Friday, 30 May 2014

Security Bulletin: ClassLoader manipulation with Apache Struts (CVE-2014-0114) affects WebSphere Lombardi Edition and IBM Business Process Manager (BPM)

From the Flash: -

Summary

There is a class loader manipulation vulnerability in Apache Struts (CVE-2014-0114) that affects WebSphere Lombardi Edition and IBM Business Process Manager.

Vulnerability Details

CVEID: CVE-2014-0114

DESCRIPTION: Apache Struts 1.X might allow a remote attacker to execute arbitrary code on the system, which is caused by the failure to restrict the setting of class loader attributes. An attacker might exploit this vulnerability using the class parameter of an ActionForm object to manipulate the class loader and execute arbitrary code on the system. There is partial impact to confidentiality, integrity, and availability.

CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92889 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) 

The affected products can be vulnerable in up to the following two different scenarios:

• The product bundles WebSphere Application Server. The Integrated Solution Console in WebSphere Application Server V7 and earlier uses a vulnerable version of the struts library. For these products you need to apply a fix for WebSphere Application Server.
• WebSphere Lombardi Edition and IBM Business Process Manager include various user interface components that make use of an additional instance of the vulnerable library and, therefore, need their own fix.
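
While the fixes are being rolled out, web access logs can be screened for the request shape the bulletin describes. The following is an added example, not part of the bulletin or of any IBM or Apache fix: it flags requests whose parameter names contain a `class` segment in a bean-style property path. The log lines, paths and parameter names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Common/combined access-log prefix:
# client identity user [time] "METHOD target PROTOCOL" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that separate segments of a bean-style property path:
# nested (a.b), indexed (a[0]), mapped (a(key)), plus quotes around keys.
SEGMENT_SPLIT = re.compile(r"[.\[\]()'\"]+")


def is_class_access(param_name):
    """True when any property-path segment is exactly 'class' (any case)."""
    segments = [s for s in SEGMENT_SPLIT.split(param_name) if s]
    return any(s.lower() == "class" for s in segments)


def flag_requests(log_lines):
    """Return (client, path, status, [parameter names]) per suspicious request."""
    findings = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not an access-log line in the expected layout
        target = urlsplit(match.group("target"))
        # parse_qsl percent-decodes names, so encoded brackets/quotes are seen.
        names = [name
                 for name, _ in parse_qsl(target.query, keep_blank_values=True)
                 if is_class_access(name)]
        if names:
            findings.append((match.group("client"), target.path,
                             int(match.group("status")), names))
    return findings


# Constructed sample lines (documentation address ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2014:10:00:01 +0100] '
    '"GET /app/search.do?className=Widget&page=2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/May/2014:10:00:05 +0100] '
    '"GET /app/save.do?class.example=1&name=bob HTTP/1.1" 200 128',
    '198.51.100.7 - - [30/May/2014:10:00:06 +0100] '
    '"GET /app/save.do?order.items%5B0%5D.class.example=1 HTTP/1.1" 500 64',
    '192.0.2.44 - - [30/May/2014:10:00:09 +0100] '
    '"GET /app/list.do?subclass.name=x&classification=internal HTTP/1.1" 200 900',
    '203.0.113.5 - - [30/May/2014:10:00:12 +0100] '
    '"GET /app/save.do?Class%5B%27example%27%5D=1 HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for client, path, status, names in flag_requests(SAMPLE_LOG):
        print(client, path, status, names)
```

Access logs record only the query string, so parameters sent in a POST body need the same check applied at a filter or proxy that can see the body.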

WebSphere MQ 8 - How to download

Thanks to WebSphere MQ for sharing this: -

Downloading WebSphere MQ Version 8.0 from the Passport Advantage Web site

This document describes how to download IBM WebSphere MQ Version 8.0 eAssembly images from the Passport Advantage Web site.

WebSphere MQ V8.0 documentation

Welcome to the IBM® WebSphere® MQ, Version 8.0 product documentation, where you can find detailed instructions on how to complete the tasks that you need to perform to create and maintain your WebSphere MQ environment. This documentation also contains conceptual information to help you understand the product, and the ways in which you can use it to solve your business problems.

Wednesday, 28 May 2014

Education: Join webcast on Installation, Configuration and Basic Test of WebSphere MQ Advanced Message Security 7.5 in Linux

This via Twitter: -

On 11 June 2014 at 11:00 AM EDT, a WebSphere Support Technical Exchange presentation on Installation, Configuration and Basic Test of WebSphere MQ Advanced Message Security 7.5 in Linux will be delivered by Angel Rivera, a subject matter expert. An open question and answer session will follow the presentation.

The objective for this WebSphere Support Technical Exchange is to describe in detail how to install and configure for first usage the WebSphere MQ Advanced Message Security (AMS) version 7.5 in Linux, including a test scenario for first usage.

Estimating the effort for BPM migrations – why it’s not easy!

From Werner Tod in IBM Germany: -

This blog entry describes the factors that need to be considered to estimate the necessary effort to migrate an existing environment of Lombardi Teamworks, WebSphere Lombardi Edition, WebSphere Process Server, or an older version of IBM Business Process Manager to a new version of IBM Business Process Manager.

Unfortunately, there is no mathematical formula and no 'magic' spreadsheet that would be able to just calculate the effort based on some basic information about the source environment for the migration. But, there are some lessons learned from completed IBM Business Process Manager migrations that make it easier to come up with a reliable estimate. These lessons learned are summarized in this article.

Note: It is always strongly recommended for an IBM Business Process Manager migration project to involve experts from IBM Services. The following web site has more information: 
http://www.ibm.com/developerworks/websphere/services/discovermigration.html. IBM Services will run or guide the migration as a project with clearly defined phases. The initial phase (Discovery) aims at coming up with a reliable estimate and plan for the necessary migration activities.

Tuesday, 27 May 2014

Using WebSphere MQ V7 as JMS Provider for WebSphere Application Server V7, V8.0 and V8.5

This rather useful White Paper is currently of use to me, and may be of use to you.

Abstract

To demonstrate the use of a simple but functional Message Driven Bean (MDB) in WebSphere Application Server V7, V8.0 and V8.5, which interacts with WebSphere MQ V7 as the Java™ Messaging Service (JMS) provider.

Content

To demonstrate the use of a simple but functional Message Driven Bean (MDB) in WebSphere Application Server V7, V8.0 and V8.5, which interacts with WebSphere MQ V7 as the Java™ Messaging Service (JMS) provider.

The MDB was created with Rational Application Developer (RAD) 7.5 and the Enterprise Archive File (EAR) file which contains the MDB can be downloaded from this techdoc.

The main scenario is to show how to configure both WebSphere Application Server and WebSphere MQ V7.x, in order for an MDB to get messages from MQ, using a WebSphere Application Server Listener Port from a Queue (Point to Point).

Time for a new JDBC driver for IBM Business Process Manager?

This from IBM_BPM via Twitter: -


<snip>
IBM Business Process Manager comes with Java database connectivity (JDBC) drivers for DB2, Oracle, and Microsoft SQL Server databases. The version of the database JDBC drivers represents the level of the database product at the moment that the IBM Business Process Manager (BPM) product was released. A good practice is to update these drivers to fit the latest version of your database vendor.
...
You have now updated your JDBC driver. The advice is always to be up-to-date with your JDBC drivers so that you can avoid unexpected errors due to some failures coming from the driver.
</snip>

IBM WebSphere Application Server Migration Toolkit - What It Is


The IBM® WebSphere® Application Server Migration Toolkit is a suite of tools and knowledge collections that enables your organization to quickly and cost-effectively migrate to WebSphere Application Server V7, V8, or V8.5, whether from a previous version of WebSphere Application Server or competitive application servers including Apache Tomcat Server, JBoss Application Server, Oracle Application Server, and Oracle® WebLogic Server.

plus this: -

IBM Education Assistant - IBM WebSphere Application Server Migration Toolkit Version: V3.5      

Linux - Digging into performance

This came to me via Twitter: -

Friday, 16 May 2014

IBM Business Process Manager 8.5 - The (long) story of the missing WebSphere Variables and why my JDBC datasources don't fully work

So, on a newly minted IBM BPM Advanced 8.5.0.1 installation, I noticed that some of the JDBC datasources that are created when I generate the Deployment Environment using the BPMConfig command: -

/opt/IBM/WebSphere/AppServer/bin/BPMConfig.sh -create -de BPM85Advanced.properties 

fail to connect, via the Test Connection button within the WAS Integrated Solutions Console (ISC).

This is what I see: -


specifically: -

The test connection operation failed for data source BPM CellScopedDB data source on server dmgr at node bpm85Node1 with the following exception: com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable DB2_JCC_DRIVER_PATH. View JVM logs for further details.

and: -

The test connection operation failed for data source BPM ESBMediationDB data source on server dmgr at node bpm85Node1 with the following exception: com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable DB2_JCC_DRIVER_PATH. View JVM logs for further details.

Looking in the Deployment Manager's SystemOut.log ( in /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/logs/dmgr ), I see: -

[16/05/14 17:19:16:830 BST] 000000f6 DataSourceCon E   DSRA8040I: Failed to connect to the DataSource.  Encountered "": com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable DB2_JCC_DRIVER_PATH

[16/05/14 17:19:17:032 BST] 000000f6 MBeanHelper   E   Could not invoke an operation on object: WebSphere:name=DataSourceCfgHelper,process=dmgr,platform=dynamicproxy,node=bpm85Node1,version=8.5.5.1,type=DataSourceCfgHelper,mbeanIdentifier=DataSourceCfgHelper,cell=bpm85Cell,spec=1.0 because of an mbean exception: com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable DB2_JCC_DRIVER_PATH

Interestingly, it's only the two cell-scoped data sources that have the issue: -



I have a number of instances of the JDBC Provider: -


only one of which is scoped at the cell level: -


which has two references to the variable DB2_JCC_DRIVER_PATH: -

${DB2_JCC_DRIVER_PATH}/db2jcc4.jar
${UNIVERSAL_JDBC_DRIVER_PATH}/db2jcc_license_cu.jar
${DB2_JCC_DRIVER_PATH}/db2jcc_license_cisuz.jar
${PUREQUERY_PATH}/pdq.jar
${PUREQUERY_PATH}/pdqmgmt.jar

I only have two instances of this WebSphere Variable: -


neither of which are scoped at the cell level.

I quickly resolved this: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd
AdminConfig.create('VariableSubstitutionEntry', '(cells/bpm85Cell|variables.xml#VariableMap_1)', '[[symbolicName "DB2_JCC_DRIVER_PATH"] [description ""] [value "${WAS_INSTALL_ROOT}/jdbcdrivers/DB2"]]')
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()

Sadly this moved me forward, but didn't fully fix the problem.

This is what I now see: -


The test connection operation failed for data source BPM CellScopedDB data source on server dmgr at node bpm85Node1 with the following exception: com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable WAS_INSTALL_ROOT. View JVM logs for further details.

The test connection operation failed for data source BPM ESBMediationDB data source on server dmgr at node bpm85Node1 with the following exception: com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable WAS_INSTALL_ROOT. View JVM logs for further details.

with: -

[16/05/14 18:55:32:539 BST] 00000131 MBeanHelper   E   Could not invoke an operation on object: WebSphere:name=DataSourceCfgHelper,process=dmgr,platform=dynamicproxy,node=bpm85Node1,version=8.5.5.1,type=DataSourceCfgHelper,mbeanIdentifier=DataSourceCfgHelper,cell=bpm85Cell,spec=1.0 because of an mbean exception: com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable WAS_INSTALL_ROOT
[16/05/14 18:55:33:260 BST] 00000131 DataSourceCon E   DSRA8040I: Failed to connect to the DataSource.  Encountered "": com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable WAS_INSTALL_ROOT


in SystemOut.log.

Again, this is a problem with a missing WebSphere Variable - WAS_INSTALL_ROOT - which isn't available 


Again, this is easily fixed: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd
AdminConfig.create('VariableSubstitutionEntry', '(cells/bpm85Cell|variables.xml#VariableMap_1)', '[[symbolicName "WAS_INSTALL_ROOT"] [description ""] [value "/opt/IBM/WebSphere/AppServer"]]')
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()

Am I out of the woods yet ?

Nope: -


The test connection operation failed for data source BPM CellScopedDB data source on server dmgr at node bpm85Node1 with the following exception: com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable UNIVERSAL_JDBC_DRIVER_PATH. View JVM logs for further details.

The test connection operation failed for data source BPM ESBMediationDB data source on server dmgr at node bpm85Node1 with the following exception: com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable UNIVERSAL_JDBC_DRIVER_PATH. View JVM logs for further details.

and: -

[16/05/14 19:10:41:888 BST] 00000142 MBeanHelper   E   Could not invoke an operation on object: WebSphere:name=DataSourceCfgHelper,process=dmgr,platform=dynamicproxy,node=bpm85Node1,version=8.5.5.1,type=DataSourceCfgHelper,mbeanIdentifier=DataSourceCfgHelper,cell=bpm85Cell,spec=1.0 because of an mbean exception: com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable UNIVERSAL_JDBC_DRIVER_PATH
[16/05/14 19:10:42:989 BST] 00000142 DataSourceCon E   DSRA8040I: Failed to connect to the DataSource.  Encountered "": com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable UNIVERSAL_JDBC_DRIVER_PATH


in SystemOut.log.

Yet again: -


Again, I have a script for that: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd
AdminConfig.create('VariableSubstitutionEntry', '(cells/bpm85Cell|variables.xml#VariableMap_1)', '[[symbolicName "UNIVERSAL_JDBC_DRIVER_PATH"] [description ""] [value "${WAS_INSTALL_ROOT}/jdbcdrivers/DB2"]]')
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()


with: -

The test connection operation failed for data source BPM CellScopedDB data source on server dmgr at node bpm85Node1 with the following exception: com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable PUREQUERY_PATH. View JVM logs for further details.

[16/05/14 19:15:32:302 BST] 00000142 MBeanHelper   E   Could not invoke an operation on object: WebSphere:name=DataSourceCfgHelper,process=dmgr,platform=dynamicproxy,node=bpm85Node1,version=8.5.5.1,type=DataSourceCfgHelper,mbeanIdentifier=DataSourceCfgHelper,cell=bpm85Cell,spec=1.0 because of an mbean exception: com.ibm.wsspi.runtime.variable.UndefinedVariableException: Undefined variable PUREQUERY_PATH

etc.

This is getting boring now.

Interestingly, the PUREQUERY_PATH variable does exist at the node level, but has no value: -




/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd
AdminConfig.create('VariableSubstitutionEntry', '(cells/bpm85Cell|variables.xml#VariableMap_1)', '[[symbolicName "PUREQUERY_PATH"] [description ""] [value ""]]')
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()


And ....


So, the long story short .... the two cell-scoped JDBC datasources - BPM CellScopedDB data source and BPM ESBMediationDB data source - are created with regard to variables: -

${DB2_JCC_DRIVER_PATH}/db2jcc4.jar
${UNIVERSAL_JDBC_DRIVER_PATH}/db2jcc_license_cu.jar
${DB2_JCC_DRIVER_PATH}/db2jcc_license_cisuz.jar
${PUREQUERY_PATH}/pdq.jar
${PUREQUERY_PATH}/pdqmgmt.jar

none of which exist at the cell-scoped level :-)

Next time around, this is how I'll fix the problem in one fell swoop: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd
AdminConfig.create('VariableSubstitutionEntry', '(cells/bpm85Cell|variables.xml#VariableMap_1)', '[[symbolicName "DB2_JCC_DRIVER_PATH"] [description ""] [value "${WAS_INSTALL_ROOT}/jdbcdrivers/DB2"]]')
AdminConfig.create('VariableSubstitutionEntry', '(cells/bpm85Cell|variables.xml#VariableMap_1)', '[[symbolicName "WAS_INSTALL_ROOT"] [description ""] [value "/opt/IBM/WebSphere/AppServer"]]')
AdminConfig.create('VariableSubstitutionEntry', '(cells/bpm85Cell|variables.xml#VariableMap_1)', '[[symbolicName "UNIVERSAL_JDBC_DRIVER_PATH"] [description ""] [value "${WAS_INSTALL_ROOT}/jdbcdrivers/DB2"]]')
AdminConfig.create('VariableSubstitutionEntry', '(cells/bpm85Cell|variables.xml#VariableMap_1)', '[[symbolicName "PUREQUERY_PATH"] [description ""] [value ""]]')
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()


next time around.
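
The console reports only the first undefined variable on each Test Connection attempt, which is why the fix above took four rounds. The following is an added example, not part of the original post and not an IBM tool: it expands `${NAME}` references transitively and lists every undefined variable in one pass. The class path entries and variable values are the ones quoted in this post; the function names are hypothetical, and the dictionary stands in for the variables visible at cell scope.

```python
import re

VAR_REF = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def resolve(text, variables, _stack=()):
    """Expand ${NAME} references in text.

    Returns (expanded_text, set_of_undefined_names). Undefined references
    are left in place so the output shows exactly what failed to resolve.
    """
    missing = set()

    def substitute(match):
        name = match.group(1)
        if name in _stack:
            chain = " -> ".join(_stack + (name,))
            raise ValueError("circular variable reference: " + chain)
        if name not in variables:
            missing.add(name)
            return match.group(0)
        # A variable's value may itself reference other variables.
        value, nested_missing = resolve(variables[name], variables,
                                        _stack + (name,))
        missing.update(nested_missing)
        return value

    return VAR_REF.sub(substitute, text), missing


def audit_classpath(classpath, variables):
    """Return (expanded entries, sorted list of every undefined variable)."""
    expanded, missing = [], set()
    for entry in classpath:
        value, entry_missing = resolve(entry, variables)
        expanded.append(value)
        missing |= entry_missing
    return expanded, sorted(missing)


# Class path of the cell-scoped JDBC provider, as quoted in the post.
CLASSPATH = [
    "${DB2_JCC_DRIVER_PATH}/db2jcc4.jar",
    "${UNIVERSAL_JDBC_DRIVER_PATH}/db2jcc_license_cu.jar",
    "${DB2_JCC_DRIVER_PATH}/db2jcc_license_cisuz.jar",
    "${PUREQUERY_PATH}/pdq.jar",
    "${PUREQUERY_PATH}/pdqmgmt.jar",
]

# State after the first fix in the post: one variable added at cell scope.
AFTER_FIRST_FIX = {
    "DB2_JCC_DRIVER_PATH": "${WAS_INSTALL_ROOT}/jdbcdrivers/DB2",
}

# The four cell-scoped variables from the final script in the post.
FULL_FIX = {
    "DB2_JCC_DRIVER_PATH": "${WAS_INSTALL_ROOT}/jdbcdrivers/DB2",
    "WAS_INSTALL_ROOT": "/opt/IBM/WebSphere/AppServer",
    "UNIVERSAL_JDBC_DRIVER_PATH": "${WAS_INSTALL_ROOT}/jdbcdrivers/DB2",
    "PUREQUERY_PATH": "",  # defined but empty, as in the post
}

if __name__ == "__main__":
    for label, cell_vars in (("no cell variables", {}),
                             ("after first fix", AFTER_FIRST_FIX),
                             ("full fix", FULL_FIX)):
        expanded, missing = audit_classpath(CLASSPATH, cell_vars)
        print(label, "-> undefined:", missing or "none")
    for path in audit_classpath(CLASSPATH, FULL_FIX)[0]:
        print("  ", path)
```

Note that an empty `PUREQUERY_PATH` counts as defined, so those two entries expand to `/pdq.jar` and `/pdqmgmt.jar`.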

Thursday, 15 May 2014

WebSphere Application Server - Controlling whether WAS node name is added to J2C Authentication Aliases ... or not

Following on from my previous post: -


this is how I should've scripted the creation of the EventEmitterAlias J2C alias: -

wsadmin> AdminTask.setAdminActiveSecuritySettings('[-customProperties["com.ibm.websphere.security.JAASAuthData.removeNodeNameGlobal=true"]]')
wsadmin> AdminTask.createAuthDataEntry('[-alias EventEmitterAlias -user wasadmin -password passw0rd -description "Created for BAM > BPM CEI integration" ]')
wsadmin> AdminConfig.save()
wsadmin> AdminNodeManagement.syncActiveNodes()
wsadmin> quit

I've highlighted one particular line: -

AdminTask.setAdminActiveSecuritySettings('[-customProperties["com.ibm.websphere.security.JAASAuthData.removeNodeNameGlobal=true"]]')

This property equates to this checkbox within the WAS Integrated Solutions Console GUI: -


In other words, if the property is set to true, then the checkbox is NOT set for: -

Prefix new alias names with the node name of the cell (for compatibility with earlier releases)

When the property is set to false, then the checkbox IS set.

This means that (a) I can script the solution and (b) avoid the issue of having the node name ( dmgr ) added to the J2C alias.

Wednesday, 14 May 2014

Webcast - Decision Management: Making the right change at the right time - 4 June 2014

Decision Management: Making the right change at the right time

Topics

• Making rules visible, understandable and adaptable to changes in market demands
• Using Decision Management to modernize existing mainframe applications
• Getting the right business behavior with the right changes made at the right time
• Adopting a decision methodology incrementally with "market validated" decisions

Speakers:

• Richard Szulewski, Senior Product Manager, Business Process, Rules and Events, IBM Software Group
• Chris Backhouse, Architect, Business Process, Rules and Events for z/OS, IBM Software Group

When it comes to keeping mainframe applications current – not their technology but their business behavior – you are never going to be fast enough. No matter how good you are, decisions take too long. In today's mobile-driven business climate, the updates you must make come at you faster than you can redirect scarce skills to make the changes. There is a better way.

Join us for this complimentary webcast as we explore the benefits of Decision Management for mainframe applications. This approach helps get the rules that drive business decisions to where they can be seen and understood, enabling changes based on a real understanding of how decisions are made and the impact of the changes. Decision Management also enables a shared understanding between the business analysts who need changes and the IT teams responsible for delivering high-quality, seamless changes.

Join us after the webcast for a live question-and-answer session. This webcast will also be available for replay after the event.

Broadcast Date: June 4, 2014, 11:00 a.m. EDT / 3:00 p.m. GMT / 4:00 p.m. BST

Tuesday, 13 May 2014

IBM Business Monitor 8.0.1.2 - Problems emitting events from IBM BPM Advanced 8.5

So I'm on a journey of discovery, working with a colleague to set up IBM BPM -> IBM Business Monitor integration for the very first time.

I will write up my notes in due course, but I did hit two problems, one of which I've referenced below, purely for information.

The thing that kicked this off was an exception: -

Track support for CWMAX4230 error on IBM® WebSphere® Business Monitor model configuration.

that my colleague saw when he tried to deploy a Monitor model .....


Briefly, it's necessary to set up a security relationship between BPM and Monitor, in order that the BPM server can publish events to a Service Integration bus topic, to which Monitor can then subscribe.

This requires the exchange of certain security information, including SSL certificates and, if one so chooses, Lightweight Third Party Authentication (LTPA) tokens.

LTPA tokens are used to assert the identity of a user from the BPM environment ( which is running on one WAS cell ) to the Monitor environment ( which is running on a second WAS cell ).

Now I've used LTPA many many times in the past, usually to integrate WebSphere Portal with IBM Connections, IBM Sametime with IBM Connections, IBM Quickr with WebSphere Portal, IBM Domino with WebSphere Portal etc.

In essence, one generates an LTPA key on server A ( BPM cell ) and imports it into server B ( Monitor cell ), and vice versa.

The LTPA token uses the WebSphere Identity Manager (WIM) realm, which is typically defaultWIMFileBasedRealm e.g.

...
com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm
...

In essence, we set up a trust relationship between the two WAS cells, using the exported/imported LTPA keys.

However, one other important thing is that the LTPA token, generated and delivered back to the end-user, and then used to assert the user's identity to the target WAS cell, is generated with an expiration interval.

Therefore, the clock on the server that generated it needs to be in sync with the target WAS server.

If the clocks aren't in sync, then we got a problem ..... :-)

So this is what I had: -

Monitor

Tue May 13 05:49:02 CDT 2014

BPM

Tue May 13 11:46:24 CDT 2014

Thankfully, this old but useful document: -


This issue is resolved through the following actions:

• Enable the exchange of LTPA keys between the WebSphere Business Monitor and WebSphere Process Server nodes. Refer to WebSphere Business Monitor, Version 6.1 product documentation for "Sharing LTPA keys" at: http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r1mx/index.jsp?topic=/com.ibm.btools.help.monitor.install.doc/security/ltpa_cfg.html
• Assure that the system clocks of the WebSphere Business Monitor and WebSphere Portal Server nodes are synchronised

For the record, I was also seeing this: -

[5/13/14 11:49:30:432 CDT] 00000559 LTPAServerObj W   SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Tue May 13 11:46:00 CDT 2014, current Date: Tue May 13 11:49:30 CDT 2014 Token attributes:  username=user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm.. This warning might indicate expected behavior. Please refer to technote at http://www-01.ibm.com/support/docview.wss?uid=swg21594981
.

in the SystemOut.log of the BPM cell's Deployment Manager.

Bottom line, get your clocks in order or LTPA won't work :-)
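
The two checks described above can be scripted. The following is an added example, not part of the original post: it measures how far past expiry a token was from a SECJ0371W line, and works out the clock skew between two `date` outputs. The dates and the log line (abridged) are the ones quoted in this post; the function names are hypothetical, and the 120-minute token lifetime is an assumed value to be replaced with the cell's configured LTPA timeout.

```python
import re
from datetime import datetime

SECJ0371W = re.compile(
    r"SECJ0371W:.*?Token expiration Date: (?P<expiry>.+?), "
    r"current Date: (?P<now>.+?) Token attributes"
)


def parse_date(text):
    """Parse 'Tue May 13 11:46:00 CDT 2014' into (naive datetime, 'CDT')."""
    parts = text.split()
    if len(parts) != 6:
        raise ValueError("unexpected date format: %r" % text)
    zone = parts.pop(4)  # zone abbreviations are not portable in strptime
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y"), zone


def seconds_between(earlier_text, later_text):
    """Seconds from the first date to the second; both must share a zone."""
    earlier, zone_a = parse_date(earlier_text)
    later, zone_b = parse_date(later_text)
    if zone_a != zone_b:
        raise ValueError("cannot compare %s with %s" % (zone_a, zone_b))
    return int((later - earlier).total_seconds())


def expired_for(log_line):
    """Seconds past expiry reported by a SECJ0371W line, or None."""
    match = SECJ0371W.search(log_line)
    if not match:
        return None
    return seconds_between(match.group("expiry"), match.group("now"))


def dead_on_arrival(issuer_date, validator_date, lifetime_minutes):
    """True when a token issued 'now' on the issuer is already expired
    according to the validator's clock."""
    skew = seconds_between(issuer_date, validator_date)
    return skew >= lifetime_minutes * 60


# `date` output from the two cells, as quoted in the post.
MONITOR_DATE = "Tue May 13 05:49:02 CDT 2014"
BPM_DATE = "Tue May 13 11:46:24 CDT 2014"

# SystemOut.log line from the post, abridged after the token attributes.
LOG_LINE = (
    "[5/13/14 11:49:30:432 CDT] 00000559 LTPAServerObj W   SECJ0371W: "
    "Validation of the LTPA token failed because the token expired with the "
    "following info: Token expiration Date: Tue May 13 11:46:00 CDT 2014, "
    "current Date: Tue May 13 11:49:30 CDT 2014 Token attributes:  "
    "username=user:defaultWIMFileBasedRealm/uid=wasadmin,"
    "o=defaultWIMFileBasedRealm.."
)

ASSUMED_LIFETIME_MINUTES = 120  # assumption, not a value from the post

if __name__ == "__main__":
    print("token expired for", expired_for(LOG_LINE), "seconds")
    print("BPM ahead of Monitor by",
          seconds_between(MONITOR_DATE, BPM_DATE), "seconds")
    print("Monitor -> BPM tokens dead on arrival:",
          dead_on_arrival(MONITOR_DATE, BPM_DATE, ASSUMED_LIFETIME_MINUTES))
    print("BPM -> Monitor tokens dead on arrival:",
          dead_on_arrival(BPM_DATE, MONITOR_DATE, ASSUMED_LIFETIME_MINUTES))
```

The skew is not symmetric in effect: tokens issued by the cell with the slow clock are rejected as expired, while tokens issued by the cell with the fast clock are honoured for longer than the configured lifetime.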

More on IBM BPM and IBM Business Monitor integration - get your aliases right ...

So part of the process of integrating IBM BPM and IBM Business Monitor is to set up an Event Emitter Alias. This is an ID ( with a fixed name - EventEmitterAlias ) that exists on BPM, and is known to Monitor.

Monitor then fires messages at the BPM cell, using this alias. The alias, as created on the BPM cell, also known as a Java2Connectivity (J2C) Authentication Alias, is then used to map the alias to a real user only known to/by the BPM cell.

The documentation is quite explicit in this: -


  • Create a J2C authentication alias named EventEmitterAlias on the IBM BPM cell:
    a. From the administrative console on the remote IBM BPM cell, click Security > Global Security.
    b. Under Authentication, expand Java Authentication and Authorization Service, and then click J2C authentication data.
    c. Clear the Prefix new alias names with the node name of the cell (for compatibility with earlier releases) check box.
    d. Click Apply.
    e. Click Save.
    f. Click New and enter EventEmitterAlias for the alias name.
      • The J2C authentication alias must be EventEmitterAlias. It must not contain the node name of the cell.
      • The user ID and password must be an existing administrator user ID and password for the IBM BPM cell.


    Guess which fool didn't read point (C) above ?

    Yes, you've guessed it.

    I created an alias called EventEmitterAlias via the WAS Admin GUI ( Integrated Solutions Console ), and didn't notice that the name automatically picked up the prefix of dmgr meaning that I had an alias called dmgr/EventEmitterAlias.

    So Monitor fired a message to BPM, expecting to find EventEmitterAlias, but BPM didn't know about that one.

    Long story short, this led to exceptions such as: -

    [5/12/14 15:22:25:971 CDT] 0000029c MDBEmitter    E com.ibm.wbimonitor.mdbemitter.MDBEmitter onMessage(Message message) CWMDS6902E
    : The following exception occurred when processing the XML and sending CBE:
     No authentication data.
    [5/12/14 15:22:26:031 CDT] 000001a6 EmitterUtils  E com.ibm.wbimonitor.emitter.utils.EmitterUtils getInstance() CWMDS6818E: The Monitor emitter cannot be obtained. Will retry in 15 seconds...


    in the SystemOut.log file on the BPM ( Process Center ) box.

    Once one of my colleagues realised where I'd gone wrong, and we recreated the alias and restarted BPM, all was well.

    This, plus my earlier LTPA issues, represents a really useful set of experiences, to which I know I'll refer back :-)

    British Computer Society - Raspberry Pi: GPIO Workshop - Monday 19 May 2014

    As per my previous post: -


    Monday 19 May
    Raspberry Pi: GPIO Workshop,
    Presented by Joe Dunn, at Southampton Solent University
    Time: 17:00 for 17:30 (20:30 finish)
    Venue: Reginald Mitchell building, 1st floor, room RM 148, Southampton Solent University, SO14 0RD
    Free but Booking essential via : Joe Dunn - j.dunn@theiet.org
    Organised jointly with the IET, BCS Hampshire Branch and Southampton Solent University
    Learn how to use wireless networking events to control GPIO outputs on the Pi!

    A hands-on 3 hour interactive workshop and lecture teaching attendees how traffic on a wireless network can be used to trigger events using a WiFi dongle and the GPIO pins on board the Raspberry Pi. For example, program your Pi to automatically turn on your kettle or central heating when it detects you coming home!

    Bring your own Pi, power lead, network cable and laptop. SD cards and WiFi dongles will be provided. If you don't have a Pi, come along anyway and we'll pair you with somebody who does.

    Due to a high level of interest and limited space, prior registration is mandatory. 

    Monday, 12 May 2014

    Cross-cell configuration between IBM Business Monitor and IBM Business Process Manager

    Abstract

    This document describes a cross-cell configuration between IBM Business Monitor and IBM Business Process Manager (BPM) to allow for the monitoring of events from Business Process Definitions (BPDs) deployed in a remote cell to IBM Business Monitor.

    Content

    The instructions below assume an environment with IBM Business Monitor V8.0.1, IBM Business Process Manager V8.0.1, and DB2 for Linux, UNIX, and Windows V9.7.0.4 installed. It also assumes that an IBM Business Process Manager Advanced Process Server Deployment Manager profile is created with at least one custom node federated into it, and an IBM Business Monitor standalone profile is created and verified.
    The information in this document is based on the same set of instructions from this Information Center article, under the Multiple-cell environment with the BPM event emitter service in the IBM Business Process Manager Advanced cell section. This document illustrates the exact same set of instructions with accompanying screenshots.


    Note that this is relevant to BPM 8.0.1; things have changed slightly for BPM 8.5.

    I'm working to get this working as I write ..... ping me for details :-)

    IBM Operational Decision Manager 8.6 - Coming soon in June

    IBM Operational Decision Manager 8.6 Announcement Technical Information

    Detailed system requirements to support the announcement of IBM Operational Decision Manager V8.6


    IBM® Operational Decision Manager (IBM ODM) V8.6 delivers new and enhanced capabilities plus additional deployment options:

    • Delivers a new unit of rule management, the decision service, that enables governed rule deployment by business and IT participants from within the Business Console.
    • Allows business users to verify and validate rule changes by defining and running test suites inside the Business Console.
    • Offers greater deployment opportunities with additional support for:
      • JBoss Enterprise Application Platform 6.1
      • JBoss 7.2 GA
      • IBM DB2® V10.5
      • Eclipse 4.2.2


    New - IBM Business Process Manager, IBM Integration Designer, IBM Process Designer and IBM Business Monitor - version 8.5.5 - June 2014

    Announcement: IBM Business Process Manager (BPM), IBM Integration Designer, IBM Process Designer, and IBM Business Monitor Version 8.5.5 products

    The IBM Business Process Manager V8.5.5 products are an update to the comprehensive and consumable business process management platform that provides visibility and management of your business processes.

    IBM Business Monitor V8.5.5 is an update to the IBM Business Process Manager comprehensive, operational, intelligence solution. It offers visibility into real-time, end-to-end business operations, transactions, and processes to help optimize processes and increase efficiency.

    This product version includes the following enhancements:
    • Includes basic case-management capabilities in IBM Business Process Manager Advanced. These capabilities enable knowledge workers to drive business outcomes by using a combination of structured workflows, ad-hoc tasks, and document processing.
    • Provides a new Case Designer that extends the unified design experience. It is built upon the centralized IBM Process Center repository to simplify the development and deployment of process and basic case applications.
    • Includes an embedded content repository that is restricted to support the basic case management documents and folders. You can extend the restricted use content repository to support unlimited content management use cases with IBM Enterprise Content Management (ECM).
    • Provides an expanded Process Portal to allow knowledge workers to easily interact with cases, folders, and documents.
    • Enables you to create mobile-optimized user interfaces with new WYSIWYG tooling that enables the design of responsive process coaches. 

    This product version, which is an update to IBM Business Monitor V8.0.1, includes the following enhancements:
    • Provides customizable dashboards that calculate and display key performance indicators (KPIs) and metrics that are derived from business transactions, processes, business activity data, and business events.
    • Enables you to view dashboards through lightweight web interfaces, mobile devices, and corporate portals. You can drill into specific transaction and process instances.
    • Includes a simplified event infrastructure that is optimized for performance. IBM Business Monitor V8.5.5 offers improved event handling performance with the Dynamic Event Framework (DEF), which is an alternative to the Common Event Infrastructure (CEI). While the CEI framework remains available and supported, the DEF handles events more efficiently, which can result in better performance.
    • Provides support for the IBM Business Process Manager V8.5.5 operating environment.
    • Includes powerful, new visualizations of data that are based on Cognos BI V10.2.1.
    • Provides function that helps to improve and simplify the product installation.

    These products are planned for electronic delivery on 13 June 2014.

    Reconfiguring BusinessSpace to avoid HTTP to HTTPS redirection

    NOTE: This is an unsupported "solution" to a problem that may occur during the setup of demo/test environments. Your mileage may vary; if in doubt, please contact IBM Support for a formal supported solution.

    So, during the build of an IBM Business Process Manager 8.5 PoC environment, one of my developer colleagues had a requirement to connect to BPM using HTTP rather than the secure HTTPS protocol.

    By pure coincidence, as this was a PoC environment, I'd not hardened WAS to my normal standard, meaning that the HTTP ports to the JVMs ( and corresponding Virtual Hosts ) were still available.

    This meant that the URLs for Process Center and Process Admin worked via HTTP without modification.

    However, I noticed that Business Space would automatically redirect from HTTP to HTTPS without prompting.

    In other words, I'd enter this URL: -

    The "solution" to this is quite simple BUT it involves modifying one of the XML files that forms the core of the deployed Process Portal Enterprise Archive (EAR) file.

    I'm documenting the circumvention purely for information and, as stated previously, this is an UNSUPPORTED modification.

    In essence, I navigated to the "exploded" EAR file, that sits within the cell-level configuration: -

    cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/PCCell1/applications/IBM_BPM_Portal_ProcessCenterCluster.ear/deployments/IBM_BPM_Portal_ProcessCenterCluster/process-portal.war/WEB-INF

    created a backup of the existing web.xml file: -

    cp web.xml web.xml.original

    modified web.xml: -

    vi web.xml

    replacing the word CONFIDENTIAL with the word NONE in two places, specifically changing from: -

    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

    to: -

    <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>

    Once I did this, and restarted the Process Portal application ( actually I restarted the cluster within which the EAR resides ), I was able to access the Process Portal via HTTP without issues.

    Again, I'll say it to avoid doubt - THIS IS AN UNSUPPORTED MODIFICATION. YOUR MILEAGE MAY/WILL VARY.
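A check for the web.xml change described above, as an added example that is not part of the original post: it reports the transport-guarantee of every security-constraint, so a NONE left over from a demo build is caught before the file reaches a hardened environment. The function names, the url-patterns and the commented-out block in the sample are constructed; the post shows only the user-data-constraint element.

```shell
#!/bin/sh
# Added example (not from the original post): report the transport-guarantee
# of each <security-constraint> in a web.xml. Names are hypothetical.

# Constructed sample: the post shows only the <user-data-constraint> element,
# so the url-patterns and the commented-out block are invented for the demo.
sample_web_xml() {
cat <<'EOF'
<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/portal/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- <security-constraint><user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint></security-constraint> -->
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/login/*</url-pattern>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
EOF
}

# Prints "<status> <guarantee> <url-patterns>" per constraint; exit status is 1
# if any constraint would be served without TLS (NONE or no guarantee at all).
audit_transport_guarantee() {
    awk 'BEGIN { RS = "<" }                       # one record per XML tag
    substr($0, 1, 3) == "!--" { in_comment = 1 }  # ignore commented-out XML
    in_comment { if (index($0, "-->")) in_comment = 0; next }
    {
        gt = index($0, ">"); if (gt == 0) next
        tag = substr($0, 1, gt - 1); text = substr($0, gt + 1)
        sub(/[ \t\r\n].*$/, "", tag)              # drop any attributes
        gsub(/^[ \t\r\n]+|[ \t\r\n]+$/, "", text) # trim element text
        if (tag == "security-constraint") { inside = 1; pats = ""; tg = "" }
        else if (inside && tag == "url-pattern") pats = pats (pats == "" ? "" : ",") text
        else if (inside && tag == "transport-guarantee") tg = text
        else if (inside && tag == "/security-constraint") {
            weak = (tg == "" || tg == "NONE")
            status = weak ? "WEAK" : "OK"
            shown = (tg == "") ? "(unset)" : tg
            print status, shown, pats
            if (weak) bad++
            inside = 0
        }
    }
    END { exit (bad > 0) }' "$@"
}

sample_web_xml | audit_transport_guarantee || echo "review the WEAK constraints above"
```

Pass the path of a deployed web.xml as the argument to check a real file instead of the sample.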

    Friday, 9 May 2014

    IBM Business Monitor and IBM Cognos - DPR-DPR-1035 Dispatcher detected an error

    So I noticed an interesting quirk with my IBM Business Monitor 8.0.1.2 environment today, whilst monitoring (!) the logs during a startup.

    I saw this: -

    35      1       Audit.Other.dispatcher.DISP.pogo        pogo    com.cognos.pogo.reportservice.ProcessManager            Failure <messages><message><messageString>DPR-DPR-1035 Dispatcher detected an error.</messageString></message><message><messageString>Process BIBusTKServerMain failed to start properly.</messageString></message></messages>      External Report Server process BIBusTKServerMain cannot be startedProcess BIBusTKServerMain failed to start properly.java.io.IOException: Process BIBusTKServerMain failed to start properly.
        at com.cognos.pogo.reportservice.ReportServerProcess.getProcessOutput(ReportServerProcess.java:154)
        at com.cognos.pogo.reportservice.ReportServerProcess.start(ReportServerProcess.java:117)
        at com.cognos.pogo.reportservice.ProcessFacade.createServerProcess(ProcessFacade.java:219)
        at com.cognos.pogo.reportservice.ProcessFacade.<init>(ProcessFacade.java:120)
        at com.cognos.pogo.reportservice.RSComponentFactory.newProcessFacade(RSComponentFactory.java:67)
        at com.cognos.pogo.reportservice.ProcessManager.createProcessFacade(ProcessManager.java:514)
        at com.cognos.pogo.reportservice.ProcessManager.startProcess(ProcessManager.java:490)
        at com.cognos.pogo.reportservice.ProcessManager.startInitialProcesses(ProcessManager.java:364)
        at com.cognos.pogo.reportservice.ProcessManager.start(ProcessManager.java:295)
        at com.cognos.pogo.reportservice.ReportServerHandler.start(ReportServerHandler.java:737)
        at com.cognos.pogo.services.DefaultHandlerService.start(DefaultHandlerService.java:94)
        at com.cognos.pogo.services.DispatcherServices.start(DispatcherServices.java:189)
        at com.cognos.pogo.services.DispatcherServices.continueStartup(DispatcherServices.java:417)
        at com.cognos.pogo.services.DispatcherServices.configure(DispatcherServices.java:137)
        at com.cognos.pogo.contentmanager.coordinator.RefreshController.composeAndConfigureServices(RefreshController.java:120)
        at com.cognos.pogo.contentmanager.coordinator.RefreshController.run(RefreshController.java:80)
        at com.cognos.pogo.contentmanager.coordinator.BootstrapConfigurePublish.startConfiguration(BootstrapConfigurePublish.java:154)
        at com.cognos.pogo.contentmanager.coordinator.BootstrapConfigurePublish.checkConfiguration(BootstrapConfigurePublish.java:127)
        at com.cognos.pogo.contentmanager.coordinator.BootstrapConfigurePublish$ConfigurationCheckTask.safeRun(BootstrapConfigurePublish.java:120)
        at com.cognos.pogo.util.threads.SafeTimerTask.run(SafeTimerTask.java:32)
        at java.util.Timer$TimerImpl.run(Timer.java:296)


    in: -

    /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/cognos/BAM8012.AppTarget.AppSrv01Node.0/logs/cogserver.log

    I asked Mr Google, and found this IBM Technote: -


    which said, in part: -

    ...
    Known defect with AIX 6.1 TL09 (refer to APAR#IV52684 for AIX6.1, APAR#52745 for AIX7. Thread memory allocation will cause IBM Cognos BIBus to crash
    ...

    and directs one to obtain an iFix from IBM.

    However, there's also a circumvention, which appears to have worked for me.

    It effectively involves creating a shell script that wraps around the BIBusTKServerMain binary, and 

    This is what I did: -

    (1) cd /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/cognos/BAM8012.AppTarget.AppSrv01Node.0/bin64
    (2) mv BIBusTKServerMain BIBusTKServerMain.exe
    (3) vi BIBusTKServerMain

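    #!/bin/sh
    # Wrapper for the real binary, which was renamed to BIBusTKServerMain.exe in step (2).

    # Select the AIX Watson malloc allocator for the wrapped process.
    MALLOCTYPE=watson
    export MALLOCTYPE

    # Start the real binary from the current directory, passing arguments, stdin and stdout through.
    `pwd`/BIBusTKServerMain.exe "$@" <&0 >&1 &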

    (4) chmod +x BIBusTKServerMain
    (5) cd ../bin64
    (6) mv BIBusTKServerMain BIBusTKServerMain.exe
    (7) cp ../bin/BIBusTKServerMain .

    Once I put this circumvention in place, and restarted BAM, the exception appears to have gone away.

    Which is nice :-)

    Of course, I will be calling IBM Support to get the AIX fix for this .....

    Wednesday, 7 May 2014

    IBM HTTP Server - Serving multiple directories via Alias and DocumentRoot and Directory directives

    I needed to deliver a simple mechanism for log file access to my developers, so chose to use IBM HTTP Server to provide a simple web-based access to the files, rather than insisting that they log into WebSphere Application Server or use a terminal emulator such as PuTTY ( the servers are hosted on AIX ).

    I've done this before, and it's a simple solution.

    Here are the relevant directives from httpd.conf for IBM Business Process Manager: -

    ...
    DocumentRoot /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ProcessCenterJVM

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        FileETag All -INode
    </Directory>

    <Directory "/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ProcessCenterJVM">
        Options All
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    ...

    I've highlighted the things that I changed, and that are particularly relevant to the IBM BPM.

    Please note that I left the <Directory /> </Directory> stanza alone - this means that my users cannot browse the root file-system served by IHS, only the directories that I specify :-)

    This is the URL that I've given my users: -


    However, for IBM Operational Decision Manager, I have not one, but two directories to serve up.

    The solution is to use the Alias directive, thanks to this StackOverflow article: -


    ...
    DocumentRoot "/opt/IBM/WebSphere/AppServer/profiles/DecisionCenterNode01/logs"
    Alias /DecisionCenterLogs "/opt/IBM/WebSphere/AppServer/profiles/DecisionCenterNode01/logs"
    Alias /DecisionServerLogs "/opt/IBM/WebSphere/AppServer/profiles/DecisionServerNode01/logs"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        FileETag All -INode
    </Directory>

    <Directory "/opt/IBM/WebSphere/AppServer/profiles/DecisionCenterNode01/logs">
        Options All
        AllowOverride None
        Order allow,deny
        Allow from all

    </Directory>

    <Directory "/opt/IBM/WebSphere/AppServer/profiles/DecisionServerNode01/logs">
            Options All
            AllowOverride None
            Allow from all
    </Directory>

    ...

    This allows me to specify two URLs: -



    Nice :-)
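Application-server logs can carry user IDs, stack traces and configuration detail, so the stanzas that publish them are worth reviewing. The following added example, which is not part of the original post, summarises each Directory stanza of the second configuration above and marks those that combine "Options All" with "Allow from all"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the <Directory>
# stanzas of an httpd.conf. Function names are hypothetical.

# The second configuration from the post, with the "..." lines left out.
sample_httpd_conf() {
cat <<'EOF'
DocumentRoot "/opt/IBM/WebSphere/AppServer/profiles/DecisionCenterNode01/logs"
Alias /DecisionCenterLogs "/opt/IBM/WebSphere/AppServer/profiles/DecisionCenterNode01/logs"
Alias /DecisionServerLogs "/opt/IBM/WebSphere/AppServer/profiles/DecisionServerNode01/logs"
<Directory />
    Options FollowSymLinks
    AllowOverride None
    FileETag All -INode
</Directory>
<Directory "/opt/IBM/WebSphere/AppServer/profiles/DecisionCenterNode01/logs">
    Options All
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/opt/IBM/WebSphere/AppServer/profiles/DecisionServerNode01/logs">
        Options All
        AllowOverride None
        Allow from all
</Directory>
EOF
}

# One line per stanza: status, path, Options, access. A stanza is marked REVIEW
# when it is open to every client ("Allow from all") and also sets "Options All",
# which enables every option except MultiViews, including ExecCGI, Includes
# and FollowSymLinks. Exit status is 1 when at least one stanza is marked REVIEW.
audit_ihs_directories() {
    awk '
    /^[ \t]*#/ { next }                            # comment line
    /^[ \t]*<Directory[ \t]/ {                     # stanza opens
        path = $0
        sub(/^[ \t]*<Directory[ \t]+/, "", path)
        sub(/>[ \t]*$/, "", path)
        gsub(/"/, "", path)
        inside = 1; opts = "(inherited)"; world = 0
        next
    }
    inside && tolower($1) == "options" {
        opts = $0
        sub(/^[ \t]*[A-Za-z]+[ \t]+/, "", opts)
        sub(/[ \t]+$/, "", opts)
    }
    inside && tolower($1 " " $2 " " $3) == "allow from all" { world = 1 }
    /^[ \t]*<\/Directory>/ {
        risky = world && index(" " tolower(opts) " ", " all ") > 0
        status = risky ? "REVIEW" : "ok"
        access = world ? "Allow from all" : "no Allow"
        printf "%s\t%s\tOptions=%s\t%s\n", status, path, opts, access
        if (risky) findings++
        inside = 0
    }
    END { exit (findings > 0) }' "$@"
}

sample_httpd_conf | audit_ihs_directories || echo "review the stanzas marked REVIEW"
```

For a directory that only lists log files, `Options Indexes` and an `Allow from` limited to the developers' network is normally enough.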

    IBM Operational Decision Manager - Problems connecting Rule Designer to Decision Center and Decision Server

    I installed Rule Designer into my W2K8 VM, and immediately saw issues connecting to Decision Server (RES) and Decision Center (RTS), including: -



    Unexpected error: ilog.rules.res.util.http.IlrConnectionException
    IO error when contacting "/res/repositoryService"

    This is the same problem that I saw at a client back in late 2012, and occurs because, unlike Process Designer, Rule Designer doesn't seem "smart" enough to retrieve the SSL certificates from the JVMs on which RES and RTS are running.

    The solution is to grab the endpoint certificates from the RES and RTS URLs - I chose to use Internet Explorer to do this, and save the certificates, in DER encoded binary X.509 (.CER) format, to my hard drive ( C:\temp\rts.cer and C:\temp\res.cer respectively ).

    I then imported each into the Rule Designer's local SSL key/trust store ( CACerts ), as follows: -

    "C:\Program Files\IBM\ODM851\jdk\bin\keytool.exe" -import -file c:\temp\odm.cer -alias RES-P71005LPAR1.static1.tec.hur.cdn -keystore "c:\Program Files\IBM\ODM851\jdk\jre\lib\security\cacerts" -storepass changeit

    Owner: CN=P71005LPAR1, OU=P71005LPAR1Node01Cell, OU=DecisionServerNode01, O=IBM,
     C=US
    Issuer: CN=P71005LPAR1.static1.tec.hur.cdn, OU=Root Certificate, OU=odm85Cell, O
    U=odm85Node1, O=IBM, C=US
    Serial number: 912cd201ddc8
    Valid from: 4/30/14 6:00 PM until: 4/30/15 6:00 PM
    Certificate fingerprints:
             MD5:  9A:7B:E3:1B:B1:02:D3:38:08:A4:4B:24:6D:04:CB:1B
             SHA1: 47:42:81:7F:CC:A2:25:D3:5F:BE:47:6F:92:91:A8:74:F9:6C:ED:7B
             SHA256: 86:3A:1D:49:EC:5B:08:E7:CE:03:9B:FD:59:13:B1:12:90:A9:5B:EE:45:
    65:BE:5F:DA:19:B3:F9:54:8A:D2:4A
             Signature algorithm name: SHA1withRSA
             Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
    [RFC822Name: ProfileUUID:Dmgr01-DEPLOYMENT_MANAGER-1d2ca68d-5864-4176-a6ed-63293
    baa9766]]

    #2: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 4e 7e a8 9c 7b fa f8 eb                           N.......
    ]
    ]

    Trust this certificate? [no]:  yes
    Certificate was added to keystore


    "C:\Program Files\IBM\ODM851\jdk\bin\keytool.exe" -import -file c:\temp\rts.cer -alias RTS-P71005LPAR1.static1.tec.hur.cdn -keystore "c:\Program Files\IBM\ODM851\jdk\jre\lib\security\cacerts" -storepass changeit

    Owner: CN=P71005LPAR1, OU=P71005LPAR1Node01Cell, OU=DecisionCenterNode01, O=IBM,
     C=US
    Issuer: CN=P71005LPAR1.static1.tec.hur.cdn, OU=Root Certificate, OU=odm85Cell, O
    U=odm85Node1, O=IBM, C=US
    Serial number: d8b5af263526
    Valid from: 5/1/14 3:51 PM until: 5/1/15 3:51 PM
    Certificate fingerprints:
             MD5:  E5:BB:A2:FA:81:D1:2E:7C:23:50:9D:68:E7:E8:AA:71
             SHA1: 77:33:BE:8C:14:AA:1B:CF:40:15:D8:A8:C9:3B:0F:7B:BB:0B:E3:94
             SHA256: 4A:83:6E:61:1E:A1:65:D3:42:1A:79:F4:74:9E:2E:41:0A:B9:EE:7C:65:
    C0:5F:DB:7A:01:36:03:29:E9:35:A4
             Signature algorithm name: SHA1withRSA
             Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
    [RFC822Name: ProfileUUID:Dmgr01-DEPLOYMENT_MANAGER-1d2ca68d-5864-4176-a6ed-63293
    baa9766]]

    #2: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 40 4d 83 cb f4 e0 56 b4                           .M....V.
    ]
    ]

    Trust this certificate? [no]:  yes
    Certificate was added to keystore


    Note that the command will prompt you to "Trust this certificate", to which you need to respond yes :-)

    Once both certificates are added to CACerts, I simply restarted Rule Designer, and was then able to publish projects to Decision Center (RTS) and rulesets to Decision Server (RES).

    Tuesday, 6 May 2014

    Five Things to Know About Systematically Deploying IBM Business Process Manager

    From IBM developerWorks: -


    Want to get a leg up on deploying the new IBM Business Process Manager (BPM) Version 8.5?  A recent IBM Redbooks publication describes the latest features of this popular BPM software and includes step-by-step tips to help ensure your set-up goes smoothly.

    IBM BPM provides a common software platform for business process improvement and lifecycle governance. Built-in analytics and search capabilities enable individuals throughout an enterprise to contribute to improving and optimizing critical processes, quickly and collaboratively.


    BPM V8.5 includes several new capabilities and improvements compared to earlier versions:

    • Changes in security, with fewer default system users and a new ability to alter the security configuration using the wsadmin tool instead of XML files
    • Improved web services, including a new type of server configuration that allows web service endpoint connection details to be defined separately for each environment
    • Simplified installation and configuration, featuring consolidated deployment patterns and clustering topologies

    Speaking of installation and configuration, the new IBM Redbooks publication, Business Process Management Deployment Guide: Using IBM Business Process Manager V8.5, describes an approach with step-by-step instructions for building a new IBM BPM environment successfully.






    And, of course, remember that my team, IBM Software Services for WebSphere (ISSW), can certainly help with this work.

    Saturday, 3 May 2014

    More about GNU tools on AIX

    So I've got a script that creates and updates the httpd.conf configuration file used by IBM HTTP Server.

    This script makes use of the sed command, and works perfectly on Linux, specifically Red Hat Enterprise Linux 6, both on x86-64 and z/Linux.

    As an example, here's a portion of the script: -

    ...
    sed -i'' 's/Listen 8080/#Listen 8080/g' httpd.conf
    sed -i'' 's/#LoadModule ibm_ssl_module/LoadModule ibm_ssl_module/g' httpd.conf
    sed -i'' 's/#Listen 443/Listen '${httpsPort}'/g' httpd.conf
    sed -i'' 's/#<VirtualHost \*:443>/<VirtualHost \*:'${httpsPort}'>/g' httpd.conf
    sed -i'' 's/#SSLEnable/SSLEnable/g' httpd.conf

    ...

    Sadly, when I run this on AIX 7.1, it fails with: -

    ...
    sed: Not a recognized flag: i
    Usage:  sed [-n] [-u] Script [File ...]
            sed [-n] [-u] [-e Script] ... [-f Script_file] ... [File ...]
    ...

    This is because, apparently: -

    ...
    The -i option is a GNU (non-standard) extension to the sed command. It was not part of the classic interface to sed.
    ...


    The solution ?

    Of course, I needed to install the GNU version of sed from here: -

    Once I did this, and updated the symbolic link for the sed binary to point at /opt/freeware/bin/sed, my script worked like a dream.

    For the record, this is what I now have for sed : -

    $ ls -al `which sed`

    lrwxrwxrwx    1 root     system           21 May 03 07:22 /usr/bin/sed -> /opt/freeware/bin/sed
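An alternative that does not depend on which sed is first on the PATH, as an added example that is not part of the original post: the same five httpd.conf edits done with POSIX sed options only, writing to a temporary file and then overwriting the original. The function names and the sample lines are constructed, and the port is checked before it is spliced into the sed script.

```shell
#!/bin/sh
# Added example (not from the original post): the post's httpd.conf edits done
# with POSIX sed only, so the same script runs on AIX and Linux without "-i".
# Function names are hypothetical.

# Constructed sample of the commented-out lines the post's script targets.
sample_httpd_conf() {
cat <<'EOF'
Listen 8080
#LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
#Listen 443
#<VirtualHost *:443>
#SSLEnable
EOF
}

enable_ssl_in_httpd_conf() {
    conf=$1
    https_port=$2

    # The port is spliced into a sed script, so accept one to five digits only:
    # anything else could change the meaning of the script ("/" or ";").
    case $https_port in
        ''|*[!0-9]*|??????*) echo "invalid port: $https_port" >&2; return 2 ;;
    esac
    if [ "$https_port" -lt 1 ] || [ "$https_port" -gt 65535 ]; then
        echo "port out of range: $https_port" >&2; return 2
    fi
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    # Write the result to a private temporary file beside the target.
    tmp="$conf.tmp.$$"
    ( umask 077; : > "$tmp" ) || return 1

    # Patterns are anchored with ^ so a second run leaves the file unchanged.
    rc=1
    if sed -e 's/^Listen 8080/#Listen 8080/' \
           -e 's/^#LoadModule ibm_ssl_module/LoadModule ibm_ssl_module/' \
           -e "s/^#Listen 443\$/Listen $https_port/" \
           -e "s/^#<VirtualHost \\*:443>/<VirtualHost *:$https_port>/" \
           -e 's/^#SSLEnable/SSLEnable/' \
           "$conf" > "$tmp" &&
       { [ -f "$conf.bak" ] || cp -p "$conf" "$conf.bak"; } &&
       cat "$tmp" > "$conf"      # overwrite in place: owner and mode are kept
    then
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: enable_ssl_in_httpd_conf /path/to/httpd.conf 8443
```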

    Friday, 2 May 2014

    What's my AIX box doing ?

    Let's ask Nigel's Monitor - aka NMON - written by Nigel Griffiths from IBM

    Here's the website from 2006: -

    nmon performance: A free tool to analyze AIX and Linux performance

    This free tool gives you a huge amount of information all on one screen. Even though IBM doesn't officially support the tool and you must use it at your own risk, you can get a wealth of performance statistics. Why use five or six tools when one free tool can give you everything you need?


    or topas

              

    Happily nmon is now built into AIX, which is nice :-)

    Foiled Again - Installation of IBM Cognos Business Intelligence has failed. Return code : 1

    So I hit this issue last year: -

    Installation of IBM Cognos Business Intelligence has failed. Return code : 1

    during the installation of an IBM Business Monitor 8.0.1.2 environment.

    Then I was using Red Hat Enterprise Linux 6 on VMware.

    I blogged about it at the time: -


    This time around I've hit the same problem again, but using AIX 7.1 on IBM Power7.

    Believe it or not, I'm almost the only person in the world who's ever hit this problem - or, to be more realistic, who's written about it :-)

    It took me a fair amount of time to crack the problem. To start with, I tried installing the IBM Business Monitor stack one product at a time; WAS 8.0.0.8, BAM 8.0.1.2 and then Cognos 10.1.1.

    However, Cognos kept on failing with the same exception.

    I dug around, and eventually found a log file that has some useful insight: -

    /opt/IBM/WebSphere/AppServer/cognos/instlog/tl-BISRVR-10.1-6235.144-20140502_0341.txt

    When I dug into this log file using grep to pull out all instances of the word fail, I saw this: -

    Warning: Failed to get file list for directory "/opt/IBM/WebSphere/AppServer/cognos/maps".
    Warning: Failed to retrieve environment variable "LC_ALL".
    Failed to extract file "." from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docs8qckstrt-aix64h-gate-10.1.146.0-inst.tar.gz".
    Failed to extract file "webcontent/documentation/en/common/help_toolbar_bg.gif" from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docs8qckstrt-aix64h-gate-10.1.146.0-inst.tar.gz".
    Failed to extract file "." from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docmigmfdm-aix64h-gate-10.1.82.0-inst.tar.gz".
    Failed to extract file "webcontent/documentation/en/images/ug_mfdm_chkmrk.jpg" from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docmigmfdm-aix64h-gate-10.1.82.0-inst.tar.gz".
    Failed to extract file "." from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docdashboard-aix64h-gate-10.1.127.0-inst.tar.gz".
    Failed to extract file "webcontent/documentation/en/common/chkbx.gif" from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docdashboard-aix64h-gate-10.1.127.0-inst.tar.gz".
    Failed to extract file "." from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docbitrblshtngde-aix64h-gate-10.1.44.0-inst.tar.gz".
    Failed to extract file "webcontent/documentation/de/images/tg_bitshoot_action_import_portlet.jpg" from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docbitrblshtngde-aix64h-gate-10.1.44.0-inst.tar.gz".
    Failed to extract file "." from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docbitrblshtngen-aix64h-gate-10.1.44.0-inst.tar.gz".
    Failed to extract file "webcontent/documentation/en/images/tg_bitshoot_action_import_portlet.jpg" from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docbitrblshtngen-aix64h-gate-10.1.44.0-inst.tar.gz".
    Failed to extract file "." from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docbitrblshtnges-aix64h-gate-10.1.44.0-inst.tar.gz".
    Failed to extract file "webcontent/documentation/es/images/tg_bitshoot_action_import_portlet.jpg" from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docbitrblshtnges-aix64h-gate-10.1.44.0-inst.tar.gz".
    Failed to extract file "." from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docbitrblshtngfr-aix64h-gate-10.1.44.0-inst.tar.gz".
    Failed to extract file "webcontent/documentation/fr/images/tg_bitshoot_action_import_portlet.jpg" from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docbitrblshtngfr-aix64h-gate-10.1.44.0-inst.tar.gz".
    Failed to extract file "." from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docbitrblshtngja-aix64h-gate-10.1.44.0-inst.tar.gz".
    Failed to extract file "webcontent/documentation/ja/images/tg_bitshoot_action_import_portlet.jpg" from tar file "/opt/IBM/WebSphere/AppServer/CognosImage/zipfiles/aix64h/docbitrblshtngja-aix64h-gate-10.1.44.0-inst.tar.gz".


    For me, there were two possible solutions: -

    (1) I was running out of disk space
    (2) There was an issue with the AIX tar command

    I tried both solutions and, quelle surprise, I think disk space was the issue, even though I didn't see exceptions similar to the previous time e.g. Error: Call to mkdir() failed for directory "/opt/IBM/WebSphere/AppServer/cognos/war/gateway/lib/": No space left on device.

    Still, once I increased the space available to /opt/IBM/WebSphere ( the file-system that hosts WAS, BAM, Cognos ) and did a clean uninstall / reinstall of the whole BAM stack, it just worked, which is nice :-)

    Bottom line, for me, the exception has always been related to disk space issues :-)
