Monday, 30 April 2012

Social Connections III - IBM Dublin - 22 June 2012

Following on from two excellent events in 2011: -





The third Social Connections event will take place on 22nd of June 2012 at IBM Dublin, Ireland.  

 For the third time since its creation in 2010 the Social Connections user group will be hosting an international IBM Connections User Group event. This year's event will be hosted from the mothership of IBM Connections, the IBM Development labs: Dublin, Ireland. The event is aimed at anyone interested in, or working with IBM Connections, and aims to bring together the best of the best of Social Business.

 Speakers from across the globe will travel to Dublin to present on topics that promise to engage people of all backgrounds interested in Social Business, collaboration and anything IBM Connections. Whether you're an Administrator, Developer, Manager, Educator, Student or just a Connections User, you'll find something that is sure to conjure new ideas, form new connections, and get you excited about current and future Social Business practice. So join us to connect, collaborate, exchange and learn!

Admission is free and includes access to all sessions by esteemed speakers, lunch and a social event to follow the conference
.

Want to know more ? And you should, by the way.

Then go here …. NOW

Using OpenSSL to manage multiple certificates

More in my occasional series of "Now I did not know that" covering openssl, GSK, IBM HTTP Server etc.

Multiple Certificates In One File

In almost all cases, OpenSSL will assume that there's only one certificate in a given file. As such, it will generally only use the first certificate that it finds, and will ignore all others.

Normally, you will only have one certificate in a file, so that'll be OK. However, you may ocassionally come across files with several certificates in them. Unless you're going to be using this file as a CA bundle (where you list all the CA certificates you trust in one single file), you'll probably need to split your file into one per certificate.

First up, you'll want to check how many certificates a file holds. The simplest way to do that is with:

cat ca-certificate-file | grep -E 'BEGIN.* CERTIFICATE' | wc -l
If you get a number that's greater than 1, then you have multiple certificates in the file. Your best bet is to split the files after the "--END ... CERTIFICATE--" line (you may or may not have anything for "....")

One way to split it is using this perl program, which will handle finding the file ends for you, and prompt you for files to save certificates into.

Note that the format of a X509 PEM certificate is:

(Header Info)
------BEGIN (TRUSTED|X509) CERTIFICATE-----
(Certificate Data)
------END (TRUSTED|X509) CERTIFICATE-----

With thanks to Nick Burch and his most excellent blog here.

Whether the Weather - Another reason to go to DanNotes this week :-)



With thanks to AccuWeather for the charts ….

WebSphere Application Server 8.5 Announced - and running on perhaps the coolest hardware in the land ....

Following on from a previous post - WebSphere Application Server 8.5 on #WasDev - IBM have now formally announced WAS 8.5 here.

To make matters even better, there's a video up here on IBM developerWorks showing …. the WebSphere Application Server V8.5 Liberty Profile running on the Raspberry Pi.



Now that IS cool :-)


Counting down to DanNotes 2012

As per my previous post - DanNotes - Comwell Klarskovgaard, Korsør - May 2/3 - I'm proud as punch to be presenting at the DanNotes conference in Denmark later this week.

My two sessions are very WebSphere-related, which may be a shock to some people :-)

Wednesday

14.15-15.15 WebSphere administration for Domino admins

Thursday

10.00-11.00 Desktop Single Sign-On in an Active Directory World

The full agenda is available online here.

Am looking forward to the event, and hope to see you there.

:-)

Friday, 27 April 2012

Single sign-on for HTTP requests using SPNEGO web authentication

You can securely negotiate and authenticate HTTP requests for secured resources in WebSphere® Application Server by using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) as the web authentication service for WebSphere Application Server.

Note: In WebSphere Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. 

This function was deprecated in WebSphere Application Server Version 7.0. SPNEGO web authentication has taken its place to provide the following enhancements:
• You can configure and enable SPNEGO web authentication and filters on WebSphere Application Server by using the administrative console.
• Dynamic reload of SPNEGO is provided without the need to stop and restart WebSphere Application Server.
• Fallback to an application login method is provided if the SPNEGO web authentication fails.
• SPNEGO can be customized at the WebSphere security domain level.

You can enable either SPNEGO TAI or SPNEGO Web Authentication but not both.

Knowledge Collection: IBM WebSphere Portal Performance

A Knowledge Collection is a focused compilation of links to documents that share a common theme. Knowledge Collections are navigation aids that organize content to help readers quickly find relevant information. Knowledge Collections are not designed to be an all-inclusive list of all documents dealing with a specific theme.

This technote contains links to additional reading on the topic of IBM WebSphere Portal Performance

Answer

How should I start tuning WebSphere portal Server for better performance ?

