I struggled to set up Liberty to provide a Highly Available solution – if I shut down one TCPIP instance, I want to access Liberty through another TCPIP instance. In principle it is easy; but there is just a little problem when you are using certificates on the z/OS image. I’ll use names rather than IP addresses in the discussion below.
Take the simple scenario where you have your Liberty instance running on a z/OS image with IP address MVS1, port 9443.
Your web browser uses MVS1:9443/ibmmq/console to initiate the sign-on. As part of the TLS handshake Liberty sends down its certificate, which has a Subject Alternative Name (SAN) of MVS1. The browser checks that this SAN matches the host name it connected to and, as it matches, the logon proceeds.
You want to shut down that LPAR and run the work on another LPAR, MVS2. The Liberty instance starts up, binds to TCPIP and waits for requests. The web browser connects to MVS2, and Liberty sends down the same certificate with the SAN of MVS1. As MVS1 does not match MVS2, the browser complains, saying that someone could be stealing your information.
You could have a certificate for each LPAR, but this is additional administration overhead.
You also have the problem of getting your browser to the different IP address. This could mean a different URL, an update to the DNS server, a change of router configuration, or a change on your workstation to direct the request to a different place.
This has been solved using Virtual IP Addressing or VIPA. In simple terms, give the Web Server its own IP address, which can move around between different LPARs in a Sysplex.
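To make the certificate problem concrete, here is an added example (not code from the original post) that reimplements the host-name check a browser applies to a server certificate's Subject Alternative Names, following RFC 6125: dNSName entries are compared case-insensitively, a wildcard is accepted only as the whole leftmost label, and the Subject CN is ignored (as current browsers do). The host names MVS1, MVS2 and the VIPA name LIBVIPA are constructed for illustration. Run it and the per-LPAR certificate passes on MVS1, fails on MVS2, while a certificate issued for the VIPA name passes wherever the VIPA is currently active.

```python
"""Host-name check a browser applies to a server certificate's SANs.

Added example, not part of the original post. Host names MVS1, MVS2 and
LIBVIPA are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Certificate:
    """The parts of a server certificate that matter for host-name matching."""
    subject_cn: str                      # ignored by browsers when SANs are present
    san_dns: list[str] = field(default_factory=list)   # dNSName SAN entries


def _san_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison of one dNSName SAN against the connected host name.

    Both arguments are already lower-cased with any trailing dot removed.
    """
    if "*" not in pattern:
        return pattern == host
    # Only a leading "*." wildcard is accepted, and it covers exactly one label:
    # "*.example.com" matches "mvs1.example.com" but not "a.b.example.com"
    # and not the bare "example.com".
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Certificate, hostname: str) -> bool:
    """True if the host name the browser connected to is covered by the certificate."""
    host = hostname.lower().rstrip(".")
    return any(_san_matches(san.lower().rstrip("."), host) for san in cert.san_dns)


def verify(cert: Certificate, connected_to: str) -> tuple[bool, str]:
    """Return (ok, reason) the way a browser would report the check."""
    if hostname_matches(cert, connected_to):
        return True, f"certificate SAN covers {connected_to}; proceed with logon"
    return False, (f"certificate SAN {cert.san_dns} does not cover {connected_to}; "
                   f"browser warns that someone could be stealing your information")


def failover_scenario() -> dict[str, bool]:
    """The two set-ups from the text: one certificate per LPAR versus one for the VIPA."""
    per_lpar_cert = Certificate("MVS1", ["MVS1"])          # constructed
    vipa_cert = Certificate("LIBVIPA", ["LIBVIPA"])        # constructed
    return {
        # Liberty on its home LPAR: browser connected to MVS1, cert says MVS1
        "per_lpar_cert_on_MVS1": verify(per_lpar_cert, "MVS1")[0],
        # Liberty moved to MVS2: browser connected to MVS2, cert still says MVS1
        "per_lpar_cert_on_MVS2": verify(per_lpar_cert, "MVS2")[0],
        # VIPA: the browser always connects to LIBVIPA, whichever LPAR hosts it
        "vipa_cert_on_MVS1": verify(vipa_cert, "LIBVIPA")[0],
        "vipa_cert_on_MVS2": verify(vipa_cert, "LIBVIPA")[0],
    }


if __name__ == "__main__":
    for name, ok in failover_scenario().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

The point the scenario makes is that the check is against the name the browser connected to, not against where the server process happens to be running. Give the web server its own name and address (the VIPA) and issue the certificate for that name, and the same certificate is valid on every LPAR the VIPA can move to. If users connect by IP address rather than by name, the certificate would instead need an iPAddress SAN for the VIPA address; this example deals only with dNSName entries.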
This area has a lot of new, complex jargon. You have Static VIPAs, Dynamic VIPAs, and Distributed VIPAs. The TCP documentation is not bad, but it focuses on TCP/IP, not on how it will be used. The documentation has example configurations, but one configuration covers many scenarios. I was looking for a simple, getting started example.
There are a couple of ways of setting up the configuration.
- The simplest scenario: use VIPARANGE.
  - Liberty has its own IP address, which can be activated on different TCPIP images.
  - Once set up, when the web server binds to TCPIP, the IP address is created on that TCPIP image.
  - When the VIPA is active, the TCPIP image listens for requests. I had two TCPIP images listening on the same OSA connection. The connections went to one TCPIP. When I stopped that TCPIP, the connections automatically went to the other TCPIP. When I stopped both TCPIPs, the client got “No route to host (Host unreachable)”.
  - You can have a web server with the same IP address running on different TCPIP images at the same time (with different configuration files).
- Use Sysplex Distributor. This has a front-end IP address which takes connection requests and distributes them to TCPIP images. It can do this using “Hot Standby”, “round robin” and other techniques. If the front end is shut down, you can configure other TCPIP images to take over.