How to setup a DMZ Proxy Environment

DMZ Secure Proxy Environment setup for IP Forwarding
The DMZ Secure Proxy Server for IBM® WebSphere® Application Server was a new feature
introduced in the WebSphere Application Server V7.0 product. An IBM DMZ Secure Proxy server
provides a more secure proxy server that can be installed and used in demilitarized zone (DMZ)
topologies. The reduced risk is achieved by removing all functions/features not required for a
proxy from the application server. Also, the DMZ Secure proxy is designed to improve security by
minimizing the number of external ports opened.
In the diagram below, a topology is shown of DMZ Secure Proxy Server(s) configured and
deployed between a network of inner and outer firewalls.
[Figure: IP Forward with 2 DMZ Proxies fronted by F5 in a different subnet. Labels in the diagram: Intranet, DMZ, Public Network; Inner Firewall, Outer Firewall; F5 (load balancer front end on Subnet 2, load balancer back end on Subnet 3); DMZ Proxy; WAS1, WAS2; sipp; Subnet 1, Subnet 4, Subnet 5. © 2013 IBM Corporation]
Hardware and Software required for setup
Machines
For Single DMZ environment
Use one machine, Host 1
For Dual DMZ environment
Use two machines, Host 1 and Host 2
Need to install and configure the following:
- DMZ Secure Proxy Server
- WAS ND for Administrative Agent and Secure proxy (configuration-only)
For WAS ND environment
Use one machine, Host 3
Need to install and configure the following:
- WAS ND clustered environment
Note: This document assumes that Host 3 has existing WAS 8.5.5.0 ND clustered environment
installed/configured and ready to be fronted by the DMZ Secure Proxy Servers.
Software
- IBM Installation Manager (IM) 1.6.2
- DMZ Secure Proxy Server for IBM WebSphere Application Server Version 8.5.5.0
- IBM WebSphere Application Server Network Deployment Version 8.5.5.0
Software can be obtained from a number of external sources.
Install DMZ Secure Proxy Server on Host 1 and Host 2 (for Dual)
(1) Install IBM Installation Manager (IM) 1.6.2
(2) After install completes, and IM brought up, go to File->Preferences… and hit “Add
Repository” button
(3) In Repository field, enter the build repository location, for example,
/WASV855_NDDMZ/DMZ/repository.config
(4) After repository accepted, hit “OK”
(5) Now, click Install icon
(6) From the “Installation Packages” panel, select DMZ Secure Proxy Server for IBM
WebSphere Application Server Version 8.5.5.0
On the Panel click the Next> button
(7) The License Agreement panel appears
Select I accept the terms in the license agreement and then click the Next> button
(8) On this panel, take default or change the Shared Resources Directory and click the Next>
button
(9) The Installation Directory Panel appears
On this panel, take default or change Installation Directory, and then click the Next> button
(10) The Translations panel appears
On this panel, take default and click the Next> button
(11) The Features panel appears, take defaults and click the Next> button
(12) The Summary panel appears
On this panel, click the Install button to begin the installation
(13) The Results panel appears when Install finishes
For Which program do you want to start, take default, Profile Management Tool to create a
profile.
Click Finish button
Create the DMZ Secure Proxy Server profile on Host 1 and Host 2 (for Dual)
The IBM DMZ secure proxy server is equipped with capabilities to provide protection from
security risks. The security levels that can be assigned when creating the DMZ Secure Proxy
Server are High, Medium, or Low. The Medium and Low DMZ security levels support only
dynamic routing, while the High DMZ security level supports only static routing.
Static routing means the server obtains the routing information from local flat files. Dynamic
routing means the server obtains the routing information from a Hypertext Transfer Protocol
(HTTP) tunnel connection from the proxy server to a server in the secure zone.
The High DMZ security level cannot be used for SIP proxy servers because static routing is not
supported for the SIP proxy server.
When creating the secure proxy server profile, select the Low security level so that the DMZ
servers can be used for SIP proxy servers.
(1) Profile Management Tool panel appears
(2) On the Profiles panel
Click the Create button
(3) On Environment Selection panel
Select the Secure proxy environment
Click Next> button
(4) On Profile Creation Options panel
Select the Advanced profile creation and click Next>
(5) On Profile Name and Location panel
Take defaults and click Next> button
(6) On Node and Host Names panel
Take defaults and click Next>
(7) On Security Level Selection panel
Select the Low proxy security level
De-select the Web protocol
Click Next>
(8) On Administrative Security panel
Enable administrative security, enter User name and Password in fields and click Next>
(9) On Security Certificate (Part 1) panel
Take defaults and click Next>
(10) On Security Certificate (Part 2) panel
Take defaults and click Next>
Note: the default keystore password set here should be changed after the profile is created
(11) On Port Values Assignment panel
Take defaults and click Next>
(12) On Service Definition panel
Take defaults and click Next>
(13) On Profile Creation Summary panel
Important: Remember the Profile name, Node name, and Server name, these exact names are
needed to be used during the ND Secure proxy (configuration-only) setup
Click Create
(14) On Profile Creation Complete panel
Uncheck Launch the First steps console and click Finish
(15) On Profile Management Tool panel
File > Exit
To exit out of the Profile Management Tool
Install WAS Version 8.5.5 Network Deployment on Host 1 and Host 2 (for
Dual)
Install the IBM® WebSphere® Application Server Network Deployment (ND) code from the
product media or from an installation image onto machines where the real DMZ secure proxy
servers will be hosted. The ND install is performed so that an Administrative agent and a DMZ
Secure proxy (configuration-only) profile can be configured on those machines.
(1) Back on the IBM Installation Manager panel
Go to File->Preferences… and hit “Add Repository” button
(2) In Repository field, enter the build repository location, for example,
/WASV855_ND/WAS/repository.config
(3) After repository accepted, hit “OK”
click Install icon
(4) From the “Install Packages” panel, select IBM WebSphere Application Server Network
Deployment Version 8.5.5.0
and Click Next> button
(5) On License Agreement panel
Select I accept the terms in the license agreement and click Next> button
(6) On location panel, enter Installation Directory and click Next> button
(7) The Translations panel appears
On this panel, take default and click Next> button
(8) On Features panel
On this panel, take defaults and click Next> button
(9) On Summary panel
Click Install> to begin installation
(10) When Installation finishes
For which program do you want to start, take default and click Finish.
Create the Administrative Agent and Server proxy (configuration-only)
profiles on Host 1 and Host 2 (for Dual)
An Administrative agent is a component that provides enhanced management
capabilities for stand-alone application servers. This was a new concept introduced with the
WebSphere Application Server V7.0. The administrative agent can only manage application
servers that are installed in the same operating system image as the administrative agent.
Create an Administrative agent profile, with its sole purpose to be used to administer a DMZ
Secure proxy (configuration-only) profile. After the profile creation, start the Administrative agent.
A secure proxy (configuration-only) profile is for use with a DMZ secure proxy server. This
configuration-only profile is intended to be used only to configure the profile using the
administrative console of the Administrative agent. The configuration-only server cannot be
started or used for any work.
Create the DMZ Secure proxy (configuration-only) profile with the same server name, profile
name, node name, security level, and port values as the real DMZ secure proxy server.
(1) On the Profile Management Tool panel
Click the Create button
(2) On Environment Selection panel
Select Management and click Next>
(3) On Server Type Selection panel
Select Administrative agent and click Next>
(4) On Profile Creation Options panel
Select Typical profile creation and click Next>
(5) On Administrative Security panel
Enable administrative security here
Note: You must also enable administrative security when creating the Secure proxy
(configuration-only) profile, otherwise the Admin agent will not be able to manage the
node
Enter User name and Password in fields and click Next>
(6) On Profile Creation Summary panel
Click Create
(7) On Profile Creation Complete panel
Uncheck Launch the First steps console and click Finish
(8) On Profiles panel again
Click Create
(9) On Environment Selection panel
Select Secure proxy (configuration-only) and click Next>
(10) On Profile Creation Options panel
Select Advanced profile creation and click Next>
(11) On Profile Name and Location panel
Important: Make sure the Profile name matches that of the DMZ Secure Proxy Server created
earlier (step (13) of "Create the DMZ Secure Proxy Server profile" above)
and click Next>
(12) On Node and Host Names panel
Important: Make sure the Node name and Server name match those of the DMZ Secure Proxy Server
created earlier (step (13) of "Create the DMZ Secure Proxy Server profile" above)
and click Next>
(13) On Secure Level Selection panel
Select Low
De-select the Web protocol
Click Next>
(14) On Administrative Security panel
If you enabled administrative security on the Administrative agent creation, you must also
enable now and Enter User name and Password in fields and click Next>
(15) On Security Certificate (Part 1) panel
Take defaults and click Next>
(16) On Security Certificate (Part 2) panel
Take defaults and click Next>
Note: the default keystore password set here should be changed after the profile is created
(17) On Port Values Assignment panel
Click the Default Port Values to match the ports setup during the DMZ Secure Proxy
configuration
Click Next>
(18) On Profile Creation Summary panel
Make sure Profile name, Node name and Server name match those of DMZ Secure Proxy
server created earlier and click Create
(19) On Profile Creation Complete panel
Click Finish
(20) On Profiles panel
File > Exit
To exit out of Profile Management Tool
Need to register the Secure proxy (configuration-only) profile node with the
Administrative Agent on Host 1 and Host 2 (for Dual)
After the Secure proxy (configuration-only) profile has been created, register the node to the
Administrative agent. This is performed so that the secure proxy profile can be configured using
the administrative console of the Administrative agent.
(1) After the Secure proxy (configuration-only) profile has been created, start the Administrative
agent from directory
<WAS_HOME_ND_AdminAgent_profile_directory>/bin
Start the Administrative Agent
startServer adminagent
Once the Administrative agent is started
(2) Register the Secure proxy (configuration-only) node with Administrative agent
From <WAS_HOME_ND_AdminAgent_profile_directory>/bin
Run registerNode command
registerNode -conntype SOAP -port <SOAP_port> -profilePath <WAS_HOME_ND_Secure_proxy_configuration_only_profile_directory> -username <admin_agent_user> -password <admin_agent_passwd> -nodeusername <secure_config_only_user> -nodepassword <secure_config_only_passwd>
Note: The default SOAP port is 8877, but it may be different. The SOAP port value is listed in the
"AboutThisProfile.txt" file located at <WAS_HOME_ND_AdminAgent_profile_directory>/logs
Once the profile is registered, changes can be made to the Secure proxy (configuration-only) profile
through the Administrative Agent console
(http://<admin_agent_hostname>:<Administrative_port>/ibm/console)
Note: The Administrative default port is 9060, but may be different. The Administrative port value
is listed in the "AboutThisProfile.txt" file located at
<WAS_HOME_ND_AdminAgent_profile_directory>/logs
Create Core Group Tunnel connection between the DMZ Secure Proxy
server(s) and WAS 8.5.5 ND Cell
On Host 3 with WAS 8.5.5.0 ND internal cell clustered environment
If you are using a DMZ secure proxy server with dynamic routing, the routing information is
exchanged using core groups. In this case, you need to create a tunnel access point group to
establish a core group bridge tunnel between the core groups and DMZ proxy server.
The core group contains a bridge service that supports cluster services that span multiple core
groups. Core groups are connected by access point groups. A core group access point defines
a set of bridge interfaces that resolve IP addresses and ports. It is through this set of bridge
interfaces that the core group bridge provides access to a core group.
Any WebSphere Application Server process (dmgr, node agent, application server) can be a core
group bridge process for a core group. A process that is chosen for a core bridge should have
production activities or response times that will not be affected by the core bridge workload.
Node agents or application servers that do not host any applications can be used as bridges, but
it is best, if system resources permit, to use dedicated non-clustered application servers that do
not host applications.
Also it is best for a core group to have the core group bridges reside on different physical
systems, if possible. One bridge is typically sufficient for workload purposes, but two are
recommended in the event a bridge fails. The bridges in a core group partition high availability
(HA) data amongst the active bridges. To enable “seamless” core group failover, whereby the HA
state of the failed bridge will be recovered by the remaining bridge(s) without the data being
unavailable in the local core group, one should set the WAS Core Group custom property
IBM_CS_HAM_PROTOCOL_VERSION to 6.0.2.31.
For additional information on core group bridges, check the WebSphere Application Server
Version 8.5 information center (see Appendix).
To create the core group tunnel, go to the administrative console of the WebSphere Application
Server Network Deployment (ND) internal cell and do the following:
Log in to the WAS 8.5.5.0 ND Administrative Console
The steps below should be followed for each of the DMZ Secure Proxy servers. Each DMZ
external cell should have a tunnel to the WAS 8.5.5.0 ND internal cell nodes.
(1) Create Tunnel peer access points for the DMZ Secure Proxy server(s)
Go to Servers -> Core Groups -> Core group bridge settings
Under the Additional Properties click the Tunnel peer access points link
Click New
Name field enter <Anything unique>
Cell field enter <CELL_NAME_OF_DMZ_SECURE_PROXY1> can be found under directory
<DMZ_Secure_Proxy_Profile_directory>/config/cells
Accept the remaining defaults
Click OK and Save directly to master configuration
Repeat the above steps for the second DMZ secure proxy server
Click New
Name field enter <Anything unique>
Cell field enter <CELL_NAME_OF_DMZ_SECURE_PROXY2> can be found under directory
<DMZ_Secure_Proxy_Profile_directory>/config/cells
Accept the remaining defaults
Click OK and Save directly to master configuration
(2) Create Tunnel Template
Go to Core Groups -> Core group bridge settings
Under Additional Properties click Tunnel templates link
Click New
Enter Name for the template
Click OK and Save directly to the master configuration
(3) Create a Tunnel Access Point Group
Go to Core Groups -> Core group bridge settings
Under Additional Properties click the Tunnel access point groups link
Click New
(a) Step 1: Specify a Tunnel access point group name and then hit Next
(b) Step 2: Add core group access points
The DefaultCoreGroup contains all the servers and node agents in the WAS ND cell.
Select the DefaultCoreGroup and add (>) to the Core group access points in Tunnel access
point group and click Next
(c) Step 3: Add tunnel peer access points
The tunnel peer access points are those created prior for each DMZ Secure Proxy server.
Select the available core group tunnel peer access points and add (>) to the Tunnel peer
access points in the Tunnel access point group
Then click Next
(d) Step 4: Review summary and Click Finish
Save directly to the master configuration
(4) Create Bridge Interface(s)
This step can be done one time and is not related to the number of DMZ proxies.
For the bridge interface(s), the node agents of the WAS internal cell SIP nodes (members of the
DefaultCoreGroup) will be used.
(a) Go to Core group bridge settings -> Access point groups
Click DefaultAccessPointGroup link
Under Access points
Click Core group access points
(b) Select the DefaultCoreGroup (make sure it becomes highlighted) and click Show Detail
button
(c) In the Core Group page under Additional Properties
Click on the Bridge interfaces
(d) Select New
In the Bridge interfaces dropdown, select a node agent
Hit OK and Save directly to the master configuration.
Now select New again, and in the Bridge interfaces dropdown, select another node agent
Hit OK and Save directly to the master configuration.
Now two node agents are defined to act as core group bridges.
(e) Go to Core Groups -> Core group settings
Click on DefaultCoreGroup link
Under Additional Properties click Custom properties link
Click New and add property
Name IBM_CS_HAM_PROTOCOL_VERSION
Value 6.0.2.31
Click OK and Save directly to the master configuration.
(5) Associate the Tunnel Access Point Group with the Tunnel template
(a) Go to Core Groups -> Core group bridge settings -> Tunnel templates
Click on the template Name link
(b) Select the Tunnel Access Point Group (make sure it becomes highlighted) from the
dropdown list
Click OK and Save directly to the master configuration.
Make sure the Tunnel Access Point Group is now associated with the tunnel template.
(6) Export the Tunnel template
(a) Select (check) the Tunnel template and click the Export button
Make sure the export was successful. The MyTunnel.props file is created and placed in the
<WAS_HOME>/dmgr_profile directory.
Import the Tunnel Template with DMZ Secure Proxy and ND Secure proxy
(configuration-only) profile on Host 1 and Host 2 (Dual)
(1) Go to the <Secure Proxy (configuration-only) profile>/bin directory on each machine
Run the wsadmin command
wsadmin -conntype NONE -username <userid> -password <passwd>
From the wsadmin prompt, type
wsadmin>$AdminTask importTunnelTemplate -interactive
The command then prompts for its parameters:
Import tunnel template.
Import a tunnel template and its children into the cell-scoped configuration.
*Input file name. (inputFileName): <Name/location of WAS ND tunnel.props file>
*Bridge Interface Node Name. (bridgeInterfaceNodeName): <Name of Secure proxy node>
*Bridge Interface Server Name. (bridgeInterfaceServerName): <Name of Secure proxy server>
Import tunnel template.
F (Finish)
C (Cancel)
Select [F, C]: [F] F
Example of the command generated
WASX7278I: Generated command line: $AdminTask importTunnelTemplate {-inputFileName /MyTunnel.props -bridgeInterfaceNodeName svt-r1c3b06Node01 -bridgeInterfaceServerName proxy1}
wsadmin>$AdminConfig save
wsadmin>quit
Configure the DMZ Secure Proxy Server using Administrative Console on
Host 1 and Host 2 (for Dual) for IP Forwarding
The secure proxy server configurations are created and maintained as configuration-only profiles
and managed using the administrative console of the Administrative agent.
Make sure the Administrative agent is running.
(1) Access the Administrative Agent console to make changes to the Secure proxy (configuration-only) profile on each machine
http://<admin_agent_hostname>:<Administrative_port>/ibm/console
(2) Select the <Secure proxy (configuration-only) node> to administer and click Continue
button and log in to console
(3) Go to Servers -> Server Types -> WebSphere proxy servers
(4) Click the <proxy_name> link
Under Proxy Settings
Open Sip Proxy Server Settings and click Sip proxy settings link
In the Default cluster field,
Enter the name of the WAS ND cluster you want the DMZ Secure proxy to route traffic thru.
The cluster name is the one defined on the WebSphere Application Server ND cell.
Click OK and Save directly to the master configuration.
(5) Click the <proxy_name> link
Under Proxy Settings
Open SIP Proxy Server Settings and click the Sip proxy settings link
Under Additional Properties click Custom properties link
Click New and add the properties below, clicking OK and Save to the master configuration after
each entry
Name sipClusterCellName, Value <CellName of the remote ND cell containing the cluster that traffic is routed through>
Name LBIPAddr, Value <IP of Load Balancer>
Name SIPAdvisorMethodName, Value OPTIONS
Name UDPMultiThreadingEnabled, Value true
Name burstResetFactor, Value 120
Name clusterRouteConfigUpdateDelay, Value 60000
Name forceRport, Value true
Name isSipComplianceEnabled, Value false
Name keepAliveFailures, Value 3
Name keepAliveInterval, Value 2000
Name localOutboundTCPAddress, Value <IP or hostname of DMZ proxy>
Name localOutboundTCPPort, Value 1080
Name maxDeflatorRatio, Value 10
Name maxThroughputFactor, Value 90
Name minDeflatorRatio, Value 6
Name perSecondBurstFactor, Value 200
Name proxyTransitionPeriod, Value 360
Name receiveBufferSizeSocket, Value 3000000
Name sendBufferSizeSocket, Value 3000000
Name tcp.IPSprayer.host, Value <Load Balancer cluster IP>
Name tcp.IPSprayer.port, Value <Port for TCP>, for example 5060
Name tls.IPSprayer.host, Value <Load Balancer cluster IP>
Name tls.IPSprayer.port, Value <Port for TLS>, for example 5061
Name useViaSentByForOutboundConnections, Value true
Export and import of the configuration preserve the port settings, so serverindex.xml no longer
needs to be copied manually to the DMZ Secure Proxy server.
(6) Go to Servers -> Server Types -> WebSphere proxy servers
Click the <proxy_name> link
Under Communications
Click Ports link
Click on PROXY_HTTPS_ADDRESS and change * to <IP or hostname of DMZ proxy>, then click OK and
Save directly to the master configuration
Click on PROXY_HTTP_ADDRESS and change * to <IP or hostname of DMZ proxy>, then click OK and
Save directly to the master configuration
Click on PROXY_SIPS_ADDRESS and change * to <IP or hostname of DMZ proxy>, then click OK and
Save directly to the master configuration
Click on PROXY_SIP_ADDRESS and change * to <IP or hostname of DMZ proxy>, then click OK and
Save directly to the master configuration
Binding each endpoint to a specific address instead of * keeps the proxy from listening on every
interface of the DMZ host.
(7) Go to Servers -> Server Types -> WebSphere proxy servers
Click the <proxy_name> link
Under Java and Process Management
Click Process definition and then Java Virtual Machine
Enable (check) Verbose garbage collection
Set Initial heap size 300 MB
Set Maximum heap size 450 MB
Set Generic JVM arguments
-Xtrace:none -Xmo120m -Xgcpolicy:gencon -Xtgc:parallel
-Xgc:noAdaptiveTenure,tenureAge=8,stdGlobalCompactToSatisfyAllocate
-Xdump:heap:events=user,request=exclusive+prepwalk+compact -Xloa -Xloaminimum0.03
-XX:MaxDirectMemorySize=256000000 -Xcompactexplicitgc
Click OK and Save to the master configuration
(8) Go to Servers -> Server Types -> WebSphere proxy servers
Click the <proxy_name> link
Under Java and Process Management
Click Monitoring policy
Change Maximum startup attempts to 2
Change Ping interval to 30
Change Ping timeout to 60
Click OK and Save to the master configuration
(9) Go to Servers -> Server Types -> WebSphere proxy servers
Click the <proxy_name> link
Under Troubleshooting
Click Logging and trace and click JVM Logs
System.out
Change File Size Maximum to 20 MB
Change Maximum Number of Historical Log Files to 2
System.err
Change File Size Maximum to 20 MB
Change Maximum Number of Historical Log Files to 2
Click OK and Save to the master configuration
(10) Go to Servers -> Server Types -> WebSphere proxy servers
Click the <proxy_name> link
Under Administration
Click Custom properties
Click New and add
Name IBM_CLUSTER_RUNRULES_TIMER_TIME
Value 1000
Click OK and Save to the master configuration
Export the Proxy Profile from Secure proxy (configuration-only) on Host 1
and Host 2 (for Dual) and transfer to DMZ Secure Proxy servers
The secure proxy server (configuration-only) profile configuration is exported to a configuration
archive (CAR) file using the exportProxyProfile wsadmin command. The CAR file is then
transferred to the real secure proxy server installation, where it is then imported into the DMZ
Secure Proxy Server using the importProxyProfile wsadmin command. Repeat this process if any
additional changes are made to the secure proxy server configuration.
(1) Go to the <Secure proxy (configuration-only) profile>/bin directory for each DMZ Proxy
Server
Run the following wsadmin command
wsadmin -conntype NONE -lang jython
From wsadmin prompt export the proxy profile
wsadmin>AdminTask.exportProxyProfile(['-archive', 'myCell.car'])
''
wsadmin>quit
(2) Transfer/copy archive file to appropriate DMZ Secure proxy server on Host 1 and Host 2
Copy/transfer the myCell.car to the <DMZ Secure proxy server runtime profile>/bin directory.
Import the Secure proxy (configuration-only) archive to appropriate DMZ
Secure Proxy server
(1) Start the DMZ Secure proxy server
Go to the <DMZ Secure proxy server runtime profile>/bin directory for each DMZ Proxy Server
startServer <proxy_server_name>
Run the following wsadmin command
wsadmin -lang jython -username <user> -password <passwd>
From the wsadmin prompt import the proxy profile
wsadmin>AdminTask.importProxyProfile(['-archive', 'myCell.car', '-deleteExistingServers', 'true'])
''
wsadmin>AdminConfig.save()
''
wsadmin>quit
The importProxyProfile command used with the deleteExistingServers option should ensure
all configuration data (including serverindex.xml information) was transferred properly to the
runtime DMZ Secure Proxy server profile.
Configure the Trust association between the DMZ Secure Proxy servers
and the internal WebSphere 8.5.5 ND Cell
Make sure the dmgr, node agents and cluster members on the WebSphere 8.5.5 ND internal
cell have been started.
(1) The ssl.client.props file contains the location of the key.p12 and trust.p12 files on the
systems. On the DMZ Secure proxy servers, the ssl.client.props is located in the <DMZ Secure
proxy server profile>/properties directory.
For the DMZ Secure proxy servers, modify the following lines:
com.ibm.ssl.keyStore=${user.root}/etc/key.p12
to
com.ibm.ssl.keyStore=${user.root}/config/cells/<DMZCellName>/nodes/<DMZNodeName>/key.p12
and
com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
to
com.ibm.ssl.trustStore=${user.root}/config/cells/<DMZCellName>/nodes/<DMZNodeName>/trust.p12
This will ensure that the key and trust store files are located in the proper profile configuration
location for the DMZ proxy servers.
(2) Go to the <DMZ Secure proxy server runtime profile>/bin directory for each DMZ proxy
server
Run the retrieveSigners command
retrieveSigners -conntype SOAP -port <dmgr_SOAP_port> -host <dmgr_host_name> -username <dmgr_user> -password <dmgr_user_passwd> -listRemoteKeyStoreNames -listLocalKeyStoreNames -autoAcceptBootstrapSigner
This command configures the trust association between the WebSphere internal cell servers and
the DMZ external cell by adding the cell's signer to the DMZ proxy server's trust store (trust.p12).
Note that -autoAcceptBootstrapSigner accepts whatever signer is presented on that SOAP connection
without a fingerprint check; omit it if you want to compare the fingerprint at the prompt against
the one shown in the dmgr console.
For Windows, if the Administrative agent server is running on the machine, then execute the
retrieveSigners command again with the configured interprocess communications (IPC) port.
retrieveSigners -username <dmzuser> -password <dmzpasswd> NodeDefaultTrustStore ClientDefaultTrustStore -conntype IPC -host localhost -port <local_IPC_port> -autoAcceptBootstrapSigner
For backup, copy the trust.p12 file from the
<DMZ Secure proxy server runtime
profile>/config/cells/<DMZCellName>/nodes/<DMZNodeName> directory to the <DMZ Secure
proxy server runtime profile>/etc directory.
(3) Stop and restart each DMZ Secure Proxy server
You are now ready to send SIP traffic through the Load Balancer to the DMZ Secure proxy servers
it fronts.
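The command-line steps that the preceding sections run on each DMZ host (registerNode with the administrative agent's SOAP port read from AboutThisProfile.txt, the importTunnelTemplate and export/importProxyProfile wsadmin calls, the ssl.client.props edit and retrieveSigners) collected into POSIX shell functions. This is an added example and not part of the IBM document; the .sh script names, the profile directories, the environment variables that carry credentials, the store names passed to retrieveSigners and the assumed "label: value" layout of AboutThisProfile.txt are assumptions to check against your installation.

```shell
#!/bin/sh
# Added example, not part of the IBM document: shell helpers for the
# command-line steps on a DMZ host (Host 1 / Host 2). The profile paths,
# the .sh script names, the wording of AboutThisProfile.txt and the
# environment variables holding credentials are assumptions; adjust them
# to your installation.

# Read a port from <profile>/logs/AboutThisProfile.txt, which is assumed to
# contain lines such as "SOAP connector port: 8877". Prints nothing if the
# label is absent.
#   $1 = AboutThisProfile.txt   $2 = label, e.g. "SOAP connector port"
profile_port() {
    sed -n "s/^$2: *\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# Point ssl.client.props at the key/trust stores under the node directory,
# as described in the trust association section. A .bak copy is kept.
#   $1 = ssl.client.props   $2 = DMZ cell name   $3 = DMZ node name
fix_ssl_client_props() {
    node_dir='${user.root}'"/config/cells/$2/nodes/$3"
    sed -i.bak \
        -e "s|^com\.ibm\.ssl\.keyStore=.*|com.ibm.ssl.keyStore=$node_dir/key.p12|" \
        -e "s|^com\.ibm\.ssl\.trustStore=.*|com.ibm.ssl.trustStore=$node_dir/trust.p12|" \
        "$1"
}

# Run a Jython snippet (read from stdin) with a profile's wsadmin.
#   $1 = profile dir; remaining args go to wsadmin (e.g. -conntype NONE)
run_jython() {
    profile=$1; shift
    script=$(mktemp) && cat > "$script"
    "$profile/bin/wsadmin.sh" -lang jython "$@" -f "$script"
    rc=$?; rm -f "$script"; return $rc
}

# Register the config-only node with the administrative agent, taking the
# agent's SOAP port from its profile instead of assuming 8877.
#   $1 = admin agent profile dir   $2 = config-only profile dir
register_config_node() {
    port=$(profile_port "$1/logs/AboutThisProfile.txt" 'SOAP connector port')
    [ -n "$port" ] || { echo "admin agent SOAP port not found" >&2; return 1; }
    "$1/bin/registerNode.sh" -conntype SOAP -port "$port" -profilePath "$2" \
        -username "$AGENT_USER" -password "$AGENT_PASS" \
        -nodeusername "$NODE_USER" -nodepassword "$NODE_PASS"
}

# Import the tunnel template exported from the ND cell into the config-only profile.
#   $1 = config-only profile dir  $2 = MyTunnel.props  $3 = proxy node  $4 = proxy server
import_tunnel_template() {
    run_jython "$1" -conntype NONE <<EOF
AdminTask.importTunnelTemplate(['-inputFileName', '$2', '-bridgeInterfaceNodeName', '$3', '-bridgeInterfaceServerName', '$4'])
AdminConfig.save()
EOF
}

# Export the config-only profile to a CAR and import it into the running
# runtime proxy, replacing the server definition it already holds.
#   $1 = config-only profile dir   $2 = runtime proxy profile dir
sync_proxy_profile() {
    car="$2/bin/myCell.car"
    run_jython "$1" -conntype NONE <<EOF
AdminTask.exportProxyProfile(['-archive', '$car'])
EOF
    run_jython "$2" -username "$NODE_USER" -password "$NODE_PASS" <<EOF
AdminTask.importProxyProfile(['-archive', '$car', '-deleteExistingServers', 'true'])
AdminConfig.save()
EOF
}

# Pull the ND cell's signer into the proxy's trust store. The store names are
# the usual defaults (assumption); confirm them with -listRemoteKeyStoreNames
# and -listLocalKeyStoreNames. Extra arguments (e.g. -autoAcceptBootstrapSigner)
# are passed through.
#   $1 = runtime proxy profile dir   $2 = dmgr host   $3 = dmgr SOAP port
fetch_signers() {
    rt=$1; host=$2; port=$3; shift 3
    "$rt/bin/retrieveSigners.sh" CellDefaultTrustStore ClientDefaultTrustStore \
        -conntype SOAP -host "$host" -port "$port" \
        -username "$DMGR_USER" -password "$DMGR_PASS" "$@"
}

# Order of operations from the document; the console edits to the
# configuration-only profile happen between the tunnel import and the sync.
dmz_host_setup() {
    register_config_node "$AGENT_PROFILE" "$CFG_PROFILE"
    import_tunnel_template "$CFG_PROFILE" "$TUNNEL_PROPS" "$DMZ_NODE" "$PROXY_SERVER"
    "$RT_PROFILE/bin/startServer.sh" "$PROXY_SERVER"
    sync_proxy_profile "$CFG_PROFILE" "$RT_PROFILE"
    fix_ssl_client_props "$RT_PROFILE/properties/ssl.client.props" "$DMZ_CELL" "$DMZ_NODE"
    fetch_signers "$RT_PROFILE" "$DMGR_HOST" "$DMGR_SOAP_PORT"
    "$RT_PROFILE/bin/stopServer.sh" "$PROXY_SERVER" -username "$NODE_USER" -password "$NODE_PASS"
    "$RT_PROFILE/bin/startServer.sh" "$PROXY_SERVER"
}
```

Source the file, export AGENT_PROFILE, CFG_PROFILE, RT_PROFILE, TUNNEL_PROPS, DMZ_CELL, DMZ_NODE, PROXY_SERVER, DMGR_HOST, DMGR_SOAP_PORT and the credential variables, then call dmz_host_setup. fetch_signers deliberately does not add -autoAcceptBootstrapSigner on its own: on a DMZ host that flag trusts whatever answers on the dmgr SOAP port without a fingerprint check, so either compare the fingerprint at the prompt with the one in the dmgr console or pass the flag only when the path to the dmgr is itself trusted.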
Configuring DMZ Firewalls
Configuration setup for the DMZ Secure proxies fronted by an F5 with Inner and Outer firewalls.
[Figure (repeated from the introduction): IP Forward with 2 DMZ Proxies fronted by F5 in a different subnet]
Inner Firewall rules

From IP            | From Port            | To IP                                               | To Port             | Protocol   | Comments
DMZ Secure proxies | Ephemeral port range | Core Bridge servers (WAS internal cell node agents)  | Bridge DCS port     | TCP or TLS | Incoming DCS
DMZ Secure proxies | Ephemeral port range | WAS internal cell SIP containers                    | 5060,5061,5062,5063 | TCP or TLS | SIP
DMZ Secure proxies | Ephemeral port range | WAS internal cell DMGR                              | DMGR SOAP port      | SOAP       | Incoming SOAP*
Keep the SSH port open. Block all other ports not used.

The "To IP" for each Core Bridge server is listed in the MyTunnel.props file exported in step (6) of
the core group tunnel section; the bridges are the node agents chosen as bridge interfaces in step
(4)(d). The "To Port" for each Core Bridge server is the port of its DCS_UNICAST_ADDRESS. DMZ
Secure proxies reach the WAS containers over TCP or TLS.
* In order for the DMZ external cells to trust the WAS internal cell servers, the retrieveSigners
command in "Configure the Trust association" is run, which uses this SOAP port.
Outer Firewall rules

From IP            | From Port | To IP                       | To Port   | Protocol | Comments
Incoming Clients*  | Any       | Virtual IP of Load Balancer | 5060,5061 | TCP/TLS  | Incoming Clients
DMZ Secure proxies | Any       | Outgoing Clients*           | 5060,5061 | TCP/TLS  | Outgoing Clients
Block all other ports not used.

* In the case of a gateway, the clients are external communities/other gateways whose IP(s) or
range of IP(s) are known, so the customer opens the firewall only to those specific IP(s) or
range of IP(s).
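The two firewall tables rendered as iptables-restore rulesets for a Linux packet filter sitting in the forwarding path, with a default DROP policy, stateful return traffic, and the source-port restriction the inner table calls for. This is an added example and not from the IBM document: the addresses, the DCS and SOAP port numbers, the SSH admin host and the ephemeral range are constructed sample values; on a real cell read the bridge port from each bridge node agent's DCS_UNICAST_ADDRESS and the dmgr port from its SOAP_CONNECTOR_ADDRESS.

```shell
#!/bin/sh
# Added example, not part of the IBM document: render the inner and outer
# firewall tables as iptables-restore rulesets. All addresses and the port
# numbers below are constructed sample values; take the bridge port from
# DCS_UNICAST_ADDRESS of each bridge node agent and the dmgr port from its
# SOAP_CONNECTOR_ADDRESS (both in the cell's serverindex.xml).

# Constructed sample topology.
DMZ_PROXIES="10.4.0.11 10.4.0.12"        # DMZ Secure proxies
BRIDGE_NODEAGENTS="10.1.0.21 10.1.0.22"  # node agents used as core group bridges
SIP_CONTAINERS="10.1.0.21 10.1.0.22"     # WAS1/WAS2 SIP containers
DMGR="10.1.0.20"                         # deployment manager
ADMIN_HOSTS="10.1.0.5"                   # intranet host allowed to SSH into the DMZ (assumption)
LB_VIP="203.0.113.10"                    # load balancer virtual IP
CLIENT_NETS="198.51.100.0/24"            # known peer gateways; widen only if you must
BRIDGE_DCS_PORT=9353                     # assumption, see above
DMGR_SOAP_PORT=8879                      # assumption, see above
EPHEMERAL="32768:60999"                  # Linux default ip_local_port_range

# One stateful allow rule per (source, destination) pair, source-port
# restricted to the ephemeral range as the inner table requires.
#   $1 = sources  $2 = destinations  $3 = --dport spec  $4 = comment
allow_new() {
    for s in $1; do
        for d in $2; do
            printf '%s -s %s -d %s -p tcp --sport %s --dport %s -m conntrack --ctstate NEW -m comment --comment "%s" -j ACCEPT\n' \
                '-A FORWARD' "$s" "$d" "$EPHEMERAL" "$3" "$4"
        done
    done
}

# Inner firewall: proxies -> DCS bridges, SIP containers, dmgr SOAP; SSH in; drop the rest.
inner_firewall_rules() {
    printf '*filter\n:FORWARD DROP [0:0]\n'
    printf '%s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' '-A FORWARD'
    allow_new "$DMZ_PROXIES" "$BRIDGE_NODEAGENTS" "$BRIDGE_DCS_PORT" "core group bridge tunnel (DCS)"
    allow_new "$DMZ_PROXIES" "$SIP_CONTAINERS" "5060:5063" "SIP TCP/TLS to containers"
    allow_new "$DMZ_PROXIES" "$DMGR" "$DMGR_SOAP_PORT" "dmgr SOAP for retrieveSigners"
    for a in $ADMIN_HOSTS; do for p in $DMZ_PROXIES; do
        printf '%s -s %s -d %s -p tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "SSH from admin host" -j ACCEPT\n' \
            '-A FORWARD' "$a" "$p"
    done; done
    printf 'COMMIT\n'
}

# Outer firewall: known clients -> load balancer VIP; proxies -> clients; drop the rest.
outer_firewall_rules() {
    printf '*filter\n:FORWARD DROP [0:0]\n'
    printf '%s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' '-A FORWARD'
    for c in $CLIENT_NETS; do
        printf '%s -s %s -d %s -p tcp -m multiport --dports 5060,5061 -m conntrack --ctstate NEW -m comment --comment "incoming SIP clients" -j ACCEPT\n' \
            '-A FORWARD' "$c" "$LB_VIP"
        for p in $DMZ_PROXIES; do
            printf '%s -s %s -d %s -p tcp -m multiport --dports 5060,5061 -m conntrack --ctstate NEW -m comment --comment "outgoing SIP to clients" -j ACCEPT\n' \
                '-A FORWARD' "$p" "$c"
        done
    done
    printf 'COMMIT\n'
}
```

Generate and syntax-check before loading: inner_firewall_rules > inner.rules && iptables-restore --test inner.rules (same for outer_firewall_rules). Both tables list only TCP and TLS, so the rules carry no UDP entries even though the proxy itself has UDP settings; if SIP over UDP must cross a firewall, add those rules explicitly rather than widening the policy.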
Appendix
WebSphere Application Server Version 8.5 information center
http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp
IBM WebSphere Application Server V8.5 Concepts, Planning, and Design Guide
http://www.redbooks.ibm.com/redbooks/pdfs/sg248022.pdf
Configuring and Deploying WebSphere SIP Environments
https://www.ibm.com/developerworks/community/wikis/home?lang=en#/wiki/WebSphere SIP and CEA/page/Configuring and Deploying WebSphere SIP Environments