30 July 2012

HPDAZ0602E Corrupted file: Insufficient information to contact a Policy Server (SECJ0391E)

Now, a few words about possible problems when configuring external JACC authorization provider for WebSphere App Server, namely - Tivoli Access Manager. The key issue here always lies in obtaining Policy Server's certificate for JRE to authenticate later on. This can be done in various ways (sslsrvcfg, pdconfig etc.) and obviously, the results may vary depending on the way used - at least it seems so.
Anyway, recently I was asked what may be the reason for the following error appearing in the logs:

[7/25/12 10:07:44:950 CEST] 00000013 AMWASConfigMe I   com.tivoli.pd.as.jacc.cfg.TAMConfigController execute() AWXJC0048E   An error occurred during the configuration. The details are: com.tivoli.pd.as.jacc.cfg.ConfigActionFailedException:
[java.lang.IllegalStateException: HPDAZ0602E   Corrupted file: Insufficient information to contact a Policy Server.
]

Wrappered Exception:
java.lang.IllegalStateException: HPDAZ0602E   Corrupted file: Insufficient information to contact a Policy Server..


This one happened during JACC configuration attempt from the WAS admin console, when console reported that action cannot be successfully completed. "Insufficient information" could only mean that JRE is trying to register with Policy Server, but fails to trust/present valid certificate. Unfortunately, we were stubborn, and hoped that action will complete during server restart. But after saving configuration and restarting server, it fails to start! In the logs we could see:

[7/25/12 10:19:49:404 CEST] 00000000 distSecurityC E   SECJ0391E: Error when setting the Policy object to the provider's policy implementation com.tivoli.pd.as.jacc.TAMPolicy. The exception is com.tivoli.pd.as.jacc.util.JACCException: AWXJR0006E   The file, /opt/ibm/WebSphere/AppServer/profiles/PSS1UPRB01DMgr/etc/tam/amwas.PSS1UPRB01DMgr_dmgr.amjacc.properties, was not found.
    at com.tivoli.pd.as.jacc.TAMPolicy.init(TAMPolicy.java:680)
    at com.tivoli.pd.as.jacc.TAMPolicy.<init>(TAMPolicy.java:97)
    at java.lang.J9VMInternals.newInstanceImpl(Native Method)
    at java.lang.Class.newInstance(Class.java:1345)


which meant that WAS has got JACC enabled, but in fact had failed to provide proper configuration file for amwas/jacc. We gave it some thinking and first, we had to recover from this fatal condition: by editing security.xml we disabled security and disabled using JACC in section:

<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:orb.securityprotocol="http://www.ibm.com/websphere/appserver/schemas/5.0/orb.securityprotocol.xmi" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Security_1" useLocalSecurityServer="true" useDomainQualifiedUserNames="false" enabled="true" cacheTimeout="600" issuePermissionWarning="false" activeProtocol="BOTH" enforceJava2Security="false" enforceFineGrainedJCASecurity="false" appEnabled="true" dynamicallyUpdateSSLConfig="true" allowBasicAuth="true" activeAuthMechanism="LTPA_1" activeUserRegistry="WIMUserRegistry_1" defaultSSLSettings="SSLConfig_1"> <--- change bold to FALSE


<authConfig xmi:id="AuthorizationConfig_1" useJACCProvider="true">  <-- change bold to FALSE   


After that server went up again and we gave a bit thinking to the problem. It turned out to be awfully simple and...well, strange ? We had to add hostname of the WAS machine to policy server's /etc/hosts. Possibly this can be also solved by adding WAS hostname to DNS, anyway, pdmgrd must be able to resolve WAS's IP based on presented hostname. Then, we were able to complete JACC configuration successfully, turn security back on for the whole cell, save and restart and all worked like a wonder!

Why do I say it was strange? Because my suspicion is that different PD.jar packages (or more precisely: pd.* classes) responsible for connecting to Policy Server do this in a different way. I'm too weak a programmer to dig this up and resolve it 100%, but I just know that you may get different results when a) configuring JRE from pdconfig b) using sslsrvcfg and c) configuring JACC from WAS (WebSphere's embedded TAM) - eventually, you just need to see what works best for you.

