Tuesday, 30 April 2013

IBM Business Process Manager 8.5 - It's Announced


This product version includes the following enhancements:

• Simplified IBM Business Process Manager installation, configuration, migration, and administration processes to help reduce the time and effort required to set up, manage, and expand IBM Business Process Manager environments
• Significant enhancements to the IBM Business Process Manager built-in dashboards to help improve business process outcomes and enable the creation of custom dashboards
• New internal repository to enable a consistent method for storing document attachments, both internally and externally, using standard Content Management Interoperability Services (CMIS) interfaces
• New methods of Team definition, including service-based Team resolution and first-class support for Team managers
• Improved collaboration, communications, and change tracking between business process stakeholders using IBM Blueworks Live and implementation teams using IBM Business Process Manager
• Enhanced security capabilities for web services and support for SOAP headers in the IBM Business Process Manager Standard run time
• Entitlement to the IBM Worklight Enterprise Edition for Nonproduction Environment product to help accelerate the development of IBM Business Process Manager applications on mobile devices

IBM® Business Process Manager ( IBM BPM) V8.5 is an update to the IBM comprehensive and consumable BPM platform that delivers enhanced visibility and management of your business processes. IBM BPM V8.5:

• Simplifies the installation, configuration, and administration of your IBM BPM server environments, with a streamlined user interface and new powerful scripting options
• Includes the next generation of process performance dashboards with better visualization and the same social collaboration capabilities found in the Process Portal, such as activity streams and real-time access to experts
• Keeps "live" reference links to IBM Blueworks Live™ process documents that are relevant to a Business Process Diagram
• Includes an entitlement to IBM Worklight Enterprise Edition for Nonproduction Environment
• Includes WebSphere® Application Server Network Deployment V8.5

The announcement letter is here: -


Note: These products will be generally available on June 14, 2013.

Knowledge Collection: Troubleshooting documents for IBM Business Monitor

Abstract

This Knowledge Collection is a focused compilation of links to documents for troubleshooting.

Content

A Knowledge Collection is a focused compilation of links to documents that share a common theme. Knowledge Collections are navigation aids that organize content to help users quickly find relevant information. Knowledge Collections are not designed to be an all-inclusive list of all documents dealing with the specific theme.

Note to Self - Java Runtime Environment and Mozilla Firefox on 64-bit Red Hat Linux

(1) Download the JRE from here ( assuming that you're happy to use the Oracle JRE ): -



I chose the Linux x64 RPM from the above list: -


(2) Install the RPM: -

$ rpm -ivh jre-7u21-linux-x64.rpm

(3) Create a symbolic link to the plugin: -

( for non-root user e.g. wasadmin )

$ ln -s /usr/java/jre1.7.0_21/lib/amd64/libnpjp2.so /home/wasadmin/.mozilla/plugins/

( for root )

$ mkdir ~/.mozilla/plugins
ln -s /usr/java/jre1.7.0_21/lib/amd64/libnpjp2.so ~/.mozilla/plugins

(4) Restart Firefox

(5) Test Java


(6) Have a nice soothing cup of camomile tea ….

Friday, 26 April 2013

WebSphere Application Server, the Service Integration Bus, CWSIS1501E and ORA-28000: the account is locked

I was trying to work out why my two Service Integration (SI) buses were failing to start up. My back-end database is Oracle 11g R2, with which I'm slowly becoming familiar.

I could see: -

[4/25/13 19:28:15:752 BST] 00000013 SibMessage    I   [MONITOR.BAMCELL.Bus:BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus] CWSID0016I: Messaging engine BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus is in state Starting.
[4/25/13 19:28:15:753 BST] 00000012 SibMessage    I   [CEI.BAMCELL.BUS:BAMSR01.Messaging.000-CEI.BAMCELL.BUS] CWSID0016I: Messaging engine BAMSR01.Messaging.000-CEI.BAMCELL.BUS is in state Starting.


but the Messaging Engines associated with each bus never completed starting, eventually failing to do so with: -

[4/25/13 19:43:17:590 BST] 00000013 SibMessage    E   [MONITOR.BAMCELL.Bus:BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus] CWSIS0002E: The messaging engine encountered an exception while starting. Exception: com.ibm.ws.sib.msgstore.PersistenceException: CWSIS1501E: The data source has produced an unexpected exception: java.sql.SQLException: ORA-28000: the account is locked
 DSRA0010E: SQL State = 99999, Error Code = 28,000

[4/25/13 19:43:17:662 BST] 00000013 SibMessage    E   [MONITOR.BAMCELL.Bus:BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus] CWSID0035E: Messaging engine BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus cannot be started; detected error reported during com.ibm.ws.sib.msgstore.impl.MessageStoreImpl start()
[4/25/13 19:43:17:664 BST] 00000013 SibMessage    E   [MONITOR.BAMCELL.Bus:BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus] CWSID0027E: Messaging engine BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus cannot be restarted because a serious error has been reported.
[4/25/13 19:43:17:665 BST] 00000013 SibMessage    I   [MONITOR.BAMCELL.Bus:BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus] CWSID0016I: Messaging engine BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus is in state Stopped.
[4/25/13 19:43:17:667 BST] 00000013 SibMessage    I   [MONITOR.BAMCELL.Bus:BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus] CWSID0016I: Messaging engine BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus is in state Joined.
[4/25/13 19:43:17:668 BST] 00000013 SibMessage    E   [MONITOR.BAMCELL.Bus:BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus] CWSID0039E: HAManager-initiated activation has failed, messaging engine BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus will be disabled. Reason Refer to earlier messages


and: -

[4/25/13 19:43:17:724 BST] 00000012 SibMessage    E   [CEI.BAMCELL.BUS:BAMSR01.Messaging.000-CEI.BAMCELL.BUS] CWSIS0002E: The messaging engine encountered an exception while starting. Exception: com.ibm.ws.sib.msgstore.PersistenceException: CWSIS1501E: The data source has produced an unexpected exception: java.sql.SQLException: ORA-28000: the account is locked
 DSRA0010E: SQL State = 99999, Error Code = 28,000

