30 July 2012

HPDAZ0602E Corrupted file: Insufficient information to contact a Policy Server (SECJ0391E)

Now, a few words about possible problems when configuring external JACC authorization provider for WebSphere App Server, namely - Tivoli Access Manager. The key issue here always lies in obtaining Policy Server's certificate for JRE to authenticate later on. This can be done in various ways (sslsrvcfg, pdconfig etc.) and obviously, the results may vary depending on the way used - at least it seems so.
Anyway, recently I was asked what may be the reason for the following error appearing in the logs:

[7/25/12 10:07:44:950 CEST] 00000013 AMWASConfigMe I   com.tivoli.pd.as.jacc.cfg.TAMConfigController execute() AWXJC0048E   An error occurred during the configuration. The details are: com.tivoli.pd.as.jacc.cfg.ConfigActionFailedException:
[java.lang.IllegalStateException: HPDAZ0602E   Corrupted file: Insufficient information to contact a Policy Server.

Wrappered Exception:
java.lang.IllegalStateException: HPDAZ0602E   Corrupted file: Insufficient information to contact a Policy Server..

This one happened during JACC configuration attempt from the WAS admin console, when console reported that action cannot be successfully completed. "Insufficient information" could only mean that JRE is trying to register with Policy Server, but fails to trust/present valid certificate. Unfortunately, we were stubborn, and hoped that action will complete during server restart. But after saving configuration and restarting server, it fails to start! In the logs we could see:

[7/25/12 10:19:49:404 CEST] 00000000 distSecurityC E   SECJ0391E: Error when setting the Policy object to the provider's policy implementation com.tivoli.pd.as.jacc.TAMPolicy. The exception is com.tivoli.pd.as.jacc.util.JACCException: AWXJR0006E   The file, /opt/ibm/WebSphere/AppServer/profiles/PSS1UPRB01DMgr/etc/tam/amwas.PSS1UPRB01DMgr_dmgr.amjacc.properties, was not found.
    at com.tivoli.pd.as.jacc.TAMPolicy.init(TAMPolicy.java:680)
    at com.tivoli.pd.as.jacc.TAMPolicy.<init>(TAMPolicy.java:97)
    at java.lang.J9VMInternals.newInstanceImpl(Native Method)
    at java.lang.Class.newInstance(Class.java:1345)

which meant that WAS has got JACC enabled, but in fact had failed to provide proper configuration file for amwas/jacc. We gave it some thinking and first, we had to recover from this fatal condition: by editing security.xml we disabled security and disabled using JACC in section:

<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:orb.securityprotocol="http://www.ibm.com/websphere/appserver/schemas/5.0/orb.securityprotocol.xmi" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Security_1" useLocalSecurityServer="true" useDomainQualifiedUserNames="false" enabled="true" cacheTimeout="600" issuePermissionWarning="false" activeProtocol="BOTH" enforceJava2Security="false" enforceFineGrainedJCASecurity="false" appEnabled="true" dynamicallyUpdateSSLConfig="true" allowBasicAuth="true" activeAuthMechanism="LTPA_1" activeUserRegistry="WIMUserRegistry_1" defaultSSLSettings="SSLConfig_1"> <--- change bold to FALSE

<authConfig xmi:id="AuthorizationConfig_1" useJACCProvider="true">  <-- change bold to FALSE   

After that server went up again and we gave a bit thinking to the problem. It turned out to be awfully simple and...well, strange ? We had to add hostname of the WAS machine to policy server's /etc/hosts. Possibly this can be also solved by adding WAS hostname to DNS, anyway, pdmgrd must be able to resolve WAS's IP based on presented hostname. Then, we were able to complete JACC configuration successfully, turn security back on for the whole cell, save and restart and all worked like a wonder!

Why do I say it was strange? Because my suspicion is that different PD.jar packages (or more precisely: pd.* classes) responsible for connecting to Policy Server do this in a different way. I'm too weak a programmer to dig this up and resolve it 100%, but I just know that you may get different results when a) configuring JRE from pdconfig b) using sslsrvcfg and c) configuring JACC from WAS (WebSphere's embedded TAM) - eventually, you just need to see what works best for you.

Good luck, leave a comment if it helped!

