Thursday 28 March 2013

Problems with IBM Business Monitor Messaging Engine ( SI Bus ) following a teardown


This post relates to my OWN individual experiences on my OWN personal VMware environment. This is NOT NOT NOT a recipe for everyone; your mileage may vary. If in doubt, PLEASE raise a PMR with IBM Support


Having performed a fresh installation of IBM Business Monitor against Oracle 11g R2 after a "teardown" - where I cleaned up the database objects created the first time around - I noticed that the Messaging Engine cluster ( that hosts the Service Integration Bus ) kept restarting.

When I checked SystemOut.log for the offending cluster member, I found: -

[28/03/13 09:54:01:606 GMT] 0000001b SibMessage    I   [CEI.BAMCELL.BUS:BAMSR01.Messaging.000-CEI.BAMCELL.BUS] CWSIS1538I: The messaging engine, ME_UUID=3D59E737F07528C9, INC_UUID=62A8E276B06B1903, is attempting to obtain an exclusive lock on the data store.
[28/03/13 09:54:01:766 GMT] 0000001c SibMessage    I   [CEI.BAMCELL.BUS:BAMSR01.Messaging.000-CEI.BAMCELL.BUS] CWSIS1545I: A single previous owner was found in the messaging engine's data store, ME_UUID=09BF782E0B664719, INC_UUID=78437FD9A71F6596
[28/03/13 09:54:01:768 GMT] 0000001d SibMessage    I   [MONITOR.BAMCELL.Bus:BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus] CWSIS1545I: A single previous owner was found in the messaging engine's data store, ME_UUID=E2ABE650D061BE5C, INC_UUID=ADD9DFC1AA982A5A
[28/03/13 09:54:01:771 GMT] 0000001c SibMessage    E   [CEI.BAMCELL.BUS:BAMSR01.Messaging.000-CEI.BAMCELL.BUS] CWSIS1535E: The messaging engine's unique id does not match that found in the data store. ME_UUID=3D59E737F07528C9, ME_UUID(DB)=09BF782E0B664719
[28/03/13 09:54:01:784 GMT] 0000001b SibMessage    I   [CEI.BAMCELL.BUS:BAMSR01.Messaging.000-CEI.BAMCELL.BUS] CWSIS1593I: The messaging engine, ME_UUID=3D59E737F07528C9, INC_UUID=62A8E276B06B1903, has failed to gain an initial lock on the data store.

[28/03/13 09:54:01:788 GMT] 0000001a SibMessage    I   [MONITOR.BAMCELL.Bus:BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus] CWSIS1537I: The messaging engine, ME_UUID=E2ABE650D061BE5C, INC_UUID=5634F9A5B06B1901, has acquired an exclusive lock on the data store.

and: -

[28/03/13 09:55:53:555 GMT] 0000000f SibMessage    E   [CEI.BAMCELL.BUS:BAMSR01.Messaging.000-CEI.BAMCELL.BUS] CWSID0046E: Messaging engine BAMSR01.Messaging.000-CEI.BAMCELL.BUS detected an error and cannot continue to run in this server.
[28/03/13 09:55:53:555 GMT] 0000000f HAGroupImpl   I   HMGR0130I: The local member of group IBM_hc=BAMSR01.Messaging,WSAF_SIB_BUS=CEI.BAMCELL.BUS,WSAF_SIB_MESSAGING_ENGINE=BAMSR01.Messaging.000-CEI.BAMCELL.BUS,type=WSAF_SIB has indicated that is it not alive. The JVM will be terminated.
[28/03/13 09:55:53:566 GMT] 0000000f SystemOut     O Panic:component requested panic from isAlive
[28/03/13 09:55:53:567 GMT] 0000000f SystemOut     O java.lang.RuntimeException: emergencyShutdown called:
[28/03/13 09:55:53:567 GMT] 0000000f SystemOut     O    at
[28/03/13 09:55:53:567 GMT] 0000000f SystemOut     O    at
[28/03/13 09:55:53:569 GMT] 0000000f SystemOut     O    at
[28/03/13 09:55:53:569 GMT] 0000000f SystemOut     O    at
[28/03/13 09:55:53:569 GMT] 0000000f SystemOut     O    at$HAGroupUserCallback.doCallback(
[28/03/13 09:55:53:569 GMT] 0000000f SystemOut     O    at
[28/03/13 09:55:53:569 GMT] 0000000f SystemOut     O    at$

The first set of exceptions ( CWSIS1545I and CWSIS1535E ) led me to the solution, aided by this IBM Technote: -


I realised that, when I'd cleaned down the database objects from the previous installation of BAM, I'd neglected to remove the schemas for the Messaging Engine.

In Oracle, I used SQL*Plus: -

sqlplus / as SYSDBA

and ran: -

SQL> select username from dba_users;



This showed the two schema user objects - MONME00 and MONCM00 - which I then removed: -

SQL> drop user MONCM00 cascade;

User dropped.

SQL> drop user MONME00 cascade;

User dropped.

and then restarted the ME cluster member.

This automatically recreated the objects ( this is almost certainly NOT the default behaviour - most DBAs would prefer to have more control over the creation of database objects such as schemas and users ) and the ME came up without exception.

Job done :-)


This post relates to my OWN individual experiences on my OWN personal VMware environment. This is NOT NOT NOT a recipe for everyone; your mileage may vary. If in doubt, PLEASE raise a PMR with IBM Support


Good Decision! Five Useful Technical Patterns for Operational Decision Management

Technical patterns are useful as best practice guides for both selecting and using technology. The technical patterns for IBM Operational Decision Manager (ODM) technology can be divided into two sets, those that align with its business rules capabilities and those that align with the business events capabilities.

1. Complex or Volatile Routing
2. Input Data Validation
3. Data Enrichment and Calculation
4. Data Augmentation of Decision Service Requests
5. Application Modernization

Want to know more ? Then please visit Cheryl Wilson's blog here: -

Wednesday 27 March 2013

Updating IBM Business Process Manager 8

I'm writing this down as I'm going to need it at some point in the future :-)

So here's a Bash script to list the fixes available to me: -

for z in /store/BPM801/Fixes/*.zip 
        echo $z 

and one to list more detail about each fix: -

for z in /store/BPM801/Fixes/*.zip 
        unzip -c $z repository.xml | grep 'information name=' | sed 's/^.\{25\}//' | sed "s/'.*$//g" 

and one to expand a list of fixes to a target directory structure: -

for z in /store/BPM801/Fixes/*.zip 
        unzip $z -d `echo $z |  sed 's/^.\{20\}//' | sed 's/.zip//g'` 

This is how we'd install a single fix: -

/opt/IBM/InstallationManager/eclipse/tools/imcl install -repositories /tmp/BPM801Fixes/ -installationDirectory /opt/IBM/WebSphere/AppServer/

Installed to the /opt/IBM/WebSphere/AppServer directory.

and here's a script to install a whole bunch of fixes: -

for z in /store/BPM801/Fixes/*.zip 
        /opt/IBM/InstallationManager/eclipse/tools/imcl install `unzip -c $z repository.xml | grep 'information name=' | sed 's/^.\{25\}//' | sed "s/'.*$//g"` -repositories /tmp/BPM801Fixes/`echo $z |  sed 's/^.\{20\}//' | sed 's/.zip//g'` -installationDirectory /opt/IBM/WebSphere/AppServer -log ~/$z.txt


and here's how we validated what's installed: -

/opt/IBM/InstallationManager/eclipse/tools/imcl listInstalledPackages

More about Oracle DB ...

