Tuesday, 10 November 2015

IBM HTTP Server / IBM WebSphere Plugin - Using Transport Layer (TLS) 1.2

The last blog post for today, I promise.

I was seeing this: -

[10/Nov/2015:20:58:15.05163] 0000f090 061fc700 - PLUGIN: ws_common: websphereShouldHandleRequest: Config was successfully reloaded
[10/Nov/2015:20:58:16.28930] 0000f75e 07fff700 - PLUGIN: ws_common: websphereShouldHandleRequest: Config was successfully reloaded
[10/Nov/2015:21:03:07.80560] 0000f090 039f8700 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_SOCKET_CLOSED(gsk rc = 420) PARTNER CERTIFICATE DN=No Information Available, Serial=No Information Available
[10/Nov/2015:21:03:07.81064] 0000f090 039f8700 - ERROR: ws_common: websphereGetStream: Could not open stream
[10/Nov/2015:21:03:07.81073] 0000f090 039f8700 - ERROR: ws_common: websphereExecute: Failed to create the stream
[10/Nov/2015:21:03:07.81075] 0000f090 039f8700 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'Node1_AppClusterMember1' on host 'nemdemo.uk.ibm.com:9443'; will try another one
[10/Nov/2015:21:03:07.81076] 0000f090 039f8700 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find an app server to handle this request 
[10/Nov/2015:21:03:07.81098] 0000f090 039f8700 - ERROR: ESI: getResponse: failed to get response: rc = 2
[10/Nov/2015:21:03:07.81115] 0000f090 039f8700 - ERROR: ws_common: websphereHandleRequest: Failed to handle request
[10/Nov/2015:21:03:52.12777] 0000fa1c 7395a700 - PLUGIN: Plugins loaded.


when attempting to connect to IBM BPM's Process Center URL via IBM HTTP Server / WebSphere Plugin, where I'm using Transport Layer Security (TLS) 1.2 between the Plugin and WAS.

This IBM APAR helped: -


which mentioned: -

A property was added to allow plugin to enable security compatible with the application server strict server setting.
To enable this property, set StrictSecurity=true on the webserver-><servername>->Plug-in properties->Customer Properties window.

Thus I changed the plugin configuration file: -

vi /opt/ibm/WebSphere/Plugins/config/webserver1/plugin-cfg.xml

Change from: -

<?xml version="1.0" encoding="ISO-8859-1"?><!--HTTP server plugin config file for the webserver PCCell1.Node1.webserver1 generated on 2015.11.10 at 08:45:54 PM GMT-->
<Config ASDisableNagle="false" AcceptAllContent="true" AppServerPortPreference="HostHeader" ChunkedResponse="false" FIPSEnable="false" FailoverToNext="false" HTTPMaxHeaders="300" IISDisableFlushFlag="false" IISDisableNagle="false" IISPluginPriority="High" IgnoreDNSFailures="false" KillWebServerStartUpOnParseErr="false" MarkBusyDown="false" OS400ConvertQueryStringToJobCCSID="false" RefreshInterval="60" ResponseChunkSize="64" SSLConsolidate="true" StrictSecurity="false" TrustedProxyEnable="false" VHostMatchingCompat="false">
   <Log LogLevel="Error" Name="/opt/ibm/WebSphere/Plugins/logs/webserver1/http_plugin.log"/>


to: -

<?xml version="1.0" encoding="ISO-8859-1"?><!--HTTP server plugin config file for the webserver PCCell1.Node1.webserver1 generated on 2015.11.10 at 08:45:54 PM GMT-->
<Config ASDisableNagle="false" AcceptAllContent="true" AppServerPortPreference="HostHeader" ChunkedResponse="false" FIPSEnable="false" FailoverToNext="false" HTTPMaxHeaders="300" IISDisableFlushFlag="false" IISDisableNagle="false" IISPluginPriority="High" IgnoreDNSFailures="false" KillWebServerStartUpOnParseErr="false" MarkBusyDown="false" OS400ConvertQueryStringToJobCCSID="false" RefreshInterval="60" ResponseChunkSize="64" SSLConsolidate="true" StrictSecurity="true" TrustedProxyEnable="false" VHostMatchingCompat="false">
   <Log LogLevel="Error" Name="/opt/ibm/WebSphere/Plugins/logs/webserver1/http_plugin.log"/>

and restarted IHS.

Once done, it worked like a treat.

I do, of course, need to make the same change within the WAS cell, and then regenerate / propagate the Plugin Configuration.

However, that's tomorrow's job :-)

*UPDATE*

This is the Jython that I used to set the StrictSecurity property to true : -


cellID = AdminControl.getCell()  # cell name used to build the config ID below
AdminConfig.create('Property', '(cells/'+cellID+'/nodes/Node1/servers/webserver1|server.xml#PluginProperties_1447187986151)', '[[validationExpression ""] [name "StrictSecurity"] [description ""] [value "true"] [required "false"]]')

*UPDATE*

Having done this, I simply generated/propagated the Plugin configuration: -


AdminControl.invoke('WebSphere:name=PluginCfgGenerator,process=dmgr,platform=common,node=Dmgr,version=8.5.5.4,type=PluginCfgGenerator,mbeanIdentifier=PluginCfgGenerator,cell='+cellID+',spec=1.0', 'generate', '[/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/config '+cellID+' Node1 webserver1 false]', '[java.lang.String java.lang.String java.lang.String java.lang.String java.lang.Boolean]')

AdminControl.invoke('WebSphere:name=PluginCfgGenerator,process=dmgr,platform=common,node=Dmgr,version=8.5.5.4,type=PluginCfgGenerator,mbeanIdentifier=PluginCfgGenerator,cell='+cellID+',spec=1.0', 'propagate', '[/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/config '+cellID+' Node1 webserver1]', '[java.lang.String java.lang.String java.lang.String java.lang.String]')

and we're good to go.
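
To confirm both halves of the diagnosis above, here is an added example (not code from the original post) in plain Python that checks whether a plugin-cfg.xml has StrictSecurity="true" on its Config element and pulls the GSKit handshake failures out of http_plugin.log together with the back end each one was aimed at. The function names are hypothetical, the config sample is constructed, and the log sample is copied from the excerpt at the top of the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the head of a generated plugin-cfg.xml, closed so it parses.
SAMPLE_CFG = b'''<?xml version="1.0" encoding="ISO-8859-1"?>
<Config FIPSEnable="false" SSLConsolidate="true" StrictSecurity="false">
   <Log LogLevel="Error" Name="/opt/ibm/WebSphere/Plugins/logs/webserver1/http_plugin.log"/>
</Config>'''

# Sample input: three lines copied from the http_plugin.log excerpt in the post.
SAMPLE_LOG = '''\
[10/Nov/2015:21:03:07.80560] 0000f090 039f8700 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_SOCKET_CLOSED(gsk rc = 420) PARTNER CERTIFICATE DN=No Information Available, Serial=No Information Available
[10/Nov/2015:21:03:07.81064] 0000f090 039f8700 - ERROR: ws_common: websphereGetStream: Could not open stream
[10/Nov/2015:21:03:07.81075] 0000f090 039f8700 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'Node1_AppClusterMember1' on host 'nemdemo.uk.ibm.com:9443'; will try another one
'''

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<pid>\w+) (?P<tid>\w+) - (?P<level>\w+): (?P<msg>.*)$")
GSK = re.compile(r"r_gsk_secure_soc_init: (\w+)\(gsk rc = (\d+)\)")
TARGET = re.compile(r"to '([^']+)' on host '([^']+)'")

def strict_security_enabled(cfg_bytes):
    """True only if the root <Config> element carries StrictSecurity="true"."""
    root = ET.fromstring(cfg_bytes)
    if root.tag != "Config":
        raise ValueError("not a plugin-cfg.xml: root element is <%s>" % root.tag)
    # Assumption: a missing attribute is treated the same as "false".
    return root.get("StrictSecurity", "false").lower() == "true"

def handshake_failures(log_text):
    """Pair each GSKit handshake error with the back end the same thread was trying."""
    pending, failures = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m["pid"], m["tid"])  # the two hex IDs after the timestamp
        gsk = GSK.search(m["msg"])
        target = TARGET.search(m["msg"])
        if gsk:
            rec = {"time": m["ts"], "error": gsk[1], "rc": int(gsk[2]), "server": None, "host": None}
            pending[key] = rec
            failures.append(rec)
        elif target and key in pending:
            rec = pending.pop(key)
            rec["server"], rec["host"] = target[1], target[2]
    return failures

if __name__ == "__main__":
    print("StrictSecurity enabled:", strict_security_enabled(SAMPLE_CFG))
    for f in handshake_failures(SAMPLE_LOG):
        print(f)
```

Against a live system, pass the bytes of the real plugin-cfg.xml and the text of http_plugin.log instead of the samples. Running the config check after each generate / propagate shows whether the setting came from the cell configuration or was only a hand edit that has since been overwritten.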

3 comments:

Leandro said...

Hi Dave,

I'm facing the same issue. But I didn't manage to run the commands to set the custom property.
I changed manually the plugin-cfg.xml file, and the applications are working. But when I generate and propagate plugin the config is deleted.
I tried to set the custom property straight on WebSphere console and the problem still happens.
Can you give me a hand on how to write the command?

I run like below:
AdminConfig.create('Property', '(cells/'+cellID+'/nodes/Nodename/servers/webserver1|server.xml#PluginProperties_1447187986151)', '[[validationExpression ""] [name "StrictSecurity"] [description ""] [value "true"] [required "false"]]')

And this error is shown:
wsadmin>AdminConfig.create('Property', '(cells/'+cellID+'/nodes/c25a0532/servers/webserver1|server.xml#PluginProperties_1447187986151)', '[[validationExpression ""] [name "StrictSecurity"] [description ""] [value "true"] [required "false"]]')
WASX7015E: Exception running command: "AdminConfig.create('Property', '(cells/'+cellID+'/nodes/c25a0532/servers/webserver1|server.xml#PluginProperties_1447187986151)', '[[validationExpression ""] [name "StrictSecurity"] [description ""] [value "true"] [required "false"]]')"; exception information:
com.ibm.bsf.BSFException: error while eval'ing Jacl expression:
invalid command name "validationExpression"
while executing
"validationExpression """
invoked from within
"[validationExpression ""] [name "StrictSecurity"] [description ""] [value "true"] [required "false""
invoked from within
"AdminConfig.create('Property', '(cells/'+cellID+'/nodes/c25a0532/servers/webserver1|server.xml#PluginProperties_1447187986151)', '[[validationExpressi..."

Thanks in advance

Dave Hay said...

Hi Leandro

Thanks for the comment.

The command is written in Jython, so requires you to specify -lang jython when you start the WSAdmin client.

As an example, you could write this: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython

Once you've done this, and successfully connected ( having authenticated to the DM ), you'll need to set a variable called cellID as follows: -

cellID=AdminControl.getCell()

before issuing the AdminConfig.create Jython command.

Hope this helps.

Dave

Leandro said...

Hi Dave

Thanks for your help!
It helped to migrate my server to TLS properly.

Regards,
Leandro