Mohan WebSite

2012 SERVER (64)
2016 windows (9)
AIX (13)
Amazon (40)
Ansibile (19)
Apache (135)
Asterisk (2)
cassandra (2)
Centos (230)
- ftp (5)
- IPTABLES (15)
- SFTP (1)
- swap (3)
Centos RHEL 7 (270)
centos8 (3)
chef (3)
cloud (2)
cluster (3)
Coherence (1)
DB2 (5)
DISK (25)
DNS (9)
Docker (31)
Eassy (11)
ELKS (1)
EXCHANGE (3)
Fedora (6)
GIT (3)
GOD (2)
Grub (1)
Hacking (10)
Hadoop (6)
health (2)
horoscope (23)
Hyper-V (10)
IIS (15)
JAVA (7)
JBOSS (32)
jenkins (1)
Kubernetes (9)
Ldap (5)
Linux (189)
Linux Commands (166)
Load balancer (5)
mariadb (14)
Mongodb (4)
MQ Server (24)
MYSQL (84)
Nagios (5)
NaturalOil (13)
Nginx (36)
Ngix (1)
openldap (1)
Openstack (6)
Oracle (35)
Perl (3)
Postfix (19)
Postgresql (1)
PowerShell (2)
Python (3)
qmail (36)
Redis (12)
RHCE (28)
SCALEIO (1)
Security on Centos (29)
Shell (64)
Solaris (58)
Sql Server 2012 (4)
squid (3)
SSH (10)
SSL (14)
Storage (1)
TIPS on Linux (28)
tomcat (62)
Ubuntu (1)
Uncategorized (30)
Veritas (2)
vfabric (1)
VMware (28)
Weblogic (38)
Websphere (71)
Windows (19)
Windows Software (2)
wordpress (1)
ZIMBRA (17)

Kill a Terminal Server Session from the Command Line

How to Kill a Terminal Services Session from the Command Line

Open a CMD prompt
To query for current sessions, type:
- qwinsta.exe /server:<servername>
To kill a session, type:
- rwinsta.exe /server:<servername> <session id>

Disable CRL Checking

How to Disable CRL Checking in IIS 6.x:

Open a CMD prompt
Navigate to c:\inetpub\adminscripts
To disable for ALL sites, run the following command:
- cscript adsutil.vbs set w3svc/CertCheckMode 1
- Hit the ENTER key
To disable for SPECIFIC sites, run the following command:
- cscript adsutil.vbs set w3svc/siteid#/CertCheckMode 1
- Hit the ENTER key

To query to see if the CertCheckMode is already set or not, you can run one of the following commands:

cscript adsutil.vbs get w3svc/CertCheckMode
cscript adsutil.vbs get w3svc/siteid#/CertCheckMode

A developer recently reported a problem that when a customer attempted to upload an attachment, they would sometime receive the error:The page was not displayed because the request entity is too large.In our case it did not include an error number, but it will sometimes include the error number:

HTTPS 413

The fix for us is listed below:

How to set the uploadReadAheadSize in IIS 7.5

Launch “Internet Information Services (IIS) Manager”
Expand the Server field
Expand Sites
Select the site you want to make the modification for.
In the Features section, double click “Configuration Editor”
Under “Section” select: system.webServer>serverRuntime
Modify the “uploadReadAheadSize” section
Click Apply

1. uploadReadAheadSize

In the second scenario, the error occurred because of the size of the page, it is very large and it caused to request entry body become larger when you submitting the page.http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7e0d74d3-ca01-4d36-8ac7-6b2ca03fd383.mspx?mfr=true

Basically, what happens is if you have a website with SSL and “Accept Client Certificates” enabled HTTP requests are limited to the UploadReadAheadSize of the site. To resolve this, you have to increase the UploadReadAheadSize. (Default size 48kb)

Collapse | Copy Code

appcmd.exe set config -section:system.webserver/serverruntime /uploadreadaheadsize: 1048576 /commit:apphost

2. maxReceivedMessageSize

WCF by default limits messages to 64KB to avoid DOS attack with large message. By default, it sends byte[] as base64 encoded string and it increases the size of the message (33% increase in size). There for if the uploaded file size is ~larger than 48KB then it raises the above error. (48KB * 1.33 = ~64KB) (NB. you can use MTOM – Message Transmission Optimization Mechanize to optimize the message)

By modifying the “maxReceivedMessageSize” in the Web.config file to accept large messages, you can solve this issue.

Collapse | Copy Code

<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding maxReceivedMessageSize="10485760">
        <readerQuotas ... />
      </binding>
    </basicHttpBinding>
  </bindings>  
</system.serviceModel>

script start, stop, backup and restore your WebSphere environment

#!/bin/ksh
#
# Set you environment here [ACC,FOP,PRD]
ENV=FOP

# Set your company name here
COMP=WARMETAL

#
# APP_HOME setting
APP_HOME=/opt/sft/${COMP}-${ENV}

# Change here the WAS userid, WAS group and sid if necessary
WAS_USER=wasuser
WAS_GROUP=wasgroup
WAS_PROCESSES="dmgr nodeagent Front_Server Security_Server APP_Server JMS_Server"

WAS_CELL="${COMP}-${ENV}.cell"
WAS_NODE_EB="${COMP}-${ENV}.AppSrv.node"
WAS_NODE_FE="${COMP}-${ENV}.AppSrv.node"

