Quantcast
Channel: A Portal to a Portal
Viewing all 1851 articles
Browse latest View live

Thycotic - Good insight into SSL/TLS

March 28, 2016, 10:48 am
Search

Oops, my WAS upgrade broke my TLS

March 30, 2016, 11:11 am
$
0
0
I saw this earlier today: -

[30/03/16 11:35:53:371 BST] 00000001 ORBRas        E com.ibm.ws.orbimpl.transport.WSTransport createServerSocket P=152627:O=0:CT ORBX0390E: Cannot create listener thread. Exception=[ org.omg.CORBA.INTERNAL: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_SERVER_SOCKET, Exception=java.lang.IllegalArgumentException: Cannot support SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 with currently installed providers vmcid: 0x49421000  minor code: 77  completed: No - received while attempting to open server socket on port 9403 ].

[30/03/16 11:35:53:397 BST] 00000001 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/ibm/WebSphereProfiles/ODMCell1Dmgr01/logs/ffdc/dmgr_498f4d6b_16.03.30_11.35.53.3748582431257869454898.txt com.ibm.ws.orbimpl.transport.WSTransport.startListening 805

[30/03/16 11:35:53:419 BST] 00000001 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/ibm/WebSphereProfiles/ODMCell1Dmgr01/logs/ffdc/dmgr_498f4d6b_16.03.30_11.35.53.3975558083781694628181.txt com.ibm.ws.orbimpl.transport.WSTransport.createListener 724

[30/03/16 11:35:53:420 BST] 00000001 WsServerImpl  E   WSVR0009E: Error occurred during startup com.ibm.ws.exception.RuntimeError: org.omg.CORBA.INTERNAL: CREATE_LISTENER_FAILED_4  vmcid: 0x49421000  minor code: 56  completed: No

whilst starting a WAS ND Deployment Manager.

Coincidentally (!) this happened RIGHT after I'd upgraded from WAS 8.5.5.4 to 8.5.5.8.

A quick Google search led me here: -


which said, in part: -

The problem can be related to unrestricted policy file due to SDK upgrade. Please download/install unrestricted policy files, the steps can be found at: http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-dist&topic=tsecegs (Under "Complete the following steps to download and install the new policy files:").

at which point I metaphorically slapped my forehead and said "Doh!".

I fired up my trusty CipherTest Java class: -

java -cp /mnt/Utilities/ CipherTest

which reported: -

FAILED: Max AES key length too small! (128).

I ran my script to update the Java policies to use the unrestricted world-wide ciphers: -

#!/bin/bash
cd /opt/ibm/WebSphere/AppServer/java/jre/lib/security
mv local_policy.jar local_policy.raj
mv US_export_policy.jar US_export_policy.raj
/opt/ibm/WebSphere/AppServer/java/bin/jar xvf /mnt/Java/unrestrictedpolicyfiles.zip
chmod a+rwx *.jar

and re-ran the CipherTest: -

java -cp /mnt/Utilities/ CipherTest

PASSED: Max AES key length OK! - >= 256 (2147483647).

Sorted :-) And "Doh!" And "SLAP!"

My Cognos has fallen and can't get up

April 5, 2016, 5:21 am
$
0
0
Purely FYI, in case you hit this problem, someone (!) managed to break my IBM Business Monitor 8.5.5 installation over the weekend, most likely when the underlying AIX LPARs were shut down and moved from one physical box to another.

I saw a bunch of nasty exceptions in the Cognos instance pogo logs: -

 2016-04-05 09:21:54.467 FATAL [.authorization.AuthorizationAdapterFactory] Thread-95: Unable to initialize the Access Control Module
com.ibm.cognos.internal.camaaa.accesscontrol.AccessControlException: AAA-ACM-0011 Failed to create http client due to CAMCryptoExce
ption
 
Caused by: com.ibm.cognos.camaaa.internal.common.exception.LocalizableException: AAA-CFG-0016 CAM Crypto initialization failed. Plea
se verify the cryptographic configuration settings

Caused by: CAM-CRP-1280 An error occurred while trying to decrypt using the system protection key. Reason: javax.crypto.BadPaddingEx
ception: Given final block not properly padded 

which threw me somewhat.

Rather than panicking, I read a bunch of Technotes and PMRs, and then decided to simply blow away the Cognos configuration that's stored on each of the WAS app nodes ( under the WAS profiles directory ).