Following on from my earlier post about Oracle DB: -

Oracle Database - My First Few Baby Steps .... 

one of my colleagues picked up on my point about starting the SQLPlus application with authentication: -

sqlplus sys/passw0rd@orcl as SYSDBA

by saying: -

"Whenever you use "as sysdba" as a mechanism to log on, Oracle will assume you are logging in using OS level authentication.  As such you don't need to provide a username and password.  This method of logon is only available to a few ....

$export ORACLE_SID=orcl 
$sqlplus / as sysdba

For the above to work, the OS user you are logged on with as you run the above, must be a member of the DBA OS user group.  So how come the way you've logged on works?  Simple, Oracle ignores any credentials provided when you use 'as sysdba'.  So try it, change the username and password to anything and you should still get on ( It's important that someone, usually the sys user, can be authenticated in this manner, i.e. externally to the database, as when the db's shut down, someone needs to be capable of starting the thing up.  As all credentials are only available for querying once the db is up, this would provide a catch 22 situation for db startup.  Not sure what DB2 and SQL Server etc. employ? ).  As for all other 'normal' users, they can't log on to the db until the dba has started the db, by which time the Oracle data dictionary is open and can now be queried for authentication purposes.

The 'create user' command is fine, but it will create a user called 'monitor' which won't be able to effectively log on interactively, but if as I suspect it's a system account, you wouldn't want anyone to log on as that user? If you do want the monitor user to actually be capable of logging on you would grant the user that privilege with 'grant create session to monitor'.  You would normally allocate a default tablespace for the newly created user, otherwise it will use whichever tablespace is defined as the catch all default tablespace which isn't a great idea going forwards as then every user gets thrown in to this catch all tablespace and makes management more difficult.  A newly created standard user would often be created along the lines of ...

    IDENTIFIED BY passw0rd 
    QUOTA 10M ON example 

Clearly one wouldn't expire the password on a system account.  Often a newly created user is simply created using an existing profile which is fit for purpose and the profile would give most of the above and more in one slice."

PS With regard to his comment about DB2, the answer is pretty simple - DB2 "delegates" authentication to the OS, so one can only start the database instance ( or the DAS ) once one has authenticated to the underlying OS e.g. su - db2inst1 -c db2start or su - dasusr1 -c "db2admin start" - in both cases, one will likely need to pass the password for the Unix account.

Tuesday 26 March 2013

IBM Business Monitor and the Dispatcher

As per my previous posts, I've just started to dabble with Oracle 11g R2 as my database for IBM Business Monitor, instead of using DB2 which is my default position.

The installation had been relatively smooth, but I then had an issue with the Cognos Dispatcher which, I was sure, was Oracle-related.

Think again ….

I was seeing: - 31198 2013-03-26 12:00:54.796 +0 pogoStartup na na 0 Thread-54 DISP 6235 1 Audit.Other.dispatcher.DISP.pogo pogo com.cognos.pogo.contentmanager.coordinator.ActiveCMControl Failure <messages><message><messageString>DPR-DPR-1035 Dispatcher detected an error.</messageString></message><message><messageString>DPR-DPR-1004 Expecting a BI Bus XML response but got:   </messageString></message></messages> DPR-CMI-4007 Unable to perform an active Content Manager election on the local IP node. For more information, see the dispatcher and Content Manager detailed logs. Ensure that the local Content Manager service is started.DPR-DPR-1004 Expecting a BI Bus XML response but got: com.cognos.pogo.bibus.CommandExecutionException: DPR-DPR-1004 Expecting a BI Bus XML response but got: at com.cognos.pogo.bibus.BIBusCommand.handleDefaultException( at 

in the cogserver.log after building a new BAM 8011 environment against Oracle 11g R2.

Whilst poking about in cogstartup.xml, I realised that the Dispatcher was sitting on port 9097 rather than 9081: -

$ cat ../configuration/cogstartup.xml | grep

      <crn:item xsi:type="xsd:anyURI" order="0"></crn:item>
      <crn:item xsi:type="xsd:anyURI"></crn:item>
          <crn:item xsi:type="xsd:string"></crn:item>

Given that Monitor/Cognos can't currently access the Dispatcher on an HTTPS port, I'd previously handled this by adding a Virtual Host alias to default_host for port 9081.

Therefore, you can guess the problem ....

Yep, whilst I could access port 9097: -

$ telnet 9097

I was then getting: -

SRVE0255E: A WebGroup/Virtual Host to handle /p2pd has not been defined.

SRVE0255E: A WebGroup/Virtual Host to handle has not been defined.

when I tried to access the Dispatcher via a browser.

Once I added a new alias for 9097, and restarted the Support cluster, I got further forward, but was then seeing: -

Failure SecureErrorId: 2013-03-26-14:23:03.321-#1  Original Error: DPR-ERR-2088 The requested Server Group '' does not exist.  Handler trace back: [the_dispatcher] com.cognos.pogo.handlers.performance.PerformanceIndicationHandler [the_dispatcher] com.cognos.pogo.handlers.logic.ChainHandler [service_lookup] com.cognos.pogo.handlers.engine.ServiceLookupHandler [load_balancer] com.cognos.pogo.handlers.logic.ChainHandler [lb_forwarder] com.cognos.p2plb.clerver.LoadBalanceHandler

Thinking semi-laterally, I re-generated and re-propagated the Plugin, and got even further forward: -


Once I restarted the IHS server, I was in like Flynn


Note that this allows me to access the Dispatched on an HTTPS port ( 9443 in my case ), *BUT* the non-HTTPS port ( now 9097 rather than 9081 ) is required because of a current issue with Monitor/Cognos.

*UPDATE 27/03/2013* I've just completed a new, clean, installation of Monitor, and, quelle surprise, my Dispatcher is back on port 9081, rather than 9097. I'm not too sure what happened; I can only assume that something was hogging 9081 when I did the previous install, meaning that port 9097 was allocated instead. I can't explain it but ....

Monday 25 March 2013

Deployment Environment generation fails to create Business Space tables with an Oracle Common Database

I'm currently installing and configuring IBM Business Monitor against Oracle 11g R2, all on Linux.

I hit the following exception when trying to generate and import a new Deployment Environment: -

25/03/13 20:41:07:936 GMT] 0000002c BSpaceConfigL I BSpaceConfigureDBTask execute CWMO1116I: Using the existing data source with jndi name 'jdbc/mashupDS'.
[25/03/13 20:41:09:528 GMT] 0000002c WBITopologyMg E configureTopology CWLDB9016E: The generation for deployment environment DepEnvBam8011 failed. Reason: CWLDB9014E: The configuration of component WBI_BSPACE failed. Reason java.sql.SQLException: ORA-01435: user does not exist
.. If in doubt, discard the changes and do not save the failed configuration to the master repository.

