SIEMENS. Teamcenter Web Application Deployment PLM

Transcription

1 SIEMENS Teamcenter 11.2 Web Application Deployment PLM

2

3 Contents Getting started deploying web applications Deployment considerations Before you begin Teamcenter web application deployment interface Determining your requirements Basic concepts of Teamcenter web application deployment Teamcenter web application deployment Introduction to Teamcenter Web application deployment Basic deployment Introduction to basic deployment Deploy on a JBoss application server (HS) Deploy on a Tomcat application server Deploy on a WebLogic server (HS) Deployment on a WebSphere application server Basic deployment with front-end HTTP (Web) server About application servers and HTTP (Web) servers Deployment on a JBoss application server with IIS front end (H-S) Deployment on JBoss application server with Apache front end (H-S) Deployment on a WebSphere application server (H-S) Deployment on a WebLogic application server with front-end HTTP (Web) server Clustered deployment with front-end HTTP server Overview of clustered deployment Override TreeCache settings Deploy on a WebLogic application server/weblogic Express web server (H-S*) Deploy on a WebLogic server/apache web server (H-S*) Deploy WebSphere application server cluster with HTTP (Web) server Deploying clustered with front-end load-balanced HTTP servers Overview of clustered deployment with front-end load-balanced HTTP servers Configure Microsoft IIS load balancing Global Services web application deployment Introduction to Global Services web application deployment Creating the Global Services tables Configuring application servers for Global Services Overview of application server configuration for Global Services Deploy the Global Services application Deploy Global Services on Websphere Deploy Global Services on WebLogic Deploy Global Services on JBoss Configuring Data Exchange orchestration Introduction to Data Exchange orchestration PLM Web Application Deployment 3

4 Contents Configure the application server for ODE Configure ODE to use an Oracle database Configuring Global Services for HTTPS Overview of Global Services configuration for HTTPS Configure the application server for SSL File Management System certificate and configuration variables Configure Global Services application as a trusted client Install the Global Services signer certificate to Teamcenter rich client Install the Global Services signer certificate to Teamcenter thin client Configure the Teamcenter Enterprise Global Services end point variable Modify Teamcenter preferences for SSL Teamcenter client communication system and proxy server configuration A-1 Overview of TCCS and proxy server configuration A-1 About reverse proxy servers A-3 Enabling File Management System (FMS) URL path extensions A-4 FMS server cache (FSC) SSL client credentials (two-way SSL) A-4 File Management System (FMS), reverse proxy, and two-way SSL configuration details A-5 Overview of FMS, reverse proxy, and two-way SSL configuration A-5 Basic File Management System (FMS) configuration A-5 One-way SSL configuration A-8 Configuring two-way SSL between FMS server caches (FSCs) A-12 Configuring Kerberos authentication on the web tier A-16 Configure IIS reverse proxy for Security Services login service A-16 Configure JBoss ISAPI with IIS for Security Services login service A-18 Troubleshooting four-tier architecture deployment B-1 Tuning WebSphere JVM memory consumption C-1 Glossary D-1 Figures Tables HS deployment configuration H-S deployment configuration H-S* deployment configuration H*-S* deployment configuration Teamcenter client communication system architecture A-2 JVM options for tuning the WebSphere Application Server memory usage C-1 4 Web Application Deployment PLM

5 Chapter 1: Getting started deploying web applications Deployment considerations Before you begin Teamcenter web application deployment interface Determining your requirements Basic concepts of Teamcenter web application deployment PLM Web Application Deployment

6

7 Chapter 1: Getting started deploying web applications Deployment considerations Deployment of your Teamcenter web applications is an important step in setting up your Teamcenter environment. How you deploy the web application is determined by how you intend to use Teamcenter and can affect the application's performance. 1. Consider the high-level requirements of your deployment. 2. Review the different supported deployment configurations to determine which is best for your enterprise. 3. Determine your application server. The application server you use may impact your deployment configuration. Not all configurations are supported for all application servers. Global Services web applications are supported for basic deployments only. For the information about the versions of application servers certified for your platform, see the hardware and software certifications page on GTAC. Siemens PLM Software certifies third-party software applications with the latest patches available when the certification testing is performed. If you encounter problems deploying a Teamcenter web application, ensure that you have installed the latest patches for your application server. Teamcenter and Global Services web applications support IPv6 for web tier communications for the following application servers: JBoss 7.1 Tomcat WebLogic 12c WebSphere 8.5 For versions of web applications supported by Teamcenter, see the hardware and software certifications page on GTAC. Support for IPv6 requires a dual stack application server host and a dual stack Teamcenter server host. Information about supporting IPv6 and dual stack networks on your application server host can be found in your Windows, UNIX, or Linux server documentation. PLM Web Application Deployment 1-1

8 Chapter 1: 1: Getting Getting started started deploying deploying web applications web applications Before you begin Prerequisites Enable a web application Configure a web application Start a Teamcenter web application You must have administrator privileges to use the application servers administration tools. You must have performed web application installation as described in the appropriate Teamcenter server installation guides (for Windows or UNIX/Linux). The web tier application is enabled by deploying it in the application server and, depending on your configuration, its associated proxy component in the web server. Teamcenter web applications are configured during installation and in the application server after deployment. Once your Teamcenter web Application is deployed, it is running. If you need to stop, start, or restart the application at a later time, you must use the application server administration tools to perform these actions. Teamcenter web application deployment interface The application server administration tools provide the interface for deploying your web application. Determining your requirements How you configure your servers that run your Teamcenter web tier application depends on your enterprise requirements for scalability (concurrent users and processes) and data availability (server fail over). An HTTP front-end cluster provides better performance for static web content. Clustering application servers provides better performance for dynamic content and ensures availability because the Teamcenter application has multiple instances that allow a particular application server to fail without causing the Teamcenter data to be inaccessible. To determine the best configuration for your installation you must be familiar with the installation, use, and performance tuning of the servers you choose for deploying the web tier application. For information about server performance, see the documentation provided with your server. Does your environment require IPv6 support? This requirement determines the application servers that you can choose for your deployment. Basic concepts of Teamcenter web application deployment You should understand the following terms. 1-2 Web Application Deployment PLM

9 Getting started deploying web applications Term Basic deployment (HS) Basic deployment with front-end HTTP web server (H-S) Clustered deployment with front-end HTTP web server (H-S*) Clustered deployment with front-end, load-balanced HTTP web servers (H*-S*) Network load balancing (NLB) Web archive (WAR) Web server farm Definition Basic deployment on an enterprise (Java EE) application server. The HTTP web server (H) and servlet container (S) are provided on the same platform as part of the same process. The Teamcenter web tier application (WAR file) is deployed on a Java EE application server that has a built-in HTTP listener, such as JBoss Application Server, Oracle WebLogic Server, and IBM WebSphere Application Server. Deploying a separate HTTP web server to listen to the incoming request is not required. A stand-alone HTTP web server is configured as the front-end to a Java EE application server. A stand-alone HTTP web server is configured with a cluster of web application server instances. The HTTP web server routes requests to a cluster of Java EE application servers. The Teamcenter web tier application (WAR file) is deployed in each application server instance in the cluster. Multiple HTTP web server instances are configured with a load balancer and a cluster of Java EE application server instances. A load balancer in front of the HTTP web servers balances the load for incoming requests and HTTP web servers route that request to the cluster of application servers. In this configuration, the Teamcenter web tier application (WAR file) is deployed in each application server instance in the cluster. Typically, HTTP web servers must be configured for this type of distributed environment. HTTP web servers are configured to allow each HTTP web server in the load balanced cluster (see web server farm) to respond to a virtual IP address. Requests to this virtual IP are intercepted and routed to a machine running one of the web servers in the cluster. A web application that requires an HTTP web server and servlet engine. Multiple HTTP web servers are configured as self contained (redundant) servers in a cluster. The web servers serve a single IP address that allows any of the servers that are available to handle a request to the address. This provides improved performance and reliability. The following figures show each of the deployment configurations for Teamcenter web tier applications. PLM Web Application Deployment 1-3

10 Chapter 1: 1: Getting Getting started started deploying deploying web applications web applications HS deployment configuration H-S deployment configuration 1-4 Web Application Deployment PLM

11 Getting started deploying web applications H-S* deployment configuration H*-S* deployment configuration PLM Web Application Deployment 1-5

12

13 Chapter 2: Teamcenter web application deployment Introduction to Teamcenter Web application deployment Basic deployment Introduction to basic deployment Deploy on a JBoss application server (HS) Deploy on a Tomcat application server Deploy on a WebLogic server (HS) Deployment on a WebSphere application server Deploy on a WebSphere application server (HS) Provide isolation for multiple HTTP sessions Basic deployment with front-end HTTP (Web) server About application servers and HTTP (Web) servers Deployment on a JBoss application server with IIS front end (H-S) Deploying on JBoss application server with IIS front end (H-S) Deploy on a JBoss application server (H-S) Install and configure the Tomcat ISAPI Redirector Install and configure the Tomcat ISAPI Redirector on Windows Server Configure Microsoft Internet Information Services Configure Microsoft Internet Information Services on Windows Server Deployment on JBoss application server with Apache front end (H-S) Deploying on JBoss application server with Apache front end (H-S) Deploy the Teamcenter web application on JBoss (H-S) Install and configure the Tomcat connector Deployment on a WebSphere application server (H-S) Deploy on a WebSphere application server (H-S) Configure the HTTP web server Deployment on a WebLogic application server with front-end HTTP (Web) server Deploy on a WebLogic application server/apache HTTP server (H-S) Deploy on a WebLogic application server/weblogic Express server (H-S) Deploy on a WebLogic server/internet Information Server (IIS) Clustered deployment with front-end HTTP server Overview of clustered deployment Override TreeCache settings Deploy on a WebLogic application server/weblogic Express web server (H-S*) Deploy on a WebLogic server/apache web server (H-S*) Deploy WebSphere application server cluster with HTTP (Web) server Deploying clustered with front-end load-balanced HTTP servers Overview of clustered deployment with front-end load-balanced HTTP servers Configure Microsoft IIS load balancing PLM Web Application Deployment

14

15 Chapter 2: Teamcenter web application deployment Introduction to Teamcenter Web application deployment All of the deployment procedures assume that you have installed your application server per the instructions provided with the application server and that you have created the required Teamcenter Web applications (WAR files) as described in the appropriate Teamcenter server installation guide (for Windows or UNIX/Linux). Teamcenter Web tier applications require a four-tier Teamcenter environment. After you deploy your Web tier application, you must start the Teamcenter server manager before you can use the thin client. Caution You may get an error message, similar to the following, that appears in the Java output and is identified in the hs_err_* file as an error in a compiler thread. # # An unexpected error has been detected by HotSpot Virtual Machine: # # EXCEPTION_ACCESS_VIOLATION (0xc ) at pc=0x6da225d6, pid=6472, tid=4916 # # Java VM: Java HotSpot(TM) Server VM (1.5.0_05-b05 mixed mode) # Problematic frame: # V [jvm.dll+0x1e25d6] # # An error report file with more information is saved as hs_err_pid6472.log # # If you would like to submit a bug report, please visit: # # This is a known issue with certain versions of JVM. These procedures use a slash character (/) as the directory path delimiter except in procedures that are specific to Windows systems. Basic deployment Introduction to basic deployment These basic deployments procedures provide instructions for deploying the Teamcenter web tier application (WAR file) in selected configurations on selected Java EE application servers. For information about versions of operating systems, third-party software, Teamcenter software, and system hardware certified for your platform, see the hardware and software certifications page on GTAC. PLM Web Application Deployment 2-1

16 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment Instructions for enabling secure socket layer (SSL) on an application server are provided in the application server documentation. See the vendor documentation for the following application servers: JBoss Tomcat WebLogic WebSphere If you use SSL with your Teamcenter web tier application, you must set the WEB_protocol thin client preference in Teamcenter to Deploy on a JBoss application server (HS) Caution Recent versions of JBoss configure the Java virtual machine (JVM) to prefer the IPv4 stack. This can cause socket errors when the server manager starts due to a mismatch in protocols between the web tier and server manager hosts. This procedure assumes that you downloaded and installed the JBoss final version and you are using the stand-alone server location for deploying your Teamcenter web application. 1. Copy the Teamcenter WAR (by default, tc.war) file to the following directory: jboss-as final\standalone\deployments 2. Define JMX as a global module. a. Expand the configuration directory: jboss-as final\standalone\configuration b. Open the standalone.xml file. c. Change the HTTPS protocol to TLSv3. (The default protocol is TLSv1.) Locate the subsystem element for the urn:jboss:domain subsystem, and add the following connector element content: <subsystem xmlns="urn:jboss:domain:ee:1.0"> <connector name="https" scheme="https" protocol="http/1.1" socket -binding="https" enable-lookups="false" secure="true"> <ssl name="jbossssl-ssl" password="private" protocol="tlsv3" keyalias="jbossssl" certificate-key-file="d:\ssl\jbossssl.keystore" /> </connector></subsystem> d. Locate the subsystem element for the urn:jboss:domain subsystem, and add the following global-modules element content: <subsystem xmlns="urn:jboss:domain:ee:1.0"> <global-modules> <module name="org.jboss.as.jmx" slot="main"/> </global-modules> 2-2 Web Application Deployment PLM

17 Teamcenter web application deployment </subsystem> Locate the deployment-scanner element and add the deployment-timeout attribute with a value of 600 as follows: <subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1"> <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" deployment-timeout="600"/> </subsystem> e. If you require IPv6 support, locate the interface element for the public interface and modify its contents as follows: <interface name="public"> <any-address/> </interface> 3. Define a dependency to allow the JBoss connector module to use JMX MBeans. a. Expand the main directory: jboss-as final\modules\org\jboss\as\connector\main b. Open the module.xml file. c. Locate the dependencies element, and add the following module element: <module name="org.jboss.as.jmx"/> 4. To allow the Teamcenter web application to listen to nonloopback addresses, configure JBoss using the information in the JBoss documentation: Tip Check Command line parameters and Interfaces and ports in the JBoss documentation. 5. If you require IPv6 support, open the standalone_conf script file in your JBoss installation bin directory and add the following settings: -Djava.net.preferIPv4Stack=false -Djava.net.preferIPv6Addresses=false 6. Open a command shell and ensure you have defined the JAVA_HOME environment variable, and set it to the location of your Java installation. The Teamcenter web application requires Java Start the server by typing standalone (standalone.sh on UNIX) -b host-name in the command shell. PLM Web Application Deployment 2-3

18 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment You must start the application server instance with the bind option to enable connections from clients running on a host different from the application server host. The simplest way to do this is to start the server with the -b host-name option. Substitute the host name or IP address of the local host for host-name. However, this has some security implications. For information about JBoss security, see the JBoss documentation at: If the web tier encounters errors obtaining JCA connections under peak activity, increase the Max_Capacity context parameter value for your Teamcenter web application. Deploy on a Tomcat application server Deploy Tomcat using one of the following methods: Autodeploy 1. Copy the Teamcenter WAR (by default, tc.war) file to the following directory: apache-tomcat-version\webapps 2. Start Tomcat by running the following command: installed-locationapache-tomcat-version\bin\startup.bat When you start Tomcat, Teamcenter is loaded at the default Tomcat port (8080). 3. To verify that the WAR file is loaded, run the Teamcenter thin client from the following URL: Deploy from the application manager page 1. Start Tomcat by running the following command: installed-location\apache-tomcat-version\bin\startup.bat 2. Click the Manager App button and log on to the Tomcat Web Application Manager page. Tip To set the manager user name and password, add the manager-gui role to the following fie: installed-location\apache-tomcat-version\conf\tomcat-users.xml For example, to make the manager user name TomcatMgr and the manager password T0mc4tM4n4g3r, add the following to the file: <role rolename="manager-gui"/> <user username="tomcatmgr" password="t0mc4tm4n4g3r" roles="manager-gui"/> 2-4 Web Application Deployment PLM

19 Teamcenter web application deployment 3. Click the Browse button in the Select WAR file to upload box and select the Teamcenter WAR file (by default, tc.war). 4. Click the Deploy button. The Teamcenter application (for example, tc) is deployed and is displayed in the list of deployed applications. 5. To verify that the WAR file is loaded, run the Teamcenter thin client from the following URL: Deploy on a WebLogic server (HS) This procedure deploys one instance of an Oracle WebLogic Server hosting the Teamcenter web tier application (WAR file). Caution If you do not deploy your Teamcenter web application in a domain by itself, the client-side session cookie can be overwritten by the other applications in the domain. 1. Start the WebLogic server administration console. For information about the console, see the WebLogic server documentation: 2. In the left pane, click Deployments. 3. In the right pane, click Install. 4. In the Install Application Assistant, click Browse next to the Deployment Archive box and navigate to the location of the Teamcenter web tier application (tc.war by default) and click Next. 5. Accept the default Install this deployment as an application option and click Next. 6. Click Finish to accept all the default settings and then click Save. 7. Click Deployments and select the Teamcenter web tier application check box. 8. Ensure the application State indicates Active and the Health indicates OK. If not, click Start, select Servicing all requests, and click Yes in the Start Deployments dialog box. If the web tier encounters errors obtaining JCA connections during peak activity, increase the Max-Pool-Size context parameter value for your Teamcenter web application. If WebLogic reports an error (BEA ) due to more active sockets than socket readers, add the -Dweblogic.ThreadPoolSize=100 parameter when starting the application server. PLM Web Application Deployment 2-5

20 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment Deployment on a WebSphere application server Deploy on a WebSphere application server (HS) This procedure deploys one instance of WebSphere Application Server hosting the Teamcenter web tier application (WAR file): If you deploy a web application that contains the Teamcenter - Online Help solution, set the context root for the web application in WebSphere to the enterprise tier ID for the web application. This is the value of the Deployable File Name context parameter or the Enterprise Application Lookup ID context parameter. Make sure you include the file name (file-name.war) when specifying the context root. See the complete WebSphere documentation: PAG=C11&SSN=12HFE &TRL=TXT&WRD=WebSphere+ Application+Server+v8&PBL=&LST=ALL&RPP=10&submit=Go 1. Install the WebSphere application server by itself on a single machine. This enables the internal HTTP transport train suitable for handling a low level of web requests. For information, see the WebSphere application server documentation: wwhelp.htm 2. Start the WebSphere integrated solutions console. See the WebSphere documentation. 3. In the navigation tree, expand Applications and click Install New Application. 4. In the Preparing for the application installation pane, type the path to, or browse to, the location of the Teamcenter web tier WAR file in the Full path box. Select Prompt me only when additional information is required and click Next. 5. Accept the default Select installed options for enterprise applications and modules and click Next. 6. In the Map modules to servers pane, if you have multiple server instances, select the check boxes for all modules and map them to the same server instance. Click Next again. 7. In the summary pane, click Finish. Wait for WebSphere to complete the application deployment. 8. Click Apply, scroll to the top of the page, and click Save. Your application is now deployed and can be started. 9. In the Enterprise Applications pane, select the Teamcenter web application check box and click Start. 2-6 Web Application Deployment PLM

21 Teamcenter web application deployment Provide isolation for multiple HTTP sessions If you deploy multiple applications in the same application server instance, HTTP session cookies may be overwritten by browsers connecting to different applications. To avoid this, configure the application server to provide separate cookie paths: 1. Log on to the Integrated Solution Console, expand Applications in the navigation tree, and click Enterprise Applications. 2. In the Enterprise Applications pane, click the Teamcenter application link. 3. Click Session Management under Web Modules Properties. 4. Click Override session Management under General Properties. 5. Click the Enable cookies link and type a slash (/) followed by the Teamcenter web application name. For example, if you use the default web application name, type /tc. Basic deployment with front-end HTTP (Web) server About application servers and HTTP (Web) servers Each of the supported applications servers can be configured to use a front-end HTTP server. The HTTP servers that you can use vary according to the application server you are using. Deployment on a JBoss application server with IIS front end (H-S) Deploying on JBoss application server with IIS front end (H-S) This procedure: Deploys the Teamcenter web tier application (WAR file) on the JBoss Application Server. Installs and configures the Tomcat ISAPI Redirector on a Windows Server or Windows Server Configures the Microsoft Internet Information Services (IIS) as the front-end listener (web server) on a Microsoft Windows Server host or a Windows Server 2008 host. As a precondition, the ISAPI Extensions feature of the IIS Application must be activated to allow integration with the Tomcat ISAPI redirector. Deploy on a JBoss application server (H-S) Caution Recent versions of JBoss configure the Java virtual machine (JVM) to prefer the IPv4 stack. This can cause socket errors when the server manager starts due to a mismatch in protocols between the web tier and server manager hosts. PLM Web Application Deployment 2-7