Good luck, leave a comment if it helped!



23 July 2012

SSL/HTTPS - problems with kdb files

I'm active Experts Exchange contributor, and there's this SSL/kdb problem. I indulge myself into publishing my comment to one of the questions (http://www.experts-exchange.com/Networking/Protocols/Application_Protocols/SSL/Q_27794894.html) here (with some edits):

It's on CMS format (IBM Key Database file) and problems with opening it with your ikeyman tool (with WebSphere java):
  • for CMS it is IBM proprietary format (like LTPA) and is not available in non-IBM JRE/JDKs, BUT I also had this issue that WAS's JDK could not open CMS (kdb) files - can't really say why as I did not troubleshoot it. but the workaround that worked for me was to run ikeyman not from /opt/IBM/WebSphere/AppServ
er/java but from different WAS package JRE - like UpdateInstaller or InstallationManager - I'm sure you have either installed on your machine so try them.
I just now checked how it looks like when running ikeyman from: C:\Program Files (x86)\IBM\WebSphere\AppServer\java\jre\bin I can operate on CMS files but when running  from: C:\Program Files (x86)\IBM\Java60\jre\bin I can't, so it might be something with your java paths. If you can't figure it out, try the workaround I suggested above (UI or IM java)
  • difference between kdb and p12 is - at least this is "emiprical" difference experienced by me - that kdb usually houses many certificates (signer&personal) for use by applications, whereas p12 is usually used to carry one certificate from an issuer to the owner (for instance I get my corporate certificate in p12 from supplier). just "any" java's keytool or any gsk7 won't be able to open kdb file, it must me somewhere near ;) WebSphere  
  • if you use kdb file for your IHS, don't forget to indicate your certificate as "default" in the kdb file. I was looking for the way to set cert alias to use from within httpd.conf file, but it seems to be impossible
  • I thought that IHS uses ONLY kdb database to get certifcates from but I just found that you may simply supply crt file - PEM encoded (example: http://rimuhosting.com/howto/modssl.jsp) 

  • some reference - different product, but usage of gsk7 commands is given:
    http://pic.dhe.ibm.com/inf
  • ocenter/tivihelp/v3r1/index.jsp?topic=%2Fcom.ibm.tivoli.itws.doc_8.5.1%2Ffipsensurenetwork.htm

    10 July 2012

    WebSphere Community Blog: WebSphere Application Server V8.5 is Now Available...

    Now watch this... this is really cool!

    WebSphere Community Blog: WebSphere Application Server V8.5 is Now Available...: I first talked about WAS V8.5 back in October 2011 when we started the early program. And in June 2012 we shipped it...Walt Noffsinger, WAS...

    09 July 2012

    Windows 7 XP Mode - Virtual PC

    Did you know that windows 7 users have the option to create easily virtual machines with Windows XP? It is called "XP mode" and works really great?

    A colleague of mine has recommended it a long time ago, but until recently I had no real need to use it, because all my critical work tools ran smoothly on win7. But a few days ago I wanted to set up a test environment for some IBM software and I didn't want to infest my usual Win7 machine with additional software, which I will probably want to discard soon. So, having downloaded XP mode package I configured it, wondering will it be useful at all. It turned out pretty good!

    Installation is quite quick - I guess VPC shares some libraries with the host system and does not really create VMWare-like virtual machine - rather slices out some system resources and presents it as a standalone VM. Anyhow it makes it, it does it really well. XP machine starts literally a few minutes after you begin installation of XP Mode and it runs pretty quickly, letting your work on the VM to be quite nice - no noticable lags, hard disk scratching and so on. And it is all on the encrypted hard disk.

    You can use XP Mode twa ways: either as a standalone vm, or as a "xp native" runtime for applications hosted in fact on your Win7 system, with whom for some reasons xp compatibility set in program properties is not enough. I did no try the latter, but I assume the experience would be good as well.