[4/25/13 19:43:17:777 BST] 00000012 SibMessage    E   [CEI.BAMCELL.BUS:BAMSR01.Messaging.000-CEI.BAMCELL.BUS] CWSID0035E: Messaging engine BAMSR01.Messaging.000-CEI.BAMCELL.BUS cannot be started; detected error reported during com.ibm.ws.sib.msgstore.impl.MessageStoreImpl start()
[4/25/13 19:43:17:778 BST] 00000012 SibMessage    E   [CEI.BAMCELL.BUS:BAMSR01.Messaging.000-CEI.BAMCELL.BUS] CWSID0027E: Messaging engine BAMSR01.Messaging.000-CEI.BAMCELL.BUS cannot be restarted because a serious error has been reported.
[4/25/13 19:43:17:781 BST] 00000012 SibMessage    I   [CEI.BAMCELL.BUS:BAMSR01.Messaging.000-CEI.BAMCELL.BUS] CWSID0016I: Messaging engine BAMSR01.Messaging.000-CEI.BAMCELL.BUS is in state Stopped.
[4/25/13 19:43:17:782 BST] 00000012 SibMessage    I   [CEI.BAMCELL.BUS:BAMSR01.Messaging.000-CEI.BAMCELL.BUS] CWSID0016I: Messaging engine BAMSR01.Messaging.000-CEI.BAMCELL.BUS is in state Joined.
[4/25/13 19:43:17:783 BST] 00000012 SibMessage    E   [CEI.BAMCELL.BUS:BAMSR01.Messaging.000-CEI.BAMCELL.BUS] CWSID0039E: HAManager-initiated activation has failed, messaging engine BAMSR01.Messaging.000-CEI.BAMCELL.BUS will be disabled. Reason Refer to earlier messages


When I looked at SQL script that I'd used to create the two Oracle schemas ( schemae ? ) and the corresponding database tables etc, I immediately saw the problem: -

CREATE USER MONCM00 IDENTIFIED BY passw0rd DEFAULT TABLESPACE USERS
QUOTA UNLIMITED ON USERS ACCOUNT LOCK;

CREATE USER MONCE00 IDENTIFIED BY passw0rd DEFAULT TABLESPACE USERS
QUOTA UNLIMITED ON USERS ACCOUNT LOCK;


which was easy to resolve: -

$ sqlplus / as sysdba;
SQL> alter user MONCM00 account unlock;
SQL> grant connect, resource to MONCM00;
SQL> alter user MONCE00 account unlock;
SQL> grant connect, resource to MONCE00;
SQL> quit

To be clear, I have two SI Buses: -

CEI.BAMCELL.BUS Common event infrastructure bus  
MONITOR.BAMCELL.Bus Bus for Business Monitor  

each of which has a corresponding Messaging Engine: -

BAMSR01.Messaging.000-CEI.BAMCELL.BUS
BAMSR01.Messaging.000-MONITOR.BAMCELL.Bus  

Each Messaging Engine has a corresponding Message Store ( a set of Oracle database tables "owned" by a schema / user ).

Here's the final picture: -

Bus Description Messaging Engine Schema

CEI.BAMCELL.BUS Common event infrastructure bus   BAMSR01.Messaging.000-CEI.BAMCELL.BUS MONCM00
MONITOR.BAMCELL.Bus Bus for Business Monitor   BAMSR01.Messaging.000-CEI.BAMCELL.BUS  MONCE00

I generated the SQL for the schemas as follows: -

/opt/IBM/WebSphere/AppServer/bin/sibDDLGenerator.sh -system oracle -version 11g -platform unix -schema MONCM00 -statementend ";" >> ~/createMESchemas.sql
/opt/IBM/WebSphere/AppServer/bin/sibDDLGenerator.sh -system oracle -version 11g -platform unix -schema MONCE00 -statementend ";" >> ~/createMESchemas.sql


That was the command that generated the aforementioned CREATE USER commands, thus locking the users.

On a related note, I also saw: -

[4/25/13 20:41:52:045 BST] 00000013 SibMessage    E   [CEI.BAMCELL.BUS:BAMSR01.Messaging.000-CEI.BAMCELL.BUS] CWSIS0002E: The messaging engine encountered an exception while starting. Exception: com.ibm.ws.sib.msgstore.PersistenceException: CWSIS1501E: The data source has produced an unexpected exception: java.sql.SQLException: ORA-01045: user MONCE00 lacks CREATE SESSION privilege; logon denied
 DSRA0010E: SQL State = 72000, Error Code = 1,045


which I resolved with: -

$ sqlplus / as SYSDBA
SQL>  grant create session to MONCE00;  
SQL>  grant create session to MONCM00;
SQL>  quit




Thursday, 25 April 2013

Slow but steady success with Oracle 11g R2

I'm on my second installation of Oracle 11g R2, having previously installed it using the GUI.

This time around I've used a response file to install the product ( see below )via the command: -

./runInstaller -silent -responseFile response/db_install.rsp

and all seems OK so far.

I did hit a few challenges: -

(i) I don't appear to have the oracle_env.sh script anywhere on my box, meaning that the ORACLE_HOME and ORACLE_SID aren't set up.

I manually created the script: -

oracle_env.sh

ORACLE_HOME=/home/oracle/app/oracle/product/11.2.0/dbhome_1/
export ORACLE_HOME
ORACLE_SID=orcl
export ORACLE_SID
PATH=$ORACLE_HOME/bin:$PATH
export PATH
if [ $?LD_LIBRARY_PATH ]
then
        LD_LIBRARY_PATH=$ORACLE_HOME/lib:$LD_LIBRARY_PATH
else
        LD_LIBRARY_PATH=$ORACLE_HOME/lib
fi
export LD_LIBRARY_PATH


and added it into my .bashrc so that it gets executed each time I log in: -

source ~/oracle_env.sh

(ii) the SQL*Plus tool wouldn't connect to the SID. When I ran: -

sqlplus / as SYSDBA

I would see: -

SQL*Plus: Release 11.2.0.1.0 Production on Thu Apr 25 13:41:40 2013

Copyright (c) 1982, 2009, Oracle.  All rights reserved.

Connected to an idle instance.


Thankfully Google quickly came to my aid: -


which pointed out that I'd set ORACLE_HOME to: -

ORACLE_HOME=/home/oracle/app/oracle/product/11.2.0/dbhome_1/

rather than: -

ORACLE_HOME=/home/oracle/app/oracle/product/11.2.0/dbhome_1

The trailing slash ( / ) makes all the difference :-)

Once I updated oracle_env.sh and restarted my shell, I was able to access the SID: -

SQL*Plus: Release 11.2.0.1.0 Production on Thu Apr 25 13:52:11 2013

Copyright (c) 1982, 2009, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

which, I think you'll agree, is far far better.