22 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment This procedure assumes that you downloaded and installed the JBoss final version and you are using the stand-alone server location for deploying your Teamcenter web application. 1. Copy the Teamcenter WAR (by default, tc.war) file to the following directory: jboss-as final\standalone\deployments 2. Define JMX as a global module. a. Expand the configuration directory: jboss-as final\standalone\configuration b. Open the standalone.xml file. c. Change the HTTPS protocol to TLSv3. (The default protocol is TLSv1.) Locate the subsystem element for the urn:jboss:domain subsystem, and add the following connector element content: <subsystem xmlns="urn:jboss:domain:ee:1.0"> <connector name="https" scheme="https" protocol="http/1.1" socket -binding="https" enable-lookups="false" secure="true"> <ssl name="jbossssl-ssl" password="private" protocol="tlsv3" keyalias="jbossssl" certificate-key-file="d:\ssl\jbossssl.keystore" /> </connector></subsystem> d. Locate the subsystem element for the urn:jboss:domain subsystem, and add the following global-modules element content: <subsystem xmlns="urn:jboss:domain:ee:1.0"> <global-modules> <module name="org.jboss.as.jmx" slot="main"/> </global-modules> </subsystem> Locate the deployment-scanner element and add the deployment-timeout attribute with a value of 600 as follows: <subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1"> <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" deployment-timeout="600"/> </subsystem> e. If you require IPv6 support, locate the interface element for the public interface and modify its contents as follows: <interface name="public"> <any-address/> </interface> 3. Microsoft IIS uses the AJP 1.3 protocol to forward requests to JBoss. Perform the following steps to enable the AJP 1.3 protocol: a. Open the JBoss-installation/server/default /deploy/jbossweb.sar/server.xml file. Add or modify the following Connector element: 2-8 Web Application Deployment PLM

23 Teamcenter web application deployment <!-- A AJP 1.3 Connector on port > <Connector protocol="ajp/1.3" port="8009" address="${jboss.bind.address}" tomcatauthentication="false" emptysessionpath="true" enablelookups="false" redirectport="8443" /> IIS forwards requests to JBoss using the AJP 1.3 protocol on the specified port. This must be set to allow access to the remote user name (getremoteuser) method. b. Open the JBoss-installation/standalone/ /configuration/standalone.xml file and add the AJP connector as the child resource of the jboss:domain:web subsystem: <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false"> <connector name="http" protocol="http/1.1" scheme="http" socket-binding="http"/> <connector name="ajp13" protocol="ajp/1.3" scheme="http" socket-binding="ajp"/> <virtual-server name="default-host" enable-welcome-root="true"> <alias name="localhost"/> <alias name="example.com"/> </virtual-server> </subsystem> c. Set or verify the port for the AJP protocol: <socket-binding name="ajp" port="8009" /> If the default port for the AJP 1.3 protocol (8009) is not available on your host running JBoss, set this value to an available port. Record the port value for use when you configure the redirector. If Windows Authentication is enabled in IIS 7 (which is a supported use case for Security Services), you cannot use JBoss 7.1 for the Security Services login service. 4. Define a dependency to allow the JBoss connector module to use JMX MBeans. a. Expand the main directory: jboss-as final\modules\org\jboss\as\connector\main b. Open the module.xml file. c. Locate the dependencies element, and add the following module element: <module name="org.jboss.as.jmx"/> 5. To allow the Teamcenter web application to listen to nonloopback addresses, configure JBoss using the information in the JBoss documentation: Tip Check Command line parameters and Interfaces and ports in the JBoss documentation. 6. If you require IPv6 support, open the standalone_conf script file in your JBoss installation bin directory and add the following settings: -Djava.net.preferIPv4Stack=false -Djava.net.preferIPv6Addresses=false 7. Open a command shell and ensure you have defined the JAVA_HOME environment variable, and set it to the location of your Java installation. The Teamcenter web application requires Java 1.7. PLM Web Application Deployment 2-9

24 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment 8. Start the server by typing standalone (standalone.sh on UNIX) -b host-name in the command shell. You must start the application server instance with the bind option to enable connections from clients running on a host different from the application server host. The simplest way to do this is to start the server with the -b host-name option. Substitute the host name or IP address of the local host for host-name. However, this has some security implications. For information about JBoss security, see the JBoss documentation at: If the web tier encounters errors obtaining JCA connections under peak activity, increase the Max_Capacity context parameter value for your Teamcenter web application. Install and configure the Tomcat ISAPI Redirector You must install the Tomcat ISAPI Redirector and configure the Windows registry for the redirector. If you are installing on a Windows Server 2008 host, you must install the redirector. You must also create the workers.properties and uriworkermap.properties files for the redirector. For additional information about the settings in these files, see the Tomcat documentation: 1. Create a directory (for example, iis75-jboss7) for the redirector in a location accessible to Microsoft IIS that contains the following directories: bin conf log wwwroot 2. Download the ISAPI Redirector from a mirror site for the Apache Tomcat web site: Only the DLL file (isapi_redirector dll or later version) is required. Record the name and location of the Tomcat ISAPI Redirector installation directory for later use. Download the 32-bit or 64-bit redirector as appropriate for your host. 3. Configure Windows registry settings on the host where IIS and ISAPI Redirector are installed. a. In the ISAPI Redirector installation directory, create a file with a.reg extension. The name of this file is discretionary (isapi_redirector.reg is recommended). b. Add the following contents to the.reg file: 2-10 Web Application Deployment PLM

25 Teamcenter web application deployment Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\ Jakarta Isapi Redirector\1.0] "extension_uri"="/jakarta/isapi_redirect.dll" "log_file"="d:\\iis75 jboss7\\logs\\jk_iis.log" "log_level"="debug" "worker_file"="d:\\iis75 jboss7\\workers.properties" "worker_mount_file"="d:\\iis75 jboss7\\uriworkermap.properties" "uri_select"="unparsed" Siemens PLM Software recommends that you use debug for the log_level entry when you initially configure the redirector to get all messages. You can change this after you have tested your installation and determined that it is working properly. The following table provides a brief description of these entries: Name extension_uri log_file log_level worker_file worker_mount_file Description Represents the IIS virtual directory including the ISAPI Redirector file. Defines the name and location of the ISAPI Redirector log file. Defines the level of debug messages written to the ISAPI Redirector log file. Valid values are debug, info, error, and emerg. Defines the location of the ISAPI redirector worker.properties file. Defines the location of the ISAPI redirector uriworkermap.properties file. See these registry settings in the Apache Tomcat Connector Reference Guide: c. Change the following lines in the.reg file to reflect your directory settings: A. For log_file, enter the location of the logs directory you created and the name of the log file. The log file itself is created later by the ISAPI Redirector. B. For worker_file, enter a location for the worker definition file. It is recommended that you create this file in the directory where you installed the Tomcat ISAPI Redirector. You create this file later. C. For the worker_mount_file, enter a location for the worker-uri map file. You create this file later. D. For the extension_uri, enter tomcat. d. In the ISAPI Redirector installation directory, right-click the isapi_redirector.reg file and choose Merge. PLM Web Application Deployment 2-11

26 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment e. After receiving a confirmation message from Windows, check the ISAPI Redirector settings using the Microsoft Registry Editor program (regedit.exe) to ensure the registry settings are correct. For information about using the Microsoft Registry Editor, see the Microsoft Windows online help. 4. Create a text file with contents similar to the following: # Define node1 (one node required for H_SE) worker.list=node1 worker.node1.port=8009 worker.node1.host=host-name1 worker.node1.type=ajp13 The default port is If you changed this AJP port number in JBoss configuration when you configured the Tomcat ISAPI Redirector, use that value. The host-name value is the host where you run JBoss. 5. Save the file as workers.properties in the directory you defined for it in the registry file. 6. Create a text file with contents similar to the following: # Send all /tc requests to node1 /tc/*=node1 Replace tc with the name of your Teamcenter web application (tc by default). This configures the redirector to forward all requests with the /tc/* signature to node1. 7. Save the file as uriworkermap.properties. Save this file in the same directory as the workers.properties file. Install and configure the Tomcat ISAPI Redirector on Windows Server 2008 You must install the Tomcat ISAPI Redirector and configure the Windows registry for the redirector. You must also create the workers.properties and uriworkermap.properties files for the redirector. For additional information about the settings in these files, see the Tomcat documentation: 1. Create a directory (for example, iis75-jboss7) for the redirector in a location accessible to Microsoft IIS that contains the following directories: bin conf log wwwroot 2. Download the ISAPI Redirector from a mirror site for the Apache Tomcat web site: Web Application Deployment PLM

27 Teamcenter web application deployment For 64-bit operating systems, download the AMD 64-bit redirector. Only the DLL (isapi_redirector dll or later version) file is required. Record the name and location of the Tomcat ISAPI Redirector installation directory for later use. Rename the downloaded file to isapi_redirect.dll. 3. Configure Windows registry settings on the Windows Server 2008 host. a. In the ISAPI Redirector installation directory, create a file with a.reg extension. The name of this file is discretionary (isapi_redirector.reg is recommended). b. Add the following contents to the.reg file: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\ Jakarta Isapi Redirector\1.0] "extension_uri"="/jakarta/isapi_redirect.dll" "log_file"="d:\\iis75 jboss7\\logs\\jk_iis.log" "log_level"="debug" "worker_file"="d:\\iis75 jboss7\\workers.properties" "worker_mount_file"="d:\\iis75 jboss7\\uriworkermap.properties" "uri_select"="unparsed" Siemens PLM Software recommends that you use debug for the log_level entry when you initially configure the redirector to get all messages. You can change this after you have tested your installation and determined that it is working properly. The following table provides a brief description of these entries: Name extension_uri log_file log_level worker_file worker_mount_file Description Represents the IIS virtual directory including the ISAPI Redirector file. Defines the name and location of the ISAPI Redirector log file. Defines the level of debug messages written to the ISAPI Redirector log file. Valid values are debug, info, error, and emerg. Defines the location of the ISAPI redirector worker.properties file. Defines the location of the ISAPI redirector uriworkermap.properties file. PLM Web Application Deployment 2-13

28 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment Name uri_select Description Determines how the forwarded URI is handled. Unparsed indicates the original request URI is forwarded. Siemens PLM Software recommends this option. Rewriting the URI and forwarding the rewritten URI does not work correctly. See these registry settings in the Apache Tomcat Connector Reference Guide: c. Change the following lines in the.reg file to reflect your directory settings: A. For log_file, enter the location of the logs directory you created and the name of the log file. The log file itself is created later by the ISAPI Redirector. B. For worker_file, enter a location for the worker definition file. Siemens PLM Software recommends that you create this file in the directory where you installed the Tomcat ISAPI Redirector. You create this file later. C. For the worker_mount_file, enter a location for the worker-uri map file. You create this file later. D. For the extension_uri, enter tomcat. d. In the ISAPI Redirector installation directory, right-click the isapi_redirector.reg file and choose Merge. e. After receiving a confirmation message from Windows, check the ISAPI Redirector settings using the Microsoft Registry Editor program (regedit.exe) to ensure the registry settings are correct. For information about using the Microsoft Registry Editor, see the Microsoft Windows online help. 4. Create a text file with contents similar to the following: # Define node1 (one node required for H_SE) worker.list=node1 worker.node1.port=8009 worker.node1.host=host-name1 worker.node1.type=ajp13 The default port is If you changed this AJP port number in JBoss configuration when you configured the Tomcat ISAPI Redirector, use that value. The host-name value is the host where you run JBoss. 5. Save the file as workers.properties in the directory you defined for it in the registry file. 6. Create a text file with contents similar to the following: # Send all /tc requests to node1 /tc/*=node Web Application Deployment PLM

29 Teamcenter web application deployment Replace tc with the name of your Teamcenter web application (tc by default). This configures the redirector to forward all requests with the /tc/* signature to node1. 7. Save the file as uriworkermap.properties. Save this file in the same directory as the workers.properties file. Configure Microsoft Internet Information Services If you are using a Windows Server 2008 host, configure Microsoft Information Services instead of this procedure. 1. Open the IIS Manager and choose Start Administrative Tools Internet Information Services (IIS) Manager. 2. In the Connections pane, expand your computer name until you see Sites. 3. Add a new web site for your deployment: a. Right-click Sites and choose Add Web Site. b. In the Add Web Site dialog box, type a name for the site in the Site name box, for example, iis75-jboss75. c. In the Physical path box, type or browse to the location of the wwroot directory created when you installed the Tomcat ISAPI Redirector. d. In the Port box, type a value for the binding port, for example, 8028, and click OK. 4. Add a virtual directory: a. In the Connections pane, right-click your new site name and choose Add Virtual Directory. b. In the Alias box, type jakarta. c. In the Physical path box, type the path or browse to the bin directory you created when you installed the Tomcat ISAPI Redirector and click OK. 5. Add an ISAPI filter: a. Right-click Default Web Site and choose Properties. b. Click the ISAPI Filters tab and click Add. c. In the Filter name box, type tomcat. d. In the Executable box, type isapi_redirector.dll or click Browse to navigate to it, and click OK. 6. Add a web service extension: a. Click Web Service Extensions. b. In the details pane, click Add a new Web service extension. PLM Web Application Deployment 2-15

30 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment c. In the Extension name box, type tomcat. d. Click Add. e. In the Path to file box, type the path or click Browse to navigate to the isapi_redirector.dll file, and click OK. f. Select the Set extension status to Allowed check box and click OK. Configure Microsoft Internet Information Services on Windows Server Open the IIS Manager and choose Start Administrative Tools Internet Information Services (IIS) Manager. 2. In the Connections pane, expand your computer name until you see Sites. 3. Add a new web site for your deployment: a. Right-click Sites and choose Add Web Site. b. In the Add Web Site dialog box type a name for the site in the Site name box, for example, iis75-jboss75. c. In the Physical path box, type or browse to the location of the wwwroot directory you created when you installed the Tomcat ISAPI Redirector. d. In the Port box, type a value for the binding port, for example, e. Clear the Start Web site immediately check box and click OK. 4. Add a virtual directory: a. In the Connections pane, right-click your new site name and choose Add Virtual Directory. b. In the Alias box, type jakarta. c. In the Physical path box, type the path or browse to the bin directory you created when you installed the Tomcat ISAPI Redirector and click OK. 5. Configure a handler mapping: a. In the Connections pane, select you new site name. b. Right-click Handler Mappings and select Open Feature. c. In the Handler Mappings pane, double-click ISAPI-dll. d. In the Edit Module Mapping dialog box, type an asterisk (*) character in the Request path box e. Click the browse button next to the Executable box and browse to the location of the isapi_redirector.dll file Web Application Deployment PLM

31 Teamcenter web application deployment f. Click Request Restrictions and clear the Invoke handler only if request is mapped to check box on the Mapping tab. g. Click the Verbs tab and ensure the All verbs option is selected. h. Click the Access tab, ensure the Execute option is selected, and click OK. i. In the Connections pane, select you new site name and click Start in the Actions pane (on the right side under Manage Web Site). To access the web site, enter a URL in the following format: Deployment on JBoss application server with Apache front end (H-S) Deploying on JBoss application server with Apache front end (H-S) This procedure: Deploys the Teamcenter web tier application (WAR file) on JBoss Application Server. Installs and configures the Tomcat connector. Configures the Apache HTTP front end web server. Deploy the Teamcenter web application on JBoss (H-S) Caution Recent versions of JBoss configure the Java virtual machine (JVM) to prefer the IPv4 stack. This can cause socket errors when the server manager starts due to a mismatch in protocols between the web tier and server manager hosts. This procedure assumes that you downloaded and installed the JBoss final version and you are using the stand-alone server location for deploying your Teamcenter web application. 1. Copy the Teamcenter WAR (by default, tc.war) file to the following directory: jboss-as final\standalone\deployments 2. Define JMX as a global module. a. Expand the configuration directory: jboss-as final\standalone\configuration b. Open the standalone.xml file. c. Change the HTTPS protocol to TLSv3. (The default protocol is TLSv1.) Locate the subsystem element for the urn:jboss:domain subsystem, and add the following connector element content: <subsystem xmlns="urn:jboss:domain:ee:1.0"> PLM Web Application Deployment 2-17

32 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment <connector name="https" scheme="https" protocol="http/1.1" socket -binding="https" enable-lookups="false" secure="true"> <ssl name="jbossssl-ssl" password="private" protocol="tlsv3" keyalias="jbossssl" certificate-key-file="d:\ssl\jbossssl.keystore" /> </connector></subsystem> d. Locate the subsystem element for the urn:jboss:domain subsystem, and add the following global-modules element content: <subsystem xmlns="urn:jboss:domain:ee:1.0"> <global-modules> <module name="org.jboss.as.jmx" slot="main"/> </global-modules> </subsystem> Locate the deployment-scanner element and add the deployment-timeout attribute with a value of 600 as follows: <subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1"> <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" deployment-timeout="600"/> </subsystem> e. If you require IPv6 support, locate the interface element for the public interface and modify its contents as follows: <interface name="public"> <any-address/> </interface> 3. Microsoft IIS uses the AJP 1.3 protocol to forward requests to JBoss. Perform the following steps to enable the AJP 1.3 protocol: a. Open the JBoss-installation/server/default /deploy/jbossweb.sar/server.xml file. Add or modify the following Connector element: <!-- A AJP 1.3 Connector on port > <Connector protocol="ajp/1.3" port="8009" address="${jboss.bind.address}" tomcatauthentication="false" emptysessionpath="true" enablelookups="false" redirectport="8443" /> IIS forwards requests to JBoss using the AJP 1.3 protocol on the specified port. This must be set to allow access to the remote user name (getremoteuser) method. b. Open the JBoss-installation/standalone/ /configuration/standalone.xml file and add the AJP connector as the child resource of the jboss:domain:web subsystem: <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false"> <connector name="http" protocol="http/1.1" scheme="http" socket-binding="http"/> <connector name="ajp13" protocol="ajp/1.3" scheme="http" socket-binding="ajp"/> <virtual-server name="default-host" enable-welcome-root="true"> <alias name="localhost"/> <alias name="example.com"/> </virtual-server> </subsystem> c. Set or verify the port for the AJP protocol: <socket-binding name="ajp" port="8009" /> If the default port for the AJP 1.3 protocol (8009) is not available on your host running JBoss, set this value to an available port Web Application Deployment PLM

33 Teamcenter web application deployment Record the port value for use when you configure the redirector. If Windows Authentication is enabled in IIS (which is a supported use case for Security Services), you cannot use JBoss 7.1 for the Security Services login service. 4. Define a dependency to allow the JBoss connector module to use JMX MBeans. a. Expand the main directory: jboss-as final\modules\org\jboss\as\connector\main b. Open the module.xml file. c. Locate the dependencies element, and add the following module element: <module name="org.jboss.as.jmx"/> 5. To allow the Teamcenter web application to listen to nonloopback addresses, configure JBoss using the information in the JBoss documentation: Tip Check Command line parameters and Interfaces and ports in the JBoss documentation. 6. If you require IPv6 support, open the standalone_conf script file in your JBoss installation bin directory and add the following settings: -Djava.net.preferIPv4Stack=false -Djava.net.preferIPv6Addresses=false 7. Open a command shell and ensure you have defined the JAVA_HOME environment variable, and set it to the location of your Java installation. The Teamcenter web application requires Java Start the server by typing standalone (standalone.sh on UNIX) -b host-name in the command shell. You must start the application server instance with the bind option to enable connections from clients running on a host different from the application server host. The simplest way to do this is to start the server with the -b host-name option. Substitute the host name or IP address of the local host for host-name. However, this has some security implications. For information about JBoss security, see the JBoss documentation at: If the web tier encounters errors obtaining JCA connections under peak activity, increase the Max_Capacity context parameter value for your Teamcenter web application. PLM Web Application Deployment 2-19

34 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment Install and configure the Tomcat connector Setup of the Tomcat connector includes: Obtaining the Tomcat connector and placing it in the proper location. Configuring Apache to load the connector. Configuring the worker nodes for the connector. 1. Download the Tomcat connector. The connector is available from the Tomcat Apache connectors site. 2. Change the connector file name to mod_jk_so and copy it to the modules directory in the APACHE_HOME (installation) directory. 3. Add the following line to the httpd.conf file in the APACHE_HOME/conf directory: #Include mod_jk specific configuration file Include conf/mod_jk.conf 4. Create a mod_jk.conf text file in the APACHE_HOME/conf directory with contents similar to the following: # Load mod_jk module # Specify the filename of the mod_jk lib LoadModule jk_module modules/mod_jk.so # Where to find workers.properties JkWorkersFile conf/workers.properties # Where to put jk logs JkLogFile logs/mod_jk.log # Set the jk log level [debug/error/info] JkLogLevel info # Select the log format JkLogStampFormat "[%a %b %d %H:%M:%S %Y]" # JkOptions indicates to send SSK KEY SIZE JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories # JkRequestLogFormat JkRequestLogFormat "%w %V %T" # Mount your applications JkMount /tc/* node1 # You can use external file for mount points. # It will be checked for updates each 60 seconds. # The format of the file is: /url=worker # /examples/*=loadbalancer JkMountFile conf/uriworkermap.properties # Add shared memory. # This directive is present with and # later versions of mod_jk, and is needed for # for load balancing to work properly JkShmFile logs/jk.shm # Add jkstatus for managing runtime data <Location /jkstatus/> JkMount status Order deny,allow Deny from all Allow from </Location> The LoadModules directive must reference the connector library file (mod_jk.so) with the modules directory prefix. The JkMount directive determines which URLs Apache forwards to the 2-20 Web Application Deployment PLM