Thankfully, I quickly picked this Technote ( for IBM WebSphere Enterprise Service Bus ): -

which says, in part: -


This only occurs when the profiles are created based on an Oracle Common Database.

This issue was observed specifically with Oracle 10.2.

Resolving the problem

To work around this issue:

On Step 5. of the Deployment Environment wizard untick the Create Tables box for the Business Space data source and then complete the wizard as normal.

If you want to use Business Space you must then do the following:

1) Locate the Business Space database configuration scripts in (for example in WESB)


2) Copy the scripts to your Oracle database server

3) Run the configBusinessSpaceDB script, providing the appropriate SYSTEM user name and password

4) Restart the deployment manager, all nodes and all servers

Once I followed the circumvention ( unstick the Create Tables box for the Business Space data source ), all was well.


IBM Business Process Manager V8.0 Performance and Tuning Best Practices


This IBM® Redpaper™ publication provides performance tuning tips and best practices for IBM Business Process Manager (BPM) V8.0 (all editions) and IBM Business Monitor V8.0. These products represent an integrated development and runtime environment based on a key set of service-oriented architecture (SOA) and business process management technologies. Such technologies include Service Component Architecture (SCA), Service Data Object (SDO), Business Process Execution Language for Web services (BPEL), and Business Processing Modeling Notation (BPMN).

Both IBM BPM and Business Monitor build on the core capabilities of the IBM WebSphere® Application Server infrastructure. As a result, BPM solutions benefit from tuning, configuration, and best practices information for WebSphere Application Server and the corresponding platform Java Virtual Machines (JVMs).

This paper targets a wide variety of groups, both within IBM (development, services, technical sales, and others) and customers. For customers who are either considering or are in the early stages of implementing a solution incorporating BPM and Business Monitor, this document proves a useful reference. The paper is useful both in terms of best practices during application development and deployment and as a reference for setup, tuning, and configuration information.

This paper introduces many of the issues influencing the performance of each product and can serve as a guide for making rational first choices in terms of configuration and performance settings. Similarly, customers who have already implemented a solution using these products might use the information presented here to gain insight into how their overall integrated solution performance might be improved.

Table of contents

Chapter 1. Overview
Chapter 2. Architecture best practices
Chapter 3. Development best practices
Chapter 4. Performance tuning and configuration
Chapter 5. Initial configuration settings

Oracle Database - My First Few Baby Steps ....

I am just starting to find my feet with Oracle DB, having installed Oracle 11g R2: -

-rw-r--r--@  1 hayd  staff  1239269270 22 Mar 10:16
-rw-r--r--@  1 hayd  staff  1111416131 22 Mar 10:15
Now I knew that I had to set two environment-specific variables, using ~/.bashrc ( in my case ): -

export ORACLE_HOME=~/app/orauser/product/11.2.0/dbhome_1/
export ORACLE_SIDE=orcl

and yet I kept seeing: -

ORA-12162: TNS:net service name is incorrectly specified

when I attempted to access the database using a command such as: -


or: -

$ORACLE_HOME/bin/sqlplus "/as sysdba"

even though I knew that the database was up and running: -

$ORACLE_HOME/bin/tnsping localhost

TNS Ping Utility for Linux: Version - Production on 25-MAR-2013 15:59:37

Copyright (c) 1997, 2009, Oracle.  All rights reserved.

Used parameter files:

Used EZCONNECT adapter to resolve the alias
OK (0 msec)

Can you spot where I went wrong ?

The clue is in the .bashrc script: -

export ORACLE_HOME=~/app/orauser/product/11.2.0/dbhome_1/
export ORACLE_SIDE=orcl

For some reason, ORACLE_SIDE isn't quite as powerful as ORACLE_SID :-)

Once I fixed it and restarted my shell, I was in like Flynn: -

$ORACLE_HOME/bin/sqlplus / as sysdba

SQL*Plus: Release Production on Mon Mar 25 16:37:42 2013

Copyright (c) 1982, 2009, Oracle.  All rights reserved.

Connected to an idle instance.


However, it wasn't all plain sailing - firstly, I was seeing: -

"ORA-27301: OS failure message: No space left on device"

in /home/orauser/app/orauser/product/11.2.0/dbhome_1/startup.log after starting Oracle: -


That was relatively easily fixed, following this blog post: -


As root user, edit the /etc/sysctl.conf file and edit the kernel parameters
# semaphores: semmsl, semmns, semopm, semmni
kernel.sem = 250 32000 100 128

and then run this command

/sbin/sysctl -p

which did the job nicely :-)

Sadly, I'm still seeing: -

ORA-01034: ORACLE not available


$ORACLE_HOME/bin/sqlplus / as sysdba

SQL*Plus: Release Production on Mon Mar 25 16:37:42 2013

Copyright (c) 1982, 2009, Oracle.  All rights reserved.

Connected to an idle instance.

SQL> SELECT name, db_unique_name FROM v$database;

SELECT name, db_unique_name FROM v$database
ERROR at line 1:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0

The trick appeared to be in the message above: -

Connected to an idle instance.

From further Googling, I further adapted my .bashrc to include: -

export ORACLE_HOME=~/app/orauser/product/11.2.0/dbhome_1
export ORACLE_SID=orcl
export ORACLE_HOME_LISTNER=/home/orauser/app/orauser/product/11.2.0/dbhome_1/bin/tnslsnr

and restarted my shell.

This time, it all worked perfectly: -

sqlplus / as sysdba

SQL*Plus: Release Production on Mon Mar 25 17:47:27 2013

Copyright (c) 1982, 2009, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> SELECT name, db_unique_name FROM v$database;

--------- ------------------------------
ORCL   orcl


So, in conclusion, I now have a working Oracle environment.

PS I also worked out how to start the Enterprise Manager (EM): -

/home/orauser/app/orauser/product/11.2.0/dbhome_1/bin/emctl start dbconsole

Oracle Enterprise Manager 11g Database Control Release
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
Starting Oracle Enterprise Manager 11g Database Control ...... started.
Logs are generated in directory /home/orauser/app/orauser/product/11.2.0/dbhome_1/localhost_orcl/sysman/log 


