IBM Cloud Private and IBM Cloud Automation Manager - Some videos

April 12, 2018, 8:06 am

≫ Next: Kerberos Key Distribution Centre (KDC) Encryption Types

≪ Previous: IBM Cloud Private - More on using Helm and Kubectl to create, upload, install and use applications

On IBM developerWorks here: -

https://developer.ibm.com/cloudautomation/videos/

Use CAM to deploy Websphere Liberty into AWS

Deploy MQ topologies into IBM Cloud Private using Cloud Automation Manager

Add UCD application components to an existing CAM library template

Service composition in IBM's Cloud Automation Manager

Edit, publish, and deploy a template using Template Designer

Edit existing templates using Template Designer

Create and publish a new template using IBM CAM Template Designer

Installing IBM Cloud Automation Manager Community Edition

↧

Kerberos Key Distribution Centre (KDC) Encryption Types

April 23, 2018, 6:22 am

≫ Next: WAS and AD and SPNEGO - Oops, I broke my LDAP

≪ Previous: IBM Cloud Private and IBM Cloud Automation Manager - Some videos

I'm tinkering with Kerberos and SPNEGO again, in the context of integrating WebSphere Application Server (WAS) and Active Directory together.

This time I'm using WAS 8.5.5.13 and AD 2012.

Looking at the command that generates the Kerberos configuration within WAS: -

AdminTask.createKrbConfigFile("[-krbPath /opt/ibm/WebSphere/AppServer/java/jre/lib/security/krb5.conf -realm UK.IBM.COM -kdcHost ad2012.uk.ibm.com.com -dns uk.ibm.com -keytabPath /home/wasadmin/bpm857.keytab -encryption des3-cbc-sha1]")

I started to wonder about the -encryption switch: -

Source: Creating a Kerberos configuration file

Looking here: -

Windows Configurations for Kerberos Supported Encryption Type

prompted me to dig into Windows a bit more.

As per the above link, one place to check the supported Encryption Types is the User Account: -

so, if I so choose, I can lock down the encryption types in one of many ways ...

↧

WAS and AD and SPNEGO - Oops, I broke my LDAP

April 23, 2018, 8:19 am

≫ Next: Hmm, SPNEGO not playing nicely THIS TIME

≪ Previous: Kerberos Key Distribution Centre (KDC) Encryption Types

In the process of setting up Single Sign-On (SSO) between Microsoft Active Directory 2012 and WebSphere Application Server, I inadvertently broke my directory ….

Having run this command: -

ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass P455w0rd -ptype KRB5_NT_PRINCIPAL

I then saw this: -

…

[23/04/18 15:29:16:636 BST] 00000104 exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]; resolved object com.sun.jndi.ldap.LdapCtx@d088f31d' naming exception occurred during processing.

[23/04/18 15:29:16:637 BST] 00000104 exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext
com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\u0000]; resolved object com.sun.jndi.ldap.LdapCtx@d088f31d' naming exception occurred during processing.

...

[23/04/18 15:53:02:425 BST] 00000166 exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E  The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]; resolved object com.sun.jndi.ldap.LdapCtx@8633793e' naming exception occurred during processing.
[23/04/18 15:53:02:426 BST] 00000166 exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext
com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E  The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\u0000]; resolved object com.sun.jndi.ldap.LdapCtx@8633793e' naming exception occurred during processing.

...

and this in the browser: -

What did I do wrong ?

Well, when I ran this command: -

ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass P455w0rd -ptype KRB5_NT_PRINCIPAL

to generate the Kerberos keytab, I used the WRONG password :-(

This meant that, when Kerberos attempted to kick in and log me, using the Service Account UK\bpmbind, it did so with the wrong password, causing Windows to lock the account.

Once I reset the password back to the PROPER password, things proceeded more smoothly ….

In other words, I reset the password in Windows back to the same password that WAS was using to bind to AD via LDAP.

I did then go and regenerate the key tab using the CORRECT password :-)

List the Service Principle Names

setspn -l bpmbind

Registered ServicePrincipalNames for CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com:
HTTP/bpm857.uk.ibm.com

Delete the "bad" one

setspn -d HTTP/bpm857.uk.ibm.com bpmbind

Unregistering ServicePrincipalNames for CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com
HTTP/bpm857.uk.ibm.com
Updated object

Recreate the keytab AND create a new SPN

ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass Qp455w0rd -ptype KRB5_NT_PRINCIPAL

Targeting domain controller: was90box.uk.ibm.com
Successfully mapped HTTP/bpm857.uk.ibm.com to bpmbind.
Password successfully set!
Key created.
Output keytab to bpm857.keytab:
Keytab version: 0x502
keysize 60 HTTP/bpm857.uk.ibm.com@UK ptype 1 (KRB5_NT_PRINCIPAL) vno 9 etype 0x17 (RC4-HMAC) keylength 16 (0xd35a1de683986444c22c35127a44b349)

List the Service Principle Names

setspn -l bpmbind

Registered ServicePrincipalNames for CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com:
HTTP/bpm857.uk.ibm.com

Nice :-)

↧

Hmm, SPNEGO not playing nicely THIS TIME

April 25, 2018, 11:34 am

≫ Next: IBM Integration Bus on Docker - Story of a tinkerer

≪ Previous: WAS and AD and SPNEGO - Oops, I broke my LDAP

So I'm seeing a blank screen where I should be seeing a BPM Process Portal, and am seeing this in the AppCluster logs: -

...

[25/04/18 13:53:12:228 BST] 00000194 ServerCache I DYNA1001I: WebSphere Dynamic Cache instance named ws/WSSecureMapNotShared initialized successfully.

[25/04/18 13:53:12:230 BST] 00000194 ServerCache   I   DYNA1071I: The cache provider "default" is being used.
[25/04/18 13:53:12:617 BST] 00000194 ServletWrappe I com.ibm.ws.webcontainer.servlet.ServletWrapper init SRVE0242I: [IBM_BPM_Repository_AppCluster] [/ProcessCenter] [/login.jsp]: Initialization successful.
[25/04/18 13:53:12:983 BST] 00000194 WebContainer  E com.ibm.ws.webcontainer.internal.WebContainer handleRequest SRVE0255E: A WebGroup/Virtual Host to handle /favicon.ico has not been defined.
[25/04/18 13:56:25:739 BST] 00000194 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/ibm/WebSphereProfiles/AppSrv01/logs/ffdc/AppClusterMember1_a6b879bd_18.04.25_13.56.25.7281859129348691234731.txt com.ibm.ws.ssl.channel.impl.SSLReadServiceContext 192
[25/04/18 13:56:35:615 BST] 00000194 ServletWrappe I com.ibm.ws.webcontainer.servlet.ServletWrapper init SRVE0242I: [IBM_BPM_Repository_AppCluster] [/ProcessCenter] [/welcome.jsp]: Initialization successful.
[25/04/18 13:56:35:941 BST] 00000194 ServerCredent I com.ibm.ws.security.spnego.ServerCredentialsFactory initializeServer CWSPN0016I: Ready to process host: bpm857.uk.ibm.com.
[25/04/18 13:56:35:942 BST] 00000194 TrustAssociat I com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl initialize CWSPN0006I: SPNEGO Trust Association Interceptor initialization is complete. Configuration follows:
  SPNEGO Web Authentication:
  enabled = true
  dynamically update = true
  allowAppAuthMethodFallback = false
  krb5Config = /opt/ibm/WebSphere/AppServer/java/jre/lib/security/krb5.conf
  krb5Keytab = /home/wasadmin/bpm857.keytab
  Server configuration:
  Kerberos ServicePrincipalName=HTTP/bpm857.uk.ibm.com@UK
  com.ibm.ws.security.spnego.SPN.filter=null
  com.ibm.ws.security.spnego.SPN.filterClass=com.ibm.ws.security.spnego.HTTPHeaderFilter@f1c79289
  com.ibm.ws.security.spnego.SPN.NTLMTokenReceivedPage=null
  com.ibm.ws.security.spnego.SPN.spnegoNotSupportedPage=null
  cannonicalSupport=true
[25/04/18 13:56:36:062 BST] 00000194 Context     E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000:  a1143012 a0030a01 01a10b06 092a8648   ..0. .... .... .*.H
0010:  82f71201 0202   .... ..

