The last blog post for today, I promise.
I was seeing this: -
[10/Nov/2015:20:58:15.05163] 0000f090 061fc700 - PLUGIN: ws_common: websphereShouldHandleRequest: Config was successfully reloaded
[10/Nov/2015:20:58:16.28930] 0000f75e 07fff700 - PLUGIN: ws_common: websphereShouldHandleRequest: Config was successfully reloaded
[10/Nov/2015:21:03:07.80560] 0000f090 039f8700 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_SOCKET_CLOSED(gsk rc = 420) PARTNER CERTIFICATE DN=No Information Available, Serial=No Information Available
[10/Nov/2015:21:03:07.81064] 0000f090 039f8700 - ERROR: ws_common: websphereGetStream: Could not open stream
[10/Nov/2015:21:03:07.81073] 0000f090 039f8700 - ERROR: ws_common: websphereExecute: Failed to create the stream
[10/Nov/2015:21:03:07.81075] 0000f090 039f8700 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'Node1_AppClusterMember1' on host 'nemdemo.uk.ibm.com:9443'; will try another one
[10/Nov/2015:21:03:07.81076] 0000f090 039f8700 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find an app server to handle this request
[10/Nov/2015:21:03:07.81098] 0000f090 039f8700 - ERROR: ESI: getResponse: failed to get response: rc = 2
[10/Nov/2015:21:03:07.81115] 0000f090 039f8700 - ERROR: ws_common: websphereHandleRequest: Failed to handle request
[10/Nov/2015:21:03:52.12777] 0000fa1c 7395a700 - PLUGIN: Plugins loaded.
when attempting to connect to IBM BPM's Process Center URL via IBM HTTP Server / WebSphere Plugin, where I'm using Transport Layer Security (TLS) 1.2 between the Plugin and WAS.
This IBM APAR helped: -
which mentioned: -
A property was added to allow plugin to enable security compatible with the application server strict server setting.
To enable this property, set StrictSecurity=true on the webserver-><servername>->Plug-in properties->Customer Properties window.
Thus I changed the plugin configuration file: -
vi /opt/ibm/WebSphere/Plugins/config/webserver1/plugin-cfg.xml
Change from: -
<?xml version="1.0" encoding="ISO-8859-1"?><!--HTTP server plugin config file for the webserver PCCell1.Node1.webserver1 generated on 2015.11.10 at 08:45:54 PM GMT-->
<Config ASDisableNagle="false" AcceptAllContent="true" AppServerPortPreference="HostHeader" ChunkedResponse="false" FIPSEnable="false" FailoverToNext="false" HTTPMaxHeaders="300" IISDisableFlushFlag="false" IISDisableNagle="false" IISPluginPriority="High" IgnoreDNSFailures="false" KillWebServerStartUpOnParseErr="false" MarkBusyDown="false" OS400ConvertQueryStringToJobCCSID="false" RefreshInterval="60" ResponseChunkSize="64" SSLConsolidate="true" StrictSecurity="false" TrustedProxyEnable="false" VHostMatchingCompat="false">
<Log LogLevel="Error" Name="/opt/ibm/WebSphere/Plugins/logs/webserver1/http_plugin.log"/>
to: -
<?xml version="1.0" encoding="ISO-8859-1"?><!--HTTP server plugin config file for the webserver PCCell1.Node1.webserver1 generated on 2015.11.10 at 08:45:54 PM GMT-->
<Config ASDisableNagle="false" AcceptAllContent="true" AppServerPortPreference="HostHeader" ChunkedResponse="false" FIPSEnable="false" FailoverToNext="false" HTTPMaxHeaders="300" IISDisableFlushFlag="false" IISDisableNagle="false" IISPluginPriority="High" IgnoreDNSFailures="false" KillWebServerStartUpOnParseErr="false" MarkBusyDown="false" OS400ConvertQueryStringToJobCCSID="false" RefreshInterval="60" ResponseChunkSize="64" SSLConsolidate="true" StrictSecurity="true" TrustedProxyEnable="false" VHostMatchingCompat="false">
<Log LogLevel="Error" Name="/opt/ibm/WebSphere/Plugins/logs/webserver1/http_plugin.log"/>
and restarted IHS.
Once done, it worked like a treat.
I do, of course, need to make the same change within the WAS cell, and then regenerate / propagate the Plugin Configuration.
However, that's tomorrow's job :-)
*UPDATE*
This is the Jython that I used to set the StrictSecurity property to true : -
AdminConfig.create('Property', '(cells/'+cellID+'/nodes/Node1/servers/webserver1|server.xml#PluginProperties_1447187986151)', '[[validationExpression ""] [name "StrictSecurity"] [description ""] [value "true"] [required "false"]]')
*UPDATE*
Having done this, I simply generated/propagated the Plugin configuration: -
AdminControl.invoke('WebSphere:name=PluginCfgGenerator,process=dmgr,platform=common,node=Dmgr,version=8.5.5.4,type=PluginCfgGenerator,mbeanIdentifier=PluginCfgGenerator,cell='+cellID+',spec=1.0', 'generate', '[/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/config '+cellID+' Node1 webserver1 false]', '[java.lang.String java.lang.String java.lang.String java.lang.String java.lang.Boolean]')
AdminControl.invoke('WebSphere:name=PluginCfgGenerator,process=dmgr,platform=common,node=Dmgr,version=8.5.5.4,type=PluginCfgGenerator,mbeanIdentifier=PluginCfgGenerator,cell='+cellID+',spec=1.0', 'propagate', '[/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/config '+cellID+' Node1 webserver1]', '[java.lang.String java.lang.String java.lang.String java.lang.String]')
and we're good to go.
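To spot this failure pattern in http_plugin.log without reading it by eye, the following added example (not part of the original post) pairs each r_gsk_secure_soc_init error with the backend named on the same process/thread IDs. The sample lines are copied from the log quoted above, and the function names are this example's own.

```python
import re

# Sample copied from the log lines quoted in the post; the last line keeps two
# entries fused together, so entries are matched by header, not split on newlines.
SAMPLE_LOG = """\
[10/Nov/2015:20:58:15.05163] 0000f090 061fc700 - PLUGIN: ws_common: websphereShouldHandleRequest: Config was successfully reloaded
[10/Nov/2015:21:03:07.80560] 0000f090 039f8700 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_SOCKET_CLOSED(gsk rc = 420) PARTNER CERTIFICATE DN=No Information Available, Serial=No Information Available
[10/Nov/2015:21:03:07.81064] 0000f090 039f8700 - ERROR: ws_common: websphereGetStream: Could not open stream
[10/Nov/2015:21:03:07.81075] 0000f090 039f8700 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'Node1_AppClusterMember1' on host 'nemdemo.uk.ibm.com:9443'; will try another one
[10/Nov/2015:21:03:07.81115] 0000f090 039f8700 - ERROR: ws_common: websphereHandleRequest: Failed to handle request[10/Nov/2015:21:03:52.12777] 0000fa1c 7395a700 - PLUGIN: Plugins loaded.
"""

# One entry: [timestamp] pid tid - LEVEL: message (up to the next header or EOF).
ENTRY = re.compile(
    r"\[(?P<ts>\d{2}/\w{3}/\d{4}:[\d:.]+)\] (?P<pid>[0-9a-f]{8}) (?P<tid>[0-9a-f]{8})"
    r" - (?P<level>\w+): (?P<msg>.*?)(?=\[\d{2}/\w{3}/\d{4}:|\Z)", re.S)
GSK = re.compile(r"r_gsk_secure_soc_init: (?P<name>GSK_\w+)\(gsk rc = (?P<rc>\d+)\)")
TARGET = re.compile(r"transaction to '(?P<server>[^']+)' on host '(?P<host>[^']+)'")


def parse_entries(text):
    """Return every log entry as a dict, including entries fused onto one line."""
    return [{**m.groupdict(), "msg": m.group("msg").strip()}
            for m in ENTRY.finditer(text)]


def handshake_failures(text):
    """Pair each GSKit handshake error with the backend it was trying to reach."""
    pending = {}    # (pid, tid) -> failure record still waiting for its target line
    failures = []
    for e in parse_entries(text):
        key = (e["pid"], e["tid"])
        gsk = GSK.search(e["msg"])
        if e["level"] == "ERROR" and gsk:
            rec = {"ts": e["ts"], "error": gsk["name"], "rc": int(gsk["rc"]),
                   "server": None, "host": None}
            pending[key] = rec
            failures.append(rec)
            continue
        target = TARGET.search(e["msg"])
        if target and key in pending:
            rec = pending.pop(key)
            rec["server"], rec["host"] = target["server"], target["host"]
    return failures


if __name__ == "__main__":
    for f in handshake_failures(SAMPLE_LOG):
        print(f["ts"], f["error"], f["rc"], f["server"], f["host"])
```
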