    The XP VPC is istantly connected to the internet (provided of course your host system is) by the means of NAT. However, if you want to connect over tcp ip to some software running on the VM, like some specific port, you need to do some tweaking. It'd be a nice topic for another post, but I did not solve this issue myself, so I just post a link to a forum page with solution by "judios".
    So anyway - if you are a licensed Win7 user and you need a simple WinXP virtal machine VPC is definately a thing for you! Good luck, have fun and don't bother to leave a comment!

    30 May 2012

    PDJRTE for TAI++ config error: java.lang.NullPointerException at com.tivoli.pd.jutil.jb.getCACert(jb.java:129)

    If you work with complex TAM&J2EE deployments, you will most probably come to the point where you need to use TAI++ trust association scheme to tie your J2EE server (either WebSphere or some other) with TAM&WebSeal system. In particular, this is useful when you want to authenticate users in WebSeal to "let them in" to your backend server but leave authorization for J2EE application to it's internal mechanisms (based on LDAP, for example). If you want to read more on TAI/TAI++ you can do it here or here.
    However, in TAI++ scenario you will most probably come to the point when you will need to configure your Java Runtime for Policy Director (usually done in pdconfig or with pdjrtecfg directly). What WAS really needs for TAI++ is essentialy address of Policy Server, it's certificate to be trusted (downloaded during PDJRTEconfig) and registration with TAM pdmgrd as a member of security domain. These information is stored in (not strictly set, but reasonable to do it so) .conf and .key files producedafter invoking java com.tivoli.pd.jcfg.SvrSslCfg but first you need to have your PDJRTE configured.

     I tried this with WebSphere App Server's (WAS 7 and TAM 6.1.0.5) java first and usually you do it by sourcing WAS environment first and then using pdconfig. However, in WAS 7 there's a class conflicts of some kind and when you go to pdconfig and choose to configure WAS java (normally /opt/ibm/WebSphere/AppServer/java/jre) to be the runtime for Policy Director in picks proper java, but fails to finish the configuration with nasty error:

    Configuration of Access Manager Runtime for Java is in progress.
    This might take several minutes.
    java.lang.reflect.InvocationTargetException
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
            at java.lang.reflect.Method.invoke(Method.java:611)
            at com.tivoli.pd.jcfg.PDJrteCfg.config(PDJrteCfg.java:245)
            at com.tivoli.pd.jcfg.PDJrteCfg.interactCfg(PDJrteCfg.java:1307)
            at com.tivoli.pd.jcfg.PDJrteCfg.invoke(PDJrteCfg.java:1460)
            at com.tivoli.pd.jcfg.PDJrteCfg.main(PDJrteCfg.java:350)
    Caused by:
    [java.lang.NullPointerException
    ]

    Wrappered Exception:
    java.lang.NullPointerException
            at com.tivoli.pd.jutil.jb.getCACert(jb.java:129)
            ... 8 more
    Caused by: java.lang.NullPointerException
            at org.apache.harmony.security.fortress.Services$NormalServices.createDefaultProviderInstance(Services.java:286)
            at org.apache.harmony.security.fortress.Services$NormalServices.getService(Services.java:423)
            at org.apache.harmony.security.fortress.Services$NormalServices.access$2100(Services.java:141)
            at org.apache.harmony.security.fortress.Services.getService(Services.java:824)
            at org.apache.harmony.security.fortress.Engine.getInstance(Engine.java:133)
            at java.security.KeyFactory.getInstance(KeyFactory.java:81)
            at com.ibm.security.x509.X509Key.buildX509Key(X509Key.java:275)
            at com.ibm.security.x509.X509Key.parse(X509Key.java:189)
            at com.ibm.security.x509.X509Key.parse(X509Key.java:215)
            at com.ibm.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:112)
            at com.ibm.security.x509.X509CertInfo.parse(X509CertInfo.java:966)
            at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:236)
            at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:222)
            at com.ibm.security.x509.X509CertImpl.parse(X509CertImpl.java:2285)
            at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:227)
            at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:213)
            at com.tivoli.pd.jutil.jb.getCACert(jb.java:51)
            ... 8 more

