I then decided to enable Tracing, I only had my DMGR running at this stage, but this only revealed the same error.

So I resorted to adding the host-name to the /etc/host file. For some unknown reason WAS had deiced that it could no longer speak to the DNCS server I had in my lab, so it could not resolve dmgr.test.kkdc.com which was used for the hostname in the Deployment Manager Profile, then the process worked? I think this is a bit of a bug in WAS, as yesterday it was working fine! I did notice however, that my clicks were skewed. My Linux CentOS 7 Server is loosing time. I added NTP, however I think because it is a VM there is a problem with updates coming in from the time servers? This could be a potential influence, however I ruled it out when the manually updated the dates on both y Linux and AD (Win2012) sever, the problem persisted. So I don’t really know the answer, accept that adding the hostname to the local host file resolved the issue however this defeats the purpose of DNS?

FYI: The trace settings I used on my Deployment Manager (Administration Console)

Click on Change log detail levels as seen below:

Change logging to include com.ibm.ws.security.spnego.*=all for example:

Notice I used the run-time tab, so that tracing stays on even if I restart the DMGR process

When I tail the trace.log file I found:

var/apps/was855_kerberos/profiles/SSOPOC_dmgrProf/logs/ffdc/dmgr_36deb84f_15.09.22_20.41.55.1637580100958811687413.txt

Benefits of using Kerberos

When using Kerberos authentication, the user’s text password never leaves the user’s personal computer. After the user logs in to the system, the user is issued an encrypted Kerberos ticket that allows the user to gain access to other applications. After a user logs in, the user can gain access to J2EE, Web services, .NET, Web browser clients, and more without logging in a second time, using the Kerberos and the SPNEGO technology

Glossary of terms:

Below is a table of important terms used in this guide:

How Kerberos works

When a client requests an initial authentication, the authentication server authenticates the client. If the authentication is successful, the authentication server returns to the client a TGT that is used to request tickets for other services in the network. When the client wants to use a service in the network, it sends a request including its TGT to the TGS. The TGS responds by issuing and sending a service ticket. When the client uses a service in the network, it sends a request that includes its service ticket to the server that hosts the service. The server accepts the service ticket and executes the service.

Setting up Kerberos using Microsoft Active Directory

In this section we will cover the specific to setting up a new Microsoft Active Directory using Windows 2012 Server. We will then promote this machine to an AD Primary Domain Controller (PDC) so that we can join a test Windows workstation to the Windows Domain. We will then be able to test Single Sign On (SSO) by logging into the Windows workstation, then trying to access a secure application running in a secure WAS server. The user will not be asked to login to the Application, due to the SSO configuration.

Microsoft Kerberos KDC

Kerberos is implemented in Microsoft Windows Server 2000 and later. The implementation of Kerberos on a Windows server is composed of the Key Distribution Center (KDC) as a domain service. The KDC uses the domain’s Active Directory as its user registry. The KDC provides two services:

•  Authentication service
  

• Ticket-granting service (TGS) 

  

These services are started automatically and run in the domain controller for a Microsoft Active Directory architecture. When a user logs on to the Windows domain, the information that the user enters is captured by the logon program and is transmitted to the computer’s local security authority (LSA). The LSA is a Windows component that authenticates users to the local system. This LSA then communicates with the network’s KDC in order to receive ticket-granting tickets and service tickets so that the user can access Kerberized services on the Windows domain. Kerberos on Windows server platforms uses Active Directory for all information about Kerberos principals on the Kerberos network. The encryption key that is used to communicate with Kerberos principals is stored in the Active Directory database in the user’s profile. Active Directory plays the role of an LDAP server on a Windows server and is also used as the KDC database. This dual role can be a g

I was running a snippet of Jython and I got the following error:

SECJ7320E: Invalid user registry type

My WEbSphere Application Server Jython-Code:

def getRegistryDetails(securityDomainName, registryType):
    printer("","Input: Security Domain Name=" + securityDomainName)
    printer("","Input: Registry Type=" + registryType)
    registryDetails=AdminTask.getUserRegistryInfo('-userRegistryType ' + registryType)
    return registryDetails
#endIf

registryType="ACTIVE_DIRECTORY"
printer("","Default Ream=" + getRegistryDetails("",registryType))

Reason, I was using an LDAPServerType, not a REgistryType

I changed ACTIVE_DIRECTORY to the value LDAPUserRegistry

After running a Jython script that updates SSO and Kerberos settings in Global secueity, I get the following error:

FFDC Exception:java.security.PrivilegedActionException SourceId:com.ibm.ws.security.web.FormLoginServlet.formLogin ProbeId:422 Reporter:com.ibm.ws.security.web.FormLoginExtensionProcessor@ecfd5211
java.security.PrivilegedActionException: com.ibm.websphere.security.auth.WSLoginFailedException: Login error: com.ibm.security.krb5.KrbException, status code: 37
        message: Clock skew too great
        at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:122)

The reson for this message is that my Linux Server and my Active Directory date/times are out of time synchronisation. I often find that with CentOS 7 on Oracle Virtual Box, even with ntpd enabled that the Linux clock looses time?