35 Teamcenter web application deployment connector module. The /tc/* entry indicates that all requests to Teamcenter are sent to node1, assuming that the default application context root (/tc) is used. You can also use the JkMountFile directive to specify a mount points configuration file (uriworkermap.properties). The format for entries in this file is /url=worker-name. For example: # Simple worker configuration file # Mount the Servlet context to the ajp13 worker /jmx-console=node1 /jmx-console/*=node1 /web-console=node1 /web-console/*=node1 5. Create a workers.properties text file in the APACHE_HOME/conf directory that identifies the location of the servlet container. For example, the following is a worker properties file with a single node: # Define list of workers that will be used # for mapping requests worker.list=node1 # Define Node1 # modify the host as your host IP or DNS name. worker.node1.port=8009 worker.node1.host=ahla6002 worker.node1.type=ajp13 worker.node1.cachesize=10 By convention, each node is defined as worker.name.attribute=value. You can use any name value to designate the servlet container with the specified host or IP address and port number of the AJP13 connector running in the servlet container. The cachesize attribute defines the size of the thread pool (number of concurrent requests allowed) for the servlet container. Deployment on a WebSphere application server (H-S) Deploy on a WebSphere application server (H-S) This procedure deploys the Teamcenter web tier application (WAR file) on IBM WebSphere Application Server and configures IBM HTTP server as the front-end web server. If you deploy multiple applications in the same application server instance, HTTP session cookies may be overwritten by browsers connecting to different applications. To avoid this, configure the application server to provide separate cookie paths. You must set up the following WebSphere components for this configuration: This sequence is recommended by the WebSphere Launchpad program. The process assumes that you have separate hosts for the application server (host A) and the web server (host B). WebSphere provides installation wizards to aid you in this process. The wizards are accessed from the launchpad.exe application. PLM Web Application Deployment 2-21

36 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment If you deploy a web application that contains the Teamcenter - Online Help solution, set the context root for the web application in WebSphere to the enterprise tier ID for the web application. This is the value of the Deployable File Name context parameter or the Enterprise Application Lookup ID context parameter. Make sure you include the file name (file-name.war) when specifying the context root. See the complete WebSphere documentation: PAG=C11&SSN=12HFE &TRL=TXT&WRD=WebSphere+ Application+Server+v8&PBL=&LST=ALL&RPP=10&submit=Go 1. Install the WebSphere application server on host A. Use the installation wizard for WebSphere Application Server. 2. Install the IBM HTTP server with the required plug-in on host B. Use the installation wizard for IBM HTTP Server. If using a different web server, skip this wizard and install the web server per the vendors instructions on host B. 3. If using a previously installed IBM HTTP server or a different web server, install the web server plug-in on host B. Use the installation wizard for web server plug-ins. 4. Copy the configureweb-server-name script file from the plugins-install-root/bin directory on host B to the profiles-install-root/profile-name/bin directory on host A. 5. In a command shell, run the configureweb-server-name script. This creates a web server definition file for the integrated solutions console. You can now use the console to manage the web server. 6. Start the WebSphere application server. 7. Start the WebSphere integrated solutions console. See the WebSphere documentation. 8. Propagate the web server plug-in file and configure the web server to accept all content. For an IBM HTTP server: For most other web servers, you must manually apply the web server plug-in file to the web server environment, However, It may be possible to propagate some other web server plug-in files in this manner. In the navigation tree, expand Servers and select Web servers. In the Web servers pane, click Propagate Plug-in. Expand Servers Web Servers Web-server-name Plug-in properties Web Application Deployment PLM

37 Teamcenter web application deployment If you have load-balanced clustered web servers in your configuration, you must update the plug-in configuration on each web server. You can also locate the plugin-cfg.xml file for your web server, manually set the AcceptAllContent value to true, and push the change to the other web servers. For information about the IBM HTTP web server configuration, see the IBM documentation: ftp://ftp.software.ibm.com/software/webserver/appserv /library/v60/ihs_60.pdf Select AcceptAllContent from the Accept content for all requests list and click OK. 9. In the navigation tree, expand Applications and click Install New Application. 10. In the Preparing for the application installation pane, type the path to, or browse to, the location of the Teamcenter web tier WAR file in the Full path box. Select Prompt me only when additional information is required and click Next. 11. Accept the default Select installed options for enterprise applications and modules and click Next. 12. In the Map modules to servers pane, if you have multiple server instances, select the check boxes for all modules and map them to the same server instance. Click Next again. 13. In the summary pane, click Finish. Wait for WebSphere to complete the application deployment. 14. Click Apply, scroll to the top of the page, and click Save. Configure the HTTP web server 1. Open the Teamcenter site_specific.properties file and modify the following properties: portalcommunicationtransport=http HTTP_SERVER_1.URI= Replace host-name and port-number with the WebSphere application server host name and HTTP listening port number. Replace tc-name with your Teamcenter web application name; by default, this value is tc. 2. In the Integrated Solutions Console navigation tree, expand Environment Virtual Host and click default_host. 3. Click Host Aliases under Additional Properties and click New. 4. Type the web server listening port number in the Port box and click OK. 5. In the navigation tree, expand Environment Update global web server plug-in configuration and click OK. 6. Propagate the plug-in configuration file to the web server. The web server plug-in configuration service propagates the plugin-cfg.xml file automatically for IBM HTTP server. For all other web PLM Web Application Deployment 2-23

38 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment servers, propagate the plug-in configuration file manually. For information about propagating the plug-in configuration file, see the WebSphere application server documentation. If the plug-in configuration service does not propagate the configuration file properly for an IBM HTTP server, you must manually copy the file to the web server plug-in directory. a. Copy the plugin-cfg.xml file from the profile-root/config/cells/ cell-name/nodes/web-server-name-node/servers/web-server-name directory on the host where your WebSphere application server is installed. b. Paste the file into the plugins-root/config/web-server-name directory on the host where the web server is installed. c. Restart the web server. Deployment on a WebLogic application server with front-end HTTP (Web) server Deploy on a WebLogic application server/apache HTTP server (H-S) This procedure deploys one instance of the Teamcenter web tier application (WAR file) hosted on Oracle WebLogic (application) Server and configures an Apache HTTP server that is used as the web tier server. 1. Deploy one instance of an Oracle WebLogic Server hosting the Teamcenter web tier application (WAR file). 2. Configure the Apache HTTP server. You must install the Apache HTTP server and configure it so that it can communicate with the your Teamcenter application on the WebLogic application server. a. Install the Apache HTTP server on a separate host from the WebLogic server host. For information for installing Apache HTTP server on a specific type of host, see the Apache web server documentation: b. Install and configure the Apache HTTP server plug-in as described in the Oracle WebLogic documentation: Deploy on a WebLogic application server/weblogic Express server (H-S) This procedure deploys one instance of the Teamcenter web tier application (WAR file) hosted on Oracle WebLogic (application) Server and one instance of the Teamcenter proxy application (WAR file) hosted on a WebLogic Express (WLX) server. In this configuration, WLX is used as the web tier providing a JSP/servlet container in a four-tier architecture supporting the Teamcenter enterprise application Web Application Deployment PLM

39 Teamcenter web application deployment 1. Deploy one instance of an Oracle WebLogic Server hosting the Teamcenter web tier application (WAR file). 2. Deploy the Teamcenter proxy application. a. Generate the Teamcenter WebLogic proxy WAR file. For information, see the Teamcenter server installation manual (for Windows or UNIX/Linux). b. Install WebLogic Express and create a domain for deploying the WebLogic proxy WAR file. c. Deploy the WebLogic proxy WAR file in WebLogic Express. For information, see Deploying New Applications and Modules in the WebLogic Express documentation. Ensure your clients connect to the WebLogic Express host and port, rather than the web application server. Deploy on a WebLogic server/internet Information Server (IIS) You can use IIS as your HTTP server on Windows 2008 servers in an H-S configuration. You must configure the WebLogic server proxy (WLS proxy) DLLs in this configuration. You can choose to use either 32-bit DLLs or 64-bit DLLs. This procedures uses the 32-bit DLLs. For information about installing IIS7 on Windows 2008 servers, see the following URL: 1. Deploy one instance of an Oracle WebLogic Server hosting the Teamcenter web tier application (WAR file). 2. Copy the iisproxy.dll and iisforward.dll files available in the WLSHOME\Server\plugin\win\32 or WLSHOME\Server\plugin\win\x64 directory to the directory that you want as your home folder for your IIS web site. Change the directory security properties to allow execute permission to its contents. Ensure that you copy the DLL file from the 32 directory for 32-bit operating systems or the x64 directory for 64-bit operating systems. These are not interchangeable and cause errors if you copy the wrong DLL file. 3. Open the IIS Manager and choose Start Administrative Tools Internet Information Services (IIS) Manager. 4. In the Connections pane, expand your computer name entry until you see Sites. 5. Create a new web site with the home folder set to the directory that contains the DLLs you copied in step 1: a. Right-click Sites and choose Add a Web Site. PLM Web Application Deployment 2-25

40 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment b. In the Add Web Site dialog box, type a name for your web site in the Site name box, for example, IISWLS, and click the browse button ( ) next to the Physical path box. c. In the Browse for Folder dialog box, browse to the directory that contains the iisproxy.dll and iisforward.dll files and click OK. d. In the Port box, type a unique port number, for example 8088, and click OK. 6. Add ISAPI Filters: a. In the Connections pane, select your new web site and double-click ISAPI Filters in the web site Home pane. You may have to scroll down in the Home pane to access ISAPI Filters. b. Click Add in the Actions pane (on the right). c. In the Add ISAPI Filter dialog box, type a name for the filter in the Filter name box, for example, iisforward, and click the button next to the Executable box. d. In the Open dialog box, browse to the iisforward.dll file location, double-click the file name, and click OK. 7. Configure a handler mapping: a. In the Connections pane, select your new web site and double-click Handler Mappings in the web site Home pane. b. In the right pane, click Add Script Map. c. In the Add a Script Map dialog box, type *.wlforward in the Request path box and click the button next to the Executable box. d. Browse to the web site's home folder and select the iisproxy.dll file. e. Type a name for the script map in the Name box, for example, iisproxy, and click OK. f. Click Yes in the Add a Script Map dialog box to allow the ISAPI extension. 8. Create an iisproxy.ini file in the directory that contains the DLLs. This file must contain the following information: WebLogicHost=dns-name-or-ip-address WebLogicPort=listening-port-for-WLS WlForwardPath=/tc-Web-application name Debug=ALL DebugConfigInfo=ON The WebLogicPort value is 7001 by default. The WlForwardPath value points to the web application that the proxy forwards to (tc is the default for the Teamcenter web application). If you want to forward to all web applications, set this value to /. The debug values are optional and are set for debugging purposes. The default log file for debug messages is C:\TEMP\wlproxy.log Web Application Deployment PLM

41 Teamcenter web application deployment 9. Restart IIS. To access the web site, enter a URL in the following format: Clustered deployment with front-end HTTP server Overview of clustered deployment Setting up an application server cluster can be a very complex process and can vary depending on your particular hardware, performance requirements, or availability requirements. The following instructions provide information specific to the Teamcenter web tier application. The application server documentation available from the vendor provides the best source for the cluster set up process and is referenced at several points in the following procedures. If you intend to run two instances of an applications server on the same host using a single WAR file (not typical), you must override the TreeCacheTCP.xml file (if you are using TCP mode). To do this, change the end_port value to allow bind port rollover. This is not required if you are using multicast mode. Siemens PLM Software does not support clustered deployment of Teamcenter web applications on JBoss. Override TreeCache settings 1. Use the jar command to extract the TreeCacheTCP.xml file from the JETIServerAccessor.jar file within the WAR file. 2. Locate the TCP element in the TreeCacheTCP.xml file and increase the end_port parameter value by the number of application server instances you are running on the host. For example: <TCP start_port="26700" end_port="26701" sock_conn_timeout="2000"/> This change allows the Teamcenter web Application, when running on multiple application server instances on the same host, to initialize the TreeCache by binding to a vacant port within the designated range. 3. Copy the TreeCacheTCP.xml file into the startup class path of your application servers as follows: This is required to override this configuration file in the WAR file. You must restart all servers instances involved after copying this file to the indicated directories. PLM Web Application Deployment 2-27

42 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment For WebLogic, copy the file to the domain root directory. The domain root is the directory where there can be multiple standalone application servers or cluster members. For WebSphere, copy the file to the profile root directory. The profile root is the directory where there can be multiple standalone application servers or cluster members. For JBoss, copy the file to the bin directory of each server instance. For Oracle Application Server, copy the file to the home directory of each application server instance, typically the Java EE home directory. Deploy on a WebLogic application server/weblogic Express web server (H-S*) This procedure: Deploys Teamcenter web tier applications (WAR file) on a Oracle WebLogic Server cluster. Configures WebLogic Express (WLX) server as the front-end web tier server for the cluster. In this configuration, WLX is used as the web tier providing a JSP/servlet container in a four-tier architecture supporting the Teamcenter enterprise application. Deploys one instance of the Teamcenter proxy application (WAR file) hosted on the WebLogic Express (WLX) server. For the list of currently supported web application servers and HTTP web servers for each operating system, see the Siemens PLM Software Global Technical Access Center (GTAC). 1. Deploy one instance of an Oracle WebLogic Server hosting the Teamcenter web tier application (WAR file). 2. Configure WebLogic Express as the front-end web server for a cluster. WebLogic Express Server (WLX) is designed for deploying simple web applications and can be used as a web tier in a four-tier Teamcenter environment. a. Create the Teamcenter Web Tier Proxy solution: A. Launch the Web Application Manager (insweb). B. Click Add to begin creating the web application. C. In the Add Web Application dialog box: i. Type a name for the application in the Name box, for example, WebLogic Cluster Proxy. ii. iii. Accept the default value for Staging Location or enter a different directory. (Optional) Type a description of the application in Description box Web Application Deployment PLM

43 Teamcenter web application deployment iv. Click Advanced Web Application Options. Type a name for the deployable file in the Deployable File Name box (alphanumeric characters only) and clear the Automatically Build Deployable File check box. v. Make sure the Disk Locations for Install Images box includes the path to the Web_tier directory on the Teamcenter software distribution image. vi. Click Solutions. In the Select Solutions dialog box, clear all preselected solutions and select only the Teamcenter Web Tier Proxy solution. Do not change the default solution type (Thin Client) in the Solution Type box. D. Click OK. The default context parameter values are acceptable. E. Click OK to begin building the solution. The Web Application Manager displays the status of the installation in the Progress dialog box. When the installation is complete, click OK to close the Progress dialog box. Do not exit the Web Application Manager. b. Open the web.xml file in the staging-directory/webapp_root/web-inf directory for the solution and comment the following lines: <servlet> <servlet-name>proxyservlet</servlet-name> <servlet-class>weblogic.servlet.proxy.httpproxyservlet</servlet-class> <init-param> <param-name>redirecturl</param-name> <param-value>localhost:7001</param-value> </init-param> <init-param> <param-name>weblogichost</param-name> <param-value>localhost</param-value> </init-param> <init-param> <param-name>weblogicport</param-name> <param-value>7001</param-value> </init-param> </servlet> <servlet-mapping> <servlet-name>proxyservlet</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> c. Modify web.xml to uncomment the following lines: <!-- <servlet> <servlet-name>httpclusterservlet</servlet-name> <servlet-class>weblogic.servlet.proxy.httpclusterservlet </servlet-class> PLM Web Application Deployment 2-29

44 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment <init-param> <param-name>weblogiccluster</param-name> <param-value> <WeblogicClusterHost1>:<port1> <WeblogicClusterHost2>:<port2> </param-value> </init-param> </servlet> <servlet-mapping> <servlet-name>httpclusterservlet</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> --> Replace <WeblogicClusterHost1>:<port1> <WeblogicClusterHost1> :<port2> with the host name and port number for each WebLogic server participating in the cluster. d. If the context root of the proxy WAR file does not match the context root of the Teamcenter web application: A. Open the weblogic.xml file in this same directory. B. Modify the following entry to match the context root Teamcenter web application (WAR file) deployed in the application server where the proxy forwards requests: <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE weblogic-web-app PUBLIC "-//Oracle Systems, Inc.//DTD Web Application 8.1//EN" " <!--============================================================================== Copyright (c) 2004 UGS Unpublished - All rights reserved ================================================================================== Filename: weblogic.xml ================================================================================== Date Name Description of Change 11-Apr-2005 vardhan Proxy weblogic.xml $HISTORY$ ===============================================================================--> <weblogic-web-app> <context-root>/tc</context-root> </weblogic-web-app> e. In the Web Application Manager, select the solution name and click Modify. f. Click Generate Deployable File and click OK. When the Web Application Manager finishes generating the deployable file, you can exit the application. g. Install WebLogic Express and create a domain for deploying the Teamcenter proxy WAR file. For information creating domains and deploying WAR files in WebLogic, see the WebLogic server documentation: documentation/weblogic-server htmll h. Deploy the Teamcenter Web Tier Proxy file in WebLogic Express. Deploy on a WebLogic server/apache web server (H-S*) This procedure: 2-30 Web Application Deployment PLM

45 Teamcenter web application deployment Deploys the Teamcenter web tier application (WAR file) on a Oracle WebLogic Server cluster. Configures Sun Java System web Server running as the front-end HTTP listener for the cluster. 1. Deploy one instance of an Oracle WebLogic Server hosting the Teamcenter web tier application (WAR file). 2. Configure Apache HTTP (Web) server as the listener for a cluster. a. Install the Apache HTTP server on a separate host from the WebLogic server host. For information for installing Apache HTTP server on a specific type of host, see the Apache web server documentation: b. Install and configure the Apache HTTP server plug-in as described in the Oracle WebLogic documentation: c. Configure the WebLogic Server cluster and deploy your Teamcenter web application to the cluster as described in the Using Clusters documentation in the Oracle WebLogic System Administration documentation: Deploy WebSphere application server cluster with HTTP (Web) server This configuration is basically the same as deploying on WebSphere application server (H-S) with the additional requirement that you have the optional WebSphere application server Deployment Manager. 1. Ensure the WebSphere application server, including the optional IBM HTTP server or Sun web server and its corresponding plug-in, and the optional WebSphere application server deployment manager, are installed. See the following topics in the WebSphere Application Server documentation. Installing your application serving environment Balance workloads by clustering application servers Establishing high availability (HA) for failover 2. Deploy on WebSphere application server (H-S). 3. Ensure the Teamcenter WAR file and all its modules are deployed to all cluster instances. 4. Ensure the plug-in configuration file is propagated to all cluster members and the HTTP server side. PLM Web Application Deployment 2-31

46 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment Deploying clustered with front-end load-balanced HTTP servers Overview of clustered deployment with front-end load-balanced HTTP servers This configuration requires that you setup an H-S deployment, and then configure an external load balancer for the HTTP (Web) servers to create a web server farm. There are various external load balancers available and each has to be configure according to the vendors instructions. Therefore, Siemens PLM Software cannot provide instructions for all possible configurations. You can use the Microsoft IIS load balancing instructions as a guide. Configure Microsoft IIS load balancing This procedure provides instructions for configuring the network load balancing mechanism provided with Microsoft IIS 6.0. Ensure that each host is self-sufficient with resources duplicated on each one. The Teamcenter database, whether a single or distributed database, must be on host separate from the web and application servers. Network load balancing (NLB) aids in the process of creating a farm. A farm is a redundant cluster of several web servers serving a single IP address. Each machine can be configured to route the requests to the Java EE application server where your web tier is deployed. Each server in the cluster is fully self-contained, which means it is able to function without requiring any other server in the cluster. If any machine in the cluster is unavailable, NLB rebalances the incoming requests to the running servers in the cluster. The servers in the cluster must be able to communicate with each other to exchange information about their current processor and network load and to determine when a server is unavailable. NLB can provide reasonably close to 1:1 performance improvement for each server added to the cluster. NLB requires a minimum of two servers running Windows Server Each server must have at least one network card (NIC) and a fixed IP address. For best performance, Siemens PLM Software recommends you have two adapters in each server; one mapped to the real IP address (dedicated IP) and one mapped to the virtual IP address (cluster IP). NLB uses advanced networking features of network adapters. Therefore, low end adapters, especially those for nonserver hosts, may not support the required NDIS protocols. 1. Select an available IP address on the same class C network segment as the fixed IP addresses for the virtual IP address. 2. On any server, start the Network Load Balancing Manager in one of these ways: Choose Start Administrative Tools Network Load Balancing Manager. At a command prompt, type NLBmgr. 3. In the Network Load Balancing Manager dialog box, right-click the Network Load Balancing Clusters root node and choose New cluster. 4. Define the cluster parameters: a. Type the virtual IP address you selected for the cluster in the IP address box. b. Type a subnet mask in the Subnet mask box. You must use the same subnet mask for all servers in the cluster Web Application Deployment PLM

47 Teamcenter web application deployment The Full Internet name value is only for reference and is used primarily for displaying the name of the server. However, if you have a domain configured for the server you may use that domain name. c. If your server has more than one network adapter, click Unicast for the Cluster operation mode. If you are using a single adapter, Siemens PLM Software recommends that you select Multicast to allow both the NLB traffic and the native IP traffic to move through the same network adapter. Multicast is slower than Unicast as both kinds of traffic must be handled by the network adapter but it is the only way to remotely configure all machines centrally for servers with one network adapter. d. Clear the Allow Remote Control check box and click Next. If you need this functionality, enable it after you have the cluster running. 5. Click Next in the Cluster IP addresses dialog box. 6. Define the standard port rules: a. Click Add. b. Select the All check box and type 80 in both the From and To boxes. c. Click Both for Protocols. d. Click Multiple hosts for Filtering mode and None for Affinity. e. Click OK. 7. Define the secure port rules: a. Click Add. b. Select the All check box and type 443 in both the From and To boxes. c. Click Both for Protocols. d. Click Multiple hosts for Filtering mode and Single for Affinity. e. Click OK. 8. Connect the master host as a node in the cluster: a. Type the IP address of the host you want as the master in the Host box. PLM Web Application Deployment 2-33

