Tuesday, 9 February 2016

More on CTGSK3039W Certificate request “ibmbpm.uk.ibm.com" could not be created.

Following on from an earlier post: -


I saw the same problem earlier today.

This time around, the problem was simpler to resolve.

I'd previously created a Certificate Request: -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create - db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname ihs1.uk.ibm.com,ihs1,ihs2.uk.ibm.com,ihs2

Alas, I had to re-run the Cert. Req. process because the first certificate had failed validation, within a browser ( IE 11 ), because I'd neglected to include the Service Name ( aka VIP ) in the Subject Alternate Name (SAN) field.

For the record, this tied up with an issue I saw last year: -


So I re-ran the Cert. Req. process

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create - db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname ihs1.uk.ibm.com,ihs1,ihs2.uk.ibm.com,ihs2,ibmbpm.uk.ibm.com

Alas, this failed: -

CTGSK3039W Certificate request "ibmbpm.uk.ibm.com" could not be created.

After some trial, a bit of error, and some success …. I found the solution.

The problem was that, whilst this was a newish Certificate Request ( I no longer had any Cert Reqs in the KDB ) : -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -stashed

No certificate requests were found

the label field used in the Certificate Request is more important than I'd realised.

In essence, the certificate that I added to the KDB as a result of the Cert. Req. was still in the KDB, with the same label - ibmbpm.uk.ibm.com.

I proved this by creating a Cert. Req. with a different label: -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create - db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com2 -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname ihs1.uk.ibm.com,ihs1,ihs2.uk.ibm.com,ihs2,ibmbpm.uk.ibm.com

Having realised this, I removed the certificate from the KDB, re-ran the Cert. Req. process using the original label, and we're all good to go.

Saturday, 6 February 2016

IBM BPM - Process Federation Server Tutorial

This on developerWorks: -


Learn how to install and configure the IBM® Process Federation Server to work with two back-end IBM Business Process Manager (BPM) systems. Give your IBM BPM process users a single point of access to all their tasks.

With the different development paths for Business Process Choreographer and Business Process Designer in IBM BPM, varied deployment environments, and coexistence of multiple product versions, the demand for one user interface for interacting with tasks related to both business process definitions (BPDs) and Business Process Execution Language (BPEL) is becoming more urgent.

With a single task list user interface, the users of your process applications can work on individual tasks, unaware of the different and complex back-end systems.

IBM Process Federation Server is based on the IBM WebSphere Application Server Liberty Profile server. It provides application programming interface (API) access to lists of resources that are federated across IBM BPM systems, such as the task list and launch list. It includes the distributed index for the federated environment that is based on an Elasticsearch service. The Elasticsearch service provides fast access to federated resources, and relieves federated IBM BPM systems from expensive queries.

Thursday, 4 February 2016

IBM BPM - General SSLEngine problem

I saw this earlier today: -

...
com.ibm.websphere.sca.ServiceRuntimeException: <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Fault><faultcode>soapenv:Server</faultcode><faultstring>javax.net.ssl.SSLHandshakeException: General SSLEngine problem</faultstring></soapenv:Fault></soapenv:Body>

whilst trying to test a newly created IBM BPM component.

I'm using IBM Integration Designer (IID), which has a built-in Integration Test Environment (ITE), which is really just a standalone, single server BPM Process Server.

My BPM component, an SCA module, makes a call to a Web Service hosted on a separate, external, IBM ODM Rules Decision Server ( aka Hosted Transparent Decision Service ) : -


Given that I was making a call from one WAS to another, I worked on the assumption that SSL was the problem - yes, the message does kinda imply that.

I proved this by updating the binding of the BPM SCA Import component from the HTTPS URL to: -


This, of course, worked, thus validating my hypothesis.

I then retrieved the SSL Signer Certificate that the ODM Decision Server  presented into the WAS trust store: -

cellID=AdminControl.getCell() 
AdminTask.retrieveSignerFromPort('[-keyStoreName NodeDefaultTrustStore -keyStoreScope (cell):'+cellID+' -host odm851.uk.ibm.com -port 9444 -certificateAlias ODM -sslConfigScopeName (cell):'+cellID+' ]') 
AdminConfig.save() 
AdminNodeManagement.syncActiveNodes() 


and re-tried my BPM process.