# Change the location of the directory in this variable of the WAS :
WAS_HOME=/opt/IBM/WebSphere/AppServer
WAS_BASE_HOME=/opt/sft/${COMP}-${ENV}/WAS_Profiles/${COMP}-${ENV}.AppSrv
WAS_BASE_DATA=/var/data/${COMP}-${ENV}/WAS
WAS_BASE_LOG=/var/log/${COMP}-${ENV}/WAS
WAS_BASE_DUMP=/var/dump/ibm/websphere/6.1/BASE

# Change the location of the directory in this variable of the WAS_ND :
WAS_ND_HOME=/opt/sft/${COMP}-${ENV}/WAS_Profiles/${COMP}-${ENV}.dmgr
WAS_ND_DATA=/var/data/${COMP}-${ENV}/WAS_ND
WAS_ND_LOG=/var/log/${COMP}-${ENV}/WAS_ND
WAS_ND_DUMP=/var/dump/${COMP}-${ENV}/WAS_ND

# Essential Homes
WAS_UPDATE_INSTALLER_HOME=/opt/IBM/UpdateInstaller
WAS_IHS_HOME=/opt/IBM/HTTPServer

BACKUPFILEND=${WAS_ND_DUMP}/wasbck_`date +%Y%m%d%H%M`.zip
BACKUPFILEBASE=${WAS_BASE_DUMP}/wasbck_`date +%Y%m%d%H%M`.zip

case "$1" in

start )
  echo "Starting the Network Deployment Manager"
  su - $WAS_USER $WAS_ND_HOME/bin/startManager.sh

  echo "Starting the Node"
  su - $WAS_USER $WAS_BASE_HOME/bin/startNode.sh

  for server in Front Security APP JMS; do
    echo "Starting server $server"
    su - $WAS_USER ${ALLSHARE_HOME}/WAS_Profiles/${COMP}-${ENV}.AppSrv/bin/startServer.sh ${server}_Server
  done
  su - $WAS_USER ${ALLSHARE_HOME}/WAS_Profiles/${COMP}-${ENV}.AppSrv/bin/startServer.sh Monitoring_server
 ;;

stop )
  echo "Stopping the Network Deployment Manager"
  su - $WAS_USER $WAS_ND_HOME/bin/stopManager.sh

  echo "Stopping the Node"
  su - $WAS_USER $WAS_BASE_HOME/bin/stopNode.sh -stopservers
  su - $WAS_USER ${ALLSHARE_HOME}/WAS_Profiles/${COMP}-${ENV}.AppSrv/bin/stopServer.sh Monitoring_server
 ;;

start-node )
  echo "Starting the Node"
  su - $WAS_USER $WAS_BASE_HOME/bin/startNode.sh
 ;;

stop-node )
  echo "Stopping the Node"
  su - $WAS_USER $WAS_BASE_HOME/bin/stopNode.sh -stopservers
  su - $WAS_USER ${APP_HOME}/WAS_Profiles/${COMP}-${ENV}.AppSrv/bin/stopServer.sh Monitoring_server
 ;;

start-dmgr )
  echo "Starting the Network Deployment Manager"
  su - $WAS_USER $WAS_ND_HOME/bin/startManager.sh
 ;;

stop-dmgr )
  echo "Stopping the Network Deployment Manager"
  su - $WAS_USER $WAS_ND_HOME/bin/stopManager.sh
 ;;

start-all )
  for server in JMS APP Security Front; do
    echo "Starting server $server"
    su - $WAS_USER ${APP_HOME}/WAS_Profiles/${COMP}-${ENV}.AppSrv/bin/startServer.sh ${server}_Server
  done
  su - $WAS_USER ${APP_HOME}/WAS_Profiles/${COMP}-${ENV}.AppSrv/bin/startServer.sh Monitoring_server
;;

stop-all )
  for server in Front Security APP JMS; do
    echo "Stopping server $server"
    su - $WAS_USER ${APP_HOME}/WAS_Profiles/${COMP}-${ENV}.AppSrv/bin/stopServer.sh ${server}_Server
  done
;;

backup )
  for profile in dmgr AppSrv; do
    su - $WAS_USER ${APP_HOME}/WAS_Profiles/${COMP}-${ENV}.${profile}/bin/backupConfig.sh \
      /var/backup/${COMP}-${ENV}/was/was-config-${profile}-`date +%Y%m%d`.zip \
      -nostop \
      -logfile /var/backup/${COMP}-${ENV}/was/was-config-${profile}-`date +%Y%m%d`.log \
      -profileName ${COMP}-${ENV}.${profile}
done
;;