I restarted the cluster, one JVM at a time ( TWICE to allow the configuration to be properly rebuilt ) and all now appears well.

I did have to go back into each of the two JVMs and manually update cogstartup.xml to reflect the correct DB2 listener port ( we've moved to TLS connections between WAS and DB2 for everything apart from Cognos ), and again restart the cluster members.

But all now appears well :-)

If I had to bet, I'd guess that there's something unique in the Cognos configuration, in terms of encryption keys ( see above messages ), perhaps where the key is based upon something unique to the underlying hardware platform ( I remember reading about how AIX and AES ciphers work ).

Therefore, the configuration had the OLD keys for the OLD hardware, whereas we've moved the LPARs to NEW hardware.

Book Review - The Purpose of Change is Problem Solving

April 6, 2016, 1:13 pm
$
0
0
This is the latest in my series of relatively infrequent book reviews for the British Computer Society: -

I chose this book mainly based upon the title, to which I related as an
inveterate solver of problems.

Whilst the book is absolutely about problem solving, it wasn't quite
what I expected. In this book, the author, Janos Korn, digs deeply into
the use of language, including semantics, natural language and
structure.

Thus I found the book to be of somewhat limited relevance to my
day-to-day work as an engineer, IT consultant, problem solver etc.

By this, I don't mean to imply that the book isn't likely to be of use
to many others, I found the language, repeated and multiple references
and, most importantly, the format to be of limited interest.

With specific regard to formatting, I'd have preferred the book to make
more use of indentation and punctuation, as it was hard to separate the
paragraphs from the examples.

So, in summary, whilst this is obviously an extremely well-written and
deeply researched publication, I found it to be a somewhat arduous and
less-than-relevant read.

Given that I obviously failed to understand the purpose and target
audience of this book, I cannot find major fault with the publication
itself, but, in terms of relevance to me, the reader, I'd give it 6/10.

For the record, I was kindly provided this book by BCS, at no cost to myself.

IBM Business Monitor - CWMAX4203E: RESTSecurityAdminMBean instance was not found

April 8, 2016, 5:14 am
$
0
0
I saw this error earlier: -

CWMAX4203E: RESTSecurityAdminMBean instance was not found.

whilst checking my Monitor models, in IBM Business Monitor 8.5.5, after making some SSL/TLS related changes between WebSphere Application Server (WAS) and DB2.

I saw this when I navigated to Applications> Monitor Models.

This caused me to briefly panic.

Thankfully, I found that someone had seen a similar issue, documented in a Problem Management Report (PMR).

For context, in order to make my configuration changes, I needed to have the Deployment Manager running, in order to import two new SSL signer certificates and also select two new, specific, TLS ciphers.

Therefore, I was changing the Deployment Manager configuration, before manually synchronising the node agents.

This meant that, briefly, the DM tried and failed to connect to DB2.

I suspect that this was root cause - from reading the PMR, I believe that a WAS component, LifecycleServicesStartup, starts RESTSecurityAdminMBean during the server startup.

Long story short, I restarted the Deployment Manager, and the problem went away.

I did double-check that: -

(a) I could access my list of Monitor models
(b) click into any specific Model, and see a nice set of green ticks

(c) generate a set of updated Cognos cubes for the Model


which is nice

IBM WebSphere Plugin - GSK_ERROR_BAD_CERT and GSK_INVALID_HANDLE after an upgrade

April 11, 2016, 10:25 pm
$
0
0
During a recent transition from SHA1 to SHA2 signature algorithms *AND* an upgrade from WebSphere Application Server (WAS) 8.5.5.4 to 8.5.5.8, we hit an interesting challenge yesterday.

We're using IBM HTTP Server (IHS) and the WebSphere Plugin on one AIX LPAR, fronting IBM Integration Bus (IIB) on another LPAR.

We've got a set of IIB flows, all of which are being offered up via IHS through the WebSphere Plugin configuration.

Once the 8.5.5.8 upgrade ( including IHS and Plugin ) was completed, we started seeing GSK_ERROR_BAD_CERT and GSK_INVALID_HANDLE errors in the Plugin error log, relating to the downstream IIB HTTP listeners: -

We're still debugging this BUT it looks like the 8.5.5.8 introduced a security validation check, as per this: -


( Actually, this was introduced in 8.5.5.7 )

We appear to have a "problem" with one of our signer certificates, in terms of a mismatch against standards, and the Plugin is now picking up on this.