Nice :-)

PS With thanks to Simmo for his ongoing Oracle support :-)

db_install.rsp

####################################################################
## Copyright(c) Oracle Corporation 1998,2008. All rights reserved.##
##                                                                ##
## Specify values for the variables listed below to customize     ##
## your installation.                                             ##
##                                                                ##
## Each variable is associated with a comment. The comment        ##
## can help to populate the variables with the appropriate        ##
## values.                              ##
##                                                                ##
## IMPORTANT NOTE: This file contains plain text passwords and    ##
## should be secured to have read permission only by oracle user  ##
## or db administrator who owns this installation.                ##
##                                                                ##
####################################################################

#------------------------------------------------------------------------------
# Do not change the following system generated value.
#------------------------------------------------------------------------------
oracle.install.responseFileVersion=/oracle/install/rspfmt_dbinstall_response_schema_v11_2_0

#------------------------------------------------------------------------------
# Specify the installation option.
# It can be one of the following:
# 1. INSTALL_DB_SWONLY
# 2. INSTALL_DB_AND_CONFIG
# 3. UPGRADE_DB
#-------------------------------------------------------------------------------
oracle.install.option=INSTALL_DB_AND_CONFIG

#-------------------------------------------------------------------------------
# Specify the hostname of the system as set during the install. It can be used
# to force the installation to use an alternative hostname rather than using the
# first hostname found on the system. (e.g., for systems with multiple hostnames
# and network interfaces)
#-------------------------------------------------------------------------------
ORACLE_HOSTNAME=bam8011.uk.ibm.com

#-------------------------------------------------------------------------------
# Specify the Unix group to be set for the inventory directory. 
#-------------------------------------------------------------------------------
UNIX_GROUP_NAME=oracle

#-------------------------------------------------------------------------------
# Specify the location which holds the inventory files.
#-------------------------------------------------------------------------------
INVENTORY_LOCATION=/home/oracle/app/oraInventory

#-------------------------------------------------------------------------------
# Specify the languages in which the components will be installed.            
#
# en   : English                  ja   : Japanese                 
# fr   : French                   ko   : Korean                   
# ar   : Arabic                   es   : Latin American Spanish   
# bn   : Bengali                  lv   : Latvian                  
# pt_BR: Brazilian Portuguese     lt   : Lithuanian               
# bg   : Bulgarian                ms   : Malay                    
# fr_CA: Canadian French          es_MX: Mexican Spanish          
# ca   : Catalan                  no   : Norwegian                
# hr   : Croatian                 pl   : Polish                   
# cs   : Czech                    pt   : Portuguese               
# da   : Danish                   ro   : Romanian                 
# nl   : Dutch                    ru   : Russian                  
# ar_EG: Egyptian                 zh_CN: Simplified Chinese       
# en_GB: English (Great Britain)  sk   : Slovak                   
# et   : Estonian                 sl   : Slovenian                
# fi   : Finnish                  es_ES: Spanish                  
# de   : German                   sv   : Swedish                  
# el   : Greek                    th   : Thai                     
# iw   : Hebrew                   zh_TW: Traditional Chinese      
# hu   : Hungarian                tr   : Turkish                  
# is   : Icelandic                uk   : Ukrainian                
# in   : Indonesian               vi   : Vietnamese               
# it   : Italian                                                  
#
# Example : SELECTED_LANGUAGES=en,fr,ja
#------------------------------------------------------------------------------
SELECTED_LANGUAGES=en,en_GB

#------------------------------------------------------------------------------
# Specify the complete path of the Oracle Home.
#------------------------------------------------------------------------------
ORACLE_HOME=/home/oracle/app/oracle/product/11.2.0/dbhome_1

#------------------------------------------------------------------------------
# Specify the complete path of the Oracle Base.
#------------------------------------------------------------------------------
ORACLE_BASE=/home/oracle/app/oracle

#------------------------------------------------------------------------------
# Specify the installation edition of the component.                       
#                                                            
# The value should contain only one of these choices.       
# EE     : Enterprise Edition                               
# SE     : Standard Edition                                 
# SEONE  : Standard Edition One
# PE     : Personal Edition (WINDOWS ONLY)
#------------------------------------------------------------------------------
oracle.install.db.InstallEdition=EE

#------------------------------------------------------------------------------
# This variable is used to enable or disable custom install.
#
# true  : Components mentioned as part of 'customComponents' property
#         are considered for install.
# false : Value for 'customComponents' is not considered.
#------------------------------------------------------------------------------
oracle.install.db.isCustomInstall=false

#------------------------------------------------------------------------------
# This variable is considered only if 'IsCustomInstall' is set to true.
#
# Description: List of Enterprise Edition Options you would like to install.
#
#              The following choices are available. You may specify any
#              combination of these choices.  The components you choose should
#              be specified in the form "internal-component-name:version"
#              Below is a list of components you may specify to install.
#       
#              oracle.rdbms.partitioning:11.2.0.1.0 - Oracle Partitioning
#              oracle.rdbms.dm:11.2.0.1.0 - Oracle Data Mining
#              oracle.rdbms.dv:11.2.0.1.0 - Oracle Database Vault
#              oracle.rdbms.lbac:11.2.0.1.0 - Oracle Label Security
#              oracle.rdbms.rat:11.2.0.1.0 - Oracle Real Application Testing
#              oracle.oraolap:11.2.0.1.0 - Oracle OLAP
#------------------------------------------------------------------------------
oracle.install.db.customComponents=oracle.server:11.2.0.1.0,oracle.sysman.ccr:10.2.7.0.0,oracle.xdk:11.2.0.1.0,oracle.rdbms.oci:11.2.0.1.0,oracle.network:11.2.0.1.0,oracle.network.listener:11.2.0.1.0,oracle.rdbms:11.2.0.1.0,oracle.options:11.2.0.1.0,oracle.rdbms.partitioning:11.2.0.1.0,oracle.oraolap:11.2.0.1.0,oracle.rdbms.dm:11.2.0.1.0,oracle.rdbms.dv:11.2.0.1.0,orcle.rdbms.lbac:11.2.0.1.0,oracle.rdbms.rat:11.2.0.1.0

