Sunday, 31 July 2016

Scripting the shell

One of my friends was looking for a mechanism to invoke a script as another user AND pass in a parameter.

Challenge, accepted :-)

Here's my script: -

/home/db2inst1/foobar.sh 

#!/bin/bash
# Print the user the script runs as, then the first argument it was given
echo "Hello World! from `whoami`"
echo "And today's special is " "$1" "!!! "
exit


and here's how I invoke it from another user ( root ): -

su - db2inst1 -c '/home/db2inst1/foobar.sh Fish'

Hello World! from db2inst1
And today's special is  Fish !!! 

su - db2inst1 -c "/home/db2inst1/foobar.sh Beef"

Hello World! from db2inst1
And today's special is  Beef !!! 


Bottom line, wrap the remote command in single or double quotes, with the parameter passed after the name of the script.
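Here's an added example ( mine, not from the post ) of why the quoting matters. su - user -c '...' hands the quoted string to the target user's login shell, which parses it all over again, so a parameter containing spaces ( or any shell metacharacter ) is re-interpreted on the far side. The example uses sh -c in place of su - db2inst1 -c, which behaves the same way for this purpose and needs no second account, and a constructed stand-in for foobar.sh; the positional-parameter form keeps the command string fixed and passes the value through untouched:

```sh
#!/bin/sh
# Added example, not from the post. `sh -c` stands in for `su - db2inst1 -c`
# (both hand the quoted string to a shell that parses it again), so the same
# quoting rules apply without needing a second account.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SCRIPT="$WORK/foobar.sh"

# Constructed stand-in for /home/db2inst1/foobar.sh: echoes its first argument.
cat > "$SCRIPT" <<'EOF'
#!/bin/sh
printf "And today's special is %s!!!\n" "$1"
EOF
chmod +x "$SCRIPT"

# Naive form: the parameter is spliced into the command string, exactly as in
# '/home/db2inst1/foobar.sh Fish'. Fine for one word; a value containing
# spaces is split into several arguments by the inner shell.
run_naive() {
    sh -c "$SCRIPT $1"
}

# Robust form: the command string never changes and the parameter is handed
# to the inner shell as a positional argument, which it forwards as "$1"
# without re-parsing or word splitting.
run_quoted() {
    sh -c '"$0" "$1"' "$SCRIPT" "$1"
}

run_naive  "Fish"             # And today's special is Fish!!!
run_naive  "Fish and Chips"   # And today's special is Fish!!!  (rest lost)
run_quoted "Fish and Chips"   # And today's special is Fish and Chips!!!
```

The same positional trick applies whenever a command string is handed to another shell: keep the string constant and let the value travel as an argument rather than as text to be parsed.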

IBM Operational Decision Manager Advanced 8.8.1 - My First Foray

I spent a few happy hours implementing ODM 8.8.1 on a Red Hat Linux VM yesterday, and have written up my notes below.

Bottom line, this is pretty similar to my experiences with earlier versions ( 8.5, 8.6, 8.7 etc. ) with one exception: -

- With 8.8.1, we've now split out the Rules Management Server onto a separate JVM, meaning that we potentially have two clusters and three servers

For this build, I've chosen to deploy Decision Center AND Decision Server; other options exist, of course

Hope this helps ….

Hostname


OS Users

wasadmin
db2inst1
db2user1

Detail

Switch to wasadmin user

su - wasadmin

Install ODM 8.8.1 binaries

/opt/IBM/InstallationManager/eclipse/tools/imcl -input installODM881.rsp -acceptLicense

Installed com.ibm.websphere.odm.dc.v88_8.8.1000.20160527_0751 to the /opt/IBM/ODM881 directory.
Installed com.ibm.websphere.odm.ds.rules.v88_8.8.1000.20160527_0819 to the /opt/IBM/ODM881 directory.
Installed com.ibm.websphere.odm.pt.dc.v88_8.8.1000.20160527_0943 to the /opt/IBM/ODM881 directory.
Installed com.ibm.websphere.odm.pt.rules.v88_8.8.1000.20160527_0949 to the /opt/IBM/ODM881 directory.

Create Deployment Manager Profile

/opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -create -templatePath /opt/IBM/WebSphere/AppServer/profileTemplates/management -profileName Dmgr01 -nodeName Dmgr -isDefault -enableAdminSecurity true -adminUserName wasadmin -adminPassword passw0rd

INSTCONFSUCCESS: Success: Profile Dmgr01 now exists. Please consult /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/logs/AboutThisProfile.txt for more information about this profile.

Create Node Profile

/opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -create -templatePath /opt/IBM/WebSphere/AppServer/profileTemplates/managed -profileName AppSrv01 -nodeName Node1

INSTCONFSUCCESS: Success: Profile AppSrv01 now exists. Please consult /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/AboutThisProfile.txt for more information about this profile.

Start Deployment Manager

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh

...
ADMU3000I: Server dmgr open for e-business; process id is 90622
...

Add Node into Cell

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/addNode.sh `hostname` 8879 -profileName AppSrv01 -username wasadmin -password passw0rd

...
ADMU0003I: Node Node1 has been successfully federated.
...

Stop Deployment Manager

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/stopManager.sh -username wasadmin -password passw0rd

...
ADMU4000I: Server dmgr stop completed.
...

Augment Deployment Manager Profile with Decision Center Capabilities

/opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -augment -profileName Dmgr01 -templatePath /opt/IBM/WebSphere/AppServer/profileTemplates/rules/management/dc

INSTCONFSUCCESS: Profile augmentation succeeded.

Augment Deployment Manager Profile with Decision Server Capabilities

/opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -augment -profileName Dmgr01 -templatePath /opt/IBM/WebSphere/AppServer/profileTemplates/rules/management/ds/

INSTCONFSUCCESS: Profile augmentation succeeded.

Set Variable

export ODM_HOME=/opt/IBM/ODM881/

Create Decision Center Cluster

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/configureDCCluster.sh -dmgrAdminUsername wasadmin -dmgrAdminPassword passw0rd -clusterPropertiesFile ~/configureDCCluster.properties -targetNodeName Node1 -dmgrHostName `hostname` -dmgrPort 8879

...
  [wsadmin] GBRPT0019I: Start application teamserver on server Node1-DCServer ...
  [wsadmin] GBRPC0028I: The cluster is up and running!

BUILD SUCCESSFUL
Total time: 6 minutes 15 seconds
...

Stop Deployment Manager

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/stopManager.sh -username wasadmin -password passw0rd

Create Decision Server Cluster

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/configureDSCluster.sh -dmgrAdminUsername wasadmin -dmgrAdminPassword passw0rd -clusterPropertiesFile ~/configureDSCluster.properties -targetNodeName Node1 -dmgrHostName `hostname` -dmgrPort 8879

...
  [wsadmin] GBRPC0013I: Synchronization done.
  [wsadmin] GBRPC0028I: The cluster is up and running!

BUILD SUCCESSFUL
Total time: 7 minutes 34 seconds
...

Switch to DB2 Instance Owner

su - db2inst1

Create Decision Center Database (RTSDB)

db2 create database RTSDB automatic storage yes using codeset UTF-8 territory GB pagesize 32768

Create Decision Server Database (RESDB)

db2 create database RESDB automatic storage yes using codeset UTF-8 territory GB pagesize 32768

Connect to RESDB as db2inst1 owner

db2 connect to RESDB user db2inst1 using passw0rd

Create Buffer Pool

db2 create bufferpool BP32K size 8000 automatic pagesize 32K

Grant DBADM rights to db2user1 user

db2 grant dbadm on database to user db2user1

Create RESDB Tables

db2 -tvf /opt/IBM/ODM881/executionserver/databases/trace_db2.sql

Connect to RESDB as db2user1 user

db2 connect to RESDB user db2user1 using passw0rd

Create RESDB Tables

db2 -tvf /opt/IBM/ODM881/executionserver/databases/trace_db2.sql

db2 -tvf /opt/IBM/ODM881/executionserver/databases/repository_db2.sql

db2 -tvf /opt/IBM/ODM881/executionserver/databases/xomrepository_db2.sql

db2 -tvf /opt/IBM/ODM881/executionserver/databases/decisionrunner_db2.sql

Disconnect from RESDB

db2 terminate

Connect to RTSDB as db2inst1 owner

db2 connect to RTSDB user db2inst1 using passw0rd

Grant DBADM rights to db2user1 user

db2 grant dbadm on database to user db2user1

Connect to RTSDB as db2user1 user

db2 connect to RTSDB user db2user1 using passw0rd

Create RTSDB tables

db2 -tvf rule-team-server.sql

Disconnect from RTSDB

db2 terminate

Switch to wasadmin user

su - wasadmin

Start wsadmin client

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd -host `hostname` -port 8879

Create Administrators group

AdminTask.createGroup('[-cn Administrators]')

Save and sync

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()

Add wasadmin user to Administrators group

AdminTask.addMemberToGroup('[-memberUniqueName uid=wasadmin,o=defaultWIMFileBasedRealm -groupUniqueName cn=Administrators,o=defaultWIMFileBasedRealm]')

Save and sync

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()

Map Administrators group into Decision Center application roles

AdminApp.edit('teamserver', '[ -MapRolesToUsers [[ rtsInstaller AppDeploymentOption.No AppDeploymentOption.No "" Administrators AppDeploymentOption.No user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm "" ]]]' )

AdminApp.edit('teamserver', '[ -MapRolesToUsers [[ rtsAdministrator AppDeploymentOption.No AppDeploymentOption.No "" Administrators AppDeploymentOption.No user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm "" ]]]' )

AdminApp.edit('teamserver', '[ -MapRolesToUsers [[ rtsUser AppDeploymentOption.No AppDeploymentOption.No "" Administrators AppDeploymentOption.No user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm "" ]]]' )

AdminApp.edit('teamserver', '[ -MapRolesToUsers [[ rtsConfigManager AppDeploymentOption.No AppDeploymentOption.No "" Administrators AppDeploymentOption.No user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm "" ]]]' )

AdminApp.edit('teamserver', '[ -MapRolesToUsers [[ rtsAdministrator AppDeploymentOption.No AppDeploymentOption.No "" Administrators AppDeploymentOption.No "" group:defaultWIMFileBasedRealm/cn=Administrators,o=defaultWIMFileBasedRealm ]]]' ) 

Map Administrators group into Decision Server application roles

AdminApp.edit('jrules-ssp', '[ -MapRolesToUsers [[ resAdministrators AppDeploymentOption.No AppDeploymentOption.No "" Administrators AppDeploymentOption.No user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm "" ]]]' )

AdminApp.edit('jrules-ssp', '[ -MapRolesToUsers [[ resDeployers AppDeploymentOption.No AppDeploymentOption.No "" Administrators AppDeploymentOption.No user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm "" ]]]' )

AdminApp.edit('jrules-res-management', '[ -MapRolesToUsers [[ resAdministrators AppDeploymentOption.No AppDeploymentOption.No "" Administrators AppDeploymentOption.No user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm "" ]]]' )

AdminApp.edit('jrules-res-management', '[ -MapRolesToUsers [[ resDeployers AppDeploymentOption.No AppDeploymentOption.No "" Administrators AppDeploymentOption.No user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm "" ]]]' )

AdminApp.edit('jrules-res-management', '[ -MapRolesToUsers [[ resMonitors AppDeploymentOption.No AppDeploymentOption.No "" Administrators AppDeploymentOption.No user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm "" ]]]' )

Save and sync

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()

Remove out-of-the-box Decision Center and Decision Server users

AdminTask.deleteUser('[-uniqueName uid=resAdmin,o=defaultWIMFileBasedRealm]')
AdminTask.deleteUser('[-uniqueName uid=resDeployer,o=defaultWIMFileBasedRealm]')
AdminTask.deleteUser('[-uniqueName uid=resMonitor,o=defaultWIMFileBasedRealm]')
AdminTask.deleteUser('[-uniqueName uid=rtsAdmin,o=defaultWIMFileBasedRealm]')
AdminTask.deleteUser('[-uniqueName uid=rtsConfig,o=defaultWIMFileBasedRealm]')
AdminTask.deleteUser('[-uniqueName uid=rtsUser1,o=defaultWIMFileBasedRealm]')

Save and sync

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()

Set Variables

cellID = AdminControl.getCell()

Stop Decision Center Cluster

AdminControl.invoke('WebSphere:name=DecisionCenterCluster,process=dmgr,platform=common,node=Dmgr,version=8.5.5.5,type=Cluster,mbeanIdentifier=DecisionCenterCluster,cell='+cellID+',spec=1.0', 'stop')

Stop Decision Server Cluster

AdminControl.invoke('WebSphere:name=DecisionServerCluster,process=dmgr,platform=common,node=Dmgr,version=8.5.5.5,type=Cluster,mbeanIdentifier=DecisionServerCluster,cell='+cellID+',spec=1.0', 'stop')

Stop Rules Management Server

AdminControl.stopServer('RulesMgrSrv','Node1')

Quit

quit

Stop Node Agent

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/stopNode.sh -user wasadmin -password passw0rd

Stop Deployment Manager

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/stopManager.sh -user wasadmin -password passw0rd

Start Deployment Manager

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh

Start Node Agent

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/startNode.sh

Start Decision Center Cluster

AdminControl.invoke('WebSphere:name=DecisionCenterCluster,process=dmgr,platform=common,node=Dmgr,version=8.5.5.5,type=Cluster,mbeanIdentifier=DecisionCenterCluster,cell='+cellID+',spec=1.0', 'start')

Start Decision Server Cluster

AdminControl.invoke('WebSphere:name=DecisionServerCluster,process=dmgr,platform=common,node=Dmgr,version=8.5.5.5,type=Cluster,mbeanIdentifier=DecisionServerCluster,cell='+cellID+',spec=1.0', 'start')

Start Rules Management Server

AdminControl.startServer('RulesMgrSrv','Node1')

Quit

quit

URLs

WAS Integrated Solutions Console


Decision Center

Enterprise Console


Business Console


Decision Server

Hosted Transparent Decision Service


ILOG Scenario Service Provider


Decision Runner


Rule Execution Server Console


Saturday, 30 July 2016

IBM Operational Decision Management 8.8.1 - My First Foray

I'm writing a post on how I built an IBM ODM Rules environment using the latest ODM Advanced 8.8.1 code.

However, I hit a minor blocker early on, with this: -

configure:
  [wsadmin] WASX7209I: Connected to process "dmgr" on node Dmgr using SOAP connector;  The type of process is: DeploymentManager
  [wsadmin] WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[/opt/IBM/ODM881, /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/rules, /home/wasadmin/configureDSCluster.properties, Node1]"
  [wsadmin] GBRPT0028I: Jython scripts are in /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/rules
  [wsadmin] WebSphere 8.5 detected (8.5.5.5)
  [wsadmin] GBRPT0026I: Loading properties file name /home/wasadmin/configureDSCluster.properties
  [wsadmin] WASX7017E: Exception received while running file "/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/rules/configureDSRulesNetworkDeployer.py"; exception information: com.ibm.bsf.BSFException: exception from Jython:
  [wsadmin] Traceback (innermost last):
  [wsadmin]   File "<string>", line 133, in ?
  [wsadmin]   File "<string>", line 44, in doIt
  [wsadmin]   File "<string>", line 119, in checkAndGetProperyValue
  [wsadmin] RuntimeError: GBRPC0029E: The key wodm.dsrules.rulesMgrServerName is not present in the specified properties file
  [wsadmin] Java Result: 105

BUILD SUCCESSFUL
Total time: 32 seconds

whilst creating a Decision Server ( Rule Execution Server ) cluster: -

export ODM_HOME=/opt/IBM/ODM881/
/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/configureDSCluster.sh -dmgrAdminUsername wasadmin -dmgrAdminPassword passw0rd -clusterPropertiesFile ~/configureDSCluster.properties -targetNodeName Node1 -dmgrHostName `hostname` -dmgrPort 8879


As is often the case, the error was mine ….

I was ASSUMING that I could use a similar script - configureDSCluster.properties - for this new 8.8.1 installation, having used the same for the past few versions of ODM, including 8.6 and 8.7.

Alas ….

The error was fairly clear: -

<snip>
  [wsadmin] RuntimeError: GBRPC0029E: The key wodm.dsrules.rulesMgrServerName is not present in the specified properties file
</snip>

When I compared / contrasted my configureDSCluster.properties file with the sample that comes with the product: -

/opt/IBM/ODM881/shared/profiles/profileTemplates/rules/management/ds/documents/bin/rules/configureDSCluster.properties

I saw that I was missing a line: -

wodm.dsrules.rulesMgrServerName=RulesMgrSrv

Once I added it into my own response file: -

configureDSCluster.properties 
wodm.dsrules.clusterName=DecisionServerCluster
wodm.virtualhost.name=default_host
wodm.dsrules.rulesMgrServerName=RulesMgrSrv
wodm.dsrules.db.type=DB2
wodm.dsrules.db.jdbcDriverPath=/opt/IBM/WebSphere/AppServer/ODMjdbcdrivers/DB2/
wodm.dsrules.db.name=RESDB
wodm.dsrules.db.hostname=db2.uk.ibm.com
wodm.dsrules.db.port=60006
wodm.dsrules.db.user=db2user1
wodm.dsrules.db.password=passw0rd
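Added example, not from the post and not IBM code: a small pre-flight check that diffs the key names in a properties file against the product sample ( the path quoted above ) so that a missing key such as wodm.dsrules.rulesMgrServerName is caught before the multi-minute cluster build starts, rather than surfacing as GBRPC0029E from inside wsadmin. The sample and the carried-over 8.7-era file used here are constructed stand-ins written to a temp directory, and LC_ALL=C keeps sort and comm in agreement. Since the real file carries the database password in clear, it is worth keeping it mode 0600 as well:

```sh
#!/bin/sh
# Added example, not from the post or the product. Compares the keys in a
# properties file against the sample shipped with ODM before
# configureDSCluster.sh runs. The two files below are constructed stand-ins;
# on a real box SAMPLE would be
# /opt/IBM/ODM881/shared/profiles/profileTemplates/rules/management/ds/documents/bin/rules/configureDSCluster.properties
set -eu
export LC_ALL=C   # sort and comm must agree on collation

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE="$WORK/sample.properties"
MINE="$WORK/configureDSCluster.properties"

# Constructed copy of the 8.8.1 sample: only the key names matter here.
cat > "$SAMPLE" <<'EOF'
# sample properties for configureDSCluster.sh (constructed)
wodm.dsrules.clusterName=DecisionServerCluster
wodm.virtualhost.name=default_host
wodm.dsrules.rulesMgrServerName=RulesMgrSrv
wodm.dsrules.db.type=DB2
wodm.dsrules.db.jdbcDriverPath=/opt/IBM/WebSphere/AppServer/ODMjdbcdrivers/DB2/
wodm.dsrules.db.name=RESDB
wodm.dsrules.db.hostname=localhost
wodm.dsrules.db.port=50000
wodm.dsrules.db.user=db2user1
wodm.dsrules.db.password=CHANGEME
EOF

# The file carried over from 8.7: everything except the key 8.8.1 added.
cat > "$MINE" <<'EOF'
wodm.dsrules.clusterName=DecisionServerCluster
wodm.virtualhost.name=default_host
wodm.dsrules.db.type=DB2
wodm.dsrules.db.jdbcDriverPath=/opt/IBM/WebSphere/AppServer/ODMjdbcdrivers/DB2/
wodm.dsrules.db.name=RESDB
wodm.dsrules.db.hostname=db2.uk.ibm.com
wodm.dsrules.db.port=60006
wodm.dsrules.db.user=db2user1
wodm.dsrules.db.password=passw0rd
EOF

# property_keys FILE -> sorted unique key names; comments and blank lines ignored
property_keys() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]*=.*$//' "$1" | sort -u
}

# missing_keys SAMPLE MINE -> keys defined in SAMPLE that MINE does not define
missing_keys() {
    a=$(mktemp)
    b=$(mktemp)
    property_keys "$1" > "$a"
    property_keys "$2" > "$b"
    comm -23 "$a" "$b"        # lines only in the first (sorted) file
    rm -f "$a" "$b"
}

# check_properties SAMPLE MINE -> 0 when nothing is missing; otherwise lists
# the missing keys on stderr and returns 1, so a wrapper script can stop here
check_properties() {
    missing=$(missing_keys "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'missing in %s:\n%s\n' "$2" "$missing" >&2
        return 1
    fi
    return 0
}

check_properties "$SAMPLE" "$MINE" || true   # reports wodm.dsrules.rulesMgrServerName
```

Run check_properties against the real sample and file just before configureDSCluster.sh; a non-zero exit stops a wrapper script before the cluster build is attempted.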


and reran the cluster create process: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/configureDSCluster.sh -dmgrAdminUsername wasadmin -dmgrAdminPassword passw0rd -clusterPropertiesFile ~/configureDSCluster.properties -targetNodeName Node1 -dmgrHostName `hostname` -dmgrPort 8879

it just worked: -

...
  [wsadmin] GBRPC0013I: Synchronization done.
  [wsadmin] GBRPC0028I: The cluster is up and running!

BUILD SUCCESSFUL
Total time: 6 minutes 55 seconds

...

#LifeIsGood

Friday, 29 July 2016

Messing about with IPTables

<caveat>
I'm NOT a firewall or networking expert, so this is very much YMMV.
</caveat>

I wanted to see if/how I could use the out-of-the-box IPTables firewall to block most connectivity to a web server ( IBM HTTP Server ) whilst allowing SSH connectivity and, more importantly, allowing incoming requests from 

Flush the existing rules

iptables -F

Add a rule to allow SSH connectivity only from a specific interface and host - actually the host VM

iptables -A INPUT -i eth0 -p tcp -s 192.168.153.1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Add a rule to allow connectivity from a specific interface and host and port - the F5 LTM

iptables -A INPUT -i eth1 -p tcp -s 10.128.10.0/24 --dport 8443 -m state --state NEW,ESTABLISHED -j ACCEPT

Drop all other traffic from the 192.168.153 subnet

iptables -A INPUT -s 192.168.153.0/24 -j DROP

Drop all other traffic from the 10.128.10 subnet

iptables -A INPUT -s 10.128.10.0/24 -j DROP

Save and print the configuration

iptables-save

...
# Generated by iptables-save v1.4.7 on Fri Jul 29 19:13:26 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [945:348018]
-A INPUT -s 192.168.153.1/32 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -s 10.128.10.0/24 -i eth1 -p tcp -m tcp --dport 8443 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -s 192.168.153.0/24 -j DROP 
-A INPUT -s 10.128.10.0/24 -j DROP 
COMMIT
# Completed on Fri Jul 29 19:13:26 2016

...

I then tested this by: -

(a) ensuring that I could still connect to IHS via the F5 load balancer: -

openssl s_client -connect 10.128.10.240:443 </dev/null

SSL handshake has read 1065 bytes and written 440 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit


(b) ensuring that I could NOT connect to IHS directly: -

openssl s_client -connect 192.168.153.200:8443 </dev/null

connect: Operation timed out
connect:errno=60
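An added example ( mine, not from the post ) that reads an iptables-save dump like the one above and flags three things this ruleset leaves open: the INPUT chain's default policy is still ACCEPT, so hosts outside the two listed subnets are not blocked at all; nothing accepts loopback traffic; and only the two port rules match ESTABLISHED, so replies to connections the box itself opens depend on those rules. The second dump is a constructed, tightened variant ( default DROP, loopback and return traffic accepted first, NEW-only port rules ) and is my assumption about the intent, not something the post configured. Note also that iptables-save only prints the live rules to stdout; redirect it to a file, or use the distribution's own persistence mechanism, if the rules are to survive a reboot.

```sh
#!/bin/sh
# Added example, not from the post. Lints an iptables-save dump for three
# things the post's ruleset leaves open: an ACCEPT default policy on INPUT,
# no loopback ACCEPT, and no generic ESTABLISHED,RELATED rule.
set -eu

# Constructed dump: same shape and rules as the post's iptables-save output.
RULES_FROM_POST='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [945:348018]
-A INPUT -s 192.168.153.1/32 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.128.10.0/24 -i eth1 -p tcp -m tcp --dport 8443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.153.0/24 -j DROP
-A INPUT -s 10.128.10.0/24 -j DROP
COMMIT'

# Constructed tightened variant (an assumption about intent, not the post's
# config): default DROP, loopback and return traffic accepted first.
RULES_TIGHTENED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.153.1/32 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 10.128.10.0/24 -i eth1 -p tcp -m tcp --dport 8443 -m state --state NEW -j ACCEPT
COMMIT'

# input_policy DUMP -> the INPUT chain default policy (ACCEPT or DROP)
input_policy() {
    printf '%s\n' "$1" | awk '$1 == ":INPUT" { print $2 }'
}

# allows_loopback DUMP -> 0 if INPUT has an "-i lo ... -j ACCEPT" rule
allows_loopback() {
    printf '%s\n' "$1" | grep -q -- '^-A INPUT .*-i lo .*-j ACCEPT$'
}

# allows_return_traffic DUMP -> 0 if INPUT has an ESTABLISHED rule that is
# not limited to a source or destination address
allows_return_traffic() {
    printf '%s\n' "$1" | grep -- '^-A INPUT ' \
        | grep -v -e ' -s ' -e ' -d ' \
        | grep -q -- '--state [A-Z,]*ESTABLISHED'
}

# lint DUMP -> one finding per line; prints nothing when the dump is clean
lint() {
    dump=$1
    [ "$(input_policy "$dump")" = "DROP" ] \
        || echo "INPUT policy is $(input_policy "$dump"): hosts not matched by a DROP rule are still accepted"
    allows_loopback "$dump" \
        || echo "no loopback ACCEPT: local services talking over 127.0.0.1 are subject to the same rules"
    allows_return_traffic "$dump" \
        || echo "no generic ESTABLISHED,RELATED rule: replies to outbound connections rely on per-rule state matches"
}

# finding_count DUMP -> number of findings as a plain integer
finding_count() {
    lint "$1" | grep -c . || true
}

lint "$RULES_FROM_POST"    # three findings
lint "$RULES_TIGHTENED"    # no output
```

Feed it the output of iptables-save from the box itself ( lint "$(iptables-save)" ) to check a live ruleset the same way.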


Here are my not-so-secret sources: -






Wednesday, 27 July 2016

IBM BPM Advanced 8.5.5 - Where's the Failed Event Manager ?

Clue, it's in the Deployment Environment


Easy when you know how :-)

Aide Memoire - F5 - Configuration Guide for BIG-IP Local Traffic Management

It's here: -



<snip>
The BIG-IP® local traffic management system is specifically designed to manage your local network traffic. Local traffic management refers to the process of managing network traffic that comes into or goes out of a local area network (LAN), including an intranet.

This configuration guide applies to the set of local traffic management products that are part of the BIG-IP system family of products.

A commonly-used feature of the BIG-IP system is its ability to intercept and redirect incoming network traffic, for the purpose of intelligently tuning the load on network servers. However, tuning server load is not the only type of local traffic management. The BIG-IP system includes a variety of features that perform functions such as inspecting and transforming header and content data, managing SSL certificate-based authentication, and compressing HTTP responses. In so doing, the BIG-IP system not only directs traffic to the appropriate server resource, but also enhances network security and frees up server resources by performing tasks that web servers typically perform.
</snip>

VMware Fusion - Stuck on "GRUB loading stage2"

I had this error: -

GRUB loading stage2

whilst attempting to boot a F5 BIG-IP Virtual Edition VM

No matter how many times I rebooted, the error kept popping up :-(

I'm using VMware Fusion 8.1.1 on OS X 10.11.6.

This thread: -


helped, specifically this: -

Did you enable COM port? What Hypervisor version do you have?

Yes, enabling COM Port helped. Thanks

Once I added a virtual Serial Port: -


it just worked :-)

Friday, 22 July 2016

MQJCA1011 and the story of the missing IBM MQ JMS Provider permissions

We saw this problem earlier this week: -

Failed to load the WebSphere MQ native JNI library: 'mqjbnd'.

The JVM attempted to load the platform native library 'mqjbnd', which was mapped to the filename: 'libmqjbnd.a'.

When attempting to load the library, the JVM reported the error message:

'mqjbnd (Not found in java.library.path)'

in the context of a failing WebSphere Application Server (WAS) to IBM MQ (MQ) configuration.

We found this, whilst trying to debug this: -

com.ibm.mq.connector.DetailedResourceAdapterInternalException: MQJCA1011: Failed to allocate a JMS connection. An internal error caused an attempt to allocate a connection to fail. See the linked exception for details of the failure.

We're using JMS Activation Specifications, JMS Queues and, most importantly, a JMS MQ Provider.

This latter has a native MQ library configured: -

ra=AdminConfig.getid("/Cell/"+cellID+"/ServerCluster/"+clusterName+"/J2CResourceAdapter:WebSphere MQ Resource Adapter/")
AdminTask.manageWMQ(ra, '[-nativePath /opt/mqm/java/lib64/ -disableWMQ false ]')
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()

When I checked, the user under which WAS runs, wasadmin, does NOT appear to have the permission to access the MQ native library path: -

/opt/mqm/java/lib64/

as per this example: -

whoami

wasadmin

ls -al /opt/mqm/java/lib64/

ls: 0653-345 /opt/mqm/java/lib64/.: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/..: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/bin: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/doc: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/http: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/jre64: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/lib: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/lib64: Permission denied.
ls: 0653-345 /opt/mqm/java/lib64/original.jre64.IT13492: Permission denied.
total 0


We compared / contrasted this against a working system, where wasadmin WAS able to access the Java path.

Thus it feels like the wasadmin user no longer has the permission to access the MQ native libraries, which are owned by mqm.

This may have changed as a result of a MQ patching / maintenance process.

Once the MQ administrator changed the permissions for the /opt/mqm/java directory to: -

dr-xr-xr-x

things started working again ….
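Added example, not from the post and not IBM code: a check that walks the path given to manageWMQ -nativePath and reports every directory whose mode denies "other" users the search ( x ) bit, plus whether the library itself is readable. A process running as wasadmin, which is neither the owner mqm nor in that group, needs the search bit on every component to reach libmqjbnd, and a single 750 directory on the way is enough to produce the Permission denied seen above. It assumes GNU or busybox stat ( -c '%A' ); the /opt/mqm/java/lib64 tree is rebuilt under a temp directory so it runs anywhere:

```sh
#!/bin/sh
# Added example, not from the post or from IBM. Reports each directory on the
# MQ native-library path whose mode denies others the search bit, the way a
# WAS runtime user outside group mqm would be blocked. Assumes GNU/busybox
# stat; the tree is a constructed copy of /opt/mqm/java/lib64 in a temp dir.
set -eu

# others_can_search MODE -> 0 when the others-execute bit (10th char) is x or t
others_can_search() {
    case "$1" in ?????????[xt]*) return 0 ;; *) return 1 ;; esac
}

# others_can_read MODE -> 0 when the others-read bit (8th char) is r
others_can_read() {
    case "$1" in ???????r*) return 0 ;; *) return 1 ;; esac
}

# blocked_dirs BASE REL -> "MODE PATH" for each directory of BASE/REL that
# others cannot search. BASE is "/" on a real host; here it is the temp dir.
blocked_dirs() {
    prefix=${1%/}
    old_ifs=$IFS
    IFS=/
    set -- $2                       # split REL into its path components
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        prefix="$prefix/$comp"
        [ -d "$prefix" ] || break
        mode=$(stat -c '%A' "$prefix")
        others_can_search "$mode" || printf '%s %s\n' "$mode" "$prefix"
    done
}

# lib_readable DIR NAME -> 0 when DIR/NAME exists and others can read it
lib_readable() {
    mode=$(stat -c '%A' "$1/$2" 2>/dev/null) || return 1
    others_can_read "$mode"
}

# Constructed tree reproducing the broken state from the post: /opt/mqm/java
# is 750 (owner and group mqm only), everything else is world-searchable.
DEMO=$(mktemp -d)
trap 'chmod -R u+rwx "$DEMO" && rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/opt/mqm/java/lib64"
: > "$DEMO/opt/mqm/java/lib64/libmqjbnd.a"
chmod 755 "$DEMO/opt" "$DEMO/opt/mqm" "$DEMO/opt/mqm/java/lib64"
chmod 644 "$DEMO/opt/mqm/java/lib64/libmqjbnd.a"
chmod 750 "$DEMO/opt/mqm/java"

blocked_dirs "$DEMO" opt/mqm/java/lib64     # drwxr-x--- <tmp>/opt/mqm/java
lib_readable "$DEMO/opt/mqm/java/lib64" libmqjbnd.a && echo "library readable"
```

On a real box run blocked_dirs / opt/mqm/java/lib64 as any user; the mode is read from the inode, so the answer is the same whether or not the caller happens to be root. After the post's fix ( chmod 555 on /opt/mqm/java ) the list is empty.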

Disable desktop notifications for a site

I was getting slightly cross ( hey, I'm British, what can I say? ) with Firefox 47's insistence on asking me whether I REALLY wanted notifications from a site, each and every time I opened or refreshed a page on that site.

This had the answer: -


<snip>
You can reset this to the default (or outright disallow it) on a per-site basis by right-clicking somewhere in a blank spot of the site (or pressing Ctrl-I on Windows or Cmd-I on Mac) and then selecting "View Page Info" from the opening menu. This opens a window with a "Permissions" tab. In that, scroll down to the very bottom until you see "Show Notifications" as the third-to-last entry. Either reset that to the default, or just select "Block".

Additionally, the notifications are currently a labs feature in Google Music, so you can also disable them by going into the Google Music Labs preferences and disabling them.
</snip>


I changed it from Use Default to Block 

Job done :-)

Monday, 18 July 2016

IBM Integration Bus - The names, they are a-changin'

So I still struggle to remember that, with IBM Integration Bus 9, the naming conventions inherited from WebSphere Message Broker ( and its predecessors ) have CHANGED.

Here's a useful crib: -


Friday, 8 July 2016

F5 BIG-IP Local Traffic Manager ( LTM ) - Scripting It, Baby

Following on from my earlier posts: -



I've made yet more headway with this fascinating product.

I'd referenced this excellent post: -


which, in part, included the necessary F5 commands, using the tmsh utility, to set up a pair of network interfaces, some IP addresses and a default route: -

<snip>

tmsh create net vlan external interfaces add { 1.1 { untagged } }

tmsh create net vlan internal interfaces add { 1.2 { untagged } }

tmsh create net self 10.128.10.240 address 10.128.10.240/24 vlan external
tmsh create net self 10.128.20.240 address 10.128.20.240/24 vlan internal

tmsh create net route Default_Gateway network 0.0.0.0/0 gw 10.128.10.2

tmsh save sys config

</snip>

However, I wanted to go further - I wanted to script the configuration of the necessary components: -

HTTPS Health Monitor
Node
Virtual Server

to allow the F5 to do its job of (a) monitoring a downstream instance of IBM HTTP Server and (b) allow me to have IHS listening on port 8443 whilst the F5 receives traffic on port 443.

This is my IHS configuration, for the record: -

/opt/IBM/HTTPServer/bin/apachectl -DDUMP_SSL_CONFIG -f /opt/IBM/HTTPServer/conf/httpd.conf

SSL configuration:
Default server
Server name: bpm856.uk.ibm.com:8080
SSL enabled: NO

SSL server defined at: /opt/IBM/HTTPServer/conf/httpd.conf:852
Server name: bpm856.uk.ibm.com:8443
SSL enabled: YES
FIPS enabled: 0
Keyfile: /opt/IBM/HTTPServer/ssl/keystore.kdb
Protocols enabled: TLSv10,TLSv11,TLSv12
Ciphers for SSLV2: (protocol disabled)
Ciphers for SSLV3: (protocol disabled)
Ciphers for TLSv10: (defaults) TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
Ciphers for TLSv11: (defaults) TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
Ciphers for TLSv12: (defaults) TLS_RSA_WITH_AES_128_GCM_SHA256(9C),TLS_RSA_WITH_AES_256_GCM_SHA384(9D),TLS_RSA_WITH_AES_128_CBC_SHA256(3C),TLS_RSA_WITH_AES_256_CBC_SHA256(3D),TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)

Syntax OK

and this is what I did on the F5 LTM: -

Create a HTTPS Monitor

This is the component that monitors the downstream IHS, so needs to "know" the HTTPS ciphers being used and the port. Note that, in Unix-land, port 8443 is "known" as pcsync-https ( just check /etc/services ), so that service name is used in place of the number in the commands below.

The Monitor also needs to send a well-formed HTTP/1.1 request, and wait for a proper HTTP response code e.g. 200 OK.

tmsh create ltm monitor https davehttps { cipherlist DEFAULT:+SHA:+3DES:+kEDH compatibility enabled defaults-from https destination *:pcsync-https interval 5 recv 200 send "GET /index.html HTTP/1.1\\r\\nHost: bpm856.uk.ibm.com\\r\\nConnection: Close\\r\\n\\r\\n" time-until-up 0 timeout 16 }

Create a Node

The node ( we typically have more than one ) refers to the downstream IHS box, specifically in terms of its IP address or hostname

tmsh create ltm node bpm856.uk.ibm.com { address 192.168.153.200 }

Create a Pool

This is where the Monitor and the Node are brought together

tmsh create ltm pool bpm856.uk.ibm.com_ihs members add { bpm856.uk.ibm.com:pcsync-https { monitor davehttps }}

Create a Virtual Server

This represents the service that the LTM offers to the client, which is where the magic "mapping" between the IHS port of 8443 and the exposed port of 443 happens

tmsh create ltm virtual IHS destination 10.128.10.123:https ip-protocol tcp mask 255.255.255.255 pool bpm856.uk.ibm.com_ihs profiles add { clientssl { context clientside } http{} serverssl{context serverside } tcp{} } source 0.0.0.0/0 source-address-translation { type automap } vlans add { external internal } vlans-enabled 

Save the Configuration

I think this is implicit, but it never hurts to do it :-)

tmsh save sys config
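Added example, not from the post and not F5 code: an offline reproduction of the two things the davehttps monitor does, namely sending the HTTP/1.1 request given in the tmsh "send" string and marking the pool member up when the "recv" pattern is found in the response. It assumes, as the tmsh reference describes recv, that the pattern is a regular expression matched against the whole returned data, which is why a bare "200" is looser than it looks: a 404 page whose body happens to contain "200" also counts as up. The responses are constructed; probe_live shows the same check against a real host over TLS but is not exercised here:

```sh
#!/bin/sh
# Added example, not from the post and not F5 code. Reproduces offline what
# the davehttps monitor does: send the HTTP/1.1 probe and decide "up" when
# the recv pattern matches the response. Assumes recv is a regular expression
# matched against the whole response. Responses below are constructed.
set -eu

# build_request HOST PATH -> the bytes the monitor sends. The tmsh string has
# "\\r\\n" because tmsh unescapes it once; printf produces the CR LF directly.
build_request() {
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: Close\r\n\r\n' "$2" "$1"
}

# request_bytes HOST PATH -> size of the probe, handy next to a packet capture
request_bytes() {
    build_request "$1" "$2" | wc -c | tr -d ' '
}

# monitor_up RECV_REGEX RESPONSE -> 0 when the pattern matches anywhere
monitor_up() {
    printf '%s' "$2" | grep -q -- "$1"
}

# Constructed responses standing in for IHS on pcsync-https (8443)
OK_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 12

<h1>IHS</h1>'

NOTFOUND_RESPONSE='HTTP/1.1 404 Not Found
Content-Type: text/html

<p>Error 404: /index.html not found (ref 200)</p>'

# Live variant mirroring the monitor over TLS (needs the network; not run here).
# probe_live HOST PORT RECV_REGEX
probe_live() {
    resp=$(build_request "$1" /index.html \
        | openssl s_client -quiet -servername "$1" -connect "$1:$2" 2>/dev/null) || true
    monitor_up "$3" "$resp"
}

monitor_up '200' "$NOTFOUND_RESPONSE" && echo 'recv 200: the 404 page is reported UP'
monitor_up '^HTTP/1\.[01] 200' "$NOTFOUND_RESPONSE" || echo 'recv anchored on the status line: 404 page reported DOWN'
```

Anchoring recv on the status line ( something like "^HTTP/1\.[01] 200" ) keeps an error page that mentions "200" in its body from counting as healthy.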

Having run all of that, which takes about 5 seconds, I have a nice network map: -


an active pool: -


a working node: -


and a happy virtual server: -


More importantly, I can hit IHS directly: -


*AND* via the LTM: -


Note that, in the latter case, the connection is on port 443, which the browser automatically hides :-)

So I've still got some SSL certificate stuff to do, especially if I want to have the F5 use Mutual Authentication ( aka Client Authentication ) to the IHS box, but that's for another day ….

Update - 8 September 2016 - a smart F5 guru did advise me NOT to use the same IP address for BOTH the external interface AND the Virtual Server. Therefore, I've updated this post to show the external interface listen on 10.128.10.240 but the Virtual Server listen on 10.128.10.123, as per this example: -

https://10.128.10.123
