Standalone LDAP

What we will cover in the next few pages is how to configure WebSphere Application Server to use a standalone LDAP registry. The difference between a standalone LDAP repository and Federated Repositories is that the WAS administrative IDs and User ID’s are both referenced from the same LDAP server. If the LDAP service is down, then you will not be able to log into the WAS Console and application authentication will not work

As far as LDAP servers go, there are many products in the marketplace and your organization will have a solution from one of the big vendors, such as Microsoft’s ADAM, which is a light-weight implementation of Active Directory or IBM’s Tivoli Directory Server. These are just two very common commercial LDAP implementations. However, we are using the Open Source ApacheDS server which we created earlier in this guide.

Configuring the Standalone LDAP Server

We have already created a federated repository, which is defined as the current repository in Global Security as seen below in Security > Global Security.

• Click the Available realm definition list box and choose Standalone LDAP registry
  

• Click Configure
  

You will now the see the Global security > Standalone LDAP configuration page

The Primary administrative use is wasadmin, this user must exist in the LDAP directory in this configuration. We have also chosen LDAP Server to be Custom.

• Enter the LDAP server configuration values as required.
  

We can use the exact same details we used I the Federates repositories example, there are specified in the table below.

Next we have to complete the Security section located on the right-hand side of the page. In this section we have two fields to fill in. Bind distinguished name (DN) is the name which WebSphere will use to connect to LDAP for name searches. The Bind password is the password for this user. Fill in these fields with the values below, which we configured in Apache DS earlier.

Note: If no name is specified for the Bind distinguished name (DN), the application server binds anonymously. The LDAP server must be setup to allow anonymous binding.

Also, you can see at the top of the screen this message

We must go back to Global Security screen, and set Standalone as the current configuration when we are done with this page.

Testing the connection

Once you have filled out the details, click Apply to save, then click Test Connection

A default set of predefined filters exist, which are provided for each LDAP server that the WebSphere supports. You can modify these filters to fit your LDAP configuration.

It is also recommended that we configure Additional properties

In the Global security > Standalone LDAP registry > Advanced Lightweight Directory Access Protocol (LDAP) user registry settings page, change the User Filter and Group Member Id Map to fields as per the entries below.

• Change the User Filter field to the value below
  

The User filter field contains an LDAP string, which provides the LDAP search filter which is used to obtain information about users from an LDAP directory server.

Note: Since we hand crafted our LDAP directory, we know that our users all have inetOrgPerson for objectClass OR and account objectClass, both have uid as an attribute.

• Change the Group Member ID Map to the value in the table below
  

The Group Member ID Map field sets the syntax for user-to-group membership when LDAP is scanning for users belonging to which groups.

Note: Since we hand crafted our LDAP directory, we know that our groups have groupOfNames for objectClass, but could also have groupOfUniqueNames, so I have added an OR condition.

Note: We make these changes because ApacheDS uses slightly different object classes and the default ones are customized for IBM LDAP servers, hence the change. We have only changed the entries required, the other fields are fine as they are.

Note: Each LDAP type, will present pre-configured entries in this page. When in doubt, you will be best to resort to IBM products if you can, however, we have proven that we can use other Open source tooling such as Apache DS. However, it does take some knowledge and you can’t just accept defaults.

• Click Apply, and Save
  
• When back on the Global security > Standalone LDAP registry page click OK, then Save to complete the page and return back to Global security
  

• In the Available realm definitions section, select Standalone LDAP registry and click the Set as current button.
  

You will see the User Account repository will be updated as follows:

Click Apply

If your LDAP Bind username and password are correct and the LDAP server is running the Result will be a follows, as long as all the authentication is correct, and the Primary Administrative user ID can be located in the directory.

Click Save, then restart the server.

Next time we log into the server we will be asked for a username and password.

Note: You will also be prompted for a username and password to stop a running WAS instance when Global Security is enabled.

Congratulations, you have now learned the core fundamentals of securing WAS using a standalone LDAP server for both administrative users and application users.

Review of Security.xml

I think this is a good time to quickly review the security.xml settings for this Standalone LDAP configuration. The security.xml can be found in:

For example:

Looking at the userRegistries stanza contained within security.xml you will see the LDAP Filter settings we have specified. Below is a sample from my configuration.

You should see within the searchFilter section the user filter we configured earlier, for example: userFilter==”(&(uid=%v)(|(objectclass=inetOrgPerson)(objectclass=account)))” This file is very useful, as you can edit it when things go wrong with your WebSphere administrative logins.

You now have configured WebSphere to use an LDAP registry.

To learn more about the courses available from The Middleware Shop, please go to http://www.themiddlewareshop.com/products to see a full list of the current courses available.

Consulting

If you or your organization require support in architecture, performance tuning, automation or simply advice, then please contact me via my support site and request a conversation, where we can discuss your requirement.

About Steve

Steve is a seasoned passionate technology professional, strategist and leader.

An expert in technical communications, and adept in almost all forms of Internet and mobile related technology, Steve has time and time again proven his tenacity to improve systems around him and deliver.

Steve has worn many hats during his career such as Chief Technical Officer, Founding Member of several business ventures, Programmer, Systems Administrator, Architect, Blogger and Published Author to name a few.

Due to 20 years Industry experience in Middleware, Programming, Networks and Internet Technologies, He combines systems knowledge with efficient working methods and inter personal skills required to build effective relationship with clients and colleagues alike. Exceeding typical expectations in any role undertaken, Steve is certain to become a valuable asset within any organisation He joins.

Key Skills

• Leadership (Team, Project, Business, People).

• Architecture (Solutions, Information, Technical, Applications).

Simply, I help you deal with CANETI: Constant And Never Ending Technological Innovation

Specific IBM WebSphere skills:

WebSphere Application Server (WAS Base, WAS ND & Liberty Profile & Liberty Runtime)

• Automation
• Security, SSL
• Dev Ops
• Architecture
• Performance Tuning

Middleware Integration Skills:

• .NET programming, and Architecture
• Java Programming, and Architecture
• SOA, SOAP, and XML messaging
• JBoss Fuse, WMQ, IIB, Mule

Integration Skills:

• SOA
• Process Improvement
• ICD’s
• Messaging Architecture
• Governance

General Digital Architecture & Governance

• Lightweight Architectures
• Digital Strategy, platform stacks for example IAAS, PAAS, SAAS
• PCI DSS

Industry Qualifications & Recognition

• TOGAF 9.1
• IBM Champion 2013

So, you require an Independent IBM WebSphere Middleware Consultant to help with WebSphere Architecture, Support, Migration, Automation and Thought Leadership.

An expert in technical communications in the middleware domain, and adept in almost all forms of Internet and mobile related technology, Steve Robinson has time and time again proven his tenacity to improve systems around him and deliver.

Steve has worn many hats during his career such as Chief Technical Officer, Founding Member of several business ventures, Programmer, Systems Administrator, Architect, Blogger and Published Author to name a few.

Due to 20 years Industry experience in Middleware, Programming, Networks and Internet Technologies, He combines systems knowledge with efficient working methods and inter personal skills required to build effective relationship with clients and colleagues alike. Exceeding typical expectations in any role undertaken, Steve is certain to become a valuable asset within any organisation He joins.

So, if you are looking for a professional to help with WAS Migration, WAS Architecture, and or WAS Automation (Shell, Jython, Java) and/or Middleware Integration, then please do contact me.