restore )
  if [ -f /var/backup/${COMP}-${ENV}/was/was-config-dmgr-${2}.zip -a -f /var/backup/${COMP}-${ENV}/was/was-config-AppSrv-${2}.zip ]; then
    for profile in dmgr AppSrv; do
      su - $WAS_USER /opt/sft/${COMP}-${ENV}/WAS_Profiles/${COMP}-${ENV}.${profile}/bin/restoreConfig.sh \
        /var/backup/${COMP}-${ENV}/was/was-config-${profile}-`date +%Y%m%d`.zip \
        -logfile /var/backup/${COMP}-${ENV}/was/was-config-${profile}-`date +%Y%m%d`.log \
        -profileName ${COMP}-${ENV}.${profile}
    done
  else
     if [ ! "$2" = "" ]; then
       echo "Cannot find or read (all) backup files, searching for:"
       echo /var/backup/${COMP}-${ENV}/was/was-config-dmgr-${2}.zip
       echo /var/backup/${COMP}-${ENV}/was/was-config-AppSrv-${2}.zip
       echo
     else
       echo "Please specify the date (YYYYMMDD) to restore as argument"
       echo "Available dates currently under backup:"
       ls -1 /var/backup/${COMP}-${ENV}/was/was-config-*.zip | awk -F - '{ print $5 }' | \
       sed 's/.zip//g' | sort | uniq
       echo
     fi
    exit 1
  fi
;;

status )
for i in $WAS_PROCESSES; do
    unset pid
    pid=`ps -ef|grep $i| grep $i|grep -v grep|awk '{ print $2 }'`
    if [[ "$pid" = "" ]] then
      echo "WAS subprocess $i is stopped..."
      echo
      exit 0
    else
      echo "WAS subprocess $i is running using processed $pid"
    fi
  done
  echo
  exit 1
;;

info )
  # WAS instance information, version, etc...
  echo "Information of the Deployment Manager"
  su - $WAS_USER ${WAS_ND_HOME}/bin/versionInfo.sh

  echo
  echo "Information of AppSrv Node"
  su - $WAS_USER ${WAS_BASE_HOME}/bin/versionInfo.sh

  echo
  echo "Information of Dmgr Node"
  su - $WAS_USER ${WAS_ND_HOME}/bin/versionInfo.sh

  echo
  echo "Information of Update Installer"
  su - $WAS_USER ${WAS_UPDATE_INSTALLER_HOME}/bin/versionInfo.sh
;;

plugin )
 echo "Regenerating the plugin for the HTTP Server"
        su - $WAS_USER ${WAS_HOME}/bin/GenPluginCfg.sh -cell.name $WAS_CELL -node.name $WAS_NODE_FE
;;

env )
 $0 status
 if [[ "$?" = "1" ]] then
   for i in $WAS_PROCESSES; do
      echo "********* $i *********"
      pid=`ps -ef|grep $i|grep -v grep | awk '{ print $2 }'`
      ps ewww $pid | tr ' ' '\012' | grep = | sort
      echo
      echo
   done
  else
   echo "WAS not available, exiting.."
   exit 1
 fi
;;

* )
 echo
 echo "Usage: $0 COMMAND"
 echo "---------------------------"
 echo "start         - Start dmgr, node-agent and the application servers"
 echo "stop          - Stops dmgr, node-agent and the application servers"
 echo
 echo "start-dmgr    - Starts the Deployment Manager"
 echo "stop-dmgr     - Stops the Deployment Manager"
 echo
 echo "start-node    - Starts the local node-agent"
 echo "stop-node     - Stops the local node-agent and all appservers"
 echo
 echo "start-all     - starts all application servers"
 echo "stop-all      - stops all application servers"
 echo
 echo "backup        - Creates online backup of complete cell"
 echo "restore       - Restores offline backup of complete cell using date YYYYMMDD"
 echo
 echo "status        - Server stopped/started state"
 echo "plugin        - regenerate webserver plugin"
 echo "info          - Show server configuration"
 echo "env           - Shows environment variables set for WebSphere configuration"
 echo
 exit 1
esac

WebSphere Console LDAP Authentication

This is an howto on how to get the WebSphere Integrated Solutions Console to authenticate administrators through LDAP, in our case Microsoft’s Active Directory 2008. This is installed with Windows Server 2008 and Active Directory.

Overview

By default, when WebSphere gets installed everybody can access the WebSphere portal because there is no security. This is how the portal looks like:

As you can see, the console can be reached with this url:

http://fqdn-of-server:9060/ibm/console

And as you can see as well, there’s no password field.

Now we want secured access to the console, and we want to centrally administrate the users who will access the console. To do so, we have to follow these steps:

Enable administrative security
Configure Federated Repositories
- Configure the InternalFileRepository
- Configure a LDAP Repository
Restart the WebSphere Console
Set up Administrative Group Roles
Restart the WebSphere Console

After securing the console will be reachable on this url:

https://fqdn-of-server:9043/ibm/console

Prerequisites

Before the above setup can be configured we first have to create the groups on which WebSphere Roles can be associated:

GroupName	WebSphere Role	Short Description
WebSphereAdministrators	Administrator, iscadmins	Full Permissions and the possibility to grant permissions to users and groups
WebSphereOperators	Operator	Change the status of Application Servers (start,stop,etc)
WebSphereReadOnly	Monitor	View Application Server status

For more information about the WebSphere Roles see the resources below.

Backup

Create a backup of the existing configuration. See the WebSphere Management Script for more information on how to do that.

Enable Administrative Security

Follow these steps to enable administrative security:

Login to the console and expand “Security”.
Go to “Secure administration, applications and infrastructure”
Select the checkbox for “Enable administrative security”
Select the checkbox for “Enable application security”
Unselect the checkbox for “Use Java 2 security to restrict application access to local resources”
Click Apply and “Save directly to the master configuration”.

Configure Federated Repositories

In the same page as for the previous section, follow these steps to configure Federated Repositories:

Select from the “Available realm definitions” dropdown menu the “Federated repositories” option.
First click “Set as current”, Apply and “Save directly to the master configuration”, and then click “Configure”.