[25/04/18 13:56:36:135 BST] 00000194 WebContainer  E com.ibm.ws.webcontainer.internal.WebContainer handleRequest SRVE0255E: A WebGroup/Virtual Host to handle /favicon.ico has not been defined.
[25/04/18 13:57:07:953 BST] 00000194 Context     E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000:  a1143012 a0030a01 01a10b06 092a8648   ..0. .... .... .*.H
0010:  82f71201 0202   .... ..

[25/04/18 13:58:23:688 BST] 00000194 Context     E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000:  a1143012 a0030a01 01a10b06 092a8648   ..0. .... .... .*.H
0010:  82f71201 0202   .... ..

[25/04/18 13:58:23:745 BST] 00000194 WebContainer  E com.ibm.ws.webcontainer.internal.WebContainer handleRequest SRVE0255E: A WebGroup/Virtual Host to handle /favicon.ico has not been defined.
[25/04/18 14:16:39:148 BST] 00000194 Context     E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000:  a1143012 a0030a01 01a10b06 092a8648   ..0. .... .... .*.H
0010:  82f71201 0202   .... ..
...

Now last time I saw this, the two boxes ( BPM on Linux and Active Directory on Windows ) were out-of-sync.

This time, Windows says this: -

and Linux says this: -

date

Wed 25 Apr 14:18:31 BST 2018

which is pretty close.

However, given that this all worked before I suspended/reawakened my VMs, I restart the AppCluster.

Alas, this made no difference.

So I then rebooted the Windows VM …

Alas, this made no difference.

So I then rebooted the Linux VM …

And then restarted the Deployment Environment….

But still this …

...
[25/04/18 14:56:20:090 BST] 00000172 ServerCredent I com.ibm.ws.security.spnego.ServerCredentialsFactory initializeServer CWSPN0016I: Ready to process host: bpm857.uk.ibm.com.
[25/04/18 14:56:20:091 BST] 00000172 TrustAssociat I com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl initialize CWSPN0006I: SPNEGO Trust Association Interceptor initialization is complete. Configuration follows:
SPNEGO Web Authentication:
enabled = true
dynamically update = true
allowAppAuthMethodFallback = false
krb5Config = /opt/ibm/WebSphere/AppServer/java/jre/lib/security/krb5.conf
krb5Keytab = /home/wasadmin/bpm857.keytab
Server configuration:
Kerberos ServicePrincipalName=HTTP/bpm857.uk.ibm.com@UK
com.ibm.ws.security.spnego.SPN.filter=null
com.ibm.ws.security.spnego.SPN.filterClass=com.ibm.ws.security.spnego.HTTPHeaderFilter@becc3490
com.ibm.ws.security.spnego.SPN.NTLMTokenReceivedPage=null
com.ibm.ws.security.spnego.SPN.spnegoNotSupportedPage=null
cannonicalSupport=true
[25/04/18 14:56:20:168 BST] 00000172 Context E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000: a1143012 a0030a01 01a10b06 092a8648 ..0. .... .... .*.H
0010: 82f71201 0202 .... ..
...

So, rather than trialling and erring, I switched on some debugging, via these two JVM Custom Properties: -

com.ibm.security.jgss.debug = all
com.ibm.security.krb5.Krb5Debug = all

for the AppCluster JVM, and saw this: -

...

[25/04/18 16:32:55:885 BST] 0000014b SystemOut     O [KRB_DBG_CRYP] Rc4HMac:WebContainer : 0:   Checksum arrays = [B@ce870b1e newchecksum:[B@600dad29
[25/04/18 16:32:55:917 BST] 0000014b SystemOut     O [JGSS_DBG_CTX]  WebContainer : 0 Error authenticating request. Reporting to client
Major code = 11, Minor code = 0
org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0
message: Checksum error; received checksum does not match computed checksum
[25/04/18 16:32:55:918 BST] 0000014b SystemOut     O [JGSS_DBG_CTX]  WebContainer : 0 >>SPNEGO: wrap the response data to a gss token
[25/04/18 16:32:55:918 BST] 0000014b SystemOut     O [JGSS_DBG_CTX]  WebContainer : 0 >>SPNEGO: no response token
[25/04/18 16:32:55:918 BST] 0000014b SystemOut     O [JGSS_DBG_CTX]  WebContainer : 0 >>SPNEGO: target accept incomplete
[25/04/18 16:32:55:922 BST] 0000014b SystemOut     O [JGSS_DBG_CTX]  WebContainer : 0 >>SPNEGO: target select preferred mechanism
[25/04/18 16:32:55:923 BST] 0000014b SystemOut     O [JGSS_DBG_CTX]  WebContainer : 0 com.ibm.security.jgss.spnego2478 = false
[25/04/18 16:32:55:924 BST] 0000014b Context     E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000:  a1143012 a0030a01 01a10b06 092a8648   ..0. .... .... .*.H
0010:  82f71201 0202   .... ..
…

I dug around and around and around, and then found this: -

SPNEGO troubleshooting tips

which said, in part: -

…

The password used when generating the keytab file with ktpass does not match the password assigned to the service account. When the password changes you should regenerate and redistribute the keys., even if it is reset to the same password.

In addition, the ktpass tool might generate a keytab file with a non-matching password as in the following cases:

• If the password entered to ktpass matches the password for the service account, then the produced keytab file does work.

• If the password entered to ktpass does not match the password for the service account, and is less than 7 characters in length, ktpass stops and does not produce a keytab file.

• If the password entered to ktpass does not match the password for the service account, and is greater than 6 characters in length, ktpass does not stop. Instead, it produces a keytab file containing an invalid key. Use of this key to decrypt a SPNEGO token produces the checksum error previously listed.

Use a non-null password for the service account, and then use that password when invoking ktpass.

…

which reminded me of this post FROM MY OWN DARN BLOG: -

WAS and AD and SPNEGO - Oops, I broke my LDAP

where I wrote about how using ktpass with the WRONG password had broken my WAS -> LDAP bind account.

Which made me think ….

