IBM WebSphere Application Server

= Introduction = This describes how to create a WAS 9.0 cell.

Structure
A WAS cell consists of:
 * 1 Deployment Manager [wasd01.example.com]
 * 2 Application Server [wasa01.example.com, wasa02.example.com]
 * 2 Web Server [wasw01.example.com, wasw02.example.com]

Operating System
The servers have been installed with Red Hat Enterprise Linux.

= IBM Packaging Utility = This tool allows you to create a local repository containing IBM software installable via Installation Manager.

Installation
To install this utility, proceed as described below:

mkdir -p $HOME/Downloads/IBM/tmp $HOME/Downloads/WAS/WAS90 cd $HOME/Downloads/IBM unzip -q pu.offering.disk.linux.gtk.x86_64_*.zip cd disk_linux.gtk.x86_64/InstallerImage_linux.gtk.x86_64 ./install cd $HOME/Downloads/IBM rm -rf pu.offering.disk.linux.gtk.x86_64_*.zip disk_linux.gtk.x86_64
 * 1) Install\Packaging Utility\pu.offering.disk.linux.gtk.x86_64_*.zip   ->   $HOME/Downloads/IBM/

Base Packages
To create the repository containing the base version, proceed as described below:

Copy the zips:
 * 1) Install\*.zip           ->   $HOME/Downloads/IBM/tmp/
 * 2) Install\Java8.0\*.zip   ->   $HOME/Downloads/IBM/tmp/

Decompress the files: cd $HOME/Downloads/IBM/tmp ls *.zip | while read FILE do    NEWDIR=$(echo "${FILE}" | sed -e 's/[-_]part[0-9].zip//g' -e 's/.zip//g') mkdir -p ${NEWDIR} cd ${NEWDIR} unzip -q ../${FILE} cd - done

Run the Packaging Utility: ls $HOME/Downloads/IBM/tmp/*/repository.config $HOME/Downloads/IBM/tmp/was.repo.9000.java8/disk1/diskTag.inf | while read REPO do    /opt/IBM/PackagingUtility/PUCL listAvailablePackages -repositories ${REPO} | \ egrep "java\.jdk\.|websphere\.ND\.|websphere\.IHS\.|websphere\.PLG\." | while read PKG do        /opt/IBM/PackagingUtility/PUCL copy ${PKG} -repositories ${REPO} -target $HOME/Downloads/WAS/WAS90 -platform os=linux,arch=x86    -showProgress -acceptLicense /opt/IBM/PackagingUtility/PUCL copy ${PKG} -repositories ${REPO} -target $HOME/Downloads/WAS/WAS90 -platform os=linux,arch=x86_64 -showProgress -acceptLicense done done

Delete files no longer needed: rm -rf $HOME/Downloads/IBM/tmp/*

FixPack
To add a new FixPack to the repository, proceed as described below:

Copy the FixPack:
 * 1) \FixPack\??\*.zip   ->   $HOME/Downloads/IBM/tmp/

Decompress the files: cd $HOME/Downloads/IBM/tmp ls *.zip | while read FILE do    NEWDIR=$(echo "${FILE}" | sed -e 's/[-_]part[0-9].zip//g' -e 's/.zip//g') mkdir -p ${NEWDIR} cd ${NEWDIR} unzip -q ../${FILE} cd - done

Run the Packaging Utility: ls $HOME/Downloads/IBM/tmp/*/repository.config | while read REPO do    /opt/IBM/PackagingUtility/PUCL listAvailablePackages -repositories ${REPO} | \ egrep "java\.jdk\.|websphere\.ND\.|websphere\.IHS\.|websphere\.PLG\." | while read PKG do        /opt/IBM/PackagingUtility/PUCL copy ${PKG} -repositories ${REPO} -target $HOME/Downloads/WAS/WAS90 -platform os=linux,arch=x86    -showProgress -acceptLicense /opt/IBM/PackagingUtility/PUCL copy ${PKG} -repositories ${REPO} -target $HOME/Downloads/WAS/WAS90 -platform os=linux,arch=x86_64 -showProgress -acceptLicense done done

Delete files no longer needed: rm -rf $HOME/Downloads/IBM/tmp/*

= WebSphere Application Server Network Deployment =

Local Firewall
Create rules in the local firewall, firewalld, to allow any type of connection between the machines that make up the cell:

firewall-cmd --permanent --zone=custom --add-rich-rule='rule family="ipv4" source address="172.16.1.0/24" accept' firewall-cmd --permanent --zone=custom --add-rich-rule='rule family="ipv4" source address="172.16.2.0/24" accept' firewall-cmd --permanent --new-service=dmgr firewall-cmd --permanent --service=dmgr --set-description="WAS DMGR" firewall-cmd --permanent --service=dmgr --add-port=8879/tcp firewall-cmd --permanent --service=dmgr --add-port=9043/tcp firewall-cmd --permanent --zone=custom --add-service=dmgr firewall-cmd --reload
 * 1) vlan app server
 * 1) vlan web server
 * 1) dmgr

TCP Wrapper
Create rules in tcp_wrapper to allow the DMGR to access the machines that make up the cell via SSH:

hostschk=$(grep "^sshd:.* wasd" /etc/hosts.allow 2>/dev/null) if [ -z "$hostschk" ]; then sed -i '/^sshd:/ s/$/ wasd01.example.com/g' /etc/hosts.allow fi

Deployment Manager and Application Servers
fdisk -l 2>/dev/null | grep "Disk /dev/sd.\:" | sort pvcreate /dev/sdc vgcreate was /dev/sdc lvcreate -L 3g -n ibm was mkfs.xfs -L was-ibm /dev/mapper/was-ibm lvcreate -L 6g -n appSrv was mkfs.xfs -L was-appSrv /dev/mapper/was-appSrv lvcreate -L 2g -n prof was mkfs.xfs -L was-prof /dev/mapper/was-prof lvcreate -L 2g -n srvLog was mkfs.xfs -L was-srvLog /dev/mapper/was-srvLog lvcreate -L 4g -n appLog was mkfs.xfs -L was-appLog /dev/mapper/was-appLog lvcreate -L 1g -n crash was mkfs.xfs -L was-crash /dev/mapper/was-crash echo " LABEL=was-ibm                              /opt/IBM                          xfs     defaults,nodev        1 2 LABEL=was-appSrv                            /opt/IBM/WebSphere/AppServer      xfs     defaults,nodev        1 2 LABEL=was-prof                              /opt/IBM/WebSphere/Profiles       xfs     defaults,nodev        1 2 LABEL=was-srvLog                            /var/log/WebSphere/AppServer      xfs     defaults,nodev        1 2 LABEL=was-appLog                            /var/log/WebSphere/Applications   xfs     defaults,nodev        1 2 LABEL=was-crash                             /var/crash                        xfs     defaults,nodev        1 2" >> /etc/fstab mkdir -p /opt/IBM /var/log/WebSphere/AppServer /var/log/WebSphere/Applications /var/crash mount /opt/IBM mkdir -p /opt/IBM/WebSphere/AppServer /opt/IBM/WebSphere/Profiles /opt/IBM/WebSphere/AppResources mount -a chmod go+rx /opt/IBM /var/log/WebSphere /var/log/WebSphere/AppServer /var/log/WebSphere/Applications /var/crash chmod go+rx /opt/IBM/WebSphere /opt/IBM/WebSphere/AppServer /opt/IBM/WebSphere/Profiles /opt/IBM/WebSphere/AppResources restorecon -RF /opt/IBM /var/log/WebSphere
 * 1) IBM WAS