    [java.lang.reflect.InvocationTargetException
    ]

    Wrappered Exception:
    java.lang.reflect.InvocationTargetException
            at com.tivoli.pd.jcfg.PDJrteCfg.config(PDJrteCfg.java:51)
            at com.tivoli.pd.jcfg.PDJrteCfg.interactCfg(PDJrteCfg.java:1307)
            at com.tivoli.pd.jcfg.PDJrteCfg.invoke(PDJrteCfg.java:1460)
            at com.tivoli.pd.jcfg.PDJrteCfg.main(PDJrteCfg.java:350)
    Caused by: java.lang.reflect.InvocationTargetException
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
            at java.lang.reflect.Method.invoke(Method.java:611)
            at com.tivoli.pd.jcfg.PDJrteCfg.config(PDJrteCfg.java:245)
            ... 3 more
    Caused by:
    [java.lang.NullPointerException
    ]

    Wrappered Exception:
    java.lang.NullPointerException
            at com.tivoli.pd.jutil.jb.getCACert(jb.java:129)
            ... 8 more
    Caused by: java.lang.NullPointerException
            at org.apache.harmony.security.fortress.Services$NormalServices.createDefaultProviderInstance(Services.java:286)
            at org.apache.harmony.security.fortress.Services$NormalServices.getService(Services.java:423)
            at org.apache.harmony.security.fortress.Services$NormalServices.access$2100(Services.java:141)
            at org.apache.harmony.security.fortress.Services.getService(Services.java:824)
            at org.apache.harmony.security.fortress.Engine.getInstance(Engine.java:133)
            at java.security.KeyFactory.getInstance(KeyFactory.java:81)
            at com.ibm.security.x509.X509Key.buildX509Key(X509Key.java:275)
            at com.ibm.security.x509.X509Key.parse(X509Key.java:189)
            at com.ibm.security.x509.X509Key.parse(X509Key.java:215)
            at com.ibm.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:112)
            at com.ibm.security.x509.X509CertInfo.parse(X509CertInfo.java:966)
            at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:236)
            at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:222)
            at com.ibm.security.x509.X509CertImpl.parse(X509CertImpl.java:2285)
            at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:227)
            at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:213)
            at com.tivoli.pd.jutil.jb.getCACert(jb.java:51)
            ... 8 more
    java.lang.reflect.InvocationTargetException
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
            at java.lang.reflect.Method.invoke(Method.java:611)
            at com.tivoli.pd.jcfg.PDJrteCfg.config(PDJrteCfg.java:245)
            at com.tivoli.pd.jcfg.PDJrteCfg.interactCfg(PDJrteCfg.java:1307)
            at com.tivoli.pd.jcfg.PDJrteCfg.invoke(PDJrteCfg.java:1460)
            at com.tivoli.pd.jcfg.PDJrteCfg.main(PDJrteCfg.java:350)
    Caused by:
    [java.lang.NullPointerException
    ]

    Wrappered Exception:
    java.lang.NullPointerException
            at com.tivoli.pd.jutil.jb.getCACert(jb.java:129)
            ... 8 more
    Caused by: java.lang.NullPointerException
            at org.apache.harmony.security.fortress.Services$NormalServices.createDefaultProviderInstance(Services.java:286)
            at org.apache.harmony.security.fortress.Services$NormalServices.getService(Services.java:423)
            at org.apache.harmony.security.fortress.Services$NormalServices.access$2100(Services.java:141)
            at org.apache.harmony.security.fortress.Services.getService(Services.java:824)
            at org.apache.harmony.security.fortress.Engine.getInstance(Engine.java:133)
            at java.security.KeyFactory.getInstance(KeyFactory.java:81)
            at com.ibm.security.x509.X509Key.buildX509Key(X509Key.java:275)
            at com.ibm.security.x509.X509Key.parse(X509Key.java:189)
            at com.ibm.security.x509.X509Key.parse(X509Key.java:215)
            at com.ibm.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:112)
            at com.ibm.security.x509.X509CertInfo.parse(X509CertInfo.java:966)
            at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:236)
            at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:222)
            at com.ibm.security.x509.X509CertImpl.parse(X509CertImpl.java:2285)
            at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:227)
            at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:213)
            at com.tivoli.pd.jutil.jb.getCACert(jb.java:51)
            ... 8 more

    The configuration failed.