So I regenerated the keytab WITH THE RIGHT PASSWORD: -

ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass Qp455w0rd -ptype KRB5_NT_PRINCIPAL

and then placed the new keytab back into WAS: -

as referenced in the krb5.conf file: -

cat /opt/ibm/WebSphere/AppServer/java/jre/lib/security/krb5.conf

[libdefaults]
default_realm = UK.IBM.COM
default_keytab_name = FILE:/home/wasadmin/bpm857.keytab
default_tkt_enctypes = des3-cbc-sha1
default_tgs_enctypes = des3-cbc-sha1
forwardable  = true
renewable  = true
noaddresses = true
clockskew  = 300
[realms]
UK.IBM.COM = {
kdc = ad2012.uk.ibm.com.com:88
default_domain = uk.ibm.com
}
[domain_realm]
.uk.ibm.com = UK.IBM.COM

So that was fun.

In solving one problem, I caused another.

But I learned yet more about the way that SPNEGO works, and how to debug it when things go wrong ( cough ).

As ever, every day is a school day.

↧

IBM Integration Bus on Docker - Story of a tinkerer

May 11, 2018, 11:26 am

≫ Next: IBM Cloud Developer Console for Apple

≪ Previous: Hmm, SPNEGO not playing nicely THIS TIME

Following this recipe: -

Building a sample IBM Integration Bus image using Docker

I started by pulling the Git repo: -

git clone https://github.com/ot4i/iib-docker

and then built the Docker image: -

cd iib-docker/10.0.0.11/iib

ls -al

total 32
drwxr-xr-x  6 davidhay  staff   192 11 May 10:15 .
drwxr-xr-x  4 davidhay  staff   128 10 May 13:33 ..
-rw-r--r--  1 davidhay  staff  1975 11 May 10:15 Dockerfile
-rw-r--r--  1 davidhay  staff  1460 10 May 13:33 iib-license-check.sh
-rw-r--r--  1 davidhay  staff   410 10 May 13:33 iib_env.sh
-rw-r--r--  1 davidhay  staff  2611 10 May 13:33 iib_manage.sh

docker build -t iibv10image .

and spun up a container: -

docker run --name myNode -e LICENSE=accept -e NODENAME=MYNODE -P iibv10image

Sourcing profile
----------------------------------------
Version: '10.0.0.11'
Product: 'IBM Integration Bus'
Build Number: '490'
IE02 level: 'ie02-L20140415-1143'
IB Level: 'ib1000-L171130.490_P'
Server level: 'S1000-L171127.10584'
Toolkit level:'20171121-1732' [not installed]
----------------------------------------
----------------------------------------
Node MYNODE does not exist...
Creating node MYNODE
BIP8071I: Successful command completion.
----------------------------------------
----------------------------------------
Starting syslog
Starting node MYNODE
BIP8096I: Successful command initiation, check the system log to ensure that the component started without problem and that it continues to run without problem.
----------------------------------------
----------------------------------------
Creating integration server default
BIP1124I: Creating integration server 'default' on integration node 'MYNODE'...
BIP1117I: The integration server was created successfully.

The integration node has initialized the integration server.
BIP8071I: Successful command completion.
----------------------------------------
----------------------------------------
----------------------------------------
----------------------------------------
----------------------------------------
Running - stop container to exit

and then checked for the listening ( and mapped ) ports: -

docker port myNode

4414/tcp -> 0.0.0.0:32769
7800/tcp -> 0.0.0.0:32768

and then hit up IIB: -

http://localhost:32769/#broker/0

Having deployed a Broker Archive (BAR) file to the Integration Server, I was able to hit my flow: -

http://0.0.0.0:32768/Canary?wsdl

Nice !

For the record, the Dockerfile: -

# © Copyright IBM Corporation 2015.
#
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Eclipse Public License v1.0
# which accompanies this distribution, and is available at
# http://www.eclipse.org/legal/epl-v10.html

FROM ubuntu:16.04

LABEL maintainer "Dan Robinson , Sam Rogers "

LABEL "ProductID"="447aefb5fd1342d5b893f3934dfded73" \
"ProductName"="IBM Integration Bus" \
"ProductVersion"="10.0.0.8"

# Install curl
RUN apt-get update && \
apt-get install -y curl rsyslog sudo && \
rm -rf /var/lib/apt/lists/*

# Install IIB V10 Developer edition
RUN mkdir /opt/ibm && \
curl http://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/integration/10.0.0.11-IIB-LINUX64-DEVELOPER.tar.gz \
| tar zx --exclude iib-10.0.0.11/tools --directory /opt/ibm && \
/opt/ibm/iib-10.0.0.11/iib make registry global accept license silently

# Configure system
RUN echo "IIB_10:"> /etc/debian_chroot && \
touch /var/log/syslog && \
chown syslog:adm /var/log/syslog

# Create user to run as
RUN useradd --create-home --home-dir /home/iibuser -G mqbrkrs,sudo iibuser && \
sed -e 's/^%sudo.*/%sudoALL=NOPASSWD:ALL/g' -i /etc/sudoers

# Increase security
RUN sed -i 's/sha512/sha512 minlen=8/' /etc/pam.d/common-password && \
sed -i 's/PASS_MIN_DAYS\t0/PASS_MIN_DAYS\t1/' /etc/login.defs && \
sed -i 's/PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/' /etc/login.defs

# Copy in script files
COPY iib_manage.sh /usr/local/bin/
COPY iib-license-check.sh /usr/local/bin/
COPY iib_env.sh /usr/local/bin/
RUN chmod +rx /usr/local/bin/*.sh

# Set BASH_ENV to source mqsiprofile when using docker exec bash -c
ENV BASH_ENV=/usr/local/bin/iib_env.sh
ENV MQSI_MQTT_LOCAL_HOSTNAME=127.0.0.1

# Expose default admin port and http port
EXPOSE 4414 7800

USER iibuser

# Set entrypoint to run management script
ENTRYPOINT ["iib_manage.sh"]

leads me to believe that I could use other versions of IIB or even AppConnect Enterprise (ACE), which is kinda like IIB v11: -

https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/integration/

↧

IBM Cloud Developer Console for Apple

May 11, 2018, 12:52 pm

≫ Next: macOS and VMware Fusion and Windows 7 and DHCP - The internet fixed my problem

≪ Previous: IBM Integration Bus on Docker - Story of a tinkerer

This is something I did not know that we had: -

https://console.bluemix.net/developer/appledevelopment/dashboard

NIce !

↧

macOS and VMware Fusion and Windows 7 and DHCP - The internet fixed my problem

May 15, 2018, 1:17 am

≫ Next: IBM API Connect - Consuming IBM Integration Bus as a Service - OR NOT

≪ Previous: IBM Cloud Developer Console for Apple

I was seeing "Unidentified network" on a Windows 7 VM, using VMware Fusion Professional Version 10.1.1 on my Mac, following an unexpected b0rk of said Mac.

Long story short, this meant NO internet connectivity from the VM, regardless of whether I chose NAT or Bridged.

I tried / failed to recover this via various approaches, including shutting down / restarting the VM, but to no avail.

Just before I threw the Mac out of the window ( pardon the pun ), I found this: -

after High Sierra 10.13.2 Update with Fusion 10.0.1 I get Unidentified Network on Windows 10

…

Got the same problem and this worked for me https://kb.vmware.com/s/article/1026510

In terminal I ran:

sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --configure
sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --stop
sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --start

…

This is the aforementioned VMware article: -

Modifying the DHCP settings of vmnet1 and vmnet8 in Fusion (1026510)

…

Run the following commands in sequence to update the changes without restarting Fusion 4.x and later. These can be used if you do not want to relaunch Fusion(if you have other Virtual Machines running).

sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --configure
sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --stop
sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --start

…

MUST MUST MUST REMEMBER THIS!