Web Server
fdisk -l 2>/dev/null | grep "Disk /dev/sd.\:" | sort pvcreate /dev/sdc vgcreate ihs /dev/sdc lvcreate -L 2g -n ibm ihs mkfs.xfs -L ihs-ibm /dev/mapper/ihs-ibm lvcreate -L 2g -n home ihs mkfs.xfs -L ihs-home /dev/mapper/ihs-home lvcreate -L 1.9g -n log ihs mkfs.xfs -L ihs-log /dev/mapper/ihs-log echo " LABEL=ihs-ibm                              /opt/IBM                xfs     defaults,nodev                  1 2 LABEL=ihs-home                              /opt/IBM/HTTPServer     xfs     defaults,nodev                  1 2 LABEL=ihs-log                               /var/log/HTTPServer     xfs     defaults,nodev                  1 2" >> /etc/fstab mkdir -p /opt/IBM /var/log/HTTPServer mount /opt/IBM mkdir -p /opt/IBM/HTTPServer mount -a chmod go+rx /opt/IBM /var/log/HTTPServer /opt/IBM/HTTPServer restorecon -RF /opt/IBM /var/log/HTTPServer
 * 1) IBM IHS

WAS User
Create a dedicated group and a non-privileged user used to run WAS: usrchk=$(grep "^filter_users.*,wasuser" /etc/sssd/sssd.conf* 2>/dev/null) if [ -z "$usrchk" ]; then sed -i '/^filter_users/ s/$/,wasuser/g' /etc/sssd/sssd.conf* fi grpchk=$(grep "^filter_groups.*,wasgroup" /etc/sssd/sssd.conf* 2>/dev/null) if [ -z "$grpchk" ]; then sed -i '/^filter_groups/ s/$/,wasgroup/g' /etc/sssd/sssd.conf* fi systemctl restart sssd.service

allowchk=$(grep "^AllowGroups.* wasgroup" /etc/ssh/sshd_config 2>/dev/null) allchk=$(grep "^AllowGroups \*" /etc/ssh/sshd_config 2>/dev/null) if [ -z "$allowchk" -a -z "$allchk" ]; then sed -i '/^AllowGroups/ s/$/ wasgroup/g' /etc/ssh/sshd_config fi systemctl restart sshd.service

groupadd -g 60620 wasgroup useradd -u 60620 -g wasgroup -c "WebSphere user" -d /home/wasuser -s /bin/bash -m wasuser passwd wasuser chage -I -1 -m 0 -M 99999 -E -1 wasuser mskchk=$(grep "^umask " /home/wasuser/.bashrc 2>/dev/null) if [ -z "$mskchk" ]; then sed -i '/^# User specific aliases and functions/a umask 0022' /home/wasuser/.bashrc fi su - wasuser ssh-keygen -b 2048 -t rsa -C wasuser@$(hostname -f) -f ~/.ssh/id_rsa -N '' touch ~/.ssh/authorized_keys exit restorecon -RF /home/wasuser

Copy the public key of the DMRG wasuser user into the authorized_keys of all servers: cat /home/wasuser/.ssh/id_rsa.pub vi /home/wasuser/.ssh/authorized_keys
 * 1) DMGR
 * 1) all servers

Set the necessary permissions: mkdir -p /opt/IBM /var/ibm chown -R wasuser:wasgroup /opt/IBM /var/ibm chmod go+rx /opt/IBM /var/ibm restorecon -RF /opt/IBM /var/ibm

Limits
Increase the maximum number of user-openable WAS files from 1024 to 8192: echo ' wasuser        hard   nofile           8192 wasuser        soft   nofile           8192 ' > /etc/security/limits.d/wasuser.conf

Prerequisites
Install the necessary packages: yum -q -y install gtk2

Installation Manager
Install the IBMIM on the DMGR: mkdir -p $HOME/Downloads/WAS cd $HOME/Downloads/WAS unzip -q agent.installer.lnx.gtk.x86_64_1.8.5.zip rm agent.installer.lnx.gtk.x86_64_1.8.5.zip chown -R wasuser:wasgroup $HOME/Downloads/WAS
 * 1) Install\IBMIM Install Kit\agent.installer.lnx.gtk.x86_64_1.8.5.zip   ->   $HOME/Downloads/WAS/
 * 2) InstalMgrWAS.install.xml                                             ->   $HOME/Downloads/WAS/

su - wasuser cd $HOME/Downloads/WAS ./userinstc -silent -input $HOME/Downloads/WAS/InstalMgrWAS.install.xml -showProgress -acceptLicense sed -i '/\/opt\/download\/WAS/d' /home/wasuser/var/ibm/InstallationManager/.settings/com.ibm.cic.agent.core.prefs sed -i '/^com.ibm.cic.common.core.preferences.ssl.nonsecureMode/ s/false/true/g' /home/wasuser/var/ibm/InstallationManager/.settings/com.ibm.cic.agent.core.prefs exit

rm -rf $HOME/Downloads/WAS/*

WAS binaries installation
Install the basic WAS on the DMGR: mkdir -p $HOME/Downloads/WAS sed -i -e "s/DMGRHOST/$(hostname -f)/g" $HOME/Downloads/WAS/WAS_ASNode*_profile.txt chown -R wasuser:wasgroup $HOME/Downloads/WAS
 * 1) WAS_ASNode*_profile.txt   ->   $HOME/Downloads/WAS/
 * 2) WAS_IHS.install.xml       ->   $HOME/Downloads/WAS/
 * 3) WAS_Java80.install.xml    ->   $HOME/Downloads/WAS/

su - wasuser cd /opt/IBM/InstallationManager/eclipse ./IBMIM --launcher.ini silent-install.ini -input $HOME/Downloads/WAS/WAS_Java80.install.xml -showProgress -acceptLicense exit

