Monday, 28 November 2016

Note to self - monitoring User Limits in GNU Linux

This came up last week, and is something that I need to keep an eye on.

These are some of the commands that one can/should use to monitor ulimit use on a Linux box: -

ps -eLf

ps -eTf

ps -Tp `pidof java`

top -H -p `pidof java`

pstree -p `pidof java`

for pid in $(pgrep java); do ls /proc/$pid/fd | wc -l; done
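
The commands above show usage but not the limit it counts against. As an added example (not from the original post), this script reads the soft limits from /proc/<pid>/limits and reports open file descriptors and per-user threads as a percentage of them; the function names and the 80% default threshold are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post. Linux only (/proc, procps ps).
# Reading /proc/PID/fd needs the same user as the process, or root.

# soft_limit NAME < limits-file -> soft value for NAME, e.g. "Max open files"
soft_limit() {
    awk -v name="$1" 'index($0, name) == 1 {
        split(substr($0, length(name) + 1), f, " "); print f[1] }'
}

# pct USED LIMIT -> integer percentage, or "n/a" for an unlimited/unknown limit
pct() {
    case "$2" in
        ''|unlimited) echo "n/a" ;;
        0) echo 100 ;;
        *) echo $(( $1 * 100 / $2 )) ;;
    esac
}

# report PID [WARN_PCT] -> one line per resource; status 1 if any is >= WARN_PCT
report() {
    pid=$1; warn=${2:-80}; rc=0
    fd_lim=$(soft_limit 'Max open files' < "/proc/$pid/limits")
    fd_use=$(ls "/proc/$pid/fd" | wc -l)
    # RLIMIT_NPROC ("Max processes") is counted per real user ID and includes
    # threads, so count every thread owned by that user, not just this process.
    uid=$(ps -o ruid= -p "$pid" | tr -d ' ')
    th_lim=$(soft_limit 'Max processes' < "/proc/$pid/limits")
    th_use=$(ps -L -U "$uid" -o lwp= | wc -l)
    for row in "open_files $fd_use $fd_lim" "threads_uid_$uid $th_use $th_lim"; do
        set -- $row
        p=$(pct "$2" "$3")
        echo "pid=$pid $1 used=$2 limit=$3 pct=$p"
        if [ "$p" != "n/a" ] && [ "$p" -ge "$warn" ]; then rc=1; fi
    done
    return "$rc"
}

# Usage: sh ulimit_report.sh java   (the process name is passed to pgrep)
if [ "$#" -gt 0 ]; then
    for pid in $(pgrep "$1"); do
        report "$pid" || echo "pid=$pid is near a limit"
    done
fi
```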


Friday, 25 November 2016

WebSphere Application Server - Managing Profiles and Server Names

This is in the context of managing profiles in WebSphere Application Server, using the manageprofiles.sh command.

A friend asked me how he could set the name of a specific server instance ( think JVM ) when he was creating a profile …

This is what I told him: -

/opt/ibm/WebSphere/AppServer/bin/manageprofiles.sh -profilePath /opt/ibm/WebSphere/AppServer/profiles/diesel -enableService false -nodeName chugger -serverName hst125 -profileName diesel -create -cellName trainsRcool -enableAdminSecurity false -hostName bpm857.uk.ibm.com -templatePath /opt/ibm/WebSphere/AppServer/profileTemplates/default

where I'm setting the following variants: -

-nodeName chugger

-serverName hst125

-profileName diesel

-cellName trainsRcool

So that's all good then ….

Apple Calendar - Dealing with Spam invitations

So I keep receiving spam calendar invitations to my Apple Calendar, on iOS and macOS, which is a nuisance.

Thankfully, I found this: -

<snip>
Log in to iCloud on the web, open your calendar, and go to ⚙ > Preferences. Under Advanced, you'll find an option to receive calendar invitations by email instead of straight into your calendar.
</snip>


<snip>
Ok so this works. Create a new calendar (Calendar/File/New Calendar) then open the bogus invite, you should see a drop down box; when you pull it down you'll see colour coded buttons for the original calendar/s and the new one - you can assign the invite to the new calendar by clicking on it (default name is 'new calendar'), then go to the sidebar (or click the top left button marked 'Calendars' if the sidebar isn't showing) and delete the new calendar. It takes a minute or two for the original calendar to update, but then it will be gone. And without replying to the invite! (I hammered all this out with an Apple online chat person, who at first told me to 'Decline' the invite, bad advice…)
</snip>

Q: How do I block spam calendar invites

which allowed me to do this: -


Note that I did NOT click on the default button, but instead chose Delete and Don't Notify.

Nice :-)

Friday, 18 November 2016

Windows 7 - An Update on Updates

Acting in my role as my family's IT Crowd representative, I ran an errand of mercy yesterday to help recover a Windows 7 PC that was failing to properly run up.

It was booting OK, but was tremendously slow, and its owner was unable to access the internet ( aka Internet Explorer ).

The PC hadn't been booted up for a month or so, and there were a series of overlapping issues, one of which was that the Norton Anti-Virus tool was (a) out-of-date and (b) expired.

In parallel, Windows Update hadn't run in a while, and the PC believed that it had not been updated since July :-( even though updates were last checked for in September :-(

Long story short, I had to manually update Windows via four specific fixes ( Knowledge Base articles ) : -


Windows6.1-KB3102810-x86.msu


Windows6.1-KB3172605-x86.msu


windows6.1-kb3197868-x86_654e073e00c76a3a7dd01dee8fc2e4fb9a75c931.msu


windows6.1-kb3197869-x86_179db4ad840757eeaba21c1838938e5d61217c73.msu

In each case, I found that the trick was to: -

(a) Disable the network interface ( having downloaded the fix, obviously )
(b) Stop the Windows Update Service (WUS) via the Services Control Panel ( services.msc )
(c) Install the fix
(d) Reboot

Once I finally managed to get Windows to update ( and the first of the above four helped with that, as it actually patches WUS ), it's all up-and-running, and Windows seems fairly happy ( as does Norton AV, once I renewed the subscription ).

Now to run SpinRite ...

Tuesday, 15 November 2016

Cool your hot entities in IBM ODM Decision Server Insights

This was authored by two of my IBM colleagues, Nigel Crowther and Jonathon Carr


In any high-volume event processing system, such as Decision Server Insights in IBM® Operational Decision Manager (ODM), an entity instance referenced by thousands of events is a "hot entity." Hot entities slow down processing, becoming the sole consumer of events within the system. This situation effectively reduces an entire multi-processing grid to wait for a single thread to complete.

This tutorial aims to help Decision Server Insights architects and developers build solutions without hot entities. Learn the causes of hot entities and tips to avoid them.

Book Review - OpenStack in Action by Cody Bumgardner

This is another of my semi-regular book reviews for the British Computer Society, who kindly provided me with a free copy of this book, in ePub format.

OpenStack in Action by Cody Bumgardner

Whether you call it serendipity or just-in-time, the timing of the offer to review this book was perfect, in that I was looking at OpenStack, in order to better understand and position it to my clients and peers.

Therefore, this book ticked all the right boxes for me, in terms of allowing me to get a context and deeper understanding of OpenStack ( and the related DevStack offering ).

Initially, Cody introduces OpenStack and its API, positioning alongside virtualisation, hypervisors, containerisation and public/private/hybrid clouds. He makes the point that OpenStack is built out of a "stack" of services, including storage, networking, security and orchestration.

Having set the scene, the book immediately jumps into a "hands-on" phase, walking the reader through the installation, setup and use of DevStack, on a provided VM, or via a native, custom build on a Linux distribution such as Ubuntu.

This does assume that the reader has some familiarity with Linux, but is a fairly safe bet given the potential audience of the book. Equally, the use of the so-called "companion" VM does help, if the objective is merely to get some hands-on with DevStack, without actually building it.

Post-DevStack, Cody then describes how OpenStack can be driven, most logically using the command-line interface (CLI). This is a useful section in that it provides the context and introduces aspects such as tenants, users and roles.

My only critique of this section is the page formatting, leastways in the ePub format that I was using: the font/size used is rather small, meaning that it's somewhat hard to read the listings, where the actual CLI commands are displayed.

The book continues by joining together the OpenStack components, aka services, highlighting the inter-dependencies and the security model, and outlining the relationship between OpenStack and 3rd party solutions, such as storage and networking.

During the second half of the book, Cody dives even more deeply into the setup of the major OpenStack components; this compares and contrasts nicely to the DevStack setup, and this section is very "hands-on", in terms of commands, projected output, results etc.

Again, the assumption is that the reader is going to be deeply engaged in the build, as well as the use, of an OpenStack cloud. It's also fair to say that an understanding of Linux and TCP/IP networking would be of use here.

By the end of this hands-on section, the reader will have a much deeper level of expertise with OpenStack, in terms of understanding both WHAT and HOW it does what it does.

Finally, Cody walks through what one needs to consider when delivering OpenStack into production, again focusing upon networking, storage topologies, automated HA provisioning, and, perhaps most importantly, cloud orchestration using Heat and Ubuntu Juju.

For me, I wanted to get an introduction to, and the context of, OpenStack, and this book was perfect for that. It also provided me with a good opportunity to get some hands-on experience with the product, both via DevStack and OpenStack itself.

As with all things, I'm usually ready to learn something when I need to learn something, and, as mentioned, the timing was perfect.

I now need to go and build something with OpenStack, ideally building upon what I already know.

So that's my next challenge ….

If you are looking to get an introduction into, and some hands-on with, OpenStack, as well as a more general deep-dive reference, then this is definitely the book for you.

Out of 10, I'd give this book a solid 9, and would recommend it to others.

WebSphere Application Server - Using Java to manage WAS via SOAP over HTTPS


This has come from a requirement to create a custom Java class to interact with the WAS Deployment Manager via SOAP over HTTPS.

The wrinkle comes because the target WAS cell is secured using: -
  • Transport Layer Security (TLS) 1.2
  • Strong ECDHE/GCM ciphers
  • Mutual Authentication
This is the relevant portion of the security.xml file: -

  <repertoire xmi:id="SSLConfig_1" alias="CellDefaultSSLSettings" managementScope="ManagementScope_1">
    <setting xmi:id="SecureSocketLayer_1" clientAuthentication="true" securityLevel="CUSTOM" enabledCiphers="SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384" jsseProvider="IBMJSSE2" sslProtocol="TLSv1.2" keyStore="KeyStore_1" trustStore="KeyStore_2" trustManager="TrustManager_2" keyManager="KeyManager_1"/>
  </repertoire>

And this is the code that I'm using to prove the concept: -

import java.util.*;
import javax.management.ObjectName;
import com.ibm.websphere.management.configservice.*;
import com.ibm.websphere.management.*;
import com.ibm.websphere.management.exception.ConnectorException;

class adminclient {
    public static void main(String[] args) throws ConnectorException {

        // Deployment Manager host name and SOAP connector port
        String hostName = args[0];
        String soapPort = args[1];

        // Connection settings; the TLS and credential details come from
        // ssl.client.props and soap.client.props
        Properties connectProps = new Properties();
        connectProps.setProperty(AdminClient.CONNECTOR_TYPE, AdminClient.CONNECTOR_TYPE_SOAP);
        connectProps.setProperty(AdminClient.CONNECTOR_HOST, hostName);
        connectProps.setProperty(AdminClient.CONNECTOR_PORT, soapPort);
        connectProps.setProperty(AdminClient.CONNECTOR_SECURITY_ENABLED, "true");
        connectProps.setProperty(AdminClient.CACHE_DISABLED, "false");

        AdminClient adminClient = null;
        try {
            adminClient = AdminClientFactory.createAdminClient(connectProps);
        } catch (Exception e) {
            System.out.println("Exception creating admin client: " + e);
            e.printStackTrace();
            return; // nothing to query without a connection
        }

        try {
            ConfigService configService = new ConfigServiceProxy(adminClient);
            Session session = new Session();

            // List every Server object in the cell configuration
            ObjectName[] servers = configService.resolve(session, "Server");
            System.out.println("Number of servers: " + servers.length);
            for (ObjectName server : servers) {
                System.out.println(server.getKeyProperty("_Websphere_Config_Data_Display_Name"));
            }
        } catch (Exception e) {
            System.err.println("An exception " + e + " occurred.");
        }
    }
}


To use this code, we set up two configuration files - soap.client.props and ssl.client.props - both of which were copied from the WAS configuration: -

soap.client.props

com.ibm.SOAP.securityEnabled=false
com.ibm.SOAP.authenticationTarget=BasicAuth
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword=passw0rd
com.ibm.SOAP.loginSource=prompt
com.ibm.SOAP.krb5ConfigFile=
com.ibm.SOAP.krb5CcacheFile=
com.ibm.SOAP.krb5Service=
com.ibm.SOAP.requestTimeout=180
com.ibm.ssl.alias=DefaultSSLSettings

ssl.client.props

com.ibm.ssl.defaultAlias=DefaultSSLSettings
com.ibm.ssl.performURLHostNameVerification=false
com.ibm.ssl.validationEnabled=false
com.ibm.security.useFIPS=false
com.ibm.jsse2.checkRevocation=false
com.ibm.security.enableCRLDP=false
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=TLSv1.2
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustManager=IbmPKIX
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.contextProvider=IBMJSSE2
com.ibm.ssl.enableSignerExchangePrompt=gui
com.ibm.ssl.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
com.ibm.ssl.keyStore=/home/wasadmin/key.p12
com.ibm.ssl.keyStorePassword=WebAS
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStoreProvider=IBMJCE
com.ibm.ssl.keyStoreFileBased=true

com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
com.ibm.ssl.trustStore=/home/wasadmin/trust.p12
com.ibm.ssl.trustStorePassword=WebAS
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreProvider=IBMJCE
com.ibm.ssl.trustStoreFileBased=true
com.ibm.ssl.trustStoreReadOnly=false
Note that the latter references: -
  1. the security settings, including TLS 1.2 and the two ECDHE/GCM ciphers
  2. a pair of PKCS12 ( .p12 ) files, copied from the Deployment Manager
In the case of the .p12 files, the first ( key.p12 ) contains a personal certificate, signed by the Deployment Manager, which is used to authenticate to the Deployment Manager ( hence Mutual Authentication or Client Authentication ).

The second .p12 file ( trust.p12 ) contains the WAS cell's signer certificate, which allows the client code to decrypt what's returned from the DM.
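
The two property files above carry settings worth checking before they leave a proof of concept: hostname verification is off, both stores use the WebAS password, and the SOAP login password is in clear text. As an added example (not part of the original post or of WAS), this script flags those three conditions; the function names and finding messages are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: lint WAS client property files.

# prop KEY FILE -> value of KEY in a Java-style properties file (last one wins)
prop() {
    awk -v k="$1" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { sub(/[ \t\r]+$/, "", v); print v }' "$2"
}

# check_password KEY FILE -> prints a finding for a default or cleartext value
check_password() {
    v=$(prop "$1" "$2")
    case "$v" in
        '')       ;;   # not set, nothing stored in the file
        WebAS)    echo "FINDING: $1 is the default WebAS password" ;;
        '{xor}'*) ;;   # WAS-encoded value (obfuscation only, not encryption)
        *)        echo "FINDING: $1 is stored in clear text" ;;
    esac
}

# audit_client_props SSL_PROPS SOAP_PROPS -> findings on stdout, status 1 if any
audit_client_props() {
    out=$(
        if [ "$(prop com.ibm.ssl.performURLHostNameVerification "$1")" != "true" ]; then
            echo "FINDING: hostname verification is off; the server name is not checked against its certificate"
        fi
        check_password com.ibm.ssl.keyStorePassword "$1"
        check_password com.ibm.ssl.trustStorePassword "$1"
        check_password com.ibm.SOAP.loginPassword "$2"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Run against real files when two paths are given on the command line.
if [ "$#" -eq 2 ]; then audit_client_props "$1" "$2"; fi
```

Run it as `sh audit_props.sh /home/wasadmin/ssl.client.props /home/wasadmin/soap.client.props`; a non-zero exit status means at least one finding.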

Finally, this is how I compiled the code: -

source /opt/ibm/WebSphereProfiles/Dmgr01/bin/setupCmdLine.sh
javac -cp /opt/ibm/WebSphere/AppServer/runtimes/com.ibm.ws.admin.client_8.5.0.jar:/opt/ibm/WebSphere/AppServer/plugins/com.ibm.ws.security.crypto.jar:/opt/ibm/WebSphere/AppServer/plugins/com.ibm.ffdc.jar adminclient.java

( the first command updates the Linux shell to use the WAS Java SDK etc. )

and this is how I execute the code: -

java -Dcom.ibm.SSL.ConfigURL=file:/home/wasadmin/ssl.client.props -Dcom.ibm.SOAP.ConfigURL=file:/home/wasadmin/soap.client.props -cp /opt/ibm/WebSphere/AppServer/runtimes/com.ibm.ws.admin.client_8.5.0.jar:/opt/ibm/WebSphere/AppServer/plugins/com.ibm.ws.security.crypto.jar:/opt/ibm/WebSphere/AppServer/plugins/com.ibm.ffdc.jar:/home/wasadmin adminclient bpm857.uk.ibm.com 8879

and this is what it returns: -

Nov 15, 2016 7:29:58 AM com.ibm.ws.management.connector.interop.JMXClassLoader
WARNING: Could not find tmx4jTransform.jar in null/etc/tmx4jTransform.jar - Interoperability to older versions of WebSphere is disabled
Nov 15, 2016 7:29:58 AM com.ibm.ws.ssl.config.SSLConfigManager
INFO: CWPKI0027I: Disabling default hostname verification for HTTPS URL connections.
Nov 15, 2016 7:29:58 AM com.ibm.ws.security.config.SecurityObjectLocator
INFO: CWSCF0002I: The client code is attempting to load the security configuration the server and this operation is not allowed.
Nov 15, 2016 7:29:59 AM com.ibm.ws.security.config.SecurityObjectLocator
INFO: CWSCF0002I: The client code is attempting to load the security configuration the server and this operation is not allowed.
Number of servers: 5
dmgr
MEClusterMember1
SupClusterMember1
AppClusterMember1
nodeagent


Not the most exciting class - it's just a list of nodes - but it allows me to prove the plumbing.

Sidebar - having enabled Mutual Authentication (MA), I've now locked myself out of the Deployment Manager via a web browser, as my browser doesn't have a personal certificate that WAS trusts. Therefore, I see this: -



which is nice :-)