This tuning guide provides details about the parameters that you can tune to improve portal performance. This guide serves as a very good starting point to start portal tuning process before production usage.

Performance tuning guide for WebSphere portal on IBM i
This document discusses additional performance tuning recommendations that is specific to running WebSphere Portal on the IBM i platform. The focus is more on platform level recommendations unique to the IBM i and are minimally discussed in the above guide.

Monitoring Performance in a WebSphere Portal environment
To tune your WebSphere Portal environment for optimal performance, you need to know what needs tuning. The monitoring methods discussed in this article cover several key areas of WebSphere Portal. They help you to view the true behavior of your WebSphere Portal environment and ultimately identify bottlenecks and potential problems. This article is meant to be an overview of monitoring methods rather than an in-depth look at any specific methods.

IBM WebSphere Portal performance testing and analysis
Finding and fixing performance problems in a production environment is challenging on a number of levels. Optimally, most bottlenecks in the system should be found and fixed before the system is allowed into production. This article explains a tested process that can ensure that, with high probability, most of the significant performance issues are found and addressed before you promote a system to production.

IBM WebSphere portal performance considerations for custom portal code
This article provides general guidance for creating well performing custom code for IBM WebSphere Portal. Custom code does not only refer to portlets (although they are the most common programming model for portals), but also includes code for WebSphere Portal themes and skins.

Performance management tools for IBM WebSphere Portal
This article describes the tools and how they were used to evaluate an IBM WebSphere Portal 7.0 performance and/or problem determination issue during a recent engagement at a customer site.

WebSphere Portal Performance Troubleshooting Guide
This document is intended as a guide for resolving performance problems in IBM WebSphere Portal V5.1 or later.

How to set an appropriate number of Portal Datasource connections in WebSphere Portal
For a given maximum number of Portal WebContainer threads set, what should I set my maximum Portal datasource connections to? This is important parameter and may lead to portal hang if not tuned correctly.

WebSphere Portal Server and Dynacache Replication(DRS) issues
This technote discusses some common issues observed with a WebSphere Portal server cluster having performance, memory issues, and HAManager/DRS exceptions. The cache replication suggestions are also valid for portal version 7.0.x.x.

Wednesday, 25 April 2012

More on IBM HTTP Server and WAS Plugin passwords

Following on from my earlier blog posts here and here.

This is definitely a work-in-progress.

<Caveat Emptor>

*FIRST BACKUP YOUR KEY DATABASE ETC.*

Using gsk7cmd to check password expiration

C:\IBM\HTTPServer\bin>gsk7cmd.bat -keydb -expiry -db \IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb -pw WebAS

Password expiry time: 26-Apr-2012 16:20:31

Using gsk7capicmd to check password expiration

C:\IBM\HTTPServer\bin>gsk7capicmd.bat -keydb -expiry -db \IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb -pw WebAS

Validity:  Thursday, 26 April 2012 16:20:31 PM GMT Daylight Time

Using gsk7cmd to change password

C:\IBM\HTTPServer\bin>gsk7cmd.bat -keydb -changepw -db \IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb -pw WebAS -new_pw Passw0rd -stash

Validating the change

C:\IBM\HTTPServer\bin>gsk7capicmd.bat -keydb -expiry -db \IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb -pw Passw0rd

</Caveat>

Yes, and I am using Windows in this example, as I was working with a client who is using Windows rather than Unix for their web tier.

And you did back up your key database BEFORE you started ?

More on DB2 UDB JDBC drivers ...

This following yesterday's post, I've just gone through the process of inferring the version/type of JDBC driver that I'm using: -

$ ls -al

total 3336
drwxr-x---  2 wasadmin wasgrp    4096 Dec  8  2010 .
drwxr-x--- 40 wasadmin wasgrp    4096 Jul 25  2011 ..
-rwxr-x---  1 wasadmin wasgrp 3395609 Dec  8  2010 db2jcc4.jar
-rwxr-x---  1 wasadmin wasgrp    1015 Dec  8  2010 db2jcc_license_cu.jar

$ . /opt/IBM/WebSphere/wp_profile/bin/setupCmdLine.sh
$ java -version

java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460sr9fp2ifix-20110913_02(SR9 FP2+IV03622+IZ99243))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64 jvmxa6460sr9-20110912_90359 (JIT enabled, AOT enabled)
J9VM - 20110912_090359
JIT  - r9_20101028_17488ifx31
GC   - 20101027_AA)
JCL  - 20110727_04

$ java -cp ./db2jcc4.jar com.ibm.db2.jcc.DB2Jcc -version

IBM Data Server Driver for JDBC and SQLJ 4.8.87

Tuesday, 24 April 2012

IBM DB2 UDB JDBC Drivers - What are you using ?