This time, of course, it worked OK :-)

Easy when you know how :-)

Friday, 29 January 2016

DB2 ate my database, well, actually it was the disk monster

I saw this today: -

[29/01/16 18:51:34:031 GMT] 00000001 WSRdbDataSour I   DSRA8208I: JDBC driver type  : 4
[29/01/16 18:51:34:047 GMT] 00000001 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on C:\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\ffdc\server1_b282bac_16.01.29_18.51.34.0471036725969790999288.txt com.ibm.bpm.migration.database.ValidateDatabaseVersion.verifyStandardDB 102
[29/01/16 18:51:34:047 GMT] 00000001 WsServerImpl  E   WSVR0009E: Error occurred during startup
com.ibm.ws.exception.RuntimeError: Failed to query the BPM version from database [jdbc/PerformanceDB]. Please check the ffdc log for detail information. 
For fresh installation scenario, please run the database initialization scripts under the corresponding database schema first; for upgrade or migration scenario, please upgrade your database to match with current product version first.

during the startup of a standalone IBM BPM Advanced 8.5.6 environment.

I'd just built the environment, as part of a setup of an IBM Integration Designer (IID) development environment.

Thankfully it didn't take me long to work out what had gone wrong ….

During the build of the DB2 databases, my Windows VM had run out of disk space; apparently 40 GB isn't enough :-) Mind you, I've also got IBM Operational Decision Manager installed, as I've been learning how to write Hello World, the ODM Rule ( that's another post for another day ).

Once I increased disk space ( thanks, VMware Fusion ) to 60 GB, and restarted Windows, I dropped the PDWDB database: -

db2 drop db PDWDB

and then recreated it: -

cd c:\Program Files (x86)\IBM\WebSphere\AppServer\profiles\AppSrv01\dbscripts\ProcessServer\DB2\PDWDB
createDatabase.bat
db2 connect to pdwdb
db2 -tvf createSchema_Advanced.sql
db2 terminate


I then restarted the Deployment Environment: -

"c:\Program Files (x86)\IBM\WebSphere\AppServer\bin\BPMConfig.bat" -start -de ProcessServer -profileName AppSrv01

and we're all good now.

Right, time to test Hello World, the SCA Module :-)

Thursday, 14 January 2016

WebSphere Liberty Profile - Tinkering with SSL TLS

I went through this process last evening, and thought that sharing it MIGHT be of interest :-)

Check What's Installed

/opt/IBM/InstallationManager/eclipse/tools/imcl listInstalledPackages

com.ibm.cic.agent_1.8.2000.20150303_1526
com.ibm.websphere.liberty.v85_8.5.5000.20130514_1313

Create a WLP Server

/opt/IBM/WebSphere/Liberty/bin/server create davehay

Server davehay created.

Create a SSL Keystore and Self-Signed Certificate

/opt/IBM/WebSphere/Liberty/bin/securityUtility createSSLCertificate --server=davehay --password=passw0rd --validity=365

Creating keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks

Created SSL certificate for server davehay

Add the following lines to the server.xml to enable SSL:

    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />

Add SSL support to Server Configuration

vi /opt/IBM/WebSphere/Liberty/usr/servers/davehay/server.xml 

Append: -

    <featureManager>
                  <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />

Update Server Configuration to reflect hostname

vi /opt/IBM/WebSphere/Liberty/usr/servers/davehay/server.xml 

Change: -

    <httpEndpoint id="defaultHttpEndpoint"
                  host="localhost"
                  httpPort="9080"
                  httpsPort="9443" />

to: -

    <httpEndpoint id="defaultHttpEndpoint"
                  host="mta2015a.uk.ibm.com"
                  httpPort="9080"
                  httpsPort="9443" />

Start WLP Server

/opt/IBM/WebSphere/Liberty/bin/server start davehay

Starting server davehay.
Server davehay started with process ID 3962.