( Remember the Plugin is the client to IIB, so this is all about that connection, rather than the connection TO IHS )

Thankfully, we do have a mitigation; by setting the Config parameter AutoSecurity="false" in the Plugin configuration file, the security checking is disabled (!), meaning that we can now client from Plugin to IIB.

Now we need to go and revisit our signer certificates ….. but at least we can continue to test ( this is a NON-PRODUCTION environment )

WebSphere Application Server - Managing the Service Integration Bus using Python

April 13, 2016, 10:55 am
$
0
0
A friend asked me: -

Hi Dave -- do you know the AdminConfig.getid(type:scope) to get a SIBus engine? 
not sure what type and scope need to be passed in 

It took me a wee while, but I shared this: -

for bus in AdminTask.listSIBuses().splitlines():
 name=AdminConfig.showAttribute(bus, "name")
 print AdminConfig.getid("/SIBus:"+ name)                                                                         

which results in: -

BPM.PCCellDe1.Bus(cells/PCCell1/buses/BPM.PCCellDe1.Bus|sib-bus.xml#SIBus_1460402518228)

which is nice.

MacBook Pro and USB - Interesting Quirkiness

April 13, 2016, 12:35 pm
$
0
0
I'm using a MacBook Pro: -


I've seen this a few times: -

034378.680514 SSP4@14700000: AppleUSB30XHCIPort::resetAndCreateDevice: failed to create device after (1) tries, disabling port
034414.624087 SSP4@14700000: AppleUSB30XHCIPort::resetAndCreateDevice: failed to create device after (1) tries, disabling port
034416.245827 SSP4@14700000: AppleUSB30XHCIPort::resetAndCreateDevice: failed to create device after (1) tries, disabling port
037923.490801 SSP1@14500000: AppleUSB30XHCIPort::resetAndCreateDevice: failed to create device after (1) tries, disabling port
037961.216945 SSP2@14600000: AppleUSB30XHCIPort::resetAndCreateDevice: failed to create device after (1) tries, disabling port
038140.039979 SSP2@14600000: AppleUSB30XHCIPort::resetAndCreateDevice: failed to create device after (1) tries, disabling port

when I insert a USB 2.0 or USB 3.0 hard drive.

I only started looking in the system log ( sudo dmesg ) when the USB drives failed to materialise in Finder or Disk Utility.

Previously I'd "solved" this by rebooting, which is a pain.

For the record, I also saw the same on a Mac Mini


This time around, I had a quick Google and found this: -


which said, in part: -

All Macs with USB3 ports are UASP capable and UAS in enabled by default. Since Mountain Lion 10.8 Apple has included kernel extensions (kext) for UAS. In System>Library>Extensions>IOUSBAttachedSCSI.kext (Apple wouldn't include the kext if Macs didn't support UASP)
So yes, Macs do, by default, I might add, use UASP when a UASP enabled device is attached using a USB3 cable. If a UAS device is not detected, then Macs revert to BOT. This has been true since at least the rMBP released in 2012. (Which is what I'm using right now)
...
On occasion, UAS will not be used due to USB hubs, USB2 devices being inserted into the ports (shared bus) and when the USB3 port gets stuck in BOT protocol. Always best to attach a USB3 UAS device first into the USB 3 port. If the Mac gets stuck on USB2 or BOT, removing all devices and a reboot normally clears it.

Taking this into account, I tested by plugging the USB drive into a USB 3.0 hub: -


This time around the drive just worked ….

… which is nice

Weird but nice :-)
Search

WebSphere User Group, IBM South Bank, Monday 25 April 2016

April 15, 2016, 5:27 am
$
0
0
We are pleased to confirm that the next meeting of the WebSphere User Group (UK) will take place on Monday 25th April 2016, to be held in the IBM Client Centre at IBM South Bank, London. There will be no charge for this meeting and as usual we aim to have an excellent agenda lined up, covering a range of current and emerging WebSphere technologies.

Provisional Agenda


For the most recent agenda, logistics and registration, please visit the WUG website here.

Hope to see you there - I'll be speaking about DevOps and BPM, which is nice.

