WO2003073205A2 - Ecs node manager for ensuring high availability server and application - Google Patents

Ecs node manager for ensuring high availability server and application Download PDF

Info

Publication number
WO2003073205A2
WO2003073205A2 PCT/US2003/004950 US0304950W WO03073205A2 WO 2003073205 A2 WO2003073205 A2 WO 2003073205A2 US 0304950 W US0304950 W US 0304950W WO 03073205 A2 WO03073205 A2 WO 03073205A2
Authority
WO
WIPO (PCT)
Prior art keywords
server
monitoring
java
determining
parameter
Prior art date
Application number
PCT/US2003/004950
Other languages
French (fr)
Other versions
WO2003073205A3 (en
Inventor
Rahul Srivastava
Ananthan Bala Srinivasan
Eric M. Halpern
Dean Jacobs
Original Assignee
Bea Systems, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US10/339,469 external-priority patent/US7233989B2/en
Priority claimed from US10/339,144 external-priority patent/US7287075B2/en
Priority claimed from US10/338,981 external-priority patent/US7152185B2/en
Application filed by Bea Systems, Inc. filed Critical Bea Systems, Inc.
Priority to AU2003217581A priority Critical patent/AU2003217581A1/en
Publication of WO2003073205A2 publication Critical patent/WO2003073205A2/en
Publication of WO2003073205A3 publication Critical patent/WO2003073205A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1415Saving, restoring, recovering or retrying at system level
    • G06F11/1438Restarting or rejuvenating
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/32Monitoring with visual or acoustical indication of the functioning of the machine
    • G06F11/324Display of status information
    • G06F11/325Display of status information by lamps or LED's
    • G06F11/326Display of status information by lamps or LED's for error or online/offline status
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates generally to managing a network of servers, and more particularly to monitoring the health of a network of servers.
  • Servers within a distributed network perform transactions with other servers and use resources within the system. As the servers require the use of other servers and resources, the operability and reliability ofthe servers become more important. If a server fails while performing a task, it may affect other servers and resources that were tied up in transactions with the server at the time of its failure. Whether a server has failed completely or the server's condition has degraded is important information to a network. Thus, it is important to know the status of a server in order to maintain the health ofthe server and the network in which it operates. A maintenance system should be able to require a server to provide health information and be able to maintain or correct servers not operating properly.
  • a Node Manager monitors the status of multiple servers.
  • the NM detects server failures, periodically monitors server health status, and performs server maintenance.
  • the NM determines whether or not the server is restartable. If the server is restartable, the NM checks to see if any other conditions exist that limit the server from being restarted. If no other conditions exist, the server is restarted. If the failed server is not restartable or other conditions exist preventing the server from being restarted, the failed server is not restarted.
  • the NM periodically monitors the health of a server whether or not the NM detects a server failure. This process begins when the NM makes a health query to a server. Then, the NM waits for a server response containing the server's health information. If the server replies that it is healthy, the NM continues to monitor the server. If the server's reply indicates the server's health is degenerate or the server does not reply at all, the NM presumes the server has failed. The NM may wait a specified period of time before deciding the server has failed to respond to a query. Once a server is deemed failed, the NM then determines whether to terminate the server.
  • the NM may be controlled by parameters located within the NM or Administration Server (AS).
  • the parameters may be burned into system software or modified at runtime.
  • the NM may be controlled by an external administrative agent.
  • An administrative agent may control the NM by interfacing with the AS.
  • the NM and AS may authenticate each other and encode their communications between each other.
  • FIG. 1 is a block diagram of several nodes having servers in a self health monitoring system in accordance with one embodiment ofthe present invention.
  • FIG. 2 is a diagram showing the operation ofthe automatic monitoring system of a Node Manager in accordance with one embodiment ofthe present invention.
  • FIG. 3 is a diagram showing the operation of a health monitoring and corrective action system of a Node Manager in accordance with one embodiment ofthe present invention.
  • FIG. 4 is a diagram showing the operation of a managed server in a health monitoring system in accordance with one embodiment ofthe present invention.
  • FIG. 5 is a diagram showing an encryption method for a self health monitoring system in accordance with one embodiment ofthe present invention.
  • a self health monitoring system may be composed of several nodes.
  • a node may be a single physical machine or take some other form.
  • each node has a Node Manager (NM), an Administration Server (AS), and several other managed servers or server instances.
  • NM Node Manager
  • AS Administration Server
  • the AS and NM may send and transmit messages to each other.
  • NM may also send and transmit messages with the other servers located on the node.
  • the NM performs two primary functions. First, the NM automatically detects and restarts failed servers. The NM continually monitors servers running on the local machine. Upon detecting a server has failed, the NM will automatically restart the failed server. The server restart may occur as soon as the NM detects the server failure. Secondly, the NM periodically monitors and restarts failed or degenerate servers. The NM will periodically monitor servers running on the local machine. When the NM detects that a server is less than healthy, the NM may restart the server depending on server parameters and the condition ofthe server. In one embodiment, runtime Java MBeans hosted on the AS are used in conjunction with the NM to achieve these functions. The runtime Java MBeans offer the functionality of the NM and the health information acquired by the NM to clients in a programmatic manner.
  • FIG. 1 depicts a self health monitoring system 100 in accordance with one embodiment ofthe present invention.
  • system 100 includes a first node 10, a second 20, and a third node 30.
  • Each node may contain an AS 11, 21, and 31, and an NM 12, 22, and 32, respectively.
  • the AS communicates with the NM.
  • the AS and the NM communicate through a (SSL) secure socket layer connection.
  • Each node also contains at least one managed server.
  • these managed servers may be composed of server instance processors or logic servers all located on one hardware machine.
  • server shall be understood to include server instance processors, server instance logic, and other managed servers.
  • a node may be one physical machine with servers that communicate with other servers on the same machine. As shown in FIG. 1 , node 10 includes servers 13-15, node 20 includes servers 23-25, and node 30 includes servers 33-35.
  • An NM may communicate with the servers within the particular NM's node. For example, NM 12 can communicate with servers 13, 14, 15, all within node 10. In one embodiment, the NM communicates with the servers within its node through a secure socket layer connection.
  • the operation of an automatic monitoring system for detecting failed servers in the self health monitoring system of FIG. 1 is shown in flow chart 200 of FIG. 2 and described as follows.
  • the operation of an NM starts at step 205.
  • the NM undergoes start-up and configuration operations in step 210.
  • the NM receives instructions from an AS at start-up.
  • the AS may instruct the NM to start an instance on a local machine.
  • the AS may also instruct the NM to provide information to the AS regarding servers previously monitored during previous monitoring periods by the NM.
  • the NM may assume that all ofthe monitored servers are alive upon NM startup and sets each server state to "unknown".
  • the NM begins monitoring a server.
  • the server is monitored over an SSL connection established with the server.
  • the server is monitored over a plain text protocol connection or some other type of connection.
  • the NM determines if a server has failed in step 230.
  • the server failure is detected by a breakdown ofthe connection between the NM and the server.
  • the NM monitors the server by confirming the integrity ofthe connection between the NM and the server. When the server being monitored dies, the NM is notified accordingly. In one embodiment, the NM receives an IOException error when the server dies. The integrity ofthe connection may also be verified in other ways, all considered within the scope ofthe invention. If the NM does not detect a failed server, operation ofthe system returns to step 220 to continue monitoring the server.
  • a restart parameter specifies whether the server should be restarted upon detecting a server failure.
  • the restart parameter may reside on the server, the NM, or in some other memory location.
  • the parameter may be defined per server instance or for a number of servers.
  • the parameter may also be modifiable at runtime though commands issued through the AS. If the server is not restartable, operation continues to step 250 and the server is not restarted. In one embodiment, a message is written to a log file indicating that the server is not restartable and no further action is taken by the NM towards the failed server.
  • the process ends at step 260 and the NM ceases monitoring the failed server. Though no further action is performed on the server at step 260, the server may be monitored again beginning at step 220 if the server is restarted or at step 205 if the NM is restarted.
  • step 270 the system checks to confirm that no other conditions exist to prevent the server from being restarted. If at step 270 any conditions exist preventing a server restart, then system operation proceeds to step 275.
  • step 275 an action or inaction is taken to address the condition that is preventing the server from being restarted. The action or inaction may be taken by either the NM, AS, or some other server.
  • step 280 the system determines whether the condition is satisfied in step 280. If the condition is not satisfied in step 280, operation returns to step 275. If the condition is satisfied in step 280, operation continues to step 270.
  • step 275 operation continues from step 275 to step 270 whether the condition is satisfied or not.
  • the NM will check to see if the server may be restarted after each time a restart is considered in step 270.
  • step 280 operation continues from step 275 or step 280 to step 240.
  • the results of step 280 may be recorded in a log or memory as either condition satisfied, condition not satisfied, or some other message. If at step 270 the conditions are satisfied, then operation continues to step 290.
  • system conditions may exist at step 270 that limit the server to a maximum number of restarts allowed during a period of time.
  • parameters may control the maximum number of server restarts permitted within the period of time and the length ofthe time period.
  • the number of actual restarts for a particular server may be indicated by a restart counter. If at step 270, the value in the maximum restarts allowed parameter is larger than the restart counter, then the maximum number of restarts has not occurred during the current time period and the process continues to step 290. If the restart counter value is larger than the maximum number of server restarts permitted within the particular time period, then operation continues to step 280. Operation ofthe system may remain at step 280 until the current time period has elapsed. Once the time period has elapsed, the restart counter is reset to zero and the time period begins again. The system then continues to step 270.
  • the restart counter is again compared to the maximum number of restarts parameter and operation continues accordingly.
  • system operation will continue past step 280 even though the maximum start parameter has been exceeded. In this case, a message is logged regarding this event and operation continues.
  • System operation in this embodiment will consist of a loop between step 270 and step 280 until the time period has elapsed and the restart counter is reset to zero.
  • the server is restarted.
  • the NM, server, or AS may perform actions or process events.
  • the server restart counter is incremented.
  • certain server parameters may be configured to take effect upon the next server incarnation.
  • Parameters determine how a NM is to act upon detecting server failure. Examples of these parameters in one embodiment ofthe present invention are shown below. These parameters can be defined per server instance and modified at runtime via the Admin Console.
  • This parameter specifies whether the servers are restartable or not. In one embodiment, the default is true.
  • Server can be started within the period specified by RestartlntervalSeconds. In one embodiment, the default is 2.
  • Certain methods implemented in Java may be used to access or modify the parameter examples listed above. Examples of these methods include boolean getAutoRestartEnabled(), void setAutoRestartEnabled(boolean), int getRestartlntervalSecondsO, void setRestartlntervalSeconds(int), int gefRestarfMaxQ, and void setRestartMax(int).
  • the NM may monitor the health of a server or perform maintenance on a server. The NM may monitor server health or perform server maintenance without detecting a change or degradation in the health status of the server. Server maintenance and monitoring may be performed simultaneously on multiple servers at any time.
  • the simultaneous monitoring and maintenance may be synchronous or asynchronous.
  • the operation of a system for monitoring the health of a server with a NM in accordance with one embodiment of the present invention is shown in diagram 300 of FIG. 3 and described as follows.
  • Health monitoring system operation 300 starts off with a start step 310.
  • the system determines whether the NM should begin monitoring a server in step 320. If the system determines the NM should monitor the particular server, operation continues to step 330. If the system determines the particular server should not be monitored at the current time, the NM will not monitor the current server. In one embodiment, a server will not be monitored until a period of time has passed since the server has been restarted.
  • a monitor delay parameter will determine the period of time the NM shall wait before monitoring the restarted server.
  • the delay parameter may be stored by the AS, NM, or the server itself.
  • the delay parameter may correspond to a particular server or several servers. In one embodiment ofthe present invention, the value ofthe delay parameter may be modified at server runtime.
  • the NM determines if a health check is triggered for a particular server in operation 330.
  • a health check may be triggered by an internal event in the NM.
  • the health check is triggered by an external event occurring outside the NM, the occurrence of which is communicated to the NM.
  • a health check is triggered for a server after a period of time has elapsed.
  • a health check interval parameter may specify a period of time. The expiration of the time period specified by the interval parameter will trigger a health check for a server.
  • an interval parameter corresponds to a single server. In another embodiment, an interval parameter corresponds to several servers. In any case, the interval parameter may be modified at server runtime. If a health check is not triggered in step 330, the system continues in a standby state waiting for a triggering event to occur regarding a particular server. If a health check triggering event does occur, system operation continues to step 340.
  • the NM queries a server for it's health status.
  • the NM invokes a Java servlet located on the server to return the server's health status to the NM.
  • This Java servlet is an asynchronous servlet that will return the server's health information upon the occurrence of a particular event.
  • the event is the elapse of a period of time.
  • the NM may inquire about the server's health status by communicating with the server itself or a server self health monitor application running on the server. The query may be transmitted over a TCP connection established between the NM and server or in some other manner.
  • the NM determines if a response is received from the server in step 350.
  • the server may be unable to receive the NM's query.
  • the server may be too busy to accept a connection from the NM.
  • the server may have failed and be unable to accept an NM connection request.
  • the NM may throw an IOException and consider the server as "failed”.