Now configure the repositories, starting with the InternalFileRepository and than AD-LDAP.

Configure the InternalFileRepository

Leave the realm name at it’s default (defaultWIMFileBasedRealm)
Enter the “Primary administrative user name”. This value is free to choose, but to prevent confusion, do not enter an existing local account or an account already in LDAP. I’ve set it to sjoerd. This account will be your fallback when LDAP is down.
Then check the “Automatically generated server identity” radio button.
Select the “Ignore case for authorization” checkbox.
Click Apply you’ll be prompted to enter a password for the “Primary administrative user name” which you’ve just set. Click OK, and than click “Save directly to the master configuration”.

Configure a LDAP Repository

In the same page as before click “Manage repositories” to start configuring the LDAP repository:

Click Add
Enter a “Repository identifier”. Also a free value, I’ve named it to “AD-LDAP”
Set the LDAP server “Directory type” to “Microsoft Windows Server 2003 Active Directory”. I’ve found this server also working for Windows Server 2008 Active Directory.
Set the Primary host name to your primary ldap server: ldap.company.local
Leave the port at it’s default value of 389
Set the “Bind distinguished name” to the service account which is a guest domain account: sa_ldap@company.local
Set the bind password
leave the “Login properties” to it’s default value of “uid”

The configuration now looks like this:

Click Apply and “Save directly to the master configuration”

Configure Federated Repositories II

Now go back to the “Federated repositories” page to add the LDAP repository to the realm:

Click “Add Base entry to realm”
Select “AD-LDAP” from the Repository dropdown menu.
Now enter the search base (ou=users,dc=company,dc=local) in both the “Distinguished name of a base entry that uniquely identifies this set of entries in the realm” and the “Distinguished name of a base entry in this repository”.
Click Apply and “Save directly to the master configuration”.

Now the federated repositories look like this:

Click Apply and “Save directly to the master configuration”

Set up Administrative Group Roles

Before we can setup Administrative Group Roles we first have to enable WebSphere to access the just created LDAP repository. To do so, we have to restart the WebSphere console. Since the console is part of the deployment manager you can restart the deployment manager. See the WebSphere Management Script for more information on how to do that.

After restart, you can login, but you’ll need to login with the configured local account:

After logging in expand the “Users and Groups” section and click “Administrative Group Roles” to start granting roles:

Click Add
Enter the group name you’ve created in Active Directory and select the role according to the overview at the top. You can select multiple roles by clicking while pressing the <CTRL>-key.
Repeat the last steps for all groups you’ve created

Now the “Administrative Group Roles” look like this:

Now shut down the application servers, node agent, and the deployment manager.
Start the deployment manager.
Resynchronize the nodes like this, and use the local account that you defined when asked for credentials:

root@aix:/opt/sft/${COMP}-${ENV}/WAS_Profiles/${COMP}-${ENV}.AppSrv/bin>syncNode.sh localhost

Now start the node-agent and the application server.

NOTE: If you come across one of these errors you haven’t synchronized your application servers properly:
SECJ0305I: The role-based authorization check failed for admin-authz operation Server:stop. The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: operator, administrator.

[11/5/10 11:44:58:890 GMT+01:00] 00000034 MBeanHelper ...<cut>... ADMN0022E: Access is denied for the stop operation on Server MBean because of insufficient or empty credentials.

Test

I added myself to the WebSphereReadOnly group and when I logged in to the WebSphere Console the control buttons for stopping and starting the application server were gone.

Then I added myself to the WebSphereAdministrators group and it worked:

ADMN1020I: An attempt is made to stop the Monitoring_server server. (User ID = defaultWIMFileBasedRealm/ldapsjoerd)

Then I tried to stop the application servers from the commandline, and also here was authentication required. I gave incorrect credentials when stopping the last application server. As you can see, the stopping of all application servers was successful, except for the last one:

Stopping server Front
ADMU0116I: Tool information is being logged in file
           ../logs/Front_Server/stopServer.log
ADMU0128I: Starting tool with the AppSrv profile
ADMU3100I: Reading configuration for server: Front_Server
Realm/Cell Name: <default>
Username: ldapsjoerd
Password:                                                                                                               
ADMU3201I: Server stop request issued. Waiting for stop status.
ADMU4000I: Server Front_Server stop completed.

Stopping server JMS
ADMU0116I: Tool information is being logged in file
           ../logs/JMS_Server/stopServer.log
ADMU0128I: Starting tool with the AppSrv profile
ADMU3100I: Reading configuration for server: JMS_Server
Realm/Cell Name: <default>
Username: test
Password:                                                                                                               
ADMU0111E: Program exiting with error: javax.management.JMRuntimeException:
           ADMN0022E: Access is denied for the stop operation on Server MBean
           because of insufficient or empty credentials.
ADMU4113E: Verify that username and password information is correct.  If
           running tool from the command line, pass in the correct -username
           and -password.  Alternatively, update the <conntype>.client.props
           file.
ADMU1211I: To obtain a full trace of the failure, use the -trace option.
ADMU0211I: Error details may be seen in the file:
           ../logs/JMS_Server/stopServer.log

NOTE: The dmgr can only be stopped with the local account (sjoerd).