###############################################################################
#                                                                             #
# PRIVILEGED OPERATING SYSTEM GROUPS                                            #
# ------------------------------------------                                  #
# Provide values for the OS groups to which OSDBA and OSOPER privileges       #
# needs to be granted. If the install is being performed as a member of the   #       
# group "dba", then that will be used unless specified otherwise below.          #
#                                                                             #
###############################################################################

#------------------------------------------------------------------------------
# The DBA_GROUP is the OS group which is to be granted OSDBA privileges.
#------------------------------------------------------------------------------
oracle.install.db.DBA_GROUP=oracle

#------------------------------------------------------------------------------
# The OPER_GROUP is the OS group which is to be granted OSOPER privileges.
#------------------------------------------------------------------------------
oracle.install.db.OPER_GROUP=oracle

#------------------------------------------------------------------------------
# Specify the cluster node names selected during the installation.
#------------------------------------------------------------------------------
oracle.install.db.CLUSTER_NODES=

#------------------------------------------------------------------------------
# Specify the type of database to create.
# It can be one of the following:
# - GENERAL_PURPOSE/TRANSACTION_PROCESSING         
# - DATA_WAREHOUSE                               
#------------------------------------------------------------------------------
oracle.install.db.config.starterdb.type=GENERAL_PURPOSE

#------------------------------------------------------------------------------
# Specify the Starter Database Global Database Name.
#------------------------------------------------------------------------------
oracle.install.db.config.starterdb.globalDBName=orcl

#------------------------------------------------------------------------------
# Specify the Starter Database SID.
#------------------------------------------------------------------------------
oracle.install.db.config.starterdb.SID=orcl

#------------------------------------------------------------------------------
# Specify the Starter Database character set.
#                                             
# It can be one of the following:
# AL32UTF8, WE8ISO8859P15, WE8MSWIN1252, EE8ISO8859P2,
# EE8MSWIN1250, NE8ISO8859P10, NEE8ISO8859P4, BLT8MSWIN1257,
# BLT8ISO8859P13, CL8ISO8859P5, CL8MSWIN1251, AR8ISO8859P6,
# AR8MSWIN1256, EL8ISO8859P7, EL8MSWIN1253, IW8ISO8859P8,
# IW8MSWIN1255, JA16EUC, JA16EUCTILDE, JA16SJIS, JA16SJISTILDE,
# KO16MSWIN949, ZHS16GBK, TH8TISASCII, ZHT32EUC, ZHT16MSWIN950,
# ZHT16HKSCS, WE8ISO8859P9, TR8MSWIN1254, VN8MSWIN1258
#------------------------------------------------------------------------------
oracle.install.db.config.starterdb.characterSet=AL32UTF8

#------------------------------------------------------------------------------
# This variable should be set to true if Automatic Memory Management
# in Database is desired.
# If Automatic Memory Management is not desired, and memory allocation
# is to be done manually, then set it to false.
#------------------------------------------------------------------------------
oracle.install.db.config.starterdb.memoryOption=true

#------------------------------------------------------------------------------
# Specify the total memory allocation for the database. Value(in MB) should be
# at least 256 MB, and should not exceed the total physical memory available
# on the system.
# Example: oracle.install.db.config.starterdb.memoryLimit=512
#------------------------------------------------------------------------------
oracle.install.db.config.starterdb.memoryLimit=512

#------------------------------------------------------------------------------
# This variable controls whether to load Example Schemas onto the starter
# database or not.
#------------------------------------------------------------------------------
oracle.install.db.config.starterdb.installExampleSchemas=false

#------------------------------------------------------------------------------
# This variable includes enabling audit settings, configuring password profiles
# and revoking some grants to public. These settings are provided by default.
# These settings may also be disabled.   
#------------------------------------------------------------------------------
oracle.install.db.config.starterdb.enableSecuritySettings=true

###############################################################################
#                                                                             #
# Passwords can be supplied for the following four schemas in the          #
# starter database:                                    #
#   SYS                                                                       #
#   SYSTEM                                                                    #
#   SYSMAN (used by Enterprise Manager)                                       #
#   DBSNMP (used by Enterprise Manager)                                       #
#                                                                             #
# Same password can be used for all accounts (not recommended)               #
# or different passwords for each account can be provided (recommended)       #
#                                                                             #
###############################################################################

#------------------------------------------------------------------------------
# This variable holds the password that is to be used for all schemas in the
# starter database.
#-------------------------------------------------------------------------------
oracle.install.db.config.starterdb.password.ALL=passw0rd

#-------------------------------------------------------------------------------
# Specify the SYS password for the starter database.
#-------------------------------------------------------------------------------
oracle.install.db.config.starterdb.password.SYS=passw0rd

#-------------------------------------------------------------------------------
# Specify the SYSTEM password for the starter database.
#-------------------------------------------------------------------------------
oracle.install.db.config.starterdb.password.SYSTEM=passw0rd

#-------------------------------------------------------------------------------
# Specify the SYSMAN password for the starter database.
#-------------------------------------------------------------------------------
oracle.install.db.config.starterdb.password.SYSMAN=passw0rd

#-------------------------------------------------------------------------------
# Specify the DBSNMP password for the starter database.
#-------------------------------------------------------------------------------
oracle.install.db.config.starterdb.password.DBSNMP=passw0rd

#-------------------------------------------------------------------------------
# Specify the management option to be selected for the starter database.
# It can be one of the following:
# 1. GRID_CONTROL
# 2. DB_CONTROL
#-------------------------------------------------------------------------------
oracle.install.db.config.starterdb.control=DB_CONTROL

#-------------------------------------------------------------------------------
# Specify the Management Service to use if Grid Control is selected to manage
# the database.     
#-------------------------------------------------------------------------------
oracle.install.db.config.starterdb.gridcontrol.gridControlServiceURL=

#-------------------------------------------------------------------------------
# This variable indicates whether to receive email notification for critical
# alerts when using DB control.  
#-------------------------------------------------------------------------------
oracle.install.db.config.starterdb.dbcontrol.enableEmailNotification=false

#-------------------------------------------------------------------------------
# Specify the email address to which the notifications are to be sent.
#-------------------------------------------------------------------------------
oracle.install.db.config.starterdb.dbcontrol.emailAddress=

#-------------------------------------------------------------------------------
# Specify the SMTP server used for email notifications.
#-------------------------------------------------------------------------------
oracle.install.db.config.starterdb.dbcontrol.SMTPServer=