Thanks to this post: -

Auto Start/Shutdown Oracle Database 11g R2 on Linux

for an excellent start/stop/restart script: -

# /etc/rc.d/init.d/oracle
# Description: Starts and stops the Oracle database, listeners and Enterprise Manager
# See how we were called.
case "$1" in
echo "Starting Oracle"
echo "—————————————————-" >> /var/log/oracle
date +"! %T %a %D : Starting Oracle Databases as part of system up." >> /var/log/oracle
echo "—————————————————-" >> /var/log/oracle
echo -n "Starting Oracle Databases: "
su - orauser -c dbstart >> /var/log/oracle
echo "Done."
echo -n "Starting Oracle Listeners: "
su - orauser -c "lsnrctl start" >> /var/log/oracle
echo "Done."
echo -n "Starting Oracle Enterprise Manager: "
su - orauser -c "emctl start dbconsole" >> /var/log/oracle
echo "Done."
echo ""
echo "—————————————————-" >> /var/log/oracle
date +"! %T %a %D : Finished." >> /var/log/oracle
echo "—————————————————-" >> /var/log/oracle
touch /var/lock/subsys/oracle
echo "Shutting Down Oracle"
echo "—————————————————-" >> /var/log/oracle
date +"! %T %a %D : Shutting Down Oracle Databases as part of system down." >> /var/log/oracle
echo "—————————————————-" >> /var/log/oracle
echo -n "Shutting Down Oracle Enterprise Manager: "
su - orauser -c "emctl stop dbconsole" >> /var/log/oracle
echo "Done."
echo -n "Shutting Down Oracle Listeners: "
su - orauser -c "lsnrctl stop" >> /var/log/oracle
echo "Done."
rm -f /var/lock/subsys/oracle
echo -n "Shutting Down Oracle Databases: "
su - orauser -c dbshut >> /var/log/oracle
echo "Done."
echo ""
echo "—————————————————-" >> /var/log/oracle
date +"! %T %a %D : Finished." >> /var/log/oracle
echo "—————————————————-" >> /var/log/oracle
echo "Restarting Oracle"
echo "—————————————————-" >> /var/log/oracle
date +"! %T %a %D : Restarting Oracle Databases as part of system up." >> /var/log/oracle
echo "—————————————————-" >> /var/log/oracle
echo -n "Restarting Oracle Databases: "
su - orauser -c dbshut >> /var/log/oracle
su - orauser -c dbstart >> /var/log/oracle
echo "Done."
echo -n "Restarting Oracle Listeners: "
su - orauser -c "lsnrctl stop" >> /var/log/oracle
su - orauser -c "lsnrctl start" >> /var/log/oracle
echo "Done."
echo -n "Restarting Oracle Enterprise Manager: "
su - orauser -c "emctl stop dbconsole" >> /var/log/oracle
su - orauser -c "emctl start dbconsole" >> /var/log/oracle
echo "Done."
echo ""
echo "—————————————————-" >> /var/log/oracle
date +"! %T %a %D : Finished." >> /var/log/oracle
echo "—————————————————-" >> /var/log/oracle
touch /var/lock/subsys/oracle
echo "Usage: oracle {start|stop|restart}"
exit 1

IBM WebSphere Portal 8.0 Performance Tuning Guide Version 1.1, February 2013

Found this: -

This white paper provides a basis for parameter and application tuning for IBM WebSphere Portal 8.0.

Both tuning and capacity are affected by many factors including the workload scenario and the performance measurement environment. For tuning, the objective of this paper is not necessarily to recommend specific values, but to make readers aware of the parameters used in the Portal performance benchmarks.

Performance tuning is an iterative process. More than one change may be required to reach the desired performance of the system(s) under test. When tuning, it is important to begin with a baseline and monitor performance metrics to determine if any parameters should be changed. When a change is made, another measurement should be made determine the effectiveness of the change. Ideally, only one change should be made between each measurement so the specific benefit of each tuning parameter can be determined.

whilst looking for something completely different.

Friday 22 March 2013

Note to self - limiting the amount of information that IBM HTTP Server returns

I'm thinking about security, as should we all.

By default, IBM HTTP Server ( and, I guess, anything based upon Apache HTTPD ), automatically returns it's version: -

in the HTTP response header ( as evidenced here using Firebug ).

This can be disabled by changing: -

ServerSignature On

to: -

ServerSignature Off

in httpd.conf ( requiring IHS to be restarted ). This works alongside the related directive: -

ServerTokens Prod

However, I still see the same: -

The trick appears to be also add: -

AddServerHeader Off

to http.conf.

The first two directives are more fully explained in the Apache documentation: -

The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, mod_info output, ...). The reason why you would want to enable such a footer line is that in a chain of proxies, the user often has no possibility to tell which of the chained servers actually produced a returned error message.

The Off setting, which is the default, suppresses the footer line (and is therefore compatible with the behavior of Apache-1.2 and below). The On setting simply adds a line with the server version number and ServerName of the serving virtual host, and the EMail setting additionally creates a "mailto:" reference to the ServerAdmin of the referenced document.

After version 2.0.44, the details of the server version number presented are controlled by the ServerTokens directive.

This directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

but the third directive - AddServerHeader - is a new feature, only found in IBM HTTP Server 7.0 and above: -

The Server response-header field contains information about the software used by the origin server to handle the request, sometimes including information about specific modules that are loaded. Some security policies may dictate that such identifying information be removed from all network daemons.

Setting AddServerHeader to off prevents IBM HTTP Server from adding the Server header to outgoing responses.

The value of the outgoing Server header can be logged by adding the string %{Server}o to whichever LogFormat is referenced by your CustomLog directives.

So, in summary, this is what I now have: -

AddServerHeader Off
ServerTokens Prod
ServerSignature Off

with the following result: -

PS I'm using Firebug to get details of the HTTP headers - other equally sweet plugins are available.

For the record, using base Apache 2.2.15 ( as shipped with Red Hat Enterprise Linux 6.3 ), this is what we see by default: -

because we have the default settings of: -

ServerTokens OS
ServerSignature On

in /etc/httpd/conf/httpd.conf.

If we change this to: -

ServerTokens Prod
ServerSignature Off

we only see: -

Sadly, if we try adding: -

AddServerHeader Off

we see: -

Invalid command 'AddServerHeader', perhaps misspelled or defined by a module not included in the server configuration

when starting Apache :-)

See, I did say that it was an IBM addition ...

Thursday 21 March 2013

Aide Memoire - Working with Cognos CACerts in IBM Business Monitor

Listing what we have

$ /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/profiles/BAMN1Profile/cognos/BAMSR011.Support/configuration/signkeypair/jCAKeystore -pw MONITOR -type pkcs12

Importing the WAS certificate

$ /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -add -db /opt/IBM/WebSphere/AppServer/profiles/BAMN1Profile/cognos/BAMSR011.Support/configuration/signkeypair/jCAKeystore -type pkcs12 -file /tmp/wasroot.cert -label WASCERT -pw MONITOR

Exporting the Cognos CA certificate

$ /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -extract -label ca -db /opt/IBM/WebSphere/AppServer/profiles/BAMN1Profile/cognos/BAMSR011.Support/configuration/signkeypair/jCAKeystore -type pkcs12 -pw MONITOR -target /tmp/cognos.cert

Wednesday 20 March 2013

Discovering what's eating my disk space in Linux

With thanks to Wikipedia: -

$ du --max-depth=1 -c -h -x /

12K /.dbus
17M /sbin
78M /etc
0 /proc
1.1G /tmp
4.6G /home
0 /misc
4.4G /usr
5.2G /var
346M /lib
16K /lost+found
0 /dev
72M /root
4.0K /cgroup
6.5K /mnt
7.3G /opt
4.0K /srv
4.0K /boot
4.0K /media
4.0K /selinux
30M /lib64
0 /sys
9.1M /bin
0 /net
23G /
23G total

Now I can see the villain :-)

*UPDATE* 23/03/2013

On  Mac OS X, the answer is: -

$ du -sh *

2.7G    Desktop
 60G    Documents
 24K    DownloadDirector
2.2G    Downloads
 65M    Dropbox
6.2M    IBMERS
1.8G    Library
  0B    Movies
 25G    Music
5.0G    Pictures
8.0K    Public
  0B    SametimeRooms


Using Multitail to view multiple logs, all at the very same time

As I'm going through the motions of installing and running IBM BPM Advanced on Linux, I wanted a way to keep multiple log files open all at the very same time.