Check the version of WAS and JDK installed: /opt/IBM/WebSphere/AppServer/bin/versionInfo.sh WVER0010I: Copyright (c) IBM Corporation 2002, 2012; All rights reserved. WVER0012I: VersionInfo reporter version 1.15.1.48, dated 2/8/12

IBM WebSphere Product Installation Status Report

Report at date and time July 28, 2017 11:31:49 AM CEST

Installation

Product Directory       /opt/IBM/WebSphere/AppServer Version Directory       /opt/IBM/WebSphere/AppServer/properties/version DTD Directory           /opt/IBM/WebSphere/AppServer/properties/version/dtd Log Directory           /home/wasuser/var/ibm/InstallationManager/logs

Product List

ND                      installed JAVA8                   installed

Installed Product

Name                 IBM WebSphere Application Server Network Deployment Version              9.0.0.4 ID                   ND Build Level           cf041721.01 Build Date           5/23/17 Package              com.ibm.websphere.ND.v90_9.0.4.20170523_1327 Architecture         x86-64 (64 bit) Installed Features   WebSphere Application Server traditional EJBDeploy tool for pre-EJB 3.0 modules Embeddable EJB container Stand-alone thin clients and resource adapters

Installed Product

Name           IBM SDK, Java Technology Edition, Version 8 Version        8.0.4.7 ID             JAVA8 Build Level    pxa6480sr4fp7-20170627_02 Build Date     06/27/17 Architecture   x86-64 (64 bit)

End Installation Status Report

Creation of the DMGR profile
Create the profile on the DMGR: export HOST="$(hostname -f)" export NODE_NAME="DmgrNode01" export PROFILE_NAME="Dmgr01" export WAS_BINARY_DIR="/opt/IBM/WebSphere/AppServer" export WAS_PROFILE_DIR="/opt/IBM/WebSphere/Profiles" export CELL_NAME="Cell01" ${WAS_BINARY_DIR}/bin/manageprofiles.sh \ -create \ -profileName ${PROFILE_NAME} \ -profilePath ${WAS_PROFILE_DIR}/${PROFILE_NAME} \ -templatePath ${WAS_BINARY_DIR}/profileTemplates/management \ -personalCertValidityPeriod 10 \ -signingCertValidityPeriod 15 \ -enableService false \ -serviceUserName wasuser \ -serverType DEPLOYMENT_MANAGER \ -cellName ${CELL_NAME} \ -hostName ${HOST} \ -nodeName ${NODE_NAME} \ -isDefault \ -enableAdminSecurity false ${WAS_PROFILE_DIR}/${PROFILE_NAME}/bin/wasservice.sh \ -add was90_DmgrNode01.init \ -serverName dmgr \ -profilePath ${WAS_PROFILE_DIR}/${PROFILE_NAME} \ -wasHome /opt/IBM/WebSphere/AppServer -userid wasuser chown -R wasuser:wasgroup /opt/IBM/WebSphere restorecon -RF /opt/IBM/WebSphere

Check the created profile: cat /opt/IBM/WebSphere/Profiles/Dmgr01/logs/AboutThisProfile.txt Application server environment to create: Management Location: /opt/IBM/WebSphere/Profiles/Dmgr01 Disk space required: 30 MB Profile name: Dmgr01 Make this profile the default: True Node name: DmgrNode01 Cell name: Cell01 Host name: wasd01.example.com Enable administrative security (recommended): False Administrative console port: 9060 Administrative console secure port: 9043 Management bootstrap port: 9809 Management SOAP connector port: 8879 Run Management as a service: False

Move the logs under /var/log: chown -R wasuser:wasgroup /var/log/WebSphere mv /opt/IBM/WebSphere/Profiles/Dmgr01/logs/* /var/log/WebSphere/AppServer/ rmdir /opt/IBM/WebSphere/Profiles/Dmgr01/logs ln -s /var/log/WebSphere/AppServer /opt/IBM/WebSphere/Profiles/Dmgr01/logs

DMGR Configuration
Start the DMGR: /etc/init.d/was90_DmgrNode01.init_was.init start

Log in to the WAS console as wasuser and increase the DMGR memory to 1 GB: System administration > Deployment manager > Java and Process Management > Process definition > Java Virtual Machine
 * Initial heap size = 1024 MB
 * Maximum heap size = 1024 MB

Disable the creation of the unhelpful Job Manager log: System administration > Deployment manager > Java and Process Management > Process definition > Java Virtual Machine > Custom properties
 * Name       = otis.audit.location
 * Value      = OFF
 * Description = Disable Job Manager daily log

Enable the automatic configuration saving: System administration > Extended Repository Service
 * Enable automatic repository checkpoints
 * Information required Automatic checkpoint depth = 50

Change the description of the console: System administration > Console Identity
 * Custom identity string = My Cell

Change the RippleStart timeout: System administration > Cell > Custom properties > New
 * Name = IBM_CLUSTER_RIPPLESTART_NOTIFICATION_TIMEOUT
 * Value = 300000
 * Description = Amount of time, in milliseconds, the ripplestart function waits for processes to shut down before restarting them.

Change the timeout of the DMGR session: chown -R wasuser:wasgroup $HOME/Downloads/WAS su - wasuser /opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -lang jacl -f $HOME/Downloads/WAS/timeout.jacl exit
 * 1) wsadmin\timeout.jacl   ->   $HOME/Downloads/WAS/

Change the timeout of SOAP requests (wsadmin.sh): sed -i 's/^com.ibm.SOAP.requestTimeout=180$/com.ibm.SOAP.requestTimeout=3600/g' /opt/IBM/WebSphere/Profiles/Dmgr01/properties/soap.client.props

Restart the DMGR to apply the changes: /etc/init.d/was90_DmgrNode01.init_was.init restart

Job Manager
Log in to the WAS console as wasuser and perform the next steps:

Preparing the environment
Copy of the IBMIM zip file: Jobs > Installation Manager installation kits > Add... Install\IBMIM Install Kit\agent.installer.lnx.gtk.x86_64_1.8.5.zip

Servers definition: Jobs > Targets > New Hosts... Host name = was[adw]0[12].example.com Operating system = Linux Administrative user with installation authority = wasuser x Public-private key authentication Full path to keystore = /home/wasuser/.ssh/id_rsa x Save security information Installation Manager data location path(s) = /opt/IBM/InstallationManager