WebSphere Books by Steve Robinson

IBM Awards:

IBM Champion 2013

I have just completed a new module for my updated WAS 8.5.5.x course and I thought that it was such an interesting topic that I would post segments about how to configure Federated Repositories using ApacheDS a s the LDAP Server. In this guide I have used CentOS 7, with WAS 8.5.5.x for Developers (No Charge Edition) and so you should be able to learn some fundamental insights into WebSphere Global Security. A new course on automating the installation and upgrade of WAS and manage security will be available in Q2 2015. One of the guides shows how to configure WAS 8.5.5.x for LDAP ie Global security.

The topics covered in this guide are as follows.

INTRODUCTION
JEE SECURITY
GLOBAL SECURITY
UNSECURE CONSOLE
TURNING ON GLOBAL SECURITY
Security Configuration Wizard
Virtual Member Manager
ROLE MANAGEMENT
Administrative roles
DISABLING GLOBAL SECURITY
SETTING THE INTERNAL REPOSITORY USING SCRIPTING
APACHEDS
Installing ApacheDS
Adding a new partition
ADDING LDAP TO A FEDERATED REPOSITORY
FEDERATED REPOSITORIES RECAP
Security settings
Wimconfig.xml
CHANGING THE OU FOR LDAP BIND
Looking at User Groups
STANDALONE LDAP
CONFIGURING THE STANDALONE LDAP SERVER
TESTING THE CONNECTION
REVIEW OF SECURITY.XML
SUMMARY

 Role Management

In this section, we will demonstrate creating users, groups and assigning roles to groups.

Administrative roles

We may want some people to have only the ability to start and stop applications; others, we may wish to allow full configuration access. WebSphere implements a way of delegating privileges through the use of administrative roles. There are 8 predefined roles in WebSphere 8, as outlined in the following table, which users can be mapped to.

We would need to map wasadmin to both Administrator and Configurator to allow most of the core admin actions.

Presuming we now have Global Security enabled, let’s log into the secure console using wasadmin/wasadmin.

We know at this point of the process, that we have a single administrative user called wasadmin, we can see this by navigating to Users and Groups/Manage Users

In the Manage Users screen we see that we have only one user called wasadmin. It has a unique name using the schema defined by the defaultWIMFileBasedRealm for example uid=wasadmin,o=defaultWIMFileBasedRealm.

On this page, we can see where can create new users. But before we do that, we want to know what roles the “wasadmin” user is assigned, so we do this by navigating to User and Groups / Administrative user roles as seen below

We can see that no roles are listed for the Primary Administrative User Name, in fact, it is assigned al Roles for complete access to the Admin Console. If we wish to delegate access to other users, we must first create the user and or group, then assign the role.

In this example I am going to create a Group called was_admins, and then assign the Administrator and, Configurator and ISCAdmins Roles to this Group,. Then I will create a user called was_admin, which will be an administration user which is assigned to the was_admins group.

• To create a Group, navigate to Manage Groups
  

• Click the Create button as seen above
  
• Add a group name, for example, was_admins
  

Click Create, the Close

You will then be returned to the Manage Groups screen as seen below

We can see above that we now have a group created called was_admins. If we look at fileRegistry.xml file we discussed earlier, we now have a new group entry.

We will now assign roles to the group.

Navigate to User and Groups/Administrative group roles

• When on the Administrative group roles page, click Add, seen below

• Once on the Group screen, CTRL-Select the Role(s) required, search for was* and you will see the was_admins group is displayed in the available list box.
  

• Click the arrow pointing right to assign the roles, then click OK to save.
  

The assigned role will display in the Administrative group roles list

If we view the admin-authz.xml file located in the same folder as the fileRegistry.xml file

We will see the following XML

Looking at the XML we can see that there is mapping structure ie Groups to Roles.

Now we can add was_admin user to the group was_admins to map the user to these roles, which are mapped to a group.

Note: Mapping to groups requires a little more planning, but the dynamic nature lends best when you have multiple users who might be using the console or running admin scripts because it provides flexibility.

• Create a new user called was_admin, by navigating to Users and Groups
  

• Click Create
  

One the Create a User screen, fill out the fields as shown below

I used was_admin as the username and was_admin as the password

• Click Create, then Close
  

When we are returned to the Search for Users screen, we see that there is now a new User.

Now we can add the new was_admin user to the was_admins group. There are two ways to do this.

• We can either open the user, and then click Groups tab and add the user to the group
  
• We can Navigate to Manage Groups as seen below

To add a was_admin to the was_admins group, click Manage Groups

In the Group Properties screen, click the Members tab, then the Add Users button to assign users

• Click Search, then then select was_admin user from the list and then click Add
  

A message will be displayed incating the user has been added to the group.

• Click Close to exit, and return to the Group Properties screen (Members Tab)

Now we have create a new user, a new group with assigned roles, and assigned the new user to a group, we can log out and try the was_admin user and validate that all is OK. Also note that fileRegistry.xml has been modified, and this is what it may look like/

The Elements highlighted in Yellow show the modifications that were performed when we created a new group called was_admins and added the was_admin user to that group. You can even see that the fileRegistry.xm file contains the password as well as the uid.

I know that this section was a little long winded, but it was added to ensure that you fully understand that by default WAS will use an XML-based registry for user/group management when Global security is set to Federated repositories and no LDAP is current. This means simply, all Was administrative users are held in the fileRegistry.xml and the role mapping are held in admin-authz.xml and the current registries assigned to the virtual realm are set and defined in security.xml.

Logging in with the new “was_admin” user

Logout and re-log back in with the new administrative user we have created

When we navigate to Users and Grpups

We can see that we can no longer administer the roles of user and or groups, the options are no longer available.. This is because we did no add Admin Security Manager role to the was_admins group.

Feel free to explore different role combinations. We will not cover more examples, as the information above gives you enough detail to understand how creating user, groups and roles works when using Federated repositories with no LDAP registries, only the internal file-based registry called fileRegistry.xml

INTRODUCTION
JEE SECURITY
GLOBAL SECURITY
UNSECURE CONSOLE
TURNING ON GLOBAL SECURITY
Security Configuration Wizard
Virtual Member Manager
ROLE MANAGEMENT
Administrative roles
DISABLING GLOBAL SECURITY
SETTING THE INTERNAL REPOSITORY USING SCRIPTING
APACHEDS
Installing ApacheDS
Adding a new partition
ADDING LDAP TO A FEDERATED REPOSITORY
FEDERATED REPOSITORIES RECAP
Security settings
Wimconfig.xml
CHANGING THE OU FOR LDAP BIND
Looking at User Groups
STANDALONE LDAP
CONFIGURING THE STANDALONE LDAP SERVER
TESTING THE CONNECTION
REVIEW OF SECURITY.XML
SUMMARY

To learn more about the courses available from The Middleware Shop, please go to http://www.themiddlewareshop.com/products to see a full list of the current courses available.

Consulting

If you or your organization require support in architecture, performance tuning, automation or simply advice, then please contact me via my support site and request a conversation, where we can discuss your requirement.

About Steve

Steve is a seasoned passionate technology professional, strategist and leader.

An expert in technical communications, and adept in almost all forms of Internet and mobile related technology, Steve has time and time again proven his tenacity to improve systems around him and deliver.