48 Chapter 2: 2: Teamcenter Teamcenter web application web application deployment deployment b. Click Connect. c. Click Next. Node 1 is the master, which means that it receives requests and acts as the routing manager. Although when the load is high on this node, other machines may take over for the master. d. In the Host Parameters dialog box, select 1 from the Priority list. e. Click Finish. Priority sets a unique ID for each node in the cluster. The lower the number the higher the priority. The Network Load Balancing Manager configures your network adapter. The network connection flashes on and off a few times during this configuration process on the sever you are configuring as a host. When the configuration is complete, the Status column displays Converged for the node. 9. In the Network Load Balancing Manager, right-click the cluster domain and choose Connect. 10. Repeat step 8 until all nodes have been added to the cluster Web Application Deployment PLM

49 Chapter 3: Global Services web application deployment Introduction to Global Services web application deployment Creating the Global Services tables Configuring application servers for Global Services Overview of application server configuration for Global Services Deploy the Global Services application Deploy Global Services on Websphere Deploy Global Services on WebLogic Deploy Global Services on JBoss Configuring Data Exchange orchestration Introduction to Data Exchange orchestration Configure the application server for ODE Configure ODE to use an Oracle database Configuring Global Services for HTTPS Overview of Global Services configuration for HTTPS Configure the application server for SSL File Management System certificate and configuration variables Overview of FMS certificate and configuration variables Generate a key store and private key Obtain a signed certificate Update the FSC and FMS configuration Configure Global Services application as a trusted client Install the Global Services signer certificate to Teamcenter rich client Install the Global Services signer certificate to Teamcenter thin client Configure the Teamcenter Enterprise Global Services end point variable Modify Teamcenter preferences for SSL PLM Web Application Deployment

50

51 Chapter 3: Global Services web application deployment Introduction to Global Services web application deployment Deploying Global Services requires that you have available information about the database that Global Services uses as its datastore. If you are using a Teamcenter database as your datastore, you must know the type of database prior to starting the application deployment procedure. This information is determined during the Teamcenter server installation process. If you are not using a Teamcenter database as your datastore, you must create the Global Services required tables manually. Creating the Global Services tables Global Services stores product configuration, connection configuration, SSO security, and business object files in a datastore. This datastore must be accessible to Global Services through a JDBC connection using JNDI. This connection is set up in your application server and the steps required are specific to the application server. In most cases, the setup requires creating a data source and a connection pool. For specific information about creating a connection pool and datastore, see your application server and database documentation. You can use Teamcenter Environment Manager (TEM) to create the Global Services tables in Teamcenter during the server installation process. If you are not using a Teamcenter database as your datastore, you can create or upgrade the Global Services required tables in your database using the scripts supplied in the database specific directory of the Teamcenter 11.2 Global Services Application Directory solution staging location. These directories are located under: webapp_root Caution database The Global Services tables are referenced by third-party software that requires case-insensitive collation types. Therefore, if your database server s default collation is case insensitive, you must alter your Global Services database to case-insensitive (CI) collation after you create it. For information about configuring a database for CI collation, see the comments in the database sql files. Caution A datastore created by a Global Services instance deployed on a given server must not be accessed by Global Services instances deployed on a server that runs a different operating system. This is especially important if there are text files in the datastore containing characters other than US ASCII characters. Record the database name and type; you must have this information during the deployment procedure. PLM Web Application Deployment 3-1

52 Chapter 3: 3: Global Global Services Services web application web application deployment deployment Teamcenter provides the following Global Services database scripts: The script files contain comments that provide additional information about their purpose and use. Create scripts File name oracle_create_tcgs.sql sqlserver_create_tcgs.sql db2_create_tcgs.sql hsqldb_create_tcgs.sql oracle_drop_tcgs.sql sqlserver_drop_tcgs.sql hsqldb_drop_tcgs.sql Purpose Creates the Global Services tables in the indicated database that has not previously contained Global Services table data. Drops the Global Services tables from the indicated database that has previously contained Global Services table data so the create script can be used to create an empty datastore. This allows the Global Services application to install the initial content the next time the application is accessed. Upgrade scripts File name oracle_upgrade_tcgs_v80000.sql sqlserver_upgrade_tcgs_v80000.sql oracle_upgrade_tcgs_v80001.sql sqlserver_upgrade_tcgs_v80001.sql oracle_upgrade_tcgs_v80002.sql sqlserver_upgrade_tcgs_v80002.sql db2_upgrade_tcgs_v80003.sql sqlserver_upgrade_tcgs_v80003.sql oracle_upgrade_tcgs_v80003.sql db2_upgrade_tcgs_v sql sqlserver_upgrade_tcgs_v sql Purpose Upgrade from Teamcenter 8 to the current release Upgrade from Teamcenter 8.1 to the current release Upgrade from Teamcenter 8.2 to the current release Upgrade from Teamcenter 8.3 to the current release Upgrade from Teamcenter to the current release Configuring application servers for Global Services Overview of application server configuration for Global Services Several tasks must be performed to configure the application server for Global Services. Some of these tasks may require using the application server administration tool. See your application server documentation for more specific information about how to perform these tasks. 3-2 Web Application Deployment PLM

53 Global Services web application deployment Global Services supports the IPv6 protocol. However, to install Global Services in an environment that does not support the IPv6 protocol, the application server must be installed on a dual-stack server. For information about supporting IPv6 and dual stack networks on you application server host, see your Windows, UNIX, or Linux server documentation. Perform the setup as described in the following topic for your application server: Deploy Global Services on Websphere 8 Deploy Global Services on WebLogic Deploy Global Services on JBoss After you deploy the web tier application, at a minimum you must perform the initial configuration to enable Global Services. Replace appserver-host and port-number with the host name and port number the application server uses. Replace GS-app-context-root with the context root the application server uses for the Global Services web tier application; this is usually the EAR file name without the extension. The data store is populated with the initial content the first time that you access the Global Services web tier application. Deploy the Global Services application The following provides information for deploying the Global Services EAR file. If you are familiar with deploying applications on your application server, this information may be sufficient to allow you to perform the installation. For more detailed instructions, see the appropriate application server topic. Global Services no longer supplies solutions (Gateway for Oracle Manufacturing and Gateway for SAP) or Oracle Manufacturing or SAP connectors. These are replaced by third-party integration products. These products are available from GTAC in the Integrations section of Full Product Releases file downloads. The documentation for installing, administering, or configuring these integrations is included in the same location. You must have a valid WebKey user name and password to access the integration products. 1. Start the application server administration tool if your application server has one. If you are configuring Oracle application server 10g v10.1.2, type Xmx256 and dedicated connection=true in Java Options in your OC4J instance s Server Properties page. 2. Create a connection pool and a data source that uses it. Choose an appropriate driver for your database. The following table provides suggested driver values. It is recommended that you set the maximum connection pool size to 1000 to ensure enough connections are available for processing. PLM Web Application Deployment 3-3

54 Chapter 3: 3: Global Global Services Services web application web application deployment deployment JDBC database Driver class Driver type Default port DB2 COM.ibm.db2.jdbc.app.DB2Driver IBM Type 2 DB2 Driver 5000 MySQL org.gjt.mm.mysql.driver MySQL Type 4 Driver 3306 Oracle oracle.jdbc.pool.oracledriver Oracle Thin Driver 1521 SQL server com.microsoft.sqlserver.jdbc. SQLServerXADataSource Other 1433 Provide user name and password values to connect to the database for a database user with read and write access. The ApplicationInstance context parameter determines the JNDI name for the data store. This parameter value is defined when you build the Global Services web tier application and is used at the beginning of the JNDI name. The JNDI name is GlobalServicesInstance1/jdbc/GlobalServicesDB if you accept the default value for the context parameter. Provide the URL the JDBC connection uses to connect to the database, for example: Oracle database: jdbc:orcle:thin:@host-name:port-number:oracle-sid 3. Create the following queues if you have included the Teamcenter 11.2 Global Services - JMS Messaging solution in your web application: jms.actiondestination=javax/jms/action jms.responsedestination=javax/jms/response 4. Deploy the enterprise application you generated as described in the documentation for your application server. Caution If you are deploying on a WebSphere application server, do not select the Precompile JSP option. This causes the deployment to fail. Deploy Global Services on Websphere 8 Do not enable application server security on the application server where you deploy the Global Services web application 1. Before you deploy the Global Services application (EAR) file, complete the following: a. Download the binary archive file from the Apache Tomcat site at the following link: Web Application Deployment PLM

55 Global Services web application deployment b. Use an archive management tool, such as 7-Zip file manager, to extract the servlet-api.jar file in the lib directory of the Tomcat archive file into a directory accessible to the application server. the path to the file for later use. c. Open the Global Services web application EAR file in 7-Zip file manager and delete the EAR/lib/asix2-jaxws-1.4.jar file. 2. Start the WebSphere integrated solutions console and expand Servers Server Types in the navigation tree pane and click WebSphere application servers. 3. In the Application servers section, click the server name (server1 by default). 4. In the Application servers pane, expand Java and Process Management under Server Infrastructure and click Process definition. 5. Click Java Virtual Machine under Additional Properties. 6. Type the following parameters in the Generic JVM arguments box: -Dorg.apache.ode.rootDir = full-path-to-ode-working-directory -Dcom.ibm.websphere.webservices.DisableIBMJAXWSEngine=true 7. Type the full path and filename for each of the following files, delimited by semicolons, into the Classpath box. The path to the servlet-api.jar file was noted in a previous step. This must be the last entry in the Classpath property. The other files are located in the WEB_ROOT/staging-directory/earapp_root/lib directory. commons-io-1.4.jar commons-fileupload-1.2.jar woden-api-1.0m8.jar commons-codec-1.3.jar commons-httpclient-3.1.jar commons-logging jar log4j jar servlet-api.jar 8. Click OK, Save, and restart the application server. 9. Deploy the ODE web applications. 10. Configure the deployed ODE web application: a. Click the deployed ODE web application and click Manage Modules under the Modules section in the Enterprise Applications pane. b. Click Apache-Axis2 in the Module column. c. Choose Classes loaded with local class loader first (parent last) from the Class loader order list. PLM Web Application Deployment 3-5

56 Chapter 3: 3: Global Global Services Services web application web application deployment deployment 11. Configure the axis2 properties in Global Services. a. Set the axis2.max.connections property value in the globalservices.properties file to a positive numeric value approximately three times the expected number of concurrent connections to ODE from Global Services. Tip You can start with a low two-digit number if you do not expect a large number of transfer requests. If you experience time-out exceptions, increase the value. You can set properties by manually editing in the globalservices.properties file in the Global Services datastore or using the Global Services Web Manager interface. b. (Optional) Set the ode-axis2.db.pool.max property in the globalservices.properties file. This property is associated with the axis2.max.connections property and is set to 20 by default. If you expect a large number of concurrent connections to ODE or experience time-out exceptions, increase the value. c. Restart the application server. Deploy Global Services on WebLogic Start the WebLogic server administration console. For online help for the WebLogic server administration console, see the WebLogic server documentation. 2. In the left pane of the console, click Deployments. 3. In the right pane, click Install. 4. Navigate to the location of the Global Services EAR and click Next. 5. Continue to click Next until you reach the pane that asks if you want to immediately update the application configuration. 6. Select No and click Finish. In the Deployments page, WebLogic displays the Global Services enterprise application. 7. In the Domain Structure tree, expand Services and Domain, then select Data Sources. 8. In the Summary of Data Sources pane, click New. 9. Enter the following for the data source properties and click Next: Name Type a name that identifies the data source. This name is used in the configuration file (config.xml) to identify this data source in the administration console. 3-6 Web Application Deployment PLM

57 Global Services web application deployment JNDI Name Database Type Database Driver Type the JNDI name defined by the ApplicationInstance context parameter when you built the web tier application. The JNDI name is GlobalServicesInstance1/jdbc/ GlobalServicesDB if you accept the default value for the context parameter. Select the Teamcenter database type if you are using it for your data store. If you created your gs_runtime_resources table manually, select that database type. Select the driver that corresponds to the type of database you are using for your data store. 10. Ensure Supports Global Transactions is selected, select One-Phase Commit, and click Next. 11. Enter the following for the connection pool properties and click Next: Database Name Host Name Port Database User Name Properties Password and Confirm Password Type the SID of the Teamcenter database defined during the Teamcenter server installation process. If you created your gs_runtime_resources table manually, type the name of the database where you created the table. Type the DNS name or IP address of the server that hosts the database. Type the port number on which the database server listens for connection requests. Type the database user account name that you want to use for each connection in the data source. If you are using a MySQL database, type the autoreconnect property with the value set to true, for example: autoreconnect=true Type the password for the database user account. It is recommended that you set the maximum connection pool size to 1000 to ensure enough connections are available for processing. 12. Review the connection parameters and click Test Configuration. If there are any configuration errors, go back and correct them. If the test is successful, click Next. 13. Select the servers or clusters on which you want to deploy the data source and click Finish. 14. If you installed the Teamcenter 11.2 Global Services - JMS Messaging solution, you must create the required queues. PLM Web Application Deployment 3-7

58 Chapter 3: 3: Global Global Services Services web application web application deployment deployment You can use any JMS provider that you desire. You can also create a separate JMS server or JMS module to contain your queues. See the WebLogic Server Administration Console Help. a. In the administration console, expand Services and Messaging and click JMS Modules. b. In the JMS Modules page, click the desired module name and click New in the Summary of Resources table. c. Choose Queue for the type of resource and click Next. d. In the Create a New JMS System Module page, type javax/jms/action in the JNDI Name box and click Finish. You can provide a queue name if you do not want to use the default provided. e. Repeat this process (step 14) using javax/jms/response for the JNDI Name value. Not all changes take effect immediately. For information, see the WebLogic documentation. Deploy Global Services on JBoss 1. Add an administrative user in the management realm: a. Open a command shell and ensure that the JAVA_HOME and JBOSS_HOME environment variables are set. b. Change to the bin directory of JBOSS_HOME and type the following command: add-user The JBoss add-user utility displays prompts for the type of user, realm, user name, and password. The utility displays default values for user type and realm in parentheses. Press Enter to accept the default values for user type and realm (Management User and ManagementRealm). What type of user do you wish to add? a) Management User (mgmt-users.properties) b) Application User (application-users.properties) (a): the user name and password values you enter. 2. Open the standalone.xml file in the following location: JBOSS_HOME standalone configuration 3-8 Web Application Deployment PLM

59 Global Services web application deployment Locate the following entry: <subsystem xmlns="urn:jboss:domain:ee:1.0"/> Replace this entry with: <subsystem xmlns="urn:jboss:domain:ee:1.0"> <global-modules> <module name="org.jboss.as.jmx" slot="main"/> </global-modules> </subsystem> Locate the following entry: <subsystem xmlns="urn:jboss:domain:naming:1.1"/> Replace this entry with: <subsystem xmlns="urn:jboss:domain:naming:1.1"> <bindings> <lookup name="tcgsbosbox" lookup="java:global/tcgs/coreejbs/bosboxbean!com.teamcenter._ globalservices.bos.bosboxhome"/> <lookup name="ejb/jeti/gateway" lookup="java:global/tc/jetigateway-ejb/gateway!com.teamcenter. jeti.ejb.gatewayhome"/> <lookup name="tcgsteamcentersoabox" lookup="java:global/tcgs/teamcentersoaconnectorejbs/ TeamcenterSoaBoxBean!com.teamcenter.globalservices.connection.ConnectionBoxHome"/> <lookup name="tcgsjdbcbox" lookup="java:global/tcgs/coreejbs/jdbcboxbean!com.teamcenter. globalservices.connection.connectionboxhome"/> <lookup name="tcgsdorepositorybox" lookup="java:global/tcgs/coreejbs/dataobjectrepositoryboxbean!com. teamcenter.globalservices.connection.connectionboxhome"/> <lookup name="tcgsnotifierreactor" lookup="java:global/tcgs/coreejbs/notifierreactorbean!com. teamcenter._globalservices.reactor.notifier.notifierreactorhome"/> <lookup name="tcgsentbox" lookup="java:global/tcgs/tcentejbs/tcentboxbean!com.teamcenter. globalservices.connection.connectionboxhome"/> <lookup name="tcgsmessageserver" lookup="java:global/tcgs/coreejbs/ MessageServerBean!com.teamcenter._globalservices.messaging.MessageServerHome"/> </bindings> </subsystem> For development and testing purposes, you can make the JBoss management console accessible to remote hosts by editing the inet-address element: <interface name="management"> <inet-address value="${jboss.bind.address.management: }"/> </interface> Warning Allowing remote access to the JBoss management console is a security risk. Use this configuration only during development and testing. 3. If you are deploying the Teamcenter 11.2 Global Services Framework - Ode BPEL Enterprise Application solution for any reason: a. Using an archive file management tool, such as 7-Zip File Manager, expand the ODE archive (tcgs-ode.ear in the following example) file and remove the Persistence.xml file from the META INF locations: tcgs-ode.ear tcgs-ode.war WEB-INF lib PLM Web Application Deployment 3-9

60 Chapter 3: 3: Global Global Services Services web application web application deployment deployment ode-dao-jpa jar META-INF ode-bpel-store jar META-INF b. Open the standalone startup batch file or shell script in the following location: JBOSS_HOME bin standalone Add the following entry prior to the JBoss bootstrap environment section: set JAVA_OPTS= -Dorg.apache.ode.rootDir=full path to ode-working-dir %JAVA_OPTS% echo ============================================================= echo. echo JBoss Bootstrap Environment 4. Define the JDBC data source: a. Create a directory structure that contains a main directory as its most subordinate child directory under the modules directory of the JBOSS_HOME location, for example: JBOSS_HOME modules foo myjdbcdriver main You can use any valid directory name for the foo and myjdbcdriver directories. b. Copy the database drive file or files to the main directory. c. Create a module.xml file in the main directory that contains the following: <module xmlns="urn:jboss:module:1.0" name="directory-structure"> <resources> <resource-root path="driver-file-name"/> </resources> <dependencies> <module name="javax.api"/> </dependencies> </module> For the name attribute (directory-structure) value, type the directory structure you created without the main directory. Use periods for the path separator, for example: <module xmlns="urn:jboss:module:1.0" name="foo.myjdbcdriver"> For the path attribute (driver-file-name) value, type the database driver file name. For example, for an Oracle database: <resource-root path="ojdbc6.jar"/> 3-10 Web Application Deployment PLM

61 Global Services web application deployment d. Open the standalone.xml file that you edited in step 2, locate the drivers element, and add a driver element as child to the element: <subsystem xmlns="urn:jboss:domain:datasources:1.0"> <datasources> <drivers>. <driver name="driver-name" module="directory-structure"> <datasource-class>driver-class-name</datasource-class> </driver> </drivers> Type any unique value for the name (driver-name) attribute value and for the module (directory-structure) attribute value, type the same value you used for the name attribute in module.xml file. Type the driver class name in the data-source-class element, for example: oracle.jdbc.driver.oracledriver e. Locate the datasource element, and add a datasource element as child to the element: <subsystem xmlns="urn:jboss:domain:datasources:1.0"> <datasources>. <datasource jndi-name="java:/data-source-jndi-name" pool-name="gms_ds" enabled="true" use-java-context="false"> <connection-url>driver-url</connection-url> <driver>driver-name</driver> <security> <user-name>datasource-username</user-name> <password>datasource-password</password> </security> </datasource> </datasources> Type the data source JNDI name for the jndi-name (data-source-jndi-name) attribute value. This value must have a java:/ prefix. Type the URL of the JDBC connection for the database for the connection-url (driver-url) element value. For example, for an Oracle database connection: jdbc:orcle:thin:@host-name:port-number:oracle-sid Type the driver class name in the data-source-class element, for example: oracle.jdbc.driver.oracledriver Type the user name used to connect to the database in the user-name element and the password associated with that user in the password element. 5. Deploy the EAR file: a. Open the JBoss console in a browser on the host where JBoss is running: b. Log on, click Runtime in the top right corner, and click Manage Deployments in the left pane. You may have to click Deployments in the left pane to expose Manage Deployments. PLM Web Application Deployment 3-11

62 Chapter 3: 3: Global Global Services Services web application web application deployment deployment c. Click Add Content in the Deployments pane and click Browse in the Upload dialog box. d. Navigate to the location of the Global Services web application EAR file (tcgs.ear by default) and click Open. e. After JBoss finishes deploying the application, click the application s Enable button in the Deployments pane. You must start the JBoss application server instance with the bind option to enable connections from clients running on a host different from the application server host. The simplest way to do this is to start the server with the -b myhost option. Substitute the host name or IP address of the local host for myhost, for example: standalone -b However, this has some security implications. For information about JBoss security, see the JBoss documentation: Configuring Data Exchange orchestration Introduction to Data Exchange orchestration Global Services uses the standard Apache Orchestration Director Engine (ODE) for business processing execution language (BPEL) functionality. The ODE is set up by default to use the built in Derby database for its event tracking. You must perform the following tasks to set up ODE for Data Exchange and to use the Teamcenter Oracle database for BPEL event tracking. Configure the application server for ODE When the Teamcenter 11.2 Global Services Framework - Ode BPEL enterprise application solution is required, you must perform the following steps: Create the Teamcenter 11.2 Global Services Framework - Ode BPEL enterprise application solution before performing these steps and perform these steps prior to deploying your web application. When you create the web application, you must enter values for the TCGS_WS_URL and TCGS_ODE_URL context parameters. These values must match the values you supply for the globalservices.webservices.url and globalservices.ode.url properties respectively, in the globalservices.properties file. It is recommended that you set the maximum connection pool size to 1000 to ensure enough connections are available for processing. 1. Create an ODE working directory that is accessible to the application server. For example, on a UNIX system, create the /mnt/disk1/ode-working-dir directory. 2. Copy the contents of the ode-working-dir directory located in the WEB_ROOT\staging-directory\earapp_root directory Web Application Deployment PLM