###############################################################################
#                                                                             #
# SPECIFY BACKUP AND RECOVERY OPTIONS                                           #
# ------------------------------------                                      #
# Out-of-box backup and recovery options for the database can be mentioned    #
# using the entries below.                              #   
#                                                                             #
###############################################################################

#------------------------------------------------------------------------------
# This variable is to be set to false if automated backup is not required. Else
# this can be set to true.
#------------------------------------------------------------------------------
oracle.install.db.config.starterdb.automatedBackup.enable=false

#------------------------------------------------------------------------------
# Regardless of the type of storage that is chosen for backup and recovery, if
# automated backups are enabled, a job will be scheduled to run daily at
# 2:00 AM to backup the database. This job will run as the operating system
# user that is specified in this variable.
#------------------------------------------------------------------------------
oracle.install.db.config.starterdb.automatedBackup.osuid=

#-------------------------------------------------------------------------------
# Regardless of the type of storage that is chosen for backup and recovery, if
# automated backups are enabled, a job will be scheduled to run daily at
# 2:00 AM to backup the database. This job will run as the operating system user
# specified by the above entry. The following entry stores the password for the
# above operating system user.
#-------------------------------------------------------------------------------
oracle.install.db.config.starterdb.automatedBackup.ospwd=

#-------------------------------------------------------------------------------
# Specify the type of storage to use for the database.
# It can be one of the following:
# - FILE_SYSTEM_STORAGE
# - ASM_STORAGE
#------------------------------------------------------------------------------
oracle.install.db.config.starterdb.storageType=FILE_SYSTEM_STORAGE

#-------------------------------------------------------------------------------
# Specify the database file location which is a directory for datafiles, control
# files, redo logs.        
#
# Applicable only when oracle.install.db.config.starterdb.storage=FILE_SYSTEM
#-------------------------------------------------------------------------------
oracle.install.db.config.starterdb.fileSystemStorage.dataLocation=/home/oracle/oradata

#-------------------------------------------------------------------------------
# Specify the backup and recovery location.
#
# Applicable only when oracle.install.db.config.starterdb.storage=FILE_SYSTEM
#-------------------------------------------------------------------------------
oracle.install.db.config.starterdb.fileSystemStorage.recoveryLocation=

#-------------------------------------------------------------------------------
# Specify the existing ASM disk groups to be used for storage.
#
# Applicable only when oracle.install.db.config.starterdb.storage=ASM
#-------------------------------------------------------------------------------
oracle.install.db.config.asm.diskGroup=

#-------------------------------------------------------------------------------
# Specify the password for ASMSNMP user of the ASM instance.                 
#
# Applicable only when oracle.install.db.config.starterdb.storage=ASM_SYSTEM
#-------------------------------------------------------------------------------
oracle.install.db.config.asm.ASMSNMPPassword=passw0rd

#------------------------------------------------------------------------------
# Specify the My Oracle Support Account Username.
#
#  Example   : MYORACLESUPPORT_USERNAME=metalink
#------------------------------------------------------------------------------
MYORACLESUPPORT_USERNAME=

#------------------------------------------------------------------------------
# Specify the My Oracle Support Account Username password.
#
# Example    : MYORACLESUPPORT_PASSWORD=password
#------------------------------------------------------------------------------
MYORACLESUPPORT_PASSWORD=

#------------------------------------------------------------------------------
# Specify whether to enable the user to set the password for
# My Oracle Support credentials. The value can be either true or false.
# If left blank it will be assumed to be false.
#
# Example    : SECURITY_UPDATES_VIA_MYORACLESUPPORT=true
#------------------------------------------------------------------------------
SECURITY_UPDATES_VIA_MYORACLESUPPORT=

#------------------------------------------------------------------------------
# Specify whether user wants to give any proxy details for connection.
# The value can be either true or false. If left blank it will be assumed
# to be false.
#
# Example    : DECLINE_SECURITY_UPDATES=false
#------------------------------------------------------------------------------
DECLINE_SECURITY_UPDATES=true

#------------------------------------------------------------------------------
# Specify the Proxy server name. Length should be greater than zero.
#
# Example    : PROXY_HOST=proxy.domain.com
#------------------------------------------------------------------------------
PROXY_HOST=

#------------------------------------------------------------------------------
# Specify the proxy port number. Should be Numeric and atleast 2 chars.
#
# Example    : PROXY_PORT=25
#------------------------------------------------------------------------------
PROXY_PORT=

#------------------------------------------------------------------------------
# Specify the proxy user name. Leave PROXY_USER and PROXY_PWD
# blank if your proxy server requires no authentication.
#
# Example    : PROXY_USER=username
#------------------------------------------------------------------------------
PROXY_USER=

#------------------------------------------------------------------------------
# Specify the proxy password. Leave PROXY_USER and PROXY_PWD 
# blank if your proxy server requires no authentication.
#
# Example    : PROXY_PWD=password
#------------------------------------------------------------------------------
PROXY_PWD=





Wednesday, 17 April 2013

Using IBM HTTP Server to rewrite URLs ( HTTP -> HTTPS )

Late last week, a colleague asked me for some assistance in configuring IBM HTTP Server to "redirect" user requests from HTTP to HTTPS, but using the mod_rewrite directive.

Now I have blogged about this before: -


so this post adds to what I earlier described.

Here's the relevant entries in my httpd.conf file: -

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so

Listen 8080
<IfModule mod_ibm_ssl.c>
        Listen 8443
        <VirtualHost *:8443>
                SSLEnable
        </VirtualHost>
        KeyFile /opt/IBM/HTTPServer/ssl/BPMPCEXT.kdb
        SSLCachePortFilename /opt/IBM/HTTPServer/logsext/siddport
        ScriptSock logsext/cgisock
        SSLCachePortFilename /opt/IBM/HTTPServer/logsext/siddport
        ScriptSock logsext/cgisock
</IfModule>

<ifModule mod_rewrite.c>
     RewriteEngine on
     RewriteCond %{SERVER_PORT} ^8080$
     RewriteRule ^(.*)$ https://%{SERVER_NAME}:8443/BusinessSpace/ [R=301,L]
     RewriteLog logsext/rewrite.log
     RewriteLogLevel 4
</ifModule>


In essence, IHS will listen on port 8080 for non-SSL traffic ( I'm running IHS as a non-root user so cannot use port 80 - all non-root ports need to be >1024 ): -

Listen 8080

In addition, IHS will listen on port 8443 for SSL traffic: -

        Listen 8443
        <VirtualHost *:8443>

The rewrite rules are as follows: -

     RewriteCond %{SERVER_PORT} ^8080$
     RewriteRule ^(.*)$ https://%{SERVER_NAME}:8443/BusinessSpace/ [R=301,L]

In other words, for any request coming in on port 8080 is automatically written to go to the URI of /BusinessSpace/ on port 8443.