    Press Enter to continue.


    I suppose it is because WAS 7 has it's own PD.jar file which may even be newer than the one supplied with TAM 6.1.0.5 <-- that's the version we're talking here about. Or it is because WAS 7 uses java 6, whereas tam works fine with java 5 - I can't tell exactly.

    Anyway, what to do about it? Simply point pdconfig to a different java. For example, bundled with TAM base package is ibm java 5. Install it (it is in /opt/ibm/java2-i386-50/ directory), export it's path:

    export PATH=$PATH:/opt/ibm/java2-i386-50/java/jre

    and try pdconfig to configure pdjrte again. It should succeed now.

    To obtain information for using with TAI++, run now SvrSslCfg with the java you just configured eg.:

    /opt/ibm/java2-i386-50/jre/bin/java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd ***** -appsvr_id ******-host ***** -mode remote -port 8925 -policysvr tamsec-p2-1:7135:1 -authzsvr tamsec-p2-1:7136:1 -cfg_file domainname.cfg -key_file domainname.key -cfg_action create -domain domainname

    and later supply it to WAS as TAI++ inteceptor config item.

    Good Luck!

    24 April 2012

    Generation of deployment environment fails - Reason: CWLDB9014E and Reason: CWWBZ0058E

    First of all, this is the task I failed numerous times on, until finally I managed to get past, getting the desired result at the same time. This is because I found some sort of workaround before, but the results were more or less doubtful. Well, this workaround is a bit messy as well, but at least you can benefit from creation of Deployment environment with the wizard, instead of putting DE parts together step by step (and probably missing some parts, which later cause you some, or a lot of, pain).

    So, we're talking WPS 6.2.0.0 (a bit obsolete) and 7.0.0.4, deployed vs. DB2 database hosted on z/OS (which probably is the most troublesome circumstance, as you cannot create any objects automatically like in LUW edition). What we try to do is to generate Deployment environment (in any topology - single, distributed or "golden"), while defining databases on z/OS DB2. What we get is failure in this particular part:, where instead of:



    you keep getting:

    CWLDB9014E: The configuration of component WBI_BPCEventCollector failed.

    To make it short, before, I could not find the reason. But recently, I think I found it by looking into FFDC error report, and saw there errors related to failing connection to DERBY database. I wondered why it tries to use Derby when I explicitly requested all databases to be hosted on z/OS, but I will never know (perhaps some buggy ant script, or other config xml issue). Nevertheless, what we need to do is to:

    1. create "dummy" Derby database, just for sake of generation of DE:
      • go to /opt/ibm/WebSphere/AppServer/derby/bin/networkServer
      • run ./ij.sh
      • issue command: connect 'jdbc:derby:/opt/ibm/WebSphere/AppServer/profiles/PPD2UZLB01DMgr/databases/event/PD2UZL.Support/DerbyEventDB/BPD2CEDB;create=true';
      your database has been created and is ready to use, but first:
    2.  add custom user to connect to Derby server
      • edit /opt/ibm/WebSphere/AppServer/derby/derby.properties by adding line
        derby.user."yourUser"=yourpwd
    3. start Derby network server (/opt/ibm/WebSphere/AppServer/derby/bin/networkServer/startNetworkServer.sh)
      Note: default TCP/IP port for derby is 1527
    4. now, get back to DE generation wizard and run it again, but now type in Derby database for your EventDB - server is localhost:1527, user is "yourUser" and password "yourpwd"
    5. finish generation and you should get to successful end of operation
    6. assuming you have already created all necessary database in your target DB (either DB2 on z/OS or other supplier), you now need to redefine jdbc datasource for EventDB to point to the datastore of your choice.
    You may of course run into numerous problems before getting your DE working 100% fine but above instruction should at least get you through DE generation wizard.