  • the NM would then set an internal value of the server state to "failed”.
  • no response is received from the server although the NM and server have established an initial connection.
  • the NM will wait for a response from the server for a specified period of time.
  • a timeout parameter may specify the period of time the NM will wait for a response from the server. Until the length of time specified in the timeout parameter has transpired, the NM will continue to wait for a response as indicated in the loop of steps 350 and 360. If the NM has not received a response from the server in step 350 and the NM has determined not to wait any longer to receive a response in operation 360, operation continues to step 370 where the server is deemed failed.
  • the NM may attempt to inquire about the delay of the response or resend a health inquiry to the server before proceeding from to 370. In this embodiment, the NM may proceed to step 350, 360, or 380 depending on the result of the delay inquiry or the health inquiry.
  • step 380 the NM interprets the server's response.
  • the NM interprets the server's response to determine if the server is healthy. If the NM determines the server is healthy from the response received by the server, operation flows to step 330 where the NM waits for another health check to be triggered. If the NM determines that the server is not healthy in step 380, operation continues to step 370. In step 370, the NM deems the server has failed. In one embodiment, the NM sets a parameter indicating the state of the particular server to "failed". The parameter may be stored internally within the NM, in the AS, or at some other memory location.
  • step 390 the NM determines whether to terminate the server.
  • the NM contains an auto-terminate parameter.
  • the auto-terminate parameter may relate to a single server or multiple servers at once. A user may set a value for the auto-terminate parameter or the parameter may be preset by the system. If the auto-terminate parameter indicates the server should not be terminated upon server failure, then operation continues to step 396. In one embodiment of the present invention, the system enters a message in a log indicating the failed status of the server and that the server is not to be restarted. After step 396, system operation proceeds to step 330. If the auto-terminate parameter indicates the server should be terminated upon server failure in step 390, then operation continues to step 392.
  • the failed server is terminated in step 392.
  • an entry is made to a log indicating the server is deemed failed and that the server was terminated.
  • Monitoring of the terminated server ends in step 394.
  • the automatic detection system of FIG. 1 may detect the terminated server at step 230.
  • the NM may then proceed to determine whether to restart the server as shown in FIG. 1.
  • certain parameters will control how the server periodically checks the servers running on the local machine. Examples of parameters controlling the check are shown below.
  • HealthChecklntervalSeconds ⁇ number of seconds> [0042] This parameter specifies the interval of time (in seconds) between which periodic scans are done by NM to check if Servers are Failed. In one embodiment, the default is 180 seconds.
  • HealthCheckTimeoutSeconds ⁇ number of seconds>
  • This parameter specifies the length of time (in seconds) the Node Manager will wait for a response to the health check query after which it will deem the monitored server Failed. In one embodiment, the default is 60 seconds.
  • T g p arame ter specifies if a Server is deemed Failed, this parameter will control whether NM will kill the Server or not. In one embodiment, the default is false.
  • HealthCheckStartDelaySeconds ⁇ number of seconds>
  • the time that a server takes to startup depends upon the applications being deployed on it.
  • the NM will wait for a server to complete its startup before the NM starts monitoring the server.
  • This parameter specifies the length of time (in seconds) the NM will wait before starting its monitoring of the server. In one embodiment, the default is 120 seconds.
  • the HealthChecklnterval Seconds and HealthCheckTimeoutSeconds and parameters can be defined per NM and on the NM command line.
  • the AutoKilllfFailedEnabled and HealthCheckStartDelaySeconds parameters can be defined per server instance and can be modified at runtime via the Admin Console. These new parameters for the Server will be modifiable at runtime via the Admin Console.
  • methods implemented in java code can be added to the server MBean and may be used to access or modify the parameters.
  • the NM may allow its functionality and access to server health information to become available to external administrative clients. External administrative clients such as third party application monitors and high availability frameworks may need to be able to start and kill servers using the functionality ofthe NM. In one embodiment ofthe present invention, this is done programmatically with runtime MBeans. Use of an admin console is not required.
  • the MBeans provide a programmatic interface to the NM's functionality.
  • the MBeans allow the NM's record of a server's health to be shared. Internal or external administrative clients may use the MBeans to access server health information collected by the NM.
  • the AS hosts [one]a NodeManagerRuntime MBean that provides methods to accomplish different tasks. Each machine may have one such MBean. [One task may involve starting a specified server.]
  • the AS may have methods according to the examples shown below. java.io.reader start(serverMBean server) throws
  • NodeManagerException This method starts the specified server. It then returns the reader to local log file containing output of executed command. The method throws NodeManagerException if any error occurs.
  • java.io.reader starlnStandby serverMBean server
  • NodeManagerException This method starts the specified server in Standby Mode. It then returns the reader to local log file containing output of executed command. The method throws NodeManagerException if any error occurs.
  • java.io.Reader shutdown ServerMBean server
  • NodeManagerException This method shuts down the specified server. It then returns the reader to local log file containing output of executed command. The method throws NodeManagerException if any error occurs.
  • NodeManagerException kills specified server. It is used to kill the server process when the server does not respond to shutdown operation. It then returns the reader to local log file containing output of executed command. The method throws NodeManagerException if any error occurs.
  • java.io.reader startMonitoring (ServerMBean server) throws
  • This method instructs the NM to start monitoring the specified server.
  • the NM will automatically restart the server if it crashes (if auto restartEnabled is set to true) or gets into failed state (if AutoKilllfFailedEnabled and
  • AutoRestartEnabled are set to true). It then returns the reader to local log file containing output of executed command. The method throws
  • NodeManagerException if any error occurs.
  • java.io.reader stopmonitoring serverMBean server
  • NodeManagerException This method instructs the NM to stop monitoring the specified server. It then returns the reader to local log file containing output of executed command.
  • the method throws NodeManagerException if any error occurs.
  • java.io.Reader getlogs(Server MBean server, String type) throws NodeManagerException; [0057]
  • This method get logs from the NM for the specified server. The type is either "WL_output" or "WL_Error". It then returns the reader to local log file containing output of executed command.
  • This method queries the NM for its view of the specified server state. It is used when the server does not respond to queries to its ServerRuntimeMBean. The method will return "unknown” if NM is either not monitoring the server or does not have any knowledge of the server. It then returns the reader to local log file containing output of executed command. The method throws NodeManagerException if any error occurs.
  • MBeans may provide an interface for JMX clients to access the functionality ofthe NM. In this case, the MBeans for JMX client interfacing may have a different interface than the Server configuration MBeans. Operations such as "start” and “shutdown” may return precise information on their success or failure. They will throw an exception if the operation fails.
  • All operations on the Node Manager Runtime MBeans may be blocking.
  • a TaskMBean interface may be provided around the Server Lifecycle MBeans to provide an asynchronous interface to JMX clients. JMX clients can make use of the NM functionality to perform a wide variety of Server lifecycle and health monitoring control operations. Detailed below are the interactions between these two entities during each of the Server Lifecycle state transitions.
  • Admin command line utility and other Admin Clients will be effecting these state transitions by invoking methods on the ServerLifecycleRuntimeMBean.
  • start Q [SHUTDOWN -> RUNNING] startlnStandbyO [SHUTDOWN -> STANDBY]
  • ServerLifecycleRuntimeMBean hosted on the Admin Server will invoke the start() or startlnStandbyO methods on the corresponding NodeManagerRuntimeMBean.
  • ServerLifecycleRuntimeMBean hosted on the Managed Server will return the State attribute of the Server.
  • ServerLifecycleRuntimeMBean hosted on the Admin Server will invoke the getState() method on the ServerLifecycleRuntimeMBean hosted on the Managed Server. If this operation times out, it will then invoke the getState() method on the NodeManagerRuntimeMBean.
  • the operation of a server that is monitored by a NM in accordance with one embodiment ofthe present invention is shown in diagram 400 of FIG. 4 and described as follows.
  • the operation of flow chart 400 starts off with a start step 410.
  • the server is initialized in step 420.
  • the NM and the server establish a connection as part of the server initialization.
  • server initialization includes the server initializing and running a program that monitors its health and interfaces with query attempts from the NM and other sources. Once a connection between the NM and the server is established and the server is initialized, the server may send a message to the NM indicating the server experienced a successful start up. [0067] After initialization, the server listens for an inquiry regarding the server's health status in step 430. The health status inquiry may come from the NM or an external administrative agent. If no health status inquiry is received, the server continues to listen for an inquiry as shown in FIG. 4. If a health status inquiry is received, operation continues to step 440.
  • step 440 the server performs a self health check on itself.
  • the results of the health check are transmitted by the server in step 450.
  • the results are transmitted to the NM or the AS.
  • the results are transmitted according to the instructions of an external administrative agent.
  • the administrative agent may have the results sent to the agent itself or some other entity.
  • operation of the server returns to step 430 where the server listens for a health status inquiry. In one embodiment, if at any point the server fails, the server will inform the NM as soon as it enters a failed state.
  • the communication between the NM and the AS may be encoded to increase the integrity of the system.
  • the communication may be encoded according to a Diffie-Helman based Authentication and Encryption scheme.
  • the encryption parameters may be negotiated at link establishment time and depend upon configuration parameters and installed software.
  • a flow chart showing the operation of a Diffie-Helman based Authentication and Encryption scheme 500 in accordance with one embodiment of the present invention is shown in FIG. 5. The operation starts at step 505. Next, the connection between the AS and NM is established in operation 510. In one embodiment, the connection between the AS and the NM is initialized by the AS. Once the connection has been initialized by the AS, the NM receives the initial connection.
  • the encryption key size is determined in step 520.
  • the encryption key size is determined by a negotiation between the AS and the NM.
  • the AS and NM each have a minimum key length parameter and maximum key length parameter.
  • the pair for each of the NM and AS is denoted as (min, max).
  • the minimum key length parameter is the minimum encryption level a process will support.
  • the maximum key length parameter is the maximum encryption level a process is will support. In one embodiment, the possible key lengths are 0, 40, or 128 bits.
  • the AS and NM will negotiate a connection that uses an encryption level as high as the lowest maximum key length between the NM and AS, but no lower than the highest minimum key length between the NM and AS.
  • the connection may have a key length of 40 or more preferably 128 bits.
  • the key length may not be 0 bits because the NM has a minimum key length parameter of 40 bits.
  • the maximum key length parameter may be reduced by the capabilities of software installed on the NM or the AS. If the minimum key length parameter for either the AS or NM is higher than the maximum key length parameter for the other of the AS or NM, then no overlap exists in key length parameters. If there is no overlap in key length parameters, the established link will fail and an appropriate error message is logged.
  • command line arguments may be used to specify the minimum encryption level parameter and maximum encryption level parameter.
  • the session keys are generated in step 530.
  • a first session key is used for transmitted data from the AS to the NM and a second session key is used from for data transmitted from the NM to the AS.
  • the session keys are 128 bits.
  • the input parameters to the Diffie-Hellman key agreement algorithm may be fixed or generated.
  • the input parameters are fixed into software existing on the server network and accessible to the AS.
  • the AS server may transmit the fixed input parameters to the NM.
  • the Diffie-Hellman algorithm also requires the generation of a random number.
  • the random number is generated from a cryptographically secure pseudo-random number source.
  • An RC4 bulk encryption method may be used as the encryption method for the link.
  • both the NM and AS may engage in an authentication process at step 540.
  • both the NM and AS are authenticated using a shared secret.
  • One method of authenticating both the NM and AS in accordance with the present invention is as follows. First, both the NM and AS will generate a fingerprint. In one embodiment, the fingerprint may be a 128 bit MD5 message digest created using the send and receive session keys already negotiated. Next, the AS will generate a challenge, encrypt the challenge and fingerprint, and send the encrypted challenge and fingerprint to the NM. In one embodiment, the challenge may be a 64 bit random number. Next, the NM will receive and decrypt the challenge and fingerprint from the AS.
  • the information may be encrypted and decrypted using the AS's password. If the information received by the NM is decrypted and does not match the NM's fingerprint, the NM will reject the authentication request by the AS. Next, the NM will encrypt the challenge received from the server, the session key generated by the NM, and the fingerprint generated by the NM. The NM will then send the encrypted challenge, session key, and fingerprint to the AS. The AS will receive and decrypt the information received from the NM. Upon decrypting the received information, the AS will compare the received challenge and fingerprint to it's own challenge and fingerprint. If either the fingerprints or the challenges do not match, the AS will reject the authentication request from the NM.
  • the encryption and authentication process then ends at step 550.
  • the encryption by the AS and NM may be done using a DES encryption method or some other method suitable for the particular requirements ofthe system.
  • new command line arguments are specified for the AS and NM regarding AS/NM communication encryption and authentication. These new arguments can be modified at runtime via the Admin Console.
  • WebLogic.management.maxEncryptionBits ⁇ number> [0073] This argument specifies the maximum encryption level the process will accept. Possible values are 0, 40, 128. In one embodiment, the default value is 128.
  • WebLogic.management.enableChannelBinding 0
  • 1 [0074] This argument sets an Authentication Protocol. In one embodiment, the a value of 1 enables the Authentication Protocol and the default is 0. WebLogic.management.passwordKey ⁇ string>
  • This argument specifies the key to be used to decrypt the encrypted NM passwords stored in the configuration file. The key must be specified if
  • WebLogic.management.enableChannelBinding is set to 1.
  • the utility WebLogic.wtc.gwt.genpasswd will be used to encrypt NM passwords to be stored in the configuration file.
  • This argument specifies the minimum encryption level the process will accept. Possible values are 0, 40, 128. In one embodiment, the default value is