If I enter the URL of: -

http://bam8011.uk.ibm.com:8080

the URL gets rewritten and I get immediately redirected to: -

https://bam8011.uk.ibm.com:8443/mum/resources/bootstrap/login.jsp

If I was running IHS as root, then I could choose to use port 80 ( HTTP ) and port 443 ( HTTPS ). However, as we know, non-root processes cannot use ports <1024, which is why I'm using 8080 and 8443.

Note that SERVER_PORT and SERVER_NAME are internal variables - in some installations, they may not be available.

I've not yet fully dug into this, but it appears to relate to the directive: -

UseCanonicalName Off

Therefore, I'm assuming that IHS merely uses what the user entered in their browser, via the host HTTP header: -

GET /BusinessSpace/ HTTP/1.1
Host: bam8011.uk.ibm.com:8443
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31
DNT: 1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


I'm currently reading Chris Shiflett's blog post on this very subject: -

SERVER_NAME Versus HTTP_HOST
 
and will experiment.


More on IHS and SSL - SSL0208E: SSL Handshake Failed, Certificate validation error

Following on from my earlier post: -

Creating and working with a SSL Certificate Authority in IBM HTTP Server

if you see: -

Error 101 (net::ERR_CONNECTION_RESET): The connection was reset.

in Chrome, and: -

[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb40028d0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52195 -> 192.168.8.162:8443] [05:06:32.584379]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb400b3d0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52196 -> 192.168.8.162:8443] [05:06:32.585419]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb800edd0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52197 -> 192.168.8.162:8443] [05:06:32.586475]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eac0115c0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52198 -> 192.168.8.162:8443] [05:06:32.587517]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb000e7b0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52199 -> 192.168.8.162:8443] [05:06:32.588528]


in the IHS error logs, chances are that you only have one certificate in the IHS SSL keystore or, to be more accurate, the root CA certificate is missing.

This can be validated as follows: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb 

Certificates found
* default, - personal, ! trusted
*- clientcert


In other words, this shows that we only have the client certificate ( sometimes known as the intermediate or "device" certificate ) but not the CA certificate.

This is easily fixed: -

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -add -db client.kdb -label myca -file test.cer

( this assumes that you've been following the previous post and have extracted the root CA certificate from the CA keystore into the file test.cer )

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb 

Certificates found
* default, - personal, ! trusted
! myca
*- clientcert


Once IHS is restarted, all is well :-)


Creating and working with a SSL Certificate Authority in IBM HTTP Server

With thanks to Mike Whale and his excellent blog post here: -


from which I have ripped stolen reused this content.

This article describes how to create a SSL Certificate Authority using IBM HTTP Server 8.0.0.5, and then generate and use certificates signed by this CA. Alternatively, an organisation would go to a public CA such as Verisign, or they'd have their own internal CA.

Create a CA keystore

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -create -db CA.jks -type jks

Create a CA

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -create -db CA.jks -label myca -dn "cn=test,o=IBM" -ca true

Create a client keystore

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -create -db client.jks -type jks

Create a CSR

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -certreq -create -db client.jks -label clientcert -file /tmp/certreq.arm -dn "cn=clienttest,o=IBM"

Sign the CSR using the CA

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -sign -db CA.jks -label myca -file /tmp/certreq.arm 

Import the signed certificate into the client keystore

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -receive -db client.jks -file cert.arm 

Extract the root CA certificate from the CA keystore

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -extract -db CA.jks -label myca -target test.cer -type jks

Import the root CA certificate into the client keystore

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -add -db client.jks -label myca -file test.cer 

Convert the client keystore into KDB ( PKCS12 ) format in order to allow password to be stashed ( required for IHS to use keystore )

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -convert -db client.jks -pw passw0rd -target client.kdb -new_pw passw0rd -old_format jks -new_format kdb -stash

Note: The only reason that I chose to create the keystore in JKS format was to follow Mike's instructions - I could've simplified things by creating the keystore in KDB format from the outset.

Start IHS

/opt/IBM/HTTPServer/bin/apachectl -k restart -f /opt/IBM/HTTPServer/confext/httpd.conf

NOTE: -

If you see: -

Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.

in Chrome or: -

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

in Firefox, and see: -

[Tue Apr 16 12:52:31 2013] [error] [client 192.168.8.1] [7fcd6c0028d0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60917 -> 192.168.8.162:8443] [12:52:31.320280]
[Tue Apr 16 12:52:31 2013] [error] [client 192.168.8.1] [7fcd700028d0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60919 -> 192.168.8.162:8443] [12:52:31.434908]
[Tue Apr 16 12:52:53 2013] [error] [client 192.168.8.1] [1d8fd90] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60940 -> 192.168.8.162:8443] [12:52:53.449571]
[Tue Apr 16 12:52:59 2013] [error] [client 192.168.8.1] [7fcd600093c0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60944 -> 192.168.8.162:8443] [12:52:59.432844]
[Tue Apr 16 12:52:59 2013] [error] [client 192.168.8.1] [7fcd600093c0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60943 -> 192.168.8.162:8443] [12:52:59.433801]
[Tue Apr 16 12:54:31 2013] [error] [client 192.168.8.1] [7fcd740128b0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60961 -> 192.168.8.162:8443] [12:54:31.636000]

etc.

in IHS error.log, then you don't have a default certificate set: -

Listing certificates to confirm what is default / trusted

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb 

Certificates found
* default, - personal, ! trusted
! myca
- clientcert


Set the clientcert certificate as default

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -setdefault -label clientcert -db client.kdb 

Listing certificates to confirm what is default / trusted

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb 

Certificates found
* default, - personal, ! trusted
! myca
*- clientcert

Inspecting certificates

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db client.kdb -label clientcert