WebSphere Application Server - Converting Internal CA Certificates from one Signature Algorithm to Another

April 22, 2016, 11:33 pm
$
0
0
I have a need to switch my internal WAS cell-default certificates ( root, default etc. ) from one Signature Algorithm ( SHA1 ) to another ( SHA256 )

We have an app ^H^H^H tool for that.

Here's my journey: -

Start WSAdmin

/opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd

Convert Certificates to SHA256withRSA

AdminTask.convertCertForSecurityStandard('[-fipsLevel SP800-131 -signatureAlgorithm SHA256withRSA -keySize 2048 ]')

Save and Sync

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()

Quit

quit

PS Next time one starts WSAdmin, updated certificates are retrieved back to "local" trust store

/opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd

*** SSL SIGNER EXCHANGE PROMPT ***
SSL signer from target host 127.0.0.1 is not found in trust store /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/etc/trust.p12.

Here is the signer information (verify the digest value matches what is displayed at the server): 

Subject DN:    CN=bpm857.uk.ibm.com, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Issuer DN:     CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Serial number: 23501208165426
Expires:       Thu Apr 20 05:51:34 BST 2017
SHA-1 Digest:  AA:C8:35:CC:B3:46:2E:CE:E5:05:01:A7:5B:55:3A:DF:3C:06:44:A0
MD5 Digest:    76:CA:9D:33:0B:41:EA:03:F9:7E:A6:C6:02:65:D7:4D

Subject DN:    CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Issuer DN:     CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Serial number: 23500614165097
Expires:       Thu Apr 17 05:51:33 BST 2031
SHA-1 Digest:  AA:C8:35:CC:B3:46:2E:CE:E5:05:01:A7:5B:55:3A:DF:3C:06:44:A0
MD5 Digest:    76:CA:9D:33:0B:41:EA:03:F9:7E:A6:C6:02:65:D7:4D

Add signer to the trust store now? (y/n) y

Validate DM Profile Personal Certificate

/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/key.p12 -pw WebAS

Certificates in database /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/key.p12:
   default

/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -details -db /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/key.p12 -pw WebAS -label default

...
Label: default
Key Size: 2048
...
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
...

Validate DM Profile Root Certificate

/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/trust.p12 -pw WebAS

Certificates in database /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/trust.p12:
   root

/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -details -db /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/trust.p12 -pw WebAS -label root

...
Label: root
Key Size: 2048
...
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
...

Manually synchronise Node - this may be optional but felt "belt n' braces"

/opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/bin/syncNode.sh `hostname` 10003

...
*** SSL SIGNER EXCHANGE PROMPT ***
SSL signer from target host 127.0.0.1 is not found in trust store /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/etc/trust.p12.

Here is the signer information (verify the digest value matches what is displayed at the server): 

Subject DN:    CN=bpm857.uk.ibm.com, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Issuer DN:     CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Serial number: 35849612167890
Expires:       Sat Apr 22 07:14:50 BST 2017
SHA-1 Digest:  94:26:35:50:26:01:43:84:9B:68:63:C8:48:1B:E6:CF:87:E6:85:18
MD5 Digest:    7A:E0:99:2B:CB:65:E7:09:63:00:E9:63:00:9B:84:E8

Subject DN:    CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Issuer DN:     CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Serial number: 35848947653836
Expires:       Sat Apr 19 07:14:49 BST 2031
SHA-1 Digest:  94:26:35:50:26:01:43:84:9B:68:63:C8:48:1B:E6:CF:87:E6:85:18
MD5 Digest:    7A:E0:99:2B:CB:65:E7:09:63:00:E9:63:00:9B:84:E8

Add signer to the trust store now? (y/n) y
...

Validate Node Profile Personal Certificate

/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/key.p12 -pw WebAS

Certificates in database /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/key.p12:
   default

/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -details -db /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/key.p12 -pw WebAS -label default

...
Label: default
Key Size: 2048
...
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
...

Validate Node Profile Root Certificate

/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/trust.p12 -pw WebAS

Certificates in database /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/trust.p12:
   root

/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -details -db /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/trust.p12 -pw WebAS -label root

...
Label: root
Key Size: 2048
...
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
...

Additional Validation using OpenSSL

echo "" | openssl s_client -connect bpm857.uk.ibm.com:10001 -prexit 2>/dev/null | openssl x509 -noout -text | grep Signature

...
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
...

So that's all good then.

IBM Training Site - Looking Delicious

May 2, 2016, 10:50 am

IBM BPM 8.5.7 - What's Not To Learn ?