↧

IBM API Connect - Consuming IBM Integration Bus as a Service - OR NOT

May 17, 2018, 11:08 am

≫ Next: IBM Integration Bus - BIP3113E and BIP2230E and BIP4240E

≪ Previous: macOS and VMware Fusion and Windows 7 and DHCP - The internet fixed my problem

I've been tinkering with IBM API Connect ( APIC ) and IBM Integration Bus ( IIB ), both as Software-as-a-Service (SaaS) capabilities on the IBM Cloud.

Specifically, I've been exposing Integration Services from IIB, and exposing them as APIs …

… which is nice.

However, I did struggle a bit …

My Integration Service ( which includes a Message Flow ) exposes a downstream Decision Service from IBM ODM Rules, so it's the world's simplest service.

And it's SOAP-based, 'cos I know SOAP better than I know REST.

Anyway, I have an endpoint from which I've pulled a WSDL: -

curl --insecure https://foobar.eu-gb.ace.ibm.com/DecisionService/ws/HelloWorldProject/1.0/HelloWorld/1.0/v75?wsdl -u iib:passw0rd > ODMRulesOK.wsdl

and I then try and create an API from that WSDL: -

Alas this failed with: -

Error occurred while validating WSDL "[ODMRulesOK.wsdl located at /var/tmp/java-cmc/temp1603454472707037502ODMRulesOK.wsdl]". Message: An error occurred while processing a (schemaLocation with a value of "https://foobar.eu-gb.ace.ibm.com:443/DecisionService/ws/HelloWorldProject/1.0/HelloWorld/1.0/v75?xsd=xsd0"). Failed to retrieve the remote file from location: https://foobar.eu-gb.ace.ibm.com:443/DecisionService/ws/HelloWorldProject/1.0/HelloWorld/1.0/v75?xsd=xsd0. Ensure the remote file is available. The HTTP Response code is:401 You may want to create a zip file containing all of your wsdl/xsd files and use the zip file as the input.

After some digging around, I realised that this is because IIB is sitting between an authentication junction, and requires a user ID and password ….

That shouldn't be a problem as I'd already pulled the WSDL via the Curl statement above ….

but ….

The WSDL also references an XSD: -

<xsd:include schemaLocation="https://foobar.eu-gb.ace.ibm.com:443/DecisionService/ws/HelloWorldProject/1.0/HelloWorld/1.0/v75?xsd=xsd0"/>

to which APIC doesn't have access.

Therefore, APIC tries, and then fails, to retrieve the XSD, as it doesn't have the credentials.

I can, of course, pull the XSD directly: -

curl --insecure https://foobar.eu-gb.ace.ibm.com/DecisionService/ws/HelloWorldProject/1.0/HelloWorld/1.0/v75?xsd=xsd0 -u iib:D5U_cBMk > xsd0.xsd

*BUT* that doesn't help, as the WSDL still references the XSD via a URL.

So I then needed to hand-edit the WSDL: -

<xsd:include schemaLocation="xsd0.xsd"/>

but the API creation process still fails: -

Error occurred while validating WSDL "[ODMRulesOK.wsdl located at /var/tmp/java-cmc/temp5372241849736215174ODMRulesOK.wsdl]". Message: An error occurred while processing a (schemaLocation with a value of "xsd0.xsd"). The local file "/var/tmp/java-cmc/xsd0.xsd" does not exist. You may want to create a zip file containing all of your wsdl/xsd files and use the zip file as the input.

The solution ?

Read the flippin' message, and create a zip file ….

zip ../ODMRulesOK.zip *

and install from that: -

Having done that, I was able to create an API, publish a Product, and test it using the APIC Assembly tool.

I merely needed to pass in a SOAP envelope: -

to get back a SOAP envelope: _

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:ds="http://www.ibm.com/rules/decisionservice/HelloWorldProject/HelloWorld"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xmlns:xsd="http://www.w3.org/2001/XMLSchema"

xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">

<soapenv:Body>

<HelloWorldResponse

xmlns="http://www.ibm.com/rules/decisionservice/HelloWorldProject/HelloWorld">

<response>Hello David M M Hay</response>

</HelloWorldResponse>

</soapenv:Body>

</soapenv:Envelope>

which is nice.

For the record, I'd had similar problems using the APIC command line, as per the example: -

apic create --type api --wsdl canary.wsdl

Error: An error occurred while processing a (schemaLocation with a value of "https://8gnda2kp.eu-gb.ace.ibm.com:443/Canary?xsd=xsd0").
Failed to retrieve the remote file from location: https://8gnda2kp.eu-gb.ace.ibm.com:443/Canary?xsd=xsd0. Ensure the remote file is available. The HTTP Response code is:401
You may want to create a zip file containing all of your wsdl/xsd files and use the zip file as the input.

so the solution is the same; pull the XSD and "hack" the WSDL

However, it's NOT necessary to create a ZIP file, merely to run the apic create command again ….

apic create --type api --wsdl canary.wsdl

Created canaryhttpservice.yaml API definition [canaryhttpservice:1.0.0]

The resulting YAML file can then be imported into APIC, and we're back in the game.

Which is nice !

↧

IBM Integration Bus - BIP3113E and BIP2230E and BIP4240E

May 17, 2018, 11:10 am

≫ Next: IBM API Connect - More on API consumption

≪ Previous: IBM API Connect - Consuming IBM Integration Bus as a Service - OR NOT

So this has been annoying me for 1/2 day ….

I was trying/failing to create an Integration Service in IBM Integration Bus 10 that consumes a Decision Service from IBM Operational Decision Manager, via SOAP / WSDL.

I'd previously generated the Decision Service, and deployed it to an instance of ODM ( aka Business Rules ) on the IBM Cloud: -

Having grabbed the WSDL from the Decision Service itself: -

I created a new Integration Service in IIB ( using the Toolkit on a Windows VM ), from the WSDL ( via a URL ), and deployed my Service to an Integration Node ( again via the Toolkit ).

This then gave me another WSDL URL: -

for the actual flow running in the Integration Service on the Integration Server.

I plopped this into SoapUI, created a new SOAP project, and attempted to hit my Integration Service: -

For reference, this is what it says ….