Monitoring

After setting up security, and when running monitoring add authentication information to the monitor. See below for required information (which can all be found inside the node and application server configuration):

Display Name: WebSphere_Monitoring_9030
WebSphere Version: 6.x
Deployment Mode: Network Deployment
Port: 9030
User Name: same as configured for the InternalFileRepository (sjoerd)
SOAP Connector Port: 8882
Network Deployer Host: ndhost.copany.local
Network Deployer SOAP Port: 8879
Advanced Options
- App Servers to Monitor: node:JMS,Front,Monitoring;

You can check the service by going to this url:

http://ndhost.company.local:9030/wasPerfTool/servlet/perfservlet?connector=SOAP&port=8879&host=ndhost.company.local&username=test&password=xxxxxxxx

Troubleshooting

Logging as defined user works, but not through group membership

If you can login using a user defined in the user roles, but not as a user who is defined a member of a group defined in group roles, select the “ignore case for authorization” in the federated repositories configuration.

This is why:

Optional: Verify that the Ignore case for authorization option is enabled. When you enable this option, the authorization check is case insensitive. Normally, an authorization check involves checking the complete DN of a user, which is unique in the LDAP server and is case sensitive. However, when you use either the IBM Directory Server or the Sun ONE (formerly iPlanet) Directory Server LDAP servers, you must enable this option because the group information that is obtained from the LDAP servers is not consistent in case. This inconsistency affects the authorization check only. Otherwise, this field is optional and can be enabled when a case sensitive authorization check is required. For example, you might select this option when you use certificates and the certificate contents do not match the case of the entry in the LDAP server.

Setting LDAP parameters for Microsoft Active Directory

Define configuration parameters for Microsoft Active Directory to provide extra security options for your environment.

Before you begin

Before setting configuration parameters, perform authentication tests to confirm that user, group, and membership search filters work properly. For more information, see the Related tasks section.

You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps.

About this task

You might need to modify the example search parameters in the following steps to match your LDAP server schema.

You can use the system console, the command line interface, or the REST API to complete this task. For the command line and REST API information, see the Related information section.

Procedure

Click System > Security.
Set the following configuration parameters.
LDAP provider URL

The LDAP server host name, port number, and LDAP or LDAPS protocol. The host name must be either the fully qualified domain name or IP address of your LDAP server. The host name must begin with either ldap:// for standard LDAP or ldaps:// when connecting to the LDAP server through a Secure Sockets Layer (SSL) tunnel.The LDAPS protocol is recommended for protecting sensitive user credential information. When selecting LDAPS, you must verify and accept the LDAP server X.509 certificate.

LDAP security authentication

The distinguished name (DN) of an LDAP user who is allowed to search the LDAP directory if the LDAP server does not allow anonymous access.

Password

The password of the LDAP security authentication user.

LDAP base DN (users)

The base DN subtree that is used when searching for user entries on the LDAP server. Use LDAP Data Interchange Format (LDIF) syntax for the entries.

LDAP base DN (groups)

The base DN subtree that is used when searching for group entries on the LDAP server.

Search filter (users)
Note: Confirm that the user search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.

Filter for finding entries in the LDAP base DN (users) subtree that match the user name. For example, see the following example LDAP user entry:
```
dn: CN=testuser,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testuser
givenName: testuser
distinguishedName: CN=testuser,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
instanceType: 4
whenCreated: 20121016115033.0Z
whenChanged: 20121128154238.0Z
displayName: testuser
uSNCreated: 12880
uSNChanged: 30679
name: testuser
objectGUID:: FHdAtR/CQEyxvINHhsGnLw==
userAccountControl: 2687488
badPwdCount: 1
codePage: 0
countryCode: 0
badPasswordTime: 129954117792502335
lastLogoff: 0
lastLogon: 129949649905545787
pwdLastSet: 129948648233962943
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAABP7bJiQPVlNtcWUsVAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: testuser
sAMAccountType: 805306368
userPrincipalName: testuser@secfvt2.austin.ibm.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=secfvt2,DC=austin,DC=i
 bm,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129985909582341952
```
The following filter searches for entries with a user ID attribute sAMAccountName matches the user ID that was used to log in to the system. This filter only looks for entries within the organizationalPerson and person object classes.
```
"(&(sAMAccountName={0})(ObjectClass=organizationalPerson)(ObjectClass=person))" 
```
When the match occurs, the {0} placeholder is replaced by the user ID from the login screen.
Search filter (groups)
Note: Confirm that the group search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.

Filter for finding entries in the LDAP base DN (groups) subtree that match the group name. For example, see the following example LDAP group entry:
```
dn: CN=group1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
objectClass: top
objectClass: group
cn: group1
member: CN=WIMUser3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
member: CN=WIMUser1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
member: CN=user3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
member: CN=user1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
member: CN=KRBUser3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
member: CN=KRBUser1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
member: CN=LDAPUser3,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
member: CN=LDAPUser1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
distinguishedName: CN=group1,CN=Users,DC=secfvt2,DC=austin,DC=ibm,DC=com
instanceType: 4
whenCreated: 20121016162937.0Z
whenChanged: 20121016214016.0Z
uSNCreated: 12972
uSNChanged: 22942
name: group1
objectGUID:: RyfdOC8kXEyOk7Q+qjtjSg==
objectSid:: AQUAAAAAAAUVAAAABP7bJiQPVlNtcWUsXwQAAA==
sAMAccountName: group1
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=secfvt2,DC=austin,DC=ib
 m,DC=com
dSCorePropagationData: 16010101000000.0Z
```
The following filter searches for entries with a group ID attribute sAMAccountName that match the group name. This filter only searches for entries that are within the Group object class.
```
"(&(sAMAccountName={0})(ObjectClass=Group))" 
```
When the match occurs, the {0} placeholder is replaced by the group name.
LDAP membership search filter pattern
Note: Confirm that the member search filter is effective by performing an LDAP authentication test. For more information, click Testing LDAP authentication settings in the Related tasks section below.