May 6, 2016, 10:17 am

IBM Integration Bus v10 Self-Enablement

May 7, 2016, 6:37 am
$
0
0
I found this whilst searching for something completely different ….


Some IBM® Integration Bus V10 betaworks labs have been updated or are new for IIB 10.0.0.4. The latest list of labs can be found on the Resources > Integration Bus > Self-study labs page. Each lab comprises instruction guides as PDF files, and is usually accompanied by an archive file (.zip file) that you can use to complete the lab activities. These self study labs provide the opportunity to develop your skills in IBM Integration Bus.

Obtaining the WebSphere MQ classes for JMS

May 7, 2016, 7:45 am
$
0
0
This pertains to my current project - debugging a SSL/TLS connection issue between WebSphere Application Server 8.5.5.8 and WebSphere MQ 8.0.0.4 …

How do I obtain just the WebSphere MQ classes for JMS JAR files? I want these JAR files to be used with the MQ Light Service in Bluemix, or to be deployed into a software management tool, or to be used with standalone client applications in my company.


Once I've debugged the problem - com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE') - I'll write up the problem, solution and PD process.

Good practice – Use the rolling upgrade option when you update IBM BPM

May 12, 2016, 2:56 am
$
0
0
This came up in a Sametime chat earlier today …

In the context of an IBM BPM 8.5.6 Cumulative Fix update, which do we upgrade / patch first - Process Center or connected Process Server(s) ?

I thought - and was correct - that we should always start with the Process Servers before patching the Process Center.

My Polish colleague who has a mother who bakes exceedingly good cakes,  M, confirmed this: -


If you install IBM® Business Process Manager (BPM) fix packs V7.5.1.2, V8.0.1.2, V8.5.0.1, or upgrade to V8.5.5 or V8.5.6 from V8.5.0.1 or V8.5.5, you can use the rolling upgrade option. By using the rolling upgrade approach, you can incrementally upgrade one process server at a time, starting with test, then staging, and finishing with production. The final step is to upgrade your IBM Process Center and desktop tools.

It's worth also remembering that, very often, when one applies a major update ( Cumulative Fix, Fix Pack or Upgrade ) to Process Center, then the Process Designer tool MAY also be updated ( the release notes for the fix pack / upgrade will confirm this ).

Therefore, there's a good likelihood that your developers will need to download new copies of Process Designer, from Process Center once it's back up-and-running, and then reinstall PD on their desktops.

If you've only got one Process Center and lots of developers, this may well be an issue.

On a previous project, we mitigated this by patching our Sandpit environment to EXACTLY the same level as the Development environment, up-front, thus proving the patching strategy / approach. We then downloaded the updated Process Designer, tested that it connected to the Sandpit, and then shared the PD .ZIP file with our 60+ developers, many of whom were off-shore, via a different channel ( a secure file-share ).

That way, the developers could install the new copy of PD ( into an alternate directory ), wait until the Development environment was patched and back on-line, and then test new PD to "new" PC.

Once they were happy, they could uninstall the old PD ….

For the record, this also validated the approach: -


You can roll out maintenance incrementally in an IBM® Business Process Manager installation that consists of a Process Center and multiple Process Servers, allowing for the continued running of production applications during the upgrade and regression test period....
To perform a rolling upgrade, upgrade first the Process Servers and then the IBM Process Center and tools.
Note: A rolling upgrade can be performed only when applying fix packs, refresh packs, or interim fixes. It cannot be used for migration between major releases.

Search

IBM BPM Advanced 8.5.7 - CWLLG1356E: At attempt failed to get the current user context

May 12, 2016, 12:22 pm
$
0
0
We saw this exception today: -

CWLLG1356E: At attempt failed to get the current user context. com.lombardisoftware.client.delegate.BusinessDelegateException: ObjectId password for authorization validation is null

after an automated ( via UrbanCode Deploy ) build of IBM BPM Advanced 8.5.7 ( specifically a Process Center ).

This happened when we hit the Process Center login page ( https://bpmpc.uk.ibm.com/ProcessCenter ), whilst already logged in ( to the Deployment Manager ) as wasadmin.

I jumped to a conclusion …. which was the RIGHT conclusion … and wondered whether the automation process had "forgotten" to bootstrap the Process Server database ( BPMDB ).

