Friday, 29 January 2016

DB2 ate my database, well, actually it was the disk monster

I saw this today: -

[29/01/16 18:51:34:031 GMT] 00000001 WSRdbDataSour I   DSRA8208I: JDBC driver type  : 4
[29/01/16 18:51:34:047 GMT] 00000001 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on C:\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\ffdc\server1_b282bac_16.01.29_18.51.34.0471036725969790999288.txt com.ibm.bpm.migration.database.ValidateDatabaseVersion.verifyStandardDB 102
[29/01/16 18:51:34:047 GMT] 00000001 WsServerImpl  E   WSVR0009E: Error occurred during startup
com.ibm.ws.exception.RuntimeError: Failed to query the BPM version from database [jdbc/PerformanceDB]. Please check the ffdc log for detail information. 
For fresh installation scenario, please run the database initialization scripts under the corresponding database schema first; for upgrade or migration scenario, please upgrade your database to match with current product version first.

during the startup of a standalone IBM BPM Advanced 8.5.6 environment.

I'd just built the environment, as part of a setup of an IBM Integration Designer (IID) development environment.

Thankfully it didn't take me long to work out what had gone wrong ….

During the build of the DB2 databases, my Windows VM had run out of disk space; apparently 40 GB isn't enough :-) Mind you, I've also got IBM Operational Decision Manager installed, as I've been learning how to write Hello World, the ODM Rule ( that's another post for another day ).

Once I increased disk space ( thanks, VMware Fusion ) to 60 GB, and restarted Windows, I dropped the PDWDB database: -

db2 drop db PDWDB

and then recreated it: -

cd c:\Program Files (x86)\IBM\WebSphere\AppServer\profiles\AppSrv01\dbscripts\ProcessServer\DB2\PDWDB
createDatabase.bat
db2 connect to pdwdb
db2 -tvf createSchema_Advanced.sql
db2 terminate


I then restarted the Deployment Environment: -

"c:\Program Files (x86)\IBM\WebSphere\AppServer\bin\BPMConfig.bat" -start -de ProcessServer -profileName AppSrv01

and we're all good now.

Right, time to test Hello World, the SCA Module :-)

Thursday, 14 January 2016

WebSphere Liberty Profile - Tinkering with SSL TLS

I went through this process last evening, and thought that sharing it MIGHT be of interest :-)

Check What's Installed

/opt/IBM/InstallationManager/eclipse/tools/imcl listInstalledPackages

com.ibm.cic.agent_1.8.2000.20150303_1526
com.ibm.websphere.liberty.v85_8.5.5000.20130514_1313

Create a WLP Server

/opt/IBM/WebSphere/Liberty/bin/server create davehay

Server davehay created.

Create an SSL Keystore and Self-Signed Certificate

/opt/IBM/WebSphere/Liberty/bin/securityUtility createSSLCertificate --server=davehay --password=passw0rd --validity=365

Creating keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks

Created SSL certificate for server davehay

Add the following lines to the server.xml to enable SSL:

    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />

Add SSL support to Server Configuration

vi /opt/IBM/WebSphere/Liberty/usr/servers/davehay/server.xml 

Append: -

    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />

Update Server Configuration to reflect hostname

vi /opt/IBM/WebSphere/Liberty/usr/servers/davehay/server.xml 

Change: -

    <httpEndpoint id="defaultHttpEndpoint"
                  host="localhost"
                  httpPort="9080"
                  httpsPort="9443" />

to: -

    <httpEndpoint id="defaultHttpEndpoint"
                  host="mta2015a.uk.ibm.com"
                  httpPort="9080"
                  httpsPort="9443" />

Start WLP Server

/opt/IBM/WebSphere/Liberty/bin/server start davehay

Starting server davehay.
Server davehay started with process ID 3962.

Test Connectivity ( via HTTP )

From Linux


--2016-01-13 19:22:37--  http://mta2015a.uk.ibm.com:9080/
Resolving mta2015a.uk.ibm.com... 192.168.153.128
Connecting to mta2015a.uk.ibm.com|192.168.153.128|:9080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4725 (4.6K)
Saving to: `index.html'

100%[==================================================================================================================================================================>] 4,725       --.-K/s   in 0s      

2016-01-13 19:22:37 (625 MB/s) - `index.html' saved [4725/4725]

wget --no-check-certificate https://mta2015a.uk.ibm.com:9443/

--2016-01-13 19:24:54--  https://mta2015a.uk.ibm.com:9443/
Resolving mta2015a.uk.ibm.com... 192.168.153.128
Connecting to mta2015a.uk.ibm.com|192.168.153.128|:9443... connected.
WARNING: cannot verify mta2015a.uk.ibm.com's certificate, issued by `/C=us/O=ibm/OU=davehay/CN=localhost':
  Self-signed certificate encountered.
    WARNING: certificate common name `localhost' doesn't match requested host name `mta2015a.uk.ibm.com'.
HTTP request sent, awaiting response... 200 OK
Length: 4725 (4.6K)
Saving to: `index.html.2'

100%[==================================================================================================================================================================>] 4,725       --.-K/s   in 0s      

2016-01-13 19:24:54 (1.01 GB/s) - `index.html.2' saved [4725/4725]

List Content of Keystore

keytool -list -v -keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -storepass passw0rd

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: default
Creation date: 13-Jan-2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=davehay, O=ibm, C=us
Issuer: CN=localhost, OU=davehay, O=ibm, C=us
Serial number: 3559914d
Valid from: Wed Jan 13 19:06:46 GMT 2016 until: Thu Jan 12 19:06:46 GMT 2017
Certificate fingerprints:
MD5:  6D:26:90:BA:50:1C:3B:8B:28:73:C0:68:F0:16:AA:13
SHA1: 41:75:D6:93:20:BA:10:EB:F3:FE:B9:20:91:48:45:BC:8D:50:3E:FA
SHA256: FA:94:A3:3A:55:99:2F:80:98:85:A1:09:C8:F8:6F:BC:C1:5A:7D:C2:53:03:C4:4F:9D:A1:2E:D9:6B:3D:36:2D
Signature algorithm name: SHA1withRSA
Version: 3

Create New Self-Signed Certificate

/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -genkey -alias selfsigned -keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -storepass passw0rd -validity 360 -keysize 2048 -dname CN=mta2015a.uk.ibm.com,DC=UK,DC=IBM,DC=COM -sigAlg SHA256withRSA -keyAlg RSA

List Content of Keystore

keytool -list -v -keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -storepass passw0rd

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: default
Creation date: 13-Jan-2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=davehay, O=ibm, C=us
Issuer: CN=localhost, OU=davehay, O=ibm, C=us
Serial number: 3559914d
Valid from: Wed Jan 13 19:06:46 GMT 2016 until: Thu Jan 12 19:06:46 GMT 2017
Certificate fingerprints:
MD5:  6D:26:90:BA:50:1C:3B:8B:28:73:C0:68:F0:16:AA:13
SHA1: 41:75:D6:93:20:BA:10:EB:F3:FE:B9:20:91:48:45:BC:8D:50:3E:FA
SHA256: FA:94:A3:3A:55:99:2F:80:98:85:A1:09:C8:F8:6F:BC:C1:5A:7D:C2:53:03:C4:4F:9D:A1:2E:D9:6B:3D:36:2D
Signature algorithm name: SHA1withRSA
Version: 3
Alias name: selfsigned
Creation date: 13-Jan-2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=mta2015a.uk.ibm.com, DC=UK, DC=IBM, DC=COM
Issuer: CN=mta2015a.uk.ibm.com, DC=UK, DC=IBM, DC=COM
Serial number: 5696bab3
Valid from: Wed Jan 13 20:59:31 GMT 2016 until: Sat Jan 07 20:59:31 GMT 2017
Certificate fingerprints:
MD5:  B4:9C:EC:1F:D3:82:88:5F:33:CB:26:63:A8:7F:65:4E
SHA1: 7C:21:43:87:32:3F:66:FE:E4:CA:06:7D:50:C6:F5:91:A4:41:02:40
SHA256: C5:0B:93:B1:64:F1:13:C2:A6:D7:9E:95:88:FE:80:7F:1F:8F:F5:3A:10:BE:93:0F:9C:9C:21:05:D0:06:70:FA
Signature algorithm name: SHA256withRSA
Version: 3

/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -pw passw0rd

Certificates in database /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks:
   default
   selfsigned

Update Server Configuration to reflect new certificate

vi /opt/IBM/WebSphere/Liberty/usr/servers/davehay/server.xml 

Add/amend: -

    <sslDefault sslRef="defaultSSLSettings" />
    <ssl id="defaultSSLSettings"
         keyStoreRef="defaultKeyStore"
         serverKeyAlias="selfsigned" />
    <keyStore id="defaultKeyStore"
              location="key.jks"
              type="jks"
              password="passw0rd" />
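
The keystore password appears in server.xml above in two forms, {xor}-encoded and in clear text. The following added example (not from the original post or from IBM) audits a server.xml for both and shows that the {xor} form is reversible; the sample XML is constructed from the snippets on this page, and the {aes} value and the ids plainKeyStore and aesKeyStore are made-up placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the two keyStore forms shown on this page, plus an
# {aes} entry whose value and id are placeholders.
SAMPLE_SERVER_XML = """<server>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />
    <keyStore id="plainKeyStore" location="key.jks" type="jks" password="passw0rd" />
    <keyStore id="aesKeyStore" password="{aes}PLACEHOLDER" />
</server>"""

XOR_KEY = 0x5F  # '_': the fixed byte used by the {xor} encoding


def xor_decode(value):
    """Reverse a {xor} value: base64-decode, then XOR each byte with '_'."""
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def classify(value):
    """Return (scheme, note) for one password attribute value."""
    if value.startswith("{xor}"):
        return "xor", "obfuscated only; readable by anyone who can read the file"
    if value.startswith("{aes}"):
        return "aes", "encrypted; strength depends on the encryption key in use"
    if value.startswith("{hash}"):
        return "hash", "one-way; cannot be used where the server needs the password"
    return "plain", "stored in clear text"


def audit_server_xml(xml_text):
    """List every element carrying a password attribute, with its scheme."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        value = elem.get("password")
        if value is not None:
            scheme, note = classify(value)
            findings.append((elem.tag, elem.get("id"), scheme, note))
    return findings


if __name__ == "__main__":
    for tag, ident, scheme, note in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"{tag} id={ident}: {scheme} - {note}")
    # The {xor} value from this page decodes to the --password given earlier.
    print(xor_decode("{xor}Lz4sLChvLTs="))
```
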

Stop WLP Server

/opt/IBM/WebSphere/Liberty/bin/server stop davehay

Stopping server davehay.
Server davehay stopped.

Start WLP Server

/opt/IBM/WebSphere/Liberty/bin/server start davehay

Starting server davehay.
Server davehay started with process ID 16945.

Test Connectivity ( via HTTPS )

From Linux

wget --no-check-certificate https://mta2015a.uk.ibm.com:9443/

--2016-01-13 20:51:53--  https://mta2015a.uk.ibm.com:9443/
Resolving mta2015a.uk.ibm.com... 192.168.153.128
Connecting to mta2015a.uk.ibm.com|192.168.153.128|:9443... connected.
WARNING: cannot verify mta2015a.uk.ibm.com's certificate, issued by `/DC=COM/DC=IBM/DC=UK/CN=mta2015a.uk.ibm.com':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 4725 (4.6K)
Saving to: `index.html.5'

100%[==================================================================================================================================================================>] 4,725       --.-K/s   in 0s      

2016-01-13 20:51:53 (416 MB/s) - `index.html.5' saved [4725/4725]

Inspect Self-Signed Certificate

openssl s_client -showcerts -connect mta2015a.uk.ibm.com:9443 </dev/null

Server certificate
subject=/DC=COM/DC=IBM/DC=UK/CN=mta2015a.uk.ibm.com
issuer=/DC=COM/DC=IBM/DC=UK/CN=mta2015a.uk.ibm.com
---
No client certificate CA names sent
Server Temp Key: DH, 768 bits
---
SSL handshake has read 1573 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA256
    Session-ID: 5696BB3015905180F9175410E9B677F5F5F4B7BC7C7A4C0B3BA986AD0D48BD23
    Session-ID-ctx: 
    Master-Key: 06A29B8AAFC260B798511B29AAA52D3E876E75B897444E146DFA3DC5E50F4D29382E5E26E4EC8E5221E31084DA2B2F03
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1452718896
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
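
The s_client transcript above shows a self-signed certificate, a 768-bit ephemeral DH key and verify return code 18. The following added example (not part of the original post) turns those lines into findings; the sample is an excerpt of the output above, and the 2048-bit floors and the function names are assumptions.

```python
import re

# Excerpt of the s_client output shown on this page.
SAMPLE_OUTPUT = """\
subject=/DC=COM/DC=IBM/DC=UK/CN=mta2015a.uk.ibm.com
issuer=/DC=COM/DC=IBM/DC=UK/CN=mta2015a.uk.ibm.com
Server Temp Key: DH, 768 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA256
Server public key is 2048 bit
    Protocol  : TLSv1.2
    Verify return code: 18 (self signed certificate)
"""

MIN_DH_BITS = 2048   # assumption: policy floor for finite-field DH
MIN_KEY_BITS = 2048  # assumption: policy floor for the server public key


def _find(pattern, text):
    """Return the capture groups of the first match, or None."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.groups() if m else None


def review_s_client(text, expected_host):
    """Return a list of (check, detail) findings for one s_client transcript."""
    findings = []
    subject = _find(r"^subject=(.*)$", text)
    issuer = _find(r"^issuer=(.*)$", text)
    if subject and issuer and subject == issuer:
        findings.append(("self-signed", subject[0]))
    if subject:
        # Same CN comparison that wget warned about earlier on this page.
        cn = re.search(r"CN\s*=\s*([^/,\s]+)", subject[0])
        if not cn or cn.group(1).lower() != expected_host.lower():
            findings.append(("name-mismatch", subject[0]))
    temp = _find(r"^Server Temp Key: (\w+), (\d+) bits", text)
    if temp and temp[0] == "DH" and int(temp[1]) < MIN_DH_BITS:
        findings.append(("weak-dh", f"{temp[1]}-bit ephemeral DH key"))
    key = _find(r"^Server public key is (\d+) bit", text)
    if key and int(key[0]) < MIN_KEY_BITS:
        findings.append(("weak-key", f"{key[0]}-bit server key"))
    verify = _find(r"Verify return code: (\d+) \((.*)\)", text)
    if verify and verify[0] != "0":
        findings.append(("verify-failed", f"{verify[0]} ({verify[1]})"))
    return findings


if __name__ == "__main__":
    for check, detail in review_s_client(SAMPLE_OUTPUT, "mta2015a.uk.ibm.com"):
        print(f"{check}: {detail}")
```
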

Friday, 8 January 2016

IBM ODM Rules - "Scope reference is invalid"

I saw this today: -

whilst trying to deploy my HelloWorld Rules application ( RulesApp ) from Decision Center to Decision Server ( both on 8.5.1.2 ).

I also noticed that my project, as imported from a .ZIP file into Decision Center, was missing the Business Rules ( of which I only have one, Hello World !! ): -


I spoke to one of my colleagues, an ODM Rules Jedi Master, who suggested that the problem might be with locale.

As soon as he said that, I remembered how this goes - 'cos I have seen this before, albeit from the other side.

When one first installs a Decision Center, the default locale is en_US aka English (United States), and it's common for this NOT to be changed.

However, if one uses Rule Designer on, say, a Windows desktop that's set to default to English (United Kingdom), then all Rule applications are automatically created with the en_GB locale.

Whilst I know that this can be changed via the Installation Settings Wizard ( either post-installation or via the Configure tab ) : -



it DOES require the Decision Center repository to be EMPTY i.e. containing NO projects.

Given that my client already had several projects deployed, that wasn't an option, leastways in the short term.

Jedi Master Jonathon then explained how I could work around the problem, from the other side - Rule Designer.

Option one - do it properly

Read the IBM Knowledge Centre - Opening Rule Designer in a specific locale - which describes how to add the following parameter : -

osgi.nl=en_US

to: -

C:\IBM\ODM87\configuration\config.ini

Option two - do it hackily

Manually edit the Rule(s)

vi HelloWorld.brl

and change from: -

  <name>HelloWorld</name>
  <uuid>1254da3e-6164-4ff8-8bbe-1cbe49fd715a</uuid>
  <locale>en_GB</locale>
  <definition><![CDATA[definitions
        set 'the message' to "Hello " + 'the request' ;
then
    set 'the response' to 'the message' ;
    print 'the message' ;
    ]]></definition>


to: -

  <name>HelloWorld</name>
  <uuid>1254da3e-6164-4ff8-8bbe-1cbe49fd715a</uuid>
  <locale>en_US</locale>
  <definition><![CDATA[definitions
        set 'the message' to "Hello " + 'the request' ;
then
    set 'the response' to 'the message' ;
    print 'the message' ;
    ]]></definition>


before re-importing the project into Decision Center.

I chose Option 2 in the short-term, but wouldn't, of course, recommend that to anyone else :-)

For the record, the Diagnostics page within Decision Center also highlighted the locale issue: -


In other words, my Ruleflow was using en_GB whereas the Wizard showed me that Decision Center was using en_US.

CRIMA1174E ERROR There is already a package installed

I saw this one today: -

CRIMA1154E ERROR: Error installing.

  CRIMA1174E ERROR:   There is already a package installed at "/opt/IBM/ODM851" in the "Operational Decision Manager" package group.  The installation directory for the new "Operational Decision Manager V8.5.1" package group must not be the same as a previously used installation directory.

  CRIMA1174E ERROR:   There is already a package installed at "/opt/IBM/ODM851" in the "Operational Decision Manager" package group.  The installation directory for the new "Operational Decision Manager V8.5.1" package group must not be the same as a previously used installation directory.


whilst trying to update IBM Operational Decision Manager Rules from 8.5.1.0 to 8.5.1.2 

This came as a surprise, as I'd run through this process on my own environment a number of times, and was re-using a response file that I'd prepared earlier.

I fired up the IBM Installation Manager command line tool: -

/opt/IBM/InstallationManager/eclipse/tools/imcl -c

=====> IBM Installation Manager

Select:
     1. Install - Install software packages
     2. Update - Find and install updates and fixes to installed software packages
     3. Modify - Change installed software packages
     4. Roll Back - Revert to an earlier version of installed software packages
     5. Uninstall - Remove installed software packages

Other Options:
     L. View Logs
     S. View Installation History
     V. View Installed Packages
        ------------------------
     P. Preferences
        ------------------------
     A. About IBM Installation Manager
        ------------------------
     X. Exit Installation Manager

----->

and chose V. View Installed Packages : -

=====> IBM Installation Manager> Installed Packages

View the following installed packages and fixes. Enter the number to see the details of a package group, package, or fix.
     1-. IBM WebSphere Application Server V8.5
       2. IBM WebSphere Application Server Network Deployment 8.5.5.0
     3-. Operational Decision Manager
       4. Decision Center 8.5.1000.20131113_1624
       5. Decision Server 8.5.1000.20131113_1713
       6. Profile templates for WebSphere Application Server 8.5.1.0

Other Options:
     O. OK

-----> [O] 


and realised where I was going wrong.

I had ODM installed in the package group Operational Decision Manager whereas my response file ( created on a different system ) had: -

  <profile id='Operational Decision Manager V8.5.1' installLocation='/opt/IBM/ODM851'>
    <data key='eclipseLocation' value='/opt/IBM/ODM851'/>
    <data key='user.import.profile' value='false'/>
    <data key='cic.selector.os' value='linux'/>
    <data key='cic.selector.arch' value='x86_64'/>
    <data key='cic.selector.ws' value='gtk'/>
    <data key='user.wodm_express' value='false'/>
    <data key='cic.selector.nl' value='en'/>
    <data key='user.wodm_was_home' value='/opt/IBM/WebSphere/AppServer'/>
  </profile>
  <install modify='false'>
    <offering profile='Operational Decision Manager V8.5.1' id='com.ibm.websphere.odm.dc.v85' version='8.5.1002.20150119-1502' features='jdk,base,Decision Center' installFixes='none'/>
    <offering profile='Operational Decision Manager V8.5.1' id='com.ibm.websphere.odm.ds.v85' version='8.5.1002.20150119-1502' features='com.ibm.wds.jdk.feature,base,com.ibm.wds.rules.studio.feature,com.ibm.wds.rules.res.feature' installFixes='none'/>
  </install>


Once I changed the response file, all went well.

PS It's also worth noting that it's important to change the references to the Package Group THROUGHOUT the response file, or one ends up with a NEW copy of ODM installed under, say, /opt/IBM/ODM851_1 :-)


Thursday, 7 January 2016

CTGSK3039W Certificate request "ibmbpm.uk.ibm.com" could not be created.

I saw this earlier: -

CTGSK3039W Certificate request "ibmbpm.uk.ibm.com" could not be created.

when attempting to create a Certificate Request using the IBM Global Security Toolkit (GSK): -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname "ibmbpm.uk.ibm.com"

which took me a wee while to resolve.

Can you see what I did wrong ?

It took me a while - I had to compare my request with an existing certificate before I realised …..

I'd specified a Distinguished Name of: -

"CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK"

which breaks the X.500 standard i.e. I should have specified ST=Hampshire rather than S=Hampshire.

Thus it was a typo :-)

Once I changed my request: -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,ST=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname "ibmbpm.uk.ibm.com"

it worked like a dream / charm / treat.

For the record, here's the relevant excerpt from the appropriate RFC 2253: -


