20 December 2011

pdadmin login fail after migration

There are time that you want to do some unusual stuff with Tivoli Access Manager such as migrate whole TAM instance to a different machine/environment. I did that when trying to replicate KVM environment to a different location, with changing target KVMs IPs to exactly match original one and all the rest as well, including LDAP.

That last component replacement seemed to be a bit too harsh for TAM, and despite copying secAuthority suffix data 1:1, after starting KVM machine and trying to log into pdadmin, I failed to authenticate.

After some investigation it turned out that after copying security suffix data into LDAP, you then need to apply TAM acls to secAuthority objects with ivrgy tool, such as:

/opt/PolicyDirector/sbin/ivrgy_tool -h ldap_host -389 -D "<LDAP_admin_id>" -w <LDAP_admin_pwd> add-acls domain_name

where domain_name is usually Default, but you may also have something more fancy :)

good luck, feel free to comment.

02 December 2011

WebSphere console error SRVE0260E

If when trying to log to a newly configured Deployment Manager in Websphere you see the following error with a stack dump:

Error Page Exception
SRVE0260E: The server cannot use the error page specified for your application to handle the Original Exception printed below.

Original Exception:
Error Message: java.lang.NullPointerException
Error Code: 500
Target Servlet:
Error Stack:
     at com.ibm.isclite.container.provider.PortletContainerContextProvider.addContainerService(PortletContainerContextProvider.java:101)

then you need to raise your system limit for number of open files. on linux you do it with ulimit command:

ulimit -f 8192

where number depends on the DMgr console configuration - for standard WebSphere 1024 is sufficient, whereas with WebSphere Process Server 7 you need to raise it more, to, say, 8192.

Using ulimit -f however sets ulimit for your shell session only, so next time when you restart dmgr in your shell you will hit the same problem again. You can either raise fopen parameter for your profile (in .profile) or for the whole system by inserting:

#<domain>      <type>  <item>         <value>

*               soft    nofile          8192

to /etc/security/limits.conf. You must reboot your Linux in order for this change to take effect.

But of course beware on the impact on your system and consider this change well.

Good luck! Please leave a comment if my hint helped you and feel free to contact me on G+ !

24 November 2011

websphere addNode problem: ADMU0036E: The Deployment Manager cannot lookup by name host at address

That's exactly what hit me: I was trying to federate node to deployment manager when I got this error:

ADMU0036E: The Deployment Manager cannot lookup by name host .. at address

I checked local config: no address was there.
I found this thread on developerWorks, and it helped me - I just needed to turn of loopback interface with:

/etc/init.d/network stop lo

After that addNode went smoothly.

Software version: WAS, SLES 11.1

09 November 2011

strongly recommended for anyone at tech lost: The New Experts Exchange!

Ever been stuck in tech problem? Google is no use in your case? Get ready for the new Experts Exchange! Thousands of experts just waiting for your call!

07 November 2011

Linux port forwarding (port 389, LDAP Proxy)

What I was trying to do this morning was to get my LDAP proxy going. By LDAP proxy I mean simple port 389 forwarding from one machine to the 389 port on actual LDAP server.

After intial attmpt to set up iptables to do what I wanted, I started to look through internet, as this posed to be non-trivial task, at least for me.

Eventually, after putting together instructions found on numerous web pages and forums I put together my Golden Instruction!!! TaDAM!

It looks like that:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -p tcp --dport 389 -j ACCEPT
iptables -t nat -A POSTROUTING -d ldap_ip_number -j MASQUERADE
iptables -t nat -A PREROUTING -i bond0 -d box_ip_number -p tcp --dport 389 -j DNAT --to

It does the following:

you connect on port 389 of the "box" machine and you can use LDAP running on "ldap" machine.

Simple as it is, but finally I got my satisfaction.

Hope this helps! Good luck.