Having an interesting conversation on Skype re a JDBC driver issue from IBM Tivoli Directory Integrator 7.0.0.5 to IBM DB2 UDB 9.7.0.2

Cannot load JDBC driver class 'com.ibm.db2.jcc.DB2Driver'
java.lang.UnsupportedClassVersionError: (com/ibm/db2/jcc/DB2Driver) bad major version at offset=6


and the question of the JDBC driver version came up.

Did you know ( and I didn''t ) that you can deduce the JDBC driver version by the size of the JAR file e.g. db2jcc.jar etc. from this table: -


So I have DB2 UDB 9.7.0.3 and my dbcjcc.jar is 3,348,681 bytes in size.

That means that it is: -


My correspondent was using DB2 UDB 9.7.0.2 and his JDBC driver was 3,295,950 bytes in size.

Again, this tied up: -


So, a potentially useful way of validating that you have the correct JDBC driver.

Oh, the root cause of the ITDI exception java.lang.UnsupportedClassVersionError  ? Don't yet know, but will report back :-)

Monday, 23 April 2012

More in the "Now I *did* not know that" series - Using domain names in Snder Colors in Lotus Notes

One of my IBM colleagues pointed this out on our internal w3C IBM Connections environment today.

Whilst I've known that I can allocate Sender Colors (sic) to individual email addresses e.g. the boss always appears in RED, the First Lady always appears in pink etc., I had not realised that I could specify an entire DNS domain suffix e.g. ibm.com, apple.com etc. to appear in a particular colour: -



Nice one, Gene, thanks for sharing :-)

Saturday, 21 April 2012

Administering SPNEGO within WebSphere Application Server: Tips on using Kerberos service principal names

I am adding this to my required reading list for projects where Kerberos and SPNEGO are used to deliver desktop Single Sign-On with WebSphere Application Server: -

Summary:  The Simple and Protected GSS-API Negotiation (SPNEGO) trust association interceptor (TAI) in IBM® WebSphere® Application Server V6.1 and in the SPNEGO Web Authentication feature in WebSphere Application Server V7.0 can be a powerful tool to achieve a seamless single sign-on environment between Microsoft® Windows® desktops and WebSphere-based servers. However, some users have trouble configuring service principal names when using SPNEGO. This article describes some best practices for configuring Microsoft Active Directory when using SPNEGO with WebSphere Application Server. (Updated for WebSphere Application Server Versions 6.1 and 7.0.)


This paragraph is especially useful: _

• Users with WebSphere Application Server Version 5.1.1.x and 6.0.x can obtain a custom service offering solution from IBM Software Services for WebSphere (ISSW). This solution comes with the source code, and you maintain the custom code yourself. To obtain more information about the ISSW SPNEGO TAI services offering for WebSphere Application Server V5.1.1 and V6.0, contact IBM Software Services for WebSphere.

• WebSphere Application Server Version 6.1 ships a TAI based upon the ISSW version mentioned above, which is a fully supported product code. However, you do not get the source code with this version.

• WebSphere Application Server V7.0 includes SPNEGO function via a new SPNEGO Web Authentication. (V7.0 still ships, but has deprecated, the SPNEGO TAI.)

as I'd previously assumed that WAS did not include native SPNEGO support until 7.0.0.9. In fact, we shipped SPNEGO in WAS 6.1, but have moved to a new SPNEGO Web Authentication module in v7.

All good stuff …..

Will add this to my existing presentation for WAS and SPNEGO ( as delivered at Social Connections II in Cardiff last year )

Wednesday, 18 April 2012

IBM HTTP Server - WebSphere Plugin - Password to the plugin-key.kdb file expires on April 26, 2012 US EDT

Following on from my earlier post, this is also a related "gotcha".

Password to the plugin-key.kdb file expires on April 26, 2012 US EDT

The password to the plugin-key.kdb file that is shipped with WebSphere Application Server expires on April 26, 2012 US EDT. This file is placed in the [Plugin_Home]/config/{webservername} directory when a web server plug-in is configured on an installed web server.

Again, in my environment, we're OK. Are you ?

Tuesday, 17 April 2012

Argh, Want to get some file info on OSX ? Use GetFileInfo …. if you can find it :-)

Having an interesting conversation with Eric Mack about OSX folders and aliases in Notes, and wanted to check the file permissions for a file that isn't playing ball.

Everything I read on the 'net told me to use GetFileInfo - which is part of the OSX Developer Tools.

So I duly launched the Mac App Store, downloaded the Developer Tools ( all 1.5 GB of it ), and …

I still couldn't find GetFileInfo.