Test Connectivity ( via HTTP )

From Linux


--2016-01-13 19:22:37--  http://mta2015a.uk.ibm.com:9080/
Resolving mta2015a.uk.ibm.com... 192.168.153.128
Connecting to mta2015a.uk.ibm.com|192.168.153.128|:9080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4725 (4.6K)
Saving to: `index.html'

100%[==================================================================================================================================================================>] 4,725       --.-K/s   in 0s      

2016-01-13 19:22:37 (625 MB/s) - `index.html' saved [4725/4725]

wget --no-check-certificate https://mta2015a.uk.ibm.com:9443/

--2016-01-13 19:24:54--  https://mta2015a.uk.ibm.com:9443/
Resolving mta2015a.uk.ibm.com... 192.168.153.128
Connecting to mta2015a.uk.ibm.com|192.168.153.128|:9443... connected.
WARNING: cannot verify mta2015a.uk.ibm.com's certificate, issued by `/C=us/O=ibm/OU=davehay/CN=localhost':
  Self-signed certificate encountered.
    WARNING: certificate common name `localhost' doesn't match requested host name `mta2015a.uk.ibm.com'.
HTTP request sent, awaiting response... 200 OK
Length: 4725 (4.6K)
Saving to: `index.html.2'

100%[==================================================================================================================================================================>] 4,725       --.-K/s   in 0s      

2016-01-13 19:24:54 (1.01 GB/s) - `index.html.2' saved [4725/4725]

List Content of Keystore

keytool -list -v -keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -storepass passw0rd

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: default
Creation date: 13-Jan-2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=davehay, O=ibm, C=us
Issuer: CN=localhost, OU=davehay, O=ibm, C=us
Serial number: 3559914d
Valid from: Wed Jan 13 19:06:46 GMT 2016 until: Thu Jan 12 19:06:46 GMT 2017
Certificate fingerprints:
MD5:  6D:26:90:BA:50:1C:3B:8B:28:73:C0:68:F0:16:AA:13
SHA1: 41:75:D6:93:20:BA:10:EB:F3:FE:B9:20:91:48:45:BC:8D:50:3E:FA
SHA256: FA:94:A3:3A:55:99:2F:80:98:85:A1:09:C8:F8:6F:BC:C1:5A:7D:C2:53:03:C4:4F:9D:A1:2E:D9:6B:3D:36:2D
Signature algorithm name: SHA1withRSA
Version: 3

Create New Self-Signed Certificate

/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -genkey -alias selfsigned -keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -storepass passw0rd -validity 360 -keysize 2048 -dname CN=mta2015a.uk.ibm.com,DC=UK,DC=IBM,DC=COM -sigAlg SHA256withRSA -keyAlg RSA

List Content of Keystore

keytool -list -v -keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -storepass passw0rd

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: default
Creation date: 13-Jan-2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=davehay, O=ibm, C=us
Issuer: CN=localhost, OU=davehay, O=ibm, C=us
Serial number: 3559914d
Valid from: Wed Jan 13 19:06:46 GMT 2016 until: Thu Jan 12 19:06:46 GMT 2017
Certificate fingerprints:
MD5:  6D:26:90:BA:50:1C:3B:8B:28:73:C0:68:F0:16:AA:13
SHA1: 41:75:D6:93:20:BA:10:EB:F3:FE:B9:20:91:48:45:BC:8D:50:3E:FA
SHA256: FA:94:A3:3A:55:99:2F:80:98:85:A1:09:C8:F8:6F:BC:C1:5A:7D:C2:53:03:C4:4F:9D:A1:2E:D9:6B:3D:36:2D
Signature algorithm name: SHA1withRSA
Version: 3
Alias name: selfsigned
Creation date: 13-Jan-2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=mta2015a.uk.ibm.com, DC=UK, DC=IBM, DC=COM
Issuer: CN=mta2015a.uk.ibm.com, DC=UK, DC=IBM, DC=COM
Serial number: 5696bab3
Valid from: Wed Jan 13 20:59:31 GMT 2016 until: Sat Jan 07 20:59:31 GMT 2017
Certificate fingerprints:
MD5:  B4:9C:EC:1F:D3:82:88:5F:33:CB:26:63:A8:7F:65:4E
SHA1: 7C:21:43:87:32:3F:66:FE:E4:CA:06:7D:50:C6:F5:91:A4:41:02:40
SHA256: C5:0B:93:B1:64:F1:13:C2:A6:D7:9E:95:88:FE:80:7F:1F:8F:F5:3A:10:BE:93:0F:9C:9C:21:05:D0:06:70:FA
Signature algorithm name: SHA256withRSA
Version: 3

/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -pw passw0rd

Certificates in database /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks:
   default
   selfsigned

Update Server Configuration to reflect new certificate

vi /opt/IBM/WebSphere/Liberty/usr/servers/davehay/server.xml 

Add/amend: -

    <sslDefault sslRef="defaultSSLSettings" />
    <ssl id="defaultSSLSettings"
         keyStoreRef="defaultKeyStore"
     serverKeyAlias="selfsigned" />
    <keyStore id="defaultKeyStore" 
         location="key.jks"
         type="jks"
         password="passw0rd" />

Stop WLP Server

/opt/IBM/WebSphere/Liberty/bin/server stop davehay

Stopping server davehay.
Server davehay stopped.

