Showing posts with label ihs.

23 July 2012

SSL/HTTPS - problems with kdb files

I'm an active Experts Exchange contributor, and there's this SSL/kdb problem. I'm indulging myself by publishing my comment to one of the questions (http://www.experts-exchange.com/Networking/Protocols/Application_Protocols/SSL/Q_27794894.html) here (with some edits):

It's about the CMS format (IBM Key Database file) and problems with opening it with your ikeyman tool (with WebSphere Java):
  • for CMS: it is an IBM proprietary format (like LTPA) and is not available in non-IBM JREs/JDKs, BUT I also had this issue that WAS's JDK could not open CMS (kdb) files - can't really say why as I did not troubleshoot it. But the workaround that worked for me was to run ikeyman not from /opt/IBM/WebSphere/AppServer/java but from a different WAS package JRE - like UpdateInstaller or InstallationManager - I'm sure you have either installed on your machine, so try them.
I just checked what it looks like when running ikeyman from C:\Program Files (x86)\IBM\WebSphere\AppServer\java\jre\bin: I can operate on CMS files, but when running from C:\Program Files (x86)\IBM\Java60\jre\bin I can't, so it might be something with your Java paths. If you can't figure it out, try the workaround I suggested above (UI or IM Java).
  • the difference between kdb and p12 is - at least this is the "empirical" difference I have experienced - that a kdb usually houses many certificates (signer & personal) for use by applications, whereas a p12 is usually used to carry one certificate from an issuer to the owner (for instance, I get my corporate certificate in p12 from the supplier). Not just "any" Java keytool or any gsk7 will be able to open a kdb file; it must be one from somewhere near ;) WebSphere
  • if you use a kdb file for your IHS, don't forget to mark your certificate as "default" in the kdb file. I was looking for a way to set the cert alias to use from within the httpd.conf file, but it seems to be impossible
  • I thought that IHS uses ONLY a kdb database to get certificates from, but I just found that you may simply supply a crt file - PEM encoded (example: http://rimuhosting.com/howto/modssl.jsp)

  • some reference - a different product, but usage of gsk7 commands is given:
    http://pic.dhe.ibm.com/infocenter/tivihelp/v3r1/index.jsp?topic=%2Fcom.ibm.tivoli.itws.doc_8.5.1%2Ffipsensurenetwork.htm

27 February 2012

IBM HTTP Server not starting - http_plugin.log excess size

I just happened to come across the following error:
I'm using IBM HTTP Server 7 with the WAS Plugin configured. The following behavior was observed - after attempting to start IHS with

<IHS_INSTALL_ROOT>/bin/apachectl start

control returns to the shell, as it should. But when I checked whether IHS is up and running with

netstat -an | grep <portnumber>

it didn't show the desired port listening; however, looking for httpd processes with:

ps -ef | grep httpd

showed all the necessary httpd processes (namely, 4 of them). That is the problem symptom.

This was the second time I came across that, so I knew what to do. The clue is the http_plugin.log file size: when it grows over 2147483647 bytes (on Linux), the OS is no longer able to write to it, despite the seemingly successful startup of the server. So you just need to remove this file (or move it elsewhere if you need it) and try to start IHS again; it will recreate the file and work fine. The log file is located in <PLUGIN_ROOT>/logs/<Servername>/http_plugin.log

If you happen to see this malfunction, review your WAS plugin LogLevel settings. Remember that at Trace or Detail level it generates quite a lot of entries and the log grows very quickly. If your system is working fine and you don't have any sophisticated log file monitoring implemented, just change it to Info or Warn - it will be sufficient and your log file won't clog up.
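As an added example (not from the original post), a small POSIX shell guard that checks http_plugin.log against the 2147483647-byte limit described above and moves the file aside before IHS is started. The function names and the timestamped rotation are my own choices; the paths are the post's placeholders.

```shell
# Pre-start guard for IHS: the WAS plugin can no longer write http_plugin.log
# once it reaches 2147483647 bytes on Linux, and IHS then shows its httpd
# processes but never listens. Rotate an oversized log aside before starting.
PLUGIN_LOG_LIMIT=2147483647

# plugin_log_size FILE: size in bytes (0 if FILE is missing).
# Field 5 of 'ls -l' is the size on POSIX systems; the file is not read.
plugin_log_size() {
    [ -f "$1" ] || { echo 0; return 0; }
    ls -l "$1" | awk '{ print $5 }'
}

# plugin_log_too_large FILE [LIMIT]: true (0) when FILE is at or over LIMIT
# bytes; LIMIT defaults to the 2 GiB write limit described above.
plugin_log_too_large() {
    _size=$(plugin_log_size "$1")
    [ "$_size" -ge "${2:-$PLUGIN_LOG_LIMIT}" ]
}

# rotate_plugin_log FILE: move FILE to FILE.<timestamp> so it can still be
# inspected, and print the new name. Fails (1) if the move fails.
rotate_plugin_log() {
    _new="$1.$(date +%Y%m%d%H%M%S)"
    mv "$1" "$_new" || return 1
    echo "$_new"
}

# ihs_prestart LOG [LIMIT]: run before 'apachectl start'. Rotates LOG when
# it is too large; returns 0 when it is safe to start IHS.
ihs_prestart() {
    if plugin_log_too_large "$1" "${2:-$PLUGIN_LOG_LIMIT}"; then
        echo "$1 is $(plugin_log_size "$1") bytes, rotating it" >&2
        rotate_plugin_log "$1" >/dev/null || return 1
    fi
    return 0
}

# Usage (paths are placeholders, as in the post):
# ihs_prestart <PLUGIN_ROOT>/logs/<Servername>/http_plugin.log \
#     && <IHS_INSTALL_ROOT>/bin/apachectl start
```

The LIMIT argument exists only so the rotation path can be exercised on a small file; in production leave it at the default.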

Good luck, thanks for comments and feedback!

13 January 2012

WebSphere: disable SSL between IHS and WAS (IHS SSL offload)

Ever wondered how to disable SSL between IHS and WebSphere App Server? In some environments, your IHS and WAS both remain in a secure zone, and you don't want to spend any CPU time doing SSL between the web server and the backend server.
In the case of the IBM HTTP Server + WAS combination there's a simple way to do it:

• assuming you have the Plugin already configured for IHS, you need to edit its config (plugin-cfg.xml) with some editor, e.g. vi
• find the section for the backend server cluster you want to SSL off-load:
<ServerCluster CloneSeparatorChange="false" GetDWLMTable="false" IgnoreAffinityRequests="true" LoadBalance="Round Robin" Name="clustername" PostBufferSize="64" PostSizeLimit="-1" RemoveSpecialHeaders="true" RetryInterval="60">
   <Server ConnectTimeout="5" ExtendedHandshake="false" MaxConnections="-1" Name="PTS2CSIP01Node_STS2CSIP01S01" ServerIOTimeout="60" WaitForContinue="false">
      <Transport Hostname="backend_hostname" Port="4300" Protocol="http"/>
      <Transport Hostname="backend_hostname" Port="4343" Protocol="https">
         <Property Name="keyring" Value="/opt/ibm/HTTPServer/Plugins/config/plgcfgname/plugin-key.kdb"/>
         <Property Name="stashfile" Value="/opt/ibm/HTTPServer/Plugins/config/plgcfgname/plugin-key.sth"/>
      </Transport>
   </Server>
</ServerCluster>


and comment out the second Transport definition to:

      <!--Transport Hostname="backend_hostname" Port="4343" Protocol="https">
         <Property Name="keyring" Value="/opt/ibm/HTTPServer/Plugins/config/plgcfgname/plugin-key.kdb"/>
         <Property Name="stashfile" Value="/opt/ibm/HTTPServer/Plugins/config/plgcfgname/plugin-key.sth"/>
      </Transport-->

• restart your IHS server and check in error_log whether the plugin has been loaded properly.
To check, you may turn on plugin tracing:

<Log LogLevel="Trace" Name="/opt/ibm/HTTPServer/Plugins/logs/plgcfgname/http_plugin.log"/>

Restart IHS once again and tail http_plugin.log while sending a request to the https port of IHS. You should get a trace like this:
TRACE: ws_common: websphereFindTransport: Finding the transport
DETAIL: ws_common: websphereFindTransport: Setting the transport(case 3): backend_hostname on port 4300 <--- PLEASE NOTE THIS IS HTTP PORT OF WAS!
TRACE: ws_common: websphereExecute: Executing the transaction with the app server reqInfo is OKuseExistingStream=0, client->stream=(nil)
DEBUG: ws_common: websphereGetStream: Getting the stream to the app server
TRACE: ws_transport: transportStreamDequeue: Checking for existing stream from the queue
TRACE: ws_common: websphereGetStream: Have a connect timeout of 5; Setting socket to not block for the connect
TRACE: ws_common: websphereGetStream: Reseting socket to block
TRACE: ws_common: websphereGetStream: Setting socket to non-block for ServerIOTimeout over HTTP
DEBUG: ws_common: websphereGetStream: socket 13 connected to backend_hostname:4300
DEBUG: lib_stream: openStream: Opening the stream
DETAIL: ws_common: websphereGetStream: Created a new stream; queue was empty, socket = 13
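Added example, not part of the original post: a POSIX shell check that lists the transports still live in plugin-cfg.xml while skipping commented-out ones (a plain grep for Protocol="https" would still match the comment, so it cannot confirm the off-load), and that pulls the host and port the plugin actually chose out of the http_plugin.log trace shown above. The function names and the sample plugin-cfg.xml fragment are constructed here.

```shell
# Check plugin-cfg.xml after SSL off-load: list every <Transport> that is still
# live, skipping anything inside <!-- ... -->, and read back which transport the
# plugin really picked from the websphereFindTransport line in http_plugin.log.
# active_transports CFG: prints "hostname port protocol" for each live Transport.
active_transports() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {                       # drop text up to "-->"
                i = index(line, "-->")
                if (i == 0) break
                line = substr(line, i + 3); incomment = 0
            } else {                               # keep text up to "<!--"
                i = index(line, "<!--")
                if (i == 0) { out = out line; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); incomment = 1
            }
        }
        if (match(out, /<Transport[^>]*/)) {
            t = substr(out, RSTART, RLENGTH)
            match(t, /Hostname="[^"]*"/); h = substr(t, RSTART + 10, RLENGTH - 11)
            match(t, /Port="[^"]*"/);     p = substr(t, RSTART + 6, RLENGTH - 7)
            match(t, /Protocol="[^"]*"/); r = substr(t, RSTART + 10, RLENGTH - 11)
            print h, p, r
        }
    }' "$1"
}
# https_transport_count CFG: live https transports; 0 means fully off-loaded.
https_transport_count() {
    active_transports "$1" | awk '$3 == "https"' | wc -l | tr -d ' '
}
# chosen_transport LOG: "hostname port" from the last websphereFindTransport
# 'Setting the transport' DETAIL line, as in the trace above.
chosen_transport() {
    sed -n 's/.*websphereFindTransport: Setting the transport([^)]*): \([^ ]*\) on port \([0-9]*\).*/\1 \2/p' "$1" | tail -n 1
}
# sample_plugin_cfg: constructed fragment mirroring the post, https commented out.
sample_plugin_cfg() {
    cat <<'EOF'
<ServerCluster Name="clustername">
   <Transport Hostname="backend_hostname" Port="4300" Protocol="http"/>
   <!--Transport Hostname="backend_hostname" Port="4343" Protocol="https">
   </Transport-->
</ServerCluster>
EOF
}
```

Run https_transport_count against each plugin-cfg.xml copy the web servers actually load; a non-zero count for the off-loaded cluster means the edit did not take effect there.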


Any questions? Good luck!!! Feel free to comment & leave feedback.