Label : myca
Key Size : 1024
Version : X509 V3
Serial : 516d3a0f
Issuer : CN=test,OU=test,O=IBM
Subject : CN=test,OU=test,O=IBM
Not Before : 16 April 2013 12:46:23 GMT+01:00
Not After : 16 April 2014 12:46:23 GMT+01:00
Public Key
    30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01
    05 00 03 81 8D 00 30 81 89 02 81 81 00 96 23 34
    A0 D0 FF 7A C3 EE 5C 06 FB EF AF D2 1A DB 5F F8
    4A E3 6A 8F 00 BC 95 67 4E 97 D4 B1 51 3B 68 F5
    85 72 4B A8 19 72 E0 82 86 6F 08 5D F5 F0 1B 34
    D2 7F F0 64 09 F8 87 B8 49 EB CF 18 D9 35 CD DE
    F4 1F FE 9F 7C 32 D7 2B 9F B0 4F 42 72 FF 02 14
    44 97 10 96 EC E0 34 B1 41 29 DF B8 E9 26 96 4F
    0A D3 FF CB 79 61 F1 E3 E0 81 45 3A 9F 88 E6 5A
    27 F8 99 A6 9C D6 3D 74 7C A8 3F 82 BB 02 03 01
    00 01
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 : 
    F6 9A C2 43 57 D8 90 07 B1 C2 5F CC 02 9F CB D6
    15 C0 5E 6C
Fingerprint : MD5 : 
    A6 81 9C 1E 61 7C 52 17 3D B1 D0 90 C5 84 1D 78
Fingerprint : SHA256 : 
    21 F0 B8 4B A9 9A C9 B4 40 E3 C3 39 1E C5 95 F0
    5B D0 79 70 65 67 D1 50 C5 1C E6 9E 96 1E 5B F5
Extensions
    basicConstraints
        ca = true
        pathLen = 2147483647
        critical
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Value
    73 1B 8A 4A FD 05 40 BE 2D 7C 3B 67 66 5D D1 7A
    4F F4 4D 60 95 ED 88 81 6D 98 92 5F E4 A5 FF F0
    87 D0 B5 89 F9 A6 44 78 D1 44 94 B5 7F 57 D5 C4
    3B E1 6E 9B AC FE CD C9 0A 2C A8 C8 4C 13 83 B3
    7C 06 B9 3E 66 94 2F ED FB 9A 9B F7 8E 6F CB FD
    E9 24 2D FE 7C 6C EA CA E9 76 58 37 51 B6 7E D9
    6D 59 70 2E E0 01 37 D6 E9 3B A1 C3 D3 4D 16 C9
    B4 68 99 45 85 DE 03 9A 9C D7 F4 0C 1E FC 4D C8
Trust Status : Enabled

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db client.kdb -label myca

Label : clientcert
Key Size : 1024
Version : X509 V3
Serial : 516d3a27
Issuer : CN=test,OU=test,O=IBM
Subject : CN=clienttest,OU=test,O=IBM
Not Before : 16 April 2013 12:46:47 GMT+01:00
Not After : 16 April 2014 12:46:47 GMT+01:00
Public Key
    30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01
    05 00 03 81 8D 00 30 81 89 02 81 81 00 83 C5 3E
    52 CF 2E 78 76 50 88 A7 5E D6 1E 7D 2A 96 F2 11
    0E 4D 1F 1E D2 A0 E9 30 56 8E 69 79 BF C3 D0 8F
    94 8E 0B 66 62 0A 64 46 E4 60 87 D7 E8 BF 8F 54
    F2 EB 36 D0 71 18 FC 2B 72 97 B2 49 F0 12 12 4A
    4A B3 F2 1F 99 50 38 BB 40 8F 41 D2 F8 FB 8E 9B
    FC 0F BC 80 21 57 87 EA 05 F3 D4 DF BB D1 59 D7
    4D 91 68 FF B7 BC 52 BC 12 D2 F1 C6 52 63 1D B1
    49 CC 58 88 A5 E5 86 31 9B CE F3 E6 C3 02 03 01
    00 01
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 : 
    1B 33 B7 0A 1D 33 29 F2 6E 56 81 55 92 CB 48 DC
    D3 2F 16 90
Fingerprint : MD5 : 
    C4 64 E5 08 AA F0 AE 65 5A 7A 12 12 21 55 7C 19
Fingerprint : SHA256 : 
    54 A4 41 37 25 65 8F 28 FE 4B 97 37 DE 3A 4D 97
    80 F4 FF C0 8D BA 92 D2 51 F8 4D 4B 69 BD BA 69
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Value
    25 14 7A 6F D9 F2 CC E3 93 5C 8E 1C 4F 3C DC 57
    C8 D3 B4 D5 51 0D C9 C7 DE 00 C8 B0 2D D8 C2 F6
    50 34 97 1E 24 C8 22 D6 01 F4 DA B9 0E 1C 67 E3
    EF 73 77 F6 21 32 0D 92 B3 9B 0B C1 3A 28 71 70
    7D 3A 7E 7F 8F C3 BE 23 B0 74 F5 E7 20 5E 3D 01
    6B 57 AC 0A 5E F6 3B 93 B6 A3 E1 6A 2E E9 29 00
    4E 81 E3 D3 20 E7 86 96 C0 91 02 5D E9 86 7D 38
    08 02 B1 76 3B D4 A4 C4 41 2E 91 C0 49 84 3B 81
Trust Status : Enabled

Additional Notes

For the record, here's a similar set of instructions, but using KDB ( PKCS12 ) instead of JKS from the outset, avoiding the need for conversion: -

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -create -db CA.kdb -stash

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -create -db CA.kdb  -label myca -dn "cn=test,o=IBM" -ca true

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -create -db client.kdb -stash

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -certreq -create -db client.kdb  -label clientcert -file /tmp/certreq.arm -dn "cn=clienttest,o=IBM"

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -sign -db CA.kdb  -label myca -file /tmp/certreq.arm 

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -receive -db client.kdb  -file cert. arm 

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -extract -db CA.kdb  -label myca -target test.cer

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -add -db client.kdb -label myca -file test.cer 

/opt/IBM/HTTPServer/bin/apachectl -k restart -f /opt/IBM/HTTPServer/confext/httpd.conf

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -setdefault -label clientcert -db client.kdb 





Wednesday, 10 April 2013

CWWIM1998E The following system exception occurred during processing: 'java.text.ParseException: Unparseable date: "20120803122609.732-0000Z"'

Now I cannot take the credit for resolving this one, but I wanted to share the problem and a potential resolution.