63 Global Services web application deployment 3. Deploy the web application as described in the topic for your application server. 4. Modify the application server Java start options for your application server: For WebSphere application servers: a. Log on to the WebSphere Integrated Solutions Console and expand Servers in the left pane. b. Select Application servers and select the server where you deployed the Global Services web application. c. Click the Configuration tab, and in the Server Infrastructure section, expand Java and Process Management and select Process Definition. d. In the Additional Properties section, select Java Virtual Machine. e. Locate the Generic JVM arguments box and add the following argument at the end of its contents: -Dorg.apache.ode.rootDir=complete-path-to-ode-working-dir -Dcom.ibm.websphere.webservices.DisableIBMJAXWSEngine=true complete-path-to-ode-working-dir represents the path to the directory you created in step 1. You may also define this property in your application server s user-defined properties. f. Download the globalservices.properties file from the Global Services datastore, update the properties as follows, and upload the file to the datastore: The globalservices.context.root property defined in previous releases of Global Services is no longer supported. Property globalservices.webservices.url Value Specifies the URL of the Global Services web services WAR file within the Global Services Ode BPEL enterprise application, for example: globalservices.webservices.url = This is used by services that must send HTTP SOAP requests to other web services. PLM Web Application Deployment 3-13

64 Chapter 3: 3: Global Global Services Services web application web application deployment deployment Property globalservices.ode.url Value Specifies the URL to the Global Services Ode BPEL enterprise application, for example: globalservices.ode.url = This is used by services that must send HTTP SOAP requests to BPEL processes. For weblogic application servers: a. Use an archive management tool, such as 7-Zip File Manager, to copy the xercesimpl jar file from the Global Services web application EAR file (tcgs.ear by default) to the ODE.WAR/WEB-IND/Lib location in the ODE web application EAR file (ode.ear by default). b. Add the following JVM argument to the application server startup command. -Dorg.apache.ode.rootDir=complete-path-to-ode-working-dir complete-path-to-ode-working-dir represents the path to the directory you created in step 1. c. Redeploy the ODE web application. Configure ODE to use an Oracle database The Apache Orchestration Director Engine (ODE) uses the built-in Apache Derby database by default for its event tracking. When you install the Global Services Framework feature on your Teamcenter server, you also get Oracle tables required for ODE event tracking. The following steps are required to change ODE to use the Oracle tables: Caution If you use the Apache Derby database, you may encounter concurrency problems. 1. Check the default settings in the ode-axis2.properties file. For most setups, no changes are required. The comments in the file provide information about the settings. Change settings as required. # # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ## ODE-AXIS2 Configuraiton Properties ## Web Application Deployment PLM

65 Global Services web application deployment ### ode-axis2.db.mode ## Database Mode ("INTERNAL", "EXTERNAL", "EMBEDDED") ## What kind of database should ODE use? ## * "EXTERNAL" - ODE will use an app-server provided database and pool. ## The "ode-axis2.db.ext.datasource" property will need to ## be set. ## Ode also supports: ## * "EMBEDDED" - ODE will create its own embbeded database (Derby) ## and connection pool (Minerva). ## * "INTERNAL" - ODE will create its own connection pool for a user- ## specified JDBC URL and driver. ## ### ode-axis2.db.ext.datasource ## External Database [JNDI Name] ## JNDI Name of the DataSource for the ODE database. This is only ## used if the "ode-axis2.db.mode" property is set to "EXTERNAL" ## ### ode-axis2.dao.factory ## DAO Connection Factory class. ## This property is used to enable Hibernate as the JPA implementation. ## Hibernate Configuraiton Properties ## See ###hibernate.dialect ## The classname of a Hibernate org.hibernate.dialect.dialect ## which allows Hibernate to generate SQL optimized for a particular ## relational database. If you leave this setting blank, Hibernate ## will actually attempt to choose the correct org.hibernate.dialect.dialect ## implementation based on the JDBC metadata returned by the JDBC driver. ## Example settings: ## RDBMS Dialect ## DB2 org.hibernate.dialect.db2dialect ## Oracle (any version) org.hibernate.dialect.oracledialect ## Oracle 9i org.hibernate.dialect.oracle9idialect ## Oracle 10g org.hibernate.dialect.oracle10gdialect ## Microsoft SQL Server org.hibernate.dialect.sqlserverdialect ## ###hibernate.hbm2ddl.auto ## Automatically validates or exports schema DDL to the database when the ## SessionFactory is created. With create-drop, the database schema will ## be dropped when the SessionFactory is closed explicitly. ## ###hibernate.current_session_context_class ## Supply a custom strategy for the scoping of the "current" Session. ## See Section 2.5 of Hibernate manual, Contextual sessions for more ## information about the built-in strategies. ## e.g. jta thread managed custom.class ## ###hibernate.transaction.manager_lookup_class ## e.g. classname.of.transactionmanagerlookup ## The classname of a TransactionManagerLookup. Examples: ## org.hibernate.transaction.jbosstransactionmanagerlookup JBoss ## org.hibernate.transaction.weblogictransactionmanagerlookup Weblogic ## org.hibernate.transaction.webspheretransactionmanagerlookup WebSphere ## org.hibernate.transaction.websphereextendedjtatransactionlookup WebSphere 6 ## Default settings ode-axis2.db.mode=external ode-axis2.db.ext.datasource=globalservicesinstance1/jdbc/globalservicesdb ode-axis2.dao.factory=org.apache.ode.daohib.bpel.bpeldaoconnectionfactoryimpl #hibernate.hbm2ddl.auto=update hibernate.current_session_context_class=jta #hibernate.transaction.manager_lookup_class= #hibernate.dialect= 2. For WebSphere application servers, copy the wsdl4j jar file from the WEB_ROOT/staging-directory/earapp_root/lib directory to the WAS_HOME/AppServer/java/jre/lib/ext directory WAS_HOME is the WebSphere installation directory. Configuring Global Services for HTTPS Overview of Global Services configuration for HTTPS You can configure one-way secure socket layer (SSL) communication for your Teamcenter Global Services transfers. The configuration required includes: PLM Web Application Deployment 3-15

66 Chapter 3: 3: Global Global Services Services web application web application deployment deployment Configuring the application server Configuring File Management System (FMS) to use SSL Installing the Global Services signer certificate to the Teamcenter rich client Installing the Global Services signer certificate to the Teamcenter thin client Modifying the Teamcenter Enterprise configuration variables for SSL Modifying the Teamcenter preferences for SSL Configure the application server for SSL You must configure the application server where you have the Global Services web application deployed for SSL. Any other application server that contains Teamcenter web products that are communicating with Global Services must also be configured for SSL. In general, you perform the following configuration in the application server: Create a key store The key store is normally Java key store (JKS) type. You must have the path to, and file name of, the key store file. Import/identify the certificate authority file to the application server The application server must have access to certificate authority (CA) file you will use for your SSL communications. Configure SSL listening port You must set the SSL port number for your application server default value. For WebSphere application servers, you must enable the States Federal Information Standard (FIPS) algorithms. The Use the United States Federal Information Standard (FIPS) algorithms option is located under Security SSL certificate and key Management section in the WebSphere integrated solutions console. Instructions for enabling secure socket layer (SSL) on an application server are provided in the application server documentation. File Management System certificate and configuration variables Overview of FMS certificate and configuration variables You must configure File Management System (FMS) to use a purchased vendor certificate authority that is supported by standard distributions of the Java runtime environment. The following variables apply to configuring FMS for SSL: 3-16 Web Application Deployment PLM

67 Global Services web application deployment key store-file key store-password FSC-myhost FSC-myhost -password FSC-myhost.csr FSC-myhost.cer Represents the key store file name. This file is conforms to the Java-based storage standard with public and private keys that are stored in an encrypted key store. Individual keys and certificates within this cryptographic storage can have individual password protection. Represents the password required to manage the key store. Represents an alias name for the certificate. The certificate is bound to the host so use a name that indicates the FSC host. This is a similar naming convention to the FSC configuration file name (FSC_host-name_user-name). Represents the certificate alias password. This password is required to retrieve the certificate. Represents the certificate signing request (CSR) file name. This file requires a.csr extension. This file contains the certificate signing request information that you send to the signing authority. Represents the certificate file name. This is the file returned by the signing authority and should have a.cer file extension. Generate a key store and private key 1. From a command prompt, go to the FSC_HOME directory. 2. Type the following command and prompt replies to create a key store: keytool -genkey -key store key store-file -keyalg RSA -alias FSC-myhost Enter key store password: key store-password What is your first and last name? [Unknown]: myhost.mydomain.com What is the name of your organizational unit? [Unknown]: mycompany What is the name of your organization? [Unknown]: mycompany What is the name of your City or Locality? [Unknown]: mycity What is the name of your State or Province? [Unknown]: mystate What is the two-letter country code for this unit? [Unknown]: my Is CN=myhost.mydomain.com, OU=mycompany, O=mycompany, L=mycity, ST=mystate, C=my correct? [no]: yes Enter key password for <FSC-myhost> (RETURN if same as key store password): FSC-myhost-password 3. Verify the key entry by typing the following command and prompt replies: keytool -list -key store key store-file Enter key store password: key store-password key store type: jks key store provider: SUN The command output should be similar to: Your key store contains 1 entry fsc-myhost, Nov 8, 2007, keyentry, Certificate fingerprint (MD5): 59:B6:2D:38:24:16:45:1B:47:2A:E9:06:55:80:B3:C6 PLM Web Application Deployment 3-17

68 Chapter 3: 3: Global Global Services Services web application web application deployment deployment 4. Back up the key store file to a secure location. The private key is stored in this file and is unrecoverable if the file or passwords are lost. Obtain a signed certificate You must create a certificate signing request (CSR) and submit it to a certificate authority (CA) to receive the signed certificate. The process of submitting the CSR and receiving the signed certificate from the CA varies by signing authority. 1. Generate a CSR from the private key by typing the following command and prompt replies in your FSC_HOME directory: keytool -certreq -key store key store-file -alias FSC-myhost -file FSC-myhost.csr Enter key store password: key store-password Enter key password for <FSC-myhost> FSC-myhost-password 2. Open the fsc-myhost.csr file and verify the contents are similar to the following: -----BEGIN NEW CERTIFICATE REQUEST----- MIIBtjCCAR8CAQAwdjELMAkGA1UEBhMCbXkxEDAOBgNVBAgTB215c3RhdGUxDzANBgNVBAcTBm15 Y2l0eTESMBAGA1UEChMJbXljb21wYW55MRIwEAYDVQQLEwlteWNvbXBhbnkxHDAaBgNVBAmTE215 ag9zdc5tewrvbwfpbi5jb20wgz8wdqyjkozihvcnaqebbqadgy0amigjaogbaj0h3if8kben2ukw hw1dw+rlxgwcsptla3ei+6raka32dg/4fy89zbcug02413x0bxqwcsrznywfdjhlk4en7i2xejns ORwJfBeF9yW6d4lzaWA6LATFr5T3DHafF6mSRNPl+739mpGuQr44AXBQWqZoOMhecc+n/ErekMlZ dgwtagmbaaggadanbgkqhkig9w0baqqfaaobgqcqjtqujl7gixz0is0fuoaxtcydmix1bevhu+l/ IqcTh4BX8V3vJmm+kHwwKn3yeih+WJzYmDdNh/uaKxO7txyFdPPDd1bdIosFc4XIZwys0jFKwGqf MUjB9wgaKgHSRQTtCOPBEO/ClLjm8ocFNQBWysYVevAZQAmEMp90BxBt/Q== -----END NEW CERTIFICATE REQUEST Submit the CSR file to the certificate signing authority and receive the signed certificate using the process defined by the signing authority. 4. Import the signed certificate into the FSC server by typing the following command and prompt replies in your FSC_HOME directory: keytool -import -trustcacerts -key store key store file -file FSC-myhost.cer -alias FSC-myhost Enter key store password: key store-password Enter key password for <FSC-myhost> FSC-myhost-password Update the FSC and FMS configuration 1. Configure the FSC key store by specifying the following properties in the fsc.$fscid.properties file in your FSC_HOME directory: com.teamcenter.fms.servercache.key store.file=key store-file com.teamcenter.fms.servercache.key store.password=key store-password com.teamcenter.fms.servercache.key store.ssl.certificate.password=fsc-myhost-password 2. Configure the FMS master file for SSL through the following as required: Update the existing HTTP connection Add an additional connection Assign clients to particular connections 3. Modify any of the following bootstrap configuration values to use the new scheme (or port) as required: Any <fscmaster address=" /> values in fsc.xml files 3-18 Web Application Deployment PLM

69 Global Services web application deployment Any <parenfscr address=" /> values in fcc.xml files The Fms_BootStrap_Urls preference Configure Global Services application as a trusted client This process depends on the application server you are using for your Global Services web application. A similar process to the ones provided for WebSphere and WebLogic is required for the other supported application servers. For WebSphere: 1. Log on to the Integrated Solutions Console and navigate to the key stores and certificates section (Security SSL certificate and key management Key stores and certificates). 2. Select the key stores that you created for the Global Services web application certificate and for the File Management System (FMS) certificate and click Exchange Signers. 3. Select the FMS key store and add it as a signer for the Global Services web application. For WebLogic: 1. Open a command shell and navigate to the Java Runtime Environment (JRE) for your WebLogic domain where your Global Services web application is deployed. 2. Import the FMS certificate to the Java cacerts key store using the Java keytool -import utility. Install the Global Services signer certificate to Teamcenter rich client 1. Open a command shell and navigate to: TC_ROOT portal jre lib security 2. Import the certificate using the Java keytool -import utility, for example: keytool -import alias myprivateroot keystore..\lib\security\cacerts file c:\root.cer 3. Use the keytool utility to verify the security certificate was added to the portal key store, for example: keytool list keystore..\lib\security\cacerts The rich client is configured as a trusted client. Try a transfer between sites using the rich client to verify the configuration. Install the Global Services signer certificate to Teamcenter thin client You must import the certificate for the Global Services web application into the internet browsers that you use to access your Teamcenter thin client. This process varies by browser and operating system. PLM Web Application Deployment 3-19

70 Chapter 3: 3: Global Global Services Services web application web application deployment deployment The following procedures are for the currently supported Firefox and Internet Explorer versions on Windows but can be used as a guide for other browsers and operating systems. For Firefox: 1. Choose Tools Options and click Advanced. 2. Click View Certificates and click the Your Certificates tab. 3. Click Import and navigate to the certificate file and click Open. Type the certificate s pass phase when prompted and click OK. For Internet Explorer: 1. Choose Tools Internet Options and click the Content tab. 2. Click Certificates and click the Personal tab. 3. Click Import and follow the wizard instructions to install the certificate. Select the High Security option to prevent Internet Explorer from saving your pass phrase. Configure the Teamcenter Enterprise Global Services end point variable 1. In the Teamcenter Enterprise Administration Editor choose GMS Configuration. 2. In the GMS Configuration pane, type the https URL for the Global Services application as the value for Teamcenter Global Services URL and click Finish. Alternatively, you can edit the GS_END_POINT value in the config.cfg file. Secure Socket Layer (SSL) communication with Global Services is not supported in Teamcenter Enterprise 2005SR1 release. Modify Teamcenter preferences for SSL It is recommended that you configure Global Services for HTTP communications and verify it is functional before switching to SSL. 1. In the Organization application, select the node of the remote site definition from the Organization List tree. 2. Modify the value in the TcGS URL box to the HTTPS URL for the Global Services web application and click Modify. 3. Select the node of the local site definition from the Organization List tree. 4. Modify the value in the TcGS URL box to the HTTPS URL for the Global Services web application and click Modify Web Application Deployment PLM

71 Global Services web application deployment 5. Choose Edit Options and click Search in the Options dialog box. 6. Search for TC_gms and modify the values for the following preferences as indicated: Preference TC_gms_server TC_gms_server_ca_file Value HTTPS URL of your Global Services web application. File name of the trusted CA certificates in PEM format. You can omit setting the value for the TC_gms_server_ca_path preference if you include the full path the file in this preference. TC_gms_server_ca_path TC_gms_sso_enabled Path to the trusted CA certificates file. FALSE SSO does not support HTTPS communications. 7. Locate the Web_protocol preference and change its value to PLM Web Application Deployment 3-21

72

73 Appendix A: Teamcenter client communication system and proxy server configuration Overview of TCCS and proxy server configuration A-1 About reverse proxy servers A-3 Enabling File Management System (FMS) URL path extensions A-4 FMS server cache (FSC) SSL client credentials (two-way SSL) A-4 File Management System (FMS), reverse proxy, and two-way SSL configuration details A-5 Overview of FMS, reverse proxy, and two-way SSL configuration A-5 Basic File Management System (FMS) configuration A-5 Introduction to basic FMS configuration A-5 Configuration element details A-6 FCS configuration files A-7 Configuration file content bootstrap references A-8 One-way SSL configuration A-8 Introduction to one-way SSL configuration A-8 One-way SSL configuration element details A-9 One-way SSL FSC configuration files A-9 One-way SSL configuration file changes bootstrap references A-10 One-way SSL sew configuration files property and keystore files A-10 Configuring two-way SSL between FMS server caches (FSCs) A-12 Overview of two-way SSL between FSCs A-12 Two-way SSL configuration element details A-12 Two-way SSL FSC configuration files A-13 Two-way SSL configuration file changes bootstrap references A-13 Two-way SSL configuration file changes property and keystore files A-14 Configuring Kerberos authentication on the web tier A-16 Configure IIS reverse proxy for Security Services login service A-16 Configure JBoss ISAPI with IIS for Security Services login service A-18 PLM Web Application Deployment

74

75 Appendix A: Teamcenter client communication system and proxy server configuration Overview of TCCS and proxy server configuration Teamcenter currently supports IBM WebSEAL and CA SiteMinder commercial single sign-on (SSO) products for reverse proxy servers. Security Services is required when using these reverse proxy servers. Teamcenter provides the Teamcenter client communication system (TCCS) application that contains the TcProxyClient component to support forward and reverse proxy servers. This component detects form-based and 401-based challenges from reserve proxy servers. It uses the criteria defined in the reverseproxy_config.xml file to identify form-based challenges from a reverse proxy and uses the Apache HTTP client library to detect 401-based challenges. If the reverseproxy_config.xml file is not available, the component uses default criteria defined for the type of reverse proxy server (only WebSEAL is supported if the configuration file does not exist). The following figure shows the TCCS architecture. PLM Web Application Deployment A-1

76 Appendix A: A: Teamcenter Teamcenter client client communication system system and proxy and proxy server server configuration configuration Teamcenter client communication system architecture The TcServerProxy (TSP) manages HTTP communications for Teamcenter server (tcserver) requests. It accepts client requests over secured pipes using a proprietary protocol and submits the requests over HTTP to the web tier endpoint. You can use the tspstat utility to administer and obtain runtime statistics from the TcServerProxy component. The FMS client cache (FCC) runs within the TCCS container. The TCCS application is started when you start the FCC (startfcc command). The FCC accepts client requests over secure pipe connections and submits them to the appropriate FMS server cache (FSC) process. The FCC uses the TcProxyClient component and forward proxy configuration to support forward and reverse proxy servers. Hooks to the java.net package are used to integrate the forward proxy library and the Jakarta Commons HTTP state into the java.net processing. The Teamcenter model event manager (TcMEM) component manages event synchronization across SOA clients sharing the same Teamcenter server instance. For form-based challenges, the TcProxyClient component examines the response for content type. For a 200 response, if the content type is not text/html the component does no further processing. When the TcProxyClient component detects a challenge from a reverse proxy server, it passes the URL for the reverse proxy server to Teamcenter Security Services which returns a cookie corresponding to a valid session for the reverse proxy. The cookie patterns for the proxy servers A-2 Web Application Deployment PLM

77 Teamcenter client communication system and proxy server configuration are defined in the tcsso_rp_cookienamepattern context parameter during the TCCS installation process as part of the Security Services configuration. The TcProxyClient component also supports one-way and two-way SSL using smart card client certificate or soft client-certificate authentication. Client-certificate authentication is more secure than any of the other supported forms of authentication. A client certificate can be either of the following: A smart card containing a certificate that complies with the PKCS#11 standard. Smart-card authentication is an example of two-factor authentication (2FA). Two-factor authentication requires the presentation of something the user knows and something the user has. Smart-card authentication is supported only for a 32-bit Java Runtime Environment (JRE). It is not supported for a 64-bit JRE. A file containing a certificate that complies with the PKCS#12 standard. Commonly used file extensions are.p12,.pfx, and.jks. Teamcenter supports soft certificates for both 32- and 64-bit JREs. Teamcenter client communication system (TCCS) supports client-certificate authentication for the rich client, Client for Office, Lifecycle Visualization, stand-alone Electronic Design Automation (EDA), Solid Edge, and NX applications. You can configure the server to display a notice and consent logon banner when a user connects to a Teamcenter client using smart card or soft certificate authentication. Teamcenter displays the notice defined by the banner.txt file in the login service WAR file. This file is located in the root folder of the Login Service WAR file. If the banner.txt file is empty or contains only whitespace characters, Teamcenter does not display the notice. The consent to log on dialog box provides a cancel button. If the user clicks Cancel, the connection to Teamcenter is prohibited. The pattern is defined as a case-insensitive string that can contain wildcard characters (*) for matching one or more characters at their position in the string. The literal * character can be include by preceding it with the backslash (\) escape character. You can include a wildcard at the beginning or end of the string or both. The following examples are valid patterns: *string string* *string* stri\*ng You can also include a wildcard character within a string, for example: *coo*kie co*ok*ie About reverse proxy servers Teamcenter client communication system (TCCS) supports form-based challenge from reverse proxy servers: IBM WebSEAL CA SiteMinder PLM Web Application Deployment A-3