    Good luck, leave a comment or vote in the poll please!







    23 March 2012

    WPM config - HPDCO1364E The specified domain does not exist. (0x1354a554)

    While trying to configure WPM (TAM Web Portal Management), you may encounter this particular error:

    HPDCO1364E   The specified domain does not exist. (0x1354a554)

    You are most probably using non-default (not "Default") domain. Apparently, WPM has a problem with specifying different domain name than default, but this occurs in version 6.1.0.0. What you need to do is to upgrade to fp5 (or lower fp, but I tested it with fp5)
    1. get 6.1.0-TIV-TAM-FP0005-LIN.tar.Z file (for Linux x86)
    2.  gunzip and tar -xf it
    3. install with: rpm -Uhv PDWPM-PD-6.1.0-5.i386.rpm
    4. try pdconfig
    after fixpacking it should suggest you (get from configured Java Runtime) correct domain name.

    Good luck, leave a comment.

    13 March 2012

    a new EEv10 is here!

    Aside from this blog activity, I'm also active Experts Exchange contributor. They launched new version of their site recently, and are very proud of it. So proud, that they give iPads away :) Why should I not get one?




    The New Experts Exchange is Here! Experience EE v.10!

    07 March 2012

    javax.management.JMRuntimeException: ADMN0022E


    If you stumble upon the following error:

    See nested exception; nested exception is: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getChain operation on TransportChannelService MBean because of insufficient or empty credentials.

    that means you need to revise your application permissions settings. That is, your application most probably has a RunAs role defined, which determines identity that is being mapped to each appliacation call - WebSphere then "thinks" that each call to this EJB is being made by some specified user (RunAs).
    To check this, go to:

    Applications > Enterprise Applications > application_name 

    and find  Map RunAs roles to users under Additional Properties section. There you will find RunAs roles defined for this particular EJB. What you need to do is to type in valid username and password (having necessary permission level if you are using any authorization system - either role-based or external, like calling PDContext for TAM authorization), tick roles you want to assign them to and use Aplly, then save, synchronize and restart server.

    Detailed information can be found on IBM InfoCenter.

    Good luck, leave a comment or vote in the poll, please :) 

    02 March 2012

    humble anouncement


    Dear Readers, just want to humbly (ok, not so :) anounce that this blog has just reached 1000 pageviews, mostly happened withinin the last two months.

    Thank you all for visiting, I do hope you will return to my posting spot. Please leave comments and feedback in the poll.

    01 March 2012

    The new Google's privacy policy - take notice!

    Google is going to make it's new privacy policy effective soon. Among other things, one is particularly alarming - information given to google in all their services (60+) will be merged to create your unified online history. That includes your goolge search history, which is a clear footprint of your age, gender, preferences, medical concerns etc.

    You may want to read more and before all - disable you Online history recording, as described in this EE article.

    27 February 2012

    IBM HTTP Server not starting - http_plugin.log excess size

    I just happened to come across the following error:
    I'm using IBM HTTP Server 7 with WAS Plugin configured. the following behavior was observed - after attempting to start IHS with 

    <IHS_INSTALL_ROOT>/bin/apachectl start

    control returns to shell, as it should. But when I checked if IHS is up and running with

    nestat -an | grep <portnumber>

    it didn't show desired port listening, however when looking for httpd processes with:

    ps -ef | grep httpd

    showed all necessary httpd jobs (namely, 4 of them). That is a problem symptom.

    This was the second time I came across that, so I knew what to do. The clue is http_plugin.log file size: when it grows over 2147483647 bytes (on Linux), OS is no longer able to write to it, and despite seemingly successful startup of the server. So, you just need to remove (or move to other place if you need it) this file, and try to start IHS again, it will recreate it and work fine. The log file is located in <PLUGIN_ROOT>/logs/<Servername>/http_plugin.log

    If you happen to see this malfunction, review your WAS plugin LogLevel settings. Remeber that on Trace or Detail level it generates fairly lot of entries and log grows very quickly. If your system is working fine and you don't have any sophisticated file log monitoring implemented, just change it to Info or Warn - it will be sufficient and your log file won't clog up.

