
validate the sessions with the Policy Server.
d. Set the com.ibm.wps.sso.SiteMinderTrustAssociation
as the class name for the interceptor TAI.
3. Finally, set the following configuration parameters:

com.ibm.websphere.security.trustassociation.enabled=true
com.ibm.websphere.security.trustassociation.types=Netegrity
com.ibm.websphere.security.trustassociation.interceptor=com.ibm.wps.sso.SiteMinderTrustAssociationInterceptor
com.ibm.websphere.security.trustassociation.config=siteminder




Using SiteMinder as an External Security Manager
Installing SiteMinder as an external security manager is a little more
involved. There are two primary steps: installing SiteMinder and
modifying WP to delegate policy decisions to SiteMinder. Installing
SiteMinder as an external security manager involves the following steps
(these steps are for Windows; refer to the Netegrity Policy Server
Installation Guide for other platforms):

1. Run the Policy Server setup program nete-ps-5.5-win32.exe.
2. Click Next twice and accept the license agreement. Click Next.
3. When asked for the Web servers to configure for use with Policy
Server, select the Web server being used by WP.
P1: FCH/SPH P2: FCH/SPH QC: FCH/SPH T1: FCH
WY009-20 WY009-BenNatan-v1.cls May 17, 2004 18:56




400 Chapter 20


4. When asked for a JRE for the Policy Server, make sure you give it a
JRE 1.3.1. If your currently installed JRE is not version 1.3.1,
download a new one and install it.
5. Choose a destination for the installation and click Next.
6. Enter an encryption key and reconfirm it. Remember to record this
key for future use. Click Next.
7. If you do not want to configure hardware keys, click Next. If you do,
refer to the Netegrity Policy Server Installation Guide.
8. Enter and confirm an administrator password and record this
password for future use. Click Next.
9. If you want to configure an SNMP agent at this time, refer to the
Netegrity Policy Server Installation Guide.
10. Review the settings and click Next if all is correct. When copying is
done, click Finish to reboot your system.
Modifying WP to use SiteMinder as an external security manager involves
setting the following configuration properties:
In externalaccesscontrolservice.properties:
accesscontrol.domainname=WPS Portal Server
accesscontrol.accountingport=44441
accesscontrol.authport=44442
accesscontrol.aznport=44443
accesscontrol.maxtimeout=5400
accesscontrol.idletimeout=3600
accesscontrol.syncaudit=false
accesscontrol.ipaddress=<your IP>
accesscontrol.scheme=Basic
accesscontrol.agentname=agent
accesscontrol.agentsecret=<Your secret/password>
accesscontrol.admin=siteminder
accesscontrol.password=<Your password>
accesscontrol.userdir=<Your LDAP server>
accesscontrol.public_access_mode=1
accesscontrol.anonymousid=anonymous
accesscontrol.anyauthuser=anyauth

In services.properties:
com.ibm.wps.services.authorization.ExternalAccessControlService=com.ibm.wps.services.authorization.SiteminderExternalAccessControlImpl

In portallogin.cfg add the following to WpsNewSubject:
com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy required
delegate=com.tivoli.mts.SiteMinderLoginModule;
Integrating Security and Identity Management Tools 401


In portallogin.cfg add the following to WpsSubjectExists:
com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy required
delegate=com.tivoli.mts.SiteMinderLoginModule;

Add a callbackheaderslist.properties file to the portal app
config directory with the following contents:
header.1=sm-serversessionspec
header.2=sm-serversessionid
cookie.1=SMSESSION
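
A pre-restart check for the accesscontrol.* settings listed above, as an added example that is not from the book or from IBM or Netegrity. It flags placeholders left unreplaced and empty or line-wrapped values, plus two assumed sanity checks (distinct ports, idle timeout not above maximum timeout); the function name and sample are constructed here.

```python
import re

# Keys taken from the accesscontrol.* listing on this page.
REQUIRED = ("domainname", "accountingport", "authport", "aznport",
            "maxtimeout", "idletimeout", "ipaddress", "scheme", "agentname",
            "agentsecret", "admin", "password", "userdir")
PLACEHOLDER = re.compile(r"<[^>]+>")  # e.g. <your IP>, <Your password>


def lint_accesscontrol(text):
    """Return a list of findings for an accesscontrol.* properties file."""
    props, findings = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        key, sep, value = raw.strip().partition("=")
        if not key or key[0] in "#!":
            continue  # blank line or comment
        if not sep:  # value wrapped onto its own line, as in a pasted listing
            findings.append(f"line {number}: no '=' (wrapped value?)")
            continue
        props[key.strip()] = value.strip()

    def get(name):
        return props.get("accesscontrol." + name, "")

    for name in REQUIRED:
        if not get(name):
            findings.append(f"{name}: missing or empty")
        elif PLACEHOLDER.search(get(name)):
            findings.append(f"{name}: placeholder not replaced")
    ports = [get(p) for p in ("accountingport", "authport", "aznport")]
    if all(ports) and len(set(ports)) < 3:  # assumed sanity check
        findings.append("ports: accounting, auth and azn ports should differ")
    idle, longest = get("idletimeout"), get("maxtimeout")
    if idle.isdigit() and longest.isdigit() and int(idle) > int(longest):
        findings.append("idletimeout exceeds maxtimeout")  # assumed check
    return findings


# Constructed sample: the page's listing with its placeholders left in place.
PAGE = dict(domainname="WPS Portal Server", accountingport="44441",
            authport="44442", aznport="44443", maxtimeout="5400",
            idletimeout="3600", ipaddress="<your IP>", scheme="Basic",
            agentname="agent", agentsecret="<Your secret/password>",
            admin="siteminder", password="<Your password>",
            userdir="<Your LDAP server>")
SAMPLE = "\n".join(f"accesscontrol.{k}={v}" for k, v in PAGE.items())

if __name__ == "__main__":
    print("\n".join(lint_accesscontrol(SAMPLE)))
```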




Summary
Setting up a portal is not a trivial thing, but creating a good portal experience
is even harder. In this chapter we introduced you to identity management
tools and SSO architectures. We explained when you would choose to use
these products and how these tools help you in complex portal
environments. We then walked you through a brief overview of how to integrate
TAM and SiteMinder with WP; a full account of such integration cannot
be given in such a short space, and you should refer to the
documentation of these respective products. Most importantly, we hope you
understand the importance of SSO and the importance of creating a good
user experience. The main reason for failed portal projects is low user
adoption, and the main reason for low user adoption is annoying requests to
log in again every time a new application is accessed.
While integrating WP within an SSO environment is crucial for large
portal projects that serve a large population of users, setting up scalable
and fault-tolerant portal environments is just as important. In fact, you
should view this as a prerequisite; after all, if the server is down it really
doesn't matter how good a user experience it could have provided if it
were up. In the next chapter we will show you what it takes to build a WP
environment with high-availability attributes and will cover topics such as
high-availability strategies, portal clusters, horizontal vs. vertical scaling,
and how to deploy portlets into a clustered environment.
P1: FCH/SPH P2: FCH/SPH QC: FCH/SPH T1: FCH
WY009-21 WY009-BenNatan-v1.cls May 13, 2004 22:25




CHAPTER 21
Designing High Availability into Your Portal Server

In today's large corporations, one of the most common requirements is that
the portal should be available 24 hours a day, 7 days a week. When users want
24 by 7, they are not referring to uptime alone but to a lot more. The requirement
is that the system should be perceived to be working 100 percent of the
time, with response times consistently meeting expectations (usually under
3 seconds), and all transactions executing accurately, completely, in a timely
manner, and reliably. While much of the IT industry considers this the definition
of a highly available system, most users consider it a basic requirement of a
system design.
In this chapter we will discuss the issues in creating a highly available
WebSphere Portal and show you how to manage and configure WebSphere
Portal within a cluster.



The Challenges of High Availability
At first glance, most people do not understand the complexity of high
availability. To understand it, examine a simple WebSphere Portal
configuration such as the one shown in Figure 21-1. Typical users would feel happy
if you told them that each component would have an uptime of 99 percent.
This seems pretty good, but it translates to a downtime
of 3.65 days a year for one component. The problem is that a WebSphere
Portal system is made up of many components. In Figure 21-1, at a high level,
33 possible points of failure are identified. If each point had a 99 percent
uptime, then the cumulative uptime would be .99**33, or 71.77 percent.
This means that for approximately 103 days of a year, WebSphere Portal
would be down. It goes without saying that your users would not be
happy.

Figure 21-1 Possible WebSphere Portal points of failure.

Availability is a metric defined by a user's perception of a system's
performance and reliability. It can be calculated as a percentage by the following
equation:

MTBF/(MTBF+MTTR)

where MTBF is the mean time between failures and MTTR is the maximum
time to repair or resolve the failure. A WebSphere Portal failure is not just
a hardware or software failure but rather anything that prevents the user
from performing his or her required function using WebSphere Portal. This
includes slow performance, process, and environmental factors. One
interesting thing about the equation, which relates to user perception, is that the
faster you correct or are perceived to have corrected the problem, the higher
the availability. So if a problem is handled by shifting users to a different
system without any interruption in their session, no failure is perceived.
Most IT people believe that high availability can be obtained through
hardware redundancy. However, as seen in Figure 21-2, 30 percent of
downtime is planned, 10 percent is unplanned hardware downtime, and
40 percent is related to software. This was in 1995. Today, with more reliable
hardware that is designed to be hot pluggable, software failures
increasingly dominate downtime.

Figure 21-2 Causes of downtime.
Source: IEEE Computer April 1995.


Determining a High-Availability Strategy for WebSphere Portal
The most critical decision for you to make is how highly available you
want your WebSphere Portal system to be. The decision should be based
on a cost-benefit analysis.
The first step is to determine the impact on your business in dollars and
minutes if the system is down. Focus on lost revenue, both in the immediate
and distant future. Revenue may be lost in the future due to the impact on
customer loyalty and your company's reputation. Also, quantify the impact
on employee productivity due to downtime. Look at lost hours, increase in
cost due to overtime, and reduced employee efficiency due to poor system
performance.
Next calculate the cost of availability. Table 21-1 lists the different
levels of cumulative availability. For the first level, 98 percent, determine the
cost of implementing availability and multiply it by 10 for each level to
get a rough estimate. In other words, level 7 is 60 times more expensive
than level 1.
Table 21-1 Availability Levels

LEVEL  PERCENTAGE UPTIME  DOWNTIME/YEAR
1      98%                7.3 days
2      99%                3.65 days
3      99.8%              17 hours, 30 minutes
4      99.9%              8 hours, 45 minutes
5      99.99%             52.5 minutes
6      99.999%            5.25 minutes
7      99.9999%           31.5 seconds
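
The calculations in this chapter carried through in code, as an added example that is not from the book: MTBF/(MTBF+MTTR), the cumulative uptime of components in series, the downtime per year behind Table 21-1, and (going beyond the text) the availability each of 33 equal points of failure would need for the whole system to reach a given level. Function names and the MTBF/MTTR figures are constructed for illustration.

```python
import math

HOURS_PER_YEAR = 365 * 24


def availability(mtbf, mttr):
    """MTBF / (MTBF + MTTR); both arguments in the same time unit."""
    return mtbf / (mtbf + mttr)


def serial_availability(parts):
    """All parts must be up at once, so their availabilities multiply."""
    return math.prod(parts)


def downtime_hours_per_year(avail):
    return (1.0 - avail) * HOURS_PER_YEAR


def required_per_part(target, count):
    """Availability each of `count` equal serial parts needs to reach `target`."""
    return target ** (1.0 / count)


# Uptime levels 1-7 from Table 21-1.
LEVELS = (0.98, 0.99, 0.998, 0.999, 0.9999, 0.99999, 0.999999)


def level_report(count=33):
    """(level, downtime hours/year, per-part availability) for `count` parts."""
    return [(n, downtime_hours_per_year(a), required_per_part(a, count))
            for n, a in enumerate(LEVELS, 1)]


if __name__ == "__main__":
    chain = serial_availability([0.99] * 33)
    print(f"33 parts at 99%: {chain:.2%} up, "
          f"{downtime_hours_per_year(chain) / 24:.0f} days down per year")
    # Constructed figures: one failure per 1000 h, repaired in 10 h or in 36 s.
    print(f"slow repair:   {availability(1000, 10):.4%}")
    print(f"fast failover: {availability(1000, 0.01):.4%}")
    for n, hours, per_part in level_report():
        print(f"level {n}: {hours:9.3f} h/year down, each part {per_part:.6%}")
```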


To identify the components that impact availability, you need to look at
your process, organization, and technology. Given how little impact
hardware has on availability, the largest focus is on the implementation of a
well-defined process and the integration of an organization designed to
support high availability.
High availability cannot be provided to your WebSphere Portal systems