  • This argument sets an Authentication Protocol enable.
  • a value of 1 enables the Authentication Protocol and the default is
  • an alternate NM may have features in addition to those described above.
  • the alternate NM may function to aggregate administrative actions and information in the NM. The actions and information could then be accessed by third party application monitors and high availability frameworks using standard JMX interfaces.
  • the NM may also achieve internal interactions with the admin console and cluster group leader using standard JMX interfaces.
  • certain services are required by the administrator for the alternate NM to operate properly.
  • One such service is a ProcessControl (“PC") service.
  • the PC service operates to start, kill and restart managed servers on the local node.
  • the service can be hosted by the AS and by the NM on the other nodes.
  • Restart capability is provided to internal and external clients via Runtime MBeans.
  • Another service is the HealthMonitoring (“HM”) service.
  • the HS service monitors state and other runtime attributes of managed servers on local or remote nodes. Either the AS or an individual NM can host the HM service. Server health information is provided to internal and external clients via Runtime MBeans.
  • the alternate NM has several advantageous characteristics. In one embodiment, some aspects ofthe configuration for the alternate NM are similar to the basic NM ofthe present invention.
  • the alternate NM may be hosted on a stripped-down managed server. In this case, the alternate NM registers as a managed server with the AS. With this configuration, the NM performs startup independently of the AS. Further, no configuration MBeans are required for runtime configuration changes [0086]
  • the alternate NM may include a "watchdog" service.
  • the watchdog service operates to monitor the NM on platforms where operating system monitoring is not available, such as non-NT and Solaris platforms.
  • the watchdog service may be configured to spawn the NM when it performs startup, thereby allowing administrators to manually start just one process.
  • a system could use a watchdog service to bootstrap the NM service on a local node upon command of an AS.
  • This watchdog service configuration would eliminate manual configuration of the NM on each remote node and allow runtime configuration through configuration MBeans implemented in java.
  • the NM may be used as the operating system in one embodiment of the present invention.
  • the NM may be installed on a node in conjunction with other software and can be started manually.
  • the alternate NM can be configured to enable its operation to enhance aspects of an entire domain or local node.
  • One NM could be used for an entire domain. This would simplify security in that multiple certificates would not need to be managed.
  • the NM is the highest release.
  • the alternate NM may be used to aggregate cluster heartbeats for all cluster members on a local node.
  • the cluster members may include managed servers on the local node.
  • the alternate NM may also be configured to operate as a surrogate AS.
  • the present invention includes a Node Manager that monitors the status of multiple servers.
  • the NM detects server failures, periodically monitors server health status, and performs server maintenance. When the NM detects a server failure, it determines whether or not the server should be restarted. While periodically monitoring servers, the NM may determine how often to trigger a health check, how long to wait for a response, and how to proceed if the server is deemed failed.
  • the NM may be controlled by an AS directly or by an external administrative agent. An administrative agent may control the NM by interfacing with the AS.
  • the NM and AS may authenticate each other and encode their communications to each other for increased security.
  • An Appendix is attached to this application containing examples within the scope and spirit ofthe present invention.
  • the present invention may be conveniently implemented using a conventional general purpose or a specialized digital computer or microprocessor programmed according to the teachings ofthe present disclosure, as will be apparent to those skilled in the computer art.
  • Appropriate software coding can readily be prepared by skilled programmers based on the teachings ofthe present disclosure, as will be apparent to those skilled in the software art.
  • the invention may also be implemented by the preparation of application specific integrated circuits or by interconnecting an appropriate network of conventional component circuits, as will be readily apparent to those skilled in the art.
  • the present invention includes a computer program product which is a storage medium (media) having instructions stored thereon/in which can be used to program a computer to perform any ofthe processes ofthe present invention.
  • the storage medium can include, but is not limited to, any type of disk including floppy disks, optical discs, DVD, CD-ROMs, microdrive, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, DRAMs, VRAMs, flash memory devices, magnetic or optical cards, nanosystems (including molecular memory ICs), or any type of media or device suitable for storing instructions and/or data.
  • the present invention includes software for controlling both the hardware ofthe general purpose/specialized computer or microprocessor, and for enabling the computer or microprocessor to interact with a human user or other mechanism utilizing the results ofthe present invention.
  • software may include, but is not limited to, device drivers, operating systems, and user applications.
  • computer readable media further includes software for implementing Node Managers.
  • the existing NM implementation enables the administrator to start and kill Servers remotely from the Administration Console. However, there is no automatic monitoring or restart of these Servers after that.
  • the goal of this release is to improve the availability of these Servers by monitoring them and automatically restarting them if necessary.
  • NM's functionality and information will be exposed to JMX clients via new runtime MBeans.
  • NM will continuously monitor Servers running on the local machine and will automatically detect and restart failed Servers. This detection and restart will 5 occur as soon as NM detects the Server failure.
  • NM will periodically monitor Servers running on the local machine and will automatically detect and restart Failed Servers. This detection and restart will 0 occur as soon as possible after the Server is deemed to be Failed.
  • New Node Manager Runtime MBeans will be provided. They will be hosted on the Admin Server and will offer methods that wrap NM functionality and 5 expose the health information collected by NM.
  • NM will continuously monitor Servers running on the local machine and will automatically detect and restart failed Servers. This detection and restart will 5 occur as soon as possible after the Server failure.
  • NM's actions will be controlled by these parameters:
  • this parameter specifies that it can be restarted RestartMax times within the specified number of seconds. Default is 3600 seconds (60 minutes).
  • this parameter specifies the max # times a
  • This feature has only an administrative interface, and it is via the new parameters described in section 3.2.
  • NM will periodically monitor Servers running on the local machine and will automatically detect and restart Failed Servers. This detection and restart will occur as soon as possible after the Server is deemed to be Failed.
  • NM will periodically check Servers running on the local machine and will 10 automatically detect and restart Failed Servers. This detection and restart will occur as soon as possible after the Server is deemed to be Failed.
  • HealthChecklntervalSeconds ⁇ number of seconds>
  • HealthCheckTimeoutSeconds ⁇ number of seconds>
  • NM will wait for a Server to complete its startup before it (the 25 NM) starts monitoring the Server. This wait time can be specified using the following parameter:
  • HealthCheckStartDelaySeconds ⁇ number of seconds>
  • TM HealthChecklntervalSeconds and HealthCheckTimeoutSeconds and parameters will be defined per NM, and can be specified on the NM command line.
  • AutoKilllfFailedEnabled and HealthCheckStartDelaySeconds parameters will be defined per Server instance and will be modifiable at runtime via the Admin Console. After NM has killed a Failed server, its restartability is controlled by the parameters defined in section 3.2 above.
  • This feature has only an administrative interface, and it is via the new command line arguments described in section 4.2.
  • External administrative clients (3 rd party application monitors, HA frameworks, etc.) need to be able to start and kill Servers using the NM. They should be able to do this programmatically without using the admin console.
  • MBeans will provide a programmatic interface to NM's functionality.
  • NM periodically collects health information on Servers.
  • Internal or external administrative clients e.g., admin console
  • the Admin Server will host the new "NodeManagerRuntimeMBean". There will be one NodeManagerRuntimeMBean per machine in the domain.
  • This MBean will offer methods that wrap NM functionality and expose the health information collected by NM.
  • the ServerLifecycleRuntimeMBean hosted on the Admin Server will use these MBeans internally. They will NOT be exposed to external JMX clients.
  • NodeManagerRuntimeMBean extends WebLogic . management . runtime . RuntimeMBean
  • NodeManagerException if any error occurs.
  • java. io .Reader stopMonitoring (ServerMBean server) throws NodeManagerException;
  • NodeManagerException if any error occurs.
  • java. io. Reader getLogs ServerMBean server, String 0 type) throws NodeManagerException;
  • Get logs from the NM for the specified server The type is either "WL_output” or "WL_enor”.
  • NM for its view of specified server's state. Used when server does not respond to queries to its ServerRuntimeMBean. 0 Will return "Unknown” if NM is either not monitoring or does not have any knowledge ofthe server. Throws NodeManagerException if any error occurs.
  • NM Upon startup, NM reads an on-disk file to retrieve information on Servers it was monitoring during its previous incarnation.
  • NM invokes the NMCommandServlet deployed on the Server. This is an asynchronous Servlet that will return the Server's health information after
  • NM sets it internal value of Server state to "Failed Not Restartable", logs a warning and continues.
  • NM sets its internal value of Server state to "Failed” and kills the Server.
  • NM checks the Server's AutoRestartEnabled parameter. If it is true and less than RestartMax restarts have been done in the current RestartlntervalSeconds window, NM will restart the Server.
  • NM will discover this only in the next iteration of its health-monitoring query. Now, the Server will inform the NM as soon as it has entered a Failed State.
  • JMX clients (like the Admin Console) performed Server lifecycle operations by invoking methods on the Server configuration MBeans. In Acadia, these clients will be accessing the new Server 35 Lifecycle MBeans for this purpose. These new MBeans have a different interface than the Server configuration MBeans.
  • Admin console weblogic.
  • Admin command line utility and other Admin Clients will be effecting these state transitions by invoking methods on the ServerLifecycleRuntimeMBean.
  • ServerLifecycleRuntimeMBean hosted on the Admin Server will invoke the shutdown() method on the corresponding NodeManagerRuntimeMBean. If not, it will invoke the shutdown() method on the ServerLifecycleRuntimeMBean hosted on the Managed Server.
  • ServerLifecycleRuntimeMBean hosted on the Managed Server will return the State attribute of the Server.
  • ServerLifecycleRuntimeMBean hosted on the Admin Server will invoke the getState() method on the ServerLifecycleRuntimeMBean hosted on the Managed Server. If this operation times out, it will then invoke the getState() method on the NodeManagerRuntimeMBean. 6. Diffie-Hellman based Authentication/Encryption scheme
  • All data being sent over the network link between the Admin Server and NM will be encrypted using a new scheme based on the Diffie-Hellman algorithm.
  • the encryption parameters will be negotiated at link establishment time and will depend upon configuration parameters and installed encryption software.
  • the Admin Server and NM will be authenticated with each other using a shared secret based mechanism.
  • _ _ Admin Server begins the communication session.
  • the first configuration parameter is the Minimum encryption level a process will accept. It is expressed as a key length: 0, 40, or 128 bits.
  • the second configuration parameter is the Maximum encryption level a process is willing to support. It also is expressed as a 0, 40, or 128 bit key size. _ For convenience, this document will denote the two parameters as (min, max). So (40, 128) means a process will accept at least 40-bit encryption but desires 128-bit if possible.
  • the first step is for the two processes to agree on the largest common key size supported by both. This negotiation itself need not be encrypted or hidden.
  • a pre-processing step temporarily reduces the maximum key size parameter configured to agree with the installed software's capabilities. This must be done at link negotiation time, because at configuration time it may not be possible to verify a particular machine's installed encryption package. For example, the administrator may configure (0, 128) encryption for an unbooted machine that 10 only has a 40-bit encryption package installed. When the machine actually negotiates a key size, it should represent itself as (0, 40). In some cases this may cause a run-time error; for example (128, 128) is not possible with a 40-bit encryption package.
  • the following table shows how the configured parameters are modified based 15 on which encryption package is installed. This is a local computation that each process performs itself. The result serves as input for the subsequent cross- machine negotiation.
  • Two session keys will be generated for the encrypted network link using the Diffie-Hellman algorithm.
  • One session key will be used for data flowing from the Admin Server to the NM, and the other key will be used for traffic flowing
  • the generated session keys will always be 128-bit.
  • Input parameters to the Diffie-Hellman key agreement algorithm will be fixed (bumed-in to WebLogic software).
  • Admin Server will transmit the parameters it wants to use to the NM. This permits the burned-in parameters to be changed in future releases.
  • Diffie-Hellman session key agreement also requires a cryptographically secure pseudo-random number source.
  • the seed value for the pseudo-random number generator must contain a large amount of unpredictable data, so that a
  • the 128-bit session key produced by Diffie- Hellman should be used for RC4 bulk encryption.
  • 88 bits must be 25 disclosed in the clear in one of the link establishment messages. This allows an attacker to conduct a 40-bit brute-force key search. Security is better than with a simple 40-bit key, because the 88-bits act as salt and prevent an attacker from using pre-computed lookup tables.
  • a network attacker may not be permitted to defeat the 88-bit disclosure requirement by tampering with packets or deleting packets:
  • Admin Server will generate a log error message and terminate the connection.
  • Admin Server and NM will be authenticated using a shared secret, as follows:
  • Admin Server will generate a 64-bit random number ( challenge ). It will then DES-encrypt the challenge and the fingerprint using its password as the key and send this to the NM.
  • NM will decrypt the received message with the Admin Server s password. If the fingerprints don t match, it will reject the authentication request. • NM will generate a 64-bit session key. NM will then DES-encrypt the previously-received challenge, the generated session key and the fingerprint using its password as the key and send this to the Admin Server.
  • Admin Server will decrypt the received message with the NM s password. It will check the received challenge and fingerprint with its local values. If either doesn t match, it will reject the authentication request. If the above sequence is completed successfully, Admin Server and NM will be considered authenticated with each other. 6.3 External Interface Requirements
  • WebLogic.management.enableChannelBinding is set to 1.
  • the utility WebLogic.wtc.gwt.genpasswd will be used to encrypt NM passwords to be stored in the configuration file.
  • nodemanager.password ⁇ string> the NM s password.
  • WebLogic.nodemanager.enableChannelBinding is set to 1. These new arguments will be modifiable at runtime via the Admin Console.
  • an alternate type of node manager architecture is used.
  • the alternate node manager may be operable to acheive at least the following functions:
  • MS Managed Svrs
  • AS Admin Svr
  • HM HealthMonitoring
  • - can be hosted either by AS or individual NMs
  • NM may be the OS service on NT and Solaris

