HowTo: Prepare RedHat OS for IBM Connections

Hi all,

this time I would like to share some hints and best-practice information on how to prepare a Red Hat operating system for the best security and performance when installing IBM Connections 5.

Please note: this information is written explicitly for Red Hat 6; other operating systems might differ in some parts. It is not a guide for hardening a system – this is something the Linux administrators can do for us ;-). See it more as a collection of information on where to start when preparing the operating system for an IBM Connections installation. These settings might not fit all environments – you need to carefully fine-tune your IBM Connections environment in order to get the best possible performance and security out of the system.

Users

When it comes to an enterprise production environment, it is a must for me to perform a non-root installation. This makes the system much more secure.

So let's first create a non-root user that is able to install and run IBM Connections:

create a group and a user:

groupadd -g 1100 wasadmins
useradd -d /ibm/chroot/home/wasadmins -g 1100 -m -u 1100 wasadmin
passwd wasadmin   # input a strong password for this user

You may consider setting the password to never expire if a password policy is active:

chage -I -1 -m 0 -M 99999 -E -1 wasadmin

Restrict the ssh login so that only the non-root user can log in to the system:
edit the file /etc/ssh/sshd_config and set:

AllowUsers wasadmin

restart the ssh daemon (service sshd restart on Red Hat 6) and verify the new login from a second session before closing the current one, because this setting also locks root out of ssh.

Linux Limits

Another important task is to raise the file / process limits to an appropriate level. The defaults are too low and can cause outages of the application.
open the file /etc/security/limits.conf and set (you could also set the limits per user instead of using *, but here we set the limits for all users and raise them individually for each user):

*               soft    nofile          10240
*               hard    nofile          65536
*               soft    stack           10240

These settings are for the medium deployment. You might need to raise them if you're using the large deployment model.

A hard limit can only be raised by root (any process can lower it). So it is useful for security: a non-root process cannot overstep a hard limit. But it's inconvenient in that a non-root process can't have a lower limit than its children.
A soft limit can be changed by the process at any time. So it's convenient as long as processes cooperate, but no good for security.
Especially for Red Hat it is important to also change another file, because the number of processes is not controlled via limits.conf: the file /etc/security/limits.d/90-nproc.conf is read after limits.conf and overrides any nproc setting made there.
Set it to 16384 for all other users:

*          soft    nproc         16384
root       soft    nproc     unlimited

you can then create a script that raises these limits for the wasadmin user (raise the soft limits):
create a file /etc/profile.d/limits.sh and add the following to it:

# /etc/profile.d/limits.sh: raise the soft limits for the wasadmin user at login
if [ "$USER" = "wasadmin" ]; then
    if [ "$SHELL" = "/bin/ksh" ]; then
        ulimit -p 16384   # ksh: max user processes
        ulimit -n 65536   # max open files
    else
        ulimit -u 16384 -n 65536   # bash: max user processes and max open files
    fi
fi

These values are only set when using a login shell – which is not the case when IC is started / stopped by a script (e.g. at system boot).
If you're using a start / stop script for the application, you should set the limits there too, e.g.:

(...)
NODE="nodeagent"
CLUSTER="InfraCluster_server1 Cluster1_server1 Cluster2_server1"

ulimit -u 16384 -n 65536

check_if_finished()
{
TIMER1=2
(...)

You need to enable PAM in sshd so that the limits settings are applied to ssh sessions.
edit /etc/ssh/sshd_config and change

UsePAM no
to
UsePAM yes

edit /etc/pam.d/login and add:

session required pam_limits.so

Then restart the server.
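Whether all of the above actually reached the running JVMs is easiest to see in /proc/<pid>/limits. The following script is an added check, not part of the original post; it assumes the user is called wasadmin and uses the target values from the limits.conf and 90-nproc.conf settings above.

```shell
#!/bin/bash
# Added check, not part of the original post: read the limits a running
# process really has from /proc/<pid>/limits instead of trusting the
# config files. Run it on the Connections node after the JVMs are started.

WANT_NOFILE=65536   # target from limits.conf (hard nofile)
WANT_NPROC=16384    # target from 90-nproc.conf / ulimit -u

# soft_limit <resource label> <limits text>: print the "Soft Limit" column
# of the line that starts with the label, e.g. "Max open files".
soft_limit() {
    printf '%s\n' "$2" | grep "^$1" | sed "s/^$1 *//" | awk '{ print $1 }'
}

# limit_ok <actual> <wanted>: true if actual is "unlimited" or >= wanted.
limit_ok() {
    [ "$1" = "unlimited" ] && return 0
    [ "$1" -ge "$2" ] 2>/dev/null
}

# check_limits_text <limits text>: true if nofile and nproc meet the targets.
check_limits_text() {
    limit_ok "$(soft_limit 'Max open files' "$1")" "$WANT_NOFILE" &&
    limit_ok "$(soft_limit 'Max processes' "$1")" "$WANT_NPROC"
}

# check_user_processes <user>: test every process of that user (assumed to be
# wasadmin) and list the ones still running with the old, low defaults.
check_user_processes() {
    rc=0
    for pid in $(pgrep -u "$1"); do
        [ -r "/proc/$pid/limits" ] || continue
        if ! check_limits_text "$(cat "/proc/$pid/limits")"; then
            echo "PID $pid: $(tr '\0' ' ' < "/proc/$pid/cmdline" | cut -c1-60)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in /proc/<pid>/limits format: a JVM started by an init
# script at boot, so the profile.d ulimit never ran and the defaults apply.
SAMPLE_BOOT='Limit                     Soft Limit           Hard Limit           Units
Max processes             1024                 16384                processes
Max open files            1024                 4096                 files'

if [ "${1:-}" = "--check" ]; then
    check_user_processes "${2:-wasadmin}"
fi
```

Run it as ./check_limits.sh --check wasadmin; a non-zero exit code and the listed PIDs tell you which start script still needs the ulimit line.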

Dedicated hard disc

For a production environment it is good advice to add another hard disc, where you install IBM Connections to.

The benefits for this:
– more speed
– more security / stability – just think of a Connections server that starts creating heap dumps and the HDD runs out of space; then you might not be able to log in via shell anymore if you only have one disc in the system.
Normally I use the Red Hat LVM (logical volume manager) to have the flexibility to resize:

#display the added disc
fdisk -l
#Partition the disc - follow the dialog
fdisk /dev/sdb
#Create a physical volume
pvcreate /dev/sdb1
#Create the VG (volume group)
vgcreate ibmVG /dev/sdb1
#Create the LV (logical volume)
lvcreate -n ibmLV -L 126G ibmVG
#Create a filesystem for the LV (ext4 here)
mkfs.ext4 /dev/ibmVG/ibmLV
#Create the mount point and mount the filesystem
mkdir -p /ibm
mount -t ext4 /dev/ibmVG/ibmLV /ibm
#add this line to /etc/fstab to automatically mount at system boot
/dev/ibmVG/ibmLV /ibm ext4 defaults 0 0

Memory and swapping
It is highly recommended to avoid memory swapping, which makes the system and the application incredibly slow. The setting below configures the kernel to prefer keeping application memory in RAM instead of using it for file caching.

CAUTION: You need to ensure that you have enough physical memory available! Otherwise you'll run into trouble.

edit the file: /etc/sysctl.conf and add

vm.swappiness = 0

For the database server it is also recommended to set the parameter:

vm.overcommit_memory = 0

There is a recommendation to set the I/O scheduler mode for the DB server to “deadline”:
open /etc/grub.conf and add elevator=deadline to the kernel line, e.g.

kernel /vmlinuz-2.6.9-67.EL ro root=/dev/vg0/lv0 elevator=deadline

You can find an explanation here

As I'm not that deep into the system details of I/O schedulers, I can only recommend measuring the differences with a performance test. Do not simply make changes to the I/O scheduler.
There are other guides saying that especially for VMware virtual machines it is best to set the elevator mode to “noop”…

You should also check the Transparent Huge Pages recommendation for WAS / Linux systems.

sudoers file
If you do not get any root access on the machine after installation, it might still be good advice to be able to reboot the system or to mount an NFS share. For these actions you need root access. Ask the Linux administrator if it is possible to add these commands to the sudoers file…
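As an added example (not from the original post), this is what such a sudoers entry looks like when it is limited to exactly these two actions instead of blanket root; the drop-in file name, the NFS server and export, and the mount point are assumptions:

```sudoers
# /etc/sudoers.d/wasadmin  (assumed file name; install with mode 0440)
# Too broad: full root for every command, which defeats the non-root installation.
# wasadmin ALL=(root) NOPASSWD: ALL

# Least privilege: only a reboot and mounting / unmounting one fixed NFS export.
Cmnd_Alias IC_REBOOT = /sbin/reboot, /sbin/shutdown -r now
Cmnd_Alias IC_NFS    = /bin/mount -t nfs nfsserver\:/export/ibm /mnt/nfs, \
                       /bin/umount /mnt/nfs
wasadmin ALL=(root) NOPASSWD: IC_REBOOT, IC_NFS
```

Check the file with visudo -c -f /etc/sudoers.d/wasadmin before relying on it; a syntax error in a drop-in breaks sudo for everybody.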

Additional red hat packages
In order to be able to use the InstallationManager GUI, you need to install numerous additional Red Hat packages. I never use the InstallationManager, so I'm not a big fan of all these packages. But for e.g. Cognos it is important to install the required packages for it to work correctly:

GUI (IM) Installation

compat-libstdc++-33.x86_64
libcanberra-gtk2.i686
PackageKit-gtk-module
gtk2.i686
compat-libstdc++-33.i686
compat-libstdc++-296
compat-libstdc++
libXtst.i686
libpam.so.0

Additional for Cognos:

libstdc++-4.4.6 (i386 and x86_64)
glibc-2.12-1 (i386 and x86_64)
openmotif22-2.2.3 (i386 and x86_64)

General
In general all IBM Connections related processes should run as non-root. There might be some exceptions, for example the HTTP Server: if your HTTP Server listens on ports 80 & 443, you need to start the process as "root", as non-root users cannot bind to ports lower than 1024. But the worker processes of the HTTP Server will be started as a non-root user, "ihsuser" or similar.
You should be consistent in using non-root users for most of the software parts. Do not use non-root users for the WAS components but then start TDI as root.

I hope some of these hints are useful for you and your next IBM Connections installation 😉
If you have comments, please let me know. We are no Linux gurus – there might be more useful additions we could add to this list.
