Friday, 28 May 2010

Lotus Connections 2.5.0.2 Fixpack Released

Picked up via Chris Whisonant on Twitter, that the latest fix pack for Lotus Connections 2.5, namely 2.5.0.2, has just been released.

The Fix List and Installation Instructions are here: -


including a new Update Installer, documented here: -


( interim fix: download.updii.2502.multi.00001 )

LTPA and WAS 6.1 Clusters

Hmmm, whilst importing a new LTPA token into my WAS 6.1.0.29 cluster of Lotus Connections 2.5.0.1, having generated/exported it from my WAS 6.1.0.27 cluster of WebSphere Portal 6.1.5, I then found that I couldn't synchronise my two WAS nodes from the Deployment Manager.

I was seeing: -

00002a04 NodeSync E ADMS0005E: The system is unable to generate synchronization request:
javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getRepositoryEpoch operation on ConfigRepository MBean because of insufficient or empty credentials.


etc.

After some digging through the logs, and Googling, I found this Technote: -


which, in essence, required me to turn off automatic LTPA token generation, not a bad thing in itself, and then remove the temporary files under temp, wstemp and config/temp in my Deployment Manager, before forcing the nodes to resynchronise using the syncNode.sh script.


Removing files with hyphenated filenames in Linux

I was trying to remove a strangely named directory under my WebSphere Application Server Deployment Manager's wstemp directory: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/wstemp

as follows: -

cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/wstemp
rm -Rf -6895560/

which resulted in: -

rm: invalid option -- 6
Try `rm --help' for more information.

I'd had the same problem a few days ago - the problem is that the hyphen ( - ) character is seen by the rm command as an option.

The solution ? A quick rummage around Google threw this up: -


Use the "--" option to tell rm that there are no more options coming, hence the command becomes: -

rm -Rf -- -6895560/

Job done :-)

Lotus Connections 2.5.0.1 - Problems with Service Integration Bus after configuring Shared Message Store

During the final phase of configuring a two-node cluster for Lotus Connections 2.5, I was attempting to configure the Shared Message Store so that all LC features deployed as clusters across both nodes could see messages and logs.

The Information Centre covers this in depth here: -


and, in essence, I'd created a series of directories on a NFS server ( running NFS v3 on Red Hat Enterprise Linux ), as follows: -

mkdir /net/data/collaboration/messagestore
mkdir /net/data/collaboration/messagestore/Activities
mkdir /net/data/collaboration/messagestore/Blogs
mkdir /net/data/collaboration/messagestore/Communities
mkdir /net/data/collaboration/messagestore/Dogear
mkdir /net/data/collaboration/messagestore/Files
mkdir /net/data/collaboration/messagestore/Homepage
mkdir /net/data/collaboration/messagestore/Profiles
mkdir /net/data/collaboration/messagestore/Wikis

and then created eight new members of the WebSphere Service Integration Bus ( SIBus ), one for each of the clustered LC features.

Each bus member has two directories; one for logs and one for messages: -

/net/data/collaboration/messagestore/<clusterName>/log
/net/data/collaboration/messagestore/<clusterName>/store

these two subdirectories being created when the cluster is first started ( which, in turn, starts the bus ).

So far, so good.

I'd already verified that I could write to, and read from, the NFS server, by creating/editing/viewing/deleting files from both nodes, against the shared NFS server - which was automatically mounted in /etc/fstab when Linux starts.

However, whilst I could start my clusters after making these changes, the SIBus members never started completely, and merely showed as "Starting".

In order to diagnose the problem further, I stopped all of the clusters, stopped the node agents, cleared down the logs, started ONE node agent, and started one cluster ( Activities ), which meant that I only had one JVM on one node to play with.

I then monitored the logs and, c'est voila, I found these messages: -

[21/05/10 14:47:38:723 BST] 0000002d SibMessage    E   [ConnectionsBus:Activities.000-ConnectionsBus] CWSIS1592E: The file store has caught an unexpected io exception.
[21/05/10 14:47:38:724 BST] 0000002d SibMessage    I   [ConnectionsBus:Activities.000-ConnectionsBus] CWSIS1582I: The file store had a problem initialising its log file but will attempt to retry.
[21/05/10 14:47:43:731 BST] 0000002d SibMessage    I   [ConnectionsBus:Activities.000-ConnectionsBus] CWSIS1581I: The file store is attempting to initalise its log file: /net/data/collaboration/messagestore/Activities/log/Log

When I checked the normal Linux error log, via the dmesg command, I also found: -

SELinux: initialized (dev 0:13, type nfs), uses genfs_contexts
lockd: server 192.168.113.97 not responding, still trying

Working with the networking specialists at the client site, it turned out that the iptables firewall on the NFS server was misconfigured, and was blocking me. However, the problem was even more subtle, as my tests had proved that NFS writes and reads were working OK.

The problem, as seen from dmesg, was with the Lock Daemon ( lockd ), which was being blocked.

Using the NFS v3 protocol ( which is supported by Connections ), the ports that needed to be opened on the NFS server were: -

LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769


or, in other words: -

32803/tcp
32769/udp

Once these changes were made, and the NFS server was rebooted, the SIBus burst into life and Connections started .... connecting.

The moral of the story - get to know and love your network specialist :-)
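
An added example (not from the original post): a probe that exercises a shared directory with a write, a read and then a file lock, since plain read/write tests passed here while lockd was blocked. The function name, probe file name and timeout are assumptions, and it relies on the flock and timeout utilities being installed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: on a Linux NFS v3 client, flock(1) on a file in the mount is
# forwarded to the server's lock daemon unless the mount uses nolock/local_lock.

# probe_shared_dir DIR [SECONDS]
# Prints one of: ok, write-failed, read-failed, lock-failed, flock-missing
probe_shared_dir() {
    dir=$1
    wait_s=${2:-10}
    probe="$dir/.lockprobe.$$"

    command -v flock >/dev/null 2>&1 || { echo "flock-missing"; return 4; }

    # Step 1: plain write (this is all a "can I create a file" test covers).
    { printf 'probe\n' > "$probe"; } 2>/dev/null || { echo "write-failed"; return 1; }

    # Step 2: read the same file back.
    if [ "$(cat "$probe" 2>/dev/null)" != "probe" ]; then
        rm -f "$probe"; echo "read-failed"; return 2
    fi

    # Step 3: take an exclusive lock. If the lock daemon is unreachable the
    # request hangs, so it is bounded with timeout; KILL is used because a
    # process blocked on an unresponsive server may not react to gentler signals.
    if timeout -s KILL "$wait_s" flock -x "$probe" true 2>/dev/null; then
        rm -f "$probe"; echo "ok"; return 0
    fi
    rm -f "$probe"; echo "lock-failed"; return 3
}

# Stand-alone run: probe the directory given as $1, or the local temp directory.
# On the nodes in the post this would be run against each directory under
# /net/data/collaboration/messagestore.
echo "$(probe_shared_dir "${1:-${TMPDIR:-/tmp}}" || true)"
```

A result of lock-failed while the write and read steps pass is the pattern described above: NFS data traffic allowed, lock traffic blocked.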

Thursday, 27 May 2010

Getting the Lotus Connections Portlet to work with WebSEAL

A very useful, and potentially quite timely, post from Luis Benitez: -

...
Last week, I spent a day at a customer up in New Jersey. They are currently deploying a pilot of Lotus Connections 2.5. One of the most important things for them is to be able to mash up Lotus Connections with their existing intranet applications via their portal (powered by WebSphere Portal, of course).

To simplify sign on for all their employees, they use WebSEAL and SPNEGO to provide single sign on for all web applications. This way, an employee logs on to their workstation in the morning, and they are never prompted to log on again to other web applications.

As we deployed the Lotus Connections 2.5 Portlet, we ran into an issue. The portlet wasn't built to support an SSO solution in the middle (it mostly depends on WebSphere SSO which is based on something called LTPA token). At this point, I had to figure out how to change the portlet to support WebSEAL, so I went on and downloaded the source code for the portlet (isn't it nice when they make the source code available?)

...


Tuesday, 25 May 2010

WebSphere Portal and Form Based Authentication

One of my Australian pals, Adam Brown, was trying to get a 3rd party search engine to work with secured content in WebSphere Portal ( content behind the /wps/myportal rather than /wps/portal URL ).

After some more digging, he was able to resolve this by inspecting the source of the portal's login page ( using the View Source function that most decent browsers offer ) - the login page being reached when you open a browser to http://portal.domain.com/wps/myportal.

As an example, here's the login form from a WebSphere Portal 6.1 implementation: -

<form method="POST" action="/wps/portal/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3hnd0cPE3MfAwMLFzcLAyMnUzPPQAMXAwNfM_1wkA6zeAMcwNFA388jPzdVvyA7rxwAI9wpVw!!/dl3/d3/L0lDUWtpQ1NTUW9LVVFBISEvb0lvZ0FFQ1FRREdJUXBURE9DNEpuQSEhLzRDd2lSLXJmbTE2SWt5WGlnRUEhLzdfQ0dBSDQ3TDAwOERGODAyQjU2SVEwRDAwRTAvd3BzLnBvcnRsZXRzLmxvZ2lu/" name="LoginForm">
<table width="70%" cellspacing="2" cellpadding="0" align="left" border="0">
<tr>
<td class="wpsEditText" align="left">
<label for="userID">User ID:</label>
</td>
</tr>
<tr>
<td class="wpsFieldText" align="left">
<input dir="ltr" type="text" style="width:112px;" id="userID" name="wps.portlets.userid" value=""/>
</td>
</tr>
<tr>
<td class="wpsEditText" align="left">
<label for="password">Password:</label>
</td>
</tr>
<tr>
<td class="wpsFieldText" align="left">
<input dir="ltr" type="password" style="width:112px;" id="password" name="password"/>
</td>
</tr> 
 
<tr>
<td>&nbsp;</td>
</tr> 
 
<tr>
<td>
&nbsp;
</td>
</tr> 
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="4">
<tr>
<td nowrap>
<input class="wpsButtonText" style="cursor:pointer;" type="submit" border="0" align="absmiddle" name="ns_7_CGAH47L008DF802B56IQ0D00E0__login" value="Log in" />
</td>
<td nowrap>
<input class="wpsButtonText" style="cursor:pointer;" type="submit" onclick="javascript:setCancelURL();return;" border="0" align="absmiddle" name="ns_7_CGAH47L008DF802B56IQ0D00E0__cancel" value="Cancel" />
</td>
</tr>
</table>
</td>
</tr> 
</table>
</form> 

In Adam's case, he was pointing his search engine crawler against the URL of the login page ( on which the login portlet is deployed ) rather than against this login form.

I'm sure he'll do a much better job of writing this up on his blog when he gets back from vacation ...

VMware Server 2.0.2 on Ubuntu 10.04 Lucid Lynx ... The adventure continues ...

Having managed to successfully install VMware Server 2.0.2 onto my shiny new Thinkpad W500, I was able to create a new VMware image ( Red Hat Enterprise Linux 5 ), but then hit the next roadblock / millstone.

VMware Server has a rather neat, browser-plugin-based remote console that allows the guest VM's console to appear within the browser.

The bad news is that this appears not to work with Firefox 3.6.3. Guess which version I have on my shiny new Ubuntu 10.04 installation ? That's right, you've guessed it.

Thankfully, this ( amongst many other forum posts ): -


details how to work around by manually executing the Remote Console plugin outside of the browser.

In my case, all I needed to do was: -

(a) Extract the 64-bit Linux plugin to my user's home directory

cd ~
unzip /usr/lib/vmware/webAccess/tomcat/apache-tomcat-6.0.16/webapps/ui/plugin/vmware-vmrc-linux-x64.xpi

(b) Execute the Remote Console: -

~/plugins/vmware-vmrc -h 127.0.0.1:8333

(c) Authenticate as my VMware user

(d) Choose the running VM whose console I need to access

Easy as pie :-)

Lenovo Thinkpad W500 - My First Few Hours ...

Having just taken delivery of a new shiny 4061-Bl5 Thinkpad, it took me a matter of minutes to replace the out-of-the-box Windows XP with Ubuntu 10.04 ( Lucid Lynx ) - the 64-bit variant - and VMware Server 2.0.2.

Following my own blog post here: -

http://www.davehay.f2s.com/2010/01/patching-things-using-ubuntu-server-910.html

I was somewhat disappointed to find that, even with the patch that previously worked for me ( on Orac ), I wasn't able to get the vmware-config.pl script to execute.

Rather than crying in my (Lotus)beer, I chose to Google the answer - and quickly found my way to Hilario J. Montoliu's blog here: -


http://hmontoliu.blogspot.com/2010/04/installing-vmware-server-202-in-ubuntu.html

which describes, in perfect detail, how to patch the VMware Server installation *BEFORE* applying the patch and *BEFORE* running vmware-config.pl.

I used this version of VMware Server: -

VMware-server-2.0.2-203138.x86_64.tar.gz

on this: -

2.6.32-22-generic #33-Ubuntu SMP Wed Apr 28 13:28:05 UTC 2010 x86_64 GNU/Linux

kernel.

For the record, here's the patch: -

http://www.ubuntugeek.com/images/vmware-server.2.0.1_x64-modules-2.6.30.4-fix.tgz

Monday, 24 May 2010

SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission

Was seeing another weird problem with my WebSphere Portal 6.1.5 cluster, having deployed the Lotus Connections 2.5 portlets, available on the Catalog here: -


When I deployed the portlets to a page, I was getting "This portlet is not available", even though I'd stopped/started the cluster, resynchronised the nodes etc.

Initially, I thought it was related to this earlier problem: -


but, when I checked the SystemOut.log file on one of the two nodes, I saw this: -

[5/21/10 16:08:34:445 BST] 000000b7 SecurityManag W   SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to InfoCenter for further information.

Permission:

      suppressAccessChecks : Access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
Code:

     org.apache.commons.beanutils.MethodUtils  in  {file:/opt/IBM/WebSphere/wp_profile/installedApps/cmwputCell01/PA_WPF.ear/snor.pf.portlets.war/WEB-INF/lib/commons-beanutils.jar}

java.security.AccessControlException: Access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)

[5/21/10 16:08:34:448 BST] 000000b7 MethodUtils   W org.apache.commons.beanutils.MethodUtils getMatchingAccessibleMethod Current Security Manager restricts use of workarounds for reflection bugs  in pre-1.4 JVMs.

Despite being for a completely different product, this Technote: -

Java 2 security warning (SECJ0314W) reported on Business Space


showed me the way to go.

In essence, when I'd enabled security, I'd unwittingly (!) set Java2 security via the Integrated Solutions Console ( via Security -> Secure administration, applications, and infrastructure -> Use Java 2 security to restrict application access to local option ).

Once I un-checked this option, and restarted the cluster, all was well.


Thursday, 20 May 2010

Argh, near panic when a new clustered installation of Lotus Connections 2.5.0.1 starts #failing

Having spent 2-3 days this week, preparing for, and building a clustered installation of Lotus Connections 2.5.0.1, I was feeling a little panic-stricken yesterday, when I was unable to log into Connections, either directly into Profiles, or into any other service, all of which use Profiles.

I was getting exceptions such as: -

19/05/10 17:20:23:625 BST] 0000002c WebApp        E   Exception caught while initializing context 
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'com.ibm.lconn.core.appext.api.SNAXPersonService' defined in URL [wsjar:file:/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/connut-1Node01Cell/Profiles.ear/peoplepages.war/WEB-INF/lib/lc.appext.core.impl-2.5.jar!/META-INF/spring/lconn-service-context.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [com.ibm.lconn.core.appext.impl.SNAXPersonServiceImpl]: Constructor threw exception; nested exception is java.lang.ExceptionInInitializerError        at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:243)

in the SystemOut.log for Profiles, which gave me great cause for concern.

Reading through this forum thread: -


gave me a few pointers, but nothing really concrete.

When I dug a little further into the logs, I found this: -

Caused by: com.ibm.connections.directory.services.exception.DSRuntimeException: com.ibm.connections.directory.services.exception.DSException: CLFRK0004E: SSO domain name '.foobar.snafu.com' is not configured properly for host name 'http://<HOSTNAME.DOMAIN.COM>:9085/communities/dsx/'!

( I've anonymised the domain names etc. )

This started me thinking and I checked the /etc/hosts file of the Linux box on which Connections is running.

Sure enough, the .foobar.snafu.com domain matched a "private" network that only exists between Connections and the back-end data server on which NFS is being used for shared file systems etc.

I'm guessing that WAS was looking at, perhaps, the first IP address on the system, doing a reverse lookup via /etc/hosts and then returning the domain name portion of its hostname.

The solution ?

Set the SSO domain name to something sensible ( matching the domain name portion of the network on which ALL the Connections and Portal and Quickr servers are sitting ).

I did this via the Integrated Solutions Console (ISC), via Security -> Secure administration, applications and infrastructure -> Web security -> single sign-on (SSO), setting the Domain name field.

Once I restarted the Connections cluster, all was well, and I was able to log into Profiles, and access all the other services.

Nice

Wednesday, 19 May 2010

Problem with IBM HTTP Server Plugin configuration file when attempting to propagate from WebSphere Application Server

Some more weirdness from the front line.

In order to run two web servers ( one on port 80, one on port 81 ) on the same (virtual) machine, running IBM HTTP Server 6.1.0.29, I configured a pair of configuration files ( equivalent to httpd.conf ); one called itim50.conf and one called wps615.conf for IBM Tivoli Identity Manager 5.0 and IBM WebSphere Portal 6.1.5 respectively.

I've actually got two VMs, each running IHS, so I'll end up with four instances, spread across two VMs, one on each VM for each product.

So far so good.

However, I then needed to create unique webserver configurations ( called webserver3 on one box and webserver4 on the second box ), as I had webserver1 and webserver2 already set up.

Using the ConfigureIHSPlugin.sh script, that was relatively easy: -

./ConfigureIHSPlugin.sh -plugin.home /opt/IBM/HTTPServer/Plugins/ -plugin.config.xml /opt/IBM/HTTPServer/Plugins/config/templates/plugin-cfg.xml -ihs.conf.file /opt/IBM/HTTPServer/conf/itim50.conf -ihs.admin.usergroup ihsadmins -operating.system Linux -operating.system.arch 32 -WAS.webserver.name webserver4

This creates the relevant webserver3 and webserver4 configuration under /opt/IBM/HTTPServer/Plugins/config/webserver3 and /opt/IBM/HTTPServer/Plugins/config/webserver4 respectively.

Again, so far, so good.

So why oh why do I get an exception when I attempt to propagate the plugin configuration from the Deployment Manager ( WAS 6.1.0.29 ) to either new HTTP server ?

This is the error that I get from WAS: -

[5/19/10 19:40:45:366 BST] 0000001c SystemOut     O PLGC0063E: The propagation of the plug-in configuration file from /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/admut-2Cell01/nodes/webut-2/servers/webserver4/plugin-cfg.xml to /opt/IBM/HTTPServer/Plugins/config/webserver4/plugin-cfg.xml on the Web server computer failed.

and, in the IHS error log ( /opt/IBM/HTTPServer/log/admin_error.log ), I got this: -

[Wed May 19 19:28:05 2010] [error] ac_write_file: (AC_OPENFILE) WriteFile: Error 13 opening file /opt/IBM/HTTPServer/Plugins/config/webserver3/plugin-cfg.xml.\n

I then started IHS ( adminctl instance ) up in debug mode, by setting: -

LogLevel debug

in /opt/IBM/HTTPServer/conf/admin.conf

This showed up a more detailed exception: -

[Wed May 19 19:37:40 2010] [error] ac_write_file: (AC_OPENFILE) WriteFile: Error 13 opening file /opt/IBM/HTTPServer/Plugins/config/webserver3/plugin-cfg.xml.\n
[Wed May 19 19:38:47 2010] [info] [client 128.86.242.71] mod_ibm_admin: Command issues with following arguments --  Command=WriteFile   Arguments=/opt/IBM/HTTPServer/Plugins/config/webserver3/plugin-cfg.xml  
[Wed May 19 19:38:47 2010] [info] [client 128.86.242.71] mod_ibm_admin: SAIL_WRITE_FILE


However, I still couldn't crack it.

Casting around for inspiration, I checked the permission of the plugin-cfg.xml file in: -

/opt/IBM/HTTPServer/Plugins/config/webserver3
/opt/IBM/HTTPServer/Plugins/config/webserver4

and saw that they were set to: -

-rw-rw-r-- 1 root ihsadmins 25614 May 19 18:07 plugin-cfg.xml

Taking a gamble, I changed the permissions: -

chown ihsadmin:ihsadmins /opt/IBM/HTTPServer/Plugins/config/webserver3/plugin-cfg.xml
chown ihsadmin:ihsadmins /opt/IBM/HTTPServer/Plugins/config/webserver4/plugin-cfg.xml

giving me permissions of: -

-rw-r--r-- 1 ihsadmin ihsadmins  1606 May 19 19:42 plugin-cfg.xml

and, quelle surprise, propagation started working.

Looking at the original plugin-cfg.xml file as created by the IHS installer ( in webserver1 and webserver2 ), the file permissions are: -

-rw-rw-r-- 1 root ihsadmins 25614 May 19 18:07 plugin-cfg.xml

Strange but true ...

These two Technotes: -



are both extremely useful in debugging this.

Tuesday, 18 May 2010

More weirdness, this time with changing context root of WebSphere Portal

Anyone here had experience of changing the default Portal context root from /wps/portal to, say, /london/portal ?

The instructions here: -


are a little imprecise re changing the context root of certain web applications e.g. PA_PortletManager.

It says this: -





  • Perform the following steps to change the context root for the Web Modules, Applications, and Portlets portlets:


    1. Log on to the WebSphere Application Server administrative console or the Deployment Manager administrative console in a clustered environment.
    2. Navigate to Applications > Enterprise Applications and then click PA_Portlet_Manager.
    3. Under Web Module Properties, click Context Root for Web Modules.
    4. Change the wps part of the /wps/PA_Portlet_Manager context root to the new URI for your company.
    5. Click Apply and then click Save.
    When you restart the application, the changes will be applied to the portlets.



    However, if I do that, and resync the nodes, restart the cluster, reboot the servers etc. etc. etc., I still get this: -

    EJPPG0017E: Web application for context root /wps/PA_Portlet_Manager is unavailable.

    as per this Technote: -


    Therefore, I'm obviously missing something .......

    Help?

    *UPDATE* As per my comment, the wonderful IBM Support team in Dublin helped me resolve this using XMLAccess.

    In essence, I exported all of the portlets using the XMLAccess command: -

    /opt/IBM/WebSphere/PortalServer/bin/xmlaccess.sh -in /opt/IBM/WebSphere/PortalServer/doc/xml-samples/ExportAllPortlets.xml -out ~/AllPortlets.xml -url http://localhost:10040/wps/config -user wpsadmin -password passw0rd

    I then extracted the relevant portion of the AllPortlets.xml file, related to PA_Portlet_Manager, into a new XML file ( PA_Portlet_Manager.xml  ), and modified the context root from: -

                /wps/PA_Portlet_Manager

    to: -


                /london/PA_Portlet_Manager

    and then reimported the new configuration using XMLAccess: -

    /opt/IBM/WebSphere/PortalServer/bin/xmlaccess.sh -in ~/PA_Portlet_Manager.xml -url http://localhost:10040/wps/config -user wpsadmin -password passw0rd

    Having restarted the Portal cluster, all now appears well


    Strangeness with the addNode script during a Lotus Connections implementation

    During a troublesome installation of Lotus Connections 2.5 on a Linux server, I hit the following exception, shown up in /tmp/lcinstalllog.txt: -

    (May 18, 2010 3:37:06 PM), MultiPlatform.install, com.ibm.wps.install.ExternalCommandAction$OutputWatcher, msg2, StdOut:      [exec] The java class is not found:   
    (May 18, 2010 3:37:06 PM), MultiPlatform.install, com.ibm.wps.install.ExternalCommandAction$OutputWatcher, msg2, StdOut:      [exec] /opt/IBM/WebSphere/AppServer/bin/addNode.sh: line 119: -Xbootclasspath/p:: No such file or directory
    (May 18, 2010 3:37:06 PM), MultiPlatform.install, com.ibm.wps.install.ExternalCommandAction$OutputWatcher, msg2, StdErr: 
    (May 18, 2010 3:37:06 PM), MultiPlatform.install, com.ibm.wps.install.ExternalCommandAction$OutputWatcher, msg2, StdErr: BUILD FAILED

    which seemed strange.

    However, I had edited addNode.sh as recommended, in order to increase the minimum and maximum heap sizes, by adding the following line: -

      -Xms256m -Xmx1024m \ 

    to the script, as follows: -

    ...
    "$JAVA_HOME"/bin/java \
      -Xms256m -Xmx1024m \ 
      -Xbootclasspath/p:"$WAS_BOOTCLASSPATH" \
      $EXTRA_X_ARGS \
      $WAS_DEBUG \
      $CONSOLE_ENCODING \
      $javaOption \
      "$CLIENTSAS" \

    ...

    Now I can't see anything wrong with that, but it obviously caused some problems.

    I tried running dos2unix against the file, but to no avail - I didn't really expect that to work, given that I'd used vi to edit it in the first place.

    In the end, I removed the line, and re-added it in again. This time it looked like this: -

      -Xms256m -Xmx1024m \

    as follows: -

    ...
    "$JAVA_HOME"/bin/java \
      -Xms256m -Xmx1024m \
      -Xbootclasspath/p:"$WAS_BOOTCLASSPATH" \
      $EXTRA_X_ARGS \
      $WAS_DEBUG \
      $CONSOLE_ENCODING \
      $javaOption \
      "$CLIENTSAS" \
    ...

    Interestingly, this time around, when I ran the diff command against the two versions of the file, there was definitely something different: -

    117c117
    <   -Xms256m -Xmx1024m \ 
    ---
    >   -Xms256m -Xmx1024m \

    but I'm blowed if I can see what ...

    Weird science ..... but without Kelly LeBrock or a bra on my head ...
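
An added example (not part of the original post or of addNode.sh) showing the difference that diff reports above: a space after the backslash on line 117 turns the line continuation into an escaped space, so the java command ends there and the following line runs as a command of its own, which matches the "-Xbootclasspath/p:: No such file or directory" message. The sample script and its show_args stand-in for java are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample script content is constructed.

# List "LINENO:TEXT" for each line whose last backslash is followed by
# spaces or tabs. Returns 0 if any such line exists, 1 otherwise.
find_broken_continuations() {
    grep -nE '\\[[:space:]]+$' "$1"
}

# Print one line in unambiguous form (POSIX "sed l"): a backslash is shown
# as "\\" and the real end of line as "$", so "\\ $" exposes the stray space.
show_line() {
    sed -n "${2}l" "$1"
}

# Write a repaired copy to stdout: whitespace after a final backslash is dropped.
fix_continuations() {
    sed 's/\\[[:space:]]*$/\\/' "$1"
}

# Constructed stand-in for the edited script: show_args replaces java and
# reports how many arguments it received. Line 3 ends in backslash + space.
# printf is used so that the trailing space is explicit in this listing.
make_sample() {
    {
        printf '%s\n'     'show_args() { echo "argc=$#"; }'
        printf '%s\\%s\n' 'show_args ' ''
        printf '%s\\%s\n' '  -Xms256m -Xmx1024m ' ' '
        printf '%s\\%s\n' '  -Xbootclasspath/p:x ' ''
        printf '%s\n'     '  -classpath y'
    } > "$1"
}

# Run a script and print only its stdout; the shell's error about the
# orphaned second command is discarded.
run_quiet() {
    sh "$1" 2>/dev/null || true
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir/broken.sh"

    echo "Broken continuation lines:"
    find_broken_continuations "$dir/broken.sh"

    echo "Line 3 made visible:"
    show_line "$dir/broken.sh" 3

    fix_continuations "$dir/broken.sh" > "$dir/fixed.sh"

    # Broken: the command ends after the escaped space, which arrives as a
    # third argument consisting of a single blank.
    echo "broken: $(run_quiet "$dir/broken.sh")"
    # Fixed: all five arguments reach one command.
    echo "fixed:  $(run_quiet "$dir/fixed.sh")"

    rm -rf "$dir"
}

demo
```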

    Using wsadmin to change the hostname of a WebSphere Application Server ... server

    For various reasons ( don't ask ), it's been necessary to change the domain name portion of the fully qualified hostname of my Lotus Connections servers, which are running WebSphere Application Server Network Deployment 6.1.0.29 ( two nodes, one deployment manager ).

    Now I remember doing this back in WAS V3 where it was necessary to update the underlying DB2 UDB database, via a SQL UPDATE command.

    How the world has changed ...

    The Information Centre here: -


    describes how the Swiss Army Knife tool, wsadmin.sh, can be used to achieve the same ending.

    Here are the steps that I followed: -

    ***CAUTION - THIS WILL POTENTIALLY BREAK YOUR WEBSPHERE ENVIRONMENT IF YOU DO IT WRONG***

    Note that I've used the format wsadmin> to reflect that wsadmin has its own prompt and also used italics to indicate the commands that I typed

    Change to the appropriate directory

    cd /opt/IBM/WebSphere/AppServer/bin

    Execute the wsadmin script ( this requires the server - be it server, node agent or deployment manager - to be running ) - note the language is set to jython rather than the default JACL

    wsadmin.sh -user wasadmin -password passw0rd -lang jython

    Generate a listing showing the cell name

    wsadmin> AdminConfig.list('ServerIndex')

    -> this returns the path to the serverindex.xml - depending upon the environment, there may be more than one, as each node ( managed or unmanaged ) has one
    -> in my case, this was (cells/cmwputCell01/nodes/cmwputCellManager01|serverindex.xml#ServerIndex_1)

    Generate a listing showing the current hostname

    wsadmin> AdminConfig.show('(cells/cmwputCell01/nodes/cmwputCellManager01|serverindex.xml#ServerIndex_1)', 'hostName')

    -> this returns the hostname - in my case, this was '[hostName cmwput.uk.ibm.com]' 

    Change the hostname

    wsadmin> AdminConfig.modify('(cells/cmwputCell01/nodes/cmwputCellManager01|serverindex.xml#ServerIndex_1)', "[[hostName cmwput.demo.uk.ibm.com]]")

    -> note the really peculiar syntax, with a plethora of apostrophes, quotation marks, brackets and square brackets

    Save the configuration

    wsadmin> AdminConfig.save()

    Generate a listing showing the current hostname

    wsadmin> AdminConfig.show('(cells/cmwputCell01/nodes/cmwputCellManager01|serverindex.xml#ServerIndex_1)', 'hostName')

    -> this returns the hostname - in my case, this was '[hostName cmwput.demo.uk.ibm.com]' 

    Restart WebSphere Application Server

    Use the stop/startServer or stop/startNode or stop/startManager scripts as appropriate.

    ***CAUTION - THIS WILL POTENTIALLY BREAK YOUR WEBSPHERE ENVIRONMENT IF YOU DO IT WRONG***

    A simple solution to a potentially complex problem.

    Again, remember your mileage may, and almost certainly will, vary.


    Friday, 14 May 2010

    SECJ0055E errors seen periodically in WebSphere Portal SystemOut.log

    Having finished my WP/WCM clustering work, I was checking through the SystemOut.log files for my portal cluster to see whether there were any exceptions or errors about which I should be worried.

    I was seeing: -

    SECJ0055E: Authentication failed for uid=wpadmin,dc=uk,dc=ibm,dc=com. The user id or password may have been entered incorrectly or misspelled.  The user id may not exist, the account could have expired or disabled. The password may have expired.

    This Technote: -


    summed things up perfectly.

    The Run As Role for the Personalization Scheduler service ( pznscheduler ) didn't appear to have a password associated with it.

    I changed this via the Integrated Solutions Console on the Deployment Manager, under Applications -> Enterprise Applications -> pznscheduler > User RunAs roles where I selected the RuleEventRunAsRole and then entered wpadmin in the username field and the appropriate password for that user in the password field.

    Once I clicked OK, saved the configuration and restarted the cluster, all appeared to be well, which is nice.

    35 web sites that use IBM Lotus WCM in production

    A good list of public websites using Lotus WCM, with thanks to Pierre Chauvin.


    following on from his earlier list, of 40 sites, published late last year: -

    http://pierrechauvin.free.fr/index.php?2009/10/11/356-40-sites-qui-utilisent-ibm-lotus-web-content-management-wcm

    Problem with WCM on second node of cluster

    Having built my WebSphere Portal / Lotus Web Content Management 6.1.5 cluster, I was sad to see exceptions in the SystemOut.log of the second node when I accessed WCM content. The errors included: -

    Failed to login to repository

    and: -

    Requested Member does not exist.uid=wpsadmin,o=default organization

    even though I thought I'd done all the right things in terms of LDAP configuration etc.

    Thankfully, Hunter Tweed's most excellent WP615 clustering guide: -


    covered this, along with many other things.

    I'd forgotten to run the enable-jcr-security task on the second node.

    This required me to ensure that the ConfigEngine properties files: -

    /opt/IBM/WebSphere/wp_profile/ConfigEngine/properties/wkplc.properties

    WasUserid
    WasPassword
    PortalAdminId
    PortalAdminPwd

    /opt/IBM/WebSphere/wp_profile/ConfigEngine/properties/wkplc_comp.properties

    WcmAdminGroupId
    WcmAdminGroupCN
    WcmContentAuthorsGroupId
    WcmAdminGroupCN

    were up-to-date, in terms of their references to LDAP user/group IDs, rather than the default WebSphere Identity Manager (WIM) values.

    Once I'd done this, I ran the task as follows: -

    cd /opt/IBM/WebSphere/wp_profile/ConfigEngine
    ./ConfigEngine.sh enable-jcr-security

    and voila, we're good to go.

    This Technote: -


    describes the problem and solution in more detail.

    Thursday, 13 May 2010

    IBM WebSphere Portal Content Templates Catalog

    Following my previous posting regarding the IBM WebSphere Portal Content Templates Catalog, I had been trying, and failing, to deploy the Catalog into my clustered WP/WCM 6.1.5 environment.

    I had, as far as I could tell, modified the install.sh and wkplc.properties appropriately, but the installation script still completed within 10 seconds, and nothing got deployed.

    After some excellent help from Ronan and Esmond in the IBM Dublin labs, I realised where I was going wrong.

    Esmond suggested that I check the ConfigEngine registry - /opt/IBM/WebSphere/wp_profile/ConfigEngine/registry.xml - to see whether the Templates had been registered.

    Looking at this file, I couldn't see any reference to: -

    assemblyName="IBM.WebSphere.Portal.Content.Templates.Catalog"

    which suggested that the first step in install.sh was failing, albeit without an error message.

    Therefore, I looked again at install.sh and, quelle surprise, I was being a complete and utter muppet - the install script is written assuming that the user is running against localhost on 10033: -

    hostName=localhost
    soapPort=10033

    whereas I am running against a cluster, with an external deployment manager.

    Therefore, I ran the two commands, from install.sh, manually: -

    cd /opt/IBM/WebSphere/wp_profile/ConfigEngine

    ./ConfigEngine.sh -install -assemblyRoot /opt/IBM/WebSphere/PortalServer/IBM.WebSphere.Portal.Content.Templates.Catalog/ -installPath /opt/IBM/WebSphere/PortalServer/ -user wasadmin -<PASSWORD> -hostname dm.uk.ibm.com -port 8879 -offeringName PortalServer -assemblyName IBM.WebSphere.Portal.Content.Templates.Catalog -expandBinaries false

    ( so replacing localhost/10033 with the hostname of the Deployment Manager - dm.uk.ibm.com - on port 8879 )

    which updated the registry.xml as follows: -

    <assembly assemblyName="IBM.WebSphere.Portal.Content.Templates.Catalog" installLocation="/opt/IBM/WebSphere/PortalServer//IBM.WebSphere.Portal.Content.Templates.Catalog" lastModified="05/13/2010" version="6.1.0.0">
      <component compName="components/sample.ctc.content" installLocation="/opt/IBM/WebSphere/PortalServer//IBM.WebSphere.Portal.Content.Templates.Catalog/components/sample.ctc.content" version="6.1.0.0">
        <task taskName="deploy-portlets" failOnError="true" status="FAIL"/>
        <task taskName="remove-portlets" failOnError="true" status="FAIL"/>
      </component>
    </assembly>

    I then ran the deploy-portlets script: -

    ./ConfigEngine.sh deploy-portlets -DComponentList=components/sample.ctc.content -propertyfile /opt/IBM/WebSphere/PortalServer/IBM.WebSphere.Portal.Content.Templates.Catalog/wcm.properties 

    and, quelle surprise, it worked. The deploy-portlets task took 15 minutes, and I now have lots of lovely content to look at :-)

    Simple :-)

    Using Ephox EditLive! as the default Rich Text Editor within the Express Internet / Intranet microsites

    As mentioned in an earlier blog post, I'm using the Internet and Intranet microsites that are provided with WebSphere Portal / Lotus Web Content Management 6.1.

    Having deployed them into my two-node WP/WCM 6.1.5 cluster ( Note: it's essential that they be deployed BEFORE database/LDAP transfer etc. ), using the ConfigEngine.sh scripts

    ./ConfigEngine.sh configure-express -DPortalAdminPwd=passw0rd -DWasPassword=passw0rd
    ./ConfigEngine.sh action-express-memberfixer -DPortalAdminPwd=passw0rd -DWasPassword=passw0rd

    and, after the LDAP migration, having re-run the action-express-memberfixer task, once I'd added the appropriate LDAP-based WPSADMIN account into: -

    /opt/IBM/WebSphere/wp_profile/
    PortalServer/wcm/shared/app/config/wcmservices/MemberFixerModule.properties

    I wanted to configure them to use the most excellent Ephox EditLive! rich text editor, rather than the default IBM editor.

    That nice Mr Adrian Sutton Esq kindly pointed me at a document on the Ephox website: -


    which describes how, as the portal administrator, to configure the Web Content Viewer portlets to use EditLive, by updating or adding a property: -

    WCM_RICH_TEXT_EDITOR = EditLiveJavaEditor.jsp

    I tried this, but the IBM RTE still came up as default when I created a new item of content ( actually a new Company News item within Home page of the Internet microsite ).

    Thankfully, common sense prevailed and, rather than searching for portlets by the criteria "Title Starts With -> Web Content Viewer" - which only threw up: -

    Web Content Viewer            IBM API  ibm.portal.Web.Content.Viewer
    Web Content Viewer (JSR 286)  JSR 286  ibm.portal.Web.Content.Viewer.Jsr286

    I chose the search criteria "Title Contains -> Web Content Viewer" which returned: -

    Web Content Viewer            IBM API  ibm.portal.Web.Content.Viewer
    Web Content Viewer (JSR 286)  JSR 286  ibm.portal.Web.Content.Viewer.Jsr286
    Express Web Content Viewer    IBM API  ibm.portal.Express.portlets.lrp

    It was the Express Web Content Viewer that I needed to change - in hindsight, had I looked at Edit Page Layout for one of the Internet/Intranet pages, I'd have got the same result.

    The other wrinkle was that, in contrast to the Ephox website, the IBM Information Centre here: -


    directs one to use a slightly different value for the property: -

    WCM_RICH_TEXT_EDITOR = /wps/ephox;/jsp/html/EditLiveJavaEditor.jsp

    When I used EditLiveJavaEditor.jsp or /jsp/html/EditLiveJavaEditor.jsp, I still got the IBM RTE rather than EditLive!

    So, after some trial and, as always, some error, I now have the EditLive! editor as my default RTE throughout my WP/WCM environment, which is nice.

    And now to try and get the IBM WebSphere Portal Content Templates Catalog working in my clustered environment - I'll crack it, with the help of the Dublin labs, from whence the installer came ...

    Tuesday, 11 May 2010

    Ports in Portal

    As part of the portal clustering engagement on which I'm currently working, I wanted to change the port range used by the WebSphere Portal instance on the second of the two nodes. 

    The reason for this is that, by default, when the second node is added into the cluster, the WebSphere_Portal instance is removed from the node configuration by the cluster-node-config-cluster-setup command, in order that a new instance ( WebSphere_Portal_nodename ) can be created. This second instance is automatically allocated to a new port range. As an example, if the original WebSphere_Portal listened ( on WC_defaulthost ) on 10040, then the new instance will listen on 10048.

    Given that there is now no conflict, as WebSphere_Portal has been removed, it's sometimes nice ( for consistency ) to reallocate the port range on node 2 to be consistent with node 1.

    There are a number of ways to achieve this, two of which involve using ConfigEngine.

    ./ConfigEngine.sh modify-ports-by-startport -DWasPassword=password -DModifyPortsServer=servername -DStartPort=starting port number

    ./ConfigEngine.sh modify-ports-by-portsfile -DWasPassword=password -DModifyPortsServer=servername -DPortsFile=full path to ports file

    The third way is to manually change them via the WAS administration console.

    I chose the second option - to import a list of ports from a text file.

    I created a text file ( ~/portalPorts.txt ) containing the following: -

    BOOTSTRAP_ADDRESS=10031
    SOAP_CONNECTOR_ADDRESS=10033
    SAS_SSL_SERVERAUTH_LISTENER_ADDRESS=10032
    CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS=10025
    CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS=10037
    WC_adminhost=10027
    WC_defaulthost=10040
    DCS_UNICAST_ADDRESS=10029
    WC_adminhost_secure=10041
    WC_defaulthost_secure=10035
    SIP_DEFAULTHOST=10039
    SIP_DEFAULTHOST_SECURE=10036
    SIB_ENDPOINT_ADDRESS=10026
    SIB_ENDPOINT_SECURE_ADDRESS=10038
    SIB_MQ_ENDPOINT_ADDRESS=10030
    SIB_MQ_ENDPOINT_SECURE_ADDRESS=10028
    ORB_LISTENER_ADDRESS=10034


    which represent the ports as harvested from the WebSphere_Portal server instance on node 1.

    I then attempted to execute the requisite ConfigEngine script: -

    ./ConfigEngine.sh modify-ports-by-portsfile -DWasPassword=passw0rd -DModifyPortsServer=WebSphere_Portal_node-2 -DPortsFile=~/portalPorts.txt 

    but, sadly, this failed with: -

    BUILD FAILED
    /opt/IBM/WebSphere/wp_profile/ConfigEngine/config/includes/modifyPorts.xml:139: The following error occurred while executing this line:
    /opt/IBM/WebSphere/wp_profile/ConfigEngine/config/includes/modifyPorts.xml:161: File did not load for createModifyPortsJacl task

    I didn't have the time to investigate too closely, so I chose to manually change each and every port, via the WAS administration console.

    Whilst we're on the subject, it's also worth noting that there's a ConfigEngine script for everything, including: -

    ./ConfigEngine.sh list-server-ports -DWasPassword=passw0rd

    which generates a log file: -

    /opt/IBM/WebSphere/wp_profile/ConfigEngine/log/wp_PortMatrix.txt

    which contains a subset of the ports being used: -

    WC_defaulthost=10048
    WC_adminhost=10047
    WC_defaulthost_secure=10051
    WC_adminhost_secure=10050
    BOOTSTRAP_ADDRESS=10042
    SOAP_CONNECTOR_ADDRESS=10043

    Sweet ....
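The port comparison described in this post can be scripted. The following is an added example, not part of the original post or of ConfigEngine: it diffs a ports file such as ~/portalPorts.txt against a listing such as wp_PortMatrix.txt, and flags out-of-range or reused ports. The function names port_diff and bad_entries are hypothetical, and the sample data is built from entries in the two listings above.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: sanity-check NAME=PORT listings.

# port_diff WANTED ACTUAL
# Prints "NAME wanted actual" for each endpoint in WANTED whose port differs in
# ACTUAL; "-" means ACTUAL has no entry for that endpoint.
port_diff() {
  awk -F= '
    /^[ \t]*(#|$)/ { next }                        # skip comments, blank lines
    { gsub(/[ \t\r]/, "") }                        # tolerate stray whitespace
    FILENAME == ARGV[1] { actual[$1] = $2; next }  # first file: ports in use
    { have = ($1 in actual) ? actual[$1] : "-"
      if (have != $2) print $1, $2, have }
  ' "$2" "$1"
}

# bad_entries FILE
# Prints "invalid NAME=VALUE" for a port outside 1-65535 and
# "duplicate PORT FIRST_OWNER NAME" when one listing reuses a port.
bad_entries() {
  awk -F= '
    /^[ \t]*(#|$)/ { next }
    { gsub(/[ \t\r]/, "") }
    $2 !~ /^[0-9]+$/ || $2 + 0 < 1 || $2 + 0 > 65535 { print "invalid " $1 "=" $2; next }
    ($2 in owner) { print "duplicate " $2 " " owner[$2] " " $1; next }
    { owner[$2] = $1 }
  ' "$1"
}

# Sample input constructed from entries in the two listings in this post.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/portalPorts.txt" <<'EOF'
BOOTSTRAP_ADDRESS=10031
SOAP_CONNECTOR_ADDRESS=10033
WC_adminhost=10027
WC_defaulthost=10040
WC_adminhost_secure=10041
WC_defaulthost_secure=10035
EOF
cat > "$tmp/wp_PortMatrix.txt" <<'EOF'
WC_defaulthost=10048
WC_adminhost=10047
WC_defaulthost_secure=10051
WC_adminhost_secure=10050
BOOTSTRAP_ADDRESS=10042
SOAP_CONNECTOR_ADDRESS=10043
EOF

echo "endpoint wanted actual"
port_diff "$tmp/portalPorts.txt" "$tmp/wp_PortMatrix.txt"
bad_entries "$tmp/portalPorts.txt"
```

An empty result from port_diff means the server already listens on the ports in the file; any bad_entries output is worth resolving before the file is imported or the ports are keyed into the console.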


    Monday, 10 May 2010

    More tales from the front-line - Portal clustering

    Whilst endeavouring to add the first node into my WebSphere Portal 6.1.5 cluster, I kept hitting a problem whereby the script: -

    ./ConfigEngine.sh cluster-node-config-post-federation

    was failing with a java.lang.NullPointerException against the action fixup-after-security-change-admin in 
     /opt/IBM/WebSphere/wp_profile/ConfigEngine/config/actions/adv_cfg_mgr.xml

    After much trial and even more error, I realised that, although the portal node was able to resolve the Deployment Manager node by its fully qualified hostname, the same was not true in reverse.

    I proved this by TELNETing from the portal node to the DM node: -

    telnet dm.uk.ibm.com 8879

    which worked - at least, I could see that TELNET was responding even if I didn't, as one might expect, get a valid TELNET session.

    When I did the reverse: -

    telnet portal.uk.ibm.com 8878

    ( where 8878 is the SOAP port of the node agent )

    I got Connection refused

    As far as I can establish, the node being added into the cell passes over its hostname, which the DM node then tries and, in my case, fails to resolve CORRECTLY.

    The trick, in my case, was to ensure that the correct fully qualified hostname of the portal node was available to the DM node, by way of the /etc/hosts file.

    Once I was able to TELNET both ways using the FQ hostname, I was good to go.

    On a related note, I hit a similar problem whereby: -

    ./ConfigEngine.sh cluster-node-config-post-federation

    was failing with: -

    Exception: java.net.NoRouteToHostException: No route to host

    on the second ( of two ) nodes in the cluster.

    This turned out to be due to a similar problem - in that case, the second node was resolving the FQ hostname of the DM to the WRONG IP address, which was then being blocked by a Linux firewall configuration ( as seen via the command /sbin/iptables -L ).

    In short, when networking becomes notworking, things go pear-shaped
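Both failures in this post (an FQDN missing on the DM node, and an FQDN mapped to the wrong address on the second node) can be caught by comparing each node's hosts file against the mappings the cell is expected to use. The following is an added example, not part of the original post: hosts_lookup and check_mappings are hypothetical helper names, the hosts files are constructed, and the 192.0.2.x addresses are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: check FQDN -> address mappings.

# hosts_lookup FILE NAME
# Prints the address of the first line in a hosts-format FILE that lists NAME
# (case-insensitive, comments ignored); prints nothing when NAME is absent.
hosts_lookup() {
  awk -v want="$2" '
    { sub(/#.*/, "") }
    { for (i = 2; i <= NF; i++)
        if (tolower($i) == tolower(want)) { print $1; exit } }
  ' "$1"
}

# check_mappings HOSTS_FILE EXPECTED_FILE
# EXPECTED_FILE holds "fqdn address" pairs. Prints one verdict per pair and
# returns non-zero if any name is missing or maps to a different address.
check_mappings() {
  rc=0
  while read -r name addr; do
    [ -n "$name" ] || continue
    got=$(hosts_lookup "$1" "$name")
    if [ -z "$got" ]; then echo "MISSING $name"; rc=1
    elif [ "$got" != "$addr" ]; then echo "WRONG $name $got expected $addr"; rc=1
    else echo "OK $name $got"
    fi
  done < "$2"
  return "$rc"
}

# Constructed sample data; the 192.0.2.x addresses are placeholders.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/expected" <<'EOF'
dm.uk.ibm.com 192.0.2.10
portal.uk.ibm.com 192.0.2.20
EOF
# DM node: only the short name of the portal node is listed.
cat > "$tmp/hosts.dm" <<'EOF'
127.0.0.1   localhost
192.0.2.10  dm.uk.ibm.com dm
192.0.2.20  portal          # FQDN missing
EOF
# Second portal node: the DM's FQDN points at the wrong address.
cat > "$tmp/hosts.node2" <<'EOF'
127.0.0.1   localhost
192.0.2.99  dm.uk.ibm.com dm
192.0.2.20  portal.uk.ibm.com portal
EOF

for f in hosts.dm hosts.node2; do
  echo "== $f"; check_mappings "$tmp/$f" "$tmp/expected" || echo "== $f needs fixing"
done
```

On a live node, `getent hosts dm.uk.ibm.com` shows what the resolver actually returns, which can differ from /etc/hosts when DNS is consulted first.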

    Friday, 7 May 2010

    ADMG0007E: The configuration data type CellCompRegistryCollection is not valid.

    Whilst adding the first of two nodes to a WebSphere Portal 6.1.5 cluster, I kept hitting 

    ADMG0007E: The configuration data type CellCompRegistryCollection is not valid.

    whilst running the task: -

    ./ConfigEngine.sh cluster-node-config-pre-federation -DWasPassword=passw0rd

     Following this developerWorks forum post: -


    the response from Hunter Tweed with regard to the ConfigEngine.bat collect-files-for-dmgr process made me think; I realised that I'd previously gone through the steps to copy the required JAR and XML files from the portal node to the DM node but ....

    I'd then removed/reinstalled WAS ND on the DM node, meaning that these changes had been lost.

    I then re-copied the files across to the DM, but still saw the same exception :-(

    I looked back through my notes from a previous clustering engagement, and realised that I had not restarted the DM node since adding the new JARs etc. which meant that the WAS classpath was out-of-date.

    I stopped the DM, cleared the logs and restarted it again.

    As I type, the cluster-node-config-pre-federation task has just completed.

    Sweet as the proverbial nut .......

    I'm also following Hunter's most excellent WebSphere Portal 6.1.5 / 6.1.0.3 clustering guide, which is available online here: -

    IBM WebSphere Portal Content Templates Catalog

    Just experimenting with these templates on a freshly installed WebSphere Portal Enable 6.1.5 installation ( Linux ).

    Being a typical user, I just jumped straight in and tried to install them using the shipped install.sh having modified it. I then realised that I first needed to: -

    (a) copy the catalog components into /opt/IBM/WebSphere/PortalServer
    (b) ensure that /opt/IBM/WebSphere/wp_profile/ConfigEngine/properties/wkplc.properties has the correct values for WasPassword and PortalAdminPwd.

    Is it just me or would one not expect to take these values from install.sh given that it's necessary to amend it to reflect the WAS and Portal credentials ?

    Have fed back same via the Catalog entry: -


    In the meantime, here goes ...

    Using WebSphere Portal Express Content Libraries on WebSphere Portal Enable/Extend

    In scenarios where WCM has been installed as part of a WebSphere Portal Enable / Extend implementation, these two useful content libraries are on-disk but not configured/available for use.


    They can be configured using the commands: -

    ./ConfigEngine.sh configure-express -DPortalAdminPwd=passw0rd -DWasPassword=passw0rd
    ./ConfigEngine.sh action-express-memberfixer -DPortalAdminPwd=passw0rd -DWasPassword=passw0rd


    ( the latter command being run once the file: -

    /opt/IBM/WebSphere/wp_profile/PortalServer/wcm/shared/app/config/wcmservices/MemberFixerModule.properties

    has been updated to reflect the correct portal administration user name )

    which provides these two new WCM libraries: -

    Internet Web Content 6.1.0
    Intranet Web Content 6.1.0


    It's then necessary to test for membership problems etc. using MemberFixer via the following URL: -

    http://portaldemo.uk.ibm.com:10040/wps/wcm/connect?MOD=MemberFixer&Library=Internet Web Content 6.1.0

    which returns: -

    ...
    IWKCW1045X: SUMMARY INFORMATION
    Library processed: Internet Web Content 6.1.0
    IWKCW1046X: Items Processed: 119
    IWKCW1047X: Items Updated and Saved: 0
    IWKCW1047X: Member References requiring Removal: 0
    IWKCW1048X: Member References requiring Update: 0
    IWKCW1049X: Virtual Members requiring Update: 0
    Errors Detected: 0
    ...



    and: -

    http://portaldemo.uk.ibm.com:10040/wps/wcm/connect?MOD=MemberFixer&Library=Intranet Web Content 6.1.0

    which returns

    ...
    IWKCW1045X: SUMMARY INFORMATION
    Library processed: Intranet Web Content 6.1.0
    IWKCW1046X: Items Processed: 108
    IWKCW1047X: Items Updated and Saved: 0
    IWKCW1047X: Member References requiring Removal: 0
    IWKCW1048X: Member References requiring Update: 0
    IWKCW1049X: Virtual Members requiring Update: 0
    Errors Detected: 0
    IWKCW1050X: Non-existent Members that have alternate Distinguished Names available: 6.

    ...

    Given that these are non-existent members, we can remove them using the &fix=true and &alt_dn=remove commands: -

    http://portaldemo.uk.ibm.com:10040/wps/wcm/connect?MOD=MemberFixer&Library=Intranet Web Content 6.1.0&fix=true&alt_dn=remove

    This returns: -

    ...
    IWKCW1045X: SUMMARY INFORMATION
    Library processed: Intranet Web Content 6.1.0
    IWKCW1046X: Items Processed: 108
    IWKCW1047X: Items Updated and Saved: 2
    IWKCW1047X: Member References requiring Removal: 6
    IWKCW1048X: Member References requiring Update: 0
    IWKCW1049X: Virtual Members requiring Update: 0
    Errors Detected: 0

    IWKPL1368X: Utility completed.

    ...

    To be sure, we re-run the MemberFixer query, which now returns: -
    ...
    IWKCW1045X: SUMMARY INFORMATION
    Library processed: Intranet Web Content 6.1.0
    IWKCW1046X: Items Processed: 108
    IWKCW1047X: Items Updated and Saved: 0
    IWKCW1047X: Member References requiring Removal: 0
    IWKCW1048X: Member References requiring Update: 0
    IWKCW1049X: Virtual Members requiring Update: 0
    Errors Detected: 0

    ...

    Life is good ...

    For more information, see here: -

    Exploring the sample site templates

    Installing WebSphere Portal on Linux

    Sample Lotus Web Content Management member fixer tool commands after running ConfigEngine configure-express
