.INCOMING

For the TI1 deployment server:
- jms/enquiryQueueConnectionFactory
- queue/enquiryIncoming mapping to TI1.ENQUIRY.INCOMING
- listener/enquiryIncoming activation specification referencing queue/enquiryIncoming
- queue/enquiryOutgoing mapping to REBROADCASTER.INCOMING
- queue/enquiryOutgoingReply mapping to TI1.ENQUIRY.REPLY

For the TI2 deployment server:
- jms/enquiryQueueConnectionFactory
- queue/enquiryIncoming mapping to TI2.ENQUIRY.INCOMING
- listener/enquiryIncoming activation specification referencing queue/enquiryIncoming
- queue/enquiryOutgoing mapping to REBROADCASTER.INCOMING
- queue/enquiryOutgoingReply mapping to TI2.ENQUIRY.REPLY

When the EAR files are deployed, the message driven bean mapping for the Incoming queue will default to a listener port being defined. This needs to be overridden to use an activation specification as referred to in the previous chapter. Add the following to the tiplus2.configuration.properties file:

  override.enquiryincoming.use.websphere.activation=Y

APPLICATION SERVER PROCESS DEFINITION

This only applies to WebSphere 8.5. For each of the application servers that have been defined, a command-line property must be added:

  -Dorg.apache.el.parser.SKIP_IDENTIFIER_CHECK=true

This is set in the Generic JVM arguments field on the page Application servers->->Process definition->Java Virtual Machine.

INSTALLING TI PLUS 2 SOFTWARE

- Click on the Applications->Application Types->WebSphere enterprise applications link.
- Click on Install.
- Click on Browse, and locate the EAR file of the application you wish to deploy.
- You should be able to click Next on all pages without changing anything, except for the Manage Modules page where you target the server/cluster the application is to be deployed to. Make sure all components of an application are referencing the same target.
- On the final summary page, click Finish. The application will be deployed, and once finished, click on the Save link.

WebSphere 8.5 Configuration

After each application has been deployed, select the application from the Applications->Application Types->Websphere enterprise applications list in turn and set the following:

In Details Properties->Class Loading and update detection:
- Set Class loader order to be Classes loaded with local class loader first (parent last)
- Set War class loader policy to be Single class loader for application

In Web Module Properties->JSP and JSF options:
- Set JSF Implementation to SunRI1.2

Once finished, click Save.

FINAL CONFIGURATION STEPS

Session Cookies

To segregate session cookies, click on the Applications->Application Types->Websphere enterprise applications link and select the global application.
- Click on the Session management link.
- Make sure Enable cookies is checked, and click its link.
- Enter the domain and path from the URL used to access the global application.
- Click OK and then click the Save link.

Repeat these steps for each tiplus2 application.
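The session cookie segregation described above can be checked before go-live. The following is an added example, not part of the guide or of the TI Plus software: it derives the domain and path for each application from its access URL and uses the RFC 6265 domain-match and path-match rules to report any application whose session cookie would also be sent to another application. The host name, ports and context roots are constructed assumptions, as is a cookie path of / as the unsegregated starting point.

```python
"""Added example: verify that per-application session cookie scopes do not overlap."""
import ipaddress
from itertools import permutations
from urllib.parse import urlsplit

# Constructed sample URLs; host, ports and context roots are assumptions.
SAMPLE_URLS = {
    "global": "https://ti.example.test:9443/tiplus2-global",
    "TI1": "https://ti.example.test:9444/tiplus2-TI1",
    "TI2": "https://ti.example.test:9445/tiplus2-TI2",
}


def cookie_scope(url):
    """Return the (domain, path) pair to enter for one application URL."""
    parts = urlsplit(url)
    return parts.hostname.lower(), (parts.path.rstrip("/") or "/")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(cookie_domain, host):
    """RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a host name."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    if host == cookie_domain:
        return True
    return host.endswith("." + cookie_domain) and not _is_ip(host)


def path_match(cookie_path, request_path):
    """RFC 6265 section 5.1.4: equal, or a prefix that ends on a '/' boundary."""
    request_path = request_path or "/"
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_sent_to(scope, url):
    """True if a cookie with this (domain, path) scope is sent to url.

    The port is deliberately ignored: cookies are not isolated by port, so
    servers on different ports of one host still share cookies.
    """
    domain, path = scope
    parts = urlsplit(url)
    return domain_match(domain, parts.hostname) and path_match(path, parts.path)


def audit(urls, scopes=None):
    """Return (owner, receiver) pairs where owner's cookie also reaches receiver."""
    scopes = scopes or {name: cookie_scope(url) for name, url in urls.items()}
    return [
        (owner, receiver)
        for owner, receiver in permutations(urls, 2)
        if cookie_sent_to(scopes[owner], urls[receiver])
    ]


if __name__ == "__main__":
    shared = {name: ("ti.example.test", "/") for name in SAMPLE_URLS}
    print("path '/':", audit(SAMPLE_URLS, shared))
    print("segregated:", audit(SAMPLE_URLS))
```

An empty result means each application's session cookie stays within its own context root; any pair listed identifies two applications that would overwrite or receive each other's session cookie.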
CHAPTER 17 WEBLOGIC SETUP

This chapter summarises the WebLogic setup required before the TI Plus software can be deployed and started. It is assumed that a user domain with separate application server instances will be created for the global application and tiplus2 applications. Links referred to below are for the WebLogic Administration Console.

INITIAL CONFIGURATION

Shared Libraries

Before installing the TI Plus software, two shared libraries must be installed.
- Click on the Deployments link from the left-hand menu.
- Click the Install button, and navigate to the /wlserver_10.3/common/deployable-libraries folder. The libraries to install are jsf-1.2.war and jstl-1.2.war.
- Select the Install this deployment as a library option and target the servers the applications are going to be installed to.
- Locate the jar files glassfish.jstl_1.2.0.x.jar and javax.jsf_1.2.0.x.jar from the /modules folder (where x is the highest value available) and copy them to the /lib folder if you have set up a domain, or to each /lib folder if you have set up individual servers. It will be necessary to restart the servers affected.

JDBC CONFIGURATION

JDBC resources can be set up from the Services->JDBC->Data Sources link. The jdbc/global datasource must target all servers, whereas the zone-based datasources need only target the tiplus2 application servers.

If you are using Oracle as your DBMS, make sure on the Connection Pool tab under the Advanced link, the check box for Remove Infected Connections Enabled is unchecked. If this is enabled, then connections will be created and destroyed continually, negating the advantage the connection pool provides. The TI Plus software accesses the Oracle connection directly in order to provide more robust CLOB/BLOB handling, so the connections are fine to be reused.

Do not set an XA transaction timeout on the JDBC resource; let it default to the JTA timeout.
If you are using DB/2, make sure that the option Keep Connection After Local Transaction is not set. Both of these settings can be found on the Transaction tab of the JDBC resource.

JMS CONFIGURATION

The areas of the application that use JMS are:
- Async and Notification Frameworks
- Service Access
- Cross-zone dashboard

Async and Notification Frameworks

For each tiplus2 application server:
- Create a JMS server using the Services->Messaging->JMS Servers link. Target the server that the tiplus2 application will be deployed to.
- Create a new JMS module using the Services->Messaging->JMS Modules link.
- Create a Subdeployment in the JMS module from the Subdeployments tab.
- From the Configuration tab of the JMS Module, add the queues and connection factory, linking them to the subdeployment:
  jms/QueueConnectionFactory
  queue/JobLifecycleQueue
  queue/JobExecutionQueue
  queue/StepExecutionQueue
  queue/NotificationQueue
  queue/DeadMessageQueue

Note: When creating the queue connection factory, make sure that the XA Connection Factory Enabled field on the Transactions tab is checked.

If you are creating a split deployment, then these steps apply to the async server. The user access server needs to reference the JMS server just defined as a Foreign Server. Only the connection factory and the job lifecycle, job execution and notification queues need to be included in the foreign server definition.

As far as other JMS resources are concerned, both the user access and async framework servers need to be configured in the same way unless otherwise stated.

Service Access

JMS Service access is usually configured using an external JMS provider, such as WebSphere MQ. This section describes how to configure MQ to be used with WebLogic.
The example used to describe the configuration is for the TPI interface whose JNDI resources are:
  queue/meridianIncoming
  queue/meridianOutgoing
  jms/meridianQueueConnectionFactory

Setting up the Classpath

Copy the following jar files from the JMS server /WebSphereMQ/Java/lib folder into the /lib folder:
  com.ibm.mq.jar
  com.ibm.mqjms.jar
  com.ibm.mq.pcf-6.1.jar
  connector.jar
  dhbcore.jar
  mqcontext.jar

Add a java property to the startup command line for each tiplus2 application server:
- Click on the Environment->Servers link and select a relevant application server.
- Click on the Server Start tab.
- In the Arguments field add the following:

  -Duser.name=

Note: The user name is defined because the WebSphere MQ server will only grant access to a valid user defined on the machine that the MQ Server is running on.

Configure a Foreign JMS Server in WebLogic

Create a JMS Foreign Server as follows:
- Click on the Services->Messaging->JMS Modules link.
- Click on the JMS module for the tiplus2 server.
- Click the New button, select the Foreign Server radio button, and then click the Next button.
- Give the Foreign Server a name and click the Next button.
- Ensure that the targeting is set to the subdeployment and click the Finish button.
- Click on the newly created resource, and enter the following value in the JNDI Initial Context Factory textbox:

  com.ibm.mq.jms.context.WMQInitialContextFactory

- Then enter the following value into the JNDI Connection URL textbox:

  :/SYSTEM.DEF.SVRCONN

- Click Save.

Create Destinations

In the JMS Foreign Server, select the Destinations tab, and for each queue:
- Click the New button to create a new Foreign Destination.
- Give the destination a Name, a Local JNDI Name, and a Remote JNDI Name.
- Finally, click OK.

The following queues should be defined.

  Local JNDI name | Remote JNDI name
  queue/meridianIncoming | TI.GWY.IN.
  queue/meridianOutgoing | TI.GWY.OUT.

Note: The Remote JNDI Name must match the name given to the queue created within the WebSphere MQ Server.

Create Connection Factories

- In the JMS Foreign Server, select the Connection Factories tab.
- Click the New button to create a new Foreign Connection Factory.
- Give the foreign connection factory a Name, a Local JNDI Name, and a Remote JNDI Name.
- Finally, click OK.

  Field | Value
  Local JNDI Name | jms/meridianQueueConnectionFactory
  Remote JNDI Name | TIMQMGR

Note: Ensure that the username and password fields on the Foreign Connection Factory are left blank; setting them will cause problems.

Cross-Zone Dashboard

The approach for the cross zone dashboard configuration for WebLogic is to have a single JMS server on the global application server that hosts the queues, and the zone applications treat that JMS server as a foreign server. The names of the resources referred to below are suggestions, however, any JNDI name specified must be used.

[Diagram: the global application deployment (Rebroadcaster) on the Global Server hosts the JMS Server with the TI1 and TI2 broadcast queues, TI1.ENQUIRY.REPLY, TI2.ENQUIRY.REPLY and the rebroadcaster Incoming and BroadcastReply queues; the TI1 and TI2 tiplus2 application deployments (Zone1Access, Zone2Access) each use a Foreign JMS Server with Incoming, IncomingResponse, Outgoing and OutgoingReply destinations.]

The dotted lines for queues indicate they are placeholders for the actual queues that reside in the global JMS server.

The following steps assume that there are two zones - AMERICA (deployment TI1) and EUROPE (deployment TI2).

For the global application:
- Create a JMS server called GlobalJMSServer using the Services->Messaging->JMS Servers link.
  Target the server the global application will be deployed to.
- Create a new JMS module called GlobalModule using the Services->Messaging->JMS Modules link.
- Add a Subdeployment to the GlobalModule using the Subdeployments tab, targeting the GlobalJMSServer.
- From the Configuration tab in the GlobalModule, add the following queues and connection factory, linking them to the subdeployment:

  Resource name | Type | JNDI name
  QueueConnectionFactory | Connection Factory | jms/QueueConnectionFactory
  REBROADCASTER.INCOMING | Queue | queue/rebroadcasterIncoming
  REBROADCASTER.REPLY | Queue | queue/rebroadcasterOutgoingResponse
  TI1.ENQUIRY.INCOMING | Queue | queue/ti1BroadcastIncoming
  TI1.ENQUIRY.REPLY | Queue | queue/ti1BroadcastOutgoingResponse
  TI2.ENQUIRY.INCOMING | Queue | queue/ti2BroadcastIncoming
  TI2.ENQUIRY.REPLY | Queue | queue/ti2BroadcastOutgoingResponse

Note that the xxx.ENQUIRY.REPLY queues will not be accessed directly by the global application via these JNDI names, however they will be used to link to the relevant zone JMS configuration.

For each of the AMERICA (TI1) and EUROPE (TI2) zones:
- Create a new JMS module called TI1Module using the Services->Messaging->JMS Modules link, targeting the server that the AMERICA zone is to be accessed from.
- From the Configuration tab create a Foreign Server called GlobalForeignServer, setting the JNDI Initial Context Factory to weblogic.jndi.WLInitialContextFactory and JNDI Connection URL to t3://:
- On the Destinations tab, add the following:

  Resource name | Local JNDI | Remote JNDI
  Incoming | queue/enquiryIncoming | queue/ti1BroadcastIncoming
  IncomingResponse | queue/enquiryIncomingResponse | queue/rebroadcasterOutgoingResponse
  Outgoing | queue/enquiryOutgoing | queue/rebroadcasterIncoming
  OutgoingReply | queue/enquiryOutgoingReply | queue/ti1BroadcastOutgoingResponse

- On the Connection Factories tab, add the following:

  Resource name | Local JNDI | Remote JNDI
  ConnectionFactory | jms/enquiryQueueConnectionFactory | jms/QueueConnectionFactory

Repeat this configuration for the EUROPE zone.

INSTALLING TI PLUS 2 SOFTWARE

- Click on the Deployments link from the left-hand menu.
- Click on Install.
- Locate the EAR file of the application you wish to deploy and click Next.
- Select Install this deployment as an application and click Next.
- Check the appropriate server where the software will be installed to and click Next.
- Click Finish.

The software will now be installed. If the target server is already running, then the software will be started automatically, so it is advisable to make sure the server you are installing to has been stopped.

CHAPTER 18 JBOSS 5.1 SETUP

This chapter summarises the JBoss setup required before the TI Plus software can be deployed and started. It is assumed that a separate server environment will be configured for global application and each tiplus2 application. All configuration is expected to be performed via editing configuration files using a text editor.
INITIAL CONFIGURATION

JBoss has the following folder structure:

  Folder | Content
  /bin | Control scripts
  /client | Jar files required to run a JEE client
  /common/lib | Common jar files for all configurations
  /docs | DTD and schema definitions as well as sample configuration files
  /lib | Server jar files
  /server | Folder containing individual server definitions
  /server/all | Full configuration supporting clustering
  /server/default | Default configuration
  /server/xxx | Further configurations that are not appropriate for running TI Plus 2

To create an instance of an application server, a server configuration folder must be used as a basis. If clustering is required, start with /server/all, otherwise start with /server/default. The name of the subfolder of /server will become the name of the server configuration; for example /server/global-server1 would represent an application server for running the global application.

Startup Scripts

To start an application server, create a script in the /bin folder called run-.bat (or run-.sh on Linux). The script should contain:

  set RUN_CONF=C:\jboss\bin\run..conf.bat
  run.bat -c -b hostname

Where hostname is the host name of the machine.

This script references a configuration script to call: run..conf.bat. These are created by copying run.conf.bat.

To make sure that each application server on the same host does not use the same ports as each other, the debug port and service binding system property must be set uniquely. In the run..conf.bat file, change the debug port (defaults to 8787) and add the following line near the bottom:

  set JAVA_OPTS="%JAVA_OPTS% -Djboss.service.binding.set=ports-nn"

Where nn starts as 01. The first configuration does not need to specify this; each subsequent configuration, by specifying ports-nn, has a set of port numbers offset by 100 x nn. So, for instance, the first configuration would use port 8080 for http. When specifying ports-01, this would become 8180.

This script also contains the memory requirements for the application server, and so it must be set accordingly.

If clustering support is required, make sure that all of the servers that are to be used in a cluster share the same UDP IP number and that other application servers do not. This IP address is specified by setting the jboss.partition.udpGroup property:

  set JAVA_OPTS="%JAVA_OPTS% -Djboss.partition.udpGroup=228.11.11.12"

Those servers participating in the cluster must all specify the same IP address.

Default Datasource

A JBoss application server has a default data source that is used for identity tracking, and the default JMS implementation. It is pre-configured using hsqldb. Use a database created specifically for JBoss using your chosen DBMS. Update the /server//deploy/default-ds.xml to reference the database you nominate. All of the relevant tables will be created on demand. Examples of this file are in /jboss/docs/examples/jca based on the DBMS used.

Setting up SSL

Create the folder /common/conf and open a terminal at this location. To create a certificate for each application server, execute the following command for each configuration:

  keytool -genkey -alias -keyalg RSA -validity 3650 -keystore mykeys.keystore

setting the value to one that represents the configuration.

Also create a trust store with the certificates, by first exporting them:

  keytool -export -alias -keystore mykeys.keystore -file .cer

and then importing them:

  keytool -import -alias -file .cer -keystore mykeys.truststore

You will be prompted for password and identity information. When asked for first and last name, enter the host name of the URL associated with the application server.
Update the configuration of the embedded tomcat server to reference the certificates as follows:
- Open the server.xml file in the /server//deploy/jbossweb.sar folder
- Uncomment the definition for https
- Set the keystoreFile and keystorePass attributes
- Add a keyAlias attribute

The definition should look something like:

Note that the keystoreFile attribute should reference the file using an absolute path.

Update the run..conf.bat file to reference the truststore by adding the following two lines near the bottom:

  set JAVA_OPTS="%JAVA_OPTS% -Djavax.net.ssl.trustStore=C:/jboss/common/conf/mykeys.truststore"
  set JAVA_OPTS="%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword="

Default JMS Provider

The default JMS provider uses a database to handle the message store. The tables to create for this facility are DBMS-specific. The default hsqldb-based definition must be removed (hsqldb-persistence-service.xml) and a DBMS-specific one replace it. Sample files are available in /jboss/docs/examples/jms; place the respective file in /server//deploy/messaging folder.

JDBC CONFIGURATION

For each datasource a separate configu