According to the documentation, it should be here: -

/usr/bin/GetFileInfo

but ….. it ain't.

After a quick search: -

$ find / | grep -i getfileinfo

I found it here …..

/Applications/Xcode.app/Contents/Developer/usr/bin/GetFileInfo

A quick symlink later: -

$ sudo ln -s /Applications/Xcode.app/Contents/Developer/usr/bin/GetFileInfo /usr/bin/GetFileInfo

and the job … she is done :-)



IBM Connections - Unpacking IBM Installation Manager on AIX

I "heard' this on the IBM Connections Community Chat on Skype last week, and thought it worthy of sharing here.

One of the participants was seeing this error: -

"The insall executable launcher was unable to locate its companion shared library"

when running install.sh.

After checking pre-requsities, disk space etc. our colleague realised that they'd fallen into an tar on AIX trap.

To quote from the Connections 3.0.1 documentation: -

(AIX only) If you are downloading IBM Installation Manager, the TAR program available by default with AIX does not handle path lengths longer than 100 characters. To overcome this restriction, use the GNU file archiving program instead. This program is an open source package that IBM distributes through the AIX Toolbox for Linux Applications at the IBM AIX Toolbox website. Download and install the GNU-compatible TAR package. You do not need to install the RPM Package Manager because it is provided with AIX.
After you have installed the GNU-compatible TAR program, change to the directory where you downloaded the IBM Connections TAR file, and enter the following command to extract the files from it:

gtar -xvf <Lotus_Connections_wizard>_aix.tar


This is something that I probably knew from my time in the IBM Innovation Centre in Hursley, but it was a good "reminder".

One for the kit bag …..

Monday, 16 April 2012

IBM WebSphere Application Server - Plugin Personal Certificate will expire on April 26, 2012

Does this affect you ?

Abstract

The personal certificate called "WebSphere Plugin Key" within the plugin-key.kdb that is shipped with the WebSphere Plugin install will expire on April 26, 2012.

Content

When the plugin is first installed, it places a copy of the plugin-key.kdb file within the [Plugin_Home]/etc directory. When the plugin is configured to an installed web server, it will pull a copy of this file from the [Plugin_Home]/etc location and place it within the [Plugin_Home]/config/{webservername} directory.

This key file contains a personal certificate that is set to expire by April 26, 2012. Action may be required to maintain encryption between the plugin and application server(s). Please read this documentation carefully to determine if you are affected and what steps may be needed to correct this situation.

I'd strongly recommend that you check this Technote, if you use IBM WebSphere Application Server and the WebSphere Plugin.

In our environment, I used the GSK command, as the IKeyMan GUI was not available to me on my headless Linux boxes: -

$ /opt/IBM/HTTPServer/bin/gsk7cmd -cert -list -db /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin\-key.kdb -pw WebAS

This gave me my cell-level certificate e.g. CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US  which I then checked for expiration as follows: -

Label: CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US
Key Size: 1024 
Version: X509 V3 
Serial Number: 11 FA EF 15 F5 2F E1 18 
Issued by: CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US
Subject: CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US
Valid: From: Thursday, 20 January 2011 12:05:44 o'clock GMT To: Friday, 16 January 2026 12:05:44 o'clock GMT 
Fingerprint: AE:2A:DC:10:6C:4A:18:A3:A0:46:A3:FD:EB:6E:2E:D0:8A:D2:CE:66 
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5) 
Trust Status: enabled 

Just because my environment is OK does NOT mean that yours is …. go check, go check NOW

IBM SmartCloud Meetngs - Where's my Java gone ?

I saw this today: -



and then remembered some advice from a colleague - the most recent OSX Java update  ( there to help get rid of Flashback and other similar Java-delivered malware ) automagically turns off Java, and relies upon you - the user - to turn it back on again.

Job Done :-)

Sunday, 15 April 2012

Handing "“The recipient list is too long" when sending emails to Community members in IBM Connections 3.0.1

This from my colleague, Ben Williams: -

A user was trying to send an email to a community of circa 350 users and was getting the error "The recipient list is too long for the browser to pass to your e-mail client."

The solution is partly related to the maxRecipients parameter, and partly to the Service Integration Bus (SIBUS) configuration.

Want to know more ? Check out Ben's post here.