Abstract

A Node Manager (12) monitors the status of multiple servers (220). The Node Manager detects server failures (230), periodically monitors server health status (340), and performs server maintenance. When the Node Manager detects a server failure, it determines whether the server should be restarted (240). While periodically monitoring servers, the Node Manager may determine how often to trigger a health check, how long to wait for a response, and how to proceed if the server is deemed failed (360). The Node Manager may be controlled by an Administrative Server directly or by an external administrative agent. An administrative agent may control the Node Manager by interfacing with the Administrative Server. The Node Manager and AS may authenticate each other and encode their communications to each other for increased security.

Description

ECS NODE MANAGER FOR ENSURING HIGH AVAILABILITY SERVER AND APPLICATION
Claim to Priority
[0001] The present application claims the benefit of priority under 35 U.S.C. §119(e) to U.S. Provisional Patent Application entitled "ECS NODE MANAGER FOR ENSURING HIGH AVAILABILITY SERVER AND APPLICATION", Patent Application No. 60/359,009, filed on February 22, 2002, which application is incorporated herein by reference.
Copyright Notice [0002] A portion ofthe disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone ofthe patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
Cross Reference to Related Applications [0003] The present application is related to the following United States Patents and Patent Applications, which patents/applications are assigned to the owner of the present invention, and which patents/applications are incorporated by reference herein in their entirety: [0004] United States Patent Application No. 10/339,469, entitled "METHOD FOR AUTOMATIC MONITORING OF MANAGED SERVER HEALTH", filed on January 9, 2003, currently pending, which claims priority to provisional United States Patent Application entitled "ECS NODE MANAGER FOR ENSURING HIGH AVAILABILITY SERVER AND APPLICATION", Patent Application No. 60/359,009, filed on February 22, 2002; [0005] United States Patent Application No. 10/338,981, entitled "METHOD FOR EVENT TRIGGERED MONITORING OF MANAGED SERVER HEALTH", filed on January 9, 2003, currently pending, which claims priority to provisional United States Patent Application entitled "ECS NODE MANAGER FOR ENSURING HIGH AVAILABILITY SERVER AND APPLICATION", Patent Application No. 60/359,009, filed on February 22, 2002; and [0006] United States Patent Application No. 10/339,144, entitled "SYSTEM FOR MONITORING MANAGED SERVER HEALTH", filed on January 9, 2003, currently pending, which claims priority to provisional United States Patent Application entitled "ECS NODE MANAGER FOR ENSURING HIGH AVAILABILITY SERVER AND APPLICATION", Patent Application No. 60/359,009, filed on February 22, 2002; [0007] United States Patent Application No. 10/340,496, entitled "METHOD FOR INITIATING A SUB-SYSTEM HEALTH CHECK", filed on January 10, 2003, currently pending, which claims priority to provisional United States Patent Application entitled "Server Self-Health Monitor", Patent Application No. 60/359,010, filed on February 22, 2002; [0008] United States Patent Application No. 10/340,227, entitled "METHOD FOR MONITORING A SUB-SYSTEM HEALTH ", filed on January 10, 2003, currently pending, which claims priority to provisional United States Patent Application entitled "Server Self-Health Monitor", Patent Application No. 60/359,010, filed on February 22, 2002; and
[0009] United States Patent Application No. 10/340,002, entitled "SYSTEM FOR MONITORING A SUBSYSTEM HEALTH", filed on January 10, 2003, currently pending, which claims priority to provisional United States Patent Application entitled "Server Self-Health Monitor", Patent Application No. 60/359,010, filed on February 22, 2002.
Field of the Invention [0010] The present invention relates generally to managing a network of servers, and more particularly to monitoring the health of a network of servers.
Background of the Invention [0011] As computer and computer systems have evolved over the years, the processes they implement have evolved in their complexity. One approach to implementing computer processes to solve more complex problems is to assign a number of computers to handle different parts of a process. Each part or task may be handled by different computers, computer objects, applications, or servers, hereafter referred to collectively as servers. These servers make up a distributed network. Within the network, different servers may handle functions such as management, data base maintenance, accessibility, server boot-up, shutdown, and so forth.
[0012] Servers within a distributed network perform transactions with other servers and use resources within the system. As the servers require the use of other servers and resources, the operability and reliability ofthe servers become more important. If a server fails while performing a task, it may affect other servers and resources that were tied up in transactions with the server at the time of its failure. Whether a server has failed completely or the server's condition has degraded is important information to a network. Thus, it is important to know the status of a server in order to maintain the health ofthe server and the network in which it operates. A maintenance system should be able to require a server to provide health information and be able to maintain or correct servers not operating properly.
[0013] What is needed is a system for monitoring and inquiring into the health of a server and for taking corrective action if deemed appropriate.
Summary of the Invention [0014] In one embodiment ofthe present invention, a Node Manager (NM) monitors the status of multiple servers. The NM detects server failures, periodically monitors server health status, and performs server maintenance. When the NM detects a server failure, it determines whether or not the server is restartable. If the server is restartable, the NM checks to see if any other conditions exist that limit the server from being restarted. If no other conditions exist, the server is restarted. If the failed server is not restartable or other conditions exist preventing the server from being restarted, the failed server is not restarted.
[0015] In another embodiment ofthe present invention, the NM periodically monitors the health of a server whether or not the NM detects a server failure. This process begins when the NM makes a health query to a server. Then, the NM waits for a server response containing the server's health information. If the server replies that it is healthy, the NM continues to monitor the server. If the server's reply indicates the server's health is degenerate or the server does not reply at all, the NM presumes the server has failed. The NM may wait a specified period of time before deciding the server has failed to respond to a query. Once a server is deemed failed, the NM then determines whether to terminate the server.
[0016] The NM may be controlled by parameters located within the NM or Administration Server (AS). The parameters may be burned into system software or modified at runtime. In another embodiment, the NM may be controlled by an external administrative agent. An administrative agent may control the NM by interfacing with the AS. For increased security, the NM and AS may authenticate each other and encode their communications between each other. Brief Description of the Drawings
[0017] FIG. 1 is a block diagram of several nodes having servers in a self health monitoring system in accordance with one embodiment ofthe present invention.
[0018] FIG. 2 is a diagram showing the operation ofthe automatic monitoring system of a Node Manager in accordance with one embodiment ofthe present invention.
[0019] FIG. 3 is a diagram showing the operation of a health monitoring and corrective action system of a Node Manager in accordance with one embodiment ofthe present invention.
[0020] FIG. 4 is a diagram showing the operation of a managed server in a health monitoring system in accordance with one embodiment ofthe present invention.
[0021] FIG. 5 is a diagram showing an encryption method for a self health monitoring system in accordance with one embodiment ofthe present invention.
Detailed Description
[0022] A self health monitoring system may be composed of several nodes. A node may be a single physical machine or take some other form. In one embodiment ofthe present invention, each node has a Node Manager (NM), an Administration Server (AS), and several other managed servers or server instances. The AS and NM may send and transmit messages to each other. The
NM may also send and transmit messages with the other servers located on the node.
[0023] In one embodiment, the NM performs two primary functions. First, the NM automatically detects and restarts failed servers. The NM continually monitors servers running on the local machine. Upon detecting a server has failed, the NM will automatically restart the failed server. The server restart may occur as soon as the NM detects the server failure. Secondly, the NM periodically monitors and restarts failed or degenerate servers. The NM will periodically monitor servers running on the local machine. When the NM detects that a server is less than healthy, the NM may restart the server depending on server parameters and the condition ofthe server. In one embodiment, runtime Java MBeans hosted on the AS are used in conjunction with the NM to achieve these functions. The runtime Java MBeans offer the functionality of the NM and the health information acquired by the NM to clients in a programmatic manner.
[0024] FIG. 1 depicts a self health monitoring system 100 in accordance with one embodiment ofthe present invention. As shown, system 100 includes a first node 10, a second 20, and a third node 30. Each node may contain an AS 11, 21, and 31, and an NM 12, 22, and 32, respectively. In each node, the AS communicates with the NM. In one embodiment ofthe present invention, the AS and the NM communicate through a (SSL) secure socket layer connection. Each node also contains at least one managed server. In one embodiment, these managed servers may be composed of server instance processors or logic servers all located on one hardware machine. Hereinafter, the term "server" shall be understood to include server instance processors, server instance logic, and other managed servers. A node may be one physical machine with servers that communicate with other servers on the same machine. As shown in FIG. 1 , node 10 includes servers 13-15, node 20 includes servers 23-25, and node 30 includes servers 33-35. An NM may communicate with the servers within the particular NM's node. For example, NM 12 can communicate with servers 13, 14, 15, all within node 10. In one embodiment, the NM communicates with the servers within its node through a secure socket layer connection.
[0025] In accordance with one embodiment ofthe present invention, the operation of an automatic monitoring system for detecting failed servers in the self health monitoring system of FIG. 1 is shown in flow chart 200 of FIG. 2 and described as follows. The operation of an NM starts at step 205. Next, the NM undergoes start-up and configuration operations in step 210. In one embodiment ofthe present invention, the NM receives instructions from an AS at start-up. The AS may instruct the NM to start an instance on a local machine. The AS may also instruct the NM to provide information to the AS regarding servers previously monitored during previous monitoring periods by the NM. The NM may assume that all ofthe monitored servers are alive upon NM startup and sets each server state to "unknown". In step 220, the NM begins monitoring a server. In one embodiment, the server is monitored over an SSL connection established with the server. In another embodiment, the server is monitored over a plain text protocol connection or some other type of connection.
[0026] The NM determines if a server has failed in step 230. In one embodiment, the server failure is detected by a breakdown ofthe connection between the NM and the server. In these embodiments, the NM monitors the server by confirming the integrity ofthe connection between the NM and the server. When the server being monitored dies, the NM is notified accordingly. In one embodiment, the NM receives an IOException error when the server dies. The integrity ofthe connection may also be verified in other ways, all considered within the scope ofthe invention. If the NM does not detect a failed server, operation ofthe system returns to step 220 to continue monitoring the server.
[0027] If the NM does detect a failed server in step 230, the NM will determine if the server is restartable in step 240. In one embodiment, a restart parameter specifies whether the server should be restarted upon detecting a server failure. The restart parameter may reside on the server, the NM, or in some other memory location. The parameter may be defined per server instance or for a number of servers. The parameter may also be modifiable at runtime though commands issued through the AS. If the server is not restartable, operation continues to step 250 and the server is not restarted. In one embodiment, a message is written to a log file indicating that the server is not restartable and no further action is taken by the NM towards the failed server. Once the event is recorded, the process ends at step 260 and the NM ceases monitoring the failed server. Though no further action is performed on the server at step 260, the server may be monitored again beginning at step 220 if the server is restarted or at step 205 if the NM is restarted.
[0028] If the server is deemed restartable in step 240, operation ofthe system continues to step 270. At step 270, the system checks to confirm that no other conditions exist to prevent the server from being restarted. If at step 270 any conditions exist preventing a server restart, then system operation proceeds to step 275. In step 275, an action or inaction is taken to address the condition that is preventing the server from being restarted. The action or inaction may be taken by either the NM, AS, or some other server. After the condition is addressed in step 275, the system determines whether the condition is satisfied in step 280. If the condition is not satisfied in step 280, operation returns to step 275. If the condition is satisfied in step 280, operation continues to step 270. In one embodiment ofthe present invention, operation continues from step 275 to step 270 whether the condition is satisfied or not. In yet another embodiment of the present invention, the NM will check to see if the server may be restarted after each time a restart is considered in step 270. In this embodiment (not shown), operation continues from step 275 or step 280 to step 240. In any case, the results of step 280 may be recorded in a log or memory as either condition satisfied, condition not satisfied, or some other message. If at step 270 the conditions are satisfied, then operation continues to step 290. [0029] In one embodiment, system conditions may exist at step 270 that limit the server to a maximum number of restarts allowed during a period of time. In this case, parameters may control the maximum number of server restarts permitted within the period of time and the length ofthe time period. The number of actual restarts for a particular server may be indicated by a restart counter. If at step 270, the value in the maximum restarts allowed parameter is larger than the restart counter, then the maximum number of restarts has not occurred during the current time period and the process continues to step 290. If the restart counter value is larger than the maximum number of server restarts permitted within the particular time period, then operation continues to step 280. Operation ofthe system may remain at step 280 until the current time period has elapsed. Once the time period has elapsed, the restart counter is reset to zero and the time period begins again. The system then continues to step 270. At step 270, the restart counter is again compared to the maximum number of restarts parameter and operation continues accordingly. In another embodiment, system operation will continue past step 280 even though the maximum start parameter has been exceeded. In this case, a message is logged regarding this event and operation continues. System operation in this embodiment will consist of a loop between step 270 and step 280 until the time period has elapsed and the restart counter is reset to zero. [0030] At step 290, the server is restarted. Then, the NM, server, or AS may perform actions or process events. In one embodiment, the server restart counter is incremented. In another embodiment, certain server parameters may be configured to take effect upon the next server incarnation. [0031] Parameters determine how a NM is to act upon detecting server failure. Examples of these parameters in one embodiment ofthe present invention are shown below. These parameters can be defined per server instance and modified at runtime via the Admin Console.
AutoRestartEnabled = < true | false >
[0032] This parameter specifies whether the servers are restartable or not. In one embodiment, the default is true.
[0033] RestartlntervalSeconds = <number of seconds>
[0034] If a Server is restartable, this parameter specifies that it can be restarted
RestartMax times within the specified number of seconds. In one embodiment, the default is 3600 seconds (60 minutes). RestartMax = <number> [0035] If Servers are restartable, this parameter specifies the max # times a
Server can be started within the period specified by RestartlntervalSeconds. In one embodiment, the default is 2.