Once I did this … manually: -

<snip>
Bootstrap AppCluster DB - as wasadmin

/opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/bin/bootstrapProcessServerData.sh -clusterName AppCluster

Bootstraping data into cluster AppCluster and logging into /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/logs/bootstrapProcesServerData.AppCluster.log

WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
'BootstrapProcessServerData admin command completed successfully.....'
</snip>

Job's a good 'un.

IBM WebSphere Application Server for Distributed Platforms, Version 8.5 - Scripting various types of applications

May 13, 2016, 6:50 am
$
0
0
Found this whilst looking for Something Completely Different (TM) 


Example of the ToC

<snip>
Chapter 1. Scripting for data access resources
Configuring data access with wsadmin scripting
Configuring a JDBC provider using wsadmin
Configuring new data sources using wsadmin
Configuring new connection pools using wsadmin
Changing connection pool settings with the wsadmin tool
Configuring new data source custom properties using wsadmin
Configuring new Java 2 Connector authentication data entries using wsadmin
Configuring new WAS40 data sources using wsadmin scripting
Configuring new WAS40 connection pools using wsadmin scripting
Configuring custom properties for a Version 4.0 data source using wsadmin scripting
Configuring new J2C resource adapters using wsadmin scripting
Configuring custom properties for J2C resource adapters using wsadmin
Configuring new J2C connection factories using wsadmin scripting
Configuring new J2C activation specifications using wsadmin scripting
Configuring new J2C administrative objects using wsadmin scripting
Managing the message endpoint lifecycle using wsadmin scripting
Testing data source connections using wsadmin scripting
JDBCProviderManagement command group for AdminTask object
</snip>

Book Review - Swift Essentials Second Edition by Dr Alex Blewitt

May 24, 2016, 10:30 pm
$
0
0
This is the latest in my series of relatively infrequent book reviews for the British Computer Society: -

Swift Essentials Second Edition by Dr Alex Blewitt

https://www.packtpub.com/application-development/swift-essentials-second-edition

As a non-developer, I was broadly aware of Apple's announcement of Swift at their World-Wide Developers Conference (WWDC) in 2014, and had picked up enough to know that Swift was being actively promoted as an alternative to Objective C for iOS and OS X application development.

However, in late 2015, when Apple announced that they were also contributing Swift to the open-source community, which had the added benefit of enabling Swift to be used on the Linux platform, alongside the Apple OS ecosystem, my interest was truly piqued.

Finally, in early 2016, I was hooked in by the announcement of the IBM Swift Sandbox, allowing one to tinker with the language via a web browser, without necessarily needing to install the Apple Xcode development environment on Mac OS X.

Pulling this all together, I was keen to read more about Swift, so the opportunity to read and review this book, Swift Essentials, Second Edition, was a boon.

The author, Dr Alex Blewitt, has written what is, to me, the perfect mixture of a textbook and a tutorial, providing a complete introduction to the language, even for those of us with little previous experience in the Apple development ecosystem.

The book is aimed at those intending to use Swift, either via the open-source Linux implementation or Apple's own Xcode IDE, and assumes no prior experience with iOS or OS X development. However, it does assume that the reader has some prior application development knowledge, most logically with C/C++ or Java.

Having briefly introduced the language, Dr Blewitt fairly quickly launches into an explanation of how Swift data types - integers, floating point, strings, variables and collections. He then uses this as a foundation upon which he builds up the basic structure of a programming language - loops, iterations, functions and error handling.

From there, progress is swiftly made through the command-line interpreters, application compilation and the Swift playground, the latter being a graphical prototyping environment, before launching into "proper" iOS and watchOS app development.

Dr Blewitt does accurately compare and contrast the open-source Linux and Apple XCode approaches to Swift development, making it clear that one does need Xcode in order to develop apps for iOS and watchOS development, whereas one can use the open-source version of the language to create applications for other OS platforms, including Linux and Windows.

To be realistic, I'm unlikely to be entering the world of mobile application development any time soon, but, if I did have such a requirement, this book would be essential as a go-to reference.

At around 250 pages, the book should serve as a perfect introduction to the language, whilst also acting as a good source of information for those wishing to dig deeper into Swift.

In summary, I found this book to be extremely useful as both a tutorial and a reference, and I would recommend it to anyone seeking to acquire more experience with Swift.