I harked back to an episode of This Week In Lotus, on which I appeared back in 2010, when I recommended the use of Multitail for that precise purpose.

I re-visited the Multitail site here - - and, from there, found a link to a set of RPMs that someone has kindly pulled together here. This was the version that I downloaded: -

which I then installed ( as root ): -

$ rpm -ivh multitail-5.2.9-1.el3.rf.x86_64.rpm 

and fired it up against my four individual log files: -

multitail -i /opt/IBM/WebSphere/AppServer/profiles/PCN1Profile/logs/PCSR011.AppTarget/SystemOut.log -i /opt/IBM/WebSphere/AppServer/profiles/PCN1Profile/logs/PCSR011.Messaging/SystemOut.log -i /opt/IBM/WebSphere/AppServer/profiles/PCN1Profile/logs/PCSR011.Support/SystemOut.log -i /opt/IBM/WebSphere/AppServer/profiles/PCN1Profile/logs/PCSR011.WebApp/SystemOut.log 

with the following result: -

One of my colleagues pointed out that I could further reduce the command using a wildcard: -

multitail -i /opt/IBM/WebSphere/AppServer/profiles/BAMN1Profile/logs/BAMSR011.*/SystemOut.log

Tuesday 19 March 2013

ADMG0253E: Matching template default could not be found or is not valid for this server

Note to self.

If you see: -

WASX7017E: Exception received while running file "jython/"; exception information: ADMG0253E: Matching template default could not be found or is not valid for this server.

when attempting to create a WAS cluster: -

AdminTask.createClusterMember('[-clusterName '+clusterName+' -memberConfig [-memberNode '+nodeName+' -memberName '+clusterMemberName+' -memberWeight 2 -genUniquePorts true -replicatorEntry false] -firstMember [-templateName default  -nodeGroup DefaultNodeGroup -coreGroup DefaultCoreGroup]]')

or application server: -

AdminTask.createApplicationServer( nodeName, '[-name '+serverName+' -templateName default  -genUniquePorts true ]')

then change the templateName from default to defaultProcessServer.

For me, this is relevant when I'm adding IBM Operational Decision Manager v8 (IODM or ODM or WODM) to an existing IBM Business Process Manager Advanced v8 (BPM) environment.

Setting static IP addresses for Network Manager

Note to self: -

If you want to set/modify a static IP address for Network Manager ( I'm using Red Hat Enterprise Linux 6.3 ), the relevant configuration file is: -


NAME="Auto eth0"

Saturday 16 March 2013

Problems with IBM Business Process Manager ( Business Space ) following upgrade

Using a clean installation of BPM Advanced, with an existing profile, I installed the fixpack.

All appears to be OK, apart from BusinessSpace, which, merely shows the spinny wheel of death of Mashups pages in Chrome and Firefox: -

when hitting: -

then authenticating ( as tw_admin ), and then being redirected to: -

with the following in SystemOut.log ( WebApp cluster ): -

[3/15/13 5:46:27:886 EDT] 0000002f servlet       I init SRVE0242I: [BSpaceEAR_PCSR01.WebApp] [/BusinessSpace] [URIRouterServlet]: Initialization successful.
[3/15/13 5:46:28:187 EDT] 0000002f ControllerSer I logException A checked exception of type [] occurred during the resolution process, do not log the exception trace to avoid log file spamming. Enable trace logging for [] to log the exceptions. The exception message was: [404: Space not found.]
[3/15/13 5:46:28:189 EDT] 0000002f srt           W addHeader SRVE8094W: WARNING: Cannot set header. Response already committed.
[3/15/13 5:46:28:189 EDT] 0000002f srt           W addHeader SRVE8094W: WARNING: Cannot set header. Response already committed.
[3/15/13 5:46:28:822 EDT] 0000002f ControllerSer I logException A checked exception of type [] occurred during the resolution process, do not log the exception trace to avoid log file spamming. Enable trace logging for [] to log the exceptions. The exception message was: [400: Illegal character in authority at index 7: http://{}mmServerRootId/widget-catalog/templateLayout.xml?pragma=cache&max-age=1209600&cache-scope=public&vary=none&user-context=false]
[3/15/13 5:46:28:823 EDT] 0000002f srt           W addHeader SRVE8094W: WARNING: Cannot set header. Response already committed.
[3/15/13 5:46:28:825 EDT] 0000002f srt           W addHeader SRVE8094W: WARNING: Cannot set header. Response already committed.
[3/15/13 6:09:55:676 EDT] 00000030 ControllerSer I logException A checked exception of type [] occurred during the resolution process, do not log the exception trace to avoid log file spamming. Enable trace logging for [] to log the exceptions. The exception message was: [400: Illegal character in authority at index 7: http://{}mmServerRootId/widget-catalog/templateLayout.xml?pragma=cache&max-age=1209600&cache-scope=public&vary=none&user-context=false]

I tried to fix the problem, by editing: -


from: -

#Fri Mar 15 05:35:38 EDT 2013

to: -

#Fri Mar 15 05:35:38 EDT 2013

fully synchronizing the nodes, and then restarted the WebApp cluster.

This made no difference.

Thankfully, via my extended network, I was referred to the newly minted installation instructions for the fix pack: -
from whence I realised that I'd missed a few steps in the process.

This is what I did: -

Stop Deployment Manager


Stop Node Agent


Upgrade the Cluster Members

$ cd /opt/IBM/WebSphere/AppServer/bin
$ ./ -f ../util/BPMProfileUpgrade.ant -profileName PCDMNODE -Dupgrade=true -Dcluster=PCSR01.AppTarget
$ ./ -f ../util/BPMProfileUpgrade.ant -profileName PCDMNODE -Dupgrade=true -Dcluster=PCSR01.Messaging
$ ./ -f ../util/BPMProfileUpgrade.ant -profileName PCDMNODE -Dupgrade=true -Dcluster=PCSR01.Support
$ ./ -f ../util/BPMProfileUpgrade.ant -profileName PCDMNODE -Dupgrade=true -Dcluster=PCSR01.WebApp

Bootstrap AppTarget cluster DB

$ cd ../profiles/PCDMProfile/bin/
$ /opt/IBM/WebSphere/AppServer/profiles/PCDMProfile/bin/ -clusterName PCSR01.AppTarget

Re-edit the BusinessSpace theme properties file

$ vi /opt/IBM/WebSphere/AppServer/profiles/PCN1Profile/BusinessSpace/PCSR01.WebApp/

from: -


to: -


Start the Node Agent

$ /opt/IBM/WebSphere/AppServer/profiles/PCN1Profile/bin/

Start the Deployment Manager


Start the clusters ( via the WAS ISC )

Once all four clusters were back up and running, I logged in to BusinessSpace, and it's looking exactly as it should: -

I hadn't yet created any spaces, so there's nowt much to see :-)

Sorted :-)

Fix Pack for IBM Business Process Manager, IBM Business Monitor and IBM Integration Designer

Goodies available here: -

Version 8.0.1 Fix Pack 1 for the IBM Business Process Manager products

with the actual fix packs downloadable from IBM Fix Central.