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Server</faultcode>
<faultstring>BIP3113E: Exception detected in message flow gen.ODMRulesOK.SOAP Input (integration node TESTNODE_Dave)</faultstring>
<detail>
<Text>BIP2230E: Error detected whilst processing a message in node 'gen.ODMRulesOK.Route To Label'.
The integration node detected an error whilst processing a message in node 'gen.ODMRulesOK.Route To Label'. An exception has been thrown to cut short the processing of the message.
See the following messages for details of the error. : F:\build\S1000_slot1\S1000_P\src\DataFlowEngine\BasicNodes\ImbRouterNode.cpp: 315: ImbRouterNode::evaluate: ComIbmRouteToLabelNode: gen/ODMRulesOK#FCMComposite_1_2
BIP4240E: RouteToLabel node ''gen.ODMRulesOK.Route To Label'' unable to locate Label node ''HelloWorld''.
A RouteToLabel node received a message that contains a label, but no Label node has this label.
Possible causes of this error are as follows: (a) The input message is not as expected. (b) The logic of the message flow, which does not calculate a valid Label node name for all valid input messages. (c) Errors in deployment. Check that the input message is as expected. Then check the logic of the message flow, to ensure that in all cases the calculated Label node names are correct. Finally ensure that the message flow, and any nested message flows have been saved. Redeploy the new configuration to the broker, using the complete configuration option. If the problem persists, contact your IBM Support Center. : F:\build\S1000_slot1\S1000_P\src\DataFlowEngine\BasicNodes\ImbRouterNode.cpp: 291: ImbRouterNode::evaluate: ComIbmRouteToLabelNode: gen/ODMRulesOK#FCMComposite_1_2</Text>
</detail>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>

After much faffing about, I poked about within the generated Message Flow: -

Can you see what I did there ?

So the Input is NOT wired to the Output ( or, indeed, to ANYTHING )

So I tried wiring the Input to the Output: -

but those clever IIB folks have thought about that: -

So I tried again - using the error message as inspiration ( by adding a Route To Label node ): -

and redeployed my flow.

At which point it just works :-)

So … the moral of the story - CONNECT YOUR DARN NODES, HAY

↧

IBM API Connect - More on API consumption

May 18, 2018, 4:27 am

≫ Next: Red Hat Enterprise Linux - Where's my LDAPSearch tool ?

≪ Previous: IBM Integration Bus - BIP3113E and BIP2230E and BIP4240E

Following on from an earlier post: -

IBM API Connect - Consuming IBM Integration Bus as a Service - OR NOT

I've been happily consuming an API from IBM API Connect ( on cloud ) using a SOAP client ( SoapUI ), sending in SOAP: -

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:hel="http://www.ibm.com/rules/decisionservice/HelloWorldProject/HelloWorld">
<soapenv:Header/>
<soapenv:Body>
<hel:HelloWorldRequest>

<hel:DecisionID>?</hel:DecisionID>
<hel:request>David M M Hay</hel:request>
</hel:HelloWorldRequest>
</soapenv:Body>
</soapenv:Envelope>

to get back SOAP: -

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:ds="http://www.ibm.com/rules/decisionservice/HelloWorldProject/HelloWorld"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<HelloWorldResponse
xmlns="http://www.ibm.com/rules/decisionservice/HelloWorldProject/HelloWorld">
<DecisionID>?</DecisionID>
<response>Hello David M M Hay</response>
</HelloWorldResponse>
</soapenv:Body>
</soapenv:Envelope>

I wanted to go a little further, and also consume the same API using a command-line, having subscribed to the API via the APIC Developer Portal.

To do this, I hit up the Developer Portal: -

https://sb-foobarukibmcom-foobar.developer.eu.apiconnect.ibmcloud.com

and registered myself as a new developer ( trick is to use a DIFFERENT email address to avoid getting confused between the admin and developer roles ).

Having created an Application ( App ), I then navigated into my chosen API Product: -

and subscribed to the API.

I then grabbed my Client ID: -

Having created a XML snippet containing the SOAP request: -

vi canary.xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:can="http://Canary">
<soapenv:Header/>
<soapenv:Body>
<can:operation1>
<input1>David M M Hay</input1>
</can:operation1>
</soapenv:Body>
</soapenv:Envelope>

I finished by involving the Canary API: -

curl --insecure --header "Content-Type: text/xml;charset=UTF-8" --header "X-IBM-Client-Id: b0aca626-ceed-4f21-b7d0-a8c725076659" --data @canary.xml https://api.eu.apiconnect.ibmcloud.com/foobarukibmcom-foobar/sb/CanaryHttpService

To break the command down, we have: -

Parameter	Value	Why

--insecure		By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure
--header	Content-Type: text/xml;charset=UTF-8	The service expects XML
--header	X-IBM-Client-Id: b0aca626-ceed-4f21-b7d0-a8c725076659	To set the client ID
--data	@canary.xml	The reference to the XML file containing the SOAP envelope
	https://api.eu.apiconnect.ibmcloud.com/foobarukibmcom-foobar/sb/CanaryHttpService	The URL of the API, as exposed via the Developer Portal ( and hosted on the Gateway )

For the record, this is using the native macOS version of curl

ls -al `which curl`

-rwxr-xr-x 1 root wheel 185104 28 Mar 05:02 /usr/bin/curl

Final thought, this gave me the heads-up on using —header X-IBM-Client-Id : -

Calling an API

↧

Red Hat Enterprise Linux - Where's my LDAPSearch tool ?

May 19, 2018, 4:36 am

≫ Next: IBM AppConnect Enterprise 11 on Linux - reminding myself

≪ Previous: IBM API Connect - More on API consumption

Why oh why do I forget this ?

Running this command : -

ldapsearch -h ad2012.uk.ibm.com -p 389 -D CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com -w Qp455w0rd -b CN=Users,DC=uk,DC=ibm,DC=com CN=bpm* CN

on RHEL 7.5 ( Maipo ) gives me this: -

-bash: ldapsearch: command not found

A few clicks later ….

yum install -y openldap-clients

Detected RHEL 7 server x86_64 ...
Wrote new config file /etc/yum.repos.d/ibm-yum-41186.repo

/usr/bin/yum --noplugins install -y openldap-clients
ftp3     | 2.0 kB  00:00:00
ftp3-extras   | 2.0 kB  00:00:00
ftp3-optional   | 2.0 kB  00:00:00
ftp3-rh-common     | 2.1 kB  00:00:00
ftp3-supplementary     | 2.0 kB  00:00:00
server     | 2.9 kB  00:00:00
(1/6): ftp3-extras/updateinfo   | 153 kB  00:00:06
(2/6): ftp3-extras/primary     | 223 kB  00:00:06
(3/6): ftp3-optional/updateinfo   | 2.0 MB  00:00:18
(4/6): ftp3/updateinfo     | 2.7 MB  00:00:24
(5/6): ftp3-optional/primary     | 4.4 MB  00:00:29
(6/6): ftp3/primary   |  28 MB  00:01:21
ftp3   20399/20399
ftp3-extras     838/838
ftp3-optional     15063/15063
Resolving Dependencies
--> Running transaction check
---> Package openldap-clients.x86_64 0:2.4.44-15.el7_5 will be installed
--> Processing Dependency: openldap(x86-64) = 2.4.44-15.el7_5 for package: openldap-clients-2.4.44-15.el7_5.x86_64
--> Running transaction check
---> Package openldap.x86_64 0:2.4.44-13.el7 will be updated
---> Package openldap.x86_64 0:2.4.44-15.el7_5 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================================================================================
Package     Arch   Version   Repository     Size
==========================================================================================================================================================================================================
Installing:
openldap-clients   x86_64   2.4.44-15.el7_5   ftp3   190 k
Updating for dependencies:
openldap   x86_64   2.4.44-15.el7_5   ftp3   355 k

Transaction Summary
==========================================================================================================================================================================================================
Install  1 Package
Upgrade     ( 1 Dependent package)

Total download size: 545 k
Downloading packages:
No Presto metadata available for ftp3
(1/2): openldap-clients-2.4.44-15.el7_5.x86_64.rpm     | 190 kB  00:00:04
(2/2): openldap-2.4.44-15.el7_5.x86_64.rpm     | 355 kB  00:00:05
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total     104 kB/s | 545 kB  00:00:05
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : openldap-2.4.44-15.el7_5.x86_64   1/3
  Installing : openldap-clients-2.4.44-15.el7_5.x86_64   2/3
  Cleanup   : openldap-2.4.44-13.el7.x86_64   3/3
  Verifying  : openldap-clients-2.4.44-15.el7_5.x86_64   1/3
  Verifying  : openldap-2.4.44-15.el7_5.x86_64   2/3
  Verifying  : openldap-2.4.44-13.el7.x86_64   3/3

Installed:
  openldap-clients.x86_64 0:2.4.44-15.el7_5

Dependency Updated:
  openldap.x86_64 0:2.4.44-15.el7_5

Complete!

