Monday, 29 September 2014

#ShellShock - Bash broke my VMware

So, to avoid impact by the infamous #ShellShock breach, I removed /bin/bash and, inadvertently, broke VMware Fusion.

This is what I see: -


VMware Fusion is damaged and could not be repaired. Please move the VMware Fusion application to the Trash and reinstall VMware Fusion.

Solution ? Don't remove /bin/bash :-)

Friday, 26 September 2014

IBM BPM 8.5.0 - Updating REST Endpoints programmatically

Now I've been seeking a way to achieve this for a wee while now, and finally here it is, thanks in large part to the excellent IBM BPM Community within IBM, many of whom came to my rescue.

In essence, I want to be able to update the various REST endpoints within the IBM BPM WAS applications, when I add in IBM HTTP Server ( either co-located or separate ) and HTTP load balancing. This allows the RESTful services to be rendered via the web tier, rather than going directly to the WAS Web Container.

This IS possible via the Integrated Solutions Console (ISC) GUI, but I was struggling to find a CLI way to achieve it.

Thanks to my extended network, this is what worked for me: -

Start wsadmin client

/opt/ibm/WebSphereProfiles/Dmgr01/bin/wsadmin.sh -lang jython -host `hostname` -port 8879  -user wasadmin -password passw0rd

Update Rest Services Gateway - One WAR - rest.gateway.war

AdminTask.updateRESTServiceProvider(['-clusterName','AppCluster','-appName', 'REST Services Gateway_AppCluster', '-webModuleName', 'rest.gateway.war', '-hostName', 'bpm8501.uk.ibm.com', '-port', '8443' , '-transportType', 'https://'])

Update TeamWorks - one RESTy WAR - bpmrest.war

AdminTask.updateRESTServiceProvider(['-clusterName','AppCluster','-appName', 'IBM_BPM_Teamworks_AppCluster', '-webModuleName', 'bpmrest.war', '-hostName', 'bpm8501.uk.ibm.com', '-port', '8443' , '-transportType', 'https://'])

Update BPE Container - one RESTy WAR - bfmrestapi.war

AdminTask.updateRESTServiceProvider(['-clusterName','AppCluster','-appName', 'BPEContainer_AppCluster', '-webModuleName', 'bfmrestapi.war', '-hostName', 'bpm8501.uk.ibm.com', '-port', '8443' , '-transportType', 'https://'])

Update Task Container - one RESTy WAR - taskrestapi.war

AdminTask.updateRESTServiceProvider(['-clusterName','AppCluster','-appName', 'TaskContainer_AppCluster', '-webModuleName', 'taskrestapi.war', '-hostName', 'bpm8501.uk.ibm.com', '-port', '8443' , '-transportType', 'https://'])

Save and Synchronise

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
quit

I validated that I had the correct number of RESTy WARs: -

cat /opt/ibm/WebSphereProfiles/Dmgr01/config/cells/PSCell1/config-rest.xml | grep 8443

<webModules xmi:id="WBIRestWebModule_1411489980815" name="rest.gateway.war" applicationName="REST Services Gateway_AppCluster" contextRoot="/rest" transportType="https://" hostName="bpm8501.uk.ibm.com" port="8443">

<webModules xmi:id="WBIRestWebModule_1411489982410" name="bpmrest.war" applicationName="IBM_BPM_Teamworks_AppCluster" contextRoot="/rest/bpm/wle" transportType="https://" hostName="bpm8501.uk.ibm.com" port="8443">

<webModules xmi:id="WBIRestWebModule_1411489983613" name="bfmrestapi.war" applicationName="BPEContainer_AppCluster" contextRoot="/rest/bpm/bfm" transportType="https://" hostName="bpm8501.uk.ibm.com" port="8443">

<webModules xmi:id="WBIRestWebModule_1411489983637" name="taskrestapi.war" applicationName="TaskContainer_AppCluster" contextRoot="/rest/bpm/htm" transportType="https://" hostName="bpm8501.uk.ibm.com" port="8443">

cat /opt/ibm/WebSphereProfiles/Dmgr01/config/cells/PSCell1/config-rest.xml | grep ".war"

<webModules xmi:id="WBIRestWebModule_1411489449181" name="rest.gateway.war" applicationName="REST Services Gateway Dmgr" contextRoot="/rest_dmgr" transportType="https://" hostName="bpm8501.uk.ibm.com" port="9043">

<webModules xmi:id="WBIRestWebModule_1411489980815" name="rest.gateway.war" applicationName="REST Services Gateway_AppCluster" contextRoot="/rest" transportType="https://" hostName="bpm8501.uk.ibm.com" port="8443">

<endpoints xmi:id="WBIRestEndpoint_1411489980822" id="6260563d-e009-499d-9d00-1c56cbd062e2" name="Store and forward" description="WBI Store and Forward REST API" type="{com.ibm.bpm}Qualifier" typeDisplayName="SCA Qualifier" version="7.0.0.0" publicEndpoint="true" providerEndpointID="StoreAndForward" relativeURL="/bpm/qos/storeandforward"/>

<webModules xmi:id="WBIRestWebModule_1411489982410" name="bpmrest.war" applicationName="IBM_BPM_Teamworks_AppCluster" contextRoot="/rest/bpm/wle" transportType="https://" hostName="bpm8501.uk.ibm.com" port="8443">

<webModules xmi:id="WBIRestWebModule_1411489983613" name="bfmrestapi.war" applicationName="BPEContainer_AppCluster" contextRoot="/rest/bpm/bfm" transportType="https://" hostName="bpm8501.uk.ibm.com" port="8443">

<webModules xmi:id="WBIRestWebModule_1411489983637" name="taskrestapi.war" applicationName="TaskContainer_AppCluster" contextRoot="/rest/bpm/htm" transportType="https://" hostName="bpm8501.uk.ibm.com" port="8443">
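The grep check above can be turned into a repeatable test that names any cluster-scoped REST module still pointing somewhere other than the HTTPS web tier. This is an added example, not code from the original post or from IBM; the function names are hypothetical, the sample text is constructed from the output shown above (with the xmi:id attributes dropped), and the "stale" values are invented for illustration.

```python
import re

# Constructed sample: the <webModules> entries from the config-rest.xml
# output shown above, limited to the attributes this check reads.
CONFIG_REST = """\
<webModules name="rest.gateway.war" applicationName="REST Services Gateway Dmgr" contextRoot="/rest_dmgr" transportType="https://" hostName="bpm8501.uk.ibm.com" port="9043">
<webModules name="rest.gateway.war" applicationName="REST Services Gateway_AppCluster" contextRoot="/rest" transportType="https://" hostName="bpm8501.uk.ibm.com" port="8443">
<webModules name="bpmrest.war" applicationName="IBM_BPM_Teamworks_AppCluster" contextRoot="/rest/bpm/wle" transportType="https://" hostName="bpm8501.uk.ibm.com" port="8443">
<webModules name="bfmrestapi.war" applicationName="BPEContainer_AppCluster" contextRoot="/rest/bpm/bfm" transportType="https://" hostName="bpm8501.uk.ibm.com" port="8443">
<webModules name="taskrestapi.war" applicationName="TaskContainer_AppCluster" contextRoot="/rest/bpm/htm" transportType="https://" hostName="bpm8501.uk.ibm.com" port="8443">
"""

# Constructed "stale" copy: one module left on a plain-HTTP container port
# (the http:// and 9080 values are invented for this example).
STALE = CONFIG_REST.replace(
    'contextRoot="/rest/bpm/htm" transportType="https://" hostName="bpm8501.uk.ibm.com" port="8443"',
    'contextRoot="/rest/bpm/htm" transportType="http://" hostName="bpm8501.uk.ibm.com" port="9080"',
)

# The endpoint every AppCluster module should advertise after the update.
WEB_TIER = {"transportType": "https://", "hostName": "bpm8501.uk.ibm.com", "port": "8443"}

ATTR = re.compile(r'([\w:.-]+)="([^"]*)"')


def web_modules(xml_text):
    """Return one attribute dict per <webModules ...> start tag."""
    return [dict(ATTR.findall(tag))
            for tag in re.findall(r"<webModules\b[^>]*>", xml_text)]


def endpoint_drift(xml_text, cluster, expected):
    """Map 'application/module' to {attribute: (found, wanted)} for every
    module deployed to `cluster` whose endpoint differs from `expected`."""
    drift = {}
    for mod in web_modules(xml_text):
        app = mod.get("applicationName", "")
        if not app.endswith("_" + cluster):
            continue  # e.g. the deployment manager's own gateway on 9043
        diff = {key: (mod.get(key), want)
                for key, want in expected.items() if mod.get(key) != want}
        if diff:
            drift[app + "/" + mod.get("name", "?")] = diff
    return drift


if __name__ == "__main__":
    for label, text in (("current", CONFIG_REST), ("stale", STALE)):
        print(label, endpoint_drift(text, "AppCluster", WEB_TIER) or "OK")
```
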

PS This also works for IBM Business Monitor 8.0.1.2, running on WAS 8.0.0.8: -

/opt/ibm/WebSphereProfiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd
AdminTask.updateRESTServiceProvider(['-clusterName','WebCluster','-appName', 'REST Services Gateway_WebCluster', '-webModuleName', 'rest.gateway.war', '-hostName', 'bam8012.uk.ibm.com', '-port', '8443' , '-transportType', 'https://'])
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
quit 


*UPDATE* As if by magic, I've just found a page in the IBM BPM documentation that says much the same: -

Updating context roots in an existing network deployment environment

as well as this old-but-good Technote: -

Customize System REST Services Context Root: /rest

Time for Bash - No, not #ShellShock

So I have a backup script that I use to backup certain folders on my Mac to an external USB drive: -

#! /bin/bash

# now=$(date +"%d_%m_%Y" +"_" +"%h:%m")
now=`date +%d-%m-%Y-%H-%M-%S`

tar cvzf notes_$now.tar.gz ~/Library/Application\ Support/IBM\ Notes\ Data/*
tar cvzf docs_$now.tar.gz ~/Documents/Docs.ISSW/*
tar cvzf customers_$now.tar.gz ~/Documents/Customers.ISSW/*
tar cvzf personal_$now.tar.gz ~/Documents/Personal/*
tar cvzf itunes_$now.tar.gz ~/Music/
tar cvzf pictures_$now.tar.gz ~/Pictures/


This is one of many backups, including TimeMachine, Synology NAS and SuperDuper. One can never have TOO many backups ;-)

My script calculates the current date/time and appends it to the filename: -

now=$(date +"%d_%m_%Y" +"_" +"%h:%m")

For some reason, that's stopped working recently - not sure precisely when but ...

This is what I now see: -

date: illegal time format
usage: date [-jnu] [-d dst] [-r seconds] [-t west] [-v[+|-]val[ymwdHMS]] ... 
            [-f fmt date | [[[mm]dd]HH]MM[[cc]yy][.ss]] [+format]

A quick Google search later ( Adding date and time to file name ), I've changed the script to this: -

now=`date +%d-%m-%Y-%H-%M-%S`

and it works.

This is what I now get: -

notes_26-09-2014-15-56-38.tar.gz
docs_26-09-2014-15-56-38.tar.gz


etc.

WebSphere Application Server - JVM Performance

Pulling together some performance materials relating to IBM BPM, including this IBM Redbook: -


I also referenced a number of related articles: -




looking at aspects of Garbage Collection, including generational GC: -

Tuning generational GC

When the options are added, you will need to save and synchronize the changes before restarting the application server to put the changes in effect.

When tuning for generational garbage collection, the simplest approach is to treat the nursery space as a new Java heap area, in addition to the Java heap area used in the non-generational case. The Java heap for the non-generational case therefore becomes the tenured heap.

This approach is conservative: the expectation is that the occupancy of the tenured heap will drop as a result of introducing the nursery, but it provides a safe starting point, especially in the case of a migration from a non-generational policy. When the occupancy of the tenure heap after global (full) collections can be monitored, the size can then be adjusted as described earlier:

• -Xmn<size> sets the initial and maximum size of the nursery, effectively setting both -Xmns and -Xmnx.
• -Xmns<size> sets the initial size of the nursery to the specified value.
• -Xmnx<size> sets the maximum size of the nursery to the specified value.

The size of the nursery heap should be fixed, and as a result only one of these options, -Xmn is required. Therefore, you only need to understand how to correctly size the nursery heap.

Tuesday, 23 September 2014

IBM Integration Bus and the WebSphere Application Server (WAS) Plugin

So I am following this rather excellent developerWorks article: -


WebSphere Message Broker V8 lets you generate a configuration file for the WebSphere Plug-in or Apache mod_proxy modules, which are used by IBM HTTP Server and Apache HTTP Server respectively to enable HTTP load balancing. Part 1 of this two-part series shows you how to configure load balancing for WebSphere Message Broker HTTP traffic using WebSphere Plug-in and IBM HTTP Server. The article shows you how to use WebSphere Message Broker Java APIs and the WebSphere Message Broker Explorer to generate a WebSphere Plug-in configuration for IBM HTTP Server.

This includes some sample code that allows one to generate a plugin file for the WebSphere Application Server (WAS) Plugin.

This Java code makes use of the WebSphere MQ and IBM Integration Bus Java APIs, such as com.ibm.broker.config.proxy.BrokerConnectionParameters.

In order to compile the code, I created a new Java project in Eclipse (Kepler) called PluginGeneration, into which I placed the three source files: -

com.ibm.broker.load.plugin.GeneratePlugin
com.ibm.broker.load.plugin.WritePluginFile
com.ibm.broker.load.plugin.BrokerConnectionDetails

( the example source is in the article, including a downloadable ZIP ).

However, in order to compile the code, I needed to add a single IIB JAR file to my Eclipse build path: -

-rwxr-xr-x 1 wmbadmin mqbrkrs 12210797 Jun 19 19:21 /opt/ibm/mqsi/9.0.0.2/classes/ConfigManagerProxy.jar


Once I'd created the project, with the three classes, I used Eclipse to export it as a Runnable JAR file with the main method of the GeneratePlugin class set as the Launch configuration: -


I was then able to execute the JAR: -

java -jar PluginGeneration.jar 

=========================================================================================
*****************************************************************************************
*******************WebSphere Message Broker Plugin Generation Tool***********************
*****************************************************************************************
=========================================================================================

Do you want to add Broker Connection Details ? (y/n) = y

*****************************************************************************************

Please Enter the Broker Connection Details ( Hostname, QMName , QMPort )

Enter the Broker Hostname                            = bam8012.uk.ibm.com

Enter the Queue Manager Name                         = DAVEHAY

Enter the Queue Manager Listener Port Number         = 1414

Sadly, at that point, I hit this exception: -

Exception in thread "main" java.lang.NoClassDefFoundError: com.ibm.mq.MQException
at java.lang.J9VMInternals.verifyImpl(Native Method)
at java.lang.J9VMInternals.verify(J9VMInternals.java:94)
at java.lang.J9VMInternals.initialize(J9VMInternals.java:171)
at com.ibm.broker.config.proxy.MQBrokerConnectionParameters.getSender(MQBrokerConnectionParameters.java:574)
at com.ibm.broker.config.proxy.BrokerProxy.<init>(BrokerProxy.java:322)
at com.ibm.broker.config.proxy.BrokerProxy.getInstance(BrokerProxy.java:863)
at com.ibm.broker.load.plugin.GeneratePlugin.main(GeneratePlugin.java:100)
Caused by: java.lang.ClassNotFoundException: com.ibm.mq.MQException
at java.net.URLClassLoader.findClass(URLClassLoader.java:599)
at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:760)
at java.lang.ClassLoader.loadClass(ClassLoader.java:728)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:325)
at java.lang.ClassLoader.loadClass(ClassLoader.java:707)
... 7 more

This led me to this IBM Technote: -


...
Why was the Java™ MQException Class moved to the com.ibm.mq.jmqi.jar file in WebSphere MQ V7.0?
...
The move of the MQException class to the new com.ibm.mq.jmqi.jar was as a result of significant re-engineering that was implemented across the MQ classes for Java and the MQ classes for JMS. The JMS classes (com.ibm.mq.jms.jar) and Java classes (com.ibm.mq.jar) are now independent and stand as peers, therefore the MQException Class was moved to a common JAR file that can be used by either the Java and JMS libraries.
...

Sadly, I've not yet come up with a perfect solution to this :-(

The issue, and the IBM Technote, implied that I needed to add one or more JARs to the Java class path, which I tried as follows: -

java -cp /opt/ibm/mqm/java/lib/com.ibm.mq.headers.jar:/opt/ibm/mqm/java/lib/com.ibm.mq.jar:/opt/ibm/mqm/java/lib/com.ibm.mq.jmqi.jar -jar /mnt/hgfs/Downloads/PluginGeneration.jar 

but to no avail.

I even tried adding in the additional IIB JAR: -

java -cp /opt/ibm/mqm/java/lib/com.ibm.mq.headers.jar:/opt/ibm/mqm/java/lib/com.ibm.mq.jar:/opt/ibm/mqm/java/lib/com.ibm.mq.jmqi.jar:/opt/ibm/mqsi/9.0.0.2/classes/ConfigManagerProxy.jar -jar /mnt/hgfs/Downloads/PluginGeneration.jar 

but again to no avail.

In the end, I found that the "optimum" solution was to include the four JARs: -

com.ibm.mq.headers.jar
com.ibm.mq.jar
com.ibm.mq.jmqi.jar
ConfigManagerProxy.jar

in the Build Path: -


AND also inside the exported JAR: -


which now allows me to successfully generate the WAS Plugin configuration: -

java -jar PluginGeneration.jar

=========================================================================================
*****************************************************************************************
*******************WebSphere Message Broker Plugin Generation Tool***********************
*****************************************************************************************
=========================================================================================

Do you want to add Broker Connection Details ? (y/n) = y

*****************************************************************************************

Please Enter the Broker Connection Details ( Hostname, QMName , QMPort )

Enter the Broker Hostname                            = bam8012.uk.ibm.com

Enter the Queue Manager Name                         = DAVEHAY

Enter the Queue Manager Listener Port Number         = 1414

Broker HTTP Service Details for this Broker Connection
Broker,HTTP/HTTPS,Port,URL,Execution Groups....

Do you want to add Broker Connection Details ? (y/n) = n

*****************************************************************************************

Enter the file name for Plugin                       = plugin-cfg.xml

Enter the location of file                           = /tmp

=========================================================================================
*****************************************************************************************
*********************Congratulation Plugin Generated Successfully************************
**************************Exiting Plugin Generation Tool*********************************
*****************************************************************************************
=========================================================================================


cat /tmp/plugin-cfg.xml 

<?xml version="1.0" encoding="UTF-8"?><Config>
    <!--PLUGININSTALLROOT MUST BE UNCOMMENTED FOR SSL-->
    <!--Property Name="PluginInstallRoot" Value="SET ME TO YOUR WEBSPHERE PLUGINS DIRECTORY"/-->
    <VirtualHostGroup Name="default_host">
        <VirtualHost Name="*:80"/>
    </VirtualHostGroup>



Still not sure why I need to have the WMQ/IIB JARs on build path AND exported within the JAR, but it works :-)

PS For the record, I did try executing the JAR like this: -

java -cp /opt/ibm/mqm/java/lib/com.ibm.mq.headers.jar:/opt/ibm/mqm/java/lib/com.ibm.mq.jar:/opt/ibm/mqm/java/lib/com.ibm.mq.jmqi.jar:/opt/ibm/mqsi/9.0.0.2/classes/ConfigManagerProxy.jar -jar PluginGeneration.jar

but that didn't end well either: -

Exception in thread "main" java.lang.NoClassDefFoundError: com.ibm.broker.config.proxy.ConfigManagerProxyLoggedException
at java.lang.J9VMInternals.verifyImpl(Native Method)
at java.lang.J9VMInternals.verify(J9VMInternals.java:94)
at java.lang.J9VMInternals.prepare(J9VMInternals.java:516)
at java.lang.Class.getMethod(Class.java:964)
at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:506)
at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:498)
Caused by: java.lang.ClassNotFoundException: com.ibm.broker.config.proxy.ConfigManagerProxyLoggedException
at java.net.URLClassLoader.findClass(URLClassLoader.java:599)
at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:760)
at java.lang.ClassLoader.loadClass(ClassLoader.java:728)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:325)
at java.lang.ClassLoader.loadClass(ClassLoader.java:707)
... 6 more



Finally, it's worth noting that I'm running the JAR as a user that's configured for BOTH WMQ and IIB: -

...
. /opt/ibm/mqm/bin/setmqenv -s -k

source /opt/ibm/mqsi/9.0.0.2/bin/mqsiprofile

...

with the following class path: -

/opt/ibm/mqsi/9.0.0.2/messages:/opt/ibm/mqsi/9.0.0.2/classes:/opt/ibm/mqsi/9.0.0.2/classes/ConfigManagerProxy.jar:/opt/ibm/mqsi/9.0.0.2/classes/brokerutil.jar:/opt/ibm/mqm/java/lib/com.ibm.mq.jar:/opt/ibm/mqm/java/lib/com.ibm.mqjms.jar:/opt/ibm/mqm/samp/wmqjava/samples:/opt/ibm/mqm/samp/jms/samples:/var/mqsi/common/wsrr



Monday, 22 September 2014

IBM HTTP Server / IBM Global Security Toolkit - Commanding the line ...

One of my colleagues was looking for inspiration, without too much perspiration, in order to create an SSL/TLS Certificate Signing Request (CSR) using IBM HTTP Server and the Global Security Toolkit (GSK).

He was hoping to use the GUI tool, IKeyMan, but I tried very hard to persuade him that GUIs are for WIMPs, and that the command-line tool, gskcapicmd is the way to go ( whilst IHS also has ikeycmd, that relies upon a Java Runtime Environment, which may not always be available, especially on a production IHS server ).

Specifically, he wanted to set the Subject Alternative Name (SAN).

subjectAltName (SAN) is an extension to X.509 that allows various values to be associated with a security certificate.[1] These values are called "Subject Alternative Names", or SANs. Names include:[2]

• e-mail addresses
• IP addresses
• URIs
• DNS names (Otherwise often given as a Common Name RDN within the Subject)
• directory names (alternative Distinguished Names to that given in the Subject)
• other names, given as a General Name: a registered Object identifier followed by a value

This is easily done via the ikeyman GUI: -


and my colleague wanted to know how to achieve the same using gskcapicmd.

Here's my conclusion: -

/opt/IBM/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label foobar -dn "cn=www.foobar.ibm.com" -size 2048 -file /tmp/foobar.csr -san_dnsname "www.foobar.ibm.com" -san_emailaddr "admin@us.ibm.com" -san_ipaddr "192.168.1.221"

This results in a nice little file: -

-rw-r--r--   1 wasadmin mqm        1009 Sep 22 15:44 foobar.csr



which can then be sent off to the Certificate Authority (CA) for action.
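Before the request goes to the CA, it is worth confirming that the SAN entries really made it into the CSR. The following is an added example, not part of the original post or of GSKit: a standard-library DER walker that lists the subjectAltName entries in a PKCS#10 request and reports any expected entry that is missing. The function names are hypothetical, the sample request is a constructed, unsigned skeleton built from the values in the command above, and the request's signature is not verified.

```python
import base64
import ipaddress

EXT_REQUEST_OID = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14
SAN_OID = bytes.fromhex("551d11")                      # 2.5.29.17
NAME_TYPES = {0x81: "email", 0x82: "dns", 0x86: "uri", 0x87: "ip"}


def tlv(tag, value):
    """Encode one DER element (only used to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        head = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        head = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value


def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Split the contents of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        items.append((tag, value))
    return items


def pem_to_der(pem):
    """Strip the BEGIN/END lines (GSKit writes 'NEW CERTIFICATE REQUEST')."""
    body = [ln for ln in pem.strip().splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def csr_sans(pem):
    """Return the (type, value) subjectAltName entries requested in a CSR."""
    _, request, _ = read_tlv(pem_to_der(pem), 0)
    _, info = children(request)[0]            # certificationRequestInfo
    sans = []
    for tag, attrs in children(info):
        if tag != 0xA0:                       # attributes are tagged [0]
            continue
        for _, attr in children(attrs):
            (_, oid), (_, values) = children(attr)[:2]
            if oid != EXT_REQUEST_OID:
                continue
            for _, extensions in children(values):
                for _, ext in children(extensions):
                    fields = children(ext)
                    if fields[0][1] != SAN_OID:
                        continue
                    # extnValue is an OCTET STRING wrapping SEQUENCE OF GeneralName
                    _, names, _ = read_tlv(fields[-1][1], 0)
                    for ntag, raw in children(names):
                        kind = NAME_TYPES.get(ntag, "other:0x%02x" % ntag)
                        if kind == "ip":
                            sans.append((kind, str(ipaddress.ip_address(raw))))
                        elif kind.startswith("other"):
                            sans.append((kind, raw.hex()))
                        else:
                            sans.append((kind, raw.decode("ascii")))
    return sans


def missing_sans(pem, expected):
    """Expected (type, value) pairs that the CSR does not request."""
    return set(expected) - set(csr_sans(pem))


def sample_csr_pem():
    """Constructed skeleton CSR: real structure, empty key and signature."""
    names = (tlv(0x81, b"admin@us.ibm.com")
             + tlv(0x87, ipaddress.ip_address("192.168.1.221").packed)
             + tlv(0x82, b"www.foobar.ibm.com"))
    san_ext = tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, tlv(0x30, names)))
    attr = tlv(0x30, tlv(0x06, EXT_REQUEST_OID) + tlv(0x31, tlv(0x30, san_ext)))
    cn = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x13, b"www.foobar.ibm.com"))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, tlv(0x31, cn))
               + tlv(0x30, b"") + tlv(0xA0, attr))
    der = tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN NEW CERTIFICATE REQUEST-----", *lines,
                      "-----END NEW CERTIFICATE REQUEST-----"])


if __name__ == "__main__":
    print(csr_sans(sample_csr_pem()))
```
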

Some required reading: -




WebSphere Application Server - Using WSAdmin to manage users and groups

print AdminTask.searchUsers(["-cn *"]) 

uid=wasadmin,o=defaultWIMFileBasedRealm
uid=wmbadmin,o=defaultWIMFileBasedRealm
uid=deAdmin,o=defaultWIMFileBasedRealm

 
print AdminTask.searchGroups(["-cn *"])

cn=developers,o=defaultWIMFileBasedRealm
cn=administrators,o=defaultWIMFileBasedRealm
cn=dashboard-editor,o=defaultWIMFileBasedRealm
cn=dashboard-viewer,o=defaultWIMFileBasedRealm


print AdminTask.help('-commands')

...
WASX8004I: Available admin commands: 

WIMCheckPassword - Validates the user/pasword in the Federated repositories user registry
addAdminIdToUserRegObj - Adds the adminId to the user registry object in the security.xml file
addCompUnit - Add a composition unit, based on an asset or another business-level application, to a business-level application.
addDisabledSessionCookie - Adds a cookie configuration that applications will not be able to programmatically modify
addExternalBundleRepository - Adds an external bundle repository to the configuration.  Requires a repository name and a URL.
addFeaturesToServer - Add feature pack or stack product features to existing server 
addFileRegistryAccount - Adds an account to the file registry.
addGroupToBusConnectorRole - Give a group permission to connect to the bus specified.
addGroupToDefaultRole - Grants a group default access to all local destinations on the bus for the specified role.
addGroupToDestinationRole - Grants a group access to a destination for the specified destination role.
addGroupToForeignBusRole - Grants a group access to a foreign bus from the local bus specified for the specified destination role.
addGroupToTopicRole - Gives a group permission to access the topic for the specified role.
addGroupToTopicSpaceRootRole - Gives a group permission to access the topic space for the specified role.
addIdMgrLDAPAttr - Adds an LDAP attribute configuration to the LDAP repository configuration.
addIdMgrLDAPAttrNotSupported - Adds a configuration for a virtual member manager property not supported by a specific LDAP repository.
addIdMgrLDAPBackupServer - Sets up a backup LDAP server.

...
 
print AdminTask.getMembersOfGroup(['-uniqueName','cn=dashboard-editor,o=defaultWIMFileBasedRealm'])

 uid=wasadmin,o=defaultWIMFileBasedRealm

print AdminTask.getMembershipOfUser(['-uniqueName','uid=wasadmin,o=defaultWIMFileBasedRealm'])

cn=developers,o=defaultWIMFileBasedRealm
cn=dashboard-editor,o=defaultWIMFileBasedRealm


which is nice.

Friday, 19 September 2014

WebSphere Application Server - Recovering from failed transaction recovery

Thanks to Twitter for sharing: -

IBM_AppServer
Great blog on Recovering from failed transaction recovery. Very helpful! Take a look! http://t.co/KoxbxEqNr9 #wasserv
19/09/2014 17:10


When WebSphere Application Server is running a transaction, the transaction information is written to the tranlog directory to log1 & log2. The resources required for that transaction (database name, user, password, etc) are recorded in the partnerlog directory to its log1 & log2. When a transaction completes, the transaction information is garbage collected from the logs. If the application server should abend or be forced off mid-transaction, such that a transaction does not complete, then on subsequent server restarts, the transaction service detects the unfinished transaction and attempts to re-establish the resource(s) stored in the partnerlogs then complete the transaction(s) stored in the tranlogs.

IBM Integration Bus - The Fun Continues .... MQ reason code 2035 while trying to connect

So I now have IBM Integration Bus (IIB) 9.0.0.2 and the Toolkit running on my Red Hat Enterprise Linux VM, as per these most recent posts: -



I have the toolkit installed as user wasadmin because that's the user with which I installed a whole slew of other WebSphere products, using IBM Installation Manager.

Therefore, in order to use the Toolkit to create/administer an Integration Node ( fka Broker ), I need to ensure that the wasadmin user is setup to access IIB and WebSphere MQ (WMQ).

I did this by: -

(a) Adding the user into the appropriate Linux groups - this is what I now have: -

id wasadmin

uid=500(wasadmin) gid=505(mqm) groups=505(mqm),506(mqbrkrs)

id mqm

uid=505(mqm) gid=505(mqm) groups=505(mqm)

id wmbadmin

uid=506(wmbadmin) gid=506(mqbrkrs) groups=506(mqbrkrs),505(mqm)

In essence, I added the wasadmin user to the mqbrkrs group as follows: -

usermod -G mqm,mqbrkrs wasadmin

( as root )

(b) configuring the Bash environment for user wasadmin to use BOTH WMQ and IIB: -

cat /home/wasadmin/.bashrc

# .bashrc

# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi

# User specific aliases and functions
umask 022
set -o vi
alias hist='history | cut -c 8-'

. /opt/ibm/mqm/bin/setmqenv -s -k

source /opt/ibm/mqsi/9.0.0.2/bin/mqsiprofile


I have highlighted in bold the two lines added to achieve this.

Now I can log in as wasadmin and create an Integration Node ( aka Broker ), as follows: -

mqsicreatebroker DAVEHAY -q DAVEHAY

WebSphere MQ queue manager created.
Directory '/var/mqm/qmgrs/DAVEHAY' created.
The queue manager is associated with installation 'Installation2'.
Creating or replacing default objects for queue manager 'DAVEHAY'.
Default objects statistics : 79 created. 0 replaced. 0 failed.
Completing setup.
Setup completed.
WebSphere MQ queue manager 'DAVEHAY' starting.
The queue manager is associated with installation 'Installation2'.
5 log records accessed on queue manager 'DAVEHAY' during the log replay phase.
Log replay for queue manager 'DAVEHAY' complete.
Transaction manager state recovered for queue manager 'DAVEHAY'.
WebSphere MQ queue manager 'DAVEHAY' started using V8.0.0.0.
BIP8071I: Successful command completion. 


mqsistart DAVEHAY

BIP8096I: Successful command initiation, check the system log to ensure that the component started without problem and that it continues to run without problem. 

mqsilist

BIP1285I: Broker 'DAVEHAY' on queue manager 'DAVEHAY' is stopped. 
BIP8071I: Successful command completion.


dspmq

QMNAME(QM_MDB)                                            STATUS(Running)
QMNAME(DAVEHAY)                                           STATUS(Running)

I can then start the Toolkit: -

~/IBM/IntegrationToolkit90/launcher

One small glitch - I see this within the Toolkit when I attempt to connect to the Integration Node: -


The user 'wasadmin' is not authorized to connect to queue manager 'DAVEHAY' (MQ reason code 2035 while trying to connect) 

Happily the solution is relatively simple :-)

I looked at the logs: -

cd /var/mqm/qmgrs/DAVEHAY/errors
cat AMQERR01.LOG

wherein I could see: -

AMQ5534: User ID 'wasadmin' authentication failed

EXPLANATION:

The user ID and password supplied by 'javaw' could not be authenticated.

ACTION:

Ensure that the correct user ID and password are provided by the application. Ensure that the authentication repository is correctly configured. Look at previous error messages for any additional information.

AMQ5542: The failed authentication check was caused by the queue manager CONNAUTH CHCKLOCL(OPTIONAL) configuration.

EXPLANATION:

The user ID 'wasadmin' and its password were checked because the queue manager connection authority (CONNAUTH) configuration refers to an authentication information (AUTHINFO) object named 'SYSTEM.DEFAULT.AUTHINFO.IDPWOS' with CHCKLOCL(OPTIONAL).

This message accompanies a previous error to clarify the reason for the user ID and password check.

ACTION:
Refer to the previous error for more information.

Ensure that a password is specified by the client application and that the password is correct for the user ID. The authentication configuration of the queue manager connection determines the user ID repository. For example, the local operating system user database or an LDAP server.

If the CHCKCLNT setting is OPTIONAL, the authentication check can be avoided by not passing a user ID across the channel. For example, by omitting the MQCSP structure from the client MQCONNX API call.

To avoid the authentication check, you can amend the authentication configuration of the queue manager connection, but you should generally not allow unauthenticated remote access.

After some digging, I think that the problem is that the Toolkit is attempting to connect to the DAVEHAY Queue Manager, and is not sending the correct authentication string e.g. user ID *AND* password.

Looking at the Queue Manager in more detail: -

runmqsc DAVEHAY

5724-H72 (C) Copyright IBM Corp. 1994, 2014.
Starting MQSC for queue manager DAVEHAY.

display qmgr connauth

AMQ8408: Display Queue Manager details.
   QMNAME(DAVEHAY)                      
   CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)

display AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)

AMQ8566: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
   AUTHTYPE(IDPWOS)                        ADOPTCTX(NO)
   DESCR( )                                CHCKCLNT(REQDADM)
   CHCKLOCL(OPTIONAL)                      FAILDLAY(1)
   ALTDATE(2014-09-19)                     ALTTIME(11.21.38)

My reading of this is: -

(a) the Toolkit is sending a user ID ( wasadmin ) but NOT sending a password
(b) the Queue Manager expects BOTH a user ID and a password

Interestingly, the Toolkit, leastways on Linux, doesn't give one the opportunity to specify connection credentials :-)

Therefore, the Toolkit, whilst running as wasadmin, is trying to connect to the Queue Manager as that user with NO password :-)

Ironically, I'm making a LOCAL connection as both the Toolkit AND the Queue Manager are running on the same OS.

After much faffing about, I found this excellent deck from my IBM Hursley colleague, Morag Hughson: -


which led me to this solution: -

ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(REQDADM) CHCKLOCL(NONE)    
REFRESH SECURITY TYPE(CONNAUTH)


which, as far as I can establish, means that MQ will require a valid set of credentials for client connections, via CHCKCLNT(REQDADM), but not for local connections, via CHCKLOCL(NONE).
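A simplified model of that connection-authentication step, as an added example (not IBM's code and not from the original post): it parses the DISPLAY AUTHINFO output shown earlier and evaluates how each CHCKLOCL/CHCKCLNT value treats a connection, so the trade-off of the ALTER is visible. The function names are hypothetical, wasadmin is treated as a privileged user because it is in the mqm group, and the authorization checks that follow authentication are not modelled.

```python
import re

# Constructed sample: the DISPLAY AUTHINFO output shown above, as text.
DISPLAY_AUTHINFO = """\
AMQ8566: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
   AUTHTYPE(IDPWOS)                        ADOPTCTX(NO)
   DESCR( )                                CHCKCLNT(REQDADM)
   CHCKLOCL(OPTIONAL)                      FAILDLAY(1)
   ALTDATE(2014-09-19)                     ALTTIME(11.21.38)
"""

NOTES = {
    "NONE": "credentials are never checked",
    "OPTIONAL": "a password is checked only when the application sends one",
    "REQDADM": "privileged users must send a valid password, others need not",
}


def parse_mqsc(text):
    """Return {KEYWORD: value} for the KEYWORD(value) pairs in MQSC output."""
    return {key: value.strip()
            for key, value in re.findall(r"\b([A-Z]+)\(([^)]*)\)", text)}


def authenticates(mode, privileged, supplied, valid):
    """Would a connection pass the CONNAUTH password check?

    mode       -- the CHCKLOCL (local) or CHCKCLNT (client) value
    privileged -- the user is an MQ administrator (e.g. in the mqm group)
    supplied   -- the application sent a user ID and password
    valid      -- the operating system accepts those credentials
    """
    if mode == "NONE":
        return True                        # never inspected
    if mode == "REQUIRED" or (mode == "REQDADM" and privileged):
        return supplied and valid          # must send good credentials
    if mode in ("OPTIONAL", "REQDADM"):
        return valid if supplied else True
    raise ValueError("unknown check mode: %r" % mode)


def audit(attrs):
    """List the settings that let some connections skip the password check."""
    findings = []
    for key, scope in (("CHCKCLNT", "client"), ("CHCKLOCL", "local")):
        mode = attrs.get(key)
        if mode in NOTES:
            findings.append(f"{key}({mode}), {scope} connections: {NOTES[mode]}")
    return findings


def toolkit_connects(attrs):
    """The page's case: a local connection as wasadmin (privileged) whose
    supplied credentials fail validation (AMQ5534)."""
    return authenticates(attrs["CHCKLOCL"], privileged=True, supplied=True, valid=False)


if __name__ == "__main__":
    before = parse_mqsc(DISPLAY_AUTHINFO)
    after = dict(before, CHCKLOCL="NONE")   # effect of the ALTER AUTHINFO above
    for label, attrs in (("before", before), ("after", after)):
        print(label, "toolkit connects:", toolkit_connects(attrs))
        for finding in audit(attrs):
            print("  ", finding)
```

The model shows why the change works and what it costs: with CHCKLOCL(NONE) the Toolkit's bad credentials are no longer inspected, and neither are those of any other local application, so access then rests on operating-system accounts and MQ authorization alone.
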

To verify this hypothesis, I switched back to the old state: -

ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(REQDADM) CHCKLOCL(OPTIONAL)    
REFRESH SECURITY TYPE(CONNAUTH)

and my old friend: -

The user 'wasadmin' is not authorized to connect to queue manager 'DAVEHAY' (MQ reason code 2035 while trying to connect) 

popped up.

I reverted back to CHCKLOCL(NONE) and I'm now in like Flynn: -


On a related note, I had a similar, but different problem with WMQ Explorer ( running as another user - wmbadmin ): -

/opt/ibm/WebSphere_MQ_Explorer/MQExplorer

With this, I was attempting to make a remote connection to the same Queue Manager: -

Host name or IP address bam8012.uk.ibm.com
Port number 1414
Server-connection channel SYSTEM.DEF.SVRCONN

Unlike the IIB Toolkit, this DOES allow me to enter credentials.

However, Explorer failed to connect with: -

Could not establish a connection to the queue manager - reason 2538. (AMQ4059)
  Could not establish a connection to the queue manager - reason 2538. (AMQ4059)
  Severity: 10 (Warning)
  Explanation: The attempt to connect to the queue manager failed. This could be because the queue manager is incorrectly configured to allow a connection from this system, or the connection has been broken.
  Response: Try the operation again. If the error persists, examine the problem determination information to see if any information has been recorded.


I had taken the default port of 1414, so I then checked whether anything was listening on it: -

netstat -aon | grep LISTENING | grep 1414

unix  2      [ ACC ]     STREAM     LISTENING     11460  /var/run/mcelog-client

In other words, nothing was listening on port 1414.

I did have a Channel defined: -

display CHANNEL(SYSTEM.DEF.SVRCONN)

AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   ALTDATE(2014-09-19)                     ALTTIME(11.21.38)
   CERTLABL( )                             COMPHDR(NONE)
   COMPMSG(NONE)                           DESCR( )
   DISCINT(0)                              HBINT(300)
   KAINT(AUTO)                             MAXINST(999999999)
   MAXINSTC(999999999)                     MAXMSGL(4194304)
   MCAUSER( )                              MONCHL(QMGR)
   RCVDATA( )                              RCVEXIT( )
   SCYDATA( )                              SCYEXIT( )
   SENDDATA( )                             SENDEXIT( )
   SHARECNV(10)                            SSLCAUTH(REQUIRED)
   SSLCIPH( )                              SSLPEER( )
   TRPTYPE(TCP)                         


which was running: -

display chstatus(*)

AMQ8417: Display Channel Status details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   CONNAME(192.168.8.100)                  CURRENT
   STATUS(RUNNING)                         SUBSTATE(RECEIVE)


and a default Listener: -

display    LISTENER(SYSTEM.DEFAULT.LISTENER.TCP)

AMQ8630: Display listener information details.
   LISTENER(SYSTEM.DEFAULT.LISTENER.TCP)   CONTROL(MANUAL)
   TRPTYPE(TCP)                            PORT(0)
   IPADDR( )                               BACKLOG(0)
   DESCR( )                                ALTDATE(2014-09-19)
   ALTTIME(11.21.38)                    


*BUT* the Listener was listening on .... port 0, which ain't ever gonna work :-)

Therefore, I needed to create a new Listener: -

DEFINE LISTENER(DAVEHAY) TRPTYPE(TCP) CONTROL(QMGR) PORT(1414)

AMQ8626: WebSphere MQ listener created.

and then start it: -

START LISTENER(DAVEHAY)

AMQ8021: Request to start WebSphere MQ listener accepted.

Again, I'm in like Flynn: -


which is nice.

Ain't it sweet ?
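The two checks from this post (the CHCKCLNT / CHCKLOCL values on the AUTHINFO object, and the listener's PORT and CONTROL), as an added example that is not part of the original post or IBM's tooling: it parses DISPLAY output in the layout shown above and lists the settings worth a second look. The sample output is constructed, and the notes attached to each finding are this example's wording.

```python
import re

# Constructed sample in the two-column layout runmqsc prints for DISPLAY
# commands; the two listener records mirror the ones shown in this post.
SAMPLE = """\
AMQ8566: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)   AUTHTYPE(IDPWOS)
   CHCKCLNT(REQDADM)                       CHCKLOCL(NONE)
AMQ8630: Display listener information details.
   LISTENER(SYSTEM.DEFAULT.LISTENER.TCP)   CONTROL(MANUAL)
   TRPTYPE(TCP)                            PORT(0)
AMQ8630: Display listener information details.
   LISTENER(DAVEHAY)                       CONTROL(QMGR)
   TRPTYPE(TCP)                            PORT(1414)
"""

ATTR = re.compile(r"([A-Z][A-Z0-9]*)\(([^()]*)\)")

# What each password-checking value means for CHCKCLNT and CHCKLOCL.
CHECK_MEANING = {
    "NONE": "supplied credentials are not checked at all",
    "OPTIONAL": "a password is checked only if the application supplies one",
    "REQDADM": "only privileged user IDs must supply a valid password",
    "REQUIRED": "every connection must supply a valid user ID and password",
}


def parse_mqsc(text):
    """Return one {ATTRIBUTE: value} dict per object in DISPLAY output."""
    records = []
    for line in text.splitlines():
        if line.startswith("AMQ"):  # each response header starts a new object
            records.append({})
        elif records:
            for key, value in ATTR.findall(line):
                records[-1][key] = value.strip()
    return records


def audit(records):
    """Return (object, setting, note) tuples for settings worth reviewing."""
    findings = []
    for rec in records:
        if "AUTHINFO" in rec:
            for attr in ("CHCKCLNT", "CHCKLOCL"):
                value = rec.get(attr)
                if value in CHECK_MEANING and value != "REQUIRED":
                    setting = "%s(%s)" % (attr, value)
                    findings.append((rec["AUTHINFO"], setting, CHECK_MEANING[value]))
        if "LISTENER" in rec:
            name = rec["LISTENER"]
            if rec.get("PORT") == "0":
                findings.append((name, "PORT(0)", "no explicit port is set"))
            if rec.get("CONTROL") == "MANUAL":
                findings.append((name, "CONTROL(MANUAL)",
                                 "not started with the queue manager"))
    return findings
```

Calling audit(parse_mqsc(SAMPLE)) reports both CONNAUTH settings and the default listener, and nothing for the DAVEHAY listener.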





Security Bulletin: A security vulnerability has been identified in Cognos BI Server shipped with IBM Business Monitor (CVE-2014-0107)

IBM HTTP Server and SSL Signature Algorithms

So, whilst listening to this week's SecurityNow podcast, Episode 473 Google vs. SHA-1, I learned that Google plans to force the web to deprecate the SHA1 ( Secure Hash Algorithm ) from November 2014 even though Microsoft has a more moderate plan to move away from it by late 2017.

Google wants us to move to SHA2, aka SHA224 / SHA256 / SHA512, even though their own websites are still using SHA1 at the moment: -


Apparently, Google Chrome will start to provide visual feedback to end-users when they visit a site using SHA1, which has led to a bit of debate :-)

This led me to think about IBM HTTP Server, which I use and love on an almost daily basis.

I've created a lot of certificates in IHS using the IBM Global Security Toolkit ( GSK ), using syntax such as: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=bam8012.uk.ibm.com\\,o=ibm\\,c=us\\" -label "bam8012.uk.ibm.com" -default_cert yes

I was interested to see what hashing algorithm IHS uses by default.

Here's the answer: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted
*- bam8012.uk.ibm.com

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label bam8012.uk.ibm.com

Label : bam8012.uk.ibm.com
Key Size : 2048
Version : X509 V3
Serial : 1f75f58469abb054
Issuer : CN=bam8012.uk.ibm.com\,o\=ibm\,c\=us
Subject : CN=bam8012.uk.ibm.com\,o\=ibm\,c\=us
Not Before : 29 August 2014 18:03:07 GMT+01:00
Not After : 30 August 2015 18:03:07 GMT+01:00
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 : 
    EA F8 A8 80 AC F6 86 29 66 48 A8 9F C2 73 23 99
    68 E8 3C 7D
Fingerprint : MD5 : 
    5A 7F 67 55 D7 0F D1 08 37 FE 6F 31 47 F9 DE F5
Fingerprint : SHA256 : 
    2B 05 82 F8 41 7E 9C 10 4B AE A8 99 18 DD 1D 7B
    50 56 F7 C6 16 5F A9 3F CE 07 19 A3 06 6F 13 24
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Trust Status : Enabled


So there's the answer, IHS generates a SHA1 certificate by default. I checked this for IHS 8.0 and 8.5, and the same is true in both cases.

Now that makes sense, given most of the world is still supporting SHA1 and, apparently, MS Windows XP SP2 doesn't support SHA2 - although I'd hope that any remaining Windows XP users would've moved to SP3 a looooong time ago; perhaps embedded Windows users don't have that luxury ?

Anyway, I then wondered whether I could've chosen to generate a SHA2 certificate using gskcapicmd. Guess what, I can :-)

Here's the multitude of choices: -

-Command usage-
-db | -crypto         Required
-tokenlabel           Required if -crypto present
-label                Required
-pw                   Optional
-dn                   Required
-type                 Optional if -db present <cms | kdb>
-expire               Optional
-size                 Optional
-x509version          Optional <1 | 2 | 3>
-default_cert         Optional <yes | no>
-ca                   Optional <true | false>
-sig_alg | -sigalg    Optional < | md5 | MD5_WITH_RSA | MD5WithRSA | sha1 | SHA_WITH_RSA | SHAWithRSA | SHA1WithRSA | sha224 | SHA224_WITH_RSA | SHA224WithRSA | sha256 | SHA256_WITH_RSA | SHA256WithRSA | SHA2WithRSA | sha384 | SHA384_WITH_RSA | SHA384WithRSA | SHA3WithRSA | sha512 | SHA512_WITH_RSA | SHA512WithRSA | SHA5WithRSA | SHA1WithECDSA | EC_ecdsa_with_SHA1 | SHA224WithECDSA | EC_ecdsa_with_SHA224 | SHA256WithECDSA | EC_ecdsa_with_SHA256 | SHA384WithECDSA | EC_ecdsa_with_SHA384 | SHA512WithECDSA | EC_ecdsa_with_SHA512>
-ca_label             Optional
-san_dnsname          Optional
-san_emailaddr        Optional
-san_ipaddr           Optional
-certpolicy           Optional
-eku                  Optional <ocspSigning, timeStamping, emailProtection, codeSigning, clientAuth, serverAuth, SSLStepUpApproval, any>
-ku                   Optional <digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly>
-template             Optional
-secondarydb          Optional if -crypto present
-secondarydbpw        Optional if -secondarydb present
-secondarydbtype      Optional if -secondarydb present


That's a LOT of choice :-)

Of course, one would need to think about the consuming devices BEFORE moving to SHA2, even though Google appear to be telling the rest of the internet what to do .....

Bottom line, think about the Signature Algorithm when creating certificates, along with everything else :-)
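One way to repeat this check across every certificate in a key database, as an added example (not from the original post and not IBM code): it parses gskcapicmd -cert -details output and classifies each certificate by its signature-algorithm OID rather than by display name. The second sample record, its display name, the placeholder hex line and the weak/ok policy are assumptions.

```python
import re

# Standard signature-algorithm OIDs. The weak/ok verdicts are this example's
# policy (an assumption), not something gskcapicmd reports.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSA", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSA", "weak"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSA", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSA", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSA", "ok"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "ok"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "ok"),
}
SIG_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<oid>[\d.]+)\)$")

# First record: fields as shown in this post, with a constructed placeholder
# hex line. Second record: constructed; its display name is an assumption.
SAMPLE = """\
Label : bam8012.uk.ibm.com
Key Size : 2048
Public Key
    00 01 02 03 04 05 06 07
Public Key Type : RSA (1.2.840.113549.1.1.1)
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Trust Status : Enabled
Label : constructed-sha256-example
Key Size : 2048
Public Key Type : RSA (1.2.840.113549.1.1.1)
Signature Algorithm : SHA256WithRSASignature (1.2.840.113549.1.1.11)
"""


def parse_details(text):
    """Return one {field: value} dict per certificate in the output."""
    certs = []
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if not sep or line[:1].isspace():
            continue  # hex dump lines and bare headings such as "Public Key"
        if key.strip() == "Label":
            certs.append({})  # every certificate block opens with its label
        if certs:
            certs[-1].setdefault(key.strip(), value.strip())
    return certs


def audit_certs(text, min_rsa_bits=2048):
    """Return (label, signature OID, [issues]) for each certificate."""
    report = []
    for cert in parse_details(text):
        shown = cert.get("Signature Algorithm", "")
        match = SIG_RE.match(shown)
        oid = match.group("oid") if match else None
        name, verdict = SIG_ALGS.get(oid, (shown or "?", "unknown"))
        issues = []
        if verdict != "ok":
            issues.append("signature algorithm %s is %s" % (name, verdict))
        is_rsa = cert.get("Public Key Type", "").startswith("RSA")
        if is_rsa and int(cert.get("Key Size", 0)) < min_rsa_bits:
            issues.append("RSA key is below %d bits" % min_rsa_bits)
        report.append((cert.get("Label"), oid, issues))
    return report
```

An OID that is not in the table comes back as "unknown" rather than being silently passed, so new or unexpected algorithms still surface in the report.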

Thursday, 18 September 2014

IBM BPM Advanced 8.5.0.1 - PFS-0065 seen in context of Performance Data Warehouse

So, hot on the heels of my previous post: -


I was looking to replicate the same for Process Center.

Strangely, when I looked at my Performance Data Warehouse (PDW) database for the Process Center environment, I did NOT have the TASKS table, merely LSW_TASK, and couldn't work out what SQL was actually used to create the missing table.

Interestingly, whilst there are SQL scripts to create all of the BPM/PDW/CMN database tables, there's nothing for TASKS. It appears that this is created dynamically.

When I dug further, via the Performance Admin console ( https://hostname.domain.com:8443/PerformanceAdmin ), I could see errors in the View Errors tab.

I dug further into the underlying DB2 database tables, specifically LSW_DATA_TRANSFER_ERRORS : -

db2 "select error from db2user1.lsw_data_transfer_errors"

(PFS-0065) Snapshot 2064.8961f2a9-d0f9-419f-bfee-8e6437c4c0ba, undefined tracking group with external ID guid:06fb68640f875312:27f9b3f:148179f00e7:-7ffc. Send definitions to define the tracking group.

com.lombardisoftware.client.delegate.BusinessDelegateException: (PFS-0065) Snapshot 2064.8961f2a9-d0f9-419f-bfee-8e6437c4c0ba, undefined tracking group with external ID guid:06fb68640f875312:27f9b3f:148179f00e7:-7ffc. Send definitions to define the tracking group.

In other words, I was executing a BPD on the in-built Process Server run-time for which there was no corresponding Tracking Group. The clue is in the error above, helpfully highlighted in red.

This was easily resolved - I logged into the Process Admin console ( https://hostname.domain.com:8443/ProcessAdmin ), clicked on the Installed Apps tab and, for the app in question, clicked on the Update Tracking Definitions button: -


Once I did this, the TASKS table magically created itself, LSW_DATA_TRANSFER_ERRORS cleared itself down, and I was able to see statistics from my BPD within the TASKS table.

Now to go and turn off PDW so I never see statistics in the TASKS table again :-)

IBM BPM Advanced 8.5.0.1 - Disabling Process Server to Performance Data Warehouse communication

So, in order to disable the automatic publishing of events from Process Server to the Performance Data Warehouse database, I followed this IBM Technote: -


My requirement is to disable the use of PDW and use IBM Business Monitor ( aka BAM ) instead.

In essence, one needs to toggle: -

<performance-server-communication>

from: -

true

to: -

false

in 101Custom.xml ( which I used to override the stock 100Custom.xml ) and then restart Process Server.

Works for me, your mileage may vary.

Eric Herness, Chief Technology Officer for IBM BPM, has also blogged on the subject here: -



Wednesday, 17 September 2014

IBM Business Process Manager on Cloud service adds case handling and enhanced mobile UIs

New features built into IBM® Business Process Manager (IBM BPM) on Cloud include:

• Basic case-management capabilities that enable knowledge workers to drive business outcomes by using a combination of structured workflows, ad-hoc tasks, and document processing.
• New design capabilities for creating responsive user interfaces that can be designed once and run on any device form factor (phone, tablet, or desktop), to support mobile-ready process applications.
• Service availability for People's Republic of China with hosting in the IBM SoftLayer Hong Kong data center

IBM BPM on Cloud is a comprehensive and consumable, business process management (BPM) cloud service that delivers visibility and management of your business processes in a cloud environment. It includes tooling and runtime to design and run processes and provides capabilities for monitoring and optimizing work that is run within the platform. It is specifically designed to enable process owners and business users to get started with business process improvement quickly with a ready-to-use, cloud-based environment that is hosted in IBM cloud data centers and managed by IBM.

WebSphere Application Server Security configuration changes done with wsadmin are not activated immediately.

Saw this rather useful IBM Technote via Twitter: -


Problem(Abstract)

Some administrative actions (like mapping administrative users or groups to security roles) might not get activated immediately and require a restart of the JVM.

For example, you want to map the group called "wasadmins" to the Administrator role:

AdminTask.mapGroupsToAdminRole('[-roleName administrator -accessids [group:defaultWIMFileBasedRealm/cn=wasadmins,cn=groups,dc=mycompany,dc=com ] -groupids [wasadmins@defaultWIMFileBasedRealm ]]') 

AdminConfig.save()

Symptom

Although the configuration change has been saved with AdminConfig.save() you cannot login immediately, although your user is member of the "wasadmins" group.

If you login to the AdminConsole with the primary administrative user and go to the "Administrative group roles" page, the new group mapping will be listed.

If you quit the Console again, you can login with a member of the newly mapped group.

Cause

Some changes of the WAS configuration require a restart of the JVM, or at least a refresh of the configuration for the running instances. 
This refresh is done, when you go to the ISC "Administrative group roles" page.

Resolving the problem

When the configuration changes are completed and saved, you can force a refresh of the security configuration with the AdminControl action "refreshAll":

authGrpMgr = AdminControl.completeObjectName('WebSphere:type=AuthorizationGroupManager,*')
AdminControl.invoke(authGrpMgr, 'refreshAll') 


Now the login with a newly mapped user is possible.


Monday, 15 September 2014

IBM Integration Bus 9.0.0.2 - Tooling Up

My ongoing journey with IBM Integration Bus continues: -


I've now got the Toolkit installed and running on RHEL63.

Unlike WMQ and IIB, the Toolkit is installed using IBM Installation Manager.

The first thing I had to do was to update IIM from 1.6.0 to 1.6.2+ as I previously had: -

com.ibm.cic.agent_1.6.0.20120831_1216

I actually updated to 1.7.2: -

com.ibm.cic.agent_1.7.2000.20140227_0303

( thanks to BPM 8.5.5 disk 2 ( BPM_Adv_V855_Linux_x86_2_of_3.tar.gz  ) for providing )

However, things weren't that smooth.

I started the installation of the IIB Toolkit: -

/opt/IBM/InstallationManager/eclipse/tools/imcl install com.ibm.integration.toolkit.v90_9.0.0.20140515-1210 -repositories /mnt/hgfs/IIB/integrationbus/Integration_Toolkit/ -acceptLicense

which almost immediately failed with: -

ERROR: Required 32-bit libraries are missing. For details, see the IBM Installation Manager log file.

I looked in the log file: -

cat /home/wasadmin/var/ibm/InstallationManager/logs/20140912_2025.log

and saw: -

...
 <message>libz.so.1 required by 32 bit profile install is missing</message>
</entry>
<entry num='58' time='1410549538760' elapsed='00:03.39' level='INFO' thread='main'>
 <logger>com.ibm.check.library32bit.CheckLibrary32bit</logger>
 <method>check32Library</method>
 <message>You can find more information on adding missing 32-bit libraries from http://www.ibm.com/support/docview.wss?uid=swg21592400</message>
</entry>

...

...
 <message>libXtst.so.6 required by 32 bit profile install is missing</message>
...

...
 <message>libatk-1.0.so.0 required by 32 bit profile install is missing</message>
...

...
 <message>libfontconfig.so.1 required by 32 bit profile install is missing</message>
...

...
 <message>libfreetype.so.6 required by 32 bit profile install is missing</message>
...

...
 <message>libgdk_pixbuf-2.0.so.0 required by 32 bit profile install is missing</message>
...

...
 <message>libgdk-x11-2.0.so.0 required by 32 bit profile install is missing</message>
...

...
 <message>libglib-2.0.so.0 required by 32 bit profile install is missing</message>
...

...
 <message>libgmodule-2.0.so.0 required by 32 bit profile install is missing</message>
...

...
 <message>libgobject-2.0.so.0 required by 32 bit profile install is missing</message>
...

...
 <message>libgthread-2.0.so.0 required by 32 bit profile install is missing</message>
...

...
 <message>libgtk-x11-2.0.so.0 required by 32 bit profile install is missing</message>
...

...
 <message>libpango-1.0.so.0 required by 32 bit profile install is missing</message>
...

...
 <message>libpangoft2-1.0.so.0 required by 32 bit profile install is missing</message>
...

...
 <message>libpng12.so.0 required by 32 bit profile install is missing</message>
...

...
 <message>libXcomposite.so.1 required by 32 bit profile install is missing</message>
...

...
 <message>libXcursor.so.1 required by 32 bit profile install is missing</message>
...

...
 <message>libXdamage.so.1 required by 32 bit profile install is missing</message>
...

...
 <message>libXinerama.so.1 required by 32 bit profile install is missing</message>
...

...
 <message>libXrender.so.1 required by 32 bit profile install is missing</message>
...

...
 <message>libfontconfig.so.1 required by 32 bit profile install is missing</message>
...

...
 <message>libXcomposite.so.1 required by 32 bit profile install is missing</message>
...

...
 <message>libXcursor.so.1 required by 32 bit profile install is missing</message>
...

...
 <message>libXdamage.so.1 required by 32 bit profile install is missing</message>
...

...
 <message>libXinerama.so.1 required by 32 bit profile install is missing</message>
...

...
 <message>libXrender.so.1 required by 32 bit profile install is missing</message>
...

After a major YUMfest, I managed to install all the missing libraries :-)

Eventually: -

/opt/IBM/InstallationManager/eclipse/tools/imcl install com.ibm.integration.toolkit.v90_9.0.0.20140515-1210 -repositories /mnt/hgfs/IIB/integrationbus/Integration_Toolkit/ -acceptLicense

Installed com.ibm.integration.toolkit.v90_9.0.0.20140515-1210 to the /home/wasadmin/IBM/IntegrationToolkit90 directory.

so now I have: -

/opt/IBM/InstallationManager/eclipse/tools/imcl listInstalledPackages

com.ibm.cic.agent_1.7.2000.20140227_0303
com.ibm.websphere.MON.V80_8.0.1002.20131028_1518
com.ibm.websphere.ND.v80_8.0.8.20131205_0207
com.ibm.ws.cognos.v1011.linuxia64_10.1.1.20121103_1244
com.ibm.websphere.IHS.v80_8.0.8.20131205_0207
com.ibm.websphere.PLG.v80_8.0.8.20131205_0207
com.ibm.integration.toolkit.v90_9.0.0.20140515-1210


which is nice :-)

Of course, this means that I'm running the Toolkit as wasadmin because that's the user which I use to install/use IBM Installation Manager, WAS, IBM Business Monitor etc.

This is how I start the Toolkit ( as wasadmin ): -

~/IBM/IntegrationToolkit90/launcher 

MQSI 9.0.0.2
/opt/ibm/mqsi/9.0.0.2




which is also nice :-)