[0036] Certain methods implemented in Java may be used to access or modify the parameter examples listed above. Examples of these methods include boolean getAutoRestartEnabled(), void setAutoRestartEnabled(boolean), int getRestartlntervalSecondsO, void setRestartlntervalSeconds(int), int gefRestarfMaxQ, and void setRestartMax(int). [0037] In addition to detecting the failure of a server, the NM may monitor the health of a server or perform maintenance on a server. The NM may monitor server health or perform server maintenance without detecting a change or degradation in the health status of the server. Server maintenance and monitoring may be performed simultaneously on multiple servers at any time. The simultaneous monitoring and maintenance may be synchronous or asynchronous. The operation of a system for monitoring the health of a server with a NM in accordance with one embodiment of the present invention is shown in diagram 300 of FIG. 3 and described as follows. Health monitoring system operation 300 starts off with a start step 310. Next, the system determines whether the NM should begin monitoring a server in step 320. If the system determines the NM should monitor the particular server, operation continues to step 330. If the system determines the particular server should not be monitored at the current time, the NM will not monitor the current server. In one embodiment, a server will not be monitored until a period of time has passed since the server has been restarted. In this case, a monitor delay parameter will determine the period of time the NM shall wait before monitoring the restarted server. The delay parameter may be stored by the AS, NM, or the server itself. The delay parameter may correspond to a particular server or several servers. In one embodiment ofthe present invention, the value ofthe delay parameter may be modified at server runtime. [0038] Next, the NM determines if a health check is triggered for a particular server in operation 330. A health check may be triggered by an internal event in the NM. In another embodiment, the health check is triggered by an external event occurring outside the NM, the occurrence of which is communicated to the NM. In one embodiment, a health check is triggered for a server after a period of time has elapsed. In this case, a health check interval parameter may specify a period of time. The expiration of the time period specified by the interval parameter will trigger a health check for a server. In one embodiment, an interval parameter corresponds to a single server. In another embodiment, an interval parameter corresponds to several servers. In any case, the interval parameter may be modified at server runtime. If a health check is not triggered in step 330, the system continues in a standby state waiting for a triggering event to occur regarding a particular server. If a health check triggering event does occur, system operation continues to step 340.
[0039] In step 340, the NM queries a server for it's health status. In one embodiment of the present invention, the NM invokes a Java servlet located on the server to return the server's health status to the NM. This Java servlet is an asynchronous servlet that will return the server's health information upon the occurrence of a particular event. In one embodiment, the event is the elapse of a period of time. The NM may inquire about the server's health status by communicating with the server itself or a server self health monitor application running on the server. The query may be transmitted over a TCP connection established between the NM and server or in some other manner. After querying the server for it's health status, the NM determines if a response is received from the server in step 350. In one embodiment, there are at least three possible response scenarios between the NM and the server subject to the NM's inquiry. In the first scenario, the server may be unable to receive the NM's query. The server may be too busy to accept a connection from the NM. In another scenario, the server may have failed and be unable to accept an NM connection request. In either case, the NM may throw an IOException and consider the server as "failed". The NM would then set an internal value of the server state to "failed". In the final scenario, no response is received from the server although the NM and server have established an initial connection. In this case, the NM will wait for a response from the server for a specified period of time. In one embodiment, a timeout parameter may specify the period of time the NM will wait for a response from the server. Until the length of time specified in the timeout parameter has transpired, the NM will continue to wait for a response as indicated in the loop of steps 350 and 360. If the NM has not received a response from the server in step 350 and the NM has determined not to wait any longer to receive a response in operation 360, operation continues to step 370 where the server is deemed failed. In one embodiment, the NM may attempt to inquire about the delay of the response or resend a health inquiry to the server before proceeding from to 370. In this embodiment, the NM may proceed to step 350, 360, or 380 depending on the result of the delay inquiry or the health inquiry.
[0040] If the NM does receive a response in step 350, operation flows to step 380 where the NM interprets the server's response. The NM interprets the server's response to determine if the server is healthy. If the NM determines the server is healthy from the response received by the server, operation flows to step 330 where the NM waits for another health check to be triggered. If the NM determines that the server is not healthy in step 380, operation continues to step 370. In step 370, the NM deems the server has failed. In one embodiment, the NM sets a parameter indicating the state of the particular server to "failed". The parameter may be stored internally within the NM, in the AS, or at some other memory location. Once deemed failed, operation continues to step 390 where the NM determines whether to terminate the server. In one embodiment, the NM contains an auto-terminate parameter. The auto-terminate parameter may relate to a single server or multiple servers at once. A user may set a value for the auto-terminate parameter or the parameter may be preset by the system. If the auto-terminate parameter indicates the server should not be terminated upon server failure, then operation continues to step 396. In one embodiment of the present invention, the system enters a message in a log indicating the failed status of the server and that the server is not to be restarted. After step 396, system operation proceeds to step 330. If the auto-terminate parameter indicates the server should be terminated upon server failure in step 390, then operation continues to step 392. The failed server is terminated in step 392. In one embodiment of the present invention, an entry is made to a log indicating the server is deemed failed and that the server was terminated. Monitoring of the terminated server ends in step 394. Once the server is terminated, the automatic detection system of FIG. 1 may detect the terminated server at step 230. The NM may then proceed to determine whether to restart the server as shown in FIG. 1. [0041] In one embodiment of the present invention, certain parameters will control how the server periodically checks the servers running on the local machine. Examples of parameters controlling the check are shown below.
HealthChecklntervalSeconds = <number of seconds> [0042] This parameter specifies the interval of time (in seconds) between which periodic scans are done by NM to check if Servers are Failed. In one embodiment, the default is 180 seconds.
[0043] HealthCheckTimeoutSeconds = <number of seconds>
[0044] This parameter specifies the length of time (in seconds) the Node Manager will wait for a response to the health check query after which it will deem the monitored server Failed. In one embodiment, the default is 60 seconds.
[0045] AutoKilllfFailedEnabled = < true | false >
[0046] T g parameter specifies if a Server is deemed Failed, this parameter will control whether NM will kill the Server or not. In one embodiment, the default is false.
[0047] HealthCheckStartDelaySeconds = <number of seconds>
[0048] The time that a server takes to startup depends upon the applications being deployed on it. The NM will wait for a server to complete its startup before the NM starts monitoring the server. This parameter specifies the length of time (in seconds) the NM will wait before starting its monitoring of the server. In one embodiment, the default is 120 seconds.
[0049] The HealthChecklnterval Seconds and HealthCheckTimeoutSeconds and parameters can be defined per NM and on the NM command line. The AutoKilllfFailedEnabled and HealthCheckStartDelaySeconds parameters can be defined per server instance and can be modified at runtime via the Admin Console. These new parameters for the Server will be modifiable at runtime via the Admin Console. In conjunction with the parameter examples above, methods implemented in java code can be added to the server MBean and may be used to access or modify the parameters. Examples of these java methods include boolean getAutoKillIfFailedEnabled(), void setAutoK-illlfFailedEnabled(boolean), int getHealthCheckStartDelaySeconds(), and void setHealthCheckStartDelaySeconds (int sees). [0050] In one embodiment, the NM may allow its functionality and access to server health information to become available to external administrative clients. External administrative clients such as third party application monitors and high availability frameworks may need to be able to start and kill servers using the functionality ofthe NM. In one embodiment ofthe present invention, this is done programmatically with runtime MBeans. Use of an admin console is not required. The MBeans provide a programmatic interface to the NM's functionality. Further, the MBeans allow the NM's record of a server's health to be shared. Internal or external administrative clients may use the MBeans to access server health information collected by the NM. In one embodiment, the AS hosts [one]a NodeManagerRuntime MBean that provides methods to accomplish different tasks. Each machine may have one such MBean. [One task may involve starting a specified server.] In one embodiment, the AS may have methods according to the examples shown below. java.io.reader start(serverMBean server) throws
NodeManagerException; [0051] This method starts the specified server. It then returns the reader to local log file containing output of executed command. The method throws NodeManagerException if any error occurs. java.io.reader starlnStandby (serverMBean server) throws
NodeManagerException; [0052] This method starts the specified server in Standby Mode. It then returns the reader to local log file containing output of executed command. The method throws NodeManagerException if any error occurs. java.io.Reader shutdown (ServerMBean server) throws
NodeManagerException; [0053] This method shuts down the specified server. It then returns the reader to local log file containing output of executed command. The method throws NodeManagerException if any error occurs. java.io.reader kill(ServerMBean server) throws
NodeManagerException; [0054] This method kills specified server. It is used to kill the server process when the server does not respond to shutdown operation. It then returns the reader to local log file containing output of executed command. The method throws NodeManagerException if any error occurs. java.io.reader startMonitoring (ServerMBean server) throws
NodeManagerException;
[0055] This method instructs the NM to start monitoring the specified server. The NM will automatically restart the server if it crashes (if auto restartEnabled is set to true) or gets into failed state (if AutoKilllfFailedEnabled and
AutoRestartEnabled are set to true). It then returns the reader to local log file containing output of executed command. The method throws
NodeManagerException if any error occurs. java.io.reader stopmonitoring (serverMBean server) throws NodeManagerException; [0056] This method instructs the NM to stop monitoring the specified server. It then returns the reader to local log file containing output of executed command. The method throws NodeManagerException if any error occurs. java.io.Reader getlogs(Server MBean server, String type) throws NodeManagerException; [0057] This method get logs from the NM for the specified server. The type is either "WL_output" or "WL_Error". It then returns the reader to local log file containing output of executed command. The method throws
NodeManagerException if any error occurs. string get state (ServerMBean server) throws NodeManagerException;
[0058] This method queries the NM for its view of the specified server state. It is used when the server does not respond to queries to its ServerRuntimeMBean. The method will return "unknown" if NM is either not monitoring the server or does not have any knowledge of the server. It then returns the reader to local log file containing output of executed command. The method throws NodeManagerException if any error occurs. [0059] In another embodiment, MBeans may provide an interface for JMX clients to access the functionality ofthe NM. In this case, the MBeans for JMX client interfacing may have a different interface than the Server configuration MBeans. Operations such as "start" and "shutdown" may return precise information on their success or failure. They will throw an exception if the operation fails. All operations on the Node Manager Runtime MBeans may be blocking. A TaskMBean interface may be provided around the Server Lifecycle MBeans to provide an asynchronous interface to JMX clients. JMX clients can make use of the NM functionality to perform a wide variety of Server lifecycle and health monitoring control operations. Detailed below are the interactions between these two entities during each of the Server Lifecycle state transitions. Admin console, weblogic.Admin command line utility and other Admin Clients will be effecting these state transitions by invoking methods on the ServerLifecycleRuntimeMBean. [0060] startQ [SHUTDOWN -> RUNNING] startlnStandbyO [SHUTDOWN -> STANDBY] [0061] ServerLifecycleRuntimeMBean hosted on the Admin Server will invoke the start() or startlnStandbyO methods on the corresponding NodeManagerRuntimeMBean.
[0062] shutdown() [STANDBY -> SHUTDOWN]
[0063] j a srj j js configured, ServerLifecycleRuntimeMBean hosted on the Admin Server will invoke the shutdown() method on the corresponding NodeManagerRuntimeMBean. If not, it will invoke the shutdown() method on the ServerLifecycleRuntimeMBean hosted on the Managed Server. [0064] getState()
[0065] ServerLifecycleRuntimeMBean hosted on the Managed Server will return the State attribute of the Server. ServerLifecycleRuntimeMBean hosted on the Admin Server will invoke the getState() method on the ServerLifecycleRuntimeMBean hosted on the Managed Server. If this operation times out, it will then invoke the getState() method on the NodeManagerRuntimeMBean. [0066] The operation of a server that is monitored by a NM in accordance with one embodiment ofthe present invention is shown in diagram 400 of FIG. 4 and described as follows. The operation of flow chart 400 starts off with a start step 410. Next, the server is initialized in step 420. In one embodiment, the NM and the server establish a connection as part of the server initialization. While establishing the connection and initializing the server, the NM may pass the NM's listening address to the server. In one embodiment, server initialization includes the server initializing and running a program that monitors its health and interfaces with query attempts from the NM and other sources. Once a connection between the NM and the server is established and the server is initialized, the server may send a message to the NM indicating the server experienced a successful start up. [0067] After initialization, the server listens for an inquiry regarding the server's health status in step 430. The health status inquiry may come from the NM or an external administrative agent. If no health status inquiry is received, the server continues to listen for an inquiry as shown in FIG. 4. If a health status inquiry is received, operation continues to step 440. In step 440, the server performs a self health check on itself. Next, the results of the health check are transmitted by the server in step 450. In one embodiment, the results are transmitted to the NM or the AS. In another embodiment, the results are transmitted according to the instructions of an external administrative agent. The administrative agent may have the results sent to the agent itself or some other entity. After transmitting the results of the self health inquiry, operation of the server returns to step 430 where the server listens for a health status inquiry. In one embodiment, if at any point the server fails, the server will inform the NM as soon as it enters a failed state.
[0068] The communication between the NM and the AS may be encoded to increase the integrity of the system. In one embodiment of the present invention, the communication may be encoded according to a Diffie-Helman based Authentication and Encryption scheme. The encryption parameters may be negotiated at link establishment time and depend upon configuration parameters and installed software. A flow chart showing the operation of a Diffie-Helman based Authentication and Encryption scheme 500 in accordance with one embodiment of the present invention is shown in FIG. 5. The operation starts at step 505. Next, the connection between the AS and NM is established in operation 510. In one embodiment, the connection between the AS and the NM is initialized by the AS. Once the connection has been initialized by the AS, the NM receives the initial connection. Next, the encryption key size is determined in step 520. In one embodiment, the encryption key size is determined by a negotiation between the AS and the NM. The AS and NM each have a minimum key length parameter and maximum key length parameter. The pair for each of the NM and AS is denoted as (min, max). The minimum key length parameter is the minimum encryption level a process will support. The maximum key length parameter is the maximum encryption level a process is will support. In one embodiment, the possible key lengths are 0, 40, or 128 bits. The AS and NM will negotiate a connection that uses an encryption level as high as the lowest maximum key length between the NM and AS, but no lower than the highest minimum key length between the NM and AS. For example, if the AS has key length parameters of (0, 128), and the NM has key length parameters of (40, 128), the connection may have a key length of 40 or more preferably 128 bits. The key length may not be 0 bits because the NM has a minimum key length parameter of 40 bits. Once the key length for the connection has been established, the key length is in effect for the lifetime of the connection between the AS and NM. In one embodiment, the maximum key length parameter may be reduced by the capabilities of software installed on the NM or the AS. If the minimum key length parameter for either the AS or NM is higher than the maximum key length parameter for the other of the AS or NM, then no overlap exists in key length parameters. If there is no overlap in key length parameters, the established link will fail and an appropriate error message is logged. In one embodiment, command line arguments may be used to specify the minimum encryption level parameter and maximum encryption level parameter.