Groups definition: Jobs > Target groups > New... Group name = Application Description = Application Server Member list = wasa0[12].example.com

Jobs > Target groups > New... Group name = Web Description = Web Server Member list = wasw0[12].example.com

Jobs > Target groups > New... Group name = Deployment Manager Description = Deployment Manager Server Member list = wasd01.example.com

Installation Manager
Install the IBMIM on the Application Servers and Web Servers: Jobs > Submit Job type = Install IBM Installation Manager Description = installIM Next Target groups = Application e Web Next The path and file name of Installation Manager kit = /opt/IBM/WebSphere/Profiles/Dmgr01/IMKits/agent.installer.lnx.gtk.x86_64_1.8.5.zip Installation Manager agent data location = /home/wasuser/var/ibm/InstallationManager Installation Manager installation directory = /opt/IBM/InstallationManager Installation action = Install based on login credential x I accept the terms in the license agreements Next x Make the job available now. x Use default expiration - 1 days. Availability interval = Run once Next Finish

WAS binaries installation
Install the basic WAS on the Application Servers: Jobs > Submit Job type = Manage offering Description = manageOfferings Next Target groups = Application Next Response file = $HOME/Downloads/WAS/WAS_Java80.install.xml x I accept the terms in the license agreements Next x Make the job available now. x Use default expiration - 1 days. Availability interval = Run once Next Finish

Profile creation
Create the profile on the Application Servers: Jobs > Submit Job type = Manage profiles Description = manageprofiles Next Target names = wasa0[12].example.com Next WebSphere Application Server home = /opt/IBM/WebSphere/AppServer Response file = $HOME/Downloads/WAS/WAS_ASNode*_profile.txt Next x Make the job available now. x Use default expiration - 1 days. Availability interval = Run once Next Finish

Check the created profile: cat /opt/IBM/WebSphere/Profiles/Custom01/logs/AboutThisProfile.txt Application server environment to create: Custom Location: /opt/IBM/WebSphere/Profiles/Custom01 Disk space required: 10 MB Profile name: Custom01 Make this profile the default: True Node name: AsNode01 Host name: wasa01.example.com Federate to deployment manager: wasd01.example.com:8879

Move the logs under /var/log: chown -R wasuser:wasgroup /var/log/WebSphere mv /opt/IBM/WebSphere/Profiles/Custom01/logs/* /var/log/WebSphere/AppServer/ rmdir /opt/IBM/WebSphere/Profiles/Custom01/logs ln -s /var/log/WebSphere/AppServer /opt/IBM/WebSphere/Profiles/Custom01/logs

Create the NodeAgent startup script: export SRVNAME=$(hostname -s | tr "[:upper:]" "[:lower:]") export NODE_NUMBER=$(echo ${SRVNAME: -2}) export PROFILE_NAME="Custom01" export WAS_PROFILE_DIR="/opt/IBM/WebSphere/Profiles" export NODE_NAME="nodeagent_AsNode${NODE_NUMBER}" ${WAS_PROFILE_DIR}/${PROFILE_NAME}/bin/wasservice.sh \ -add was90_${NODE_NAME}.init \ -serverName nodeagent \ -profilePath ${WAS_PROFILE_DIR}/${PROFILE_NAME} \ -wasHome /opt/IBM/WebSphere/AppServer \ -userid wasuser chown -R wasuser:wasgroup /opt/IBM/WebSphere

Repeat the previous steps for all nodes present, making the appropriate changes.

Installation of IHS binaries
Install IHS on Web Servers: Jobs > Submit Job type = Manage offering Description = manageOfferings Next Target groups = Web Next Response file = $HOME/Downloads/WAS/WAS_IHS.install.xml x I accept the terms in the license agreements Next x Make the job available now. x Use default expiration - 1 days. Availability interval = Run once Next Finish

chmod a+rx /opt/IBM/WebSphere /opt/IBM/WebSphere/Plugins

ln -s /opt/IBM/HTTPServer/bin/adminctl /etc/init.d/was90_IHSAdmin ln -s /opt/IBM/HTTPServer/bin/apachectl /etc/init.d/was90_IHS

echo ' ' >> /etc/init.d/was90_IHS echo ' ' >> /etc/init.d/was90_IHSAdmin
 * 1) The next lines are for chkconfig on RedHat systems.
 * 2) chkconfig: 235 98 02
 * 3) description: Starts and stops IBM HTTPD Server instances.
 * 1) The next lines are for chkconfig on RedHat systems.
 * 2) chkconfig: 235 98 02
 * 3) description: Starts and stops IBM HTTPD Server instances.

yum -q -y install elinks sed -i 's/lynx/elinks/g' /etc/init.d/was90_IHS*

chkconfig was90_IHS on chkconfig was90_IHSAdmin on

sed -i 's/@@AdminPort@@/8008/g' /opt/IBM/HTTPServer/conf/admin.conf*

export IHSNODE=IHSNode01 mkdir -p /opt/IBM/WebSphere/Plugins/config/WebServer_${IHSNODE} chown wasuser:wasgroup /opt/IBM/WebSphere/Plugins/config/WebServer_${IHSNODE} echo " LoadModule was_ap24_module /opt/IBM/WebSphere/Plugins/bin/64bits/mod_was_ap24_http.so WebSpherePluginConfig /opt/IBM/WebSphere/Plugins/config/WebServer_${IHSNODE}/plugin-cfg.xml " >> /opt/IBM/HTTPServer/conf/httpd.conf

sed -i -e 's+^#\(LoadModule rewrite_module modules/mod_rewrite.so\)$+\1+g' \ -e '/^LogFormat .* combined$/ i \ SetEnvIf X-RP-UNIQUE-ID .+ unique-id-present \ RequestHeader set X-RP-UNIQUE-ID %{UNIQUE_ID}e env=!unique-id-present \ \ SetEnvIf X-Client-IP. client-ip-present \ RewriteEngine On \ RewriteCond %{REMOTE_ADDR} (.*) \ RewriteRule .* - [E=R_A:%1] \ RequestHeader set X-Client-IP %{R_A}e env=!client-ip-present \ \ LogFormat "%v %h %l %u %t \\"%r\\" %>s %b \\"%{Referer}i\\" \\"%{User-Agent}i\\" \\"%{error-notes}n\\" | %{X-RP-UNIQUE-ID}i | %{Host}i | %D %{WAS}e" performance \ ' \       -e 's+^\(CustomLog logs/access_log common\)$+#\1+g' \ -e '/^#CustomLog logs\/access_log common$/ a \ CustomLog logs/access_log performance' \ -e '//,/<\/Location>/ s+^#  Require ip 192.168.1$+    Require ip 127.0.0.1+g' \ -e '/^LoadModule was_ap24_module/ i # Limits \ LimitRequestFieldSize 16380 \ ' \    /opt/IBM/HTTPServer/conf/httpd.conf
 * 1) Add X-RP-UNIQUE-ID to the Request Headers if not present \
 * 1) Add X-Client-IP to the Request Headers if not present \