The problem in WAS can also happen when  you code an invalid Service name, or a malformed LDAP Bind, or LDAP Base DN, but in this case re-setting the clock and restarting the Deployment Manager, allowed me make my Jython updates and automate the setting up of SSO and Kerberos.

When running the Jython command addIdMgrLDAPServer as part of a Federated repository configuration on WAS 8.5.5.x, I received the following error:

WASX7017E: Exception received while running file "/var/apps/scripts/wasAdmin/manageSecurity/modifyGlobalSecurity_Federated.py"; exception information: com.ibm.websphere.wim.exception.WIMConfigurationException: com.ibm.websphere.wim.exception.WIMConfigurationException: CWWIM5020E Could not connect to the ldap://<ip-address>:389 repository using properties: [port=389],[bindDN=uid=wasldapbind,ou=security,dc=themiddlewareshop,dc=com],[certificateMapMode=exactdn],[sslConfiguration=],[securityDomainName=admin],[sslEnabled=false],[connectTimeout=100],[connectionPool=false],[id=ApacheLDAP],[ldapServerType=CUSTOM],[host=<ip-addreess>],[referal=ignore],[derefAliases=always],[certificateFilter=],[authentication=simple],[bindPassword=****]. Exception occurred: java.net.ConnectException.

The reason for this is that the LDAP server was not running. The problem can occur when the the host/ip-address or port is wrong, or a firewall is running and the LDAP port that is being used is not open.

Note: This is part of the $299 special deal as this course was released before December 2015.

• Have you ever wondered how to install and configure a federated repository (LDAP and internal file-based repository)?
  
• Have you ever had trouble creating a custom stand-alone LDAP configuration?
  
• Have you wondered how to automate the creation of a LDAP configuration using Jython scripting?
• Would you like to know how to configure SSL for IBM HTTP Server?
• Learn how to use your own self-signed certificates with an internal Certificate Authority
• Like to know how to automate SSL Certificate Management?

The WebSphere Application Server 8.5.5.x – Essential Security Concepts course provides the student with a detailed example-based guide which takes the student through how to configure Global Security for Federated Repositories. This course also covers how to set up IHS administration and other Global security insights, along with SSL management sercrets often not addressed in most WAS courses. Jython scripts are also provided to automate the configuration of LDAP use in Global Security.

The course provides over 250 pages of information covering the following topics and more:

Duration: 3-5 Days Self Study
Audience:

• Experienced JEE Developers and Administrators having good experience with WebSphere Application Servers.
• People looking to upgrade their skills to use the WebSphere Application Server Application client, and understand how configure security for WAS environments

Requirements:
Basic knowledge of Linux/Windows commands is expected. Prior experience in administering WebSphere Application Server version 6.1-8.x servers is expected, as is basic shell-scripting and Jython understanding.

WAS 8.5.5.x Essential Security Concepts

The example in this document is focused around how to enable federated repositories using LDAP, and other Global Security essential concepts.

Price: $199.99

Price: $149.99

Note: Once you have paid and registered, you will gain instant access to download your course materials.

Do you need to save time automating manual WebSphere Application Server installtion tasks?

Have you ever wondered how to automate IBM Installation Manager? Ever needed to automate the installation of WAS 8.5.5.x and automate Upgrades and Roll-backs?

The WebSphere Application Server 8.5.5.x Automation Course provides the student with a full set of guides and a set of commercial-grade automation scripts with detailed worked-examples.

The course provides scripts to automate the following:

• Install/Upgrade/Remove IBM Installation Manager (IM)
• Fully demonstrates the three modes of IM Modes (Admin, User, Group).
  • This is never been documented in this much detail before, not even by IBM!
• Install/Upgrade WebSphere Application Server 8.5.5x (or even 8.x, 8.5.x)
• Install/Upgrade IBM HTTP Server (IHS)
• Understand IHS Administration
• Detailed SSL CA, and CSR examples using ikeyman tool, gskcmd tool, and OpenSSL
  • This is never been documented in this much detail before, not even by IBM!
• Install/Upgrade the WebSphere Plugin
• Report on IBM Installation managed installs

This course was produced over 4 months with full-time effort towards design, testing and verification of advanced automation scripts which can be used independently or plugged into any enterprise orchestration management software. To engage a leading IBM WAS consultant to build these scripts, would cost over £100,000 pounds and likely to take 3-6 months to write, and test. I have leveraged my vast industry experience to give you one of the most valuable courses I have produced to date. Once purchased, you can augment these scripts as you please into your enterprise management processes, saving you time and money.

