More on the Global Security Toolkit (GSK) and OpenSSL on Linux

This is just a bunch of links right now, but has been extremely useful to me in the past few days …..

IBM SDK for Java 6 - Security information

https://www.ibm.com/developerworks/java/jdk/security/60/

IBM SDK Policy files

I needed to use this as I have a requirement to import 2048-bit SSL root/intermediate certificates into the SSL keystore for IBM HTTP Server, and IHS only supports 1024-bit certificates out-of-the-box

IBM's SDKs ship with strong but limited jurisdiction policy files. Unlimited jurisdiction policy files can be obtained from the link above. The ZIP file should be unpacked and the two JAR files placed in the JRE's jre/lib/security/ directory. These policy files are for use with IBM developed SDKs. The same files are used for the Version 1.4 and Version 5 SDKs. Details of downloads of unlimited jurisdiction policy files for the Solaris and HP platforms can be found in the IBM Security Guide for those platforms.

https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk

Key Management Utility command-line interface (gsk7cmd) syntax

This is somewhat self-explanatory, but extremely useful.

http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.ihs.doc/info/ihs/ihs/tihs_gsk7cmd.html

Migrating OpenSSL certificates from the Apache HTTP Server to the IBM HTTP Server KDB file

This was useful in helping me understand how to move certificates from one format to another e.g. PKCS12 to PEM etc.

http://www-01.ibm.com/support/docview.wss?uid=swg21283831

Setting up a public key infrastructure

This includes some examples of how to use gsk7cmd to view certificate details etc.

$ gsk7cmd -cert -details -db myBrokerTruststore.jks -label CACert

http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=/com.ibm.etools.mft.doc/ap34020_.htm

Can't receive certificate in Ikeyman: All the signer certificates must exist in the key database

This has some great examples of how to use the openssl command to look at certificates e.g.

$ openssl x509 -text -in certificate_from_certificateauthority.crt|grep Issuer:

http://publib.boulder.ibm.com/httpserv/ihsdiag/gather_certificate_doc.html#ALLSIGNERS

IBM HTTP Server and CentOS Linux - Global Security Toolkit (GSK) not playing nicely

I'm breaking new ground, at least for me, with SSL certificates etc. within IBM HTTP Server on a current project, and have been expanding my knowledge of the Global Security Toolkit (GSK) on my own CentOS environment.

I've written about CentOS and IBM software before so this is merely a continuation of the series :-)

So when I saw an exception trying to run certain GSK commands such as gsk7cmd, I immediately assumed that I might be missing a shared library of some sort.

I confirmed this by running: -

$ cd /opt/IBM/HTTPServer/bin

$ ./gsk7ver 

which returned: -

/opt/IBM/HTTPServer/gsk7/bin/gsk7ver: error while loading shared libraries: libstdc++.so.5: cannot open shared object file: No such file or directory

I fixed this by running: -

$ yum install libstdc++.so.5

and was then able to re-run GSK commands, including gsk7ver.

More to come …...

Installing Rational Software Architect 8.0.3 on CentOS Linux 6.2

More fun with CentOS, this time it's Rational Software Architect …

Initially, I saw the same sort of issues that I'd previously seen with IBM HTTP Server including: -

...

/bin/bash: /tmp/RSA803/RSA_SETUP/InstallerImage_linux_gtk_x86/install: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory

…

...
libgcc_s.so.1 must be installed for pthread_cancel to work

…

which I resolved with: -

$ sudo yum install ld-linux.so.2

and

$ sudo yum install libgcc_s.so.1

respectively.

However, I was still struggling, with errors such as: -

$ ./InstallerImage_linux_gtk_x86/installc -acceptLicense

CRIMA9C35370BE ERROR: The package IBM® Rational® Software Architect requires system library libstdc++.so.5 or libstdc++.so.6. Make sure libstdc++.so.5 or libstdc++.so.6 is available in the system library path before installing this package.

which I resolved with: -

$ yum install libstdc++.so.6

and: -

$ ./InstallerImage_linux_gtk_x86/installc -acceptLicense

java.io.IOException: Cannot run program "lsb_release": java.io.IOException: error=2, No such file or directory

which I resolved with: -

$ sudo yum install redhat-lsb

Finally, I needed to use strace as follows to dig into the additional missing packages e.g. 