Steve has worn many hats during his career such as Chief Technical Officer, Founding Member of several business ventures, Programmer, Systems Administrator, Architect, Blogger and Published Author to name a few.

Due to 20 years Industry experience in Middleware, Programming, Networks and Internet Technologies, He combines systems knowledge with efficient working methods and inter personal skills required to build effective relationship with clients and colleagues alike. Exceeding typical expectations in any role undertaken, Steve is certain to become a valuable asset within any organisation He joins.

Key Skills

• Leadership (Team, Project, Business, People).

• Architecture (Solutions, Information, Technical, Applications).

Simply, I help you deal with CANETI: Constant And Never Ending Technological Innovation

Specific IBM WebSphere skills:

WebSphere Application Server (WAS Base, WAS ND & Liberty Profile & Liberty Runtime)

• Automation
• Security, SSL
• Dev Ops
• Architecture
• Performance Tuning

Middleware Integration Skills:

• .NET programming, and Architecture
• Java Programming, and Architecture
• SOA, SOAP and XML messaging
• JBoss Fuse, WMQ, IIB, Mule

Integration Skills:

• SOA
• Process Improvement
• ICD’s
• Messaging Architecture
• Governance

General Digital Architecture & Governance

• Lightweight Architectures
• Digital Strategy, platform stacks for example IAAS, PAAS, SAAS
• PCI DSS

Industry Qualifications & Recognition

• TOGAF 9.1
• IBM Champion 2013

 Setting the internal Repository using Scripting

Our federated repository is based on a virtual realm (A unique name defining the virtual registry as provided by the registries that are federated together and managed by the WebSphere Virtual Manager)

The realm can consist of identities in:

• The file-based repository that is built into the system
  
• One or more external repositories
  
• Both the built-in, file-based repository and in one or more external repositories
  

It is also possible to configure the fileRegistry.xml by using Jython

Configuring a single built-in, file-based repository in a new configuration under federated repositories using wsadmin. You can use the Jython or Jacl scripting language with the wsadmin tool to configure a single built-in, file-based repository in a new configuration under Federated repositories.

Use the following steps to configure for use a single built-in, file-based repository in a new configuration for federated repositories.

• Create the fileRegistry.xml file, which is the user registry itself, if it does not already exist. If the fileRegistry.xml file does exist, this step just adds the user to registry.
  
• Start the WS Admin Tool using <was_profile_roor>/wasadmin.sh –lang Jython
  
• Issue the following command in the interactive session
  

Update the security.xml file to enable administrative security, set the activeUserRegistry to use federated repositories, and update the primaryAdmin and its password. If you already have set the virtual ream i.e. already set the virtual repository, then this might not be useful as it is really designed to issue the actions of the wizard, as per the manual steps we did earlier.

Save your configuration changes. Enter the following commands to save the new configuration.

Note: The changes will be saved to security.xml and fileRegistry.xml as required, however for the changes to take effect for a running WAS instance, restart the application server.

What we are going to do now is configure LDAP by adding an LDAP registry to our Federated Respository. We will cover that topic after we have configured an LDAP server. In this guide, we are going to install and use ApacheDS as out LDAP provider.

INTRODUCTION
JEE SECURITY
GLOBAL SECURITY
UNSECURE CONSOLE
TURNING ON GLOBAL SECURITY
Security Configuration Wizard
Virtual Member Manager
ROLE MANAGEMENT
Administrative roles
DISABLING GLOBAL SECURITY
SETTING THE INTERNAL REPOSITORY USING SCRIPTING
APACHEDS
Installing ApacheDS
Adding a new partition
ADDING LDAP TO A FEDERATED REPOSITORY
FEDERATED REPOSITORIES RECAP
Security settings
Wimconfig.xml
CHANGING THE OU FOR LDAP BIND
Looking at User Groups
STANDALONE LDAP
CONFIGURING THE STANDALONE LDAP SERVER
TESTING THE CONNECTION
REVIEW OF SECURITY.XML
SUMMARY

To learn more about the courses available from The Middleware Shop, please go to http://www.themiddlewareshop.com/products to see a full list of the current courses available.

Consulting

If you or your organization require support in architecture, performance tuning, automation or simply advice, then please contact me via my support site and request a conversation, where we can discuss your requirement.

About Steve

Steve is a seasoned passionate technology professional, strategist and leader.

An expert in technical communications, and adept in almost all forms of Internet and mobile related technology, Steve has time and time again proven his tenacity to improve systems around him and deliver.

Steve has worn many hats during his career such as Chief Technical Officer, Founding Member of several business ventures, Programmer, Systems Administrator, Architect, Blogger and Published Author to name a few.

Due to 20 years Industry experience in Middleware, Programming, Networks and Internet Technologies, He combines systems knowledge with efficient working methods and inter personal skills required to build effective relationship with clients and colleagues alike. Exceeding typical expectations in any role undertaken, Steve is certain to become a valuable asset within any organisation He joins.

Key Skills

• Leadership (Team, Project, Business, People).

• Architecture (Solutions, Information, Technical, Applications).

Simply, I help you deal with CANETI: Constant And Never Ending Technological Innovation

Specific IBM WebSphere skills:

WebSphere Application Server (WAS Base, WAS ND & Liberty Profile & Liberty Runtime)

• Automation
• Security, SSL
• Dev Ops
• Architecture
• Performance Tuning

Middleware Integration Skills:

• .NET programming, and Architecture
• Java Programming, and Architecture
• SOA, SOAP and XML messaging
• JBoss Fuse, WMQ, IIB, Mule

Integration Skills:

• SOA
• Process Improvement
• ICD’s
• Messaging Architecture
• Governance

General Digital Architecture & Governance

• Lightweight Architectures
• Digital Strategy, platform stacks for example IAAS, PAAS, SAAS
• PCI DSS

Industry Qualifications & Recognition

• TOGAF 9.1
• IBM Champion 2013

 Adding LDAP to a federated repository

We have covered how to install Apache DS, we will now look at adding LDAP to our Federated Repository. So far we have the internal fie-based registry names fileRegistry.xml, however our installed JEE application(s) will require a user registry. For this we want to use LDAP. We want to use LDAP as we can connect to the corporate user-directory as presented in LDAP.

Federated repositories recap

In WebSphere it is possible to federate repositories allowing a single virtual repository from which to query administrative and application user accounts. What we are now going to do is federate the internal file-based repository and a newly created LDAP repository, hence the terms Federated Repositories.

To begin the process of creating our federated repository, navigate to the Global Security page and locate the User account repository section. This time select Federated repositories from the Available realm definition pick-list and click the Configure button as seen below.

Note: Now that we have ApacheDS configured and working, we can now configure WebSphere to use the LDAP directory we have created. Before we continue, I would like to explain the Primary administration user which we will set in the next steps. One of the details common to all user registries or repositories is the Primary administrative user name. This ID is a member of the chosen repository, but also has special privileges in WebSphere Application Server. The privileges for this ID and the privileges that are associated with the administrative role ID are the same. The Primary administrative user name can access all of the protected administrative methods of WebSphere Application Server.

Security settings

Navigate to the Security section of the left-hand side panel in the administrative console and click on Global security. In the Security page, under the User account repository section click Configure so we can add a new repository to our virtual realm, which contains our “Federated Repositories”

In the Federated repositories screen, we can see that the Rea Name is set, and so is the Primary administrative user name. We know about the primary user being part of the default internal file Registry which we added earlier.