78 Appendix A: A: Teamcenter Teamcenter client client communication system system and proxy and proxy server server configuration configuration Security Services supports cookie sharing in both of these reverse proxy servers, but you must enable the feature for the given server before you can use it. Enabling File Management System (FMS) URL path extensions FMS URL path extensions are always enabled. The configuration elements that require additional path information can include: parentfsc address in the fcc.xml file. This value can be only entered from the fcc_only installer. No other FCC installer supports this; therefore, the fcc.xml file must be modified manually. fscmaster address in the fsc.xml file. multisite fsc addresses in the fmsmaster.xml file. Fms_BootStrap_Urls preference values. The /tc/fms/fmsenterpriseid path extension is not configurable. Reverse proxies must be configured to map to this path extension. FMS server cache (FSC) SSL client credentials (two-way SSL) FMS SSL configuration is not fully supported by the installers. Additional steps are required to generate certificates and configure the FSC property and keystore files. Two-way SSL configuration can be enabled only after first successfully configuring for SSL. Caution The password specified for the com.teamcenter.fms.servercache.keystore.password property and the com.teamcenter.fms.servercache.keystore.ssl.certificate.password property must be identical. These properties are contained in the fsc.properties files. The com.teamcenter.fms.allowuntrustedcertificates property cannot be used with two-way SSL. This property can only be used for trusting one-way SSL self-signed certificates. Additional configuration steps for enabling two-way SSL The following additional steps are required to configure two-way SSL: 1. Modify the fmsmaster FSC address and/or the connection element to add the following value: or <fsc id= FSC_fscmidzone_infodba address= options= needclientauth > <connection id= another2waysslconn A-4 Web Application Deployment PLM

79 Teamcenter client communication system and proxy server configuration protocol= https port= 4545 options= needclientauth /> 2. Uncomment or add the following properties in the fsc.properties file to point to the existing keystore that was created to support the initial SSL configuration: javax.net.ssl.keystore=${fms_home}/keystore javax.net.ssl.keystorepassword=keystorepassword javax.net.ssl.truststore=${fms_home}/keystore javax.net.ssl.truststorepassword=keystorepassword 3. Add trusted certificates to the keystore that can validate the clients that are allowed to connect. The trusted certification from the CA, for example the thawte premium server CA certificate, is required in addition to the client certificate. File Management System (FMS), reverse proxy, and two-way SSL configuration details Overview of FMS, reverse proxy, and two-way SSL configuration This section describes how to configure an FMS system with the following characteristics: All client traffic is directed to a reverse proxy server. All client traffic uses one-way SSL. Several logical and/or physical zones exist behind the reverse proxy. These are separated by firewalls. Reverse proxy sends traffic to an FMS Server Cache (FSC) located within the same zone (using one-way SSL). Another FSC in another zone hosts the real volumes. FSC-to-FSC communication across the zones requires two-way SSL. Basic File Management System (FMS) configuration Introduction to basic FMS configuration This example describes the basic FMS server caches (FSCs), groups, and client maps. The target configuration consists of two FSCs behind a reverse proxy server. All clients are in front of the reverse proxy. There are three zones in this example: Client zone PLM Web Application Deployment A-5

80 Appendix A: A: Teamcenter Teamcenter client client communication system system and proxy and proxy server server configuration configuration All clients are on one side of the reverse proxy server. All communication is routed through the reverse proxy to the backend servers. The only resource the clients communicate with is the reverse proxy server. Middle zone The location of the reverse proxy, web tier, first FSC, and LDAP. Resource zone The second FSC, volumes, and Oracle. The following fmsmaster_fsc_fscmidzone_infodba.xml file is the master configuration file used in this example. <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE fmsworld SYSTEM "fmsmasterconfig.dtd"> <fmsworld> <fmsenterprise id=" "> <fscgroup id="midzone"> <!-- the following fsc element is a caching FSC --> <fsc id="fsc_fscmidzone_infodba" address=" /> <!-- the following fsc element represents the reverse proxy --> <fsc id="fsc_reverseproxy_infodba" address=" /> <!-- the following clientmap element maps all clients to the reverse proxy --> <clientmap subnet=" " mask=" "> <assignedfsc fscid="fsc_proxy_infodba" /> </clientmap> </fscgroup> <fscgroup id="reszone"> <!-- the following fsc element is the FSC that hosts the volumes --> <fsc id="fsc_fscreszone_infodba" address=" <volume id=" d871c1b2023" root="/mnt/disk1/tcapps/tceng2005sr1mp5/tc_vol/volume1" /> <transientvolume id="ce feada2dee4c3e79b955d8ba" root="/tmp/transientvolume_tceng2005sr1mp5_infodba" /> </fsc> </fscgroup> </fmsenterprise> </fmsworld> Configuration element details Element fscgroup Definition Describes either a group of FSCs on a LAN or a network of FSCs that have defined entry and exit FSCs. This configuration is simple because there is only one real FSC in each group; therefore, declared entries and exits are not required. There are two defined fscgroups: midzone Represents the middle zone. reszone Represents the resource zone. A-6 Web Application Deployment PLM

81 Teamcenter client communication system and proxy server configuration Element FSC Definition The FSC for each zone is defined within the groups and one FSC is defined to represent the reverse proxy server, as follows: FSC_fscmidzone_infodba The FSC in the middle tier acts as a cache and performs the role of an FSC configuration master. This means it serves the master configuration file. FSC_fscreszone_infodba FSC_proxy_infodba The FSC in the resource tier mounts the volume and it is a configuration slave to the FSC_fscmidzone_infodba FSC. This FSC represents the reverse proxy server. It is required so that the clientmap elements can point to the FSC (address) for assignment. Clients should be assigned to the reverse proxy address, not to any of the real FSC servers. clientmap Clients are to be mapped to a single FSC (WebSEAL or SiteMinder); therefore, only a single comprehensive clientmap that assigns all clients to the reverse proxy is required. There are no volumes in the assigned group; therefore, you do not have to turn off direct routing to prevent the FCC from attempting to reach FSCs hosting volumes directly within the group. FCS configuration files The following configuration files are associated with the real FSCs: FSC_fscmidzone_infodba The FSC that is the FMS configuration master. o o $FSC_HOME/fmsmaster_FSC_fscmidzone_infodba.xml Master FMS configuration file. $FSC_HOME/FSC_fscmidzone_infodba.xml FSC configuration file that specifies the fscid and master/slave state. FSC_fscreszone_infodba o $FSC_HOME/fmsmaster_FSC_fscreszone_infodba.xml Local copy of the master FMS configuration file. o $FSC_HOME/FSC_fscreszone_infodba.xml FSC configuration file that specifies the fscid and master/slave state. PLM Web Application Deployment A-7

82 Appendix A: A: Teamcenter Teamcenter client client communication system system and proxy and proxy server server configuration configuration Configuration file content bootstrap references Bootstrap references must be changed to point to the reverse proxy (FSC) rather than to any of the real backend FSCs. You must also add the default URL context to all of the bootstrap references in the site context form: protocol://host[:port]/tc/fms/fmsenterpriseid $FMS_HOME/fcc.xml <parentfsc address=" $FSC_HOME/FSC_fscmidzone_infodba.xml <fscmaster serves="true"/> $FSC_HOME/FSC_fscreszone_infodba.xml This is the slave fsc.xml file that points to the master FSC. This is on the same side of the reverse proxy; therefore, a direct reference is used here.... <fscmaster serves="false" address=" Fms_BootStrap_Urls preference This value is used to bootstrap other FMS client integrations. The value must be appropriate for clients outside of the WebSEAL or SiteMinder reverse proxy; therefore, it points to the reverse proxy. For example, for a WebSEAL reverse proxy: For example, for a SiteMinder reverse proxy: One-way SSL configuration Introduction to one-way SSL configuration This section describes how to configure one-way SSL between the clients, the reverse proxy, and the FSC servers. This example uses purchased certificates. The following fmsmaster_fsc_fscmidzone_infodba.xml file is the master configuration file used in this example. <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE fmsworld SYSTEM "fmsmasterconfig.dtd"> <fmsworld> <fmsenterprise id=" "> <fscgroup id="midzone"> <!-- the following fsc element is a caching FSC, A-8 Web Application Deployment PLM

83 Teamcenter client communication system and proxy server configuration the default connection now uses SSL --> <fsc id="fsc_fscmidzone_infodba" address=" /> <!-- the following fsc element represents the WebSEAL proxy --> <fsc id="fsc_webseal_infodba" address=" /> <!-- the following clientmap element maps all clients to the WebSEAL proxy --> <clientmap subnet=" " mask=" "> <assignedfsc fscid="fsc_proxy_infodba" /> </clientmap> </fscgroup> <fscgroup id="reszone"> <!--the following fsc element is the FSC that hosts the volumes, the default connection now uses SSL--> <fsc id="fsc_fscreszone_infodba" address=" <volume id=" d871c1b2023" root="/mnt/disk1/tcapps/tceng2005sr1mp5/tc_vol/volume1" /> <transientvolume id="ce feada2dee4c3e79b955d8ba" root="/tmp/transientvolume_tceng2005sr1mp5_infodba" /> </fsc> </fscgroup> </fmsenterprise> </fmsworld> One-way SSL configuration element details Element FSC Definition The addresses defined for the FSCs specify https. This causes the listener to be configured for SSL. The port on the FSC representing the reverse proxy is changed to use 443 rather than 80. One-way SSL FSC configuration files The following configuration files are associated with the real FSCs: FSC_fscmidzone_infodba Specifies the FMS configuration master. o o o o $FSC_HOME/fmsmaster_FSC_fscmidzone_infodba.xml The master FMS configuration file. $FSC_HOME/FSC_fscmidzone_infodba.xml FSC configuration file that specifies the fscid and master/slave state. $FSC_HOME/fsc.FSC_fscmidzone_infodba.properties Additional properties for this FSC used to configure the keystore. $FSC_HOME/keystore.FSC_fscmidzone_infodba.jks Keystore for this FSC. FSC_fscreszone_infodba Specifies the FMS configuration slave. o $FSC_HOME/fmsmaster_FSC_fscreszone_infodba.xml Local copy of the master FMS configuration file. PLM Web Application Deployment A-9

84 Appendix A: A: Teamcenter Teamcenter client client communication system system and proxy and proxy server server configuration configuration o o o $FSC_HOME/FSC_fscreszone_infodba.xml FSC configuration file that specifies the fscid and master/slave state. $FSC_HOME/fsc.FSC_fscreszone_infodba.properties Additional properties for this FSC used to configure the keystore. $FSC_HOME/keystore.FSC_fscreszone_infodba.jks The keystore for this FSC. One-way SSL configuration file changes bootstrap references Bootstrap references must be changed to use the new port on the reverse proxy (FSC) and to configure the keystores. $FMS_HOME/fcc.xml... <parentfsc address=" Fms_BootStrap_Urls preference This value is used to bootstrap other FMS client integrations. The value must be appropriate for clients outside of the WebSEAL or SiteMinder reverse proxy; therefore, it points to the reverse proxy. For example, for WebSEAL: For example, for SiteMinder: One-way SSL sew configuration files property and keystore files Only use $FMS_HOME, not $FSC_HOME, in FMS configuration files. Always use UNIX-style path separators (/). $FSC_HOME/fsc.FSC_fscmidzone_infodba.properties The property file used to configure the keystore. # fsc.fsc_fscmidzone_infodba.properties com.teamcenter.fms.servercache.keystore.file=$<fms_home}/keystore.fsc_fscmidzone_infodba.jks com.teamcenter.fms.servercache.keystore.password=keystore.fsc_fscmidzone_infodba.password com.teamcenter.fms.servercache.keystore.ssl.certificate.password=keystore.fsc_fscmidzone_infodba.password # these are not needed for 1-way SSL # javax.net.ssl.keystore=$<fms_home}/keystore.fsc_fscmidzone_infodba.jks # javax.net.ssl.keystorepassword=keystore.fsc_fscmidzone_infodba.password # javax.net.ssl.truststore=$<fms_home}/keystore.fsc_fscmidzone_infodba.jks # javax.net.ssl.truststorepassword=keystore.fsc_fscmidzone_infodba.password $FSC_HOME/keystore.FSC_fscmidzone_infodba The keystore for this FSC. The keystore must contain the private key and certificate for the local machine. fscmidzone> keytool -list -v -keystore keystore.fsc_fscmidzone_infodba.jks -storepass keystore.fsc_fscmidzone_infodba.password A-10 Web Application Deployment PLM

85 Teamcenter client communication system and proxy server configuration Keystore type: jks Keystore provider: SUN Your keystore contains 1 entries Alias name: fscmidzone.yourcompany.com Creation date: Jan 23, 2008 Entry type: keyentry Certificate chain length: 2 Certificate[1]: Owner: CN=fscmidzone.yourcompany.com, OU=QA, O=YOUR Corp, L=Plano, ST=Texas, C=US Issuer: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Serial number: dcc36d1ea9d773ba153022a951 Valid from: Thu Jan 10 16:44:38 CST 2008 until: Thu Mar 27 13:20:25 CDT 2008 Certificate fingerprints: MD5: 86:7E:16:59:99:E6:6F:B6:27:9B:92:19:E7:65:EB:A2 SHA1: 6A:D1:64:7A:0A:E1:CB:62:D3:EF:91:BF:E9:A0:CE:AF:A3:3D:E4:1E Certificate[2]: Owner: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Issuer: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Serial number: 1 Valid from: Wed Jul 31 19:00:00 CDT 1996 until: Thu Dec 31 17:59:59 CST 2020 Certificate fingerprints: MD5: 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A SHA1: 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A ******************************************* ******************************************* $FSC_HOME/fsc.FSC_fscreszone_infodba.properties The property file used to configure the keystore. # fsc.fsc_fscreszone_infodba.properties com.teamcenter.fms.servercache.keystore.file=$<fms_home}/keystore.fsc_fscreszone_infodba.jks com.teamcenter.fms.servercache.keystore.password=keystore.fsc_fscreszone_infodba.password com.teamcenter.fms.servercache.keystore.ssl.certificate.password=keystore.fsc_fscreszone_infodba.password # these are not needed for 1-way SSL # javax.net.ssl.keystore=$<fms_home}/keystore.fsc_fscreszone_infodba.jks # javax.net.ssl.keystorepassword=keystore.fsc_fscreszone_infodba.password # javax.net.ssl.truststore=$<fms_home}/keystore.fsc_fscreszone_infodba.jks # javax.net.ssl.truststorepassword=keystore.fsc_fscreszone_infodba.password $FSC_HOME/keystore.FSC_fscreszone_infodba The keystore for this FSC. The keystore must contain the private key and certificate for the local machine. fscreszone> keytool -list -v -keystore keystore.fsc_fscreszone_infodba.jks -storepass keystore.fsc_fscreszone_infodba.password Keystore type: jks Keystore provider: SUN Your keystore contains 1 entries Alias name: fscreszone.yourcompany.com Creation date: Jan 23, 2008 Entry type: keyentry Certificate chain length: 2 Certificate[1]: Owner: CN=fscreszone.yourcompany.com, OU=QA, O=YOUR Corp, L=Plano, ST=Texas, C=US Issuer: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Serial number: dcc36d1ea9d773ba153022a951 Valid from: Thu Jan 10 16:44:38 CST 2008 until: Thu Mar 27 13:20:25 CDT 2008 Certificate fingerprints: MD5: 86:7E:16:59:99:E6:6F:B6:27:9B:92:19:E7:65:EB:A2 SHA1: 6A:D1:64:7A:0A:E1:CB:62:D3:EF:91:BF:E9:A0:CE:AF:A3:3D:E4:1E Certificate[2]: Owner: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Issuer: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Serial number: 1 Valid from: Wed Jul 31 19:00:00 CDT 1996 until: Thu Dec 31 17:59:59 CST 2020 Certificate fingerprints: MD5: 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A SHA1: 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A ******************************************* ******************************************* PLM Web Application Deployment A-11

86 Appendix A: A: Teamcenter Teamcenter client client communication system system and proxy and proxy server server configuration configuration Configuring two-way SSL between FMS server caches (FSCs) Overview of two-way SSL between FSCs Building on the one-way SSL configuration example, this section describes how two-way SSL is configured exclusively for FSC to FSC traffic. The following fmsmaster_fsc_fscmidzone_infodba.xml file is the master configuration file used in this example. <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE fmsworld SYSTEM "fmsmasterconfig.dtd"> <fmsworld> <fmsenterprise id=" "> <fscgroup id="midzone"> <!-- the following fsc element is a caching FSC, the default connection now uses 2-way SSL --> <fsc id="fsc_fscmidzone_infodba" address=" options="needclientauth"> <!-- the following connection element adds an additional connection supporting SSL(1-way) to this FSC --> <connection id="1waysslcon" protocol="https" port="4544"/> </fsc> <!-- the following fsc element represents the WebSEAL proxy --> <fsc id="fsc_webseal_infodba" address=" <!-- the following clientmap element is used to map particular clients (e.g. DAK server, Web Application Server) within the midzone to the 1-way SSL connection of the midzone FSC --> <clientmap subnet=" " mask=" "> <assignedfsc fscid="fsc_fscmidzone_infodba" connectionid="1waysslcon"/> </clientmap> <!-- the following clientmap element maps all (remaining) clients to the WebSEAL proxy --> <clientmap subnet=" " mask=" "> <assignedfsc fscid="fsc_proxy_infodba"/> </clientmap> </fscgroup> <fscgroup id="reszone"> <!-- the following fsc element is the FSC that hosts the volumes, the default connection now uses 2-way SSL --> <fsc id="fsc_fscreszone_infodba" address=" options="needclientauth"> <volume id=" d871c1b2023" root="/mnt/disk1/tcapps/tceng2005sr1mp5/tc_vol/volume1"/> <transientvolume id="ce feada2dee4c3e79b955d8ba" root="/tmp/transientvolume_tceng2005sr1mp5_infodba"/> </fsc> </fscgroup> </fmsenterprise> </fmsworld> Two-way SSL configuration element details Element FSC connection Definition The FSC elements specify options= needclientauth. This causes the default connection to require a two-way SSL handshake. The default connection is defined in the address attribute of the fsc element. In this example, the port number is changed to A new connection element is added (using the original SSL port number 4544) to the FSC_fscmidzone_infodba FSC to continue to support the one-way SSL connection that reverse proxy is configured to use. A-12 Web Application Deployment PLM

87 Teamcenter client communication system and proxy server configuration Element clientmap Definition There is an additional clientmap element to map clients that are already inside the midzone to the one-way SSL connection of the midzone FSC. (The Teamcenter Engineering Data Integration Services Adapter is one such client.) Two-way SSL FSC configuration files The following configuration files are associated with the real FSCs: FSC_fscmidzone_infodba Specifies the FMS configuration master. o o o o $FSC_HOME/fmsmaster_FSC_fscmidzone_infodba.xml Master FMS configuration file. $FSC_HOME/FSC_fscmidzone_infodba.xml FSC configuration file that specifies the fscid and master/slave state. $FSC_HOME/fsc.FSC_fscmidzone_infodba.properties Additional properties for this FSC used to configure the keystore. $FSC_HOME/keystore.FSC_fscmidzone_infodba.jks The keystore for this FSC. FSC_fscreszone_infodba Specifies the FMS configuration slave. o o o o $FSC_HOME/fmsmaster_FSC_fscreszone_infodba.xml Local copy of the master FMS configuration file. $FSC_HOME/FSC_fscreszone_infodba.xml FSC configuration file that specifies the fscid and master/slave state. $FSC_HOME/fsc.FSC_fscreszone_infodba.properties Additional properties for this FSC used to configure the keystore. $FSC_HOME/keystore.FSC_fscreszone_infodba.jks The keystore for this FSC. Two-way SSL configuration file changes bootstrap references None of the bootstrap references change; they continue to point to the reverse proxy HTTPS address. PLM Web Application Deployment A-13

88 Appendix A: A: Teamcenter Teamcenter client client communication system system and proxy and proxy server server configuration configuration Two-way SSL configuration file changes property and keystore files Only use $FMS_HOME, not $FSC_HOME in FMS configuration files. Always use UNIX-style path separators (/). $FSC_HOME/fsc.FSC_fscmidzone_infodba.properties Property file used to configure the keystore. # fsc.fsc_fscmidzone_infodba.properties com.teamcenter.fms.servercache.keystore.file=${fms_home}/keystore.fsc_fscmidzone_infodba.jks com.teamcenter.fms.servercache.keystore.password=keystore.fsc_fscmidzone_infodba.password com.teamcenter.fms.servercache.keystore.ssl.certificate.password=keystore.fsc_fscmidzone_infodba.password # these are not needed for 1-way SSL javax.net.ssl.keystore=${fms_home}/keystore.fsc_fscmidzone_infodba.jks javax.net.ssl.keystorepassword=keystore.fsc_fscmidzone_infodba.password javax.net.ssl.truststore=${fms_home}/keystore.fsc_fscmidzone_infodba.jks javax.net.ssl.truststorepassword=keystore.fsc_fscmidzone_infodba.password $FSC_HOME/keystore.FSC_fscmidzone_infodba The keystore for this FSC. The keystore just contain the private key and certificate for the local machine and it must also contain the trusted (CA) certificate for any clients you want to accept. You can optionally import individual certificates for each client rather than importing the signer certificate. A-14 Web Application Deployment PLM

