7/22/2019 CAP1676-VMware vFabric tc Server Best Practices for Security, Stability and Sanity_Final_US.pdf
1/47
VMware vFabric tc Server
Best Practices for Security, Stability and Sanity
Channing Benson, VMware, Inc.
APP-CAP1676
#vmworldapps
Disclaimer
This session may contain product features that are currently under development.
This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Agenda
Introduction / Goals
What is tc Server?
tc Server Installation and Configuration
Hyperic Configuration
Web Application Deployment and Management
tc Server Instance Deployment Variations
Performance Tuning
Security
Resources
Introduction / Goals
tc Server: vFabric application server
What is a Best Practice?
Provide practical advice in installation, care, and feeding
Educate for contingencies
Lots of ground to cover
Compromise between breadth and depth
What is vFabric tc Server?
tc Server: vFabric Application Server
[Diagram: vFabric product family. Cloud Infrastructure and Management; Programming Model (Spring Framework, Integration Patterns, Batch, Spring Data, Spring Tool Suite); Application Deployment (App Director, vCO); Java Runtime (tc Server), vFabric Web Server, RabbitMQ, GemFire, SQLFire, Data Director; Dynamic Ops; Java Optimizations (EM4J); Application Performance Monitoring (vCops, APM: AppSpeed, Insight).]
tc Server: Replace Legacy Java Servers and Apache Tomcat
Efficient, lean, fit-to-purpose runtime platform
Lower cost and complexity
Enterprise capabilities on Apache Tomcat-compatible base
vmware.com/go/tc
Beyond ASF Tomcat, Fully Compatible
Nothing removed, only added
Full binary application compatibility, zero lock-in
Patch and update without touching configuration
Multi-instance templating
Dynamic log level changes with JMX
Obfuscation of configuration passwords
Improved Windows service wrapper
UNIX init.d startup scripts provided
Pre-tuned and secured
Native session-replication clustering or VMware vFabric GemFire
Built-in diagnostics valve
Beyond ASF Tomcat, Fully Compatible
[Diagram: proprietary encryption for DB passwords. Encode the password, then place the encoded value in server.xml, or reference it from server.xml via a variable whose value is set in catalina.properties.]
tc Server Installation and Configuration
Installing tc Server
Simplest method is unpack file archive
.tar.gz (Linux) or .zip (Windows)
RPM provided for Linux
Implements certain best practices
Java SDK or JRE is required
Java 6 or Java 7
After installation, create instance(s) to host web applications
RPM Install Actions
Gets latest version
Installs in fixed location
/opt/vmware/vfabric-tcserver-standard
Owner: root Group: vfabric
Creates vfabric group
Creates tcserveruser
Creates target directory for tc Server instances
Sets up bash command completion for tc Server scripts
tc Server User and Group
Don't run as root!
Convention simplifies administration
tcserveruser in vfabric group
Implications on Hyperic configuration
Separate Instance Directory
tc Server facilitates separate directory for instances
Uses Tomcat's CATALINA_BASE and CATALINA_HOME
Improves maintainability
Improves security
/var/opt/vmware/vfabric-tc-server-standard
Owned by user tc-server with group vfabric
Keeps product bits protected from non-root access
tcruntime-instance script to create instances
tcruntime-ctl script to control instances
Implemented Using Environment Variables
CATALINA_HOME
Points to directory containing core Tomcat implementation
For example, INSTALL_DIRECTORY/tomcat-7.0.23.A.RELEASE
CATALINA_BASE
Points to directory containing elements unique to an instance
Contents override any duplicates from CATALINA_HOME
By default, CATALINA_BASE = CATALINA_HOME
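The two-directory layout above carries a security property worth checking on every host: the product bits under CATALINA_HOME should not be writable by the unprivileged instance user, and everything under CATALINA_BASE should be owned by that user so the instance never needs root. The following audit script is an added example, not part of tc Server; the directory names, the planted world-writable file and the demo layout are constructed for illustration.

```python
"""Audit a CATALINA_HOME / CATALINA_BASE layout for ownership and write permissions.

Added example, not part of the tc Server distribution. The demo layout built
by build_demo_layout() is constructed and lives in a temporary directory.
"""
import os
import stat
import tempfile


def audit_layout(catalina_home, catalina_base, instance_uid):
    """Return a list of findings; an empty list means the layout is clean.

    Rule 1: nothing under CATALINA_HOME is group- or world-writable, so the
            instance user (or anyone else non-root) cannot tamper with product bits.
    Rule 2: CATALINA_BASE and everything below it is owned by instance_uid,
            so the instance can be started and maintained without root.
    """
    findings = []

    for root, dirs, files in os.walk(catalina_home):
        for name in dirs + files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append("CATALINA_HOME: %s is group/world writable (%s)"
                                % (path, oct(stat.S_IMODE(mode))))

    base_paths = [catalina_base]
    for root, dirs, files in os.walk(catalina_base):
        base_paths.extend(os.path.join(root, n) for n in dirs + files)
    for path in base_paths:
        uid = os.lstat(path).st_uid
        if uid != instance_uid:
            findings.append("CATALINA_BASE: %s owned by uid %d, expected %d"
                            % (path, uid, instance_uid))
    return findings


def build_demo_layout():
    """Create a constructed layout in a temp dir and return (home, base).

    One deliberate defect is planted: conf/server.xml under CATALINA_HOME is
    world-writable, which the audit must report. Directory modes are set
    explicitly so the result does not depend on the caller's umask.
    """
    top = tempfile.mkdtemp(prefix="tcserver-demo-")
    home = os.path.join(top, "tomcat-7.0.23.A.RELEASE")   # CATALINA_HOME (constructed)
    base = os.path.join(top, "instances", "myserver")      # CATALINA_BASE (constructed)

    for sub in ("", "bin", "lib", "conf"):
        os.makedirs(os.path.join(home, sub), exist_ok=True)
        os.chmod(os.path.join(home, sub), 0o755)
    for rel, mode in (("bin/catalina.sh", 0o755),
                      ("lib/tcServer.jar", 0o644),
                      ("conf/server.xml", 0o666)):      # planted defect
        path = os.path.join(home, rel)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(path, mode)

    os.makedirs(os.path.join(base, "conf"))
    path = os.path.join(base, "conf", "server.xml")
    with open(path, "w") as fh:
        fh.write("<Server/>\n")
    os.chmod(path, 0o640)
    return home, base


def demo_findings(uid_offset=0):
    """Build the demo layout and audit it as the current user (plus an optional offset)."""
    home, base = build_demo_layout()
    return audit_layout(home, base, os.getuid() + uid_offset)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Run against a real host the function takes the two directories from the slide, with the uid of the instance user (tcserveruser on an RPM install); the demo reports exactly the planted writable file, and passing a different uid shows how a base directory owned by the wrong account is flagged.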
Creating an Instance Using Templates
Use tcruntime-instance script
This script uses templates
Templates encapsulate configuration of instance
Both user-specified and default
Templates customize conf iguration file contents
Templates customize files in hierarchy
Deployed applications in the webapps directory for example
Example: gemfire-cs
Instance will store session data with GemFire
Create and use your own templates
Standardize security elements
Configure Instance to Start at System Boot
Windows version of tcruntime-instance creates Windows service
Linux
tcruntime-instance script creates init.d.sh script
Obfuscating Passwords in Configuration Files
tc Server value-add
Problem: passwords for accessing resources such as database
servers appear in cleartext in tc Server configuration f iles.
Can only use encryption by interacting with tc Server at startup time, e.g. entering key
Not feasible for production environments
Imperfect solution is to obfuscate password by one of:
Encoding in base64
Encoding with specific passphrase
Encoding with passphrase stored in separate file from encoded version
Encoding with passphrase entered when tc Server is started
Not often practical in production
Obfuscating Passwords in Configuration Files (cont.)
Enter either directly in config file (e.g. server.xml) or using a variable (and variable value entered in conf/catalina.properties).
Use Java class in tc Server runtime directory to obtain value:
    % cd /opt/vmware/vfabric-tc-server-standard/tomcat-7.0.27.A.RELEASE
    % java -cp lib/tcServer.jar:bin/tomcat-juli.jar:lib/tomcat-coyote.jar \
        com.springsource.tcserver.security.PropertyDecoder -encode base64 mypassword
In catalina.properties, have the following precede the variable value, like:
    org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.springsource.tcserver.security.PropertyDecoder
    com.springsource.tcserver.security.PropertyDecoder.passphrase=base64
    db.password=s2enc://bXlwYXNzd29yZA==
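The slide calls base64 an imperfect solution, and a reviewer of a catalina.properties file should be able to see why at a glance. The script below is an added example, not tc Server's PropertyDecoder: it reproduces only the base64 variant shown above (the passphrase-based encodings are proprietary and are not modelled), parses the properties file, and reports every s2enc:// value that anyone who can read the file can reverse. The sample properties text is constructed from the three lines on this slide plus a comment and one extra key.

```python
"""Report s2enc:// values in a catalina.properties that are merely base64.

Added example, not tc Server's PropertyDecoder. Only the base64 form is
reproduced; passphrase-based forms are not modelled here.
"""
import base64
import binascii

S2ENC_PREFIX = "s2enc://"
DECODER_CLASS = "com.springsource.tcserver.security.PropertyDecoder"
PASSPHRASE_KEY = DECODER_CLASS + ".passphrase"

# Constructed sample: the catalina.properties fragment from the slide.
SAMPLE_CATALINA_PROPERTIES = """\
# database settings (constructed sample)
org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.springsource.tcserver.security.PropertyDecoder
com.springsource.tcserver.security.PropertyDecoder.passphrase=base64
db.password=s2enc://bXlwYXNzd29yZA==
db.user=appuser
"""


def parse_properties(text):
    """Minimal key=value parser for the subset of .properties syntax used here."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def encode_base64(cleartext):
    """Produce the same form as 'PropertyDecoder -encode base64 <value>'."""
    return S2ENC_PREFIX + base64.b64encode(cleartext.encode("utf-8")).decode("ascii")


def decode_base64(value):
    """Return the cleartext if value is s2enc://<valid base64 UTF-8>, else None."""
    if not value.startswith(S2ENC_PREFIX):
        return None
    try:
        return base64.b64decode(value[len(S2ENC_PREFIX):], validate=True).decode("utf-8")
    except (binascii.Error, ValueError):   # bad base64 or non-UTF-8 payload
        return None


def audit(text):
    """Map each s2enc:// property key to a finding describing how weak its protection is."""
    props = parse_properties(text)
    passphrase = props.get(PASSPHRASE_KEY)
    findings = {}
    for key, value in props.items():
        if not value.startswith(S2ENC_PREFIX):
            continue
        if passphrase == "base64":
            clear = decode_base64(value)
            if clear is not None:
                findings[key] = "base64 only; anyone who can read this file recovers %r" % clear
            else:
                findings[key] = "marked base64 but payload does not decode"
        elif passphrase is None:
            findings[key] = "encoded value present but no passphrase property set"
        else:
            # The slide lists keeping the passphrase in a separate file as the
            # stronger option; a literal passphrase next to the value is not that.
            findings[key] = "passphrase-encoded, but passphrase is stored in the same file"
    return findings


if __name__ == "__main__":
    for key, finding in audit(SAMPLE_CATALINA_PROPERTIES).items():
        print(key, "->", finding)
```

The round trip encode_base64("mypassword") yields exactly the s2enc://bXlwYXNzd29yZA== value from the slide, which is the point: base64 keeps the password out of casual view but not out of reach of anyone with read access to conf/catalina.properties, so file permissions on CATALINA_BASE remain the real control.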
Hyperic Overview and Configuration
Hyperic is tc Server Console
Monitor tc Server instances
Collect performance metrics
Trigger alerts
Manage tc Server instances
Start/Stop/Restart
Change configuration
Deploy/Undeploy applications
Not Specific to tc Server
Hyperic is a general enterprise management / monitoring tool.
Monitors anything for which there is a plugin
Java programs through JMX
Manage multiple tc Server instances through Hyperic groups
Hyperic Components
Server
Central process providing web interface for management/monitoring
Implemented as tc Server web application
Database
Server's data store
Can be PostgreSQL, MySQL, or Oracle
PostgreSQL for smaller POC environments
Agent
One running on each managed system
Communicates bidirectionally with server
Command line interface
Allows scripting of Hyperic commands and operations
Works through same Web services interface so operations are logged the same way as through the GUI
Hyperic Production Deployment
Key Interactions Between tc Server and Hyperic
Users and permissions
Don't run Hyperic agent as root, but
Hyperic agent must run as user with suitable permissions:
Modify tc Server configuration files: /var/opt/vmware/tcserver-standard/*
Kill tc Server process
Can be configured to use sudo command so that Hyperic agent doesn't need to run as root
JMX
Hyperic agent must be able to login to tc Server remote JMX server
vFabric Administration Server
New alternative to Hyperic for managing tc Server and web applications
Similar agent / server architecture
Server is tc Server instance combined with RabbitMQ broker
Manages RabbitMQ and GemFire as well
REST API
Facilitates scaling of applications through group model
Single system image for all nodes in group
Easily perform operations across a group
http://www.vmware.com/support/developer/vas/rest-api-1.0.0.RELEASE/index.html
Web Application Deployment
Web Application Deployment and Management
Hyperic provides UI for deploying applications
Group tc Server instances for one-step cluster deployment
Tomcat 7 includes versioned deployment
Zero-downtime application updates
LDAP Authentication and single-sign-on
Control Tab for TC Runtime Resource
Webapp Management
Accessed through Application Management view
Deploy (via uploaded or local war file), start, stop, undeploy
Scripted Deployment Through Hyperic
Download tc Server Command-line Interface from Hyperic Admin tab
Create $HOME/.hq/client.properties with resource settings to connect to Hyperic Server (target system, user, password)
Run bin/tcsadmin[.sh|.bat]
http://pubs.vmware.com/vfabric51/topic/com.vmware.vfabric.tc-server.2.7/admin/cli.html for documentation
Versioned webapp Deployment
Added to Tomcat 7 so present in any version of tc Server >= 2.5
Developed and contributed by VMware employees
Allows zero-downtime deployment of new versions
Automatically handles session transition
The Versioning Mechanism
Works via string appended to webapp context name
app##01.war for instance
Versions compared via String comparison
app##11 is earlier than app##2
Recommended to use leading zeroes
Context Examples
Context Path   Context Version   Context Name   Base filename
/foo           None              /foo           foo
/foo/bar       None              /foo/bar       foo#bar
Empty String   None              Empty String   ROOT
/foo           42                /foo##42       foo##42
/foo/bar       42                /foo/bar##42   foo#bar##42
Empty String   42                ##42           ROOT##42
Session Handling
New requests go to latest version of app
If request has non-expired session information, then route to matching version
If matching version is no longer deployed, route to latest version
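The naming table, the string-comparison pitfall (app##11 sorting before app##2) and the three session-handling rules above fit in one small model. The code below is an added example, not Tomcat's or tc Server's implementation: it converts between base filenames and context names exactly as the Context Examples table lays them out, orders versions by plain string comparison as the slides state, and applies the routing rules to a request. Version strings and deployment sets are constructed.

```python
"""Model Tomcat 7 versioned-deployment naming, ordering and session routing.

Added example (not Tomcat's or tc Server's code). ContextInfo, the separators
and the sample version sets are illustrative choices, not Tomcat APIs.
"""
from dataclasses import dataclass

VERSION_SEP = "##"   # separates context name from its version
PATH_SEP = "#"       # stands in for '/' inside a base filename


@dataclass(frozen=True)
class ContextInfo:
    path: str      # "" for the root context
    version: str   # "" when unversioned

    @property
    def name(self):
        """Context name as Tomcat reports it, e.g. '/foo/bar##42' or '##42'."""
        return self.path + (VERSION_SEP + self.version if self.version else "")

    @property
    def base_filename(self):
        """Base filename (without .war), e.g. 'foo#bar##42' or 'ROOT'."""
        stem = "ROOT" if self.path == "" else self.path.lstrip("/").replace("/", PATH_SEP)
        return stem + (VERSION_SEP + self.version if self.version else "")


def parse_base_filename(filename):
    """'foo#bar##42.war' -> ContextInfo('/foo/bar', '42'); 'ROOT' -> ContextInfo('', '')."""
    stem = filename[:-4] if filename.lower().endswith(".war") else filename
    name, _, version = stem.partition(VERSION_SEP)
    path = "" if name == "ROOT" else "/" + name.replace(PATH_SEP, "/")
    return ContextInfo(path, version)


def latest_version(versions):
    """Tomcat orders versions by plain string comparison: '11' < '2', but '02' < '11'.

    This is why the slide recommends leading zeroes.
    """
    return max(versions)


def route(session_version, deployed_versions):
    """Pick the version that serves a request (deployed_versions must be non-empty).

    - a new request (no session) goes to the latest version;
    - a request with a live session goes to its matching version if still deployed;
    - if that version has been undeployed, fall through to the latest version.
    """
    if session_version is not None and session_version in deployed_versions:
        return session_version
    return latest_version(deployed_versions)


if __name__ == "__main__":
    for fn in ("foo", "foo#bar", "ROOT", "foo##42", "foo#bar##42", "ROOT##42"):
        ctx = parse_base_filename(fn)
        print("%-12s path=%-10r version=%-4r name=%r" % (fn, ctx.path, ctx.version, ctx.name))
    print("latest of 11,2  :", latest_version(["11", "2"]))    # '2' wins: string order
    print("latest of 02,11 :", latest_version(["02", "11"]))   # leading zero fixes it
```

A deployment script that derives the "current" version from directory listings should use the same string ordering Tomcat uses, or it will disagree with the server about which version new requests land on; padding to a fixed width (app##001, app##002, ...) keeps the two in step.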
tc Server Instance Deployment
tc Server Instance Deployment Variations
Common use case is to use vFabric Web Server (or Apache Web Server) as a software load-balancer
mod_proxy or mod_jk
Terminate SSL at Web server to get native performance
Restrict network connections to tc Server
Clustering for high-availability
Tomcat-provided or GemFire HTTP Session Management Module
Communications Between Apache and tc Server
Choose between mod_proxy_* and mod_jk
Protocol for mod_proxy is http
Protocol for mod_jk is AJP
Four basic rules:
If encryption needed to tc Server, then choose mod_proxy_http
If application needs SSL information, then use mod_jk
Go with what you know
Configuration of mod_proxy_http is consistent with rest of Apache.
http://www.tomcatexpert.com/blog/2010/06/16/deciding-between-modjk-modproxyhttp-and-modproxyajp
Performance Tuning
Performance Tuning
Tuning process
Measure
Tweak (one at a time, please)
Rinse, repeat
Primary tuning possibilities
Heap configuration
Thread pool size
Database connection pool size
I/O Connectors (BIO, NIO, APR)
Performance is primarily a characteristic of the application
Spring Insight and AppInsight for detailed views
Virtualization impacts
EM4J
Security
Where to Find Help
Where to Find Help
vFabric Documentation Center
http://pubs.vmware.com/vfabric51/index.jsp
vFabric Blogs
http://blogs.vmware.com/vfabric/
Tomcat Expert
www.tomcatexpert.com
ChanningBe
Questions
Fill Out a Survey
Every complete survey is entered into a drawing for a $25 VMware Company Store gift certificate.