Start WLP Server

/opt/IBM/WebSphere/Liberty/bin/server start davehay

Starting server davehay.
Server davehay started with process ID 16945.

Test Connectivity ( via HTTPS )

From Linux

wget --no-check-certificate https://mta2015a.uk.ibm.com:9443/

--2016-01-13 20:51:53--  https://mta2015a.uk.ibm.com:9443/
Resolving mta2015a.uk.ibm.com... 192.168.153.128
Connecting to mta2015a.uk.ibm.com|192.168.153.128|:9443... connected.
WARNING: cannot verify mta2015a.uk.ibm.com's certificate, issued by `/DC=COM/DC=IBM/DC=UK/CN=mta2015a.uk.ibm.com':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 4725 (4.6K)
Saving to: `index.html.5'

100%[==================================================================================================================================================================>] 4,725       --.-K/s   in 0s      

2016-01-13 20:51:53 (416 MB/s) - `index.html.5' saved [4725/4725]

Inspect Self-Signed Certificate

openssl s_client -showcerts -connect mta2015a.uk.ibm.com:9443 </dev/null

Server certificate
subject=/DC=COM/DC=IBM/DC=UK/CN=mta2015a.uk.ibm.com
issuer=/DC=COM/DC=IBM/DC=UK/CN=mta2015a.uk.ibm.com
---
No client certificate CA names sent
Server Temp Key: DH, 768 bits
---
SSL handshake has read 1573 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA256
    Session-ID: 5696BB3015905180F9175410E9B677F5F5F4B7BC7C7A4C0B3BA986AD0D48BD23
    Session-ID-ctx: 
    Master-Key: 06A29B8AAFC260B798511B29AAA52D3E876E75B897444E146DFA3DC5E50F4D29382E5E26E4EC8E5221E31084DA2B2F03
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1452718896
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

Friday, 8 January 2016

IBM ODM Rules - "Scope reference is invalid"

I saw this today: -

whilst trying to deploy my HelloWorld Rules application ( RulesApp ) from Decision Center to Decision Server ( both on 8.5.1.2 ).

I also noticed that my project, as imported from a .ZIP file into Decision Center, was missing the Business Rules ( of which I only have one, Hello World !! ): -


I spoke to one of my colleagues, an ODM Rules Jedi Master, who suggested that the problem might be with locale.

As soon as he said that, I remembered how this goes - 'cos I have seen this before, albeit from the other side.

When one first installs a Decision Center, the default locale is en_US aka English (United States ), and it's common for this NOT to be changed.

However, if one uses Rule Designer on, say, a Windows desktop that's set to default to the English (United Kingdom) then all Rule applications are automatically created with the en_GB locale.

Whilst I know that this can be changed via the Installation Settings Wizard ( either post-installation or via the Configure tab ) : -



it DOES require the Decision Center repository to be EMPTY i.e. containing NO projects.

Given that my client already had several projects deployed, that wasn't an option, leastways in the short term.

Jedi Master Jonathon then explained how I could work around the problem, from the other side - Rule Designer.

Option one - do it properly

Read the IBM Knowledge Centre - Opening Rule Designer in a specific locale - which describes how to add the following parameter : -

osgi.nl=en_US

to: -

C:\IBM\ODM87\configuration\config.ini

Option two - do it hackily

Manually edit the Rule(s)

vi HelloWorld.brl

and change from: -

  <name>HelloWorld</name>
  <uuid>1254da3e-6164-4ff8-8bbe-1cbe49fd715a</uuid>
  <locale>en_GB</locale>
  <definition><![CDATA[definitions
        set 'the message' to "Hello " + 'the request' ;
then
    set 'the response' to 'the message' ;
    print 'the message' ;
    ]]></definition>


to: -

  <name>HelloWorld</name>
  <uuid>1254da3e-6164-4ff8-8bbe-1cbe49fd715a</uuid>
  <locale>en_US</locale>
  <definition><![CDATA[definitions
        set 'the message' to "Hello " + 'the request' ;
then
    set 'the response' to 'the message' ;
    print 'the message' ;
    ]]></definition>


before re-importing the project into Decision Center.