89 Teamcenter client communication system and proxy server configuration fscmidzone> keytool -list -v -keystore keystore.fsc_fscmidzone_infodba.jks -storepass keystore.fsc_fscmidzone_infodba.password Keystore type: jks Keystore provider: SUN Your keystore contains 2 entries Alias name: fscmidzone.yourcompany.com Creation date: Jan 23, 2008 Entry type: keyentry Certificate chain length: 2 Certificate[1]: Owner: CN=fscmidzone.yourcompany.com, OU=QA, O=YOUR Corp, L=Plano, ST=Texas, C=US Issuer: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Serial number: dcc36d1ea9d773ba153022a951 Valid from: Thu Jan 10 16:44:38 CST 2008 until: Thu Mar 27 13:20:25 CDT 2008 Certificate fingerprints: MD5: 86:7E:16:59:99:E6:6F:B6:27:9B:92:19:E7:65:EB:A2 SHA1: 6A:D1:64:7A:0A:E1:CB:62:D3:EF:91:BF:E9:A0:CE:AF:A3:3D:E4:1E Certificate[2]: Owner: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Issuer: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Serial number: 1 Valid from: Wed Jul 31 19:00:00 CDT 1996 until: Thu Dec 31 17:59:59 CST 2020 Certificate fingerprints: MD5: 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A SHA1: 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A ******************************************* ******************************************* Alias name: thawte premium server ca Creation date: Feb 20, 2008 Entry type: trustedcertentry Owner: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Issuer: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Serial number: 1 Valid from: Wed Jul 31 19:00:00 CDT 1996 until: Thu Dec 31 17:59:59 CST 2020 Certificate fingerprints: MD5: 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A SHA1: 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A ******************************************* ******************************************* $FSC_HOME/fsc.FSC_fscreszone_infodba.properties The property file used to configure the keystore. # fsc.fsc_fscreszone_infodba.properties com.teamcenter.fms.servercache.keystore.file=${fms_home}/keystore.fsc_fscreszone_infodba.jks com.teamcenter.fms.servercache.keystore.password=keystore.fsc_fscreszone_infodba.password com.teamcenter.fms.servercache.keystore.ssl.certificate.password=keystore.fsc_fscreszone_infodba.password # these are not needed for 1-way SSL javax.net.ssl.keystore=${fms_home}/keystore.fsc_fscreszone_infodba.jks javax.net.ssl.keystorepassword=keystore.fsc_fscreszone_infodba.password javax.net.ssl.truststore=${fms_home}/keystore.fsc_fscreszone_infodba.jks javax.net.ssl.truststorepassword=keystore.fsc_fscreszone_infodba.password $FSC_HOME/keystore.FSC_fscreszone_infodba The keystore for this FSC. The keystore must contain the private key and certificate for the local machine, and it must also contain the trusted (CA) certificate for any clients you want to accept. You can optionally import individual certificates for each client rather than importing the signer certificate. PLM Web Application Deployment A-15

90 Appendix A: A: Teamcenter Teamcenter client client communication system system and proxy and proxy server server configuration configuration fscreszone> keytool -list -v -keystore keystore.fsc_fscreszone_infodba.jks -storepass keystore.fsc_fscreszone_infodba.password Keystore type: jks Keystore provider: SUN Your keystore contains 2 entries Alias name: fscreszone.yourcompany.com Creation date: Jan 23, 2008 Entry type: keyentry Certificate chain length: 2 Certificate[1]: Owner: CN=fscreszone.yourcompany.com, OU=QA, O=YOUR Corp, L=Plano, ST=Texas, C=US Issuer: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Serial number: dcc36d1ea9d773ba153022a951 Valid from: Thu Jan 10 16:44:38 CST 2008 until: Thu Mar 27 13:20:25 CDT 2008 Certificate fingerprints: MD5: 86:7E:16:59:99:E6:6F:B6:27:9B:92:19:E7:65:EB:A2 SHA1: 6A:D1:64:7A:0A:E1:CB:62:D3:EF:91:BF:E9:A0:CE:AF:A3:3D:E4:1E Certificate[2]: Owner: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Issuer: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Serial number: 1 Valid from: Wed Jul 31 19:00:00 CDT 1996 until: Thu Dec 31 17:59:59 CST 2020 Certificate fingerprints: MD5: 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A SHA1: 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A ******************************************* ******************************************* Alias name: thawte premium server ca Creation date: Feb 20, 2008 Entry type: trustedcertentry Owner: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Issuer: [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Serial number: 1 Valid from: Wed Jul 31 19:00:00 CDT 1996 until: Thu Dec 31 17:59:59 CST 2020 Certificate fingerprints: MD5: 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A SHA1: 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A ******************************************* ******************************************* Configuring Kerberos authentication on the web tier Configure IIS reverse proxy for Security Services login service You must have Microsoft Internet Information Services (IIS) installed (IIS 7.5 for Windows Server 2008 R2 and IIS 8.5 for Windows Server 2012 R2). 1. Copy the iisproxy.dll and iisforward.dll files available in the WebLogic_Home\Server\plugin\win\32 or WLSHOME\Server\plugin\win\x64 directory to the directory that you want as your home folder for your IIS web site. This can be any directory accessible to IIS. Ensure that you copy the DLL file from the 32 directory for 32-bit operating systems or the x64 directory for 64-bit operating systems. These are not interchangeable and cause errors if you copy the wrong DLL file. 2. To open the IIS Manager, choose Start Administrative Tools Internet Information Services (IIS) Manager. 3. In the navigation tree, expand your host name entry until you see Sites. A-16 Web Application Deployment PLM

91 Teamcenter client communication system and proxy server configuration 4. Create a new web site with the home folder set to the directory that contains the DLLs you copied in step 1: a. Right-click Sites and choose Add a Web Site. b. In the Add Web Site dialog box, type a name for your new web site in the Site Name box, for example IIS7_WebLogic103, and click the browse button ( path box. ) next to the Physical c. In the Browse for Folder dialog box, browse to the directory that contains the iisproxy.dll and iisforward.dll files and click OK. d. In the Port box, type a unique port number (for example, 8088) and click OK. 5. Configure the web site application pool: a. In the navigation tree, click Application Pools. b. Under Application Pools, right-click your web site name and choose Advanced Settings. c. In the Advanced Settings dialog box, select True for Enable 32-Bit Applications. 6. Configure the web site authentication: a. In the navigation tree, select your web site name and double-click Authentication under the IIS section. b. In the Authentication pane, select Disabled for Anonymous Authentication. c. Select Enabled for Windows Authentication. This is the 401 negotiate setting. d. Under Actions in the right pane, click Providers and ensure Negotiate and NTLM are in the Enabled Providers box. If they are not, select them from the Available Providers list and click Add. This configures IIS to attempt to authenticate using Kerberos and fall back to NTLM if Kerberos authentication is unsuccessful. Do not select Negotiate:Kerberos as this prevents fall back NTLM authentication. e. Under Actions in the right pane, click Advanced Settings and ensure Enable Kernel-mode authentication is selected. 7. Configure the web site ISAPI filters: a. In the navigation tree, click your web site name and double-click ISAPI Filters in the IIS section. b. In the right pane, click Add under Actions. c. In the Add ISAPI Filter dialog box, type IISForward in the Filter name box, browse to the iisforward.dll file in the Executable box, and click OK. PLM Web Application Deployment A-17

92 Appendix A: A: Teamcenter Teamcenter client client communication system system and proxy and proxy server server configuration configuration 8. Configure a handler mapping: a. In the navigation tree, click your web site name and double-click Handler Mappings in the IIS section. b. In the right pane, click Add Script Map under Actions. c. In the Add a Script Map dialog box, type *.wlforward in the Request path box, browse to the iisproxy.dll file in the Executable box type IISProxy in the Name box, and click OK. 9. Create an iisproxy.ini file in the directory that contains the DLLs. This file must contain the following information. WebLogicHost=<dns-name-or-ip-address> WebLogicPort=<listening-port-for-WLS> WlForwardPath=/examplesWebApp Debug=ALL DebugConfigInfo=ON The WebLogicHost value is the host for the Security Services Login Service application. The WebLogicPort value is the port for the Security Services Login Service application. The WlForwardPath value is the name of the Security Services Login Service web application. The debug values are optional and are set for debugging purposes. The default log file for debug messages is C:\TEMP\wlproxy.log. The iisproxy.ini file is explained in the WebLogic documentation: In the right pane, click Restart under Manage Web Site. Configure JBoss ISAPI with IIS for Security Services login service You must install the Tomcat ISAPI Redirector version or later and configure the Windows registry for the redirector. You must also create the workers.properties and uriworkermap.properties files for the redirector. For additional information about the settings in these files, see the Tomcat documentation. 1. Create a directory where you want to install the Tomcat ISAPI Redirector on the Windows Server 2008 host, for example: D:\jboss_iis 2. Create the a directory structure on the Windows Server 2008 host for the new web site: jboss_iis This is the top level web site directory. Its name can be anything but it is recommended that you use an easily identified name such as jboss_iis. \bin This is the ISAPI redirector install directory. It contains the redirector dll file and its registry file. \conf A-18 Web Application Deployment PLM

93 Teamcenter client communication system and proxy server configuration Contains the ISAPI redirector configuration files. \log Contains the ISAPI redirector log files. \wwwroot This is the physical location of the web site. 3. Download the ISAPI Redirector from the Apache Tomcat web site and save it in the ISAPI redirector install (bin) directory. Download the latest version of the 32-bit redirector (isapi_redirector-version.dll) file, not the 64-bit redirector. Only the isapi_redirector.dll file is required. Rename the downloaded file to isapi_redirect.dll. 4. Configure Windows registry settings on the Windows Server 2008 host. a. In the ISAPI redirector install bin directory, create a file with a.reg extension. The name of this file is discretionary (isapi_redirector.reg is recommended). b. Create an isapi_redirect.reg windows registry file with the following contents: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\ Jakarta Isapi Redirector\1.0] "extension_uri"="/jakarta/isapi_redirect.dll" "log_file"="d:\\iis75 jboss71\\log\\jk_iis.log" "log_level"="debug" "worker_file"="d:\\iis75 jboss71\\conf\\workers.properties" "worker_mount_file"="d:\\iis75 jboss71\\conf\\uriworkermap.properties" uri_select = unparsed It is recommended that you use debug for the log_level entry when you initially configure the redirector to get all messages. You can change this after you have tested your installation and determined that it is working properly. The following table provides a brief description of these entries: Name extension_uri log_file log_level Description Represents the IIS virtual directory including the ISAPI Redirector file. Defines the name and location of the ISAPI Redirector log file. Defines the level of debug messages written to the ISAPI Redirector log file. Valid values are debug, info, error, and emerg. PLM Web Application Deployment A-19

94 Appendix A: A: Teamcenter Teamcenter client client communication system system and proxy and proxy server server configuration configuration Name worker_file worker_mount_file uri_select Description Defines the location of the ISAPI redirector worker.properties file. You create this file later. Defines the location of the ISAPI redirector uriworkermap.properties file. You create this file later. Determines how the forwarded URI is handled. Unparsed indicates the original request URI is forwarded. Siemens PLM Software recommends this option. Rewriting the URI and forwarding the rewritten URI does not work correctly. c. In the ISAPI Redirector installation directory, right-click the isapi_redirector.reg file and choose Merge. d. After receiving a confirmation message from Windows, check the ISAPI Redirector settings using the Microsoft Registry Editor program (regedit.exe) to ensure the registry settings are correct. For information about using the Microsoft Registry Editor, see the Microsoft Windows online help. 5. Create a text file with contents similar to the following: # Define node1 (one node required for H_SE) worker.list=node1 worker.node1.port=8009 worker.node1.host=host-name1 worker.node1.type=ajp13 The default port is If you could not use the default value and you changed the AJP port number in JBoss configuration when you configured the Tomcat ISAPI Redirector, use that value. The port is set (and can be modified) in the JBoss_home\server\default\deply\jbossweb.sar\server.xml file. The host-name value is the host where you run JBoss. 6. Add the AJP 1.3 connector as the child resource of the jboss:domain:web subsystem. a. Expand the configuration directory: jboss-as final\standalone\configuration b. Open the standalone.xml file. c. that each connector references a particular socket binding. Add or modify the following Connector element: <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false"> <connector name="http" protocol="http/1.1" scheme="http" socket-binding="http"/> <connector name="ajp13" protocol="ajp/1.3" scheme="http" socket-binding="ajp"/> <virtual-server name="default-host" enable-welcome-root="true"> <alias name="localhost"/> <alias name="example.com"/> </virtual-server> </subsystem> A-20 Web Application Deployment PLM

95 Teamcenter client communication system and proxy server configuration <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> <socket-binding name="ajp" port="8009"/> <socket-binding name="http" port="8080"/> IIS forwards requests to JBoss using the AJP 1.3 protocol on this port, this must be set to allow access to the remote user name (getremoteuser method). This configuration supports basic H-SE redirection (with IIS 7.x or 8.x and JBoss 7.x), without authentication. This configuration does not support Tomcat authentication. If Windows authentication is enabled in IIS 7.x or 8.x, you cannot use JBoss 7.1 for the Security Services login service. 7. Save the file as workers.properties in the conf directory. This must match the path you defined for it in the registry file. 8. Create a text file with contents similar to the following: # Send all /tc requests to node1 /tc/*=node1 Replace tc with the name of your Teamcenter Security Services Login Service web application. This configures the redirector to forward all requests with the /tc/* signature to node1. 9. Save the file as uriworkermap.properties. Save this file in the conf directory. 10. To open the IIS Manager, choose Start Administrative Tools Internet Information Services (IIS) Manager. 11. In the navigation tree, expand your host name entry until you see Sites. 12. Create a new web site with the home folder set to the directory you created in step 1: a. Right-click Sites and choose Add a Web Site. b. In the Add Web Site dialog box, type a name for you new web site in the Site Name box, for example jboss-iis. c. Click the browse button next to the Physical path box. d. In the Browse for Folder dialog box, browse to the wwwroot directory you created in step 1 and click OK. e. In the Port box, type a unique port number (for example, 8128) and click OK. 13. Configure the web site authentication: a. In the navigation tree, select your web site name and double-click Authentication under the IIS section. b. In the Authentication pane, select Disabled for Anonymous Authentication. PLM Web Application Deployment A-21

96 Appendix A: A: Teamcenter Teamcenter client client communication system system and proxy and proxy server server configuration configuration c. Select Enabled for Windows Authentication. This is the 401 negotiate setting. d. Under Actions in the right pane, click Providers and ensure Negotiate and NTLM are in the Enabled Providers box. If they are not, select them from the Available Providers list and click Add. This configures IIS to attempt to authenticate using Kerberos and fall back to NTLM if Kerberos authentication is unsuccessful. e. Under Actions in the right pane, click Advanced Settings and ensure Enable Kernel-mode authentication is selected. 14. Configure the web site ISAPI filters: a. In the navigation tree, click your web site name and double-click ISAPI Filters in the IIS section. b. In the right pane, click Add under Actions. c. In the Add ISAPI Filter dialog box, type jkfilter in the Filter name box, browse to the isapi_redirect.dll file in the Executable box, and click OK. 15. Create a virtual directory for your web site: a. In the navigation tree, right-click your web site name and choose Add Virtual Directory. b. In the Add Virtual Directory dialog box, type jakarta in the Alias box. The alias value can be anything but it must match the first value in the extension_uri entry in the isapi_redirect_reg file. c. Browse to the d:\jboss_iis\bin directory in the Physical path box and click OK. 16. Configure a handler mapping: a. In the navigation tree, click your web site name and double-click Handler Mappings in the IIS section. b. In the right pane, double-click ISAPI-dll under Actions. c. In the Edit Module Mapping dialog box, type * in the Request path box (remove any existing entry) and browse to the isapi_redirector.dll file in the Executable box. d. Click Request Restrictions and click the Verbs tab in the Request Restriction dialog box and ensure the All verbs option is selected. e. Click the Access tab, ensure the Execute option is selected, and click OK. 17. If your redirector is a 32-bit dll, enable 32-bit applications: a. In the navigation pane, select Application Pools. A-22 Web Application Deployment PLM

97 Teamcenter client communication system and proxy server configuration b. Select your web site name and click Advanced Settings under Edit Application Pool in the right pane. c. In the Advanced Settings dialog box, select True for Enable 32-Bit Applications. 18. In the right pane, click Restart under Manage Web Site. PLM Web Application Deployment A-23

98

99 Appendix B: Troubleshooting four-tier architecture deployment PLM Web Application Deployment

100

101 Appendix B: Troubleshooting four-tier architecture deployment Identify the problem you encountered in your four-tier rich client architecture and perform the solution described. Problem Web tier application fails during initialization with an error containing the following: Error during login. com.teamcenter.presentation. webclient.actions com. teamcenter.jeti.util. JetiResourceConfiguration Exception: TreeCache initialization failed Error indicating no server pool Solution When a host has multiple IP addresses, the JGroups software and JDK software arbitrarily choose one of them to use as the address to bind to for a server connection port. In some situations, as when using a Windows Network Load Balancer, not all local IP addresses are accessible to other hosts on the network. If the chosen IP address is not accessible, other cluster peers are not able to open sockets to that port. To avoid this error, specify a particular bind address using the bind.address Java system property, for example: Dbind.address= Java arguments can be specified in different ways on different application servers. For example, for a WebLogic managed server, use the WebLogic console server/configuration/server Start/Arguments field. Consult the application server's documentation. Either the server manager is not started or TreeCache communication is not occurring. Ensure that you correctly coordinated the server manager and web tier TreeCache configuration settings. Out-of-memory error during a call to getattrmappingsfordatasettype See the appropriate server installation guide (for Windows or UNIX/Linux). If you are using TCP communication, look for the GMS address during both application server startup and server manager startup. The GMS address indicates the service port obtained. It should be within the range of ports pinged by TreeCache peers. If you use WebSphere and this occurs when launching NX from the rich client, you must modify the JVM arguments in WebSphere to increase memory allocation. PLM Web Application Deployment B-1

102 Appendix B: B: Troubleshooting four-tier four-tier architecture architecture deployment deployment Problem Delays in opening a connection from the web tier to a Teamcenter server Warnings of discarded messages Error messages about the server manager pool ID handlejoin errors occur at startup Solution The web tier may be attempting a connection to the Teamcenter server on an IP address that is unavailable. If the host has multiple addresses and the primary address is not reachable, the Teamcenter web tier logs the following warning: The connection to the pool with ID pool ID is not available. Primary Address Host is IP-address and the Primary Address Port is port; In addition to the Primary Address, additional address(es) were found. Please ensure that the Primary Address used is the right one. This address can be changed by configuring the SERVER_HOST parameter. Inspect the web tier log file for status messages reported during server manager startup. If the server manager log contains a message similar to this, set the SERVER_HOST parameter in the serverpool.properties file to the correct IP address for the host. These warnings indicate that you have two clusters on the same port (multicast) or set of ports (TCP). Your environment is working because you used different names for each cluster, but this is not an optimal environment for performance. Siemens PLM Software recommends configuring a different port or set of ports for each environment. These messages indicate that the pool ID is in use by another server manager in the TreeCache cluster. Either place the server managers in different clusters or configure a distinct pool ID. Occasionally, TreeCache instances fail to accept connections and report handlejoin errors. Typically this error disappears if you restart one or more cluster members. To get additional information, increase the logging level for the tree cache and jgroups classes for both the application server and server manager: 1. Copy the log4j.xml file in the server manager run-time directory (TC_ROOT\pool_manager) to the application server instance startup directory. By default, the server manager run-time directory includes a log4j.xml file, but it logs only the warning level information. The default configuration sends log output to the console and the following files: TC_ROOT\pool_manager\logs\ServerManager\ process\servermanager.log APPSERVER_ROOTlogs\webTier\processwebTier.log 2. Edit log4j.xml so that more information is logged at run time. For example, to increase the log4j output for the B-2 Web Application Deployment PLM

