11. Can a WebSphere Application Server cell span multiple DNS domains?
A) Prior to WebSphere Application Server V6, the answer was no. This is because when you configured WebSphere Application Server security, one of the items you needed to specify was the LTPA token SSO domain. If you left it blank, the LTPA token/cookie domain was set to blank, which meant that the cookie went back to the same host only. If you provided a value, the cookie domain was set to that and then the cookie would go back to hosts within the same DNS domain. This is the behavior required by the HTTP specification. The problem was that if your cell (or really the Web servers) served requests for multiple DNS domains, there was no way to specify more than one domain. As of WebSphere Application Server V6, the SSO domain value specified to WebSphere Application Server can contain multiple DNS domains. Now, you specify all of the domains you need. When WebSphere Application Server creates the cookie, it will set the domain value for the cookie (the HTTP spec allows for only one value) to the value from the inbound request that matches one of the configured domains.
Examples of valid domain names are ibm.com and tx.gov.
Examples of invalid domain names are ibmus and state_tx.gov. Some users have experienced a problem with Internet Explorer (IE), in that IE 5 and IE 6 do not seem to accept the LTPA token when the domain defined in the SSO domain field is fewer than five characters, excluding the period, such as "cn.ca".
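The following added example (not WebSphere code) models the multi-domain behaviour described above: it validates a configured SSO domain list, picks the single cookie Domain value for an inbound request, and shows which hosts a browser would send the LTPA cookie back to. The `;` separator, the first-match rule, the validation rules and all function names are assumptions made for illustration.

```python
import re

# Assumption: a label is letters, digits and hyphens, and a valid SSO domain has
# at least two labels. This rejects "ibmus" (no dot) and "state_tx.gov" (underscore).
_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")

def is_valid_sso_domain(domain):
    labels = domain.lower().lstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.fullmatch(label) for label in labels)

def parse_sso_domains(setting):
    """Split the configured value (assumed ';'-separated) and validate each entry."""
    domains = [d.strip().lower().lstrip(".") for d in setting.split(";") if d.strip()]
    bad = [d for d in domains if not is_valid_sso_domain(d)]
    if bad:
        raise ValueError("invalid SSO domain(s): " + ", ".join(bad))
    return domains

def cookie_domain_for(request_host, domains):
    """Return the one Domain value for the LTPA cookie, or None for a host-only cookie."""
    host = request_host.lower().split(":")[0].rstrip(".")  # drop port and trailing dot
    for d in domains:  # assumption: the first configured match wins
        # Match on a label boundary so "notibm.com" does not match "ibm.com".
        if host == d or host.endswith("." + d):
            return d
    return None

def receives_cookie(target_host, issuing_host, cookie_domain):
    """Browser-side view: would target_host be sent the cookie issued by issuing_host?"""
    target = target_host.lower()
    if cookie_domain is None:  # blank SSO domain: cookie returns to the same host only
        return target == issuing_host.lower()
    return target == cookie_domain or target.endswith("." + cookie_domain)

if __name__ == "__main__":
    configured = parse_sso_domains("ibm.com;tx.gov")  # constructed sample setting
    for host in ("was1.ibm.com", "portal.tx.gov:9443", "app.example.org"):
        print(host, "->", cookie_domain_for(host, configured))
```

A wider cookie domain means every host in that DNS domain receives the LTPA token, so list only the domains the cell actually serves.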
A) The Simple WebSphere Authentication Mechanism (SWAM) is intended for simple, non-distributed, single application server run time environments. The single application server restriction is due to the fact that SWAM does not support forwardable credentials. What this means is that if a servlet or enterprise bean in one application server process invokes a remote method on an enterprise bean living in another application server process, the caller identity is not transmitted to the second server process. What is transmitted is an unauthenticated credential, which, depending on the security permissions configured on the EJB methods, might cause authorization failures.
SWAM can be used as an authentication mechanism in the base edition of WebSphere Application Server. SWAM is not a supported option for WebSphere Application Server Network Deployment V5.0. Using it in the base edition is even discouraged because it relies on the HTTP Session object for maintaining the user state, which is problematic since the HTTP Session layer is not part of the security infrastructure.
A) If a user has already been authenticated by some authentication system other than WebSphere Application Server, it is possible to inform WebSphere Application Server of the user's identity information rather than requiring that the user re-authenticate. This is known as identity assertion.
Table 1. Login module vs. TAI
| Feature | Login module | TAI |
|---|---|---|
| IBM proprietary | No, but requires WebSphere Application Server specific code anyway | Yes |
| Ease of use | Harder | Easier |
| Multi-phase authentication | No | Yes |
| Suppress Web login challenge | No | Yes |
| Can be used for Web calls | Yes | Yes |
| Can be used for RMI calls | Yes | No |
| (Re)called for propagation logins | Yes | No |
14) In which log file is garbage collector information recorded? How do you enable garbage collector logging?
A) native_stdout.log and native_stderr.log are the GC logs.
To enable it, go to the admin console -> application server -> select JVM -> Java & Process Management -> Process Definition -> Java Virtual Machine.
There you will have an option to enable GC logging.
15) How can we check the performance of the application server without external monitoring tools?
A) Through WebSphere's built-in monitoring tool, called Tivoli Performance Monitoring, under Monitoring and Tuning in the admin console.
(or)
Tivoli Performance Viewer (TPV): It enables administrators and programmers to monitor the overall health of the WebSphere Application Server without leaving the admin console.
From TPV, you can view current activity or log Performance Monitoring Infrastructure (PMI) data for the following:
- System resources such as CPU utilization.
- WebSphere pools and queues such as DB connection pool.
- Customer Application data such as servlet response time.