    Good luck,  thanks for comments and feedback!

    13 February 2012

    Installation Manager java.lang.UnsatisfiedLinkError: Could not load SWT library

    IBM Installation Manager is more and more widely used to deploy number of IBM products, so it may be useful to know a little about possible problems when running this tool.
    My today's accomplishment is that I overcame following issue with installation on a lightweight SuSE 11 distribution (eg. stripped from almost every non-necessary package).
    First, when trying to install IM itself I was knocked by:


    JVMDUMP010I Snap dump written to /tmp/was/IM/Snap.20120213.121315.11358.0003.trc
    libgcc_s.so.1 must be installed for pthread_cancel to work


    This one was tackled by adding libgcc43-32bit package to the system. After successful silent installation, I tried to actually run IM to install WAS 7. Shell showed nothing after issuing:

    ./install or ./IBMIM

    It was all I got:

    prep2def:/opt/ibm/InstallationManager/eclipse # ./launcher
    prep2def:/opt/ibm/InstallationManager/eclipse # cd /tmp/
     

    Looking into configuration/datestamp.log files I found this error:

    !ENTRY org.eclipse.osgi 4 0 2012-02-13 13:32:15.756
    !MESSAGE Application error
    !STACK 1
    java.lang.UnsatisfiedLinkError: Could not load SWT library. Reasons:
            /opt/ibm/InstallationManager/eclipse/configuration/org.eclipse.osgi/bundles/454/1/.cp/libswt-pi-gtk-3659.so (libgthread-2.0.so.0: cannot open shared object file: No such file or directory)
            swt-pi-gtk (Not found in java.library.path)
            /tmp/swtlib-32/libswt-pi-gtk-3659.so (libgthread-2.0.so.0: cannot open shared object file: No such file or directory)
            /tmp/swtlib-32/libswt-pi-gtk.so (/tmp/swtlib-32/liblibswt-pi-gtk.so.so: cannot open shared object file: No such file or directory)


    And finally, installing:

    DejaVu Truetype Fonts
     
    and

    libgthread-2_0-0-32bit

    helped, and I was able to successfully run Installation Manager. Hope it helps. Good luck.

    07 February 2012

    SECJ0053E and AWXJR0044E: PolicyConfiguration exists = false

    If you are working on WAS with JACC configured against Tivoli Access Manager (or other external authorization provider, but I assume TAM is the most popular) in your application development cycle you may stumble upon the following error sequence:
    [2/7/12 11:24:45:304 CET] 000000c8 SecurityColla A   SECJ0053E: Authorization failed for defaultRealm/username while invoking (Bean)XyEAR-2.2#XyzBean.jar#soapAction:5 JACC Authorization failed for bean: xyzvBean
    [2/7/12 11:24:45:660 CET] 0000003d AMWASJACCMess I   com.tivoli.pd.as.jacc.TAMPolicy implies(ProtectionDomain, Permission): permission = perm.toString()
    0x864297004
    AWXJR0044E   The access decision for Permission, (javax.security.jacc.EJBMethodPermission xyz), was denied because either the PolicyConfiguration or RoleConfiguration objects did not get created successfully at application installation time.  RoleConfiguration exists = true, PolicyConfiguration exists = false.

    It is more probable to occur right after application update (new version deployed, for instance).

    Here are the things you may do to steer out of this trouble:

     


    1. Ensure all necessary protected object exist in TAM policy database (use pdadmin or WPM - TAM console deployed on WAS)
    2. Update role definition in your authorization provider with:

      Global security > External authorization providers

      choosing "Update with application names listed" and typing in your application name (as appears in Enterprise Applications tab), then Apply

    3. If point 2. fails, follow this sequence: stop application, remove application from server, stop application server, clean temp directories for this server, start server and redeploy application. It should bind with TAM properly this time. After that, restart the server again.
     Good luck.