• To add another repository (registry) click on the Add repositories (LDAP, custom etc…) button On the Repository reference screen, we can
  

On the Repository references screen as seen above, do the following

• Click New Repository and select LDAP
  
• Then click on the New Repository button and select LDAP registry
  

In the LDAP server section, choose Custom from the Type of LDAP server list. There are several pre-configured LDAP server types which are tuned for common LDAP servers because ApacheDS is not a template platform, we have to use a custom LDAP.

As shown in the previous screenshot, fill in these fields with the values
as shown in the following table:

Next we have to complete the Security section located on the right-hand side of the page. In this section we have two fields to fill in. Bind distinguished name (DN) is the name which WebSphere will use to connect to LDAP for name searches. The Bind password is the password for this user. Fill in these fields with the values below, which we configured in Apache DS earlier.

If no name is specified for the Bind distinguished name (DN), the application server binds anonymously. The LDAP server must be setup to allow anonymous binding.

Note: Make sure you save now, or you will have to repeat this again!

Once you have completed filling in the required fields, click Apply and you will then be prompted to save as seen above. You are now required to fill in the field called: Unique distinguished name of the base (or parent) entry in federated repositories. It is a bit annoying that we have to enter it again, but now you know J

Populate the field with the following to give it a name, which just so happens to the same as our base DN as well.

• Click Apply to save and then OK to return back to the previous screens, find your way back to Global security > Federated repositories, you should be able to click cancel on the Repository reference screen shown above
  

The result is the following:

• Click OK at the bottom of the Global Security / Federated repositories screen, and you will be again asked to Save and enter a password for the wasadmin user, it is wasadmin. But note, this is not the wasadmin user in the LDAP directory, it is a user stored in the fileRegistry.xml. LDAP in this scenario is used for user administration not was administration,
  
• Then click OK, and Save. Hopefully you will not return to the Global Security screen, which means all is configured
  

Why so many saves? It guess it’s just the order in which security.xml and other files are updated as we progress through screens.

• Restart the server for the changes to take effect

This is really import, please understand the relevance of the point in red above. If you are using a federated repository, and it contains the internal registry and that registry uses wasadmin as the primary user, then it must not exist in the LDAP tree, also the primary admin user must exist in the internal file registry for this to work as intended.

Note: If the save processes occur during this exercise then we know WebSphere Application Server was able to connect to LDAP. If it cannot you will get an error displayed, something similar to the error explained in this blog article:

http://www.themiddlewareshop.com/2015/04/13/validation-failed-secj7716e-primary-administrative-user-id-does-not-exist-in-the-registry/

Next time we log into the server we will be asked for a username and password.

Note: You will also be prompted for a username and password to stop a running WAS instance when Global Security is enabled.

Wimconfig.xml

The contents of the wimconfig.xml has been altered with the required settings and can be located in the following location

INTRODUCTION
JEE SECURITY
GLOBAL SECURITY
UNSECURE CONSOLE
TURNING ON GLOBAL SECURITY
Security Configuration Wizard
Virtual Member Manager
ROLE MANAGEMENT
Administrative roles
DISABLING GLOBAL SECURITY
SETTING THE INTERNAL REPOSITORY USING SCRIPTING
APACHEDS
Installing ApacheDS
Adding a new partition
ADDING LDAP TO A FEDERATED REPOSITORY
FEDERATED REPOSITORIES RECAP
Security settings
Wimconfig.xml
CHANGING THE OU FOR LDAP BIND
Looking at User Groups
STANDALONE LDAP
CONFIGURING THE STANDALONE LDAP SERVER
TESTING THE CONNECTION
REVIEW OF SECURITY.XML
SUMMARY

To learn more about the courses available from The Middleware Shop, please go to http://www.themiddlewareshop.com/products to see a full list of the current courses available.

Consulting

If you or your organization require support in architecture, performance tuning, automation or simply advice, then please contact me via my support site and request a conversation, where we can discuss your requirement.

About Steve

Steve is a seasoned passionate technology professional, strategist and leader.

An expert in technical communications, and adept in almost all forms of Internet and mobile related technology, Steve has time and time again proven his tenacity to improve systems around him and deliver.

Steve has worn many hats during his career such as Chief Technical Officer, Founding Member of several business ventures, Programmer, Systems Administrator, Architect, Blogger and Published Author to name a few.

Due to 20 years Industry experience in Middleware, Programming, Networks and Internet Technologies, He combines systems knowledge with efficient working methods and inter personal skills required to build effective relationship with clients and colleagues alike. Exceeding typical expectations in any role undertaken, Steve is certain to become a valuable asset within any organisation He joins.

Key Skills

• Leadership (Team, Project, Business, People).

• Architecture (Solutions, Information, Technical, Applications).

Simply, I help you deal with CANETI: Constant And Never Ending Technological Innovation

Specific IBM WebSphere skills:

WebSphere Application Server (WAS Base, WAS ND & Liberty Profile & Liberty Runtime)

• Automation
• Security, SSL
• Dev Ops
• Architecture
• Performance Tuning

Middleware Integration Skills:

• .NET programming, and Architecture
• Java Programming, and Architecture
• SOA, SOAP and XML messaging
• JBoss Fuse, WMQ, IIB, Mule

Integration Skills:

• SOA
• Process Improvement
• ICD’s
• Messaging Architecture
• Governance

General Digital Architecture & Governance

• Lightweight Architectures
• Digital Strategy, platform stacks for example IAAS, PAAS, SAAS
• PCI DSS

Industry Qualifications & Recognition

• TOGAF 9.1
• IBM Champion 2013

If you have read the WAS 8.5.5.x silent install guide (which is part of my new WAS 8.5.5.x course available for purchasee  in Q2 2015), you will know that we used the custom install script was8manage.sh or manually install WAS, you would hopefully have turned on Global Security by default. The most obvious surety of this action is that you are required enter a d username and password to log in to the Administrative Console.

To turn on global security, log in to the Admin console and navigate to the Security section of the left-hand side navigation panel and click Global security, as shown in the following screenshot:

You will now be taken to the main Global security configuration page as shown in the following screenshot:

1. Security Configuration Wizard

WebSphere provides a wizard to set up basic security using an internal repository. What we are going to do is run the wizard to secure our admin console.

Click the Security Configuration Wizard button as shown in the previous screenshot. You will be presented with an option to decide on the extent of your security protection. Leave the screen options set to their default and click Next to move on to the next page, where you will select which type of repository you wish to use.

Note: Enable application security is on because usually you want to secure applications and allow role-based management of users/groups for that application. Use Java 2 security to restrict application access to local resources, as seen in the Security Configuration Wizard, is used when you do not trust the application’s code. Since in most cases you trust the code you are installing in your EAR/WAR files, you do not need to turn this option on.

On the Select user repository page, you have four types of repository to choose from these options are discussed below.

Click Next

Global security registry types

Global security is enabled to secure your WAS server, however, to do so requires a user registry. A user registry contains the user and group names for authentication and authorization purposes. Once configured, an application server will connect to the registry and perform lookups to acquire user credentials used in areas where authorization is required.

There are four types of registry which are explained in the table below.

Note: The default repository is built into WebSphere and is based on the platform you are running on.

