
IBM Integration Designer - java.io.IOException: The filename, directory name, or volume label syntax is incorrect.

I saw this exception: -

[01/05/15 12:45:56:762 BST]     FFDC Exception:com.ibm.bpm.config.util.ConfigException SourceId:com.ibm.bpm.config.BPMConfig.main ProbeId:163 Reporter:java.lang.Class@7b57bfee
com.ibm.bpm.config.util.ConfigException
                at com.ibm.bpm.config.util.ConfigHelper.isOnLocalInstallation(ConfigHelper.java:4530)
                at com.ibm.bpm.config.model.Validator.validateInstallAndProfile(Validator.java:1426)
                at com.ibm.bpm.config.model.ConfigModelFactory.validateConfigModel(ConfigModelFactory.java:143)
                at com.ibm.bpm.config.model.ConfigModelFactory.loadFromPropertiesDelegate(ConfigModelFactory.java:117)
                at com.ibm.bpm.config.model.ConfigModelFactory.loadFromConfigFile(ConfigModelFactory.java:95)
                at com.ibm.bpm.config.BPMConfig.configureDeploymentEnvironment(BPMConfig.java:596)
                at com.ibm.bpm.config.BPMConfig$Actions.createDe(BPMConfig.java:3978)
                at com.ibm.bpm.config.cli.CreateAction.runInner(CreateAction.java:137)
                at com.ibm.bpm.config.cli.AbstractConfigAction.run(AbstractConfigAction.java:127)
                at com.ibm.bpm.config.cli.CreateAction.run(CreateAction.java:33)
                at com.ibm.bpm.config.BPMConfig.main(BPMConfig.java:272)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
                at java.lang.reflect.Method.invoke(Method.java:611)
                at com.ibm.wsspi.bootstrap.WSLauncher.launchMain(WSLauncher.java:234)
                at com.ibm.wsspi.bootstrap.WSLauncher.main(WSLauncher.java:96)
                at com.ibm.wsspi.bootstrap.WSLauncher.run(WSLauncher.java:77)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
                at java.lang.reflect.Method.invoke(Method.java:611)
                at org.eclipse.equinox.internal.app.EclipseAppContainer.callMethodWithException(EclipseAppContainer.java:587)
                at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:198)
                at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:110)
                at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:79)
                at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:369)
                at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:179)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
                at java.lang.reflect.Method.invoke(Method.java:611)
                at org.eclipse.core.launcher.Main.invokeFramework(Main.java:340)
                at org.eclipse.core.launcher.Main.basicRun(Main.java:282)
                at org.eclipse.core.launcher.Main.run(Main.java:981)
                at com.ibm.wsspi.bootstrap.WSPreLauncher.launchEclipse(WSPreLauncher.java:398)
                at com.ibm.wsspi.bootstrap.WSPreLauncher.main(WSPreLauncher.java:161)
Caused by: java.io.IOException: The filename, directory name, or volume label syntax is incorrect.
                at java.io.Win32FileSystem.canonicalize(Win32FileSystem.java:407)

                at java.io.File.getCanonicalPath(File.java:570)
                at java.io.File.getCanonicalFile(File.java:594)
                at com.ibm.bpm.config.util.ConfigHelper.isOnLocalInstallation(ConfigHelper.java:4528)
                ... 36 more

CapturedDataElements begin
arg0:-create
arg1:-de
arg2:c:\Advanced-PS-Standalone-DB2.properties
CapturedDataElements end


This was earlier whilst trying to create an IBM BPM Deployment Environment as a local Unit Test Environment for IBM Integration Designer 8.5.5 on Windows 7.

Under the covers, I'm using WebSphere Application Server 8.5.5.4, BPM Advanced 8.5.50 and Business Monitor 8.5.5.0.

This was the command that I ran: -

"C:\IBM\WebSphere\AppServer\bin\BPMConfig.bat" -create -de c:\Advanced-PS-Standalone-DB2.properties

After much trial and much error, I realised the error of my ways.

In the properties file - Advanced-PS-Standalone-DB2.properties - which I sourced from: -

c:\temp\IID\Install\launchpad\content\samples\config\iid

( I'd previously unpacked the IID media into c:\temp\IID\install )

I had: -

bpm.de.node.1.installPath="C:\\IBM\\WebSphere\\AppServer"

rather than: -

bpm.de.node.1.installPath=C:\\IBM\\WebSphere\\AppServer

In other words, the quotation symbols ( "" ) were getting in the way :-(

I'd rightly used the double-backslash ( \\ ) as required, BUT the quotations were NOT required.
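
To see why the quoted value fails, here is an added Python checker ( not part of the post, nor of BPMConfig ) that applies the java.util.Properties escape rules to the installPath value and then tests the result as a Windows path; it also shows what a single backslash would have produced. The three sample lines are constructed from the properties file above.

```python
import re

# Characters Windows rejects inside a path; the quotation mark is the one the
# quoted value introduced, and it is what File.getCanonicalPath() trips over.
_WIN_ILLEGAL = set('<>"|?*')


def unescape_properties_value(raw: str) -> str:
    r"""Apply java.util.Properties escape rules to a raw value.

    '\\' -> '\', '\t' '\n' '\r' '\f' -> control characters, '\uXXXX' -> a code
    point, and any other escaped character keeps the character but drops the
    backslash, so a single backslash in 'C:\IBM' silently becomes 'C:IBM'.
    """
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch != '\\':
            out.append(ch)
            i += 1
            continue
        i += 1                      # step over the backslash
        if i >= len(raw):
            break                   # a trailing backslash is dropped
        esc = raw[i]
        if esc == 'u':
            out.append(chr(int(raw[i + 1:i + 5], 16)))
            i += 5
        else:
            out.append({'t': '\t', 'n': '\n', 'r': '\r', 'f': '\f'}.get(esc, esc))
            i += 1
    return ''.join(out)


def parse_properties(text: str) -> dict:
    """Minimal key=value reader (no ':' separators, no line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in '#!':
            continue
        key, sep, value = line.partition('=')
        if sep:
            props[key.strip()] = unescape_properties_value(value.strip())
    return props


def check_windows_path(value: str) -> list:
    """Reasons a Windows canonicalisation of the value would be rejected."""
    problems = []
    if value[:1] == '"' or value[-1:] == '"':
        problems.append('wrapped in quotation marks; Properties keeps them as literal characters')
    bad = sorted(set(value) & _WIN_ILLEGAL)
    if bad:
        problems.append('illegal path character(s): ' + ' '.join(bad))
    if not re.match(r'^[A-Za-z]:\\', value):
        problems.append('does not start with <drive letter>:\\ (lost backslash?)')
    return problems


def audit_install_paths(properties_text: str) -> dict:
    """Map every *.installPath key to (value as Java would read it, problems)."""
    return {key: (value, check_windows_path(value))
            for key, value in parse_properties(properties_text).items()
            if key.endswith('.installPath')}


# Constructed one-line excerpts of Advanced-PS-Standalone-DB2.properties.
BROKEN = r'bpm.de.node.1.installPath="C:\\IBM\\WebSphere\\AppServer"'
FIXED = r'bpm.de.node.1.installPath=C:\\IBM\\WebSphere\\AppServer'
SINGLE_BACKSLASH = r'bpm.de.node.1.installPath=C:\IBM\WebSphere\AppServer'

if __name__ == '__main__':
    for sample in (BROKEN, FIXED, SINGLE_BACKSLASH):
        for key, (value, problems) in audit_install_paths(sample).items():
            print(f'{key} -> {value!r}: {problems or "OK"}')
```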

Easy peasy.....

Reminder to Self - If you see SSL0279E again

Following on from an older post: -


if I ever see: -

SSL0279E: SSL Handshake Failed due to fatal alert from client. Client sent fatal alert [level 2 (fatal), description 46 (certificate_unknown)]

in the IHS error_log file again, do NOT waste time exporting certificates from WAS cell-default trust stores and importing them into the IHS KDB.

This is, again, in the context of connecting Process Center to Process Server, albeit with the most recent level of IBM BPM, 8.5.6.

The problem ABSOLUTELY comes from the fact that the Process Server AppCluster JVM is trying to connect to the Process Center AppCluster JVM ( from port 9447 to port 9443 ), as evidenced by this: -

[03/05/15 08:11:55:320 BST] 0000013c WSX509TrustMa E   CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN "CN=bpm856.uk.ibm.com, OU=PSCell1Node1, OU=Node1, O=IBM, C=US" was sent from target host:port "bpm856.uk.ibm.com:9447".  The signer may need to be added to local trust store "/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/PCCell1/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml".  The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
        java.security.cert.CertPathValidatorException: The certificate issued by CN=bpm856.uk.ibm.com, OU=Root Certificate, OU=PSCell1, OU=Dmgr, O=IBM, C=US is not trusted; internal cause is:
        java.security.cert.CertPathValidatorException: Certificate chaining error".


in the Process Center's AppCluster JVM SystemOut.log.

The solution is to import the signer certificate from Process Center's IHS server into the cell-default trust store for the Process Server: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr02/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd -host `hostname` -port 8883
cellID=AdminControl.getCell()
AdminTask.retrieveSignerFromPort('[-keyStoreName CellDefaultTrustStore -keyStoreScope (cell):'+cellID+' -host bpm856.uk.ibm.com -port 8443 -certificateAlias ProcessCenter -sslConfigName CellDefaultSSLSettings -sslConfigScopeName (cell):'+cellID+' ]')
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
quit


Once done, and all is now good :-)
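
Added Python example ( not from the post ): a parser for CWPKI0022E records that pulls out which host:port sent which signer, which trust store rejected it and which issuer was untrusted, then builds the matching retrieveSignerFromPort call in the form used above. The log excerpt is constructed from the record in the post; note that the post itself fetched the signer from the IHS port ( 8443 ) rather than the 9447 named in the log, and that retrieveSignerFromPort trusts whatever that port serves, so check the retrieved signer's subject and fingerprint against the issuing cell before AdminConfig.save().

```python
import re

# Constructed log excerpt: the CWPKI0022E record from the post plus one unrelated record.
SAMPLE_SYSTEMOUT = '''\
[03/05/15 08:11:55:320 BST] 0000013c WSX509TrustMa E   CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN "CN=bpm856.uk.ibm.com, OU=PSCell1Node1, OU=Node1, O=IBM, C=US" was sent from target host:port "bpm856.uk.ibm.com:9447".  The signer may need to be added to local trust store "/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/PCCell1/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml".  The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
        java.security.cert.CertPathValidatorException: The certificate issued by CN=bpm856.uk.ibm.com, OU=Root Certificate, OU=PSCell1, OU=Dmgr, O=IBM, C=US is not trusted; internal cause is:
        java.security.cert.CertPathValidatorException: Certificate chaining error".
[03/05/15 08:12:01:000 BST] 0000013d ServerLogger  I   constructed unrelated record
'''

# Every WAS log record starts with a "[dd/mm/yy hh:mm:ss:mmm TZ]" stamp; the
# continuation lines of a multi-line message do not, which is how records are split.
_RECORD_START = re.compile(r'^(?=\[\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3} )', re.M)

_FIELDS = {
    'subject_dn':  re.compile(r'A signer with SubjectDN "([^"]+)"'),
    'target':      re.compile(r'from target host:port "([^"]+)"'),
    'trust_store': re.compile(r'local trust store "([^"]+)"'),
    'ssl_alias':   re.compile(r'SSL configuration alias "([^"]+)"'),
    'issuer_dn':   re.compile(r'The certificate issued by (.+?) is not trusted', re.S),
}


def _first(rx, text):
    m = rx.search(text)
    return m.group(1).strip() if m else None


def parse_cwpki0022e(log_text: str) -> list:
    """One dict per CWPKI0022E record: who sent which signer to which trust store."""
    findings = []
    for record in _RECORD_START.split(log_text):
        if 'CWPKI0022E' not in record:
            continue
        entry = {name: _first(rx, record) for name, rx in _FIELDS.items()}
        host, _, port = (entry.pop('target') or '').rpartition(':')
        entry['host'] = host or None
        entry['port'] = int(port) if port.isdigit() else None
        entry['timestamp'] = record[1:record.find(']')]
        findings.append(entry)
    return findings


def retrieve_signer_command(finding: dict, certificate_alias: str,
                            key_store_name: str = 'CellDefaultTrustStore',
                            ssl_config_name: str = 'CellDefaultSSLSettings') -> str:
    """The wsadmin (Jython) retrieveSignerFromPort call for the endpoint in the record,
    in the same form as the post; 'cellID' is the wsadmin variable from the post, so
    the returned text is meant to be pasted into that wsadmin session."""
    return ("AdminTask.retrieveSignerFromPort('[-keyStoreName %s -keyStoreScope (cell):'+cellID+'"
            " -host %s -port %d -certificateAlias %s -sslConfigName %s"
            " -sslConfigScopeName (cell):'+cellID+' ]')"
            % (key_store_name, finding['host'], finding['port'],
               certificate_alias, ssl_config_name))


if __name__ == '__main__':
    for f in parse_cwpki0022e(SAMPLE_SYSTEMOUT):
        print(f"{f['timestamp']}: {f['host']}:{f['port']} sent {f['subject_dn']}")
        print(f"  issuer missing from {f['trust_store']} ({f['ssl_alias']}): {f['issuer_dn']}")
        print('  ' + retrieve_signer_command(f, 'ProcessCenter'))
```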

Disaster recovery guidance for IBM Business Process Manager - An updated approach for IBM BPM V8.x

IBM® Business Process Manager (BPM) is a powerful tool for modeling and running an organization's most critical business processes. Over the past several years, features have been developed and verified to enable cross-site replication and recovery, achieving very sophisticated disaster-recovery objectives. Learn about the core principles that guide an infrastructure architect to design a successful disaster-recovery strategy.

Adding Ant to IBM Operational Decision Manager

In a departure from the norm, I'm NOT going to detail my recent experiences with Apache Ant and IBM ODM Rules here, but instead direct you to my post on another site, the Global WebSphere Community (GWC), which hosts the WebSphere User Group.

So you want to know more about Ant and ODM ? Then please read my post here: -

and feel free to provide feedback here, there, or via Twitter.

WebSphere Liberty Profile and IBM HTTP Server - Exchanging SSL Certificates

This one is for a friend of mine, TonyH, who asked this question earlier.

I don't claim to understand his requirements, but he asked: -

What's the best way to export certs from liberty so I can import them into the IHS keystore?

I'm running Liberty Profile 8.5.5.5 on my Mac and IBM HTTP Server (IHS) 8.5.5.5 on a Red Hat VM.

I started by downloading the Liberty Profile Runtime from here: -


which resulted in: -

-rw-r--r--@  1 davehay  staff  60261097 11 May 18:26 wlp-runtime-8.5.5.5.jar

and installed it: -

java -jar wlp-runtime-8.5.5.5.jar

to here: -

/Users/davehay/Liberty/wlp

I then followed Oliver Rebmann's excellent blog post: -


to set up an SSL key store and certificate, as follows: -

cd /Users/davehay/Liberty/wlp/bin
./securityUtility createSSLCertificate --server=defaultServer --password=passw0rd --validity=365

and added the relevant configuration to my server's configuration: -

vi /Users/davehay/Liberty/wlp/usr/servers/defaultServer/server.xml

adding the second featureManager element ( with the ssl-1.0 feature ) and the keyStore element to the default server.xml, as shown below: -

<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">

    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.2</feature>
    </featureManager>

    <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
    <httpEndpoint id="defaultHttpEndpoint"
                  httpPort="9080"
                  httpsPort="9443" />

    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />


</server>


and started Liberty: -

/Users/davehay/Liberty/wlp/bin/server start

Having validated that I could connect to Liberty on port 9443 ( see the httpsPort directive above ): -


I then used the openssl tool to retrieve the certificate from port 9443 to a file: -

openssl s_client -showcerts -connect localhost:9443 </dev/null > ~/liberty.cer

Having shipped the certificate file from the Mac to the Red Hat VM: -

scp ~/liberty.cer wasadmin@bpm856:~

I then imported it into the IHS key store: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -add -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -file ~/liberty.cer -label liberty

and validated it thus: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
!liberty
*-bpm856.uk.ibm.com


and: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label liberty

...
Label : liberty
Key Size : 2048
Version : X509 V3
Serial : 5550f616
Issuer : CN=172.16.0.65,OU=defaultServer,O=ibm,C=us
Subject : CN=172.16.0.65,OU=defaultServer,O=ibm,C=us
Not Before : May 11, 2015 7:33:58 PM GMT+01:00
Not After : May 10, 2016 7:33:58 PM GMT+01:00

...

The job, as they say, is a good 'un.

PS Thanks to Oliver for his insights ....

IBM Integration Designer - 101

I'm learning to get to grips with IBM Integration Designer (IID) at present, hence my post on the WUG here: -


Part of my self-enablement has come from a pair of tutorials, cannily called Hello World, that I found a few days ago: -


I was using older ( version 7.5.1 ) editions of these two tutorials, although they worked perfectly ( user errors notwithstanding !! ).

However, here's the more up-to-date source for the most recent versions of IBM BPM: -



Interestingly, Hello World seems to have disappeared with the latest version of the product.

In addition, BPM 8.5.6 also has some tutorials in the Knowledge Centre here: -


which is nice.

IBM Cognos - Working with SSL/TLS Keystore

This is an ongoing voyage of discovery, as I seek to replicate my success: -


( this is a post that I authored for the WebSphere User Group on their Global WebSphere Community site )

with IBM Business Monitor.

Whilst the DB2 and WAS aspects ( configuring the DB2 instance and listener for SSL, updating the WAS JDBC data sources, adding the DB2 signer certificate into the WAS trust store etc. ) are the same, the Cognos BI engine is quite different.

I don't yet have it cracked, but I did discover a few more things about Cognos BI today, specifically in terms of where it keeps its own SSL/TLS key store.

It's here: -

-rw-r--r-- 1 wasadmin wasadmins 19728 May 13 16:07 /opt/IBM/WebSphere/AppServer/profiles/BAMCell1AppSrv01/cognos/SupClusterMember1/configuration/certs/CAMKeystore

Why do I know this ?

Because I wanted to test a hypothesis by adding the DB2 server's signer certificate to it.

This is how I first retrieved the signer certificate: -

openssl s_client -showcerts -connect localhost:60007 </dev/null > ~/db2.cer

and I happily verified the certificate: -

openssl x509 -fingerprint -noout -text -in ~/db2.cer

SHA1 Fingerprint=FC:BB:C1:24:4E:6E:B8:55:5B:33:87:69:C7:E2:10:E4:E6:0F:7A:CC
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1681898445175821098 (0x17574db98cfc932a)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=com, DC=ibm, DC=uk, CN=bpm856.uk.ibm.com
        Validity
            Not Before: May 11 10:01:51 2015 GMT
            Not After : May 11 10:01:51 2016 GMT
        Subject: DC=com, DC=ibm, DC=uk, CN=bpm856.uk.ibm.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cc:de:34:78:ca:b8:48:c1:24:43:3b:39:ca:79:
                    6e:7d:bd:2f:fd:a5:86:cc:fa:d1:0f:9f:6b:d2:04:
                    ac:5f:3e:4f:42:81:89:03:88:fb:95:86:ed:fd:f4:
                    c5:a1:c0:8e:b4:70:b7:2d:36:c8:2e:1a:5c:d7:b5:
                    83:e0:f4:36:f8:0a:8f:32:54:47:1a:b7:a4:b6:42:
                    d8:4c:60:ee:e5:2c:de:a2:77:ee:10:b0:fc:c3:a2:
                    7a:e2:3b:45:c4:2f:8a:11:43:bc:fb:a2:e1:cd:69:
                    0f:aa:bb:e2:7c:de:2b:8b:3c:76:cd:56:a8:5d:3e:
                    5c:e7:fb:ef:b1:15:f9:14:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                56:25:C5:62:51:0C:60:55:4D:61:9D:71:EF:D4:A4:E9:AA:07:24:85
            X509v3 Authority Key Identifier: 
                keyid:56:25:C5:62:51:0C:60:55:4D:61:9D:71:EF:D4:A4:E9:AA:07:24:85

    Signature Algorithm: sha1WithRSAEncryption
         99:4c:9c:6e:65:a9:d1:c8:b1:d7:44:30:cd:9a:bc:d5:77:a0:
         9f:69:8b:97:2e:e7:13:95:97:b2:b4:57:d0:74:14:e3:e3:ea:
         ae:22:ef:01:2c:2e:b7:37:1a:85:e7:00:48:41:71:9b:25:a4:
         25:79:76:04:6d:3c:a5:a3:ce:9c:e2:ea:26:33:56:6d:2e:40:
         1f:0e:bf:e8:b7:de:06:1b:d1:8c:65:c4:19:8c:c8:39:92:d8:
         f5:ad:18:56:c3:ef:d6:25:a1:4c:a9:64:40:df:df:75:a0:5e:
         ec:7e:ea:cc:8e:dc:2c:1e:71:4a:8d:74:7f:d6:84:8a:20:05:
         fb:64

However, when I tried to add it to the Cognos key store: -

/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -import -file ~/db2.cer -alias DB2 -keystore CAMKeystore -storepass MONITOR -storetype PKCS12

I saw this: -

keytool error: java.lang.Exception: Input not an X.509 certificate

Happily a quick Google search later, and I found this: -


which says, in part: -

<snip>
While I agree with Ari's answer (and upvoted it :), I needed to do an extra step to get it to work with Java on Windows (where it needed to be deployed):

openssl s_client -showcerts -connect www.example.com:443 < /dev/null | openssl x509 -outform DER > derp.der

Before adding the openssl x509 -outform DER conversion, I was getting an error from keytool on Windows complaining about the certificate's format. Importing the .der file worked fine.
</snip>

I re-retrieved the certificate from DB2: -

openssl s_client -showcerts -connect localhost:60007 </dev/null | openssl x509 -outform DER > ~/db2.cer

( adding in the relevant Hogwarts magic to get the resulting file in x509 DER ) and was then able to import it: -

/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -import -file ~/db2.cer -alias DB2 -keystore CAMKeystore -storepass MONITOR -storetype PKCS12

Owner: CN=bpm856.uk.ibm.com, DC=uk, DC=ibm, DC=com
Issuer: CN=bpm856.uk.ibm.com, DC=uk, DC=ibm, DC=com
Serial number: 17574db98cfc932a
Valid from: 11/05/15 11:01 until: 11/05/16 11:01
Certificate fingerprints:
 MD5:  81:B0:E7:81:A3:1B:79:64:07:1B:41:9E:7E:0A:F3:08
 SHA1: FC:BB:C1:24:4E:6E:B8:55:5B:33:87:69:C7:E2:10:E4:E6:0F:7A:CC
Trust this certificate? [no]:  y
Certificate was added to keystore

which is nice.
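
The raw s_client capture used in the Liberty post above and the `openssl x509 -outform DER` step needed here differ only in what the file contains. Added Python example ( not from either post ): it separates the PEM blocks out of an s_client transcript, converts one to DER and prints the SHA1 fingerprint that openssl and keytool report; the transcript and the certificate bodies are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

_PEM_BLOCK = re.compile(
    r'-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----', re.S)


def extract_pem_certificates(s_client_output: str) -> list:
    """All PEM blocks in the order s_client prints them: the server (leaf)
    certificate first, then the chain the server sent, which is where the
    issuer a trust store actually needs lives."""
    return ['-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' % body
            for body in _PEM_BLOCK.findall(s_client_output)]


def pem_to_der(pem: str) -> bytes:
    """What 'openssl x509 -outform DER' yields for ONE certificate: the decoded body.
    Like openssl x509, only the first PEM block in the text is used."""
    return base64.b64decode(''.join(_PEM_BLOCK.search(pem).group(1).split()))


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA1 over the DER bytes, as openssl and keytool print it."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ':'.join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def is_bare_certificate(text: str) -> bool:
    """True when the text is nothing but PEM blocks, i.e. free of the CONNECTED /
    verify / SSL-Session chatter behind keytool's 'Input not an X.509 certificate'."""
    return bool(text.strip()) and _PEM_BLOCK.sub('', text).strip() == ''


def summarise(s_client_output: str) -> list:
    """(index, DER length, SHA1 fingerprint) for every certificate in the capture."""
    return [(i, len(pem_to_der(pem)), sha1_fingerprint(pem_to_der(pem)))
            for i, pem in enumerate(extract_pem_certificates(s_client_output))]


def _fake_pem_body(payload: bytes) -> str:
    # Constructed stand-in for a certificate body; real DER would be encoded here.
    return base64.b64encode(payload).decode('ascii')


# Constructed s_client transcript modelled on the captures in the posts (two-certificate chain).
LEAF_BYTES = b'constructed placeholder, not a real DER certificate: leaf'
ISSUER_BYTES = b'constructed placeholder, not a real DER certificate: issuer'
SAMPLE_S_CLIENT_OUTPUT = f'''CONNECTED(00000003)
depth=1 CN = constructed-issuer
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=constructed-leaf
   i:/CN=constructed-issuer
-----BEGIN CERTIFICATE-----
{_fake_pem_body(LEAF_BYTES)}
-----END CERTIFICATE-----
 1 s:/CN=constructed-issuer
   i:/CN=constructed-issuer
-----BEGIN CERTIFICATE-----
{_fake_pem_body(ISSUER_BYTES)}
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=constructed-leaf
---
SSL-Session:
    Protocol  : TLSv1
DONE
'''

if __name__ == '__main__':
    print('raw transcript is a bare certificate:', is_bare_certificate(SAMPLE_S_CLIENT_OUTPUT))
    for index, length, fingerprint in summarise(SAMPLE_S_CLIENT_OUTPUT):
        print(f'cert {index}: {length} DER bytes, SHA1 {fingerprint}')
```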

Did that fix my problem ? Alas, no, but it's another step on the journey to ......... ?

Continuing to learn - IBM BPM and IBM Business Monitor to DB2 via SSL/TLS

I've written a couple of posts on the WebSphere User Group blog here: -



My next trick will be to force WebSphere Application Server (WAS) to use a specific protocol version, namely TLS version 1.2.

In DB2, this can be enforced as follows: -

db2 update dbm config using SSL_VERSIONS TLSV12

for version 1.2 or: -

db2 update dbm config using SSL_VERSIONS TLSV1

for version 1.0, or: -

db2 update dbm config using SSL_VERSIONS NULL

to revert to the default ( which, per the documentation quoted below, enables TLS version 1.0 and 1.1 ).

...
If you set the parameter to null or TLSv1, the parameter enables support for TLS version 1.0 (RFC2246) and TLS version 1.1 (RFC4346).

Note: During SSL handshake, the client and the server negotiate and find the most secure version to use, either TLS version 1.0 or TLS version 1.1. If there is no compatible version between the client and the server, the connection fails. If the client supports TLS version 1.0 and TLS version 1.1, but the server supports TLS version 1.0 only, then TLS version 1.0 is used.
If you set the parameter to TLSv12 (RFC5246), the parameter enables support for TLS version 1.2. This setting is required to comply with NIST SP 800-131A.

If you set the parameter to TLSv12 and TLSv1, the parameter enables support for TLS version 1.2 with the option to fall back on TLS version 1.0 and 1.1.
...

All of the SSL-related settings can be queried thusly: -

db2 get dbm config | grep SSL

 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/keystore.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/keystore.sth
 SSL server certificate label            (SSL_SVR_LABEL) = bpm856.uk.ibm.com
 SSL service name                         (SSL_SVCENAME) = db2c_ssl
 SSL cipher specs                      (SSL_CIPHERSPECS) = 
 SSL versions                             (SSL_VERSIONS) = 
 SSL client keydb file                  (SSL_CLNT_KEYDB) = 
 SSL client stash file                  (SSL_CLNT_STASH) = 

Note that we also have SSL_CIPHERSPECS to specify the cipher specifications that one wishes to use, as per this: -


and: -


Business Process Management Design Guide: Using IBM Business Process Manager

IBM® Business Process Manager (IBM BPM) is a comprehensive business process management (BPM) suite that provides visibility and management of your business processes. IBM BPM supports the whole BPM lifecycle approach: 

• Discover and document
• Plan
• Implement
• Deploy
• Manage
• Optimize

Process owners and business owners can use this solution to engage directly in the improvement of their business processes.

IBM BPM excels in integrating role-based process design, and provides a social BPM experience. It enables asset sharing and creating versions through its Process Center. The Process Center acts as a unified repository, making it possible to manage changes to the business processes with confidence.

IBM BPM supports a wide range of standards for process modeling and exchange. Built-in analytics and search capabilities help to further improve and optimize the business processes.

This IBM Redbooks® publication provides valuable information for project teams and business people that are involved in projects using IBM BPM. It describes the important design decisions that you face as a team. These decisions invariably have an effect on the success of your project.

These decisions range from the more business-centric decisions, such as which should be your first process, to the more technical decisions, such as solution analysis and architectural considerations.

Table of contents

Chapter 1. Introduction to successful business process management
Chapter 2. Approaches and process discovery
Chapter 3. Solution analysis and architecture considerations
Chapter 4. Security architecture considerations
Chapter 5. Design considerations and patterns
Chapter 6. Business-centric visibility
Chapter 7. Performance and IT-centric visibility

IBM HTTP Server, Transport Layer Security and Google Chrome

Things that make you go "Hmmm" - #432 - WebSphere Application Server Transaction and Partner Logs

Over the past few weeks, I've written about my experiences configuring IBM Business Process Manager and IBM Business Monitor to connect via a TLS-encrypted tunnel to IBM DB2: -


and am just about to create a post covering the experiences learned whilst configuring WebSphere Application Server to support the current latest Transport Layer Security (TLS) 1.2.

However, I hit a small glitch....

Whilst validating my current setup ( IBM Business Monitor 8.5.6 on WAS ND 8.5.5.5 connecting via TLS 1.0 to DB2 10.5.0.5 ), I noted the following exception in one of my cluster member logs ( specifically the AppTarget ): -

[30/05/15 06:54:23:906 BST] 00000065 RecoveryManag I   WTRN0135I: Transaction service recovering no transactions.
[30/05/15 06:54:23:917 BST] 00000065 RecoveryManag A   WTRN0134I: Recovering 1 XA resource manager(s) from the transaction partner logs
[30/05/15 06:54:23:954 BST] 00000065 XARecoveryDat A   WTRN0151I: Preparing to call xa recover on XAResource: Monitor_Database
[30/05/15 06:54:24:891 BST] 00000065 DMAdapter     I com.ibm.ws.ffdc.impl.DMAdapter getAnalysisEngine FFDC1009I: Analysis Engine using data base: /opt/IBM/WebSphere/AppServer/properties/logbr/ffdc/adv/ffdcdb.xml
[30/05/15 06:54:24:897 BST] 00000065 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere/AppServer/profiles/BAMCell1AppSrv01/logs/ffdc/AppClusterMember1_c432d1b_15.05.30_06.54.24.8794642297944511548081.txt com.ibm.ws.rsadapter.spi.InternalGenericDataStoreHelper.getPooledCon 1298
[30/05/15 06:54:24:939 BST] 00000065 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere/AppServer/profiles/BAMCell1AppSrv01/logs/ffdc/AppClusterMember1_c432d1b_15.05.30_06.54.24.9204315923791292855617.txt com.ibm.ejs.j2c.J2CXAResourceFactory.getXAResource 310
[30/05/15 06:54:24:942 BST] 00000065 J2CXAResource W   J2CA0061W: Error creating XA Connection and Resource com.ibm.ws.exception.WsException: DSRA8100E: Unable to get a XAConnection from the DataSource jdbc/wbm/MonitorDatabase. with SQL State : 08001 SQL Code : -4499


Caused by: com.ibm.websphere.ce.cm.StaleConnectionException: [jcc][t4][2043][11550][4.18.60] Exception java.net.ConnectException: Error opening socket to server bam856.uk.ibm.com/127.0.0.1 on port 60,006 with message: Connection refused. ERRORCODE=-4499, SQLSTATE=08001 DSRA0010E: SQL State = 08001, Error Code = -4,499


java.sql.SQLNonTransientException: [jcc][t4][2043][11550][4.18.60] Exception java.net.ConnectException: Error opening socket to server bam856.uk.ibm.com/127.0.0.1 on port 60,006 with message: Connection refused. ERRORCODE=-4499, SQLSTATE=08001 DSRA0010E: SQL State = 08001, Error Code = -4,499

Caused by: java.net.ConnectException: Connection refused

Having gone through the configuration with a fine tooth comb ( whatever one of those is ), I could NOT find ANY reference to port 60006 anywhere.

For the record, port 60006 is the non-TLS port that I'd previously used, before switching to port 60007 for a TLS-encrypted connection.

After much trial and quite a lot of error, I re-read the log, specifically these two lines: -

[30/05/15 06:54:23:917 BST] 00000065 RecoveryManag A   WTRN0134I: Recovering 1 XA resource manager(s) from the transaction partner logs
[30/05/15 06:54:23:954 BST] 00000065 XARecoveryDat A   WTRN0151I: Preparing to call xa recover on XAResource: Monitor_Database


which started me thinking about the Transaction Manager.

What, I wondered, was the possibility that the OLD pre-TLS configuration was still persisted in a transaction that had previously NOT completed before I switched the configuration across ?

I did some further digging ( using the command fgrep -R 60006 * ) inside the directory that hosts the Transaction, Recovery and Partner logs for the AppCluster: -

cd /opt/IBM/WebSphere/AppServer/profiles/BAMCell1AppSrv01/tranlog/BAMCell1/AppSrv01Node/AppClusterMember1/transaction

and found two binary files: -

log1
log2

here: -

/opt/IBM/WebSphere/AppServer/profiles/BAMCell1AppSrv01/tranlog/BAMCell1/AppSrv01Node/AppClusterMember1/transaction/partner

both of which contained references to the string 60006.

That confirmed my suspicion.

Now there's a third file in this directory, sensibly named: -

DO NOT DELETE LOG FILES

That's there for a VERY good reason - one should NEVER delete the Transaction or Partner Log files.

*** WARNING - CAVEAT EMPTOR ***

Having said NEVER, this is MY own test environment with NO important or critical data - if I break things, I simply rebuild the WAS cell, which takes ~30 minutes.

So, ignoring my own ( and IBM's ) advice, I deleted the Partner Logs: -

cd /opt/IBM/WebSphere/AppServer/profiles/BAMCell1AppSrv01/tranlog/BAMCell1/AppSrv01Node/AppClusterMember1/transaction/partner
rm -Rf *

having shut down the AppCluster.

Quelle surprise, when I restarted the cluster, there were no failed transactions to recover, and WAS came up clean and green with NO JDBC exceptions.

*** WARNING - CAVEAT EMPTOR ***

Thinking about it after the event, I probably could have achieved the same thing by re-opening port 60006 on DB2, which I'd previously disabled using the db2set command as follows: -

db2set DB2COMM=SSL

thus overriding the previous configuration: -

db2set DB2COMM=SSL,TCPIP

For the record, the SSL value means that DB2 observes the SSL service configuration within the Database Manager: -

SSL service name                         (SSL_SVCENAME) = db2c_ssl

whereas TCPIP means that it observes the TCPIP service configuration: -

TCP/IP Service name                          (SVCENAME) = db2c_db2inst1

In each case, the Service Name is inferred from /etc/services which ensures that the instance is listening on the appropriate ports: -

DB2_db2inst1      60000/tcp
DB2_db2inst1_1    60001/tcp
DB2_db2inst1_2    60002/tcp
DB2_db2inst1_3    60003/tcp
DB2_db2inst1_4    60004/tcp
DB2_db2inst1_END  60005/tcp
db2c_db2inst1     60006/tcp
db2c_ssl          60007/tcp


So, had I enabled BOTH services, WAS would've been able to connect via a non-TLS connection to port 60006 and the transaction would have been recovered / completed.
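
Added Python example ( not from the post ) of the check that avoids deleting the logs: it scans the partner-log bytes for the decimal ports defined in /etc/services ( the fgrep -R above, in code ), works out which of those ports the instance will actually answer on for a given DB2COMM value, and reports the referenced-but-unreachable ones. The /etc/services entries and dbm config values are the post's; the partner-log bytes are constructed, since the real files are opaque.

```python
from pathlib import Path

# /etc/services entries for the instance, as listed in the post.
SERVICES_TEXT = '''\
DB2_db2inst1      60000/tcp
DB2_db2inst1_1    60001/tcp
DB2_db2inst1_2    60002/tcp
DB2_db2inst1_3    60003/tcp
DB2_db2inst1_4    60004/tcp
DB2_db2inst1_END  60005/tcp
db2c_db2inst1     60006/tcp
db2c_ssl          60007/tcp
'''

# The two service-name parameters from 'db2 get dbm config' in the post.
DBM_CONFIG = {'SVCENAME': 'db2c_db2inst1', 'SSL_SVCENAME': 'db2c_ssl'}

# Constructed stand-ins for the tranlog files: the real ones are binary, but the post
# found the old port's decimal string inside the two partner logs with fgrep.
SAMPLE_TRANLOG_FILES = {
    'partner/log1': b'\x00\x10XAResource\x00jdbc:db2://bam856.uk.ibm.com:60006/MONITOR\x00',
    'partner/log2': b'\x00\x10XAResource\x00jdbc:db2://bam856.uk.ibm.com:60006/MONITOR\x00',
    'log1':         b'\x00\x00\x00\x00constructed transaction log with no endpoint\x00',
}


def parse_etc_services(text: str) -> dict:
    """service name -> (port, protocol), ignoring comments, aliases and blank lines."""
    services = {}
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 2 and '/' in fields[1]:
            port, proto = fields[1].split('/', 1)
            services[fields[0]] = (int(port), proto)
    return services


def _service_port(name, services):
    # DB2 accepts either a name resolved through /etc/services or a literal port number.
    if name is None:
        return None
    if name.isdigit():
        return int(name)
    return services.get(name, (None, None))[0]


def db2_listening_ports(db2comm: str, dbm_config: dict, services: dict) -> set:
    """Ports the instance listens on for a DB2COMM value such as 'SSL' or 'SSL,TCPIP'."""
    protocols = {p.strip().upper() for p in db2comm.split(',') if p.strip()}
    ports = set()
    if 'TCPIP' in protocols:
        ports.add(_service_port(dbm_config.get('SVCENAME'), services))
    if 'SSL' in protocols:
        ports.add(_service_port(dbm_config.get('SSL_SVCENAME'), services))
    ports.discard(None)
    return ports


def ports_referenced(files: dict, candidate_ports) -> dict:
    """port -> files whose bytes contain its decimal form (a heuristic, like the fgrep)."""
    hits = {}
    for port in sorted(candidate_ports):
        names = [name for name, data in files.items() if str(port).encode() in data]
        if names:
            hits[port] = names
    return hits


def stale_endpoints(files: dict, db2comm: str, dbm_config: dict, services_text: str) -> dict:
    """Ports the logs still reference but that the instance no longer listens on."""
    services = parse_etc_services(services_text)
    listening = db2_listening_ports(db2comm, dbm_config, services)
    referenced = ports_referenced(files, {port for port, _ in services.values()})
    return {port: names for port, names in referenced.items() if port not in listening}


def read_tranlog_dir(directory) -> dict:
    """Load every file under a tranlog directory into the {relative path: bytes} shape used above."""
    root = Path(directory)
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob('*') if p.is_file()}


if __name__ == '__main__':
    for db2comm in ('SSL', 'SSL,TCPIP'):
        stale = stale_endpoints(SAMPLE_TRANLOG_FILES, db2comm, DBM_CONFIG, SERVICES_TEXT)
        print(f'DB2COMM={db2comm}: stale endpoints in tranlogs -> {stale or "none"}')
```

Against a live profile, replace SAMPLE_TRANLOG_FILES with read_tranlog_dir(...) pointed at the AppClusterMember1/transaction directory; a non-empty result means re-enabling that listener ( DB2COMM=SSL,TCPIP ) lets recovery complete without touching the logs.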

Life is, as ever, a learning curve :-)

For future reference, there's plenty of good material covering the WAS Java Transaction Service, including this: -


which does cover the costs and benefits of deleting the Transaction and Partner Logs, especially in the context of WebSphere Process Server ( now IBM BPM ).

So, again, do NOT NOT NOT delete Tran/Partner Logs unless you really really really know what you're doing.

WebSphere Application Server 8.5.5.5, TLS 1.2 and DB2

Some more blogging over at the WebSphere User Group ( aka Global WebSphere Community ), following my continuing voyage of discovery in the world of Transport Layer Security (TLS): -


...
I've been working through the configuration of Transport Layer Security (TLS) 1.2 between DB2 and WebSphere Application Server (WAS).

I've learned a heck of a lot about this in the past 48 hours, but the key aspect is that it's necessary to configure BOTH DB2 *AND* WAS to support TLS 1.2
....

IBM Integration Bus 9 - Installing the IIB Toolkit on RHEL

This follows a post from last year: -


in which I wrote about deploying the IIB toolkit onto Red Hat Enterprise Linux.

I'm now using Red Hat Enterprise Linux Server release 6.6 (Santiago).

Last time around, I'd mentioned that I had a bunch of missing Linux RPMs.

This time around, this is what I had to install on top of RHEL 6.6: -

libXtst.so.6
libatk-1.0.so.0
libgdk_pixbuf-2.0.so.0
libgdk-x11-2.0.so.0


as follows: -

yum install -y libXtst.so.6
yum install -y libatk-1.0.so.0
yum install -y libgdk_pixbuf-2.0.so.0
yum install -y libgdk-x11-2.0.so.0


Here's the resulting IBM Installation Manager (IIM) response file: -

<?xml version='1.0' encoding='UTF-8'?>
<agent-input>
  <variables>
    <variable name='sharedLocation' value='/opt/IBM/IMShared'/>
  </variables>
  <server>
    <repository location='/tmp/foobar/integrationbus/Integration_Toolkit'/>
  </server>
  <profile id='IBM Integration Toolkit' installLocation='/opt/IBM/IntegrationToolkit90'>
    <data key='eclipseLocation' value='/opt/IBM/IntegrationToolkit90'/>
    <data key='user.import.profile' value='false'/>
    <data key='cic.selector.os' value='linux'/>
    <data key='cic.selector.arch' value='x86'/>
    <data key='cic.selector.ws' value='gtk'/>
    <data key='user.MB61.installPath' value='/opt/IBM/WMBT610'/>
    <data key='user.MB70.installPath' value='/opt/IBM/WMBT700'/>
    <data key='user.MB80.installPath' value='/opt/IBM/WMBT800'/>
    <data key='cic.selector.nl' value='en'/>
  </profile>
  <install modify='false'>
    <!-- IBM® Integration Toolkit 9.0.0.200 -->
    <offering profile='IBM Integration Toolkit' id='com.ibm.integration.toolkit.v90' version='9.0.0.20140515-1210' features='com.ibm.integration.toolkit,com.ibm.integration.adapters,com.ibm.rad.sdpcore,com.ibm.rad.jre,com.ibm.rad.webtools_core,com.ibm.rad.was_core,com.ibm.rad.data_tools,com.ibm.rad.tptp,com.ibm.rad.j2c,com.ibm.rad.clearcase,com.ibm.rad.birt,com.ibm.rad.transform_authoring,com.ibm.rad.pde' installFixes='none'/>
  </install>
  <preference name='com.ibm.cic.common.core.preferences.eclipseCache' value='${sharedLocation}'/>
  <preference name='com.ibm.cic.common.core.preferences.connectTimeout' value='30'/>
  <preference name='com.ibm.cic.common.core.preferences.readTimeout' value='45'/>
  <preference name='com.ibm.cic.common.core.preferences.downloadAutoRetryCount' value='0'/>
  <preference name='offering.service.repositories.areUsed' value='true'/>
  <preference name='com.ibm.cic.common.core.preferences.ssl.nonsecureMode' value='false'/>
  <preference name='com.ibm.cic.common.core.preferences.http.disablePreemptiveAuthentication' value='false'/>
  <preference name='http.ntlm.auth.kind' value='NTLM'/>
  <preference name='http.ntlm.auth.enableIntegrated.win32' value='true'/>
  <preference name='com.ibm.cic.common.core.preferences.preserveDownloadedArtifacts' value='true'/>
  <preference name='com.ibm.cic.common.core.preferences.keepFetchedFiles' value='false'/>
  <preference name='PassportAdvantageIsEnabled' value='false'/>
  <preference name='com.ibm.cic.common.core.preferences.searchForUpdates' value='false'/>
  <preference name='com.ibm.cic.agent.ui.displayInternalVersion' value='false'/>
  <preference name='com.ibm.cic.common.sharedUI.showErrorLog' value='true'/>
  <preference name='com.ibm.cic.common.sharedUI.showWarningLog' value='true'/>
  <preference name='com.ibm.cic.common.sharedUI.showNoteLog' value='true'/>
</agent-input>


resulting in this: -

/opt/IBM/InstallationManager/eclipse/tools/imcl listInstalledPackages

com.ibm.cic.agent_1.8.2000.20150303_1526
com.ibm.websphere.IHS.v85_8.5.5005.20150220_0158
com.ibm.websphere.PLG.v85_8.5.5005.20150220_0158
com.ibm.integration.toolkit.v90_9.0.0.20140515-1210


Now I'm off to cut some code ...

IBM Integration Bus - MQJE001 rc2495 - A few lessons (re)learned

So I was seeing this: -

com.ibm.broker.config.proxy.ConfigManagerProxyLoggedMQException: Could not connect to queue manager 'IIB9QMGR' (MQ reason code 2495 ; MQJE001: Completion Code '2', Reason '2495'.)
...
Caused by: com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2495'.
...
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2495;AMQ8568: The native JNI library 'mqjbnd' was not found. For a client installation this is expected. [3=mqjbnd]
...

whilst trying to use the IBM Integration Bus 9.0.0.2 Toolkit to interact with two Queue Managers ( via WebSphere MQ 8.0.0.2 ): -

/opt/IBM/IntegrationToolkit90/eclipse

I read an old blog post of mine, and found this: -

. /opt/mqm/bin/setmqenv -s -k

which I then tried, but got this: -

Caused by: java.lang.UnsatisfiedLinkError: mqjbnd (/opt/mqm/java/lib64/libmqjbnd.so: wrong ELF class: ELFCLASS64)

Of course, as ever, I should've read one of my previous posts ( this one from 2013 ): -


which had me setting LD_LIBRARY_PATH to use the 32-bit MQM Java libraries ( the "wrong ELF class: ELFCLASS64" error above is a 32-bit JVM refusing to load the 64-bit library from lib64 ): -

export LD_LIBRARY_PATH=/opt/mqm/java/lib/:$LD_LIBRARY_PATH
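
As an added example ( my own, not code from the post or from IBM ), here is a small Python check of an ELF header that shows where that UnsatisfiedLinkError comes from: the class byte in the first 16 bytes of a shared library says whether it is 32- or 64-bit, and a JVM can only load libraries of its own word size. The two sample headers are constructed inline and stand in for the lib64 and lib copies of libmqjbnd.so; elf_class_of_file can be pointed at the real files.

```python
"""Check whether a shared library's ELF class matches the JVM that will load it.

Added example (not from the original post). 'wrong ELF class: ELFCLASS64' means a
32-bit JVM tried to load a 64-bit mqjbnd. The e_ident array at the start of every
ELF file records the class, so a header check tells you which of /opt/mqm/java/lib
and /opt/mqm/java/lib64 belongs first on LD_LIBRARY_PATH for a given JVM.
"""
import struct

ELF_MAGIC = b"\x7fELF"
EI_CLASS = 4                 # offset of the class byte within e_ident
ELFCLASS32, ELFCLASS64 = 1, 2
EI_DATA = 5                  # offset of the endianness byte
ELFDATA2LSB = 1
E_MACHINE_OFFSET = 18        # 16-bit e_machine field follows the 16-byte e_ident and 2-byte e_type
EM_386, EM_X86_64 = 0x03, 0x3E


def elf_class(header: bytes) -> int:
    """Return 32 or 64 for an ELF header, raising ValueError for non-ELF input."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    cls = header[EI_CLASS]
    if cls == ELFCLASS32:
        return 32
    if cls == ELFCLASS64:
        return 64
    raise ValueError("unknown ELF class %d" % cls)


def elf_machine(header: bytes) -> int:
    """Return the e_machine value (EM_386 for i386, EM_X86_64 for amd64)."""
    endian = "<" if header[EI_DATA] == ELFDATA2LSB else ">"
    return struct.unpack_from(endian + "H", header, E_MACHINE_OFFSET)[0]


def library_matches_jvm(header: bytes, jvm_bits: int) -> bool:
    """True when a JVM of jvm_bits (32 or 64) can load this library."""
    return elf_class(header) == jvm_bits


def pick_mq_java_lib_dir(jvm_bits: int) -> str:
    """The MQ Java library directory a JVM of this word size should see first."""
    return "/opt/mqm/java/lib64" if jvm_bits == 64 else "/opt/mqm/java/lib"


def elf_class_of_file(path: str) -> int:
    """Read just enough of a real file on disk to classify it."""
    with open(path, "rb") as fh:
        return elf_class(fh.read(20))


def make_header(cls: int, machine: int) -> bytes:
    """Constructed sample: the first 20 bytes of a little-endian ET_DYN shared object."""
    e_ident = ELF_MAGIC + bytes([cls, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    e_type = struct.pack("<H", 3)          # ET_DYN
    e_machine = struct.pack("<H", machine)
    return e_ident + e_type + e_machine


LIB64_MQJBND = make_header(ELFCLASS64, EM_X86_64)   # stands in for /opt/mqm/java/lib64/libmqjbnd.so
LIB32_MQJBND = make_header(ELFCLASS32, EM_386)      # stands in for /opt/mqm/java/lib/libmqjbnd.so

if __name__ == "__main__":
    for name, hdr in (("lib64/libmqjbnd.so", LIB64_MQJBND), ("lib/libmqjbnd.so", LIB32_MQJBND)):
        print(name, "is", elf_class(hdr), "bit; loadable by a 32-bit JVM:",
              library_matches_jvm(hdr, 32))
```

On the box itself `file /opt/mqm/java/lib64/libmqjbnd.so` reports the same class in one line; parsing the header yourself just makes it obvious that the JVM's decision is taken from those first bytes, before any symbol lookup happens.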

Once I did this, I got further forward, seeing: -

...
com.ibm.broker.config.proxy.ConfigManagerProxyLoggedMQException: The user 'wasadmin' is not authorized to connect to queue manager 'IIB9QMGR' (MQ reason code 2035 while trying to connect)
...
Caused by: com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2035'.
...

which is an old old friend.

I fixed that issue as follows: -

setmqaut -m IIB9QMGR -t qmgr -p wasadmin +connect +inq +dsp

plus, thanks to this: -


runmqsc DAVEHAY
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(REQDADM) CHCKLOCL(NONE)    
REFRESH SECURITY TYPE(CONNAUTH)


runmqsc IIB9QMGR
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(REQDADM) CHCKLOCL(NONE)    
REFRESH SECURITY TYPE(CONNAUTH)


and, as ever, it's all good now :-)

Securing the Database - IBM DB2 10.5 and Transport Layer Security 1.2

This builds upon a series of earlier posts, including: -




This week, my colleague, JohnR, and I have been endeavouring to understand more about the way that one can use Transport Layer Security (TLS) 1.2 in the context of IBM DB2, with specific regard to Java client connectivity.

To that end, I've set up my DB2 10.5.0.5 server to only accept incoming connections on a specific port ( 60007 ) via TLS 1.2 using a very specific cipher specification.

This is what I have: -

db2 get dbm config | grep SSL

...
 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/keystore.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/keystore.sth
 SSL server certificate label            (SSL_SVR_LABEL) = bam856.uk.ibm.com
 SSL service name                         (SSL_SVCENAME) = db2c_ssl
 SSL cipher specs                      (SSL_CIPHERSPECS) = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 SSL versions                             (SSL_VERSIONS) = TLSV12
 SSL client keydb file                  (SSL_CLNT_KEYDB) = 
 SSL client stash file                  (SSL_CLNT_STASH) = 
...

cat /etc/services

...
DB2_db2inst1 60000/tcp
DB2_db2inst1_1 60001/tcp
DB2_db2inst1_2 60002/tcp
DB2_db2inst1_3 60003/tcp
DB2_db2inst1_4 60004/tcp
DB2_db2inst1_END 60005/tcp
db2c_db2inst1 60006/tcp
db2c_ssl 60007/tcp
...

( I've highlighted the most specific aspects above )

This essentially means that DB2 will: -

(a) Listen on port 60007
(b) Only accept incoming connections that use TLS 1.2
(c) Only accept incoming connections that support the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher specification
(d) Present a signer certificate with the alias bam856.uk.ibm.com
(e) Use a local keystore - /home/db2inst1/keystore.kdb  - to store the signer certificate
(f) Use a local stashed password file - /home/db2inst1/keystore.sth

Having set all of this up, we were somewhat surprised to find that a standard Java class wouldn't connect, instead returning handshake_failure exceptions such as: -

com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][3.69.24] A communication error occurred during operations on the connection's underlying socket, socket input stream, 
or socket output stream.  Error location: Reply.fill() - socketInputStream.read (-1).  Message: Received fatal alert: handshake_failure. ERRORCODE=-4499, SQLSTATE=08001


This proved to be for a number of reasons.

These are three of them: -

(1) It's important to use the "right" Java Runtime Environment, as TLS 1.2 support was added relatively recently - we experimented with various versions of Java 7 and Java 8, with varying degrees of success
(2) The AES 256 ciphers require the JRE to be augmented with Unrestricted SDK JCE policy files - this is definitely true for the IBM JRE, and may also be true for Oracle
(3) Not all ciphers work with all JREs - John and I had varying results

In addition, DB2 has a quirk in that the Cipher Specification(s) that are configured in the instance Database Manager Configuration are prefixed with tls_ whereas Java appears to want to prefix them with ssl_ 

As an example, here's an excerpt from the IBM SDK 7.1: -

...
Default enabled cipher suites in order of preference:

• SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
• SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• SSL_RSA_WITH_AES_256_CBC_SHA256
• SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
...

whereas DB2 wants the suite specified as: -

...
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
• TLS_RSA_WITH_AES_256_CBC_SHA256
...

as per this: -


When I tried to persuade DB2 to use the same consistent naming convention as Java, this is what I saw: -

db2 update dbm config using SSL_CIPHERSPECS SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

SQL6112N  The configuration parameter was not updated because the resulting 
configuration parameter settings would not be valid.  Reason code "8".

So, in the context of working JREs, I did note that the Java 7 JRE that's included with DB2 10.5.0.5: -

/opt/ibm/db2/V10.5/java/jdk64/jre/bin/java -version

java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470sr6-20131015_01(SR6))
IBM J9 VM (build 2.6, JRE 1.7.0 Linux amd64-64 Compressed References 20131013_170512 (JIT enabled, AOT enabled)
J9VM - R26_Java726_SR6_20131013_1510_B170512
JIT  - r11.b05_20131003_47443
GC   - R26_Java726_SR6_20131013_1510_B170512_CMPRSS
J9CL - 20131013_170512)
JCL - 20131011_01 based on Oracle 7u45-b18


returns the handshake_failure exception whereas that shipped with WebSphere Application Server 8.5.5.5: -

/opt/IBM/WebSphere/AppServer/java/jre/bin/java -version

java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460_26sr8fp3-20141218_02(SR8 FP3))
IBM J9 VM (build 2.6, JRE 1.6.0 Linux amd64-64 Compressed References 20141211_226933 (JIT enabled, AOT enabled)
J9VM - R26_Java626_SR8_20141211_2359_B226933
JIT  - r11.b07_20141003_74578.05
GC   - R26_Java626_SR8_20141211_2359_B226933_CMPRSS
J9CL - 20141212_226933)
JCL  - 20141216_01


works perfectly.

Therefore, it's important to ensure that one uses the correct JRE and that one fully tests each required Cipher Suite.

Finally, I mentioned the need to augment the JRE with Unrestricted SDK JCE policy files - this is most clearly documented here: -

...
** Cipher suites that use AES_256 require installation of the   JCE Unlimited Strength Jurisdiction Policy Files.
...


<CAVEAT>

As far as I'm aware, the use of the Unrestricted SDK JCE policy files is definitely something that needs to be considered on a case-by-case basis, as there are license agreement considerations, as described in this example: -


which then links to this: -


</CAVEAT>

In my own case, having downloaded the policy files, this gave me a ZIP file: -

-rw-r--r-- 1 db2inst1 db2iadm1 4.0K Jun  2 21:06 unrestrictedpolicyfiles.zip

This contains two files: -

-r--r--r--  1 db2inst1 db2iadm1 2253 Oct 12  2012 local_policy.jar
-r--r--r--  1 db2inst1 db2iadm1 2240 Oct 12  2012 US_export_policy.jar


which I placed here: -

/opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/

having backed up and moved the original versions: -

-rwxr-xr-x.  1 wasadmin wasadmins  3890 Feb 19 17:29 blacklist
-rwxr-xr-x.  1 wasadmin wasadmins 77924 Jun  3 14:49 cacerts
-rwxr-xr-x.  1 wasadmin wasadmins  2532 Apr 16  2012 java.policy
-rwxr-xr-x.  1 wasadmin wasadmins 10560 Apr 16  2012 java.security
-rwxr-xr-x.  1 wasadmin wasadmins    98 Feb 19 17:29 javaws.policy
-r--r--r--   1 root     root       2253 Jun  3 15:18 local_policy.jar
-rwxr-xr-x.  1 wasadmin wasadmins  2640 Feb 19 17:29 local_policy.RAJ
-rwxr-xr-x.  1 wasadmin wasadmins     0 Feb 19 17:29 trusted.libraries
-r--r--r--   1 root     root       2240 Jun  3 15:18 US_export_policy.jar
-rwxr-xr-x.  1 wasadmin wasadmins  2175 Feb 19 17:29 US_export_policy.RAJ


( I have highlighted the original files which I moved to a .RAJ extension and also the new files )

With all of the above in place: -

(a) The right version of Java 7 ( in my case ) to support TLS 1.2
(b) The right TLS cipher specification(s)
(c) The unrestricted policy files - if using AES256 ciphers

This is, of course, over and above the configuration required both server-side ( DB2 ) and client-side ( Java ), in terms of hosting key stores, signer certificates etc.

This is how I extracted the signer certificate from DB2 and stored it in a Java KeyStore (JKS) file for use by my Java code: -

openssl s_client -showcerts -connect localhost:60007 </dev/null | openssl x509 -outform DER > ~/db2.cer

depth=0 DC = com, DC = ibm, DC = uk, CN = bam856.uk.ibm.com
verify error:num=18:self signed certificate
verify return:1
depth=0 DC = com, DC = ibm, DC = uk, CN = bam856.uk.ibm.com
verify return:1
DONE


/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -import -file ~/db2.cer -keystore /tmp/davehay.jks -alias DB22 -storepass davehay

Owner: CN=bam856.uk.ibm.com, DC=uk, DC=ibm, DC=com
Issuer: CN=bam856.uk.ibm.com, DC=uk, DC=ibm, DC=com
Serial number: 686dcce6267d5fb4
Valid from: 28/05/15 13:54 until: 28/05/16 13:54
Certificate fingerprints:
 MD5:  55:22:9D:A3:F8:60:EA:E6:2C:4F:C9:74:59:16:7B:22
 SHA1: B9:07:FB:AC:0C:77:18:4D:B9:52:CD:71:5E:00:DB:93:F4:A9:FA:6A
Trust this certificate? [no]:  y
Certificate was added to keystore


as validated below: -

keytool -list -keystore /tmp/davehay.jks -storepass davehay

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

db2, 03-Jun-2015, trustedCertEntry, 
Certificate fingerprint (SHA1): B9:07:FB:AC:0C:77:18:4D:B9:52:CD:71:5E:00:DB:93:F4:A9:FA:6A

For the record, here's the Java class: -

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

class JdbcTestDB2
{
    public static void main(String args[])
    {
        // Load the IBM Data Server Driver for JDBC ( the type 4 "jcc" driver )
        try
        {
            Class.forName("com.ibm.db2.jcc.DB2Driver");
        }
        catch (ClassNotFoundException e)
        {
            System.err.println(e);
            System.exit(-1);
        }

        // Connection details: the DB2 server's TLS-only port ( 60007 ) and the SAMPLE database
        String hostname = "bam856.uk.ibm.com";
        int port = 60007;
        String dbName = "SAMPLE";
        String userName = "db2inst1";
        String password = "passw0rd";
        String sslConnection = "true";

        // The jcc driver takes its TLS settings from these connection properties;
        // the trust store is the JKS file holding the DB2 signer certificate imported above
        Properties properties = new Properties();
        properties.put("user", userName);
        properties.put("password", password);
        properties.put("sslConnection", sslConnection);
        properties.put("sslTrustStoreLocation", "/tmp/davehay.jks");
        properties.put("sslTrustStorePassword", "davehay");

        String url = "jdbc:db2://" + hostname + ":" + port + "/" + dbName;
        try
        {
            Connection connection = DriverManager.getConnection(url, properties);

            String query = "select EMPNO,FIRSTNME,LASTNAME from DB2INST1.EMPLOYEE";

            Statement statement = connection.createStatement();
            ResultSet rs = statement.executeQuery(query);

            // Print each row as "EMPNO FIRSTNME LASTNAME"
            while (rs.next())
            {
                System.out.println(rs.getString(1) + " " + rs.getString(2) + " " + rs.getString(3));
            }

            rs.close();
            statement.close();
            connection.close();
        }
        catch (SQLException e)
        {
            System.err.println(e);
            System.exit(-1);
        }
    }
}


Note that I've highlighted the variables that I'm then setting for the JDBC connection using a java.util.Properties object.

Finally, during the problem determination phase, I used the JVM command -Djavax.net.debug=ssl to get more information about the handshake_failure : -

java  -Djavax.net.debug=ssl  JdbcTestDB2

...
*** ClientHello, TLSv1
RandomCookie:  GMT: 1433356707 bytes = { 139, 106, 65, 168, 154, 169, 66, 60, 183, 34, 1, 227, 142, 239, 237, 139, 58, 162, 251, 68, 84, 56, 204, 216, 182, 194, 237, 101 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 67
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][3.69.24] A communication error occurred during operations on the connection's underlying socket, socket input stream, 
or socket output stream.  Error location: Reply.fill() - socketInputStream.read (-1).  Message: Received fatal alert: handshake_failure. ERRORCODE=-4499, SQLSTATE=08001

...

Note that, whilst the ClientHello phase starts, we never see the resulting ServerHello response.

This is with the wrong JRE: -

ls -al `which java`

lrwxrwxrwx. 1 root root 22 Apr  5 21:52 /usr/bin/java -> /etc/alternatives/java

java -version

java version "1.7.0_65"
OpenJDK Runtime Environment (rhel-2.5.1.2.el6_5-x86_64 u65-b17)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)


whereas this is what I see with the right JRE: -

...
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1433356928 bytes = { 209, 47, 22, 227, 221, 42, 210, 36, 159, 234, 33, 130, 46, 110, 132, 83, 32, 121, 46, 38, 107, 8, 238, 212, 19, 125, 148, 178 }
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ECDH_RSA_WITH_RC4_128_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA256withDSA, SHA1withDSA, MD5withRSA
***
main, WRITE: TLSv1.2 Handshake, length = 195
main, READ: TLSv1.2 Handshake, length = 1375
*** ServerHello, TLSv1.2
RandomCookie:  GMT: -128 bytes = { 238, 184, 253, 53, 112, 242, 137, 166, 205, 83, 9, 182, 17, 177, 233, 43, 206, 14, 0, 217, 246, 26, 214, 153, 47, 150, 202, 51 }
Session ID:  {105, 109, 0, 0, 212, 197, 167, 14, 199, 117, 87, 153, 13, 215, 101, 219, 250, 202, 212, 98, 88, 88, 88, 88, 128, 75, 111, 85, 0, 0, 33, 144}
Cipher Suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Compression Method: 0
Extension ec_point_formats, formats: [uncompressed]
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
***
JsseJCE:  Using MessageDigest SHA-384 from provider IBMJCE version 1.7
%% Initialized:  [Session-1, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
** SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384

...

Again, the ClientHello phase lists a huge number of ciphers being presented from Java to DB2, and the ServerHello shows the single cipher that DB2 is presenting back.
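
To tie the cipher naming quirk and the two debug traces together, here is an added example ( mine, not code from the post, DB2 or the JSSE ) that models the server side's decision in Python: it strips the SSL_/TLS_ prefix so that the IBM JRE's and DB2's names for the same suite compare equal, checks the hello's protocol version against SSL_VERSIONS, and reports which suite the ServerHello would carry, or that a handshake_failure is coming. The DB2 settings and the two abbreviated ClientHello suite lists are constructed copies of what appears above; the assumption that the server walks the client's list in the client's order is mine and only matters when more than one suite is configured.

```python
"""Why the DB2 handshake fails: compare what the server accepts with what the client offers.

Added example, not part of the original post. It models the two ClientHello traces
above: DB2 is configured with SSL_VERSIONS=TLSV12 and a single cipher spec, the
OpenJDK 7u65 client sends a TLSv1 hello with no SHA384 suites, and the IBM JRE
sends a TLSv1.2 hello whose suites carry the SSL_ prefix. A server that finds no
usable suite answers with the fatal handshake_failure alert seen in the log.
"""

# DB2 dbm config values from the post (constructed copies).
DB2_SSL_VERSIONS = {"TLSV12"}
DB2_SSL_CIPHERSPECS = {"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"}

# Abbreviated client hellos as printed by -Djavax.net.debug=ssl (constructed from the post).
OPENJDK7_HELLO = {
    "version": "TLSv1",
    "suites": [
        "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    ],
}
IBMJRE_HELLO = {
    "version": "TLSv1.2",
    "suites": [
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
        "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "SSL_RSA_WITH_AES_256_CBC_SHA256", "SSL_RSA_WITH_AES_256_CBC_SHA",
    ],
}

# DB2's SSL_VERSIONS spelling mapped to the wire name the JSSE debug trace prints.
VERSION_NAMES = {"TLSV1": "TLSv1", "TLSV11": "TLSv1.1", "TLSV12": "TLSv1.2"}


def canonical(suite):
    """Strip the provider-specific prefix: IBM JSSE says SSL_..., DB2 says TLS_... for the same suite."""
    for prefix in ("SSL_", "TLS_"):
        if suite.startswith(prefix):
            return suite[len(prefix):]
    return suite


def needs_unlimited_policy(suite):
    """AES_256 suites need the unrestricted JCE policy files on the IBM JRE (per the post)."""
    return "AES_256" in suite


def negotiate(server_versions, server_specs, hello):
    """Return the suite the server would pick, or None (=> fatal handshake_failure alert)."""
    allowed_versions = {VERSION_NAMES[v] for v in server_versions}
    if hello["version"] not in allowed_versions:
        return None                       # a TLSv1 hello cannot reach a TLSv1.2-only server
    server_ok = {canonical(s) for s in server_specs}
    for offered in hello["suites"]:       # assumption: client preference order is honoured
        if canonical(offered) in server_ok:
            return offered
    return None


def explain(server_versions, server_specs, hello):
    """One-line verdict in the vocabulary of the javax.net.debug trace."""
    chosen = negotiate(server_versions, server_specs, hello)
    if chosen is None:
        return "handshake_failure: client %s hello offers no suite in %s" % (
            hello["version"], sorted(server_specs))
    note = " (needs unrestricted JCE policy files)" if needs_unlimited_policy(chosen) else ""
    return "ServerHello would select %s%s" % (chosen, note)


if __name__ == "__main__":
    for name, hello in (("OpenJDK 7u65", OPENJDK7_HELLO), ("IBM JRE", IBMJRE_HELLO)):
        print(name + ": " + explain(DB2_SSL_VERSIONS, DB2_SSL_CIPHERSPECS, hello))
```

Running it gives a handshake_failure verdict for the OpenJDK hello and SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for the IBM one, which is exactly the pair of traces above; the version check is what matters for the OpenJDK case, since even a TLSv1.2 hello with that suite list would still have nothing in common with the one spec DB2 is configured for.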

Right, that's it for now :-) 




WebSphere Liberty Profile and JConsole

One of my team was asked about the option to use the Oracle Java Runtime Environment with WebSphere Liberty Profile, in the specific context of using the JConsole monitoring tool.

Most of the time, I tend to think about the IBM JRE, so my automatic answer ( pertaining to Health Centre ) wasn't an option.

IBM Operational Decision Manager - Enhancements Overview

Asus X205TA - MacBook Air feel, at a budget price

I was seeking a laptop for a family member, one who was struggling with an old and very slow Toshiba laptop running Windows 7.

He was looking for something with which he could surf, Gmail, Facebook etc. as well as play some simple Windows games - Solitaire, Sudoku, crossword puzzles etc.

The Asus X205TA looked to be a good combination of price, weight, performance and battery life.

It's only got 2 GB RAM, but that's all that's required for this particular set of requirements. The 32 GB flash drive is what helps with regard to performance, and the ability to simply close the lid to suspend Windows gives the laptop a tablet-like feel.

I was deeply impressed with Windows 8.1, only having had experience of Windows XP and Windows 7.

As a Mac user, the combination of the OS plus the size, performance and general nippiness means that this little Asus has a MacBook Air feel, at ~30% of the price.

With Windows 10 coming out next month, it'll be interesting to see whether there's any benefit in upgrading W8.1 to the latest release, or whether it's solving a problem that we just don't have.

We delivered the laptop to its new home yesterday ( Saturday ), and the response was excellent - think small child with a Christmas toy - and the feedback thus far is also great.

Time will tell with regard to the laptop ( I'm on standby for technical support ), but I cannot fault GoGoDigital's customer service, which was excellent.


DB2 and SSL/TLS - Client-side

Having blogged extensively about my experiences with DB2 and SSL/TLS, mainly in the context of Java and WebSphere Application Server: -


this post is more client-side than server-side.

Specifically, one of my colleagues, a DB2 guru called John, needs to set up SSL/TLS from a DB2 client to a DB2 server.

This is required to allow IBM Integration Bus (IIB) to communicate, via ODBC and then via the DB2 client, to a database hosted on a DB2 Advanced Enterprise Server.

John looked for, but couldn't locate, the IBM Global Security Toolkit (GSK) files on the IIB server upon which the DB2 client is installed.

This led him to me, and led me to IBM Passport Advantage, as per these fine links: -




Thanks to Passport Advantage, this is what I downloaded: -

IBM DB2 Support Files for SSL Functionality V10.5.0.5 for AIX English (CN4ZYEN)

which is a ~50 MB file: -

-rw-r-----@  1 davehay  staff    51M 10 Jun 18:20 DB2SPTF_SSLF_10.5.0.5_AIX.tar.gz

Tomorrow we install ...

WebSphere MQ Explorer v8 and the IBM Integration Bus 9 Explorer

Again, I'm experimenting with IBM Integration Bus 9, prior to building an IBM BPM <-> IIB <-> MQ <-> DB2 demonstration in the next week or so.

I'm using a Red Hat Enterprise Linux 6.6 VM, and this is a summary of the steps I followed: -

Prepare to install the SupportPac - IBM Integration Bus ODBC Database Extender (IE02)

mkdir /opt/ibm/IE02
mkdir /opt/ibm/IE02/2.0.1
chown -R wmbadmin:mqbrkrs /opt/ibm/IE02


Install IE02

/tmp/IIB/integrationbus_runtime1/IE02/install-ie02.bin 

Prepare to install the IIB Explorer

mkdir /opt/IBM/IBExplorer
chown -R wmbadmin:mqbrkrs /opt/IBM/IBExplorer/


Install IIB Explorer

/tmp/IIB/integrationbus_runtime1/IBExplorer/install.bin

Initialise MQ Explorer configuration

/usr/bin/strmqcfg -c -i

-c    -clean is passed to Eclipse. This causes Eclipse to delete any cached data used by the Eclipse runtime.
-i    -init is passed to Eclipse. This causes Eclipse to discard configuration information used by the Eclipse runtime.


Modify MQ Explorer configuration to allow it to "find" IIB Explorer

vi /opt/mqm/mqexplorer/eclipse/links/com.ibm.wmadmin.broker.explorer.link

Add: -

path=/opt/IBM/IBExplorer

UPDATE - thanks to this blog post for allowing me to do this: -

WMB Explorer is not opening with MQ Explorer issue

Start MQ Explorer

/usr/bin/strmqcfg

MQ Explorer: Using existing workspace: /var/mqm/IBM/WebSphereMQ/workspace/ (MQ 8.0)
com.ibm.wmqfte.product.root=/opt/mqm/mqft

However, things went a bit Pete Tong when I attempted to create the default IIB Integration Node configuration, at which point I saw: -

java: cairo-misc.c:380: _cairo_operator_bounded_by_source: Assertion `NOT_REACHED' failed.
JVMDUMP039I Processing dump event "abort", detail "" at 2015/06/10 20:23:49 - please wait.
JVMDUMP032I JVM requested System dump using '/usr/bin/core.20150610.202349.27976.0001.dmp' in response to an event
JVMDUMP030W Cannot write dump to file /usr/bin/core.20150610.202349.27976.0001.dmp: Permission denied
JVMPORT030W /proc/sys/kernel/core_pattern setting "|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e" specifies that the core dump is to be piped to an external program.  Attempting to rename either core or core.28290.

JVMDUMP010I System dump written to /tmp/core.20150610.202349.27976.0001.dmp
JVMDUMP030W Cannot write dump to file /usr/bin/javacore.20150610.202349.27976.0002.txt: Permission denied
JVMDUMP032I JVM requested Java dump using '/tmp/javacore.20150610.202349.27976.0002.txt' in response to an event
JVMDUMP010I Java dump written to /tmp/javacore.20150610.202349.27976.0002.txt
JVMDUMP032I JVM requested Snap dump using '/usr/bin/Snap.20150610.202349.27976.0003.trc' in response to an event
JVMDUMP030W Cannot write dump to file /usr/bin/Snap.20150610.202349.27976.0003.trc: Permission denied
JVMDUMP010I Snap dump written to /tmp/Snap.20150610.202349.27976.0003.trc
JVMDUMP030W Cannot write dump to file /usr/bin/jitdump.20150610.202349.27976.0004.dmp: Permission denied
JVMDUMP007I JVM Requesting JIT dump using '/tmp/jitdump.20150610.202349.27976.0004.dmp'
JVMDUMP010I JIT dump written to /tmp/jitdump.20150610.202349.27976.0004.dmp
JVMDUMP013I Processed dump event "abort", detail "".


Thankfully this IBM Technote came to the rescue: -


which ties up with my previous experiences with Eclipse crashes of this nature on Red Hat, and required me to amend /opt/mqm/bin/MQExplorer.ini.

vi /opt/mqm/bin/MQExplorer.ini

adding: -

-Dorg.eclipse.swt.internal.gtk.cairoGraphics=false

after the -vmargs line, giving me: -

-startup
../mqexplorer/eclipse/plugins/org.eclipse.equinox.launcher_1.3.0.v20130327-1440.jar
--launcher.library
../mqexplorer/eclipse/plugins/org.eclipse.equinox.launcher.gtk.linux.x86_64_1.1.200.v20130807-1835
-vm
/opt/mqm/java/jre64/jre/bin
-vmargs
-Dorg.eclipse.swt.internal.gtk.cairoGraphics=false
-Xmx512M


Now, I can start MQ Explorer ( /usr/bin/strmqcfg ) and was able to create the IIB Integration Node configuration, which is nice.
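
For anyone scripting that last step across several boxes, here is an added example ( mine, not code from the post or from IBM ) of making the MQExplorer.ini edit repeatable in Python: the Eclipse launcher treats every line after -vmargs as a JVM argument, so the cairo workaround has to land in that section, and the helper inserts it exactly once, leaves an existing copy alone, and creates a -vmargs section if the file has none. SAMPLE_INI is a constructed copy of the ini shown above minus the cairo line; patch_file is the same logic applied to a real path, keeping a .bak of the original.

```python
"""Insert a JVM option after the -vmargs line of an Eclipse .ini file, idempotently.

Added example, not from the original post. Eclipse launchers pass everything after
-vmargs to the JVM, so the cairo workaround must be placed in that section.
"""

CAIRO_WORKAROUND = "-Dorg.eclipse.swt.internal.gtk.cairoGraphics=false"

# Constructed copy of the MQExplorer.ini shown above, before the workaround is added.
SAMPLE_INI = """-startup
../mqexplorer/eclipse/plugins/org.eclipse.equinox.launcher_1.3.0.v20130327-1440.jar
--launcher.library
../mqexplorer/eclipse/plugins/org.eclipse.equinox.launcher.gtk.linux.x86_64_1.1.200.v20130807-1835
-vm
/opt/mqm/java/jre64/jre/bin
-vmargs
-Xmx512M
"""


def vmargs_section(ini_text):
    """The JVM arguments the launcher will pass, i.e. every line after -vmargs."""
    lines = ini_text.splitlines()
    if "-vmargs" not in lines:
        return []
    return lines[lines.index("-vmargs") + 1:]


def add_vmarg(ini_text, option=CAIRO_WORKAROUND):
    """Return ini_text with `option` placed right after -vmargs, inserted at most once."""
    if option in vmargs_section(ini_text):
        return ini_text                       # already in the JVM section: nothing to do
    lines = ini_text.splitlines()
    try:
        idx = lines.index("-vmargs")
    except ValueError:
        lines.append("-vmargs")               # no JVM section yet: create one at the end
        idx = len(lines) - 1
    lines.insert(idx + 1, option)             # directly after -vmargs, ahead of -Xmx etc.
    return "\n".join(lines) + "\n"


def patch_file(path, option=CAIRO_WORKAROUND):
    """Apply add_vmarg to a file on disk; returns True if the file was changed."""
    with open(path) as fh:
        original = fh.read()
    updated = add_vmarg(original, option)
    if updated != original:
        with open(path + ".bak", "w") as fh:
            fh.write(original)                # keep the untouched original alongside
        with open(path, "w") as fh:
            fh.write(updated)
    return updated != original


if __name__ == "__main__":
    print(add_vmarg(SAMPLE_INI))
```

Running it on the sample prints the ini exactly as shown above, with the cairo property immediately after -vmargs and ahead of -Xmx512M; running it again returns the text unchanged.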