I chose Option 2 in the short-term, but wouldn't, of course, recommend that to anyone else :-)

For the record, the Diagnostics page within Decision Center also highlighted the locale issue: -


In other words, my Ruleflow was using en_GB whereas the Wizard showed me that Decision Center was using en_US.

CRIMA1174E ERROR There is already a package installed

I saw this one today: -

CRIMA1154E ERROR: Error installing.

  CRIMA1174E ERROR:   There is already a package installed at "/opt/IBM/ODM851" in the "Operational Decision Manager" package group.  The installation directory for the new "Operational Decision Manager V8.5.1" package group must not be the same as a previously used installation directory.

  CRIMA1174E ERROR:   There is already a package installed at "/opt/IBM/ODM851" in the "Operational Decision Manager" package group.  The installation directory for the new "Operational Decision Manager V8.5.1" package group must not be the same as a previously used installation directory.


whilst trying to update IBM Operational Decision Manager Rules from 8.5.1.0 to 8.5.1.2 

This came as a surprise, as I'd run through this process on my own environment a number of times, and was re-using a response file that I'd prepared earlier.

I fired up the IBM Installation Manager command line tool: -

/opt/IBM/InstallationManager/eclipse/tools/imcl -c

=====> IBM Installation Manager

Select:
     1. Install - Install software packages
     2. Update - Find and install updates and fixes to installed software packages
     3. Modify - Change installed software packages
     4. Roll Back - Revert to an earlier version of installed software packages
     5. Uninstall - Remove installed software packages

Other Options:
     L. View Logs
     S. View Installation History
     V. View Installed Packages
        ------------------------
     P. Preferences
        ------------------------
     A. About IBM Installation Manager
        ------------------------
     X. Exit Installation Manager

——>

and chose V. View Installed Packages : -

=====> IBM Installation Manager> Installed Packages

View the following installed packages and fixes. Enter the number to see the details of a package group, package, or fix.
     1-. IBM WebSphere Application Server V8.5
       2. IBM WebSphere Application Server Network Deployment 8.5.5.0
     3-. Operational Decision Manager
       4. Decision Center 8.5.1000.20131113_1624
       5. Decision Server 8.5.1000.20131113_1713
       6. Profile templates for WebSphere Application Server 8.5.1.0

Other Options:
     O. OK

-----> [O] 


and realised where I was going wrong.

I had ODM installed in the package group Operational Decision Manager whereas my response file ( created on a different system ) had: -

  <profile id='Operational Decision Manager V8.5.1' installLocation='/opt/IBM/ODM851'>
    <data key='eclipseLocation' value='/opt/IBM/ODM851'/>
    <data key='user.import.profile' value='false'/>
    <data key='cic.selector.os' value='linux'/>
    <data key='cic.selector.arch' value='x86_64'/>
    <data key='cic.selector.ws' value='gtk'/>
    <data key='user.wodm_express' value='false'/>
    <data key='cic.selector.nl' value='en'/>
    <data key='user.wodm_was_home' value='/opt/IBM/WebSphere/AppServer'/>
  </profile>
  <install modify='false'>
    <offering profile='Operational Decision Manager V8.5.1' id='com.ibm.websphere.odm.dc.v85' version='8.5.1002.20150119-1502' features='jdk,base,Decision Center' installFixes='none'/>
    <offering profile='Operational Decision Manager V8.5.1' id='com.ibm.websphere.odm.ds.v85' version='8.5.1002.20150119-1502' features='com.ibm.wds.jdk.feature,base,com.ibm.wds.rules.studio.feature,com.ibm.wds.rules.res.feature' installFixes='none'/>
  </install>


Once I changed the response file, all went well.

PS It's also worth noting that it's important to change the references to the Package Group THROUGHOUT the response file, or one ends up with a NEW copy of ODM installed under, say, /opt/IBM/ODM851_1 :-)