SECURITY WARNING
The information contained herein is proprietary to the Commonwealth of Pennsylvania and must not be
disclosed to unauthorized personnel. The recipient of this document, by its retention and use, agrees to
protect the information contained herein. Readers are advised that this document may be subject to the
terms of a non-disclosure agreement.
DO NOT DISCLOSE ANY OF THIS INFORMATION WITHOUT OBTAINING PERMISSION FROM
THE MANAGEMENT RESPONSIBLE FOR THIS DOCUMENT.
COMMONWEALTH OF PENNSYLVANIA
Version History

Date        Version  Modified By / Approved By   Section(s)  Comment
4/05/2007   1.0      K. Will (Editor)            All         Initial Version
9/12/2007   1.1      C. Reber (Editor)           All
9/26/2007   1.2      C. Reber                    All
9/27/2007
10/31/2007                                                   Update URLs.
02/25/2008  1.3      Scott White / C. Reber      1.2
11/06/2008  1.4      C. Reber                    Cover page
04/01/2009  1.5      C. Reber                    All         Update URLs
07/15/2009  1.6      C. Reber                    1.1
03/04/2010  1.7      C. Reber                    3.5
PAGE 2 OF 12
Table of Contents
Appendix A ........ 12
1.1 ESF OVERVIEW
The Commonwealth of Pennsylvania's Enterprise Server Farm (ESF) provides Hosting Services for
Agency Web-Based and Agency Specific applications. Its mission is to maintain a high level of security,
availability, reliability, and management of the Commonwealth of Pennsylvania's mission critical web
applications.
Refer to Enterprise Server Farm for a full description of the ESF and all hosting and service offerings.
1.1.1
If your agency is considering deploying applications in the ESF, examine the ESF web site to understand
the ESF Services Portfolio, and then contact your Service Coordinator (SC). SCs are liaisons between
agencies and the ESF. They answer preliminary questions and coordinate meetings with ESF personnel to
ensure consistent communication on simple or complex projects.
Refer to ESF Getting Started for an overview of the benefits, services, and options for hosting your
application at the CTC ESF.
Refer to ESF Services Coordinator to identify your agency Service Coordinator.
1.1.2
The ESF follows a well-defined deployment process for all application deployments. Application
development is performed at the agency or contractor location while the ESF houses both a staging and a
production environment, which are mirror images of each other. This structured deployment and testing
process ensures a stable application in production. Prior to entering the ESF, every new application is
required to undergo a security assessment.
Refer to Deploying in Managed Services to review MS deployment process documents.
Refer to Deploying in Managed Services Lite to review MSL deployment process documents.
1.1.3
1.2 ESF INFRASTRUCTURE
The ESF Web Farm architecture is segmented into security zones that are isolated from each other via
firewalls. The ESF Network contains the External DMZ security zone, the Internal Services security zone,
and the Internal DMZ security zone. These three primary networks are either physically or logically
connected to one another.
1.2.1
The External DMZ security zone contains Internet-facing servers that are connected to the Enterprise
DMZ. ESF-managed web servers (such as Managed Services) and Agency-managed servers (such as
Co-Location servers) both exist in the External DMZ Security zone. Managed Services and Co-Location
servers are on separate subnets secured by either firewalls or Access Control Lists (ACLs).
1.2.2
The Internal Services security zone contains Managed Services database servers and other application
servers from which dynamic content is obtained by web servers.
1.2.3
The Internal DMZ security zone contains the Managed Web and application servers that need to be
accessible only from the Commonwealth Metropolitan Area Network (MAN). This Security Zone also
contains internal Co-Location databases and web and application servers that are isolated from the
Managed Services servers.
When ESF Domain Controllers intercommunicate in a security zone, all communications use standard
RPC and do not require IPSEC encryption or authentication. Domain Controller-to-Domain Controller
communications between security zones only use IPSEC with Authentication Headers (AH).
Other host-to-AD Component communication in the Managed Services portion of the Enterprise Server
Farm does not require IPSEC. However, IPSEC is required for all communications between entities
outside the Managed Services and ESF AD components.
ESF WEBSPHERE MQ RULES OF ENGAGEMENT
2 WebSphere MQ Implementation
2.1 PURPOSE / OVERVIEW
2.2 ASSUMPTIONS
This document assumes that the reader has a basic understanding of message queuing and WebSphere
MQ and a good understanding of the operating system and associated utilities.
2.3 SCHEMATIC DIAGRAM
2.4 PREREQUISITES
For an application to use WebSphere MQ in the ESF, WebSphere MQ must reside in the External Active
Directory Forest, which trusts the internal CWOPA domain. This trust facilitates the Single Sign-On
security model whereby user accounts in CWOPA can grant access to the applications in the ESF. The
Application Management Team (AMT) has full administrative access over the External Active Directory
Forest.
2.5 IMPLEMENTATION DETAILS
The ESF hosts WebSphere MQ 5.3 to deliver messages reliably for applications in the ESF. WebSphere
MQ 5.3 is deployed on a single server located in the internal DMZ zone to ensure that it is only accessible
from internal applications and users, but can send messages to any location. Version 5.3 binaries and
CSD07 (FixPack 7) are installed for the most up-to-date security and feature availability possible.
WebSphere MQ 5.3 is installed in both the Staging and Production environments. The staging server
belongs to the BETAAPPS domain while the Production server resides in the APPS domain. Both servers
physically reside in the Managed Services Internal DMZ.
The foundation of WebSphere security is physical and logical isolation. ESF servers are in a physically
protected location (locked and conditioned Server Farm). WebSphere MQ is installed in a secure zone of
the Commonwealth intranet, and the servers are never directly connected to the Internet. The ESF backs
up all data regularly and stores copies in a secure off-site location.
3.2 NAMING CONVENTIONS
Naming conventions provide a standard approach to naming objects and make them easier to troubleshoot
and locate. Every object also needs a detailed description of its use. ESF requires the following naming
standards for WebSphere MQ:
For QMGR, the naming standard is XXApplicationName, where:
XX is the two-digit agency code
ApplicationName is the name of the application that is using WebSphere MQ
IBM has three main queue types:
Local
Remote Definition
Transmit
To make queue names intuitive for users, include the ApplicationName followed by a pipeline number (for
example 01) and an ESF-approved suffix. Numbering queues by pipeline keeps related queues together and
simplifies administration. ESF-approved suffixes are:
.QUEUE for local queues (receiving or worker)
.REMOTEQ for remote definition queues
.XMITQ for transmission queues
For example, if a remote definition queue points to a transmission queue, the remote queue is named
ApplicationName01.REMOTEQ and the transmission queue is named ApplicationName01.XMITQ.
Since a transmission queue hands its messages to a channel for delivery to the next destination, the pipeline ends there.
However, if the application is supposed to post a response back to a local queue for this pipeline, it retains
the same pipeline designation. For example, a local queue that captures responses is named
ApplicationName01.QUEUE.
Due to the way WebSphere MQ works, channel names must be the same on both the sending and
receiving QMGR. The naming standard for channel names is X_QMGR##.Y_QMGR##, where X and Y
can be local or remote. For example:
LOCAL_QMGR##.REMOTE_QMGR## is a sender channel
REMOTE_QMGR##.LOCAL_QMGR## is a receiving channel
This standard permits multiple channels within one QMGR for multiple purposes and allows the agency
to align with the pipeline number.
3.3 SERVICES
The Listener port service requires minor manual configuration of the QMGR access ports. Each QMGR
requires its own port to listen on and send from. IBM's default port value is TCP 1414, which is widely
known and used in the industry. Since the ESF is a shared environment, it uses the port range
TCP 4001-4010 instead.
The ESF port is not related to the sending party's port. The Listener port is configured for the QMGR to
receive messages and for remote administrative control. The sending party may send from any available
client port to this specific server port.
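The naming standard in 3.2 and the listener port range in 3.3 are the kind of rules an agency can check before submitting queue definitions to the ESF. The following lint script is an added example written for this page; it is not ESF or IBM code. It encodes the rules exactly as stated above (QMGR = two-digit agency code + ApplicationName; queue = ApplicationName + pipeline number + .QUEUE/.REMOTEQ/.XMITQ; channel = X_QMGR##.Y_QMGR##; listener port within TCP 4001-4010) and adds two consistency checks that follow from the text: every ##.REMOTEQ needs a ##.XMITQ for the same pipeline, and a sender channel needs a transmission queue for its pipeline. The agency code 16, the application name Permits, the remote QMGR identifier DMVHUB and all object names in SAMPLE are constructed.

```python
"""Lint WebSphere MQ object names and a listener port against the ESF naming
and port rules. Added example for this page, not ESF or IBM code; all sample
object names below are constructed."""
import re

# QMGR: two-digit agency code followed by the ApplicationName.
QMGR_RE = re.compile(r"^(?P<agency>\d{2})(?P<app>[A-Za-z][A-Za-z0-9]*)$")
# Queue: ApplicationName + pipeline number + one of the ESF-approved suffixes.
QUEUE_RE = re.compile(
    r"^(?P<app>[A-Za-z][A-Za-z0-9]*?)(?P<pipe>\d{2})\.(?P<suffix>QUEUE|REMOTEQ|XMITQ)$"
)
# Channel: X_QMGR##.Y_QMGR## (the same name is defined on both QMGRs).
CHANNEL_RE = re.compile(
    r"^(?P<src>[A-Z0-9]+)_QMGR(?P<spipe>\d{2})\.(?P<dst>[A-Z0-9]+)_QMGR(?P<dpipe>\d{2})$"
)
# Shared ESF listener range; IBM's default 1414 is deliberately not used.
ESF_LISTENER_PORTS = range(4001, 4011)  # TCP 4001-4010 inclusive


def parse_qmgr(name):
    m = QMGR_RE.match(name)
    return m.groupdict() if m else None


def parse_queue(name):
    m = QUEUE_RE.match(name)
    return m.groupdict() if m else None


def parse_channel(name):
    m = CHANNEL_RE.match(name)
    return m.groupdict() if m else None


def channel_kind(name, local_qmgr_id):
    """Local side on the left means a sender channel; on the right, a receiver."""
    ch = parse_channel(name)
    if ch is None:
        return None
    if ch["src"] == local_qmgr_id:
        return "sender"
    if ch["dst"] == local_qmgr_id:
        return "receiver"
    return "foreign"


def lint(qmgr, queues, channels, port, local_qmgr_id):
    """Return a list of findings; an empty list means the definitions conform."""
    findings = []
    qm = parse_qmgr(qmgr)
    app = qm["app"] if qm else None
    if qm is None:
        findings.append(f"QMGR {qmgr!r}: expected XXApplicationName")

    parsed = {}
    for q in queues:
        pq = parse_queue(q)
        if pq is None:
            findings.append(f"queue {q!r}: expected ApplicationName##.(QUEUE|REMOTEQ|XMITQ)")
            continue
        if app and pq["app"] != app:
            findings.append(f"queue {q!r}: application {pq['app']!r} does not match QMGR application {app!r}")
        parsed[q] = pq

    xmit_pipes = {p["pipe"] for p in parsed.values() if p["suffix"] == "XMITQ"}
    # A remote definition points at the transmission queue of the same pipeline,
    # so every ##.REMOTEQ needs a matching ##.XMITQ.
    for q, p in parsed.items():
        if p["suffix"] == "REMOTEQ" and p["pipe"] not in xmit_pipes:
            findings.append(f"queue {q!r}: no {p['app']}{p['pipe']}.XMITQ for this pipeline")

    for c in channels:
        pc = parse_channel(c)
        if pc is None:
            findings.append(f"channel {c!r}: expected X_QMGR##.Y_QMGR##")
            continue
        # A sender channel is fed by the transmission queue of its pipeline.
        if channel_kind(c, local_qmgr_id) == "sender" and pc["spipe"] not in xmit_pipes:
            findings.append(f"channel {c!r}: sender has no transmission queue for pipeline {pc['spipe']}")

    if port not in ESF_LISTENER_PORTS:
        findings.append(f"listener port {port}: outside the ESF range TCP 4001-4010")
    return findings


# Constructed sample definitions for one application (agency code 16 is made up).
SAMPLE = dict(
    qmgr="16Permits",
    queues=["Permits01.REMOTEQ", "Permits01.XMITQ", "Permits01.QUEUE",
            "Permits02.REMOTEQ", "Licenses01.QUEUE", "PERMITS.IN"],
    channels=["PERMITS_QMGR01.DMVHUB_QMGR01", "DMVHUB_QMGR01.PERMITS_QMGR01",
              "PERMITS_QMGR03.DMVHUB_QMGR03", "BADCHANNEL"],
    port=1414,
    local_qmgr_id="PERMITS",
)

if __name__ == "__main__":
    for finding in lint(**SAMPLE):
        print(finding)
```

Run against SAMPLE the script reports six findings: the Licenses queue belongs to a different application, PERMITS.IN does not follow the standard, Permits02.REMOTEQ has no transmission queue, the pipeline 03 sender channel has nothing to send from, BADCHANNEL is malformed, and port 1414 is outside the ESF range. The suffix set and port range are the only places to edit if the ESF standard changes.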
3.4
3.4.1
WebSphere MQ provides native application level clustering for high availability. Clustering provides
redundancy and process offloading to less utilized MQ servers. The ESF does not currently support a high
availability configuration with WebSphere MQ clustering. If your application requires a high availability
configuration, please contact your AAM to engage ESF.
3.4.2
To maintain reliability and availability for all applications, ESF does not install third party software or
custom applications on the shared WebSphere MQ server. This server is dedicated to sending and
receiving messages through WebSphere MQ. Additional applications are not supported on the WebSphere
MQ servers.
3.5 MONITORING
ESF operations deliver an enterprise-class solution for operations management and monitoring of
Windows servers and Windows infrastructure including Active Directory, Internet Information Services
(IIS), and SQL server.
Events are monitored so possible service outages or configuration problems are detected so the ESF can
quickly take corrective or preventive actions. The ESF manages critical functions to ensure that services
are operational and performing at a high degree of reliability.
The ESF requests that agencies provide monitoring requirements in ESF documentation so that they can
configure proactive monitoring.
3.6
The ESF performs a full backup of Managed Services servers nightly, Monday through Friday, and
incremental backups on Sundays. The ESF sends tapes to an off-site facility weekly and maintains a
weekly, monthly, and yearly tape archive. Daily and weekly tapes are redeployed in the rotation scheme
while yearly backups are retained for seven years.
3.7 CHANGE MANAGEMENT
3.8 SECURITY
3.8.1 Authentication
Applications should use a least-privilege account to connect to WebSphere MQ. WebSphere MQ uses
the local system account as the default account unless a requirement exists for the administrator to submit
records to the queues directly. If a user resides outside of ESF and requires direct access to the channel,
use a service account. However, if an incoming service is responsible for submitting to the Queue
Manager (QMGR), use a default account. Remote QMGR viewing is not supported, as it requires
administrative rights to the WebSphere MQ server.
3.9 MAINTENANCE
To perform periodic maintenance jobs, the ESF follows the standard Enterprise Maintenance window for
maintenances that affect a large number of applications. This window is from Sunday at 11 PM to
Monday at 4 AM. The weekly maintenance window is reserved for system and network level changes.
Agencies should not schedule tasks during this window since many of these changes require low
utilization, user lockout, or server reboots.
The ESF coordinates maintenance schedules that affect individual agencies or applications with agency
contacts. To learn more about Enterprise Network maintenance scheduling, see ESF and OA/OIT
Calendars.
5 Appendix A
Provide supplementary material, if available. If there are multiple appendices, add section additions (i.e.,
Section 5, Section 6, etc.) as required.