Filter used for returning a list of group member entries that are in the LDAP base DN (groups) subtree. For example, the following filter searches for entries in the group object class that contain a particular group as a member.
```
"(&(member={0}) (objectclass=group))" 
```
LDAP user search attribute

The name of the attribute that represents the unique ID of the user. Typically, the LDAP user search attribute matches the user ID attribute (sAMAccountName) that is used in the user search filter.

Note: The value of the LDAP user search attribute must match the value that was used when adding the user to system.

LDAP group search attribute

The name of the attribute in the group search filter that represents the group name. Typically, the LDAP group search attribute matches the group ID attribute that is used in the group search filter. For example, if the attribute name is sAMAccountName in the group search filter, the LDAP group search attribute should also be sAMAccountName. The sAMAccountName value is the default value if none is specified.

LDAP membership search attribute

The member user attribute in a group. If this attribute is not provided, the membership search uses the full distinguished name (DN) of the user, for example member: cn=Test User1, ou=WebSphere, o=IBM, c=US. Only specify a different value when you want to use a particular attribute of the DN instead of the full DN in the search query.

LDAP JNDI connect pool

JNDI connection pooling is enabled when the value is set to Yes, which is the default value. Consult an IBM service engineer before changing this setting.

LDAP JNDI read timeout (in milliseconds)

The amount of time to wait for the LDAP server to respond. The default value is five minutes. Specify a value of 0 to disable the timeout option.

LDAP server type

The type of LDAP server. When using Microsoft Active Directory, select Microsoft Active Directory.

How to disable WebSphere Global Security for one Application Server in a secure cell

Problem(Abstract)

In a WebSphere Application Server cell where Global Security is enabled, you may want to disable security for individual application servers, for example, when you run some applications that can be accessed anonymously, while others require authentication.

This can be done either from the Application Server Administrative Console or using wsadmin.

Resolving the problem

Solution using Administrative Console:

Go to “Application Servers”
Select the appropriate server
Select “Server security”
Select “Server level security”
Disable the “Enable global security” checkbox
Save the settings and synchronize

Solution using wsadmin:
(assume you want to disable security for server1 on node WASI02Base.)

start wsadmin in Deploymentmanager/bin directory
wsadmin>$AdminConfig list Security
(cells/WASICELL:security.xml#Security_1106748574007)
wsadmin>$AdminConfig list Server
dmgr(cells/WASICELL/nodes/WASI02DMGR/servers/dmgr:server.xml#Server_1)
jmsserver(cells/WASICELL/nodes/wasi01base/servers/jmsserver:server.xml# Server_1106748571434)
nodeagent(cells/WASICELL/nodes/WASI02Base/servers/nodeagent:server.xml# Server_1)
nodeagent(cells/WASICELL/nodes/wasi01base/servers/nodeagent:server.xml# Server_1106748571153)
server1(cells/WASICELL/nodes/WASI02Base/servers/server1:server.xml#Server_1)
server1(cells/WASICELL/nodes/wasi01base/servers/server1:server.xml#Server_1)
wsadmin>set server [$AdminConfig getid /Cell:WASICELL/Node:WASI02Base/Server:server1]
server1(cells/WASICELL/nodes/WASI02Base/servers/server1:server.xml#Server_1)
wsadmin>$AdminConfig list Security $server
wsadmin>$AdminConfig create Security $server {{enabled false}}
(cells/WASICELL/nodes/WASI02Base/servers/server1:security.xml#Security_1151410503621)
wsadmin>$AdminConfig save

The result of both solutions described above (Administrative Console and wsadmin), is a separate security.xml file for server1 containing security enabled=’false’.
After restarting server1, its applications (For example, Snoop) can be accessed without being
prompted for userid and password as it was before, while security for the other servers in the cell is still active.

Remark:
It does not work the other direction. You cannot enable Server Level Security, when the cell-wide Global Security is disabled.

WebSphere Global Security OFF

This is a massive pain, WAS 6.1 is failing with my new SSL certs with larger (2048) size keys. No matter how perfectly configured my Node Default Trust Store looks with it’s happy Signer Certificate, the SSL connection still fails.

I changed a setting to do with SSL – I knew that was a bad idea! Server won’t let me back in the console, time to turn off security.

To disable global security either edit the security.xml file or use the wsadmin tool.