Enjoy :-)

Friday 15 March 2013

Detected kernel config that is incompatible with DB2 NUMA support

If you see: -

$ db2start

03/15/2013 13:57:23     0   0   SQL1042C  An unexpected system error occurred.
SQL1032N  No start database manager command was issued.  SQLSTATE=57019

$ cat /home/db2inst1/sqllib/db2dump/db2diag.log 

2013-03-15- E3499E346           LEVEL: Severe
PID     : 25653                TID  : 140078121195296PROC : db2star2
INSTANCE: db2inst1             NODE : 000
FUNCTION: DB2 UDB, oper system services, sqloKADetermineNUMASupport, probe:50
DATA #1 : <preformatted>
Detected kernel config that is incompatible with DB2 NUMA support.

when attempting to start DB2 9.7 ( with/out fix pack 7 ), it's possible that you've just got an incompatible Linux/kernel combination.

I saw this on a colleague's laptop today. He's running: -

$ cat /etc/redhat-release 

Red Hat Enterprise Linux Workstation release 6.3 (Santiago)

$ uname -a

Linux 2.6.32-279.19.1.el6.x86_64 #1 SMP Wed Nov 28 19:02:25 CET 2012 x86_64 x86_64 x86_64 GNU/Linux

I experimented with: -


following a bunch of IBM Technotes, including this one: -

but to no avail.

In the end, I took the wimp's way out, and installed DB2 10 instead.

There's probably a much simpler answer, but I couldn't work it out ……. and decided to triage my time, rather than spending hours and hours playing hacking working around it.

Thursday 14 March 2013

To script or not to script

One of my colleagues posted this image in response to my post, on Connections: -

Spent an hour writing a Jython script to do something that I can do in the WAS Admin console in about 5 seconds. Why ? 'Cos it's repeatable …..

Tuesday 12 March 2013

More fun with NFS on Red Hat Enterprise Linux

Hot on the heels of my last post: -

Seeing "mount clntudp_create: RPC: Program not registered" when starting NFS on Red Hat Enterprise Linux 

I hit another apparent show-stopper with NFS.

In fact, I hit two problems.

In the first instance, I was seeing: -

$ mount /mnt

mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified

I spent nearly an hour trying to debug this, until inspiration ( and, perhaps, a spot of Google helped ).

Guess what ?

There were bloomin' firewalls running on the two boxes - client and server.

I quickly killed them off: -

$ service iptables stop

iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]

and I then hit my second problem: -

$ mount /mnt

mount.nfs: mounting failed, reason given by server:
  No such file or directory

I re-checked /etc/exports on the NFS server, which read: -

/media/Software *(rw,no_root_squash)

but I was also seeing: -

Mar 12 18:07:47 vhost4288 mountd[26662]: can't stat exported dir /media/Software: No such file or directory

in it's own logs - /var/log/messages.

I then looked again at the actual directory itself: -

$ ls -al /media

only to find that the directory had been miskeyed as: -

total 16
drwxr-xr-x  2 root root 4096 Mar 12 12:26 .
drwxr-xr-x 28 root root 4096 Mar 12 12:26 ..
-rw-r--r--  1 root root    0 Mar 12 12:26 .hal-mtab
lrwxrwxrwx  1 root root   15 Dec 10 08:41 Sotfware -> /data/Software/

Can you spot the obvious error ?

Yep, someone had misspelt Software as Sotfware.

In the end, I just changed /etc/exports to: -

/data/Software *(rw,no_root_squash)

and re-ran my mount command: -

$ mount /mnt

Can you say "Doh!" ? I bet you can ….

Seeing "mount clntudp_create: RPC: Program not registered" when starting NFS on Red Hat Enterprise Linux

This was a classic Doh! moment.

I kept seeing: -

mount clntudp_create: RPC: Program not registered

when I was trying to check the status of my NFS exports: -

$ cat /etc/exports

/media/Software *(rw,no_root_squash)

using the command: -

$ showmount -e

It took me a few minutes to realise why.

NFS wasn't running, as evidenced by: -

$ chkconfig --list | grep -i nfs

nfs             0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock         0:off 1:off 2:off 3:on 4:on 5:on 6:off

I set the service to start at boot-up ( whenever run levels 3, 4 or 5 are started ): -

$ chkconfig --levels 345 nfs on

and validated this: -

$ chkconfig --list | grep -i nfs

nfs             0:off 1:off 2:off 3:on 4:on 5:on 6:off
nfslock         0:off 1:off 2:off 3:on 4:on 5:on 6:off

and then started the service: -

$ service nfs start

Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]

Now I can see my exports: -

$ showmount -e

Export list for vhost4288:
/media/Software *

IBM Redbooks: Building and Implementing a Social Portal

Saw this in a newsletter from my friends at Portal and noted that three of the authors are friends of mine: -

Brian Farbrother is head of the WebSphere technical team within IBM's Premier UK Business Parter, Portal. He is a Solution Architect, specializing in Portals and enterprise collaboration with over 15 years experience in IT. Highly passionate and practically experienced in architecture, strategy, design, development and governance areas, Brian is particularly interested in architecting and implementing enterprise Portal solutions. Since joining Portal, Brian has dedicated his time to both architecting solutions for clients and actively leading teams of architects and developers on client collaboration programmes.

Peter Hood is an experienced IBM Certified IT Specialist originally from Australia. He holds a Masters in Internet and Web Computing from Royal Melbourne Institute of Technology, Melbourne (RMIT). For the past 5 years Peter has been working for IBM Software Group (SWG) in Ireland and the UK, providing technical leadership on collaboration and social technologies within the development and services organisation. With over 15 years of experience in the IT industry, Peter has advised organisations on large integration programs in various industry sectors. He has provided leadership and strategy on general technology architecture, technical consultancy, and led many web based application design and development projects. He has co-authored several IBM Rebooks, IBM WebSphere and Microsoft .NET Interoperability, ISBN/ISSN: 0738495573, and Patterns: Implementing Self-Service in an SOA Environment, ISBN/ISSN: 073849626X. You can reach him at

David Strachan is a Solution Architect in the pan-European IBM Software Services for Collaboration team, based in Edinburgh, UK. He has worked in the software industry for 14 years and held positions at IBM as well as at IBM business partners. He holds a degree from the University of Cambridge. David focusses on Web Experience architecture, bringing together content management, social and portal to deliver exceptional web experiences, and has led large Portal, WCM and Connections deployments at a range of customers. David has been working in this field for more than 10 years and regularly presents on Web Experience topics at IBM conferences.

The guide is divided into the following sections:

•     Introduction to social portal
•     Architecture and technical integration setup
•     Pattern 1: Adding social alongside an existing intranet
•     Pattern 2: Putting social into context
•     Partern 3: Making WCM authoring social

Monday 11 March 2013

Webcast replay: WebSphere Application Server Top Five Performance Topics

Saw this from @IBM_AppServer on Twitter: -

Delivered straight from the source, this presentation looks into the most common performance topics addressed by WebSphere Application Server Level 2 Support. Empowered with this information, you'll be ble to either avoid these particular issues altogether or at the very least expedite resolution.

