Channel: A Portal to a Portal

WASX7023E: Error creating "SOAP" connection to host "localhost" after enabling TLS 1.2

On the back of my earlier post: -


Having changed my WAS cell to support only TLS 1.2, I then realised that the wsadmin client would no longer work.

/opt/ibm/ODM/WebSphereProfiles/ODMCell1Dmgr01/bin/wsadmin.sh -lang jython -hostname `hostname`.uk.ibm.com -port 13503

WASX7023E: Error creating "SOAP" connection to host "localhost"; exception information: com.ibm.websphere.management.exception.ConnectorNotAvailableException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error parsing HTTP status line "": java.util.NoSuchElementException; targetException=java.lang.IllegalArgumentException: Error parsing HTTP status line "": java.util.NoSuchElementException]

WASX7213I: This scripting client is not connected to a server process; please refer to the log file /opt/ibm/ODM/WebSphereProfiles/ODMCell1Dmgr01/logs/wsadmin.traceout for additional information.

WASX8011W: AdminTask object is not available.

WASX7411W: Ignoring the following provided option: [-hostname, tcemowndw01.nbsnet.co.uk]

WASX7031I: For help, enter: "print Help.help()"

This time I knew where to look, and what to change.

Sure enough, I checked out: -

/opt/ibm/ODM/WebSphereProfiles/ODMCell1Dmgr01/properties/ssl.client.props

and found: - 

com.ibm.ssl.protocol=SSL_TLS

where I should've seen: -

com.ibm.ssl.protocol=TLSv1.2

Once I amended the file, all was well.
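A quick way to catch this mismatch before wsadmin fails, as an added example that is not from the original post: the script below parses a Java .properties file, reports the configured com.ibm.ssl.protocol, and rewrites it to TLSv1.2 when it still holds the negotiate-anything SSL_TLS default (which is what lets the client attempt a handshake the TLS 1.2-only server now rejects, leaving the SOAP connector with the empty status line seen above). The file excerpt is constructed from the lines quoted in this post, and the allow-list of acceptable values is an assumption to adapt to local policy.

```python
"""Check (and optionally fix) com.ibm.ssl.protocol in a WAS ssl.client.props file."""
import re

PROPERTY = "com.ibm.ssl.protocol"
# Values that pin the client to TLS 1.2 or later. SSL_TLS / SSL_TLSv2 are JSSE
# "negotiate anything" aliases. Assumption: adjust this allow-list to local policy.
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators,
    backslash line continuations. Enough for ssl.client.props."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_protocol(text):
    """Return (configured value, True if it pins TLS 1.2 or later)."""
    value = parse_properties(text).get(PROPERTY)
    return value, value in ACCEPTABLE


def set_protocol(text, new_value="TLSv1.2"):
    """Rewrite the protocol line in place, keeping every other line untouched;
    append the property if the file does not define it at all."""
    pattern = re.compile(r"^(\s*" + re.escape(PROPERTY) + r"\s*[=:]\s*).*$", re.M)
    if pattern.search(text):
        return pattern.sub(lambda m: m.group(1) + new_value, text)
    sep = "" if text.endswith("\n") or not text else "\n"
    return text + sep + PROPERTY + "=" + new_value + "\n"


# Constructed excerpt of the file described in the post (not the real file).
SAMPLE = """# SSL client properties
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.securityLevel=HIGH
"""

if __name__ == "__main__":
    value, ok = check_protocol(SAMPLE)
    print(PROPERTY, "=", value, "OK" if ok else "MISMATCH: cell accepts only TLS 1.2")
    if not ok:
        print(set_protocol(SAMPLE))
```

Run it against the real file with `python check_ssl_props.py` after replacing SAMPLE with `open(path).read()`; the rewrite leaves comments and unrelated properties byte-for-byte intact so the change shows up cleanly in a diff.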

I'm guessing, but haven't yet checked, that I could've simply overridden the property file with a command-line parameter such as -D com.ibm.ssl.protocol=TLSv1.2 

Something to check here: -




Mac OS X - Finder - Open in Terminal

I love the internet, I really really love the internet.

I have a requirement, I go to Google, I search for a solution, and I find ... a solution :-)

The context ....

I was looking for a script ( federateIHS.sh ) on a Red Hat VM, running within VMware Fusion.

The script wasn't on the VM, but was available within a folder on the host Mac.

I found the script using Spotlight ( via [CMD][Space] ) and was then trying to work out how to quickly get it from OS X to Linux.

I know I could open Terminal, navigate to the folder ( /Users/davehay/Documents/Docs.ISSW/WebSphere/MTA2015 ) and then send it to Linux ( scp federateIHS.sh wasadmin@bpmdemo:~ ).

How could I do it more simply ?

In Windows, I'd have leveraged the functionality built into the shell, and opened a command prompt ( aka the DOS box ).

So I went to Google and typed .... finder open command prompt here

and found this: -


This talked me through creating a Service within the Terminal application.

Once I followed this, I was able to do this: -


which is nice.

I'm now looking for an equivalent to New Terminal at File but that'll do for now :-)

IBM HTTP Server - Fun with Transport Layer Security

I've been experimenting with encryption in the context of IBM HTTP Server (IHS), specifically in terms of enforcing Transport Layer Security (TLS) 1.2 and a tight set of ciphers.

Firstly, I generated a self-signed certificate using the IBM Global Security Kit (GSKit) command-line tool, with a 2048-bit RSA key and SHA-256 with RSA (SHA256WithRSA) as the signature algorithm.

This is how I did it: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=wasdemo.uk.ibm.com,dc=uk,dc=ibm,dc=com" -label "wasdemo.uk.ibm.com" -default_cert yes -sigalg SHA256WithRSA  

Having done this, and validated it: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -details -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label "wasdemo.uk.ibm.com"

...
Key Size : 2048
Version : X509 V3

...
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 : 
    41 BB 35 E5 6B 21 01 01 4E B4 5E 4B FC 09 BE B5
    B2 FD 7B A2
Fingerprint : MD5 : 
    AC D8 C2 E0 2B E1 23 24 3A DF E8 4A 5E 74 CC CA
Fingerprint : SHA256 : 
    4D 6D A5 5F 72 6E 35 32 AC DA DE AD 65 E9 6A A1
    F8 3B AB A3 B3 08 DC 43 4D 15 4C 3E 78 23 F5 A6

...
Signature Algorithm : SHA256WithRSASignature (1.2.840.113549.1.1.11)
...

I then reconfigured the IHS configuration - httpd.conf - for TLS: -

...
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 8443
<VirtualHost *:8443>
SSLFIPSEnable
SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
SSLCipherSpec TLSv12 TLS_RSA_WITH_AES_256_CBC_SHA256
SSLEnable
</VirtualHost>
KeyFile /opt/ibm/HTTPServer/ssl/keystore.kdb
SSLCacheErrorLog /opt/ibm/HTTPServer/logs/sidd_log
SSLCachePortFilename /opt/ibm/HTTPServer/logs/siddport
ScriptSock logs/cgisock
SSLDisable

...

The pertinent lines (highlighted in the original) are the SSLProtocolEnable / SSLProtocolDisable pair, which leave only TLS 1.2 enabled, and the SSLCipherSpec line, which restricts TLS 1.2 to a single cipher - TLS_RSA_WITH_AES_256_CBC_SHA256.

I then validated the SSL/TLS configuration: -

 /opt/ibm/HTTPServer/bin/apachectl -DDUMP_SSL_CONFIG

SSL configuration:
Default server
Server name: wasdemo.nbsnet.co.uk:8080
SSL enabled: NO

SSL server defined at: /opt/ibm/HTTPServer/conf/httpd.conf:858
Server name: wasdemo.nbsnet.co.uk:8443
SSL enabled: YES
FIPS enabled: 1
Keyfile: /opt/ibm/HTTPServer/ssl/keystore.kdb
Protocols enabled: TLSv12
Ciphers for SSLV2: (protocol disabled)
Ciphers for SSLV3: (protocol disabled)
Ciphers for TLSv10: (protocol disabled)
Ciphers for TLSv11: (protocol disabled)
Ciphers for TLSv12: TLS_RSA_WITH_AES_256_CBC_SHA256(3D)

Syntax OK


which looked A-OK.

I then started IHS: -

/opt/ibm/HTTPServer/bin/apachectl -k start -f /opt/ibm/HTTPServer/conf/httpd.conf

I then monitored the error log: -

tail -f /opt/ibm/HTTPServer/logs/error_log 

[Mon Oct 05 13:55:36 2015] [notice] Using GSKit version 8.0.50.34
[Mon Oct 05 13:55:36 2015] [notice] WebSphere Plugins loaded.
[Mon Oct 05 13:55:36 2015] [notice] Bld version: 8.5.5
[Mon Oct 05 13:55:36 2015] [notice] Bld date: Oct 30 2014, 11:39:36
[Mon Oct 05 13:55:36 2015] [notice] Webserver: IBM_HTTP_Server
[Mon Oct 05 13:55:36 2015] [notice] Using config file /opt/ibm/HTTPServer/conf/httpd.conf 
[Mon Oct 05 13:55:36 2015] [notice] IBM_HTTP_Server/8.5.5.4 (Unix) configured -- resuming normal operations
[Mon Oct 05 13:55:36 2015] [notice] Core file limit is 0; core dumps will be not be written for server crashes

and tested IHS using a variety of browsers ( on my Mac, whilst IHS runs on Linux ): -


Interestingly, I got a variety of responses, none of them good: -

Firefox 41.0.1

An error occurred during a connection to wasdemo.uk.ibm.com:8443. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) 

Chrome 45.0.2454.101
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Opera 32.0

This webpage is not available

A secure connection cannot be established because this site uses an unsupported protocol.


Interestingly, Apple Safari had a completely different result: -

Safari Version 9.0 (10601.1.56.2)

It just worked :-)

I checked the IHS error log, and saw: -

[Mon Oct 05 13:58:41 2015] [warn] [client 192.168.1.77] [7fd9780028d0] [123070] SSL0222W: SSL Handshake Failed, No ciphers specified.  [192.168.1.77:51689 -> 192.168.1.80:8443] [13:58:41.000261206] 0ms
[Mon Oct 05 13:58:41 2015] [warn] [client 192.168.1.77] [7fd9800028d0] [123106] SSL0222W: SSL Handshake Failed, No ciphers specified.  [192.168.1.77:51690 -> 192.168.1.80:8443] [13:58:41.000268287] 0ms
[Mon Oct 05 13:58:41 2015] [warn] [client 192.168.1.77] [7fd97c0008c0] [123070] SSL0222W: SSL Handshake Failed, No ciphers specified.  [192.168.1.77:51691 -> 192.168.1.80:8443] [13:58:41.000611417] 0ms
[Mon Oct 05 13:58:41 2015] [warn] [client 192.168.1.77] [7fd9840008c0] [123106] SSL0222W: SSL Handshake Failed, No ciphers specified.  [192.168.1.77:51692 -> 192.168.1.80:8443] [13:58:41.000632584] 0ms
After some digging, consideration and further digging, I concluded that it's all my fault :-)

In essence, I've chosen a cipher that the three "failing" browsers do not support, and I've "told" IHS to only use that one cipher.

There were a few mitigations: -

(1) Amend httpd.conf and relax the need to only use that one cipher: -

SSLCipherSpec TLSv12 +TLS_RSA_WITH_AES_256_CBC_SHA256

( in other words, I added a single plus + character to the beginning of the cipher name; with the + prefix IHS adds the named cipher to its default TLSv12 list instead of replacing that list with it, which is why the validation below shows seven ciphers rather than one )

This is validated thusly: -

/opt/ibm/HTTPServer/bin/apachectl -DDUMP_SSL_CONFIG

SSL configuration:
Default server
Server name: wasdemo.nbsnet.co.uk:8080
SSL enabled: NO

SSL server defined at: /opt/ibm/HTTPServer/conf/httpd.conf:858
Server name: wasdemo.nbsnet.co.uk:8443
SSL enabled: YES
FIPS enabled: 1
Keyfile: /opt/ibm/HTTPServer/ssl/keystore.kdb
Protocols enabled: TLSv12
Ciphers for SSLV2: (protocol disabled)
Ciphers for SSLV3: (protocol disabled)
Ciphers for TLSv10: (protocol disabled)
Ciphers for TLSv11: (protocol disabled)
Ciphers for TLSv12: TLS_RSA_WITH_AES_128_GCM_SHA256(9C),TLS_RSA_WITH_AES_256_GCM_SHA384(9D),TLS_RSA_WITH_AES_128_CBC_SHA256(3C),TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A),TLS_RSA_WITH_AES_256_CBC_SHA256(3D)

Syntax OK


(2) Choose another cipher IF I wish to only offer one up: -

SSLCipherSpec TLSv12 TLS_RSA_WITH_AES_256_CBC_SHA

Note how similar that is to the one that I had previously chosen: -

Old / non-working: TLS_RSA_WITH_AES_256_CBC_SHA256
Working: TLS_RSA_WITH_AES_256_CBC_SHA

/opt/ibm/HTTPServer/bin/apachectl -DDUMP_SSL_CONFIG

SSL configuration:
Default server
Server name: wasdemo.nbsnet.co.uk:8080
SSL enabled: NO

SSL server defined at: /opt/ibm/HTTPServer/conf/httpd.conf:858
Server name: wasdemo.nbsnet.co.uk:8443
SSL enabled: YES
FIPS enabled: 1
Keyfile: /opt/ibm/HTTPServer/ssl/keystore.kdb
Protocols enabled: TLSv12
Ciphers for SSLV2: (protocol disabled)
Ciphers for SSLV3: (protocol disabled)
Ciphers for TLSv10: (protocol disabled)
Ciphers for TLSv11: (protocol disabled)
Ciphers for TLSv12: TLS_RSA_WITH_AES_256_CBC_SHA(35b)

Syntax OK


My conclusion is four-fold: -

(i) Obviously Firefox, Chrome and Opera don't support TLS_RSA_WITH_AES_256_CBC_SHA256 whereas TLS_RSA_WITH_AES_256_CBC_SHA is OK
(ii) Do I really need to only expose a single cipher ? What happens if a client pitches up who just can not support that ?
(iii) If not (ii), then the use of the + symbol allows the browser to negotiate an agreed cipher within a fairly limited range
(iv) Safari rocks :-)

Interestingly, there was obviously nothing wrong with TLS_RSA_WITH_AES_256_CBC_SHA256 as I was able to successfully validate the configuration: -

/opt/ibm/HTTPServer/bin/apachectl configtest 

Syntax OK
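To make the "no cipher overlap" failure reproducible without a browser, here is an added example (not part of the original post) that parses the "Ciphers for ..." lines of apachectl -DDUMP_SSL_CONFIG output, simulates the handshake's cipher selection against a client's offer, and flags policy problems in the enabled list. The two dump excerpts are copied from the output shown above; the client offer is constructed to match the shape of the three failing browsers (GCM and SHA-1 CBC suites present, the SHA-256 CBC suite absent) and is not a captured ClientHello; whether server order or client order wins is a parameter, since that depends on the server's configuration. One caveat the review output makes visible: the + form re-enables the whole default list, including SSL_RSA_WITH_3DES_EDE_CBC_SHA, and every suite in it uses static RSA key exchange, so none of them offers forward secrecy.

```python
"""Parse `apachectl -DDUMP_SSL_CONFIG` cipher lines and check overlap with a client's offer."""
import re


def parse_dump(dump):
    """Return {protocol: [IANA cipher names]} from the 'Ciphers for ...' lines.
    Disabled protocols map to an empty list; the trailing hex id, e.g. (3D), is dropped."""
    enabled = {}
    for m in re.finditer(r"^Ciphers for (\S+):\s*(.*)$", dump, re.M):
        proto, rest = m.group(1), m.group(2).strip()
        if rest.startswith("("):                      # "(protocol disabled)"
            enabled[proto] = []
            continue
        enabled[proto] = [re.sub(r"\(.*?\)$", "", c.strip())
                          for c in rest.split(",") if c.strip()]
    return enabled


def negotiate(server_ciphers, client_ciphers, server_preference=True):
    """First cipher both sides support, walked in the preferring side's order.
    None means the handshake fails: SSL0222W on IHS, ssl_error_no_cypher_overlap in Firefox."""
    first, second = ((server_ciphers, client_ciphers) if server_preference
                     else (client_ciphers, server_ciphers))
    other = set(second)
    for cipher in first:
        if cipher in other:
            return cipher
    return None


STATIC_RSA = re.compile(r"^(TLS|SSL)_RSA_WITH_")   # RSA key exchange, not ECDHE_RSA / DHE_RSA


def review(server_ciphers):
    """Policy findings for an enabled list (assumed policy: no 3DES, prefer forward secrecy)."""
    findings = []
    for cipher in server_ciphers:
        if "3DES" in cipher:
            findings.append(f"{cipher}: 64-bit block cipher (3DES)")
        if STATIC_RSA.match(cipher):
            findings.append(f"{cipher}: static RSA key exchange, no forward secrecy")
    return findings


# Dump excerpts copied from the apachectl output shown in this post.
STRICT_DUMP = """Ciphers for SSLV2: (protocol disabled)
Ciphers for SSLV3: (protocol disabled)
Ciphers for TLSv10: (protocol disabled)
Ciphers for TLSv11: (protocol disabled)
Ciphers for TLSv12: TLS_RSA_WITH_AES_256_CBC_SHA256(3D)
"""
RELAXED_DUMP = """Ciphers for TLSv12: TLS_RSA_WITH_AES_128_GCM_SHA256(9C),TLS_RSA_WITH_AES_256_GCM_SHA384(9D),TLS_RSA_WITH_AES_128_CBC_SHA256(3C),TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A),TLS_RSA_WITH_AES_256_CBC_SHA256(3D)
"""

# Constructed client offer with the shape of the three failing browsers: GCM and SHA-1 CBC
# suites present, TLS_RSA_WITH_AES_256_CBC_SHA256 absent. Not a captured ClientHello.
CLIENT_NO_SHA256_CBC = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for label, dump in (("strict", STRICT_DUMP), ("relaxed", RELAXED_DUMP)):
        ciphers = parse_dump(dump)["TLSv12"]
        print(label, "->", negotiate(ciphers, CLIENT_NO_SHA256_CBC) or "HANDSHAKE FAILS")
        for finding in review(ciphers):
            print("   ", finding)
```

Feed it the real output with `apachectl -DDUMP_SSL_CONFIG | python check_ciphers.py` after swapping the constants for `sys.stdin.read()`; the negotiate() result tells you in advance which of the two SSLCipherSpec variants a given client can reach.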

However, once I moved to a single AND supported/working cipher - TLS_RSA_WITH_AES_256_CBC_SHA - the browsers were all happy: -

Opera


Chrome

Firefox



Safari

So I couldn't find a way to get Safari to display a padlock for certain sites, including this one :-(

And Finally

For the record, I also validated the secure connection using openssl from the Red Hat CLI, as follows: -

openssl s_client -connect wasdemo.nbsnet.co.uk:8443

CONNECTED(00000003)
depth=0 DC = com, DC = ibm, DC = uk, CN = wasdemo.nbsnet.co.uk
verify error:num=18:self signed certificate
verify return:1
depth=0 DC = com, DC = ibm, DC = uk, CN = wasdemo.nbsnet.co.uk
verify return:1
---
Certificate chain
 0 s:/DC=com/DC=ibm/DC=uk/CN=wasdemo.nbsnet.co.uk
   i:/DC=com/DC=ibm/DC=uk/CN=wasdemo.nbsnet.co.uk
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/DC=com/DC=ibm/DC=uk/CN=wasdemo.nbsnet.co.uk
issuer=/DC=com/DC=ibm/DC=uk/CN=wasdemo.nbsnet.co.uk
---
No client certificate CA names sent
---
SSL handshake has read 1073 bytes and written 591 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit

Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: E3E101009910CB491F45C7B8645FBE55D98F6B0258585858AC87125600000042
    Session-ID-ctx: 
    Master-Key: DFB1AE0092F7EE2A0815C803E0BF80DC9520E9657B4670F8311DAF40B79170F5D91D4D8B4C389BE110CED221F090FB7E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1444054956
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---


*UPDATE 6 October 2015*

This section of the IBM Knowledge Center: -

SSL cipher specifications

was also extremely useful.

Java Development - Where are my HttpServlet and HttpServletRequest types ?

I saw a huge batch of exceptions, including: -

HttpServlet cannot be resolved to a type
HttpServletRequest cannot be resolved to a type
HttpServletRequest cannot be resolved to a type
HttpServletResponse cannot be resolved to a type
HttpServletResponse cannot be resolved to a type
ServletException cannot be resolved to a type
ServletException cannot be resolved to a type
The import javax.servlet cannot be resolved
The import javax.servlet cannot be resolved
The import javax.servlet cannot be resolved
The import javax.servlet cannot be resolved
The import javax.servlet cannot be resolved
WebServlet cannot be resolved to a type


when I attempted to compile a new Java servlet using Eclipse, either Luna or Mars.

In both cases, I had the requisite Java EE version of the IDE, and yet .....

This: -


amongst other things made me realise what I was missing.

Whilst I had the Eclipse IDE, I didn't have a target runtime :-)

I'd downloaded the latest Eclipse Mars from IBM Bluemix here: -


but I was missing a runtime ( this is on my Mac running OS X10.10.5 ).

I downloaded WebSphere Liberty Profile ( WAS Liberty with Java EE 7 Full Platform ) from here: -


and expanded it: -

unzip ~/Downloads/wlp-javaee7-8.5.5.7.zip 

Once I configured Eclipse to use Liberty and, more importantly, changed my JEE project to use Liberty as a Targeted Runtime: -


all the nasty errors went away :-)

Five reasons to be excited about IBM Operational Decision Manager v8.8

I saw this on Twitter: -


The ability to handle change within operational systems is a critical competency as businesses digitize their workflows, focus on their customer experience and reinvent their businesses.  IBM's Smarter Process portfolio has been at the forefront of helping our customers with this mission and today we're excited to share some new developments within our portfolio.  We've made our flagship, industry-leading decision management platform, IBM Operational Decision Manager – IBM ODM  – even better with the release of IBM ODM v8.8, announced on 6th October 2015.

Doh, WebSphere Application Server to DB2 via JDBC - Get the schema right, fool

I'm writing a tutorial for my team, taking them through the process of building a WebSphere Application Server (WAS) configuration, with IBM HTTP Server (IHS) and DB2.

For the WAS > DB2 piece, I've written the necessary Jython scripts to create a JDBC provider and data source, and deploy a sample Java EE web application.

However, during testing, I hit an interesting issue, evidenced by this exception: -

[07/10/15 19:41:21:224 BST] 0000008e SystemErr     R com.ibm.db2.jcc.am.SqlSyntaxErrorException: DB2 SQL Error: SQLCODE=-204, SQLSTATE=42704, SQLERRMC=DB2USER1.EMPLOYEE, DRIVER=4.19.26

in SystemErr.log.

Long story short, I'm connecting from WAS to DB2 using the user ID db2user1 which has DBADM permissions to the database, the SAMPLE database that one creates using the command db2sampl.

However, when I ran the initial db2sampl command, I took the path of least resistance, aka the default :-)

Therefore, I'd created the data ( tables etc. ) in the wrong schema - db2inst1 - whereas WAS is expecting to use the schema db2user1.

To prove this, I checked DB2: -

db2 connect to sample

   Database Connection Information

 Database server        = DB2/LINUXX8664 10.5.5
 SQL authorization ID   = DB2INST1
 Local database alias   = SAMPLE


db2 "select * from db2user1.employee"

SQL0204N  "DB2USER1.EMPLOYEE" is an undefined name.  SQLSTATE=42704

There are a number of solutions to this problem; I chose to drop and then recreate the SAMPLE database: -

drop database sample

db2sampl -schema db2user1

Now my query works: -

db2 "select * from db2user1.employee"

EMPNO  FIRSTNME     MIDINIT LASTNAME        WORKDEPT PHONENO HIREDATE   JOB      EDLEVEL SEX BIRTHDATE  SALARY      BONUS       COMM       
------ ------------ ------- --------------- -------- ------- ---------- -------- ------- --- ---------- ----------- ----------- -----------
000010 CHRISTINE    I       HAAS            A00      3978    01/01/1995 PRES          18 F   08/24/1963   152750.00     1000.00     4220.00
000020 MICHAEL      L       THOMPSON        B01      3476    10/10/2003 MANAGER       18 M   02/02/1978    94250.00      800.00     3300.00
000030 SALLY        A       KWAN            C01      4738    04/05/2005 MANAGER       20 F   05/11/1971    98250.00      800.00     3060.00
000050 JOHN         B       GEYER           E01      6789    08/17/1979 MANAGER       16 M   09/15/1955    80175.00      800.00     3214.00
000060 IRVING       F       STERN           D11      6423    09/14/2003 MANAGER       16 M   07/07/1975    72250.00      500.00     2580.00
000070 EVA          D       PULASKI         D21      7831    09/30/2005 MANAGER       16 F   05/26/2003    96170.00      700.00     2893.00
000090 EILEEN       W       HENDERSON       E11      5498    08/15/2000 MANAGER       16 F   05/15/1971    89750.00      600.00     2380.00
000100 THEODORE     Q       SPENSER         E21      0972    06/19/2000 MANAGER       14 M   12/18/1980    86150.00      500.00     2092.00
000110 VINCENZO     G       LUCCHESSI       A00      3490    05/16/1988 SALESREP      19 M   11/05/1959    66500.00      900.00     3720.00
000120 SEAN                 O'CONNELL       A00      2167    12/05/1993 CLERK         14 M   10/18/1972    49250.00      600.00     2340.00
000130 DELORES      M       QUINTANA        C01      4578    07/28/2001 ANALYST       16 F   09/15/1955    73800.00      500.00     1904.00
000140 HEATHER      A       NICHOLLS        C01      1793    12/15/2006 ANALYST       18 F   01/19/1976    68420.00      600.00     2274.00
000150 BRUCE                ADAMSON         D11      4510    02/12/2002 DESIGNER      16 M   05/17/1977    55280.00      500.00     2022.00
000160 ELIZABETH    R       PIANKA          D11      3782    10/11/2006 DESIGNER      17 F   04/12/1980    62250.00      400.00     1780.00
000170 MASATOSHI    J       YOSHIMURA       D11      2890    09/15/1999 DESIGNER      16 M   01/05/1981    44680.00      500.00     1974.00
000180 MARILYN      S       SCOUTTEN        D11      1682    07/07/2003 DESIGNER      17 F   02/21/1979    51340.00      500.00     1707.00
000190 JAMES        H       WALKER          D11      2986    07/26/2004 DESIGNER      16 M   06/25/1982    50450.00      400.00     1636.00
000200 DAVID                BROWN           D11      4501    03/03/2002 DESIGNER      16 M   05/29/1971    57740.00      600.00     2217.00
000210 WILLIAM      T       JONES           D11      0942    04/11/1998 DESIGNER      17 M   02/23/2003    68270.00      400.00     1462.00
000220 JENNIFER     K       LUTZ            D11      0672    08/29/1998 DESIGNER      18 F   03/19/1978    49840.00      600.00     2387.00
000230 JAMES        J       JEFFERSON       D21      2094    11/21/1996 CLERK         14 M   05/30/1980    42180.00      400.00     1774.00
000240 SALVATORE    M       MARINO          D21      3780    12/05/2004 CLERK         17 M   03/31/2002    48760.00      600.00     2301.00
000250 DANIEL       S       SMITH           D21      0961    10/30/1999 CLERK         15 M   11/12/1969    49180.00      400.00     1534.00
000260 SYBIL        P       JOHNSON         D21      8953    09/11/2005 CLERK         16 F   10/05/1976    47250.00      300.00     1380.00
000270 MARIA        L       PEREZ           D21      9001    09/30/2006 CLERK         15 F   05/26/2003    37380.00      500.00     2190.00
000280 ETHEL        R       SCHNEIDER       E11      8997    03/24/1997 OPERATOR      17 F   03/28/1976    36250.00      500.00     2100.00
000290 JOHN         R       PARKER          E11      4502    05/30/2006 OPERATOR      12 M   07/09/1985    35340.00      300.00     1227.00
000300 PHILIP       X       SMITH           E11      2095    06/19/2002 OPERATOR      14 M   10/27/1976    37750.00      400.00     1420.00
000310 MAUDE        F       SETRIGHT        E11      3332    09/12/1994 OPERATOR      12 F   04/21/1961    35900.00      300.00     1272.00
000320 RAMLAL       V       MEHTA           E21      9990    07/07/1995 FIELDREP      16 M   08/11/1962    39950.00      400.00     1596.00
000330 WING                 LEE             E21      2103    02/23/2006 FIELDREP      14 M   07/18/1971    45370.00      500.00     2030.00
000340 JASON        R       GOUNOT          E21      5698    05/05/1977 FIELDREP      16 M   05/17/1956    43840.00      500.00     1907.00
200010 DIAN         J       HEMMINGER       A00      3978    01/01/1995 SALESREP      18 F   08/14/1973    46500.00     1000.00     4220.00
200120 GREG                 ORLANDO         A00      2167    05/05/2002 CLERK         14 M   10/18/1972    39250.00      600.00     2340.00
200140 KIM          N       NATZ            C01      1793    12/15/2006 ANALYST       18 F   01/19/1976    68420.00      600.00     2274.00
200170 KIYOSHI              YAMAMOTO        D11      2890    09/15/2005 DESIGNER      16 M   01/05/1981    64680.00      500.00     1974.00
200220 REBA         K       JOHN            D11      0672    08/29/2005 DESIGNER      18 F   03/19/1978    69840.00      600.00     2387.00
200240 ROBERT       M       MONTEVERDE      D21      3780    12/05/2004 CLERK         17 M   03/31/1984    37760.00      600.00     2301.00
200280 EILEEN       R       SCHWARTZ        E11      8997    03/24/1997 OPERATOR      17 F   03/28/1966    46250.00      500.00     2100.00
200310 MICHELLE     F       SPRINGER        E11      3332    09/12/1994 OPERATOR      12 F   04/21/1961    35900.00      300.00     1272.00
200330 HELENA               WONG            E21      2103    02/23/2006 FIELDREP      14 F   07/18/1971    35370.00      500.00     2030.00
200340 ROY          R       ALONZO          E21      5698    07/05/1997 FIELDREP      16 M   05/17/1956    31840.00      500.00     1907.00

  42 record(s) selected.

I then saw: -

[07/10/15 20:11:05:359 BST] 0000009f SystemErr     R com.ibm.db2.jcc.am.SqlSyntaxErrorException: DB2 SQL Error: SQLCODE=-551, SQLSTATE=42501, SQLERRMC=DB2USER1;SELECT;DB2USER1.EMPLOYEE, DRIVER=4.19.26

which I again validated in DB2 as follows: -

db2 connect to sample user db2user1 using passw0rd

   Database Connection Information

 Database server        = DB2/LINUXX8664 10.5.5
 SQL authorization ID   = DB2USER1
 Local database alias   = SAMPLE


db2 "select * from db2user1.employee"

SQL0551N  The statement failed because the authorization ID does not have the 
required authorization or privilege to perform the operation.  Authorization 
ID: "DB2USER1".  Operation: "SELECT". Object: "DB2USER1.EMPLOYEE".  
SQLSTATE=42501


Of course, I'd rebuilt the DB but forgot to grant db2user1 access to it :-)

This was easily fixed: -

db2 connect to sample user db2inst1 using passw0rd
db2 grant dbadm on database to user db2user1

db2 terminate

and re-tested: -

db2 connect to sample user db2user1 using passw0rd
db2 "select * from db2user1.employee"

...
000210 WILLIAM      T       JONES           D11      0942    11/04/1998 DESIGNER      17 M   23/02/2003    68270.00      400.00     1462.00
000220 JENNIFER     K       LUTZ            D11      0672    29/08/1998 DESIGNER      18 F   19/03/1978    49840.00      600.00     2387.00
000230 JAMES        J       JEFFERSON       D21      2094    21/11/1996 CLERK         14 M   30/05/1980    42180.00      400.00     1774.00
000240 SALVATORE    M       MARINO          D21      3780    05/12/2004 CLERK         17 M   31/03/2002    48760.00      600.00     2301.00
000250 DANIEL       S       SMITH           D21      0961    30/10/1999 CLERK         15 M   12/11/1969    49180.00      400.00     1534.00
000260 SYBIL        P       JOHNSON         D21      8953    11/09/2005 CLERK         16 F   05/10/1976    47250.00      300.00     1380.00
000270 MARIA        L       PEREZ           D21      9001    30/09/2006 CLERK         15 F   26/05/2003    37380.00      500.00     2190.00
000280 ETHEL        R       SCHNEIDER       E11      8997    24/03/1997 OPERATOR      17 F   28/03/1976    36250.00      500.00     2100.00
000290 JOHN         R       PARKER          E11      4502    30/05/2006 OPERATOR      12 M   09/07/1985    35340.00      300.00     1227.00

...

and, more importantly, my Java code now works :-)

Which is nice :-)

WebSphere Application Server - Variables and Databases

I saw this ongoing issue today: -

[07/10/15 20:34:33:714 BST] 0000008f ConnectionFac E   J2CA0009E: An exception occurred while trying to instantiate the ManagedConnectionFactory class com.ibm.ws.rsadapter.spi.WSManagedConnectionFactoryImpl used by resource jdbc/Sample : java.lang.reflect.InvocationTargetException

[07/10/15 20:34:33:709 BST] 0000008f J2CUtilityCla E   J2CA0036E: An exception occurred while invoking method setDataSourceProperties on com.ibm.w
s.rsadapter.spi.WSManagedConnectionFactoryImpl used by resource jdbc/Sample : com.ibm.ws.exception.WsException: DSRA0023E: The DataSource implementation class "com.ibm.db2.jcc.DB2XADataSource" could not be found.

[07/10/15 20:34:33:723 BST] 0000008f SystemErr     R com.ibm.websphere.naming.CannotInstantiateObjectException: Exception occurred while the JNDI NamingManager was processing a javax.naming.Reference object. [Root exception is com.ibm.websphere.naming.CannotInstantiateObjectException: Exception occurred while the JNDI NamingManager was processing a javax.naming.Reference object. [Root exception is java.lang.reflect.InvocationTargetException]]

[07/10/15 20:34:33:728 BST] 0000008f SystemErr     R Caused by: com.ibm.websphere.naming.CannotInstantiateObjectException: Exception occurred while the JNDI NamingManager was processing a javax.naming.Reference object. [Root exception is java.lang.reflect.InvocationTargetException]

[07/10/15 20:34:33:734 BST] 0000008f SystemErr     R Caused by: com.ibm.ws.rsadapter.exceptions.DataStoreAdapterException: DSRA0023E: The DataSource implementation class "com.ibm.db2.jcc.DB2XADataSource" could not be found.

Caused by: java.lang.ClassNotFoundException: com.ibm.db2.jcc.DB2XADataSource

This came about because I was using a JDBC Provider and Data Source, both of which I'd created at the scope of the cell: -

Create JDBC Provider

cellID=AdminControl.getCell()

provider=AdminTask.createJDBCProvider('[-scope Cell='+cellID+' -databaseType DB2 -providerType "DB2 Using IBM JCC Driver" -implementationType "XA data source" -name "DB2 Using IBM JCC Driver (XA)" -description "Two-phase commit DB2 JCC provider that supports JDBC 4.0 using the IBM Data Server Driver for JDBC and SQLJ. IBM Data Server Driver is the next generation of the DB2 Universal JCC driver. Data sources created under this provider support the use of XA to perform 2-phase commit processing. Use of JDBC driver type 2 on WebSphere Application Server for Z/OS is not supported for data sources created under this provider. This provider is configurable in version 7.0 and later nodes." -classpath [${DB2_JCC_DRIVER_PATH}/db2jcc4.jar ${DB2_JCC_DRIVER_PATH}/db2jcc_license_cu.jar ] -nativePath [${DB2_JCC_DRIVER_PATH} ] ]')


Create JDBC Data Source

AdminTask.createDatasource(provider, '[-name Sample -jndiName jdbc/Sample -dataStoreHelperClassName com.ibm.websphere.rsadapter.DB2UniversalDataStoreHelper -containerManagedPersistence true -componentManagedAuthenticationAlias db2user1 -xaRecoveryAuthAlias -configureResourceProperties [[databaseName java.lang.String SAMPLE] [driverType java.lang.Integer 4] [serverName java.lang.String wasdemo.uk.ibm.com] [portNumber java.lang.Integer 60006]]]')

Whilst I was able to happily test the datasource: -

AdminControl.invoke('WebSphere:name=DataSourceCfgHelper,process=dmgr,platform=dynamicproxy,node=Dmgr,version=8.5.5.5,type=DataSourceCfgHelper,mbeanIdentifier=DataSourceCfgHelper,cell=WASCell,spec=1.0', 'testConnection', '[cells/WASCell|resources.xml#DataSource_1444136343751]', '[java.lang.String]')

my application failed with the above exceptions.

The solution ?

The application, running on the Application Server on the Node, is referencing a cell-scoped JDBC data source using a cell-scoped JDBC provider .... which has a WebSphere Variable - DB2_JCC_DRIVER_PATH - which is only available at the cell-level.

However, that wasn't the problem :-)

When I dug further, I *DID* have an identically named variable, scoped at the node-level: -


Can you see what I did wrong ?

Yes, I had a variable scoped at the node, which trumps the cell, which had a null value.

Once I fixed this: -

AdminConfig.modify('(cells/WASCell/nodes/AppSrv01Node|variables.xml#VariableSubstitutionEntry_1444248288880)', '[[symbolicName "DB2_JCC_DRIVER_PATH"] [description ""] [value "/opt/ibm/WebSphere/AppServer/jdbcdrivers/DB2/ "]]')

everything was lovely again :-)
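The scope rule that bit here is easy to reproduce in code. The following is an added example, not from the post or from WebSphere itself: it resolves a variable the way the runtime does (cell, then node, then server, with the most specific definition winning even when its value is empty), expands a JDBC provider classpath through that resolution, and reports any empty override that shadows a populated broader-scope value. The variable tables and the classpath entries are constructed from the values quoted in this post; only the three scopes the post involves are modelled.

```python
"""Resolve WebSphere variables by scope and flag empty overrides that shadow real values."""
import re

# Least to most specific; a definition at a later scope wins over an earlier one.
# Assumption: only the scopes this post involves are modelled.
SCOPE_ORDER = ["cell", "node", "server"]


def resolve(name, scopes):
    """scopes: {scope: {variable: value}}. Returns (value, scope) of the winning definition,
    or (None, None) if the variable is undefined at every scope.
    A null or empty value is still a definition and still wins over a broader scope."""
    winner = (None, None)
    for scope in SCOPE_ORDER:
        table = scopes.get(scope, {})
        if name in table:
            winner = (table[name] or "", scope)
    return winner


def expand(classpath, scopes):
    """Substitute ${VAR} in each classpath entry; undefined variables are left as written."""
    def sub(match):
        value, _ = resolve(match.group(1), scopes)
        return match.group(0) if value is None else value
    return [re.sub(r"\$\{([A-Za-z0-9_]+)\}", sub, entry) for entry in classpath]


def shadowed_empty(scopes):
    """Variables defined non-empty at a broader scope but overridden with an empty value at
    a narrower one: the misconfiguration behind the DSRA0023E / ClassNotFoundException above."""
    findings, seen = [], {}
    for scope in SCOPE_ORDER:
        for name, value in scopes.get(scope, {}).items():
            value = value or ""
            if value.strip() == "" and seen.get(name, "").strip() != "":
                findings.append((name, scope))
            seen[name] = value
    return findings


# Constructed from the provider definition and the fix shown in this post.
CLASSPATH = ["${DB2_JCC_DRIVER_PATH}/db2jcc4.jar", "${DB2_JCC_DRIVER_PATH}/db2jcc_license_cu.jar"]
DRIVER_PATH = "/opt/ibm/WebSphere/AppServer/jdbcdrivers/DB2"
BROKEN = {
    "cell": {"DB2_JCC_DRIVER_PATH": DRIVER_PATH},
    "node": {"DB2_JCC_DRIVER_PATH": ""},      # the empty node-scoped override
}
FIXED = {
    "cell": {"DB2_JCC_DRIVER_PATH": DRIVER_PATH},
    "node": {"DB2_JCC_DRIVER_PATH": DRIVER_PATH},
}

if __name__ == "__main__":
    for label, scopes in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, resolve("DB2_JCC_DRIVER_PATH", scopes), expand(CLASSPATH, scopes))
        for name, scope in shadowed_empty(scopes):
            print("   WARNING:", name, "is empty at", scope, "scope and hides the cell value")
```

The expanded classpath for the broken case is the tell: "/db2jcc4.jar" is exactly the path the node agent will fail to find, which is why the cell-scoped testConnection (run from the deployment manager) passed while the application on the node threw ClassNotFoundException.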

This was definitely of use: -

as was this: -

Integrate IBM MQ with your IBM Business Process Manager processes

Learn the various approaches to send and receive messages from a business process through IBM® MQ, communicating with back-end systems. Walk through examples with sample code to see the steps that are required to integrate IBM MQ V8.x with IBM Business Process Manager (BPM) V8.5.x. Gain an understanding of fundamental approaches to use IBM MQ to exchange data with other systems from IBM BPM processes.

Liberty and DevOps, continuous delivery and deployment environment

This IBM® Redbooks® publication will provide an example approach for an agile IT team to implement DevOps capabilities into their software delivery of a Java application. Several tools will be introduced, that show how teams can achieve transparency, traceability and automation in their application life cycle with all the stakeholders, to deliver a high quality application that meets its initial requirements. The application being built will highlight the composable and dynamic nature of the Liberty runtime which allows developers to quickly get their applications up and running using only the programming model features required for their applications.

Target audience is IT developers, IT managers, IT architects, Project managers, Test manager, Test developers, Operations managers, Operations developers.

Table of contents

Chapter 1. Introduction
Chapter 2. Project Planning using Rational Team Concert and Rational Quality Manager
Chapter 3. Code Development, Source code management and Build
Chapter 4. Continuous Test
Chapter 5. Deployment
Chapter 6. Production Environment
Chapter 7. Conclusion
Appendix A. Additional material

MQ - AMQ9637: Channel is lacking a certificate

I wrote this post a wee while back, and those nice developerWorks folks have kindly published it for me: -


...
In the context of configuring encrypted connections between WebSphere / IBM MQ and WebSphere Application Server, I'm currently building a scripted process to set up the infrastructure end-to-end, which I'm testing on a VM. For the record, I'm using IBM MQ 8.0.0.2 and WebSphere Application Server (WAS) 8.5.5.2.
...
At this point, I hit an issue. Instead of a happy message, I saw:

javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

More importantly, this is what I saw in the Queue Manager's log:

----- amqrmrsa.c : 930 --------------------------------------------------------
10/09/15 08:14:35 - Process(25255.10) User(mqm) Program(amqrmppa)
                    Host(bpm856.uk.ibm.com) Installation(Installation1)
                    VRMF(8.0.0.2) QMgr(TESTQM)
                   
AMQ9637: Channel is lacking a certificate.

EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is '????' (if '????' it is unknown at this stage in the SSL processing).

The remote host is '????'.

The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.

...

Want to know what happened ?

Then read me on developerWorks here: -

WebSphere Application Server and Liberty Security Update

This is what I'm reading right now, in the context of enabling Transport Layer Security (TLS) 1.2 within a WebSphere Application Server Network Deployment 8.5.5.7 infrastructure: -

WebSphere Application Server and Liberty Security Update [PDF]

which was authored and presented at Impact in 2013 by Bill O'Donnell, STSM – WebSphere Foundation Security Architect IBM – WebSphere Development.

Bill also actively manages this important site: -

WebSphere Application Server security

Maintain and strengthen the security of your WebSphere Application Server environment

which is definitely worth book-marking.

WebSphere Application Server - Tinkering with Property Files and a spot of SSL/TLS

This is in the context of my ongoing voyage of discovery with Transport Layer Security (TLS) 1.2 within a WebSphere Application Server (WAS) 8.5.5.7 cell.

It is, for this reason, that I was reading this: -


Specifically, having enabled TLS 1.2 as the default protocol for my cell: -

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd

cellID=AdminControl.getCell()

AdminTask.modifySSLConfig('[-alias CellDefaultSSLSettings -scopeName (cell):'+cellID+' -keyStoreName CellDefaultKeyStore -keyStoreScopeName (cell):'+cellID+' -trustStoreName CellDefaultTrustStore -trustStoreScopeName (cell):'+cellID+' -jsseProvider IBMJSSE2 -sslProtocol TLSv1.2 -clientAuthentication false -clientAuthenticationSupported false -securityLevel HIGH -enabledCiphers ]')

As soon as I save and synchronise the changes: -

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()


I see this exception: -

ADMS0206I: The configuration synchronization failed for node: AppSrv01Node.

in the Deployment Manager's SystemOut.log file, and this: -

[08/10/15 15:19:45:430 BST]     FFDC Exception:javax.net.ssl.SSLHandshakeException SourceId:com.ibm.ws.management.filetransfer.client.FileTransferClientImpl.download ProbeId:1575 Reporter:com.ibm.ws.management.filetransfer.client.FileTransferClientImpl@a36b36a1
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

...

Caused by: java.io.EOFException: SSL peer shut down incorrectly

in the Node Agent's FFDC log.

"Talking" this through with the wider WebSphere team, it was pointed out that, by default, I have Dynamic SSL Configuration enabled: -

which means that, as soon as I committed the change, the Deployment Manager immediately started using AND enforcing TLS 1.2, whereas the Node Agent(s) continued using SSL/TLS.

I could see this by comparing/contrasting the cell and node-level security.xml files: -

diff AppSrv01/config/cells/WASCell/security.xml Dmgr01/config/cells/WASCell/security.xml

108c108
<     <setting xmi:id="SecureSocketLayer_1" clientAuthentication="false" securityLevel="HIGH" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="SSL_TLS" keyStore="KeyStore_1" trustStore="KeyStore_2" trustManager="TrustManager_2" keyManager="KeyManager_1"/>
---
>     <setting xmi:id="SecureSocketLayer_1" clientAuthentication="false" securityLevel="HIGH" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="TLSv1.2" keyStore="KeyStore_1" trustStore="KeyStore_2" trustManager="TrustManager_2" keyManager="KeyManager_1"/>

where the first is from the node and the second is from the DM.

Bill's presentation ( see the earlier link ) explicitly warns about this, on page 56: -

WARNING: BE SURE TO DISABLE dynamic SSL Prior to turning on strict mode. The Dmgr and Nodes will be in an incompatible mode. The Dmgr will likely switch to TLSv1.2 before the nodes do, they will likely still be at SSL_TLS, and the nodes and dmgr will no longer be able to communicate. We STRONGLY RECOMMEND that you stop all the nodes except the Dmgr. Do the conversion on the console, restart the Dmgr, manually sync the nodes, then start the node agents and servers.

To start with, I experimented by disabling Dynamic SSL Configuration.

Whilst I knew that I could manually modify security.xml I was looking for a programmatic / scripted way of achieving this.

This is what I did: -

configProperties=AdminConfig.list('Cell')
AdminTask.extractConfigProperties(configProperties, '[-propertiesFileName /tmp/davehay.properties -filterMechanism SELECTED_SUBTYPES -selectedSubTypes [Security ] ]')


The resulting file - /tmp/davehay.properties - includes the line: -

dynamicallyUpdateSSLConfig=true #boolean,default(false)

Therefore, I created a pair of property files: -

dynamic_off.properties

# SubSection 1.0 # Security Section
#
ResourceType=Security
ImplementingResourceType=Security
ResourceId=Cell=!{cellName}:Security=ID#Security_1
#

#
#Properties
#
dynamicallyUpdateSSLConfig=false #boolean,default(false)


dynamic_on.properties

# SubSection 1.0 # Security Section
#
ResourceType=Security
ImplementingResourceType=Security
ResourceId=Cell=!{cellName}:Security=ID#Security_1
#

#
#Properties
#
dynamicallyUpdateSSLConfig=true #boolean,default(false)


which allowed me to turn off Dynamic Security Configuration: -

AdminTask.validateConfigProperties('-propertiesFileName /tmp/dynamic_off.properties')
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()

which returns 'true'

and then turn it back on again: -

AdminTask.validateConfigProperties('-propertiesFileName /tmp/dynamic_on.properties')
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()


which again returns 'true' :-)

However, I realised that I was going against the recommendation from Bill i.e. to ONLY have the Deployment Manager running, make the SSL_TLS > TLSv1.2 change and then manually synchronise the node(s).

This is what I did, in summary: -

------------------------------------------------------------------------------------

(a) Fully synchronise the cell

(b) Stop the Node Agent

(c) Modify the SSL configuration: -

AdminTask.modifySSLConfig('[-alias CellDefaultSSLSettings -scopeName (cell):WASCell -keyStoreName CellDefaultKeyStore -keyStoreScopeName (cell):WASCell -trustStoreName CellDefaultTrustStore -trustStoreScopeName (cell):WASCell -jsseProvider IBMJSSE2 -sslProtocol TLSv1.2 -clientAuthentication false -clientAuthenticationSupported false -securityLevel HIGH -enabledCiphers ]')

(d) Update the Node's ssl.client.props file to reflect the fact that we're now using TLS v1.2 rather than SSL_TLS

vi /opt/ibm/WebSphere/AppServer/profiles/AppSrv01/properties/ssl.client.props

changing from: -

com.ibm.ssl.protocol=SSL_TLS

to: -

com.ibm.ssl.protocol=TLSv1.2

(e) Synchronise the Node with the cell: -

 /opt/ibm/WebSphere/AppServer/profiles/AppSrv01/bin/syncNode.sh `hostname` -user wasadmin -password passw0rd

(f) Validate that DM and Node have consistent SSL/TLS settings: -

diff /opt/ibm/WebSphere/AppServer/profiles/Dmgr01/config/cells/WASCell/security.xml /opt/ibm/WebSphere/AppServer/profiles/AppSrv01/config/cells/WASCell/security.xml

(g) Start the node

(h) Validate that I can see the node from the DM

(i) Mix a Margherita     

------------------------------------------------------------------------------------
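As an added check, not part of the original post and not a WAS-supplied tool, the following Python script detects the SSL_TLS versus TLSv1.2 drift between the Deployment Manager and a node that the security.xml diff above shows, and applies the step (d) rewrite of ssl.client.props. It assumes cut-down, constructed stand-ins for the cell security.xml and ssl.client.props files (only the elements and properties the post discusses), so it runs offline against the real file contents if you read them in.

```python
"""Constructed check for the Dmgr/node sslProtocol drift described above: parses
stand-ins for the cell security.xml (Dmgr and node copies) and the node's
ssl.client.props, reports where the node still says SSL_TLS, and applies step (d).
"""
import re
import xml.etree.ElementTree as ET

XMI_NS = "http://www.omg.org/XMI"

# Constructed, cut-down security.xml: just the repertoire/setting element
# carrying the sslProtocol attribute seen in the diff above.
SECURITY_XML_TEMPLATE = """<security:Security xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1">
  <repertoire xmi:id="SSLConfig_1" alias="CellDefaultSSLSettings" type="JSSE">
    <setting xmi:id="SecureSocketLayer_1" clientAuthentication="false"
        securityLevel="HIGH" enabledCiphers="" jsseProvider="IBMJSSE2"
        sslProtocol="{proto}" keyStore="KeyStore_1" trustStore="KeyStore_2"/>
  </repertoire>
</security:Security>
"""
DMGR_SECURITY_XML = SECURITY_XML_TEMPLATE.format(proto="TLSv1.2")
NODE_SECURITY_XML = SECURITY_XML_TEMPLATE.format(proto="SSL_TLS")

# Constructed fragment of the node's ssl.client.props before step (d).
NODE_SSL_CLIENT_PROPS = """# constructed sample, not a real profile file
com.ibm.ssl.defaultAlias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.securityLevel=HIGH
"""

def ssl_protocols(xml_text):
    """Return {repertoire alias: sslProtocol} for each SSL setting in security.xml."""
    found = {}
    for rep in ET.fromstring(xml_text).iter("repertoire"):
        for setting in rep.iter("setting"):
            proto = setting.get("sslProtocol")
            if proto is not None:
                found[rep.get("alias", setting.get("{%s}id" % XMI_NS))] = proto
    return found

def client_protocol(props_text):
    """Return com.ibm.ssl.protocol from ssl.client.props, or None if absent."""
    for line in props_text.splitlines():
        m = re.match(r"\s*com\.ibm\.ssl\.protocol\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return None

def find_mismatches(dmgr_xml, node_xml, node_props):
    """List every place where the node disagrees with the Dmgr's sslProtocol."""
    dmgr, node = ssl_protocols(dmgr_xml), ssl_protocols(node_xml)
    findings = []
    for alias, proto in dmgr.items():
        if node.get(alias) != proto:
            findings.append("security.xml %s: dmgr=%s node=%s"
                            % (alias, proto, node.get(alias)))
    cell_default = dmgr.get("CellDefaultSSLSettings")
    client = client_protocol(node_props)
    if cell_default and client != cell_default:
        findings.append("ssl.client.props: com.ibm.ssl.protocol=%s, cell default is %s"
                        % (client, cell_default))
    return findings

def set_client_protocol(props_text, protocol):
    """Rewrite com.ibm.ssl.protocol in ssl.client.props (step (d)), keeping other lines."""
    out, replaced = [], False
    for line in props_text.splitlines():
        if re.match(r"\s*com\.ibm\.ssl\.protocol\s*=", line):
            out.append("com.ibm.ssl.protocol=" + protocol)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append("com.ibm.ssl.protocol=" + protocol)
    return "\n".join(out) + "\n"
```

Running find_mismatches before step (e) reports both the security.xml and the ssl.client.props drift; after syncNode.sh and the rewrite it reports nothing, which is the check step (f) does by eye with diff.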

So, what did I learn ?

Firstly, read Bill's document from cover to cover.
Secondly, remember Dynamic SSL Configuration.
Thirdly, I now know how to work with WAS property files in Jython.
Fourthly, I like Margheritas.

Fascinating - Internet Explorer and the Lack of Transport Layer Security

I've just spent a happy 10 minutes trying to work out why Internet Explorer 8 wouldn't load a secure web page from WebSphere Application Server, specifically the Integrated Solutions Console (ISC).

This is what I saw from IE: -


whereas Firefox was more than happy to render the page: -


Then I thought back to something a colleague had said earlier in the week ....

I'm using TLS 1.2 as my default encryption in WAS ( see an earlier blog post - WebSphere Application Server - Tinkering with Property Files and a spot of SSL/TLS ) and, therefore, WAS is expecting any client, including a browser, to support TLS 1.2.

Firefox confirms the encryption : -


Thinking back to what my colleague had said, I checked IE's settings: -


and, guess what ....


For the record, I am experimenting with the replacement of WAS' own CA-managed certificates ( yes, WAS can/does act as a Certificate Authority for certificates used inside the cell ) with those generated by Active Directory.

I'll write this up more fully in the future, but one of the net effects is that Internet Explorer, running in the same AD domain, now trusts the WAS HTTPS-secured pages, because they share the same CA signer.

Which is nice ....

*UPDATE*

For the record, WAS was trying to tell me what was going wrong, with: -

...
[15/10/15 15:22:39:130 BST] 000000d4 SSLHandshakeE E   SSLC0008E: Unable to initialize SSL connection.  Unauthorized access was denied or security settings have expired.  Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
...
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
...
[15/10/15 15:24:51:003 BST] 000000d5 SSLHandshakeE E   SSLC0008E: Unable to initialize SSL connection.  Unauthorized access was denied or security settings have expired.  Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol SSLv3 not enabled or not supported
...
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol SSLv3 not enabled or not supported
...

if only I'd looked in SystemOut.log :-)


IBM Business Process Manager operation overview, Part 3: Advanced operations


IBM Business Process Manager operation overview, Part 3: Advanced operations

Part 3 of this series introduces advanced operations tasks that administrators for IBM® Business Process Manager (IBM BPM) complete in their daily operation work. The maintenance of a clustered server environment for IBM BPM that interacts with many back-end and front-end systems and services can be a challenging task. This final part in the series guides administrators through advanced operations such as troubleshooting, performance tuning, disaster recovery, and high availability - including an operation checklist.



IBM HTTP Server - Working with Default Certificates issued by a Certificate Authority

I'm working through a process to have IBM HTTP Server (IHS) and WebSphere Application Server (WAS) use certificates minted by a Certificate Authority, specifically Microsoft Windows Server 2008, rather than using so-called self-signed certificates.

In the past, the bulk of my experience has been using self-signed certificates in IHS, although I did do some work with a client ~4-5 years ago where we were using CA-signed certificates.

Equally, I've only ever had WAS act as a certificate signer, which has been the default for ages. In this regard, WAS is the signer, and takes care of issuing and replacing certificates throughout the cell.

However, on my current project, we have a requirement to use CA-signed certificates throughout the estate.

Therefore, whilst I've made some great progress with WAS using Windows CA-signed certificates ( about which I'll blog later ), I did hit a roadblock with IHS.

I started by creating a Certificate Signing Request (CSR) as follows: -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label wasdemo.uk.ibm.com -dn cn=wasdemo.uk.ibm.com -file /home/wasadmin/wasdemo.uk.ibm.com.arm -size 2048 -sigalg SHA256WithRSA

and sent the resulting wasdemo.uk.ibm.com.arm file to my Windows Server box.

Once I'd created the certificate, I got back a file from the CA in the PKCS7 format - certnew.p7b.

Initially, I imported this file into IHS' key store, and I was able to list it: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
-wasdemo.uk.ibm.com


which was fine.

I then set the certificate to be the default: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -setdefault -label wasdemo.uk.ibm.com -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

However, when I attempted to validate that the certificate was default, I still saw this: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
-wasdemo.uk.ibm.com


and, worse still, this was what I saw when I queried the default certificate within the key store: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -getdefault -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

CTGSK3029W The database does not contain a certificate with label "GSKCAPICMD_TXT_DEFAULT" 

-Command usage-
-db                   Required
-pw | -stashed        Optional
-type                 Optional <cms | kdb | pkcs12 | p12>

 
Long story short, it was a PEBCAK.

I was doing it wrong ....

This was what I should've done ....

Take it from the top ....

Create the Keystore

/opt/ibm/HTTPServer/bin/gskcapicmd -keydb -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -type cms -expire 3650 -stash

Create the CSR

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label wasdemo.uk.ibm.com -dn cn=wasdemo.uk.ibm.com -file /home/wasadmin/wasdemo.uk.ibm.com.arm -size 2048 -sigalg SHA256WithRSA

List the Certificates - of which there should be none

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

No certificates were found.

Add the root certificate ( obtained from the Windows box )

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -add -file certnew.cer -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

List the Certificates - should now show the root certificate

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
!CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com

Note the symbol ( ! ) to show that the root certificate is trusted

Receive the Personal Certificate for IHS

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -receive -file certnew.p7b -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

List the Certificates - should now show both certificates

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
!CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
-wasdemo.uk.ibm.com


Note the symbol ( - ) to show that the certificate is personal
Also note that the personal certificate is NOT shown as default - it has no asterisk ( * ) symbol next to it

Set the personal certificate to be default

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -setdefault -label wasdemo.uk.ibm.com -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

List the Certificates - should now show trusted root and default personal certificate

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
!CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
*-wasdemo.uk.ibm.com


Validate the Default Certificate

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -getdefault -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

Label : wasdemo.uk.ibm.com
Key Size : 2048
Version : X509 V3
Serial : 125e65d100000000001d
Issuer : CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
Subject : CN=wasdemo.uk.ibm.com
Not Before : 17 October 2015 19:32:02 GMT+01:00
Not After : 16 October 2017 19:32:02 GMT+01:00
Fingerprint : 
b6c9614bd8f7c6747040b9d5450d143d
a028d430
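An added helper, not from the original post and not part of IBM's GSKit tooling, that parses the `gskcapicmd -cert -list` output shown above (legend line, then one label per line prefixed with the flag characters) and reports whether the store has a trusted signer and exactly one default personal certificate, the state reached at the end of the walkthrough. The listings it is fed are constructed to match the ones above.

```python
"""Constructed checker for `gskcapicmd -cert -list` output as shown above.

Each certificate line starts with zero or more flag characters from the legend
(* default, - personal, ! trusted, # secret key) followed by the label.
"""
FLAGS = {"*": "default", "-": "personal", "!": "trusted", "#": "secret"}

# Constructed listings matching the post: after -receive (no default yet),
# after -setdefault, and the empty store.
LISTING_NO_DEFAULT = """Certificates found
* default, - personal, ! trusted, # secret key
!CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
-wasdemo.uk.ibm.com
"""
LISTING_WITH_DEFAULT = """Certificates found
* default, - personal, ! trusted, # secret key
!CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
*-wasdemo.uk.ibm.com
"""
LISTING_EMPTY = "No certificates were found.\n"

def parse_cert_list(listing):
    """Return [(label, set_of_flag_names)] from a -cert -list listing."""
    entries = []
    for line in listing.splitlines():
        # Skip the header, the legend line and the empty-store message.
        if (not line.strip()
                or line.startswith("Certificates found")
                or line.startswith("No certificates")
                or line.startswith("* default,")):
            continue
        flags, i = set(), 0
        while i < len(line) and line[i] in FLAGS:
            flags.add(FLAGS[line[i]])
            i += 1
        entries.append((line[i:].strip(), flags))
    return entries

def keystore_problems(listing):
    """List what stops the store from serving a CA-issued server certificate."""
    entries = parse_cert_list(listing)
    trusted = [label for label, f in entries if "trusted" in f]
    personal = [label for label, f in entries if "personal" in f]
    defaults = [label for label, f in entries if "default" in f]
    problems = []
    if not trusted:
        problems.append("no trusted signer (CA root) certificate")
    if not personal:
        problems.append("no personal certificate (CSR not yet received?)")
    if len(defaults) != 1:
        problems.append("expected exactly one default certificate, found %d"
                        % len(defaults))
    elif defaults[0] not in personal:
        problems.append("default certificate %r is not a personal certificate"
                        % defaults[0])
    return problems
```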


Now when I start IHS and access it via Internet Explorer from the Windows server itself: -



it all works and, more importantly, the browser trusts IHS and doesn't show any exceptions re untrusted certificates.

Which is nice ...


Hmmm, Process Portal Not Playing Nicely - IBM BPM Advanced 8.5.5.0

Problem

Hitting Process Portal, either via IHS ( on port 8443 ) or directly ( on port 9443 / 9446 ) results in a garbled page, with most of the artefacts down the left-hand side of the page.
Problem only seen when one explicitly logs into Process Portal

Browser ( IE or Firefox ) makes no difference.

Direct - via AppClusterMember1

https://bpm855.uk.ibm.com:9443/ProcessPortal/jsp/index.jsp

Direct - via AppClusterMember2

https://bpm855.uk.ibm.com:9446/ProcessPortal/jsp/index.jsp

IHS

https://bpm855.uk.ibm.com:8443/ProcessPortal/jsp/index.jsp

Exceptions seen in AppClusterMemberX SystemOut.log

...
[19/10/15 10:13:37:834 BST] 000001c9 JMSClassifica W   XJMS0021E: Unable to map destination and bus to workclass. Aborting the xd classification filter for the current request. Request context information is com.ibm.ws.xd.jms.proxy.impl.AsynchJMSServiceContextImpl@b7558001<bus=BPM.PSCell1De1.Bus,destination=PortalWebMessagingTopicSpace.AppCluster>.
...
[19/10/15 10:18:27:625 BST]     FFDC Exception:java.io.IOException SourceId:com.ibm.ws.webcontainer.channel.WCCByteBufferInputStream
ProbeId:102 Reporter:com.ibm.ws.webcontainer.channel.WCCByteBufferInputStream@af8277d8
java.io.IOException: Async IO operation failed (1), reason: RC: 76  Socket is not connected
        at com.ibm.io.async.AsyncLibrary$IOExceptionCache.<init>(AsyncLibrary.java:924)
        at com.ibm.io.async.AsyncLibrary$IOExceptionCache.get(AsyncLibrary.java:937)

...
[19/10/15 11:43:34:983 BST] 0000014a JSONTransport W org.cometd.server.transport.LongPollingTransport handleJSONParseException Error
parsing JSON:
                                 java.lang.RuntimeException: java.io.IOException: Async IO operation failed (3), reason: RC: 76  Socket is not connected
        at org.eclipse.jetty.util.ajax.JSON$ReaderSource.getNext(JSON.java:1519)
        at org.eclipse.jetty.util.ajax.JSON$ReaderSource.hasNext(JSON.java:1486)
        at org.eclipse.jetty.util.ajax.JSON.parse(JSON.java:789)
        at org.cometd.common.JettyJSONContext.parse(JettyJSONContext.java:57)
        at org.cometd.server.AbstractServerTransport.parseMessages(AbstractServerTransport.java:154)
        at org.cometd.server.transport.JSONTransport.parseMessages(JSONTransport.java:72)
        at org.cometd.server.transport.LongPollingTransport.handle(LongPollingTransport.java:192)
        at org.cometd.server.CometdServlet.service(CometdServlet.java:166)
        at com.ibm.bpm.socialbus.servlet.SocialBusServiceServlet.service(SocialBusServiceServlet.java:183)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1230)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:779)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
        at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:136)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:97)
        at com.ibm.bpm.servlet.filters.GenericSecurityServletFilter.doFilter(GenericSecurityServletFilter.java:84)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:964)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1104)
        at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3901)
        at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
        at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:981)
        at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1662)
        at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:200)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530)

...

Potential Indication of Root Cause - java.io.IOException: Async IO operation failed (1), reason: RC: 76  Socket is not connected

Feels like client-server issue, perhaps problem at IP stack

Definitely red herring - known "problem" covered in multiple Technotes

[19/10/15 11:17:04:847 BST] 00000141 JMSClassifica W   XJMS0021E: Unable to map destination and bus to workclass. Aborting the xd classification filter for the current
request. Request context information is

com.ibm.ws.xd.jms.proxy.impl.AsynchJMSServiceContextImpl@fe11fe03<bus=BPM.PSCell1De1.Bus,destination=PortalWebMessagingTopicSpace.AppCluster>.

A XJMS0021E error occurs in the SystemOut.log file for IBM Business Process Manager (BPM) Version 8.5

XJMS0021E destination and bus workclass problem is logged to WAS systemOUT

Further Analysis

Used Firefox Debugger ( [Fn] [F12] )

Solution

Force Business Space to reload its out-of-the-box templates, spaces and themes

Edit: -

/opt/ibm/WebSphereProfiles/PSCell1AppSrv01/BusinessSpace/AppCluster/mm.runtime.prof/public/oobLoadedStatus.properties

and change from: -

#Mon Oct 19 14:08:27 BST 2015
importTemplates.txt=false
importSpaces.txt=false
importThemes.txt=false


to: -

#Mon Oct 19 14:08:27 BST 2015
importTemplates.txt=true
importSpaces.txt=true
importThemes.txt=true


and restart AppCluster

( File is then reset back to false setting once cluster has been restarted - once templates, spaces etc. have been reset to their OOB defaults )

Problem does *NOT* appear to recur, including java.io.IOException exception

Re-tested Process Portal ( both direct and via IHS )

Direct - via AppClusterMember1

https://bpm855.uk.ibm.com:9443/ProcessPortal/jsp/index.jsp

Direct - via AppClusterMember2

https://bpm855.uk.ibm.com:9446/ProcessPortal/jsp/index.jsp

IHS

https://bpm855.uk.ibm.com:8443/ProcessPortal/jsp/index.jsp

Also tested Business Space

Direct - via AppClusterMember1

https://bpm855.uk.ibm.com:9443/mum/enabler

Direct - via AppClusterMember2

https://bpm855.uk.ibm.com:9446/mum/enabler

IHS

https://bpm855.uk.ibm.com:8443/mum/enabler

IBM UrbanCode Deploy - Increase security when impersonating other users

I found this via IBM developerWorks on Twitter: -


Save time with the User Impersonation feature in IBM UrbanCode Deploy

Use IBM UrbanCode Deploy's User Impersonation feature to facilitate deployment of more complex applications where specific features are managed under dedicated users and specific deployment steps need to be executed as these users.


IBM WOMBAT - Project Artifact Analyzer for IBM BPM and IBM Business Monitor

Learning Jython - Every Day is a School Day


IBM Operational Decision Manager 8.7.1 Fixpack 1