Hmmm, Changing the WAS and Portal admin users in WP7002 doesn't work :-(

I still haven't got to the bottom of this, but I'm seeing: -

[wplc-validate-user-exists]   Instance attributes (Set 1 of 1):
[wplc-validate-user-exists]     ignoreDuplicateIDs= *** NOT_SPECIFIED ***
[wplc-validate-user-exists]     attribute=[ *** NONE_SPECIFIED *** ]
[wplc-validate-user-exists]     customproperty=[ *** NONE_SPECIFIED *** ]
[wplc-validate-user-exists]     cn="CN=PortalBind,OU=Service"
[wplc-validate-user-exists]     trimSpaces= *** NOT_SPECIFIED ***
[wplc-validate-user-exists] com.ibm.websphere.management.cmdframework.InvalidParameterNameException: ADMF0004E: Invalid parameter name CN for command searchUsers.
[wplc-validate-user-exists]     at com.ibm.websphere.management.cmdframework.provider.AbstractAdminCommand.getParameterMetadata(AbstractAdminCommand.java:1096)
[wplc-validate-user-exists]     at com.ibm.websphere.management.cmdframework.provider.AbstractAdminCommand.isParamReadonly(AbstractAdminCommand.java:1162)
[wplc-validate-user-exists]     at com.ibm.websphere.management.cmdframework.provider

when I run: -

./ConfigEngine.sh wp-change-was-admin-user -DnewAdminId="CN=WASAdminPoc,OU=Service Accounts,OU=Management,DC=ts2,DC=net" -DnewAdminPw=NewPassW0rd -DWasPassword=OldPassW0rd

I'm running WebSphere Portal 7.0.0.2 CF12 on Red Hat Enterprise Linux 6, and the user registry is Microsoft Active Directory 2003.

I''ve dug through the WAS logs, even with tracing enabled, and there's nothing apparent.

I added both the -diagnostics and -debug switches to the ConfigEngine.sh command, but nothing was obvious :-(

I even tried running: -

./UpdateProfile.sh install CF

and: -

./ConfigEngine.sh upgrade-profile

but to no avail.

In the end, I "cheated" by adding: -

-Dskip.ldap.validation=true

to the end of the command: -

./ConfigEngine.sh wp-change-was-admin-user -DnewAdminId="CN=WASAdminPoc,OU=Service Accounts,OU=Management,DC=ts2,DC=net" -DnewAdminPw=NewPassW0rd -DWasPassword=OldPassW0rd

Having done this, the command ran through OK.

However, I'm still not sure why it failed int he first instance, and what: -

ADMF0004E: Invalid parameter name CN for command searchUsers.

actually means.

:-(

Saturday, 14 April 2012

CentOS Linux - Reading AND Writing NTFS

I had a bit of an "Ooops" moment yesterday, when I had  an urgent need to share some virtual machines with a colleague; Active Directory 2003 and DB2 UDB /  IBM Tivoli Directory Integrator.

Having converted them from VirtualBox to VMware ( more on this in another post ), I went to write them to his USB drive ....

Ah, his drive is formatted with NTFS because he uses Windows .....

... and my USB drive is formatted with HFS+ because I use it with Linux and Mac ....

Thankfully, a quick Google search helped me add NTFS support to CentOS: -

RPMforge for CentOS 6.0

$ wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
$ rpm -K rpmforge-release-0.5.2-2.el6.rf.*.rpm
$ rpm -i rpmforge-release-0.5.2-2.el6.rf.*.rpm
$ yum -y install ntfs-3g

I've used NTFS-3G and MacFUSE on the OSX Lion box, but this is the first time I've tried it with CentOS.

Nice one :-)

Friday, 13 April 2012

Create custom installation repositories for WebSphere Application Server with the IBM Packaging Utility

Saw this on the blog of one of my IBM colleagues, Mike Whale, earlier this evening: -

Summary:  IBM WebSphere Application Server V8 uses the IBM Installation Manager for product installation and lifecycle management. IBM Installation Manager accesses source repositories that contain the content for a software product installation. Repositories are available on product media, in IBM-hosted web-based repositories, and from Passport Advantage for download. This article describes a free, no-cost companion tool called IBM Packaging Utility that can help you create and customize enterprise repositories that contain the right combination of products and maintenance levels needed for all aspects of your business.

Rational Application Developer 8 and WebSphere Portal - RAD is not for Theming :-)

We saw these rather helpful dialogue boxes earlier today: -


with the even more friendly message: -

The selected wizard could not be started.
Plug-in "com.ibm.etools.portal.ui" was unable to instantiate class "com.ibm.etools.portal.internal.wizard.portal.PortalProjectWizard".
Array index out of range: -1


when one clicked on the "Details >>>" button.

Thankfully this Technote: -


helped us out: -

Creating a new Portal Project results in "Array index out of range: -1" error

This problem only occurs if you attempt to create a new Portal Project when WebSphere Portal Server v7.0 server is installed on your machine.