As a keen reader, I rate this book 9/10

For the record, I was kindly provided this book by BCS, at no cost to myself.

DB2 on Windows - SQL1042C An unexpected system error occurred

May 30, 2016, 9:45 am
$
0
0
I see this on Windows: -


When I tried to start DB2: -

db2start

I saw this: -

ADM12026W  The DB2 server has detected that a valid license for the product "DB2 Express Edition" has not been registered.
DB2 : The service has returned a service-specific error code.

SQL1022C  There is not enough memory available to process the command.  SQLSTATE=57011

I checked, and, yep, I have no license :-(

db2licm -l

Product name:                     "DB2 Express Edition"
License type:                     "License not registered"
Expiry date:                      "License not registered"
Product identifier:               "db2exp"
Version information:              "10.5"
Max number of Value Units:        "200"
Max amount of memory (GB):        "64"

Thankfully I had a license key downloaded: -

-rw-r--r--@  1 davidhay  staff  3056932 30 May 16:58 DB2_Exp_Ed_PVU_QS_Activation_V10.5.zip

which I unzipped to find: -

30/05/2013  03:14    <DIR>          .
30/05/2013  03:14    <DIR>          ..
30/05/2013  03:14               903 db2exp_c.lic
30/05/2013  03:14               905 sam32.lic
30/05/2013  03:14    <DIR>          UNIX
30/05/2013  03:14    <DIR>          Windows
               2 File(s)          3,474 bytes
               4 Dir(s)  209,877,737,472 bytes free

db2licm -a db2exp_c.lic

LIC1402I  License added successfully.

LIC1426I  This product is now licensed for use as outlined in your License Agreement.  USE OF THE PRODUCT CONSTITUTES ACCEPTANCE OF THE TERMS OF THE IBM LICENSE AGREEMENT, LOCATED IN THE FOLLOWING DIRECTORY: "C:\IBM\SQLLIB\license\en"

db2licm -l

Product name:                     "DB2 Express Edition"
License type:                     "CPU Option"
Expiry date:                      "Permanent"
Product identifier:               "db2exp"
Version information:              "10.5"
Max number of Value Units:        "200"
Max amount of memory (GB):        "64"
Enforcement policy:               "Soft Stop"

That solved the license problem ….

The SQL1042C problem was slightly more difficult - I suspect it was due to the fact that I'd switched my Windows 2008 R2 VM from a standalone server to an Active Directory domain controller and/or changed the hostname ….

Still, the license trick worked ….

IBM HTTP Server, Global Security Toolkit and CTGSK3039W

May 31, 2016, 1:26 pm
$
0
0
I have written about this before: -



but I continue to learn.

This time around, I'm trying to create a Certificate Request using a different Signature Algorithm, SHA256WithECDSA, as follows: -

/opt/IBM/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label bpm856.uk.ibm.com -dn cn=bpm856.uk.ibm.com,dc=uk,dc=ibm,dc=com -file /home/wasadmin/bpm856.uk.ibm.com_ihs.req -size 2048 -sigalg SHA256WithECDSA -san_dnsname bpm856.uk.ibm.com

but I see this: -

CTGSK3039W Certificate request "bpm856.uk.ibm.com" could not be created.

I added a trace string to my command: -

/opt/IBM/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label bpm856.uk.ibm.com -dn cn=bpm856.uk.ibm.com,dc=uk,dc=ibm,dc=com -file /home/wasadmin/bpm856.uk.ibm.com_ihs.req -size 2048 -sigalg SHA256WithECDSA -san_dnsname bpm856.uk.ibm.com-trace foobar.trc

I don't know precisely how to view the resulting trace file, but I was able to view it using view : -

