IBM Certified Database Administrator – DB2 UDB V8.1 for Linux, UNIX and Windows
IBM Certified Database Associate – DB2 Universal Database V8.1 Family
IBM Certified Administrator for SOA Solutions – WebSphere Process Server V6.0
IBM Certified SOA Associate

Finally I got some Information Management certifications as well.

IBM Certified System Administrator — WebSphere Application Server Network Deployment V6.0
IBM Certified Deployment Professional — WebSphere Process Server V6.0

Some guys from work and me are attending to this years IBM Impact conference in Las Vegas. This will be my first time in Sin City and I’m quite excited about the trip. I’ll try to keep up blogging about both the interesting technical stuff from the conference and my personal impressions about the city.

(insider) I have already ordered some drivers gloves which I have to pick up at the local Bimmer dealer – so what could go wrong? (/insider)

Ian says:

In summary, have exactly two full repositories per cluster unless you have a very good reason and fully interconnect them with manually defined cluster sender channels.

That’s the new look for WebSphere:

and this for Tivoli:

Here is an example for how the logo looked like before:

Not that this is very important but I just don’t like it.

Last week I made my first Tivoli certificate at the Transaction & Messaging Technical Conference in Vienna. I hope that IBM will develop some sort of test for the Omegamon XE for Messaging as well soon, the ITM V6.1 test is way to general for my area of expertise.

My current certificates:
IBM Certified Deployment Professional – Tivoli Monitoring V6.1
IBM Certified Solution Designer – WebSphere MQ V6.0
IBM Certified System Administrator – WebSphere Message Broker V6.0
IBM Certified System Administrator – WebSphere MQ V6.0
IBM Certified System Administrator – WebSphere Business Integration Message Broker V5
IBM Certified System Administrator – WebSphere MQ V5.3

Would be nice to expand knowledge in the area of WAS (WebSphere Application Server) soon as well.

One interesting field was the topic on how to handle the situation when a not HA enabled Deployment Manager gets corrupted or unavailable. To be able to accomplish this you should take backups of the configuration on a regular basis using the backupConfig command, to restore the configuration the command restoreConfig should be used. The path of restoring an unavailable Deployment Manager on another host could be looking something like:

1.Backup your DMGR on a regular basis using backupConfig
2.Re-install the WAS product to the backup server to the exactly same location as the corrupt one
3.Restore your DMGR configuration using the restoreConfig command
4.Change DNS entries to point to the new server

Hendrik presented a slide showing a WAS ND Cluster environment “Gold Design” (an infrastructure design setup assuming that money is not a problem) Very interesting and complex.

Another important design consideration when running clusters in two data centers either active/active or active/passive is to keep track on network latency. It is NOT recommended to run cells that span over two data centers due to network latency, you should run 2 cells, one in each data center instead.

Why should you buy a DataPower appliance anyway?
IBM says:

-Hardened specialized hardware for helping to integrate, secure & accelerate SOA
-Higher levels of security
-Higher performance
-Simplified deployment

SOA appliances centralize XML functions as they can do more than just routing, they validate and transform at wire speed.

Traditional systems do not offer much protection, XML validation is typically off for performance reasons. By the time they try to parse the message it’s often too late.

Simon spoke about the 4 main broad threat classification as there are:

-XML Denial of Service (xDOS)
-Unauthorized Access
-Data Integrity/Confidentiality Attacks
-System Compromise Attacks

Each of the threats were explained in detail where an XML entity expansion attack called “Billion Laughs Attack” was explained.

Read more about various XML threats as Billion Laughs and their prevention on DevCentral

As summary I would call the DataPower appliances some real cool hardware and I’m sure that most of the companies out there running their SOA approach should think about using them in their environments.

-Network
-Machine
-External Application
-Internal Application Isolation

WAS V6.1 has improved security hardening by the the meaning “Secure by default” which means that Administrative Security is on by default and most subsystems as well.

The following list are some of the more important things to think about concerning security in your WAS environment.

Network Design Considerations

-Use two firewall DMZ
-No WAS in the DMZ
-Firewall protection from intranet

Use HTTPS for the browser

-WAS can enforce https by configuring this in the web.xml file

Configure Secure File Transfer

Keep up to date with patches and and fixes

-Important! Security updates are rolled into the next release/refreshpack and then no longer listed on the recommended update page.