/opt/IBM/HTTPServer/bin/htpasswd /opt/IBM/HTTPServer/conf/admin.passwd wasuser

mkdir -p /opt/IBM/HTTPServer/OldLogs chown wasuser:wasgroup /opt/IBM/HTTPServer/OldLogs chmod go+rx /opt/IBM/HTTPServer/OldLogs

echo ' /opt/IBM/HTTPServer/logs/*access[_.]log /opt/IBM/HTTPServer/logs/*error[_.]log /opt/IBM/HTTPServer/logs/http_plugin[_.]log { compress copytruncate daily dateext maxage 33 minsize +10M missingok notifempty olddir /opt/IBM/HTTPServer/OldLogs rotate 33 sharedscripts postrotate /opt/IBM/HTTPServer/bin/adminctl graceful /opt/IBM/HTTPServer/bin/apachectl graceful endscript } ' > /etc/logrotate.d/IHS /sbin/restorecon -RF "/etc/logrotate.d"

setsebool -P httpd_can_connect_ldap 1 setsebool -P httpd_can_network_connect 1 setsebool -P httpd_can_sendmail 1 /usr/sbin/semanage fcontext -a -t bin_t                  "/opt/IBM/HTTPServer/bin(/.*)?" /usr/sbin/semanage fcontext -a -t httpd_sys_script_exec_t "/opt/IBM/HTTPServer/cgi-bin(/.*)?" /usr/sbin/semanage fcontext -a -t httpd_sys_content_t    "/opt/IBM/HTTPServer/htdocs(/.*)?" /usr/sbin/semanage fcontext -a -t lib_t                  "/opt/IBM/HTTPServer/lib(/.*)?" /usr/sbin/semanage fcontext -a -t httpd_log_t            "/opt/IBM/HTTPServer/logs(/.*)?" /usr/sbin/semanage fcontext -a -t httpd_log_t            "/opt/IBM/HTTPServer/OldLogs(/.*)?" /usr/sbin/semanage fcontext -a -t httpd_modules_t        "/opt/IBM/WebSphere/Plugins/bin/64bits(/.*)?" /usr/sbin/semanage fcontext -a -t initrc_exec_t          "/opt/IBM/HTTPServer/bin/adminctl" /usr/sbin/semanage fcontext -a -t initrc_exec_t          "/opt/IBM/HTTPServer/bin/apachectl" /sbin/restorecon -RF "/opt/IBM/HTTPServer/bin" /sbin/restorecon -RF "/opt/IBM/HTTPServer/cgi-bin" /sbin/restorecon -RF "/opt/IBM/HTTPServer/htdocs" /sbin/restorecon -RF "/opt/IBM/HTTPServer/lib" /sbin/restorecon -RF "/opt/IBM/HTTPServer/logs" /sbin/restorecon -RF "/opt/IBM/HTTPServer/OldLogs" /sbin/restorecon -RF "/opt/IBM/WebSphere/Plugins/bin/64bits"

mkdir -p /etc/semodules restorecon -FR "/etc/semodules" cd /etc/semodules semodule -i ihs.pp
 * 1) semodules\*   -> /etc/semodules/

Move the logs under /var/log: chown -R wasuser:wasgroup /var/log/HTTPServer mv /opt/IBM/HTTPServer/logs/* /var/log/HTTPServer/ rmdir /opt/IBM/HTTPServer/logs ln -s /var/log/HTTPServer /opt/IBM/HTTPServer/logs

/etc/init.d/was90_IHSAdmin start

Adding the new Web Servers
Add the two web servers to WAS: System administration > Nodes > Add Node System administration > Nodes > Add Node Servers > Server Types > Web servers > New... Servers > Server Types > Web servers > New...
 * Unmanaged node
 * Name = IHSNode01
 * Host Name = wasw01.example.com
 * Platform Type = Linux
 * Unmanaged node
 * Name = IHSNode02
 * Host Name = wasw02.example.com
 * Platform Type = Linux
 * Select node = IHSNode01
 * Server name = WebServer_IHSNode01
 * Type = IBM HTTP Server
 * Port = 80
 * Web server installation location = /opt/IBM/HTTPServer
 * Plug-in installation location = /opt/IBM/WebSphere/Plugins
 * Application mapping to the Web server = ALL
 * Administration Server Port = 8008
 * Username = wasuser
 * Password = ********
 * Confirm password = ********
 * Select node = IHSNode02
 * Server name = WebServer_IHSNode02
 * Type = IBM HTTP Server
 * Web server template = IHS
 * Port = 80
 * Web server installation location = /opt/IBM/HTTPServer
 * Plug-in installation location = /opt/IBM/WebSphere/Plugins
 * Application mapping to the Web server = ALL
 * Administration Server Port = 8008
 * Username = wasuser
 * Password = ********
 * Confirm password = ********

Configuring the new Web Servers

 * Change the path where the http_plugin.log file is saved:

Servers > Server Types > Web servers > WebServer_IHSNode01 > Plug-in properties

Log file name = /opt/IBM/HTTPServer/logs/http_plugin.log


 * Change the header management by the plugin:

Servers > Server Types > Web servers > WebServer_IHSNode01 > Plug-in properties > Request routing

Remove special headers = no


 * Start the web servers:

/etc/init.d/was90_IHS restart

Creation of the HTTPS VirtualHost
Create the VirtualHost for HTTPS: Servers > Server Types > Web servers > WebServer_IHSNode01 > Web server virtual hosts > New...
 * Security enabled virtual host
 * Key store file name = WebServer_IHSNode01
 * Target key store directory = $(WEB_INSTALL_ROOT)/conf
 * Key store password = WebAS
 * Verify key store password = WebAS
 * Certificate alias = selfSigned
 * IP Address = nnn.nnn.nnn.nnn
 * Port = 443

Set the Server name of the new VirtualHost: Servers > Server Types > Web servers > WebServer_IHSNode01 > Web Server Virtual Hosts > nnn.nnn.nnn.nnn:443
 * Server name = was.example.com