18 October 2011

UTF-8 characters import into LDAP (TDS)

Related to previous post is the following problem: how to batch process multiple LDAP entries based on LDIF files, for entries containing UTF-8 characters (like polish specials)?
The way you should deal with them is quite similar, but you need to do one additional step: use Base64 encoding to pass UTF-8s to LDAP.

So, if you find yourself facing the following problem:
  • ldapmodify: no DN specified
  • ldap_add: Invalid DN syntax (34)
            additional info: R004054 Invalid UTF-8 character found in string value
you need to do the following:
  1. Prepare your data in a text file but before pasting/typing in set encodingo to UTF-8, eg:

    dn: cn=Kłak Szósty,ou=1,ou=2,O=myorg,C=PL
    cn: Kłak Szósty
    sn: 12345678901
    objectclass: person
    objectclass: top

  2. Now, use any tool to encodee UTF-8 strings into Base64 to get something like:

    dn:: Y249S8WCYWsgU3rDs3N0eSxvdT0xLG91PTIsTz1teW9yZyxDPVBM
    cn:: S8WCYWsgU3rDs3N0eQ==
    sn: 12345678901
    objectclass: person
    objectclass: top

    and be sure that you've added second colon (:) before b64 values!!

    for Base64 encode I use N++ MIME plugin.
  3. Having "based" your strings, now convert the file to ANSI (save as ANSI). This does not change the way it looks on the screen
  4. Copy to the target system using "binary" transfer mode and use it as an input to ldap shell tools (ldapadd, ldapmodify)
It should now work nice and smooth. The tools of preference are still WinSCP and Notepad++ , of course (for encoding you need MIME plugin). Good luck!

14 October 2011

UTF-8 characters in pdadmin (TAM 6.1)

Recently I came across the following problem: how to import LDAP users that have UTF-8 (Polish) characters into TAM with pdadmin? When you simply run pdadmin and use user import command, you will get the result as in following example:

user import elenaciezka "cn=Elena Ciężka,ou=1,ou=2,ou=3,O=myorg,C=PL"

Could not perform the administration request
Error: HPDMG0755W   The specified Distinguished Name (DN) does not exist. (status 0x14c012f3)

As you can easily add these users with Web Portal Manager, that means there is *the way* to do it with pdadmin, which is useful if you want to import more than ten-s of users...

A little googling and the solution to this problem is to use command files as input to pdadmin, which contain UTF-8 characters of your choice. but that's a little peculiar as you need to prepare the command file as ANSI type :)

So, that's what you need to do:
  1. prepare command file, setting UTF-8 encoding first so you get:

    user import elenaciezka "cn=Elena Ciężka,ou=1,ou=2,ou=3,O=myorg,C=PL"
  2. change the encoding to ANSI and you see:

    user import elenaciezka "cn=Elena Ciężka,ou=1,ou=2,ou=3,O=myorg,C=PL"
  3. save the file (say: tam_import.txt) and copy it to your target system using binary mode (most safe in terms of transmission of some strange stuff)
  4. before running pdadmin set shell to use your locale:

    export LANG=pl_PL.utf-8

  5. and you can finally use your file:

    pdadmin -a sec_master -p your_password tam_import.txt
And that should be all. for file conversion you can use text editor of your choice, my preference is the ultimate Notepad++ (seriously guys, n++ is awesome!!) and for transfer any scp client (WinSCP, I prefer).

Good luck guys, and come back for more.

another blog, another idea

hello everyone.

I already had several attempts to start up my blog but honestly, I always lack commitment and regularity to post once some time.
I'm working as IT Specialist and almost every day I find these simple, little problems that seem an obstacle on my way to successful implementation. Usually after some digging in the net I come across the pieces of the puzzle that let me solve my issue. So here's my goal: I will post the whole puzzles here in simple steps.
I do hope they will be found useful by others who deal with similar stuff.

To sum up: stuff is mainly WebSphere family, TAM,TDS & TFIM. Particularly WS-Security and security integration. And yes, I'm and IBM employee.
So please remember that none of the statements posted on this blog are the official statement of IBM Company.