Imagine being able to install and upgrade WAS 8.x.x.x products in minutes, with self auditing configurations and detailed logging.

The course has been written by Steve Robinson who is a well known WebSphere product specialist and the author of several published WebSphere related books.

Duration: 3-5 Days Self Study
Audience:

• Experienced JEE Developers and Administrators having good experience with WebSphere Application Servers.
• People looking to upgrade their skills to the Latest version of WebSphere Application Server.
• Advanced professionals looking to automate installing and upgrading WAS 8.5.5.x in the enterprise.

Requirements:
Basic knowledge of Linux  commands is expected. Prior experience in administering WebSphere Application Server version 8.x.x.x servers is expected.

Sample Videos:

http://www.themiddlewareshop.com/was-8-5-5-automation-course-videos

WebSphere Application Server 8.5.5 Automation Course

WebSphere Application Server 8.5.5 Automation Course

Price: $499.95

Price: $149.99

WebSphere Application Server Install and Upgrade Automation Course

• Looking to automate WAS inatalls?
• Do you need to save time automating manual WAS tasks?
• Want to know howto create shel scipts to manage WAS installs and upgrades?
• Have you ever wondered how to automate IBM Installation Manager?
• Ever needed to automate the installation of WAS 8.5.5.x and automate Upgrades and Roll-backs?

The WebSphere Application Server 8.5.5.x Automation Course provides the student with a full set of guides and a set of commercial-grade automation scripts with detailed worked-examples covering the following topics and more:

• Install/Upgrade/Remove IBM Installation Manager (IM)
• Fully demonstrates the three modes of IM Modes (Admin, User, Group).
  • This is never been documented in this much detail before, not even by IBM!
• Install/Upgrade WebSphere Application Server 8.5.5x (or even 8.x, 8.5.x)
• Install/Upgrade IBM HTTP Server (IHS)
• Understand IHS Administration
• Detailed SSL CA, and CSR examples using ikeyman tool, gskcmd tool, and OpenSSL
  • This is never been documented in this much detail before, not even by IBM!
• Install/Upgrade the WebSphere Plugin
• Report on IBM Installation managed installs

Product page: http://www.themiddlewareshop.com/product/websphere-8-5-5-automation-course/

Sample Videos: http://www.themiddlewareshop.com/was-8-5-5-automation-course-videos

WebSphere Application Server 8.5.5 Automation Course

WebSphere Application Server 8.5.5 Automation Course

Price: $499.95

Price: $149.99

When testing a MySQL datasource configured at Cell scope for WAS ND 8.5.5.x, I get the following error:

The test connection operation failed for data source EStore_Datasource on server dmgr at node HA01_dmgrNode with the following exception: java.sql.SQLException: java.lang.IllegalAccessError: Class com/mysql/jdbc/NonRegisteringDriver illegally accessing "protected" member of class com/mysql/jdbc/ConnectionImpl. View JVM logs for further details.

The Cell is called HA01Cell, and the Deployment Manager profile  is called HA01_dmgrNode, the datasource in question is EStore_datasource.

The scenario is that I am writing another module for my latest course October 2015 called WAS ND High Availability course, and as part of the course, I demonstrate deploying an application using Jython. As part of this configuration, we need a JDBC Provider, Datasource and JAAS. Because we are using a provider which is unknown to WAS ie USer-defined (MySQL), it requires some properties. The WAS wizards ie that the console presents when configuring Providers/Datasources uses templates. The MySQL template does not exist, so we need to add these custom properties ourselves. Also, when we use Cell Scope, we will need to bounce the Deployment Manager for this to take effect.

In the course we discuss Scope ie Cell, Node, Cluster and Server, and this example above, is one of may as we build our highly available WebSphere Application Server Network Deployment reference environment.

This guide explains How to install the IBM SDK or JRE using the public downloads.

It is possible to acquire the IBM SDK from the following URL, though you will need to register before downloading.

• I have chosen to downloaded the 64 Bit version for the IBM 8 SDK/JRE
  

Note: It all depends on your requirements i.e. the application requirements to decide what SDK is required. In this example, I have used the IBM 8 SDK/JRE to demonstrate that Liberty can run in IBM 8 JRE

• I was then prompted to register with IBM before I can continue.
  

• Once I located the actual download page, I selected all the SDK options for example JDK and JRE and samples just in case I need them at another stage.
  

For Liberty we would only actually require the JRE to replace the standard default OpenJDK on CentOS for example.