103 Troubleshooting four-tier architecture deployment Problem Solution JBossCache and jgroup classes to the INFO level, edit the file: <logger name="org.jboss.cache" additivity="false"> <level value="info"/> <appender-ref ref="webtierappender"/> <appender-ref ref="processconsoleappender"/> </logger> <logger name="org.jgroups" additivity="false"> <level value="info"/> <appender-ref ref="webtierappender"/> <appender-ref ref="processconsoleappender"/> </logger> The JMX HTTP adaptor allows you to view the status of the server pool and dynamically change the pool configuration values (the values are not persistent). Access this functionality from the following URL: Configuration is correct, but run-time errors occur Either the server manager fails to start when employing multicast TreeCache mode or the following error message is received: Exception in thread "main" java.net.socketexception: Can't assign requested address. Replace host-name with the name of the host running the server manager. Replace jmx-port with the number of the port running the JMX HTTP adaptor. This port number is defined on the JMX HTTP Adaptor Port parameter when you install the server manager. Determine from logs whether users are frequently losing a server due to the server timing out and are then having a new server assigned. Server startup can consume a great amount of CPU. Consider increasing timeout values and/or the pool size. Check the internet protocol configuration on the server manager host and the web tier host and ensure that they match. Some application servers configure the Java virtual machine (JVM) to prefer the IPv4 stack. This is the case with recent versions of JBoss. Therefore, you must alter the preferipv4stack Java property on the server manage host to match the web tier configuration. By default, Java prefers to use Internet Protocol Version 6 (IPv6) addresses. Incomplete IPv6 configuration can cause Java socket exceptions that prevent the server manager from starting. For example, an IBM AIX server might be configured to have an IPv6 loopback address ::1 but no IPv6 ethernet address. Detect this problem on AIX with the command: netstat -ni PLM Web Application Deployment B-3

104 Appendix B: B: Troubleshooting four-tier four-tier architecture architecture deployment deployment Problem Solution If this is the case, either complete the IPv6 upgrade configuration as documented in the IBM System Management Guide or uncomment the following line in the mgrstart script: #JVM_ARGS="${JVM_ARGS} -Djava.net.preferIPv4Stack=true" This line adds the -Djava.net.preferIPv4Stack=true Java option, instructing the JVM to use IPv4 addresses for the server manager. If the web application server is running on the same host as the server manager, add this Java option to the web application startup script also. TreeCache connection failure after restarting or redeploying On a machine with multiple IP addresses, it may be necessary to configure the address used by the TreeCache. This address can be added to the TreeCacheTCP.xml file (for TCP mode) or the TreeCacheMcast.xml file (for Mcast mode). In the server manager, this file can be found in the TC_ROOT/pool_manager directory. In the Java EE application it can be found in the file JETIServerAccessor.jar in the staging area of the Web Application Manager. For Mcast mode, locate the UDP configuration line and add bind_addr=desired-address. For TCP mode, locate the TCP configuration line and add bind_addr=desired-address. Terminating a server manager instance by sending it a signal does not clean up the TreeCache data stored in other four-tier components regarding the terminated pool. When this server manager is restarted, it cleans up this information. However, termination of a server manager in this way sometimes leaves the TreeCache communication mechanisms in a corrupted state and the server manager is not able to rejoin the TreeCache cluster. The problem can be resolved by stopping all four-tier components (the application servers and server managers) in the TreeCache cluster and then restarting them all. This problem can usually be avoided by shutting the server manager down cleanly through the server manager administrative interface. A similar problem can occur after the Teamcenter web tier application is redeployed on the application server without stopping and restarting the application server. In this case, an extra TreeCache instance from the earlier deployment might still be running in the application server and this can interfere with proper functioning of the TreeCache. This can usually be resolved by stopping and restarting the application server. B-4 Web Application Deployment PLM

105 Troubleshooting four-tier architecture deployment Problem TreeCache initialization fails when starting the server manager or web tier application CFI_error displays when running AIE export in batch mode Solution Due to a Java run-time issue on Linux, these problems are more likely if the four-tier component is run with the nohup command on Linux and the process is terminated by sending it a signal. The following error messages in the log files indicate that the TreeCache port is already in use: FATAL - None /07/27-16:11:13,244 UTC - host- TreeCache initialization failed: com.teamcenter.jeti.serverassigner.serverassigner org.jgroups.channelexception: failed to start protocol stack Caused by: java.lang.exception: exception caused by TCP.start(): java.net.bindexception: No available port to bind to This error indicates that the TreeCache local service port you have configured is already in use either by another TreeCache instance or by some other process. To resolve this problem, choose a different port and restart/redeploy the reconfigured server manager or web tier application. When you run AIE Export in batch mode, Teamcenter displays a CFI error. This error occurs because jt.exe (Microsoft Task Scheduler) file is missing from the %WINDOWS% directory. To resolve this problem, perform the following steps: 1. Download the jt.zip utility from the following web site: ftp://ftp.microsoft.com/reskit/win2000 Server manager is not used/recognized by the web tier application when the manager is restarted without restarting the web tier 2. Expand the jt.exe file from the jt.zip file and copy it to your TC_ROOT\bin directory. If your server manager is joining a existing TreeCache cluster, the TreeCache Peers parameter for the server manager must contain the host name and port number of a web application server running the web tier application or the host/port pair of a server manager that has the web application server configured as a peer. In a simple environment with one manager and one web tier instance, you should configure the server manager to have the web tier instance as a peer and the web tier application must contain the server manager host and local service port in the TreeCache Peers context parameter. This allows you to start the server manager or the application server independently. PLM Web Application Deployment B-5

106 Appendix B: B: Troubleshooting four-tier four-tier architecture architecture deployment deployment Problem A server manager crash occurs with an error in the Java output that indicates the JVM detected an unexpected error Solution An error message, similar to the following, appears in the Java output and is identified in the hs_err_* file as an error in a compiler thread. # # An unexpected error has been detected by HotSpot Virtual Machine: # # SIGSEGV (11) at pc=ab2727b4, pid=183, tid=9 # # Java VM: Java HotSpot(TM) Server VM ( jinteg: : # 51 PA2.0 (acc_ap) mixed mode) # Problematic frame: # V [libjvm.sl+0xa727b4] # # An error report file with more information is saved as # hs_err_pid183.log # # Please report this error to HP customer support. #./run.sh[175]: 183 Abort(coredump) Excerpt from the hs_err_* file: # # An unexpected error has been detected by HotSpot Virtual Machine: # # EXCEPTION_ACCESS_VIOLATION (0xc ) at pc=0x6da225d6, pid=1272, # tid=3168 # # Java VM: Java HotSpot(TM) Server VM (1.5.0_05-b05 mixed mode) # Problematic frame: # V [jvm.dll+0x1e25d6] # T H R E A D Current thread (0x26a0adb0): JavaThread "CompilerThread1" daemon [ _thread_in_native, id=3168]. Current CompileTask: opto:1020 s! org.jacorb.orb.delegate.request(lorg/omg/corba/object; Ljava/lang/String;Z)Lorg/omg/CORBA/portable/OutputStream; (266 bytes) This is due to a known Java defect affecting the JVM. It may occur when there are enough calls to the server to cause the JRE to dynamically compile the relevant CORBA method. Sun recommends the following workarounds: Add the JVM parameter -XX:-EliminateLocks. (Some versions of Java do not support this parameter.) Use the.hotspot_compiler file to disable the compilation of the jacorb Delegate.request() method. See the documentation for your Java version to determine the proper location and contents of this file. Move to a later JVM. B-6 Web Application Deployment PLM

107 Troubleshooting four-tier architecture deployment Problem During a server manager startup or Java EE web application deployment the following error message is received when using multicast mode: java.net.bindexception: Can't assign requested address A CORBA COMM_FAILURE error is reported in the web tier Solution On some platforms or machines, the jgroups code used by TreeCache in the Teamcenter server manager or the Teamcenter Java EE application may fail to initialize when using mcast mode. This may be caused by using IPv6. This is to known to occur when using a Linux host but may also occur in other configurations. The following is a typical exception message with this error: ERROR /07/29-00:55:20,866 UTC - cili Error initializing JBoss Cache com.teamcenter.jeti.serversubpoolmanager. ServerPoolManager org.jgroups.channelexception: failed to start protocol stack at org.jgroups.jchannel.connect(jchannel.java:393) at org.jboss.cache.treecache.startservice(treecache.java: 1249) at org.jboss.system.servicembeansupport.jbossinternalstart(service MBeanSupport.java:274) at org.jboss.system.servicembeansupport.start(servicembeansupport. java:181) at com.teamcenter.jeti.sharedstore.init(sharedstore.java:144) at com.teamcenter.jeti.serversubpoolmanager.serverpoolmanager.init Cache(ServerPool Manager.java:2092) at com.teamcenter.jeti.serversubpoolmanager.serverpoolmanager.fini shinit(serverpoolmanager.java:449) at com.teamcenter.jeti.serversubpoolmanager.servermanager.main(ser vermanager.java:1480) Caused by: java.lang.exception: exception caused by UDP.start(): java.net.bindexception: Cannot assign requested address at org.jgroups.stack.protocol.handlespecialdownevent(protocol.java :600) at org.jgroups.stack.downhandler.run(protocol.java:117) If this occurs during server manager startup, uncomment the last line in the following block of the mgrstart script file, and restart the server manager. # Uncomment this line to tell Java to prefer IPv4 addresses. # This can fix socket errors on systems that do not have a fully # functional IPv6 configuration. A similar change may be needed # in the startup script for a Java EE application server. #JVM_ARGS="${JVM_ARGS} -Djava.net.preferIPv4Stack=true" If this error occurs during Java EE application deployment, consult your application server vendor's documentation for the proper JVM arguments settings. Another possible solution is to use TCP mode instead of mcast mode for both the Teamcenter server manager and Java EE application. This error usually indicates one of the following: 1. The Teamcenter server has terminated while processing a request. 2. The Teamcenter server encountered a serious error (for example, failed memory allocation) while attempting to process a request. The message generally does not indicate a problem in the web tier itself. Teamcenter server syslog files may contain information useful in diagnosing the root cause of Teamcenter server failures. PLM Web Application Deployment B-7

108 Appendix B: B: Troubleshooting four-tier four-tier architecture architecture deployment deployment Problem After publishing an item to an ODS, the Sun Java System Application Server becomes unresponsive. Solution A Teamcenter web application deployed on a Sun Java System Application Server can become unresponsive. This can occur especially when: You publish and item to the default ODS site that is also the site publishing the item. You attempt to view the published item's details in the home folder. To correct this problem, ensure that you have set the Thread Count and Initial Thread Count to at least the minimum values required (25 and 15 respectively) and restart the application server. Client-side Java session cookies are overwritten by web tier applications deployed in the same domain on a WebLogic application server. Depending on Teamcenter web tier activity, you may have to set these values higher than the minimum to get the best performance. Multiple applications deployed in the same WebLogic domain can cause client session cookies to overwrite each other. To avoid this, deploy your Teamcenter web application in a domain by itself or ensure each application has a separate cookie path. To set your web application session cookie path: 1. Navigate to the WEB-ROOT/staging-directory/webapp_root/WEB-INF directory for the application. WEB_ROOT is the location where you installed the Web Application Manager (insweb) for Windows or UNIX/Linux), and staging-directory is the directory where the specific web application was generated. 2. Open the weblogic.xml file and add the following elements: <session-param> <param-name>cookiepath</param-name> <param-value>/deployable-name</param-value> </session-param> Replace deployable-name with the deployable file name set in the Web Application Manager, for example, tc. 3. Launch the Web Application Manager (insweb). 4. Select the web application name and click Modify. B-8 Web Application Deployment PLM

109 Troubleshooting four-tier architecture deployment Problem Solution 5. In the Modify Web Application dialog box, click Generate Deployable File. 6. In the Generate Deployable File dialog box, click OK. The Web Application Manager displays the status of the installation in the Progress dialog box. When the installation is complete, click OK to close the Progress dialog box. During peak activity, the web tier encounters errors obtaining JCA connections. 7. Click OK to close the Modify Web Application dialog box. The Teamcenter web application is using all available connections in the connection pool. To avoid this, increase the number of available connections by increasing the Max_Capacity context parameter value in the web application WAR file. To set your web application maximum connection pool size: 1. Launch the Web Application Manager (insweb) for Windows or UNIX/Linux). 2. Select the web application name and click Modify. 3. In the Modify Web Application dialog box, click Modify Context Parameters. 4. In the Modify Context Parameters dialog box, locate Max_Capacity, double-click the Value column, and type a larger number. 5. Click OK and click Generate Deployable File. 6. In the Generate Deployable File dialog box, click OK. The Web Application Manager displays the status of the installation in the Progress dialog box. When the installation is complete, click OK to close the Progress dialog box. 7. Click OK to close the Modify Web Application dialog box. 8. Redeploy the WAR file in your application server. PLM Web Application Deployment B-9

110 Appendix B: B: Troubleshooting four-tier four-tier architecture architecture deployment deployment Problem Chinese characters are displayed as square blocks in the Teamcenter rich client. Solution If you use a nonnative language operating system version of Windows, you must install and enable the Multilingual User Interface (MUI) pack to ensure the language font is displayed properly. 1. Download and install the MUI pack for Windows from Microsoft. 2. Open the Regional and Language Options dialog box in the Windows Control Panel. 3. In the Languages tab, set the required language for the menus and dialogs. JBoss GA displays an error message during startup when installed on Oracle Solaris operating system. 4. In the Advanced tab and the Regional Options tab, set the required language. The following error message displays during JBoss startup: AttachmentStore MC bean (org.jboss.system.server.profileservice. repository.abstractattachmentstore)configuration does not specify the parameter type for constructor This is a known JBoss bug (JBAS-6981). You must edit the profile.xml file for your application server instance. Using the default server as an example, edit the {jboss gs}/server/default/conf/boodstrap/profile.xml file as follows: 1. Locate the following parameter element in the file: <!-- The attachment store --> <bean name="attachmentstore" class="org.jboss.system.server.profileservice. repository.abstractattachmentstore"> <constructor> <parameter> <inject bean="bootstrapprofilefactory" property="attachmentstoreroot" /> </parameter> </constructor> <property name="maindeployer"> <inject bean="maindeployer" /> </property> <property name="serializer"> <inject bean="attachmentsserializer" /> </property> <property name="persistencefactory"> <inject bean="persistencefactory" /> </property>. 2. Update the parameter element to include a class attribute: <parameter class="java.io.file"> 3. Save the file and restart the application server. B-10 Web Application Deployment PLM

111 Troubleshooting four-tier architecture deployment Problem During successive calls to get activity status in the Global Services user interface, out of memory errors are displayed. Teamcenter web application fails to deploy on JBoss with the following error message: Did not receive a response to the deployment operation within the allowed timeout period [60 seconds]. Check the server configuration file and the server logs to find more about the status of the deployment. Solution During large Global Services transactions, such as a replication manager transaction during site consolidation orchestration, you may encounter a Java out of memory error from the application server. This usually is caused by repeated checks on activity status (AuditActivity business object) from the Global Services user interface. The Java virtual machine (JVM) size grows with each call to get the status. To avoid this, reduce the application server s Java memory property to between 1200m and 1500m (-Xmx1200m or -Xmx1500m, respectively). The Teamcenter web application takes longer than the default 60 seconds the JBoss deployment scanner allows for deployments. Add the deployment-timeout attribute to the deployment-scanner element and set the value to at least 600 seconds before attempting to deploy the web application. <subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1"> <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" s scan-interval="5000" deployment-timeout="600"/> </subsystem> PLM Web Application Deployment B-11

112

113 Appendix C: Tuning WebSphere JVM memory consumption PLM Web Application Deployment

114

115 Appendix C: Tuning WebSphere JVM memory consumption If your Teamcenter application requires more memory than what is currently allocated in WebSphere, out-of-memory errors can occur. For example, if you use the NX Integration and attempt to launch NX from the rich client, Teamcenter may report an out-of-memory error during a call to getattrmappingsfordatasettype. If errors like this occur, you must modify the JVM arguments in WebSphere to increase memory allocation. For information about how to modify JVM arguments, see the IBM support article titled Setting generic JVM arguments in WebSphere Application Server: Before you tune JVM arguments, use memory profiling tools to analyze your memory issues and determine which tuning options you need to use. The following table provides some suggestions, but these may not be suitable in all cases. JVM options for tuning the WebSphere Application Server memory usage JVM option -Xms -Xmx Description Controls the initial size of the Java heap. Properly tuning this parameter reduces the overhead of garbage collection, improving server response time and throughput. For some applications, the default setting for this option may be too low, resulting in a high number of minor garbage collections. Controls the maximum size of the Java heap. In general, increasing the minimum/maximum heap size can improve startup, reduce the number of garbage collection occurrences, and increase the throughput until the heap no longer resides in physical memory. After the heap begins swapping to disk, Java performance suffers drastically. Therefore, The heap sizes should be set to values such that the maximum amount of memory the VM uses does not exceed the amount of available physical RAM. Typical default value Suggested value 50 MB 512 MB 256 MB 1024 MB PLM Web Application Deployment C-1

116 Appendix C: C: Tuning Tuning WebSphere WebSphere JVM JVM memory memory consumption consumption JVM options for tuning the WebSphere Application Server memory usage JVM option Description Typical default value Suggested value -XX:PermSize Sets the section of the heap reserved for the permanent generation of the reflective data for the JVM. This setting should be increased to optimize the performance of applications that dynamically load and unload many classes. Client: 32 MB Server: 64 MB 128 MB PermSize memory consumption is in addition to the -Xmx value set by the user on the JVM options. Setting this to a value of 128 MB eliminates the overhead of increasing this part of the heap. -XX:MaxPermSize Allows for the JVM to be able to increase the PermSize setting to the amount specified. Initially, when a VM is loaded, the MaxPermSize is the default value, but the VM does not actually use that amount until it is needed. If you set both PermSize and MaxPermSize to 256 MB, the overall heap increases by 256 MB in addition to the -Xmx setting. If an application needs to load or reload a large number of classes, the following error may result: messageoutofmemoryerror: PermGen space Typically, this means that the JVM started with an insufficient maximum value for permanent generation. N/A 256 MB C-2 Web Application Deployment PLM

117 Appendix D: Glossary PLM Web Application Deployment

118

119 Appendix D: Glossary B BLOB Binary large object; attribute type of undefined structure. BLOBs are stored as binary images within an object. business object Logical grouping of data attributes and properties that are manipulated at the enterprise level. A Global Services business object allows users to query for and update information in multiple data sources. business object definition file File that contains the XML-based definition of a Global Services business object. D data source System that manages enterprise data and can be accessed by Teamcenter. Examples are product knowledge management (PKM) systems, product lifecycle management systems, relational databases, enterprise resource planning (ERP) systems, component and supplier management (CSM) systems, mechanical design automation (MDA) systems, purchasing systems, systems engineering GroupWare, and maintenance, repair, and overhaul (MRO) systems. datastore Java Database Connectivity (JDBC) database instance used to store the Global Services configuration and business object definition (BOD) information. The majority of the objects in the datastore are stored as serialized objects for improved performance. The configuration and BOD files are serialized during the process of uploading them to the datastore. Global Services users with administrator privileges can access the Configuration Object form in Global Services that allows them to add, remove, and update objects in the datastore. See also business object definition file. E enterprise tier Teamcenter architectural tier that comprises a configurable pool of Teamcenter C++ server processes and a server manager. Larger sites can distribute the pool of server processes across multiple hosts. Smaller sites can run the pool of servers on the same host as the web tier. N network load balancer (NLB) HTTP web servers are configured to allow each HTTP web server in the load balanced cluster to respond to a virtual IP address. Requests to this virtual IP are intercepted and routed to a machine running one of the web servers in the cluster. PLM Web Application Deployment D-1

120 Appendix D: D: Glossary Glossary O Oracle home Directory in which Oracle software is installed on the Oracle server node. Oracle system identifier (SID) Alphanumeric word used to identify a collection of processes and associated memory structures as belonging to a particular Oracle database instance. The ORACLE_SID environment variable defines the Teamcenter-Oracle system identifier. P preference Configuration variable stored in a Teamcenter database and read when a Teamcenter session is initiated. Preferences allow administrators and users to configure many aspects of a session, such as user logon names and the columns displayed by default in a properties table. S site preference Teamcenter preference that applies to the entire site. SQL See Structured Query Language. Structured Query Language ANSI standard command and embedded language for manipulating data in a relational database. W Web Application Manager Graphical installation utility that generates supporting web files (WAR format) for a named web application. Web Application Manager also installs the rich client distribution server and creates distribution server instances. web archive (WAR) Web application that requires an HTTP web server and servlet engine. web tier Teamcenter architectural tier that comprises a Java application running in a Java Platform, Enterprise Edition (Java EE) application server. The web tier is responsible for communication between the client tier and enterprise tier. D-2 Web Application Deployment PLM

121

122 Siemens Industry Software Headquarters Granite Park One 5800 Granite Parkway Suite 600 Plano, TX USA Americas Granite Park One 5800 Granite Parkway Suite 600 Plano, TX USA Europe Stephenson House Sir William Siemens Square Frimley, Camberley Surrey, GU16 8QD +44 (0) Asia-Pacific Suites , 43/F AIA Kowloon Tower, Landmark East 100 How Ming Street Kwun Tong, Kowloon Hong Kong About Siemens PLM Software Siemens PLM Software, a business unit of the Siemens Industry Automation Division, is a leading global provider of product lifecycle management (PLM) software and services with 7 million licensed seats and 71,000 customers worldwide. Headquartered in Plano, Texas, Siemens PLM Software works collaboratively with companies to deliver open solutions that help them turn more ideas into successful products. For more information on Siemens PLM Software products and services, visit Siemens Product Lifecycle Management Software Inc. Siemens and the Siemens logo are registered trademarks of Siemens AG. D-Cubed, Femap, Geolus, GO PLM, I-deas, Insight, JT, NX, Parasolid, Solid Edge, Teamcenter, Tecnomatix and Velocity Series are trademarks or registered trademarks of Siemens Product Lifecycle Management Software Inc. or its subsidiaries in the United States and in other countries. All other trademarks, registered trademarks or service marks belong to their respective holders.