$WAS_HOME\config\cells\cellname\security.xml

Using WAS command-line client wsadmin (run with was user or root privileges):
1. Open a connection to local WAS in offline mode
wsadmin -conntype NONE

2. Turn off global security
wsadmin> securityoff

3. Save
wsadmin> $AdminConfig save

WebSphere Administrative (WAS) Console: turn off global security
Article ID:558727

Description:
I am locked out of the WebSphere Administrative (WAS) console and have forgotten the password. I want to turn off the WebSphere Application Server global security from outside the WAS console so I can login to the WebSphere Administrative console. How do I do this?
Resolution:
To do this you can either modify the security.xml file in WAS or use the ./wsadmin tool to make this change: Login as root to Lawson Insight Desktop (LID). Navigate to the $WAS_HOME/profiles/Dmgr01/bin directory. Run the WAS command line client in offline mode, ./wsadmin -conntype NONE Turn off global security by entering securityoff from the wsadmin> prompt. Save this by executing $AdminConfig save from the wsadmin> prompt.

Using wsadmin to enable an LDAP Federated Repository in WebSphere Application Server 8.5

This article is somewhat of an aide memoire for me, allow me to remember how to enable WebSphere Application Server to talk to an LDAP server, without needing to use a GUI 🙂

I pulled this together using my own WAS 8.5 VM running on RHEL 6.3, as ever, and a remote LDAP ( albeit IBM Tivoli Directory Server rather than Microsoft Active Directory ).

Start wsadmin client

$ cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin

$ ./wsadmin.sh -lang jython

List existing repositories

wsadmin> AdminTask.listIdMgrRepositories()

should return: –

‘{InternalFileRepository={repositoryType=File, host=LocalHost}}’

Configure the Administrative User Registry ( assume that we’re keeping the WAS admin in file-based registry )

wsadmin> AdminTask.configureAdminWIMUserRegistry(‘[-realmName defaultWIMFileBasedRealm -verifyRegistry false ]’)

Add the LDAP server

wsadmin> AdminTask.createIdMgrLDAPRepository(‘[-default true -id LDAP1 -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -supportChangeLog none -certificateFilter -loginProperties uid]’)

wsadmin> AdminTask.addIdMgrLDAPServer(‘[-id LDAP1 -host bluepages.ibm.com -port 389 -bindDN uid=8817222GB,c=gb,ou=bluepages,o=ibm.com -bindPassword passw0rd! -referal ignore -sslEnabled false -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -certificateFilter]’)

wsadmin> AdminTask.updateIdMgrLDAPRepository(‘[-id LDAP1 -loginProperties [“”]]’)

wsadmin> AdminTask.updateIdMgrLDAPRepository(‘[-id LDAP1 -adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -ldapServerType IDS -sslConfiguration -certificateMapMode exactdn -certificateFilter -supportChangeLog none -loginProperties uid]’)

Add the Base Entries

wsadmin> AdminTask.addIdMgrRepositoryBaseEntry(‘[-id LDAP1 -name o=ibm.com -nameInRepository o=ibm.com]’)

wsadmin> AdminTask.addIdMgrRealmBaseEntry(‘[-name defaultWIMFileBasedRealm -baseEntry o=ibm.com]’)

Validate the Admin Name ( wasadmin in file-based registry )

wsadmin> AdminTask.validateAdminName(‘[-registryType WIMUserRegistry -adminUser wasadmin ]’)

Enable Global Security and set Federated Repositories to be default

wsadmin> AdminTask.setAdminActiveSecuritySettings(‘[-activeUserRegistry WIMUserRegistry -enableGlobalSecurity true]’)

Set the LDAP search filters

wsadmin> AdminTask.updateIdMgrLDAPEntityType(‘[-id LDAP1 -name PersonAccount -objectClasses inetOrgPerson -searchBases ou=bluepages,o=ibm.com -searchFilter ]’)

Save changes

wsadmin> AdminConfig.save()

Validate changes

wsadmin> AdminTask.listIdMgrRepositories()

should return: –

‘{InternalFileRepository={repositoryType=File, host=LocalHost}, LDAP1={repositoryType=LDAP, specificRepositoryType=IDS, host=bluepages.ibm.com}}’

wsadmin> AdminTask.listIdMgrRepositoryBaseEntries(‘[-id LDAP1]’)

should return: –

‘{o=ibm.com=o=ibm.com}’

Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414)

Cause

The cause of this problem is that the plug-in keystore does not have the correct SSL signer certificate to match with the SSL personal certificate from the WebSphere Application Server node.
Environment
Note, this technote applies to WebSphere Application Server V7.0 (and later). If you are having the “GSK_ERROR_BAD_CERT” with a previous version of WebSphere Application Server, see the following technote instead: GSK_ERROR_BAD_CERT error configuring SSL between Plug-in and Application Server V6.1.

Resolving the problem

Environment
Note, this technote applies to WebSphere Application Server V7.0 (and later). If you are having the “GSK_ERROR_BAD_CERT” with a previous version of WebSphere Application Server, see the following technote instead: GSK_ERROR_BAD_CERT error configuring SSL between Plug-in and Application Server V6.1.
Resolving the problem
It is possible that the Plug-in keystore (plugin-key.kdb) on the WebSphere Application Server side, may already contain the necessary SSL signer certificates. If so, you can resolve this error by simply copying that plugin-key.kdb file to the web server system, and restarting the web server. In that case, please skip down, and start at step 20 below.

Often the Plug-in keystore (plugin-key.kdb) on the WebSphere Application Server side does NOT contain the necessary SSL signer certificates yet, so you need to find the correct signer certificate from the WebSphere Node and add it as a Signer certificate to the Plug-in CMS keystore, then copy the plugin-key.kdb file to the web server system.