Completing the Wizard using “Federated repositories”

We are going to turn on Global security using the internal File Registry, we do this by choosing Federated repositories as an option. What this means is that we can later federate other registries such as custom or LDAP registries that can be used for user/group role-based management.

Note: However please understand that when you use Federated repositories and you have not removed the internal repository, then you can only assign users/groups from the internal fil registry to assign role-based access to the Was Admin console.

• Choose Federated repositories option in the Select user repository page (Shown earlier)
  
• Click Next
  
• Fill in the Primary admin user, I have used wasadmin as my primary admin, also enter a password. I have also used wasadmin for the password.
  

• Click Next
  
• Click Finish
  

• Click Save to persist the changes to the underlying WebSphere XML configuration files.
  

The result will be that we are presented with the following settings configured in the Global security page.

• Restart the server for Global security enablement to take effect.
  
• Use stopServer.sh and statrServer.sh from the <was_profile_root>bin folder
  

Note: You are not prompted for a username and password when you issue the stopServer command. This is because at this point Global Security is enabled in the underlying sexurity.xml file, but the server has to be restarted for it to take effect.

Next time you open the Admin Console, you will be presented with a login screen similar to below

Review of security.xml and fileRegistry.xml

We are now going to look at the underlying WAS file system and see what was done.

We do this by issuing the following command from the <was_profile_root> for example /opt/IBM/WebSphere/AppServer/profiles/DV_AppServer01Prof

Note: All errors will be piped to /dev/null to stop then from displaying in the results.

Result:

We can see that there are two files that contain the text wasadmin, this is security.xml and fileRegistry.xml

When we open sexurity.xml we find that the security:Security element has activeUserRegistry set to

When we look further down the file we see the following element which defines the settings applied to the registry id of WIMUserRegistry_1

The security.xml file contains elements which define enabled repositories, w s we can see above in the userRegistries elements that we have a default virtual realm that defines the user registry

Now that we know we are the class com.ibm.ws.wim.registry.WIMUserRegistry we know that we are using the internal fileRegistry.xml as our user/group registry.

When we open fileRegistry.xml, we see this XML

We can see that our new user “wasadmin” exists in the fileRegistry.xml (The Internal User Repository).

As seen above in the screen capture of the Global security page, Administrative Security (Global Security) is enabled. The term Global Security is the term for WAS version 7 and below. We also have a Realm that has been set it is called defaultWIMFileBasedRealm and the current Realm definition is set to
Federated repositories. This setting specifies to manage security profiles in multiple repositories under a single realm. The realm can consist of identities in:

• The file-based repository that is built into the system
  
• One or more external repositories
  
• Both the built-in, file-based repository and in one or more external repositories
  

Note: Only a user with administrator privileges can view the federated repositories configuration.

Another point to understand is that when we create a profile and set a username and password, the profile creation process creates and configured a Federated Repository which is using the internal file-based repository built onto the system.

Let’s now take a look at the configuration that exists for the Federated repositories setting.

If we click configure as shown below, we will be able to see more information about the Federated Repositories

Once in the Federated Repositories screen as seen below, we can understand even more about the current registry that is being used in the federated repository.

We can see that we have a Realm name set to defaultWIMFileBasedRealm. As mentioned earlier, we have the Primary administration user name being wasadmin, and there is only one repository in this realm.

Note: We will look at adding LDAP to this federated repository later in this guide.

If we drill down ever further by navigating to the Related Items section and clicking on Manage repositories, we will see what makes up this internal repository.

We can now see that we have a Repository identified as InternalFileRepository.

We see that the internal fileRegistry.xml is governed by this Repository Identifier, sort of like a class of registry type. I would normally not go any further to discover the internal workings of WAS, but I think the next few paragraphs are an interested read.

If we open an ssh session and locate the <was_profile_root> we can issue a find command similar to the following:

Result:

If we then open the file called wimconfig.xml , which was found in: /opt/IBM/WebSphere/AppServer/profiles/DV_AppServer01Prof/config/cells/DV_AppServer01/wim/config/ we can look to understand this file more. The reason we need to be aware of the existence of these type of files is because it could be possible that you may have some complex security requirements in the future and this type of analysis is the kind you may have to do to debug any problems/configuration issues.

If you have a brief look in the file we can see that this file defines the schema for a file repo, but it is not the repo itself.

The highlighted XML elements are for you to review, but please do not edit this file. I am just showing that there is an internal master continuation file which determines the schema/settings of the available registries, and it uses a syntax similar to LDAP schema which is a simplified version of x.500. This is quite an interesting subject, and it delves into some of the theory of how WAS manages security

INTRODUCTION
JEE SECURITY
GLOBAL SECURITY
UNSECURE CONSOLE
TURNING ON GLOBAL SECURITY
Security Configuration Wizard
Virtual Member Manager
ROLE MANAGEMENT
Administrative roles
DISABLING GLOBAL SECURITY
SETTING THE INTERNAL REPOSITORY USING SCRIPTING
APACHEDS
Installing ApacheDS
Adding a new partition
ADDING LDAP TO A FEDERATED REPOSITORY
FEDERATED REPOSITORIES RECAP
Security settings
Wimconfig.xml
CHANGING THE OU FOR LDAP BIND
Looking at User Groups
STANDALONE LDAP
CONFIGURING THE STANDALONE LDAP SERVER
TESTING THE CONNECTION
REVIEW OF SECURITY.XML
SUMMARY

To learn more about the courses available from The Middleware Shop, please go to http://www.themiddlewareshop.com/products to see a full list of the current courses available.

Consulting

If you or your organization require support in architecture, performance tuning, automation or simply advice, then please contact me via my support site and request a conversation, where we can discuss your requirement.

About Steve

Steve is a seasoned passionate technology professional, strategist and leader.

An expert in technical communications, and adept in almost all forms of Internet and mobile related technology, Steve has time and time again proven his tenacity to improve systems around him and deliver.

Steve has worn many hats during his career such as Chief Technical Officer, Founding Member of several business ventures, Programmer, Systems Administrator, Architect, Blogger and Published Author to name a few.

Due to 20 years Industry experience in Middleware, Programming, Networks and Internet Technologies, He combines systems knowledge with efficient working methods and inter personal skills required to build effective relationship with clients and colleagues alike. Exceeding typical expectations in any role undertaken, Steve is certain to become a valuable asset within any organisation He joins.

Key Skills

• Leadership (Team, Project, Business, People).

• Architecture (Solutions, Information, Technical, Applications).