Ngskkmmutex.cpp^@^@^@µ^@^@^@aGSKKM_RequestMutex(int mutexNum)^@0020465245440001574DEC020247001030303030374637443442303645373230^@^@^@<80>WMì^B^@^@<96>_^@^@^@^A@^@^@^@^@^@^@^D^@^@^@^@^@^@^@^@^@^@^@aGSKKM_RequestMutex(int mutexNum)^@0020465245440001574DEC020247001030303030374637443442303645373230^@^@^@<80>WMì^B^@^@<96>_^@^@^@^A^@^@^@^A^@^@^@^C^@^@^@^Kgskkmdb.cpp^@^@^@·^@^@^@rERROR: sizeof(GSKKM_DB_HANDLE) < sizeof(aDBEntry)^@0020465245440001574DEC020247001030303030374637443442303645373230^@^@^@<80>WMì^B^@^@<96>_^@^@^@^A<80>^@^@^@^@^@^@^D^@^@^@^Lgskkmapi.cpp^@^@"º^@^@^@OGSKKM_Strdup()^@0020465245440001574DEC020247001030303030374637443442303645373230^@^@^@<80>WMì^B^@^@<96>_^@^@^@^A@^@^@^@^@^@^@^D^@^@^@^@^@^@^@^@^@^@^@OGSKKM_Strdup()^@0020465245440001574DEC020247001030303030374637443442303645373230^@^@^@<80>WMì^B^@^@<96>_^@^@^@^A<80>^@^@^@^@^@^@^D^@^@^@^Lgskkmapi.cpp^@^@"º^@^@^@OGSKKM_Strdup()^@0020465245440001574DEC020247001030303030374637443442303645373230^@^@^@<80>WMì^B^@^@<96>_^@^@^@^A@^@^@^@^@^@^@^D^@^@^@^@^@^@^@^@^@^@^@OGSKKM_Strdup()^@0020465245440001574DEC020247001030303030374637443442303645373230^@^@^@<80>WMì^B^@^@<96>_^@^@^@^A<80>^@^@^@^@^@^@^D^@^@^@^Lgskkmapi.cpp^@^@"º^@^@^@OGSKKM_Strdup()^@0020465245440001574DEC020247001030303030374637443442303645373230

Working on the assumption that there MIGHT be a problem with the Key Size ( which I'd specified as 2048 bits, I made an assumption that 2048 may be too big for that particular Signature Algorithm.

I tested my hypothesis by switching to a 512-bit key: -

/opt/IBM/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label bpm856.uk.ibm.com -dn cn=bpm856.uk.ibm.com,dc=uk,dc=ibm,dc=com -file /home/wasadmin/bpm856.uk.ibm.com_ihs.req -size 512 -sigalg SHA256WithECDSA -san_dnsname bpm856.uk.ibm.com

which worked a treat.

I validated the Certificate Request thusly: -

openssl req -in bpm856.uk.ibm.com_ihs.req -text -noout

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: DC=com, DC=ibm, DC=uk, CN=bpm856.uk.ibm.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                pub: 
                    04:01:05:be:47:ad:3f:81:aa:fe:95:21:ba:5c:5f:
                    8a:e7:37:ba:8c:80:2d:d1:73:e9:ff:00:7c:e0:f1:
                    0d:46:3a:4c:84:b1:27:63:32:99:2c:33:f1:35:66:
                    22:5d:f2:9d:7e:f1:54:70:f8:d8:f6:f0:90:cc:4d:
                    a8:41:a8:7a:9e:65:96:01:f0:fe:68:63:6d:55:34:
                    ce:d7:ad:20:a3:e0:3f:1c:af:4b:25:84:30:4f:5d:
                    06:d5:86:60:d1:51:bd:65:77:bd:07:08:49:c4:dd:
                    1b:23:83:73:a2:ab:11:6b:3d:e8:4e:17:6b:c7:97:
                    a0:56:86:05:88:72:dc:0c:81:11:78:8e:1c
                ASN1 OID: secp521r1
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:bpm856.uk.ibm.com
    Signature Algorithm: ecdsa-with-SHA256
         30:81:88:02:42:00:8c:2b:3c:b5:5d:65:2e:68:92:e9:38:8e:
         01:e2:01:5c:9b:81:12:ae:d7:57:fc:bf:bb:0e:fa:07:da:4f:
         ea:f4:da:4e:47:5a:37:99:4c:6f:70:44:af:90:db:ac:0b:6b:
         7a:14:7b:57:ce:d4:be:81:c8:66:4a:40:79:03:9d:8e:6f:02:
         42:01:9d:65:ba:29:2f:84:f8:18:ca:c1:6c:e5:c7:f5:99:3b:
         aa:53:04:3f:47:3b:1f:fa:3a:cd:fa:57:42:c7:0c:81:63:ec:
         67:0c:b0:96:7e:3e:c2:76:f6:12:f8:72:e9:99:21:38:52:df:
         a4:42:1a:36:e1:17:fb:74:3a:da:34:11:d9

which is nice.

Viewing all 1851 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>