23 July 2012

SSL/HTTPS - problems with kdb files

I'm active Experts Exchange contributor, and there's this SSL/kdb problem. I indulge myself into publishing my comment to one of the questions (http://www.experts-exchange.com/Networking/Protocols/Application_Protocols/SSL/Q_27794894.html) here (with some edits):

It's on CMS format (IBM Key Database file) and problems with opening it with your ikeyman tool (with WebSphere java):
  • for CMS it is IBM proprietary format (like LTPA) and is not available in non-IBM JRE/JDKs, BUT I also had this issue that WAS's JDK could not open CMS (kdb) files - can't really say why as I did not troubleshoot it. but the workaround that worked for me was to run ikeyman not from /opt/IBM/WebSphere/AppServ
er/java but from different WAS package JRE - like UpdateInstaller or InstallationManager - I'm sure you have either installed on your machine so try them.
I just now checked how it looks like when running ikeyman from: C:\Program Files (x86)\IBM\WebSphere\AppServer\java\jre\bin I can operate on CMS files but when running  from: C:\Program Files (x86)\IBM\Java60\jre\bin I can't, so it might be something with your java paths. If you can't figure it out, try the workaround I suggested above (UI or IM java)
  • difference between kdb and p12 is - at least this is "emiprical" difference experienced by me - that kdb usually houses many certificates (signer&personal) for use by applications, whereas p12 is usually used to carry one certificate from an issuer to the owner (for instance I get my corporate certificate in p12 from supplier). just "any" java's keytool or any gsk7 won't be able to open kdb file, it must me somewhere near ;) WebSphere  
  • if you use kdb file for your IHS, don't forget to indicate your certificate as "default" in the kdb file. I was looking for the way to set cert alias to use from within httpd.conf file, but it seems to be impossible
  • I thought that IHS uses ONLY kdb database to get certifcates from but I just found that you may simply supply crt file - PEM encoded (example: http://rimuhosting.com/howto/modssl.jsp) 

  • some reference - different product, but usage of gsk7 commands is given:
  • ocenter/tivihelp/v3r1/index.jsp?topic=%2Fcom.ibm.tivoli.itws.doc_8.5.1%2Ffipsensurenetwork.htm

    10 July 2012

    WebSphere Community Blog: WebSphere Application Server V8.5 is Now Available...

    Now watch this... this is really cool!

    WebSphere Community Blog: WebSphere Application Server V8.5 is Now Available...: I first talked about WAS V8.5 back in October 2011 when we started the early program. And in June 2012 we shipped it...Walt Noffsinger, WAS...

    09 July 2012

    Windows 7 XP Mode - Virtual PC

    Did you know that windows 7 users have the option to create easily virtual machines with Windows XP? It is called "XP mode" and works really great?

    A colleague of mine has recommended it a long time ago, but until recently I had no real need to use it, because all my critical work tools ran smoothly on win7. But a few days ago I wanted to set up a test environment for some IBM software and I didn't want to infest my usual Win7 machine with additional software, which I will probably want to discard soon. So, having downloaded XP mode package I configured it, wondering will it be useful at all. It turned out pretty good!

    Installation is quite quick - I guess VPC shares some libraries with the host system and does not really create VMWare-like virtual machine - rather slices out some system resources and presents it as a standalone VM. Anyhow it makes it, it does it really well. XP machine starts literally a few minutes after you begin installation of XP Mode and it runs pretty quickly, letting your work on the VM to be quite nice - no noticable lags, hard disk scratching and so on. And it is all on the encrypted hard disk.

    You can use XP Mode twa ways: either as a standalone vm, or as a "xp native" runtime for applications hosted in fact on your Win7 system, with whom for some reasons xp compatibility set in program properties is not enough. I did no try the latter, but I assume the experience would be good as well.

    The XP VPC is istantly connected to the internet (provided of course your host system is) by the means of NAT. However, if you want to connect over tcp ip to some software running on the VM, like some specific port, you need to do some tweaking. It'd be a nice topic for another post, but I did not solve this issue myself, so I just post a link to a forum page with solution by "judios".
    So anyway - if you are a licensed Win7 user and you need a simple WinXP virtal machine VPC is definately a thing for you! Good luck, have fun and don't bother to leave a comment!