It is not possible to create or work with Portal projects targeting IBM WebSphere Portal v7.0 or later.

Future versions of Rational Application Developer will show a more appropriate warning message


and links to the Rational Application Developer Information Centre which goes on to say: -

You cannot create and work with the portal projects targeting IBM® WebSphere Portal V7.0, or later. Use the web-based Site Designing Portlet feature to design portal sites on IBM WebSphere Portal V6.1.5, or later. Follow the instructions in IBM WebSphere Portal 7.0 documentation to migrate portal projects deployed on IBM WebSphere Portal V6.1.x to IBM WebSphere Portal V7.0 before working with your portal site using Site Designing Portlet feature.

The Portal Designer can only be used with portal projects targeting all releases of IBM WebSphere Portal V6.1.

Bottom line, if you are looking to design portlets, use a Portlet Project, if you are looking to design themes, use the Site Designing Portlet. You should also look at WebDav to allow you to manage your theme components ( bearing in mind that we have deployed WebSphere Portal 7.0.0.2 which includes the new PageBuilder 2 theme ).



Thursday, 12 April 2012

DanNotes - Comwell Klarskovgaard, Korsør - May 2/3


It's my great privilege to have been invited to speak at this year's DanNotes conference.

I'm humbled by the speakers with whom I'm co-presenting, and will do my level best to maintain the high standards.

The agenda is being finalised at present, and is here.

My sessions are: -

Wednesday

14.15-15.15 WebSphere administration for Domino admins

Thursday

10.00-11.00 Desktop Single Sign-On in an Active Directory World

There's a plethora of other great topics on offer, including JSF, Tivoli Directory Integrator, XPages, IBM Connections, IBM Sametime, Lotus Notes Traveler, GBS Transformer  etc.

Have you registered ? If so, I look forward to meeting you.

If not, why not ? Get on and register :-)


WebSphere Portal - Migration from v6.1.5 to v7.0.x

At present, this is merely a collection of links, but my main aim is to identify any release notes, Javadocs etc. that describe what, if any, portlets or APIs have been deprecated or significantly changed between WP615 and WP70x.

So far, it's looking good e.g. my developers don't need to worry about code that they're writing on WP615, it'll work on WP7, but they will ( of course ) properly test it :-)












The IBM Portlet API has been deprecated for WebSphere Portal Version 7.0 and later versions, but it is still supported. No new functionality will be added and you should convert portlets based on the IBM Portlet API to the Standard Portlet API when possible. Learn how to convert IBM Portlets to Standard API portlets.



and, last but by no means least, there's Rob Will's excellent presentation from Lotusphere 2012 - ID201 Whats New in IBM WebSphere Portal and IBM Web Content Manager  ( requires a free-to-acquire ID on the IBM Greenhouse from here )

Wednesday, 11 April 2012

ThisWeekInLotus and IBM Connections 3.0.1.1

I'd encourage you to check out the @ThisWeekInLotus podcast, specifically episode 94, where our very own Baan Slavens and Mac Guidera discuss the new features in IBM Connections 3.0.1.1, including the back-end infrastructure changes ( including improved browser support ) and the Mobile updates.

This Week In Lotus is here and episode 94 ( Educating Connections ) is here.

One of the podcast's co-hosts, Stuart McIntyre has also posted a blog post about duplicate HTTP headers in Chrome here.

The 3.0.1.1 fix list is here, and there's also a rather useful Technote covering IBM Connections 3.0.1.1 Administration Command: Preview commands for synchronizing user data here.

Making sense of GSKKM_ERR_ASN

Problem

$ ./gsk7capicmd -cert -add -file /tmp/www.uk.ibm.com.cer -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label www.wcm.uk.ibm.com

Gives this: -

Error: 2

Please refer to the GSKCapiCmd User's Guide
for the meaning of the error.

Error id: GSKKM_ERR_ASN
Details: www.wcm.uk.ibm.com

./gsk7cmd -cert -add -file /tmp/www.uk.ibm.com.cer -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label www.wcm.uk.ibm.com

Gives this: -

The public key of 'www.wcm.uk.ibm.com' is the same as the key of 'wcm_vip_2' in the target keystore.

The key cannot be added unless the duplicate key is removed from the keystore.

