I’ve been setting up a Liberty web server, as used in MQWEB, z/OS Connect, z/OSMF and so on, and was looking into how to make this available, so I could move the web server to a different LPAR or TCP/IP instance.
Moving it should be easy – it is – but … but there are things you need to think about. It is a bit like going around a maze trying to find the solution.
How do I get to the fail over system?
You start the web server on a different LPAR in the sysplex. How can you support this to allow your browser to get to the backend, without changing the URL?
You have two choices.
- You change your DNS lookup, or router, so your request goes via a different connection (think different bit of wire) to the failover LPAR. These changes can be automated to some extent.
- Multiple z/OS images can listen for an IP address.
These work but…
The certificate sent down from the web server contains the address of the LPAR as part of the Subject Alternative Name (SAN). When the browser processes it, it compares the LPAR address in the certificate with the address it used to connect. If they do not match, the browser produces an error message.
How do I get over the certificate SAN and the IP address difference?
You have a couple of choices:
- Use a unique certificate on each LPAR. Yes, this works, but there is more administrative work to set up. You could set up two web servers and only use one at a time. This works, but it is unnecessary work.
- Use a Virtual IP address. In TCP networking the end of every connection is a “device” or system with its unique IP address. You can give the web server its own IP address, which is “virtual” as it is not a device or system. With this, when you start your web server on a different LPAR, it has the same IP address. To use this you have to configure z/OS to support it. You can set this up:
- To support multiple web servers, and distribute the work to them
- Have a hot standby
- To route traffic to where the web server has started.
Yes, these work, but it is not easy to set up. I’ll be blogging how to do this.
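The SAN comparison described above, as an added example (not code from Liberty or from any browser): a simplified Python version of the check a client makes, run for a certificate tied to one LPAR's address and for one tied to a virtual IP address. The 10.1.x.x addresses, the example.com host names and the function names are assumptions constructed for illustration.

```python
import ipaddress

def dns_matches(host, pattern):
    """Compare a host name with a DNS SAN entry, label by label."""
    host_labels = host.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False
    # A wildcard is honoured only as the whole left-most label, e.g. *.example.com
    if pat_labels[0] == "*":
        return len(pat_labels) > 2 and host_labels[1:] == pat_labels[1:]
    return host_labels == pat_labels

def san_matches(target, san_entries):
    """True if the address or name the client connected to is in the SAN.

    san_entries is a list of ("IP", value) or ("DNS", value) tuples.
    """
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None  # the client connected by host name
    for kind, value in san_entries:
        if target_ip is not None:
            # An IP target is only ever compared with IP entries
            if kind == "IP" and ipaddress.ip_address(value) == target_ip:
                return True
        elif kind == "DNS" and dns_matches(target, value):
            return True
    return False

# Constructed sample data: each LPAR's own address, plus a virtual IP address
LPAR_A, LPAR_B, VIPA = "10.1.1.2", "10.1.2.2", "10.1.9.9"
CERT_LPAR_A = [("IP", LPAR_A), ("DNS", "lpara.example.com")]
CERT_VIPA = [("IP", VIPA), ("DNS", "mqweb.example.com")]

def failover_report():
    """What the browser decides before and after the server moves."""
    return {
        "LPAR A cert, server on A": san_matches(LPAR_A, CERT_LPAR_A),
        "LPAR A cert, server moved to B": san_matches(LPAR_B, CERT_LPAR_A),
        "VIPA cert, server on either LPAR": san_matches(VIPA, CERT_VIPA),
    }

if __name__ == "__main__":
    for case, ok in failover_report().items():
        print(f"{case}: {'match' if ok else 'MISMATCH, browser error'}")
```
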