[0069] After the key size is determined, the session keys are generated in step 530. In one embodiment, a first session key is used for transmitted data from the AS to the NM and a second session key is used from for data transmitted from the NM to the AS. In one embodiment of the present invention, the session keys are 128 bits. The input parameters to the Diffie-Hellman key agreement algorithm may be fixed or generated. In one embodiment, the input parameters are fixed into software existing on the server network and accessible to the AS. The AS server may transmit the fixed input parameters to the NM. The Diffie-Hellman algorithm also requires the generation of a random number. In one embodiment, the random number is generated from a cryptographically secure pseudo-random number source. An RC4 bulk encryption method may be used as the encryption method for the link. The details of generating a session key using the Diffie-Hellman algorithm are generally known in the art and therefore not described here in detail.
[0070] Once the session keys are generated in step 530, the NM and AS may engage in an authentication process at step 540. In one embodiment, both the NM and AS are authenticated using a shared secret. One method of authenticating both the NM and AS in accordance with the present invention is as follows. First, both the NM and AS will generate a fingerprint. In one embodiment, the fingerprint may be a 128 bit MD5 message digest created using the send and receive session keys already negotiated. Next, the AS will generate a challenge, encrypt the challenge and fingerprint, and send the encrypted challenge and fingerprint to the NM. In one embodiment, the challenge may be a 64 bit random number. Next, the NM will receive and decrypt the challenge and fingerprint from the AS. The information may be encrypted and decrypted using the AS's password. If the information received by the NM is decrypted and does not match the NM's fingerprint, the NM will reject the authentication request by the AS. Next, the NM will encrypt the challenge received from the server, the session key generated by the NM, and the fingerprint generated by the NM. The NM will then send the encrypted challenge, session key, and fingerprint to the AS. The AS will receive and decrypt the information received from the NM. Upon decrypting the received information, the AS will compare the received challenge and fingerprint to it's own challenge and fingerprint. If either the fingerprints or the challenges do not match, the AS will reject the authentication request from the NM. If the comparisons performed by the AS and NM reveal matching information, then the authentication requests will be accepted. The encryption and authentication process then ends at step 550. The encryption by the AS and NM may be done using a DES encryption method or some other method suitable for the particular requirements ofthe system. [0071] In one embodiment, new command line arguments are specified for the AS and NM regarding AS/NM communication encryption and authentication. These new arguments can be modified at runtime via the Admin Console. Arguments specified for the AS may include the examples listed below. WebLogic.management.minEncryptionBits = <number> [0072] This argument specifies the minimum encryption level the process will accept. Possible values are 0, 40, 128. In one embodiment, the default value is 0.
WebLogic.management.maxEncryptionBits = <number> [0073] This argument specifies the maximum encryption level the process will accept. Possible values are 0, 40, 128. In one embodiment, the default value is 128.
WebLogic.management.enableChannelBinding = 0 | 1 [0074] This argument sets an Authentication Protocol. In one embodiment, the a value of 1 enables the Authentication Protocol and the default is 0. WebLogic.management.passwordKey = <string>
[0075] This argument specifies the key to be used to decrypt the encrypted NM passwords stored in the configuration file. The key must be specified if
WebLogic.management.enableChannelBinding is set to 1.
[0076] The utility WebLogic.wtc.gwt.genpasswd will be used to encrypt NM passwords to be stored in the configuration file.
[0077] Arguments specified for the NM may include the examples listed below. WebLogic.nodemanager.minEncryptionBits = <number>
[0078] This argument specifies the minimum encryption level the process will accept. Possible values are 0, 40, 128. In one embodiment, the default value is
0.
WebLogic. nodemanager.maxEncryptionBits = <number> [0079] This argument specifies the maximum encryption level the process will accept. Possible values are 0, 40, 128. In one embodiment, the default value is
128.
WebLogic.nodemanager.enableChannelBinding = 0 | 1
[0080] This argument sets an Authentication Protocol enable. In one embodiment, a value of 1 enables the Authentication Protocol and the default is
0.
WebLogic. nodemanager.password = <string>
[0081] This argument specifies the NM password. The NM password must be specified if WebLogic.nodemanager.enableChannelBinding is set to 1. WebLogic.nodemanager.adminServerPassword = <string>
[0082] This argument specifies the Admin Server password. Must be specified if WebLogic.nodemanager.enableChannelBinding is set to 1. [0083] In one embodiment, an alternate NM may have features in addition to those described above. In particular, the alternate NM may function to aggregate administrative actions and information in the NM. The actions and information could then be accessed by third party application monitors and high availability frameworks using standard JMX interfaces. The NM may also achieve internal interactions with the admin console and cluster group leader using standard JMX interfaces.
[0084] In one embodiment, certain services are required by the administrator for the alternate NM to operate properly. One such service is a ProcessControl ("PC") service. The PC service operates to start, kill and restart managed servers on the local node. The service can be hosted by the AS and by the NM on the other nodes. Restart capability is provided to internal and external clients via Runtime MBeans. Another service is the HealthMonitoring ("HM") service. The HS service monitors state and other runtime attributes of managed servers on local or remote nodes. Either the AS or an individual NM can host the HM service. Server health information is provided to internal and external clients via Runtime MBeans.
[0085] The alternate NM has several advantageous characteristics. In one embodiment, some aspects ofthe configuration for the alternate NM are similar to the basic NM ofthe present invention. The alternate NM may be hosted on a stripped-down managed server. In this case, the alternate NM registers as a managed server with the AS. With this configuration, the NM performs startup independently of the AS. Further, no configuration MBeans are required for runtime configuration changes [0086] The alternate NM may include a "watchdog" service. The watchdog service operates to monitor the NM on platforms where operating system monitoring is not available, such as non-NT and Solaris platforms. The watchdog service may be configured to spawn the NM when it performs startup, thereby allowing administrators to manually start just one process. In one embodiment, a system could use a watchdog service to bootstrap the NM service on a local node upon command of an AS. This watchdog service configuration would eliminate manual configuration of the NM on each remote node and allow runtime configuration through configuration MBeans implemented in java. For Solaris and NT systems, the NM may be used as the operating system in one embodiment of the present invention. In this case, the NM may be installed on a node in conjunction with other software and can be started manually. [0087] The alternate NM can be configured to enable its operation to enhance aspects of an entire domain or local node. One NM could be used for an entire domain. This would simplify security in that multiple certificates would not need to be managed. In one embodiment, the NM is the highest release. The alternate NM may be used to aggregate cluster heartbeats for all cluster members on a local node. The cluster members may include managed servers on the local node. The alternate NM may also be configured to operate as a surrogate AS.
[0088] The present invention includes a Node Manager that monitors the status of multiple servers. The NM detects server failures, periodically monitors server health status, and performs server maintenance. When the NM detects a server failure, it determines whether or not the server should be restarted. While periodically monitoring servers, the NM may determine how often to trigger a health check, how long to wait for a response, and how to proceed if the server is deemed failed. The NM may be controlled by an AS directly or by an external administrative agent. An administrative agent may control the NM by interfacing with the AS. The NM and AS may authenticate each other and encode their communications to each other for increased security. [0089] An Appendix is attached to this application containing examples within the scope and spirit ofthe present invention.
[0090] In addition to an embodiment consisting of specifically designed integrated circuits or other electronics, the present invention may be conveniently implemented using a conventional general purpose or a specialized digital computer or microprocessor programmed according to the teachings ofthe present disclosure, as will be apparent to those skilled in the computer art. [0091] Appropriate software coding can readily be prepared by skilled programmers based on the teachings ofthe present disclosure, as will be apparent to those skilled in the software art. The invention may also be implemented by the preparation of application specific integrated circuits or by interconnecting an appropriate network of conventional component circuits, as will be readily apparent to those skilled in the art. [0092] The present invention includes a computer program product which is a storage medium (media) having instructions stored thereon/in which can be used to program a computer to perform any ofthe processes ofthe present invention. The storage medium can include, but is not limited to, any type of disk including floppy disks, optical discs, DVD, CD-ROMs, microdrive, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, DRAMs, VRAMs, flash memory devices, magnetic or optical cards, nanosystems (including molecular memory ICs), or any type of media or device suitable for storing instructions and/or data. [0093] Stored on any one ofthe computer readable medium (media), the present invention includes software for controlling both the hardware ofthe general purpose/specialized computer or microprocessor, and for enabling the computer or microprocessor to interact with a human user or other mechanism utilizing the results ofthe present invention. Such software may include, but is not limited to, device drivers, operating systems, and user applications. Ultimately, such computer readable media further includes software for implementing Node Managers.
[0094] Included in the programming (software) ofthe general/specialized computer or microprocessor are software modules for implementing the teachings ofthe present invention, including, but not limited to, separating planes of a source image, averaging at least one of foreground and background colors, replacing colors, and compensating for error introduced by color replacement in one plane by feeding error into a second plane, storage, communication of results, and reconstructing an image according to the processes ofthe present invention.
[0095] Other features, aspects and objects ofthe invention can be obtained from a review ofthe figures and the claims. It is to be understood that other embodiments ofthe invention can be developed and fall within the spirit and scope ofthe invention and claims.
[0096] The foregoing description of preferred embodiments of the present invention has been provided for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Obviously, many modifications and variations will be apparent to the practitioner skilled in the art. The embodiments were chosen and described in order to best explain the principles ofthe invention and its practical application, thereby enabling others skilled in the art to understand the invention for various embodiments and with various modifications that are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the following claims and their equivalence. Appendix
1 Product Perspective (O)
The existing NM implementation enables the administrator to start and kill Servers remotely from the Administration Console. However, there is no automatic monitoring or restart of these Servers after that.
The goal of this release is to improve the availability of these Servers by monitoring them and automatically restarting them if necessary.
In addition, NM's functionality and information will be exposed to JMX clients via new runtime MBeans. 0
1.1 Product Functions (O)
1.1.1 Automatic detection and restart of crashed servers
NM will continuously monitor Servers running on the local machine and will automatically detect and restart failed Servers. This detection and restart will 5 occur as soon as NM detects the Server failure.
1.1.2 Monitoring and restart of Failed servers
NM will periodically monitor Servers running on the local machine and will automatically detect and restart Failed Servers. This detection and restart will 0 occur as soon as possible after the Server is deemed to be Failed.
1.1.3 Node Manager Runtime MBeans
New Node Manager Runtime MBeans will be provided. They will be hosted on the Admin Server and will offer methods that wrap NM functionality and 5 expose the health information collected by NM.
2 Automatic Detection and Restart of Failed Servers
2.1 Functional Description v NM will continuously monitor Servers running on the local machine and will automatically detect and restart failed Servers. This detection and restart will occur as soon as NM detects the Server failure. 2.2 Functional Requirements
NM will continuously monitor Servers running on the local machine and will automatically detect and restart failed Servers. This detection and restart will 5 occur as soon as possible after the Server failure.
Once a Server failure is detected, NM's actions will be controlled by these parameters:
AutoRestartEnabled = < true | false >
Specifies whether Servers are restartable or not. Default is true.
* " RestartlntervalSeconds = <number of seconds>
If a Server is restartable, this parameter specifies that it can be restarted RestartMax times within the specified number of seconds. Default is 3600 seconds (60 minutes).
RestartMax = <number>
^ If Servers are restartable, this parameter specifies the max # times a
Server can be started within the period specified by RestartlntervalSeconds. Default is 2.
These parameters will be defined per Server instance. They will also be modifiable at runtime via the Admin Console. 0
2.3 Software Interfaces (Javadoc, MBean, Objects, Classes)
This feature has only an administrative interface, and it is via the new parameters described in section 3.2.
These new parameters for the Server will be modifiable at runtime via the 5 Admin Console.
These methods will be added to the weblogic.management.configuration.ServerMBean to access or modify these parameters: boolean getAutoRestartEnabled();
30 void setAutoRestartEnabled(boolean); int getRestartlntervalSecondsO; void setRestartlntervalSeconds(int); int getRestartMaxO; void setRestartMax(int); 5 Monitoring and Restart of Failed Servers
3.1 Functional Description
NM will periodically monitor Servers running on the local machine and will automatically detect and restart Failed Servers. This detection and restart will occur as soon as possible after the Server is deemed to be Failed.
3.2 Functional Requirements
NM will periodically check Servers running on the local machine and will 10 automatically detect and restart Failed Servers. This detection and restart will occur as soon as possible after the Server is deemed to be Failed.
This check will be controlled by these parameters:
HealthChecklntervalSeconds = <number of seconds>
The interval of time (in seconds) between which periodic scans are done 15 by NM to check if Servers are Failed. Default is 180 seconds.
HealthCheckTimeoutSeconds = <number of seconds>
The length of time (in seconds) the Node Manager will wait for a response to the health check query after which it will deem the monitored server Failed. Default is 60 seconds.
20 AutoKilllfFailedEnabled = < true | false >
If a Server is deemed Failed, this parameter will control whether NM will kill the Server or not. Default is false.
The time that a Server takes to startup depends upon the applications being deployed on it. NM will wait for a Server to complete its startup before it (the 25 NM) starts monitoring the Server. This wait time can be specified using the following parameter:
HealthCheckStartDelaySeconds = <number of seconds>
The length of time (in seconds) the Node Manager will wait before starting its monitoring ofthe Server. Default is 120 seconds.
™ HealthChecklntervalSeconds and HealthCheckTimeoutSeconds and parameters will be defined per NM, and can be specified on the NM command line.
AutoKilllfFailedEnabled and HealthCheckStartDelaySeconds parameters will be defined per Server instance and will be modifiable at runtime via the Admin Console. After NM has killed a Failed server, its restartability is controlled by the parameters defined in section 3.2 above.
3.3 External Interface Requirements
3.3.1 Software interfaces (Javadoc, MBean, Objects, Classes) 5
This feature has only an administrative interface, and it is via the new command line arguments described in section 4.2.
These new parameters for the Server will be modifiable at runtime via the Admin Console.
^ These methods will be added to the ServerMBean to access or modify these parameters: boolean getAutoKillIfFailedEnabled(); void setAutoKilllfFailedEnabled(boolean); int getHealthCheckStartDelaySeconds();
* void setHealthCheckStartDelaySeconds(int sees);
4. Node Manager Runtime MBeans
4.1 Functional Description
These MBeans will serve the following purposes:
20 i . Expose NM functionality to external administrative clients
External administrative clients (3rd party application monitors, HA frameworks, etc.) need to be able to start and kill Servers using the NM. They should be able to do this programmatically without using the admin console.
These MBeans will provide a programmatic interface to NM's functionality.
2-> 2. Expose NM's view of Server health
As described in section 4 above, NM periodically collects health information on Servers. Internal or external administrative clients (e.g., admin console) need to be able to access this information.