Removed temporary configuration

Now we have it ….

which ldapsearch

/bin/ldapsearch

ls -al `which ldapsearch`

-rwxr-xr-x 1 root root 85928 Apr 3 13:04 /bin/ldapsearch

And now we're good to go: -

ldapsearch -h ad2012.uk.ibm.com -p 389 -D CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com -w Qp455w0rd -b CN=Users,DC=uk,DC=ibm,DC=com CN=bpm* CN

# extended LDIF
#
# LDAPv3
# base <CN=Users,DC=uk,DC=ibm,DC=com> with scope subtree
# filter: CN=bpm*
# requesting: CN
#

# bpmadmin, Users, uk.ibm.com
dn: CN=bpmadmin,CN=Users,DC=uk,DC=ibm,DC=com
cn: bpmadmin

# bpmbind, Users, uk.ibm.com
dn: CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com
cn: bpmbind

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

↧

IBM AppConnect Enterprise 11 on Linux - reminding myself

May 22, 2018, 1:48 am

≫ Next: DB2 on the Cloud - Ooops, broke my smallint

≪ Previous: Red Hat Enterprise Linux - Where's my LDAPSearch tool ?

I was having a chat with a colleague about the merits of running the IBM AppConnect Enterprise (ACE) or IBM Integration Bus (IIB) Toolkit on a Linux VM.

So, to remind myself, I spun up an existing RHEL 7.4 VM, and installed the required GUI-related RPMs: -

yum install -y xterm
yum install -y gtk2
yum install -y libgtk-x11-2.0.so.0
yum install -y libXtst
yum install -y xeyes
yum install -y xauth
yum install -y xorg-x11-fonts-Type1
yum install -y psmisc

and then switched to the ACE user: -

su - aceadmin

and started the Toolkit: -

/opt/ibm/ace-11.0.0.0/tools/eclipse

Alas this failed: -

Eclipse:
An error has occurred. See the log file
/home/aceadmin/IBM/ACET11-config/11.0.0.0/configuration/1526978110847.log.

so I checked the log: -

cat /home/aceadmin/IBM/ACET11-config/11.0.0.0/configuration/1526978110847.log

!SESSION 2018-05-22 09:35:10.249 -----------------------------------------------
eclipse.buildId=4.2.2.M20140918-1444
java.fullversion=8.0.5.10 - pxa6480sr5fp10-20180214_01(SR5 FP10)
JRE 1.8.0 IBM J9 2.9 Linux amd64-64 Compressed References 20180208_378436 (JIT enabled, AOT enabled)
OpenJ9   - 39bb844
OMR   - c04ccb2
IBM   - 2321a81
BootLoader constants: OS=linux, ARCH=x86_64, WS=gtk, NL=en_GB
Framework arguments:  -showlocation -product com.ibm.etools.msgbroker.tooling.ide
Command-line arguments:  -os linux -ws gtk -arch x86_64 -showlocation -product com.ibm.etools.msgbroker.tooling.ide

!ENTRY org.eclipse.osgi 4 0 2018-05-22 09:35:13.418
!MESSAGE Application error
!STACK 1
org.eclipse.swt.SWTError: No more handles [gtk_init_check() failed]
at org.eclipse.swt.SWT.error(SWT.java:4394)
at org.eclipse.swt.widgets.Display.createDisplay(Display.java:914)
at org.eclipse.swt.widgets.Display.create(Display.java:900)
at org.eclipse.swt.graphics.Device.<init>(Device.java:156)
at org.eclipse.swt.widgets.Display.<init>(Display.java:498)
at org.eclipse.swt.widgets.Display.<init>(Display.java:489)
at org.eclipse.ui.internal.Workbench.createDisplay(Workbench.java:673)
at org.eclipse.ui.PlatformUI.createDisplay(PlatformUI.java:161)
at org.eclipse.ui.internal.ide.application.IDEApplication.createDisplay(IDEApplication.java:154)
at org.eclipse.ui.internal.ide.application.IDEApplication.start(IDEApplication.java:96)
at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:196)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:110)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:79)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:353)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:180)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:629)
at org.eclipse.equinox.launcher.Main.basicRun(Main.java:584)
at org.eclipse.equinox.launcher.Main.run(Main.java:1438)
at org.eclipse.equinox.launcher.Main.main(Main.java:1414)

Before panicking, I checked my flow - I'd logged into the VM as root: -

ssh -Y root@integration

and then switched to the aceadmin user.

Therefore, the X11 session was "owned" by root rather than aceadmin.,

I logged out, and reconnected: -

ssh -Y aceadmin@integration

and retried: -

/opt/ibm/ace-11.0.0.0/tools/eclipse

Nice :-)

↧

DB2 on the Cloud - Ooops, broke my smallint

May 22, 2018, 2:21 am

≫ Next: Using DB2 on the IBM Cloud from macOS

≪ Previous: IBM AppConnect Enterprise 11 on Linux - reminding myself

So I was knocking up a test DB using IBM DB2 on Cloud ( a SaaS offering ), for some integration testing between IBM AppConnect Enterprise (ACE) and DB2 itself.

I'll talk about the connectivity in a later post.

However, I created a table: -

CREATE TABLE EMPLOYEE(ID SMALLINT, FIRSTNAME CHAR(30), LASTNAME CHAR(30));

and inserted some data: -

INSERT INTO EMPLOYEE(ID,FIRSTNAME,LASTNAME) VALUES(12345,'Homer','Simpson');

INSERT INTO EMPLOYEE(ID,FIRSTNAME,LASTNAME) VALUES(23456,'Marge','Simpson');

INSERT INTO EMPLOYEE(ID,FIRSTNAME,LASTNAME) VALUES(34567,'Lisa','Simpson');

and then got this: -

SQL0413N Overflow occurred during numeric data type conversion.

Can you see what I did wrong ??

Yeah, I know, right !

The SMALLINT data type stores small whole numbers that range from –32,767 to 32,767. The maximum negative number, –32,768, is a reserved value and cannot be used.

https://www.ibm.com/support/knowledgecenter/en/SSGU8G_12.1.0/com.ibm.sqlr.doc/ids_sqr_144.htm

So I was trying to insert the value 34567 into a column that was limited to 32767.

Doofus!