Add the necessary certificate for HTTPS: Servers > Server Types > Web servers > WebServer_IHSNode01 > Web Server Virtual Hosts > nnn.nnn.nnn.nnn:443 > Manage keys and certificates > Personal certificates > Import...
 * Key store file
 * Key file name = /tmp/certificati/was.example.com.p12
 * Type = PKCS12
 * Key file password = ********
 * Get Key File Aliases
 * Certificate alias to import = was.example.com
 * Imported certificate alias = was.example.com

Servers > Server Types > Web servers > WebServer_IHSNode01 > Web Server Virtual Hosts > nnn.nnn.nnn.nnn:443
 * Key store certificate alias > was.example.com

Servers > Server Types > Web servers > WebServer_IHSNode01 > Web Server Virtual Hosts > nnn.nnn.nnn.nnn:443
 * Copy to Web server key store directory

Servers > Server Types > Web servers > WebServer_IHSNode01 > Plug-in properties
 * Copy to Web server key store directory

Restart the web servers: /etc/init.d/was90_IHS restart

Server SSL Certificate
Import the server certificate: Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Import...
 * Key file name = /tmp/certificati/wasd01.example.com.p12
 * Type = PKCS12
 * Key file password = ********
 * > Get Key File Aliases
 * Certificate alias to import = wasd01.example.com
 * Imported certificate alias = wasd01.example.com

Set the use of the new server certificate: Security > SSL certificate and key management > SSL configurations > CellDefaultSSLSettings
 * Default server certificate alias = wasd01.example.com

Client SSL Certificate
Import the clinet certificate: Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Import...
 * Key file name = /tmp/certificati/WAS.p12
 * Type = PKCS12
 * Key file password = ********
 * > Get Key File Aliases
 * Certificate alias to import = WAS
 * Imported certificate alias = WAS

Enable the support for the verification of client certificates received: Security > SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings
 * Client authentication = Supported

Restart the DMGR to apply the changes: /etc/init.d/was90_DmgrNode01.init_was.init restart

Global Security
Configure the Federated repositories: Security > Global security > Federated repositories > Configure...
 * Primary administrative user name = wasuser
 * Allow operations if some of the repositories are down = Yes
 * Apply
 * Add repositories (LDAP)...
 * New Repository... > LDAP repository
 * Repository identifier = example.com
 * Directory type = Microsoft Windows Active Directory
 * Primary host name = lbad01.example.com  Port = 636
 * Failover server = lbad02.example.com  Port = 636
 * Add
 * Support referrals to other LDAP servers = follow
 * Bind distinguished name = CN=was,OU=Users,DC=example,DC=ch
 * Bind password = ********
 * Require SSL communications = Yes
 * OK
 * Unique distinguished name of the base (or parent) entry in federated repositories = DC=example,DC=ch
 * OK
 * OK
 * Enable administrative security = Yes
 * Enable application security = Yes
 * Federated repositories > Set as current
 * Apply
 * Save

Add credentials on the DMGR and Application Servers to be able to run init scripts without being prompted to enter user and password: sed -i -e 's/^com.ibm.SOAP.securityEnabled=.*/com.ibm.SOAP.securityEnabled=true/g' \ -e 's/^com.ibm.SOAP.loginUserid=.*/com.ibm.SOAP.loginUserid=wasuser/g' \ /opt/IBM/WebSphere/Profiles/*/properties/soap.client.props

vim +/com.ibm.SOAP.loginPassword= /opt/IBM/WebSphere/Profiles/*/properties/soap.client.props com.ibm.SOAP.loginPassword=********

Encrypt the password: /opt/IBM/WebSphere/AppServer/bin/PropFilePasswordEncoder.sh /opt/IBM/WebSphere/Profiles/*/properties/soap.client.props com.ibm.SOAP.loginPassword -noBackup

Stop all WAS processes: /etc/init.d/was90_nodeagent_AsNode0*.init_was.init stop /etc/init.d/was90_DmgrNode01.init_was.init stop

Start all WAS processes: /etc/init.d/was90_DmgrNode01.init_was.init start /etc/init.d/was90_nodeagent_AsNode0*.init_was.init start

Configure the Administrative group roles: Security > Global security > Administrative group roles > Add...
 * WAS_Admin: Administrator, Admin Security Manager, ISC Admins
 * WAS_Audit: Auditor
 * WAS_Config: Configurator
 * WAS_Deploy: Deployer
 * WAS_Mon:   Monitor
 * WAS_Oper:  Operator
 * WAS_SecAdm: Admin Security Manager

SSO with SPNEGO
ktpass                                     -out c:\was90-krb.keytab.temp1 -princ HTTP/wasd01.example.com@EXAMPLE.COM \ -mapUser was90-krb -mapOp set -pass "xxxxxxxxxxxxx" -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL ktpass -in c:\was90-krb.keytab.temp1 -out c:\was90-krb.keytab      -princ HTTP/was.example.com@.EXAMPLE.COM \ -mapUser was90-krb -mapOp add -pass "xxxxxxxxxxxxx" -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL
 * Create the keytab file:


 * Copy the was90-krb.keytab file in /opt/IBM/WebSphere/AppServer/etc/

echo ' [libdefaults] default_realm = EXAMPLE.COM default_keytab_name = FILE:/opt/IBM/WebSphere/AppServer/etc/was90-krb.keytab default_tkt_enctypes = rc4-hmac des-cbc-md5 default_tgs_enctypes = rc4-hmac des-cbc-md5 forwardable = true renewable = true noaddresses = true clockskew = 300 [realms] EXAMPLE.COM = { kdc = kdc01.example.com:88 kdc = kdc02.example.com:88 kdc = kdc03.example.com:88 default_domain = example.com } [domain_realm] .example.com = EXAMPLE.COM ' > /opt/IBM/WebSphere/AppServer/etc/was90-krb.ini
 * Create the /opt/IBM/WebSphere/AppServer/etc/was90-krb.ini file:

chown wasuser:wasgroup /opt/IBM/WebSphere/AppServer/etc/was90-krb.* chmod a+r /opt/IBM/WebSphere/AppServer/etc/was90-krb.*

Security > Global security > LTPA
 * LTPA timeout = 840
 * OK

Security > Global security > Kerberos configuration
 * Kerberos service name = HTTP
 * Kerberos configuration file with full path = /opt/IBM/WebSphere/AppServer/etc/was90-krb.ini
 * Kerberos keytab file name with full path = /opt/IBM/WebSphere/AppServer/etc/was90-krb.keytab
 * Kerberos realm name = EXAMPLE.COM
 * Flag "Trim Kerberos realm from principal name"
 * Unflag "Enable delegation of Kerberos credentials"
 * Apply