NOTE: The plug-in keystore must contain the Signer Certificates for every WebSphere Node in the cell. So, if your cell has multiple WebSphere Nodes, you will need to repeat steps 1-19 for each one.

Here are the exact steps to use in the WebSphere Application Server administrative console:
In the WebSphere Application Server administrative console, go to Security > SSL certificate and key management > Manage endpoint security configurations.

Click on the WebSphere Application Server node (NodeDefaultSSLSettings).

Click on Key stores and certificates on the right side.

Click on NodeDefaultKeyStore.

Click on Personal certificates on the right side.

You will see a chained certificate. The personal certificate is the first one in the chain. The signer certificate is the second one in the chain. Look at the CN in the signer certificate. Also look at the serial number of the signer certificate.

Note: That is the exact signer certificate that you need to use.

Go back to the Key stores and certificates page.

Click on NodeDefaultTrustStore.

Click on Signer certificates on the right side.

Find the signer certificate with the match CN and serial number from above, and check the box next to it. Click Extract.

Note: That is the exact signer certificate that you need to use.

Go back to the Key stores and certificates page.

Click on NodeDefaultTrustStore.

Click on Signer certificates on the right side.

Find the signer certificate with the match CN and serial number from above, and check the box next to it. Click Extract.

Enter a temporary path and filename (for example: /tmp/nodeRootSigner.arm). Click OK.

Go back to the Manage endpoint security configurations page.

Find the node which contains the web server definition. You will need to look inside the node and look inside the servers folder to find the web server (for example: webserver1). Click on the web server name.

Click on Key stores and certificates on the right side.

Click on CMSKeyStore (this is a link to the plugin-key.kdb file).

Click on Signer certificates.

Click Add.

Enter an Alias like “NodeRootSigner”, and enter the path and filename from step 7 (for example: /tmp/nodeRootSigner.arm). Click OK.

Enter a temporary path and filename (for example: /tmp/nodeRootSigner.arm). Click OK.

Go back to the Manage endpoint security configurations page.

Click on Key stores and certificates on the right side.

Click on CMSKeyStore (this is a link to the plugin-key.kdb file).

Click on Signer certificates.

Click the Save link to save the changes.

Now go to Servers > Server Types > Web servers.

Click on the web server name in the list (for example: webserver1).

Click on Plug-in properties.

Click Copy to Web server key store directory. If the button is disabled, you will need to locate the plugin-key.kdb file on the deployment manager system, and copy it to the web server system into the Plugins/config/web_server directory. Where “webserver” is the name of the web server (for example: webserver1).

Click Add.

Enter an Alias like “NodeRootSigner”, and enter the path and filename from step 7 (for example: /tmp/nodeRootSigner.arm). Click OK

Click the Save link to save the changes.
Now go to Servers > Server Types > Web servers.
Click on the web server name in the list (for example: webserver1).
Click on Plug-in properties.
Click Copy to Web server key store directory. If the button is disabled, you will need to locate the plugin-key.kdb file on the deployment manager system, and copy it to the web server system into the Plugins/config/web_server directory. Where “webserver” is the name of the web server (for example: webserver1).

Note: If the “Copy to Web server key store directory” button is not enabled (greyed out) it means that the web server definition does not have a Plug-in CMS keystore file. To avoid this problem, install the latest WAS fixpacks before creating the web server definition in WAS.
Stop and restart the web server, and test to ensure that the HTTPS connection between the web server plug-in and the WebSphere Application Server application server is able to connect successfully now.

Determining if ip address is already in use for device eth0. how to fix the issue RHEL FEDORA CENTOS

[ OK ]
[root@cluster3 ~]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: Determining if ip address 192.168.1.42 is already in use for device eth0…
[ OK ]
[root@cluster3 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:0C:E4:46
inet addr:192.168.1.42 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe0c:e446/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:325 errors:0 dropped:0 overruns:0 frame:0
TX packets:266 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:32433 (31.6 KiB) TX bytes:55836 (54.5 KiB)
Interrupt:19 Base address:0x2000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ADD ARPCHECK=no

[root@cluster3 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=”eth0″
BOOTPROTO=none
NM_CONTROLLED=”yes”
ONBOOT=yes
TYPE=”Ethernet”
UUID=”aaf08461-bf96-4b7a-9ff0-07a5bd8d3259″
HWADDR=00:0C:29:0C:E4:46
IPADDR=192.168.1.42
PREFIX=24
NETMASK=255.255.255.0
GATEWAY=192.168.1.254
ARPCHECK=no
DNS1=8.8.8.8
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME=”System eth0″

Recent Posts

Pages

Categories

Archives

Recent Comments

Categories

IIS 7.5 – uploadReadAheadSize

1. uploadReadAheadSize

2. maxReceivedMessageSize

WebSphere Console LDAP Authentication

Overview

Prerequisites

Backup

Enable Administrative Security

Configure Federated Repositories

Configure the InternalFileRepository

Configure a LDAP Repository

Configure Federated Repositories II

Set up Administrative Group Roles

Test

Monitoring

Troubleshooting

Logging as defined user works, but not through group membership

Before you begin

About this task

Procedure

Problem(Abstract)

Resolving the problem

WebSphere Global Security OFF

Using wsadmin to enable an LDAP Federated Repository in WebSphere Application Server 8.5

PRODUCTS