Tuesday 10 November 2015

IBM HTTP Server / IBM WebSphere Plugin - Using Transport Layer (TLS) 1.2

The last blog post for today, I promise.

I was seeing this: -

[10/Nov/2015:20:58:15.05163] 0000f090 061fc700 - PLUGIN: ws_common: websphereShouldHandleRequest: Config was successfully reloaded
[10/Nov/2015:20:58:16.28930] 0000f75e 07fff700 - PLUGIN: ws_common: websphereShouldHandleRequest: Config was successfully reloaded
[10/Nov/2015:21:03:07.80560] 0000f090 039f8700 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_SOCKET_CLOSED(gsk rc = 420) PARTNER CERTIFICATE DN=No Information Available, Serial=No Information Available
[10/Nov/2015:21:03:07.81064] 0000f090 039f8700 - ERROR: ws_common: websphereGetStream: Could not open stream
[10/Nov/2015:21:03:07.81073] 0000f090 039f8700 - ERROR: ws_common: websphereExecute: Failed to create the stream
[10/Nov/2015:21:03:07.81075] 0000f090 039f8700 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'Node1_AppClusterMember1' on host 'nemdemo.uk.ibm.com:9443'; will try another one
[10/Nov/2015:21:03:07.81076] 0000f090 039f8700 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find an app server to handle this request 
[10/Nov/2015:21:03:07.81098] 0000f090 039f8700 - ERROR: ESI: getResponse: failed to get response: rc = 2
[10/Nov/2015:21:03:07.81115] 0000f090 039f8700 - ERROR: ws_common: websphereHandleRequest: Failed to handle request
[10/Nov/2015:21:03:52.12777] 0000fa1c 7395a700 - PLUGIN: Plugins loaded.


when attempting to connect to IBM BPM's Process Center URL via IBM HTTP Server / WebSphere Plugin, where I'm using Transport Layer Security (TLS) 1.2 between the Plugin and WAS.

This IBM APAR helped: -


which mentioned: -

A property was added to allow plugin to enable security compatible with the application server strict server setting.
To enable this property, set StrictSecurity=true on the webserver-><servername>->Plug-in properties->Customer Properties window.

Thus I changed the plugin configuration file: -

vi /opt/ibm/WebSphere/Plugins/config/webserver1/plugin-cfg.xml

Change from: -

<?xml version="1.0" encoding="ISO-8859-1"?><!--HTTP server plugin config file for the webserver PCCell1.Node1.webserver1 generated on 2015.11.10 at 08:45:54 PM GMT-->
<Config ASDisableNagle="false" AcceptAllContent="true" AppServerPortPreference="HostHeader" ChunkedResponse="false" FIPSEnable="false" FailoverToNext="false" HTTPMaxHeaders="300" IISDisableFlushFlag="false" IISDisableNagle="false" IISPluginPriority="High" IgnoreDNSFailures="false" KillWebServerStartUpOnParseErr="false" MarkBusyDown="false" OS400ConvertQueryStringToJobCCSID="false" RefreshInterval="60" ResponseChunkSize="64" SSLConsolidate="true" StrictSecurity="false" TrustedProxyEnable="false" VHostMatchingCompat="false">
   <Log LogLevel="Error" Name="/opt/ibm/WebSphere/Plugins/logs/webserver1/http_plugin.log"/>


to: -

<?xml version="1.0" encoding="ISO-8859-1"?><!--HTTP server plugin config file for the webserver PCCell1.Node1.webserver1 generated on 2015.11.10 at 08:45:54 PM GMT-->
<Config ASDisableNagle="false" AcceptAllContent="true" AppServerPortPreference="HostHeader" ChunkedResponse="false" FIPSEnable="false" FailoverToNext="false" HTTPMaxHeaders="300" IISDisableFlushFlag="false" IISDisableNagle="false" IISPluginPriority="High" IgnoreDNSFailures="false" KillWebServerStartUpOnParseErr="false" MarkBusyDown="false" OS400ConvertQueryStringToJobCCSID="false" RefreshInterval="60" ResponseChunkSize="64" SSLConsolidate="true" StrictSecurity="true" TrustedProxyEnable="false" VHostMatchingCompat="false">
   <Log LogLevel="Error" Name="/opt/ibm/WebSphere/Plugins/logs/webserver1/http_plugin.log"/>

and restarted IHS.

Once done, it worked like a treat.

I do, of course, need to make the same change within the WAS cell, and then regenerate / propagate the Plugin Configuration.

However, that's tomorrow's job :-)

*UPDATE*

This is the Jython that I used to set the StrictSecurity property to true : -


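cellID = AdminControl.getCell()  # cell name used to build the config ID below
AdminConfig.create('Property', '(cells/'+cellID+'/nodes/Node1/servers/webserver1|server.xml#PluginProperties_1447187986151)', '[[validationExpression ""] [name "StrictSecurity"] [description ""] [value "true"] [required "false"]]')
AdminConfig.save()  # persist the workspace change to the master configuration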

*UPDATE*

Having done this, I simply generated/propagated the Plugin configuration: -


AdminControl.invoke('WebSphere:name=PluginCfgGenerator,process=dmgr,platform=common,node=Dmgr,version=8.5.5.4,type=PluginCfgGenerator,mbeanIdentifier=PluginCfgGenerator,cell='+cellID+',spec=1.0', 'generate', '[/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/config '+cellID+' Node1 webserver1 false]', '[java.lang.String java.lang.String java.lang.String java.lang.String java.lang.Boolean]')

AdminControl.invoke('WebSphere:name=PluginCfgGenerator,process=dmgr,platform=common,node=Dmgr,version=8.5.5.4,type=PluginCfgGenerator,mbeanIdentifier=PluginCfgGenerator,cell='+cellID+',spec=1.0', 'propagate', '[/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/config '+cellID+' Node1 webserver1]', '[java.lang.String java.lang.String java.lang.String java.lang.String]')

and we're good to go.
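
Added example, not part of the original post or IBM's tooling: a Python check that reads plugin-cfg.xml for the StrictSecurity flag and pairs each r_gsk_secure_soc_init error in http_plugin.log with the backend it was raised for, which is useful after a regenerate/propagate. The sample config, log lines, host and member names are constructed, and treating a missing attribute as false is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the post's excerpts; member and host are placeholders.
SAMPLE_CFG = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<Config FIPSEnable="false" RefreshInterval="60" StrictSecurity="false">
   <Log LogLevel="Error" Name="/opt/ibm/WebSphere/Plugins/logs/webserver1/http_plugin.log"/>
</Config>"""
SAMPLE_LOG = """\
[10/Nov/2015:21:03:07.80560] 0000f090 039f8700 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_SOCKET_CLOSED(gsk rc = 420) PARTNER CERTIFICATE DN=No Information Available, Serial=No Information Available
[10/Nov/2015:21:03:07.81064] 0000f090 039f8700 - ERROR: ws_common: websphereGetStream: Could not open stream
[10/Nov/2015:21:03:07.81075] 0000f090 039f8700 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'Member1' on host 'was.example.test:9443'; will try another one
"""

LINE = re.compile(r"\[(?P<ts>[^\]]+)\] \w{8} (?P<tid>\w{8}) - \w+: (?P<msg>.*)")
GSK = re.compile(r"r_gsk_secure_soc_init: (?P<error>\w+)\(gsk rc = (?P<rc>\d+)\)")
TARGET = re.compile(r"Failed to execute the transaction to '(?P<member>[^']+)' on host '(?P<host>[^']+)'")

def strict_security(cfg_bytes):
    """True if the <Config> root of plugin-cfg.xml carries StrictSecurity="true"."""
    root = ET.fromstring(cfg_bytes)
    if root.tag != "Config":
        raise ValueError("not a plugin-cfg.xml document")
    # Assumption: an absent attribute is treated the same as "false".
    return root.get("StrictSecurity", "false").lower() == "true"

def handshake_failures(log_text):
    """Pair each GSKit handshake error with the backend named later on the same thread."""
    pending, found = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        gsk, target = GSK.search(m["msg"]), TARGET.search(m["msg"])
        if gsk:
            pending[m["tid"]] = {"ts": m["ts"], "error": gsk["error"], "rc": int(gsk["rc"])}
        elif target and m["tid"] in pending:
            found.append(dict(pending.pop(m["tid"]), member=target["member"], host=target["host"]))
    return found

def diagnose(cfg_bytes, log_text):
    """Flag the post's symptom: rc 420 handshake failures while StrictSecurity is off."""
    hosts = sorted({f["host"] for f in handshake_failures(log_text) if f["rc"] == 420})
    strict = strict_security(cfg_bytes)
    return {"strict_security": strict, "rc420_hosts": hosts,
            "matches_post_symptom": bool(hosts) and not strict}

if __name__ == "__main__":
    print(diagnose(SAMPLE_CFG, SAMPLE_LOG))
```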

7 comments:

Leandro said...

Hi Dave,

I'm facing the same issue. But I didn't manage to run the commands to set the custom property.
I manually changed the plugin-cfg.xml file, and the applications are working. But when I generate and propagate the plugin, the config is deleted.
I tried to set the custom property straight on the WebSphere console and the problem still happens.
Can you give me a hand on how to write the command?

I run like below:
AdminConfig.create('Property', '(cells/'+cellID+'/nodes/Nodename/servers/webserver1|server.xml#PluginProperties_1447187986151)', '[[validationExpression ""] [name "StrictSecurity"] [description ""] [value "true"] [required "false"]]')

And this error is shown:
wsadmin>AdminConfig.create('Property', '(cells/'+cellID+'/nodes/c25a0532/servers/webserver1|server.xml#PluginProperties_1447187986151)', '[[validationExpression ""] [name "StrictSecurity"] [description ""] [value "true"] [required "false"]]')
WASX7015E: Exception running command: "AdminConfig.create('Property', '(cells/'+cellID+'/nodes/c25a0532/servers/webserver1|server.xml#PluginProperties_1447187986151)', '[[validationExpression ""] [name "StrictSecurity"] [description ""] [value "true"] [required "false"]]')"; exception information:
com.ibm.bsf.BSFException: error while eval'ing Jacl expression:
invalid command name "validationExpression"
while executing
"validationExpression """
invoked from within
"[validationExpression ""] [name "StrictSecurity"] [description ""] [value "true"] [required "false""
invoked from within
"AdminConfig.create('Property', '(cells/'+cellID+'/nodes/c25a0532/servers/webserver1|server.xml#PluginProperties_1447187986151)', '[[validationExpressi..."

Thanks in advance

Dave Hay said...

Hi Leandro

Thanks for the comment.

The command is written in Jython, so requires you to specify -lang jython when you start the WSAdmin client.

As an example, you could write this: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython

Once you've done this, and successfully connected ( having authenticated to the DM ), you'll need to set a variable called cellID as follows: -

cellID=AdminControl.getCell()

before issuing the AdminConfig.create Jython command.

Hope this helps.

Dave

Leandro said...

Hi Dave

Thanks for your help!
It helped to migrate my server to TLS properly.

Regards,
Leandro

Gandhi said...

I am also getting the same error after changing the ownership to wasadmin. Services are up, but I am getting an internal server error and the same error which you provided above in http.plugin.log.
But the same services are running fine as the root user.
I am only getting the error while starting services as the wasadmin user.
Please suggest an exact solution, because I need the services running as the wasadmin user.

Dave Hay said...

Hey Gandhi

To be fair, I did write this post in 2015, and haven't actively worked with WAS/IHS since ~2018 or thereabouts.

The problem is almost certainly going to be permissions-related - please check your logs, and the file/directory permissions using commands such as ls -al etc.

If needed, please raise a support case with IBM.

Cheers, Dave

Gandhi said...

Thanks Dave. Permissions are all checked and the application is up in the backend, but there is a problem while hitting the URL: I get an internal server error.
Anyhow, thanks for the reply.

Dave Hay said...

Internal Server Error e.g. HTTP500 etc. may well come from the upstream WebSphere Application Server (WAS) app.

TL;DR; definitely check the "plumbing" between IHS and the Plugin and WAS, perhaps adding some debug etc.