Enable Application Security

-That enables applications to leverage Java EE security

Restrict Access to WebSphere MQ

-Custom security exit for client authentication
-A simpler approach is to use MQ SSL client authentication

SIBus

-Configure inter-engine authentication alias

Harden the Web Server and Host

-Harden the OS
-Harden the Web Server

-Limit the modules loaded
-Review the Web Server configuration
-Consider limiting the SSL strength allowed

-Ensure that the WAS plugin is configured to only forward traffic for the right application
-Remove the JRE’s installed when installing the Web Server and the Web Server Plugin
-WAS V6.0 and later can manage Web Servers as part of the Cell, this is NOT recommended in a production environment

Harden the Proxy Host

-Standard OS hardening applies
-Harden the Proxy
-Ensure the Proxy is only forwarding what should be forwarded
-Best bet for Web Services Proxy: DataPower

Configure and use TAI’s carefully

-Trust Associations Interceptors extend the trust domain
-TAI must be carefully designed and carefully deployed
-Mistakes result in serious security weaknesses

Consider Authenticating Web Server to WAS link

-Any http client can connect to the web container

Limiting Web Container Access to trusted servers

-Create new trust store that contains only the Web Server Plugin signers
-Create new SSL configuration
-Disable HTTP transport on Web Container
-Ensure web plugin has needed signer

Don’t run samples in production

Choose an appropriate process identity

Protect your configuration files & private keys

Encrypt the LDAP link

-APAR PK34088 is needed to accomplish this

This were some of the most important measures to take into consideration when revising the WAS infrastructure security.

Simon then explained the medium and less important security hints to us, unfortunately the time was up very soon. This topic definitely needs more time to be discussed.

Applications
Messages
Transport
Hardware
Queue Manager
Message Broker
Data

I would assume Transport and Queue Manager in the same puzzle tile but that’s just my 5 cent. All of the parts listed above should be taken into consideration when designing your integration platform for performance.

The main processing requirements are:

Data

which type?
size?

Transport

MQ?
HTTP?

Processing Pattern

Transformation?
Aggregation?
Rating?

QoS

Persistent?
Non-Persistent?

Tim went through all of the typical usage patterns used in WMB briefly. He explained what happens “under the skin” of a quite simple looking message flow, how the parsing, navigation, and the Message/Business processing occurs. Tree copying is very expensive as you have to handle a big structure in the broker.

Some of the improvements to think about:

Parsing

Use the cheapest parser possible
Identify the message type quickly
Use parsing strategies
Parsing avoidence
Partial parsing
Opaque parsing

The cost of parsing is significantly higher when parsing tds instead of xml.

A very good performance improvement is to do partial parsing the following table shows this in numbers:

Ration CPU cost 1 KB Message 16 KB Message 256 KB Message
Filter First 1 1 1
Filter Last 1,4 3,4 5,6

High processing cost applies for 2-face commit in WMB as well so try to avoid it when not needed.

How can you increase the message throughput in your platform?
Mainly there are 4 different ways to accomplish that:

Additional instances
Copying the message flows
Adding execution groups (relatively expensive)
Multiple brokers (very expensive, high management overhead)

Recommendations for execution groups

One or two per application
Assign heavy resource users (memory) to special EG’s

How many instances of a message flow to run?
The 3 rules!

There is no preset magic number
Flows are like people different and sensitive
You need to run it for real to find out what’s needed

Tim then had a small drive through of the IS02 supportpac which we already do use in some environments. We do not yet use the “Accounting and Statistics” – plugin but soon we will as this gives you some real sexy bars and diagrams about the accounting statistics in the Message Broker.

Improvements in V6.1

Up to 150% better complex XML document processing
Up to 300% better XML validation
Process gigabyte files with minimal storage growth
Process 1000s of records per second
Reduced runtime memory footprint, up to 30% less memory

Tim promised more details on the improvements as the product goes GA.

Summary

Understand your requirements
Be aware of key design considerations
Tuning is important
Avoid the common problems
Benefit from the performance improvements in the latest releases