^ These MBeans will provide an interface to this information. 4.2 Functional Requirements
The Admin Server will host the new "NodeManagerRuntimeMBean". There will be one NodeManagerRuntimeMBean per machine in the domain.
This MBean will offer methods that wrap NM functionality and expose the health information collected by NM.
The ServerLifecycleRuntimeMBean hosted on the Admin Server will use these MBeans internally. They will NOT be exposed to external JMX clients.
4.3 External 1-nterface Requirements
4.3.2 Software Interfaces (Javadoc, MBean, Objects, Classes) public interface NodeManagerRuntimeMBean extends WebLogic . management . runtime . RuntimeMBean
Method Summary java . io.Reader start (ServerMBean server) throws NodeManagerException; starts the specified Server.
Returns Reader to local log file containing output of executed command. Throws NodeManagerException if any error occurs. java. io.Reader startInStandby (ServerMBean server) throws NodeManagerException; starts the specified Server in Standby state.
Returns Reader to local log file containing output of executed command. Throws NodeManagerException if any error occurs. java. io. Reader shutdown (ServerMBean server) throws NodeManagerException; shuts down the specified Server.
Returns Reader to local log file containing output of executed command. Throws NodeManagerException if any error occurs. j ava . io . Reader kill (ServerMBean server) throws NodeManagerException; kills the specified Server. Used to kill the server process when the server does not respond to shutdown operation. Returns Reader to local log file containing output of executed command. Throws NodeManagerException if any error occurs. java. io. Reader startMonitoring (ServerMBean server) throws NodeManagerException; instruct NM to start monitoring the specified server. NM will automatically restart the server if it crashes (if AutoRestartEnabled is set to true) or gets into Failed state (if
AutoKilllfFailedEnabled and AutoRestartEnabled are set to true).
10 Returns Reader to local log file containing output of executed command.
Throws
NodeManagerException if any error occurs. java. io .Reader stopMonitoring (ServerMBean server) throws NodeManagerException;
* ^ Instruct NM to stop monitoring the specified server.
Returns Reader to local log file containing output of executed command. Throws
NodeManagerException if any error occurs. java. io. Reader getLogs (ServerMBean server, String 0 type) throws NodeManagerException;
Get logs from the NM for the specified server. The type is either "WL_output" or "WL_enor".
Returns Reader to log retrieved. Throws NodeManagerException if any error occurs. -* String getState (ServerMBean server) throws NodeManagerException;
Query the NM for its view of specified server's state. Used when server does not respond to queries to its ServerRuntimeMBean. 0 Will return "Unknown" if NM is either not monitoring or does not have any knowledge ofthe server. Throws NodeManagerException if any error occurs.
5.1 Node Manager - Managed Server communication
5.1.1 Health monitoring communication 5 NM will periodically poll the Server to check its health. The algorithm used in this polling is as follows:
1. Upon startup, NM reads an on-disk file to retrieve information on Servers it was monitoring during its previous incarnation.
-* It assumes that all ofthe monitored Servers are alive when it starts up. It assumes no knowledge of their current States (i.e., it sets its view of their State to "Unknown").
2. NM invokes the NMCommandServlet deployed on the Server. This is an asynchronous Servlet that will return the Server's health information after
10 HealthChecklntervalSeconds have elapsed.
3. One ofthe following happens when NM invokes the Servlet:
3.1 IOException is thrown.
* ^ This could mean a number of different things:
_ Server has crashed or is not running
_ Server too busy to accept TCP connection
_ Server has Failed, unable to accept TCP connection
_ Transient IO exception
20 All cases are treated as if Server has Failed. NM sets its internal value of Server state to "Failed".
To handle "false negatives". NM kills the Server.
25 If the Server's AutoKilllfFailedEnabled parameter is "true", NM sets its internal value of Server state to "Failed" and kills the Server.
If AutoKilllfFailedEnabled is false, NM sets it internal value of Server state to "Failed Not Restartable", logs a warning and continues.
30
3.3 Server returns its State value after HealthChecklntervalSeconds.
3.3.1 Server State is Running
No action. 3.3.2 Server State is Failed
If the Server's AutoKilllfFailedEnabled parameter is "true", NM sets its internal value of Server state to "Failed" and kills the Server.
^ If AutoKilllfFailedEnabled is false, NM sets it internal value of Server state to "Failed Not Restartable", logs a warning and continues.
4. In the next iteration, if NM sees that its interval value of Server state is "Failed", it will try to restart the Server.
10 NM checks the Server's AutoRestartEnabled parameter. If it is true and less than RestartMax restarts have been done in the current RestartlntervalSeconds window, NM will restart the Server.
If Server has already been restarted RestartMax times in the current RestartlntervalSeconds window, NM will wait till the next 15 RestartlntervalSeconds window begins before doing another restart.
If AutoRestartEnabled is false, NM will not restart the Server. 5.2.1 Server State transition notifications
When certain transitions occur in the Server's State value, it will inform the NM 20 of them.
This will be particularly useful in the following cases:
_ When the NM starts a Server, there is currently no mechanism to determine if the Server started successfully or not. Now, the Server will inform the NM once it has entered a Standby State.
^^ If a Server fails, NM will discover this only in the next iteration of its health-monitoring query. Now, the Server will inform the NM as soon as it has entered a Failed State.
Passing the NM's listening address to the Server when the latter is starting up will facilitate this communication. 30
Impact on JMX clients
In WLS 6.1, JMX clients (like the Admin Console) performed Server lifecycle operations by invoking methods on the Server configuration MBeans. In Acadia, these clients will be accessing the new Server 35 Lifecycle MBeans for this purpose. These new MBeans have a different interface than the Server configuration MBeans.
Detailed below are the changed semantics:
_ Operations such as "start" and "shutdown" will now return precise information on their success or failure. They will throw an exception if the operation fails. Look at [SLC] for details.
_ All operations on the Node Manager Runtime MBeans are now blocking. A TaskMBean interface is being provided around the Server Lifecycle MBeans to provide an asynchronous interface to JMX clients. The new Server Lifecycle and Node Manager Runtime MBeans provide a rich set of functionality. JMX clients can make use of these to perform a wide variety of Server lifecycle and health monitoring control operations. Look at [SLC] and section 5.2.3 above for details on this. 5.3 NM - Server Lifecycle Interactions
Detailed below are the interactions between these two entities during each ofthe Server Lifecycle state transitions.
Admin console, weblogic. Admin command line utility and other Admin Clients will be effecting these state transitions by invoking methods on the ServerLifecycleRuntimeMBean.
1. startO [SHUTDOWN -> RUNNING] startlnStandbyO [SHUTDOWN -> STANDBY]
ServerLifecycleRuntimeMBean hosted on the Admin Server will invoke the startO or startlnStandbyO methods on the corresponding
NodeManagerRuntimeMBean.
2. shutdown() [STANDBY -> SHUTDOWN]
If a NM is configured, ServerLifecycleRuntimeMBean hosted on the Admin Server will invoke the shutdown() method on the corresponding NodeManagerRuntimeMBean. If not, it will invoke the shutdown() method on the ServerLifecycleRuntimeMBean hosted on the Managed Server.
3. getState()
ServerLifecycleRuntimeMBean hosted on the Managed Server will return the State attribute of the Server. ServerLifecycleRuntimeMBean hosted on the Admin Server will invoke the getState() method on the ServerLifecycleRuntimeMBean hosted on the Managed Server. If this operation times out, it will then invoke the getState() method on the NodeManagerRuntimeMBean. 6. Diffie-Hellman based Authentication/Encryption scheme
A Diffie-Hellman based Authentication/Encryption scheme was proposed as an alternative to the current X.509 Certificates based scheme. After much discussion, it was decided that customers do not require this.
Detailed below is the proposal.
6.1 Functional Description
All data being sent over the network link between the Admin Server and NM will be encrypted using a new scheme based on the Diffie-Hellman algorithm. The encryption parameters will be negotiated at link establishment time and will depend upon configuration parameters and installed encryption software.
The Admin Server and NM will be authenticated with each other using a shared secret based mechanism.
6.2 Functional Requirements
6.2.1 Concepts and Definitions
_ Admin Server begins the communication session.
_ A NM receives the initial connection.
_ Both processes are aware of the encryption feature, and have two configuration parameters. _ The first configuration parameter is the Minimum encryption level a process will accept. It is expressed as a key length: 0, 40, or 128 bits.
_ The second configuration parameter is the Maximum encryption level a process is willing to support. It also is expressed as a 0, 40, or 128 bit key size. _ For convenience, this document will denote the two parameters as (min, max). So (40, 128) means a process will accept at least 40-bit encryption but desires 128-bit if possible.
_ Encryption parameters negotiated are for the lifetime of the communication session. 6.2.2 Encryption Key Size Negotiation
The first step is for the two processes to agree on the largest common key size supported by both. This negotiation itself need not be encrypted or hidden.
5 A pre-processing step temporarily reduces the maximum key size parameter configured to agree with the installed software's capabilities. This must be done at link negotiation time, because at configuration time it may not be possible to verify a particular machine's installed encryption package. For example, the administrator may configure (0, 128) encryption for an unbooted machine that 10 only has a 40-bit encryption package installed. When the machine actually negotiates a key size, it should represent itself as (0, 40). In some cases this may cause a run-time error; for example (128, 128) is not possible with a 40-bit encryption package.
The following table shows how the configured parameters are modified based 15 on which encryption package is installed. This is a local computation that each process performs itself. The result serves as input for the subsequent cross- machine negotiation.
Figure imgf000041_0001
20
Next the two processes jointly agree on the largest key size acceptable to both. It may be that there is no overlap, in which case network link establishment fails (with an appropriate log error message). This table shows the outcome for all possible combinations of min/max parameters:
Figure imgf000042_0001
6.2.3 Session Key Agreement
Two session keys will be generated for the encrypted network link using the Diffie-Hellman algorithm. One session key will be used for data flowing from the Admin Server to the NM, and the other key will be used for traffic flowing
10 in the reverse direction. The generated session keys will always be 128-bit.
Input parameters to the Diffie-Hellman key agreement algorithm will be fixed (bumed-in to WebLogic software). Admin Server will transmit the parameters it wants to use to the NM. This permits the burned-in parameters to be changed in future releases.
15 The actual Diffie-Hellman parameters to burn-in for the first release of this feature are shown in Appendix A.
Diffie-Hellman session key agreement also requires a cryptographically secure pseudo-random number source. The seed value for the pseudo-random number generator must contain a large amount of unpredictable data, so that a
20 network-based attacker cannot iterate through likely seed values.
6.2.6 40-bit Protocol Requirements
If a 40-bit key size is negotiated, the 128-bit session key produced by Diffie- Hellman should be used for RC4 bulk encryption. However, 88 bits must be 25 disclosed in the clear in one of the link establishment messages. This allows an attacker to conduct a 40-bit brute-force key search. Security is better than with a simple 40-bit key, because the 88-bits act as salt and prevent an attacker from using pre-computed lookup tables. A network attacker may not be permitted to defeat the 88-bit disclosure requirement by tampering with packets or deleting packets:
The actual bits disclosed in the clear must be used by the Admin Server. If they do not agree with the locally computed Diffie-Hellman session key, or are not supplied as expected, Admin Server will generate a log error message and terminate the connection.
Both the processes implicitly agree to permute their Diffie-Hellman session key when 40-bit encryption is negotiated, as shown below. This prevents a network attacker from tampering with messages and tricking the Admin Server into a 128-bit session when 40-bit was the NM s negotiation result.
6.2.7 Authentication Protocol
To guard against a Man-in-the-Middle attack, Admin Server and NM will be authenticated using a shared secret, as follows:
• Both processes will generate a 128-bit MD5 message digest ( fingerprint ) using the send and receive session keys negotiated (see Section 6.2.3 above)
• Admin Server will generate a 64-bit random number ( challenge ). It will then DES-encrypt the challenge and the fingerprint using its password as the key and send this to the NM.
• NM will decrypt the received message with the Admin Server s password. If the fingerprints don t match, it will reject the authentication request. • NM will generate a 64-bit session key. NM will then DES-encrypt the previously-received challenge, the generated session key and the fingerprint using its password as the key and send this to the Admin Server.
• Admin Server will decrypt the received message with the NM s password. It will check the received challenge and fingerprint with its local values. If either doesn t match, it will reject the authentication request. If the above sequence is completed successfully, Admin Server and NM will be considered authenticated with each other. 6.3 External Interface Requirements
6.3.1 Hardware Interfaces (O)
6.3.2 Software Interfaces (Javadoc, MBean, Objects, Classes)
These new command line arguments will be specified for the Admin Server.
• WebLogic.management.minEncryptionBits = <number> the Minimum encryption level the process will accept. Possible values are 0, 40, 128. Default value is 0.
• WebLogic.management.maxEncryptionBits = <number> the Maximum encryption level the process will accept. Possible values are 0, 40, 128. Default value is 128.
• WebLogic.management.enableChannelBinding = 0 1 1 a value of 1 enables the Authentication Protocol (Section 5.2.7). Default is 0.
• WebLogic.management.passwordKey = <string> key to be used to decrypt the encrypted NM passwords stored in the configuration file.
It must be specified if WebLogic.management.enableChannelBinding is set to 1.
The utility WebLogic.wtc.gwt.genpasswd will be used to encrypt NM passwords to be stored in the configuration file.
These new command line arguments will be specified for the NM. • WebLogic.nodemanager.minEncryptionBits = <number> the Minimum encryption level the process will accept. Possible values are 0, 40, 128. Default value is 0.
• WebLogic. nodemanager.maxEncryptionBits = <number> the Maximum encryption level the process will accept. Possible values are 0, 40, 128. Default value is 128.
• WebLogic.nodemanager.enableChannelBinding = 0 | 1 a value of 1 enables the Authentication Protocol (Section 5.2.7). Default is 0.
• WebLogic. nodemanager.password = <string> the NM s password.
Must be specified if WebLogic.nodemanager.enableChannelBinding is set to 1.
• WebLogic.nodemanager.adminServerPassword = <string> the Admin Server s password. Must be specified if
WebLogic.nodemanager.enableChannelBinding is set to 1. These new arguments will be modifiable at runtime via the Admin Console.
7.5 Alternate Node Manager In one embodiment of the invention, an alternate type of node manager architecture is used. The alternate node manager may be operable to acheive at least the following functions:
• Aggregation of administrative actions and information in NM for access by 3rd party application monitors and HA frameworks using standard JMX interfaces
• Internal interactions with admin console, cluster group leader, etc. using standard JMX interfaces Described below are some ofthe design points ofthe new NM architecture.
Summary of New NM Architecture
Services required by Administrator/ App Monitor
1. ProcessControl ("PC") service
- start, kill and restart Managed Svrs ("MS") on local node - will be hosted by Admin Svr ("AS")
- will be hosted by NM on other nodes
- provide restart capability to internal and external clients via Runtime MBeans
2. HealthMonitoring ("HM") service - monitor State and other runtime attributes of MS on local or remote node
- can be hosted either by AS or individual NMs
- provide this info to internal and external clients via Runtime MBeans
New NM charactertistics
0. hosted on stripped-down MS
- registered as a MS with the AS (in config.xml)
1. Configuration
- all config passed as command line args (like for today's NM)
- startup independent of AS
- no Config MBeans for runtime configuration changes (like for today's NM)
2. WatchDog ("WD")
- reqd to mon NM on platforms where OS monitoring not avl (non NT and Solaris platforms)
- 1 WD per NM - can spawn the NM when started so Admins will have to manually start just 1 process
3. NM may be the OS service on NT and Solaris
- installed when installing WLS on node
- can also be started manually 4. Interoperability
- could havel NM per Domain
- (Security) won't have to manage multiple Certificates - NM must be of highest release wrt all MSs on node
5. If NM is not used:
- won't get PC svc on remote nodes
- HM svc will won't be able to restart remote MSs - better scalability if HM svc hosted on NMs
6. Additional Enhancements
- make NM highly preferable (advantages listed in #5)
- use WD to bootstrap NM on local node upon AS's command
(will eliminate manual config of NM on each remote node and allow runtime config via Config MBeans)
- use NM to aggregate Cluster heartbeats for all cluster members on local node (broader implications - Eric/Mesut/Dean)
- make NM a surrogate AS? (broader implications)