Simply, I help you deal with CANETI: Constant And Never Ending Technological Innovation

Specific IBM WebSphere skills:

WebSphere Application Server (WAS Base, WAS ND & Liberty Profile & Liberty Runtime)

• Automation
• Security, SSL
• Dev Ops
• Architecture
• Performance Tuning

Middleware Integration Skills:

• .NET programming, and Architecture
• Java Programming, and Architecture
• SOA, SOAP and XML messaging
• JBoss Fuse, WMQ, IIB, Mule

Integration Skills:

• SOA
• Process Improvement
• ICD’s
• Messaging Architecture
• Governance

General Digital Architecture & Governance

• Lightweight Architectures
• Digital Strategy, platform stacks for example IAAS, PAAS, SAAS
• PCI DSS

Industry Qualifications & Recognition

• TOGAF 9.1
• IBM Champion 2013

You have tried to connect to the Administrative Console for a new WebSphere Application Server profile. You get the following error

Error 404: com.ibm.ws.webcontainer.servlet.exception.NoTargetForURIException: No target servlet configured for uri: /ibm/console

The most common reason, is that the console will want to redirect to the secure HTTP/s port and that port is not open on the firewall for example

Let’s say you have the following portsFile :

appserver_ports.props

and you have created a WAS  profile using the following command:

/opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -create -profileName DV_AppServer01Prof -profilePath /opt/IBM/WebSphere/AppServer/profiles/DV_AppServer01Prof -templatePath /opt/IBM/WebSphere/AppServer/profileTemplates/default -cellName DV_AppServer01 -hostName localhostcell01 -nodeName DV_AppServer01 -portsFile /var/apps/scripts/was8manage/appserver_ports.props -isDefault

We need to look at the portsFile

#This file is hand crafted, though numbers are in sequence, it was not generated using -startPort
#This example is for a standalone application server
WC_defaulthost=10020
WC_adminhost=10021
WC_defaulthost_secure=10022
WC_adminhost_secure=10023
BOOTSTRAP_ADDRESS=10024
SOAP_CONNECTOR_ADDRESS=10025
SAS_SSL_SERVERAUTH_LISTENER_ADDRESS=10026
CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS=10026
CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS=10027
ORB_LISTENER_ADDRESS=10028
DCS_UNICAST_ADDRESS=10029
SIB_ENDPOINT_ADDRESS=10030
SIB_ENDPOINT_SECURE_ADDRESS=10031
SIB_MQ_ENDPOINT_ADDRESS=10032
SIB_MQ_ENDPOINT_SECURE_ADDRESS=10033
SIP_DEFAULTHOST=10034
SIP_DEFAULTHOST_SECURE=10035

We can see that the WC_adminhost_secure port is 10023, you were most likely connecting to the web container’s default port of 10020 to get this specific error. But you may have also not have secured the console, and so HTTP will be the required protocol, not HTTP/s so in this case the URL required  may have been http://192.168.0.80:10021/ibm/console/ required not the secure port http://192.168.0.80:10023/ibm/console/

When a console is secured i.e Global Security is turned on then the HTTP will direct to HTTP/s. But if Global security is off, then only the HTTP port will be available for example 10021 in my example which = WC_adminhost., which was the case because Global Security was disabled for this profile.

Error when running some Jython in WebSphere Application Server to configure Global Security we find the following error

Error:

WASX7017E: Exception received while running file "/var/apps/scripts/wasAdmin/security/configureGlobalSecurity.py"; exception information: com.ibm.bsf.BSFException: exception from Jython:
Traceback (innermost last):
  (no code object) at line 0
  File "<string>", line 103
         if (len(securityDomainList) == 0):
         ^
SyntaxError: invalid syntax

The code has the following:

securityDomainList = AdminTask.getSecurityDomainForResource('-resourceName Cell=:Node='+ nodeName + ':Server=' + serverName)
 if (len(securityDomainList) == 0):
    printer("","securityDomainList is empty")
    nullSecurityDomain=""
    printer("","Current Registry Details=" + getRegistryDetails("",nullSecurityDomain))
else:  
    for securityDomain in securityDomainList:
        printer("",'\n'+securityDomain)
        printer("","Current Registry Details=" + getRegistryDetails("",securityDomain))
    #endFor
#endIf

We can see that there is a space before the if, remove the space

Error below was presented when running a Jython script on WAS 8.5.5.5

WASX7017E: Exception received while running file "/var/apps/scripts/wasAdmin/security/configureGlobalSecurity.py"; exception information: com.ibm.bsf.BSFException: exception from Jython:
Traceback (innermost last):
  (no code object) at line 0
  File "<string>", line 107
        else
              ^
SyntaxError: invalid syntax

The code being used is as follows:

securityDomainList = AdminTask.getSecurityDomainForResource('-resourceName Cell=:Node='+ nodeName + ':Server=' + serverName)
if (len(securityDomainList) == 0):
    printer("","securityDomainList is empty")
    nullSecurityDomain=""
    printer("","Current Registry Details=" + getRegistryDetails("",nullSecurityDomain))
else  
    for securityDomain in securityDomainList:
        printer("",'\n'+securityDomain)
        #logger.debug('\n'.join( servers ))
        printer("","Current Registry Details=" + getRegistryDetails("",securityDomain))
    #endFor
#endIf

Add the missing : after else for example ‘else:’ not ‘else’

Resultig fixed code

securityDomainList = AdminTask.getSecurityDomainForResource('-resourceName Cell=:Node='+ nodeName + ':Server=' + serverName)
if (len(securityDomainList) == 0):
    printer("","securityDomainList is empty")
    nullSecurityDomain=""
    printer("","Current Registry Details=" + getRegistryDetails("",nullSecurityDomain))
else: 
    for securityDomain in securityDomainList:
        printer("",'\n'+securityDomain)
        #logger.debug('\n'.join( servers ))
        printer("","Current Registry Details=" + getRegistryDetails("",securityDomain))
    #endFor
#endIf

When running a wsadmin Jython command (from a Jython script file), I get the following error

WASX7023E: Error creating "SOAP" connection to host "localhost"; exception information: com.ibm.websphere.management.exception.ConnectorNotAvailableException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Unable to find a valid IP for host localhost]
WASX7213I: This scripting client is not connected to a server process; please refer to the log file /opt/IBM/WebSphere/AppServer/profiles/DV_AppServer01Prof/logs/wsadmin.traceout for additional information.
WASX8011W: AdminTask object is not available.
INFO:Global security is enabled
WASX7017E: Exception received while running file "/var/apps/scripts/wasAdmin/security/configureGlobalSecurity.py"; exception information: com.ibm.bsf.BSFException: exception from Jython:
Traceback (innermost last):
  File "<string>", line 85, in ?
  File "<string>", line 62, in getDefaultRealm
NameError: AdminTask

As we can see by the error in the stack trace, the AdminTask object is not available, this is because the WebSphere Application Server/Deployment Manager is not started.

Error when adding an LDAP Repository to Federated Repositories using Jython

WASX7017E: Exception received while running file "/var/apps/scripts/wasAdmin/security/configureGlobalSecurity.py"; exception information: com.ibm.websphere.wim.exception.WIMConfigurationException: com.ibm.websphere.wim.exception.WIMConfigurationException: CWWIM5020E  Could not connect to the ldap://localhostcell01:10398 repository using properties: [port=10398],[bindDN=uid=wasldapbind,ou=security,dc=themiddlewareshop,dc=com],[certificateMapMode=exactdn],[sslConfiguration=],[securityDomainName=admin],[sslEnabled=false],[connectTimeout=100],[connectionPool=false],[id=LDAP2],[ldapServerType=CUSTOM],[host=localhostcell01],[referal=ignore],[derefAliases=always],[certificateFilter=],[authentication=simple],[bindPassword=****]. Exception occurred: java.net.ConnectException.

Check these things.

1. Firewall
2. Port (in my case above port looks right, but it was supposed to be 10389, not 10398
3. Use netstat -an command with a grep to check the port for example netstat -an | grep 10398, if nothing is reported, then you may have the wrong port?
4. Check your host file, and or DNS
5.Check your LDAP Bind DN user account, that the name, DN (not RDN) and password are correct
6. Check your BaseDN
7.Check your LDAP entries

These all can cause a Java Exception ie java.net.ConnectException

Tip: I often use an ldapseach locally if this works then it must be my Jython code.