$ strace -o /tmp/output.txt ./InstallerImage_linux_gtk_x86/installc -acceptLicense

which led me to install these additional packages: -

$ sudo yum install libX11.so.6
$ sudo yum install libgdk-x11-2.0.so.0
$ sudo yum install libpk-gtk-module.so
$ sudo yum install libcanberra-gtk-module.so

Having done that, the RSA 803 installation took 5-10 minutes.

Job done :-)

Got Portal, Get Connections - no, really, GET Connections NOW

We knew this was coming from around the Lotusphere 2012 timeframe, but it's taken a few weeks to make it into the official news e.g. an IBM Announcement Letter ( ULET )

IBM WebSphere Portal Server V7.0.0, IBM WebSphere Portal Enable V7.0.0, and IBM WebSphere Portal Extend V7.0.0 add entitlement to IBM Connections Files and IBM Connections Profiles

If you have IBM® WebSphere® Portal Server, IBM WebSphere Portal Enable, or IBM WebSphere Portal Extend on an active Passport Advantage® Software Subscription and Support contract, you are now entitled to use IBM Connections Files and IBM Connections Profiles. This entitlement lets users find experts and easily share content with other people.

With this new entitlement, you can access IBM Connections Profiles and IBM Connections Files capabilities directly or from within WebSphere Portal Server, WebSphere Portal Enable, or WebSphere Portal Extend. You can now more easily share your organization's collective knowledge.

IBM Connections Files allows users to easily share content with other people. It also allows you to make the content you create available so other people can easily find it, make recommendations, and share it.

IBM Connections Profiles helps users find the people they need by searching across the organization's content using tags to identify expertise, current projects, and responsibilities. It shares skills, interests, and organizational structure for others to discover and use to their benefit.

IBM WebSphere Portal web experience software offerings help organizations create highly customized, engaging, personalized web experiences. Each offers capabilities essential for delivering and sustaining exceptional online experiences, and now include use of social services that help you quickly locate the people and content you need.

See here for more information. There's also a PDF version available here.

SQL1041N The maximum number of concurrent databases have already been started

Saw this referenced in a thread on the IBM Connections Community Chat, moderated by the nice Mr Stuart McIntyre ( SocialStu ), and thought it was worth re-posting.

Problem(Abstract)

This technote explains how to resolve an SQL1041N error that can occur when trying to connect to an IBM® DB2® Test Datastore from IBM Rational® TestManager (TM).

Cause

The default number of databases that can be concurrently active (that is, have applications connected to them) is 8.

Resolving the problem

Change the number of databases that can be concurrently active to the desired number. The valid range is 1 to 256.

To change this number:

• Open the DB2 Control Center

• Expand All Systems -> [server name] -> Instances

• Right-click on the instance that you want to change (DB2 instance) and choose Configure Parameter from the pop-up menu

• Scroll down to NUMDB (under Environment)

• Change the value to the desired number

• Restart the DB2 service (Start -> Run -> services.msc)

As Stuart also pointed out, for those of us who (a) prefer command lines or (b) choose not to use DB2 Control Centre or (c) choose not to run DB2 on Windows, the NUMDB parameter can be set via the DB2 CLI: -

$ db2 update database manager configuration using numdb 15
$ db2stop
$ db2start
$ db2 get database manager configuration

( as the DB2 instance owner of the Connections - or other application - databases )

More on Lotus Notes 8.5.3 on the Mac - Pruning Preferences to Recover Crashes

Having twice managed to break my Notes installation by "fickering" around with the preferences - now one could say that this shouldn't cause the client to fail to start but …. ;-(

I *think* I created the problem by incorrectly setting the URL for the Activities client to: -

https://w3.ibm.com/connections/activities

rather than: -

https://w3-connections.ibm.com/activities

but I may be wrong :-)

Last time around, I managed to recover the client by clearing down the Workspace folder ( /Users/david_hay/Library/Application Support/Lotus Notes Data/Expeditor ), as per this blog post.

This time, I found a more quick and simple solution - I merely cleared down this folder: -

/Users/david_hay/Library/Application Support/Lotus Notes Data/Expeditor/Applications/.metadata/.plugins/org.eclipse.core.runtime/.settings

I'm still not 100% convinced that a configuration change should "break" the client quite so seriously but ….

WebSphere User Group - London - Wednesday 21 March

I may have mentioned this previously, but it's an event that's worth mentioning over and again.

The WebSphere User Group are having one of their UK meetings at IBM South Bank on Wednesday 21 March.

The full agenda etc. is available on the WUG site here and there's some great content being planned, including a session on the WebSphere Application Server 8.5 "Liberty Profile".

I'll be there, hope to see you there :-)