Thursday, 29 September 2016

IBM ODM Rules on Liberty on Docker - Tracing the RES

One of my friends challenged me to work out how to enable a more detailed trace for IBM ODM Rules, running on WebSphere Liberty Profile.

I've written a bit about ODM on Liberty, both with and without Docker, recently: -






However, my pal wanted to go one step further; he wanted to enable Execution Unit (XU) tracing on his Rule Execution Server (RES) - aka Decision Server.

Another of the team directed me here: -


which includes the various trace strings: -


Specifically, he wanted this: -

Ruleset execution: rule session, execution units (XU) com.ibm.rules.res.execution

In essence, it requires a change to the server.xml which is one of the main Liberty configuration files.

Thus I inserted this: -

...
        <featureManager>
                <feature>servlet-3.1</feature>
                <feature>jsp-2.3</feature>
                <feature>jdbc-4.1</feature>
                <feature>appSecurity-2.0</feature>
                <feature>jaxrs-1.1</feature>
                <feature>concurrent-1.0</feature>
                <feature>jndi-1.0</feature>
                <feature>ssl-1.0</feature>
        </featureManager>

        <logging  traceSpecification="com.ibm.rules.res.execution=all"
                traceFileName="trace.log"
                maxFileSize="20"
                maxFiles="10"
                traceFormat="BASIC" />


        <httpSession cookieName="DCSESSIONID"
                invalidateOnUnauthorizedSessionRequestException="true" />
...

into an existing server.xml.

As I'm running ODM on Liberty on Docker, I decided to take the somewhat "nuclear" step of discarding my existing Container, and creating a brand new Image.

Thus I did the following: -

Stop the existing Container ( instance )

docker kill cf93bfdacb28

Remove the existing Container

docker rm cf93bfdacb28

Remove the Image from which the Container was instantiated

docker rmi ad81c81be14d

and then created a new Image: -

docker build -t odm88 .

and then instantiated a Container from the newly created Image: 

odm88=`docker run -d -t -p 80:9080 -p 443:9443 odm88:latest`

I monitored the logs to ensure that the server was up: -

docker logs $odm88 -f

[AUDIT   ] CWWKZ0001I: Application teamserver started in 25.915 seconds.
[AUDIT   ] CWWKZ0022W: Application decisioncenter has not started in 30.001 seconds.
[AUDIT   ] CWWKF0012I: The server installed the following features: [jsp-2.3, concurrent-1.0, servlet-3.1, ssl-1.0, jndi-1.0, json-1.0, distributedMap-1.0, appSecurity-2.0, jdbc-4.1, jaxrs-1.1, el-3.0].
[AUDIT   ] CWWKF0011I: The server defaultServer is ready to run a smarter planet.
[WARNING ] [dc] Solr index directory '/tmp/solr.data1447360524204199981.dir/index' doesn't exist. Creating new index...
[AUDIT   ] CWWKZ0001I: Application decisioncenter started in 33.707 seconds.

Once up, I opened a command prompt to the Container: -

docker exec -i -t $odm88 /bin/bash

and confirmed that my newly created trace.log file existed: -

ls -al /logs/

total 436
drwxr-xr-x  2 root root   4096 Sep 29 14:12 .
drwxr-xr-x 64 root root   4096 Sep 29 14:12 ..
-rw-r-----  1 root root 210983 Sep 29 14:32 messages.log
-rw-r-----  1 root root 221913 Sep 29 14:32 trace.log

I also confirmed that stuff was being logged, by hitting a test Rule Service via the built-in REST Service tester: -


and monitored the trace.log file for output: -

...
[9/29/16 14:32:44:425 UTC] 00000121 execution     2 com.ibm.rules.res.xu.work.internal.WorkManagerImpl startWork com.ibm.rules.res.xu.work.internal.WorkManagerImpl startWork ENTERING com.ibm.rules.res.xu.ruleset.internal.RulesetParsingWork@c53d8f51
[9/29/16 14:32:44:427 UTC] 00000124 execution     2 com.ibm.rules.res.xu.work.internal.WorkManagerImpl workStarted com.ibm.rules.res.xu.work.internal.WorkManagerImpl workStarted ENTERING javax.resource.spi.work.WorkEvent[source=Thread[Thread-22,5,Default Executor Thread Group]]
[9/29/16 14:32:44:428 UTC] 00000124 execution     2 com.ibm.rules.res.xu.work.internal.WorkManagerImpl workStarted com.ibm.rules.res.xu.work.internal.WorkManagerImpl workStarted EXIT RETURN
[9/29/16 14:32:44:427 UTC] 00000121 execution     2 com.ibm.rules.res.xu.work.internal.WorkManagerImpl workAccepted com.ibm.rules.res.xu.work.internal.WorkManagerImpl workAccepted ENTERING javax.resource.spi.work.WorkEvent[source=com.ibm.rules.res.xu.work.internal.WorkManagerImpl@54266e07]
[9/29/16 14:32:44:428 UTC] 00000121 execution     2 com.ibm.rules.res.xu.work.internal.WorkManagerImpl workAccepted com.ibm.rules.res.xu.work.internal.WorkManagerImpl workAccepted EXIT RETURN
[9/29/16 14:32:44:429 UTC] 00000121 execution     2 com.ibm.rules.res.xu.work.internal.WorkManagerImpl startWork com.ibm.rules.res.xu.work.internal.WorkManagerImpl startWork RETURN 0
[9/29/16 14:32:45:094 UTC] 00000124 execution     2 com.ibm.rules.res.xu.work.internal.WorkManagerImpl workCompleted com.ibm.rules.res.xu.work.internal.WorkManagerImpl workCompleted ENTERING javax.resource.spi.work.WorkEvent[source=Thread[Thread-22,5,Default Executor Thread Group]]
[9/29/16 14:32:45:094 UTC] 00000124 execution     2 com.ibm.rules.res.xu.work.internal.WorkManagerImpl removeWork com.ibm.rules.res.xu.work.internal.WorkManagerImpl removeWork ENTERING com.ibm.rules.res.xu.ruleset.internal.RulesetParsingWork@c53d8f51
[9/29/16 14:32:45:095 UTC] 00000124 execution     2 com.ibm.rules.res.xu.work.internal.WorkManagerImpl removeWork com.ibm.rules.res.xu.work.internal.WorkManagerImpl removeWork EXIT RETURN
[9/29/16 14:32:45:095 UTC] 00000124 execution     2 com.ibm.rules.res.xu.work.internal.WorkManagerImpl workCompleted com.ibm.rules.res.xu.work.internal.WorkManagerImpl workCompleted EXIT RETURN
[9/29/16 14:32:50:585 UTC] 00000121 SystemOut     O   Hello Dave Hay Rules!

Bottom line, ODM on Liberty, with/out Docker, is just SO amazingly flexible.

Of course, I didn't need to throw away the Container and Image just to change a few lines of XML.

This is what I should have done: -

Update the source server.xml file

Changing the trace string to: -

        <logging  traceSpecification="com.ibm.rules.res.execution=all:com.ibm.rules.res.console=all"
                traceFileName="trace.log"
                maxFileSize="20"
                maxFiles="10"
                traceFormat="BASIC" />

Copying the source server.xml to the existing Container

docker cp server.xml $odm88:/opt/ibm/wlp/usr/servers/defaultServer

Commit the change

docker commit $odm88

Stop the Liberty Server

docker exec -i -t $odm88 /bin/bash -c "/opt/ibm/wlp/bin/server stop"

Stopping server defaultServer.
Server defaultServer stopped.

Restart the existing Container

docker restart $odm88

5cfcc8ec2443cedeea0f6ed6456829d1a0f994c169855da7c4e2593bef0f47f0

Monitor the logs

docker logs $odm88 -f

Launching defaultServer (WebSphere Application Server 8.5.5.9/wlp-1.0.12.cl50920160227-1523) on IBM J9 VM, version pxa6480sr3-20160428_01 (SR3) (en_US)
[AUDIT   ] CWWKE0001I: The server defaultServer has been launched.
[AUDIT   ] CWWKE0100I: This product is licensed for development, and limited production use. The full license terms can be viewed here: https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/license/base_ilan/ilan/8.5.5.9/lafiles/en.html
[AUDIT   ] CWWKG0093A: Processing configuration drop-ins resource: /opt/ibm/wlp/usr/servers/defaultServer/configDropins/defaults/keystore.xml
[AUDIT   ] CWWKZ0058I: Monitoring dropins for applications. 
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://5cfcc8ec2443:9080/testing/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://5cfcc8ec2443:9080/DecisionRunner/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://5cfcc8ec2443:9080/DecisionService/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://5cfcc8ec2443:9080/res/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://5cfcc8ec2443:9080/teamserver/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://5cfcc8ec2443:9080/decisioncenter/
[AUDIT   ] CWWKZ0001I: Application DecisionService started in 8.615 seconds.
[AUDIT   ] CWWKZ0001I: Application testing started in 8.746 seconds.
[AUDIT   ] CWWKZ0001I: Application DecisionRunner started in 9.413 seconds.
[AUDIT   ] CWWKZ0001I: Application res started in 9.422 seconds.
[AUDIT   ] CWWKZ0001I: Application teamserver started in 12.839 seconds.
[WARNING ] [dc] Solr index directory '/tmp/solr.data912267916741895538.dir/index' doesn't exist. Creating new index...
[AUDIT   ] CWWKZ0001I: Application decisioncenter started in 17.642 seconds.
[AUDIT   ] CWWKF0012I: The server installed the following features: [jsp-2.3, concurrent-1.0, servlet-3.1, ssl-1.0, jndi-1.0, json-1.0, distributedMap-1.0, appSecurity-2.0, jdbc-4.1, jaxrs-1.1, el-3.0].
[AUDIT   ] CWWKF0011I: The server defaultServer is ready to run a smarter planet.


Start a shell against the Container

docker exec -i -t $odm88 /bin/bash

Check the trace.log to validate the new trace string

cat /logs/trace.log |grep -i console

trace.specification = *=info:com.ibm.rules.res.console=all:com.ibm.rules.res.execution=all
[9/29/16 18:06:29:515 UTC] 0000001d id=         com.ibm.ws.logging.internal.TraceSpecification               I TRAS0018I: The trace state has been changed. The new trace state is *=info:com.ibm.rules.resconsole=all:com.ibm.rules.res.execution=all.
[9/29/16 18:06:31:667 UTC] 00000026 WebGroup      I   SRVE0169I: Loading Web Module: Rule Execution Server Console.
[9/29/16 18:06:31:667 UTC] 00000026 webcontainer  I com.ibm.ws.webcontainer.osgi.DynamicVirtualHost addWebApplication SRVE0250I: Web Module Rule Execution Server Console has been bound to default_host.
[9/29/16 18:06:37:144 UTC] 00000026 console       2   logging path and file name: res-console.log
[9/29/16 18:06:37:157 UTC] 00000026 console       C   GBRXC0180W 
                                 res-console.log
[9/29/16 18:06:37:157 UTC] 00000026 console       2   Default logging file name is used: res-console
[9/29/16 18:06:37:158 UTC] 00000026 console       2   logging file name: res-console
[9/29/16 18:06:37:188 UTC] 00000026 console       I   The operating system is Linux amd64 4.4.20-moby.
[9/29/16 18:06:37:189 UTC] 00000026 console       I   The JVM is IBM Corporation IBM J9 VM 2.8.
[9/29/16 18:06:37:189 UTC] 00000026 console       I   The class path is /opt/ibm/wlp/bin/tools/ws-server.jar:/opt/ibm/wlp/bin/tools/ws-javaagent.jar:/opt/ibm/wlp/bin/tools/ws-javaagent.jar. 
[9/29/16 18:06:37:205 UTC] 00000026 console       I   Logging started. Rule Execution Server console version: Decision Server
[9/29/16 18:06:37:212 UTC] 00000026 console       I   Properties used for initialization: 
ilog.rules.res.HELP_INDEX = http://www.ibm.com/support/knowledgecenter/SSQP76_8.8.1/com.ibm.odm.dserver.rules.res.console/cshelp_resconsole.xml
ilog.rules.res.HELP_TOPIC = com.ibm.odm.dserver.rules.res.console
resconsole-logging-config-filename = resconsole-logging.properties
[9/29/16 18:06:37:282 UTC] 00000026 console       2   Properties: {org.apache.myfaces.AUTO_SCROLL=true, ilog.rules.res.HELP_TOPIC=com.ibm.odm.dserver.rules.res.console, ilog.rules.res.HELP_CONTEXT=http://www.ibm.com/support/knowledgecenter/SSQP76_8.8.1, org.apache.myfaces.COMPRESS_STATE_IN_SESSION=false, javax.faces.STATE_SAVING_METHOD=server, fileXomPersistenceDirectory=res_xom, org.apache.myfaces.SERIALIZE_STATE_IN_SESSION=false, calendarType=gregorian, distributed.mode=true, org.apache.myfaces.READONLY_AS_DISABLED_FOR_SELECTS=true, ilog.rules.res.RTS_CONTEXT=/teamserver, management.protocol=jmx, server-info-max-length=100, org.apache.myfaces.ADD_RESOURCE_CLASS=org.apache.myfaces.renderkit.html.util.DefaultAddResource, org.apache.myfaces.CHECK_EXTENSIONS_FILTER=false, org.jboss.jbossfaces.WAR_BUNDLES_JSF_IMPL=true, defaultDWConfiguration=factoryClassname=ilog.rules.res.persistence.impl.jdbc.IlrDatasourceTraceDAOFactory;JNDI_NAME=jdbc/resdatasource, persistenceType=datasource, filePersistenceDirectory=res_data, allowIframe=true, org.apache.myfaces.VALIDATE=false, org.apache.myfaces.NUMBER_OF_VIEWS_IN_SESSION=10, org.apache.myfaces.RESOURCE_VIRTUAL_PATH=/faces/myFacesExtensionResource, ilog.rules.res.SSP_CONTEXT=/testing, management.tcpip.timeout=20, ilog.rules.res.HELP_INDEX=http://www.ibm.com/support/knowledgecenter/SSQP76_8.8.1/com.ibm.odm.dserver.rules.res.console/cshelp_resconsole.xml, org.apache.myfaces.PRETTY_HTML=true, org.apache.myfaces.DETECT_JAVASCRIPT=false, ilog.rules.res.trace.DECISIONWAREHOUSE_CONFIGURATIONS=defaultDWConfiguration, xomPersistenceType=datasource, resconsole-logging-config-filename=resconsole-logging.properties, autoCreateSchema=false, management.tcpip.port=1883, ilog.rules.res.HTDS_CONTEXT=/DecisionService, org.apache.myfaces.ALLOW_JAVASCRIPT=true}
[9/29/16 18:06:39:206 UTC] 00000026 console       I   Reading Decision Warehouse configurations from web.xml
[9/29/16 18:06:39:223 UTC] 00000026 console       I   The Decision Warehouse configuration defaultDWConfiguration was loaded.
[9/29/16 18:06:39:231 UTC] 00000026 console       I   The trace DAO factory was initialized: ilog.rules.res.persistence.impl.jdbc.IlrDatasourceTraceDAOFactory
[9/29/16 18:06:39:861 UTC] 00000026 console       2   JMX implementation used: Sun
[9/29/16 18:06:39:985 UTC] 00000026 console       I   The initialization was successful. 1 RuleApps are available in the RES repository.

which is nice :-)
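The validation step above can be automated by comparing the traceSpecification requested in server.xml with the state Liberty reports in its TRAS0018I message. This is an added example, not part of the original post; the `<server>` wrapper and the function names are assumptions, and the log line is copied as printed in the excerpt above.

```python
import re
import xml.etree.ElementTree as ET

# <logging> element as shown on the page; the enclosing <server> element is
# added here only so that the fragment parses on its own.
SERVER_XML = """<server>
  <logging traceSpecification="com.ibm.rules.res.execution=all:com.ibm.rules.res.console=all"
           traceFileName="trace.log" maxFileSize="20" maxFiles="10" traceFormat="BASIC" />
</server>"""

# Lines copied from the page's trace.log excerpt, exactly as printed there.
TRACE_LOG = """[9/29/16 18:06:29:515 UTC] 0000001d id=         com.ibm.ws.logging.internal.TraceSpecification               I TRAS0018I: The trace state has been changed. The new trace state is *=info:com.ibm.rules.resconsole=all:com.ibm.rules.res.execution=all.
[9/29/16 18:06:31:667 UTC] 00000026 WebGroup      I   SRVE0169I: Loading Web Module: Rule Execution Server Console.
"""

# Captures the specification that follows "new trace state is", without the
# full stop that ends the message.
TRAS0018I = re.compile(r"TRAS0018I: .*new trace state is (\S+?)\.?\s*$")


def split_spec(spec):
    """Turn 'a=all:b=info' into {'a': 'all', 'b': 'info'}."""
    result = {}
    for item in spec.split(":"):
        item = item.strip()
        if item:
            component, _, level = item.partition("=")
            result[component] = level
    return result


def requested_spec(server_xml):
    """Trace specification asked for in the <logging> element of server.xml."""
    logging = ET.fromstring(server_xml).find("logging")
    if logging is None:
        return {}
    return split_spec(logging.get("traceSpecification", ""))


def active_spec(trace_log):
    """Specification from the last TRAS0018I message, i.e. the one in force."""
    active = {}
    for line in trace_log.splitlines():
        match = TRAS0018I.search(line)
        if match:
            active = split_spec(match.group(1))
    return active


def compare(requested, active):
    """Return (requested but not active, active but not requested).

    The '*' entry is ignored on the active side because Liberty always
    reports the default level for everything else.
    """
    missing = {c: lvl for c, lvl in requested.items() if active.get(c) != lvl}
    extra = {c: lvl for c, lvl in active.items()
             if c != "*" and c not in requested}
    return missing, extra


if __name__ == "__main__":
    missing, extra = compare(requested_spec(SERVER_XML), active_spec(TRACE_LOG))
    print("requested but not active:", missing)
    print("active but not requested:", extra)
```

On the excerpt as printed, the check reports `com.ibm.rules.res.console` as requested but not active, because the TRAS0018I line spells the component `com.ibm.rules.resconsole`.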

Source: -

IBM Business Process Manager - More Cookie Fun

Following this earlier post: -


I've been tinkering further with cookies, in the context of IHS and, as importantly, IBM BPM Advanced.

I'm running BPM on WebSphere Application Server (WAS) 8.5.5.10, and using the corresponding version of IHS and the WebSphere Plugin.

Having implemented my earlier suggestion: -

LoadModule headers_module modules/mod_headers.so
Header set Set-Cookie HttpOnly;Secure

things appeared to work ….

However, I did find that, in the context of BPM, the Business Process Choreographer (BPC) Explorer UI failed to render once this cookie trick was in place :-(

Whilst it appeared to work, I realised that the BPC login page never actually loaded; the browser would just "spin" through an apparently infinite redirection loop, with this going through the IHS logs: -

192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/faces/pages/Default.jsp?BPCTZ=-60 HTTP/1.1" 302 -
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/faces/pages/layouts/views/TaskInstanceListView.jsp HTTP/1.1" 302 -
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/faces/ibm_security_logout?logoutExitPage=/index.jsp HTTP/1.1" 302 -
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/index.jsp HTTP/1.1" 200 1049
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/faces/pages/Default.jsp?BPCTZ=-60 HTTP/1.1" 302 -
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/faces/pages/layouts/views/TaskInstanceListView.jsp HTTP/1.1" 302 -
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/faces/ibm_security_logout?logoutExitPage=/index.jsp HTTP/1.1" 302 -
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/index.jsp HTTP/1.1" 200 1049


repeatedly.

When I enabled tracing in WAS: -

*=info:com.ibm.ws.webcontainer*=all:com.ibm.wsspi.webcontainer*=all:HTTPChannel=all:GenericBNF=all:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all

( for the SupCluster JVM ), I saw this: -

[9/27/16 10:19:11:894 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:894 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:894 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:904 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:904 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:904 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:915 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:915 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:950 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:950 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10


which, to my simple mind, implied that the httponly cookie was somehow "choking" the SupCluster Web Container :-(

So I've spent the past day or so tinkering, and believe I have a viable solution.

I further modified httpd.conf and strategically placed the Header directive inside the Virtual Host that's used to configure IHS to listen on 8443 for HTTPS traffic: -

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule headers_module modules/mod_headers.so
Listen 8443
<VirtualHost *:8443>
        Header setifempty Set-Cookie HttpOnly;Secure
        SSLEnable
</VirtualHost>
KeyFile /opt/IBM/HTTPServer/BPM/ssl/keystore.kdb
SSLDisable


This is the only place where I modify the headers.

Note also that I'm using the setifempty verb rather than set or edit.

With this in place, I ran a series of tests for the BPM URLs via IHS: -

https://IBMCloud:8443/

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:06:16 GMT
Last-Modified: Fri, 24 Jun 2016 18:25:52 GMT
Etag: "da5-5360a4cf12c00"
Accept-Ranges: bytes
Content-Length: 3493
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html


https://IBMCloud:8443/foobar.html

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:06:30 GMT
Last-Modified: Thu, 29 Sep 2016 06:22:07 GMT
Etag: "15-53d9f7f3add59"
Accept-Ranges: bytes
Content-Length: 21
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html

https://IBMCloud:8443/ProcessAdmin/login.jsp

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:07:28 GMT
X-Powered-By: Servlet/3.0
Content-Length: 3906
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en-US


https://IBMCloud:8443/ProcessAdmin/ProcessAdmin/com.lombardisoftware.processadmin.ProcessAdmin/ProcessAdmin.jsp

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 09:55:23 GMT
X-Powered-By: Servlet/3.0
BPM_GENERIC_HEADER: SERVED
Last-Modified: Wed, 04 Jun 2014 09:44:06 GMT
Content-Length: 77122
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=99
Connection: Keep-Alive
Content-Type: text/css
Content-Language: en-US


https://IBMCloud:8443/ProcessPortal/login.jsp

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:07:43 GMT
X-Powered-By: Servlet/3.0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Content-Language: en-US


https://IBMCloud:8443/ProcessPortal/dashboards/TWP/BPM_WORK?tw.local.view=tasks&tw.local.state=open

HTTP/1.1 302 Found
Date: Thu, 29 Sep 2016 08:18:04 GMT
X-Powered-By: Servlet/3.0
Location: https://IBMCloud:8443/ProcessPortal/jsp/index.jsp#%2Fdashboards%2FTWP%2FBPM_WORK?tw.local.view=tasks&tw.local.state=open
Content-Length: 0
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en-US


https://IBMCloud:8443/PerformanceAdmin/login.jsp

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:08:12 GMT
X-Powered-By: Servlet/3.0
Content-Length: 2255
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en-US


https://IBMCloud:8443/PerformanceAdmin/console/Welcome.do

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:48:06 GMT
X-Powered-By: Servlet/3.0
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Language: en-US


https://IBMCloud:8443/bpc/faces/pages/Login.jsp

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:08:30 GMT
X-Powered-By: Servlet/3.0
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oam.Flash.RENDERMAP.TOKEN=kdtlsujc7; Path=/bpc; Secure; HttpOnly
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Content-Language: en-US


https://IBMCloud:8443/bpc/faces/pages/layouts/views/TaskInstanceListView.jsp

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:16:29 GMT
X-Powered-By: Servlet/3.0
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oam.Flash.RENDERMAP.TOKEN=kdtlsujcf; Path=/bpc; Secure; HttpOnly
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Content-Language: en-US

Some of my inspiration came from here: -


Wednesday, 21 September 2016

How can IBM Business Process Manager capabilities be exposed in an internet facing deployment?

This IBM Technote: -


has the latest ( as of August 2016 ) position on the oft vexing question about using IBM BPM for internet-facing solutions: -

<snip>
Question

How can IBM Business Process Manager capabilities be exposed in an internet facing deployment?

Cause

Introduction
IBM Business Process Manager is a powerful process development platform - designed to allow business analysts to model process flows and user interface elements in a single package. In order to achieve this goal, there must be compromises for example in functional scope and programming model:

• While most business analysts will be happy not to have to deal with all complexities of software development, programmers will likely observe a lack of control in certain areas.
• Similarly, creating coaches by dragging and dropping reusable components from a palette on a canvas is great, but does not provide the level of control that is required for pixel perfect user interfaces.
While the simplified programming model allows you to build applications with reasonable security, it is not on the same level as a lower level application development environment which for example gives you full control over HTTP requests. Also, the simplified programming model allows you to take shortcuts to build functional, but less secure applications.
</snip>

Please review the Technote for the full IBM position ...

Tuesday, 20 September 2016

IBM HTTP Server - Securing Cookies

The question of secured cookies has arisen recently, where a security penetration test identified a potential risk of cookies being exposed in the clear.

Specifically, this relates to cookies that pass through the IBM HTTP Server web server.

Whilst one would expect the application tier ( in our case, WebSphere Application Server ) to secure cookies, such as the JSESSIONID cookie: -

<snip>
An even more dangerous yet subtle problem with using the HTTP session for security is that the session cookie (JSESSIONID) is usually created before a user authenticates -- typically when they first access the site. At this point, the cookie is often sent in the clear over HTTP. Once the user authenticates, most applications will switch to HTTPS for all future traffic (protecting cookies and content) -- but the JSESSIONID cookie could already have been stolen because an attacker could have captured the cookie when it was initially sent over HTTP. In addition to the obvious point of not using the HTTP session for security, the risk of stealing an HTTP session can be reduced by enabling session security and restricting the LTPA cookie to HTTPS, as discussed earlier.

In addition, cookies created by your applications should be Secure (restricted to HTTPS), and all cookies should be marked HTTPOnly, with a possible exception (which needs to be documented, and signed off in a design review) where an application explicitly requires it to function because of client side JavaScript needing access to the cookie.
</snip>


However, as a potential mitigation, it's also possible to instruct the web tier to secure cookies, just in case the application developer ( or WAS administrator ) neglects to so do.

This was my source: -


I'm using IBM HTTP Server 8.5.5.10, which is based upon Apache 2.2

/opt/IBM/HTTPServer/bin/apachectl -V

<snip>
Server version: IBM_HTTP_Server/8.5.5.10 (Unix)
Apache version: 2.2.8 (with additional fixes)

</snip>

By inspecting the HTTP headers in the response from IHS to my browser ( Firefox using the builtin Web Developer tools ), I was able to see that the HttpOnly and Secure flags were NOT set by default: -

HTTP/1.1 304 Not Modified
Date: Tue, 20 Sep 2016 07:47:34 GMT
Connection: Keep-Alive
Keep-Alive: timeout=10, max=97
Etag: "df-5360a4cf12c00"

It was necessary to load the mod_headers module in the IHS httpd.conf and then add a Header directive to enforce secure cookies: -

LoadModule headers_module modules/mod_headers.so
Header set Set-Cookie HttpOnly;Secure


Once I restarted IHS, and rechecked the response, I could see the additional Set-Cookie header: -

HTTP/1.1 304 Not Modified
Date: Tue, 20 Sep 2016 07:41:30 GMT
Connection: Keep-Alive
Keep-Alive: timeout=10, max=99
Etag: "4a0-5360a4cf12c00"
Set-Cookie: HttpOnly;Secure


The job, as they say, is a good 'un
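How a browser splits the `Set-Cookie: HttpOnly;Secure` header produced by the directive in this post, and how the `set` and `setifempty` verbs used in the 29 September post above treat a cookie the application has already set, can be checked offline. This is an added example, not code from the original posts; the function names and the JSESSIONID sample value are assumptions.

```python
# Added example (not from the original posts). Models how a Set-Cookie value
# is split into a cookie and its attributes, and how mod_headers' "set" and
# "setifempty" verbs treat a Set-Cookie header that is already present.

REQUIRED = (("secure", "Secure"), ("httponly", "HttpOnly"))

# Header value produced by the page's Header directives.
DIRECTIVE_VALUE = "HttpOnly;Secure"
# Cookie set by BPC Explorer itself, copied from the page's response headers.
BPC_COOKIE = "oam.Flash.RENDERMAP.TOKEN=kdtlsujc7; Path=/bpc; Secure; HttpOnly"
# Constructed sample: an application cookie that arrives without either flag.
APP_COOKIE = "JSESSIONID=0000example; Path=/"


def parse_set_cookie(value):
    """Return (name, value, attrs) for one Set-Cookie header value.

    The first ';'-separated segment is the name=value pair and every later
    segment is an attribute. A first segment without '=' names no cookie, so
    the attributes that follow it are attached to no real cookie.
    """
    segments = [s.strip() for s in value.split(";")]
    name, sep, val = segments[0].partition("=")
    if not sep:
        name, val = "", segments[0]
    attrs = {}
    for segment in segments[1:]:
        if segment:
            key, _, arg = segment.partition("=")
            attrs[key.strip().lower()] = arg.strip()
    return name.strip(), val.strip(), attrs


def audit(raw_headers):
    """Scan a raw response header block; return [(cookie, finding), ...]."""
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, val, attrs = parse_set_cookie(value)
        if not name:
            findings.append((val, "no name=value pair: flags protect no cookie"))
            continue
        missing = [label for key, label in REQUIRED if key not in attrs]
        if missing:
            findings.append((name, "missing " + ", ".join(missing)))
    return findings


def header_set(existing, value):
    """mod_headers 'set': any previous header of the same name is replaced."""
    return [value]


def header_setifempty(existing, value):
    """mod_headers 'setifempty': set only when no such header exists yet."""
    return list(existing) if existing else [value]


def harden(cookie):
    """Append whichever of Secure / HttpOnly a real cookie is missing.

    This is the outcome the guidance quoted in the post asks for; rewriting
    an existing header value is what the 'edit' verb of mod_headers is for.
    """
    name, _, attrs = parse_set_cookie(cookie)
    if not name:
        return cookie
    extra = [label for key, label in REQUIRED if key not in attrs]
    return "; ".join([cookie.rstrip("; ")] + extra)


if __name__ == "__main__":
    print(audit("Set-Cookie: " + DIRECTIVE_VALUE))
    print(audit("Set-Cookie: " + BPC_COOKIE))
    print(header_set([APP_COOKIE], DIRECTIVE_VALUE))
    print(header_setifempty([APP_COOKIE], DIRECTIVE_VALUE))
    print(harden(APP_COOKIE))
```

The BPC responses on this page pass the audit only because the application sent `Secure; HttpOnly` on its own cookie; the flag-only header attaches those attributes to no named cookie.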


Thursday, 15 September 2016

IBM Operational Decision Manager - Running Decision Center on WebSphere Liberty Profile on Windows

This is yet another Work-In-Progress, and reflects my current obsession with WebSphere Liberty Profile: -


So today's challenge ( well, it was yesterday but that's not important right now ) was to coach a colleague to build out an IBM ODM Decision Center environment on Windows.

This is for a local development / test environment, rather than anything more "serious".

Thus I decided to see whether I could use WebSphere Liberty Profile and, whilst I was at it, use Apache Derby as a database, instead of my usual favourite, DB2.

The answer is …. "YES I CAN"

I downloaded Liberty from here: -


and Derby from here: -


having previously installed ODM Advanced 8.7: -

"c:\IBM\Installation Manager\eclipse\tools\imcl.exe" listInstalledPackages

com.ibm.cic.agent_1.8.5000.20160506_1125
com.ibm.websphere.odm.dc.v87_8.7.0.20141114_0935


using an IBM Installation Manager response file: -

installODM4WLP.rsp

<?xml version='1.0' encoding='UTF-8'?>
<agent-input>
  <server>
    <repository location='C:\temp\odm87\DEC_CENTER_WIN_32_64_BITS_V8.7_ML\DC' temporary='true'/>
  </server>
  <profile id='Operational Decision Manager V8.7' installLocation='C:\Program Files\IBM\ODM87'>
    <data key='cic.selector.arch' value='x86_64'/>
    <data key='user.lic.dc' value='full'/>
  </profile>
  <install>
    <!-- Decision Center 8.7.0.0 -->
    <offering profile='Operational Decision Manager V8.7' id='com.ibm.websphere.odm.dc.v87' version='8.7.0.20141114_0935' features='jdk,base,Rule Solutions for Office,com.ibm.wdc.rules.samples.feature,Documentation,com.ibm.wbdm.dts.wlp.feature'/>
  </install>
  <preference name='com.ibm.cic.common.core.preferences.eclipseCache' value='c:\IBM\IBMIMShared'/>
</agent-input>

having previously installed IBM Installation Manager 1.8.5 : -

installIIM185Win.rsp

<?xml version='1.0' encoding='UTF-8'?>
<agent-input>
  <server>
    <repository location='c:\temp\iim\' temporary='true'/>
  </server>
  <profile id='IBM Installation Manager' installLocation='C:\IBM\Installation Manager\eclipse' kind='self'>
    <data key='eclipseLocation' value='C:\IBM\Installation Manager\eclipse'/>
    <data key='user.import.profile' value='false'/>
    <data key='cic.selector.nl' value='de,no,fi,ru,hr,fr,hu,sk,sl,sv,ko,el,en,pt_BR,it,iw,zh,es,cs,ar,zh_HK,zh_TW,th,ja,pl,da,tr,nl'/>
    <data key='cic.selector.os' value='win32'/>
    <data key='cic.selector.arch' value='x86_64'/>
    <data key='cic.selector.ws' value='win32'/>
  </profile>
  <install modify='false'>
    <offering profile='IBM Installation Manager' id='com.ibm.cic.agent' version='1.8.5000.20160506_1125' features='agent_core,agent_jre' installFixes='none'/>
  </install>
  <preference name='com.ibm.cic.common.core.preferences.connectTimeout' value='30'/>
  <preference name='com.ibm.cic.common.core.preferences.readTimeout' value='45'/>
  <preference name='com.ibm.cic.common.core.preferences.downloadAutoRetryCount' value='0'/>
  <preference name='offering.service.repositories.areUsed' value='true'/>
  <preference name='com.ibm.cic.common.core.preferences.ssl.nonsecureMode' value='false'/>
  <preference name='com.ibm.cic.common.core.preferences.http.disablePreemptiveAuthentication' value='false'/>
  <preference name='http.ntlm.auth.kind' value='NTLM'/>
  <preference name='http.ntlm.auth.enableIntegrated.win32' value='true'/>
  <preference name='com.ibm.cic.common.core.preferences.preserveDownloadedArtifacts' value='true'/>
  <preference name='com.ibm.cic.common.core.preferences.keepFetchedFiles' value='false'/>
  <preference name='PassportAdvantageIsEnabled' value='false'/>
  <preference name='com.ibm.cic.common.core.preferences.searchForUpdates' value='false'/>
  <preference name='com.ibm.cic.agent.ui.displayInternalVersion' value='false'/>
  <preference name='com.ibm.cic.common.sharedUI.showErrorLog' value='true'/>
  <preference name='com.ibm.cic.common.sharedUI.showWarningLog' value='true'/>
  <preference name='com.ibm.cic.common.sharedUI.showNoteLog' value='true'/>
</agent-input>


Note that I specifically focused on the element of Decision Center that's focused upon WebSphere Liberty Profile, rather than the more widely used set of binaries for WebSphere Application Server Full Profile.

Specifically, I took two WAR files: -

14/09/2016  16:10        97,006,199 decisioncenter.war
14/09/2016  16:10       101,334,161 teamserver.war


and, having unpacked Liberty onto my Windows desktop - C:\Users\Administrator\Desktop - I copied the DC JAR files into the apps folder of the defaultServer instance - C:\Users\Administrator\Desktop\wlp\usr\servers\defaultServer\apps.

I re-used the server.xml from the ODM on Liberty on Docker lab, edited for Decision Center only: -

<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">

    <!-- Enable features -->
    <featureManager>
        <feature>servlet-3.1</feature>
        <feature>jsp-2.3</feature>
        <feature>jdbc-4.1</feature>
        <feature>appSecurity-2.0</feature>
        <feature>jaxrs-1.1</feature>
        <feature>concurrent-1.0</feature>
        <feature>jndi-1.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <httpSession cookieName="DCSESSIONID"
        invalidateOnUnauthorizedSessionRequestException="true" />

    <!-- To access this server from a remote client add a host attribute to
         the following element, e.g. host="*" -->
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080"
        httpsPort="9443" />

    <jdbcDriver id="DerbyEmbedded" libraryRef="DerbyLib" />
    <library id="DerbyLib" filesetRef="DerbyFileset" />
    <fileset id="DerbyFileset" dir="${shared.resource.dir}/derby"
        includes="derby.jar" />

    <!-- RTS data source -->
    <dataSource id="derbyEmbedded" isolationLevel="TRANSACTION_READ_COMMITTED"
        jndiName="jdbc/ilogDataSource" jdbcDriverRef="DerbyEmbedded">
        <properties.derby.embedded databaseName="${shared.resource.dir}/data/rtsdb"
            createDatabase="create" user="rtsdbUser" password="rtsdbUser" />
    </dataSource>

    <webContainer deferServletLoad="false"
        enableDefaultIsElIgnoredInTag="true" enableJspMappingOverride="true" />

    <!-- Web application security -->
    <basicRegistry id="basic" realm="customRealm">

        <!-- RTS users and groups -->
        <user name="rtsAdmin" password="rtsAdmin" />
        <user name="rtsConfig" password="rtsConfig" />
        <user name="rtsUser1" password="rtsUser1" />
        <user name="Eli" password="Eli" />
        <user name="Val" password="Val" />
        <group name="rtsAdministrator">
            <member name="rtsAdmin" />
        </group>
        <group name="rtsInstaller">
            <member name="rtsAdmin" />
        </group>
        <group name="rtsConfigManager">
            <member name="rtsConfig" />
        </group>
        <group name="rtsUser">
            <member name="rtsUser1" />
            <member name="Eli" />
            <member name="Val" />
        </group>
        <group name="Validator">
            <member name="Val" />
        </group>
        <group name="Eligibility">
            <member name="Eli" />
            <member name="Val" />
        </group>
    </basicRegistry>

    <!-- Decision Center -->
    <application type="war" id="decisioncenter" name="decisioncenter"
        location="${server.config.dir}/apps/decisioncenter.war">
        <application-bnd>
            <security-role name="rtsAdministrator">
                <group name="rtsAdministrator" />
            </security-role>
            <security-role name="rtsInstaller">
                <group name="rtsInstaller" />
            </security-role>
            <security-role name="rtsConfigManager">
                <group name="rtsConfigManager" />
            </security-role>
            <security-role name="rtsUser">
                <group name="rtsUser" />
            </security-role>
            <security-role name="Eligibility">
                <group name="Eligibility" />
            </security-role>
            <security-role name="Validator">
                <group name="Validator" />
            </security-role>
        </application-bnd>
    </application>

    <!-- Team Server -->
    <application type="war" id="teamserver" name="teamserver"
        location="${server.config.dir}/apps/teamserver.war">
        <application-bnd>
            <security-role name="rtsAdministrator">
                <group name="rtsAdministrator" />
            </security-role>
            <security-role name="rtsInstaller">
                <group name="rtsInstaller" />
            </security-role>
            <security-role name="rtsConfigManager">
                <group name="rtsConfigManager" />
            </security-role>
            <security-role name="rtsUser">
                <group name="rtsUser" />
            </security-role>
            <security-role name="Eligibility">
                <group name="Eligibility" />
            </security-role>
            <security-role name="Validator">
                <group name="Validator" />
            </security-role>
        </application-bnd>
    </application>

    <!-- Business console -->
    <application type="war" id="decisioncenter" name="decisioncenter"
        location="${server.config.dir}/apps/decisioncenter.war">
        <classloader delegation="parentLast" />
        ...
    </application>

    <!-- Enterprise console -->
    <application type="war" id="teamserver" name="teamserver"
        location="${server.config.dir}/apps/teamserver.war">
        <classloader delegation="parentLast" />
        ...
    </application>

</server>

I then started the default server instance: -

c:\Users\Administrator\Desktop\wlp\bin\server start

Starting server defaultServer.
Server defaultServer started.


checked the logs: -

C:\Users\Administrator\Desktop\wlp\usr\servers\defaultServer\logs\console.log

Launching defaultServer (WebSphere Application Server 16.0.0.2/wlp-1.0.13.cl160220160526-2258) on Java HotSpot(TM) Client VM, version 1.8.0_91-b15 (en_GB)
[AUDIT   ] CWWKE0001I: The server defaultServer has been launched.
[AUDIT   ] CWWKE0100I: This product is licensed for development, and limited production use. The full license terms can be viewed here: https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/license/base_ilan/ilan/16.0.0.2/lafiles/en.html
[ERROR   ] CWWKF0042E: A feature definition cannot  be found for the  concurrent-1.0 feature.  Try running the command, bin/installUtility install concurrent-1.0,  to install the feature. Alternatively, you can run the command, bin/installUtility install defaultServer,  to install all features that are referenced by this configuration.
[ERROR   ] CWWKF0042E: A feature definition cannot  be found for the  jaxrs-1.1 feature.  Try running the command, bin/installUtility install jaxrs-1.1,  to install the feature. Alternatively, you can run the command, bin/installUtility install defaultServer,  to install all features that are referenced by this configuration.
[AUDIT   ] CWWKZ0058I: Monitoring dropins for applications. 
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://w2k8.uk.ibm.com:9080/teamserver/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://w2k8.uk.ibm.com:9080/decisioncenter/
[WARNING ] Locale name in faces-config.xml null or empty, setting locale to default locale : en_GB
[AUDIT   ] CWWKZ0001I: Application teamserver started in 29.162 seconds.
[AUDIT   ] CWWKF0012I: The server installed the following features: [jsp-2.3, servlet-3.1, ssl-1.0, jndi-1.0, distributedMap-1.0, appSecurity-2.0, jdbc-4.1, el-3.0].
[AUDIT   ] CWWKF0011I: The server defaultServer is ready to run a smarter planet.
[WARNING ] [dc] Solr index directory 'c:\temp\solr.data3444738204048276327.dir\index' doesn't exist. Creating new index...
[AUDIT   ] CWWKZ0022W: Application decisioncenter has not started in 30.150 seconds.
[AUDIT   ] CWWKZ0001I: Application decisioncenter started in 33.371 seconds.
[WARNING ] The database does not contain a project. Import a project or contact your administrator.


C:\Users\Administrator\Desktop\wlp\usr\servers\defaultServer\logs\messages.log

********************************************************************************
product = WebSphere Application Server 16.0.0.2 (wlp-1.0.13.cl160220160526-2258)
wlp.install.dir = C:/Users/Administrator/Desktop/wlp/
java.home = C:\Program Files (x86)\Java\jre1.8.0_91
java.version = 1.8.0_91
java.runtime = Java(TM) SE Runtime Environment (1.8.0_91-b15)
os = Windows Server 2008 R2 (6.1; x86) (en_GB)
process = 2832@w2k8
...
[15/09/16 14:29:41:998 BST] 00000020 com.ibm.ws.webcontainer.servlet                              I SRVE0242I: [decisioncenter] [/decisioncenter] [dispatcher]: Initialization successful.
[15/09/16 14:29:42:050 BST] 00000020 com.ibm.ws.app.manager.AppMessageHelper                      A CWWKZ0001I: Application decisioncenter started in 33.371 seconds.
[15/09/16 14:30:27:852 BST] 00000024 com.ibm.ws.webcontainer.servlet                              I SRVE0242I: [teamserver] [/teamserver] [/login.jsp]: Initialization successful.
[15/09/16 14:31:12:299 BST] 00000034 com.ibm.ws.webcontainer.servlet                              I SRVE0242I: [teamserver] [/teamserver] [/index.jsp]: Initialization successful.
[15/09/16 14:31:42:097 BST] 0000004f com.ibm.ws.webcontainer.servlet                              I SRVE0242I: [decisioncenter] [/decisioncenter] [/WEB-INF/views/login.jsp]: Initialization successful.
[15/09/16 14:31:52:506 BST] 00000024 com.ibm.ws.webcontainer.servlet                              I SRVE0242I: [teamserver] [/teamserver] [ConnectServlet]: Initialization successful.
[15/09/16 14:31:53:001 BST] 00000038 com.ibm.ws.recoverylog.spi.RecoveryDirectorImpl              I CWRLS0010I: Performing recovery processing for local WebSphere server (defaultServer).
[15/09/16 14:31:53:044 BST] 00000038 com.ibm.ws.recoverylog.spi.RecoveryDirectorImpl              I CWRLS0012I: All persistent services have been directed to perform recovery processing for this WebSphere server (defaultServer).
[15/09/16 14:31:53:067 BST] 00000038 com.ibm.ws.jca.cm.ConnectorService                           I J2CA8050I: An authentication alias should be used instead of defining a user name and password on dataSource[derbyEmbedded].
[15/09/16 14:31:53:168 BST] 00000052 com.ibm.tx.jta.impl.RecoveryManager                          I WTRN0135I: Transaction service recovering no transactions.
[15/09/16 14:31:54:386 BST] 00000038 com.ibm.ws.rsadapter.spi.InternalGenericDataStoreHelper      I DSRA8203I: Database product name : Apache Derby
[15/09/16 14:31:54:390 BST] 00000038 com.ibm.ws.rsadapter.spi.InternalGenericDataStoreHelper      I DSRA8204I: Database product version : 10.12.1.1 - (1704137)
[15/09/16 14:31:54:391 BST] 00000038 com.ibm.ws.rsadapter.spi.InternalGenericDataStoreHelper      I DSRA8205I: JDBC driver name  : Apache Derby Embedded JDBC Driver
[15/09/16 14:31:54:391 BST] 00000038 com.ibm.ws.rsadapter.spi.InternalGenericDataStoreHelper      I DSRA8206I: JDBC driver version  : 10.12.1.1 - (1704137)
[15/09/16 14:31:56:314 BST] 00000038 org.springframework.web.method.HandlerMethod                 W The database does not contain a project. Import a project or contact your administrator.
[15/09/16 14:31:56:441 BST] 00000038 com.ibm.ws.webcontainer.servlet                              I SRVE0242I: [decisioncenter] [/decisioncenter] [/WEB-INF/views/error.jsp]: Initialization successful.


and confirmed that I could log into Team Server: -


and Decision Center: -

Now off to author some rules in Rule Designer and connect to Decision Center ...

Wednesday, 7 September 2016

IBM Operational Decision Manager - Running it on WebSphere Liberty Profile on Docker - And finally

Following my earlier two posts: -


I've now added the Decision Service WAR to the Liberty build, allowing me to test my Rule Services via SOAP and REST, providing the Hosted Transformation Decision Service (HTDS) capability.

This is what I now have in server.xml: -

<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">

    <!-- Enable features -->
    <featureManager>
        <feature>servlet-3.1</feature>
        <feature>jsp-2.3</feature>
        <feature>jdbc-4.1</feature>
        <feature>appSecurity-2.0</feature>
        <feature>jaxrs-1.1</feature>
        <feature>concurrent-1.0</feature>
        <feature>jndi-1.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <httpSession cookieName="DCSESSIONID"
        invalidateOnUnauthorizedSessionRequestException="true" />

    <!-- To access this server from a remote client add a host attribute to
         the following element, e.g. host="*" -->
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080"
        httpsPort="9443" />

    <jdbcDriver id="DerbyEmbedded" libraryRef="DerbyLib" />
    <library id="DerbyLib" filesetRef="DerbyFileset" />
    <fileset id="DerbyFileset" dir="${shared.resource.dir}/derby"
        includes="derby.jar" />
    <!-- RES data source -->
    <dataSource id="jdbc/resdatasource" jndiName="jdbc/resdatasource"
        jdbcDriverRef="DerbyEmbedded">
        <properties databaseName="${shared.resource.dir}/data/resdb"
            createDatabase="create" user="resdbUser" password="resdbUser" />
    </dataSource>
    <!-- RTS data source -->
    <dataSource id="derbyEmbedded" isolationLevel="TRANSACTION_READ_COMMITTED"
        jndiName="jdbc/ilogDataSource" jdbcDriverRef="DerbyEmbedded">
        <properties.derby.embedded databaseName="${shared.resource.dir}/data/rtsdb"
            createDatabase="create" user="rtsdbUser" password="rtsdbUser" />
    </dataSource>

    <!-- Managed executor service for Decision Runner -->
    <managedExecutorService jndiName="concurrent/drExecutorService" />

    <webContainer deferServletLoad="false"
        enableDefaultIsElIgnoredInTag="true" enableJspMappingOverride="true" />

    <!-- Web application security -->
    <basicRegistry id="basic" realm="customRealm">
        <!-- RES users and groups -->
        <user name="resAdmin" password="resAdmin" />
        <user name="resDeploy" password="resDeploy" />
        <user name="resMonitor" password="resMonitor" />
        <group name="resAdministrators">
            <member name="resAdmin" />
        </group>
        <group name="resDeployers">
            <member name="resAdmin" />
            <member name="resDeploy" />
        </group>
        <group name="resMonitors">
            <member name="resAdmin" />
            <member name="resDeploy" />
            <member name="resMonitor" />
        </group>

        <!-- RTS users and groups -->
        <user name="rtsAdmin" password="rtsAdmin" />
        <user name="rtsConfig" password="rtsConfig" />
        <user name="rtsUser1" password="rtsUser1" />
        <user name="Eli" password="Eli" />
        <user name="Val" password="Val" />
        <group name="rtsAdministrator">
            <member name="rtsAdmin" />
        </group>
        <group name="rtsInstaller">
            <member name="rtsAdmin" />
        </group>
        <group name="rtsConfigManager">
            <member name="rtsConfig" />
        </group>
        <group name="rtsUser">
            <member name="rtsUser1" />
            <member name="Eli" />
            <member name="Val" />
        </group>
        <group name="Validator">
            <member name="Val" />
        </group>
        <group name="Eligibility">
            <member name="Eli" />
            <member name="Val" />
        </group>
    </basicRegistry>

    <!-- RES console -->
    <application type="war" id="res" name="res"
        location="${server.config.dir}/apps/res.war">
        <application-bnd>
            <security-role name="resAdministrators">
                <group name="resAdministrators" />
            </security-role>
            <security-role name="resDeployers">
                <group name="resDeployers" />
            </security-role>
            <security-role name="resMonitors">
                <group name="resMonitors" />
            </security-role>
        </application-bnd>
    </application>

    <!-- Decision Center -->
    <application type="war" id="decisioncenter" name="decisioncenter"
        location="${server.config.dir}/apps/decisioncenter.war">
        <application-bnd>
            <security-role name="rtsAdministrator">
                <group name="rtsAdministrator" />
            </security-role>
            <security-role name="rtsInstaller">
                <group name="rtsInstaller" />
            </security-role>
            <security-role name="rtsConfigManager">
                <group name="rtsConfigManager" />
            </security-role>
            <security-role name="rtsUser">
                <group name="rtsUser" />
            </security-role>
            <security-role name="Eligibility">
                <group name="Eligibility" />
            </security-role>
            <security-role name="Validator">
                <group name="Validator" />
            </security-role>
        </application-bnd>
    </application>

    <!-- Team Server -->
    <application type="war" id="teamserver" name="teamserver"
        location="${server.config.dir}/apps/teamserver.war">
        <application-bnd>
            <security-role name="rtsAdministrator">
                <group name="rtsAdministrator" />
            </security-role>
            <security-role name="rtsInstaller">
                <group name="rtsInstaller" />
            </security-role>
            <security-role name="rtsConfigManager">
                <group name="rtsConfigManager" />
            </security-role>
            <security-role name="rtsUser">
                <group name="rtsUser" />
            </security-role>
            <security-role name="Eligibility">
                <group name="Eligibility" />
            </security-role>
            <security-role name="Validator">
                <group name="Validator" />
            </security-role>
        </application-bnd>
    </application>

    <!-- SSP -->
    <application type="war" id="testing" name="testing"
        location="${server.config.dir}/apps/testing.war">
        <application-bnd>
            <security-role name="resAdministrators">
                <group name="resAdministrators" />
            </security-role>
            <security-role name="resDeployers">
                <group name="resDeployers" />
            </security-role>
        </application-bnd>
    </application>

    <!-- Decision Runner -->
    <application type="war" id="DecisionRunner" name="DecisionRunner"
        location="${server.config.dir}/apps/DecisionRunner.war">
        <application-bnd>
            <security-role name="resAdministrators">
                <group name="resAdministrators" />
            </security-role>
            <security-role name="resDeployers">
                <group name="resDeployers" />
            </security-role>
        </application-bnd>
    </application>

    <!-- Business console -->
    <application type="war" id="decisioncenter" name="decisioncenter"
        location="${server.config.dir}/apps/decisioncenter.war">
        <classloader delegation="parentLast" />
        ...
    </application>

    <!-- Enterprise console -->
    <application type="war" id="teamserver" name="teamserver"
        location="${server.config.dir}/apps/teamserver.war">
        <classloader delegation="parentLast" />
        ...
    </application>

    <!-- HTDS -->
    <application type="war" id="DecisionService" name="DecisionService"
        location="${server.config.dir}/apps/DecisionService.war">
    </application>

</server>



and the logs confirm that Decision Service is now running: -

Launching defaultServer (WebSphere Application Server 8.5.5.9/wlp-1.0.12.cl50920160227-1523) on IBM J9 VM, version pxa6480sr3-20160428_01 (SR3) (en_US)
[AUDIT   ] CWWKE0001I: The server defaultServer has been launched.
[AUDIT   ] CWWKE0100I: This product is licensed for development, and limited production use. The full license terms can be viewed here: https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/license/base_ilan/ilan/8.5.5.9/lafiles/en.html
[AUDIT   ] CWWKG0093A: Processing configuration drop-ins resource: /opt/ibm/wlp/usr/servers/defaultServer/configDropins/defaults/keystore.xml
[AUDIT   ] CWWKZ0058I: Monitoring dropins for applications. 
[AUDIT   ] CWWKS4104A: LTPA keys created in 1.779 seconds. LTPA key file: /opt/ibm/wlp/output/defaultServer/resources/security/ltpa.keys
[AUDIT   ] CWPKI0803A: SSL certificate created in 5.991 seconds. SSL key file: /opt/ibm/wlp/output/defaultServer/resources/security/key.jks
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://cf93bfdacb28:9080/testing/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://cf93bfdacb28:9080/res/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://cf93bfdacb28:9080/DecisionService/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://cf93bfdacb28:9080/DecisionRunner/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://cf93bfdacb28:9080/teamserver/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://cf93bfdacb28:9080/decisioncenter/
[AUDIT   ] CWWKZ0001I: Application DecisionService started in 18.475 seconds.
[AUDIT   ] CWWKZ0001I: Application testing started in 18.593 seconds.
[AUDIT   ] CWWKZ0001I: Application DecisionRunner started in 19.447 seconds.
[AUDIT   ] CWWKZ0001I: Application res started in 19.868 seconds.
[AUDIT   ] CWWKZ0001I: Application teamserver started in 20.632 seconds.
[WARNING ] [dc] Solr index directory '/tmp/solr.data4281916500924696159.dir/index' doesn't exist. Creating new index...
[AUDIT   ] CWWKZ0022W: Application decisioncenter has not started in 30.007 seconds.
[AUDIT   ] CWWKF0012I: The server installed the following features: [jsp-2.3, concurrent-1.0, servlet-3.1, ssl-1.0, jndi-1.0, json-1.0, distributedMap-1.0, appSecurity-2.0, jdbc-4.1, jaxrs-1.1, el-3.0].
[AUDIT   ] CWWKF0011I: The server defaultServer is ready to run a smarter planet.
[AUDIT   ] CWWKZ0001I: Application decisioncenter started in 31.085 seconds.

and this is what I see: -





and my WSDL: -


accessible via SoapUI: -
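
An added example, not part of the original posts: both server.xml files above define basicRegistry users whose passwords equal their user names, put data source credentials inline (the J2CA8050I message in messages.log), and set host="*" on the httpEndpoint. The Python sketch below flags those patterns before such a lab configuration is reused elsewhere; the SAMPLE input, its placeholder password values and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down server.xml using the element names from the posts.
SAMPLE = """<server description="new server">
  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
  <dataSource id="derbyEmbedded" jndiName="jdbc/ilogDataSource" jdbcDriverRef="DerbyEmbedded">
    <properties.derby.embedded databaseName="rtsdb" createDatabase="create"
        user="rtsdbUser" password="rtsdbUser" />
  </dataSource>
  <basicRegistry id="basic" realm="customRealm">
    <user name="rtsAdmin" password="rtsAdmin" />
    <user name="rtsConfig" password="{hash}CONSTRUCTED-PLACEHOLDER" />
    <user name="Val" password="{xor}CONSTRUCTED-PLACEHOLDER" />
    <group name="rtsAdministrator"><member name="rtsAdmin" /></group>
    <group name="rtsInstaller"><member name="rtsAdmin" /></group>
  </basicRegistry>
</server>"""


def password_state(name, password):
    """Describe a weak password attribute value, or return None if acceptable."""
    if password is None or password.startswith(("{hash}", "{aes}")):
        return None  # absent, or stored hashed / AES-encoded
    if password.startswith("{xor}"):
        return "only XOR-obfuscated (reversible)"
    return "plaintext and equal to the user name" if password == name else "plaintext"


def audit(xml_text):
    """Return (element, id, finding) tuples for risky settings in a server.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for registry in root.iter("basicRegistry"):
        # Map users to their groups so each weak password is reported with its reach.
        groups = {}
        for group in registry.iter("group"):
            for member in group.iter("member"):
                groups.setdefault(member.get("name"), []).append(group.get("name"))
        for user in registry.iter("user"):
            name = user.get("name")
            state = password_state(name, user.get("password"))
            if state:
                member_of = ", ".join(groups.get(name, [])) or "none"
                findings.append(("user", name, f"password is {state}; groups: {member_of}"))
    for ds in root.iter("dataSource"):
        # Liberty logs J2CA8050I for this; credentials belong in an authentication alias.
        if any(c.tag.startswith("properties") and c.get("password") is not None for c in ds):
            findings.append(("dataSource", ds.get("id"), "user/password defined inline"))
    for endpoint in root.iter("httpEndpoint"):
        port = endpoint.get("httpPort", "9080")  # 9080 is the default endpoint's HTTP port
        if endpoint.get("host") == "*" and port != "-1":
            findings.append(("httpEndpoint", endpoint.get("id"),
                             f"plain HTTP port {port} listens on all interfaces"))
    return findings


if __name__ == "__main__":
    for element, ident, finding in audit(SAMPLE):
        print(f"{element:12} {str(ident):20} {finding}")
```

The {xor}, {aes} and {hash} prefixes it recognises are the encodings written by Liberty's securityUtility encode command.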


Fun with OpenSSL Certificate Requests and space characters in Subject Names

I've got a command within a Dockerfile that generates a Certificate Service Request, via the openssl req command. This references an ...