IBM PureApplication Systems provide an IaaS private cloud solution in a box, with the hardware, storage, and pattern-based deployment all rolled into one high-scale package. You might have seen that IBM has also announced plans (and a beta) for a PureApplication Service on SoftLayer, giving a really compelling hybrid cloud story.

So in this post, I wanted to share how easy it is to extend the Hypervisor edition of IBM Integration Bus V9 available for PureApplication Systems.

I show how you can build a customized Virtual System pattern that exploits some of the benefits of the PureApplication System environment, specifically:

  • Automatic generation of self-signed TLS (SSL) certificates during pattern deployment
  • Enablement of the Web User Interface, with security
  • Configuring a DB2 database for ODBC connectivity, and as a DataCaptureStore for Record & Replay – e.g. an audit database

Because the scripting I’ve used in PureApplication Systems is simply OS scripting, you might find these examples useful for other environments.
The examples are based on the POWER platform (AIX) and would need a few minor tweaks for the x86 platform.

Overview of the Virtual System Pattern

The following screenshot shows the Virtual System Pattern I created. It simply contains an IIB V9 part (virtual machine), and a DB2 part.
There are three script packages that perform additional configuration of the parts, which I describe in detail below.

The script packages themselves are just zip files containing the configuration and script files. Once installed into the catalog, you simply drag them into the parts from the palette on the left.

Script package to install the DB2 10.5 Data Server Client package

DB2 provides a package called the Data Server Client package, which is very compact (<40MB).
So to install ODBC connectivity into the IIB part, I simply packaged this archive (v10.5fp3_aix64_odbc_cli.tar.gz) together with the following text files into a script package zip.

Remember to ensure you use UNIX line breaks in all your scripts.

cbscript.json – describes the script package to the PureApplication System

[
 {
    "name": "Install the DB2 V10.5 DSClient package",
    "version": "1.0.0",
    "description": "Install the DB2 V10.5 DSClient package",
    "command": "/bin/sh /etc/install_db2_dsclient.sh",
    "log": "/etc",
    "location": "/etc",
    "timeout": "0",
    "commandargs": "",
    "keys":
    []
 }
]

install_db2_dsclient.sh – the shell script run as root by the script package

#!/bin/sh
# The "v10.5fp3_aix64_odbc_cli.tar.gz" filename should match the DS-Client version
# that is zipped into the script package
mkdir /home/virtuser/db2cli_odbc_driver
cd /home/virtuser/db2cli_odbc_driver
mv /etc/v10.5fp3_aix64_odbc_cli.tar.gz .
gunzip v10.5fp3_aix64_odbc_cli.tar.gz
tar xvf v10.5fp3_aix64_odbc_cli.tar
rm v10.5fp3_aix64_odbc_cli.tar
chown -R virtuser:staff /home/virtuser/db2cli_odbc_driver

Script package to configure IBM Integration Bus for TLS (SSL), Web Admin and Record&Replay

The bulk of the work is performed by this script package, which contains all the artifacts required to perform the following steps:

  1. Open ports in the ipsec4 AIX security module for outbound connectivity to the database (50000) and Web Admin (4414) – only step run as root
  2. Generate self-signed SSL certificates for IIB and MQ
  3. Configure Web administration, with security enabled using the above certificates
  4. Configure ODBC using a set of odbc.ini files contained in the script package
  5. Configure Record & Replay using the ODBC connection

The parts that make up the script package are as follows:

cbscript.json – describes the script package to the PureApplication System


[
 {
    "name": "IIB Script Package",
    "version": "1.0.0",
    "description": "Configuration scripts for IIB",
    "command": "/bin/sh /etc/configure_iib_root.sh",
    "log": "/etc",
    "location": "/etc",
    "timeout": "0",
    "commandargs": "",
    "keys":
    [
       {
        "scriptkey": "DB2_HOSTNAME",
        "scriptvalue": "",
        "scriptdefaultvalue": "${DB2_ESE.hostname}"
       },
       {
        "scriptkey": "DB2_PORT",
        "scriptvalue": "",
        "scriptdefaultvalue": "50000"
       },
       {
        "scriptkey": "DB2_USERNAME",
        "scriptvalue": "",
        "scriptdefaultvalue": "virtuser"
       },
       {
        "scriptkey": "DB2_PASSWORD",
        "scriptvalue": "",
        "scriptdefaultvalue": "passw0rd",
        "type": "password"
       }
    ]
 }
]

configure_iib_root.sh – shell script run as root to open the required ports, and kick off the script as ‘virtuser’ to configure IIB

#!/bin/sh
. /etc/virtualimage.properties

# Configure the firewall as root
# ipsec4 is disabled at the point our scripts run, and enabled afterwards by the built-in scripts.
# So we actually have to enable it, create the filters, then disable it again.
/usr/sbin/mkdev -c ipsec -t 4
/usr/sbin/mkdev -c ipsec -t 6 > /dev/null 2>&1
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0  -g Y -c tcp -o any -p 0 -O any -P $DB2_PORT -r B -w B -l Y -f Y -i all
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0  -g Y -c all -o any -p 0 -O any -P 4414 -r B -w B -l Y -f Y -i all
/usr/sbin/rmdev -l ipsec_v4

# Call the IIB configuration script as virtuser
su - virtuser -C /etc/configure_iib.sh

configure_iib.sh – the main script run as ‘virtuser’ to configure IIB

#!/bin/sh
. /etc/virtualimage.properties

# Ensure the MQSI profile is configured
. /opt/IBM/mqsi/9.0.0.0/bin/mqsiprofile
export LANG=en_GB.UTF-8
export LC_ALL=en_GB

# Use GSKit to generate self-signed certificates for the QMGR and Integration Node
mkdir ~/iib_certs
chmod -R 700 ~/iib_certs
runmqckm -keydb -create -db ~/iib_certs/iib.jks -pw passw0rd -type jks
runmqckm -cert -create -db ~/iib_certs/iib.jks -pw passw0rd -dn CN=$MQSI_BROKER_NAME,OU=PureApp,O=IBM -size 2048 -sig_alg SHA512WithRSA -label iib_cert -type jks
runmqckm -keydb -create -db ~/iib_certs/mq.kdb -pw passw0rd -type cms -stash
runmqckm -cert -create -db ~/iib_certs/mq.kdb -pw passw0rd -dn CN=$MQSI_BROKER_NAME,OU=PureApp,O=IBM -size 2048 -sig_alg SHA512WithRSA -label iib_cert -type cms

# Note this script assumes HTTP security in IIB is already configured via default PureApp pattern config.
# The values for keystore location should be locked in the pattern to /home/virtuser/iib_certs/iib.jks

# Configure the SSL certificate on the QMGR.
# Note no further security configuration of MQ is performed by this script
echo "ALTER QMGR SSLKEYR('$HOME/iib_certs/mq')" | runmqsc $MQ_QMGR_NAME

# Configure the web admin console, in secure mode (default password)
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o server -n enabled -v true
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o server -n enableSSL -v true
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n address -v '*'
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n port -v 4414
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n keystoreType -v "$MQSI_HTTPS_CONNECTOR_KEYSTORE_TYPE"
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n keystorePass -v "$MQSI_HTTPS_CONNECTOR_KEYSTORE_PASS"
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n keystoreFile -v "$MQSI_HTTPS_CONNECTOR_KEYSTORE_FILE"
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n truststoreType -v "$MQSI_HTTPS_CONNECTOR_KEYSTORE_TYPE"
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n truststorePass -v "$MQSI_HTTPS_CONNECTOR_KEYSTORE_PASS"
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n truststoreFile -v "$MQSI_HTTPS_CONNECTOR_KEYSTORE_FILE"
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n sslProtocol -v "$MQSI_HTTPS_CONNECTOR_SSL_PROTOCOL"
mqsiwebuseradmin $MQSI_BROKER_NAME -c -u admin -a passw0rd -r virtuser

# Configure ODBC connectivity
export IE02_PATH=/opt/ibm/IE02/2.0.1
echo "\nexport IE02_PATH=/opt/ibm/IE02/2.0.1\n" >> ~/.profile
cp /etc/iib_odbc.ini $HOME/odbc.ini
export ODBCINI=$HOME/odbc.ini
echo "\nexport ODBCINI=$HOME/odbc.ini\n" >> ~/.profile
cp /etc/iib_odbcinst.ini $HOME/odbcinst.ini
export ODBCSYSINI=$HOME
echo "\nexport ODBCSYSINI=$HOME\n" >> ~/.profile
export LIBPATH=$HOME/db2cli_odbc_driver/odbc_cli/clidriver/lib:$LIBPATH
echo "\nexport LIBPATH=$HOME/db2cli_odbc_driver/odbc_cli/clidriver/lib:\$LIBPATH\n" >> ~/.profile
sed -e "s/REPLACE_WITH_HOSTNAME/$DB2_HOSTNAME/g" /etc/iib_db2dsdriver.cfg | sed -e "s/REPLACE_WITH_PORT/$DB2_PORT/g" > "$HOME/db2cli_odbc_driver/odbc_cli/clidriver/cfg/db2dsdriver.cfg"

# Configure record & replay
mqsisetdbparms $MQSI_BROKER_NAME -n MBRECORD -u "$DB2_USERNAME" -p "$DB2_PASSWORD"
mqsicreateconfigurableservice $MQSI_BROKER_NAME -c DataCaptureStore -o MBRECORD -n dataSourceName,egForRecord,egForView,schema -v MBRECORD,default,default,WMB
mqsicreateconfigurableservice $MQSI_BROKER_NAME -c DataCaptureSource -o ${MQSI_BROKER_NAME}_Source -n dataCaptureStore,topic -v MBRECORD,"\$SYS/Broker/$MQSI_BROKER_NAME/Monitoring/#"

# Restart IIB to pick up the new values
mqsistop -q -i $MQSI_BROKER_NAME
mqsichangebroker $MQSI_BROKER_NAME -s active
mqsistart $MQSI_BROKER_NAME
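
configure_iib.sh creates both key stores with the literal password passw0rd, so every instance deployed from the pattern shares it. The following is an added example, not part of the original post: it takes the JKS password from MQSI_HTTPS_CONNECTOR_KEYSTORE_PASS (the value the web admin connector is given above) and gives the MQ key database a random one, which -stash stores for the queue manager. The function names and the 12-character floor are assumptions made for this example; the runmqckm options are the ones used in the script above.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# 32 bytes from /dev/urandom, hex-encoded: 64 characters, no shell metacharacters.
random_pw() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Refuse an empty password, the sample default used in this post, or
# anything shorter than 12 characters (an arbitrary floor for this example).
usable_pw() {
    case "$1" in
        ''|passw0rd) return 1 ;;
    esac
    [ "${#1}" -ge 12 ]
}

# make_keystores DIR BROKER_NAME JKS_PASSWORD
make_keystores() {
    dir=$1 dn="CN=$2,OU=PureApp,O=IBM" jks_pw=$3
    usable_pw "$jks_pw" || { echo "keystore password is empty, short or default" >&2; return 1; }
    command -v runmqckm >/dev/null 2>&1 || { echo "runmqckm not on PATH" >&2; return 2; }
    # Create the directory private from the start rather than chmod-ing it later.
    ( umask 077 && mkdir -p "$dir" && chmod 700 "$dir" ) || return 1
    # Nobody has to know this one: -stash writes it to the stash file.
    # Like any -pw value it is visible in the process list while runmqckm runs.
    kdb_pw=$(random_pw)
    runmqckm -keydb -create -db "$dir/iib.jks" -pw "$jks_pw" -type jks &&
    runmqckm -cert -create -db "$dir/iib.jks" -pw "$jks_pw" -dn "$dn" \
        -size 2048 -sig_alg SHA512WithRSA -label iib_cert -type jks &&
    runmqckm -keydb -create -db "$dir/mq.kdb" -pw "$kdb_pw" -type cms -stash &&
    runmqckm -cert -create -db "$dir/mq.kdb" -pw "$kdb_pw" -dn "$dn" \
        -size 2048 -sig_alg SHA512WithRSA -label iib_cert -type cms
}

# Runs only where the pattern has set the broker name (i.e. inside the deployed part).
if [ -n "${MQSI_BROKER_NAME:-}" ]; then
    make_keystores "$HOME/iib_certs" "$MQSI_BROKER_NAME" \
        "${MQSI_HTTPS_CONNECTOR_KEYSTORE_PASS:-}"
fi
```

In configure_iib.sh this would stand in for the mkdir, chmod and four runmqckm lines; the web admin and DB2 passwords in the script are separate values and are not changed by it.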

iib_db2dsdriver.cfg – DB2 configuration file modified by the above script and installed into the home directory

<configuration>
   <dsncollection>
      <dsn alias="MBRECORD" name="MBRECORD" host="REPLACE_WITH_HOSTNAME" port="REPLACE_WITH_PORT"/>
   </dsncollection>
   <databases>
      <database name="MBRECORD" host="REPLACE_WITH_HOSTNAME" port="REPLACE_WITH_PORT">
      </database>
   </databases>
</configuration>
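
configure_iib.sh substitutes DB2_HOSTNAME and DB2_PORT, which are deployment parameters, straight into a sed expression and then into XML attributes of this file. The following is an added example, not part of the original post, that checks both values before rendering the template; the function names are hypothetical and the template line and host name in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Host names and IPv4 addresses only: letters, digits, dot, hyphen.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Decimal TCP port 1-65535, no leading zero.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# render_dsdriver TEMPLATE HOST PORT OUTFILE
# Nothing is written to OUTFILE unless both values pass.
render_dsdriver() {
    valid_host "$2" || { echo "rejecting DB2_HOSTNAME: $2" >&2; return 1; }
    valid_port "$3" || { echo "rejecting DB2_PORT: $3" >&2; return 1; }
    # After the checks neither value can contain '/', '&', quotes or '<',
    # so it cannot alter the sed expression or break out of the attribute.
    sed -e "s/REPLACE_WITH_HOSTNAME/$2/g" -e "s/REPLACE_WITH_PORT/$3/g" "$1" > "$4"
}

# Demo on constructed input: a one-line template and made-up values.
demo_dir=$(mktemp -d)
printf '%s\n' '<dsn alias="MBRECORD" host="REPLACE_WITH_HOSTNAME" port="REPLACE_WITH_PORT"/>' \
    > "$demo_dir/tpl.cfg"
render_dsdriver "$demo_dir/tpl.cfg" db2.example.internal 50000 "$demo_dir/out.cfg" &&
    cat "$demo_dir/out.cfg"
render_dsdriver "$demo_dir/tpl.cfg" 'db2"/><dsn host="x' 50000 "$demo_dir/bad.cfg" ||
    echo "second value rejected, no file written"
rm -rf "$demo_dir"
```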

iib_odbcinst.ini – ODBC system configuration file installed and configured via profile environment variables by the script

[ODBC]
;# To turn on ODBC trace set Trace=yes
Trace=no
TraceFile=/home/virtuser/odbctrace.out
Threading=2

iib_odbc.ini – ODBC configuration file installed and configured via profile environment variables by the script

[ODBC Data Sources]
MBRECORD=IBM DB2 ODBC Driver

[MBRECORD]
DRIVER=/opt/IBM/mqsi/9.0.0.0/lib/libdb2Wrapper64.so
Description=IBM DB2 ODBC Database
Database=MBRECORD

Script package to configure the MBRECORD database on DB2

The final step is to ensure that DB2 is configured with the correct MBRECORD database IIB will use as its DataCaptureStore.

cbscript.json – describes the script package to the PureApplication System

[
 {
    "name": "DB2 for IIB Record and Replay Script Package",
    "version": "1.0.0",
    "description": "Configuration scripts to configure the MBRECORD database for IIB",
    "command": "su - db2inst1 -C /etc/configure_db2.sh",
    "log": "/etc",
    "location": "/etc",
    "timeout": "0",
    "commandargs": "",
    "keys":
    [
    ]
 }
]

configure_db2.sh – the script, run as db2inst1, to create the database and grant authority to ‘virtuser’

#!/bin/sh
. /etc/virtualimage.properties

# Run the IIB DDL
db2 -tvf /etc/DataCaptureSchema.sql

# Grant authority to virtuser, which we will configure IIB to connect using
db2 CONNECT TO MBRECORD
db2 SET SCHEMA WMB
db2 GRANT CONNECT ON DATABASE TO USER VIRTUSER
db2 GRANT ALL ON TABLE WMB_MSGS TO USER VIRTUSER
db2 GRANT ALL ON TABLE WMB_EVENT_TYPES TO USER VIRTUSER
db2 GRANT ALL ON TABLE WMB_EVENT_FIELDS TO USER VIRTUSER
db2 GRANT ALL ON TABLE WMB_BINARY_DATA TO USER VIRTUSER
db2 TERMINATE

DataCaptureSchema.sql – the DDL for the MBRECORD database

This file was taken directly from the IIB install, with the CREATE/SET SCHEMA WMB commands uncommented.

Summary

I hope this gives you a flavor of how to create a Virtual System pattern for IBM Integration Bus in IBM PureApplication System.

You can see the script packages are simple to create, and don’t require special skills beyond OS scripting.
You might even find these scripts helpful to automate IIB node creation in other environments.