Solution

Remove the duplicate key - wcm_vip_2

So this is a good example of when the slower, Java-based gsk7cmd beats the quicker, C-based gsk7capicmd hands down :-)



BM HTTP Server - Lost the stashed password

When IHS fails to start with: -

$ cat error_log

[Wed Apr 11 07:13:17 2012] [crit] SSL0104E: GSK could not initialize, Invalid password for keyfile. 
Configuration Failed

Check that you did not inadvertently delete the stashed password file, typically key.sth

If so, you can recreate the stash file as follows: -

$ cd /opt/IBM/HTTPServer/bin 
$ ./gsk7capicmd -keydb -stashpw -db /opt/IBM/HTTPServer/ssl/key.kdb -pw <PASSWORD>


which results in: -

ls -al /opt/IBM/HTTPServer/ssl/key.sth

-rw------- 1 wasadmin wasgrp 129 Apr 11 07:15 /opt/IBM/HTTPServer/ssl/key.sth

This helped: -

<snip> 
Message:SSL0104E: GSK could not initialize, Invalid password for key file.

    Reason: The password retrieved from the stash file could not open the key database file. 
    Solution: Use IKEYMAN to open the key database file and recreate the password stash file. This problem could also result from a corrupted key database file. Creating a new key database file may resolve the problem.
</snip>

http://www-01.ibm.com/software/webservers/httpservers/doc/v2047/manual/ibm/en_US/9attroub.htm

Monday, 9 April 2012

IBM Lotus Symphony 3.0.1 Fixpack 1 - Now available for the embedded version

Following on from my previous blog post - IBM Lotus Symphony 3.0.1 Fixpack 1 Released - I'm pleased to report that the fix pack has now been released for the Embedded version of Symphony ( that which is embedded in the Lotus Notes client )

IBM Lotus Symphony 3.0.1 Embedded in Lotus Notes Fix Pack 1 for Windows

Lotus_Symphony301_addon_w32_fp1.zip

IBM Lotus Symphony 3.0.1 Embedded in Lotus Notes Fix Pack 1 for MacOSX 

Lotus_Symphony301_addon_mac_fp1.zip

IBM Lotus Symphony 3.0.1 Embedded in Lotus Notes Fix Pack 1 for Ubuntu Linux 

ibm-lotus-symphony-addon-fp1_3.0.1-1lucid1_i386.deb

IBM Lotus Symphony 3.0.1 Embedded in Lotus Notes Fix Pack 1 for Linux


or, for a more refined search of Fix Central, try here.

IBM Connections 3.0.1 - Supported media formats in Media Gallery

Question

What are the supported photo and video formats for Media Gallery in Connections 3.0.1?

Answer

The supported photo formats are the following:

Supported media formats in Media Gallery 

More on adding and extending file systems using Red Hat Enterprise Linux and LVM

This follows on from an earlier blog post: -


Create a new file system for the newly added disk - set as type 8e

$ fdisk /dev/sdb

Dump out the file system listing

$ fdisk -l

Create a new physical volume for the newly added disk - /dev/sdb1

$ pvcreate /dev/sdb1

Show the existing volume groups

vgscan

Extend the existing volume group - vg00 - to include the newly added disk - /dev/sdb1

$ vgextend vg00 /dev/sdb1

Show the existing mounted file systems

$ mount

Show the updated volume group - vg00

$ vgscan

Create a new logical volume

$ lvcreate -L 20G -n ibmVol vg00

Format the new logical volume as ext3

$ mkfs.ext3 /dev/vg00/ibmVol

Update the file system table - /etc/fstab

$ vi /etc/fstab

Mount all available file systems

$ mount -a

List mounted file systems

$ mount

IBM Rational Application Developer and IBM WebSphere Portal - Problems with File Transfer Servlet

I saw this problem on Thursday, and wanted to share the solution.

So, whilst trying to deploy my portlet from Rational Application Developer 8.0.4 IF1 to WebSphere Portal 7.0.0.2 CF12, we saw: -

WKSP0012E "Caller is not in the required role to access restricted document(s)"

in the logs for the portal server ( /opt/IBM/WebSphere/wp_profile/logs/WebSphere_Portal/SystemOut.og ).

Looking at this old WebSphere Portal Express v6 document for inspiration


we concluded that the problem may be security-related.

The document describes how to use a JACL script - redeployFileTransfer.jacl - to correctly configure security for the File Transfer Servlet.