In this example we will only install the IBM 8 JRE the file is:

To do this we follow these steps:

Copy the JRE download to an appropriate folder for example:

Modify to be able to run the bin file:

• Select the default options
  

Result:

We now have installed IBM 8 JRE into:

To change the JRE current version or use a different vendor i.e. in our case we wish to use IBM’s JRE as opposed to the default CentOS JRE, we can choose one of several options:

• Use JAVA_HOME
  
• Use a server.env file
  

Using JAVA_HOME in .bash_profile

JAVA_HOME will ensure that the current logged in user will use the specified JRE when several applications/products on the same machine refer to JAVA_HOME, this may not be what you want. But if this machine is only for Liberty then this is an easy choice.

Steps:

• First we will verify the current JRE that is set for your environment, so we can test later that it has been changed.
  

Result:

We will now need to set our environment buy editing .bash_profile

We want to set JAVA_HOME to where we have our JDK installed for example:

If JAVA_HOME/bin is not in the PATH, add it to the path:

• Edit your local bash profile (~/.bash_profile) and add two lines:
  

Example .bash_profile

We can either logout and re-login for the changes to take effect or we can source (execute) .bash_profile from our current session:

• Now check what JRE is running for example:
  

Result:

• We can now start an existing Liberty Server for example we have a liberty instance installed in /var/apps/wasnd855_lp/ and we have created a server called server1
  

We can see that JRE used by looking at console.log for example:

Result:

We can now see that Liberty is now using the IBM JRE as opposed to the default CentoOS OpenJDK, but the issue is that now IBM JRE will be used for all application/software that refer to Java_HOME, and we may not want this. We may wish to have only Liberty use the IBM JRE. To do this we must refer to a server.env file.

Specifying JAVA_HOME using server.env

Before we do this, we will remove the edits made to .bash_profile to ensure that JAVA_HOME is not set as an environment variable.

We can see above that the JAVA_HOME variable is not set, and the PATH specifies /user/bin for example:

Result:

Result:

We can use server.env files at the install and server levels to specify environment variables such as JAVA_HOME, WLP_USER_DIR, and WLP_OUTPUT_DIR. These files support only KEY=value pairs. Shell and variable expansion are not supported.

The server management script will search for server.env files in two locations, ${wlp.install.dir}/etc/server.env and ${server.config.dir}/server.env. If both files are present, the contents of the two server.env files will be merged, with values in the the server-level file taking precedence over values in the runtime-level file.

Steps:

We will use a variable fro JAVA_HOME in a file called server.env, in this example it will be placed in the <installroot/>etc/server.env for example: /var/apps/wasnd855_lp/etc

• Stop the server.
  
• Create a file called /var/apps/wasnd855_lp/etc/server.env
  

• Edit the file with your favourite editor (I just logged in using WinSCP an used the default text editor) and set the JAVA_HOME variable to point to the JRE you want to use for example:
  

• Close the file and save your changes.
  
• Start the server
  

• Check the console.log
  

Result:

Note that the version of the JRE listed in the console window now references the IBM 8 JRE Java version, as opposed to the current shell’s Java version.

WebSphere Liberty is a fast, dynamic, easy-to-use Java EE application server, the latest Application Server technology from IBM and  today we release the new Liberty Essentials course.

During this course the student will learn how to automate installations and upgrades in a controlled manner using both IBM Installation Manager and the cloud -ready archive approach. Jython scripting is introduced and how to enable JDBC for data-ware applications.

The course covers the following topics:

• Install, upgrade and uninstall WebSphere Liberty Profile using an Archive-Style approach
• Install, upgrade and uninstall WebSphere Liberty Profile using IBM Installation Manager
• Install, upgrade and uninstall WebSphere Liberty Profile using automation scripts
• Build and Deploy a sample Web Application
• Manage features and add ons
• Configure an off-line feature repository to add features even when not connected to internet
• Install and configure the Admin Center to provide a GUI-based admin console
• Enable basic security to secure the Admin Console
• Use JConsole to invoke exposed Management Beans (Mbeans) via JMX
• Install, configure an implement Jython for Jython automation
• Using Jython to manage deployed application-state
• Locating demo /trial software from IBM
• Enable a JDBC Provider and data source for a data-aware application
• Install and configure MYSQL to support your data-aware Java Web-Application

Fully detailed comprehensive course notes are provided as part of the course.

Because Liberty is lightweight in nature it is Ideal for developers during rapid application development cycles but at the same time being ready for full production in cloud or non-cloud environments alike by Administrators.

WebSphere Liberty Profile Essentials

The WebSphere Application Server 8.5.5.x Liberty Profile Essentials Course provides the student with a full set of guides and a set of commercial-grade automation scripts with detailed worked-examples.

Price: $149.99

Price: $29.95