Example of a local ldapsearch (install OpenSSL Clients using yum)

ldapsearch -H ldap://192.168.0.80:10389 -x -D "uid=wasldapbind,ou=security,dc=themiddlewareshop,dc=com" -W -b "dc=themiddlewareshop,dc=com" -s base -a always "(objectClass=*)" "*"

A little script to help you get syntax for wsadmin help commands in WebSphere Application Server Jython programming

create script called getHelp.sh, then chmod as required and voila

#!/bin/sh
export ADMIN_USER=wasadmin
echo "ADMIN_USER="${ADMIN_USER}
export  ADMIN_PASSWORD=wasadmin
echo "ADMIN_PASSWORD="${ADMIN_PASSWORD}
export WAS_PROFILE_DIR="/opt/IBM/WebSphere/AppServer/profiles/DV_AppServer01Prof"
echo "WAS_PROFILE_DIR="${WAS_PROFILE_DIR}
#${WAS_PROFILE_DIR}/bin/wsadmin.sh -lang jython -username ${ADMIN_USER} -password ${ADMIN_PASSWORD} -c "print AdminTask.help('createJDBCProvider'); print AdminTask.help('createDatasource'); print AdminTask.help('listDatasources'); print AdminTask.help('listJDBCProviders');print AdminTask.help('createAuthDataEntry')"
${WAS_PROFILE_DIR}/bin/wsadmin.sh -lang jython -username ${ADMIN_USER} -password ${ADMIN_PASSWORD} -c "print AdminTask.help('addIdMgrLDAPServer');"

Example result:

[root@localhost security]# ./getHelp.sh
ADMIN_USER=wasadmin
ADMIN_PASSWORD=wasadmin
WAS_PROFILE_DIR=/opt/IBM/WebSphere/AppServer/profiles/DV_AppServer01Prof
WASX7209I: Connected to process "server1" on node DV_AppServer01 using SOAP connector;  The type of process is: UnManagedProcess
WASX8006I: Detailed help for command: addIdMgrLDAPServer

Description: Adds an LDAP server to the LDAP repository configuration.

Target object:   None

Arguments:
  *id - The unique identifier of the repository.
  *host - The host name for the LDAP server.
  securityDomainName - Name used to uniquely identify the security domain.
  port - The port number for the LDAP server.
  bindDN - The binding distinguished name for the LDAP server.
  bindPassword - The LDAP server binding password.
  authentication - The authentication method to use.
  referal - LDAP referral
  derefAliases - Controls how aliases are dereferenced. Possible values are always(default), never, finding, and searching.
  sslEnabled - Enable Secure Sockets Layer (SSL) for the LDAP server.
  connectionPool - LDAP connection pool
  connectTimeout - Connection timeout(in seconds)
  ldapServerType - The type of LDAP server used.
  sslConfiguration - Secure Sockets Layer (SSL) configuration
  certificateMapMode - Specifies whether to map X.509 certificates into an LDAP directory by exact distinguished name or certificate filter. Specify the certificate filter to use the specified certificate filter for the mapping.
  certificateFilter - If you specify the certificate map mode, use this property to specify the LDAP filter, which maps attributes in the client certificate to entries in LDAP.

Steps:
  None

When using IBM Installation Manager to install the WAS Plugin Package, we cannot install the Plugin as a subdirectory within the HIS installation. In previous versions for example, IHS 7.0 and below, many organisations installed the WAS Plugin into a folder called <ihs_root>/Plugins, however we no longer can do this.

For example: We have IBM HTTP Server installed in the default location /opt/IBM/HTTPServer. It was installed using IBM Installation Manager. When we try to install the WAS Plugin using IM into the location /opt/IBM/HTTPServer/Plugins we get the following error.

CRIMA1170E ERROR: There is already a package installed at ” /opt/IBM/HTTPServer/Plugins” in the “IBM HTTP Server V8.5″ package group. The installation directory for the new “Web Server Plug-ins for IBM WebSphere Application Server V8.5″ package group must not be a parent or sub-directory of a previously used installation directory.

The solution is to install the WAS Plugin in /opt/IBM/WebSphere/Plugins (Default) or another folder, as long as it is not within <ihs_root>

Looking for IBM WebSphere Middleware Consulting to help with WebSphere Architecture, Support, Migration, Automation and Thought Leadership? An expert in technical communications in the middleware domain, and adept in almost all forms of Internet and mobile related technology, Steve Robinson has time and time again proven his tenacity to improve systems around him and deliver.

Steve has worn many hats during his career such as Chief Technical Officer, Founding Member of several business ventures, Programmer, Systems Administrator, Architect, Blogger and Published Author to name a few. Due to 20 years Industry experience in Middleware, Programming, Networks and Internet Technologies, He combines systems knowledge with efficient working methods and inter personal skills required to build effective relationship with clients and colleagues alike. Exceeding typical expectations in any role undertaken, Steve is certain to become a valuable asset within any organisation He joins.

So, if you are looking for a professional to help with WAS Migration, WAS Architecture, and or WAS Automation (Shell, Jython, Java) and/or Middleware Integration, then please do contact me.

WebSphere Books by Steve Robinson

IBM WebSphere Application Server 8.0 Administration Guide http://www.packtpub.com/ibm-websphere-application-server-8-0-administration-guide/book

WebSphere Application Server 7.0 Administration Guide http://www.packtpub.com/webSphere-application-server-7-0-administration-guide/book

IBM Awards:

IBM Champion 2013

In the <ihs_root/logs.error_log we find the following error when connecting to IBM HTTP Server using SSL.

[Fri May 01 14:08:10 2015] [error] [client 192.168.0.7] [1a6a0a0] [15650] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.0.7:51155 -> 192.168.0.80:443] [14:08:10.000087901] 0ms

IBM documentation gives the explanation for this error message.

SSL0208E: SSL Handshake Failed, Certificate validation error

This message may appear if you create a (keyring) KeyFile that does not have a complete trust chain for your personal certificate. In other words, there is a gap between the trust status of your end-entity certificate and some trusted root certificate.

When Ikeyman (or gskcmd/gskcapicmd) as bundled with IHS are used, the tools enforce that you load a complete certificate chain starting with a self-signed cert and terminating in your personal cert. Using other Java, WebSphere, or native tools does not enforce this restriction at certificate management time. You have most likely recieved a signed certifcate from a CA, but you have not added that CA to the Key File Database.

You must acquire the complete cert chain from your Certificate vendor, and “add” a complete cert chain (from the top down) using ikeyman either on command-line using gskcmd or manually using the ikeyman GUI.

Hi all, not long now before I release my new WAS 8.5.5.x Advanced Administration Courses, due in late Q2, ealry Q3 2015.

Keep an eye out for several new focused  WebSphere related courses which will cover many topics previously not covered before, and are hard to find with respect to training materials. The concepts within these new guides show how to do some of the more compex WebSphere Application Server, IBM HTTP Server and WebSphere Plugin administration techniques. All demonstrated by worked examples, including a detailed walk though of ikeyman, gskcmd and OpenSSL.

Here is a sample of one guide wich is part of the WebSphere Advanced Security course and covers the following topics in much detail.