Claims

What is claimed is:
1. A method for monitoring a server comprising: providing a monitoring instance; establishing a connection between the monitoring instance and a server to be monitored; and determining the health status ofthe server as a result of communications between the monitoring instance and the server.
2. The method as claimed in claim 1 wherein said establishing a connection includes establishing an SSL connection.
3. The method as claimed in claim 1 wherein said determining the health status of the server includes detecting that the server has experienced server failure.
4. The method as claimed in claim 3 wherein detecting that the server has experienced server failure includes detecting that the connection established between the monitoring instance and the server to be monitored has failed.
5. The method as claimed in claim 1 further comprising: performing maintenance on the server upon detecting the server has failed.
6. The method as claimed in claim 5 wherein performing maintenance includes restarting the server.
7. The method as claimed in claim 1 further comprising; determining whether a failed server may be restarted; and restarting the failed server if it may be restarted.
8. The method as claimed in claim 7 wherein determining whether a failed server may be restarted includes determining whether a server has been restarted a maximum number of times within a certain period of time.
9. The method of claim 1 wherein the functionality of the monitoring instance may be controlled by an administration server.
10. The method of claim 9 wherein communication between the monitoring instance and administration server is encoded.
11. A method for monitoring a server comprising: providing a monitoring instance; providing a triggering event that causes the monitoring instance to monitor a server; and determining the status ofthe server.
12. The method of claim 11 wherein providing a triggering event includes determining a period of time has elapsed.
13. The method of claim 11 wherein providing a triggering event includes receiving a signal from an entity external to the monitoring object.
14. The method of claim 11 wherein said determining the status of a server further comprises: transmitting a query signal to the server to determine the server's status; and determining whether the server responds to the query signal.
15. The method of claim 14 wherein said determining whether the server responds to the query signal includes waiting a specified period of time before determining the server has not responded to the query signal.
16. The method of claim 11 wherein said determining the status of a server further comprises: transmitting a query signal to the server to determine the server's status; and receiving the server's response to the query signal; and determining the server's status based upon the server's response.
17. The method of claim 11 further comprises performing treatment on the server corresponding the status ofthe server.
18. The method of claim 17 wherein performing treatment includes terminating the server if the server is deemed failed.
19. The method of claim 11 wherein the functionality of the monitoring instance may be controlled by an administration server.
20. The method of claim 19 wherein communication between the monitoring instance and administration server is encoded.
21. A system for monitoring a server comprising: at least one server operable to transmit and receive messages; a server manager having a memory and operable to transmit messages to and receive messages from said at least one server; and a connection established between said at least one server and said server manager, said server manager operable to monitor said server through said connection.
22. A system for monitoring a server as claimed in claim 21 wherein said server manager includes information relating to each said at least one server.
23. A system for monitoring a server as claimed in claim 22 wherein said information relates to performing maintenance on each said at least one server.
24. A system for monitoring a server as claimed in claim 22 wherein said information relates to monitoring each said at least one server.
25. A system as claimed in claim 21 further comprising: an administrative server that may control the functionality of the server manager.
26. A system as claimed in claim 25 wherein communication between said administration manager and said server manager is encoded.
27. A system as claimed in claim 25 wherein the administration manager may be interfaced by a user.
28. A system as claimed in claim 25 wherein the administration manager may be interfaced by external administration agents.
29. The method ofclaim 1 wherein said determining the health status of the server includes the monitoring instance automatically determining the health status ofthe server.
30. The method ofclaim 1 further comprising: automatically performing maintenance upon detecting the server has failed.
31. The method as claimed in claim 30 wherein automatically performing maintenance includes automatically restarting the server.
32. The system ofclaim 21 wherein the server manager is configured to automatically restart the server upon detecting the server has failed.
33. The system ofclaim 21 wherein the server manager is configured to automatically restart the server upon detecting a health of said server has degenerated.
34. The method of claim 1 wherein determining the health status of the servers is implemented using java language programming.
35. The method of claim 34 wherein the java language programming includes a java method instance.
36. The method of claim 5 wherein performing maintenance is implemented using java language programming.
37. The method of claim 36 wherein the java language programming includes a java method instance.
38. The method of claim 11 wherein determining the status of a server is implemented using java language programming.
39. The method of claim 38 wherein the java language programming includes a java method instance.
40. The method of claim 17 wherein performing treatment on the server is implemented using java language programming.
41. The method of claim 40 wherein the java language programming includes a j ava method instance .
42. The system of claim 22 wherein the information relating to each said at least one server is configured to be accessed using a java MBean.
43. The system of claim 25 wherein said administrative server hosts a java MBean, the java MBean configured to control the functionality of the server manager.
44. The system of claim 43 wherein the java MBean may be accessed externally by an administrative client.
45. The system of claim 44 wherein the java MBeans offer the functionality ofthe server manager and access to the information relating to said at least one server to clients in a programmatic manner.
46. The method as claimed in claim 1 wherein providing a monitoring instance includes: performing startup by the monitoring instance; receiving startup information by the monitoring instance from an administrative server, the startup information including instructions to start a server instance on a local machine and a request to provide information on servers previously monitored by the monitoring instance.
47. The method of claim 7 wherein determining whether a failed server may be restarted includes determining the value of an auto-restart parameter, the value of the auto-start parameter determining whether or not the server is restartable.
48. The method of claim 47 wherein the auto-restart parameter may be accessed and set by a java method.
49. The method of claim 7 wherein determining whether a failed server may be restarted includes determining the value of a max-restart parameter and a restart-interval parameter, the value of the max-restart parameter and restart-interval parameters determining the maximum times the server may be restarted in a certain time interval.
50. The method of claim 49 wherein the max-restart parameter and the restart-interval parameter may be processed and set by a java method.
51. The method of claim 11 wherein determining the status of the server includes: invoking a java servlet located on the server, the servlet configured to return a health status ofthe server to the monitoring instance.
52. The method of claim 51 wherein the java servlet includes an asynchronous servlet configured to return the health status to the monitoring instance upon the occurrence of an event.
53. The method of claim 11 wherein providing a triggering event includes: determining whether an interval period has elapsed, the interval period corresponding to a time between successive health checks performed on a server, wherein a value specified in a health check interval parameter corresponds to the interval period.
54. The method of claim 53 wherein the health check interval parameter may be accessed and set by a java method.
55. The method of claim 11 wherein providing a triggering event includes: determining whether a timeout period has elapsed, the timeout period corresponding to a time the monitoring instance will wait for a response to a health check query performed by the monitoring instance to the server, wherein a value specified in a health check timeout parameter corresponds to the timeout period.
56. The method of claim 55 wherein the health check timeout parameter may be accessed and set by a java method.
57. The method as claimed in claim 17 wherein performing treatment includes: determining a value of a auto-kill parameter, the value specified in the auto-kill parameter corresponding to whether or not the monitoring instance will automatically kill a server if the server is deemed failed.
58. The method of claim 57 wherein the health check timeout parameter may be accessed and set by a java method.
59. The system of claim 25 wherein said administrative server hosts a java MBean, the java MBean configured to provide an interface for JMX clients to control the functionality of the server manager.
60. A system for monitoring a server comprising: a server, the server residing in a node; a node manager configured to monitor the server; and an administration server, wherein communication between the administration server and the node manager is encoded.
61. The system of claim 60 wherein the information is encoded by encrypting the messages transmitted between the node manager and the administration server, the administration server and the node manager authenticating each other before transmitting a first message between each other.
62. The system of claim 61 wherein encrypting the messages includes determining an encryption level, the encryption level controlled by at least one argument.
63. The system of claim 61 wherein encrypting the messages includes generating a session key by the administration server and the node manager, generating the session keys is controlled by at least one argument.
PCT/US2003/004950 2002-02-22 2003-02-20 Ecs node manager for ensuring high availability server and application WO2003073205A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003217581A AU2003217581A1 (en) 2002-02-22 2003-02-20 Ecs node manager for ensuring high availability server and application

Applications Claiming Priority (8)

Application Number Priority Date Filing Date Title
US35900902P 2002-02-22 2002-02-22
US60/359,009 2002-02-22
US10/339,469 US7233989B2 (en) 2002-02-22 2003-01-09 Method for automatic monitoring of managed server health
US10/339,144 2003-01-09
US10/338,981 2003-01-09
US10/339,144 US7287075B2 (en) 2002-02-22 2003-01-09 System for monitoring managed server health
US10/338,981 US7152185B2 (en) 2002-02-22 2003-01-09 Method for event triggered monitoring of managed server health
US10/339,469 2003-01-09

Publications (2)

Publication Number Publication Date
WO2003073205A2 true WO2003073205A2 (en) 2003-09-04
WO2003073205A3 WO2003073205A3 (en) 2003-11-27

Family

ID=27767920

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/004950 WO2003073205A2 (en) 2002-02-22 2003-02-20 Ecs node manager for ensuring high availability server and application

Country Status (2)

Country Link
AU (1) AU2003217581A1 (en)
WO (1) WO2003073205A2 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006027038A2 (en) * 2004-09-09 2006-03-16 Fujitsu Siemens Computers, Inc. Computer arrangement for providing services for clients over a network
CN102694805A (en) * 2012-05-30 2012-09-26 北京像素软件科技股份有限公司 Method and system for maintaining game server
WO2012134799A2 (en) 2011-03-31 2012-10-04 Microsoft Corporation Fault detection and recovery as a service
CN113542398A (en) * 2021-07-13 2021-10-22 广州云从凯风科技有限公司 Control method, device, medium and equipment of distributed cluster system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6085243A (en) * 1996-12-13 2000-07-04 3Com Corporation Distributed remote management (dRMON) for networks
US6170067B1 (en) * 1997-05-13 2001-01-02 Micron Technology, Inc. System for automatically reporting a system failure in a server
US6182157B1 (en) * 1996-09-19 2001-01-30 Compaq Computer Corporation Flexible SNMP trap mechanism
US20020016911A1 (en) * 2000-08-07 2002-02-07 Rajeev Chawla Method and system for caching secure web content

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6182157B1 (en) * 1996-09-19 2001-01-30 Compaq Computer Corporation Flexible SNMP trap mechanism
US6085243A (en) * 1996-12-13 2000-07-04 3Com Corporation Distributed remote management (dRMON) for networks
US6170067B1 (en) * 1997-05-13 2001-01-02 Micron Technology, Inc. System for automatically reporting a system failure in a server
US20020016911A1 (en) * 2000-08-07 2002-02-07 Rajeev Chawla Method and system for caching secure web content

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006027038A2 (en) * 2004-09-09 2006-03-16 Fujitsu Siemens Computers, Inc. Computer arrangement for providing services for clients over a network
WO2006027038A3 (en) * 2004-09-09 2008-04-24 Fujitsu Siemens Computers Inc Computer arrangement for providing services for clients over a network
WO2012134799A2 (en) 2011-03-31 2012-10-04 Microsoft Corporation Fault detection and recovery as a service
EP2691859A2 (en) * 2011-03-31 2014-02-05 Microsoft Corporation Fault detection and recovery as a service
EP2691859A4 (en) * 2011-03-31 2015-04-22 Microsoft Technology Licensing Llc Fault detection and recovery as a service
US9240937B2 (en) 2011-03-31 2016-01-19 Microsoft Technology Licensing, Llc Fault detection and recovery as a service
CN102694805A (en) * 2012-05-30 2012-09-26 北京像素软件科技股份有限公司 Method and system for maintaining game server
CN113542398A (en) * 2021-07-13 2021-10-22 广州云从凯风科技有限公司 Control method, device, medium and equipment of distributed cluster system
CN113542398B (en) * 2021-07-13 2023-09-19 广州云从凯风科技有限公司 Management and control method, device, medium and equipment of distributed cluster system

Also Published As

Publication number Publication date
WO2003073205A3 (en) 2003-11-27
AU2003217581A8 (en) 2003-09-09
AU2003217581A1 (en) 2003-09-09

Similar Documents

Publication Publication Date Title
US7233989B2 (en) Method for automatic monitoring of managed server health
US7152185B2 (en) Method for event triggered monitoring of managed server health
US7373556B2 (en) Method for monitoring sub-system health
US7287075B2 (en) System for monitoring managed server health
US7016950B2 (en) System and method for restricting data transfers and managing software components of distributed computers
US7406517B2 (en) System and method for distributed management of shared computers
US20100186094A1 (en) Embedded system administration and method therefor
US9148412B2 (en) Secure configuration of authentication servers
EP2264594B1 (en) A broker system for a plurality of brokers, clients and servers in a heterogeneous network
WO2003073205A2 (en) Ecs node manager for ensuring high availability server and application
US11641281B2 (en) Hashing values using salts and peppers
Muhamedagic Fencing and Stonith
JP2005157446A (en) Network device management method, network system and information processor managing device
CN117353978A (en) Service control method and device based on secure shell protocol

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP