Encrypting the ID and Password for Websphere Application Server

By default, you need to supply the ID and password when starting up or shutting down the deployment manager, node or application server. Examples of the commands are shown below.

Deployment Manager
//bin/startManager.sh -username XXX -password XXX

Node
//bin/startNode.sh -username XXX -password XXX

Application Server
//bin/startServer.sh -username XXX -password XXX

The steps to encrypt the password and ID are as follows.

Insert the ID and password in clear text into the SOAP properties file at //properties/soap.client.props.

# grep SOAP.login soap.client.props | grep -v "#"
com.ibm.SOAP.loginUserid=wasadm
com.ibm.SOAP.loginPassword=wasadm
com.ibm.SOAP.loginSource=prompt

We use the IBM provided script to encode the password.

//bin/PropFilePasswordEncoder.sh //profiles/default/properties/soap.client.props com.ibm.SOAP.loginPassword -Backup

Taking a look at the same property file again, the password is now encrypted.

# grep SOAP.login soap.client.props | grep -v "#"
com.ibm.SOAP.loginUserid=wasadm
com.ibm.SOAP.loginPassword={xor}Es4zPjwS
com.ibm.SOAP.loginSource=prompt

Now we can start up and shut down WebSphere without supplying the password on the command line.

su wasadm -c "//bin/startManager.sh"
su wasadm -c "//bin/startNode.sh"
su wasadm -c "//bin/startServer.sh "

su wasadm -c "//bin/stopManager.sh"
su wasadm -c "//bin/stopNode.sh"
su wasadm -c "//bin/stopServer.sh "
end.

======================

Some trivia.
Why does IBM use XOR instead of a stronger algorithm, such as the 3DES that WebLogic uses? XOR is good enough only to prevent casual snooping.

Someone demonstrated that with an online decoder:

http://www.poweredbywebsphere.com/decoder.html

Change WebSphere Ports without Reinstalling

Scenario: you have WebSphere Application Server 7.1 installed as ND. If the cells are using the default ports on the same host and you want to access the different cells concurrently, you may want to change the ports on one of the cells.

1. Go to the master config repository for the server ports (the Dmgr profile directory).

2. Back up the current serverindex.xml.

3. Edit each of the ports in this file. (The Dmgr will use the new ports.)

4. Repeat this process for all nodes in the master repository (the node profile directories).

5. For all cells, back up virtualhosts.xml and edit all the ports. (The nodes will use these ports to connect with the Dmgr.)

6. Start the dmgr (startServer.sh).

7. For each node, execute a syncNode so that the nodes get their new port assignments from the master repository:

//bin/syncNode.sh

Use the new SOAP ports set in step #3.

8. Start up each node.

9. Start up each application server.

Confirm which new ports you want to use before you start.
To make them easier to remember, instead of the usual 80 you can try prefixing a digit, e.g. 9080, 19080, and so on.
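Before editing anything, it is worth confirming that the port set you intend to use does not collide with the other cell on the same host. The following added Python script is not part of the original post: it parses serverindex.xml files from two cells and reports every port both cells claim. The two XML fragments are constructed, trimmed samples that follow the serverindex.xml layout (serverEntries / specialEndpoints / endPoint).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed, trimmed serverindex.xml samples for two cells on one host.
# Real files list many more endpoints; only the element/attribute layout matters here.
CELL_A = """<?xml version="1.0" encoding="UTF-8"?>
<serverindex:ServerIndex xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:serverindex="http://www.ibm.com/websphere/appserver/schemas/5.0/serverindex.xmi"
    xmi:id="ServerIndex_1" hostName="washost">
  <serverEntries xmi:id="ServerEntry_1" serverName="server1" serverType="APPLICATION_SERVER">
    <specialEndpoints xmi:id="NamedEndPoint_1" endPointName="SOAP_CONNECTOR_ADDRESS">
      <endPoint xmi:id="EndPoint_1" host="washost" port="8880"/>
    </specialEndpoints>
    <specialEndpoints xmi:id="NamedEndPoint_2" endPointName="WC_defaulthost">
      <endPoint xmi:id="EndPoint_2" host="*" port="9080"/>
    </specialEndpoints>
  </serverEntries>
</serverindex:ServerIndex>"""

# Second cell (constructed): the HTTP port was moved to 19080 but the SOAP port was left at 8880.
CELL_B = CELL_A.replace('port="9080"', 'port="19080"')


def collect_endpoints(xml_text, cell):
    """Map each port in one serverindex.xml to the 'cell/server/endPointName' entries using it."""
    found = defaultdict(list)
    root = ET.fromstring(xml_text)
    for entry in root.iter("serverEntries"):
        server = entry.get("serverName")
        for named in entry.iter("specialEndpoints"):
            for ep in named.iter("endPoint"):
                # host "*" binds every address, so on a shared host only the port number matters
                found[int(ep.get("port"))].append(f"{cell}/{server}/{named.get('endPointName')}")
    return found


def find_port_clashes(cells):
    """cells: {cell_name: serverindex_xml}. Return [(port, [users...])] for ports claimed by >1 cell."""
    merged = defaultdict(list)
    for cell, text in cells.items():
        for port, users in collect_endpoints(text, cell).items():
            merged[port].extend(users)
    return sorted((port, users) for port, users in merged.items()
                  if len({u.split("/")[0] for u in users}) > 1)


if __name__ == "__main__":
    for port, users in find_port_clashes({"cellA": CELL_A, "cellB": CELL_B}):
        print(f"port {port} is claimed by more than one cell: {', '.join(users)}")
```

Run it against the real serverindex.xml of each cell (one file per node) before step 3, and again after editing, until it reports nothing.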

Access Controls and Virtual Hosts for WebSphere Application Server

WebSphere applications are assigned to virtual hosts during the installation and configuration process.

The virtual hosts are bound to one or more aliases (host names and ports), allowing a single application server to respond to multiple inbound request formats.

The virtual host aliases configured within WebSphere define the pattern-match possibilities for which the WebSphere application server will respond with data.

For example, suppose we have 7 aliases defined for a given virtual host ‘foo-app’ on the application server ‘fooserver’:

Virtual Host: ‘foo-app’
Hostname      Port
thisport      8080
thatport      8081
secureport    8443
secureport2   9443
otherport     10001
otherport2    10002
otherport3    10003

Hence, for any inbound request for ‘foo-app’, if the URL does not match an entry in the list above, the request is denied; otherwise the client gets access. The application server is the gatekeeper here.

Usually all default application server ports are removed from the ‘default_host’ virtual host as part of ‘hardening’, forcing all inbound requests to be channelled through a proxy mechanism.

Hence, you will not be able to access the application ‘foo-app’ directly if its default listening port is not in the list above, e.g. if ‘foo-app’ listens on 1234. To get to ‘foo-app’, you need to come in through one of the aliases above.

I use Apache in the web layer in front of WebSphere Application Server. You need to install the WebSphere proxy plug-in and generate the XML file.

When a client accesses the URL, the GET request reaches Apache, which then checks the request against the WebSphere proxy plug-in for the host or virtual host corresponding to the requested URL.

The WebSphere proxy plug-in has a list of valid WebSphere virtual hosts and virtual-host-associated resources. If the request matches, it is forwarded to the appropriate WebSphere application server. If it does not match, a 404 is generated.

Auto Restart Application Server by Node Agent

I learnt that in WebSphere Application Server 7, by default, the node agent will not take any action when an application server fails.

In order to get the node agent to monitor and automatically restart a failed application server instance, we must set up the monitoring policy for that application server.

Go to the deployment manager console, and do the following:

1. –> Java and Process Management –> Monitoring Policy
2. Check the “Automatic Restart” box
3. In the “Node Restart State”, set the state to “STOPPED”

Whenever you have a failed or killed application server, the node agent will now auto-restart it.

If the state is set to “RUNNING”, not only will the node agent restart a failed or killed application server, it WILL ALSO auto start the application server upon a node agent restart.

Setup an Oracle JDBC Data Source on WebSphere Application Server 7 Step-by-Step

Log in to the Admin Console of the running server, i.e. Window -> Show Views -> Servers | right-click the server -> Run Administration -> Run Administrative Console

Environment -> WebSphere variables

Find “ORACLE JDBC DRIVER PATH” in the Name column of the list (second page) and click its link

Set its “Value” to the directory (not the full path + filename) where your ojdbc6.jar resides on your file system

We can point this path at either a stand-alone ojdbc6.jar or the one shipped with the Oracle client packages, i.e. C:\app\\product\11.2.0\client_1

Click “Apply”, then “Save” (on top)

Back to WAS Admin Console, go to Security -> Global security

On “Authentication” panel, expand “Java Authentication and Authorization Service” -> J2C authentication data

Click “New”

Give it an alias name, i.e. Alias_Oracle, and input your current database’s credentials: User ID = your_db_username, Password = your_db_password

Click “Apply”, then “Save”

Go to Resources -> JDBC -> JDBC providers

Make sure that the right Scope has been selected, i.e. Node=DOMAINHOSTNAMENode01 or similar

Click “New” to create a new JDBC provider

Step 1: Select “Oracle” from “Database type” menu | Provider type = Oracle JDBC Driver | Implementation type = Connection pool data source

Leave the “Name” as default, i.e. “Oracle JDBC Driver”

Step 2: if you have set up the ORACLE JDBC DRIVER PATH correctly, the appropriate “Class path” to “ojdbc6.jar” should already be selected for you

Step 3: Summary, click “Finish”

Go to Resources -> JDBC -> Data sources

Make sure the right Scope is selected, i.e. Node=DOMAINHOSTNAMENode01 or similar

Click “New”

Step 1: Data source name = “Oracle JDBC Driver” | JNDI name = “jdbc/OracleDS”

Step 2: Select “Select an existing JDBC provider” = “Oracle JDBC Driver”

Step 3: URL = “jdbc:oracle:thin:@hostname:port:db_alias” | Data store helper class name = “Oracle11g data store helper”

Step 4: Component-managed authentication alias = DOMAINHOSTNAMENode01/Alias_Oracle

select “DefaultPrincipalMapping”

Step 5: Summary, click “Finish”

Back on “Data sources” screen, select the newly created data source and “Test connection”. If it succeeds, you are done

You can retrieve the data source programmatically:

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.sql.DataSource;

// JNDI lookup of the data source created above; the JNDI name must match step 1
Context initContext = new InitialContext();
DataSource dataSource = (DataSource) initContext.lookup("jdbc/OracleDS");

check if node is in sync with dmgr and take corrective actions using wsadmin tool

Today’s objective is to check whether WebSphere nodes are synchronized and take the respective actions depending on the results. I will try to be as clear as possible, so you won’t require any preparation to complete this task.

I will divide this into two sections. The first will show how to get information about a node’s synchronization status and how to invoke synchronization for that node. The second will describe the process of automating the first one and executing the same task for all of the nodes federated into our cell.

Please note that in our scenario the WebSphere environment has security enabled.

Section 1

First of all, locate the wsadmin tool on your host. It is located in /AppServer/bin

cd /AppServer/bin

Start wsadmin tool to connect to deployment manager

wsadmin.sh -host -port -conntype SOAP -username -password

If you provided correct values, similar output should appear on your screen, indicating a proper connection to the deployment manager

WASX7209I: Connected to process "dmgr" on node dmgr_node using SOAP connector; The
type of process is: DeploymentManager
WASX7029I: For help, enter: "$Help help"
wsadmin>

Assign the node’s object name to a variable. I have used node_name in this example, and my_node is the name of the node you would like to synchronize

set node_name [$AdminControl completeObjectName type=NodeSync,node=my_node,*]

You should see similar output if values are correct

wsadmin>set node_name [$AdminControl completeObjectName type=NodeSync,node=my_node,*]
WebSphere:mbeanIdentifier=nodeSync,cell=my_cell,process=nodeagent,name=nodeSync,platform=common,node=my_node,version=6.0.2.23,type=NodeSync

Now that we know the exact object name of the node, we can check whether it is in sync with the deployment manager

$AdminControl invoke $node_name isNodeSynchronized

If the node is in sync with the deployment manager, you will see the following output

wsadmin>$AdminControl invoke $node_name isNodeSynchronized
true
wsadmin>

Otherwise, proceed with the following to get the node synchronized with the dmgr

$AdminControl invoke $node_name sync

After the synchronization process finishes you should see similar output

wsadmin>$AdminControl invoke $node_name sync
true
wsadmin>

This is the end of section one, where we were able to check whether a node is synchronized with the deployment manager and to initiate the synchronization process.

Section 2

In this section I’ll focus on automating this process so we can check all of the nodes and take corrective action in case they are out of sync

First, you have to create a file where we can work on our script. Mine is called syncNodes.jacl

We need to set a list containing the nodes federated into the deployment manager. Mine is called nodeList

set nodeList [$AdminConfig list Node]

Now we’ll need to get the node names and then transform each into a completeObjectName to be able to work further, so I will create a loop taking care of it.

foreach node $nodeList {
    set node_name [$AdminConfig showAttribute $node name]
    # completeObjectName is an AdminControl operation (see section 1), not AdminConfig.
    # The dmgr node has no node agent, so for it this returns an empty string.
    set complete_node_name [$AdminControl completeObjectName type=NodeSync,node=$node_name,*]

}

Once I have the complete node name I have to check whether this node is synchronized, so right below (inside the loop) I am including the command from section one, but the output will be stored in the variable in_sync for further actions

if {!($complete_node_name == "")} then {
    set in_sync [$AdminControl invoke $complete_node_name isNodeSynchronized]
    # corrective action from section 1: synchronize the node if it is out of sync
    if {$in_sync == "false"} {
        $AdminControl invoke $complete_node_name sync
    }
}

manual heap or thread dump in websphere

How to force a heap or thread dump using the wsadmin script

Log in to your machine running WAS.
Navigate to the profile’s bin directory:
cd /profiles//bin/
Connect to the deployment manager using the wsadmin script:
wsadmin.sh -conntype SOAP -username -password
Set the object variable:
wsadmin> set jvm [$AdminControl completeObjectName type=JVM,process=,node=,*]
Force a heap dump:
wsadmin> $AdminControl invoke $jvm generateHeapDump
In case you would like to dump threads:
wsadmin> $AdminControl invoke $jvm dumpThreads
The heap or thread dump will be saved to the /profiles// directory with the respective naming convention

Heapdump
heapdump.

clean messaging queue using jython

Objective for yesterday: clean persistent messages from a JMS queue.

There are a few methods that will work depending on your messaging set-up. I will show how to clean persistent messages from the queue using wsadmin and Jython.

First of all, locate the wsadmin tool on your host. It is located in /AppServer/bin

cd /AppServer/bin

Create a new file called cleanJMSQueue.py on your host machine with the following content. [Remember to replace the variables with the appropriate values matching your environment]

import java.lang

# queue point of the destination on the messaging engine; adjust node, server, bus and queue name
objName = AdminControl.makeObjectName('WebSphere:type=SIBQueuePoint,SIBMessagingEngine=MyNode.MyServer-MyBus,name=MyQueueName,*')
qps = AdminControl.queryNames_jmx(objName, None)
qp = qps[0]   # first (normally the only) matching queue point
# the Boolean argument selects whether messages are moved to the exception destination; 'false' discards them
AdminControl.invoke_jmx(qp, 'deleteAllQueuedMessages', [java.lang.Boolean('false')], ['java.lang.Boolean'])

Start the wsadmin tool to connect to the deployment manager and execute the script

wsadmin.sh -host -port -conntype SOAP -username -password -lang jython -f

Recovering passwords from WebSphere

WebSphere stores passwords for data sources, security aliases, etc. in an encrypted format in its configuration files. The format, called XOR (exclusive OR), is not a particularly strong encryption algorithm, probably designed just to stop casual snooping. (In contrast, WebLogic uses triple-DES encryption.)

(To be precise, IBM says WebSphere “encodes” passwords, not encrypts them.)

When you forget the password to your development database it can be useful to be able to decrypt XOR-encrypted passwords. Fortunately IBM have provided the means to encrypt and decrypt passwords in XOR format (although they probably didn’t mean to leave the code around for general use).

So let’s encrypt the password “secret”:

WebSphere 5.x

> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == "secret", encoded password == "{xor}LDo8LTor"

WebSphere 6.0.x

> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar::ras.jar:wsexception.jar:bootstrap.jar:emf.jar:ffdc.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == "secret", encoded password == "{xor}LDo8LTor"

and to decrypt (don’t forget to prefix the encoded password with “{xor}”):

WebSphere 5.x

> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
encoded password == "{xor}LDo8LTor", decoded password == "secret"

WebSphere 6.0.x

> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar::ras.jar:wsexception.jar:bootstrap.jar:emf.jar:ffdc.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
encoded password == "{xor}LDo8LTor", decoded password == "secret"

UPDATE: IBM have heard the cries about poor password security and have added hooks from WebSphere 6.0.2 onwards that allow you to write your own password encryption. One step forward…
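To make concrete why this is “encoding” rather than encryption (the point raised in the trivia note above and in this post), here is an added Python reimplementation of the {xor} scheme; it is not IBM’s code. Each byte is XORed with the fixed mask 0x5F and the result is Base64-encoded, so no key is involved, which is why it must reproduce the “secret” → “{xor}LDo8LTor” transcript above. The audit helper and the sample properties text are my own constructions, meant for spotting which configuration values rely on this weak scheme.

```python
import base64
import re

# ASCII '_': the fixed mask WebSphere XORs every password byte with. It is a constant, not a key.
XOR_KEY = 0x5F


def was_xor_encode(plain):
    """Return the '{xor}' form of a clear-text password (what PropFilePasswordEncoder writes)."""
    masked = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(masked).decode("ascii")


def was_xor_decode(encoded):
    """Reverse was_xor_encode. Anyone who can read the file can do this, hence 'encoding'."""
    if not encoded.startswith("{xor}"):
        raise ValueError("value is not {xor}-encoded")
    masked = base64.b64decode(encoded[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in masked).decode("utf-8")


def find_xor_properties(props_text):
    """Audit helper: list keys in a .props file whose value is protected only by {xor} encoding."""
    hits = []
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^=]+)=\{xor\}", line)
        if m:
            hits.append(m.group(1).strip())
    return hits


# Constructed excerpt modelled on the soap.client.props shown in the first post above.
SAMPLE_PROPS = """# SOAP client properties (constructed sample)
com.ibm.SOAP.loginUserid=wasadm
com.ibm.SOAP.loginPassword={xor}LDo8LTor
com.ibm.SOAP.loginSource=prompt
"""

if __name__ == "__main__":
    print(was_xor_encode("secret"))
    print(find_xor_properties(SAMPLE_PROPS))
```

Because the transform is keyless, the only real protection for these values is file-system permissions on the profile directory (and, from 6.0.2 on, the custom encryption hook mentioned in the update).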

Password Decoder for WebSphere

Did you happen to have too much configuration and want to recover a password from the WebSphere configuration? If yes, then the following program can help you. I happened to forget my application database password and didn’t want to get into the hassle of resetting it through the Administration Support Group (you know it can be a time-consuming and slow route). First of all, you need to know the configuration file where your password is stored by WebSphere in its configuration (of course it is encrypted). You can find security.xml at the following location:

/config/cells//security.xml

Now, to be on the safe side, copy this file to a different location and open it in an editor; I used Notepad++ as it is an XML file. Use the token ‘ to find all the JAAS authentication aliases you created for storing credentials. I am pasting one sample entry below:

From here we need to copy the content of the password attribute, put it into the following Java program and run it. It will print your password on the console. Make sure you create a Java project in the Rational development IDEs (RAD/RSA) and add the WebSphere runtime as a server library to it. (The PasswordUtil class is part of the WebSphere runtime environment and has a lot of dependencies on other JAR files. To keep the effort minimal, use this code in the IDE; otherwise you may end up manually editing classpath entries for many other JAR files.)

import com.ibm.ISecurityUtilityImpl.PasswordUtil;

public class Decoder {
    public static void main(String[] args) {
        // paste the {xor}... value copied from the password attribute in security.xml
        String encoded_password = "";

        String decoded_password = PasswordUtil.passwordDecode(encoded_password);

        if (decoded_password == null) {
            System.out.println("ERROR: invalid password decoding exception");
            System.exit(1);
        }

        // an unchanged result means the value was not an encoded password to begin with
        if (decoded_password.equals(encoded_password)) {
            System.out.println("ERROR: specified password \"" + encoded_password + "\" is decoded");
            System.exit(1);
        }

        System.out.println("encoded password == \"" + encoded_password + "\", decoded password == \"" + decoded_password + "\"");
        System.exit(0);
    }
}

HTH-