Thursday, 30 June 2016

Ubuntu Linux and the growing file-system

A friend asked me how to resize a disk partition ( virtual disk ) in an Ubuntu VM on VMware.

This is what I did: -

Look at the existing disk layout

df -kmh

Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1        19G  3.6G   15G  20% /
none            4.0K     0  4.0K   0% /sys/fs/cgroup
udev            478M  4.0K  478M   1% /dev
tmpfs            98M  1.5M   97M   2% /run
none            5.0M     0  5.0M   0% /run/lock
none            489M  216K  489M   1% /run/shm
none            100M   32K  100M   1% /run/user
/dev/sdb1       4.8G   10M  4.6G   1% /installs

Look at the underlying disk "drive"

fdisk /dev/sdb

Command (m for help): p

Disk /dev/sdb: 5368 MB, 5368709120 bytes
181 heads, 40 sectors/track, 1448 cylinders, total 10485760 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9844eb8f

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048    10485759     5241856   83  Linux

In VMware Fusion, I have TWO virtual disks

The second drive - Virtual Disk 2.vmdk - is the one in which I'm interested

Increase it from 5 GB to 10 GB, with the Linux VM shut down

With this result

Now check the file-system in Linux

df -kmh

Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1        19G  3.6G   15G  21% /
none            4.0K     0  4.0K   0% /sys/fs/cgroup
udev            478M  4.0K  478M   1% /dev
tmpfs            98M  1.5M   97M   2% /run
none            5.0M     0  5.0M   0% /run/lock
none            489M  144K  489M   1% /run/shm
none            100M   28K  100M   1% /run/user
/dev/sdb1       4.8G   10M  4.6G   1% /installs

fdisk /dev/sdb

Command (m for help): p

Disk /dev/sdb: 10.7 GB, 10737418240 bytes
181 heads, 40 sectors/track, 2896 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9844eb8f

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048    10485759     5241856   83  Linux

Nothing has changed, you cry

Now we delete the old partition :-)

Command (m for help): d
Selected partition 1

and then create a new one

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 
Using default value 1
First sector (2048-20971519, default 2048): 
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-20971519, default 20971519): 
Using default value 20971519

Note that the new partition starts at the same sector - 2048 - which is what preserves the existing file-system, but that the end sector is ~2x ( increased from 10,485,759 to 20,971,519 )

Write the new partition table

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.

Error-check the file-system

e2fsck -f /dev/sdb1 

e2fsck 1.42.9 (4-Feb-2014)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/sdb1: 11/327680 files (0.0% non-contiguous), 55902/1310464 blocks

Resize the file-system

resize2fs /dev/sdb1 

resize2fs 1.42.9 (4-Feb-2014)
Resizing the filesystem on /dev/sdb1 to 2621184 (4k) blocks.
The filesystem on /dev/sdb1 is now 2621184 blocks long.

Mount the file-system

mount -a

Look at the new disk layout

df -kmh

Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1        19G  3.7G   15G  21% /
none            4.0K     0  4.0K   0% /sys/fs/cgroup
udev            478M  4.0K  478M   1% /dev
tmpfs            98M  1.5M   97M   2% /run
none            5.0M     0  5.0M   0% /run/lock
none            489M  144K  489M   1% /run/shm
none            100M   28K  100M   1% /run/user
/dev/sdb1       9.8G   12M  9.2G   1% /installs

Job, as they say, is a good 'un
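As an added example (not part of the original post), here is a small sanity check a practitioner can run before pressing `w` in fdisk: it confirms the recreated partition keeps the original first sector and reaches the disk's last sector, and predicts the 4k block counts that e2fsck and resize2fs print above. The sector numbers are the ones fdisk shows on this page; no device is touched.

```sh
#!/bin/sh
# Added example (not part of the original post): sanity-check a
# delete-and-recreate partition plan like the one above before the
# table is written, and predict what resize2fs will report.  The
# numbers are those printed by fdisk on this page; no device is
# touched, so it runs anywhere.

# Number of 4 KiB ext4 blocks in a span of 512-byte sectors
# (8 sectors per block), i.e. the figure e2fsck/resize2fs print.
ext4_blocks_4k() {
  start=$1; end=$2
  echo $(( (end - start + 1) / 8 ))
}

# Returns 0 only when the new partition keeps the old first sector
# (moving it would shift the file-system away from the offset the
# superblock is expected at, and the data would be lost) and ends on
# the disk's last sector so that no space is wasted.  Prints a reason
# on stderr otherwise.
check_plan() {
  old_start=$1; new_start=$2; new_end=$3; total_sectors=$4
  last=$(( total_sectors - 1 ))
  if [ "$new_start" -ne "$old_start" ]; then
    echo "refusing: first sector moved from $old_start to $new_start" >&2
    return 1
  fi
  if [ "$new_end" -ne "$last" ]; then
    echo "refusing: last sector $new_end does not reach disk end $last" >&2
    return 1
  fi
  return 0
}

# Walk through the post's numbers: old /dev/sdb1 on the 5 GB disk,
# new /dev/sdb1 on the 10 GB disk (20971520 sectors in total).
old_start=2048; old_end=10485759
new_start=2048; new_end=20971519; total_sectors=20971520

if check_plan "$old_start" "$new_start" "$new_end" "$total_sectors"; then
  echo "plan ok: $(ext4_blocks_4k "$old_start" "$old_end") -> $(ext4_blocks_4k "$new_start" "$new_end") 4k blocks"
fi
```

The block counts it prints (1310464 and 2621184) are exactly the figures e2fsck and resize2fs report in the post, which is a quick way to confirm the new table covers the whole enlarged disk.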

With thanks to this: -

WebSphere Application Server, TLS 1.2 and DB2

It's been a day for old blog posts helping to fix new problems.

Today, we saw this: -

CWSIS1593I: The messaging engine, ME_UUID=E997A9EFA09498FC, INC_UUID=6DC2A53AD19710D7, has failed to gain an initial lock on the data store.
CWSIS1538I: The messaging engine, ME_UUID=E997A9EFA09498FC, INC_UUID=6DC2A53AD19710D7, is attempting to obtain an exclusive lock on the data store.

which led me here: -

However the resolution - to sort out the SIB tables - did NOT help.

However we also saw this: -

MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the 
          return code "402" in "sqlccSSLSocketSetup".

in the DB2 diagnostic log.

This second post was of immense use: -

as it confirmed that rc402 means: -

0x00000192     402     GSK_ERROR_NO_CIPHERS     Neither SSLV2 nor SSLV3 is enabled.

We're using a Dynamic outbound endpoint SSL configuration set up between WAS and DB2, which ensures that specific connections, on specific ports, go via a specific SSL Configuration, and use TLS 1.2 and strong SSL ciphers.

This is an interim fix, before we enable TLS 1.2 and the strong ciphers across the entire WAS cell.

For some yet-to-be-explained reason, even though we had the fully-qualified hostname ( host plus domain ) of the DB2 servers, something was forcing WAS to use the short-name ( hostname ) instead.

Of course, the Dynamic SSL configuration was ONLY configured for the FQDN, and NOT for the short-name.

Once the short-names of the DB2 boxes ( we have an HADR pair ) were applied, WAS worked a treat.

Easy when you know how ….

My Cognos has fallen AGAIN and can't get up

We saw this problem: -

CAM-CRP-1280 An error occurred while trying to decrypt using the system protection key. Reason: javax.crypto.BadPaddingException: Given final block not properly padded 

again today, on another IBM Business Monitor environment.

Again, it was due to our moving an AIX LPAR from one p780 server to another.

So there's something in Cognos that REALLY loves the underlying hardware, assumedly an AES encryption key.

Still, the solution was the same - force the Cognos configuration under Monitor to rebuild.

Thankfully, my previous blog post: -

helped immensely.

Friday, 24 June 2016

F5 BIG-IP - More learning, more tinkering, more blogging

I'm continuing to learn more about the F5, in my quest to really understand how it all works, in the context of solving a tricksy little SSL handshake problem between an LTM and an IBM HTTP Server box.

Here's a few commands that I've used: -

tmsh show /ltm node

Ltm::Node: (
  Availability   : unknown
  State          : enabled
  Reason         : Node address does not have service checking enabled
  Monitor        : none
  Monitor Status : unchecked
  Session Status : enabled
Traffic                ServerSide  General
  Bits In                       0        -
  Bits Out                      0        -
  Packets In                    0        -
  Packets Out                   0        -
  Current Connections           0        -
  Maximum Connections           0        -
  Total Connections             0        -
  Total Requests                -        0
  Current Sessions              -        0

tmsh show ltm pool all members field-fmt |grep "ltm\ pool\|active-member-cnt\|addr\|monitor-status"

ltm pool {
    active-member-cnt 1
            monitor-status up

Plus this: -

Wednesday, 22 June 2016

WebSphere Plugin and the Case of the GSK_ERROR_BAD_KEYFILE_PASSWORD

We've seen a few instances where the WebSphere Plugin fails to communicate, via SSL, with WAS.

This manifests itself as Error 500 / HTTP500 when accessing WAS via IHS, using hostname OR service name.

Long story short, it looks like the Plugin SSL configuration files are getting "borked" by something.

The plugin log shows this: -

[22/Jun/2016:13:14:40.16292] 00d3008c 00000001 - ERROR: lib_security: logSSLError: str_security (gsk error 408):  GSK_ERROR_BAD_KEYFILE_PASSWORD
[22/Jun/2016:13:14:40.16294] 00d3008c 00000001 - ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment. Secure transports are not possible.

One symptom is that you cannot query the keystore using the gskcapicmd command, as per this: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db plugin-key.kdb -stashed

which returns: -

CTGSK3026W The key file "plugin-key.kdb" does not exist or cannot be read.
CTGSK2016W An invalid database password was encountered.

The same error occurs if you use the correct keystore password e.g. WebAS.

We saw this problem even when we deleted the .KDB and .STH files ( see below ), and propagated them from the WAS cell via the Deployment Manager.

The problem appears to be related to the use of the gskcapicmd command to create certificate requests.

I *think* that, at some point, someone has created certificate requests for the Plugin, which has updated one or more of the related configuration files.

There are a number of files in play here: -

plugin-cfg.xml    Configuration file, generated by WAS, and propagated from the Deployment Manager to the IHS box
plugin-key.kdb    CMS key database, holding BOTH personal AND signer certificates ( keys and trusts )
plugin-key.sth    Encrypted stashed password file
plugin-key.crl    Certificate Revocation List
plugin-key.rdb    Certificate Request Database

As a test, we moved the .CRL and .RDB files into a different subdirectory, leaving just the .xml, .kdb and .sth files in place.

We were then able to query the .KDB without problems: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db plugin-key.kdb -stashed

Certificates found
* default, - personal, ! trusted, # secret key
!       ", OU=RootCertificate, OU=test, OU=dmgr, O=ibm, O=co, C=uk"
-       default

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db plugin-key.kdb -pw WebAS

Certificates found
* default, - personal, ! trusted, # secret key
!       ", OU=RootCertificate, OU=test, OU=dmgr, O=ibm, O=co, C=uk"
-       default

I did some more testing, moving the .CRL and .RDB files back and forth, and have concluded that it IS the .RDB file that "breaks" things.

Once we ended up with JUST the .XML, .KDB and .STH files in place ( in /opt/ibm/WebSphere/Plugins/config/ ), I was able to successfully navigate to WAS via IHS.

Bottom line, there's no need to use the IHS GSK commands ( gskcapicmd ) to request certificates for the WebSphere Plugin in the context of WAS.

If we need a personal WAS certificate, we can generate the Certificate Request using Jython scripts or the ISC, and WAS will take care of updating the KDB etc.

This is different to Plugin -> IBM Integration Bus, where there's no WAS to manage things for us.

The only time we'd ever need to use gskcapicmd against the Plugin KDB would be if we wanted to mark the WAS personal certificate as default, in order to ensure that it was used for Plugin -> WAS connectivity, in the context of Mutual Authentication etc ( via the -setdefault command ).
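As an added example (not part of the original post or of IBM's tooling), this is the check I would script for the situation above: inventory a Plugin config directory and flag any file beyond plugin-cfg.xml, plugin-key.kdb and plugin-key.sth, since the post found that a leftover plugin-key.rdb is what stops GSKit opening the key database. It builds throw-away directories of empty placeholder files, so it runs anywhere without touching a real /opt/ibm/WebSphere/Plugins/config/ tree.

```sh
#!/bin/sh
# Added example (not part of the original post): lint a WebSphere
# Plugin config directory for the leftover GSKit files the post
# identified (plugin-key.rdb, plugin-key.crl).  Fixture directories
# are constructed with empty files; nothing real is modified.

# Prints "ok" when exactly the three expected files are present and
# nothing else named plugin-key.* sits beside them.  Otherwise prints
# one "missing: <file>" or "unexpected: <file>" line per problem and
# returns 1, so it can gate a deployment step.
check_plugin_dir() {
  dir=$1
  rc=0
  for required in plugin-cfg.xml plugin-key.kdb plugin-key.sth; do
    if [ ! -f "$dir/$required" ]; then
      echo "missing: $required"
      rc=1
    fi
  done
  for f in "$dir"/plugin-key.*; do
    [ -e "$f" ] || continue            # no match: the glob stayed literal
    case ${f##*/} in
      plugin-key.kdb|plugin-key.sth) ;;
      *) echo "unexpected: ${f##*/}"; rc=1 ;;
    esac
  done
  if [ "$rc" -eq 0 ]; then echo ok; fi
  return "$rc"
}

# Build a temporary directory holding empty files with the given names.
make_fixture() {
  d=$(mktemp -d)
  for f in "$@"; do : > "$d/$f"; done
  echo "$d"
}

# Demonstrate both states described in the post: the broken directory
# (with .crl and .rdb present) and the working one (.xml, .kdb, .sth only).
broken=$(make_fixture plugin-cfg.xml plugin-key.kdb plugin-key.sth plugin-key.crl plugin-key.rdb)
good=$(make_fixture plugin-cfg.xml plugin-key.kdb plugin-key.sth)
echo "broken layout:"; check_plugin_dir "$broken" || true
echo "fixed layout:";  check_plugin_dir "$good"   || true
rm -rf "$broken" "$good"
```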

F5 Load Balancing - My first few forays

I'm currently working on a situation whereby HTTPS load-balancing is intermittently failing against IBM HTTP Server 8.5.5.

To help me help the client's network team debug this, I've been tinkering with an F5 Local Traffic Manager (LTM) using VMware Fusion on my Mac.

I found a slew of excellent articles on the F5 site including: -

Load balancing got its start in the form of network-based load balancing hardware. It is the essential foundation on which Application Delivery Controllers (ADCs) operate. The second iteration of purpose-built load balancing (following application-based proprietary systems) materialized in the form of network-based appliances. These are the true founding fathers of today's ADCs. Because these devices were application-neutral and resided outside of the application servers themselves, they could load balance using straightforward network techniques. In essence, these devices would present a "virtual server" address to the outside world, and when users attempted to connect, they would forward the connection to the most appropriate real server doing bi-directional network address translation (NAT).

Monitors determine the availability and performance of devices, links, and services on a network. Health monitors check the availability. Performance monitors check the performance and load. If a monitored device, link, or service does not respond within a specified timeout period, or the status indicates that performance is degraded or that the load is excessive, the BIG-IP system can redirect the traffic to another resource.

More importantly, this link: -

was just what I needed to get a developer version of F5 VE installed and working.

I ended up with a working F5 Health Monitor probing my IHS server ( on a different Linux VM ), over SSL.

Two things that made a difference: -

(1) Getting the RIGHT cipher

openssl ciphers -v

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5 
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5 
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5 
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

Note that this particular version of the F5 software does NOT support my preferred ECDHE/RSA/GCM ciphers :-(

On my VM, I am running: -

BIG-IP 11.3.0 Build 39.0 VE Trial 11.3.0-HF1 (based on BIGIP 11.3.0HF6)
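As an added example (not part of the original post or of F5's tooling), here is a shell audit of an `openssl ciphers -v` listing such as the one above: it classifies each suite by the export, protocol, cipher and MAC fields and builds the colon-separated list of what remains, which is the form a monitor's cipherlist takes instead of DEFAULT. The sample lines are a constructed excerpt of the output printed on this page, and the classification rules are this example's own (SSLv2-only, export-grade, RC4, single DES, MD5 MACs and 3DES are all long deprecated).

```sh
#!/bin/sh
# Added example (not part of the original post): audit the suites an
# `openssl ciphers -v` run reports, in the format shown above, and
# separate the ones a defender would still allow from the ones to drop.
# SAMPLE_CIPHERS is a constructed excerpt of this page's listing.

SAMPLE_CIPHERS='DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export'

# Classify one `openssl ciphers -v` line.  Prints "weak <reason>" or
# "acceptable".  The rules are this example's own; the order matters
# only for which reason gets reported when several apply.
classify_cipher() {
  line=$1
  case $line in
    *" export"*|*"Kx="*"(512)"*) echo "weak export-grade"; return ;;
  esac
  case $line in *" SSLv2 "*)  echo "weak SSLv2-only"; return ;; esac
  case $line in *"Enc=RC4("*)  echo "weak RC4";        return ;; esac
  case $line in *"Enc=DES("*)  echo "weak single-DES"; return ;; esac
  case $line in *"Mac=MD5"*)   echo "weak MD5-MAC";    return ;; esac
  case $line in *"Enc=3DES("*) echo "weak 3DES";       return ;; esac
  echo "acceptable"
}

# Count the acceptable lines in a listing; prints the number.
count_acceptable() {
  printf '%s\n' "$1" | while IFS= read -r l; do
    [ -n "$l" ] || continue
    if [ "$(classify_cipher "$l")" = "acceptable" ]; then echo x; fi
  done | wc -l | tr -d ' '
}

# Print the acceptable suite names (first field of each line) as an
# OpenSSL-style colon-separated list, ready for a cipherlist setting.
acceptable_list() {
  printf '%s\n' "$1" | while IFS= read -r l; do
    [ -n "$l" ] || continue
    if [ "$(classify_cipher "$l")" = "acceptable" ]; then printf '%s\n' "${l%% *}"; fi
  done | paste -s -d ':' -
}

# Report on the sample listing: one verdict per suite, then the summary.
printf '%s\n' "$SAMPLE_CIPHERS" | while IFS= read -r l; do
  printf '%-24s %s\n' "${l%% *}" "$(classify_cipher "$l")"
done
echo "acceptable: $(count_acceptable "$SAMPLE_CIPHERS") of 6"
echo "cipherlist: $(acceptable_list "$SAMPLE_CIPHERS")"
```

Against the full listing above it leaves only the AES/Camellia CBC suites with SHA1 MACs, which shows concretely why the author's preferred ECDHE/RSA/GCM suites are missing from this build rather than merely disabled.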

(2) Getting the Monitor configuration correct

Specifically, the send string and the expected receive string are mega-important

tmsh list ltm monitor https

ltm monitor https davehttps {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from https
    destination *:pcsync-https
    interval 5
    recv 200
    send "GET /index.html HTTP/1.1\\r\\nHost:\\r\\nConnection: Close\\r\\n\\r\\n"
    time-until-up 0
    timeout 16
}

I inferred the send string using openssl on the device itself: -

openssl s_client -connect

and pasted this string: -

GET /index.html HTTP/1.1
Connection: Close

into the terminal, and pressed [Enter].

This returned, in part: -

HTTP/1.1 200 OK
Date: Wed, 22 Jun 2016 05:26:41 GMT
Last-Modified: Tue, 06 Jan 2015 17:02:04 GMT
ETag: "da5-50bfec4265b00"
Accept-Ranges: bytes
Content-Length: 3493

which confirms the recv string of 200 ( HTTP 200 OK ).

Now my IHS server is showing regular GET requests from the F5 Monitor: -

- - [22/Jun/2016:06:26:54 +0100] "GET /index.html HTTP/1.1" 200 3493
- - [22/Jun/2016:06:26:59 +0100] "GET /index.html HTTP/1.1" 200 3493
- - [22/Jun/2016:06:27:04 +0100] "GET /index.html HTTP/1.1" 200 3493
- - [22/Jun/2016:06:27:09 +0100] "GET /index.html HTTP/1.1" 200 3493
- - [22/Jun/2016:06:27:14 +0100] "GET /index.html HTTP/1.1" 200 3493
- - [22/Jun/2016:06:27:19 +0100] "GET /index.html HTTP/1.1" 200 3493
- - [22/Jun/2016:06:27:24 +0100] "GET /index.html HTTP/1.1" 200 3493
- - [22/Jun/2016:06:27:29 +0100] "GET /index.html HTTP/1.1" 200 3493
- - [22/Jun/2016:06:27:34 +0100] "GET /index.html HTTP/1.1" 200 3493
- - [22/Jun/2016:06:27:39 +0100] "GET /index.html HTTP/1.1" 200 3493
- - [22/Jun/2016:06:27:44 +0100] "GET /index.html HTTP/1.1" 200 3493
- - [22/Jun/2016:06:27:49 +0100] "GET /index.html HTTP/1.1" 200 3493
- - [22/Jun/2016:06:27:54 +0100] "GET /index.html HTTP/1.1" 200 3493

in the access.log, one probe every five seconds, matching the monitor's interval.

Now I need to go and configure the F5 "front door" to allow me to actually send traffic to/through the load-balancer to the downstream IHS box.

These links were also of use: -

Monday, 20 June 2016

IBM BPM - Process Center and Unit Test Environment Together

This article from 2014: -

A stand-alone Process Center profile for IBM® Business Process Manager (BPM) is useful for situations where memory and disk space are limited. Rather than install the Process Center as a network deployment environment with at least three profiles running, plus an additional profile to support the unit test environment server, this article describes how a single profile can provide both a Process Center server and a unit test environment server. This content is part of the IBM Business Process Management Journal.

has been updated with a second article: -

A stand-alone Process Center profile for IBM® Business Process Manager (BPM) is useful in situations where memory and disk space are limited. In Part 1, you learned how to create a stand-alone Process Center Profile for Windows environments, and now in Part 2, learn the specific steps for a Linux environment. Rather than install the Process Center as a network deployment environment with at least three profiles running, plus an additional profile to support the unit test environment server, this series describes how a single profile can provide both a Process Center server and a unit test environment server.

Definitely worth a bookmark 

Wednesday, 15 June 2016

Achieve your API strategy with IBM API Connect

This from a former colleague of mine, Carlo Marcoli: -

To thrive in the API economy, you need to strategize your API approach and create, run, manage, and secure your APIs. With this dedicated focus on APIs, your company can share data and services in an easy-to-consume format. It can also create an ecosystem of partners and third parties that is much greater than the ecosystem you reach by using traditional channels. An effective API strategy treats an API as a business product with a well identified lifecycle, target market, and metrics for return on investment (ROI).

Wednesday, 8 June 2016

Webcast - Using IBM UrbanCode with IBM WebSphere to Accelerate Business Transformations

As found on Twitter today: -

Great news for WebSphere Application Server Administrators, IT Managers, Directors and anyone with challenges associated with deploying applications and configurations to WebSphere Application Server in its traditional version, Liberty or as a Service. IBM UrbanCode Deploy has WAS covered! IBM UrbanCode Deploy can reduce overall cycle times and accelerate time-to-test and time-to-market for clients. In this call, attendees will learn how to accelerate WAS deployments to cloud, optimize deployments everywhere, "keep the configuration in Synch", and how to take a manually configured environment (i.e. cell), capture all the configuration and easily reuse it. UrbanCode Deploy can even help you migrate from older to newer versions of WAS in a fraction of the time with UCD automation. Come learn from our experts how this combination is helping customers every day.

Announced - IBM WebSphere Application Server V9.0

Saw this today: -

WebSphere® Application Server V9.0, with its traditional and Liberty run times, continues to offer industry-leading, production-ready, standards-based Java™ EE 7 compliant architecture.

Highlights of Version 9.0 include:

• Certification to the Java EE 7 Web Profile and Java EE 7 Full Platform for WebSphere Application Server traditional, which provides assurance that applications leverage standards-compliant programming models. WebSphere Liberty was certified to Java EE 7 Web Profile and Full Platform in June, 2015.
• Ease of connecting existing on-premises applications with Bluemix® services, which include IBM Watson™ cognitive for optimal business outcomes.
• Enhanced support for creating, documenting, and discovering APIs, and also integrating with API platforms, such as IBM API Connect™.
• Significant improvements in software delivery lifecycle times through seamless integration into DevOps workflows. This enables continuous delivery and removes cross-team dependencies for deployment.
• Accelerated pace of development and deployment by taking advantage of container technology that includes IBM® Container Services and Docker container with support for Docker Data Center. This enables seamless deployment of WebSphere applications to best meet business needs.
• Increased flexibility to deploy WebSphere Application Server workloads with speed and agility on Pivotal Cloud Foundry, Amazon Web Services, Microsoft™ Azure, and Openshift, in addition to IBM Bluemix.
• New WebSphere Application Server on Bluemix, single-tenant offering, which provides an option for deploying WebSphere Application Server applications on an isolated, single-tenant hardware.
• New option to enable VMware customers to quickly provision new or scale existing workloads to the IBM Cloud. This enables clients who start locally and scale globally with cloud capabilities to scale more easily and also comply with data residency and other regulatory mandates.
• Updated WebSphere Extreme Scale that provides ease-of-use enhancements for caching to help improve response times for the most demanding applications and dramatically speed configurations.
• Use of Liberty App Accelerator to provide a quick start development of Java microservices. Spring Boot, Watson™ services, and other technologies can be used with Liberty App Accelerator to easily deploy projects to Bluemix.
• Best practices for creating new Java microservices by using Game On!, an exemplar application, which helps explore microservices concepts.

WebSphere Application Server V9.0 continues to offer the leading, open-standards-based application foundation for traditional workloads and also modern applications that tend to be delivered as services. It enables accelerated delivery of innovative applications with unmatched operational efficiency, reliability, administration, security, and control.

Planned availability date

June 24, 2016

Monday, 6 June 2016

Problems installing IBM Integration Designer - I *MUST* read my own blog

I was trying to install IBM Integration Designer 8.5.5 via a response file, and kept finding that the installation failed to complete, and that DB2 Express ( part of the IID WebSphere Test Environment - WTE ) failed to install.

I broke the installation down into its component parts, and tried to simply install DB2: -

"c:\IBM\Installation Manager\eclipse\tools\imcl.exe" -input z:\tmp\iid856\installDB2_WIN64.rsp -acceptLicense

This explicitly failed: -

ERROR: Error preparing IBM® DB2 Express 64 bit
  CRIMC1029E ERROR: Adding plug-in to repository C:\ProgramData\IBM\Installation Manager\bundles failed.
    CRIMC1085E ERROR: Resumable download failed for: z:\tmp\IID856\WTE_Disk\repository\DB2_64\plugins\
      ERROR: 'plug-in' does not exist (at z:\tmp\IID856\WTE_Disk\repository\DB2_64\plugins\ z:\tmp\IID856\WTE_Disk\repository\DB2_64\plugins\ (The systemcannot find the file specified)

I found this blog post: -

from early 2013.

It looked like there was some problem with the WAS fixes element of the installation.

Reading this IBM Technote: -

appeared to confirm that.

Therefore, I applied the same solution as before - re-extract the ZIP files that comprise the WTE: -

unzip /Volumes/DaveHaySSD/Software/IID856/ 
unzip /Volumes/DaveHaySSD/Software/IID856/ 
unzip /Volumes/DaveHaySSD/Software/IID856/ 
unzip /Volumes/DaveHaySSD/Software/IID856/ 

and also checked for the missing file: -

in the old expanded WTE: -

find /tmp/iid856.old/WTE_Disk/ | grep -i


find /tmp/iid856/WTE_Disk/ | grep -i


See the difference ?

Right, now for the installation ….

Friday, 3 June 2016

Bulletproof SSL and TLS

This time, it's not a book review, it's a book purchase …

I signed up for a free one-week introduction to SSL/TLS, partly to help me cement my understanding

At the end of it, I decided to purchase the author, Ivan's, book: -

which I've just downloaded as an ebook :-)

Something for the weekend ….

In the meantime, Ivan is available here on Twitter

IBM Global Security Toolkit - CTGSK2041W An unsupported modulus size was found.

I'm still tinkering with different ciphers and signature algorithms in IBM HTTP Server, as per this: -

and hit this today when attempting to create a self-signed certificate using the SHA256WithECDSA Signature Algorithm: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -size 2048 -dn ",dc=uk,dc=ibm,dc=com" -label -default_cert yes -sigalg SHA256WithECDSA

CTGSK2041W An unsupported modulus size was found.

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -size 1024 -dn ",dc=uk,dc=ibm,dc=com" -label -default_cert yes -sigalg SHA256WithECDSA

CTGSK2041W An unsupported modulus size was found.

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -size 512 -dn ",dc=uk,dc=ibm,dc=com" -label -default_cert yes -sigalg SHA256WithECDSA

[ No Message ]

Yep, it worked, as validated here: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed

Certificates found
* default, - personal, ! trusted, # secret key
! ad2008root

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -validate -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed

ad2008root : OK : OK : OK

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -label

Label :
Key Size : 512
Version : X509 V3
Serial : 71b3dcfd3e00e5d0
Issuer :,DC=uk,DC=ibm,DC=com
Subject :,DC=uk,DC=ibm,DC=com
Not Before : 2 June 2016 17:14:00 GMT+01:00
Not After : 3 June 2017 17:14:00 GMT+01:00

Signature Algorithm : EC_ecdsa_with_SHA256 (1.2.840.10045.4.3.2)

I then got deeper into the verification using openssl: -

openssl s_client -connect < /dev/null

Server Temp Key: ECDH, prime256v1, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 521 bit

    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256

and the SSLSleuth plugin for Firefox: -

Cipher suite
Key exchange: Elliptic curve Diffie-Hellman.
Authentication: ECDSA. 
Bulk cipher: AES GCM 128 bits.
HMAC: SHA-256. 
Perfect Forward Secrecy: Yes
SSL/TLS Version: TLSv1.2
Connection status: Secure
Extended validation: No
Signature: SHA-256/ECDSA
Key: 521 bits ECC
Common name:
Issued to:  
Issued by: 
Validity: 2 June 2016 -- 3 June 2017
Fingerprint: 0F:04:8F:94:F3:0D:72:12:C4:2A: 35:06:C5:6F:BD:17:2A:E1:9F:C9

which is nice.

Fun, Not With Flags, but with Passwords in IBM Installation Manager

I'm installing IBM Integration Designer (IID) 8.5.6 into a Windows VM, as I prepare to write some BPM Advanced SCA/BPEL code ….

However, I hit a pesky password problem with DB2, upon which the IID test environment ( BPM Advanced ) depends.

This is what I did: -

"c:\IBM\Installation Manager\eclipse\tools\imcl.exe" -input z:\tmp\iid856\installIID856.rsp -acceptLicense

and this is what I saw: -

ERROR: Error during "install" phase:
  ERROR: Password is required.

Installed to the C:\IBM\IntegrationDesigner\v8.5 directory.

In other words, IID does get installed, but nothing else does :-(

In my response file - installIID856.rsp - this is what I have in the context of DB2: -

    <data key='user.db2.admin.username' value='db2admin'/>
    <data key='user.db2.admin.password' value='P455w0rd!!'/>
    <data key='user.db2.port' value='50000'/>
    <data key='user.db2.use.existing' value='false'/>

So the trick is to encode ( "encrypt" ) the password …

This is documented here: -

In short, one needs to encode the password: -

"c:\IBM\Installation Manager\eclipse\tools\imutilsc.exe" -silent -nosplash encryptString P455w0rd!!!


and update the response file: -

    <data key='user.db2.admin.username' value='db2admin'/>
    <data key='user.db2.admin.password' value='xQCOAvaPmxemUA3E6gZ+AA=='/>
    <data key='user.db2.port' value='50000'/>
    <data key='user.db2.use.existing' value='false'/>

Once done, I uninstalled IID: -

C:\>"c:\IBM\Installation Manager\eclipse\tools\imcl.exe" uninstallAll

Uninstalled from the C:\IBM\IntegrationDesigner\v8.5 directory.

cleared down the contents of the directory structure, and re-ran the installation process: -

"c:\IBM\Installation Manager\eclipse\tools\imcl.exe" -input z:\tmp\iid856\installIID856.rsp -acceptLicense

Which always helps :-)

Microsoft Active Directory - SSL Certificate Request - And what I forgot

I was trying to generate an SSL certificate, signed by Active Directory ( on Windows Server 2008 R2 SP1 ), using the certreq command: -

certreq -submit -attrib "CertificateTemplate:Webserver"

which kept popping up with: -

and: -

Active Directory Enrollment Policy
Certificate Request Processor: The system cannot find the file specified. 0x80070002 (WIN32: 2)

I couldn't work out what I'd missed … until I opened up Server Manager … and realised that I had NOT added the appropriate Role - Active Directory Certificate Services - so my AD box was "only" acting as a DNS server and domain controller.

Once I did this, unsurprisingly it just worked: -

certreq -submit -attrib "CertificateTemplate:Webserver"

with: -

and: -

Active Directory Enrollment Policy
RequestId: 2
RequestId: "2"
Certificate retrieved(Issued) Issued

and a certificate :-)

Wednesday, 1 June 2016

More on IBM Integration Designer 8.5.5 - "Unable to get property isExists of undefined or null reference"

Following this post from last year: -

in which I write about the issue of installing IBM Integration Designer (IID) from a shared drive on a Windows server.

Most recently, I saw this whilst trying to install IID from a VMware Shared Folder, using VMware Fusion on my Mac, to a Windows 2008 Server R2 VM. I had previously unpacked the installation media into a directory on my Mac, and was hoping to install INTO the VM without needing to copy the source files INTO the VM.

Alas, that did not work, as per my previous post.

However, I've since found this: -

which says, in part: -

On the Microsoft Windows operating system, the LaunchPad always uses Internet Explorer regardless of the default browser that is set by the operating system user. The Internet Explorer default security constraints do not allow applications to access executable files on a remote disk.

which describes how to change IE security policies, albeit briefly, in order to support the installation from a remote "disk".

Which is nice :-)