What's new in IBM Business Process Manager V8

Saw this on Twitter, thanks to @IBM_BPM

Summary:  This article describes the highlights of the newly announced IBM Business Process Manager V8, including a newly redesigned Process Portal, integration with Enterprise Content Management systems, searching and sharing of content between Process Centers, enhanced governance capabilities, and other new features. This content is part of the IBM Business Process Management Journal.

Wednesday 6 March 2013

IBM Business Monitor - Fixing REST Endpoints

If you see this: -

then you probably forgot to set your REST endpoints when you imported your Deployment Environment into your IBM Business Process Manager or IBM Business Monitor environment.

Note the highlighted portion of the URL - this points at the WRONG host :-)

Silly you :-)

Good news, it can be resolved simply using the WAS Integrated Systems Console ( ISC ) and, I imagine, wsadmin.

Here's the ISC route: -

More on the AJAX Proxy

Following on from my earlier posts, I've now discovered, thanks to @WAS_John, how to determine whether the AJAX Proxy config ( proxy-config.xml ) actually made it into my cluster member's configuration.

He explained that the update process: -

wsadmin> AdminTask.updateBlobConfig('[-clusterName BAMSR01.WebApp -propertyFileName "/opt/IBM/WebSphere/AppServer/profiles/BAMDMProfile/BusinessSpace/BAMSR01.WebApp/" -prefix "Mashups_"]')

actually updates resources.xml.

However, I wasn't 100% clear which specific file got updated.

This is how I checked: -

cd /opt/IBM/WebSphere/AppServer/profiles/BAMN1Profile/config/cells

ls -al `find . -name resources.xml`

-rw-r--r-- 1 wasadmin wasadmins  53144 Mar  4 14:18 ./BAMCELL/applications/commsvc.ear/deployments/commsvc/resources.xml
-rw-r--r-- 1 wasadmin wasadmins  51832 Mar  4 14:18 ./BAMCELL/clusters/BAMSR01.AppTarget/resources.xml 
-rw-r--r-- 1 wasadmin wasadmins 135131 Mar  4 14:18 ./BAMCELL/clusters/BAMSR01.Messaging/resources.xml 
-rw-r--r-- 1 wasadmin wasadmins 120465 Mar  4 14:18 ./BAMCELL/clusters/BAMSR01.Support/resources.xml 
-rw-r--r-- 1 wasadmin wasadmins 855651 Mar  6 11:16 ./BAMCELL/clusters/BAMSR01.WebApp/resources.xml 
-rw-r--r-- 1 wasadmin wasadmins  51382 Mar  4 14:04 ./BAMCELL/nodes/BAMNODE1/resources.xml 
-rw-r--r-- 1 wasadmin wasadmins  53783 Mar  4 14:18 ./BAMCELL/nodes/BAMNODE1/servers/BAMSR011.AppTarget/resources.xml 
-rw-r--r-- 1 wasadmin wasadmins  53783 Mar  4 14:18 ./BAMCELL/nodes/BAMNODE1/servers/BAMSR011.Messaging/resources.xml 
-rw-r--r-- 1 wasadmin wasadmins  53783 Mar  4 14:18 ./BAMCELL/nodes/BAMNODE1/servers/BAMSR011.Support/resources.xml 
-rw-r--r-- 1 wasadmin wasadmins  53783 Mar  4 14:18 ./BAMCELL/nodes/BAMNODE1/servers/BAMSR011.WebApp/resources.xml 
-rw-r--r-- 1 wasadmin wasadmins 200966 Mar  4 14:14 ./BAMCELL/resources.xml

Note that I have highlighted the file that changed most recently.