Having checked that we still had the script with WP7: -

$ cd /opt/IBM/WebSphere/AppServer/bin
$ ls -al redeployFileTransfer.jacl

-rwxr-xr-x 1 root root 3918 Apr  5 08:07 redeployFileTransfer.jacl

and made a note of the cell, node and server/instance names: -

Cellname GBEDFTSERH301
Nodename GBEDFTSERH301
Servername WebSphere_Portal

we ran the following wsadmin command to execute the JACL script: -

cd /opt/IBM/WebSphere/AppServer/bin
$ ./wsadmin.sh -conntype NONE -lang jacl -profile redeployFileTransfer.jacl -c "fileTransferAuthenticationOn GBEDFTSERH301 GBEDFTSERH301 WebSphere_Portal"

WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
Uninstall filetransfer -cell GBEDFTSERH301 -node GBEDFTSERH301 -server WebSphere_Portal
ADMA5017I: Uninstallation of filetransfer started.
ADMA5005I: The application filetransfer is configured in the WebSphere Application Server repository.
ADMA5011I: The cleanup of the temp directory for application filetransfer is complete.
ADMA5106I: Application filetransfer uninstalled successfully.
Install /opt/IBM/WebSphere/AppServer/systemApps/filetransferSecured.ear -cell GBEDFTSERH301 -node GBEDFTSERH301 -server WebSphere_Portal -appname filetransfer -usedefaultbindings -nocreateMBeansForResources
ADMA5016I: Installation of filetransfer started.
ADMA5005I: The application filetransfer is configured in the WebSphere Application Server repository.
ADMA5011I: The cleanup of the temp directory for application filetransfer is complete.
ADMA5013I: Application filetransfer installed successfully.


Having undertaken this, we restarted WebSphere Portal: -

$ ~/stopPortal.sh
$ ~/deleteLogs.sh
$ ~/startPortal.sh


and the RAD to Portal deployment worked like a treat.

For the record, here's the WebSphere 7 version of the same document: -




Wednesday, 4 April 2012

IBM Connections not indexing your files ? Check this out ....

Copy Search conversion tools to local nodes to enable full indexing of data.

The Search conversion tools make it possible to index Files and Wiki attachments. However, the conversion tools are initially deployed on a network share so you must copy them to each node in the Search cluster.

If you are performing this task after you have added a node to an existing cluster, as described in the Adding a node to a cluster topic, you need to complete the steps in this task only if the new node is a member of the Search cluster.

Useful as an aide-memoire, when things ain't working :-(

Verify Java SDK version shipped with IBM WebSphere Application Server fix packs

I'm updating my WebSphere <-> Active Directory / SPNEGO slide deck: -



as it's an evolving repository of the knowledge that my team and I have acquired.

Whilst doing so ( and following WebSphere Support on Twitter ), I saw this pop up yesterday: -


Am adding it into my deck, along with a few other goodies :-)

Monday, 2 April 2012

SRVE0209E: Writer already obtained seen using XMLAccess against WebSphere Portal v7 when SPNEGO is configured

When running: -

$ cd /opt/IBM/WebSphere/wp_profile/PortalServer/bin 
 ./xmlaccess.sh -in /opt/IBM/WebSphere/PortalServer/doc/xml\-samples/Export.xml -out /tmp/snafu.xml -url http://portal.uk.ibm.com:10039/wps/config -user WPSAdmin -password Passw0rd

returns: -

SRVE0209E: Writer already obtained

in /tmp/snafu.xml.

This Technote, amongst others, provides a circumvention / solution to this: -

PK64013; 6.1.0.19: provide way to turn off tai authentication
Create a new security Custom Property 

com.ibm.websphere.security.performTAIForUnprotectedURI

set to false ( the default is true ) via Security -> Global security > Custom properties.

Once we did this, and restarted WebSphere Portal, the job was done :-)

Polling and Surveying Widgets in IBM Connections

I saw this referenced on the IBM Connections Community Chat: -

  • CRM contacts. Based on our own CRM product, this widget targets the need to quickly access contact information, regardless of the platform one is currently using. Using type ahead functions, this widget allows fast and effective searching of the CRM database. This widget is available for WebSphere Portal, Lotus Notes and Lotus Connections. And due to the service oriented setup of this widget, it can be easily enhanced to connect to another CRM provider.

  • Profiles Calendar. Tightly tied in the Profiles functionality of Lotus Connections, this widget shows a calendar and all meetings that day of a person next to his or her profile

  • Poll. This widget allows organizations to quickly put up a poll to ask its employees for their opinion

  • Bulletin Board. This widget allows organizations to inform its employees throughout all platforms used by it

  • Quickr Places. This widget shows an overview of all Quickr places which can be navigated, providing links to the documents in Quickr itself

  • Holidays. Based on the holiday application Eniac uses internally as part of a HRM application, this allows employees to see an overview of the amount of days they took off this year, the amount still left and also provides functionality to request a new holiday

The Collaboration Factory

Thanks to Jon M for drawing my attention to this...

Sunday, 1 April 2012

Reminder - installing podman and skopeo on Ubuntu 22.04

This follows on from: - Lest I forget - how to install pip on Ubuntu I had reason to install podman  and skopeo  on an Ubuntu box: - lsb_rel...