Monday, 29 February 2016

WAS - Looking at Ciphers

I was interested in the list of SSL/TLS ciphers available, once I switched to TLS 1.2 and the unrestricted JRE ciphers.

This is how I can find out what WAS is offering: -

cellID = AdminControl.getCell()
print AdminTask.listSSLCiphers('[-sslConfigAliasName CellDefaultSSLSettings -scopeName (cell):'+cellID+' -securityLevel HIGH ]')


SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256


and: -

print AdminTask.listSSLCiphers('[-sslConfigAliasName CellDefaultSSLSettings -scopeName (cell):'+cellID+' -securityLevel CUSTOM]')

SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_DHE_DSS_WITH_RC4_128_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
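
As an added example (not part of the original post), the two listings above can be compared offline in standard Python 3, outside wsadmin, to show what CUSTOM offers beyond HIGH and which suites to keep out of a TLS 1.2 configuration. The reject patterns and the "preferred" rule are this example's own policy assumptions, not anything WAS defines.

```python
import re

# Suite names copied from the HIGH listing above.
HIGH_TEXT = """
SSL_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_AES_256_CBC_SHA256 SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256 SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_128_CBC_SHA256 SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
"""
# The CUSTOM listing above is the HIGH listing plus these seven suites.
CUSTOM_TEXT = HIGH_TEXT + """
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA SSL_DHE_DSS_WITH_RC4_128_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
"""

# Reject tier: labels and patterns are this example's own policy, not WAS's.
REJECT = [("export-grade", "_EXPORT_"), ("RC4", "_RC4_"),
          ("40-bit DES", "_DES40_"), ("3DES", "_3DES_")]

def parse(text):
    """Whitespace-split listSSLCiphers output, dropping repeats, keeping order."""
    return list(dict.fromkeys(text.split()))

def reasons(suite):
    """Labels of every reject-tier pattern found in the suite name."""
    return [label for label, pat in REJECT if pat in suite]

def rejected(text):
    """Map each suite that should be disabled to the reasons why."""
    return {s: reasons(s) for s in parse(text) if reasons(s)}

def added_by(base_text, other_text):
    """Suites present in other_text but not in base_text."""
    base = set(parse(base_text))
    return [s for s in parse(other_text) if s not in base]

def preferred(text):
    """Forward-secret AEAD suites: DHE key exchange with AES-GCM."""
    return [s for s in parse(text) if re.match(r"SSL_DHE_\w+_GCM_", s)]
```

Every suite that CUSTOM adds over HIGH falls in the reject tier, and HIGH itself still carries three 3DES suites.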


For the record, I'm using Java 1.6 ( aka Java 6 ): -

/opt/IBM/WebSphere/AppServer/java/jre/bin/java -fullversion

java full version "JRE 1.6.0 IBM Linux build pxa6460_26sr8fp7ifx-20150930_01 (SR8 FP7)"


For the record, I wrote about the unrestricted ciphers a while ago: -

IBM BPM and Java6

IBM BPM 8.5.5, on which we're currently deployed, only supports Java6, via the underlying WebSphere Application Server.

I wanted to see what specific version of Java we had ( with WAS ND 8.5.5.5 )

/opt/IBM/WebSphere/AppServer/java/bin/java -version

java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460_26sr8fp3-20141218_02(SR8 FP3))
IBM J9 VM (build 2.6, JRE 1.6.0 Linux amd64-64 Compressed References 20141211_226933 (JIT enabled, AOT enabled)
J9VM - R26_Java626_SR8_20141211_2359_B226933
JIT  - r11.b07_20141003_74578.05
GC   - R26_Java626_SR8_20141211_2359_B226933_CMPRSS
J9CL - 20141212_226933)
JCL  - 20141216_01


/opt/IBM/WebSphere/AppServer/java/bin/java -fullversion

java full version "JRE 1.6.0 IBM Linux build pxa6460_26sr8fp3-20141218_02 (SR8 FP3)"

I then upgraded WAS to 8.5.5.8 ( aka Fixpack 8 ), and now see: -

/opt/IBM/WebSphere/AppServer/java/jre/bin/java -version

java version "1.6.0"
Java(TM) SE Runtime Environment (build pxa6460_26sr8fp7ifix-20150930_01(SR8 FP7+IV77422+IV77423+IX90164))
IBM J9 VM (build 2.6, JRE 1.6.0 Linux amd64-64 Compressed References 20150701_255671 (JIT enabled, AOT enabled)
J9VM - R26_Java626_SR8_20150701_0100_B255671
JIT  - tr.r11_20150626_95120.01
GC   - R26_Java626_SR8_20150701_0100_B255671_CMPRSS
J9CL - 20150701_255671)
JCL  - 20150628_01


/opt/IBM/WebSphere/AppServer/java/jre/bin/java -fullversion

java full version "JRE 1.6.0 IBM Linux build pxa6460_26sr8fp7ifx-20150930_01 (SR8 FP7)"

which is nice.

For the record, SR8 FP7 equates to 6.0.1 Service Refresh 8 Fix Pack 7, as per this list: -



Friday, 26 February 2016

nmon on Linux - and Raspberry Pi

I saw this via Nigel Griffiths on Twitter: -

nmon for Linux - nmon is short for Nigel's performance Monitor for Linux on POWER, x86, x86_64, Mainframe & now ARM (Raspberry Pi)



Monday, 22 February 2016

Configure the IBM Process Federation Server to give your IBM BPM process users a single point of access

I found this whilst preparing a deck for #IBM #InterConnect : -


Learn how to install and configure the IBM® Process Federation Server to work with two back-end IBM Business Process Manager (BPM) systems. Give your IBM BPM process users a single point of access to all their tasks.

With the different development paths for Business Process Choreographer and Business Process Designer in IBM BPM, varied deployment environments, and coexistence of multiple product versions, the demand for one user interface for interacting with tasks related to both business process definitions (BPDs) and Business Process Execution Language (BPEL) is becoming more urgent.

With a single task list user interface, the users of your process applications can work on individual tasks, unaware of the different and complex back-end systems.

IBM Process Federation Server is based on the IBM WebSphere Application Server Liberty Profile server. It provides application programming interface (API) access to lists of resources that are federated across IBM BPM systems, such as the task list and launch list. It includes the distributed index for the federated environment that is based on an Elasticsearch service. The Elasticsearch service provides fast access to federated resources, and relieves federated IBM BPM systems from expensive queries.

Process Federation Server structure

Definitely worth a read …..

Friday, 19 February 2016

IBM BPM 8.5.7 Announced

IBM Business Process Manager (IBM BPM) V8.5.7 is an update to the comprehensive and consumable IBM BPM platform that provides visibility and management of your business processes. This release includes:

• New responsive and federated Process Portal that includes:
• New customization and configuration options
• Ability to launch external activities and Business Process Execution Language (BPEL) tasks
• Saved Search capability for individual business users and teams
• New responsive stock controls for mobile and desktop UI development that include the ability to transform Dojo-based stock controls into new responsive controls
• New and improved web-based editors in process designer
• Improved Client Side Human Service (CSHS) editor, which includes nested Client Side Human Services, and improved WYSIWYG coach editor with Grid Layout
• New Graphical Theme Editor for simplified coach and Process Portal styling capability
• Case capability as standard in all IBM BPM editions, which includes a converged Business Process Modeling Notation (BPMN) editor for process and case, unified playback, debugger and process inspector, and consistent use of OASIS Content Management Interoperability Services (CMIS)-compatible content repositories for process and case
• Essential operating environment updates to help enable your IT operations to keep your IBM BPM infrastructure current.

Wednesday, 17 February 2016

Develop Advanced Integration services for IBM Business Process Manager V8.5.6

As found by my IBM colleague, Tony Hickman

This tutorial explores the new option in IBM® Business Process Manager (BPM) Advanced V8.5.6 to create and deploy Advanced Integration services in a separate module managed outside of IBM Process Center. Learn how to implement Advanced Integration services and how to use them in a process or service created with IBM Process Designer.

Tuesday, 9 February 2016

More on CTGSK3039W Certificate request “ibmbpm.uk.ibm.com" could not be created.

Following on from an earlier post: -


I saw the same problem earlier today.

This time around, the problem was simpler to resolve.

I'd previously created a Certificate Request: -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname ihs1.uk.ibm.com,ihs1,ihs2.uk.ibm.com,ihs2

Alas, I had to re-run the Cert. Req. process because the first certificate had failed validation, within a browser ( IE 11 ), because I'd neglected to include the Service Name ( aka VIP ) in the Subject Alternate Name (SAN) field.

For the record, this tied up with an issue I saw last year: -


So I re-ran the Cert. Req. process

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname ihs1.uk.ibm.com,ihs1,ihs2.uk.ibm.com,ihs2,ibmbpm.uk.ibm.com

Alas, this failed: -

CTGSK3039W Certificate request "ibmbpm.uk.ibm.com" could not be created.

After some trial, a bit of error, and some success …. I found the solution.

The problem was that, whilst this was a newish Certificate Request ( I no longer had any Cert Reqs in the KDB ) : -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -stashed

No certificate requests were found

the label field used in the Certificate Request is more important than I'd realised.

In essence, the certificate that I added to the KDB as a result of the Cert. Req. was still in the KDB, with the same label - ibmbpm.uk.ibm.com.

I proved this by creating a Cert. Req. with a different label: -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com2 -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname ihs1.uk.ibm.com,ihs1,ihs2.uk.ibm.com,ihs2,ibmbpm.uk.ibm.com

Having realised this, I removed the certificate from the KDB, re-ran the Cert. Req. process using the original label, and we're all good to go.

Saturday, 6 February 2016

IBM BPM - Process Federation Server Tutorial

This on developerWorks: -


Learn how to install and configure the IBM® Process Federation Server to work with two back-end IBM Business Process Manager (BPM) systems. Give your IBM BPM process users a single point of access to all their tasks.

With the different development paths for Business Process Choreographer and Business Process Designer in IBM BPM, varied deployment environments, and coexistence of multiple product versions, the demand for one user interface for interacting with tasks related to both business process definitions (BPDs) and Business Process Execution Language (BPEL) is becoming more urgent.

With a single task list user interface, the users of your process applications can work on individual tasks, unaware of the different and complex back-end systems.

IBM Process Federation Server is based on the IBM WebSphere Application Server Liberty Profile server. It provides application programming interface (API) access to lists of resources that are federated across IBM BPM systems, such as the task list and launch list. It includes the distributed index for the federated environment that is based on an Elasticsearch service. The Elasticsearch service provides fast access to federated resources, and relieves federated IBM BPM systems from expensive queries.

Thursday, 4 February 2016

IBM BPM - General SSLEngine problem

I saw this earlier today: -

...
com.ibm.websphere.sca.ServiceRuntimeException: <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Fault><faultcode>soapenv:Server</faultcode><faultstring>javax.net.ssl.SSLHandshakeException: General SSLEngine problem</faultstring></soapenv:Fault></soapenv:Body>

whilst trying to test a newly created IBM BPM component.

I'm using IBM Integration Designer (IID), which has a built-in Integration Test Environment (ITE), which is really just a standalone, single server BPM Process Server.

My BPM component, an SCA module, makes a call to a Web Service hosted on a separate, external, IBM ODM Rules Decision Server ( aka Hosted Transparent Decision Service ) : -


Given that I was making a call from one WAS to another, I worked on the assumption that SSL was the problem - yes, the message does kinda imply that.

I proved this by updating the binding of the BPM SCA Import component from the HTTPS URL to: -


This, of course, worked, thus validating my hypothesis.

I then retrieved the SSL Signer Certificate that the ODM Decision Server presented into the WAS trust store: -

cellID=AdminControl.getCell() 
AdminTask.retrieveSignerFromPort('[-keyStoreName NodeDefaultTrustStore -keyStoreScope (cell):'+cellID+' -host odm851.uk.ibm.com -port 9444 -certificateAlias ODM -sslConfigScopeName (cell):'+cellID+' ]') 
AdminConfig.save() 
AdminNodeManagement.syncActiveNodes() 


and re-tried my BPM process.

This time, of course, it worked OK :-)

Easy when you know how :-)
