I'd like to say thank you to all those who were able to attend our first NYC WAS User Group Meetup in 2019. It was great to see so many of our WebSphere users in person. We will be sure to keep you posted as we plan more meetups throughout the year.
For those of you that could not attend I'd like to use this blog post to give you a summary of what we discussed and highlight some of the interesting questions that were brought up throughout the day. I've also included direct links to all the presentation material for you to download.
We started off the session talking about some WebSphere history and how the application server has changed over the last 20 years (WebSphere Application Server Update). We also looked at all of the deployment options that are available to meet all the requirements for the multiple platforms where you may be running WAS, from traditional WAS ND on bare metal, to microservice based application deployments in containerized cloud environments, and how you can easily transition between them.
Many of those who attended said they were still in the early stages of cloud adoption. Their environments will be evolving over time and it's important to have a flexible way to plan for the future without being locked into decisions that are made today. For those users that are in the planning stages of cloud adoption the IBM Cloud Application Platform model may be a good option.
Our next three presentations were more technical in nature. The first looked at cloud native development and dove into the details of building a containerized application and deploying in a way that is secure and highly available (WebSphere in Docker, Kubernetes, IBM Cloud Private). Understandably, we had a number of questions in this area regarding security and patching of these environments.
How do I ensure no one is running my WebSphere container as a root user?
There are two ways to achieve this. The first is to apply a pod security policy. Pod security policies restrict what conditions must be met by a container to be run within the cluster or namespace. You can use the predefined pod security policies or customize them to meet your needs.
The other option is to use IBM WebSphere Cloud Paks which are built to run the application server as a non-root user, along with a host of other benefits.
Our recommendation would be to combine both options so that you have multiple layers of security.
What about using sudo to gain more privileges than a non-root user from inside the container?
This is a valid concern if you are building your own Docker images from scratch or pulling images from untrusted sources. However, WebSphere DockerHub and IBM Cloud Pak images are built with sudo removed, so sudo is not an option to gain root access. This is one of the advantages of building on top of IBM certified Cloud Paks. They are built with the latest security best practices and updates.
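To make the two answers above concrete, here is a pod security policy that rejects root containers and blocks privilege escalation through setuid binaries such as sudo, together with the RBAC needed to put it into effect in one namespace. This is an added example, not material from the meetup or an IBM-supplied policy; the policy name `was-nonroot-example` and the namespace `was-apps` are hypothetical.

```yaml
# Added example: names and namespace are hypothetical placeholders.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: was-nonroot-example
spec:
  privileged: false
  # Sets no_new_privs on the container process, so a setuid binary
  # (sudo, su) cannot raise privileges even if an image still ships one.
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  # Pods are rejected unless they run with a non-zero UID. The image's USER
  # must be numeric (or the pod must set runAsUser), otherwise the kubelet
  # cannot verify the user is non-root and refuses to start the container.
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]   # excludes the root group (GID 0)
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  hostNetwork: false
  hostPID: false
  hostIPC: false
  volumes: [configMap, secret, emptyDir, persistentVolumeClaim, projected, downwardAPI]
---
# A policy only applies to pods whose service account is allowed to "use" it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-was-nonroot-example
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["was-nonroot-example"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: was-apps-nonroot
  namespace: was-apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-was-nonroot-example
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:was-apps   # every service account in the namespace
```

PodSecurityPolicy was removed in Kubernetes 1.25; on current clusters the same constraints are expressed with Pod Security Admission or the pod's own `securityContext`.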
How do I apply WAS fixes and operating system upgrades to my containerized WAS applications?
IBM maintains WebSphere Cloud Paks with the latest fix packs and operating system updates. In order to pick them up you would rebuild your application docker image through your automated build pipeline and pick up the latest updates.
Can I perform these upgrades without any application downtime?
Yes. Kubernetes and ICP have the ability to perform rolling updates so that your applications are always available. If you want to perform more fine-grained testing, such as Blue-Green, or canary deployments, before you switch over your traffic to the new version you can use Istio routing rules. Istio is included as part of all versions of ICP.
Why is traditional WAS ND not available in containers?
Kubernetes and ICP provide the operational qualities of service like high availability, clustering, and failover, so a WAS ND Cell within a Kubernetes cluster would be redundant.
In the afternoon we reviewed one of the most popular WebSphere user topics: "How do I modernize and update my current traditional WAS application server workloads to take advantage of the cloud?" There are a number of different paths you can take, and it can often feel overwhelming to undertake this transformation when you have hundreds or even thousands of applications to modernize, especially when looking at applications that have evolved over the last 20 years, when many of our current cloud technologies didn't exist. Nevertheless, these are still critical applications that are needed to run your business. The WebSphere and IBM Cloud Private teams have built a comprehensive tool called Transformation Advisor to help with this journey. In a nutshell, Transformation Advisor is able to analyze your traditional WebSphere (WebLogic, JBoss, or Tomcat) environments and applications and provide a detailed assessment of the work needed to move to a more modern platform. Many people are often involved in modernizing an application. TA can provide sizing estimates for project managers, detailed line-by-line code analysis for developers, and generate resource and deployment configuration file templates for operators to help make the process as simple as possible. Check out the Transformation Advisor tool to try out its all-inclusive capabilities, and remember it's free to use.
Does the Transformation Advisor (TA) tool require connectivity between my WAS environment and TA?
No, the TA data collector can generate a zip file of your WAS configuration and application analysis, which you can manually upload to the TA tool to generate your reports and templates. If you choose to allow connectivity between WAS and TA, the tool can perform the upload for you automatically.
At the end of the day we dove into the details of WebSphere Liberty Performance and Security. Over the years Liberty has become a field tested, high performance, and secure application server that has thousands of instances running in production, and the entire platform is based on open source, https://openliberty.io/. We discussed many of the key performance updates in the Java runtime and in Liberty that make them an especially good fit for a cloud environment. We also reviewed support for the modern security standards available in Liberty that will let your applications interact seamlessly across different security providers.
We had several performance questions around the IBM/Open J9 JVM (which IBM has open sourced) and how it compares to other JVM implementations. We've done extensive testing in this area and you can look at the results here: https://www.eclipse.org/openj9/oj9_performance.html
We concluded the meetup with the performance and security discussion, but we still have an extensive backlog of topics that we'd like to discuss in future meetups. Most of all we'd like to hear from our users what topics are the most interesting to you. And we'd love to have some of our users present what they have done with WebSphere technology.