I fixed it easily: -

DROP TABLE EMPLOYEE;

CREATE TABLE EMPLOYEE(ID INT, FIRSTNAME CHAR(30), LASTNAME CHAR(30));

INSERT INTO EMPLOYEE(ID,FIRSTNAME,LASTNAME) VALUES(12345,'Homer','Simpson');

INSERT INTO EMPLOYEE(ID,FIRSTNAME,LASTNAME) VALUES(23456,'Marge','Simpson');

INSERT INTO EMPLOYEE(ID,FIRSTNAME,LASTNAME) VALUES(34567,'Lisa','Simpson');

INSERT INTO EMPLOYEE(ID,FIRSTNAME,LASTNAME) VALUES(45678,'Bart','Simpson');

↧

Using DB2 on the IBM Cloud from macOS

May 22, 2018, 3:25 am

≫ Next: WebSphere Application Server and HTTP Session Affinity

≪ Previous: DB2 on the Cloud - Ooops, broke my smallint

This is a relatively new area to me, as I typically work with DB2 on a local ( to me ) server, be it an AS/400, an AIX LPAR or a Linux or Windows VM.

However, IBM does offer DB2 on Cloud, formerly known as IBM dashDB, which is available from the IBM Cloud ( nee Bluemix ) console: -

Having spun up an instance ( using the Lite plan ) I then get a nice little dashboard: -

which includes documentation on the many different tools/methods I can use to connect to the database.

In essence, I now have a database - BLUDB - sitting on an internet-accessible host ( with a nice long complex host/service name ) on port 50000 ( as I've not yet chosen to add TLS encryption ) with a set of bind credentials.

Having downloaded and installed the macOS driver, I get the CLPPlus tool: -

/Applications/CLPPlus.app/Contents/MacOS/clpplus

plus a whole set of DB2 driver tools: -

ls -al /Applications/dsdriver/

total 160
drwxr-xr-x  26 davidhay  admin   832 22 May 09:55 .
drwxrwxr-x+ 76 root   admin   2432 21 May 16:55 ..
-rw-r--r--   1 davidhay  admin   4 22 May 09:55 .ftok
-r-xr-xr-x@  1 davidhay  admin   2165 21 May 16:55 Readme.txt
drwxr-xr-x   4 davidhay  admin   128  3 Apr  2017 adm
drwxr-xr-x@ 12 davidhay  admin   384 21 May 16:55 bin
drwxr-xr-x  12 davidhay  admin   384  3 Apr  2017 bnd
drwxr-xr-x   7 davidhay  admin   224 22 May 09:55 cfg
drwxrwsr-t   3 davidhay  admin     96  3 Apr  2017 cfgcache
drwxr-xr-x   4 davidhay  admin   128  3 Apr  2017 conv
-r--r--r--   1 davidhay  admin   2365 21 May 16:55 db2cshrc
drwxr-xr-x   3 davidhay  admin     96 22 May 09:55 db2dump
-r--r--r--   1 davidhay  admin   2241 21 May 16:55 db2profile
drwxr-xr-x  14 davidhay  admin   448  3 Apr  2017 include
-r-xr-xr-x@  1 davidhay  admin  58056 21 May 16:55 installDSDriver
-rw-r--r--   1 davidhay  admin   2816 21 May 16:55 installDSDriver.log
drwxr-xr-x@ 60 davidhay  admin   1920 21 May 16:55 java
drwxr-xr-x@  4 davidhay  admin   128 21 May 16:55 json
drwxr-xr-x   9 davidhay  admin   288  3 Apr  2017 lib
drwxr-xr-x@ 27 davidhay  admin   864 21 May 16:55 license
drwxr-xr-x   3 davidhay  admin     96  3 Apr  2017 msg
drwxr-xr-x@  3 davidhay  admin     96 21 May 16:55 php
drwxr-xr-x   3 davidhay  admin     96 21 May 16:55 python
drwxr-xr-x@  4 davidhay  admin   128 21 May 16:55 rdf
drwxr-xr-x@  3 davidhay  admin     96 21 May 16:55 ruby
drwxr-xr-x@ 10 davidhay  admin   320 21 May 16:55 tools

The trick was to execute the db2profile script: -

source /Applications/dsdriver/db2profile

which gives me this: -

db2level

DB21085I This instance or install (instance name, where applicable: "*") uses
"64" bits and DB2 code release "SQL11011" with level identifier "0202010F".
Informational tokens are "DB2 v11.1.1.1", "s1703232000", "DARWIN64111", and Fix
Pack "1a".
Product is installed at "/Applications/dsdriver".

db2cli -help

IBM DATABASE 2 Interactive CLI Sample Program
(C) COPYRIGHT International Business Machines Corp. 1993,1996
All Rights Reserved
Licensed Materials - Property of IBM
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

===============================================================================
DB2 interactive Call Level Interface (CLI) environment
===============================================================================

The DB2 interactive CLI environment is a multi-purpose design and prototyping
tool.

Command syntax

  db2cli [-help] [<mode>]

Command parameters (<mode> values)

  validate

  Validate db2cli.ini and db2dsdriver.cfg configuration files.

  bind

  Bind dynamic packages used by CLI, .NET and JCC applications against the
  target database.

  refreshldap

  Functionality to refresh dsn entries from LDAP to IBM Data Server Driver
  Configuration File.

  execsql

  Execute or prepare the given SQL statements. Can also capture the SQLs in
  the PDQXML file when capturemode is enabled in the configuration files.

  writecfg

  Functionality to add/remove dsn or database entries, and to add, modify
  and remove the parameters in the db2dsdriver.cfg file.

  -help

  Display db2cli tool help and usage information.

NOTE: For further details of each <mode>, append "-help" option after
specifying <mode>.

For example:

  1. db2cli validate -help
  2. db2cli writecfg -help

This then gave me what I needed to create the DB2 CLI connection: -

db2cli writecfg add -database BLUDB -host foobar.snafu.bluemix.net -port 50000

db2cli writecfg add -dsn dashdb -database BLUDB -host foobar.snafu.bluemix.net -port 50000

db2cli validate -dsn dashdb -connect -user srb12321 -passwd p455w0rd!

the latter of which returned: -

===============================================================================
Client information for the current copy:
===============================================================================

Client Package Type : IBM Data Server Driver Package
Client Version (level/bit): DB2 v11.1.1.1 (s1703232000/64-bit)
Client Platform : Darwin
Install/Instance Path : /Applications/dsdriver
DB2DSDRIVER_CFG_PATH value: <not-set>
db2dsdriver.cfg Path : /Applications/dsdriver/cfg/db2dsdriver.cfg
DB2CLIINIPATH value : <not-set>
db2cli.ini Path : /Applications/dsdriver/cfg/db2cli.ini
db2diag.log Path : /Applications/dsdriver/db2dump/db2diag.log

===============================================================================
db2dsdriver.cfg schema validation for the entire file:
===============================================================================

Success: The schema validation completed successfully without any errors.

===============================================================================
db2cli.ini validation for data source name "dashdb":
===============================================================================

Note: The validation utility could not find the configuration file db2cli.ini.
The file is searched at "/Applications/dsdriver/cfg/db2cli.ini".