Security > Global security > Kerberos configuration > SPNEGO web authentication > SPNEGO Filters > New
 * Host name = wasd01.example.com
 * Kerberos realm name = EXAMPLE.COM
 * Empty all the rest
 * Flag "Trim Kerberos realm from principal name"
 * Unflag "Enable delegation of Kerberos credentials"
 * OK

Security > Global security > Kerberos configuration > SPNEGO web authentication > SPNEGO Filters > New
 * Host name = was.example.com
 * Kerberos realm name = EXAMPLE.COM
 * Empty all the rest
 * Flag "Trim Kerberos realm from principal name"
 * Unflag "Enable delegation of Kerberos credentials"
 * OK

Security > Global security > Kerberos configuration > SPNEGO web authentication
 * Unflag "Use the alias host name for the application server"
 * Flag "Dynamically update SPNEGO"
 * Flag "Enable SPNEGO"
 * Flag "Allow fall back to application authentication mechanism"
 * Kerberos configuration file with full path = /opt/IBM/WebSphere/AppServer/etc/was90-krb.ini
 * Kerberos keytab file name with full path = /opt/IBM/WebSphere/AppServer/etc/was90-krb.keytab
 * OK

Security > Global security > Web and SIP security > Single sign-on (SSO)
 * Flag "Enables"
 * Unflag "Require SSL"
 * Domain name = example.com
 * Unflag "Interoperability mode"
 * Flag "Web inbound security attribute propagation"
 * Flag "Set security cookies to HTTPOnly to help prevent cross-site scripting attacks"
 * OK

Security > Global security
 * reset LTPA (ratio button)
 * Apply
 * Save

Session Replication Domain
Create the Replication Domain from the WAS Console: Environment > Replication domains > New...
 * Name = Cell01
 * Request timeout = 5 seconds
 * Number of replicas = 2

JDBC Driver
Copy JDBC drivers for DB2 and Oracle: mkdir -p /opt/IBM/WebSphere/AppServer/lib/ext/db2/db2_jcc_4.25.13 ln -s db2/db2_jcc_4.25.13 /opt/IBM/WebSphere/AppServer/lib/ext/db2Driver chown -R wasuser:wasgroup /opt/IBM/WebSphere/AppServer/lib/ext
 * 1) DB2 v11.1_M4_FP4_4.25.13 JDBC Drivers\* -> /opt/IBM/WebSphere/AppServer/lib/ext/db2Driver/

mkdir -p /opt/IBM/WebSphere/AppServer/lib/ext/oracle/oracle_jdbc_12.2.0.1 ln -s oracle/oracle_jdbc_12.2.0.1 /opt/IBM/WebSphere/AppServer/lib/ext/oracleDriver chown -R wasuser:wasgroup /opt/IBM/WebSphere/AppServer/lib/ext
 * 1) Oracle 12.2.0.1 JDBC Drivers\* -> /opt/IBM/WebSphere/AppServer/lib/ext/oracleDriver/

Create the following variable at the Cell level: Environment > WebSphere Variables
 * DB2_JCC_DRIVER_PATH = ${WAS_INSTALL_ROOT}/lib/ext/db2Driver
 * UNIVERSAL_JDBC_DRIVER_PATH = ${WAS_INSTALL_ROOT}/lib/ext/db2Driver
 * ORACLE_JDBC_DRIVER_PATH = ${WAS_INSTALL_ROOT}/lib/ext/oracleDriver

Remove the following variable at the Nodo level: Environment > WebSphere Variables
 * DB2_JCC_DRIVER_PATH
 * UNIVERSAL_JDBC_DRIVER_PATH
 * ORACLE_JDBC_DRIVER_PATH

Virtual Host
Create the was.example.com Virtual Host from the Deployment Manager: chown -R wasuser:wasgroup $HOME/Downloads/WAS su - wasuser /opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -lang jython -f $HOME/Downloads/WAS/CreateVirtualHost.py was.example.com 443 WASX7209I: Connected to process "dmgr" on node DmgrNode01 using SOAP connector; The type of process is: DeploymentManager WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[was.example.com, 443]" Checking if the Virtual Host was.example.com already exists Creating the Virtual Host was.example.com Saving config changes exit
 * 1) wsadmin\CreateVirtualHost.py   ->   $HOME/Downloads/WAS/

High-Availability Session Replication (HSR) Dynamic Cluster
Create the HSR_DynaCluster cluster from the Deployment Manager: chown -R wasuser:wasgroup $HOME/Downloads/WAS su - wasuser /opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -lang jython -f $HOME/Downloads/WAS/CreateDynamicCluster.py HSR_DynaCluster 256 all WASX7209I: Connected to process "dmgr" on node DmgrNode01 using SOAP connector; The type of process is: DeploymentManager WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[HSR_DynaCluster, 256, all]" Checking if the DynamicCluster HSR_DynaCluster already exists Creating the DynamicCluster HSR_DynaCluster Configuring the Server template of HSR_DynaCluster Configuring the Session Replication of HSR_DynaCluster to Server only Saving config changes exit
 * 1) wsadmin\CreateDynamicCluster.py   ->   $HOME/Downloads/WAS/

Create the startup scripts on the Application Servers: chown wasuser:wasgroup /var/crash chmod 755 /var/crash restorecon -RF /var/crash export SRVNAME=$(hostname -s | tr "[:upper:]" "[:lower:]") export NODE_NUMBER=$(echo ${SRVNAME: -2}) export PROFILE_NAME="Custom01" export WAS_PROFILE_DIR="/opt/IBM/WebSphere/Profiles" export SERVER_NAME="HSR_DynaCluster_AsNode${NODE_NUMBER}" ${WAS_PROFILE_DIR}/${PROFILE_NAME}/bin/wasservice.sh \ -add was90_${SERVER_NAME}.init \ -serverName ${SERVER_NAME} \ -profilePath ${WAS_PROFILE_DIR}/${PROFILE_NAME} \ -wasHome /opt/IBM/WebSphere/AppServer \ -userid wasuser chown -R wasuser:wasgroup /opt/IBM/WebSphere sed -i "s/^# Required-Start:.*/& was90_nodeagent_AsNode${NODE_NUMBER}.init_was.init/g" /etc/init.d/was90_HSR_DynaCluster_AsNode0*.init_was.init chkconfig was90_HSR_DynaCluster_AsNode${NODE_NUMBER}.init_was.init off chkconfig was90_HSR_DynaCluster_AsNode${NODE_NUMBER}.init_was.init on /etc/init.d/was90_HSR_DynaCluster_AsNode0*.init_was.init start

Repeat the previous steps for all nodes present, making the appropriate changes.

