IBM PureApplication Systems provide an IaaS private cloud solution in a box, with the hardware, storage, and a pattern-based deployment all rolled into one high-scale package. You might have seen IBM has also announced plans (and a beta) for a PureApplication Service on SoftLayer, giving a really compelling hybrid cloud story.

So in this post, I wanted to share how easy it is to extend the Hypervisor edition of IBM Integration Bus V9 available for PureApplication Systems. I show how you can build a customized Virtual System pattern that exploits some of the benefits of the PureApplication System environment, specifically:

- Automatic generation of self-signed TLS (SSL) certificates during pattern deployment
- Enablement of the Web User Interface, with security
- Configuring a DB2 database for ODBC connectivity, and as a DataCaptureStore for Record & Replay – e.g. an audit database

Because the scripting I’ve used in PureApplication Systems is simply OS scripting, you might find these examples useful for other environments. The examples are based on the POWER platform (AIX) and would need a few minor tweaks for the x86 platform.

Overview of the Virtual System Pattern

The following screenshot shows the Virtual System Pattern I created. It simply contains an IIB V9 part (virtual machine), and a DB2 part. There are three script packages that perform additional configuration of the parts, which I describe in detail below. The script packages themselves are just zip files containing the configuration and script files. Once installed into the catalog, you simply drag them into the parts from the palette on the left.

Script package to install the DB2 10.5 Data Server Client package

DB2 provides a package called the Data Server Client package, which is very compact (<40MB). So to install ODBC connectivity into the IIB part, I simply packaged this archive (v10.5fp3_aix64_odbc_cli.tar.gz) together with the following text files into a script package zip.
Remember to ensure you use UNIX line breaks in all your scripts.

cbscript.json – describes the script package to the PureApplication System

```json
[
  {
    "name": "Install the DB2 V10.5 DSClient package",
    "version": "1.0.0",
    "description": "Install the DB2 V10.5 DSClient package",
    "command": "/bin/sh /etc/install_db2_dsclient.sh",
    "log": "/etc",
    "location": "/etc",
    "timeout": "0",
    "commandargs": "",
    "keys": []
  }
]
```

install_db2_dsclient.sh – the shell script run as root by the script package

```shell
#!/bin/sh
# The "v10.5fp3_aix64_odbc_cli.tar.gz" filename should match the DS-Client version
# that is zipped into the script package
mkdir /home/virtuser/db2cli_odbc_driver
cd /home/virtuser/db2cli_odbc_driver
mv /etc/v10.5fp3_aix64_odbc_cli.tar.gz .
gunzip v10.5fp3_aix64_odbc_cli.tar.gz
tar xvf v10.5fp3_aix64_odbc_cli.tar
rm v10.5fp3_aix64_odbc_cli.tar
chown -R virtuser:staff /home/virtuser/db2cli_odbc_driver
```

Script package to configure IBM Integration Bus for TLS (SSL), Web Admin and Record&Replay

The bulk of the work is performed by this script package, which contains all the artifacts required to perform the following steps:

- Open ports in the ipsec4 AIX security module for outbound connectivity to the database (50000) and Web Admin (4414) – only step run as root
- Generate self-signed SSL certificates for IIB and MQ
- Configure Web administration, with security enabled using the above certificates
- Configure ODBC using a set of odbc.ini files contained in the script package
- Configure Record & Replay using the ODBC connection

The parts that make up the script package are as follows:

cbscript.json – describes the script package to the PureApplication System

```json
[
  {
    "name": "IIB Script Package",
    "version": "1.0.0",
    "description": "Configuration scripts for IIB",
    "command": "/bin/sh /etc/configure_iib_root.sh",
    "log": "/etc",
    "location": "/etc",
    "timeout": "0",
    "commandargs": "",
    "keys": [
      {
        "scriptkey": "DB2_HOSTNAME",
        "scriptvalue": "",
        "scriptdefaultvalue": "${DB2_ESE.hostname}"
      },
      {
        "scriptkey": "DB2_PORT",
        "scriptvalue": "",
        "scriptdefaultvalue": "50000"
      },
      {
        "scriptkey": "DB2_USERNAME",
        "scriptvalue": "",
        "scriptdefaultvalue": "virtuser"
      },
      {
        "scriptkey": "DB2_PASSWORD",
        "scriptvalue": "",
        "scriptdefaultvalue": "passw0rd",
        "type": "password"
      }
    ]
  }
]
```

configure_iib_root.sh – shell script run as root to open the required ports, and kick off the script as ‘virtuser’ to configure IIB

```shell
#!/bin/sh
. /etc/virtualimage.properties

# Configure the firewall as root
# ipsec4 is disabled at the point our scripts run, and enabled afterwards by the built-in scripts.
# So we actually have to enable it, create the filters, then disable it again.
/usr/sbin/mkdev -c ipsec -t 4
/usr/sbin/mkdev -c ipsec -t 6 > /dev/null 2>&1
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g Y -c tcp -o any -p 0 -O any -P "$DB2_PORT" -r B -w B -l Y -f Y -i all
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g Y -c all -o any -p 0 -O any -P 4414 -r B -w B -l Y -f Y -i all
/usr/sbin/rmdev -l ipsec_v4

# Call the IIB configuration script as virtuser
su - virtuser -C /etc/configure_iib.sh
```

configure_iib.sh – the main script run as ‘virtuser’ to configure IIB

```shell
#!/bin/sh
. /etc/virtualimage.properties

# Ensure the MQSI profile is configured
. /opt/IBM/mqsi/9.0.0.0/bin/mqsiprofile
export LANG=en_GB.UTF-8
export LC_ALL=en_GB

# Use GSKit to generate self-signed certificates for the QMGR and Integration Node
mkdir ~/iib_certs
chmod -R 700 ~/iib_certs
runmqckm -keydb -create -db ~/iib_certs/iib.jks -pw passw0rd -type jks
runmqckm -cert -create -db ~/iib_certs/iib.jks -pw passw0rd -dn CN=$MQSI_BROKER_NAME,OU=PureApp,O=IBM -size 2048 -sig_alg SHA512WithRSA -label iib_cert -type jks
runmqckm -keydb -create -db ~/iib_certs/mq.kdb -pw passw0rd -type cms -stash
runmqckm -cert -create -db ~/iib_certs/mq.kdb -pw passw0rd -dn CN=$MQSI_BROKER_NAME,OU=PureApp,O=IBM -size 2048 -sig_alg SHA512WithRSA -label iib_cert -type cms

# Note this script assumes HTTP security in IIB is already configured via default PureApp pattern config.
# The values for keystore location should be locked in the pattern to /home/virtuser/iib_certs/iib.jks

# Configure the SSL certificate on the QMGR.
# Note no further security configuration of MQ is performed by this script
echo "ALTER QMGR SSLKEYR('$HOME/iib_certs/mq')" | runmqsc $MQ_QMGR_NAME

# Configure the web admin console, in secure mode (default password)
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o server -n enabled -v true
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o server -n enableSSL -v true
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n address -v '*'
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n port -v 4414
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n keystoreType -v "$MQSI_HTTPS_CONNECTOR_KEYSTORE_TYPE"
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n keystorePass -v "$MQSI_HTTPS_CONNECTOR_KEYSTORE_PASS"
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n keystoreFile -v "$MQSI_HTTPS_CONNECTOR_KEYSTORE_FILE"
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n truststoreType -v "$MQSI_HTTPS_CONNECTOR_KEYSTORE_TYPE"
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n truststorePass -v "$MQSI_HTTPS_CONNECTOR_KEYSTORE_PASS"
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n truststoreFile -v "$MQSI_HTTPS_CONNECTOR_KEYSTORE_FILE"
mqsichangeproperties $MQSI_BROKER_NAME -b webadmin -o HTTPSConnector -n sslProtocol -v "$MQSI_HTTPS_CONNECTOR_SSL_PROTOCOL"
mqsiwebuseradmin $MQSI_BROKER_NAME -c -u admin -a passw0rd -r virtuser

# Configure ODBC connectivity
export IE02_PATH=/opt/ibm/IE02/2.0.1
echo "\nexport IE02_PATH=/opt/ibm/IE02/2.0.1\n" >> ~/.profile
cp /etc/iib_odbc.ini $HOME/odbc.ini
export ODBCINI=$HOME/odbc.ini
echo "\nexport ODBCINI=$HOME/odbc.ini\n" >> ~/.profile
cp /etc/iib_odbcinst.ini $HOME/odbcinst.ini
export ODBCSYSINI=$HOME
echo "\nexport ODBCSYSINI=$HOME\n" >> ~/.profile
export LIBPATH=$HOME/db2cli_odbc_driver/odbc_cli/clidriver/lib:$LIBPATH
echo "\nexport LIBPATH=$HOME/db2cli_odbc_driver/odbc_cli/clidriver/lib:\$LIBPATH\n" >> ~/.profile
sed -e "s/REPLACE_WITH_HOSTNAME/$DB2_HOSTNAME/g" /etc/iib_db2dsdriver.cfg | sed -e "s/REPLACE_WITH_PORT/$DB2_PORT/g" > "$HOME/db2cli_odbc_driver/odbc_cli/clidriver/cfg/db2dsdriver.cfg"

# Configure record & replay
mqsisetdbparms $MQSI_BROKER_NAME -n MBRECORD -u $DB2_USERNAME -p $DB2_PASSWORD
mqsicreateconfigurableservice $MQSI_BROKER_NAME -c DataCaptureStore -o MBRECORD -n dataSourceName,egForRecord,egForView,schema -v MBRECORD,default,default,WMB
mqsicreateconfigurableservice $MQSI_BROKER_NAME -c DataCaptureSource -o ${MQSI_BROKER_NAME}_Source -n dataCaptureStore,topic -v MBRECORD,"\$SYS/Broker/$MQSI_BROKER_NAME/Monitoring/#"

# Restart IIB to pick up the new values
mqsistop -q -i $MQSI_BROKER_NAME
mqsichangebroker $MQSI_BROKER_NAME -s active
mqsistart $MQSI_BROKER_NAME
```

iib_db2dsdriver.cfg - DB2 configuration file modified by the above script and installed into the home directory

iib_odbcinst.ini – ODBC system configuration file installed and configured via profile environment variables by the script

```ini
[ODBC]
;# To turn on ODBC trace set Trace=yes
Trace=no
TraceFile=/home/virtuser/odbctrace.out
Threading=2
```

iib_odbc.ini – ODBC configuration file installed and configured via profile environment variables by the script

```ini
[ODBC Data Sources]
MBRECORD=IBM DB2 ODBC Driver

[MBRECORD]
DRIVER=/opt/IBM/mqsi/9.0.0.0/lib/libdb2Wrapper64.so
Description=IBM DB2 ODBC Database
Database=MBRECORD
```

Script package to configure the MBRECORD database on DB2

The final step is to ensure that DB2 is configured with the correct MBRECORD database IIB will use as its DataCaptureStore.

cbscript.json – describes the script package to the PureApplication System

```json
[
  {
    "name": "DB2 for IIB Record and Replay Script Package",
    "version": "1.0.0",
    "description": "Configuration scripts to configure the MBRECORD database for IIB",
    "command": "su - db2inst1 -C /etc/configure_db2.sh",
    "log": "/etc",
    "location": "/etc",
    "timeout": "0",
    "commandargs": "",
    "keys": []
  }
]
```

configure_db2.sh – the script, run as db2inst1, to create the database and grant authority to ‘virtuser’

```shell
#!/bin/sh
. /etc/virtualimage.properties

# Run the IIB DDL
db2 -tvf /etc/DataCaptureSchema.sql

# Grant authority to virtuser, which we will configure IIB to connect using
db2 CONNECT TO MBRECORD
db2 SET SCHEMA WMB
db2 GRANT CONNECT ON DATABASE TO USER VIRTUSER
db2 GRANT ALL ON TABLE WMB_MSGS TO USER VIRTUSER
db2 GRANT ALL ON TABLE WMB_EVENT_TYPES TO USER VIRTUSER
db2 GRANT ALL ON TABLE WMB_EVENT_FIELDS TO USER VIRTUSER
db2 GRANT ALL ON TABLE WMB_BINARY_DATA TO USER VIRTUSER
db2 TERMINATE
```

DataCaptureSchema.sql – the DDL for the MBRECORD database

This file was taken directly from the IIB install, with the CREATE/SET SCHEMA WMB commands uncommented.

Summary

I hope this gives you a flavor of how to create a Virtual System pattern for IBM Integration Bus in IBM PureApplication System.
You can see the script packages are simple to create, and don’t require special skills beyond OS scripting. You might even find these scripts helpful to automate IIB node creation in other environments.
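
configure_iib_root.sh passes $DB2_PORT to genfilt as root, and configure_iib.sh splices $DB2_HOSTNAME and $DB2_PORT into a sed expression, so both script keys are worth checking before use. The following is an added example, not part of the original post; the function names and the one-line template are constructed stand-ins for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check the DB2_HOSTNAME and
# DB2_PORT script keys before they reach genfilt or the sed substitution.

# Accept only a decimal TCP port in 1..65535 with no leading zero.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Accept only host-name / IPv4 characters, so the value cannot carry
# sed metacharacters (/ & \), whitespace, quotes or extra arguments.
valid_host() {
    case "$1" in
        ''|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Render a driver config template to stdout, refusing unvalidated values.
# $1 = template file, $2 = host, $3 = port
render_dsdriver_cfg() {
    valid_host "$2" || { echo "rejecting DB2_HOSTNAME" >&2; return 1; }
    valid_port "$3" || { echo "rejecting DB2_PORT" >&2; return 1; }
    sed -e "s/REPLACE_WITH_HOSTNAME/$2/g" -e "s/REPLACE_WITH_PORT/$3/g" "$1"
}

# Constructed one-line stand-in for /etc/iib_db2dsdriver.cfg (assumption:
# the real file's contents are not reproduced in the post).
demo_template() {
    printf '%s\n' '<dsn alias="MBRECORD" host="REPLACE_WITH_HOSTNAME" port="REPLACE_WITH_PORT"/>'
}

tmpl=$(mktemp) && demo_template > "$tmpl"
render_dsdriver_cfg "$tmpl" "db2.example.internal" "50000"
render_dsdriver_cfg "$tmpl" "db2 host/name" "50000" || echo "hostname rejected"
render_dsdriver_cfg "$tmpl" "db2.example.internal" "50000 extra" || echo "port rejected"
rm -f "$tmpl"
```

In configure_iib_root.sh the same valid_port check would run before the genfilt calls, exiting non-zero so the deployment fails visibly instead of creating a malformed filter rule.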
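
The scripts in this post pass literal passwords to runmqckm -pw and mqsiwebuseradmin -a, and cbscript.json ships a default value for the password-typed DB2_PASSWORD key. The following is an added example, not the author's code, of a pre-upload lint that flags both; the function names and sample lines are constructed, and the JSON check assumes one member per line.

```shell
#!/bin/sh
# Added example (not from the original post): lint script-package files for
# hard-coded secrets before uploading them to the catalog.

# Print "line N: text" for lines that pass a literal (non-variable) value
# to a password option of the commands used in this post.
find_literal_passwords() {
    awk '
    function literal(v) { return v != "" && v !~ /^"?\$/ }
    {
        for (i = 2; i < NF; i++) {
            hit = 0
            if ($1 == "runmqckm"         && $i == "-pw") hit = literal($(i + 1))
            if ($1 == "mqsiwebuseradmin" && $i == "-a")  hit = literal($(i + 1))
            if ($1 == "mqsisetdbparms"   && $i == "-p")  hit = literal($(i + 1))
            if (hit) { printf "line %d: %s\n", FNR, $0; break }
        }
    }' "$@"
}

# Print the scriptkey of each cbscript.json key of type "password" that ships
# a non-empty scriptdefaultvalue. Assumes one JSON member per line.
find_default_passwords() {
    awk -F'"' '
    /"scriptkey"/                { key = $4; def = ""; pw = 0 }
    /"scriptdefaultvalue"/       { def = $4 }
    /"type"/ && $4 == "password" { pw = 1 }
    /^[ \t]*}/ { if (pw && def != "") print key; pw = 0; def = "" }
    ' "$@"
}

# Constructed samples: three lines in the style of configure_iib.sh and one
# key in the style of cbscript.json.
sample_script() {
    printf '%s\n' \
        'runmqckm -keydb -create -db ~/iib_certs/iib.jks -pw passw0rd -type jks' \
        'mqsisetdbparms $MQSI_BROKER_NAME -n MBRECORD -u $DB2_USERNAME -p $DB2_PASSWORD' \
        'mqsiwebuseradmin $MQSI_BROKER_NAME -c -u admin -a passw0rd -r virtuser'
}
sample_json() {
    printf '%s\n' '{' '"scriptkey": "DB2_PASSWORD",' \
        '"scriptdefaultvalue": "passw0rd",' '"type": "password"' '}'
}

sample_script | find_literal_passwords
sample_json | find_default_passwords
```

Both functions also accept file names, so they can be run over the unpacked contents of a script package zip.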