===============================================================================
db2dsdriver.cfg validation for data source name "dashdb":
===============================================================================

[ Parameters used for the connection ]

Keywords Valid For Value
---------------------------------------------------------------------------
DATABASE CLI,.NET,ESQL BLUDB
HOSTNAME CLI,.NET,ESQL foobar.snafu.bluemix.net
PORT CLI,.NET,ESQL 50000

===============================================================================
Connection attempt for data source name "dashdb":
===============================================================================

[SUCCESS]

===============================================================================
The validation is completed.
===============================================================================

Having created a table ( as per another post here ), I've also connected the ACE Toolkit to DB2: -

I also found the documentation for the CLI to be of use: -

Db2 driver package

Connecting CLPPlus to a Db2 database

For reference, here's a useful insight into DB2-on-Cloud: -

6 ways IBM dashDB moves DB2 customers to the cloud faster

↧

WebSphere Application Server and HTTP Session Affinity

May 22, 2018, 3:30 am

≫ Next: IBM and Containers and YouTube - what's not to like ?

≪ Previous: Using DB2 on the IBM Cloud from macOS

I was chatting to a colleague about this, and thought it'd be worth writing down for future reference.

He was asking about HTTP Session Affinity between a client/browser and a downstream WebSphere Application Server (WAS) cluster.

I explained that the WebSphere Plugin can leverage Session Affinity using the JSESSIONID cookie, as described here: -

Source: Webcast replay: WebSphere Application Server 6.1 Plug-in: Technical Overview

and this: -

Source: Webcast Replay: WebSphere Plug-in Session Affinity and Load Balancing

↧

IBM and Containers and YouTube - what's not to like ?

May 22, 2018, 7:53 am

≫ Next: How to use the IBM's Transformation Advisor on IBM Cloud Private

≪ Previous: WebSphere Application Server and HTTP Session Affinity

One of my friends drew my attention to Rob Pereen's YouTube channel: -

https://www.youtube.com/user/robpeeren/videos

which includes such gems as: -

IBM Cloud Private: The Next-Generation Application Server

https://www.youtube.com/watch?v=PpLeQ0Lp838

ODM on Docker, Kubernetes and IBM Cloud Private

https://www.youtube.com/watch?v=IJmaab0wo2g&t=2843s

Enjoy !!!!

↧

How to use the IBM's Transformation Advisor on IBM Cloud Private

May 27, 2018, 8:11 am

≫ Next: IBM Application Modernization Field Guide

≪ Previous: IBM and Containers and YouTube - what's not to like ?

Using the Transformation Advisor on IBM Cloud Private

The Transformation Advisor is a free developer tool to help you quickly evaluate on-premise Java EE apps for deployment to the cloud. This recipe describes how to use Transformation Advisor on ICP 2.1.

The Transformation Advisor application is available as additional free content on IBM Cloud Private v2.1. It has the capability to quickly evaluate your on-premise applications for rapid deployment on WebSphere Application Server and Liberty on Public and/or Private Cloud environments. On running the Transformation Advisor it will create a custom data collector which you download and run on your on-prem application server. The data collector identifies the Java EE programming models on the application server and creates a high-level inventory of the content and structure of each application and information about potential problems moving that application to the cloud. This information is used to determine the complexity of your applications. Transformation Advisor calculates a development cost to perform the move to cloud and makes recommendations on the best target environment.

The detailed reports include advice, suggestions, and best practices to ensure that the application runs correctly in the recommended cloud environment, enabling administrators to evaluate applications in minutes without accessing source code.

Transformation Advisor also now (since v1.4.0) helps to get you started making the move to cloud by automatically generating many of the artifacts you need to containerize and deploy your application to the cloud.

↧

IBM Application Modernization Field Guide

May 27, 2018, 8:26 am

≫ Next: Java Arguments - Can you say "Doofus" ?

≪ Previous: How to use the IBM's Transformation Advisor on IBM Cloud Private

IBM Application Modernization Field Guide

Introduction to IBM's app modernization approach that decreases time to market and simplifies deployments.

Business pressures demand faster time to market and app modernization. IBM can make this easy for you and bring immediate benefits:

• Accelerate digital transformation. App modernization is driven by the need to transform business to build new capabilities and deliver them quickly.

• Improve developer productivity. Enabling self service for developers through adoption of cloud native and containerization.

• Improve operational efficiency and standardization. DevOps enablement drives a culture of automation and transformation of operations.

Rewriting your entire estate is a pipe dream. Modernization comes in many flavors. IBM's skills and experience in middleware provide unique insights and approaches to modernize your existing estate with speed, confidence, and reduced risk. View your development investments as an asset, not a liability.

Refactor what's necessary, but don't necessarily refactor.

PDF here

↧

Java Arguments - Can you say "Doofus" ?

May 31, 2018, 5:52 am

≫ Next: Thinking about a multitier architecture on IBM Cloud Private?

≪ Previous: IBM Application Modernization Field Guide

In the context of my ongoing voyage of discovery that is IBM API Connect, I need to pass Basic Authentication credentials BUT as an HTTP header.

Therefore, I need to generate a suitably encoded header, as per RFC 7235, where the user ID and password are Base64 encoded.

https://tools.ietf.org/html/rfc7235

Whilst this is a useful online tool: -

https://www.blitter.se/utils/basic-authentication-header-generator/

I wanted a differently better way.

So I'm knocking up a Java class to calculate Authorization headers, using this: -

Adding header for HttpURLConnection

as source material.

Here's what I have: -

package com.ibm;

import java.util.Base64;

public class genAuthHeader
{
public static void main(String[] args)
{
String username = args[1];
String password = args[2];

System.out.println("Authorization header is " + buildBasicAuthorizationString(username,password));

}

public static
String buildBasicAuthorizationString(String username, String password)
{
String credentials = username + ":" + password;
return "Basic " + new String(Base64.getEncoder().encode(credentials.getBytes()));
}
}

Having created / compiled the class, using Eclipse, when I attempt to run it: -

java com.ibm.genAuthHeader user@foobar.com p455w0rd!

I get this: -

Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 2
at com.ibm.genAuthHeader.main(genAuthHeader.java:10)

Can anyone see where I went wrong ?

Yep ?

This is Java where array indices start at ZERO :-)

I changed my code: -

package com.ibm;

import java.util.Base64;

public class genAuthHeader
{
public static void main(String[] args)
{
String username = args[0];
String password = args[1];

System.out.println("Authorization header is " + buildBasicAuthorizationString(username,password));

}

public static
String buildBasicAuthorizationString(String username, String password)
{
String credentials = username + ":" + password;
return "Basic " + new String(Base64.getEncoder().encode(credentials.getBytes()));
}
}

and NOW it works: -

java com.ibm.genAuthHeader user@foobar.com p455w0rd!

Authorization header is Basic dXNlckBmb29iYXIuY29tOnA0NTV3MHJkIQ==

↧

Thinking about a multitier architecture on IBM Cloud Private?

June 1, 2018, 3:17 am

≫ Next: IBM Integration Bus and Cloudant - Baby steps ...

≪ Previous: Java Arguments - Can you say "Doofus" ?

There's a useful pair of articles pertaining to IBM Cloud Private: -

Thinking about a multitier architecture on IBM Cloud Private?

Decision service lifecycle on IBM Cloud Private

which may be of relevance to a client with whom I'm currently engaged …..

↧