TLS v1.2
From the Deployment Manager, change the Web Server configuration below:
 * Servers > Server Types > Web servers > WebServer_IHSNode01 > Edit Configuration File

adding after the "SSLEnable" directive:
 * SSLProtocolDisable SSLv3 TLSv10 TLSv11

Reboot the web servers: /etc/init.d/was90_IHS restart /opt/IBM/HTTPServer/bin/apachectl -DDUMP_SSL_CONFIG

Also from the Deployment Manager, modify the SSLSettings of Cell and all the Nodes below:
 * Security > SSL certificate and key management > SSL configurations

setting the Quality of protection (QoP) settings: The default value is SSL_TLSv2, which corresponds to: SSLv3, TLSv1, TLSv1.1, TLSv1.2
 * Protocol = TLSv1.2

Add the parameter com.ibm.ssl.protocol=TLSv1.2 on the Deployment Manager and Application Servers: sed -i '/^com.ibm.ssl.alias=/a com.ibm.ssl.protocol=TLSv1.2' /opt/IBM/WebSphere/Profiles/*/properties/soap.client.props

Restart the DMGR to apply the changes: /etc/init.d/was90_DmgrNode01.init_was.init restart

Restart the nodeagents to apply the changes: /etc/init.d/was90_nodeagent_AsNode0*.init_was.init restart

WAS FixPack Installation
Stop all WAS components: /etc/init.d/was90_DmgrNode01.init_was.init stop /etc/init.d/was90_IHS stop /etc/init.d/was90_IHSAdmin stop /etc/init.d/was90_*_DynaCluster_AsNode0*.init_was.init stop /etc/init.d/was90_nodeagent_AsNode0*.init_was.init stop

Delete Rollback files from previous versions: rm -rf /opt/IBM/IMShared/files/com.ibm.*.tar.gz rm -rf /opt/IBM/IMShared/files/com.ibm.*.file rm -rf /opt/IBM/IMShared/native/com.ibm.*.zip

Run the update as wasuser: su - wasuser cd /opt/IBM/InstallationManager/eclipse ./IBMIM --launcher.ini silent-install.ini -updateAll -showProgress -acceptLicense exit

Check the installed versions: /opt/IBM/WebSphere/AppServer/bin/versionInfo.sh /opt/IBM/WebSphere/Plugins/bin/versionInfo.sh

Restore SELinux contexts on web servers: /sbin/restorecon -RF "/opt/IBM/HTTPServer/bin" /sbin/restorecon -RF "/opt/IBM/HTTPServer/cgi-bin" /sbin/restorecon -RF "/opt/IBM/HTTPServer/htdocs" /sbin/restorecon -RF "/opt/IBM/HTTPServer/lib" /sbin/restorecon -RF "/opt/IBM/HTTPServer/logs" /sbin/restorecon -RF "/opt/IBM/HTTPServer/OldLogs" /sbin/restorecon -RF "/opt/IBM/WebSphere/Plugins/bin/64bits"

Restart all previously stopped WAS components: /etc/init.d/was90_DmgrNode01.init_was.init start /etc/init.d/was90_IHSAdmin start /etc/init.d/was90_IHS start /etc/init.d/was90_nodeagent_AsNode0*.init_was.init start /etc/init.d/was90_*_DynaCluster_AsNode0*.init_was.init start

= Monitoring =

WAS Health Policies
Create the following policies:

Operational policies > Health Policies > New...
 * Name = Default_Excessive_Memory_Usage
 * Predefined health condition = Memory condition: excessive memory usage
 * JVM heap size = 95 %
 * Offending time period = 20 Minutes
 * Reaction mode = Supervise
 * Add Action = Place server in maintenance mode
 * Move Up = Place server in maintenance mode
 * Add Action = Place server out of maintenance mode
 * Memberships = Cell

Operational policies > Health Policies > New...
 * Name = Default_Excessive_Request_Timeout
 * Predefined health condition = Excessive request timeout condition
 * Timed out requests = 40 %
 * Reaction mode = Supervise
 * Add Action = Place server in maintenance mode and break affinity
 * Move Up = Place server in maintenance mode and break affinity
 * Add Action = Place server out of maintenance mode
 * Memberships = None

Operational policies > Health Policies > New...
 * Name = Default_Excessive_Response_Time
 * Predefined health condition = Excessive response time condition
 * Response time = 120 Seconds
 * Reaction mode = Supervise
 * Add Action = Place server in maintenance mode and break affinity
 * Move Up = Place server in maintenance mode and break affinity
 * Add Action = Place server out of maintenance mode
 * Memberships = None

Operational policies > Health Policies > New...
 * Name = Default_Maximum_Requests
 * Predefined health condition = Workload condition
 * Total requests = 20000000
 * Reaction mode = Supervise
 * Add Action = Place server in maintenance mode
 * Move Up = Place server in maintenance mode
 * Add Action = Place server out of maintenance mode
 * Memberships = None

Operational policies > Health Policies > New...
 * Name = Default_Maximum_Server_Age
 * Predefined health condition = Age-based condition
 * Maximum age = 30 Days
 * Reaction mode = Supervise
 * Add Action = Place server in maintenance mode
 * Move Up = Place server in maintenance mode
 * Add Action = Place server out of maintenance mode
 * Memberships = Cell

Operational policies > Health Policies > New...
 * Name = Default_Memory_Leak
 * Predefined health condition = Memory condition: memory leak
 * Detection level = Slow (fewer false alarms)
 * Reaction mode = Supervise
 * Add Action = Place server in maintenance mode
 * Move Up = Place server in maintenance mode
 * Add Action = Place server out of maintenance mode
 * Memberships = None

Operational policies > Health Policies > New...
 * Name = Default_Storm_Drain
 * Predefined health condition = Storm drain condition
 * Detection level = Slow (fewer false alarms)
 * Reaction mode = Supervise
 * Add Action = Place server in maintenance mode
 * Move Up = Place server in maintenance mode
 * Add Action = Place server out of maintenance mode
 * Memberships = None

= Links =
 * WebSphere Application Server Network Deployment traditional V9
 * Recommended updates for WebSphere Application Server
 * WebSphere Application Server
 * WebSphere IBM HTTP Server