• INTRODUCTION
• TOPICS COVERED
• STARTING THE ADMINISTRATIVE SERVER
• PERMISSIONS
• STARTING AND STOPPING IBM HTTP SERVER
• EXAMPLE START
• EXAMPLE STOP
• STARTING AND STOPPING IBM ADMINISTRATION SERVER
• EXAMPLE START
• EXAMPLE STOP
• CREATING A WEB SERVER IN WAS ADMIN CONSOLE
• TESTING A CONNECTION FROM WAS CONSOLE TO IBM ADMINISTRATION SERVER
• CONFIGURING WEB SERVERS IN WAS ADMIN CONSOLE
• GENERATING THE PLUGIN-CFG.XML FILE
• PROPAGATING THE PLUGIN-CFG.XML FILE
• CONFIGURE IBM HTTP SERVER TO LOAD THE PLUGIN MODULE
• VERIFY DEFAULTAPPLICATION TARGETS
• CONFIGURING SSL FOR COMMUNICATION
• CREATING A SELF-SIGNED DIGITAL CERTIFICATE
• ADDING SSL TO THE IHS VIRTUAL HOST CONFIGURATION
• PROPAGATING KEYRING FILE FROM WAS TO WEB SERVER
• CONFIGURING VIRTUAL HOSTS
• AUTOMATING SELF-SIGNED CERTIFICATES
• CREATING A NEW KEY DATABASE
• SETTING THE DATABASE PASSWORD
• REGISTERING A KEY DATABASE WITH THE SERVER
• CREATING A SELF-SIGNED CERTIFICATE
• MANAGING CERTIFICATE SIGNING FROM A CERTIFICATE AUTHORITY
• BASIC SSL OVERVIEW
• Digital Certificates
• OBJECTIVE
• INSTALL OPENSSL
• CREATE A CSR USING IKEYMAN TOOL
• Using gskcmd utility to create a a new Keyring Database to store a CSR
• Verifying a Certificate Request via Command-line
• Verifying a Certificate Request using ikeyman
• LISTING AVAILABLE SIGNERS
• CREATE A NEW CA
• SIGNING THE CSR USING THE NEW CA
• RECEIVE THE SIGNED CERTIFICATE INTO THE KEY DATABASE USING COMMAND-LINE
• RECEIVE THE SIGNED CERTIFICATE INTO THE KEY DATABASE USING GUI
• CONFIGURE IBM HTTP SERVER WITH A CERTIFICATED SIGNED BY A CA
• ADDING THE CA’S CERTIFICATE TO THE KEY DATABASE
• ADDING CA’S CERTIFICATE TO THE BROWSERS TRUST KEY STORE/DATABASE
• CONFIGURE /ETC/HOSTS  FILE
• AUTOMATING WEB SERVER DEFINITIONS
• UNDERSTANDING THE PLUGIN-CFG.XML FILE
• APPENDIX A:  ADDITIONAL INFORMATION ON OPENSSL TOOL
• APPENDIX B: CREATING A KEY PAIR USING OPENSSL
• GENERATE PRIVATE KEY
• GENERATE PUBLIC KEY
• CREATE A NEW CA USING CA.PL (CA SCRIPT)

Looking for IBM WebSphere Middleware Consultancy and Training to help with WebSphere Application Server, WMQ and IIB Architecture covering disciplines such as Product Strategy, Migration, Automation and general digital/enterprise insights? An expert in technical communications in the middleware space, and adept in almost all forms of Internet and mobile technology, Steve has time and time again proven his tenacity to improve systems around him and deliver.

Steve has worn many hats during his career such as Chief Technical Officer, Founding Member of several business ventures, Programmer, Systems Administrator, Architect, Blogger and Published Author to name a few. Due to 20 years Industry experience in Middleware, Programming, Networks and Internet Technologies, He combines systems knowledge with efficient working methods and inter personal skills required to build effective relationship with clients and colleagues alike. Exceeding typical expectations in any role undertaken, Steve is certain to become a valuable asset within any organisation He joins.

So, if you are looking for a professional to help with WAS Migration, WAS Architecture, and or WAS Automation (Shell, Jython, Java) and/or Middleware Integration, then please do contact me.

WebSphere Books by Steve Robinson

IBM WebSphere Application Server 8.0 Administration Guide http://www.packtpub.com/ibm-websphere-application-server-8-0-administration-guide/book

WebSphere Application Server 7.0 Administration Guide http://www.packtpub.com/webSphere-application-server-7-0-administration-guide/book

IBM Awards:

IBM Champion 2013

You are trying to run the WASPreUpgrade,sh script and you get the folloing error:

IBM WebSphere Application Server, Release 7.0

Product Upgrade PreUpgrade tool, Version 1.0

Copyright IBM Corp., 1997-2008

MIGR0104E: You must specify the currently installed Application Server directory name.

MIGR0001I: The class name of the WASPreUpgrade command is WASPreUpgrade

<backupDirectoryName>

<currentWebSphereDirectory>

[-traceString <trace spec> [-traceFile <file name>]]

[-machineChange <true | false>]

[-oldProfile < old profile name >]

[-workspaceRoot <user workspace folder name>]

MIGR0272E: The migration function cannot complete the command.

The command which was run from A WAS 7 install <was_root>/bin

[root@localhost bin]# ./WASPreUpgrade.sh /var/apps/was7_to_was8550/WAS7_01_AppServer01Prof_backup /var/apps/was7 -oldProfile WAS7_01_AppServer01Prof

Solution:

The solution is to install a WAS 8.5.5.x instance i.e. binaries, then use the ./WASPreUpgrade.sh script from the new WAS instance and set the path to be that of the WAS 7 profile i.e. prepare to migrate the WAS 7 profile by running the WAS 8.5.5.x version of the script. You cannot use WAS 7 to pre upgrade for WAS 8.5.5.x as it does not know about the later version of WAS.

Error when testing a new JDBC Provider and Datasource

java.sql.SQLException: java.lang.IllegalAccessError: com/mysql/jdbc/ConnectionImpl.getInstance(Ljava/lang/String;
ILjava/util/Properties;Ljava/lang/String;Ljava/lang/String;)Lcom/mysql/jdbc/Connection;

The situation is that I am using a MySQL Java Provider and I have configured the JDBC Provider Datasource and J2C Alias, but I have to save and restart the server.

Once I have restarted the server, I get the following:

The test connection operation failed for data source EStore_Datasource on server server1 at node WAS7_01_AppServer01 
with the following exception: java.sql.SQLException: Access denied for user ''@'localhost' 
(using password: NO)DSRA0010E: SQL State = 28000, Error Code = 1,045. View JVM logs for further details.

This means that we have not assigned the alias to the Data source.

Error:

WASX7209I: Connected to process "server1" on node WAS7_01_AppServer01 using SOAP connector;  The type of process is: UnManagedProcess
WASX7017E: Exception received while running file "/var/apps/scripts/wasAdmin/manageApp/appReady.py"; exception information: com.ibm.bsf.BSFException: exception from Jython:
Traceback (innermost last):
  File "<string>", line 13, in ?
ImportError: no module named appManager

The reason for this error was because I had referred to a Jython class-file (Jython OO script) by name in the same directory, but I had the name wrong. The file was manageApp, not appManage.

My import statement was:

import AppManage as app

It should have been

import manageApp as app