view ./BAMCELL/clusters/BAMSR01.WebApp/resources.xml

 <resourceProperties xmi:id="J2EEResourceProperty_1362406193149" name="proxy-config.xml" value="&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?>&lt;!-- ***************************************************************** -->&lt;!-- Licensed Materials - Property of IBM                              -->&lt;!-- 5724-L01, 5655-N53, 5724-I82, 5655-R15                            -->&lt;!-- (C) Copyright IBM Corporation 2006, 2012. All rights reserved.    -->&lt;!-- US Government Users Restricted Rights - Use, duplication or       -->&lt;!-- disclosure restricted by GSA ADP Schedule Contract with           -->&lt;!-- IBM Corp.                                                          -->&lt;!-- ***************************************************************** -->&lt;proxy:proxy-rules xmlns:xsi=&quot;" xmlns:proxy="">&#x9;&lt;proxy:mapping contextpath=&quot;/proxy/*&quot;/>  &#x9;&lt;proxy:policy url=&quot;endpoint://*&quot; acf=&quot;none&quot; basic-auth-support=&quot;true&quot;>&#x9;&#x9;&lt;proxy:actions>&#x9;&#x9;&#x9;&lt;proxy:method>GET&lt;/proxy:method>&#x9;&#x9;&#x9;&lt;proxy:method>POST&lt;/proxy:method>&#x9;&#x9;&#x9;&lt;proxy:method>PUT&lt;/proxy:method>&#x9;&#x9;&#x9;&lt;proxy:method>DELETE&lt;/proxy:method>&#x9;&#x9;&lt;/proxy:actions>&#x9;&#x9;&lt;proxy:headers>&#x9;&#x9;&#x9;&lt;proxy:header>Cache-Control&lt;/proxy:header>&#x9;&#x9;&#x9;&lt;proxy:header>Pragma&lt;/proxy:header>&#x9;&#x9;&#x9;&lt;proxy:header>User-Agent&lt;/proxy:header>&#x9;&#x9;&#x9;&lt;proxy:header>Accept*&lt;/proxy:header>&#x9;&#x9;&#x9;&lt;proxy:header>Content*&lt;/proxy:header>&#x9;&#x9;&#x9;&lt;proxy:header>X-Method-Override&lt;/proxy:header>&#x9;&#x9;&#x9;&lt;proxy:header>X-HTTP-Method-Override&lt;/proxy:header>&#x9;&#x9;&#x9;&lt;proxy:header>If-Match&lt;/proxy:header>&#x9;&#x9;&#x9;&lt;proxy:header>If-None-Match&lt;/proxy:header>&#x9;&#x9;&#x9;&lt;proxy:header>If-Modified-Since&lt;/proxy:header>&#x9;&#x9;&#x9;&lt;proxy:header>If-Unmodified-Since&lt;/proxy:header>&#x9;&#x9;&#x9;&lt;proxy:header>Slug&lt;/proxy:header>&#x9;&#x9;&#x9;&lt;proxy:header>SOAPAction&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;&lt;/proxy:headers>&#x9;&#x9;&lt;proxy:cookies>&#x9;&#x9;&#x9;&lt;proxy:cookie>LtpaToken&lt;/proxy:cookie>&#x9;&#x9;&#x9;&lt;proxy:cookie>LtpaToken2&lt;/proxy:cookie> &#x9;&#x9;&#x9;&lt;proxy:cookie>JSESSIONID&lt;/proxy:cookie>&#x9;&#x9;&#x9;&#x9;&#x9;&lt;/proxy:cookies>&#x9;&lt;/proxy:policy>&#x9;&lt;proxy:policy url=&quot;*" acf=&quot;none&quot; basic-auth-support=&quot;true&quot;>&#x9;&#x9;&lt;proxy:actions>&#x9;&#x9;&#x9;&lt;proxy:method>GET&lt;/proxy:method>&#x9;&#x9;&lt;/proxy:actions>&#x9;&lt;/proxy:policy>&#x9;&lt;proxy:policy url=&quot;*" acf=&quot;none&quot; basic-auth-support=&quot;true&quot;>&#x9;&#x9;&lt;proxy:actions>&#x9;&#x9;&#x9;&lt;proxy:method>GET&lt;/proxy:method>&#x9;&#x9;&lt;/proxy:actions>&#x9;&lt;/proxy:policy>&#x9;&lt;proxy:policy url=&quot;*" acf=&quot;none&quot; basic-auth-support=&quot;true&quot;>&#x9;&#x9;&lt;proxy:actions>&#x9;&#x9;&#x9;&lt;proxy:method>GET&lt;/proxy:method>&#x9;&#x9;&lt;/proxy:actions>&#x9;&lt;/proxy:policy>&#x9;&#x9;&lt;proxy:policy url=&quot;*"  acf=&quot;none&quot; basic-auth-support=&quot;true&quot;>&#x9;&#x9;&lt;proxy:actions>&#x9;&#x9;&#x9;&lt;proxy:method>GET&lt;/proxy:method>&#x9;&#x9;&lt;/proxy:actions>&#x9;&lt;/proxy:policy>&#x9;    &lt;proxy:mapping contextpath=&quot;/cognosProxy/*&quot;>&#x9;   &lt;proxy:policy url=&quot;endpoint://*&quot; acf=&quot;none&quot; basic-auth-support=&quot;true&quot;>&#x9;&#x9;&#x9;&lt;proxy:actions>&#x9;&#x9;&#x9;&#x9;&lt;proxy:method>GET&lt;/proxy:method>&#x9;&#x9;&#x9;&#x9;&lt;proxy:method>POST&lt;/proxy:method>&#x9;&#x9;&#x9;&#x9;&lt;proxy:method>PUT&lt;/proxy:method>&#x9;&#x9;&#x9;&#x9;&lt;proxy:method>DELETE&lt;/proxy:method>&#x9;&#x9;&#x9;&lt;/proxy:actions>&#x9;&#x9;&#x9;&lt;proxy:headers>&#x9;&#x9;&#x9;&#x9;&lt;proxy:header>Cache-Control&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&lt;proxy:header>Pragma&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&lt;proxy:header>User-Agent&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&lt;proxy:header>Accept*&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&lt;proxy:header>Content*&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&lt;proxy:header>X-Method-Override&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&lt;proxy:header>X-HTTP-Method-Override&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&lt;proxy:header>If-Match&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&lt;proxy:header>If-None-Match&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&lt;proxy:header>If-Modified-Since&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&lt;proxy:header>If-Unmodified-Since&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&lt;proxy:header>Slug&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&lt;proxy:header>SOAPAction&lt;/proxy:header>&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;&lt;/proxy:headers>&#x9;&#x9;&#x9;&lt;proxy:cookies>&#x9;&#x9;&#x9;&#x9;&lt;proxy:cookie>LtpaToken&lt;/proxy:cookie>&#x9;&#x9;&#x9;&#x9;&lt;proxy:cookie>LtpaToken2&lt;/proxy:cookie> &#x9;&#x9;&#x9;&#x9;&lt;proxy:cookie>JSESSIONID&lt;/proxy:cookie>&#x9;&#x9;&#x9;&#x9;&lt;proxy:cookie>CRN&lt;/proxy:cookie>&#x9;&#x9;&#x9;&#x9;&lt;proxy:cookie>caf&lt;/proxy:cookie>&#x9;&#x9;&#x9;&#x9;&lt;proxy:cookie>cam_passport&lt;/proxy:cookie>&#x9;&#x9;&#x9;&#x9;&lt;proxy:cookie>cc_session&lt;/proxy:cookie>&#x9;&#x9;&#x9;&#x9;&lt;proxy:cookie>userCapabilities&lt;/proxy:cookie>&#x9;&#x9;&#x9;&#x9;&lt;proxy:cookie>usersessionid&lt;/proxy:cookie>&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;&lt;/proxy:cookies>&#x9;    &lt;/proxy:policy>        &lt;proxy:meta-data>            &lt;proxy:name>use-context-path-for-cookies&lt;/proxy:name>            &lt;proxy:value>true&lt;/proxy:value>        &lt;/proxy:meta-data>    &lt;/proxy:mapping>&#x9;&#x9;&lt;proxy:meta-data>&#x9;&#x9;&lt;proxy:name>socket-timeout&lt;/proxy:name>&#x9;&#x9;&lt;proxy:value>30000&lt;/proxy:value>&#x9;&lt;/proxy:meta-data>&#x9;&lt;proxy:meta-data>&#x9;&#x9;&lt;proxy:name>connection-timeout&lt;/proxy:name>&#x9;&#x9;&lt;proxy:value>30000&lt;/proxy:value>&#x9;&lt;/proxy:meta-data>&#x9;&#x9;&lt;proxy:meta-data>&#x9;&#x9;&lt;proxy:name>retries&lt;/proxy:name>&#x9;&#x9;&lt;proxy:value>2&lt;/proxy:value>&#x9;&lt;/proxy:meta-data>&#x9;&lt;proxy:meta-data>&#x9;&#x9;&lt;proxy:name>max-connections-per-host&lt;/proxy:name>&#x9;&#x9;&lt;proxy:value>10&lt;/proxy:value>&#x9;&lt;/proxy:meta-data>&#x9;&lt;proxy:meta-data>&#x9;&#x9;&lt;proxy:name>max-total-connections&lt;/proxy:name>&#x9;&#x9;&lt;proxy:value>200&lt;/proxy:value>&#x9;&lt;/proxy:meta-data>&#x9;&lt;proxy:meta-data>&#x9;&#x9;&lt;proxy:name>unsigned_ssl_certificate_support&lt;/proxy:name>&#x9;&#x9;&lt;proxy:value>false&lt;/proxy:value>&#x9;&lt;/proxy:meta-data>&#x9;&lt;proxy:meta-data>&#x9;&#x9;&lt;proxy:name>forward-http-errors&lt;/proxy:name>&#x9;&#x9;&lt;proxy:value>true&lt;/proxy:value>&#x9;&lt;/proxy:meta-data>&lt;/proxy:proxy-rules>" description="Automatically generated! Do not change the value here! Please use the according file in the config directory and rerun the update task!" required="false"/>

Note that I've highlighted the property that I had previously changed - unsigned_ssl_certificate_support=false.

Nice one, John

Note to self - use kubectl to query images in a pod or deployment

In both cases, we use JSON ... For a deployment, we can do this: - kubectl get deployment foobar --namespace snafu --output jsonpath="{...