Having completed the implementation of IBM Business Monitor 8.0.1.1 for a client, we found, during Functional Testing, that we were unable to log into BusinessSpace: -


using a LDAP user account.

This failed with an HTTP 500 ( which normally indicates a very serious problem with WAS ).

When we checked SystemOut.log, we found

[09/04/13 11:37:36:558 BST] 00000029 exception     W com.ibm.ws.wim.adapter.ldap.LdapAdapter getDateString(Object) CWWIM1998E  The following system exception occurred during processing: 'java.text.ParseException: Unparseable date: "20120803122609.732-0000Z"'.
[09/04/13 11:37:36:559 BST] 00000029 exception     W com.ibm.ws.wim.adapter.ldap.LdapAdapter getDateString(Object)
                                 com.ibm.websphere.wim.exception.WIMSystemException: CWWIM1998E  The following system exception occurred during processing: 'java.text.ParseException: Unparseable date: "20120803122609.732-0000Z"'.

[09/04/13 11:37:36:566 BST] 00000029 servlet       E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: An exception was thrown by one of the service methods of the servlet [mmOSGI] in application [mm.was_bamweb-cluster-80-tatc-i-1]. Exception created : [java.lang.RuntimeException: com.ibm.mm.server.model.user.exception.CannotLoadUserException: BMWSM0016E: The user data could not be loaded.

The symptoms appeared to be a match for: -

We do have a custom LDAP configured ( we're using CA LDAP for which WAS doesn't have a template, as it does for ITDS, AD, Domino etc. ).

It's worth noting that CA LDAP is supported as long as it complies with the LDAP v3 specification, which it does.

The APAR also has a circumvention; to add the offending date format to WIM ( wimconfig.xml ): -

One will have to run following command in order to support
specified dateFormat by VMM.
$AdminTask setIdMgrCustomProperty {-id <LDAP_REPO_ID> -name
ldapTimestampFormat  -value "yyyyMMddHHmmssZ" }
yyyyMMddHHmmssZ >> may vary as per LDAP's dateFormat!

Given that the dates we were getting were in this format: -

20120803122609.732-0000Z

we tried a number of variations on the ldapTimestampFormat property: -

$ /opt/ibm/WebSphere/AppServer/profiles/dm-80-tatc-i/bin/wsadmin.sh -lang jython
wsadmin> AdminTask.setIdMgrCustomProperty('-id ldpa -name ldapTimestampFormat  -value "yyyyMMddHHmmss.Z"')
wsadmin> AdminConfig.save()

-or-

wsadmin> AdminTask.setIdMgrCustomProperty('-id ldpa -name ldapTimestampFormat  -value "yyyyMMddHHmmss.SZ"')
wsadmin> AdminConfig.save()

-or-

wsadmin> AdminTask.setIdMgrCustomProperty('-id ldpa -name ldapTimestampFormat  -value "yyyyMMddHHmmss.SSS-SSSSZ"')
wsadmin> AdminConfig.save()

In each case, we noted that a new line was added / modified in wimconfig.xml: -

      <config:CustomProperties name="ldapTimestampFormat" value="yyyyMMddHHmmss.Z"/>

However, after synchronising the nodes and restarting the JVM hosting BusinessSpace ( the WebApp cluster ), we still saw the same exception.

At that point we were baffled.

Thankfully, the client had previously seen this problem with WebSphere Portal on an earlier version of WAS, and had been recommended to set two different properties in wimconfig.xml to mark two particular LDAP attributes as being unsupported.

To achieve this, we removed the previously added ldapTimestampFormat property: -

$ AdminTask.setIdMgrCustomProperty('-id ldpa -name ldapTimestampFormat')
$ AdminConfig.save()

and then tried to add the unsupported attribute entries: -

wsadmin> AdminTask.addIdMgrLDAPAttrNotSupported('-id ldpa -propertyName modifyTimestamp')
wsadmin> AdminTask.addIdMgrLDAPAttrNotSupported('-id ldpa -propertyName createTimestamp')
wsadmin> AdminConfig.save()

Sadly this failed with a NullPointerException.

Looking at this APAR: -

PM75085: THE WSADMIN ADDIDMGRLDAPATTRNOTSUPPORTED CLI RETURNS NULLPOINTEREXCEPTION FOR VMM CUSTOM REPOSITORY

it appears that this is a known issue, which is due to be fixed in WAS 8.0.0.6 :-)

However, we were able to resolve the issue, by manually adding the attributeConfiguration block, with reference to the two unsupported attributes, to wimconfig.xml: -

Old

      <config:ldapEntityTypes name="Group" searchFilter="">
        <config:objectClasses>groupOfNames</config:objectClasses>
        <config:searchBases>ou=users,o=ibm</config:searchBases>
      </config:ldapEntityTypes>
    </config:repositories>


New

      <config:ldapEntityTypes name="Group" searchFilter="">
        <config:objectClasses>groupOfNames</config:objectClasses>
        <config:searchBases>ou=users,o=ibm</config:searchBases>
      </config:ldapEntityTypes>
      <config:attributeConfiguration>
        <config:propertiesNotSupported name="modifyTimestamp"/>
        <config:propertiesNotSupported name="createTimestamp"/>
      </config:attributeConfiguration>

    </config:repositories>

before synchronising the nodes and restarting the JVM.

This time, it worked, and we were able to successfully log into BusinessSpace using an LDAP user.

We are going to raise a PMR against BusinessSpace, as it's not clear why the original problem only occurred for that LDAP, when we were able to log into the WAS Integrated Solutions Console ( and into the Cognos Dispatcher ) using a LDAP user.

Therefore, this MAY be a new issue specifically with BusinessSpace, although I'm struggling to work out why the WAS-based solution ( iFix and/or ldapTimestampFormat property ) did not work, given that BusinessSpace runs on the WAS JVM …….

Thankfully, my client had retained their notes from the previous occurrence of the problem, which saved us this time around. Kudos to Paul and Tony for writing stuff down :-)

Definitely one for the "Hmmmm" pile.

PS There is also an excellent developerWorks article: -


which was of relevance. Whilst it didn't provide the solution ( using config:propertiesNotSupported ), it did provide some good background on the problem.

Reminder - installing podman and skopeo on Ubuntu 22.04

This follows on from: - Lest I forget - how to install pip on Ubuntu I had reason to install podman  and skopeo  on an Ubuntu box: - lsb_rel...